Merge pull request #455 from cisagov/AL-restrict-IPs

Restrict DMZ API gateways to Glebe VPN
cisagov · Jul 18, 2024 · cc0e9f3 · cc0e9f3
2 parents 71fb37f + 3abcb61
commit cc0e9f3
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 1 deletion.
diff --git a/backend/env.yml b/backend/env.yml
@@ -30,6 +30,7 @@ staging:
   DOMAIN: ${ssm:/crossfeed/staging/DOMAIN}
   FARGATE_SG_ID: ${ssm:/crossfeed/staging/WORKER_SG_ID}
   FARGATE_SUBNET_ID: ${ssm:/crossfeed/staging/WORKER_SUBNET_ID}
+  DMZ_CIDR: ${ssm:/crossfeed/staging/DMZ_CIDR}
   FARGATE_MAX_CONCURRENCY: 100
   SCHEDULER_ORGS_PER_SCANTASK: 10
   FARGATE_CLUSTER_NAME: crossfeed-staging-worker

diff --git a/backend/serverless.yml b/backend/serverless.yml
@@ -33,6 +33,10 @@ provider:
         Principal: '*'
         Action: execute-api:Invoke
         Resource: execute-api:/${self:provider.stage}/*/*
+        Condition:
+          IpAddress:
+            aws:SourceIp:
+              - ${file(env.yml):${self:provider.stage}.DMZ_CIDR, ''}
   logs:
     restApi: true
   deploymentBucket:

diff --git a/frontend/env.yml b/frontend/env.yml
@@ -4,6 +4,7 @@ dev:
 
 staging:
   DOMAIN: staging-cd.crossfeed.cyber.dhs.gov
+  DMZ_CIDR: ${ssm:/crossfeed/staging/DMZ_CIDR}
 
 prod:
   DOMAIN: crossfeed.cyber.dhs.gov

diff --git a/frontend/serverless.yml b/frontend/serverless.yml
@@ -32,7 +32,11 @@ provider:
       - Effect: Allow
         Principal: '*'
         Action: execute-api:Invoke
-        Resource: 'execute-api:/${self:provider.stage}/*/*'
+        Resource: execute-api:/${self:provider.stage}/*/*
+        Condition:
+          IpAddress:
+            aws:SourceIp:
+              - ${file(env.yml):${self:provider.stage}.DMZ_CIDR, ''}
   logs:
     restApi: true
   deploymentBucket: