-
-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(terraform/modules/azure-jenkinsinfra-inbound-agents) ensure NSG a…
…nd security rules have valid names (semantic and size) Signed-off-by: Damien Duportal <damien.duportal@gmail.com>
- Loading branch information
Showing
4 changed files
with
49 additions
and
50 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,3 @@ | ||
| locals { | ||
| stripped_short_service_name = replace(replace(var.service_fqdn, ".", "-"), "jenkinsio", "jio") | ||
| stripped_short_nsg_agent_name = "${local.stripped_short_service_name}-kube-agents-${data.azurerm_subnet.kubernetes_agents.name}" | ||
| stripped_short_service_name = replace(replace(var.service_fqdn, ".", "-"), "jenkinsio", "jio") | ||
| } |
78 changes: 39 additions & 39 deletions
78
terraform/modules/azure-jenkinsinfra-inbound-agents/main.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,120 +1,120 @@ | ||
| #################################################################################### | ||
| # Network resources defined in https://github.com/jenkins-infra/azure-net | ||
| #################################################################################### | ||
| data "azurerm_resource_group" "kubernetes_agents_vnet" { | ||
| name = var.kubernetes_agents_network_rg_name | ||
| data "azurerm_resource_group" "inbound_agents_vnet" { | ||
| name = var.inbound_agents_network_rg_name | ||
| } | ||
| data "azurerm_virtual_network" "kubernetes_agents" { | ||
| name = var.kubernetes_agents_network_name | ||
| resource_group_name = data.azurerm_resource_group.kubernetes_agents_vnet.name | ||
| data "azurerm_virtual_network" "inbound_agents" { | ||
| name = var.inbound_agents_network_name | ||
| resource_group_name = data.azurerm_resource_group.inbound_agents_vnet.name | ||
| } | ||
| data "azurerm_subnet" "kubernetes_agents" { | ||
| name = var.kubernetes_agents_subnet_name | ||
| virtual_network_name = data.azurerm_virtual_network.kubernetes_agents.name | ||
| resource_group_name = data.azurerm_resource_group.kubernetes_agents_vnet.name | ||
| data "azurerm_subnet" "inbound_agents" { | ||
| name = var.inbound_agents_subnet_name | ||
| virtual_network_name = data.azurerm_virtual_network.inbound_agents.name | ||
| resource_group_name = data.azurerm_resource_group.inbound_agents_vnet.name | ||
| } | ||
|
|
||
| #################################################################################### | ||
| ## Network Security Group and rules | ||
| #################################################################################### | ||
| resource "azurerm_network_security_group" "kubernetes_agents" { | ||
| name = local.stripped_short_nsg_agent_name | ||
| location = data.azurerm_resource_group.kubernetes_agents_vnet.location | ||
| resource "azurerm_network_security_group" "inbound_agents" { | ||
| name = data.azurerm_subnet.inbound_agents.name | ||
| location = data.azurerm_resource_group.inbound_agents_vnet.location | ||
| resource_group_name = var.controller_rg_name | ||
| tags = var.default_tags | ||
| } | ||
| resource "azurerm_subnet_network_security_group_association" "kubernetes_agents" { | ||
| subnet_id = data.azurerm_subnet.kubernetes_agents.id | ||
| network_security_group_id = azurerm_network_security_group.kubernetes_agents.id | ||
| resource "azurerm_subnet_network_security_group_association" "inbound_agents" { | ||
| subnet_id = data.azurerm_subnet.inbound_agents.id | ||
| network_security_group_id = azurerm_network_security_group.inbound_agents.id | ||
| } | ||
| ## Outbound Rules (different set of priorities than Inbound rules) ## | ||
| #trivy:ignore:azure-network-no-public-egress | ||
| resource "azurerm_network_security_rule" "allow_outbound_ssh_from_kubernetes_agents_to_internet" { | ||
| name = "allow-out-ssh-from-${local.stripped_short_nsg_agent_name}-to-internet" | ||
| resource "azurerm_network_security_rule" "allow_outbound_ssh_from_inbound_agents_to_internet" { | ||
| name = "allow-out-ssh-from-subnet-to-internet" | ||
| priority = 4092 | ||
| direction = "Outbound" | ||
| access = "Allow" | ||
| protocol = "Tcp" | ||
| source_port_range = "*" | ||
| source_address_prefixes = data.azurerm_subnet.kubernetes_agents.address_prefixes | ||
| source_address_prefixes = data.azurerm_subnet.inbound_agents.address_prefixes | ||
| destination_port_range = "22" | ||
| destination_address_prefix = "Internet" # TODO: restrict to GitHub IPs from their meta endpoint (subsection git) - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses | ||
| resource_group_name = var.controller_rg_name | ||
| network_security_group_name = azurerm_network_security_group.kubernetes_agents.name | ||
| network_security_group_name = azurerm_network_security_group.inbound_agents.name | ||
| } | ||
| resource "azurerm_network_security_rule" "allow_outbound_jenkins_from_kubernetes_agents_to_controller" { | ||
| name = "allow-out-jenkins-from-${local.stripped_short_service_name}-to-ctrl" | ||
| resource "azurerm_network_security_rule" "allow_outbound_jenkins_from_subnet_to_controller" { | ||
| name = "allow-out-jenkins-from-subnet-to-ctrl" | ||
| priority = 4093 | ||
| direction = "Outbound" | ||
| access = "Allow" | ||
| protocol = "Tcp" | ||
| source_port_range = "*" | ||
| source_address_prefixes = data.azurerm_subnet.kubernetes_agents.address_prefixes | ||
| source_address_prefixes = data.azurerm_subnet.inbound_agents.address_prefixes | ||
| destination_port_ranges = [ | ||
| "443", # HTTPS for secured inbound websocket | ||
| "50000", # Direct TCP Inbound protocol | ||
| ] | ||
| destination_address_prefixes = compact(var.controller_ips) | ||
| resource_group_name = var.controller_rg_name | ||
| network_security_group_name = azurerm_network_security_group.kubernetes_agents.name | ||
| network_security_group_name = azurerm_network_security_group.inbound_agents.name | ||
| } | ||
| #trivy:ignore:azure-network-no-public-egress | ||
| resource "azurerm_network_security_rule" "allow_outbound_http_from_kubernetes_agents_to_internet" { | ||
| name = "allow-out-http-from-${local.stripped_short_nsg_agent_name}-to-internet" | ||
| resource "azurerm_network_security_rule" "allow_outbound_http_from_subnet_to_internet" { | ||
| name = "allow-out-http-from-subnet-to-internet" | ||
| priority = 4094 | ||
| direction = "Outbound" | ||
| access = "Allow" | ||
| protocol = "Tcp" | ||
| source_port_range = "*" | ||
| source_address_prefixes = data.azurerm_subnet.kubernetes_agents.address_prefixes | ||
| source_address_prefixes = data.azurerm_subnet.inbound_agents.address_prefixes | ||
| destination_port_ranges = [ | ||
| "80", # HTTP | ||
| "443", # HTTPS | ||
| ] | ||
| destination_address_prefix = "Internet" | ||
| resource_group_name = var.controller_rg_name | ||
| network_security_group_name = azurerm_network_security_group.kubernetes_agents.name | ||
| network_security_group_name = azurerm_network_security_group.inbound_agents.name | ||
| } | ||
| resource "azurerm_network_security_rule" "deny_all_outbound_from_kubernetes_agents_to_internet" { | ||
| name = "deny-all-out-from-${local.stripped_short_nsg_agent_name}-to-internet" | ||
| resource "azurerm_network_security_rule" "deny_all_outbound_from_subnet_to_internet" { | ||
| name = "deny-all-out-from-subnet-to-internet" | ||
| priority = 4095 | ||
| direction = "Outbound" | ||
| access = "Deny" | ||
| protocol = "*" | ||
| source_port_range = "*" | ||
| destination_port_range = "*" | ||
| source_address_prefixes = data.azurerm_subnet.kubernetes_agents.address_prefixes | ||
| source_address_prefixes = data.azurerm_subnet.inbound_agents.address_prefixes | ||
| destination_address_prefix = "Internet" | ||
| resource_group_name = var.controller_rg_name | ||
| network_security_group_name = azurerm_network_security_group.kubernetes_agents.name | ||
| network_security_group_name = azurerm_network_security_group.inbound_agents.name | ||
| } | ||
| # This rule overrides an Azure-Default rule. its priority must be < 65000. | ||
| resource "azurerm_network_security_rule" "deny_all_outbound_from_kubernetes_agents_to_vnet" { | ||
| name = "deny-all-out-from-${local.stripped_short_nsg_agent_name}-to-vnet" | ||
| resource "azurerm_network_security_rule" "deny_all_outbound_from_subnet_to_vnet" { | ||
| name = "deny-all-out-from-subnet-to-vnet" | ||
| priority = 4096 # Maximum value allowed by Azure API | ||
| direction = "Outbound" | ||
| access = "Deny" | ||
| protocol = "*" | ||
| source_port_range = "*" | ||
| destination_port_range = "*" | ||
| source_address_prefixes = data.azurerm_subnet.kubernetes_agents.address_prefixes | ||
| source_address_prefixes = data.azurerm_subnet.inbound_agents.address_prefixes | ||
| destination_address_prefix = "VirtualNetwork" | ||
| resource_group_name = var.controller_rg_name | ||
| network_security_group_name = azurerm_network_security_group.kubernetes_agents.name | ||
| network_security_group_name = azurerm_network_security_group.inbound_agents.name | ||
| } | ||
|
|
||
| ## Inbound Rules (different set of priorities than Outbound rules) ## | ||
| # This rule overrides an Azure-Default rule. its priority must be < 65000 | ||
| resource "azurerm_network_security_rule" "deny_all_inbound_from_vnet_to_kubernetes_agents" { | ||
| name = "deny-all-in-from-vnet-to-${local.stripped_short_service_name}_kubernetes_agents" | ||
| resource "azurerm_network_security_rule" "deny_all_inbound_from_vnet_to_subnet" { | ||
| name = "deny-all-in-from-vnet-to-subnet" | ||
| priority = 4096 # Maximum value allowed by the Azure Terraform Provider | ||
| direction = "Inbound" | ||
| access = "Deny" | ||
| protocol = "*" | ||
| source_port_range = "*" | ||
| destination_port_range = "*" | ||
| source_address_prefix = "*" | ||
| destination_address_prefixes = data.azurerm_subnet.kubernetes_agents.address_prefixes | ||
| destination_address_prefixes = data.azurerm_subnet.inbound_agents.address_prefixes | ||
| resource_group_name = var.controller_rg_name | ||
| network_security_group_name = azurerm_network_security_group.kubernetes_agents.name | ||
| network_security_group_name = azurerm_network_security_group.inbound_agents.name | ||
| } |
4 changes: 2 additions & 2 deletions
4
terraform/modules/azure-jenkinsinfra-inbound-agents/outputs.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,4 @@ | ||
| # Exported to allow adding additional custom security rules | ||
| output "kubernetes_agents_nsg_name" { | ||
| value = azurerm_network_security_group.kubernetes_agents.name | ||
| output "inbound_agents_nsg_name" { | ||
| value = azurerm_network_security_group.inbound_agents.name | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters