From 273ed1f3d58b2e30571383e2177b75bcc6ade7e7 Mon Sep 17 00:00:00 2001 From: Jack Murdoch Date: Thu, 29 Oct 2020 10:56:06 +0000 Subject: [PATCH 01/11] Change default download_schedule value --- CHANGELOG.md | 1 + variables.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cc78ad1..eadc279 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ All notable changes to this project will be documented in this file. ## Unreleased +- Updated: Set default "download_schedule" to offset from "upload_schedule" ## [v0.1.12] 2020-10-28 diff --git a/variables.tf b/variables.tf index 1d68597..f5cac7a 100644 --- a/variables.tf +++ b/variables.tf @@ -376,7 +376,7 @@ variable "disable_valid_key_check" { } variable "download_schedule" { description = "download lambda CloudWatch schedule" - default = "cron(0 * * * ? *)" + default = "cron(30 * * * ? *)" } variable "enable_callback" { description = "Flag to determine whether the API service should enable callback endpoints" From 1b47ada97121ecdbf89fcf58a35a9ce4e7e2015e Mon Sep 17 00:00:00 2001 From: Jack Murdoch Date: Tue, 17 Nov 2020 11:19:07 +0000 Subject: [PATCH 02/11] Remove CALLBACK_REQUEST from metrics_config --- CHANGELOG.md | 1 + variables.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2d2d983..83084a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ All notable changes to this project will be documented in this file. ## Unreleased +- Updated: Remove "CALLBACK_REQUEST" from "metrics_config". ## [0.1.14] 2020-11-13 - Added: self isolation notices support. diff --git a/variables.tf b/variables.tf index e089024..272929a 100644 --- a/variables.tf +++ b/variables.tf 
@@ -597,7 +597,7 @@ variable "native_regions" { default = "" } variable "metrics_config" { - default = "{ \"CONTACT_UPLOAD\": 60, \"CHECK_IN\": 60, \"FORGET\": 60, \"CALLBACK_OPTIN\": 60, \"DAILY_ACTIVE_TRACE\": 60, \"CONTACT_NOTIFICATION\": 60, \"LOG_ERROR\": 60, \"CALLBACK_REQUEST\": 60 }" + default = "{ \"CONTACT_UPLOAD\": 60, \"CHECK_IN\": 60, \"FORGET\": 60, \"CALLBACK_OPTIN\": 60, \"DAILY_ACTIVE_TRACE\": 60, \"CONTACT_NOTIFICATION\": 60, \"LOG_ERROR\": 60 }" } variable "migrations_custom_image" { description = "Custom image for the ECS Migrations container, overrides the default ECR repo, assumes we can pull from the repository" From c42483ae353a13ee18875e29edac1a5c3f9ced71 Mon Sep 17 00:00:00 2001 From: Leonardo Rossi Date: Tue, 17 Nov 2020 17:15:31 +0100 Subject: [PATCH 03/11] Adds route54:getChange permission to CI user --- users.tf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/users.tf b/users.tf index 691c951..4dd2275 100644 --- a/users.tf +++ b/users.tf @@ -34,6 +34,15 @@ data "aws_iam_policy_document" "ci_user" { format("%s/*", aws_s3_bucket.assets.arn) ] } + + statement { + actions = [ + "route53:GetChange" + ] + resources = [ + "*" + ] + } } data "aws_iam_policy_document" "ci_user_lambda" { From bb6896ea2eff635171f141641c324141533fb279 Mon Sep 17 00:00:00 2001 From: Dayne Lucas Date: Tue, 17 Nov 2020 11:58:52 -0500 Subject: [PATCH 04/11] Adds reserved_concurrency_executions to the lambda module. --- modules/lambda/main.tf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/modules/lambda/main.tf b/modules/lambda/main.tf index 43c3944..bf3354d 100644 --- a/modules/lambda/main.tf +++ b/modules/lambda/main.tf @@ -121,6 +121,9 @@ variable "timeout" { default = 15 } +variable "concurrency" { + default = -1 +} # ######################################### # Module content 
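Review bot: `metrics_config` is still a hand-escaped JSON string with no `type` or `description`, so removing `"CALLBACK_REQUEST"` by editing the literal is checked by nothing until the consumer parses it at runtime. A variable default cannot call `jsonencode()`, so the cheapest improvement here is `type = string` plus a description that states the expected shape, e.g. `description = "JSON object mapping metric name to its aggregation interval in seconds; names not listed here are not recorded"` — the interval meaning is inferred from the values and should be confirmed against the service that reads this parameter, which is not in this patch. A follow-up could switch to `type = map(number)` and encode at the point of use so Terraform validates the structure; that changes the variable's interface, so only once callers are updated.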
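Review bot: The new `ci_user` statement grants `route53:GetChange` on `resources = ["*"]` with no comment, and in a policy document that otherwise scopes resources to specific bucket ARNs a bare wildcard reads as an oversight. `GetChange` only returns the status of a change batch (it is what a CI job polls while waiting for DNS validation) and is not scoped to a hosted zone, so a wildcard is what the API needs here; say so in a comment above the statement, e.g. `# route53:GetChange reports the status of a change batch (used to wait for DNS validation); it is not scoped per zone, so "*" is required here.` Narrowing the resource to `"arn:aws:route53:::change/*"` keeps the same effect while preventing the statement from silently covering zone-level actions if someone later adds them to the `actions` list. The `ci_user` policy document continues outside the hunk.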
@@ -350,9 +353,13 @@ resource "aws_lambda_function" "this" { runtime = var.runtime tags = var.tags timeout = var.timeout - + depends_on = [aws_cloudwatch_log_group.this] + # See https://docs.aws.amazon.com/lambda/latest/dg/invocation-scaling.html + # Use default `concurrency` value for no limit + reserved_concurrent_executions = var.concurrency + environment { variables = { CONFIG_VAR_PREFIX = var.config_var_prefix, From 5122cf1c265031dbb959f26e8006eb512f67f006 Mon Sep 17 00:00:00 2001 From: Jack Murdoch Date: Wed, 18 Nov 2020 10:24:00 +0000 Subject: [PATCH 05/11] New parameter push_cors_origin --- CHANGELOG.md | 2 ++ ecs_push.tf | 1 + parameters.tf | 8 ++++++++ variables.tf | 4 ++++ 4 files changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2d2d983..d2560c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ All notable changes to this project will be documented in this file. ## Unreleased +- Added: New parameter "push_cors_origin" to control CORS headers in push service + ## [0.1.14] 2020-11-13 - Added: self isolation notices support. diff --git a/ecs_push.tf b/ecs_push.tf index db15cd4..8373502 100644 --- a/ecs_push.tf +++ b/ecs_push.tf @@ -27,6 +27,7 @@ data "aws_iam_policy_document" "push_ecs_task_policy" { aws_ssm_parameter.hsts_max_age.arn, aws_ssm_parameter.log_level.arn, aws_ssm_parameter.onset_date_mandatory.arn, + aws_ssm_parameter.push_cors_origin.arn, aws_ssm_parameter.push_host.arn, aws_ssm_parameter.push_port.arn, aws_ssm_parameter.security_code_charset.arn, diff --git a/parameters.tf b/parameters.tf index 8846788..b1b8d77 100644 --- a/parameters.tf +++ b/parameters.tf 
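Review bot: `reserved_concurrent_executions = var.concurrency` leans on the provider's `-1` sentinel, but the `concurrency` variable added in the previous hunk has neither `type = number` nor a `description`, so a caller passing `"10"` or a misspelled value only fails at plan/apply rather than at the module boundary. Declare it as `variable "concurrency" { type = number, description = "Reserved concurrent executions for the function; -1 (default) reserves nothing and the function draws from the account pool, 0 disables invocation entirely", default = -1 }`. The inline comment `# Use default \`concurrency\` value for no limit` is slightly misleading for the same reason: -1 means no reservation, not unlimited, and 0 is a legitimate throttle/kill-switch value worth naming since this module is used by the upload and download lambdas. The `aws_lambda_function` resource body continues outside the hunk.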
@@ -201,6 +201,14 @@ resource "aws_ssm_parameter" "onset_date_mandatory" { tags = module.labels.tags } +resource "aws_ssm_parameter" "push_cors_origin" { + overwrite = true + name = format("%spush_cors_origin", local.config_var_prefix) + type = "String" + value = var.push_cors_origin + tags = module.labels.tags +} + resource "aws_ssm_parameter" "push_host" { overwrite = true name = format("%spush_host", local.config_var_prefix) diff --git a/variables.tf b/variables.tf index e089024..28b2280 100644 --- a/variables.tf +++ b/variables.tf @@ -627,6 +627,10 @@ variable "push_allowed_ips" { description = "ECS Push service ALB allowed ingress CIDRs" default = ["0.0.0.0/0"] } +variable "push_cors_origin" { + description = "Push service CORS header value" + default = "*" +} variable "push_cpu_high_threshold" { description = "ECS Push service ASG scaling CPU high threshold" default = 15 From c3432d2f352cfb525e331376584b54a4166c2679 Mon Sep 17 00:00:00 2001 From: Jack Murdoch Date: Mon, 23 Nov 2020 15:52:24 +0000 Subject: [PATCH 06/11] Give access to time_zone parameter to all services that write metrics --- CHANGELOG.md | 1 + ecs_push.tf | 1 + lambda-callback.tf | 3 ++- lambda-download.tf | 3 ++- lambda-sms.tf | 3 ++- lambda-upload.tf | 3 ++- 6 files changed, 10 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d2560c4..ef0008c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ All notable changes to this project will be documented in this file. ## Unreleased +- Updated: Give access to "time_zone" parameter to all services that write metrics - Added: New parameter "push_cors_origin" to control CORS headers in push service diff --git a/ecs_push.tf b/ecs_push.tf index 8373502..c5416d3 100644 --- a/ecs_push.tf +++ b/ecs_push.tf 
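Review bot: `push_cors_origin` defaults to `"*"`, so every deployment that does not override it ships the push service with a wildcard CORS origin, sitting directly below `push_allowed_ips` whose default is already `["0.0.0.0/0"]` — the two defaults together make the permissive configuration the one you get by accident. A safer default is an empty string, assuming the service omits the header when the value is empty (confirm against the push service code, which is not in this patch), or at minimum a description that tells operators what the value does and what the wildcard implies: `description = "Access-Control-Allow-Origin value returned by the push service; set to the exact origin of the operator UI in production, \"*\" lets any website call the push API from a browser"`. The value is correctly kept as a plain SSM `String` rather than a secret, since an origin is not sensitive.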
@@ -35,6 +35,7 @@ data "aws_iam_policy_document" "push_ecs_task_policy" { aws_ssm_parameter.security_code_lifetime_mins.arn, aws_ssm_parameter.sms_url.arn, aws_ssm_parameter.symptom_date_offset.arn, + aws_ssm_parameter.time_zone.arn, aws_ssm_parameter.use_test_date_as_onset_date.arn ] } diff --git a/lambda-callback.tf b/lambda-callback.tf index 222a402..5f2ba10 100644 --- a/lambda-callback.tf +++ b/lambda-callback.tf @@ -21,7 +21,8 @@ data "aws_iam_policy_document" "callback_policy" { aws_ssm_parameter.db_database.arn, aws_ssm_parameter.db_host.arn, aws_ssm_parameter.db_port.arn, - aws_ssm_parameter.db_ssl.arn + aws_ssm_parameter.db_ssl.arn, + aws_ssm_parameter.time_zone.arn ], aws_ssm_parameter.callback_email_notifications_sns_arn.*.arn ) diff --git a/lambda-download.tf b/lambda-download.tf index c605c49..ee709a9 100644 --- a/lambda-download.tf +++ b/lambda-download.tf @@ -15,7 +15,8 @@ module "download" { aws_ssm_parameter.db_host.arn, aws_ssm_parameter.db_port.arn, aws_ssm_parameter.db_reader_host.arn, - aws_ssm_parameter.db_ssl.arn + aws_ssm_parameter.db_ssl.arn, + aws_ssm_parameter.time_zone.arn ] aws_secret_arns = concat([data.aws_secretsmanager_secret_version.rds_read_write.arn], data.aws_secretsmanager_secret_version.interop.*.arn) cloudwatch_schedule_expression = var.download_schedule diff --git a/lambda-sms.tf b/lambda-sms.tf index 827a484..fdb819c 100644 --- a/lambda-sms.tf +++ b/lambda-sms.tf @@ -21,7 +21,8 @@ module "sms" { aws_ssm_parameter.sms_region.arn, aws_ssm_parameter.sms_sender.arn, aws_ssm_parameter.sms_template.arn, - aws_ssm_parameter.sms_url.arn + aws_ssm_parameter.sms_url.arn, + aws_ssm_parameter.time_zone.arn ] aws_secret_arns = concat([data.aws_secretsmanager_secret_version.rds_read_write.arn], data.aws_secretsmanager_secret_version.sms.*.arn) config_var_prefix = local.config_var_prefix diff --git a/lambda-upload.tf b/lambda-upload.tf index 78fee93..a0afa99 100644 --- a/lambda-upload.tf +++ b/lambda-upload.tf 
@@ -15,7 +15,8 @@ module "upload" { aws_ssm_parameter.db_host.arn, aws_ssm_parameter.db_port.arn, aws_ssm_parameter.db_reader_host.arn, - aws_ssm_parameter.db_ssl.arn + aws_ssm_parameter.db_ssl.arn, + aws_ssm_parameter.time_zone.arn ] aws_secret_arns = concat([data.aws_secretsmanager_secret_version.rds_read_write.arn], data.aws_secretsmanager_secret_version.interop.*.arn) cloudwatch_schedule_expression = var.upload_schedule From 2b0f4066e672868c6c1be62b134db17fe6ffba11 Mon Sep 17 00:00:00 2001 From: David Gonzalez Date: Thu, 26 Nov 2020 16:03:18 +0000 Subject: [PATCH 07/11] Refreshed changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 71e7a51..3e97b0e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file. ## Unreleased + + +## [0.1.15] 2020-11-26 - Updated: Set default "download_schedule" to offset from "upload_schedule" - Updated: Give access to "time_zone" parameter to all services that write metrics - Updated: Remove "CALLBACK_REQUEST" from "metrics_config". From 5144b32a674da6e6ccdda32a706898683ff49ef8 Mon Sep 17 00:00:00 2001 From: David Gonzalez Date: Thu, 26 Nov 2020 16:03:18 +0000 Subject: [PATCH 08/11] Refreshed changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 71e7a51..3e97b0e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file. ## Unreleased + + +## [0.1.15] 2020-11-26 - Updated: Set default "download_schedule" to offset from "upload_schedule" - Updated: Give access to "time_zone" parameter to all services that write metrics - Updated: Remove "CALLBACK_REQUEST" from "metrics_config". From dddc49c61d6e4f4e701f6d070a07bdb3d70fe8d7 Mon Sep 17 00:00:00 2001 
From: Jack Murdoch Date: Wed, 9 Dec 2020 11:43:14 +0000 Subject: [PATCH 09/11] New parameter reduced_metrics_whitelist --- CHANGELOG.md | 1 + ecs_push.tf | 1 + parameters.tf | 8 ++++++++ variables.tf | 4 ++++ 4 files changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e97b0e..03e0819 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ All notable changes to this project will be documented in this file. ## Unreleased +- Added: New parameter "reduced_metrics_whitelist" ## [0.1.15] 2020-11-26 diff --git a/ecs_push.tf b/ecs_push.tf index c5416d3..9d7adce 100644 --- a/ecs_push.tf +++ b/ecs_push.tf @@ -30,6 +30,7 @@ data "aws_iam_policy_document" "push_ecs_task_policy" { aws_ssm_parameter.push_cors_origin.arn, aws_ssm_parameter.push_host.arn, aws_ssm_parameter.push_port.arn, + aws_ssm_parameter.reduced_metrics_whitelist.arn, aws_ssm_parameter.security_code_charset.arn, aws_ssm_parameter.security_code_length.arn, aws_ssm_parameter.security_code_lifetime_mins.arn, diff --git a/parameters.tf b/parameters.tf index b1b8d77..b009df4 100644 --- a/parameters.tf +++ b/parameters.tf @@ -225,6 +225,14 @@ resource "aws_ssm_parameter" "push_port" { tags = module.labels.tags } +resource "aws_ssm_parameter" "reduced_metrics_whitelist" { + overwrite = true + name = format("%sreduced_metrics_whitelist", local.config_var_prefix) + type = "String" + value = var.reduced_metrics_whitelist + tags = module.labels.tags +} + resource "aws_ssm_parameter" "s3_assets_bucket" { overwrite = true name = format("%ss3_assets_bucket", local.config_var_prefix) diff --git a/variables.tf b/variables.tf index dce642b..cd1923d 100644 --- a/variables.tf +++ b/variables.tf 
@@ -691,6 +691,10 @@ variable "push_services_task_memory" { description = "ECS Push service task memory" default = 512 } +variable "reduced_metrics_whitelist" { + description = "Comma separated list of metrics the reduced metrics role can access" + default = "CALLBACK_OPTIN,CALLBACK_SENT,CASES,CHECK_IN,DEATHS,FORGET,INTEROP_KEYS_DOWNLOADED,INTEROP_KEYS_UPLOADED,UPLOAD" +} variable "refresh_token_expiry" { description = "Lifetime of refresh tokens generated after a user registers" default = "10y" From 216eb8fb145796a9e3433962aedd3095d0e981fa Mon Sep 17 00:00:00 2001 From: Jack Murdoch <35329295+jackmurdoch@users.noreply.github.com> Date: Wed, 9 Dec 2020 11:55:12 +0000 Subject: [PATCH 10/11] Optional parameters and secret to proxy verification requests to a third party (#106) --- CHANGELOG.md | 1 + ecs_api.tf | 10 +++++++--- ecs_push.tf | 12 ++++++++---- parameters.tf | 18 ++++++++++++++++++ secrets.tf | 5 +++++ 5 files changed, 39 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e97b0e..f3ddf1b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ All notable changes to this project will be documented in this file. ## Unreleased +- Added: New optional parameters and secret to proxy verification requests to a third party ## [0.1.15] 2020-11-26 diff --git a/ecs_api.tf b/ecs_api.tf index 81cec91..c3d2307 100644 --- a/ecs_api.tf +++ b/ecs_api.tf 
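Review bot: `reduced_metrics_whitelist` is an authorization list — its description says it decides which metrics the reduced metrics role may access — yet it is declared without `type = string`, and its default hands every deployment nine metric names, including `CASES` and `DEATHS`, unless the caller overrides it. Add `type = string` and make the contract explicit in the description: `description = "Comma separated metric names (no spaces) the reduced metrics role may read; any metric not listed is refused to that role"` — whether the consumer trims whitespace or matches case-insensitively is not visible in this patch, so confirm before promising either. Declaring it as `list(string)` and joining at the SSM parameter (`value = join(",", var.reduced_metrics_whitelist)`) would let Terraform validate the shape, but that changes the variable's interface and needs a coordinated caller update.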
@@ -66,18 +66,22 @@ data "aws_iam_policy_document" "api_ecs_task_policy" { aws_ssm_parameter.security_self_isolation_notices_rate_limit_secs.arn ], aws_ssm_parameter.security_callback_rate_limit_request_count.*.arn, - aws_ssm_parameter.security_callback_rate_limit_secs.*.arn) + aws_ssm_parameter.security_callback_rate_limit_secs.*.arn, + aws_ssm_parameter.verify_proxy_url.*.arn + ) } statement { actions = ["secretsmanager:GetSecretValue"] - resources = [ + resources = concat([ data.aws_secretsmanager_secret_version.device_check.arn, data.aws_secretsmanager_secret_version.encrypt.arn, data.aws_secretsmanager_secret_version.jwt.arn, data.aws_secretsmanager_secret_version.rds_read_write_create.arn, data.aws_secretsmanager_secret_version.verify.arn - ] + ], + data.aws_secretsmanager_secret_version.verify_proxy.*.arn + ) } statement { diff --git a/ecs_push.tf b/ecs_push.tf index c5416d3..d92b855 100644 --- a/ecs_push.tf +++ b/ecs_push.tf @@ -15,7 +15,7 @@ data "aws_iam_policy_document" "push_ecs_assume_role_policy" { data "aws_iam_policy_document" "push_ecs_task_policy" { statement { actions = ["ssm:GetParameter"] - resources = [ + resources = concat([ aws_ssm_parameter.cors_origin.arn, aws_ssm_parameter.db_database.arn, aws_ssm_parameter.db_host.arn, @@ -37,15 +37,19 @@ data "aws_iam_policy_document" "push_ecs_task_policy" { aws_ssm_parameter.symptom_date_offset.arn, aws_ssm_parameter.time_zone.arn, aws_ssm_parameter.use_test_date_as_onset_date.arn - ] + ], + aws_ssm_parameter.issue_proxy_url.*.arn + ) } statement { actions = ["secretsmanager:GetSecretValue"] - resources = [ + resources = concat([ data.aws_secretsmanager_secret_version.jwt.arn, data.aws_secretsmanager_secret_version.rds_read_write.arn - ] + ], + data.aws_secretsmanager_secret_version.verify_proxy.*.arn + ) } statement { diff --git a/parameters.tf b/parameters.tf index b1b8d77..742f5b9 100644 --- a/parameters.tf +++ b/parameters.tf 
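Review bot: Both the API task policy and the push task policy are granted `secretsmanager:GetSecretValue` on the same `verify_proxy` secret, while the parameter side is split: the API task reads `verify_proxy_url` and the push task reads `issue_proxy_url`. If the third party hands out one credential that is valid for both issuing and verifying codes this is unavoidable, but it means a compromise of either service exposes the credential used by the other and rotation hits both at once; if separate credentials are available, split them into `verify-proxy` and `issue-proxy` secrets so each task role only reads its own. At minimum, add a comment on the push statement such as `# shared with the API task: the third-party proxy uses one credential for issue and verify` so the next reader knows the overlap is deliberate. Both policy documents continue outside their hunks.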
@@ -440,6 +440,15 @@ resource "aws_ssm_parameter" "daily_registrations_reporter_sns_arn" { tags = module.labels.tags } +resource "aws_ssm_parameter" "issue_proxy_url" { + count = contains(var.optional_parameters_to_include, "issue_proxy_url") ? 1 : 0 + overwrite = true + name = format("%sissue_proxy_url", local.config_var_prefix) + type = "String" + value = var.issue_proxy_url + tags = module.labels.tags +} + resource "aws_ssm_parameter" "security_callback_rate_limit_request_count" { count = contains(var.optional_parameters_to_include, "security_callback_rate_limit_request_count") ? 1 : 0 overwrite = true @@ -457,3 +466,12 @@ resource "aws_ssm_parameter" "security_callback_rate_limit_secs" { value = var.callback_rate_limit_secs tags = module.labels.tags } + +resource "aws_ssm_parameter" "verify_proxy_url" { + count = contains(var.optional_parameters_to_include, "verify_proxy_url") ? 1 : 0 + overwrite = true + name = format("%sverify_proxy_url", local.config_var_prefix) + type = "String" + value = var.verify_proxy_url + tags = module.labels.tags +} diff --git a/secrets.tf b/secrets.tf index 7420227..5483683 100644 --- a/secrets.tf +++ b/secrets.tf @@ -69,3 +69,8 @@ data "aws_secretsmanager_secret_version" "sms" { count = contains(var.optional_secrets_to_include, "sms") ? 1 : 0 secret_id = "${local.config_var_prefix}sms" } + +data "aws_secretsmanager_secret_version" "verify_proxy" { + count = contains(var.optional_secrets_to_include, "verify-proxy") ? 1 : 0 + secret_id = "${local.config_var_prefix}verify-proxy" +} From c2b3c03ae85a099c695bad7a7b184ea4ccdd07b0 Mon Sep 17 00:00:00 2001 From: Jack Murdoch Date: Fri, 11 Dec 2020 11:02:47 +0000 Subject: [PATCH 11/11] Add missing variable declarations --- CHANGELOG.md | 1 + variables.tf | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f3ddf1b..e4c2398 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
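Review bot: The secret is gated by `contains(var.optional_secrets_to_include, "verify-proxy")` (hyphen) while the two URLs it pairs with are gated by `optional_parameters_to_include` entries `"verify_proxy_url"` and `"issue_proxy_url"` (underscores), and nothing ties the two lists together, so a deployment can enable a proxy URL without the credential (or the reverse) and Terraform will apply cleanly while the service fails, or worse falls back to unauthenticated calls, at runtime — the fallback behaviour is not visible here and should be checked. Add a comment above the data source, e.g. `# Must be enabled together with "verify_proxy_url"/"issue_proxy_url" in optional_parameters_to_include; the proxy is unusable without the credential.` If the module's pinned Terraform version supports resource `precondition` blocks, encode the pairing there so the mismatch is caught at plan time instead of in production.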
@@ -4,6 +4,7 @@ All notable changes to this project will be documented in this file. ## Unreleased +- Added: Missing variables for proxy URLs - Added: New optional parameters and secret to proxy verification requests to a third party diff --git a/variables.tf b/variables.tf index dce642b..9b85023 100644 --- a/variables.tf +++ b/variables.tf @@ -429,6 +429,10 @@ variable "hsts_max_age" { description = "The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS." default = "300" // 5 minutes } +variable "issue_proxy_url" { + description = "URL to proxy OTC issue requests if necessary" + default = "" +} variable "lambda_authorizer_memory_size" { description = "authorizer lambda memory size" default = 512 # Since this is on the hot path and we get faster CPUs with higher memory @@ -745,6 +749,10 @@ variable "variance_offset_mins" { description = "Variance offset in minutes to add to lifetime of keys to check if they are still valid" default = "120" } +variable "verify_proxy_url" { + description = "URL to code verification requests if necessary" + default = "" +} variable "verify_rate_limit_secs" { description = "Time in seconds a user must wait before attempting to verify a one-time upload code" }
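Review bot: Both new variables default to `""`, but the parameters introduced in the previous commit create the SSM parameter whenever the name is listed in `optional_parameters_to_include` with `value = var.verify_proxy_url`, and the SSM API rejects an empty parameter value, so an operator who enables the parameter without setting the URL gets an opaque apply-time error rather than a clear message. Since whatever is posted to these URLs presumably includes the one-time code being issued or verified, the value should also be required to be `https://` when set; a `validation` block (Terraform 0.13+, so check the module's pin) expresses both, as below. The description of `verify_proxy_url` has lost a word — `"URL to proxy code verification requests to, if needed"` — and neither variable says who calls it; naming the API and push services in the descriptions would help operators pair them with the `verify-proxy` secret.
```hcl
variable "verify_proxy_url" {
  description = "URL the API service proxies one-time code verification requests to when set; must be https. Leave empty to verify locally."
  type        = string
  default     = ""

  validation {
    condition     = var.verify_proxy_url == "" || can(regex("^https://", var.verify_proxy_url))
    error_message = "verify_proxy_url must be empty or an https:// URL."
  }
}
# … same type/description/validation pattern for issue_proxy_url …
```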