Merge pull request #5384 from dave2/sg-source-cidr

[WIP] Allow temporary security group to have source CIDR block explicit
2017-10-12 17:05:45 -07:00 · 2017-10-12 17:05:45 -07:00 · c74be87187
parent edc3281c83 2a6b592c99
commit c74be87187
10 changed files with 36 additions and 6 deletions
--- a/builder/amazon/common/run_config.go
+++ b/builder/amazon/common/run_config.go
@ -40,6 +40,7 @@ type RunConfig struct {
 	DisableStopInstance               bool              `mapstructure:"disable_stop_instance"`
 	SecurityGroupId                   string            `mapstructure:"security_group_id"`
 	SecurityGroupIds                  []string          `mapstructure:"security_group_ids"`
+	SecurityGroupSourceCidr           string            `mapstructure:"security_group_source_cidr"`
 	SubnetId                          string            `mapstructure:"subnet_id"`
 	TemporaryKeyPairName              string            `mapstructure:"temporary_key_pair_name"`
 	UserData                          string            `mapstructure:"user_data"`
@ -115,6 +116,10 @@ func (c *RunConfig) Prepare(ctx *interpolate.Context) []error {
 		}
 	}

+	if c.SecurityGroupSourceCidr == "" {
+		c.SecurityGroupSourceCidr = "0.0.0.0/0"
+	}
+
 	if c.InstanceInitiatedShutdownBehavior == "" {
 		c.InstanceInitiatedShutdownBehavior = "stop"
 	} else if !reShutdownBehavior.MatchString(c.InstanceInitiatedShutdownBehavior) {
--- a/builder/amazon/common/step_security_group.go
+++ b/builder/amazon/common/step_security_group.go
@ -15,9 +15,10 @@ import (
 )

 type StepSecurityGroup struct {
-	CommConfig       *communicator.Config
-	SecurityGroupIds []string
-	VpcId            string
+	CommConfig              *communicator.Config
+	SecurityGroupIds        []string
+	VpcId                   string
+	SecurityGroupSourceCidr string

 	createdGroupId string
 }
@ -78,15 +79,15 @@ func (s *StepSecurityGroup) Run(state multistep.StateBag) multistep.StepAction {
 		IpProtocol: aws.String("tcp"),
 		FromPort:   aws.Int64(int64(port)),
 		ToPort:     aws.Int64(int64(port)),
-		CidrIp:     aws.String("0.0.0.0/0"),
+		CidrIp:     aws.String(s.SecurityGroupSourceCidr),
 	}

 	// We loop and retry this a few times because sometimes the security
 	// group isn't available immediately because AWS resources are eventually
 	// consistent.
 	ui.Say(fmt.Sprintf(
-		"Authorizing access to port %d on the temporary security group...",
-		port))
+		"Authorizing access to port %d from %s in the temporary security group...",
+		port, s.SecurityGroupSourceCidr))
 	for i := 0; i < 5; i++ {
 		_, err = ec2conn.AuthorizeSecurityGroupIngress(req)
 		if err == nil {
--- a/builder/amazon/ebs/builder.go
+++ b/builder/amazon/ebs/builder.go
@ -176,6 +176,7 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SecurityGroupIds: b.config.SecurityGroupIds,
 			CommConfig:       &b.config.RunConfig.Comm,
 			VpcId:            b.config.VpcId,
+			SecurityGroupSourceCidr: b.config.SecurityGroupSourceCidr,
 		},
 		&stepCleanupVolumes{
 			BlockDevices: b.config.BlockDevices,
--- a/builder/amazon/ebssurrogate/builder.go
+++ b/builder/amazon/ebssurrogate/builder.go
@ -190,6 +190,7 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SecurityGroupIds: b.config.SecurityGroupIds,
 			CommConfig:       &b.config.RunConfig.Comm,
 			VpcId:            b.config.VpcId,
+			SecurityGroupSourceCidr: b.config.SecurityGroupSourceCidr,
 		},
 		instanceStep,
 		&awscommon.StepGetPassword{
--- a/builder/amazon/ebsvolume/builder.go
+++ b/builder/amazon/ebsvolume/builder.go
@ -161,6 +161,7 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SecurityGroupIds: b.config.SecurityGroupIds,
 			CommConfig:       &b.config.RunConfig.Comm,
 			VpcId:            b.config.VpcId,
+			SecurityGroupSourceCidr: b.config.SecurityGroupSourceCidr,
 		},
 		instanceStep,
 		&awscommon.StepGetPassword{
--- a/builder/amazon/instance/builder.go
+++ b/builder/amazon/instance/builder.go
@ -259,6 +259,7 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			CommConfig:       &b.config.RunConfig.Comm,
 			SecurityGroupIds: b.config.SecurityGroupIds,
 			VpcId:            b.config.VpcId,
+			SecurityGroupSourceCidr: b.config.SecurityGroupSourceCidr,
 		},
 		instanceStep,
 		&awscommon.StepGetPassword{
--- a/website/source/docs/builders/amazon-ebs.html.md
+++ b/website/source/docs/builders/amazon-ebs.html.md
@ -235,6 +235,11 @@ builder.
    described above. Note that if this is specified, you must omit the
    `security_group_id`.

+-   `security_group_source_cidr` (string) - An IPv4 CIDR block to be authorized
+    access to the instance, when packer is creating a temporary security group.
+    The default is `0.0.0.0/0` (ie, allow any IPv4 source). This is only used 
+    when `security_group_id` or `security_group_ids` is not specified.
+
 -   `shutdown_behavior` (string) - Automatically terminate instances on shutdown
    in case Packer exits ungracefully. Possible values are "stop" and "terminate",
    default is `stop`.
--- a/website/source/docs/builders/amazon-ebssurrogate.html.md
+++ b/website/source/docs/builders/amazon-ebssurrogate.html.md
@ -228,6 +228,11 @@ builder.
    described above. Note that if this is specified, you must omit the
    `security_group_id`.

+-   `security_group_source_cidr` (string) - An IPv4 CIDR block to be authorized
+    access to the instance, when packer is creating a temporary security group.
+    The default is `0.0.0.0/0` (ie, allow any IPv4 source). This is only used
+    when `security_group_id` or `security_group_ids` is not specified.
+
 -   `shutdown_behavior` (string) - Automatically terminate instances on shutdown
    incase packer exits ungracefully. Possible values are "stop" and "terminate",
    default is `stop`.
--- a/website/source/docs/builders/amazon-ebsvolume.html.md
+++ b/website/source/docs/builders/amazon-ebsvolume.html.md
@ -147,6 +147,11 @@ builder.
    described above. Note that if this is specified, you must omit the
    `security_group_id`.

+-   `security_group_source_cidr` (string) - An IPv4 CIDR block to be authorized
+    access to the instance, when packer is creating a temporary security group.
+    The default is `0.0.0.0/0` (ie, allow any IPv4 source). This is only used
+    when `security_group_id` or `security_group_ids` is not specified.
+
 -   `shutdown_behavior` (string) - Automatically terminate instances on shutdown
    in case Packer exits ungracefully. Possible values are `stop` and `terminate`.
    Defaults to `stop`.
--- a/website/source/docs/builders/amazon-instance.html.md
+++ b/website/source/docs/builders/amazon-instance.html.md
@ -243,6 +243,11 @@ builder.
    described above. Note that if this is specified, you must omit the
    `security_group_id`.

+-   `security_group_source_cidr` (string) - An IPv4 CIDR block to be authorized
+    access to the instance, when packer is creating a temporary security group.
+    The default is `0.0.0.0/0` (ie, allow any IPv4 source). This is only used
+    when `security_group_id` or `security_group_ids` is not specified.
+
 -   `skip_region_validation` (boolean) - Set to true if you want to skip
    validation of the region configuration option. Defaults to `false`.