From 5b9ce9a2228ff1b514faabae3782a2df776257b7 Mon Sep 17 00:00:00 2001 From: Abdelhak Marouane Date: Wed, 10 Jul 2024 11:23:24 -0500 Subject: [PATCH 1/2] Use HTTPS only for GHG observability system --- grafana/Dockerfile | 2 +- grafana/provisioning/datasources/athena.yaml | 7 +++ stacks/grafana.py | 54 +++++++++++++++----- stacks/settings.py | 3 ++ 4 files changed, 51 insertions(+), 15 deletions(-) create mode 100644 grafana/provisioning/datasources/athena.yaml diff --git a/grafana/Dockerfile b/grafana/Dockerfile index 7b27417..f9750a8 100644 --- a/grafana/Dockerfile +++ b/grafana/Dockerfile @@ -1,7 +1,7 @@ FROM --platform=arm64 grafana/grafana:latest # List of plugins to install... -ENV GF_INSTALL_PLUGINS=grafana-x-ray-datasource +ENV GF_INSTALL_PLUGINS=grafana-x-ray-datasource,grafana-athena-datasource ADD provisioning/. /usr/local/grafana/provisioning diff --git a/grafana/provisioning/datasources/athena.yaml b/grafana/provisioning/datasources/athena.yaml new file mode 100644 index 0000000..da382aa --- /dev/null +++ b/grafana/provisioning/datasources/athena.yaml @@ -0,0 +1,7 @@ +apiVersion: 1 +datasources: + - name: Athena + type: grafana-athena-datasource + jsonData: + authType: default + defaultRegion: $AWS_REGION diff --git a/stacks/grafana.py b/stacks/grafana.py index 9c02e30..b9fc6dc 100644 --- a/stacks/grafana.py +++ b/stacks/grafana.py @@ -51,10 +51,22 @@ def __init__( container_name = "grafana" + cloudfront_certificate = acm.Certificate.from_certificate_arn( + + self, "East Certificate", settings.cloudfront_certificate_arn + + ) + + grafana_certificate = acm.Certificate.from_certificate_arn( + + self, "West Certificate", settings.grafana_certificate_arn + + ) service = self.build_service( vpc=vpc, container_name=container_name, - cluster_name=settings.grafana_stack_name + cluster_name=settings.grafana_stack_name, + certificate=grafana_certificate, ) container = service.task_definition.find_container(container_name) 
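Review bot: The new `grafana-athena-datasource` entry in `GF_INSTALL_PLUGINS` is unpinned, so every image build pulls whatever version the plugin catalog currently serves, on top of a base image that is already `grafana/grafana:latest`; a routine rebuild can therefore change both the datasource and Grafana itself without any change in this repository. The variable accepts a version after the plugin id, e.g. `ENV GF_INSTALL_PLUGINS="grafana-x-ray-datasource,grafana-athena-datasource <PLUGIN_VERSION>"` with the intended version substituted, which keeps the image reproducible and makes plugin upgrades an explicit, reviewable change. Pinning the base image tag would be the matching follow-up, though that line is unchanged here.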
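Review bot: `authType: default` makes the Athena datasource authenticate with whatever credentials the Grafana process resolves at runtime, which in this stack is presumably the ECS task role; that role then needs the Athena, Glue and S3 permissions the queries require, and nothing in this patch grants them (the policy loop in `build_service` only appears as context in a later hunk). Worth recording the dependency in the file, e.g. `# authType: default -> uses the ECS task role; scope its Athena/Glue/S3 grants to the workgroup and result bucket`, and checking that the task role is limited to the specific workgroup and result bucket rather than wildcard resources, since every Grafana user of this datasource inherits those permissions. `defaultRegion: $AWS_REGION` also relies on that variable being present in the container environment when provisioning runs — Fargate typically injects it, but it is not set anywhere visible in this patch, so an absent value would leave the region empty.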
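Review bot: `settings.cloudfront_certificate_arn` and `settings.grafana_certificate_arn` are both declared `Optional[str] = None` (the settings.py hunk adds the first and shows the second as context), yet each is passed straight into `acm.Certificate.from_certificate_arn`, so a deployment without either value fails at synth with an unhelpful error instead of a clear configuration message, and the same `None` would later be handed to `certificates=[certificate]` on the HTTPS listener. Either make both fields required in `Settings` — they are mandatory now that the listener and the CloudFront origin are HTTPS-only — or guard the lookups up front: `if not settings.grafana_certificate_arn or not settings.cloudfront_certificate_arn: raise ValueError("HTTPS-only Grafana requires grafana_certificate_arn and cloudfront_certificate_arn")`. The stray blank `+` lines inside both `from_certificate_arn(...)` calls look like a paste artefact and should be dropped. `__init__` starts and ends outside this hunk.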
@@ -71,15 +83,16 @@ def __init__( distro = self.create_cloudfront_distribution( lb=service.load_balancer, domain_name=settings.grafana_domain_name, - certificate_arn=settings.grafana_certificate_arn, + certificate=cloudfront_certificate, ) # Add environment variables to container env: EcsEnv = { envify("paths.data"): mount_point.container_path, + "FOOBAR2": "BARFOO", envify("server.root_url"): ( - f"https://{settings.grafana_domain_name}" - if settings.grafana_domain_name + f"https://{settings.grafana_domain_name}" + if settings.grafana_domain_name else f"https://{distro.distribution_domain_name}" ), } @@ -106,7 +119,8 @@ def build_service( self, vpc: ec2.Vpc, cluster_name: str, - container_name: str + container_name: str, + certificate: acm.Certificate = None, ): # Production has a public NAT Gateway subnet, which causes the # default load balancer creation to fail with too many subnets @@ -155,6 +169,23 @@ def build_service( interval=Duration.seconds(60), ) + # Add HTTPS listener to the load balancer + + load_balancer.add_listener( + "HTTPSListener", + port=443, + certificates=[certificate], + default_action=elbv2.ListenerAction.forward( + target_groups=[service.target_group] + ), + ) + + load_balancer.connections.security_groups[0].add_ingress_rule( + + ec2.Peer.any_ipv4(), ec2.Port.tcp(443), "Allow HTTPS traffic" + + ) + # Ensure service can interact with other AWS resources for policy in ( iam.PolicyStatement( @@ -277,7 +308,7 @@ def create_cloudfront_distribution( self, lb: elbv2.ILoadBalancerV2, domain_name: Optional[str] = None, - certificate_arn: Optional[str] = None, + certificate: Optional[str] = None, ): return cloudfront.Distribution( self, 
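Review bot: `certificate: acm.Certificate = None` in the `build_service` signature is annotated as non-optional while defaulting to `None`; `Optional` is already imported in this module (it is used on `create_cloudfront_distribution`), so this should read `certificate: Optional[acm.ICertificate] = None`, with the interface type because `acm.Certificate.from_certificate_arn` returns an `ICertificate` rather than a `Certificate`. The default is also misleading: the listener added further down passes `certificates=[certificate]` unconditionally, so `None` is not a value the method actually supports and the parameter could simply be required. `build_service` continues outside the hunk.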
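Review bot: The HTTPS listener is added but the existing HTTP listener and its port-80 ingress are left in place (inferred from the original `HTTP_ONLY` origin policy, since the listener setup is not in the hunk), so despite the commit title the load balancer still accepts plaintext; port 80 should redirect via `elbv2.ListenerAction.redirect(protocol="HTTPS", port="443", permanent=True)` or be removed together with its ingress rule. The new ingress rule uses `ec2.Peer.any_ipv4()`, exposing the ALB to the whole internet even though CloudFront is the intended entry point, so `REDIRECT_TO_HTTPS` and anything else enforced at the edge can be bypassed by addressing the ALB directly; restricting the rule to CloudFront's managed origin-facing prefix list closes that path. The listener also takes the default TLS policy, and `security_groups[0]` assumes a single security group in a known order; the rewrite below pins `ssl_policy` and uses `connections.allow_from`, which avoids the index. `build_service` continues outside the hunk.
```python
        # Add HTTPS listener to the load balancer
        load_balancer.add_listener(
            "HTTPSListener",
            port=443,
            certificates=[certificate],
            ssl_policy=elbv2.SslPolicy.RECOMMENDED_TLS,
            default_action=elbv2.ListenerAction.forward(
                target_groups=[service.target_group]
            ),
        )

        # Only CloudFront should reach the origin. <CLOUDFRONT_PREFIX_LIST_ID> is the
        # id of the managed "com.amazonaws.global.cloudfront.origin-facing" prefix
        # list in this region (look it up per region; it is not a fixed value).
        load_balancer.connections.allow_from(
            ec2.Peer.prefix_list("<CLOUDFRONT_PREFIX_LIST_ID>"),
            ec2.Port.tcp(443),
            "Allow HTTPS traffic from CloudFront",
        )

        # … unchanged: IAM policy statements for the task role …
```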
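Review bot: `certificate: Optional[str] = None` on `create_cloudfront_distribution` keeps the old string annotation although the parameter now carries the certificate object built in `__init__` and is passed straight through to `cloudfront.Distribution(certificate=...)`; it should be `certificate: Optional[acm.ICertificate] = None`. A short docstring line would also help, because the construct id `"East Certificate"` in `__init__` hints at a constraint nothing documents — CloudFront only accepts ACM certificates from us-east-1 — e.g. `certificate: ACM certificate for the distribution; must be issued in us-east-1.` The function body continues in the next hunk.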
@@ -288,20 +319,15 @@ def create_cloudfront_distribution( origin=origins.LoadBalancerV2Origin( origin_id="grafana", load_balancer=lb, - protocol_policy=cloudfront.OriginProtocolPolicy.HTTP_ONLY, + protocol_policy=cloudfront.OriginProtocolPolicy.HTTPS_ONLY, ), origin_request_policy=cloudfront.OriginRequestPolicy.ALL_VIEWER_AND_CLOUDFRONT_2022, cache_policy=cloudfront.CachePolicy.CACHING_DISABLED, allowed_methods=cloudfront.AllowedMethods.ALLOW_ALL, + viewer_protocol_policy=cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS, ), domain_names=[domain_name] if domain_name else [], - certificate=( - acm.Certificate.from_certificate_arn( - self, "Certificate", certificate_arn - ) - if certificate_arn - else None - ), + certificate=certificate, ) def github_oauth_settings( self, diff --git a/stacks/settings.py b/stacks/settings.py index 1b01a23..ca1b163 100644 --- a/stacks/settings.py +++ b/stacks/settings.py @@ -33,6 +33,9 @@ class Settings(BaseSettings): grafana_certificate_arn: Optional[str] = None + cloudfront_certificate_arn: Optional[str] = None + + permissions_boundary_arn: str # Github auth provider configuration From beee0adde10f185747f3c534aa22d4569b5ddbdf Mon Sep 17 00:00:00 2001 From: Abdelhak Marouane Date: Wed, 10 Jul 2024 11:25:26 -0500 Subject: [PATCH 2/2] Use HTTPS only for GHG observability system --- stacks/grafana.py | 1 - 1 file changed, 1 deletion(-) diff --git a/stacks/grafana.py b/stacks/grafana.py index b9fc6dc..9ec8c1a 100644 --- a/stacks/grafana.py +++ b/stacks/grafana.py @@ -89,7 +89,6 @@ def __init__( # Add environment variables to container env: EcsEnv = { envify("paths.data"): mount_point.container_path, - "FOOBAR2": "BARFOO", envify("server.root_url"): ( f"https://{settings.grafana_domain_name}" if settings.grafana_domain_name
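Review bot: Switching the origin to `HTTPS_ONLY` means CloudFront now validates the ALB's certificate, and with `ALL_VIEWER_AND_CLOUDFRONT_2022` forwarding the viewer `Host` header the name it checks is the viewer's host; that works when `grafana_domain_name` is set and covered by `grafana_certificate_arn`, but `domain_names=[domain_name] if domain_name else []` still allows the unset case, where viewers arrive on the `*.cloudfront.net` name and the origin handshake would presumably fail with 502s. Since HTTPS-only makes the custom domain effectively mandatory, consider requiring `domain_name` here (and `grafana_domain_name` in `Settings`), or at least document the constraint above the origin: `# HTTPS_ONLY: the ALB certificate must match the forwarded Host header, so grafana_domain_name is required`. The mapping of the origin certificate check onto the forwarded Host header is inferred from CloudFront's documented behaviour rather than from these lines, so it is worth confirming in a test deployment. `create_cloudfront_distribution` starts outside this hunk.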