
Commit 2af0a49

authored
feat: Ability to restrict inbound CIDRs for public endpoints (#1837)
1 parent 6774b1c commit 2af0a49

93 files changed

Lines changed: 501 additions & 189 deletions


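--- a/hack/deploy-ide-cfn.sh
+++ b/hack/deploy-ide-cfn.sh
@@ -10,5 +10,8 @@ outfile=$(mktemp)
 
 bash $SCRIPT_DIR/build-ide-cfn.sh $outfile
 
+source $SCRIPT_DIR/lib/resolve-source-ip.sh
+
 aws cloudformation deploy --stack-name "$EKS_CLUSTER_NAME-ide" \
---capabilities CAPABILITY_NAMED_IAM --disable-rollback --template-file $outfile
+--capabilities CAPABILITY_NAMED_IAM --disable-rollback --template-file $outfile \
+--parameter-overrides InboundCIDR="$INBOUND_CIDRS"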
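Review bot: The override on the last line hands `$INBOUND_CIDRS` to CloudFormation with no check that the sourced resolver actually produced a CIDR; `resolve-source-ip.sh` builds the value from an unchecked `curl -s`, so a failed lookup arrives here as the literal `/32`, and an explicit override replaces the template's `0.0.0.0/0` default rather than falling back to it. A one-line guard between the `source` and the deploy turns that into a clear local failure instead of a CloudFormation error: `[[ "$INBOUND_CIDRS" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] || { echo "Invalid INBOUND_CIDRS: '$INBOUND_CIDRS'" >&2; exit 1; }`. `$SCRIPT_DIR` and `$outfile` are unquoted on the new `source` line, matching the existing style but worth quoting if the file is ever run through ShellCheck.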

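--- a/hack/lib/resolve-source-ip.sh
+++ b/hack/lib/resolve-source-ip.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Resolves SOURCE_IP_ADDRESS to INBOUND_CIDRS
+# If SOURCE_IP_ADDRESS is blank or "auto", resolves the current public IP
+# Otherwise uses the provided value verbatim
+
+if [ -z "${SOURCE_IP_ADDRESS:-}" ] || [ "${SOURCE_IP_ADDRESS:-}" = "auto" ]; then
+SOURCE_IP_ADDRESS=$(curl -s https://checkip.amazonaws.com)
+echo "Resolved source IP address: ${SOURCE_IP_ADDRESS}"
+else
+echo "Using provided source IP address: ${SOURCE_IP_ADDRESS}"
+fi
+
+export INBOUND_CIDRS="${SOURCE_IP_ADDRESS}/32"
+echo "Inbound CIDRs: ${INBOUND_CIDRS}"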
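Review bot: `SOURCE_IP_ADDRESS=$(curl -s https://checkip.amazonaws.com)` on line 8 has no `-f`, no timeout and no validation of the response, so a network failure, proxy error page or captive portal yields an empty or non-IP value that is still exported as `INBOUND_CIDRS="/32"` (or `<html…>/32`) and flows into every caller that sources this file. The header comment also says a provided value is used "verbatim", but line 14 unconditionally appends `/32`, so a caller that sets `SOURCE_IP_ADDRESS=10.0.0.0/8` ends up with `10.0.0.0/8/32`; either honour an explicit prefix length or document that only a bare IPv4 address is accepted. Because this file is sourced rather than executed, an `exit 1` here aborts the calling script, which is the fail-closed behaviour an allowlist should have. A version that validates both paths:
```bash
# … unchanged: shebang and header comment …
if [ -z "${SOURCE_IP_ADDRESS:-}" ] || [ "${SOURCE_IP_ADDRESS:-}" = "auto" ]; then
  SOURCE_IP_ADDRESS=$(curl -sSf --connect-timeout 5 --max-time 10 https://checkip.amazonaws.com) \
    || { echo "Failed to resolve public IP from checkip.amazonaws.com" >&2; exit 1; }
  echo "Resolved source IP address: ${SOURCE_IP_ADDRESS}"
else
  echo "Using provided source IP address: ${SOURCE_IP_ADDRESS}"
fi

# Accept a bare IPv4 address (/32 is appended) or an explicit IPv4 CIDR; reject anything else
# so a failed lookup can never turn into a malformed or overly broad security-group rule.
if [[ "${SOURCE_IP_ADDRESS}" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
  export INBOUND_CIDRS="${SOURCE_IP_ADDRESS}/32"
elif [[ "${SOURCE_IP_ADDRESS}" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]]; then
  export INBOUND_CIDRS="${SOURCE_IP_ADDRESS}"
else
  echo "SOURCE_IP_ADDRESS must be an IPv4 address or CIDR, got: '${SOURCE_IP_ADDRESS}'" >&2
  exit 1
fi
echo "Inbound CIDRs: ${INBOUND_CIDRS}"
```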

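--- a/hack/run-tests.sh
+++ b/hack/run-tests.sh
@@ -74,6 +74,8 @@ fi
 
 RESOURCES_PRECREATED=${RESOURCES_PRECREATED:-""}
 
+source $SCRIPT_DIR/lib/resolve-source-ip.sh
+
 echo "Running test suite..."
 
 # get current IDs
@@ -86,7 +88,7 @@ $CONTAINER_CLI run $background_args $dns_args \
 --name $container_name \
 -v $SCRIPT_DIR/../website/docs:/content \
 -v $SCRIPT_DIR/../manifests:/eks-workshop/manifests \
--e 'EKS_CLUSTER_NAME' -e 'AWS_REGION' -e 'RESOURCES_PRECREATED' \
+-e 'EKS_CLUSTER_NAME' -e 'AWS_REGION' -e 'RESOURCES_PRECREATED' -e 'INBOUND_CIDRS' \
 $aws_credential_args $container_image -g "${actual_glob}" --hook-timeout 3600 --timeout 3600 $output_args ${AWS_EKS_WORKSHOP_TEST_FLAGS} || exit_code=$?
 
 if [ $exit_code -eq 0 ]; then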
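Review bot: The new `source $SCRIPT_DIR/lib/resolve-source-ip.sh` in the first hunk makes every test run depend on an outbound call to `checkip.amazonaws.com` and silently scopes the endpoints the suite creates to the runner's egress address, a behaviour change for CI that nothing in this file explains. A comment above the `source` line would make the contract visible to whoever next debugs a timed-out test: `# Public endpoints created by the suite are allowlisted to this runner's egress IP; set SOURCE_IP_ADDRESS to override (e.g. the NAT or proxy address the tests actually egress from).` The `-e 'INBOUND_CIDRS'` in the second hunk only forwards the already-exported value, so nothing further is needed there. The `$CONTAINER_CLI run` command the second hunk edits begins outside the hunk.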

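--- a/hack/shell.sh
+++ b/hack/shell.sh
@@ -37,9 +37,11 @@ if [ ! -z "$DOCKER_DNS_OVERRIDE" ]; then
 dns_args="--dns=$DOCKER_DNS_OVERRIDE"
 fi
 
+source $SCRIPT_DIR/lib/resolve-source-ip.sh
+
 $CONTAINER_CLI run --rm $interactive_args $dns_args \
 -v $SCRIPT_DIR/../manifests:/eks-workshop/manifests \
 -v $SCRIPT_DIR/../cluster:/cluster \
--e 'EKS_CLUSTER_NAME' -e 'AWS_REGION' \
+-e 'EKS_CLUSTER_NAME' -e 'AWS_REGION' -e 'INBOUND_CIDRS' \
 -p 8889:8889 \
 $aws_credential_args $container_image $shell_command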
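Review bot: The address resolved by the new `source` line is captured once, when the container starts, and exported for the whole interactive session, so a developer whose public IP changes mid-session (VPN toggle, roaming between networks) will create endpoints that allowlist the old address and be locked out of them with no hint why. That is acceptable for a dev shell, but the `-e 'INBOUND_CIDRS'` line deserves a comment saying so: `# Resolved once at shell start; re-run ./hack/shell.sh (or export SOURCE_IP_ADDRESS) if your public IP changes, otherwise newly created endpoints will not be reachable`. The `if` that the hunk header shows (`DOCKER_DNS_OVERRIDE`) begins outside the hunk.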

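--- a/hack/validate-terraform.sh
+++ b/hack/validate-terraform.sh
@@ -30,6 +30,7 @@ module "gen-$target" {
 addon_context = local.addon_context
 tags = local.tags
 resources_precreated = var.resources_precreated
+inbound_cidrs = "0.0.0.0/0"
 }
 EOF
 done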
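Review bot: The literal `inbound_cidrs = "0.0.0.0/0"` on the new line carries no comment explaining why the open range is acceptable here; the surrounding heredoc appears to generate a module stanza only for validation, so no security group should ever be created from it, but a reader copying this stanza into a real environment has no way to know that. A one-line comment inside the heredoc (HCL accepts `#` comments) would close the gap: `# validation only: this generated module is never applied, so the open CIDR never reaches an AWS security group`. If the generated file is ever fed to anything beyond `terraform validate`, the value should come from the same `INBOUND_CIDRS` the other hack scripts resolve. The `for … done` loop and the heredoc that contain this line start outside the hunk.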

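--- a/lab/bin/reset-environment
+++ b/lab/bin/reset-environment
@@ -136,6 +136,7 @@ mkdir -p /eks-workshop/terraform-data
 export TF_DATA_DIR="/eks-workshop/terraform-data"
 
 export TF_VAR_eks_cluster_id="$EKS_CLUSTER_NAME"
+export TF_VAR_inbound_cidrs="${INBOUND_CIDRS:-0.0.0.0/0}"
 
 RESOURCES_PRECREATED=${RESOURCES_PRECREATED:-"false"}
 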
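Review bot: `export TF_VAR_inbound_cidrs="${INBOUND_CIDRS:-0.0.0.0/0}"` fails open: whenever the IDE bootstrap did not export `INBOUND_CIDRS` (an older IDE image, a manual shell, a bootstrap that errored before the export in `setup.sh`), every public endpoint the lab creates silently reverts to world-reachable, which is exactly the case the allowlist was added for. Keeping the default for compatibility is defensible, but it should at least be loud: `[ -n "${INBOUND_CIDRS:-}" ] || echo "WARNING: INBOUND_CIDRS is not set; public endpoints will be opened to 0.0.0.0/0" >&2` immediately before the export. The `:-` default also does not help when the variable is set but malformed (e.g. `/32` from a failed upstream lookup), which will surface only as a Terraform apply error.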

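--- a/lab/cfn/eks-workshop-vscode-cfn.yaml
+++ b/lab/cfn/eks-workshop-vscode-cfn.yaml
@@ -39,6 +39,10 @@ Parameters:
 Type: String
 Description: For testing purposes only
 Default: ""
+InboundCIDR:
+Type: String
+Description: CIDR range to allowlist for inbound traffic
+Default: "0.0.0.0/0"
 
 Mappings:
 PrefixListID:
@@ -309,6 +313,9 @@ Resources:
 export REPOSITORY_REF="${RepositoryRef}"
 export RESOURCES_PRECREATED="${ResourcesPrecreated}"
 export ANALYTICS_ENDPOINT="${AnalyticsEndpoint}"
+IMDS_TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+IDE_IP=$(curl -s -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" http://169.254.169.254/latest/meta-data/public-ipv4)
+export INBOUND_CIDRS="${InboundCIDR},$IDE_IP/32"
 
 curl -fsSL https://raw.githubusercontent.com/${RepositoryOwner}/${RepositoryName}/${RepositoryRef}/lab/scripts/installer.sh | bash
 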
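Review bot: `IDE_IP=$(curl -s -H … /meta-data/public-ipv4)` is appended as `$IDE_IP/32` unconditionally, but IMDS answers that path with a 404 body rather than an empty string when the instance has no public IPv4 (private subnet behind NAT, IPv6-only), and without `-f` both `curl -s` calls also swallow a missing token or a transient IMDS error, so `INBOUND_CIDRS` can end up as `x.x.x.x/32,/32` or with an HTML fragment inside it. Use `curl -sf` on both calls and only append the IDE address when one was actually returned; the bare `$IMDS_TOKEN`/`$IDE_IP` (no braces) must stay as they are, since `${…}` in this block appears to be consumed by an enclosing `!Sub`. The new `InboundCIDR` parameter in the first hunk would also benefit from `AllowedPattern: ^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$` plus a `ConstraintDescription`, so a bad value is rejected at deploy time rather than inside the bootstrap. The user-data script continues outside the hunk in both directions.
```bash
# … unchanged: preceding exports …
IMDS_TOKEN=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
# public-ipv4 is a 404 when the instance has no public address; -f makes that an empty result
IDE_IP=$(curl -sf -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" http://169.254.169.254/latest/meta-data/public-ipv4 || true)
if [ -n "$IDE_IP" ]; then
  export INBOUND_CIDRS="${InboundCIDR},$IDE_IP/32"
else
  export INBOUND_CIDRS="${InboundCIDR}"
fi
```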

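--- a/lab/scripts/setup.sh
+++ b/lab/scripts/setup.sh
@@ -58,6 +58,8 @@ echo "export RESOURCES_PRECREATED='${RESOURCES_PRECREATED}'" > ~/.bashrc.d/infra
 
 echo "export ANALYTICS_ENDPOINT='${ANALYTICS_ENDPOINT}'" > ~/.bashrc.d/analytics.bash
 
+echo "export INBOUND_CIDRS='${INBOUND_CIDRS}'" > ~/.bashrc.d/inbound-cidr.bash
+
 /usr/local/bin/kubectl completion bash > ~/.bashrc.d/kubectl_completion.bash
 echo "alias k=kubectl" >> ~/.bashrc.d/kubectl_completion.bash
 echo "complete -F __start_kubectl k" >> ~/.bashrc.d/kubectl_completion.bash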
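Review bot: `echo "export INBOUND_CIDRS='${INBOUND_CIDRS}'" > ~/.bashrc.d/inbound-cidr.bash` freezes the value computed at bootstrap into every future login shell, and per the CloudFormation user-data in this commit that value embeds the IDE's own public IPv4 as a `/32`; an EC2 public address that is not an Elastic IP changes on stop/start, so after a restart the persisted allowlist would still name the old address and endpoints created from the IDE would not be reachable from it. Whether the IDE instance uses an EIP is not visible here; if it does not, either re-derive the IDE address at login time instead of persisting it, or add a comment on this line making the limitation explicit: `# Persisted once at bootstrap: if the IDE's public IP changes (stop/start without an EIP) re-run the bootstrap or edit this file`. Writing the value with `printf 'export INBOUND_CIDRS=%q\n' "$INBOUND_CIDRS" > ~/.bashrc.d/inbound-cidr.bash` instead of embedding it in single quotes would also keep the generated file well-formed for any unexpected characters.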

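--- a/manifests/.workshop/terraform/base.tf
+++ b/manifests/.workshop/terraform/base.tf
@@ -45,6 +45,13 @@ variable "resources_precreated" {
 default = false
 }
 
+# tflint-ignore: terraform_unused_declarations
+variable "inbound_cidrs" {
+description = "CIDR range to allowlist for inbound traffic"
+type = string
+default = "0.0.0.0/0"
+}
+
 data "aws_partition" "current" {}
 data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}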
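Review bot: `variable "inbound_cidrs"` is typed as a plain `string` with no `validation` block, yet the IDE path (the CloudFormation user-data in this commit) feeds it a comma-separated list such as `a.b.c.d/32,w.x.y.z/32` and the hack-script path feeds a single `/32` built from an unchecked `curl`; a malformed value (`/32`, an HTML fragment) is only caught when the consuming security-group resource is applied. A validation block turns that into an immediate plan error, and the description should state the comma-separated contract so callers do not try to pass a list. The fail-open `default = "0.0.0.0/0"` is understandable for backwards compatibility but should say so in the description. The module that consumes this variable is not visible here, so the split-on-comma form is inferred from the IDE bootstrap rather than from the consumer.
```hcl
# tflint-ignore: terraform_unused_declarations
variable "inbound_cidrs" {
  description = "Comma-separated list of IPv4 CIDR blocks to allowlist for inbound traffic to public endpoints; defaults to open (0.0.0.0/0) for backwards compatibility"
  type        = string
  default     = "0.0.0.0/0"

  validation {
    condition     = alltrue([for c in split(",", var.inbound_cidrs) : can(cidrhost(c, 0))])
    error_message = "inbound_cidrs must be a comma-separated list of CIDR blocks, e.g. \"203.0.113.4/32,198.51.100.0/24\"."
  }
}
```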

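--- a/manifests/.workshop/terraform/lab.tf
+++ b/manifests/.workshop/terraform/lab.tf
@@ -7,6 +7,7 @@ module "lab" {
 addon_context = local.addon_context
 tags = local.tags
 resources_precreated = var.resources_precreated
+inbound_cidrs = var.inbound_cidrs
 }
 
 locals {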
