README
¶
upmyip
Overview
This is a solution to maintaining an IP allow list on a service using Security Groups in AWS. It gives a cli to end users that they can run to first look up their public-facing IP address, and to then send it along to a lambda that will revoke any old IP address for that user, and authorize the new one.
The lambda and CLI are both written in Go, and deployment and adding users happens via the included CloudFormation scripts (see aws/README.md). The CLI reads its credentials from its own config file (and not from ~/.aws, this was done to keep it simple to roll out to users).
WARNING
If you want to keep something secure, then put it behind a VPN. This solution is just meant to reduce the attack surface, but doesn't offer any real protection.
I TAKE NO RESPONSIBILITY FOR THIS WORKING OR NOT WORKING. ASSUME IT DOESN'T WORK, AND THEN PROVE TO YOURSELF THAT IT DOES BEFORE USING.
If you find something wrong/broken, please let me know and/or open a PR to help fix it!
Dev Setup
Note that building and packaging happen in the local folder (which is ignored by git).
Building the Lambda
- run
mage buildlambda- output is
local/lambda.zip
- output is
Note that deploying code changes to all running lambdas can be automated via some bash script in aws/README.md.
Building the CLI
- run
mage build- output is
local/upmyip[.exe]
- output is
- it will require a
upmyip.tomlconfig file in the current folder, in the form:lambda = "LAMBDA_FUNCTION_NAME" access_key = "ACCESS_KEY" secret_key = "SECRET"
AWS Setup
See aws/README.md.
Adding users
- For each new user, deploy the
per-user.yamlCF template in theawsfolder (see theREADMEin that folder for more specifics). - Create a
upmyip.tomlfor this user by hand (seeBuilding the CLIabove for an example). - Securely send the user the config file.
- Send the user the latest cli executable.
Directories