From d4848a67b5e2923b83464a0ad5d203585f80b44f Mon Sep 17 00:00:00 2001
From: Carlo Costino
Date: Thu, 10 Aug 2023 18:02:45 -0400
Subject: [PATCH] Switch to using FIPS-enabled endpoints
This changeset switches AWS service touchpoints to use their FIPS-enabled counterparts. Note that S3 has some specific configuration associated with it. This changeset also updates our allow ACLs to cover the FIPS-enabled endpoints. We should investigate removing the non-FIPS endpoints as a part of this.
Signed-off-by: Carlo Costino
---
 app/aws/s3.py | 9 +++++++-
 app/clients/__init__.py | 21 ++++++++++++++-----
 app/clients/cloudwatch/aws_cloudwatch.py | 5 +++--
 app/clients/email/aws_ses.py | 9 ++++++--
 app/clients/sms/aws_sns.py | 4 +++-
 .../egress_proxy/notify-api-demo.allow.acl | 9 ++++++++
 .../notify-api-production.allow.acl | 4 ++++
 .../egress_proxy/notify-api-staging.allow.acl | 8 +++++++
 8 files changed, 58 insertions(+), 11 deletions(-)
diff --git a/app/aws/s3.py b/app/aws/s3.py
index d48cbd083..c47653b64 100644
--- a/app/aws/s3.py
+++ b/app/aws/s3.py
@@ -2,6 +2,8 @@ import botocore
 from boto3 import Session
 from flask import current_app
+from app.clients import AWS_CLIENT_CONFIG
+
 FILE_LOCATION_STRUCTURE = 'service-{}-notify/{}.csv'
@@ -15,7 +17,12 @@ def get_s3_file(
 def get_s3_object(
 bucket_name, file_location, access_key, secret_key, region
 ):
- session = Session(aws_access_key_id=access_key, aws_secret_access_key=secret_key, region_name=region)
+ session = Session(
+ aws_access_key_id=access_key,
+ aws_secret_access_key=secret_key,
+ region_name=region,
+ config=AWS_CLIENT_CONFIG
+ )
 s3 = session.resource('s3')
 return s3.Object(bucket_name, file_location)
diff --git a/app/clients/__init__.py b/app/clients/__init__.py
index 4553dfc48..0df4ca889 100644
--- a/app/clients/__init__.py
+++ b/app/clients/__init__.py
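Review bot: `Session(...)` in get_s3_object is passed `config=AWS_CLIENT_CONFIG`, but boto3's `Session` constructor has no `config` parameter (it accepts credentials, `region_name`, `botocore_session` and `profile_name`), so this call raises a TypeError before any FIPS endpoint is reached. The botocore `Config` belongs on the client/resource factory, so the fix is to drop `config=AWS_CLIENT_CONFIG` from the `Session(...)` call and pass it as `s3 = session.resource('s3', config=AWS_CLIENT_CONFIG)`. The three other clients in this patch hand the same object to `boto3.client(...)`, which does accept it, so only the S3 path is affected. A test that builds the session against real boto3 and asserts the resolved endpoint (`s3.meta.client.meta.endpoint_url`) is an `s3-fips` host would catch both this and any future regression.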
@@ -1,3 +1,19 @@
+from botocore.config import Config
+
+AWS_CLIENT_CONFIG = Config(
+ # This config is required to enable S3 to connect to FIPS-enabled
+ # endpoints. See https://aws.amazon.com/compliance/fips/ for more
+ # information.
+ s3={
+ 'addressing_style': 'virtual',
+ },
+ use_fips_endpoint=True
+)
+STATISTICS_REQUESTED = 'requested'
+STATISTICS_DELIVERED = 'delivered'
+STATISTICS_FAILURE = 'failure'
+
+
 class ClientException(Exception):
 '''
 Base Exceptions for sending notifications that fail
@@ -12,11 +28,6 @@ class Client(object):
 pass
-STATISTICS_REQUESTED = 'requested'
-STATISTICS_DELIVERED = 'delivered'
-STATISTICS_FAILURE = 'failure'
-
-
 class NotificationProviderClients(object):
 sms_clients = {}
 email_clients = {}
diff --git a/app/clients/cloudwatch/aws_cloudwatch.py b/app/clients/cloudwatch/aws_cloudwatch.py
index 532472295..04e8e995c 100644
--- a/app/clients/cloudwatch/aws_cloudwatch.py
+++ b/app/clients/cloudwatch/aws_cloudwatch.py
@@ -4,7 +4,7 @@ import time
 from boto3 import client
-from app.clients import Client
+from app.clients import AWS_CLIENT_CONFIG, Client
 from app.cloudfoundry_config import cloud_config
@@ -18,7 +18,8 @@ class AwsCloudwatchClient(Client):
 "logs",
 region_name=cloud_config.sns_region,
 aws_access_key_id=cloud_config.sns_access_key,
- aws_secret_access_key=cloud_config.sns_secret_key
+ aws_secret_access_key=cloud_config.sns_secret_key,
+ config=AWS_CLIENT_CONFIG
 )
 super(Client, self).__init__(*args, **kwargs)
 self.current_app = current_app
diff --git a/app/clients/email/aws_ses.py b/app/clients/email/aws_ses.py
index 6bd4050df..cc4ef6d0c 100644
--- a/app/clients/email/aws_ses.py
+++ b/app/clients/email/aws_ses.py
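Review bot: The comment on `AWS_CLIENT_CONFIG` explains only the S3 addressing style, yet this one `Config` is now shared by the logs, SES and SNS clients too, and `use_fips_endpoint=True` is hard-coded instead of being left to the `AWS_USE_FIPS_ENDPOINT` environment variable / shared-config setting that botocore already honours, so it cannot be turned off for an environment (e.g. local development against an S3 emulator) without a code change. It is also worth recording that this flag only changes which endpoint hostname is resolved — it does not make the client's TLS use a FIPS-validated crypto module, which depends on the OpenSSL the Python runtime is linked against — and that, as far as I know, a region lacking a FIPS variant for a service makes endpoint resolution fail rather than fall back silently. Suggested header comment for the constant: `# Shared botocore Config for every AWS client in this app. use_fips_endpoint only selects the *-fips.* hostnames;` / `# FIPS-validated TLS still depends on the runtime's OpenSSL, and regions without a FIPS endpoint fail to resolve.`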
@@ -4,7 +4,11 @@ import botocore
 from boto3 import client
 from flask import current_app
-from app.clients import STATISTICS_DELIVERED, STATISTICS_FAILURE
+from app.clients import (
+ AWS_CLIENT_CONFIG,
+ STATISTICS_DELIVERED,
+ STATISTICS_FAILURE,
+)
 from app.clients.email import (
 EmailClient,
 EmailClientException,
@@ -62,7 +66,8 @@ class AwsSesClient(EmailClient):
 'ses',
 region_name=cloud_config.ses_region,
 aws_access_key_id=cloud_config.ses_access_key,
- aws_secret_access_key=cloud_config.ses_secret_key
+ aws_secret_access_key=cloud_config.ses_secret_key,
+ config=AWS_CLIENT_CONFIG
 )
 super(AwsSesClient, self).__init__(*args, **kwargs)
diff --git a/app/clients/sms/aws_sns.py b/app/clients/sms/aws_sns.py
index 45bff2917..dbba5e8ff 100644
--- a/app/clients/sms/aws_sns.py
+++ b/app/clients/sms/aws_sns.py
@@ -5,6 +5,7 @@ import botocore
 import phonenumbers
 from boto3 import client
+from app.clients import AWS_CLIENT_CONFIG
 from app.clients.sms import SmsClient
 from app.cloudfoundry_config import cloud_config
@@ -19,7 +20,8 @@ class AwsSnsClient(SmsClient):
 "sns",
 region_name=cloud_config.sns_region,
 aws_access_key_id=cloud_config.sns_access_key,
- aws_secret_access_key=cloud_config.sns_secret_key
+ aws_secret_access_key=cloud_config.sns_secret_key,
+ config=AWS_CLIENT_CONFIG
 )
 super(SmsClient, self).__init__(*args, **kwargs)
 self.current_app = current_app
diff --git a/deploy-config/egress_proxy/notify-api-demo.allow.acl b/deploy-config/egress_proxy/notify-api-demo.allow.acl
index 4566d5a0c..ffc2d8273 100644
--- a/deploy-config/egress_proxy/notify-api-demo.allow.acl
+++ b/deploy-config/egress_proxy/notify-api-demo.allow.acl
@@ -1,5 +1,14 @@
+logs.us-east-1.amazonaws.com
+logs-fips.us-east-1.amazonaws.com
 monitoring.us-west-2.amazonaws.com
+monitoring-fips.us-west-2.amazonaws.com
 email.us-west-2.amazonaws.com
+email-fips.us-west-2.amazonaws.com
+s3-fips.us-east-1.amazonaws.com
+s3-fips.us-east-2.amazonaws.com
+s3-fips.us-west-1.amazonaws.com
+s3-fips.us-west-2.amazonaws.com
 sns.us-east-1.amazonaws.com
+sns-fips.us-east-1.amazonaws.com
 gov-collector.newrelic.com
 egress-proxy-notify-api-demo.apps.internal
diff --git a/deploy-config/egress_proxy/notify-api-production.allow.acl b/deploy-config/egress_proxy/notify-api-production.allow.acl
index 17f909bbb..31718a7bb 100644
--- a/deploy-config/egress_proxy/notify-api-production.allow.acl
+++ b/deploy-config/egress_proxy/notify-api-production.allow.acl
@@ -1,5 +1,9 @@
+logs.us-gov-west-1.amazonaws.com
 monitoring.us-west-2.amazonaws.com
 email.us-gov-west-1.amazonaws.com
+email-fips.us-gov-west-1.amazonaws.com
+s3-fips.us-gov-east-1.amazonaws.com
+s3-fips.us-gov-west-1.amazonaws.com
 sns.us-gov-west-1.amazonaws.com
 gov-collector.newrelic.com
 egress-proxy-notify-api-production.apps.internal
diff --git a/deploy-config/egress_proxy/notify-api-staging.allow.acl b/deploy-config/egress_proxy/notify-api-staging.allow.acl
index f6f592295..eb984390e 100644
--- a/deploy-config/egress_proxy/notify-api-staging.allow.acl
+++ b/deploy-config/egress_proxy/notify-api-staging.allow.acl
@@ -1,6 +1,14 @@
 logs.us-west-2.amazonaws.com
+logs-fips.us-west-2.amazonaws.com
 monitoring.us-west-2.amazonaws.com
+monitoring-fips.us-west-2.amazonaws.com
 email.us-west-2.amazonaws.com
+email-fips.us-west-2.amazonaws.com
+s3-fips.us-east-1.amazonaws.com
+s3-fips.us-east-2.amazonaws.com
+s3-fips.us-west-1.amazonaws.com
+s3-fips.us-west-2.amazonaws.com
 sns.us-west-2.amazonaws.com
+sns-fips.us-west-2.amazonaws.com
 gov-collector.newrelic.com
 egress-proxy-notify-api-staging.apps.internal
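Review bot: With `addressing_style: 'virtual'` in AWS_CLIENT_CONFIG the S3 client talks to `<bucket>.s3-fips.<region>.amazonaws.com`, not the bare `s3-fips.<region>.amazonaws.com` hostnames added here (and in the production and staging lists below), so unless the egress proxy treats an entry as a suffix match covering subdomains, S3 requests will still be denied — please confirm the proxy's matching rule and, if the file format allows comments, record it next to these entries, e.g. `# entries also match subdomains, e.g. <bucket>.s3-fips.us-east-1.amazonaws.com`. The production list gains `email-fips.us-gov-west-1` and `s3-fips.us-gov-*` but no `-fips` variant for logs or sns; botocore's FIPS variants for several GovCloud services resolve to the same hostname as the standard endpoint, but that should be verified from what the client actually resolves (`client.meta.endpoint_url`) rather than assumed. Keeping the non-FIPS hostnames alongside the new ones means the proxy no longer proves that the FIPS endpoints are the ones in use; the commit message already flags their removal, so a tracked follow-up for that would be worth linking here.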