Skip to content

AWS: Inbound IP whitelist#97

Open
mattlbeck wants to merge 8 commits intospotty-cloud:devfrom
mattlbeck:inbound-ip-whitelist
Open

AWS: Inbound IP whitelist#97
mattlbeck wants to merge 8 commits intospotty-cloud:devfrom
mattlbeck:inbound-ip-whitelist

Conversation

@mattlbeck
Copy link

@mattlbeck mattlbeck commented Mar 29, 2021

New config param instances.parameters.inboundIp.

Allows users to specify an inbound IP address or range, which is then
used to whitelist all ports, including 22, in the instance's security
group. By default this is set to 0.0.0.0/0 and therefore not
whitelisted.

Resolves #96

@mattlbeck
add inbound IP configuration for aws provider
e81a68e 
New config param `instances.parameters.inboundIp`.

Allows users to specify an inbound IP address or range, which is then
used to whitelist all ports, including 22, in the instance's security
group. By default this is set to 0.0.0.0/0 and therefore not
whitelisted.
@mattlbeck
validate inboundIp param using netaddr
9c10188 
netaddr.IPNetwork used as part of the schema validation and type for
inbound_ip param.
@mattlbeck
add netaddr to packages
bb09c15
@mattlbeck
add default value for inboundIp to test
74ea220
@mattlbeck
add inboundIp param to params documentation
4fb6d74
@mattlbeck mattlbeck changed the title Inbound IP whitelist AWS: Inbound IP whitelist Mar 29, 2021
apls777
apls777 reviewed Mar 30, 2021
View reviewed changes
spotty/providers/aws/cfn_templates/instance/template.py Outdated
}]
# add ports to the security group for the user-defined inbound IP
inbound_ip = instance_config.inbound_ip
cidr_ip = 'CidrIpv6' if inbound_ip == 6 else 'CidrIp'
Copy link
Collaborator

@apls777 apls777 Mar 30, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like you forgot to add a proper check for IPv6 addresses here

Copy link
Author

@mattlbeck mattlbeck Mar 31, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

woops! This is what happens when I don't do the unit tests - maybe the templates could to with some tests to ensure the args are at least building them correctly...

apls777
apls777 reviewed Mar 30, 2021
View reviewed changes
apls777
apls777 reviewed Mar 30, 2021
View reviewed changes
apls777
apls777 reviewed Mar 30, 2021
View reviewed changes
@mattlbeck
fix check for IPv6 addresses
ffa79c8 
Forgot to call the .version on the IPNetwork object
@mattlbeck
Revert "add inboundIp param to params documentation"
ae749de 
This reverts commit 4fb6d74.

This re-introduces spaces at the end of each markdown line
@mattlbeck
fix code style formatting
ef95afa 
Single quotes for strings

Trailing commas for multiline arrays
@mattlbeck
Copy link
Author

mattlbeck commented Mar 31, 2021

@apls777 Thank you for the feedback, I have made all the requested changes.

@mattlbeck mattlbeck requested a review from apls777 April 6, 2021 08:59
apls777
apls777 requested changes Apr 7, 2021
View reviewed changes
spotty/providers/aws/cfn_templates/instance/template.py
'CidrIpv6': '::/0',
'IpProtocol': 'tcp',
'FromPort': port,
'ToPort': port,
Copy link
Collaborator

@apls777 apls777 Apr 7, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just noticed that now if the inboundIp parameter is not specified, we're not opening ports for IPv6. So, I think we need to use None for the default value instead of 0.0.0.0/0 to know when the parameter wasn't specified and open ports for both protocols.

spotty/providers/aws/config/validation.py
),
Optional('managedPolicyArns', default=[]): [str],
Optional('instanceProfileArn', default=None): str,
Optional('inboundIp', default='0.0.0.0/0'): Use(IPNetwork, error='"inboundIp" should be a valid IP '
Copy link
Collaborator

@apls777 apls777 Apr 7, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the default value, the inbound_ip.version == 6 check will fail later in the code as the Use(IPNetwork, ... function is not applied. It can be fixed with the IPNetwork('0.0.0.0/0') value, but as I mentioned in another comment, we need to use None instead to know when the value wasn't set at all.

tests/providers/aws/config/instance_config_validation.py
'spotInstance': False,
'subnetId': '',
'volumes': [],
'inboundIp': '0.0.0.0/0',
Copy link
Collaborator

@apls777 apls777 Apr 7, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be fixed as well when the default inboundIp value is changed.

@apls777 apls777 changed the base branch from master to dev April 13, 2021 20:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@apls777 apls777 apls777 requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

AWS: Option to whitelist instances to local IP

2 participants

@mattlbeck @apls777

Comments