diff --git a/pkg/manifest/service.go b/pkg/manifest/service.go
index 0018dcd2f4..d97a7d26a6 100644
--- a/pkg/manifest/service.go
+++ b/pkg/manifest/service.go
@@ -31,6 +31,7 @@ type Service struct {
 Termination ServiceTermination `yaml:"termination,omitempty"`
 Test string `yaml:"test,omitempty"`
 Volumes []string `yaml:"volumes,omitempty"`
+ Whitelist string `yaml:"whitelist,omitempty"`
 }

 type Services []Service
diff --git a/provider/aws/formation/service.json.tmpl b/provider/aws/formation/service.json.tmpl
index 35475e378c..2db6861fc9 100644
--- a/provider/aws/formation/service.json.tmpl
+++ b/provider/aws/formation/service.json.tmpl
@@ -238,7 +238,7 @@
 {{ end }}
 "Properties": {
 "Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if .Internal }}Internal{{ end }}" } } ],
- "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Join": [ ".", [ "{{$.App}}-{{.Name}}", { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Host" } } ] ] } ] } ],
+ "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Join": [ ".", [ "{{$.App}}-{{.Name}}", { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Host" } } ] ] } ] }, { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
 "ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Listener80" } },
 "Priority": "{{ priority $.App .Name "default" -1 }}"
 }
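Review bot: The new `Whitelist` field in the pkg/manifest/service.go hunk has no comment, and nothing there says what the string must contain. Judging by the `safeWhitelist` helper added in provider/aws/template.go, it is a comma-separated list of CIDR blocks and an empty value means no restriction, so I would add `// Whitelist is a comma-separated list of CIDR blocks allowed to reach the service through the balancer; empty allows any source.` above it. Manifest validation is outside this hunk; if it does not already check the entries, a malformed value will only surface when the stack update fails. The struct starts before the hunk.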
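Review bot: The added `source-ip` condition in the rule at -238 renders a trailing comma after the last address, because `{{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }}` emits `,` on every iteration. With the default the output is `[ "0.0.0.0/0", ]`, which is not valid JSON unless the rendered template is post-processed by something lenient. Each entry is also placed between hand-written quotes without escaping, so a manifest value containing `"` could alter the generated template. I would write `{{ range $i, $cidr := safeWhitelist .Whitelist }}{{ if $i }}, {{ end }}{{ safe $cidr }}{{ end }}` instead, using the `safe` helper shown in provider/aws/template.go. The same line is repeated in the hunks at -250, -271, -281, -303 and -315.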
@@ -250,7 +250,7 @@
 {{ end }}
 "Properties": {
 "Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if .Internal }}Internal{{ end }}" } } ],
- "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Join": [ ".", [ "{{$.App}}-{{.Name}}", { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Host" } } ] ] } ] } ],
+ "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Join": [ ".", [ "{{$.App}}-{{.Name}}", { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Host" } } ] ] } ] }, { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
 "ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Listener443" } },
 "Priority": "{{ priority $.App .Name "default" -1 }}"
 }
@@ -271,7 +271,7 @@
 "Condition": "InternalDomainsAndRouteHttp",
 "Properties": {
 "Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if .Internal }}Internal{{ end }}" } } ],
- "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Sub": "{{.Name}}.{{$.App}}.${Rack}.convox" } ] } ],
+ "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Sub": "{{.Name}}.{{$.App}}.${Rack}.convox" } ] } , { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
 "ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Listener80" } },
 "Priority": "{{ priority $.App .Name "internal" -1 }}"
 }
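Review bot: With no whitelist set, the Listener443 rule at -250 (like the other five rules) now carries a `source-ip` condition of `0.0.0.0/0`, which changes the behaviour of every existing service. That block covers IPv4 only, so if the balancer is dual-stack, IPv6 clients would stop matching the rule; it also spends one of the limited condition values per rule on a match that restricts nothing. I would leave the condition out when the field is empty, e.g. `{{ if .Whitelist }}, { "Field": "source-ip", "SourceIpConfig": { "Values": [ … ] } }{{ end }}`. Requests that fail the condition fall through to lower-priority rules or the listener's default action, which is outside this hunk and worth checking so that a rejected source does not end up on another target. The condition is evaluated against the address connecting to the balancer, not `X-Forwarded-For`, which deserves a sentence in the feature's documentation.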
@@ -281,7 +281,7 @@
 "Condition": "InternalDomains",
 "Properties": {
 "Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if .Internal }}Internal{{ end }}" } } ],
- "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Sub": "{{.Name}}.{{$.App}}.${Rack}.convox" } ] } ],
+ "Conditions": [ { "Field": "host-header", "Values": [ { "Fn::Sub": "{{.Name}}.{{$.App}}.${Rack}.convox" } ] } , { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
 "ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router .Name $.Manifest }}Listener443" } },
 "Priority": "{{ priority $.App .Name "internal" -1 }}"
 }
@@ -303,7 +303,7 @@
 {{ end }}
 "Properties": {
 "Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if $.Service.Internal }}Internal{{ end }}" } } ],
- "Conditions": [ { "Field": "host-header", "Values": [ "{{$domain}}" ] } ],
+ "Conditions": [ { "Field": "host-header", "Values": [ "{{$domain}}" ] } , { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
 "ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router $.Service.Name $.Manifest }}Listener80" } },
 "Priority": "{{ priority $.App $.Service.Name $domain $i }}"
 }
@@ -315,7 +315,7 @@
 {{ end }}
 "Properties": {
 "Actions": [ { "Type": "forward", "TargetGroupArn": { "Ref": "BalancerTargetGroup{{ if $.Service.Internal }}Internal{{ end }}" } } ],
- "Conditions": [ { "Field": "host-header", "Values": [ "{{$domain}}" ] } ],
+ "Conditions": [ { "Field": "host-header", "Values": [ "{{$domain}}" ] } , { "Field": "source-ip", "SourceIpConfig": { "Values": [ {{ range safeWhitelist .Whitelist }} "{{ . }}", {{ end }} ] } } ],
 "ListenerArn": { "Fn::ImportValue": { "Fn::Sub": "${Rack}:{{ router $.Service.Name $.Manifest }}Listener443" } },
 "Priority": "{{ priority $.App $.Service.Name $domain $i }}"
 }
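Review bot: In the two per-domain rules (hunks at -303 and -315) the added condition reads `.Whitelist`, while every other service attribute on the surrounding lines is reached through `$.Service` (`$.Service.Internal`, `$.Service.Name`), and `$domain`/`$i` look like range variables. If `.` is the domain inside that loop, which starts outside the hunk, `.Whitelist` will either fail at render time or not refer to the service at all. `{{ range safeWhitelist $.Service.Whitelist }}` would match the neighbouring lines. A render test with a service that declares custom domains would catch this.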
diff --git a/provider/aws/template.go b/provider/aws/template.go
index 49c274dd21..5fd0d6b6a2 100644
--- a/provider/aws/template.go
+++ b/provider/aws/template.go
@@ -75,6 +75,13 @@ func formationHelpers() template.FuncMap {
 "safe": func(s string) template.HTML {
 return template.HTML(fmt.Sprintf("%q", s))
 },
+ "safeWhitelist": func(s string) []string {
+ if s == "" {
+ return []string{"0.0.0.0/0"}
+ } else {
+ return strings.Split(s,",")
+ }
+ },
 "services": func(m *manifest.Manifest) string {
 if m == nil {
 return ""
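Review bot: `safeWhitelist` passes the manifest string through unchecked, so despite the name nothing is made safe before it reaches the template. `strings.Split(s,",")` keeps surrounding spaces (an input such as `"10.0.0.0/8, 192.168.1.0/24"` yields `" 192.168.1.0/24"`), keeps empty entries from a stray comma, and never confirms that an entry is a CIDR block. Template functions may return an error as a second value, so the helper can trim and validate each entry with `net.ParseCIDR` and fail the render on a bad one rather than emit it. The `else` after `return` is also unnecessary and the call is not gofmt-formatted. Whether `strings` and `net` are imported is outside the hunk, as is the rest of `formationHelpers`.

```go
"safeWhitelist": func(s string) ([]string, error) {
	if strings.TrimSpace(s) == "" {
		return []string{"0.0.0.0/0"}, nil
	}
	parts := strings.Split(s, ",")
	cidrs := make([]string, 0, len(parts))
	for _, p := range parts {
		c := strings.TrimSpace(p)
		// Reject anything that is not a CIDR block before it is written into the template.
		if _, _, err := net.ParseCIDR(c); err != nil {
			return nil, fmt.Errorf("invalid whitelist entry %q: %v", c, err)
		}
		cidrs = append(cidrs, c)
	}
	return cidrs, nil
},
```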