Fix the rules publication Terraform configuration #742
Merged
Conversation
mcdonnnj added labels on Dec 28, 2023: bug (This issue or pull request addresses broken functionality), improvement (This issue or pull request will add or improve functionality, maintainability, or ease of use), terraform (Pull requests that update Terraform code)
mcdonnnj requested review from dav3r, felddy, jasonodoom and jsf9k as code owners on December 28, 2023 21:34
jsf9k approved these changes on Dec 28, 2023
Thank you for fixing this!
dav3r approved these changes on Dec 28, 2023
👍 👍 Thanks for dragging us into the future, kicking and screaming all the way!
Since we are serving this content with a CloudFront distribution now we no longer need the S3 bucket configured as a static website.
Create an Origin Access Identity and configure the CloudFront distribution for the rules bucket to use the newly created OAI.
Add a policy that will allow the CloudFront distribution to read from the rules bucket. This should allow the distribution to correctly access the bucket's contents even though it is completely private.
The bucket that is storing these lists is now set to disallow any ACLs or policies that allow public access. Attempting to set an object that has been uploaded to `public-read` will throw an authorization error as a result.
Origin Access Control is the newer, improved way to secure S3 origins when using CloudFront. Since it effectively replaces Origin Access Identity it makes sense to use it instead.
mcdonnnj force-pushed the bug/adjust_rules_bucket_access branch from 47fc163 to 0904ddd on December 29, 2023 03:59
🗣 Description
This pull request updates the configuration in terraform_egress_pub/ that publishes the rules site listing the IP ranges we publish that are in use for assessments. This includes:

💭 Motivation and context
When #654 was merged I apparently neglected to apply the changes in the terraform_egress_pub/ configuration. As a result a bug went unnoticed until @jsf9k applied his changes for #738 and suddenly the rules site was no longer working. I took a look and realized that the problem was due to the fact that although the bucket was set to use the `private` canned ACL, the script that uploads objects to the bucket would set each uploaded object to use the `public-read` canned ACL. With the addition of an `aws_s3_bucket_public_access_block` for the rules S3 bucket that disallowed any public access it broke access to the objects in the bucket. Adding an OAC and appropriate policy to the bucket allows the CloudFront distribution to access the S3 bucket even if it is completely private.

The static website configuration was removed because
🧪 Testing
Automated tests pass. I applied this in production and verified that the rules site works once more.
✅ Pre-approval checklist
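The failure mode described in the PR body (public access block rejecting `public-read` object ACLs) and the OAC-based fix, written out as an added Terraform example. This is not the project's terraform_egress_pub/ configuration: the bucket name, resource names, the `default_root_object`, and the cache-behavior settings are assumptions chosen to make the snippet self-contained.

```hcl
# Added example, not the project's terraform_egress_pub/ code.
# Assumed: bucket name "example-rules-bucket", the resource names below,
# and a distribution that serves the bucket through one default cache behavior.

resource "aws_s3_bucket" "rules" {
  bucket = "example-rules-bucket" # assumed name
}

# Block every form of public access. Once this is applied, an uploader that
# runs `aws s3 cp ... --acl public-read` gets AccessDenied, because
# block_public_acls rejects PutObject requests that carry a public ACL.
# That is the breakage reported in the PR description; the fix below stops
# relying on object ACLs and lets CloudFront read the private bucket instead.
resource "aws_s3_bucket_public_access_block" "rules" {
  bucket                  = aws_s3_bucket.rules.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Origin Access Control: CloudFront signs its origin requests with SigV4.
# This is the replacement for the legacy Origin Access Identity.
resource "aws_cloudfront_origin_access_control" "rules" {
  name                              = "rules-bucket-oac" # assumed name
  description                       = "Lets the rules distribution read the private rules bucket"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

resource "aws_cloudfront_distribution" "rules" {
  enabled             = true
  default_root_object = "index.html" # assumed

  origin {
    # Use the S3 REST (regional) endpoint, not the static-website endpoint,
    # which no longer exists once the website configuration is removed.
    domain_name              = aws_s3_bucket.rules.bucket_regional_domain_name
    origin_id                = "rules-s3"
    origin_access_control_id = aws_cloudfront_origin_access_control.rules.id
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "rules-s3"
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

# Bucket policy: only the CloudFront service principal may read objects, and
# only when acting for this one distribution (AWS:SourceArn condition).
# Without the condition, any CloudFront distribution in any AWS account could
# be pointed at the bucket and read it (confused-deputy problem).
data "aws_iam_policy_document" "rules_read" {
  statement {
    sid       = "AllowCloudFrontServicePrincipalReadOnly"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.rules.arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.rules.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "rules" {
  bucket = aws_s3_bucket.rules.id
  policy = data.aws_iam_policy_document.rules_read.json
}
```

Two things to check after applying a configuration like this. First, the upload script must stop passing a public ACL (for the AWS CLI, drop `--acl public-read`); the bucket policy above grants read to CloudFront regardless of object ACLs, so the ACL is no longer needed and will be rejected anyway. Second, `aws s3api get-public-access-block --bucket <name>` should show all four settings `true`, and fetching an object directly from the S3 endpoint should return 403 while the same path through the CloudFront domain returns 200; that pair of results confirms the bucket is private and only reachable through the distribution.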