From b73b136c2a68d07dab86964e518708219b32baed Mon Sep 17 00:00:00 2001 From: Mahmood Ali Date: Fri, 4 Jun 2021 10:04:45 -0400 Subject: [PATCH 1/4] restrict ingress ip --- e2e/terraform/.terraform.lock.hcl | 18 ++++++++++++++++++ e2e/terraform/network.tf | 24 ++++++++++++++++-------- e2e/terraform/variables.tf | 6 ++++++ 3 files changed, 40 insertions(+), 8 deletions(-) diff --git a/e2e/terraform/.terraform.lock.hcl b/e2e/terraform/.terraform.lock.hcl index 408f24d30d5..10b8e28f75c 100644 --- a/e2e/terraform/.terraform.lock.hcl +++ b/e2e/terraform/.terraform.lock.hcl @@ -39,6 +39,24 @@ provider "registry.terraform.io/hashicorp/external" { ] } +provider "registry.terraform.io/hashicorp/http" { + version = "2.1.0" + hashes = [ + "h1:GYoVrTtiSAE3AlP1fad3fFmHoPaXAPhm/DJyMcVCwZA=", + "zh:03d82dc0887d755b8406697b1d27506bc9f86f93b3e9b4d26e0679d96b802826", + "zh:0704d02926393ddc0cfad0b87c3d51eafeeae5f9e27cc71e193c141079244a22", + "zh:095ea350ea94973e043dad2394f10bca4a4bf41be775ba59d19961d39141d150", + "zh:0b71ac44e87d6964ace82979fc3cbb09eb876ed8f954449481bcaa969ba29cb7", + "zh:0e255a170db598bd1142c396cefc59712ad6d4e1b0e08a840356a371e7b73bc4", + "zh:67c8091cfad226218c472c04881edf236db8f2dc149dc5ada878a1cd3c1de171", + "zh:75df05e25d14b5101d4bc6624ac4a01bb17af0263c9e8a740e739f8938b86ee3", + "zh:b4e36b2c4f33fdc44bf55fa1c9bb6864b5b77822f444bd56f0be7e9476674d0e", + "zh:b9b36b01d2ec4771838743517bc5f24ea27976634987c6d5529ac4223e44365d", + "zh:ca264a916e42e221fddb98d640148b12e42116046454b39ede99a77fc52f59f4", + "zh:fe373b2fb2cc94777a91ecd7ac5372e699748c455f44f6ea27e494de9e5e6f92", + ] +} + provider "registry.terraform.io/hashicorp/local" { version = "2.1.0" hashes = [ diff --git a/e2e/terraform/network.tf b/e2e/terraform/network.tf index 6b72bdd2282..fb4460e82e3 100644 --- a/e2e/terraform/network.tf +++ b/e2e/terraform/network.tf 
@@ -7,6 +7,14 @@ data "aws_subnet" "default" {
 vpc_id = data.aws_vpc.default.id
 }
 
+data "http" "my_public_ipv4" {
+ url = "https://ipv4.icanhazip.com"
+}
+
+locals {
+ ingress_cidr = var.restrict_ingress_cidrblock ? "${chomp(data.http.my_public_ipv4.body)}/32" : "0.0.0.0/0"
+}
+
 resource "aws_security_group" "primary" {
 name = local.random_name
 vpc_id = data.aws_vpc.default.id
@@ -15,7 +23,7 @@ resource "aws_security_group" "primary" {
 from_port = 22
 to_port = 22
 protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = [local.ingress_cidr]
 }
 
 # Nomad
@@ -23,7 +31,7 @@ resource "aws_security_group" "primary" {
 from_port = 4646
 to_port = 4646
 protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = [local.ingress_cidr]
 }
 
 # Fabio
@@ -31,7 +39,7 @@ resource "aws_security_group" "primary" {
 from_port = 9998
 to_port = 9999
 protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = [local.ingress_cidr]
 }
 
 # Consul
@@ -39,7 +47,7 @@ resource "aws_security_group" "primary" {
 from_port = 8500
 to_port = 8500
 protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = [local.ingress_cidr]
 }
 
 # Vault
@@ -47,7 +55,7 @@ resource "aws_security_group" "primary" {
 from_port = 8200
 to_port = 8200
 protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = [local.ingress_cidr]
 }
 
 # HDFS NameNode UI
@@ -55,7 +63,7 @@ resource "aws_security_group" "primary" {
 from_port = 50070
 to_port = 50070
 protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = [local.ingress_cidr]
 }
 
 # HDFS DataNode UI
@@ -63,7 +71,7 @@ resource "aws_security_group" "primary" {
 from_port = 50075
 to_port = 50075
 protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = [local.ingress_cidr]
 }
 
 # Spark history server UI
@@ -71,7 +79,7 @@ resource "aws_security_group" "primary" {
 from_port = 18080
 to_port = 18080
 protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = [local.ingress_cidr]
 }
 
 ingress {
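Review bot: The body returned by `data.http.my_public_ipv4` is interpolated straight into `local.ingress_cidr` without any check that it is an IPv4 literal, so an error page, an empty body or an unexpected response from the third-party lookup becomes the security-group CIDR — at best a failed apply, at worst a rule that does not match the intent. Since this one lookup now decides who may reach SSH, Nomad, Consul and Vault, I would fail the plan unless the response is a dotted quad, e.g. `ingress_cidr = var.restrict_ingress_cidrblock ? "${regex("^\\d{1,3}(?:\\.\\d{1,3}){3}$", chomp(data.http.my_public_ipv4.body))}/32" : "0.0.0.0/0"` (`regex` errors when nothing matches). The `locals` block also deserves a comment saying that the lookup runs on every plan, so a change in the invoker's egress address rewrites all of these rules, and that a runner behind NAT or a proxy may report a different address than the one tests connect from — an explicit CIDR override variable would cover that case. Whether the `http` provider at the pinned version rejects non-2xx responses is not visible here; the guard above does not depend on it.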
diff --git a/e2e/terraform/variables.tf b/e2e/terraform/variables.tf index 89500009444..6461c704b69 100644 --- a/e2e/terraform/variables.tf +++ b/e2e/terraform/variables.tf @@ -54,6 +54,12 @@ variable "profile" { default = "" } +variable "restrict_ingress_cidrblock" { + description = "Restrict ingress traffic to cluster to invoker ip address" + type = bool + default = true +} + # ---------------------------------------- # The specific version of Nomad deployed will default to whichever one of # nomad_sha, nomad_version, or nomad_local_binary is set From 8d03f4ccbc6a3edf68c6d66467787222ec19ce6d Mon Sep 17 00:00:00 2001 From: Mahmood Ali Date: Fri, 4 Jun 2021 10:28:43 -0400 Subject: [PATCH 2/4] e2e: NOMAD_VERSION is not set when installing url --- e2e/terraform/packer/ubuntu-bionic-amd64/provision.sh | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/e2e/terraform/packer/ubuntu-bionic-amd64/provision.sh b/e2e/terraform/packer/ubuntu-bionic-amd64/provision.sh index 42cef394dd1..5ba8f08b305 100755 --- a/e2e/terraform/packer/ubuntu-bionic-amd64/provision.sh +++ b/e2e/terraform/packer/ubuntu-bionic-amd64/provision.sh @@ -11,6 +11,7 @@ Options (use one of the following): --nomad_sha SHA full git sha to install from S3 --nomad_version VERSION release version number (ex. 0.12.4+ent) --nomad_binary FILEPATH path to file on host + --nomad_url URL url to nomad binary archive Options for configuration: --config_profile FILEPATH path to config profile directory @@ -76,12 +77,6 @@ install_from_release() { } install_from_url() { - # check that we don't already have this version - if [ "$(command -v nomad)" ]; then - nomad -version | grep -v 'dev' | grep -q "${NOMAD_VERSION}" \ - && echo "$NOMAD_VERSION already installed" && return - fi - case "${NOMAD_URL}" in *.zip*) curl -sL --fail -o /tmp/nomad.zip "$NOMAD_URL" From f6d503ddd0641c247ff36f0b06c11cfdd783d564 Mon Sep 17 00:00:00 2001 
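Review bot: The `description` on `restrict_ingress_cidrblock` says "invoker ip address" but does not tell an operator where that address comes from or what the alternative is, which matters because the rules it controls front SSH, Nomad, Consul and Vault. I would make it explicit: `description = "Restrict ingress to the public IPv4 address of the machine running Terraform (looked up via ipv4.icanhazip.com at plan time); set to false to open the cluster ports to 0.0.0.0/0"`.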
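Review bot: With the already-installed short-circuit removed, `install_from_url` now fetches and installs whatever `$NOMAD_URL` points at on every run, and the visible `curl -sL --fail` call follows redirects to any scheme and verifies nothing about the archive it unpacks. If every expected source is HTTPS (S3 release URLs are), pin the scheme so a redirect cannot downgrade the download: `curl -sSL --fail --proto '=https' --proto-redir '=https' -o /tmp/nomad.zip "$NOMAD_URL"` (`-S` keeps errors visible under `-s`). An optional expected-digest argument checked with `sha256sum -c` before unpacking would close the integrity gap for artifacts that are not already pinned by `nomad_sha`; the remainder of `install_from_url`, including the unzip step, is outside this hunk.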
From: Mahmood Ali Date: Fri, 4 Jun 2021 10:32:51 -0400 Subject: [PATCH 3/4] e2e: pass nomad_url variable --- e2e/terraform/nomad.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/e2e/terraform/nomad.tf b/e2e/terraform/nomad.tf index 3bdf7537740..dd472ab3efa 100644 --- a/e2e/terraform/nomad.tf +++ b/e2e/terraform/nomad.tf @@ -19,6 +19,8 @@ module "nomad_server" { nomad_local_binary = count.index < length(var.nomad_local_binary_server) ? var.nomad_local_binary_server[count.index] : var.nomad_local_binary + nomad_url = count.index < length(var.nomad_url_server) ? var.nomad_url_server[count.index] : var.nomad_url + nomad_enterprise = var.nomad_enterprise nomad_license = var.nomad_license nomad_acls = var.nomad_acls @@ -56,6 +58,8 @@ module "nomad_client_ubuntu_bionic_amd64" { nomad_local_binary = count.index < length(var.nomad_local_binary_client_ubuntu_bionic_amd64) ? var.nomad_local_binary_client_ubuntu_bionic_amd64[count.index] : var.nomad_local_binary + nomad_url = count.index < length(var.nomad_url_client_ubuntu_bionic_amd64) ? var.nomad_url_client_ubuntu_bionic_amd64[count.index] : var.nomad_url + nomad_enterprise = var.nomad_enterprise nomad_acls = false cluster_name = local.random_name From 9c8f7624c9b7245d9a29cd625ac4afd25fbdf763 Mon Sep 17 00:00:00 2001 From: Mahmood Ali Date: Fri, 4 Jun 2021 11:49:43 -0400 Subject: [PATCH 4/4] remove unused Spark security group rules --- e2e/terraform/network.tf | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/e2e/terraform/network.tf b/e2e/terraform/network.tf index fb4460e82e3..a6ca95aa57b 100644 --- a/e2e/terraform/network.tf +++ b/e2e/terraform/network.tf 
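Review bot: Nothing in these hunks documents how `nomad_url` ranks against `nomad_sha`, `nomad_version` and `nomad_local_binary` when more than one is set, and the comment in `variables.tf` shown in the first patch of this series still says the deployed version comes from "whichever one of nomad_sha, nomad_version, or nomad_local_binary is set". I would extend that comment to cover the new input and state the precedence, e.g. `# nomad_sha, nomad_version, nomad_local_binary, or nomad_url is set`, with a second line naming which one wins. The per-index override `var.nomad_url_server[count.index]` falling back to `var.nomad_url` mirrors the `nomad_local_binary` line above it, so the semantics presumably match; the declarations of `nomad_url`, `nomad_url_server` and `nomad_url_client_ubuntu_bionic_amd64` are not in this series, so confirm they exist with the same list/string shape.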
@@ -58,30 +58,6 @@ resource "aws_security_group" "primary" {
 cidr_blocks = [local.ingress_cidr]
 }
 
- # HDFS NameNode UI
- ingress {
- from_port = 50070
- to_port = 50070
- protocol = "tcp"
- cidr_blocks = [local.ingress_cidr]
- }
-
- # HDFS DataNode UI
- ingress {
- from_port = 50075
- to_port = 50075
- protocol = "tcp"
- cidr_blocks = [local.ingress_cidr]
- }
-
- # Spark history server UI
- ingress {
- from_port = 18080
- to_port = 18080
- protocol = "tcp"
- cidr_blocks = [local.ingress_cidr]
- }
-
 ingress {
 from_port = 0
 to_port = 0