IP whitelisting lambda function


#1

Hi all,

So Insight is building a lambda function to update the security groups on a cron job. This will allow security groups to be kept reasonably up to date based on how often it runs but I believe there is a better solution than this we can work on later.

The function is deployed via terraform and uses terraform within the function itself to change the security groups. It does this by pulling the ip whitelist from https://download.solidwallet.io/conf/prep_iplist.json, rendering a jinja template to come up with a new list of security group rules, and then applies those changes to the security groups.

You can find the currently WIP code here:

I considered using the raw AWS CLI to do this as it will be faster (~2 seconds) vs (~12 seconds) but then you have to do extra operations such as reading the security groups and then changing only the ones that exist. I thought that would be more difficult than just using terraform so I am going to go with that so that the state of the security groups can be tracked entirely in terraform remote state. Happy to see if anyone wants to make this with the AWS CLI as it will be better that way in some ways.

This was just the cron job version of this code and hoping to later include this within an event driven system where the security groups can be modified in response to certain alarms or an API call. Lots that can happen but most importantly, it will lock down our network and not need maintenance when a node IP changes or if a node decides to incorporate DDoS protection by advertising a list of sentry node proxies instead of the actual IP. Still a little fuzzy there on implementation.

Let me know what you think!
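The pipeline described in the post (fetch the whitelist JSON, turn it into security group rules, hand them to terraform) as an added example; this is not the Insight code from the thread. It assumes a shape for prep_iplist.json (a top-level "prep_iplist" list of objects with "name" and "ip" keys), assumes two node ports, and uses a placeholder security group id; the sample list is constructed. Instead of a jinja template it emits Terraform JSON syntax, which terraform reads natively, so the function has no template dependency. The point a defender wants here is the validation step: the feed is remote input that directly becomes firewall rules, so malformed or loopback/link-local/multicast entries are dropped, duplicates collapse, and an empty result refuses to render rather than silently stripping every rule.

```python
"""Render AWS security group ingress rules from a remote IP whitelist.

Added example (not the thread's code). Assumed feed shape:
    {"prep_iplist": [{"name": "...", "ip": "..."}, ...]}
Output is a Terraform JSON-syntax document (what you would write to rules.tf.json).
"""
import ipaddress
import json

# Constructed sample in the assumed shape; these are documentation addresses, not real nodes.
SAMPLE_IPLIST = json.dumps({
    "prep_iplist": [
        {"name": "node-a", "ip": "203.0.113.10"},
        {"name": "node-b", "ip": "198.51.100.7"},
        {"name": "node-b-dup", "ip": "198.51.100.7"},  # duplicate: must collapse to one CIDR
        {"name": "broken", "ip": "not-an-ip"},         # malformed: must be dropped
        {"name": "loopback", "ip": "127.0.0.1"},       # never valid in a public whitelist
    ]
})

ASSUMED_PORTS = (7100, 9000)  # assumption: node p2p/RPC ports; take these from the real node config


def _acceptable(addr):
    """Reject address classes that should never come from a public whitelist feed."""
    return not (addr.is_loopback or addr.is_link_local or addr.is_multicast
                or addr.is_unspecified or addr.is_reserved)


def parse_iplist(raw, key="prep_iplist"):
    """Return (sorted unique host CIDRs, number of rejected entries).

    Rejected entries are counted, not fatal, so one bad record in the feed
    cannot take the whole refresh down; the caller can alarm on the count.
    """
    entries = json.loads(raw).get(key, [])
    cidrs, rejected = set(), 0
    for entry in entries:
        try:
            addr = ipaddress.ip_address(entry["ip"])
        except (KeyError, TypeError, ValueError):
            rejected += 1
            continue
        if not _acceptable(addr):
            rejected += 1
            continue
        cidrs.add(f"{addr}/{addr.max_prefixlen}")  # single-host CIDR (/32 or /128)
    return sorted(cidrs), rejected


def render_tf_json(cidrs, security_group_id, ports=ASSUMED_PORTS):
    """Build one aws_security_group_rule per port carrying the whole whitelist.

    Refuses an empty list: applying it would strip every ingress rule, which is
    the opposite of the intended "lock down" outcome.
    """
    if not cidrs:
        raise ValueError("empty whitelist: refusing to render rules")
    rules = {}
    for port in ports:
        rules[f"prep_whitelist_{port}"] = {
            "type": "ingress",
            "security_group_id": security_group_id,
            "protocol": "tcp",
            "from_port": port,
            "to_port": port,
            "cidr_blocks": list(cidrs),  # sorted upstream, so the plan stays stable
            "description": "P-Rep whitelist (auto-generated)",
        }
    return {"resource": {"aws_security_group_rule": rules}}


def build_config(raw, security_group_id):
    """Full pipeline: feed text in, Terraform JSON text out (plus rejected count)."""
    cidrs, rejected = parse_iplist(raw)
    return json.dumps(render_tf_json(cidrs, security_group_id), indent=2), rejected


if __name__ == "__main__":
    text, bad = build_config(SAMPLE_IPLIST, "sg-0123456789abcdef0")  # placeholder SG id
    print(text)
    print(f"rejected entries: {bad}")
```

Writing the result to a `.tf.json` file next to the provider config and running `terraform apply` is the "apply those changes" step; because every CIDR sits in one rule per port, a changed node IP shows up in the plan as an update to that rule rather than a new resource per node. Each CIDR still counts toward the security group's per-rule quota, so the rejected count and the list length are both worth logging from the lambda.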


#2

Use SAM: https://github.com/awslabs/serverless-application-model


#3

Can you leave more constructive feedback than a one line suggestion to rewrite all the code I just posted?

I know of SAM though for my use case and direction I didn’t think it was the right tool. This project will evolve into more terraform related things and in the meantime terraform is more than adequate to run simple serverless functions.


#4

That’s my feedback, if you want to write tons of terraform to do simple things, feel free to do so.
I merely suggested a simpler way to do things. It’s a simple lambda function triggered by a CW event.

It seems you are not open to feedback or learning anything. I will refrain from providing any feedback but just think about the fact that the community will have to operate those things.

Good luck with your project!


#5

Cool so one person thinks I should rewrite the most basic part that works just fine.

Anybody else have any feedback on the concept I am building? I know @thelionshire and I talked about this idea and it seems like something like this is needed. This code can easily be modified to integrate with anybody's stack.

Also to be very clear about the SAM proposal that was mentioned, terraform is an extremely popular way of running serverless and there is nothing wrong with it. Check this video out for a quick explanation or watch the whole thing as it is excellent. The rest of the infrastructure will be in terraform (here’s a quick comment that compares it with cloudformation, i.e. what SAM produces) so it is only natural I did it all in that framework so it is cohesive within my stack. Nothing wrong with SAM though, seems like a great tool.


#6

Hi everyone.

This is working now. It is very integrated with our one-click deployment and I am happy to talk with anyone if they want it generalized to fit in another setup. Could use some work later to make it responsive to an SQS queue and an endpoint off API gateway though there are higher priorities for Insight at the moment.

Hope this is useful!