SPIKE: Solidify approach to DNS, TLS termination, ALB use ,etc. within LZ

[sheaphillips]

Describe the issue This is a manual process which could overwhelm Cloud Ops. It's a bit of an unknown how we handle the firewalls. There was work done on the demo app which will feed into the design of an automated approach.

Which Sprint Priority is this issue related to? Priority 2

Additional context

• no gitops process around the Project Spec currently (could solve via wildcards)
• Ryan J has work in flight around automating the firewalls
• Include plan for domains/urls of core platform services such as the AWS login app.

Definition of done

• discuss with Ryan J
• Plan and diagram how the automation could work (not necessarily automate everything right away)

[wrnu]

Firewalls

FortiGate Firewalls are currently in place; however, Check Point Firewalls are being evaluated for a potential switch

• ForitGate
  • Terraform provider for FortiOS (FortiGate Firewall resources)
• Checkpoint
  • Terraform provider for Check Point

[ActionAnalytics]

Ryan J has finished his prototype and is ready to demo.

[wrnu]

Networking

Proposed Terraform Approach

Routing

• Subdomains of *.{{identifier}}-{{environment}}.nimbus.cloud.gov.bc.ca
• Specified by list of objects in accounts.network.routes, in project.json
  • public_subdomain is routed to the specified alb_name
  • all unspecified subdomains are routed to the default alb
  • if default alb does not exist no routes are created for unspecified routes
• future: custom domains

DNS

• AWS SEA bootstrap terraform module
  • Create and manage base hosted zone nimbus.cloud.gov.bc.ca
• Project layer terraform module
  • Create wildcard e.g. *.{{identifier}}-{{environment}}.nimbus.cloud.gov.bc.ca
  • defined by project license plate and environments
  • future: custom e.g. myapp.gov.bc.ca
  • defined in project.json

TLS (AWS Certificate Manager)

• Create wildcard cert for *.{{identifier}}-{{environment}}.nimbus.cloud.gov.bc.ca

Perimeter ALB (Public)

• Creation of public facing ALBs is managed by SEA code
• Project layer terraform module
  • Create target groups
  • Create listener rule
  • forwards to firewall
  • Add TLS
  • wildcard cert
  • future: custom cert defined in project.json

Firewall

FortGate

• Project layer terraform module
  • Create FQDN Address
  • target is internal load balancer in an AWS team account
  • config is defined in project.json
    • public dns that routes to internal alb
  • Create Virtual IP (port forwarding, similar to a vhost) linked to FQDN Address
  • This provides the ip/port for the ALB target group
  • The challenge here will be selecting an unused port on the firewall

Links

• Terraform - FortiOS Provider

Check Point

TDB

Links

• Terraform - Check Point Provider

Project Spec

The project spec is defined using a project.json file.

Proposed schema for the network configuration (see network object in the accounts list):

{
  "identifier": "a1bc23",
  "name": "Example Project Spec",
  "accounts": [
    {
      "name": "Development",
      "environment": "dev",
      "alb": [
        {
          "name": "default"
        },
        {
          "name": "alb-for-service-0"
        }
      ],
      "network": {
        "routes": [
          {
            "public_subdomain": "service-0",
            "alb_name": "alb-for-service-0"
          },
          {
            "public_subdomain": "service-1",
            "alb_name": "created-by-tenant"
          }
        ]
      },
      "extra_tfc_workspaces": ["service-1"]
    },
    {
      "name": "Test",
      "environment": "test",
      "alb": [
        {
          "name": "default"
        }
      ],
      "network": {}
    },
    {
      "name": "Production",
      "environment": "prod",
      "alb": [
        {
          "name": "default"
        }
      ],
      "network": {}
    },
    {
      "name": "Tools",
      "environment": "sandbox",
      "alb": [],
      "network": {}
    },
    {
      "name": "Unclassified",
      "environment": "unclass",
      "alb": [],
      "network": {}
    }
  ]
}

Ryan Jaeger's Approach

Architecture

• Typescript state machine using DynamoDB to store state
  • Implemented using AWS Step Functions and Lambdas
  • Perimeter ALB
  • Create target group
  • Create listener rule
  • Firewalls
  • Create Address (internal FQDN)
  • Create Virtual IP (target of ALB mapped to the address above)
    • Selects unused ports on the firewalls
• REST API
  • Inputs:
  • Public ALB in Perimeter network to use (Prod or DevTest)
  • Public domain to be routed
  • Target internal FQDN
  • Limited to only accept requests from inside the VPC
• Doesn't handle TLS or DNS but could be extended to do so

How we could use this from Terraform

• Use the terraform http provider
  • The REST API needs to allow connections from the server that runs terraform.
  • Using GitHub actions could be a challenge unless we use a runner inside the VPC.
  • Or we would have to allow global access and implement authentication. This is not recommended.