cds-snc / url-shortener

An API written in Python that shortens URLs
MIT License

fix: remove the Route53 DNS resolver firewall #395

Closed patheard closed 1 year ago

patheard commented 1 year ago

Summary

Remove the Route53 DNS resolver firewall as this will become a challenge to maintain with how each CNAME in the DNS chain must be allowed for a URL to resolve properly when adding a short URL.

Related

github-actions[bot] commented 1 year ago

Staging: cloudfront

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

⚠️   Warning: resources will be destroyed by this change!

Plan: 0 to add, 0 to change, 6 to destroy
Show summary

| CHANGE | NAME |
|--------|------|
| delete | `module.resolver_dns.aws_route53_resolver_firewall_domain_list.allowed[0]` |
|        | `module.resolver_dns.aws_route53_resolver_firewall_domain_list.blocked[0]` |
|        | `module.resolver_dns.aws_route53_resolver_firewall_rule.allowed[0]` |
|        | `module.resolver_dns.aws_route53_resolver_firewall_rule.blocked[0]` |
|        | `module.resolver_dns.aws_route53_resolver_firewall_rule_group.firewall_rules[0]` |
|        | `module.resolver_dns.aws_route53_resolver_firewall_rule_group_association.firewall_rules[0]` |
Show plan

```terraform
Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # module.resolver_dns.aws_route53_resolver_firewall_domain_list.allowed[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "aws_route53_resolver_firewall_domain_list" "allowed" {
      - arn      = "arn:aws:route53resolver:ca-central-1:843973686572:firewall-domain-list/rslvr-fdl-414a3248695e44df" -> null
      - domains  = [
          - "*.akamaiedge.net.",
          - "*.amazonaws.com.",
          - "*.canada.ca.",
          - "*.edgekey.net.",
          - "*.gc.ca.",
          - "*.gg.ca.",
          - "canada.ca.",
          - "gg.ca.",
        ] -> null
      - id       = "rslvr-fdl-414a3248695e44df" -> null
      - name     = "AllowedDomains" -> null
      - tags     = {
          - "CostCentre" = "url-shortener-staging"
          - "Terraform"  = "true"
        } -> null
      - tags_all = {
          - "CostCentre" = "url-shortener-staging"
          - "Terraform"  = "true"
        } -> null
    }

  # module.resolver_dns.aws_route53_resolver_firewall_domain_list.blocked[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "aws_route53_resolver_firewall_domain_list" "blocked" {
      - arn      = "arn:aws:route53resolver:ca-central-1:843973686572:firewall-domain-list/rslvr-fdl-9ebe972bd2674caf" -> null
      - domains  = [
          - "*.",
        ] -> null
      - id       = "rslvr-fdl-9ebe972bd2674caf" -> null
      - name     = "BlockedDomains" -> null
      - tags     = {
          - "CostCentre" = "url-shortener-staging"
          - "Terraform"  = "true"
        } -> null
      - tags_all = {
          - "CostCentre" = "url-shortener-staging"
          - "Terraform"  = "true"
        } -> null
    }

  # module.resolver_dns.aws_route53_resolver_firewall_rule.allowed[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "aws_route53_resolver_firewall_rule" "allowed" {
      - action                  = "ALLOW" -> null
      - block_override_ttl      = 0 -> null
      - firewall_domain_list_id = "rslvr-fdl-414a3248695e44df" -> null
      - firewall_rule_group_id  = "rslvr-frg-b0f5265d514b4c38" -> null
      - id                      = "rslvr-frg-b0f5265d514b4c38:rslvr-fdl-414a3248695e44df" -> null
      - name                    = "AllowedDomains" -> null
      - priority                = 100 -> null
    }

  # module.resolver_dns.aws_route53_resolver_firewall_rule.blocked[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "aws_route53_resolver_firewall_rule" "blocked" {
      - action                  = "BLOCK" -> null
      - block_override_ttl      = 0 -> null
      - block_response          = "NODATA" -> null
      - firewall_domain_list_id = "rslvr-fdl-9ebe972bd2674caf" -> null
      - firewall_rule_group_id  = "rslvr-frg-b0f5265d514b4c38" -> null
      - id                      = "rslvr-frg-b0f5265d514b4c38:rslvr-fdl-9ebe972bd2674caf" -> null
      - name                    = "BlockedDomains" -> null
      - priority                = 200 -> null
    }

  # module.resolver_dns.aws_route53_resolver_firewall_rule_group.firewall_rules[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "aws_route53_resolver_firewall_rule_group" "firewall_rules" {
      - arn          = "arn:aws:route53resolver:ca-central-1:843973686572:firewall-rule-group/rslvr-frg-b0f5265d514b4c38" -> null
      - id           = "rslvr-frg-b0f5265d514b4c38" -> null
      - name         = "FirewallRules" -> null
      - owner_id     = "843973686572" -> null
      - share_status = "NOT_SHARED" -> null
      - tags         = {
          - "CostCentre" = "url-shortener-staging"
          - "Terraform"  = "true"
        } -> null
      - tags_all     = {
          - "CostCentre" = "url-shortener-staging"
          - "Terraform"  = "true"
        } -> null
    }

  # module.resolver_dns.aws_route53_resolver_firewall_rule_group_association.firewall_rules[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "aws_route53_resolver_firewall_rule_group_association" "firewall_rules" {
      - arn                    = "arn:aws:route53resolver:ca-central-1:843973686572:firewall-rule-group-association/rslvr-frgassoc-56e0d977e37f4769" -> null
      - firewall_rule_group_id = "rslvr-frg-b0f5265d514b4c38" -> null
      - id                     = "rslvr-frgassoc-56e0d977e37f4769" -> null
      - mutation_protection    = "DISABLED" -> null
      - name                   = "FirewallRules" -> null
      - priority               = 101 -> null
      - tags                   = {} -> null
      - tags_all               = {} -> null
      - vpc_id                 = "vpc-0801eefa3b72cc1da" -> null
    }

Plan: 0 to add, 0 to change, 6 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Show Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["module.resolver_dns.aws_route53_resolver_query_log_config.route53_vpc_dns"]

18 tests, 17 passed, 1 warning, 0 failures, 0 exceptions
```
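The maintenance problem named in the PR summary, as an added example (not code from this PR or the url-shortener project): it models the `AllowedDomains` (priority 100) and `BlockedDomains` (priority 200) rules from the plan and reports the first hop of a CNAME chain that the allowlist would block. The wildcard semantics (a leading `*.` matches subdomains only, which is consistent with the list carrying both `*.canada.ca.` and `canada.ca.`), the helper names and both sample chains are assumptions constructed for illustration.

```python
# Added example: a model of the rule group in the plan, not AWS's implementation.
ALLOWED = ["*.akamaiedge.net.", "*.amazonaws.com.", "*.canada.ca.",
           "*.edgekey.net.", "*.gc.ca.", "*.gg.ca.", "canada.ca.", "gg.ca."]
BLOCKED = ["*."]
# (priority, action, domain list), copied from the firewall rules in the plan.
RULES = [(100, "ALLOW", ALLOWED), (200, "BLOCK", BLOCKED)]

# Constructed resolution chains: the queried name, then each CNAME target.
CHAIN_OK = ["www.canada.ca", "www.canada.ca.edgekey.net.",
            "e0000.dscx.akamaiedge.net."]
CHAIN_BLOCKED = ["service.example.gc.ca", "example-gc.hypothetical-cdn.example.",
                 "lb-0.ca-central-1.elb.amazonaws.com."]


def normalise(name):
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def matches(pattern, name):
    """Assumed semantics: '*.' matches any name, '*.x.' matches subdomains of x only."""
    if pattern == "*.":
        return True
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])  # keeps the dot, so the apex does not match
    return name == pattern


def evaluate(name):
    """Return the action of the first matching rule, lowest priority number first."""
    name = normalise(name)
    for _priority, action, domains in sorted(RULES, key=lambda r: r[0]):
        if any(matches(p, name) for p in domains):
            return action
    return "ALLOW"  # no rule matched; not reachable here because of '*.'


def first_blocked(chain):
    """Return the first hop in the chain that is blocked, or None if all pass."""
    for hop in chain:
        if evaluate(hop) == "BLOCK":
            return normalise(hop)
    return None


if __name__ == "__main__":
    for chain in (CHAIN_OK, CHAIN_BLOCKED):
        print(chain[0], "->", first_blocked(chain) or "resolves")
```

In the second chain the queried name and the final target are both on the allowlist, yet the intermediate CNAME is not, so the whole lookup fails until that domain is added.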