Tighten up firewall rules for access to postgresl

Allow access only from the private subnet
ooni · Jan 15, 2025 · 8536e8e · 8536e8e
1 parent cae575b
commit 8536e8e
Show file tree

Hide file tree

Showing 7 changed files with 34 additions and 42 deletions.
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
@@ -152,6 +152,10 @@ module "oonipg" {
   db_storage_type          = "standard"
   db_allocated_storage     = "5"
   db_max_allocated_storage = null
+
+  allow_cidr_blocks     = module.network.vpc_subnet_private[*].cidr_block
+  allow_security_groups = []
+
   tags = merge(
     local.tags,
     { Name = "ooni-tier0-postgres" }
@@ -326,9 +330,7 @@ module "ooniapi_ooniprobe" {
   # First run should be set on first run to bootstrap the task definition
   # first_run = true
 
-  vpc_id             = module.network.vpc_id
-  public_subnet_ids  = module.network.vpc_subnet_public[*].id
-  private_subnet_ids = module.network.vpc_subnet_private[*].id
+  vpc_id = module.network.vpc_id
 
   service_name             = "ooniprobe"
   default_docker_image_url = "ooni/api-ooniprobe:latest"
@@ -378,9 +380,7 @@ module "ooniapi_reverseproxy" {
   # First run should be set on first run to bootstrap the task definition
   # first_run = true
 
-  vpc_id             = module.network.vpc_id
-  public_subnet_ids  = module.network.vpc_subnet_public[*].id
-  private_subnet_ids = module.network.vpc_subnet_private[*].id
+  vpc_id = module.network.vpc_id
 
   service_name             = "reverseproxy"
   default_docker_image_url = "ooni/api-reverseproxy:latest"
@@ -394,7 +394,7 @@ module "ooniapi_reverseproxy" {
   }
 
   task_environment = {
-    TARGET_URL               = "https://backend-hel.ooni.org/"
+    TARGET_URL = "https://backend-hel.ooni.org/"
   }
 
   ooniapi_service_security_groups = [
@@ -456,9 +456,7 @@ module "ooniapi_oonirun" {
 
   task_memory = 64
 
-  vpc_id             = module.network.vpc_id
-  public_subnet_ids  = module.network.vpc_subnet_public[*].id
-  private_subnet_ids = module.network.vpc_subnet_private[*].id
+  vpc_id = module.network.vpc_id
 
   service_name             = "oonirun"
   default_docker_image_url = "ooni/api-oonirun:latest"
@@ -506,9 +504,7 @@ module "ooniapi_oonifindings" {
 
   task_memory = 64
 
-  vpc_id             = module.network.vpc_id
-  public_subnet_ids  = module.network.vpc_subnet_public[*].id
-  private_subnet_ids = module.network.vpc_subnet_private[*].id
+  vpc_id = module.network.vpc_id
 
   service_name             = "oonifindings"
   default_docker_image_url = "ooni/api-oonifindings:latest"
@@ -557,9 +553,7 @@ module "ooniapi_ooniauth" {
 
   task_memory = 64
 
-  vpc_id             = module.network.vpc_id
-  public_subnet_ids  = module.network.vpc_subnet_public[*].id
-  private_subnet_ids = module.network.vpc_subnet_private[*].id
+  vpc_id = module.network.vpc_id
 
   service_name             = "ooniauth"
   default_docker_image_url = "ooni/api-ooniauth:latest"

diff --git a/tf/modules/ecs_cluster/outputs.tf b/tf/modules/ecs_cluster/outputs.tf
@@ -13,3 +13,7 @@ output "cluster_id" {
 output "web_security_group_id" {
   value = aws_security_group.web.id
 }
+
+output "container_security_group_id" {
+  value = aws_security_group.container_host.id
+}
diff --git a/tf/modules/ooniapi_service/main.tf b/tf/modules/ooniapi_service/main.tf
@@ -55,12 +55,12 @@ resource "aws_ecs_task_definition" "ooniapi_service" {
   container_definitions = jsonencode([
     {
       memoryReservation = var.task_memory,
-      essential = true,
+      essential         = true,
       image = try(
         data.aws_ecs_container_definition.ooniapi_service_current[0].image,
         var.default_docker_image_url
       ),
-      name   = local.name,
+      name = local.name,
 
       portMappings = [
         {

diff --git a/tf/modules/ooniapi_service/variables.tf b/tf/modules/ooniapi_service/variables.tf
@@ -23,16 +23,6 @@ variable "vpc_id" {
   description = "the id of the VPC to deploy the instance into"
 }
 
-variable "public_subnet_ids" {
-  description = "the ids of the subnet of the subnets to deploy the instance into"
-  type        = list(string)
-}
-
-variable "private_subnet_ids" {
-  description = "the ids of the subnet of the subnets to deploy the instance into"
-  type        = list(string)
-}
-
 variable "tags" {
   description = "tags to apply to the resources"
   default     = {}
@@ -74,4 +64,4 @@ variable "task_environment" {
 variable "ooniapi_service_security_groups" {
   description = "the shared web security group from the ecs cluster"
   type        = list(string)
-}
+}
diff --git a/tf/modules/postgresql/main.tf b/tf/modules/postgresql/main.tf
@@ -5,10 +5,11 @@ resource "aws_security_group" "pg" {
   name_prefix = "oonipg"
 
   ingress {
-    protocol    = "tcp"
-    from_port   = 5432
-    to_port     = 5432
-    cidr_blocks = var.allow_cidr_blocks
+    protocol        = "tcp"
+    from_port       = 5432
+    to_port         = 5432
+    security_groups = var.allow_security_groups
+    cidr_blocks     = var.allow_cidr_blocks
   }
 
   egress {
@@ -51,12 +52,12 @@ resource "aws_db_instance" "pg" {
   db_name                     = var.pg_db_name
   username                    = var.pg_username
   manage_master_user_password = true
-  parameter_group_name    = var.db_parameter_group
-  db_subnet_group_name    = aws_db_subnet_group.pg.name
-  vpc_security_group_ids  = [aws_security_group.pg.id]
-  skip_final_snapshot     = true
-  backup_retention_period = 7
-  publicly_accessible     = true
+  parameter_group_name        = var.db_parameter_group
+  db_subnet_group_name        = aws_db_subnet_group.pg.name
+  vpc_security_group_ids      = [aws_security_group.pg.id]
+  skip_final_snapshot         = true
+  backup_retention_period     = 7
+  publicly_accessible         = true
 
   # Enable deletion protection in production
   deletion_protection = true

diff --git a/tf/modules/postgresql/outputs.tf b/tf/modules/postgresql/outputs.tf
@@ -17,5 +17,5 @@ output "secrets_manager_pg_login_id" {
   description = "The postgres password to login as pg_username into pg_db_name as a secrets_manager_id"
   # Due to: https://github.com/hashicorp/terraform-provider-aws/issues/34094
   # If changing this on an old instance you have to run it manually
-  value       = aws_db_instance.pg.master_user_secret[0].secret_arn
+  value = aws_db_instance.pg.master_user_secret[0].secret_arn
 }
diff --git a/tf/modules/postgresql/variables.tf b/tf/modules/postgresql/variables.tf
@@ -55,9 +55,12 @@ variable "db_parameter_group" {
   default = "default.postgres16"
 }
 
-
 variable "allow_cidr_blocks" {
-  default = ["0.0.0.0/0"]
+  default = []
+}
+
+variable "allow_security_groups" {
+  default = []
 }
 
 variable "db_multi_az" {