Allow network whitelisting on the service level
beastawakens committed Sep 15, 2022
1 parent d9d46fd commit 4aed578
Showing 3 changed files with 14 additions and 6 deletions.
1 change: 1 addition & 0 deletions pkg/manifest/service.go
Expand Up @@ -31,6 +31,7 @@ type Service struct {
Termination ServiceTermination `yaml:"termination,omitempty"`
Test string `yaml:"test,omitempty"`
Volumes []string `yaml:"volumes,omitempty"`
Whitelist string `yaml:"whitelist,omitempty"`
}

type Services []Service
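Review bot: `Whitelist` is added without a comment, so the accepted format is not visible from the manifest type; the helper in provider/aws/template.go splits the value on commas and substitutes `0.0.0.0/0` when it is empty. A comment above the field would capture that contract: `// Whitelist is a comma-separated list of source CIDRs allowed to reach the service's balancer rules; empty leaves the service open to all IPv4 sources.` Since `Volumes` on the line above is already a `[]string`, a YAML list would be the more consistent shape, though that is a wider API decision. The `Service` struct starts outside the hunk.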
12 changes: 6 additions & 6 deletions provider/aws/formation/service.json.tmpl
Expand Up @@ -238,7 +238,7 @@
{{ end }}
"Properties": {
"Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if .Internal }}Internal{{ end }}" } } ],
"Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Join": [ ".", [ "{{$.App}}-{{.Name}}", { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Host" } } ] ] } ] } ],
"Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Join": [ ".", [ "{{$.App}}-{{.Name}}", { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Host" } } ] ] } ] }, { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
"ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Listener80" } },
"Priority": "{{ priority $.App .Name "default" -1 }}"
}
Expand All @@ -250,7 +250,7 @@
{{ end }}
"Properties": {
"Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if .Internal }}Internal{{ end }}" } } ],
"Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Join": [ ".", [ "{{$.App}}-{{.Name}}", { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Host" } } ] ] } ] } ],
"Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Join": [ ".", [ "{{$.App}}-{{.Name}}", { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Host" } } ] ] } ] }, { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
"ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Listener443" } },
"Priority": "{{ priority $.App .Name "default" -1 }}"
}
Expand All @@ -271,7 +271,7 @@
"Condition": "InternalDomainsAndRouteHttp",
"Properties": {
"Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if .Internal }}Internal{{ end }}" } } ],
"Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Sub": "{{.Name}}.{{$.App}}.${Rack}.convox" } ] } ],
"Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Sub": "{{.Name}}.{{$.App}}.${Rack}.convox" } ] } , { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
"ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Listener80" } },
"Priority": "{{ priority $.App .Name "internal" -1 }}"
}
Expand All @@ -281,7 +281,7 @@
"Condition": "InternalDomains",
"Properties": {
"Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if .Internal }}Internal{{ end }}" } } ],
"Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Sub": "{{.Name}}.{{$.App}}.${Rack}.convox" } ] } ],
"Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Sub": "{{.Name}}.{{$.App}}.${Rack}.convox" } ] } , { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
"ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Listener443" } },
"Priority": "{{ priority $.App .Name "internal" -1 }}"
}
Expand All @@ -303,7 +303,7 @@
{{ end }}
"Properties": {
"Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if $.Service.Internal }}Internal{{ end }}" } } ],
"Conditions": [ { "Field": "host-header", "Values": [ "{{$domain}}" ] } ],
"Conditions": [ { "Field": "host-header", "Values": [ "{{$domain}}" ] } , { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
"ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router $.Service.Name $.Manifest }}Listener80" } },
"Priority": "{{ priority $.App $.Service.Name $domain $i }}"
}
Expand All @@ -315,7 +315,7 @@
{{ end }}
"Properties": {
"Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if $.Service.Internal }}Internal{{ end }}" } } ],
"Conditions": [ { "Field": "host-header", "Values": [ "{{$domain}}" ] } ],
"Conditions": [ { "Field": "host-header", "Values": [ "{{$domain}}" ] } , { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
"ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router $.Service.Name $.Manifest }}Listener443" } },
"Priority": "{{ priority $.App $.Service.Name $domain $i }}"
}
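Review bot: In the two domain hunks (`@@ -303` and `@@ -315`) the surrounding lines address the service as `$.Service.Name` and `$.Service.Internal` rather than `.Name`, which suggests the dot is not the Service there (likely a ranged domain), so `.Whitelist` should probably be `$.Service.Whitelist`; if the dot really is a string, rendering will fail with a field-lookup error for every service that declares domains. The `{{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }}` form also leaves a trailing comma before `]` in all six hunks, which a strict JSON parser rejects unless the rendered output is normalised afterwards; `{{ range $i, $c := safeWhitelist .Whitelist }}{{ if $i }}, {{ end }}"{{ $c }}"{{ end }}` avoids it. Note as well that an empty whitelist now always attaches a `source-ip` condition of `0.0.0.0/0`, which matches IPv4 only; on a dualstack balancer, IPv6 clients would stop matching these rules, and a request that matches no rule falls through to the listener's default action, so the effective block depends on what that default does. The enclosing resource definitions start outside the hunks.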
7 changes: 7 additions & 0 deletions provider/aws/template.go
Expand Up @@ -75,6 +75,13 @@ func formationHelpers() template.FuncMap {
"safe": func(s string) template.HTML {
return template.HTML(fmt.Sprintf("%q", s))
},
"safeWhitelist": func(s string) []string {
if s == "" {
return []string{"0.0.0.0/0"}
} else {
return strings.Split(s,",")
}
},
"services": func(m *manifest.Manifest) string {
if m == nil {
return ""
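Review bot: `safeWhitelist` splits on `,` without trimming or validating, so a manifest value written as `10.0.0.0/8, 192.168.0.0/16` reaches the `source-ip` condition as `" 192.168.0.0/16"` and any typo travels to CloudFormation unchecked (whether the resulting stack update fails cleanly is not visible here). Template functions may return `(T, error)`, so the helper can trim each entry, check it with `net.ParseCIDR` and abort rendering with a descriptive error instead; the rewrite below needs `net` imported at the top of the file, which is outside the hunk. The `else` after `return` and the unformatted `strings.Split(s,",")` are also not gofmt/staticcheck-clean, and the rewrite removes both. A comment on the empty branch, e.g. `// empty whitelist keeps the previous unrestricted behaviour`, would make the `0.0.0.0/0` default read as intentional. `formationHelpers` and the following `services` helper continue outside the hunk.

```go
"safeWhitelist": func(s string) ([]string, error) {
	// empty whitelist keeps the previous unrestricted behaviour
	if strings.TrimSpace(s) == "" {
		return []string{"0.0.0.0/0"}, nil
	}
	parts := strings.Split(s, ",")
	out := make([]string, 0, len(parts))
	for _, p := range parts {
		p = strings.TrimSpace(p)
		// reject anything that is not a CIDR before it reaches the formation template
		if _, _, err := net.ParseCIDR(p); err != nil {
			return nil, fmt.Errorf("whitelist entry %q: %w", p, err)
		}
		out = append(out, p)
	}
	return out, nil
},
// … unchanged: "services" helper …
```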
