slococo-uni
/
bsmsapp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add WAF and update README.md 

Co-authored-by: Ezequiel Bellver <ebellver@itba.edu.ar>
This commit is contained in:
Santiago Lo Coco 2022-10-29 18:12:35 -03:00
parent 042a72d427
commit 6494d4d26c
15 changed files with 260 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
README.md
View File

@ -4,40 +4,44 @@ Best Stock Management System application.
## Descripción de los módulos
### Api gateway
### API Gateway
Recibe pedidos HTTPS. Pueden ser POST o GET. EN el caso de GET, va directo a la lambda de lectura de la tabla. En el caso de POST, se encola en el SQS para luego ir a la lambda.
Construye una API REST que puede recibir requests POST, GET u OPTIONS. En el caso de GET, va directo a la lambda de lectura de la tabla (`lambdaDB`). Por otro lado, en el caso de un POST, se encola en el SQS para luego ir a otra lambda (`lambdaSQSDB`). Finalmente, el OPTIONS se utiliza para poder soportar y habilitar `CORS` y que, por ende, funcionen correctamente los llamados a la API desde el sitio estático.
### Cloudfront
### CloudFront
Realiza cache de la API y del S3.
Realiza caché de la API y del S3 (que hostea el sitio estático).
### Dynamo DB
Guarda los datos de los stocks de los usuarios.
Guarda los datos de los stocks de los usuarios. Tiene una tabla compuesta por `id` (la partition key) y `stock`.
### Lambda
Definimos 2 lambdas.
Una se encarga de realizar escrituras al DynamoDB y la otra de realizar lecturas.
Definimos 2 lambdas. Una se encarga de realizar escrituras al `DynamoDB` (`lambdaSQSDB`) y la otra de realizar lecturas (`lambdaDB`).
### S3
Definimos 3 buckets. Uno para logs y dos para front.
Definimos 3 buckets. Uno para logs y dos para el frontend (el sitio estático en sí y uno `www` que se redirecciona al primero).
### SQS
Se encarga de encolar POSTs recibidos por la API. Luego dispara la lambda correspondiente
Se encarga de encolar POSTs recibidos por la API. Luego, dispara la lambda correspondiente (en este caso `lambdaSQSDB`).
### VPC
Este módulo es [externo](https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest).
Este módulo es [externo](https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest). Se define en este toda la parte de networking que se detalla en el diagrama de la arquitectura (el cual se encuentra al final de este documento).
### WAF
Protege la aplicación mediante 3 rules. Esto lo hace mediante la creación de un web ACL asociado a la distribución de cloudfront.
## Descripción y referencia de funciones y meta-argumentos
*Los links solo hacen referencia a la primera aparición en cada archivo.*
Se debe notar que los links solo hacen referencia a la primera aparición en cada archivo.
### Funciones
Junto a cada función se especifica para qué se usa.
- **file**: devuelve como string el contenido del archivo `index.html`. Esto es utilizado para luego poder modificarlo (pues actúa como un template ya que tiene la variable `ENDPOINT` parametrizada) y usarlo.
@ -95,6 +99,8 @@ Junto a cada función se especifica para qué se usa.
## Diagrama de arquitectura deployada
Los servicios que deben ser corregidos (asociados a la entrega del TP3) son los numerados.
<img src="docs/architecture.png" alt="architecture" width="800"/>
## Rúbrica
@ -126,10 +132,3 @@ Junto a cada función se especifica para qué se usa.
<td>25%</td>
</tr>
</table>
## Autores
- Bellver, Ezequiel (61268)
- Burgos, Santiago Eduardo (55193)
- Lo Coco, Santiago (61301)
- Oillataguerre, Amparo (58714)

70
terraform/modules/apigw/main.tf
View File

@ -96,41 +96,6 @@ resource "aws_api_gateway_integration" "options" {
depends_on = [aws_api_gateway_method.options]
}
resource "aws_api_gateway_deployment" "this" {
rest_api_id = aws_api_gateway_rest_api.this.id
triggers = {
redeployment = sha1(jsonencode([
aws_api_gateway_resource.this.id,
aws_api_gateway_method.this.id,
aws_api_gateway_method.options.id,
aws_api_gateway_method.stock_get.id,
aws_api_gateway_integration.this.id,
aws_api_gateway_integration.options.id,
aws_api_gateway_integration.stock_get.id,
]))
}
lifecycle {
create_before_destroy = true
}
depends_on = [
aws_api_gateway_integration.options,
aws_api_gateway_integration.this,
aws_api_gateway_integration.stock_get,
aws_api_gateway_method.options,
aws_api_gateway_method.this,
aws_api_gateway_method.stock_get,
aws_api_gateway_method_response.options200,
aws_api_gateway_method_response.http200,
aws_api_gateway_method_response.stock200,
aws_api_gateway_integration_response.options200,
aws_api_gateway_integration_response.http200,
aws_api_gateway_integration_response.stock200,
]
}
resource "aws_api_gateway_stage" "this" {
deployment_id = aws_api_gateway_deployment.this.id
rest_api_id = aws_api_gateway_rest_api.this.id
@ -221,6 +186,41 @@ resource "aws_api_gateway_integration_response" "options200" {
depends_on = [aws_api_gateway_method_response.options200]
}
resource "aws_api_gateway_deployment" "this" {
rest_api_id = aws_api_gateway_rest_api.this.id
triggers = {
redeployment = sha1(jsonencode([
aws_api_gateway_resource.this.id,
aws_api_gateway_method.this.id,
aws_api_gateway_method.options.id,
aws_api_gateway_method.stock_get.id,
aws_api_gateway_integration.this.id,
aws_api_gateway_integration.options.id,
aws_api_gateway_integration.stock_get.id,
]))
}
lifecycle {
create_before_destroy = true
}
depends_on = [
aws_api_gateway_integration.options,
aws_api_gateway_integration.this,
aws_api_gateway_integration.stock_get,
aws_api_gateway_method.options,
aws_api_gateway_method.this,
aws_api_gateway_method.stock_get,
aws_api_gateway_method_response.options200,
aws_api_gateway_method_response.http200,
aws_api_gateway_method_response.stock200,
aws_api_gateway_integration_response.options200,
aws_api_gateway_integration_response.http200,
aws_api_gateway_integration_response.stock200,
]
}
resource "aws_lambda_permission" "this" {
statement_id = "AllowExecutionFromAPIGateway"
action = "lambda:InvokeFunction"

9
terraform/modules/sqs/outputs.tf
View File

@ -1,8 +1,13 @@
# --------------------------------------------------------------------
# Lambda outputs
# Amazon Simple Queue Service outputs
# --------------------------------------------------------------------
output "sqs_arn" {
description = "The ARN of SQS"
description = "The ARN of SQS."
value = aws_sqs_queue.this.arn
}
output "name" {
description = "The name of the SQS."
value = aws_sqs_queue.this.name
}

3
terraform/modules/sqs/variables.tf
View File

@ -3,9 +3,8 @@
# ------------------------------------------------------------------------------
variable "name" {
description = "This is the human-readable name of the queue. If omitted, Terraform will assign a random name."
description = "This is the human-readable name of the queue."
type = string
default = null
}
variable "message_retention_seconds" {

87
terraform/modules/waf/main.tf Normal file
View File

@ -0,0 +1,87 @@
# --------------------------------------------------------------------
# WAF
# --------------------------------------------------------------------
resource "aws_wafv2_web_acl" "this" {
name = var.name
scope = var.scope
default_action {
allow {}
}
rule {
name = "AWS-AWSManagedRulesCommonRuleSet"
priority = 1
override_action {
none {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesCommonRuleSet"
vendor_name = "AWS"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "AWS-AWSManagedRulesCommonRuleSet"
sampled_requests_enabled = true
}
}
rule {
name = "AWS-AWSManagedRulesLinuxRuleSet"
priority = 2
statement {
managed_rule_group_statement {
name = "AWSManagedRulesLinuxRuleSet"
vendor_name = "AWS"
}
}
override_action {
none {}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "AWS-AWSManagedRulesLinuxRuleSet"
sampled_requests_enabled = true
}
}
rule {
name = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
priority = 3
override_action {
none {}
}
statement {
managed_rule_group_statement {
name = "AWSManagedRulesKnownBadInputsRuleSet"
vendor_name = "AWS"
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
sampled_requests_enabled = true
}
}
visibility_config {
cloudwatch_metrics_enabled = true
metric_name = "waf-bsmsapp"
sampled_requests_enabled = true
}
tags = var.tags
}

8
terraform/modules/waf/outputs.tf Normal file
View File

@ -0,0 +1,8 @@
# --------------------------------------------------------------------
# WAF outputs
# --------------------------------------------------------------------
output "web_acl_arn" {
description = "The web ACL ARN."
value = aws_wafv2_web_acl.this.arn
}

19
terraform/modules/waf/variables.tf Normal file
View File

@ -0,0 +1,19 @@
# ------------------------------------------------------------------------------
# WAF variables
# ------------------------------------------------------------------------------
variable "name" {
description = "This is the human-readable name of the WAF."
type = string
}
variable "tags" {
description = "A mapping of tags to assign to all resources."
type = map(string)
default = {}
}
variable "scope" {
description = "WAF scope (cloudfront or regional)."
type = string
}

10
terraform/modules/waf/versions.tf Normal file
View File

@ -0,0 +1,10 @@
terraform {
required_version = ">= 1.0.6"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.10.0"
}
}
}

2
terraform/organization/apigw.tf
View File

@ -21,7 +21,7 @@ module "apigw" {
]
role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/LabRole"
sqs_arn = "arn:aws:apigateway:${data.aws_region.current.name}:sqs:path/AWS-SQS-g3"
sqs_arn = "arn:aws:apigateway:${data.aws_region.current.name}:sqs:path/${module.sqs.name}"
tags = {
name = "api-gateway-g3"

8
terraform/organization/cloudfront.tf
View File

@ -1,12 +1,18 @@
module "cloudfront" {
source = "../modules/cloudfront"
depends_on = [module.s3, module.apigw]
providers = {
aws = aws.aws
}
depends_on = [
module.s3,
module.apigw,
module.waf
]
enabled = true
web_acl_id = module.waf.web_acl_arn
origin = {
api-gateway = {

10
terraform/organization/html/index.html
View File

@ -16,15 +16,15 @@
<form id="myForm" class="form-style">
<ul>
<li>
<input value="0" name="id" type="number" />
<input value="0" name="id" type="number" min="0"/>
<span>Enter the product identifier.</span>
</li>
<li>
<input value="0" name="stock" type="number" />
<input value="0" name="stock" type="number" min="0"/>
<span>Enter the new stock number.</span>
</li>
<li>
<input type="submit" value="Upload" />
<input type="submit" value="Upload"/>
</li>
</ul>
</form>
@ -95,7 +95,11 @@
}
var el = document.getElementById("table");
if (!list.length) {
el.innerHTML = "No items."
} else {
el.innerHTML = "";
}
el.appendChild(table);
}

21
terraform/organization/locals.tf
View File

@ -66,4 +66,25 @@ locals {
runtime = "python3.9"
}
}
private_inbound = [
{
rule_number = 100
rule_action = "allow"
from_port = 1024
to_port = 65535
protocol = "tcp"
cidr_block = "0.0.0.0/0"
}
]
private_outbound = [
{
rule_number = 100
rule_action = "allow"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_block = "0.0.0.0/0"
}
]
}

31
terraform/organization/vpc.tf
View File

@ -1,29 +1,6 @@
locals {
private_inbound = [
{
rule_number = 100
rule_action = "allow"
from_port = 1024
to_port = 65535
protocol = "tcp"
cidr_block = "0.0.0.0/0"
}
]
private_outbound = [
{
rule_number = 100
rule_action = "allow"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_block = "0.0.0.0/0"
}
]
}
################################################################################
# ------------------------------------------------------------------------------
# VPC Module (from terraform-aws-modules)
################################################################################
# ------------------------------------------------------------------------------
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
@ -88,10 +65,6 @@ module "vpc_endpoints" {
}
}
################################################################################
# Supporting Resources
################################################################################
resource "aws_vpc_endpoint" "dynamodb_endpoint" {
vpc_id = module.vpc.vpc_id
service_name = "com.amazonaws.us-east-1.dynamodb"

14
terraform/organization/waf.tf Normal file
View File

@ -0,0 +1,14 @@
module "waf" {
source = "../modules/waf"
providers = {
aws = aws.aws
}
name = "AWS-WAF-g3"
scope = "CLOUDFRONT"
tags = {
name = "WAF"
}
}