From 3abcb615222a571e2e1293c460037806ad0b551f Mon Sep 17 00:00:00 2001
From: aloftus23
Date: Thu, 18 Jul 2024 11:46:57 -0400
Subject: [PATCH] Restrict API gateways to Glebe VPN

---
 backend/env.yml | 1 +
 backend/serverless.yml | 4 ++++
 frontend/env.yml | 1 +
 frontend/serverless.yml | 6 +++++-
 4 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/backend/env.yml b/backend/env.yml
index 8928edb6..526ae659 100644
--- a/backend/env.yml
+++ b/backend/env.yml
@@ -30,6 +30,7 @@ staging:
   DOMAIN: ${ssm:/crossfeed/staging/DOMAIN}
   FARGATE_SG_ID: ${ssm:/crossfeed/staging/WORKER_SG_ID}
   FARGATE_SUBNET_ID: ${ssm:/crossfeed/staging/WORKER_SUBNET_ID}
+  DMZ_CIDR: ${ssm:/crossfeed/staging/DMZ_CIDR}
   FARGATE_MAX_CONCURRENCY: 100
   SCHEDULER_ORGS_PER_SCANTASK: 10
   FARGATE_CLUSTER_NAME: crossfeed-staging-worker
diff --git a/backend/serverless.yml b/backend/serverless.yml
index fccb2cd3..279f6d86 100644
--- a/backend/serverless.yml
+++ b/backend/serverless.yml
@@ -33,6 +33,10 @@ provider:
       Principal: '*'
       Action: execute-api:Invoke
       Resource: execute-api:/${self:provider.stage}/*/*
+      Condition:
+        IpAddress:
+          aws:SourceIp:
+            - ${file(env.yml):${self:provider.stage}.DMZ_CIDR, ''}
   logs:
     restApi: true
   deploymentBucket:
diff --git a/frontend/env.yml b/frontend/env.yml
index e1c8ee82..6df1c216 100644
--- a/frontend/env.yml
+++ b/frontend/env.yml
@@ -4,6 +4,7 @@ dev:
 staging:
   DOMAIN: staging-cd.crossfeed.cyber.dhs.gov
+  DMZ_CIDR: ${ssm:/crossfeed/staging/DMZ_CIDR}
 prod:
   DOMAIN: crossfeed.cyber.dhs.gov
diff --git a/frontend/serverless.yml b/frontend/serverless.yml
index 58a94186..94bcfe59 100644
--- a/frontend/serverless.yml
+++ b/frontend/serverless.yml
@@ -32,7 +32,11 @@ provider:
     - Effect: Allow
       Principal: '*'
       Action: execute-api:Invoke
-      Resource: 'execute-api:/${self:provider.stage}/*/*'
+      Resource: execute-api:/${self:provider.stage}/*/*
+      Condition:
+        IpAddress:
+          aws:SourceIp:
+            - ${file(env.yml):${self:provider.stage}.DMZ_CIDR, ''}
   logs:
     restApi: true
   deploymentBucket:
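Review bot: The `''` default on the added `aws:SourceIp` entry in backend/serverless.yml means every stage whose env.yml section has no `DMZ_CIDR` — in this patch that is dev and prod, since only the staging sections gained the key — deploys a resource policy whose sole allowed source is an empty string; depending on how API Gateway validates the document, that is either a rejected deployment or an Allow that matches no address, so the prod API would become unreachable rather than VPN-restricted. The same construct is repeated in the frontend/serverless.yml hunk. It is safer to define `DMZ_CIDR` for every stage that must stay reachable (a prod SSM parameter, an explicit value for dev) and drop the fallback, `- ${file(env.yml):${self:provider.stage}.DMZ_CIDR}`, so a missing value fails at deploy time instead of silently producing an unusable policy. Note also that `aws:SourceIp` is the address API Gateway itself sees: if requests arrive through a proxy such as CloudFront, or over a VPC endpoint (where `aws:VpcSourceIp` is the relevant key), the condition is not evaluated against the VPN client's address, which is worth confirming against the deployment topology. The enclosing `provider` mapping begins before this hunk and continues after it.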
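Review bot: The quotes dropped from the `Resource` line in frontend/serverless.yml are an unrelated cosmetic change inside a security-relevant policy hunk; the plain scalar still parses (no leading `*`, no `: ` or ` #` inside it), so it is harmless, but it pads the diff and is easy to misread as a value change during review. Either keep `Resource: 'execute-api:/${self:provider.stage}/*/*'` as it was, or state in the commit message that the quoting was aligned with backend/serverless.yml. The `provider` mapping enclosing this hunk starts before and ends after it.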