Skip to content

danbrakeley/upmyip

Repository files navigation

upmyip

Overview

This is a solution to maintaining an IP allow list on a service using Security Groups in AWS. It gives a cli to end users that they can run to first look up their public-facing IP address, and to then send it along to a lambda that will revoke any old IP address for that user, and authorize the new one.

The lambda and CLI are both written in Go, and deployment and adding users happens via the included CloudFormation scripts (see aws/README.md). The CLI reads its credentials from its own config file (and not from ~/.aws, this was done to keep it simple to roll out to users).

WARNING

If you want to keep something secure, then put it behind a VPN. This solution is just meant to reduce the attack surface, but doesn't offer any real protection.

I TAKE NO RESPONSIBILITY FOR THIS WORKING OR NOT WORKING. ASSUME IT DOESN'T WORK, AND THEN PROVE TO YOURSELF THAT IT DOES BEFORE USING.

If you find something wrong/broken, please let me know and/or open a PR to help fix it!

Dev Setup

  • Install a recent version of Go
  • Install Mage
    • There's a helper bash script for installing and upgrading Mage here: ./scripts/reinstall-mage.sh.
  • run mage to see the build targets, e.g.
    $ mage
    Targets:
      all            tests, builds, and packages all targets
      ci             runs all CI tasks
      lambda         tests, builds, and packages the lambda
      lambdaBuild    builds the lamda (output goes to "local" folder)
      lambdaZip      zips the lambda
      test           tests all packages
      upMyIP         tests and builds the upmyip cli app
      upMyIPBuild    builds the upmyip cli app
      upMyIPRun      runs the upmyip cli app in the "local" folder
    

Building and packaging happen in the local folder, which is ignored by git.

Building the Lambda

  • run mage lambda
    • output is local/lambda.zip

Note that deploying code changes to all running lambdas can be automated via some bash script in aws/README.md.

Building the CLI

  • run mage upmyip
    • output is local/upmyip[.exe]
  • it will require a upmyip.toml config file in the current folder, in the form:
    lambda = "LAMBDA_FUNCTION_NAME"
    access_key = "ACCESS_KEY"
    secret_key = "SECRET"
  • mage upmyiprun will run the most recently built upmyip inside the local folder (meaning your upmyip.toml file needs to be in the local folder as well)

AWS Setup

See aws/README.md.

Adding users

  • For each new user, deploy the per-user.yaml CF template in the aws folder (see the README in that folder for more specifics).
  • Create a upmyip.toml for this user by hand (see Building the CLI above for an example).
  • Securely send the user the config file.
  • Send the user the latest cli executable.

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Packages

No packages published