BCDA-8360 add waf sync lambda #197

carlpartridge · 2024-12-30T15:01:23Z

🎫 Ticket

https://jira.cms.gov/browse/BCDA-8360

🛠 Changes

Add WAF auto sync lambda

ℹ️ Context

We have recently switched over to WAF to control our allowlist of IP addresses. This lambda should sync our app DB with the source of truth on IP addresses to our WAF.

🧪 Validation

Local tests and linting passing.

lambda/wafsync/aws.go

lambda/wafsync/db.go

lambda/wafsync/README.md

laurenkrugen-navapbc · 2025-01-09T20:59:19Z

lambda/wafsync/db.go

+
+		err = rows.Scan(&ip)
+		if err != nil {
+			log.Warningf("Scan error: %+v", err)


What do you think about bumping this to a fatal or error level? if scan fails on reading any of the IP set that should be updated, then that would mean that the IP allow list could be out of sync between database <> waf.

What do you think about bumping this to a fatal or error level? if scan fails on reading any of the IP set that should be updated, then that would mean that the IP allow list could be out of sync between database <> waf.

I think error makes more sense as we already return nil, err on issue here. Also I think returning fatal is not recommended in lambdas.

laurenkrugen-navapbc · 2025-01-09T21:04:42Z

.github/workflows/waf-sync-lambda-integration-test.yml

+        id: invoke-lambda
+        run: |
+          echo "STARTTIME=`date +%s`" >> "$GITHUB_OUTPUT"
+          aws lambda invoke --function-name bcda-dev-api-waf-sync test-result.txt


if an error is returned; do we need to do any verification here or do we expect a non-zero exit code?

do we want to add any additional validation for other cases where it runs successfully, but the end result might be different from what we expect; ie the update doesn't return an error, but there are no IPs in the WAF?

I believe returning nonzero is enough but Im not entirely sure how to force the function to error out in order to test. I copied a lot of this code from the DPC version, maybe its worth pinging them?

I feel like that would best be solved via splunk or cloudwatch alerts? They could watch for a variety of things based off the logs? I can create a ticket to look into this, either creating new alerts or modifying the jenkins alerts.

carlpartridge added 6 commits December 26, 2024 17:22

BCDA-8360 First pass WAF Sync lambda

2bf47df

Better testing

5d2212b

Fix linters

4eef0ab

Stubbing of GHA for wafsync deploy and testing

492f5fc

Small corrections to GHA workflows

c80abc8

Minor fixes to GHA

83ded31

carlpartridge requested a review from a team December 30, 2024 15:01

carlpartridge had a problem deploying to dev December 30, 2024 15:01 — with GitHub Actions Failure

carlpartridge changed the title ~~Carl/bcda 8360 add waf sync lambda~~ BCDA-8360 add waf sync lambda Dec 30, 2024

Security updates

fd3beaf

carlpartridge had a problem deploying to dev December 30, 2024 15:15 — with GitHub Actions Failure

Match name from platform-ops

5fd1395

carlpartridge had a problem deploying to dev December 30, 2024 20:59 — with GitHub Actions Failure

Convert how we get DATABASE_URL

f664f69

carlpartridge had a problem deploying to dev January 2, 2025 18:31 — with GitHub Actions Failure

carlpartridge had a problem deploying to dev January 2, 2025 21:58 — with GitHub Actions Failure

bhagatparwinder had a problem deploying to dev January 3, 2025 21:53 — with GitHub Actions Failure