diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml index f9e45d593..4aadf879b 100644 --- a/.github/workflows/docker_job.yml +++ b/.github/workflows/docker_job.yml @@ -58,6 +58,11 @@ jobs: path: ./docker/schedule-runner/Dockerfile trivyignores: ./docker/schedule-runner/.trivyignore.yaml platforms: linux/amd64 + - ecr_repository: egress-checker + name: egress-checker + path: ./docker/egress-checker/Dockerfile + trivyignores: ./docker/schedule-runner/.trivyignore.yaml + platforms: linux/amd64 runs-on: ubuntu-latest name: ${{ matrix.ecr_repository }} diff --git a/docker/egress-checker/.trivyignore.yaml b/docker/egress-checker/.trivyignore.yaml new file mode 100644 index 000000000..34b4c0887 --- /dev/null +++ b/docker/egress-checker/.trivyignore.yaml @@ -0,0 +1 @@ +misconfigurations: diff --git a/docker/egress-checker/Dockerfile b/docker/egress-checker/Dockerfile new file mode 100644 index 000000000..156de5162 --- /dev/null +++ b/docker/egress-checker/Dockerfile @@ -0,0 +1,9 @@ +FROM public.ecr.aws/lambda/python:3.13 + +WORKDIR ${LAMBDA_TASK_ROOT} + +COPY lambda/egress_checker ${LAMBDA_TASK_ROOT} + +RUN pip install --no-cache-dir --requirement requirements.txt + +CMD [ "main.lambda_handler" ] diff --git a/lambda/egress_checker/main.py b/lambda/egress_checker/main.py new file mode 100644 index 000000000..137cd95d6 --- /dev/null +++ b/lambda/egress_checker/main.py @@ -0,0 +1,14 @@ +import json +import requests # type: ignore + +def lambda_handler(event, context): + response = requests.get('https://google.com') + return { + 'statusCode': response.status_code, + 'body': response.text + } + + +if __name__ == '__main__': + output = lambda_handler("event", "contenxt") + print(output) diff --git a/lambda/egress_checker/requirements.txt b/lambda/egress_checker/requirements.txt new file mode 100644 index 000000000..cc16f6915 --- /dev/null +++ b/lambda/egress_checker/requirements.txt @@ -0,0 +1 @@ +requests==v2.32.3 
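Review bot: The new matrix entry's `trivyignores` points at `./docker/schedule-runner/.trivyignore.yaml`, so the Trivy scan of the egress-checker image would be filtered through another image's suppressions, while the `docker/egress-checker/.trivyignore.yaml` this commit creates is never read. Changing the line to `trivyignores: ./docker/egress-checker/.trivyignore.yaml` keeps each image's ignore list scoped to that image, so a finding suppressed for schedule-runner cannot silently hide the same finding here.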
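Review bot: `FROM public.ecr.aws/lambda/python:3.13` is a mutable tag, so the image built from this Dockerfile can change between builds with no change in this repository; pinning the base image with an `@sha256:<digest placeholder>` suffix (and letting the usual dependency bot bump it) makes the base image part of what is reviewed. The same gap exists in `requirements.txt`, where `requests==v2.32.3` pins a version but not an artifact; `pip install --require-hashes` against a hash-pinned requirements file would close it. The leading `v` in `v2.32.3` is accepted by pip's version parsing but is not how releases are written on PyPI, so `requests==2.32.3` is the conventional form.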
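Review bot: `requests.get('https://google.com')` has no `timeout`, so when the firewall silently drops the traffic — the very case this function exists to detect — the call blocks until Lambda kills the invocation (the module's `timeout = 300` suggests five minutes) and the checker returns nothing at all. Giving the request a short `timeout=` and catching `requests.RequestException` lets the handler report "no egress" as an explicit result instead of a timeout. Returning `response.text` also copies the full body of an external page into the Lambda response and its logs, which nothing here needs; the status code and a reachable flag are enough. The `__main__` block passes `"contenxt"` where `context` is meant, which is harmless but worth fixing while here.

```python
# Probed to prove outbound HTTPS passes the network firewall.
EGRESS_CHECK_URL = "https://google.com"
# Kept well below the function timeout so a dropped connection is reported, not killed.
REQUEST_TIMEOUT_SECONDS = 10


def lambda_handler(event, context):
    """Probe EGRESS_CHECK_URL and report whether the VPC has outbound access."""
    try:
        response = requests.get(EGRESS_CHECK_URL, timeout=REQUEST_TIMEOUT_SECONDS)
    except requests.RequestException as exc:
        # Timeouts and connection errors are the "egress blocked" signal this checker exists to report.
        return {
            "statusCode": 503,
            "body": json.dumps({"url": EGRESS_CHECK_URL, "reachable": False, "error": type(exc).__name__}),
        }
    return {
        "statusCode": response.status_code,
        "body": json.dumps({"url": EGRESS_CHECK_URL, "reachable": True}),
    }

# … unchanged: __main__ block …
```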
diff --git a/terraform/account/region/network.tf b/terraform/account/region/network.tf index ee152a87b..30913e63d 100644 --- a/terraform/account/region/network.tf +++ b/terraform/account/region/network.tf @@ -1,5 +1,5 @@ module "network" { - source = "github.com/ministryofjustice/opg-terraform-aws-firewalled-network?ref=v0.2.10" + source = "github.com/ministryofjustice/opg-terraform-aws-firewalled-network?ref=v0.2.12" cidr = var.network_cidr_block enable_dns_hostnames = true enable_dns_support = true diff --git a/terraform/environment/.terraform.lock.hcl b/terraform/environment/.terraform.lock.hcl index c9f9b6929..296e54586 100644 --- a/terraform/environment/.terraform.lock.hcl +++ b/terraform/environment/.terraform.lock.hcl @@ -5,20 +5,7 @@ provider "registry.terraform.io/hashicorp/aws" { version = "5.82.2" constraints = "~> 5.82.0" hashes = [ - "h1:A+p239yxppdk209lLSm/YZZTwigdiloBefOHV9rzLIk=", - "h1:DA8G6qWp+4EefwZ6gZeaWI7ecKCG8bYXO1XUfpA2Oy8=", - "h1:ERlzacp7dxBqlMqk1mVwsZvRE0kxpWOK3EeexukKEoY=", - "h1:KLvAcTBRhfBJIC61eaNvoagQe1+3K+iyYCve7LoMmw0=", - "h1:RuPaHbllUB8a2TGTyc149wJfoh6zhIEjUvFYKR6iP2E=", - "h1:b3TPdC4w/Klrj5a/Eeb8WSmvESCwy7FWT4J86i91BqM=", "h1:ce6Dw2y4PpuqAPtnQ0dO270dRTmwEARqnfffrE1VYJ8=", - "h1:eSyOtevg4bRxHEjpATM2qxhx82R52j2+MNSpPqzmuas=", - "h1:g9Ym3RVn2jvSmVXjMSJL1trPwGvPt1Df5yp8B2qT+sU=", - "h1:kQr3M8lD6q2CdFAGp/IeXzmkbRdMfCgwzWtFUNTwAZI=", - "h1:or5d7gv2fCgeStMdIgFLpj7ag66vs+2PDH6ae1YR0dI=", - "h1:pWMnp8J8DJT7Q+sd0P1/tE1z9tUo441XR5zmNxRBF1s=", - "h1:t33jWBPtYLRbbFEnYf/eajkrvhA3w2oEDirIv6TJbZA=", - "h1:xeNk4aWj5/bjPodhIu26+AGKLnqlSEqev7dsOhIDUUQ=", "zh:0262fc96012fb7e173e1b7beadd46dfc25b1dc7eaef95b90e936fc454724f1c8", "zh:397413613d27f4f54d16efcbf4f0a43c059bd8d827fe34287522ae182a992f9b", "zh:436c0c5d56e1da4f0a4c13129e12a0b519d12ab116aed52029b183f9806866f3", 
@@ -60,18 +47,6 @@ provider "registry.terraform.io/pagerduty/pagerduty" { version = "3.18.3" constraints = "3.18.3" hashes = [ - "h1:9quOpmQG7JeoNBIHYtLhqMwkfzQpXxRlKMdOKyq8oSE=", - "h1:9u037HJeZIZ5O+p0BNNdJ6qa4nRCL91YXMYr0IeFN1Y=", - "h1:EQpDz0Nvtj1ZbKYLnL8uEAyF/ke72/0ckBEZ2TVUXfE=", - "h1:G+fVDTVdx8r4mou3FHB28mRxI0r3qtHaWmgg/9Q6knM=", - "h1:HEBFuIkgK1wMsfn0hYAgMFynYpgTP0axUJnuK1gVb7M=", - "h1:KDdMGO3MTOpskTC9LwUAHjsRqdB9pTeoVaCSG08kVEg=", - "h1:QUARiq/j6gN95KGn6/GeWK7CdgSfwnjr/fZ/m0rfhvQ=", - "h1:SXGpIzyqWLmv0CiVhMIMC0S3ddC5WTC9NquH3btoc6k=", - "h1:eyQcLgY08KiR8Pik9fLfkRq9/u4GGIX+CRrxrNiczX0=", - "h1:qigmzi4qxiGDHay5k/EDZNFu7sRE3n55xfDacxOp864=", - "h1:rK4S7mg2y4Rhe9oXRahMgA6p9UHZPZy+B9vXy7TNkcg=", - "h1:s05/lXhIXBMwrMYPMOTpsq5JvRZO3Dg2KWRfSP+6Aog=", "h1:vv5BxrgnJF1mv2Excn5hMj5UXGMD/JCYC36LoqwE+5M=", "zh:18d9c8f2d3e411d6e50c79ea9d7c7f1b2fee31d3b66c7032c68b5c18a8e7e420", "zh:3911eef8c66f3bb66e67be46781cc5f6cdf6f3089cada782f291b2a7b7bbb110", diff --git a/terraform/environment/region/egress-checker.tf b/terraform/environment/region/egress-checker.tf new file mode 100644 index 000000000..f79ba728d --- /dev/null +++ b/terraform/environment/region/egress-checker.tf @@ -0,0 +1,16 @@ +module "egress_checker" { + count = var.egress_checker_enabled ? 0 : 1 + source = "./modules/egress_checker" + lambda_function_image_ecr_url = var.egress_checker_repository_url + lambda_function_image_tag = var.egress_checker_container_version + event_received_lambda_role = var.iam_roles.event_received_lambda + vpc_config = { + subnet_ids = data.aws_subnet.application[*].id + security_group_ids = [data.aws_security_group.lambda_egress.id] + } + + providers = { + aws.region = aws.region + aws.management = aws.management + } +} diff --git a/terraform/environment/region/modules/egress_checker/main.tf b/terraform/environment/region/modules/egress_checker/main.tf new file mode 100644 index 000000000..43326544e --- /dev/null +++ b/terraform/environment/region/modules/egress_checker/main.tf 
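Review bot: `count = var.egress_checker_enabled ? 0 : 1` is inverted: with every environment in `terraform.tfvars.json` set to `"egress_checker_enabled": false` the module is created everywhere, and flipping the flag to true would plan a destroy. It should read `count = var.egress_checker_enabled ? 1 : 0`. Separately, `event_received_lambda_role = var.iam_roles.event_received_lambda` runs the checker under the event-received function's execution role, so the probe inherits every permission that role carries; a dedicated role with only the logging and VPC networking permissions a one-request probe needs would keep it least-privilege and stop a change to one function's role from widening the other.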
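@@ -0,0 +1,28 @@
+data "aws_kms_alias" "cloudwatch_application_logs_encryption" {
+ name = "alias/${data.aws_default_tags.current.tags.application}_cloudwatch_application_logs_encryption"
+ provider = aws.region
+}
+
+data "aws_default_tags" "current" {
+ provider = aws.region
+}
+
+module "egress_checker" {
+ source = "../lambda"
+ lambda_name = "egress-checker"
+ description = "Function to check egress from the VPC via the network firewall"
+ image_uri = "${var.lambda_function_image_ecr_url}:${var.lambda_function_image_tag}"
+ aws_iam_role = var.event_received_lambda_role
+ environment = data.aws_default_tags.current.tags.environment-name
+ kms_key = data.aws_kms_alias.cloudwatch_application_logs_encryption.target_key_arn
+ iam_policy_documents = []
+ timeout = 300
+ memory = 1024
+ vpc_config = {
+ subnet_ids = var.vpc_config.subnet_ids
+ security_group_ids = var.vpc_config.security_group_ids
+ }
+ providers = {
+ aws.region = aws.region
+ }
+}
diff --git a/terraform/environment/region/modules/egress_checker/variables.tf b/terraform/environment/region/modules/egress_checker/variables.tf
new file mode 100644
index 000000000..6e047c448
--- /dev/null
+++ b/terraform/environment/region/modules/egress_checker/variables.tf
@@ -0,0 +1,19 @@
+variable "lambda_function_image_ecr_url" {
+ type = string
+}
+
+variable "lambda_function_image_tag" {
+ type = string
+}
+
+variable "event_received_lambda_role" {
+ type = any
+}
+
+variable "vpc_config" {
+ description = "Configuration block for VPC"
+ type = object({
+ subnet_ids = list(string)
+ security_group_ids = list(string)
+ })
+}
diff --git a/terraform/environment/region/modules/egress_checker/versions.tf b/terraform/environment/region/modules/egress_checker/versions.tf
new file mode 100644
index 000000000..d8b02f0ea
--- /dev/null
+++ b/terraform/environment/region/modules/egress_checker/versions.tf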
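Review bot: `timeout = 300` and `memory = 1024` are generous for a function that performs a single HTTP GET, and with a five-minute timeout a blocked egress path holds each invocation for that long before it fails; a value in the tens of seconds, just above the client's own request timeout, would surface a block quickly and cap the cost of a stuck probe. `iam_policy_documents = []` is consistent with the probe needing no permissions beyond its role, which deserves a one-line comment such as `# the probe only needs log and VPC ENI access; do not attach policies here` so the next reader does not widen it. I am assuming the `../lambda` module takes `timeout` in seconds as `aws_lambda_function` does; that module is outside this diff.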
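Review bot: `event_received_lambda_role` is declared `type = any`, which lets any value flow through to `aws_iam_role` in main.tf; if the `../lambda` module expects a role ARN or a role object (it is outside this diff, so I cannot tell which), narrowing the type here makes that contract explicit and fails at plan time rather than at apply. Three of the four variables also lack a `description`; `description = "ECR repository URL of the egress-checker image"`, `description = "Image tag of the egress-checker image to deploy"` and `description = "Execution role for the egress-checker function"` would bring them in line with `vpc_config`.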
@@ -0,0 +1,14 @@ +terraform { + required_version = ">= 1.5.2" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.82.0" + configuration_aliases = [ + aws.region, + aws.management + ] + } + } +} diff --git a/terraform/environment/region/variables.tf b/terraform/environment/region/variables.tf index 9b4a65e6e..c4ed4b2e3 100644 --- a/terraform/environment/region/variables.tf +++ b/terraform/environment/region/variables.tf @@ -194,3 +194,18 @@ variable "waf_alb_association_enabled" { description = "Enable WAF association with the ALBs" default = true } + +variable "egress_checker_repository_url" { + type = string + description = "Repository URL for the egress-checker lambda function" +} + +variable "egress_checker_container_version" { + type = string + description = "Container version the egress-checker lambda function" +} + +variable "egress_checker_enabled" { + type = bool + default = false +} diff --git a/terraform/environment/regions.tf b/terraform/environment/regions.tf index f35a37f7d..0e12d2ce2 100644 --- a/terraform/environment/regions.tf +++ b/terraform/environment/regions.tf @@ -13,6 +13,11 @@ data "aws_ecr_repository" "mock_pay" { provider = aws.management_eu_west_1 } +data "aws_ecr_repository" "egress_checker" { + name = "egress-checker" + provider = aws.management_eu_west_1 +} + data "aws_ecr_image" "mock_onelogin" { repository_name = data.aws_ecr_repository.mock_onelogin.name image_tag = "latest" 
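Review bot: `configuration_aliases` declares `aws.management`, but nothing in the module's main.tf references it — both data sources and the `../lambda` call use `aws.region` only — so the caller in egress-checker.tf is made to pass a provider the module never uses. Either drop `aws.management` here and from the caller's `providers` block, or add a comment stating what it is reserved for so the requirement does not look accidental.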
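Review bot: The description of `egress_checker_container_version` reads `Container version the egress-checker lambda function`, missing a word; `description = "Container version for the egress-checker lambda function"` is what is meant. `egress_checker_enabled` carries no description at all, and since its consumer in egress-checker.tf currently deploys the module when the flag is `false`, a line such as `description = "Deploy the egress-checker lambda in this region"` pins down which meaning is intended.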
@@ -46,6 +51,9 @@ module "eu_west_1" {
 mock_onelogin_service_container_version = data.aws_ecr_image.mock_onelogin.id
 mock_pay_service_repository_url = data.aws_ecr_repository.mock_pay.repository_url
 mock_pay_service_container_version = var.container_version
+ egress_checker_repository_url = data.aws_ecr_repository.egress_checker.repository_url
+ egress_checker_container_version = var.container_version
+ egress_checker_enabled = local.environment.egress_checker_enabled
 ingress_allow_list_cidr = module.allow_list.moj_sites
 alb_deletion_protection_enabled = local.environment.application_load_balancer.deletion_protection_enabled
 waf_alb_association_enabled = local.environment.application_load_balancer.waf_alb_association_enabled
@@ -116,6 +124,9 @@ module "eu_west_2" {
 mock_onelogin_service_container_version = local.mock_onelogin_version
 mock_pay_service_repository_url = data.aws_ecr_repository.mock_pay.repository_url
 mock_pay_service_container_version = var.container_version
+ egress_checker_repository_url = data.aws_ecr_repository.egress_checker.repository_url
+ egress_checker_container_version = var.container_version
+ egress_checker_enabled = local.environment.egress_checker_enabled
 ingress_allow_list_cidr = module.allow_list.moj_sites
 alb_deletion_protection_enabled = local.environment.application_load_balancer.deletion_protection_enabled
 waf_alb_association_enabled = local.environment.application_load_balancer.waf_alb_association_enabled
diff --git a/terraform/environment/terraform.tfvars.json b/terraform/environment/terraform.tfvars.json
index a1bf01098..c7b673ca4 100644
--- a/terraform/environment/terraform.tfvars.json
+++ b/terraform/environment/terraform.tfvars.json
@@ -27,6 +27,7 @@
 },
 "mock_onelogin_enabled": false,
 "mock_pay_enabled": true,
+ "egress_checker_enabled": false,
 "uid_service": {
 "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
 "api_arns": [
@@ -112,6 +113,7 @@
 },
 "mock_onelogin_enabled": false,
 "mock_pay_enabled": true,
+ "egress_checker_enabled": false,
 "uid_service": {
 "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
 "api_arns": [
@@ -197,6 +199,7 @@
 },
 "mock_onelogin_enabled": true,
 "mock_pay_enabled": false,
+ "egress_checker_enabled": false,
 "uid_service": {
 "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
 "api_arns": [
@@ -282,6 +285,7 @@
 },
 "mock_onelogin_enabled": true,
 "mock_pay_enabled": true,
+ "egress_checker_enabled": false,
 "uid_service": {
 "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
 "api_arns": [
@@ -367,6 +371,7 @@
 },
 "mock_onelogin_enabled": true,
 "mock_pay_enabled": true,
+ "egress_checker_enabled": false,
 "uid_service": {
 "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
 "api_arns": [
@@ -452,6 +457,7 @@
 },
 "mock_onelogin_enabled": false,
 "mock_pay_enabled": true,
+ "egress_checker_enabled": false,
 "uid_service": {
 "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
 "api_arns": [
@@ -537,6 +543,7 @@
 },
 "mock_onelogin_enabled": false,
 "mock_pay_enabled": false,
+ "egress_checker_enabled": false,
 "uid_service": {
 "base_url": "https://preproduction.lpa-uid.api.opg.service.justice.gov.uk",
 "api_arns": [
@@ -622,6 +629,7 @@
 },
 "mock_onelogin_enabled": false,
 "mock_pay_enabled": false,
+ "egress_checker_enabled": false,
 "uid_service": {
 "base_url": "https://development.lpa-uid.api.opg.service.justice.gov.uk",
 "api_arns": [
diff --git a/terraform/environment/variables.tf b/terraform/environment/variables.tf
index 3d918fe47..e27797a41 100644
--- a/terraform/environment/variables.tf
+++ b/terraform/environment/variables.tf
@@ -50,8 +50,9 @@ variable "environments" {
 fault_injection_experiments_enabled = bool
 real_user_monitoring_cw_logs_enabled = bool
 })
- mock_onelogin_enabled = bool
- mock_pay_enabled = bool
+ mock_onelogin_enabled = bool
+ mock_pay_enabled = bool
+ egress_checker_enabled = bool
 uid_service = object({
 base_url = string
 api_arns = list(string)