Allow network whitelisting on the service level

Author: beastawakens

pkg/manifest/service.go

@@ -31,6 +31,7 @@ type Service struct {
 	Termination ServiceTermination `yaml:"termination,omitempty"`
 	Test        string             `yaml:"test,omitempty"`
 	Volumes     []string           `yaml:"volumes,omitempty"`
+	Whitelist   string             `yaml:"whitelist,omitempty"`
 }
 
 type Services []Service

provider/aws/formation/service.json.tmpl

@@ -238,7 +238,7 @@
           {{ end }}
           "Properties": {
             "Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if .Internal }}Internal{{ end }}" } } ],
-            "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Join": [ ".", [ "{{$.App}}-{{.Name}}", { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Host" } } ] ] } ] } ],
+            "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Join": [ ".", [ "{{$.App}}-{{.Name}}", { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Host" } } ] ] } ] }, { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
             "ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Listener80" } },
             "Priority": "{{ priority $.App .Name "default" -1 }}"
           }
@@ -250,7 +250,7 @@
           {{ end }}
           "Properties": {
             "Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if .Internal }}Internal{{ end }}" } } ],
-            "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Join": [ ".", [ "{{$.App}}-{{.Name}}", { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Host" } } ] ] } ] } ],
+            "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Join": [ ".", [ "{{$.App}}-{{.Name}}", { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Host" } } ] ] } ] }, { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
             "ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Listener443" } },
             "Priority": "{{ priority $.App .Name "default" -1 }}"
           }
@@ -271,7 +271,7 @@
           "Condition": "InternalDomainsAndRouteHttp",
           "Properties": {
             "Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if .Internal }}Internal{{ end }}" } } ],
-            "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Sub": "{{.Name}}.{{$.App}}.${Rack}.convox" } ] } ],
+            "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Sub": "{{.Name}}.{{$.App}}.${Rack}.convox" } ] } , { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
             "ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Listener80" } },
             "Priority": "{{ priority $.App .Name "internal" -1 }}"
           }
@@ -281,7 +281,7 @@
           "Condition": "InternalDomains",
           "Properties": {
             "Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if .Internal }}Internal{{ end }}" } } ],
-            "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Sub": "{{.Name}}.{{$.App}}.${Rack}.convox" } ] } ],
+            "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Sub": "{{.Name}}.{{$.App}}.${Rack}.convox" } ] } , { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
             "ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Listener443" } },
             "Priority": "{{ priority $.App .Name "internal" -1 }}"
           }
@@ -303,7 +303,7 @@
               {{ end }}
               "Properties": {
               "Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if $.Service.Internal }}Internal{{ end }}" } } ],
-                "Conditions": [ { "Field": "host-header", "Values": [ "{{$domain}}" ] } ],
+                "Conditions": [ { "Field": "host-header", "Values": [ "{{$domain}}" ] } , { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
                 "ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router $.Service.Name $.Manifest }}Listener80" } },
                 "Priority": "{{ priority $.App $.Service.Name $domain $i }}"
               }
@@ -315,7 +315,7 @@
               {{ end }}
               "Properties": {
               "Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if $.Service.Internal }}Internal{{ end }}" } } ],
-                "Conditions": [ { "Field": "host-header", "Values": [ "{{$domain}}" ] } ],
+                "Conditions": [ { "Field": "host-header", "Values": [ "{{$domain}}" ] } , { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
                 "ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router $.Service.Name $.Manifest }}Listener443" } },
                 "Priority": "{{ priority $.App $.Service.Name $domain $i }}"
               }

provider/aws/template.go

@@ -75,6 +75,13 @@ func formationHelpers() template.FuncMap {
 		"safe": func(s string) template.HTML {
 			return template.HTML(fmt.Sprintf("%q", s))
 		},
+		"safeWhitelist": func(s string) []string {
+			if s == "" {
+				return []string{"0.0.0.0/0"}
+			} else {
+				return strings.Split(s,",")
+			}
+		},
 		"services": func(m *manifest.Manifest) string {
 			if m == nil {
 				return ""