slococo-uni
/
bsmsapp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add WAF and update README.md 

Co-authored-by: Ezequiel Bellver <ebellver@itba.edu.ar>
This commit is contained in:
Santiago Lo Coco 2022-10-29 18:12:35 -03:00
parent 042a72d427
commit 6494d4d26c
15 changed files with 260 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
README.md
View File

@ -4,40 +4,44 @@ Best Stock Management System application.
## Descripción de los módulos ## Descripción de los módulos
### Api gateway ### API Gateway
Recibe pedidos HTTPS. Pueden ser POST o GET. EN el caso de GET, va directo a la lambda de lectura de la tabla. En el caso de POST, se encola en el SQS para luego ir a la lambda. Construye una API REST que puede recibir requests POST, GET u OPTIONS. En el caso de GET, va directo a la lambda de lectura de la tabla (`lambdaDB`). Por otro lado, en el caso de un POST, se encola en el SQS para luego ir a otra lambda (`lambdaSQSDB`). Finalmente, el OPTIONS se utiliza para poder soportar y habilitar `CORS` y que, por ende, funcionen correctamente los llamados a la API desde el sitio estático.
### Cloudfront ### CloudFront
Realiza cache de la API y del S3. Realiza caché de la API y del S3 (que hostea el sitio estático).
### Dynamo DB ### Dynamo DB
Guarda los datos de los stocks de los usuarios. Guarda los datos de los stocks de los usuarios. Tiene una tabla compuesta por `id` (la partition key) y `stock`.
### Lambda ### Lambda
Definimos 2 lambdas. Definimos 2 lambdas. Una se encarga de realizar escrituras al `DynamoDB` (`lambdaSQSDB`) y la otra de realizar lecturas (`lambdaDB`).
Una se encarga de realizar escrituras al DynamoDB y la otra de realizar lecturas.
### S3 ### S3
Definimos 3 buckets. Uno para logs y dos para front. Definimos 3 buckets. Uno para logs y dos para el frontend (el sitio estático en sí y uno `www` que se redirecciona al primero).
### SQS ### SQS
Se encarga de encolar POSTs recibidos por la API. Luego dispara la lambda correspondiente Se encarga de encolar POSTs recibidos por la API. Luego, dispara la lambda correspondiente (en este caso `lambdaSQSDB`).
### VPC ### VPC
Este módulo es [externo](https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest). Este módulo es [externo](https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest). Se define en este toda la parte de networking que se detalla en el diagrama de la arquitectura (el cual se encuentra al final de este documento).
### WAF
Protege la aplicación mediante 3 rules. Esto lo hace mediante la creación de un web ACL asociado a la distribución de cloudfront.
## Descripción y referencia de funciones y meta-argumentos ## Descripción y referencia de funciones y meta-argumentos
*Los links solo hacen referencia a la primera aparición en cada archivo.* Se debe notar que los links solo hacen referencia a la primera aparición en cada archivo.
### Funciones ### Funciones
Junto a cada función se especifica para qué se usa. Junto a cada función se especifica para qué se usa.
- **file**: devuelve como string el contenido del archivo `index.html`. Esto es utilizado para luego poder modificarlo (pues actúa como un template ya que tiene la variable `ENDPOINT` parametrizada) y usarlo. - **file**: devuelve como string el contenido del archivo `index.html`. Esto es utilizado para luego poder modificarlo (pues actúa como un template ya que tiene la variable `ENDPOINT` parametrizada) y usarlo.
@ -95,6 +99,8 @@ Junto a cada función se especifica para qué se usa.
## Diagrama de arquitectura deployada ## Diagrama de arquitectura deployada
Los servicios que deben ser corregidos (asociados a la entrega del TP3) son los numerados.
<img src="docs/architecture.png" alt="architecture" width="800"/> <img src="docs/architecture.png" alt="architecture" width="800"/>
## Rúbrica ## Rúbrica
@ -126,10 +132,3 @@ Junto a cada función se especifica para qué se usa.
<td>25%</td> <td>25%</td>
</tr> </tr>
</table> </table>
## Autores
- Bellver, Ezequiel (61268)
- Burgos, Santiago Eduardo (55193)
- Lo Coco, Santiago (61301)
- Oillataguerre, Amparo (58714)

70
terraform/modules/apigw/main.tf
View File

@ -96,41 +96,6 @@ resource "aws_api_gateway_integration" "options" {
depends_on = [aws_api_gateway_method.options] depends_on = [aws_api_gateway_method.options]
} }
resource "aws_api_gateway_deployment" "this" {
rest_api_id = aws_api_gateway_rest_api.this.id
triggers = {
redeployment = sha1(jsonencode([
aws_api_gateway_resource.this.id,
aws_api_gateway_method.this.id,
aws_api_gateway_method.options.id,
aws_api_gateway_method.stock_get.id,
aws_api_gateway_integration.this.id,
aws_api_gateway_integration.options.id,
aws_api_gateway_integration.stock_get.id,
]))
}
lifecycle {
create_before_destroy = true
}
depends_on = [
aws_api_gateway_integration.options,
aws_api_gateway_integration.this,
aws_api_gateway_integration.stock_get,
aws_api_gateway_method.options,
aws_api_gateway_method.this,
aws_api_gateway_method.stock_get,
aws_api_gateway_method_response.options200,
aws_api_gateway_method_response.http200,
aws_api_gateway_method_response.stock200,
aws_api_gateway_integration_response.options200,
aws_api_gateway_integration_response.http200,
aws_api_gateway_integration_response.stock200,
]
}
resource "aws_api_gateway_stage" "this" { resource "aws_api_gateway_stage" "this" {
deployment_id = aws_api_gateway_deployment.this.id deployment_id = aws_api_gateway_deployment.this.id
rest_api_id = aws_api_gateway_rest_api.this.id rest_api_id = aws_api_gateway_rest_api.this.id
@ -221,6 +186,41 @@ resource "aws_api_gateway_integration_response" "options200" {
depends_on = [aws_api_gateway_method_response.options200] depends_on = [aws_api_gateway_method_response.options200]
} }
resource "aws_api_gateway_deployment" "this" {
rest_api_id = aws_api_gateway_rest_api.this.id
triggers = {
redeployment = sha1(jsonencode([
aws_api_gateway_resource.this.id,
aws_api_gateway_method.this.id,
aws_api_gateway_method.options.id,
aws_api_gateway_method.stock_get.id,
aws_api_gateway_integration.this.id,
aws_api_gateway_integration.options.id,
aws_api_gateway_integration.stock_get.id,
]))
}
lifecycle {
create_before_destroy = true
}
depends_on = [
aws_api_gateway_integration.options,
aws_api_gateway_integration.this,
aws_api_gateway_integration.stock_get,
aws_api_gateway_method.options,
aws_api_gateway_method.this,
aws_api_gateway_method.stock_get,
aws_api_gateway_method_response.options200,
aws_api_gateway_method_response.http200,
aws_api_gateway_method_response.stock200,
aws_api_gateway_integration_response.options200,
aws_api_gateway_integration_response.http200,
aws_api_gateway_integration_response.stock200,
]
}
resource "aws_lambda_permission" "this" { resource "aws_lambda_permission" "this" {
statement_id = "AllowExecutionFromAPIGateway" statement_id = "AllowExecutionFromAPIGateway"
action = "lambda:InvokeFunction" action = "lambda:InvokeFunction"

9
terraform/modules/sqs/outputs.tf
View File

@ -1,8 +1,13 @@
# -------------------------------------------------------------------- # --------------------------------------------------------------------
# Lambda outputs # Amazon Simple Queue Service outputs
# -------------------------------------------------------------------- # --------------------------------------------------------------------
output "sqs_arn" { output "sqs_arn" {
description = "The ARN of SQS" description = "The ARN of SQS."
value = aws_sqs_queue.this.arn value = aws_sqs_queue.this.arn
} }
output "name" {
description = "The name of the SQS."
value = aws_sqs_queue.this.name
}

3
terraform/modules/sqs/variables.tf
View File

@ -3,9 +3,8 @@
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
variable "name" { variable "name" {
description = "This is the human-readable name of the queue. If omitted, Terraform will assign a random name." description = "This is the human-readable name of the queue."
type = string type = string
default = null
} }
variable "message_retention_seconds" { variable "message_retention_seconds" {

87
terraform/modules/waf/main.tf Normal file
View File

@ -0,0 +1,87 @@
# --------------------------------------------------------------------
# WAF
# --------------------------------------------------------------------
resource "aws_wafv2_web_acl" "this" {
name = var.name
scope = var.scope
default_action {
allow {}
}
rule {
name = "AWS-AWSManagedRulesCommonRuleSet"
priority = 1
override_action {
none {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesCommonRuleSet"
vendor_name = "AWS"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "AWS-AWSManagedRulesCommonRuleSet"
sampled_requests_enabled = true
}
}
rule {
name = "AWS-AWSManagedRulesLinuxRuleSet"
priority = 2
statement {
managed_rule_group_statement {
name = "AWSManagedRulesLinuxRuleSet"
vendor_name = "AWS"
}
}
override_action {
none {}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "AWS-AWSManagedRulesLinuxRuleSet"
sampled_requests_enabled = true
}
}
rule {
name = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
priority = 3
override_action {
none {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesKnownBadInputsRuleSet"
vendor_name = "AWS"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
sampled_requests_enabled = true
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "waf-bsmsapp"
sampled_requests_enabled = true
}
tags = var.tags
}

8
terraform/modules/waf/outputs.tf Normal file
View File

@ -0,0 +1,8 @@
# --------------------------------------------------------------------
# WAF outputs
# --------------------------------------------------------------------
output "web_acl_arn" {
description = "The web ACL ARN."
value = aws_wafv2_web_acl.this.arn
}

19
terraform/modules/waf/variables.tf Normal file
View File

@ -0,0 +1,19 @@
# ------------------------------------------------------------------------------
# WAF variables
# ------------------------------------------------------------------------------
variable "name" {
description = "This is the human-readable name of the WAF."
type = string
}
variable "tags" {
description = "A mapping of tags to assign to all resources."
type = map(string)
default = {}
}
variable "scope" {
description = "WAF scope (cloudfront or regional)."
type = string
}

10
terraform/modules/waf/versions.tf Normal file
View File

@ -0,0 +1,10 @@
terraform {
required_version = ">= 1.0.6"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.10.0"
}
}
}

4
terraform/organization/apigw.tf
View File

@ -9,7 +9,7 @@ module "apigw" {
module.lambda, module.sqs module.lambda, module.sqs
] ]
name = "AWSAPIGateway-g3" name = "AWSAPIGateway-g3"
lambda = [ lambda = [
{ {
@ -21,7 +21,7 @@ module "apigw" {
] ]
role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/LabRole" role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/LabRole"
sqs_arn = "arn:aws:apigateway:${data.aws_region.current.name}:sqs:path/AWS-SQS-g3" sqs_arn = "arn:aws:apigateway:${data.aws_region.current.name}:sqs:path/${module.sqs.name}"
tags = { tags = {
name = "api-gateway-g3" name = "api-gateway-g3"

12
terraform/organization/cloudfront.tf
View File

@ -1,12 +1,18 @@
module "cloudfront" { module "cloudfront" {
source = "../modules/cloudfront" source = "../modules/cloudfront"
depends_on = [module.s3, module.apigw]
providers = { providers = {
aws = aws.aws aws = aws.aws
} }
enabled = true depends_on = [
module.s3,
module.apigw,
module.waf
]
enabled = true
web_acl_id = module.waf.web_acl_arn
origin = { origin = {
api-gateway = { api-gateway = {

12
terraform/organization/html/index.html
View File

@ -16,15 +16,15 @@
<form id="myForm" class="form-style"> <form id="myForm" class="form-style">
<ul> <ul>
<li> <li>
<input value="0" name="id" type="number" /> <input value="0" name="id" type="number" min="0"/>
<span>Enter the product identifier.</span> <span>Enter the product identifier.</span>
</li> </li>
<li> <li>
<input value="0" name="stock" type="number" /> <input value="0" name="stock" type="number" min="0"/>
<span>Enter the new stock number.</span> <span>Enter the new stock number.</span>
</li> </li>
<li> <li>
<input type="submit" value="Upload" /> <input type="submit" value="Upload"/>
</li> </li>
</ul> </ul>
</form> </form>
@ -95,7 +95,11 @@
} }
var el = document.getElementById("table"); var el = document.getElementById("table");
el.innerHTML = ""; if (!list.length) {
el.innerHTML = "No items."
} else {
el.innerHTML = "";
}
el.appendChild(table); el.appendChild(table);
} }

33
terraform/organization/locals.tf
View File

@ -4,9 +4,9 @@ locals {
s3 = { s3 = {
website = { website = {
type = 1 type = 1
bucket_name = local.bucket_name bucket_name = local.bucket_name
bucket_acl = "public-read" bucket_acl = "public-read"
path = "../resources" path = "../resources"
website = { website = {
@ -35,18 +35,18 @@ locals {
website = { website = {
redirect_all_requests_to = { redirect_all_requests_to = {
host_name = "${local.bucket_name}.s3-website-${data.aws_region.current.name}.amazonaws.com" host_name = "${local.bucket_name}.s3-website-${data.aws_region.current.name}.amazonaws.com"
protocol = "http" protocol = "http"
} }
} }
bucket_name = "www.${local.bucket_name}" bucket_name = "www.${local.bucket_name}"
bucket_acl = "public-read" bucket_acl = "public-read"
} }
logs = { logs = {
type = 2 type = 2
bucket_name = "${local.bucket_name}-logs" bucket_name = "${local.bucket_name}-logs"
bucket_acl = "log-delivery-write" bucket_acl = "log-delivery-write"
} }
} }
@ -66,4 +66,25 @@ locals {
runtime = "python3.9" runtime = "python3.9"
} }
} }
private_inbound = [
{
rule_number = 100
rule_action = "allow"
from_port = 1024
to_port = 65535
protocol = "tcp"
cidr_block = "0.0.0.0/0"
}
]
private_outbound = [
{
rule_number = 100
rule_action = "allow"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_block = "0.0.0.0/0"
}
]
} }

2
terraform/organization/sqs.tf
View File

@ -9,7 +9,7 @@ module "sqs" {
module.lambda module.lambda
] ]
name = "AWS-SQS-g3" name = "AWS-SQS-g3"
lambda_name = module.lambda["lambdaSQS"].lambda_function_name lambda_name = module.lambda["lambdaSQS"].lambda_function_name
tags = { tags = {

57
terraform/organization/vpc.tf
View File

@ -1,29 +1,6 @@
locals { # ------------------------------------------------------------------------------
private_inbound = [
{
rule_number = 100
rule_action = "allow"
from_port = 1024
to_port = 65535
protocol = "tcp"
cidr_block = "0.0.0.0/0"
}
]
private_outbound = [
{
rule_number = 100
rule_action = "allow"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_block = "0.0.0.0/0"
}
]
}
################################################################################
# VPC Module (from terraform-aws-modules) # VPC Module (from terraform-aws-modules)
################################################################################ # ------------------------------------------------------------------------------
module "vpc" { module "vpc" {
source = "terraform-aws-modules/vpc/aws" source = "terraform-aws-modules/vpc/aws"
@ -47,9 +24,9 @@ module "vpc" {
manage_default_route_table = true manage_default_route_table = true
default_route_table_tags = { Name = "vpc-g3-bsmsapp-default" } default_route_table_tags = { Name = "vpc-g3-bsmsapp-default" }
private_dedicated_network_acl = true private_dedicated_network_acl = true
private_inbound_acl_rules = local.private_inbound private_inbound_acl_rules = local.private_inbound
private_outbound_acl_rules = local.private_outbound private_outbound_acl_rules = local.private_outbound
manage_default_security_group = true manage_default_security_group = true
default_security_group_tags = { Name = "vpc-g3-bsmsapp-default" } default_security_group_tags = { Name = "vpc-g3-bsmsapp-default" }
@ -73,25 +50,21 @@ module "vpc_endpoints" {
endpoints = { endpoints = {
dynamodb = { dynamodb = {
service = "dynamodb" service = "dynamodb"
service_type = "Gateway" service_type = "Gateway"
route_table_ids = flatten([module.vpc.private_route_table_ids]) route_table_ids = flatten([module.vpc.private_route_table_ids])
policy = data.aws_iam_policy_document.this.json policy = data.aws_iam_policy_document.this.json
tags = { Name = "dynamodb-vpc-endpoint" } tags = { Name = "dynamodb-vpc-endpoint" }
security_group_ids = [aws_security_group.dynamodb_sg.id] security_group_ids = [aws_security_group.dynamodb_sg.id]
} }
} }
tags = { tags = {
Name = "vpc-g3-bsmsapp" Name = "vpc-g3-bsmsapp"
Endpoint = "true" Endpoint = "true"
} }
} }
################################################################################
# Supporting Resources
################################################################################
resource "aws_vpc_endpoint" "dynamodb_endpoint" { resource "aws_vpc_endpoint" "dynamodb_endpoint" {
vpc_id = module.vpc.vpc_id vpc_id = module.vpc.vpc_id
service_name = "com.amazonaws.us-east-1.dynamodb" service_name = "com.amazonaws.us-east-1.dynamodb"
@ -108,10 +81,10 @@ resource "aws_security_group" "dynamodb_sg" {
vpc_id = module.vpc.vpc_id vpc_id = module.vpc.vpc_id
egress { egress {
description = "HTTPs to DynamoDB" description = "HTTPs to DynamoDB"
from_port = 443 from_port = 443
to_port = 443 to_port = 443
protocol = "tcp" protocol = "tcp"
prefix_list_ids = [aws_vpc_endpoint.dynamodb_endpoint.prefix_list_id] prefix_list_ids = [aws_vpc_endpoint.dynamodb_endpoint.prefix_list_id]
} }

14
terraform/organization/waf.tf Normal file
View File

@ -0,0 +1,14 @@
module "waf" {
source = "../modules/waf"
providers = {
aws = aws.aws
}
name = "AWS-WAF-g3"
scope = "CLOUDFRONT"
tags = {
name = "WAF"
}
}