From 4396548173de23045611cbebd8606ca47e9af9ea Mon Sep 17 00:00:00 2001
From: Michal Charemza
Date: Thu, 30 May 2024 15:18:02 +0100
Subject: [PATCH] feat: filter DNS queries from the datasets VPC using the Route53 Firewall
We don't know of any particular thing in the datasets VPC that allows users to make DNS queries, especially to unauthorised servers, so this is a defense in depth/just in case change. We are soon to put ArrangoDB in the dame VPC, so I think it makes sense to tighten things down as we increase the surface area otherwise. It is set to only allow queries to amazonaws.com domains, and block everything else. While we might be able to block it further in future, this is a step forward in terms of locking things down. In the notebooks VPC we have a similar setup, but with what is essentially our own custom firewall, written before the Route53 Firewall existed. If this goes well, potentially we could shut that down in favour of this for the notebooks VPC.
---
 infra/vpc.tf | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/infra/vpc.tf b/infra/vpc.tf
index f4866da..a284987 100644
--- a/infra/vpc.tf
+++ b/infra/vpc.tf
@@ -314,6 +314,44 @@ resource "aws_vpc" "datasets" {
 }
 }
 
+resource "aws_route53_resolver_firewall_domain_list" "datasets_amazonaws" {
+ name = "${var.prefix}-datasets-amazonaws"
+ domains = ["*.amazonaws.com."]
+}
+
+resource "aws_route53_resolver_firewall_domain_list" "datasets_all" {
+ name = "${var.prefix}-datasets-all-domains"
+ domains = ["*."]
+}
+
+resource "aws_route53_resolver_firewall_rule_group" "datasets_allow_amazonaws_block_otherwise" {
+ name = "${var.prefix}-datasets-allow-amazonaws-block-otherwise"
+}
+
+resource "aws_route53_resolver_firewall_rule_group_association" "datasets_allow_amazonaws_block_otherwise" {
+ name = "${var.prefix}-datasets-allow-amazonaws-block-otherwise"
+ firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.datasets_allow_amazonaws_block_otherwise.id
+ priority = 1000
+ vpc_id = aws_vpc.datasets.id
+}
+
+resource "aws_route53_resolver_firewall_rule" "datasets_allow_amazonaws" {
+ name = "${var.prefix}-allow-amazonaws"
+ action = "ALLOW"
+ firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.datasets_amazonaws.id
+ firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.datasets_allow_amazonaws_block_otherwise.id
+ priority = 100
+}
+
+resource "aws_route53_resolver_firewall_rule" "datasets_block_otherwise" {
+ name = "${var.prefix}-block-all"
+ action = "BLOCK"
+ block_response = "NXDOMAIN"
+ firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.datasets_all.id
+ firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.datasets_allow_amazonaws_block_otherwise.id
+ priority = 200
+}
+
 resource "aws_flow_log" "datasets" {
 log_destination_type = "s3"
 log_destination = "arn:aws:s3:::flowlog-${data.aws_caller_identity.aws_caller_identity.account_id}/${aws_vpc.datasets.id}"
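Review bot: The new `aws_route53_resolver_firewall_rule_group_association.datasets_allow_amazonaws_block_otherwise` sets no `mutation_protection`, so the only deny-by-default DNS control on the datasets VPC can be edited or detached without any guard; adding `mutation_protection = "ENABLED"` to that resource closes that gap. Nothing in the hunk records what the BLOCK rule rejects, and with `block_response = "NXDOMAIN"` a client only sees a missing name, so pairing this with an `aws_route53_resolver_query_log_config` associated to the VPC would surface the `firewall_rule_action` per query that you will need to spot breakage or unexpected lookups once the rules are live. DNS Firewall evaluates only queries that reach the VPC's Route 53 Resolver, so a comment on the rule group such as `# Only covers queries via the VPC resolver; egress to other resolvers on 53/853 is assumed blocked by SG/NACL` would keep that assumption visible to the next reader. I believe the `*.amazonaws.com.` wildcard matches subdomains but not the apex `amazonaws.com` itself, so if that name is ever needed it should be a second entry in the `datasets_amazonaws` list.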