adjust ip whitelisting

Author: andresionek91

.circleci/config.yml

@@ -8,10 +8,12 @@ Resources:
       GroupDescription: Security group for Postgres Metadata DB. Public access
       GroupName: "{{ serviceName }}-{{ ENVIRONMENT }}-metadata-db-public-security-group"
       SecurityGroupEgress:
-        - CidrIp: 0.0.0.0/0
+      {% for ip in whitelistedIPs %}
+        - CidrIp: "{{ ip }}"
           FromPort: "{{ metadataDb.port }}"
-          IpProtocol: -1
+          IpProtocol: tcp
           ToPort: "{{ metadataDb.port }}"
+      {% endfor %}
       SecurityGroupIngress:
         - CidrIp: 0.0.0.0/0
           FromPort: "{{ metadataDb.port }}"

cloudformation/60_databases.yml.j2

@@ -17,10 +17,12 @@ Resources:
       GroupDescription: Security group for Redis
       GroupName: "{{ serviceName }}-{{ ENVIRONMENT }}-redis-security-group"
       SecurityGroupEgress:
-        - CidrIp: 0.0.0.0/0
-          FromPort: 0
-          IpProtocol: -1
-          ToPort: 0
+      {% for ip in whitelistedIPs %}
+        - CidrIp: "{{ ip }}"
+          FromPort: "{{ celeryBackend.port }}"
+          IpProtocol: tcp
+          ToPort: "{{ celeryBackend.port }}"
+      {% endfor %}
       SecurityGroupIngress:
         - CidrIp: "{{ service.cidrBlock }}/16"
           FromPort: "{{ celeryBackend.port }}"

cloudformation/70_redis.yml.j2

@@ -7,7 +7,16 @@ Resources:
       GroupDescription: Security group for Airflow Flower.  Allow all inbound traffic.
       GroupName: "{{ serviceName }}-{{ ENVIRONMENT }}-flower-external-security-group"
       SecurityGroupEgress:
-        {{ securityGroupEgressRules }}
+      {% for ip in whitelistedIPs %}
+        - CidrIp: "{{ ip }}"
+          FromPort: 80
+          IpProtocol: tcp
+          ToPort: 80
+        - CidrIp: "{{ ip }}"
+          FromPort: 443
+          IpProtocol: tcp
+          ToPort: 443
+      {% endfor %}
       SecurityGroupIngress:
         - CidrIp: 0.0.0.0/0
           FromPort: "{{ service.port }}"

cloudformation/83_airflow-flower.yml.j2

@@ -6,8 +6,6 @@ Resources:
     Properties:
       GroupDescription: Security group for Airflow Scheduler
       GroupName: "{{ serviceName }}-{{ ENVIRONMENT }}-scheduler-security-group"
-      SecurityGroupEgress:
-        {{ securityGroupEgressRules }}
       VpcId: !ImportValue network-VpcId
       Tags:
         - Key: Name

cloudformation/84_airflow-scheduler.yml.j2

@@ -7,7 +7,16 @@ Resources:
       GroupDescription: Security group for Airflow webserver. Allow all inbound traffic.
       GroupName: "{{ serviceName }}-{{ ENVIRONMENT }}-webserver-security-group"
       SecurityGroupEgress:
-        {{ securityGroupEgressRules }}
+      {% for ip in whitelistedIPs %}
+        - CidrIp: "{{ ip }}"
+          FromPort: 80
+          IpProtocol: tcp
+          ToPort: 80
+        - CidrIp: "{{ ip }}"
+          FromPort: 443
+          IpProtocol: tcp
+          ToPort: 443
+      {% endfor %}
       SecurityGroupIngress:
         - CidrIp: 0.0.0.0/0
           FromPort: "{{ service.port }}"

cloudformation/85_airflow-webserver.yml.j2

@@ -6,8 +6,6 @@ Resources:
     Properties:
       GroupDescription: Security group for Airflow workers
       GroupName: "{{ serviceName }}-{{ ENVIRONMENT }}-workers-security-group"
-      SecurityGroupEgress:
-        {{ securityGroupEgressRules }}
       SecurityGroupIngress:
         - CidrIp: "{{ service.cidrBlock }}/16"
           FromPort: "{{ service.workers.port }}"

cloudformation/86_airflow-workers.yml.j2

@@ -83,11 +83,8 @@ publicSubnet:
 
 # List of SecurityGroupEgress.
 # Will be used to whitelist IPs for webserver, flower, workers and scheduler
-securityGroupEgressRules:
-  - CidrIp: 0.0.0.0/0
-    FromPort: 0
-    IpProtocol: -1
-    ToPort: 0
+whitelistedIPs:
+  - 0.0.0.0/0
 
 metadataDb:
   instanceType: db.t3.micro
@@ -103,6 +100,7 @@ metadataDb:
     maxConnections: 100
 
 
+
 celeryBackend:
   port: 6379
   azMode: single-az