Protecting internal tools
Protecting internal tools
The tools Substrate manages under your Intranet (the Accounts page that facilitates logging into the AWS Console, the Credential Factory, and the Instance Factory) are far from the only internal tools you're going to operate as a part of your business. You should take advantage of your Intranet to protect your other internal tools with SSO, HTTP Strict Transport Security, a separate cookie scope, and a robust serverless exterior courtesy of AWS API Gateway.
There are two main strategies for adding new features to your Intranet which should serve use cases as wide-ranging as Lambda functions in your Substrate account to load-balanced EC2 deployments in a service account. These strategies are both available to you after deciding where to host each particular internal tool.
Integrating with API Gateway and Lambda in modules/intranet/regional
modules/intranet/regional
The easiest place to put Intranet extensions is in modules/intranet/regional
because all the scaffolding is already present and it'll transparently handle multiple regions. Add resources such as these to a new file (and not main.tf
, which is overwritten per the comment on its first line):
It is also possible to put the Lambda function in another AWS account but you'll need to grant your Substrate account permission to invoke it with additional aws_lambda_permission
resources.
Integrating with API Gateway and Lambda in your own module
If you'd prefer to stay out of modules/intranet
, you can create your own module (using substrate create-terraform-module
, if you like) and reference it from root-modules/admin/*/*
(except global
) thus:
Place your API Gateway and Lambda resources there as shown above but use var.authorizer_id
, etc. in place of the direct references that were possible within modules/intranet/regional
.
Proxying to internal websites
Not everything is, can be, or should be a Lambda function, though, and these internal services are just as worthy of protection. Substrate ships a proxy that makes it easy to create secure network paths to anything running in your AWS organization. In a new file in modules/intranet/regional
, add a resource like this for each internal service you're protecting and proxying.
The majority of the input variables are just about how the proxy is wired into the Intranet's API Gateway. You must provide a proxy_destination_url
(where requests are proxied) and proxy_path_prefix
(the first path component of the Intranet URLs that are proxied). You probably want to provide security_group_ids
and subnet_ids
in order to place the proxy Lambda function in a network position that's actually able to reach the internal service. (After all, if it's reachable from the Internet, making it also accessible via your Intranet doesn't offer much in the way of additional protection.)
Identifying users on websites protected by the Intranet
When the Intranet passes a request to a Lambda function as an event, the identity of the authenticated user is available in event.requestContext.authorizer.principalId
.
That same identity is made available to internal websites in the X-Substrate-Intranet-Proxy-Principal
header.
In most cases, the principal is given as an email address though its exact format depends on your identity provider and its configuration.
Jenkins users can use the Reverse Proxy Auth Plugin to accept the X-Substrate-Intranet-Proxy-Principal
header. If you take this path you must set both Header User Name and Header Groups Name to X-Substrate-Intranet-Proxy-Principal
to avoid introducing a security vulnerability and you must be OK with not being able to use Jenkins groups in any meaningful sense.
Protecting internal tools in Substrate 2023.12 and beyond
Substrate 2023.10 began shipping a preview of the next-generation Intranet that will land in Substrate 2023.12, powered by AWS API Gateway v2. This new Intranet dramatically simplifies the process of protecting internal websites. The technique documented below will become the only way to protect internal websites with the Intranet starting in Substrate 2023.12.
The tools Substrate manages under your Intranet (the Accounts page that facilitates logging into the AWS Console, the Credential Factory, and the Instance Factory) are probably not the only internal tools you're going to operate as a part of your business and your Intranet can protect your other internal tools with the same SSO, HTTP Strict Transport Security, separate cookie scope, robust serverless implementation, and regional fault-tolerance.
In this example, we're going to route Intranet requests for /example
to a Lambda function. (The details of the Lambda function refered to here as aws_lambda_function.example
are left as an exercise to the reader.) Add Terraform code like the following to modules/intranet/regional/example.tf
:
The aws_apigatewayv2_integration
does not have to have integration_type = "AWS_PROXY"
. Beware, though, that setting integration_type = "HTTP_PROXY"
without also configuring VPC link with connection_type = "VPC_LINK"
, a connection_id
attribute, and an aws_apigatewayv2_vpc_link
resource is almost certainly a security vulnerability.
Note, too, that you do not have to use Terraform to route requests from your Intranet to your internal tools. Substrate may provide facilities to natively manage these internal tool integrations in the future.
Last updated