Conditionalize the serverless backend for DMZ vs PROD

cisagov · May 2, 2024 · 4d89031 · 4d89031
1 parent 5310092
commit 4d89031
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 17 deletions.
diff --git a/backend/env.yml b/backend/env.yml
@@ -3,6 +3,13 @@ dev:
   DUMMY:
 
 staging:
+  REGION: us-east-1
+  RESOURCE_POLICY:
+    - Effect: Allow
+      Principal: '*'
+      Action: execute-api:Invoke
+      Resource: execute-api:/${self:provider.stage}/*/*
+  ENDPOINT_TYPE: REGIONAL
   DB_DIALECT: postgres
   DB_PORT: 5432
   DB_HOST: ${ssm:/crossfeed/staging/DATABASE_HOST}
@@ -58,6 +65,13 @@ staging:
   EMAIL_BUCKET_NAME: cisa-crossfeed-staging-html-email
 
 prod:
+  REGION: us-east-1
+  ENDPOINT_TYPE: REGIONAL
+  RESOURCE_POLICY:
+    - Effect: Allow
+      Principal: '*'
+      Action: execute-api:Invoke
+      Resource: execute-api:/${self:provider.stage}/*/*
   DB_DIALECT: postgres
   DB_PORT: 5432
   DB_HOST: ${ssm:/crossfeed/prod/DATABASE_HOST}
@@ -105,6 +119,20 @@ prod:
   EMAIL_BUCKET_NAME: cisa-crossfeed-staging-html-email
 
 staging-lz:
+  REGION: us-gov-east-1
+  RESOURCE_POLICY:
+    - Effect: Deny
+      Principal: '*'
+      Action: 'execute-api:Invoke'
+      Resource: 'execute-api:/${self:provider.stage}/*/*'
+      Condition:
+        StringNotEquals:
+          'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''}
+    - Effect: Allow
+      Principal: '*'
+      Action: execute-api:Invoke
+      Resource: execute-api:/${self:provider.stage}/*/*
+  ENDPOINT_TYPE: PRIVATE
   DB_DIALECT: postgres
   DB_PORT: 5432
   DB_HOST: ${ssm:/crossfeed/staging/DATABASE_HOST}
@@ -159,6 +187,20 @@ staging-lz:
   EMAIL_BUCKET_NAME: cisa-crossfeed-staging-html-email
 
 prod-lz:
+  REGION: us-gov-east-1
+  ENDPOINT_TYPE: PRIVATE
+  RESOURCE_POLICY:
+    - Effect: Deny
+      Principal: '*'
+      Action: 'execute-api:Invoke'
+      Resource: 'execute-api:/${self:provider.stage}/*/*'
+      Condition:
+        StringNotEquals:
+          'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''}
+    - Effect: Allow
+      Principal: '*'
+      Action: execute-api:Invoke
+      Resource: execute-api:/${self:provider.stage}/*/*
   DB_DIALECT: postgres
   DB_PORT: 5432
   DB_HOST: ${ssm:/crossfeed/prod/DATABASE_HOST}
@@ -199,7 +241,6 @@ prod-lz:
   PE_API_URL: ${ssm:/crossfeed/prod/PE_API_URL}
   REPORTS_BUCKET_NAME: cisa-crossfeed-prod-reports
   VPC_ENDPOINT: ${ssm:/crossfeed/prod/BACKEND_VPC_ENDPOINT}
-  EMAIL_BUCKET_NAME: cisa-crossfeed-prod-html-email
   CLOUDWATCH_BUCKET_NAME: cisa-crossfeed-prod-cloudwatch
   STAGE: prod
   PE_FARGATE_CLUSTER_NAME: pe-prod-worker

diff --git a/backend/serverless.yml b/backend/serverless.yml
@@ -16,8 +16,8 @@ custom:
 
 provider:
   name: aws
-  region: us-gov-east-1
-  endpointType: PRIVATE
+  region: ${file(env.yml):${self:provider.stage}.REGION, ''}
+  endpointType: ${file(env.yml):${self:provider.stage}.ENDPOINT_TYPE, ''}
   runtime: nodejs16.x
   timeout: 30
   stage: ${opt:stage, 'dev'}
@@ -29,26 +29,15 @@ provider:
     binaryMediaTypes:
       - image/*
       - font/*
-    resourcePolicy:
-      - Effect: Deny
-        Principal: '*'
-        Action: 'execute-api:Invoke'
-        Resource: 'execute-api:/${self:provider.stage}/*/*'
-        Condition:
-          StringNotEquals:
-            'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''}
-      - Effect: Allow
-        Principal: '*'
-        Action: execute-api:Invoke
-        Resource: execute-api:/${self:provider.stage}/*/*
+    resourcePolicy: ${file(env.yml):${self:provider.stage}.RESOURCE_POLICY, ''}
   logs:
     restApi: true
   deploymentBucket:
     serverSideEncryption: AES256
   iam:
     role:
       statements:
-        # TODO: make the resources more specific.
+        # TODO: make the resources more specific. See Resource: '*' was
         - Effect: Allow
           Action:
             - lambda:InvokeAsync
@@ -61,6 +50,9 @@ provider:
           Action:
             - ecs:RunTask
             - ecs:ListTasks
+            - ecs:DescribeTasks
+            - ecs:DescribeServices
+            - ecs:UpdateService
             - iam:PassRole
             - logs:GetLogEvents
           Resource: '*'
@@ -75,6 +67,8 @@ provider:
             - s3:GetObjectAcl
             - s3:PutObject
             - s3:PutObjectAcl
+            - s3:PutBucketAcl
+            - s3:GetBucketAcl
           Resource: '*'
         - Effect: Allow
           Action:
@@ -112,48 +106,65 @@ provider:
           Resource: '*'
 
 resources:
+  Conditions:
+    IsDMZ:
+      Fn::Or:
+        - Fn::Equals:
+            - ${opt:stage}
+            - staging
+        - Fn::Equals:
+            - ${opt:stage}
+            - prod
   Resources:
     ShodanQueue:
       Type: AWS::SQS::Queue
+      Condition: IsDMZ
       Properties:
         QueueName: ${self:provider.stage}-shodan-queue
         VisibilityTimeout: 18000  # 5 hours
         MaximumMessageSize: 262144  # 256 KB
         MessageRetentionPeriod: 604800  # 7 days
     DnstwistQueue:
       Type: AWS::SQS::Queue
+      Condition: IsDMZ
       Properties:
         QueueName: ${self:provider.stage}-dnstwist-queue
         VisibilityTimeout: 18000  # 5 hours
         MaximumMessageSize: 262144  # 256 KB
         MessageRetentionPeriod: 604800  # 7 days
     HibpQueue:
       Type: AWS::SQS::Queue
+      Condition: IsDMZ
       Properties:
         QueueName: ${self:provider.stage}-hibp-queue
         VisibilityTimeout: 18000  # 5 hours
         MaximumMessageSize: 262144  # 256 KB
         MessageRetentionPeriod: 604800  # 7 days
     IntelxQueue:
       Type: AWS::SQS::Queue
+      Condition: IsDMZ
       Properties:
         QueueName: ${self:provider.stage}-intelx-queue
         VisibilityTimeout: 18000  # 5 hours
         MaximumMessageSize: 262144  # 256 KB
         MessageRetentionPeriod: 604800  # 7 days
     CybersixgillQueue:
       Type: AWS::SQS::Queue
+      Condition: IsDMZ
       Properties:
         QueueName: ${self:provider.stage}-cybersixgill-queue
         VisibilityTimeout: 18000  # 5 hours
         MaximumMessageSize: 262144  # 256 KB
         MessageRetentionPeriod: 604800  # 7 days
+    {% endif %}
 
 functions:
   - ${file(./src/tasks/functions.yml)}
   - ${file(./src/api/functions.yml)}
 
+
 plugins:
   - serverless-better-credentials
   - serverless-domain-manager
   - serverless-webpack
+  - serverless-dotenv-plugin
diff --git a/package.json b/package.json
@@ -24,4 +24,4 @@
     "start": "docker-compose build --parallel && docker-compose up --force-recreate"
   },
   "version": "1.0.0"
-}
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -24,4 +24,4 @@ @@
         "start": "docker-compose build --parallel && docker-compose up --force-recreate"
       },
       "version": "1.0.0"
-    }
+    }