feat: Custom network security groups to segregate lambdas #773

.github/workflows/tools_deployment.yml

@@ -6,6 +6,7 @@ on:
     branches:
       # Enable a specific branch to temporarily test in the tools environment.
       - "feat/718-auth-lambda-db-user"
+      - "feat/773-lambda-segregation"
 
 
 jobs:

infrastructure/server/aurora-v2.tf

@@ -2,6 +2,10 @@ data "aws_kms_alias" "rds_key" {
   name = "alias/aws/rds"
 }
 
+locals {
+    aws_security_group_fam_data_sg_id = "${aws_security_group.fam_data_sg.id}"
+}
+
 resource "random_password" "famdb_master_password" {
   length           = 16
   special          = true
@@ -52,7 +56,7 @@ module "aurora_postgresql_v2" {
   database_name     = var.famdb_database_name
 
   vpc_id                 = data.aws_vpc.selected.id
-  vpc_security_group_ids = [data.aws_security_group.sg_data.id]
+  vpc_security_group_ids = [local.aws_security_group_fam_data_sg_id]
   db_subnet_group_name   = aws_db_subnet_group.famdb_subnet_group.name
 
   master_username = var.famdb_master_username
@@ -263,7 +267,7 @@ resource "aws_db_proxy" "famdb_proxy_api" {
   role_arn            = aws_iam_role.famdb_api_user_rds_proxy_secret_access_role.arn
   # vpc_security_group_ids = [data.aws_security_group.sg_app.id]
   # vpc_subnet_ids         = [data.aws_subnet.a_datapp_a.id, data.aws_subnet.a_datapp_b.id]
-  vpc_security_group_ids = [data.aws_security_group.sg_data.id]
+  vpc_security_group_ids = [local.aws_security_group_fam_data_sg_id]
   vpc_subnet_ids         = [data.aws_subnet.a_data.id, data.aws_subnet.b_data.id]
 
 

infrastructure/server/auth_lambda.tf

@@ -80,7 +80,7 @@ resource "aws_lambda_function" "fam-auth-function" {
   runtime = "python3.8"
 
   vpc_config {
-    security_group_ids = [data.aws_security_group.sg_app.id]
+    security_group_ids = ["${aws_security_group.fam_app_sg.id}"]
     subnet_ids         = [data.aws_subnet.a_app.id, data.aws_subnet.b_app.id]
   }
 

infrastructure/server/fam_api.tf

@@ -104,7 +104,7 @@ resource "aws_lambda_function" "fam-api-function" {
   runtime = "python3.8"
 
   vpc_config {
-    security_group_ids = [data.aws_security_group.sg_app.id]
+    security_group_ids = ["${aws_security_group.fam_app_sg.id}"]
     subnet_ids         = [data.aws_subnet.a_app.id, data.aws_subnet.b_app.id]
   }
 

infrastructure/server/flyway.tf

@@ -123,7 +123,7 @@ resource "aws_lambda_function" "flyway-migrations" {
 
   vpc_config {
     subnet_ids         = [data.aws_subnet.a_data.id, data.aws_subnet.b_data.id]
-    security_group_ids = [data.aws_security_group.sg_data.id]
+    security_group_ids = ["${aws_security_group.fam_data_sg.id}"]
   }
 
   memory_size = 512

infrastructure/server/network_security_groups.tf

@@ -0,0 +1,121 @@
+resource "aws_security_group" "fam_app_sg" {
+    name = "fam_app_sg"
+    description = "FAM custom security group for application tier (lambdas)."
+    vpc_id = data.aws_vpc.selected.id
+    revoke_rules_on_delete = true
+
+    tags = {
+        Name = "fam_app_sg"
+        managed-by = "terraform"
+    }
+
+    ingress {
+        from_port = 0
+        to_port = 0
+        protocol = "-1"
+        cidr_blocks = ["10.10.32.0/20", "10.10.128.0/20"]
+        description = "Central VPC Traffic Inbound from Web subnets"
+    }
+
+    ingress {
+        from_port = 0
+        to_port = 0
+        protocol = "-1"
+        cidr_blocks = ["10.10.0.0/19", "10.10.96.0/19"]
+        description = "Central VPC Traffic Inbound from App subnets"
+    }
+
+    ingress {
+        from_port = 0
+        to_port = 0
+        protocol = "-1"
+        cidr_blocks = ["10.10.64.0/21", "10.10.72.0/21"]
+        description = "Central VPC Traffic Inbound from Mgmt subnets"
+    }
+
+    egress {
+        from_port = 0
+        to_port = 0
+        protocol = "-1"
+        cidr_blocks = ["0.0.0.0/0"]
+        description = "Allow All Outbound Traffic"
+    }
+
+}
+
+resource "aws_security_group" "fam_data_sg" {
+    name = "fam_data_sg"
+    description = "FAM custom security group for data tier."
+    vpc_id = data.aws_vpc.selected.id
+    revoke_rules_on_delete = true
+    tags = {
+        Name = "fam_data_sg"
+        managed-by = "terraform"
+    }
+}
+
+resource "aws_vpc_security_group_ingress_rule" "fam_data_sg_east_west" {
+  security_group_id = aws_security_group.fam_data_sg.id
+  referenced_security_group_id = aws_security_group.fam_data_sg.id
+  ip_protocol = "-1"
+  description = "East/West Communication within FAM Data Security Group."
+}
+
+resource "aws_vpc_security_group_ingress_rule" "fam_data_sg_postgres" {
+  security_group_id = aws_security_group.fam_data_sg.id
+  referenced_security_group_id = aws_security_group.fam_app_sg.id
+  from_port = 5432
+  to_port = 5432
+  ip_protocol = "TCP"
+  description = "Allow traffic to database from FAM application tier (lambdas)."
+}
+
+resource "aws_vpc_security_group_ingress_rule" "fam_data_sg_central_web_a" {
+  security_group_id = aws_security_group.fam_data_sg.id
+  cidr_ipv4   = "10.10.32.0/20"
+  ip_protocol = "-1"
+  description = "Central VPC Traffic Inbound from Web-a"
+}
+
+resource "aws_vpc_security_group_ingress_rule" "fam_data_sg_central_web_b" {
+  security_group_id = aws_security_group.fam_data_sg.id
+  cidr_ipv4   = "10.10.128.0/20"
+  ip_protocol = "-1"
+  description = "Central VPC Traffic Inbound from Web-b"
+}
+
+resource "aws_vpc_security_group_ingress_rule" "fam_data_sg_central_app_a" {
+  security_group_id = aws_security_group.fam_data_sg.id
+  cidr_ipv4   = "10.10.0.0/19"
+  ip_protocol = "-1"
+  description = "Central VPC Traffic Inbound from App-a"
+}
+
+resource "aws_vpc_security_group_ingress_rule" "fam_data_sg_central_app_b" {
+  security_group_id = aws_security_group.fam_data_sg.id
+  cidr_ipv4   = "10.10.96.0/19"
+  ip_protocol = "-1"
+  description = "Central VPC Traffic Inbound from App-b"
+}
+
+resource "aws_vpc_security_group_ingress_rule" "fam_data_sg_central_mgmt_a" {
+  security_group_id = aws_security_group.fam_data_sg.id
+  cidr_ipv4   = "10.10.64.0/21"
+  ip_protocol = "-1"
+  description = "Central VPC Traffic Inbound from Mgmt-a"
+}
+
+resource "aws_vpc_security_group_ingress_rule" "fam_data_sg_central_mgmt_b" {
+  security_group_id = aws_security_group.fam_data_sg.id
+  cidr_ipv4   = "10.10.72.0/21"
+  ip_protocol = "-1"
+  description = "Central VPC Traffic Inbound from Mgmt-b"
+}
+
+resource "aws_vpc_security_group_egress_rule" "fam_data_sg_outbound" {
+  security_group_id = aws_security_group.fam_data_sg.id
+  cidr_ipv4   = "0.0.0.0/0"
+  ip_protocol = "-1"
+  description = "Allow All Outbound Traffic"
+}
+

infrastructure/server/networking.tf

@@ -2,14 +2,6 @@ data "aws_vpc" "selected" {
   state = "available"
 }
 
-
-data "aws_security_group" "sg_data" {
-  filter {
-    name   = "tag:Name"
-    values = [var.aws_security_group_data]
-  }
-}
-
 data "aws_subnet" "a_data" {
   filter {
     name   = "tag:Name"
@@ -37,10 +29,3 @@ data "aws_subnet" "b_app" {
     values = [var.subnet_app_b]
   }
 }
-
-data "aws_security_group" "sg_app" {
-  filter {
-    name   = "tag:Name"
-    values = [var.aws_security_group_app]
-  }
-}

infrastructure/server/variables_provided.tf

@@ -129,12 +129,6 @@ variable "prod_oidc_bcsc_idp_client_id" {
 
 
 # Networking Variables
-
-variable "aws_security_group_data" {
-  description = "Value of the name tag for the DATA security group"
-  type = string
-}
-
 variable "subnet_data_a" {
   description = "Value of the name tag for a subnet in the DATA security group"
   type = string
@@ -145,11 +139,6 @@ variable "subnet_data_b" {
   type = string
 }
 
-variable "aws_security_group_app" {
-  description = "Value of the name tag for the APP security group"
-  type = string
-}
-
 variable "subnet_app_a" {
   description = "Value of the name tag for a subnet in the APP security group"
   type = string

terraform/dev/terragrunt.hcl

@@ -17,10 +17,8 @@ generate "dev_tfvars" {
   oidc_idir_idp_client_id = "fsa-cognito-idir-dev-4088"
   oidc_idir_idp_issuer = "https://dev.loginproxy.gov.bc.ca/auth/realms/standard"
   oidc_bceid_business_idp_client_id = "fsa-cognito-b-ce-id-business-dev-4090"
-  aws_security_group_data = "Data_sg"
   subnet_data_a = "Data_Dev_aza_net"
   subnet_data_b = "Data_Dev_azb_net"
-  aws_security_group_app = "App_sg"
   subnet_app_a = "App_Dev_aza_net"
   subnet_app_b = "App_Dev_azb_net"
   cognito_app_client_logout_chain_url = {

terraform/prod/terragrunt.hcl

@@ -17,10 +17,8 @@ generate "prod_tfvars" {
   oidc_idir_idp_client_id = "fsa-cognito-idir-dev-4088"
   oidc_idir_idp_issuer = "https://loginproxy.gov.bc.ca/auth/realms/standard"
   oidc_bceid_business_idp_client_id = "fsa-cognito-b-ce-id-business-dev-4090"
-  aws_security_group_data = "Data_sg"
   subnet_data_a = "Data_Prod_aza_net"
   subnet_data_b = "Data_Prod_azb_net"
-  aws_security_group_app = "App_sg"
   subnet_app_a = "App_Prod_aza_net"
   subnet_app_b = "App_Prod_azb_net"
   front_end_redirect_path = "https://fam.nrs.gov.bc.ca"

terraform/test/terragrunt.hcl

@@ -14,10 +14,8 @@ generate "test_tfvars" {
   fam_user_pool_name = "test-fam-user-pool-bcsc"
   fam_user_pool_domain_name = "test-fam-user-pool-domain"
   famdb_cluster_name = "test-fam-cluster"
-  aws_security_group_data = "Data_sg"
   subnet_data_a = "Data_Test_aza_net"
   subnet_data_b = "Data_Test_azb_net"
-  aws_security_group_app = "App_sg"
   subnet_app_a = "App_Test_aza_net"
   subnet_app_b = "App_Test_azb_net"
   cognito_app_client_logout_chain_url = {

terraform/tools/terragrunt.hcl

@@ -17,10 +17,8 @@ generate "tools_tfvars" {
   oidc_idir_idp_client_id = "fsa-cognito-idir-dev-4088"
   oidc_idir_idp_issuer = "https://dev.loginproxy.gov.bc.ca/auth/realms/standard"
   oidc_bceid_business_idp_client_id = "fsa-cognito-b-ce-id-business-dev-4090"
-  aws_security_group_data = "Data_sg"
   subnet_data_a = "Data_Tools_aza_net"
   subnet_data_b = "Data_Tools_azb_net"
-  aws_security_group_app = "App_sg"
   subnet_app_a = "App_Tools_aza_net"
   subnet_app_b = "App_Tools_azb_net"
   cognito_app_client_logout_chain_url = {