Skip to content

Secure security group rules #43

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Jun 25, 2025
Merged

Secure security group rules #43

merged 7 commits into from
Jun 25, 2025

Conversation

PyMedic
Copy link

@PyMedic PyMedic commented Jun 24, 2025

closes #22

@PyMedic PyMedic changed the base branch from develop to main June 24, 2025 22:32
@PyMedic
Added the egress rules for DatabaseClientSecurityGroups to allow acce…
db942a0 
…ss to the Internet for Canvas Data API and the RDS Aurora Cluster.
@PyMedic
Copy link
Author

PyMedic commented Jun 25, 2025

For DatabaseClientSecurityGroup, I added the outbound rules for:

  • TCP Port 5432, Destination: DatabaseSecurityGroup
    • To allow access to the Canvas Data 2 RDS cluster.
  • TCP 443, Destination: 0.0.0.0/0
    • To allow access to the Canvas Data API

For EmptySecurityGroup, which executes the ListTables Lambda function, I added the outbound to rule for:

  • TCP 443, Destination: 0.0.0.0/0
    • To allow access to the Canvas Data API

I deployed the changes to ubcla-stg.

I tested EmptySecurityGroup by running the ubcla-canvas-data-2-ListTablesFunction in ubcla-stg, and it worked properly.

I also executed the ubcla-canvas-data-2-state-machine, and it ran successfully.

@PyMedic PyMedic requested a review from jlongland June 25, 2025 00:29
jlongland
jlongland requested changes Jun 25, 2025
View reviewed changes
Copy link

@jlongland jlongland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Sung. I noted a couple of small changes.

template.yaml Outdated
Comment on lines 365 to 372
DatabaseClientSGToEgress5439:
Type: AWS::EC2::SecurityGroupEgress
Properties:
GroupId: !Ref DatabaseClientSecurityGroup
IpProtocol: tcp
FromPort: 5432
ToPort: 5432
DestinationSecurityGroupId: !Sub ${DatabaseSecurityGroupParameter}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Be mindful of conditions we should cover to keep our changes upstream friendly.

  1. CreateDatabaseSecurityGroup
  2. ExistingDatabaseSecurityGroup - Where someone has an existing database security group that they'd like to use.

I'd do this:

  DatabaseClientEgressToDatabase:
    Type: AWS::EC2::SecurityGroupEgress
    Condition: CreateDatabaseSecurityGroup
    Properties:
      GroupId: !Ref DatabaseClientSecurityGroup
      IpProtocol: tcp
      FromPort: 5432
      ToPort: 5432
      DestinationSecurityGroupId: !GetAtt DatabaseSecurityGroup.GroupId

  DatabaseClientEgressToExistingDatabase:
    Type: AWS::EC2::SecurityGroupEgress
    Condition: ExistingDatabaseSecurityGroup
    Properties:
      GroupId: !Ref DatabaseClientSecurityGroup
      IpProtocol: tcp
      FromPort: 5432
      ToPort: 5432
      DestinationSecurityGroupId: !Ref DatabaseSecurityGroupParameter

template.yaml
- Key: !Sub ${TagNameParameter}
Value: !Sub ${TagValueParameter}
Value: !Sub ${TagValueParameter}

DatabaseClientSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
Copy link

@jlongland jlongland Jun 25, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not specific to your changes, but I noticed the group is unnamed. Can you add a GroupName like Canvas Data 2 Database Client?

Edit: This comment refers to the DatabaseClientSecurityGroup, not sure how it ended up attaching to the tag.

template.yaml Outdated
Comment on lines 335 to 347
EmptySecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: !Sub ${ResourcePrefixParameter}-cd2-empty-sg-${EnvironmentParameter}
VpcId: !Ref VpcIdParameter
Tags:
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 443
ToPort: 443
CidrIp: 0.0.0.0/0
Tags:
- Key: !Sub ${TagNameParameter}
Value: !Sub ${TagValueParameter}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not specific to your change, but the naming of this resource has always bugged me. ListFunctionSecurityGroup is more descriptive than EmptySecurityGroup. Can you change it and also add a GroupName like Canvas Data 2 ListFunction?

@PyMedic
Copy link
Author

PyMedic commented Jun 25, 2025
edited
Loading

@jlongland I made the changes.

Tested on ubcla-stg.

@PyMedic PyMedic merged commit 9df5e05 into main Jun 25, 2025
3 checks passed
@PyMedic PyMedic deleted the secure-security-group-rules branch June 25, 2025 21:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jlongland jlongland jlongland requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Limit ingress and egress in DatabaseClientSecurityGroup and EmptySecurityGroup
2 participants
@PyMedic @jlongland