Merge pull request #41 from Financial-Times/upp-elasticsearch-provisi…

…oner/fix-access-policy

Fix ES access policy

upp-elasticsearch-provisioner/ansible/provision.yml

@@ -29,6 +29,8 @@
         template_parameters:
           EnvironmentType: "{{environment_type}}"
           ClusterName: "{{cluster_name}}"
+          AccountID: "{{aws_account_id}}"
+          Region: "{{aws_default_region}}"
         tags:
           Stack: "{{cluster_name}}"
       register: es_stack_output

upp-elasticsearch-provisioner/ansible/vault_p.yml

@@ -1,18 +1,18 @@
 $ANSIBLE_VAULT;1.1;AES256
-62363832666230333834653431383938623238386464333862326133333532306366373263346539
-3061663666363063643437373339623633643234633632640a313938373433386633343937636631
-33643563343539363733656335643865386665306239386138633533353730333466366538363430
-3836613537653130330a356565636564316432333837373031353961303631306535393564643762
-32393630393564393166613539613335633766373462353838636238336665623964666636656539
-64356538343666616330626333613736643261636634326162646464313132623434613963366439
-31653866343431393666643635346432623763303637303466323966623865333864326163313135
-37353666653630323831366236626261363339366366393935336664346632653063373662626638
-31646666303362613164316334663066613961636331333166666564623839346338613164306237
-65323164343738386531333835326238653061333164623738356539356239326366323761356532
-66376134653462313464643539306166363961353166313464656336346239666336383366613765
-65303064363538643932613138613839356638396466623634333265653364373065643532656635
-66666134316239386661633030613033336336356138393437316432383832373063353035363663
-33303738383835366265316264393265313930646633643939393931363963336535303536626336
-39663930653131393931663830616236316531383730333831356530656530366366636238393438
-66326239313438383261353162666437333130336439303762393464373439383463326332363530
-3534
+34626162356265633262346236326333323533333165346439663038336561396237663439623465
+3130383633353665626161653462376363393134363833340a356438303261626132333239653136
+32376630346233633630393334336430383034333234323666343635396333623861323061316334
+3735653830396564340a346261643431626265313166363531623862623639376661623831376664
+32616531623932316332313537643962333736346537303265333236616261613131343837343463
+61366561643262646133666533366265643764656135396561646465663634373461313061366435
+65303635376235346135633331373537633765313432343933313463623930646539653965393532
+61396366666432343663366265646134613461326231623737653563316631393265323863333965
+33626138386562623364313337393861663830626633663663306461613938353638373166653661
+30346563333162656431386462616437353463656262346636636465623161616537303964366563
+64363263336239393034303162303335373734336634313864393836356438386463616330343433
+35303262643634653636616264663637383663326661613564313930373230656132396363316464
+62303030636562643338623339373231643731356532393165346438386439303437343564636338
+34616566376566666539643837633333643038373364373962666335333862656537396335353533
+63393065663962356337363662303066313639663064626434323462643462613462316632383332
+64326630386239663730633162376466306338323565646333363030306166366563666634373838
+39303335396139373264396662346265653437346336333237633061373835356136

upp-elasticsearch-provisioner/ansible/vault_t.yml

@@ -1,18 +1,18 @@
 $ANSIBLE_VAULT;1.1;AES256
-34353862636130376438366531343230383964376232613433656138303639393831613933333531
-6662383137623161393262313238393835303439663738360a613662313231633835643932386331
-37346133336666316436663039366339653232316637653837623861623638646232303336633730
-3335623432656632620a386530373363663264613331333161396338613738336666396133616166
-38656632353536666636353430623533656434336561383536303936613062663238316337376563
-62396530373830383731643664653463383264663335373733633633313064633138626661616565
-33323732353134333861373830613464613033626533636562626661633431363332326130396538
-33326366663435613463383738323733303034353230633366323431666338363836353232643138
-33373636616339313232646462376338383934383733623062336539343935313733653130373431
-33313562383266313530663764366664396665346137366435613737613434653534633834633631
-35306361346466333664393131326661333561643439323839326531363864616437653866393164
-66343961353933663434383435663838343532626637323130343237363830393936356361383865
-63613837353339346162366339353234356164653230343066333433326463633239613263323232
-33663330313365386635323634646633373063643365303762616562376365613131643031343665
-31616564363362316263333730386633396632613562356232326436336265373036376438656234
-36303764313664633433393133376339326361383530333262653161383266356437363636363334
-3165
+32343662343634383766623432666235306632646232643563316262373733373865383234313135
+3131663166623734313062346134363132336636666562610a313738353461323262313563663635
+36343036616631663532363533653838626339366561623433306133613261323963383530376133
+3438353534313266340a633838396638613834626463303231336631326532373465646630396639
+35306162336131323537653436353332316461336538333934376530626366353331323732636634
+66303762383130373331343835623630616632323934313634356537343965373037376238363732
+66306565643135646264333336623337336166363065373664346164373961326561623930636137
+34613638623763373564326165396161303439656662386634326539643638393766316635373863
+32663638633431386238346363366534613864326431626362636236323332633063653731313138
+66393265623462393264396264643830336434633062393632373736306264353263393462653664
+66343437616265353266303962626333643730653533393261643165346634373731633435393530
+35383266366136623638393865353861383236333531333530306231643635343234363739326639
+64323965343130343532396534303437396232613835633230613566343365396139346637646439
+31393235623263373238313239383835653532303932653531343264393165343739333236386465
+61373937646633323538363837656361666261356162323132613138376538313365626462393464
+36666363623530656232666662353038353433613264326639363765386431616564396264643666
+30313432326235393235376466356435366339383936323061613438653565333565

upp-elasticsearch-provisioner/cloudformation/upp-concepts.yml

@@ -13,6 +13,21 @@ Parameters:
   ClusterName:
     Description: The name of the ES cluster
     Type: String
+  AccountID:
+    Description: AWS Account ID for Test or Prod
+    Type: String
+    AllowedValues:
+      # ft-tech-content-platform-test
+      - '070529446553'
+      # ft-tech-content-platform-prod
+      - '469211898354'
+  Region:
+    Description: AWS region - only used to generate the domain access policy 
+    Type: String
+    AllowedValues:
+      - 'eu-west-1'
+      - 'us-east-1'
+    Default: eu-west-1
 
 Resources:
   ElasticsearchDomain:
@@ -41,7 +56,7 @@ Resources:
             Principal:
               AWS: "arn:aws:iam::027104099916:user/content-containers-apps"
             Action: "es:*"
-            Resource: !Join [ "", [ "arn:aws:es:eu-west-1:027104099916:domain/", !Ref ClusterName, "/*" ] ]
+            Resource: !Join [ "", [ "arn:aws:es:", !Ref Region, ":", !Ref AccountID, ":domain/", !Ref ClusterName, "/*" ] ]
       AdvancedOptions:
         rest.action.multi.allow_explicit_index: "true"
       Tags:

upp-elasticsearch-provisioner/cloudformation/upp-sapi-v1.yml

@@ -13,6 +13,22 @@ Parameters:
   ClusterName:
     Description: Which delivery cluster this ES service is attached to (eg. prod-uk).  Must be no more than 12 characters.
     Type: String
+  AccountID:
+    Description: AWS Account ID for Test or Prod
+    Type: String
+    AllowedValues:
+      # ft-tech-content-platform-test
+      - '070529446553'
+      # ft-tech-content-platform-prod
+      - '469211898354'
+    Default: 070529446553
+  Region:
+    Description: AWS region - only used to generate the domain access policy 
+    Type: String
+    AllowedValues:
+      - 'eu-west-1'
+      - 'us-east-1'
+    Default: eu-west-1
 
 Resources:
   ElasticsearchDomain:
@@ -37,31 +53,12 @@ Resources:
       AccessPolicies:
         Version: "2012-10-17"
         Statement:
-          -
-            Effect: "Allow"
-            Principal:
-              AWS: "*"
-            Action: "es:*"
-            Resource: !Join [ "", [ "arn:aws:es:eu-west-1:027104099916:domain/", !Ref ClusterName, "/*" ] ]
-            Condition:
-              IpAddress:
-                aws:SourceIP:
-                  # OSB + LDNWebPerf
-                  - "82.136.1.214/32"
-                  # Park Royal
-                  - "213.216.148.1/32"
-                  # iQuest - Cluj office
-                  - "194.117.242.0/23"
-                  # EU VPN Client
-                  - "62.25.64.1/32"
-                  # US VPN Client
-                  - "64.210.200.1/32"
           -
             Effect: "Allow"
             Principal:
               AWS: "arn:aws:iam::027104099916:user/content-containers-apps"
             Action: "es:*"
-            Resource: !Join [ "", [ "arn:aws:es:eu-west-1:027104099916:domain/", !Ref ClusterName, "/*" ] ]
+            Resource: !Join [ "", [ "arn:aws:es:", !Ref Region, ":", !Ref AccountID, ":domain/", !Ref ClusterName, "/*" ] ]
       AdvancedOptions:
         rest.action.multi.allow_explicit_index: "true"
       Tags: