
restrict control plane access if soc2 enabled (#4509)

ianedwards 2 jaren geleden
bovenliggende
commit
94ee424afe

+ 9 - 1
.github/actions/build-npm/action.yml

@@ -2,8 +2,12 @@
 name: 'build-npm'
 description: builds the static dashboard files for the app
 
+inputs:
+  env_vars:
+    description: 'frontend env vars from Github action variables'
+
 runs:
-  using: "composite"
+  using: 'composite'
   steps:
     - name: Setup Node
       uses: actions/setup-node@v3
@@ -14,6 +18,10 @@ runs:
       run: |
         cd dashboard
         npm i --legacy-peer-deps
+    - name: Set Environment Variables
+      run: |
+        touch dashboard/.env
+        echo '${{ inputs.env_vars }}' > dashboard/.env
     - name: Run NPM Build
       shell: bash
       run: |
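Review bot: `echo '${{ inputs.env_vars }}' > dashboard/.env` in the Set Environment Variables step substitutes the input into the script text before the shell runs it, so a single quote anywhere in the variable's value terminates the quoting and whatever follows is interpreted as shell; the value should reach the step through `env:` and be written with `printf`, which is the pattern GitHub recommends for untrusted or free-form inputs. The same step declares no `shell:`, which every `run` step of a composite action must have (the neighbouring Run NPM Build step has `shell: bash`), and `touch dashboard/.env` is redundant once the redirect creates the file. The step log shows the expanded script, so the contents of `vars.DASHBOARD_ENV_SANDBOX`, `vars.DASHBOARD_ENV_INTERNAL_TOOLS` and `vars.DASHBOARD_ENV_PRODUCTION` passed by the three workflows become visible there, which is fine only as long as those repository variables hold nothing sensitive. In the first hunk, `env_vars` could carry `required: false` and `default: ''` to document that an empty `.env` is the intended fallback when a caller omits it.
```yaml
    - name: Set Environment Variables
      shell: bash
      env:
        DASHBOARD_ENV_VARS: ${{ inputs.env_vars }}
      run: printf '%s\n' "$DASHBOARD_ENV_VARS" > dashboard/.env
    # … unchanged: Run NPM Build step …
```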

+ 2 - 0
.github/workflows/porter_stack_porter-sandbox.yml

@@ -19,6 +19,8 @@ jobs:
         uses: actions/checkout@v3
       - name: build-npm
         uses: ./.github/actions/build-npm
+        with:
+          env_vars: ${{ vars.DASHBOARD_ENV_SANDBOX }}
 
   porter-deploy:
     runs-on: ubuntu-latest

+ 2 - 0
.github/workflows/porter_stack_porter-ui.yml

@@ -19,6 +19,8 @@ jobs:
         uses: actions/checkout@v3
       - name: build-npm
         uses: ./.github/actions/build-npm
+        with:
+          env_vars: ${{ vars.DASHBOARD_ENV_INTERNAL_TOOLS }}
 
   porter-deploy:
     runs-on: ubuntu-latest

+ 3 - 0
.github/workflows/production.yml

@@ -52,6 +52,9 @@ jobs:
         uses: actions/checkout@v3
       - name: build-npm
         uses: ./.github/actions/build-npm
+        with:
+          env_vars: ${{ vars.DASHBOARD_ENV_PRODUCTION }}
+
   deploy-porter:
     runs-on: ubuntu-latest
     needs: [ build-go, build-npm ]

+ 7 - 7
dashboard/package-lock.json

@@ -97,7 +97,7 @@
         "@babel/preset-typescript": "^7.15.0",
         "@ianvs/prettier-plugin-sort-imports": "^4.1.1",
         "@pmmmwh/react-refresh-webpack-plugin": "^0.4.3",
-        "@porter-dev/api-contracts": "^0.2.131",
+        "@porter-dev/api-contracts": "^0.2.142",
         "@testing-library/jest-dom": "^4.2.4",
         "@testing-library/react": "^9.3.2",
         "@testing-library/user-event": "^7.1.2",
@@ -2756,9 +2756,9 @@
       }
     },
     "node_modules/@porter-dev/api-contracts": {
-      "version": "0.2.131",
-      "resolved": "https://registry.npmjs.org/@porter-dev/api-contracts/-/api-contracts-0.2.131.tgz",
-      "integrity": "sha512-Ui66wdOQmWik6c6uvXn1m6SkcO7LO67BAqbkg8kY5F4YMHvusDhXEbq1Pl9FoaRQUsRk2OaZgxWXyTGj3wPYHQ==",
+      "version": "0.2.142",
+      "resolved": "https://registry.npmjs.org/@porter-dev/api-contracts/-/api-contracts-0.2.142.tgz",
+      "integrity": "sha512-WRIuZGQ8VXx6CIG4ODtfb+wlOSWCSJOm5uBXyn67eAwvNQsnj+RAzhSBqNUz+2XlIVGv2SET1BXV6uJhB2gQ8g==",
       "dev": true,
       "dependencies": {
         "@bufbuild/protobuf": "^1.1.0"
@@ -20079,9 +20079,9 @@
       "integrity": "sha512-P1st0aksCrn9sGZhp8GMYwBnQsbvAWsZAX44oXNNvLHGqAOcoVxmjZiohstwQ7SqKnbR47akdNi+uleWD8+g6A=="
     },
     "@porter-dev/api-contracts": {
-      "version": "0.2.131",
-      "resolved": "https://registry.npmjs.org/@porter-dev/api-contracts/-/api-contracts-0.2.131.tgz",
-      "integrity": "sha512-Ui66wdOQmWik6c6uvXn1m6SkcO7LO67BAqbkg8kY5F4YMHvusDhXEbq1Pl9FoaRQUsRk2OaZgxWXyTGj3wPYHQ==",
+      "version": "0.2.142",
+      "resolved": "https://registry.npmjs.org/@porter-dev/api-contracts/-/api-contracts-0.2.142.tgz",
+      "integrity": "sha512-WRIuZGQ8VXx6CIG4ODtfb+wlOSWCSJOm5uBXyn67eAwvNQsnj+RAzhSBqNUz+2XlIVGv2SET1BXV6uJhB2gQ8g==",
       "dev": true,
       "requires": {
         "@bufbuild/protobuf": "^1.1.0"

+ 1 - 1
dashboard/package.json

@@ -104,7 +104,7 @@
     "@babel/preset-typescript": "^7.15.0",
     "@ianvs/prettier-plugin-sort-imports": "^4.1.1",
     "@pmmmwh/react-refresh-webpack-plugin": "^0.4.3",
-    "@porter-dev/api-contracts": "^0.2.131",
+    "@porter-dev/api-contracts": "^0.2.142",
     "@testing-library/jest-dom": "^4.2.4",
     "@testing-library/react": "^9.3.2",
     "@testing-library/user-event": "^7.1.2",

+ 7 - 0
dashboard/src/main/home/compliance-dashboard/ComplianceContext.tsx

@@ -123,11 +123,18 @@ export const ProjectComplianceProvider: React.FC<
         return;
       }
 
+      const cidrAllowList = process.env.PORTER_CIDRS
+        ? process.env.PORTER_CIDRS.split(",")
+        : [];
+
       const updatedKindValues = match(latestContractProto.cluster.kindValues)
         .with({ case: "eksKind" }, ({ value }) => ({
           case: "eksKind" as const,
           value: new EKS({
             ...value,
+            ...(cidrAllowList.length > 0 && {
+              controlPlaneCidrAllowlist: cidrAllowList,
+            }),
             enableKmsEncryption: true,
             enableEcrScanning: true,
             logging: new EKSLogging({
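Review bot: `process.env.PORTER_CIDRS.split(",")` on the added lines keeps surrounding whitespace and empty segments, so a value such as `10.0.0.0/8, 10.1.0.0/16` or one with a trailing comma yields entries like `" 10.1.0.0/16"` or `""` in `controlPlaneCidrAllowlist`; normalise with `const cidrAllowList = (process.env.PORTER_CIDRS ?? "").split(",").map((c) => c.trim()).filter(Boolean);`. Because the spread is guarded by `cidrAllowList.length > 0`, a missing or empty variable silently produces a contract with no allowlist, which is the opposite of what the commit title intends; a `console.warn` or a thrown error in that branch would surface the misconfiguration instead of quietly leaving the control plane endpoint unrestricted. `process.env.PORTER_CIDRS` is presumably inlined when the dashboard is bundled, so the list is fixed per build and the `.env` written by the build-npm action is its only source. The enclosing `ProjectComplianceProvider` starts and ends outside the hunk.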

+ 1 - 1
go.mod

@@ -85,7 +85,7 @@ require (
 	github.com/matryer/is v1.4.0
 	github.com/nats-io/nats.go v1.24.0
 	github.com/open-policy-agent/opa v0.44.0
-	github.com/porter-dev/api-contracts v0.2.140
+	github.com/porter-dev/api-contracts v0.2.142
 	github.com/riandyrn/otelchi v0.5.1
 	github.com/santhosh-tekuri/jsonschema/v5 v5.0.1
 	github.com/stefanmcshane/helm v0.0.0-20221213002717-88a4a2c6e77d

+ 2 - 2
go.sum

@@ -1552,8 +1552,8 @@ github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/polyfloyd/go-errorlint v0.0.0-20210722154253-910bb7978349/go.mod h1:wi9BfjxjF/bwiZ701TzmfKu6UKC357IOAtNr0Td0Lvw=
-github.com/porter-dev/api-contracts v0.2.140 h1:AkAEAhcg7VsrkMxCInRtlYQbik/p+KvOUEri3IZLtek=
-github.com/porter-dev/api-contracts v0.2.140/go.mod h1:VV5BzXd02ZdbWIPLVP+PX3GKawJSGQnxorVT2sUZALU=
+github.com/porter-dev/api-contracts v0.2.142 h1:vpbrdAuDpC09boJWUCUkm0t455H9xOd1KfP3/M61zbg=
+github.com/porter-dev/api-contracts v0.2.142/go.mod h1:VV5BzXd02ZdbWIPLVP+PX3GKawJSGQnxorVT2sUZALU=
 github.com/porter-dev/switchboard v0.0.3 h1:dBuYkiVLa5Ce7059d6qTe9a1C2XEORFEanhbtV92R+M=
 github.com/porter-dev/switchboard v0.0.3/go.mod h1:xSPzqSFMQ6OSbp42fhCi4AbGbQbsm6nRvOkrblFeXU4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=

+ 5 - 0
zarf/helm/.dashboardenv

@@ -19,3 +19,8 @@ API_SERVER=http://localhost:8080
 # TRUST_ARN is used with the cloudformation pack, to allow supporting multiple AWS accounts as management accounts. Change MY_AWS_DEV_ACCOUNT_ID to your AWS developer account ID
 
 TRUST_ARN=arn:aws:iam::MY_AWS_DEV_ACCOUNT_ID:role/CAPIManagement
+
+# PORTER_CIDRS are a comma-separated list of CIDRs mapping to Porter infra. Used for restricting access to a customer's control plane endpoint
+# below example is for the office IP
+PORTER_CIDRS="135.84.167.61/32"
+
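Review bot: The example on `PORTER_CIDRS="135.84.167.61/32"` is described by the comment above it as the office IP, and a real address committed to a development env template is published along with the repository; an RFC 5737 documentation range such as `PORTER_CIDRS="203.0.113.0/24"` illustrates the format without disclosing infrastructure. The comment should also agree with the singular variable name: `# PORTER_CIDRS is a comma-separated list of CIDRs mapping to Porter infra.` Whether the surrounding quotes are stripped depends on the loader (dotenv-style parsers and a shell `source` both remove them), but `TRUST_ARN` two lines above is unquoted, so one convention should be used throughout the file.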