chore: allow cloud front prefix list to restrict security group access via environment manifest

internal/pkg/aws/ec2/ec2.go

@@ -472,24 +472,24 @@ func (c *EC2) managedPrefixList(prefixListName string) (*ec2.DescribeManagedPref
 }
 
 // CloudFrontManagedPrefixListID returns the PrefixListId of the associated cloudfront prefix list as a *string.
-func (c *EC2) CloudFrontManagedPrefixListID() (*string, error) {
+func (c *EC2) CloudFrontManagedPrefixListID() (string, error) {
 	prefixListsOutput, err := c.managedPrefixList(cloudFrontPrefixListName)
 
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 
-	var ids []*string
+	var ids []string
 	for _, v := range prefixListsOutput.PrefixLists {
-		ids = append(ids, v.PrefixListId)
+		ids = append(ids, *v.PrefixListId)
 	}
 
 	if len(ids) == 0 {
-		return nil, fmt.Errorf("cannot find any prefix list with name: %s", cloudFrontPrefixListName)
+		return "", fmt.Errorf("cannot find any prefix list with name: %s", cloudFrontPrefixListName)
 	}
 
 	if len(ids) > 1 {
-		return nil, fmt.Errorf("found more than one prefix list with the name %s: %v", cloudFrontPrefixListName, ids)
+		return "", fmt.Errorf("found more than one prefix list with the name %s: %v", cloudFrontPrefixListName, ids)
 	}
 
 	return ids[0], nil

internal/pkg/aws/ec2/ec2_test.go

@@ -368,7 +368,7 @@ func TestEC2_CloudFrontManagedPrefixListId(t *testing.T) {
 
 		wantedError          error
 		wantedErrorMsgPrefix string
-		wantedId             *string
+		wantedId             string
 	}{
 		"query returns error": {
 			mockEC2Client: func(m *mocks.Mockapi) {
@@ -418,7 +418,7 @@ func TestEC2_CloudFrontManagedPrefixListId(t *testing.T) {
 					},
 				}, nil)
 			},
-			wantedId: aws.String(mockPrefixListId),
+			wantedId: mockPrefixListId,
 		},
 	}
 

internal/pkg/cli/deploy/env.go

@@ -10,6 +10,7 @@ import (
 
 	awscfn "github.com/aws/aws-sdk-go/service/cloudformation"
 	"github.com/aws/copilot-cli/internal/pkg/aws/cloudformation"
+	"github.com/aws/copilot-cli/internal/pkg/aws/ec2"
 	"github.com/aws/copilot-cli/internal/pkg/aws/s3"
 	"github.com/aws/copilot-cli/internal/pkg/aws/sessions"
 	"github.com/aws/copilot-cli/internal/pkg/config"
@@ -34,13 +35,18 @@ type environmentDeployer interface {
 	ForceUpdateOutputID(app, env string) (string, error)
 }
 
+type prefixListGetter interface {
+	CloudFrontManagedPrefixListID() (string, error)
+}
+
 type envDeployer struct {
 	app *config.Application
 	env *config.Environment
 
 	// Dependencies to upload artifacts.
-	templateFS template.Reader
-	s3         uploader
+	templateFS       template.Reader
+	s3               uploader
+	prefixListGetter prefixListGetter
 	// Dependencies to deploy an environment.
 	appCFN             appResourcesGetter
 	envDeployer        environmentDeployer
@@ -75,8 +81,9 @@ func NewEnvDeployer(in *NewEnvDeployerInput) (*envDeployer, error) {
 		app: in.App,
 		env: in.Env,
 
-		templateFS: template.New(),
-		s3:         s3.New(envRegionSession),
+		templateFS:       template.New(),
+		s3:               s3.New(envRegionSession),
+		prefixListGetter: ec2.New(envRegionSession),
 
 		appCFN:      deploycfn.New(defaultSession),
 		envDeployer: deploycfn.New(envManagerSession),
@@ -109,6 +116,31 @@ func (d *envDeployer) uploadCustomResources(bucket string) (map[string]string, e
 	return urls, nil
 }
 
+func (d *envDeployer) cidrPrefixLists(in *DeployEnvironmentInput) ([]string, error) {
+	var cidrPrefixListIDs []string
+
+	// Check if ingress is allowed from cloudfront
+	if in.Manifest == nil || !in.Manifest.IsIngressRestrictedToCDN() {
+		return nil, nil
+	}
+	cfManagedPrefixListID, err := d.cfManagedPrefixListID()
+	if err != nil {
+		return nil, err
+	}
+	cidrPrefixListIDs = append(cidrPrefixListIDs, cfManagedPrefixListID)
+
+	return cidrPrefixListIDs, nil
+}
+
+func (d *envDeployer) cfManagedPrefixListID() (string, error) {
+	id, err := d.prefixListGetter.CloudFrontManagedPrefixListID()
+	if err != nil {
+		return "", fmt.Errorf("retrieve CloudFront managed prefix list id: %w", err)
+	}
+
+	return id, nil
+}
+
 // DeployEnvironmentInput contains information used to deploy the environment.
 type DeployEnvironmentInput struct {
 	RootUserARN         string
@@ -188,6 +220,10 @@ func (d *envDeployer) buildStackInput(in *DeployEnvironmentInput) (*deploy.Creat
 	if err != nil {
 		return nil, err
 	}
+	cidrPrefixListIDs, err := d.cidrPrefixLists(in)
+	if err != nil {
+		return nil, err
+	}
 	return &deploy.CreateEnvironmentInput{
 		Name: d.env.Name,
 		App: deploy.AppInformation{
@@ -199,6 +235,7 @@ func (d *envDeployer) buildStackInput(in *DeployEnvironmentInput) (*deploy.Creat
 		CustomResourcesURLs:  in.CustomResourcesURLs,
 		ArtifactBucketARN:    s3.FormatARN(partition.ID(), resources.S3Bucket),
 		ArtifactBucketKeyARN: resources.KMSKeyARN,
+		CIDRPrefixListIDs:    cidrPrefixListIDs,
 		Mft:                  in.Manifest,
 		ForceUpdate:          in.ForceNewUpdate,
 		RawMft:               in.RawManifest,

internal/pkg/cli/deploy/env_test.go

@@ -10,12 +10,14 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/aws/aws-sdk-go/aws"
 	awscfn "github.com/aws/aws-sdk-go/service/cloudformation"
 	"github.com/aws/copilot-cli/internal/pkg/cli/deploy/mocks"
 	"github.com/aws/copilot-cli/internal/pkg/config"
 	"github.com/aws/copilot-cli/internal/pkg/deploy"
 	"github.com/aws/copilot-cli/internal/pkg/deploy/cloudformation/stack"
 	"github.com/aws/copilot-cli/internal/pkg/deploy/upload/customresource"
+	"github.com/aws/copilot-cli/internal/pkg/manifest"
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/require"
 )
@@ -116,9 +118,10 @@ func TestEnvDeployer_UploadArtifacts(t *testing.T) {
 }
 
 type deployEnvironmentMock struct {
-	appCFN          *mocks.MockappResourcesGetter
-	envDeployer     *mocks.MockenvironmentDeployer
-	stackSerializer *mocks.MockstackSerializer
+	appCFN           *mocks.MockappResourcesGetter
+	envDeployer      *mocks.MockenvironmentDeployer
+	stackSerializer  *mocks.MockstackSerializer
+	prefixListGetter *mocks.MockprefixListGetter
 }
 
 func TestEnvDeployer_GenerateCloudFormationTemplate(t *testing.T) {
@@ -248,6 +251,7 @@ func TestEnvDeployer_DeployEnvironment(t *testing.T) {
 	}
 	testCases := map[string]struct {
 		setUpMocks  func(m *deployEnvironmentMock)
+		inManifest  *manifest.Environment
 		wantedError error
 	}{
 		"fail to get app resources by region": {
@@ -257,6 +261,42 @@ func TestEnvDeployer_DeployEnvironment(t *testing.T) {
 			},
 			wantedError: fmt.Errorf("get app resources in region %s: some error", mockEnvRegion),
 		},
+		"fail to get prefix list id": {
+			setUpMocks: func(m *deployEnvironmentMock) {
+				m.appCFN.EXPECT().GetAppResourcesByRegion(mockApp, mockEnvRegion).Return(&stack.AppRegionalResources{
+					S3Bucket: "mockS3Bucket",
+				}, nil)
+				m.prefixListGetter.EXPECT().CloudFrontManagedPrefixListID().Return("", errors.New("some error"))
+			},
+			inManifest: &manifest.Environment{
+				EnvironmentConfig: manifest.EnvironmentConfig{
+					HTTPConfig: manifest.EnvironmentHTTPConfig{
+						Public: manifest.PublicHTTPConfig{
+							SecurityGroupConfig: manifest.ALBSecurityGroupsConfig{
+								Ingress: manifest.Ingress{
+									RestrictiveIngress: manifest.RestrictiveIngress{
+										CDNIngress: aws.Bool(true),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantedError: fmt.Errorf("retrieve CloudFront managed prefix list id: some error"),
+		},
+		"prefix list not retrieved when manifest not present": {
+			setUpMocks: func(m *deployEnvironmentMock) {
+				m.appCFN.EXPECT().GetAppResourcesByRegion(mockApp, mockEnvRegion).Return(&stack.AppRegionalResources{
+					S3Bucket: "mockS3Bucket",
+				}, nil)
+				m.envDeployer.EXPECT().EnvironmentParameters(gomock.Any(), gomock.Any()).Return(nil, nil)
+				m.envDeployer.EXPECT().ForceUpdateOutputID(gomock.Any(), gomock.Any()).Return("", nil)
+				m.prefixListGetter.EXPECT().CloudFrontManagedPrefixListID().Return("mockPrefixListID", nil).Times(0)
+				m.envDeployer.EXPECT().UpdateAndRenderEnvironment(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
+			},
+			inManifest: nil,
+		},
 		"fail to get existing parameters": {
 			setUpMocks: func(m *deployEnvironmentMock) {
 				m.appCFN.EXPECT().GetAppResourcesByRegion(gomock.Any(), gomock.Any()).Return(&stack.AppRegionalResources{
@@ -281,6 +321,7 @@ func TestEnvDeployer_DeployEnvironment(t *testing.T) {
 				m.appCFN.EXPECT().GetAppResourcesByRegion(mockApp, mockEnvRegion).Return(&stack.AppRegionalResources{
 					S3Bucket: "mockS3Bucket",
 				}, nil)
+				m.prefixListGetter.EXPECT().CloudFrontManagedPrefixListID().Return("mockPrefixListID", nil).Times(0)
 				m.envDeployer.EXPECT().EnvironmentParameters(gomock.Any(), gomock.Any()).Return(nil, nil)
 				m.envDeployer.EXPECT().ForceUpdateOutputID(gomock.Any(), gomock.Any()).Return("", nil)
 				m.envDeployer.EXPECT().UpdateAndRenderEnvironment(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(errors.New("some error"))
@@ -292,6 +333,7 @@ func TestEnvDeployer_DeployEnvironment(t *testing.T) {
 				m.appCFN.EXPECT().GetAppResourcesByRegion(mockApp, mockEnvRegion).Return(&stack.AppRegionalResources{
 					S3Bucket: "mockS3Bucket",
 				}, nil)
+				m.prefixListGetter.EXPECT().CloudFrontManagedPrefixListID().Return("mockPrefixListID", nil).Times(0)
 				m.envDeployer.EXPECT().EnvironmentParameters(gomock.Any(), gomock.Any()).Return(nil, nil)
 				m.envDeployer.EXPECT().ForceUpdateOutputID(gomock.Any(), gomock.Any()).Return("", nil)
 				m.envDeployer.EXPECT().UpdateAndRenderEnvironment(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
@@ -304,8 +346,9 @@ func TestEnvDeployer_DeployEnvironment(t *testing.T) {
 			defer ctrl.Finish()
 
 			m := &deployEnvironmentMock{
-				appCFN:      mocks.NewMockappResourcesGetter(ctrl),
-				envDeployer: mocks.NewMockenvironmentDeployer(ctrl),
+				appCFN:           mocks.NewMockappResourcesGetter(ctrl),
+				envDeployer:      mocks.NewMockenvironmentDeployer(ctrl),
+				prefixListGetter: mocks.NewMockprefixListGetter(ctrl),
 			}
 			tc.setUpMocks(m)
 			d := envDeployer{
@@ -315,14 +358,16 @@ func TestEnvDeployer_DeployEnvironment(t *testing.T) {
 					ManagerRoleARN: mockManagerRoleARN,
 					Region:         mockEnvRegion,
 				},
-				appCFN:      m.appCFN,
-				envDeployer: m.envDeployer,
+				appCFN:           m.appCFN,
+				envDeployer:      m.envDeployer,
+				prefixListGetter: m.prefixListGetter,
 			}
 			mockIn := &DeployEnvironmentInput{
 				RootUserARN: "mockRootUserARN",
 				CustomResourcesURLs: map[string]string{
 					"mockResource": "mockURL",
 				},
+				Manifest: tc.inManifest,
 			}
 			gotErr := d.DeployEnvironment(mockIn)
 			if tc.wantedError != nil {

internal/pkg/deploy/cloudformation/stack/env.go

@@ -96,18 +96,19 @@ func (e *EnvStackConfig) Template() (string, error) {
 		forceUpdateID = id.String()
 	}
 	content, err := e.parser.ParseEnv(&template.EnvOpts{
-		AppName:                  e.in.App.Name,
-		EnvName:                  e.in.Name,
-		CustomResources:          crs,
-		ArtifactBucketARN:        e.in.ArtifactBucketARN,
-		ArtifactBucketKeyARN:     e.in.ArtifactBucketKeyARN,
-		PublicImportedCertARNs:   e.importPublicCertARNs(),
-		PrivateImportedCertARNs:  e.importPrivateCertARNs(),
-		VPCConfig:                e.vpcConfig(),
-		CustomInternalALBSubnets: e.internalALBSubnets(),
-		AllowVPCIngress:          aws.BoolValue(e.in.Mft.HTTPConfig.Private.SecurityGroupsConfig.Ingress.VPCIngress),
-		Telemetry:                e.telemetryConfig(),
-		CDNConfig:                e.cdnConfig(),
+		AppName:                       e.in.App.Name,
+		EnvName:                       e.in.Name,
+		CustomResources:               crs,
+		ArtifactBucketARN:             e.in.ArtifactBucketARN,
+		ArtifactBucketKeyARN:          e.in.ArtifactBucketKeyARN,
+		PublicFacingCIDRPrefixListIDs: e.in.CIDRPrefixListIDs,
+		PublicImportedCertARNs:        e.importPublicCertARNs(),
+		PrivateImportedCertARNs:       e.importPrivateCertARNs(),
+		VPCConfig:                     e.vpcConfig(),
+		CustomInternalALBSubnets:      e.internalALBSubnets(),
+		AllowVPCIngress:               aws.BoolValue(e.in.Mft.HTTPConfig.Private.SecurityGroupsConfig.Ingress.VPCIngress),
+		Telemetry:                     e.telemetryConfig(),
+		CDNConfig:                     e.cdnConfig(),
 
 		Version:            e.in.Version,
 		LatestVersion:      deploy.LatestEnvTemplateVersion,

internal/pkg/deploy/cloudformation/stack/env_integration_test.go

@@ -30,8 +30,13 @@ func TestEnvStack_Template(t *testing.T) {
 				rawMft := `name: test
 type: Environment
 # Create the public ALB with certificates attached.
+cdn: true
 http:
   public:
+    security_groups:
+      ingress:
+        restrict_to:
+          cdn: true
     certificates:
       - cert-1
       - cert-2
@@ -51,6 +56,7 @@ observability:
 						Name:                "demo",
 					},
 					Name:                 "test",
+					CIDRPrefixListIDs:    []string{"pl-mockid"},
 					ArtifactBucketARN:    "arn:aws:s3:::mockbucket",
 					ArtifactBucketKeyARN: "arn:aws:kms:us-west-2:000000000:key/1234abcd-12ab-34cd-56ef-1234567890ab",
 					CustomResourcesURLs: map[string]string{