Assign least-privilege IAM policies to pipeline

Author: chriswilty

cloud/README.md

@@ -28,7 +28,7 @@ Generates the CloudFormation templates for a "dev stage" build pipeline.
 Generates the CloudFormation templates for a "production stage" build pipeline.
 
 `npm run cdk:synth -- --context STAGE={STAGENAME}`  
-Generates the CloudFormation templates for a build pipeline, stage given by `{STAGENAME}`.
+Generates the CloudFormation templates for a build pipeline, for the given stage name
 
 `npm run cdk:deploy:all`  
 Deploys the synthesized pipeline to an AWS Environment, as defined by your active AWS config profile.
@@ -54,8 +54,8 @@ costs.
 
 `npm run cdk:test:deploy` - deploys these stacks to AWS as "dev" stage
 
-All being successful, you should see the application login screen at `https://dev.spylogic.ai`. Log into the AWS Console to add a
-user to the dev Cognito userpool, then log into the UI to test app deployment was successful.
+All being successful, you should see the application login screen at `https://dev.spylogic.ai`. Log into the AWS Console
+to add a user to the dev Cognito userpool, then log into the UI to test app deployment was successful.
 
 `npm run cdk:test:destroy` - Remember to destroy the stacks after testing, else you will rack up costs!
 
@@ -66,52 +66,115 @@ user to the dev Cognito userpool, then log into the UI to test app deployment wa
 At the time of writing, current infrastructure costs us around $60 per month, with just two AZs for the load balancer,
 deployed into `eu-north-1`. This is one of the [greenest AWS regions](https://app.electricitymaps.com/map), but costs
 are about average. The vast majority of the bill is for the VPC, Load Balancer and NAT EC2 Instance. We have tasks on
-our todo list to reduce these costs (such as removing the NAT Instance in favour of IPv6 egress), but those are
-work-in-progress.
+our todo list to reduce these costs (radical idea: convert container app to REDIS-backed lambdas).
 
 The bottom line: remember to destroy your stacks when no longer needed!
 
 ## First-time admin tasks
 
 When setting up the CDK project for the first time, there are a few one-time tasks you must complete.
 
-### Bootstrapping the CDK using a Developer Policy
+### Bootstrapping the CDK
 
 In order to deploy AWS resources to a remote environment using CDK, you must first
 [bootstrap the CDK](https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html). For this project, as per
 [CDK guidelines](https://aws.amazon.com/blogs/devops/secure-cdk-deployments-with-iam-permission-boundaries/), we are
 using a lightweight permissions boundary to restrict permissions, to prevent creation of new users or roles with
 elevated permissions. See `cdk-developer-policy.yaml` for details.
 
-Note that once the pipeline is deployed, it is a good idea to restrict permissions further, so that only the pipeline
-can make changes to the stacks.
+We also have a set of [IAM Managed Policies](./permissions/README.md) that restrict what CloudFormation is allowed to
+do, as CDK by default allows full AdministratorAccess! 😵 🤢 🤮
 
-Create the permissions boundary CloudFormation stack:
+Note that once the pipeline is deployed, it's a good idea to restrict permissions for developers further, so that only
+the pipeline can make changes to the stacks, via approved GitHub merges.
 
-```
+1. Create permissions boundary stack
+
+```shell
 aws cloudformation create-stack \
   --stack-name CDKDeveloperPolicy \
   --template-body file://cdk-developer-policy.yaml \
   --capabilities CAPABILITY_NAMED_IAM
 ```
 
-Then bootstrap the CDK:
-
+2. Create IAM managed policies
+
+```shell
+aws iam create-policy \
+  --policy-name cdk-execution-policy-basics \
+  --policy-document file://permissions/execution_policy_basics.json \
+  --description "Baseline permissions for cloudformation deployments"
+
+aws iam create-policy \
+  --policy-name cdk-execution-policy-cloudfront \
+  --policy-document file://permissions/execution_policy_cloudfront.json \
+  --description "Permissions to deploy cloudfront resources, except for lambda@edge functions"
+
+aws iam create-policy \
+  --policy-name cdk-execution-policy-cognito \
+  --policy-document file://permissions/execution_policy_cognito.json \
+  --description "Permissions to deploy cognito userpools and related resources"
+
+aws iam create-policy \
+  --policy-name cdk-execution-policy-edgelambda \
+  --policy-document file://permissions/execution_policy_edgelambda.json \
+  --description "Permissions to deploy lambda@edge functions for a cloudfront distribution"
+
+aws iam create-policy \
+  --policy-name cdk-execution-policy-pipeline \
+  --policy-document file://permissions/execution_policy_pipeline.json \
+  --description "Permissions to deploy a codepipeline and codebuild projects"
+
+aws iam create-policy \
+  --policy-name cdk-execution-policy-route53 \
+  --policy-document file://permissions/execution_policy_route53.json \
+  --description "Permissions to deploy domain records and ACM certificates"
+
+aws iam create-policy \
+  --policy-name cdk-execution-policy-vpc \
+  --policy-document file://permissions/execution_policy_vpc.json \
+  --description "Permissions to deploy VPC, EC2 and ECS resources for a Fargate-managed container app"
 ```
-# install dependencies if not already done
-npm install
 
-# run the bootstrap command
-npx cdk bootstrap --custom-permissions-boundary cdk-developer-policy
+3. Bootstrap the CDK environment
+
+```shell
+# install dependencies if you've not already done so
+npm install
 ```
 
-Unless your default region is `us-east-1`, you will also need to bootstrap this region, as certificates for CloudFront
-currently need to be deployed there:
+If your primary region is NOT `us-east-1`, you will need to bootstrap that region as well, as
+currently Lambda@Edge functions can only be deployed to `us-east-1`:
 
+```shell
+# Bootstrap primary region
+npx cdk bootstrap aws://{account}/{region} \
+  --custom-permissions-boundary cdk-developer-policy \
+  --cloudformation-execution-policies "arn:aws:iam::{account}:policy/cdk-execution-policy-basics,arn:aws:iam::{account}:policy/cdk-execution-policy-cloudfront,arn:aws:iam::{account}:policy/cdk-execution-policy-cognito,arn:aws:iam::{account}:policy/cdk-execution-policy-pipeline,arn:aws:iam::{account}:policy/cdk-execution-policy-route53,arn:aws:iam::{account}:policy/cdk-execution-policy-vpc"
+
+# Bootstrap us-east-1 for cloudfront
+npx cdk bootstrap aws://{account}/us-east-1 \
+  --custom-permissions-boundary cdk-developer-policy \
+  --cloudformation-execution-policies "arn:aws:iam::{account}:policy/cdk-execution-policy-basics,arn:aws:iam::{account}:policy/cdk-execution-policy-edgelambda"
 ```
-npx cdk bootstrap --custom-permissions-boundary cdk-developer-policy aws://YOUR_ACCOUNT_NUMBER/us-east-1
+
+If your primary region IS `us-east-1`, then you only need one bootstrap command:
+
+```shell
+# Bootstrap us-east-1
+npx cdk bootstrap aws://{account}/us-east-1 \
+  --custom-permissions-boundary cdk-developer-policy \
+  --cloudformation-execution-policies "arn:aws:iam::{account}:policy/cdk-execution-policy-basics,arn:aws:iam::{account}:policy/cdk-execution-policy-cloudfront,arn:aws:iam::{account}:policy/cdk-execution-policy-cognito,arn:aws:iam::{account}:policy/cdk-execution-policy-edgelambda,arn:aws:iam::{account}:policy/cdk-execution-policy-pipeline,arn:aws:iam::{account}:policy/cdk-execution-policy-route53,arn:aws:iam::{account}:policy/cdk-execution-policy-vpc"
 ```
 
+### SSM Parameters
+
+There are two Parameters needed when the stacks are deployed, so ensure these are added before you deploy the
+pipeline first time:
+
+- `DOMAIN_NAME` - Domain where the application will be available
+- `HOSTED_ZONE_ID` - We advise you create your Hosted Zone manually (via the AWS Console) before deploying the stacks
+
 ### Server secrets
 
 The Node Express server needs a couple of secret values, which are injected into the container environment during

cloud/bin/pipeline.ts

@@ -25,20 +25,23 @@ const tags = {
 	stage: stageName(app),
 };
 
+const generateStackName = stackName(app);
+const generateDescription = resourceDescription(app);
+
 /* Pipeline is now responsible for deploying all other Stacks */
 
-const pipelineUsEast1Stack = new PipelineAssistUsEast1Stack(
-	app,
-	stackName(app)('pipeline-useast1'),
-	{
-		description: resourceDescription(app)('Code Pipeline Cross-Region resources stack (us-east-1)'),
-		env,
-		tags,
-	}
-);
-
-new PipelineStack(app, stackName(app)('pipeline'), {
-	description: resourceDescription(app)('Code Pipeline stack'),
+const pipelineUsEast1StackName = generateStackName('pipeline-useast1');
+const pipelineUsEast1Stack = new PipelineAssistUsEast1Stack(app, pipelineUsEast1StackName, {
+	stackName: pipelineUsEast1StackName,
+	description: generateDescription('Code Pipeline Cross-Region resources stack (us-east-1)'),
+	env,
+	tags,
+});
+
+const pipelineStackName = generateStackName('pipeline');
+new PipelineStack(app, pipelineStackName, {
+	stackName: pipelineStackName,
+	description: generateDescription('Code Pipeline stack'),
 	env,
 	tags,
 	usEast1Bucket: pipelineUsEast1Stack.resourceBucket,

cloud/lib/app-stage.ts

@@ -30,28 +30,36 @@ export class AppStage extends Stage {
 		const generateDescription = resourceDescription(scope);
 		const generateStackName = stackName(scope);
 
-		const hostedZoneStack = new HostedZoneStack(this, generateStackName('hostedzone'), {
+		const hostedZoneStackName = generateStackName('hostedzone');
+		const hostedZoneStack = new HostedZoneStack(this, hostedZoneStackName, {
+			stackName: hostedZoneStackName,
 			description: generateDescription('Hosted Zone stack'),
 			env,
 			tags,
 		});
 
-		const certificateStack = new CertificateStack(this, generateStackName('certificate'), {
+		const certificateStackName = generateStackName('certificate');
+		const certificateStack = new CertificateStack(this, certificateStackName, {
+			stackName: certificateStackName,
 			description: generateDescription('Certificate stack'),
 			env,
 			tags,
 			domainName: hostedZoneStack.topLevelDomain.value as string,
 			hostedZone: hostedZoneStack.hostedZone,
 		});
 
-		const authStack = new AuthStack(this, generateStackName('auth'), {
+		const authStackName = generateStackName('auth');
+		const authStack = new AuthStack(this, authStackName, {
+			stackName: authStackName,
 			description: generateDescription('Auth stack'),
 			env,
 			tags,
 			domainName: hostedZoneStack.topLevelDomain.value as string,
 		});
 
-		new ApiStack(this, generateStackName('api'), {
+		const apiStackName = generateStackName('api');
+		new ApiStack(this, apiStackName, {
+			stackName: apiStackName,
 			description: generateDescription('API stack'),
 			env,
 			tags,
@@ -63,7 +71,9 @@ export class AppStage extends Stage {
 			hostedZone: hostedZoneStack.hostedZone,
 		});
 
-		const uiStack = new UiStack(this, generateStackName('ui'), {
+		const uiStackName = generateStackName('ui');
+		const uiStack = new UiStack(this, uiStackName, {
+			stackName: uiStackName,
 			description: generateDescription('UI stack'),
 			env,
 			tags,

cloud/lib/pipeline-stack.ts

@@ -1,4 +1,8 @@
-import { BuildEnvironmentVariableType, BuildSpec } from 'aws-cdk-lib/aws-codebuild';
+import {
+	BuildEnvironmentVariable,
+	BuildEnvironmentVariableType,
+	BuildSpec,
+} from 'aws-cdk-lib/aws-codebuild';
 import { PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { IBucket } from 'aws-cdk-lib/aws-s3';
 import { Stack, StackProps } from 'aws-cdk-lib/core';
@@ -25,18 +29,44 @@ export class PipelineStack extends Stack {
 		const generateResourceId = resourceId(scope);
 		const stage = stageName(scope);
 
-		const sourceCode = CodePipelineSource.connection('ScottLogic/prompt-injection', 'main', {
-			connectionArn: `arn:aws:codestar-connections:${env.region}:${env.account}:connection/05c0f0a4-2233-4269-a697-33a339f8a6bc`,
-		});
+		// FIXME Reset branch to 'main' !!!
+		const sourceCode = CodePipelineSource.connection(
+			'ScottLogic/prompt-injection',
+			'feature/aws-cloud-infrastructure',
+			{
+				//connectionArn: `arn:aws:codestar-connections:${env.region}:${env.account}:connection/05c0f0a4-2233-4269-a697-33a339f8a6bc`,
+				connectionArn: `arn:aws:codestar-connections:eu-north-1:${env.account}:connection/05c0f0a4-2233-4269-a697-33a339f8a6bc`,
+			}
+		);
 
 		const hostBucketName = generateResourceId('host-bucket');
 
+		const identityProviderEnv: Record<string, BuildEnvironmentVariable> =
+			process.env.IDP_NAME?.toUpperCase() === 'AZURE'
+				? {
+						IDP_NAME: {
+							type: BuildEnvironmentVariableType.PLAINTEXT,
+							value: 'AZURE',
+						},
+						AZURE_APPLICATION_ID: {
+							type: BuildEnvironmentVariableType.PARAMETER_STORE,
+							value: 'AZURE_APPLICATION_ID',
+						},
+						AZURE_TENANT_ID: {
+							type: BuildEnvironmentVariableType.PARAMETER_STORE,
+							value: 'AZURE_TENANT_ID',
+						},
+					}
+				: {};
+
 		const pipeline = new CodePipeline(this, generateResourceId('pipeline'), {
 			synth: new ShellStep('Synth', {
 				input: sourceCode,
 				installCommands: ['npm ci'],
-				commands: ['cd cloud', `npm run cdk:synth -- --context STAGE=${stage}`],
-				primaryOutputDirectory: 'cloud/cdk.out',
+				// FIXME Revert this to `npm run cdk:synth -- --context STAGE=${stage}`
+				commands: ['cd cloud', 'npm run cdk:dev:synth'],
+				// FIXME Revert this to 'cloud/cdk.out'
+				primaryOutputDirectory: 'cloud/cdk.dev.out',
 			}),
 			synthCodeBuildDefaults: {
 				buildEnvironment: {
@@ -49,18 +79,7 @@ export class PipelineStack extends Stack {
 							type: BuildEnvironmentVariableType.PARAMETER_STORE,
 							value: 'HOSTED_ZONE_ID',
 						},
-						IDP_NAME: {
-							type: BuildEnvironmentVariableType.PLAINTEXT,
-							value: 'AZURE',
-						},
-						AZURE_APPLICATION_ID: {
-							type: BuildEnvironmentVariableType.PARAMETER_STORE,
-							value: 'AZURE_APPLICATION_ID',
-						},
-						AZURE_TENANT_ID: {
-							type: BuildEnvironmentVariableType.PARAMETER_STORE,
-							value: 'AZURE_TENANT_ID',
-						},
+						...identityProviderEnv,
 					},
 				},
 			},
@@ -74,6 +93,8 @@ export class PipelineStack extends Stack {
 
 		// Pre-deployment quality checks
 		deployment.addPre(
+			// TODO Add a ConfirmPermissionsBroadening step:
+			// new ConfirmPermissionsBroadening('Check Permissions', { stage: appStage }),
 			new CodeBuildStep('API-CodeChecks', {
 				input: sourceCode,
 				commands: [

cloud/lib/ui-stack.ts

@@ -96,29 +96,27 @@ export class UiStack extends Stack {
 		If so, we might be able to switch to a CloudFront Function instead of Edge,
 		and use CloudFront KeyValueStore to hold our jwks value as JSON.
 		*/
-		const verifierEdgeFunction = new experimental.EdgeFunction(
-			this,
-			generateResourceId('api-gatekeeper'),
-			{
-				stackId: stackName(scope)('edge-lambda'),
-				handler: 'index.handler',
-				runtime: Runtime.NODEJS_18_X,
-				code: new TypeScriptCode(join(__dirname, 'lambdas/verifyAuth/index.ts'), {
-					buildOptions: {
-						bundle: true,
-						external: ['@aws-sdk/client-ssm'],
-						minify: false,
-						platform: 'node',
-						target: 'node18',
-						define: {
-							'process.env.DOMAIN_NAME': `"${domainName}"`,
-							'process.env.PARAM_USERPOOL_ID': `"${parameterNameUserPoolId}"`,
-							'process.env.PARAM_USERPOOL_CLIENT': `"${parameterNameUserPoolClient}"`,
-						},
+		const edgeFunctionName = generateResourceId('api-gatekeeper');
+		const verifierEdgeFunction = new experimental.EdgeFunction(this, edgeFunctionName, {
+			stackId: stackName(scope)('edge-lambda'),
+			functionName: edgeFunctionName,
+			handler: 'index.handler',
+			runtime: Runtime.NODEJS_18_X,
+			code: new TypeScriptCode(join(__dirname, 'lambdas/verifyAuth/index.ts'), {
+				buildOptions: {
+					bundle: true,
+					external: ['@aws-sdk/client-ssm'],
+					minify: false,
+					platform: 'node',
+					target: 'node18',
+					define: {
+						'process.env.DOMAIN_NAME': `"${domainName}"`,
+						'process.env.PARAM_USERPOOL_ID': `"${parameterNameUserPoolId}"`,
+						'process.env.PARAM_USERPOOL_CLIENT': `"${parameterNameUserPoolClient}"`,
 					},
-				}),
-			}
-		);
+				},
+			}),
+		});
 		verifierEdgeFunction.addToRolePolicy(
 			new PolicyStatement({
 				effect: Effect.ALLOW,

cloud/package.json

@@ -19,6 +19,10 @@
 		"cdk:test:destroy": "cdk destroy --app cdk.test.out",
 		"cdk:test:destroy:all": "cdk destroy --app cdk.test.out --all",
 		"cdk:test:clean": "rimraf cdk.test.out",
+		"cdk:dev:synth": "cdk synth -o cdk.dev.out --context STAGE=dev",
+		"cdk:dev:deploy": "cdk deploy --app cdk.dev.out --all",
+		"cdk:dev:destroy": "cdk destroy --app cdk.dev.out --all",
+		"cdk:dev:clean": "rimraf cdk.dev.out",
 		"codecheck": "concurrently \"npm run lint:check\" \"npm run format:check\"",
 		"format": "prettier . --write",
 		"format:check": "prettier . --check",