Merge pull request #1678 from ministryofjustice/MLPAB-2748-check-requ…

…ests-for-addresses-not-on-the-allow-list-are-dropped

MLPAB-2748 - Check egress via network firewall

.github/workflows/docker_job.yml

@@ -58,6 +58,11 @@ jobs:
             path: ./docker/schedule-runner/Dockerfile
             trivyignores: ./docker/schedule-runner/.trivyignore.yaml
             platforms: linux/amd64
+          - ecr_repository: egress-checker
+            name: egress-checker
+            path: ./docker/egress-checker/Dockerfile
+            trivyignores: ./docker/schedule-runner/.trivyignore.yaml
+            platforms: linux/amd64
 
     runs-on: ubuntu-latest
     name: ${{ matrix.ecr_repository }}

docker/egress-checker/.trivyignore.yaml

@@ -0,0 +1 @@
+misconfigurations:

docker/egress-checker/Dockerfile

@@ -0,0 +1,9 @@
+FROM public.ecr.aws/lambda/python:3.13
+
+WORKDIR ${LAMBDA_TASK_ROOT}
+
+COPY lambda/egress_checker ${LAMBDA_TASK_ROOT}
+
+RUN pip install --no-cache-dir --requirement requirements.txt
+
+CMD [ "main.lambda_handler" ]

lambda/egress_checker/main.py

@@ -0,0 +1,14 @@
+import json
+import requests # type: ignore
+
+def lambda_handler(event, context):
+    response = requests.get('https://google.com')
+    return {
+        'statusCode': response.status_code,
+        'body': response.text
+    }
+
+
+if __name__ == '__main__':
+    output = lambda_handler("event", "contenxt")
+    print(output)

lambda/egress_checker/requirements.txt

@@ -0,0 +1 @@
+requests==v2.32.3

terraform/account/region/network.tf

@@ -1,5 +1,5 @@
 module "network" {
-  source                         = "github.com/ministryofjustice/opg-terraform-aws-firewalled-network?ref=v0.2.10"
+  source                         = "github.com/ministryofjustice/opg-terraform-aws-firewalled-network?ref=v0.2.12"
   cidr                           = var.network_cidr_block
   enable_dns_hostnames           = true
   enable_dns_support             = true

terraform/environment/region/egress-checker.tf

@@ -0,0 +1,16 @@
+module "egress_checker" {
+  count                         = var.egress_checker_enabled ? 0 : 1
+  source                        = "./modules/egress_checker"
+  lambda_function_image_ecr_url = var.egress_checker_repository_url
+  lambda_function_image_tag     = var.egress_checker_container_version
+  event_received_lambda_role    = var.iam_roles.event_received_lambda
+  vpc_config = {
+    subnet_ids         = data.aws_subnet.application[*].id
+    security_group_ids = [data.aws_security_group.lambda_egress.id]
+  }
+
+  providers = {
+    aws.region     = aws.region
+    aws.management = aws.management
+  }
+}

terraform/environment/region/modules/egress_checker/main.tf

@@ -0,0 +1,28 @@
+data "aws_kms_alias" "cloudwatch_application_logs_encryption" {
+  name     = "alias/${data.aws_default_tags.current.tags.application}_cloudwatch_application_logs_encryption"
+  provider = aws.region
+}
+
+data "aws_default_tags" "current" {
+  provider = aws.region
+}
+
+module "egress_checker" {
+  source               = "../lambda"
+  lambda_name          = "egress-checker"
+  description          = "Function to check egress from the VPC via the network firewall"
+  image_uri            = "${var.lambda_function_image_ecr_url}:${var.lambda_function_image_tag}"
+  aws_iam_role         = var.event_received_lambda_role
+  environment          = data.aws_default_tags.current.tags.environment-name
+  kms_key              = data.aws_kms_alias.cloudwatch_application_logs_encryption.target_key_arn
+  iam_policy_documents = []
+  timeout              = 300
+  memory               = 1024
+  vpc_config = {
+    subnet_ids         = var.vpc_config.subnet_ids
+    security_group_ids = var.vpc_config.security_group_ids
+  }
+  providers = {
+    aws.region = aws.region
+  }
+}

terraform/environment/region/modules/egress_checker/variables.tf

@@ -0,0 +1,19 @@
+variable "lambda_function_image_ecr_url" {
+  type = string
+}
+
+variable "lambda_function_image_tag" {
+  type = string
+}
+
+variable "event_received_lambda_role" {
+  type = any
+}
+
+variable "vpc_config" {
+  description = "Configuration block for VPC"
+  type = object({
+    subnet_ids         = list(string)
+    security_group_ids = list(string)
+  })
+}

terraform/environment/region/modules/egress_checker/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.5.2"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.82.0"
+      configuration_aliases = [
+        aws.region,
+        aws.management
+      ]
+    }
+  }
+}

terraform/environment/region/variables.tf

@@ -194,3 +194,18 @@ variable "waf_alb_association_enabled" {
   description = "Enable WAF association with the ALBs"
   default     = true
 }
+
+variable "egress_checker_repository_url" {
+  type        = string
+  description = "Repository URL for the egress-checker lambda function"
+}
+
+variable "egress_checker_container_version" {
+  type        = string
+  description = "Container version the egress-checker lambda function"
+}
+
+variable "egress_checker_enabled" {
+  type    = bool
+  default = false
+}

terraform/environment/regions.tf

@@ -13,6 +13,11 @@ data "aws_ecr_repository" "mock_pay" {
   provider = aws.management_eu_west_1
 }
 
+data "aws_ecr_repository" "egress_checker" {
+  name     = "egress-checker"
+  provider = aws.management_eu_west_1
+}
+
 data "aws_ecr_image" "mock_onelogin" {
   repository_name = data.aws_ecr_repository.mock_onelogin.name
   image_tag       = "latest"
@@ -46,6 +51,9 @@ module "eu_west_1" {
   mock_onelogin_service_container_version = data.aws_ecr_image.mock_onelogin.id
   mock_pay_service_repository_url         = data.aws_ecr_repository.mock_pay.repository_url
   mock_pay_service_container_version      = var.container_version
+  egress_checker_repository_url           = data.aws_ecr_repository.egress_checker.repository_url
+  egress_checker_container_version        = var.container_version
+  egress_checker_enabled                  = local.environment.egress_checker_enabled
   ingress_allow_list_cidr                 = module.allow_list.moj_sites
   alb_deletion_protection_enabled         = local.environment.application_load_balancer.deletion_protection_enabled
   waf_alb_association_enabled             = local.environment.application_load_balancer.waf_alb_association_enabled
@@ -116,6 +124,9 @@ module "eu_west_2" {
   mock_onelogin_service_container_version = local.mock_onelogin_version
   mock_pay_service_repository_url         = data.aws_ecr_repository.mock_pay.repository_url
   mock_pay_service_container_version      = var.container_version
+  egress_checker_repository_url           = data.aws_ecr_repository.egress_checker.repository_url
+  egress_checker_container_version        = var.container_version
+  egress_checker_enabled                  = local.environment.egress_checker_enabled
   ingress_allow_list_cidr                 = module.allow_list.moj_sites
   alb_deletion_protection_enabled         = local.environment.application_load_balancer.deletion_protection_enabled
   waf_alb_association_enabled             = local.environment.application_load_balancer.waf_alb_association_enabled

terraform/environment/terraform.tfvars.json

@@ -27,6 +27,7 @@
       },
       "mock_onelogin_enabled": false,
       "mock_pay_enabled": true,
+      "egress_checker_enabled": false,
       "uid_service": {
         "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
         "api_arns": [
@@ -112,6 +113,7 @@
       },
       "mock_onelogin_enabled": false,
       "mock_pay_enabled": true,
+      "egress_checker_enabled": false,
       "uid_service": {
         "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
         "api_arns": [
@@ -197,6 +199,7 @@
       },
       "mock_onelogin_enabled": true,
       "mock_pay_enabled": false,
+      "egress_checker_enabled": false,
       "uid_service": {
         "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
         "api_arns": [
@@ -282,6 +285,7 @@
       },
       "mock_onelogin_enabled": true,
       "mock_pay_enabled": true,
+      "egress_checker_enabled": false,
       "uid_service": {
         "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
         "api_arns": [
@@ -367,6 +371,7 @@
       },
       "mock_onelogin_enabled": true,
       "mock_pay_enabled": true,
+      "egress_checker_enabled": false,
       "uid_service": {
         "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
         "api_arns": [
@@ -452,6 +457,7 @@
       },
       "mock_onelogin_enabled": false,
       "mock_pay_enabled": true,
+      "egress_checker_enabled": false,
       "uid_service": {
         "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
         "api_arns": [
@@ -537,6 +543,7 @@
       },
       "mock_onelogin_enabled": false,
       "mock_pay_enabled": false,
+      "egress_checker_enabled": false,
       "uid_service": {
         "base_url": "https://preproduction.lpa-uid.api.opg.service.justice.gov.uk",
         "api_arns": [
@@ -622,6 +629,7 @@
       },
       "mock_onelogin_enabled": false,
       "mock_pay_enabled": false,
+      "egress_checker_enabled": false,
       "uid_service": {
         "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
         "api_arns": [

terraform/environment/variables.tf

@@ -50,8 +50,9 @@ variable "environments" {
         fault_injection_experiments_enabled     = bool
         real_user_monitoring_cw_logs_enabled    = bool
       })
-      mock_onelogin_enabled = bool
-      mock_pay_enabled      = bool
+      mock_onelogin_enabled  = bool
+      mock_pay_enabled       = bool
+      egress_checker_enabled = bool
       uid_service = object({
         base_url = string
         api_arns = list(string)