Create temporary security group with source IP restriction #2345

Closed
mvermaes opened this issue Jun 29, 2015 · 3 comments

Comments

@mvermaes
Contributor

Hi, I was wondering whether it would be possible to add the source IP of the instance running Packer (whether local or Atlas), to the temporary security group that is created to provide SSH access, when running the amazon-* builders (and I guess others as well).

I realize there is only a very small exposure window to the instance while it is being built (and that exposure is only to SSH in most scenarios). But I think limiting by source IP would provide some additional protection. Possibly there is a reason why this wouldn't be feasible though?

@cbednarski
Contributor

@mvermaes Unfortunately there are a lot of variables here that make determining your IP address infeasible. For instance, you might be using a VPN tunnel or bastion host, where your IP would look like a server. You might be assigned a private IP inside your VPC. You might have a public IP address, or could be going through a proxy. Packer doesn't know about any of this so it can't determine which IP address Amazon will see.

However, if you have specific configuration or security requirements, you can define all of this yourself by specifying the security groups Packer should use.

@mvermaes
Contributor Author

Hi Chris, thanks - yes, I thought there might be some reasons it wouldn't be possible to enable this by default. It would be convenient as an option though.

I was looking at that link you sent, which would enable us to do what you mentioned if we are the ones running Packer (which we have been up until now). But in order to make use of the remote building service provided by Atlas, I think we would need the possible IPs that the Atlas builders use.

Do the Atlas builders have a specific IP range that they use? If not, does an Atlas builder maintain the same public IP for the duration of the build? If it does, I guess it would be possible to dynamically create the security group during the build based on the current IP.

Thanks again for your help Chris.
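
The approach discussed in the two comments above (supplying your own security group, created for the build from the current source IP) can be sketched as follows for the case where you run Packer yourself. This is an added example, not part of the original thread and not Packer's own code; it assumes the AWS CLI and curl are installed, and the names `VPC_ID`, `SOURCE_IP` and the template user variable `sg_id` (fed into the builder's `security_group_id` setting) are assumptions.

```shell
#!/bin/sh
# Added example: create a short-lived security group that admits SSH from a
# single source address, run the build with it, then delete the group.
# Assumed names: VPC_ID, SOURCE_IP, and a template user variable "sg_id".

# Print "<ip>/32" for a well-formed IPv4 address; return 1 for anything else.
ipv4_to_cidr() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                                  # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$ip" != "0.0.0.0" ] || return 1
    printf '%s/32\n' "$ip"
}

# The address AWS sees can differ from any local interface (VPN, proxy,
# bastion, private VPC address), so an explicit SOURCE_IP overrides the lookup.
source_cidr() {
    ip=${SOURCE_IP:-$(curl -fsS https://checkip.amazonaws.com)} || return 1
    ipv4_to_cidr "$ip"
}

build() {
    template=$1
    cidr=$(source_cidr) || { echo "cannot determine source IP" >&2; return 1; }
    sg_id=$(aws ec2 create-security-group \
        --group-name "packer-$(date +%s)" \
        --description "Temporary Packer SSH access" \
        --vpc-id "$VPC_ID" --query GroupId --output text) || return 1
    # Remove the group when the script exits, whether or not the build passed.
    trap 'aws ec2 delete-security-group --group-id "$sg_id"' EXIT
    aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
        --protocol tcp --port 22 --cidr "$cidr" || return 1
    packer build -var "sg_id=$sg_id" "$template"
}

# Only touch AWS when invoked as: sh <this script> build <template>
if [ "${1:-}" = "build" ]; then
    build "$2"
fi
```

If the build host reaches the instance over a VPN, bastion or private VPC address, set `SOURCE_IP` to the address the instance will actually see instead of relying on the lookup.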

@cbednarski
Contributor

@mvermaes For help with the Atlas use-case, please get in touch via support@hashicorp.com. We'll be able to exchange additional information via email. Please include a link to this issue so we know it's you. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 8, 2020