Hi all,
So Insight is building a lambda function to update the security groups on a cron job. This will allow security groups to be kept reasonably up to date based on how often it runs but I believe there is a better solution than this we can work on later.
The function is deployed via terraform and uses terraform within the function itself to change the security groups. It does this by pulling the ip whitelist from https://download.solidwallet.io/conf/prep_iplist.json, rendering a jinja template to come up with a new list of security group rules, and then applies those changes to the security groups.
You can find the currently WIP code here:
I considered using the raw AWS CLI to do this as it will be faster (~2 seconds vs ~12 seconds), but then you have to do extra operations such as reading the security groups and then changing only the ones that exist. I thought that would be more difficult than just using terraform, so I am going to go with that so that the state of the security groups can be tracked entirely in terraform remote state. Happy to see if anyone wants to make this with the AWS CLI, as it will be better that way in some ways.
This was just the cron job version of this code, and I'm hoping to later include this within an event driven system where the security groups can be modified in response to certain alarms or an API call. Lots that can happen, but most importantly, it will lock down our network and not need maintenance when a node IP changes or if a node decides to incorporate DDoS protection by advertising a list of sentry node proxies instead of the actual IP. Still a little fuzzy there on implementation.
Let me know what you think!