Securing packer builds via allowed_inbound_ip_addresses (#3193)

* Trying to handover additional parameters

* Make restriction to agent ip configurable

* Added additional parameter to all other packer files

* Added note about new parameter's incompatibility with other parameters to command line help

* Added line break for better readability

Co-authored-by: Mikhail Timofeev <48208649+miketimofeev@users.noreply.github.com>

Co-authored-by: Mikhail Timofeev <48208649+miketimofeev@users.noreply.github.com>
This commit is contained in:
Daniel
2021-05-04 20:39:55 +12:00
committed by GitHub
parent c2a2904e48
commit f109d39c83
6 changed files with 22 additions and 0 deletions


@@ -89,6 +89,10 @@ Function GenerateResourcesAndImage {
.PARAMETER AzureTenantId
Tenant needs to be provided for optional authentication via service principal. Example: "11111111-1111-1111-1111-111111111111"
.PARAMETER RestrictToAgentIpAddress
If set, access to the VM used by packer to generate the image is restricted to the public IP address this script is run from.
This parameter cannot be used in combination with the virtual_network_name packer parameter.
.EXAMPLE
GenerateResourcesAndImage -SubscriptionId {YourSubscriptionId} -ResourceGroupName "shsamytest1" -ImageGenerationRepositoryRoot "C:\virtual-environments" -ImageType Ubuntu1604 -AzureLocation "East US"
#>
@@ -112,6 +116,8 @@ Function GenerateResourcesAndImage {
[Parameter(Mandatory = $False)]
[string] $AzureTenantId,
[Parameter(Mandatory = $False)]
[Switch] $RestrictToAgentIpAddress,
[Parameter(Mandatory = $False)]
[Switch] $Force
)
@@ -215,6 +221,11 @@ Function GenerateResourcesAndImage {
throw "'packer' binary is not found on PATH"
}
if($RestrictToAgentIpAddress -eq $true) {
$AgentIp = (Invoke-RestMethod http://ipinfo.io/json).ip
echo "Restricting access to packer generated VM to agent IP Address: $AgentIp"
}
& $packerBinary build -on-error=ask `
-var "client_id=$($spClientId)" `
-var "client_secret=$($ServicePrincipalClientSecret)" `
@@ -224,5 +235,6 @@ Function GenerateResourcesAndImage {
-var "resource_group=$($ResourceGroupName)" `
-var "storage_account=$($storageAccountName)" `
-var "install_password=$($InstallPassword)" `
-var "allowed_inbound_ip_addresses=$($AgentIp)" `
$builderScriptPath
}
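Review bot: The public-IP lookup added in the third hunk (`$AgentIp = (Invoke-RestMethod http://ipinfo.io/json).ip`) goes over plain HTTP to a third-party service and its result is never checked before being interpolated into `-var "allowed_inbound_ip_addresses=$($AgentIp)"` in the last hunk. If the request fails, times out, or returns no `ip` field, `$AgentIp` is empty and, assuming the builder treats an empty list as "no restriction", the switch silently yields an unrestricted VM — the opposite of what the operator asked for — while the echo line still prints as if a restriction were applied. I would fetch over HTTPS, validate the value with `[System.Net.IPAddress]::TryParse`, and throw on failure, as below; `-eq $true` on a `[Switch]` is also redundant. The `GenerateResourcesAndImage` function itself starts and ends outside these hunks, so the unset-switch case (an empty `allowed_inbound_ip_addresses`) should be confirmed against the packer templates to keep the old behaviour.
```powershell
if ($RestrictToAgentIpAddress) {
    $AgentIp = (Invoke-RestMethod https://ipinfo.io/json).ip
    $parsedIp = $null
    if (-not [System.Net.IPAddress]::TryParse($AgentIp, [ref]$parsedIp)) {
        throw "Could not determine a valid public IP address for the agent (got '$AgentIp'); refusing to build without the inbound restriction"
    }
    echo "Restricting access to packer generated VM to agent IP Address: $AgentIp"
}
# … unchanged: packer build invocation …
```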