diff --git a/backend/env.yml b/backend/env.yml index 944fe4eb..47d3d8bc 100644 --- a/backend/env.yml +++ b/backend/env.yml @@ -3,6 +3,13 @@ dev: DUMMY: staging: + REGION: us-east-1 + RESOURCE_POLICY: + - Effect: Allow + Principal: '*' + Action: execute-api:Invoke + Resource: execute-api:/${self:provider.stage}/*/* + ENDPOINT_TYPE: REGIONAL DB_DIALECT: postgres DB_PORT: 5432 DB_HOST: ${ssm:/crossfeed/staging/DATABASE_HOST} @@ -58,6 +65,13 @@ staging: EMAIL_BUCKET_NAME: cisa-crossfeed-staging-html-email prod: + REGION: us-east-1 + ENDPOINT_TYPE: REGIONAL + RESOURCE_POLICY: + - Effect: Allow + Principal: '*' + Action: execute-api:Invoke + Resource: execute-api:/${self:provider.stage}/*/* DB_DIALECT: postgres DB_PORT: 5432 DB_HOST: ${ssm:/crossfeed/prod/DATABASE_HOST} @@ -105,6 +119,20 @@ prod: EMAIL_BUCKET_NAME: cisa-crossfeed-staging-html-email staging-lz: + REGION: us-gov-east-1 + RESOURCE_POLICY: + - Effect: Deny + Principal: '*' + Action: 'execute-api:Invoke' + Resource: 'execute-api:/${self:provider.stage}/*/*' + Condition: + StringNotEquals: + 'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''} + - Effect: Allow + Principal: '*' + Action: execute-api:Invoke + Resource: execute-api:/${self:provider.stage}/*/* + ENDPOINT_TYPE: PRIVATE DB_DIALECT: postgres DB_PORT: 5432 DB_HOST: ${ssm:/crossfeed/staging/DATABASE_HOST} @@ -159,6 +187,20 @@ staging-lz: EMAIL_BUCKET_NAME: cisa-crossfeed-staging-html-email prod-lz: + REGION: us-gov-east-1 + ENDPOINT_TYPE: PRIVATE + RESOURCE_POLICY: + - Effect: Deny + Principal: '*' + Action: 'execute-api:Invoke' + Resource: 'execute-api:/${self:provider.stage}/*/*' + Condition: + StringNotEquals: + 'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''} + - Effect: Allow + Principal: '*' + Action: execute-api:Invoke + Resource: execute-api:/${self:provider.stage}/*/* DB_DIALECT: postgres DB_PORT: 5432 DB_HOST: ${ssm:/crossfeed/prod/DATABASE_HOST} 
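Review bot: The staging `RESOURCE_POLICY` grants `execute-api:Invoke` to `Principal: '*'` on every stage and method with no `Condition`, and together with `ENDPOINT_TYPE: REGIONAL` that makes every route reachable from the internet with API Gateway itself enforcing nothing. That is presumably intended for the DMZ stage, but the policy this replaces denied anything not arriving through the VPC endpoint, so authentication now rests entirely on the per-route authorizers in the function files, which are outside this diff — confirm every route has one. If a narrower audience is intended (a WAF, a known CIDR), add a `Condition` such as `IpAddress: { 'aws:SourceIp': [...] }`; either way put the intent above the statement, e.g. `# Intentionally public: DMZ stage, access is enforced by the per-route authorizers`.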
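Review bot: The prod block repeats the staging `RESOURCE_POLICY` verbatim but lists its keys in a different order (`ENDPOINT_TYPE` before `RESOURCE_POLICY`); keeping the two DMZ stages in the same key order makes a later divergence, such as a `Condition` added to one stage but not the other, stand out in a diff. Like staging, this statement allows `Principal: '*'` without any `Condition` on a REGIONAL endpoint and should carry the same one-line comment explaining why the gateway layer is deliberately open and where access control actually happens.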
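Review bot: The staging-lz Deny statement reads the endpoint id through `${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''}`, so if the SSM lookup resolves to nothing the condition becomes `StringNotEquals: 'aws:sourceVpce': ''`, which as far as I can tell denies every caller (a request through the endpoint has a non-empty id, a request without one has no key and `StringNotEquals` evaluates true) instead of failing the deploy. Failing closed is the right direction, but it turns a missing parameter into a silent outage that is hard to trace back to this policy; dropping the fallback, `'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT}`, makes the framework reject the deploy on an unresolved variable (Serverless v3 errors, older versions only warn — check which this project pins). The Deny statement quotes `'execute-api:Invoke'` and its `Resource` while the Allow statement beneath it does not; use one quoting style for the four identical values.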
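Review bot: In the prod-lz policy the `, ''` fallback on the `VPC_ENDPOINT` lookup means an unresolved SSM parameter silently produces a Deny against the empty string, which rejects every request rather than stopping the deploy — a production outage with no error pointing at the cause. Remove the default so the variable must resolve: `'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT}`. The block also orders `ENDPOINT_TYPE` before `RESOURCE_POLICY` whereas staging-lz orders them the other way, and mixes quoted and unquoted forms of the same `execute-api:Invoke` value between the two statements; align both with staging-lz so the two LZ stages diff cleanly.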
@@ -199,7 +241,6 @@ prod-lz: PE_API_URL: ${ssm:/crossfeed/prod/PE_API_URL} REPORTS_BUCKET_NAME: cisa-crossfeed-prod-reports VPC_ENDPOINT: ${ssm:/crossfeed/prod/BACKEND_VPC_ENDPOINT} - EMAIL_BUCKET_NAME: cisa-crossfeed-prod-html-email CLOUDWATCH_BUCKET_NAME: cisa-crossfeed-prod-cloudwatch STAGE: prod PE_FARGATE_CLUSTER_NAME: pe-prod-worker diff --git a/backend/serverless.yml b/backend/serverless.yml index a2db3933..a3a4c96a 100644 --- a/backend/serverless.yml +++ b/backend/serverless.yml @@ -16,8 +16,8 @@ custom: provider: name: aws - region: us-gov-east-1 - endpointType: PRIVATE + region: ${file(env.yml):${self:provider.stage}.REGION, ''} + endpointType: ${file(env.yml):${self:provider.stage}.ENDPOINT_TYPE, ''} runtime: nodejs16.x timeout: 30 stage: ${opt:stage, 'dev'} @@ -29,18 +29,7 @@ provider: binaryMediaTypes: - image/* - font/* - resourcePolicy: - - Effect: Deny - Principal: '*' - Action: 'execute-api:Invoke' - Resource: 'execute-api:/${self:provider.stage}/*/*' - Condition: - StringNotEquals: - 'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''} - - Effect: Allow - Principal: '*' - Action: execute-api:Invoke - Resource: execute-api:/${self:provider.stage}/*/* + resourcePolicy: ${file(env.yml):${self:provider.stage}.RESOURCE_POLICY, ''} logs: restApi: true deploymentBucket: @@ -48,7 +37,7 @@ provider: iam: role: statements: - # TODO: make the resources more specific. + # TODO: make the resources more specific. See Resource: '*' was - Effect: Allow Action: - lambda:InvokeAsync @@ -61,6 +50,9 @@ provider: Action: - ecs:RunTask - ecs:ListTasks + - ecs:DescribeTasks + - ecs:DescribeServices + - ecs:UpdateService - iam:PassRole - logs:GetLogEvents Resource: '*' @@ -75,6 +67,8 @@ provider: - s3:GetObjectAcl - s3:PutObject - s3:PutObjectAcl + - s3:PutBucketAcl + - s3:GetBucketAcl Resource: '*' - Effect: Allow Action: 
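Review bot: `endpointType: ${file(env.yml):${self:provider.stage}.ENDPOINT_TYPE, ''}` replaces a hard-coded `PRIVATE` with a lookup that silently falls back to an empty string for any stage without an `ENDPOINT_TYPE` entry, and the `dev` stage in env.yml gets none in this diff. An empty endpoint type is not one of EDGE/REGIONAL/PRIVATE, so what happens depends on how the framework handles it (probably a validation error, possibly the CloudFormation default), and the same applies to `region`. A setting that decides whether the API is internet-facing should fail closed: `${file(env.yml):${self:provider.stage}.ENDPOINT_TYPE, 'PRIVATE'}`, or no default at all so an unconfigured stage cannot deploy.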
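Review bot: `resourcePolicy: ${file(env.yml):${self:provider.stage}.RESOURCE_POLICY, ''}` removes the file-wide deny-unless-VPC-endpoint policy and makes it per stage, with an empty-string fallback for stages that define none. A stage with no `RESOURCE_POLICY` entry (dev, in this diff) now gets no resource policy at all, and if that stage is ever deployed non-PRIVATE the API has no gateway-level restriction. Prefer failing the deploy (drop the `, ''`) over defaulting to open; if a default must exist, make it the Deny statement that this hunk deletes, not an empty policy.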
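Review bot: `ecs:UpdateService` is added to a statement whose `Resource` is `'*'`, so the Lambda execution role can now change the desired count, task definition and network configuration of any ECS service in the account, not just the Crossfeed clusters named in env.yml; next to the existing `iam:PassRole` on `*` that is a usable privilege-escalation path if the role is ever compromised. The `Describe*` actions are read-only and fine at `*`, but `UpdateService` (and `RunTask`) belong in their own statement scoped to the cluster, e.g. `Resource: !Sub arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:service/${file(env.yml):${self:provider.stage}.PE_FARGATE_CLUSTER_NAME}/*` (use the partition pseudo-parameter now that commercial and GovCloud stages share this file). The TODO above the statement already acknowledges the problem; this hunk widens the gap rather than closing it.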
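Review bot: `s3:PutBucketAcl` on `Resource: '*'` lets the function role rewrite the ACL of every bucket in the account, including making one public — one of the permissions CSPM tooling flags first, and one that is rarely needed at request time. If a Lambda genuinely has to set a bucket ACL, move it to its own statement limited to that bucket (the names are already in env.yml, e.g. `Resource: !Sub arn:${AWS::Partition}:s3:::${file(env.yml):${self:provider.stage}.CLOUDWATCH_BUCKET_NAME}`), and consider whether a bucket policy applied once at provisioning time would do instead. `s3:GetBucketAcl` is harmless but should be scoped the same way rather than added to the wildcard statement.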
@@ -112,9 +106,19 @@ provider: Resource: '*' resources: + Conditions: + IsDMZ: + Fn::Or: + - Fn::Equals: + - ${opt:stage} + - staging + - Fn::Equals: + - ${opt:stage} + - prod Resources: ShodanQueue: Type: AWS::SQS::Queue + Condition: IsDMZ Properties: QueueName: ${self:provider.stage}-shodan-queue VisibilityTimeout: 18000 # 5 hours @@ -122,6 +126,7 @@ resources: MessageRetentionPeriod: 604800 # 7 days DnstwistQueue: Type: AWS::SQS::Queue + Condition: IsDMZ Properties: QueueName: ${self:provider.stage}-dnstwist-queue VisibilityTimeout: 18000 # 5 hours @@ -129,6 +134,7 @@ resources: MessageRetentionPeriod: 604800 # 7 days HibpQueue: Type: AWS::SQS::Queue + Condition: IsDMZ Properties: QueueName: ${self:provider.stage}-hibp-queue VisibilityTimeout: 18000 # 5 hours @@ -136,6 +142,7 @@ resources: MessageRetentionPeriod: 604800 # 7 days IntelxQueue: Type: AWS::SQS::Queue + Condition: IsDMZ Properties: QueueName: ${self:provider.stage}-intelx-queue VisibilityTimeout: 18000 # 5 hours @@ -143,17 +150,21 @@ resources: MessageRetentionPeriod: 604800 # 7 days CybersixgillQueue: Type: AWS::SQS::Queue + Condition: IsDMZ Properties: QueueName: ${self:provider.stage}-cybersixgill-queue VisibilityTimeout: 18000 # 5 hours MaximumMessageSize: 262144 # 256 KB MessageRetentionPeriod: 604800 # 7 days + {% endif %} functions: - ${file(./src/tasks/functions.yml)} - ${file(./src/api/functions.yml)} + plugins: - serverless-better-credentials - serverless-domain-manager - serverless-webpack + - serverless-dotenv-plugin diff --git a/package.json b/package.json index 811cbdf5..8ea54cae 100644 --- a/package.json +++ b/package.json @@ -24,4 +24,4 @@ "start": "docker-compose build --parallel && docker-compose up --force-recreate" }, "version": "1.0.0" -} +} \ No newline at end of file
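Review bot: The `IsDMZ` condition compares `${opt:stage}` with no default, while `provider.stage` is declared as `${opt:stage, 'dev'}`; a deploy without `--stage` therefore resolves the provider to `dev` but leaves `${opt:stage}` unresolved, which Serverless v3 treats as an error (older versions warn and substitute nothing). Use `${self:provider.stage}` in both `Fn::Equals` branches so the condition and the rest of the template agree on the stage. Because only `staging` and `prod` count as DMZ, a `dev` deploy creates none of these SQS queues; any function in `src/tasks/functions.yml` that references them (not visible here) needs the same `Condition` or a guard, or the stack fails on the missing resource.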
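Review bot: The added `{% endif %}` line after `CybersixgillQueue` has no matching `{% if %}` anywhere in the file, and serverless.yml is read directly as YAML rather than through a template engine; since `{` opens a flow mapping and `%` cannot begin a scalar, this line will most likely make the whole file unparseable, so delete it. Separately, `serverless-dotenv-plugin` is added to `plugins` with no `custom.dotenv` configuration; as far as I know the plugin's default is to copy every variable from the stage's `.env` file into the deployed functions' environment, so a developer `.env` holding local credentials (this repo runs locally via docker-compose per package.json) would be shipped into Lambda. Confirm that behaviour for the pinned version and, if it holds, add `custom: dotenv: include: []` or an explicit `exclude` list so only intended keys are exported.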