Protecting internal websites
The tools Substrate manages under your Intranet (the Accounts page that facilitates logging into the AWS Console, the Credential Factory, and the Instance Factory) are far from the only internal tools you're going to operate as a part of your business. You should take advantage of your Intranet to protect your other internal tools with SSO, HTTP Strict Transport Security, a separate cookie scope, and a robust serverless exterior courtesy of AWS API Gateway.
There are two main strategies for adding new features to your Intranet which should serve use cases as wide-ranging as Lambda functions in your admin account to load-balanced EC2 deployments in a service account. These strategies are both available to you after deciding where to host each particular internal tool.
Integrating with API Gateway and Lambda in modules/intranet/regional
modules/intranet/regional
The easiest place to put Intranet extensions is in modules/intranet/regional
because all the scaffolding is already present and it'll transparently handle multiple regions. Add resources such as these to a new file (and not main.tf
, which is overwritten per the comment on its first line):
It is also possible to put the Lambda function in another AWS account but you'll need to grant your admin account(s) permission to invoke it with additional aws_lambda_permission
resources.
Integrating with API Gateway and Lambda in your own module
If you'd prefer to stay out of modules/intranet
, you can create your own module (using substrate create-terraform-module
, if you like) and reference it from root-modules/admin/*/*
(except global
) thus:
Place your API Gateway and Lambda resources there as shown above but use var.authorizer_id
, etc. in place of the direct references that were possible within modules/intranet/regional
.
Proxying to internal websites
Not everything is, can be, or should be a Lambda function, though, and these internal services are just as worthy of protection. Substrate ships a proxy that makes it easy to create secure network paths to anything running in your AWS organization. In a new file in modules/intranet/regional
, add a resource like this for each internal service you're protecting and proxying.
The majority of the input variables are just about how the proxy is wired into the Intranet's API Gateway. You must provide a proxy_destination_url
(where requests are proxied) and proxy_path_prefix
(the first path component of the Intranet URLs that are proxied). You probably want to provide security_group_ids
and subnet_ids
in order to place the proxy Lambda function in a network position that's actually able to reach the internal service. (After all, if it's reachable from the Internet, making it also accessible via your Intranet doesn't offer much in the way of additional protection.)
Identifying users on websites protected by the Intranet
When the Intranet passes a request to a Lambda function as an event, the identity of the authenticated user is available in event.requestContext.authorizer.principalId
.
That same identity is made available to internal websites in the X-Substrate-Intranet-Proxy-Principal
header.
In most cases, the principal is given as an email address though its exact format depends on your identity provider and its configuration.
Jenkins users can use the Reverse Proxy Auth Plugin to accept the X-Substrate-Intranet-Proxy-Principal
header. If you take this path you must set both Header User Name and Header Groups Name to X-Substrate-Intranet-Proxy-Principal
to avoid introducing a security vulnerability and you must be OK with not being able to use Jenkins groups in any meaningful sense.
Last updated