Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS: Inbound IP whitelist #97

Open
wants to merge 8 commits into
base: dev
Choose a base branch
from
Open

AWS: Inbound IP whitelist #97

wants to merge 8 commits into from

Conversation

mattlbeck
Copy link

New config param instances.parameters.inboundIp.

Allows users to specify an inbound IP address or range, which is then
used to whitelist all ports, including 22, in the instance's security
group. By default this is set to 0.0.0.0/0 and therefore not
whitelisted.

Resolves #96

@mattlbeck
add inbound IP configuration for aws provider
e81a68e 
New config param `instances.parameters.inboundIp`.

Allows users to specify an inbound IP address or range, which is then
used to whitelist all ports, including 22, in the instance's security
group. By default this is set to 0.0.0.0/0 and therefore not
whitelisted.
@mattlbeck
validate inboundIp param using netaddr
9c10188 
netaddr.IPNetwork used as part of the schema validation and type for
inbound_ip param.
@mattlbeck
add netaddr to packages
bb09c15
@mattlbeck
add default value for inboundIp to test
74ea220
@mattlbeck
add inboundIp param to params documentation
4fb6d74
@mattlbeck mattlbeck changed the title Inbound IP whitelist AWS: Inbound IP whitelist Mar 29, 2021
apls777
apls777 reviewed Mar 30, 2021
View reviewed changes
spotty/providers/aws/cfn_templates/instance/template.py Outdated
}]
# add ports to the security group for the user-defined inbound IP
inbound_ip = instance_config.inbound_ip
cidr_ip = 'CidrIpv6' if inbound_ip == 6 else 'CidrIp'
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like you forgot to add a proper check for IPv6 addresses here

Copy link
Author

@mattlbeck mattlbeck Mar 31, 2021
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

woops! This is what happens when I don't do the unit tests - maybe the templates could to with some tests to ensure the args are at least building them correctly...

@mattlbeck
fix check for IPv6 addresses
ffa79c8 
Forgot to call the .version on the IPNetwork object
@mattlbeck
Revert "add inboundIp param to params documentation"
ae749de 
This reverts commit 4fb6d74.

This re-introduces spaces at the end of each markdown line
@mattlbeck
fix code style formatting
ef95afa 
Single quotes for strings

Trailing commas for multiline arrays
@mattlbeck
Copy link
Author

@apls777 Thank you for the feedback, I have made all the requested changes.

@mattlbeck mattlbeck requested a review from apls777 April 6, 2021 08:59
apls777
apls777 requested changes Apr 7, 2021
View reviewed changes
spotty/providers/aws/cfn_templates/instance/template.py
'CidrIpv6': '::/0',
'IpProtocol': 'tcp',
'FromPort': port,
'ToPort': port,
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just noticed that now if the inboundIp parameter is not specified, we're not opening ports for IPv6. So, I think we need to use None for the default value instead of 0.0.0.0/0 to know when the parameter wasn't specified and open ports for both protocols.

spotty/providers/aws/config/validation.py
@@ -30,6 +31,8 @@ def validate_instance_parameters(params: dict):
),
Optional('managedPolicyArns', default=[]): [str],
Optional('instanceProfileArn', default=None): str,
Optional('inboundIp', default='0.0.0.0/0'): Use(IPNetwork, error='"inboundIp" should be a valid IP '
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the default value, the inbound_ip.version == 6 check will fail later in the code as the Use(IPNetwork, ... function is not applied. It can be fixed with the IPNetwork('0.0.0.0/0') value, but as I mentioned in another comment, we need to use None instead to know when the value wasn't set at all.

tests/providers/aws/config/instance_config_validation.py
@@ -28,6 +28,7 @@ def test_default_configuration(self):
'spotInstance': False,
'subnetId': '',
'volumes': [],
'inboundIp': '0.0.0.0/0',
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be fixed as well when the default inboundIp value is changed.

@apls777 apls777 changed the base branch from master to dev April 13, 2021 20:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@apls777 apls777 apls777 requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AWS: Option to whitelist instances to local IP
2 participants
@mattlbeck @apls777