From f109d39c835e31d9b392241a3513c837480764b7 Mon Sep 17 00:00:00 2001 From: Daniel <56939361+seqdan@users.noreply.github.com> Date: Tue, 4 May 2021 20:39:55 +1200 Subject: [PATCH] Securing packer builds via allowed_inbound_ip_addresses (#3193) * Trying to handover additional parameters * Make restriction to agent ip configurable * Added additional parameter to all other packer files * Added note about new parameter's incompatibility with other parameters to command line help * Added line break for better readability Co-authored-by: Mikhail Timofeev <48208649+miketimofeev@users.noreply.github.com> Co-authored-by: Mikhail Timofeev <48208649+miketimofeev@users.noreply.github.com> --- helpers/GenerateResourcesAndImage.ps1 | 12 ++++++++++++ images/linux/ubuntu1604.json | 2 ++ images/linux/ubuntu1804.json | 2 ++ images/linux/ubuntu2004.json | 2 ++ images/win/windows2016.json | 2 ++ images/win/windows2019.json | 2 ++ 6 files changed, 22 insertions(+) diff --git a/helpers/GenerateResourcesAndImage.ps1 b/helpers/GenerateResourcesAndImage.ps1 index 681ff3877..d7ae67f27 100644 --- a/helpers/GenerateResourcesAndImage.ps1 +++ b/helpers/GenerateResourcesAndImage.ps1 @@ -89,6 +89,10 @@ Function GenerateResourcesAndImage { .PARAMETER AzureTenantId Tenant needs to be provided for optional authentication via service principal. Example: "11111111-1111-1111-1111-111111111111" + .PARAMETER RestrictToAgentIpAddress + If set, access to the VM used by packer to generate the image is restricted to the public IP address this script is run from. + This parameter cannot be used in combination with the virtual_network_name packer parameter. + .EXAMPLE GenerateResourcesAndImage -SubscriptionId {YourSubscriptionId} -ResourceGroupName "shsamytest1" -ImageGenerationRepositoryRoot "C:\virtual-environments" -ImageType Ubuntu1604 -AzureLocation "East US" #> 
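Review bot: The new `.PARAMETER RestrictToAgentIpAddress` text says access is limited to "the public IP address this script is run from" but not how that address is found; the implementation added later in this function discovers it by querying an external lookup service, which is exactly what a reader behind a proxy, NAT or split egress needs to know before relying on the switch. Suggest appending `The address is discovered by querying an external IP lookup service, so the machine running this script needs outbound Internet access and the value reflects its public egress address.` The comment-based help block this hunk edits starts before the hunk.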
@@ -112,6 +116,8 @@ Function GenerateResourcesAndImage { [Parameter(Mandatory = $False)] [string] $AzureTenantId, [Parameter(Mandatory = $False)] + [Switch] $RestrictToAgentIpAddress, + [Parameter(Mandatory = $False)] [Switch] $Force ) @@ -215,6 +221,11 @@ Function GenerateResourcesAndImage { throw "'packer' binary is not found on PATH" } + if($RestrictToAgentIpAddress -eq $true) { + $AgentIp = (Invoke-RestMethod http://ipinfo.io/json).ip + echo "Restricting access to packer generated VM to agent IP Address: $AgentIp" + } + & $packerBinary build -on-error=ask ` -var "client_id=$($spClientId)" ` -var "client_secret=$($ServicePrincipalClientSecret)" ` @@ -224,5 +235,6 @@ Function GenerateResourcesAndImage { -var "resource_group=$($ResourceGroupName)" ` -var "storage_account=$($storageAccountName)" ` -var "install_password=$($InstallPassword)" ` + -var "allowed_inbound_ip_addresses=$($AgentIp)" ` $builderScriptPath } diff --git a/images/linux/ubuntu1604.json b/images/linux/ubuntu1604.json index cdb33e709..d83c58cbd 100644 --- a/images/linux/ubuntu1604.json +++ b/images/linux/ubuntu1604.json @@ -12,6 +12,7 @@ "virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}", "virtual_network_subnet_name": "{{env `VNET_SUBNET`}}", "private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}", + "allowed_inbound_ip_addresses": "{{env `AGENT_IP`}}", "image_folder": "/imagegeneration", "imagedata_file": "/imagegeneration/imagedata.json", "installer_script_folder": "/imagegeneration/installers", @@ -45,6 +46,7 @@ "virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}", "virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}", "private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}", + "allowed_inbound_ip_addresses": "{{user `allowed_inbound_ip_addresses`}}", "os_type": "Linux", "image_publisher": "Canonical", "image_offer": "UbuntuServer", 
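Review bot: The address that becomes the network allow-list entry is fetched over plain HTTP from a third party (`Invoke-RestMethod http://ipinfo.io/json`) and used without validation, so the branch fails open: a lookup error leaves `$AgentIp` empty and the build proceeds with an empty `allowed_inbound_ip_addresses` (which I would expect the builder to treat as "no restriction" rather than an error), and a tampered or unexpected response would allow-list whatever address it carries instead of the agent's. Since the caller explicitly asked for restriction, the safer shape is HTTPS, a parse with `[System.Net.IPAddress]::TryParse`, and a `throw` when the value is missing or invalid. The `.PARAMETER` help added in this commit says the switch cannot be combined with `virtual_network_name`, but nothing here checks that, so a one-line guard or at least a note next to this block would help. Minor style: `if ($RestrictToAgentIpAddress)` reads better than `-eq $true` on a switch, and `Write-Host` is clearer than the `echo` alias. The enclosing function starts before this hunk.
```powershell
if ($RestrictToAgentIpAddress) {
    # Fail closed: a failed or malformed lookup must not leave the build VM open to everyone.
    try {
        $lookup = Invoke-RestMethod -Uri "https://ipinfo.io/json" -TimeoutSec 30
    } catch {
        throw "Could not determine the agent's public IP address: $($_.Exception.Message)"
    }
    $parsedIp = $null
    if ([string]::IsNullOrWhiteSpace($lookup.ip) -or -not [System.Net.IPAddress]::TryParse($lookup.ip, [ref]$parsedIp)) {
        throw "IP lookup returned an invalid address: '$($lookup.ip)'"
    }
    $AgentIp = $parsedIp.IPAddressToString
    Write-Host "Restricting access to packer generated VM to agent IP Address: $AgentIp"
}
# … unchanged: packer build invocation …
```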
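Review bot: `-var "allowed_inbound_ip_addresses=$($AgentIp)"` is passed on every run, but `$AgentIp` is only assigned inside the `RestrictToAgentIpAddress` branch added earlier in this function, so the unrestricted path sends an empty value and, should the script ever run under `Set-StrictMode`, dereferences an undefined variable. Either initialise `$AgentIp = ""` alongside the other locals before the branch, or build the argument list so the `-var` is appended only when the switch is set. The function's body starts before this hunk; only its closing brace is visible here.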
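Review bot: `allowed_inbound_ip_addresses` is a list-valued setting in the Azure builder while Packer user variables are strings, so the new `{{env `AGENT_IP`}}` / `{{user `allowed_inbound_ip_addresses`}}` mapping presumably relies on the builder coercing a single string into a one-element list; a comma-separated value in `AGENT_IP` would then arrive as one literal entry and most likely fail network-rule validation instead of allow-listing several addresses. JSON offers nowhere for a comment, so the limit to exactly one address belongs in the parameter help in GenerateResourcesAndImage.ps1, or a quick test with two addresses should confirm the behaviour. The same pair of additions is repeated in ubuntu1804.json, ubuntu2004.json, windows2016.json and windows2019.json.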
diff --git a/images/linux/ubuntu1804.json b/images/linux/ubuntu1804.json
index b4a54f47a..a8c494402 100644
--- a/images/linux/ubuntu1804.json
+++ b/images/linux/ubuntu1804.json
@@ -12,6 +12,7 @@
     "virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
     "virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
     "private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
+    "allowed_inbound_ip_addresses": "{{env `AGENT_IP`}}",
     "image_folder": "/imagegeneration",
     "imagedata_file": "/imagegeneration/imagedata.json",
     "installer_script_folder": "/imagegeneration/installers",
@@ -45,6 +46,7 @@
     "virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
     "virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
     "private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
+    "allowed_inbound_ip_addresses": "{{user `allowed_inbound_ip_addresses`}}",
     "os_type": "Linux",
     "image_publisher": "Canonical",
     "image_offer": "UbuntuServer",
diff --git a/images/linux/ubuntu2004.json b/images/linux/ubuntu2004.json
index 7c0ca2b57..f6e241d10 100644
--- a/images/linux/ubuntu2004.json
+++ b/images/linux/ubuntu2004.json
@@ -12,6 +12,7 @@
     "virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
     "virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
     "private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
+    "allowed_inbound_ip_addresses": "{{env `AGENT_IP`}}",
     "image_folder": "/imagegeneration",
     "imagedata_file": "/imagegeneration/imagedata.json",
     "installer_script_folder": "/imagegeneration/installers",
@@ -45,6 +46,7 @@
     "virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
     "virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
     "private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
+    "allowed_inbound_ip_addresses": "{{user `allowed_inbound_ip_addresses`}}",
     "os_type": "Linux",
     "image_publisher": "canonical",
     "image_offer": "0001-com-ubuntu-server-focal",
diff --git a/images/win/windows2016.json b/images/win/windows2016.json
index f090f12bc..a0aa9473e 100644
--- a/images/win/windows2016.json
+++ b/images/win/windows2016.json
@@ -13,6 +13,7 @@
     "virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
     "virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
     "private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
+    "allowed_inbound_ip_addresses": "{{env `AGENT_IP`}}",
     "vm_size": "Standard_D8s_v4",
     "run_scan_antivirus": "false",
     "root_folder": "C:",
@@ -53,6 +54,7 @@
     "virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
     "virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
     "private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
+    "allowed_inbound_ip_addresses": "{{user `allowed_inbound_ip_addresses`}}",
     "os_type": "Windows",
     "image_publisher": "MicrosoftWindowsServer",
     "image_offer": "WindowsServer",
diff --git a/images/win/windows2019.json b/images/win/windows2019.json
index b98ea750e..c0c6b65d0 100644
--- a/images/win/windows2019.json
+++ b/images/win/windows2019.json
@@ -13,6 +13,7 @@
     "virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
     "virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
     "private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
+    "allowed_inbound_ip_addresses": "{{env `AGENT_IP`}}",
     "vm_size": "Standard_D8s_v4",
     "run_scan_antivirus": "false",
     "root_folder": "C:",
@@ -53,6 +54,7 @@
     "virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
     "virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
     "private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
+    "allowed_inbound_ip_addresses": "{{user `allowed_inbound_ip_addresses`}}",
     "os_type": "Windows",
     "image_publisher": "MicrosoftWindowsServer",
     "image_offer": "WindowsServer",