Correct the security-groups in cf spaces #5797

@akf

Description

For proper network egress access, spaces with "egress" apps should have the public_networks_egress security group, and spaces with protected apps should have the trusted_local_networks_egress group. Currently, some spaces have public_networks_egress bound that should not have it.

This applies to the running ASGs only; staging ASGs are typically more permissive.

This probably is encoded in terraform somewhere?

How to reproduce

Run this cf cli command to examine the current bindings of security groups to spaces:

cf security-groups | grep gsa-datagov | grep running

Checking another way, processes running on an app that is supposed to use an egress proxy should not be able to reach arbitrary internet sites directly. You can test this by running something like the following from the app command line (assuming curl etc. are present) to clear the proxy settings and then attempt a direct connection:

$ unset HTTP_PROXY HTTPS_PROXY http_proxy https_proxy   # curl honours both the upper- and lower-case variables
$ curl https://yahoo.com
curl: (7) Failed to connect to yahoo.com port 443 after 3 ms: Could not connect to server

Note: If you see `curl: (56) CONNECT tunnel failed, response 403`, the request still went through the proxy (that 403 is a response from caddy), which means the proxy variables were not actually cleared and these instructions are probably incorrect!

Expected behavior

cf security-groups | grep gsa-datagov | grep running

shows public_networks_egress bound to all egress spaces, and trusted_local_networks_egress bound to all others.
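The two checks above (the `cf security-groups | grep gsa-datagov | grep running` listing, and the expected-behavior rule that egress spaces get public_networks_egress and all other spaces get trusted_local_networks_egress) can be turned into a small audit script. The following is an added example and is not code from this issue or from the datagov project. It assumes that `cf security-groups` (cf CLI v8) prints a table with the columns `name  organization  space  lifecycle`, and that a space counts as an "egress" space when its name contains "egress"; the sample output, space names and bindings embedded in it are constructed for illustration.

```python
"""Audit running-lifecycle ASG bindings against the policy in this issue.

Added example (not from the issue or the datagov project). Assumptions:
  * `cf security-groups` output is a whitespace-separated table whose
    header row starts with `name` and has the columns
    name / organization / space / lifecycle (cf CLI v8 format);
  * a space is an "egress" space when its name contains "egress".
Run as:  cf security-groups | python3 audit_asgs.py
"""
import sys
from typing import Dict, List, Set, Tuple

ORG = "gsa-datagov"
EGRESS_GROUP = "public_networks_egress"
PROTECTED_GROUP = "trusted_local_networks_egress"

# Constructed sample output; space names and bindings are invented.
# `management` is the deliberately misbound space.
SAMPLE_OUTPUT = """\
Getting security groups as admin...

name                            organization   space           lifecycle
public_networks_egress          gsa-datagov    prod-egress     running
public_networks_egress          gsa-datagov    prod-egress     staging
trusted_local_networks_egress   gsa-datagov    prod            running
public_networks_egress          gsa-datagov    prod            staging
public_networks_egress          gsa-datagov    management      running
public_networks_egress          other-org      sandbox         running
"""


def is_egress_space(space: str) -> bool:
    """Assumed naming convention: egress spaces carry 'egress' in the name."""
    return "egress" in space


def parse_bindings(output: str, org: str = ORG) -> Dict[Tuple[str, str], Set[str]]:
    """Map (space, lifecycle) -> set of bound security-group names for one org."""
    bindings: Dict[Tuple[str, str], Set[str]] = {}
    in_table = False
    for raw in output.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if not in_table:
            # Everything before the header row is cf CLI chatter.
            in_table = fields[0] == "name"
            continue
        if len(fields) != 4:
            continue  # not a data row in the assumed format
        name, row_org, space, lifecycle = fields
        if row_org != org:
            continue
        bindings.setdefault((space, lifecycle), set()).add(name)
    return bindings


def audit(output: str, org: str = ORG) -> Dict[str, List[str]]:
    """Return {space: [problems]} for running-lifecycle bindings only.

    Staging ASGs are intentionally more permissive, so they are skipped.
    """
    problems: Dict[str, List[str]] = {}
    for (space, lifecycle), groups in sorted(parse_bindings(output, org).items()):
        if lifecycle != "running":
            continue
        expected = EGRESS_GROUP if is_egress_space(space) else PROTECTED_GROUP
        other = {EGRESS_GROUP, PROTECTED_GROUP} - {expected}
        issues: List[str] = []
        if expected not in groups:
            issues.append(f"missing {expected}")
        for g in sorted(groups & other):
            issues.append(f"unexpected {g}")
        if issues:
            problems[space] = issues
    return problems


def main() -> int:
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    findings = audit(text)
    for space, issues in findings.items():
        print(f"{space}: {'; '.join(issues)}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

One caveat the script shares with the grep listing: a space whose only binding is the platform-wide default "DNS" group does not appear in the `cf security-groups` table at all, so it is neither listed nor flagged; cross-check the set of spaces against `cf spaces` if you need to catch spaces with no explicit running ASG.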

Note: There is also a "DNS" group that should be bound, and is, but it is bound as a default for all spaces, so it won't appear in the listing. At least I think that's how it works; if the suggested change causes problems that would be something to try.

Additionally, everything still works! If an app incorrectly had the more-open security group, it's possible that some process running on it would be running successfully without having been provided the egress proxy URL and credentials.

Metadata

Labels: O&M (Operations and maintenance tasks for the Data.gov platform), bug (Software defect or bug), security (Pull requests that address a security vulnerability)
Status: 📥 Queue