
Securing packer builds via allowed_inbound_ip_addresses (actions#3193)
* Trying to handover additional parameters

* Make restriction to agent ip configurable

* Added additional parameter to all other packer files

* Added note about new parameter's incompatibility with other parameters to command line help

* Added line break for better readability

Co-authored-by: Mikhail Timofeev <48208649+miketimofeev@users.noreply.github.com>

Co-authored-by: Mikhail Timofeev <48208649+miketimofeev@users.noreply.github.com>
seqdan and miketimofeev authored May 4, 2021
1 parent c2a2904 commit f109d39
Showing 6 changed files with 22 additions and 0 deletions.
12 changes: 12 additions & 0 deletions helpers/GenerateResourcesAndImage.ps1
Expand Up @@ -89,6 +89,10 @@ Function GenerateResourcesAndImage {
.PARAMETER AzureTenantId
Tenant needs to be provided for optional authentication via service principal. Example: "11111111-1111-1111-1111-111111111111"
.PARAMETER RestrictToAgentIpAddress
If set, access to the VM used by packer to generate the image is restricted to the public IP address this script is run from.
This parameter cannot be used in combination with the virtual_network_name packer parameter.
.EXAMPLE
GenerateResourcesAndImage -SubscriptionId {YourSubscriptionId} -ResourceGroupName "shsamytest1" -ImageGenerationRepositoryRoot "C:\virtual-environments" -ImageType Ubuntu1604 -AzureLocation "East US"
#>
Expand All @@ -112,6 +116,8 @@ Function GenerateResourcesAndImage {
[Parameter(Mandatory = $False)]
[string] $AzureTenantId,
[Parameter(Mandatory = $False)]
[Switch] $RestrictToAgentIpAddress,
[Parameter(Mandatory = $False)]
[Switch] $Force
)

Expand Down Expand Up @@ -215,6 +221,11 @@ Function GenerateResourcesAndImage {
throw "'packer' binary is not found on PATH"
}

if($RestrictToAgentIpAddress -eq $true) {
$AgentIp = (Invoke-RestMethod http://ipinfo.io/json).ip
echo "Restricting access to packer generated VM to agent IP Address: $AgentIp"
}

& $packerBinary build -on-error=ask `
-var "client_id=$($spClientId)" `
-var "client_secret=$($ServicePrincipalClientSecret)" `
Expand All @@ -224,5 +235,6 @@ Function GenerateResourcesAndImage {
-var "resource_group=$($ResourceGroupName)" `
-var "storage_account=$($storageAccountName)" `
-var "install_password=$($InstallPassword)" `
-var "allowed_inbound_ip_addresses=$($AgentIp)" `
$builderScriptPath
}
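Review bot: The value assigned to `$AgentIp` in the third hunk is fetched over plain `http://ipinfo.io/json` and passed straight into the `allowed_inbound_ip_addresses` build variable without being checked, so a tampered or malformed response would land directly in the NSG allow-list rather than failing the build. Fetch it over TLS and reject anything that is not an IP address, e.g. `$AgentIp = (Invoke-RestMethod https://ipinfo.io/json).ip` followed by `if (-not ($AgentIp -as [System.Net.IPAddress])) { throw "Could not determine a valid agent IP address: '$AgentIp'" }`. When the switch is not given `$AgentIp` is never assigned, so the last hunk always passes an empty `allowed_inbound_ip_addresses` to packer; whether the builder treats an empty value as "no restriction" is not visible here and is worth confirming and stating in the parameter help. The help text in the first hunk says the switch cannot be combined with `virtual_network_name`, but nothing in the visible hunks enforces that; if the function exposes a VNet parameter (its parameter block is only partly shown), a guard that throws when both are set would make the documented constraint real. GenerateResourcesAndImage's body extends beyond the hunks shown.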
2 changes: 2 additions & 0 deletions images/linux/ubuntu1604.json
Expand Up @@ -12,6 +12,7 @@
"virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
"virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
"private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
"allowed_inbound_ip_addresses": "{{env `AGENT_IP`}}",
"image_folder": "/imagegeneration",
"imagedata_file": "/imagegeneration/imagedata.json",
"installer_script_folder": "/imagegeneration/installers",
Expand Down Expand Up @@ -45,6 +46,7 @@
"virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
"virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
"private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
"allowed_inbound_ip_addresses": "{{user `allowed_inbound_ip_addresses`}}",
"os_type": "Linux",
"image_publisher": "Canonical",
"image_offer": "UbuntuServer",
2 changes: 2 additions & 0 deletions images/linux/ubuntu1804.json
Expand Up @@ -12,6 +12,7 @@
"virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
"virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
"private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
"allowed_inbound_ip_addresses": "{{env `AGENT_IP`}}",
"image_folder": "/imagegeneration",
"imagedata_file": "/imagegeneration/imagedata.json",
"installer_script_folder": "/imagegeneration/installers",
Expand Down Expand Up @@ -45,6 +46,7 @@
"virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
"virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
"private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
"allowed_inbound_ip_addresses": "{{user `allowed_inbound_ip_addresses`}}",
"os_type": "Linux",
"image_publisher": "Canonical",
"image_offer": "UbuntuServer",
2 changes: 2 additions & 0 deletions images/linux/ubuntu2004.json
Expand Up @@ -12,6 +12,7 @@
"virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
"virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
"private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
"allowed_inbound_ip_addresses": "{{env `AGENT_IP`}}",
"image_folder": "/imagegeneration",
"imagedata_file": "/imagegeneration/imagedata.json",
"installer_script_folder": "/imagegeneration/installers",
Expand Down Expand Up @@ -45,6 +46,7 @@
"virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
"virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
"private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
"allowed_inbound_ip_addresses": "{{user `allowed_inbound_ip_addresses`}}",
"os_type": "Linux",
"image_publisher": "canonical",
"image_offer": "0001-com-ubuntu-server-focal",
2 changes: 2 additions & 0 deletions images/win/windows2016.json
Expand Up @@ -13,6 +13,7 @@
"virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
"virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
"private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
"allowed_inbound_ip_addresses": "{{env `AGENT_IP`}}",
"vm_size": "Standard_D8s_v4",
"run_scan_antivirus": "false",
"root_folder": "C:",
Expand Down Expand Up @@ -53,6 +54,7 @@
"virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
"virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
"private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
"allowed_inbound_ip_addresses": "{{user `allowed_inbound_ip_addresses`}}",
"os_type": "Windows",
"image_publisher": "MicrosoftWindowsServer",
"image_offer": "WindowsServer",
2 changes: 2 additions & 0 deletions images/win/windows2019.json
Expand Up @@ -13,6 +13,7 @@
"virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
"virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
"private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
"allowed_inbound_ip_addresses": "{{env `AGENT_IP`}}",
"vm_size": "Standard_D8s_v4",
"run_scan_antivirus": "false",
"root_folder": "C:",
Expand Down Expand Up @@ -53,6 +54,7 @@
"virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
"virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
"private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
"allowed_inbound_ip_addresses": "{{user `allowed_inbound_ip_addresses`}}",
"os_type": "Windows",
"image_publisher": "MicrosoftWindowsServer",
"image_offer": "WindowsServer",
