Comment on page
Protecting internal tools
The tools Substrate manages under your Intranet (the Accounts page that facilitates logging into the AWS Console, the Credential Factory, and the Instance Factory) are far from the only internal tools you're going to operate as a part of your business. You should take advantage of your Intranet to protect your other internal tools with SSO, HTTP Strict Transport Security, a separate cookie scope, and a robust serverless exterior courtesy of AWS API Gateway.
There are two main strategies for adding new features to your Intranet which should serve use cases as wide-ranging as Lambda functions in your Substrate account to load-balanced EC2 deployments in a service account. These strategies are both available to you after deciding where to host each particular internal tool.
The easiest place to put Intranet extensions is in
modules/intranet/regional because all the scaffolding is already present and it'll transparently handle multiple regions. Add resources such as these to a new file (and not main.tf, which is overwritten per the comment on its first line):resource "aws_api_gateway_integration" "GET-wildcard" {
credentials = data.aws_iam_role.apigateway.arn
http_method = aws_api_gateway_method.GET-example.http_method
integration_http_method = "POST" # always "POST" even if you specify "GET" everywhere else
passthrough_behavior = "NEVER"
resource_id = aws_api_gateway_resource.example.id
rest_api_id = aws_api_gateway_rest_api.intranet.id
type = "AWS_PROXY"
uri = aws_lambda_function.example.invoke_arn
}
resource "aws_api_gateway_method" "GET-example" {
authorization = "CUSTOM"
authorizer_id = aws_api_gateway_authorizer.substrate.id
http_method = "GET"
resource_id = aws_api_gateway_resource.example.id
rest_api_id = aws_api_gateway_rest_api.intranet.id
}
resource "aws_api_gateway_resource" "example" {
parent_id = var.parent_resource_id
path_part = "example"
rest_api_id = aws_api_gateway_rest_api.intranet.id
}
resource "aws_cloudwatch_log_group" "example" {
name = "/aws/lambda/example"
retention_in_days = 1
}
resource "aws_lambda_function" "example" {
depends_on = [aws_cloudwatch_log_group.example]
function_name = "example"
// ...
}
resource "aws_lambda_permission" "example" {
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.example.function_name
principal = "apigateway.amazonaws.com"
}
It is also possible to put the Lambda function in another AWS account but you'll need to grant your Substrate account permission to invoke it with additional
aws_lambda_permission resources.If you'd prefer to stay out of
modules/intranet, you can create your own module (using substrate create-terraform-module, if you like) and reference it from root-modules/admin/*/* (except global) thus:module "intranet-extensions" {
authorizer_id = module.intranet.authorizer_id
integration_credentials = module.intranet.integration_credentials
rest_api_id = module.intranet.rest_api_id
root_resource_id = module.intranet.root_resource_id
source = "../../../../modules/intranet-extensions"
}
Place your API Gateway and Lambda resources there as shown above but use
var.authorizer_id, etc. in place of the direct references that were possible within modules/intranet/regional.Not everything is, can be, or should be a Lambda function, though, and these internal services are just as worthy of protection. Substrate ships a proxy that makes it easy to create secure network paths to anything running in your AWS organization. In a new file in
modules/intranet/regional, add a resource like this for each internal service you're protecting and proxying.module "proxy-example" {
apigateway_execution_arn = aws_api_gateway_deployment.intranet.execution_arn
apigateway_role_arn = data.aws_iam_role.apigateway.arn
authorizer_id = aws_api_gateway_authorizer.substrate.id
lambda_role_arn = data.aws_iam_role.intranet.arn
parent_resource_id = aws_api_gateway_rest_api.intranet.root_resource_id
proxy_destination_url = "http://<internal-website>"
proxy_path_prefix = "example"
rest_api_id = aws_api_gateway_rest_api.intranet.id
security_group_ids = ["<security-group-id>"]
strip_path_prefix = true
subnet_ids = module.substrate.public_subnet_ids
source = "./proxy"
}
The majority of the input variables are just about how the proxy is wired into the Intranet's API Gateway. You must provide a
proxy_destination_url (where requests are proxied) and proxy_path_prefix (the first path component of the Intranet URLs that are proxied). You probably want to provide security_group_ids and subnet_ids in order to place the proxy Lambda function in a network position that's actually able to reach the internal service. (After all, if it's reachable from the Internet, making it also accessible via your Intranet doesn't offer much in the way of additional protection.)When the Intranet passes a request to a Lambda function as an event, the identity of the authenticated user is available in
event.requestContext.authorizer.principalId.That same identity is made available to internal websites in the
X-Substrate-Intranet-Proxy-Principal header.In most cases, the principal is given as an email address though its exact format depends on your identity provider and its configuration.
Jenkins users can use the Reverse Proxy Auth Plugin to accept the
X-Substrate-Intranet-Proxy-Principal header. If you take this path you must set both Header User Name and Header Groups Name to X-Substrate-Intranet-Proxy-Principal to avoid introducing a security vulnerability and you must be OK with not being able to use Jenkins groups in any meaningful sense.Substrate 2023.10 began shipping a preview of the next-generation Intranet that will land in Substrate 2023.12, powered by AWS API Gateway v2. This new Intranet dramatically simplifies the process of protecting internal websites. The technique documented below will become the only way to protect internal websites with the Intranet starting in Substrate 2023.12.
The tools Substrate manages under your Intranet (the Accounts page that facilitates logging into the AWS Console, the Credential Factory, and the Instance Factory) are probably not the only internal tools you're going to operate as a part of your business and your Intranet can protect your other internal tools with the same SSO, HTTP Strict Transport Security, separate cookie scope, robust serverless implementation, and regional fault-tolerance.
In this example, we're going to route Intranet requests for
/example to a Lambda function. (The details of the Lambda function refered to here as aws_lambda_function.example are left as an exercise to the reader.) Add Terraform code like the following to modules/intranet/regional/example.tf:data "aws_apigatewayv2_apis" "substrate" {
name = "Substrate"
protocol_type = "HTTP"
}
data "aws_apigatewayv2_api" "substrate" {
api_id = tolist(data.aws_apigatewayv2_apis.substrate.ids)[0]
}
resource "aws_apigatewayv2_integration" "example" {
api_id = data.aws_apigatewayv2_api.substrate.id
integration_method = "POST"
integration_type = "AWS_PROXY" # or "HTTP_PROXY" with connection_id, connection_type = "VPC_LINK" and other attributes
integration_uri = aws_lambda_function.example.invoke_arn
}
resource "aws_apigatewayv2_route" "example" {
api_id = data.aws_apigatewayv2_api.substrate.id
authorization_type = "CUSTOM"
authorizer_id = data.awsapigatewayv2_api.substrate.tags["AuthorizerId"]
route_key = "ANY /example" # or "ANY /example/{proxy+}" or a more specific HTTP method
target = "integrations/${aws_apigatewayv2_integration.example.id}"
}
resource "aws_lambda_permission" "example" {
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.example.function_name
principal = "apigateway.amazonaws.com"
source_arn = data.aws_apigatewayv2_api.substrate.execution_arn
}
The
aws_apigatewayv2_integration does not have to have integration_type = "AWS_PROXY". Beware, though, that setting integration_type = "HTTP_PROXY" without also configuring VPC link with connection_type = "VPC_LINK", a connection_id attribute, and an aws_apigatewayv2_vpc_link resource is almost certainly a security vulnerability.Note, too, that you do not have to use Terraform to route requests from your Intranet to your internal tools. Substrate may provide facilities to natively manage these internal tool integrations in the future.