Securing packer builds via allowed_inbound_ip_addresses (#3193)
* Trying to handover additional parameters * Make restriction to agent ip configurable * Added additional parameter to all other packer files * Added note about new parameter's incompatibility with other parameters to command line help * Added line break for better readability Co-authored-by: Mikhail Timofeev <48208649+miketimofeev@users.noreply.github.com> Co-authored-by: Mikhail Timofeev <48208649+miketimofeev@users.noreply.github.com>
@@ -89,6 +89,10 @@ Function GenerateResourcesAndImage {
|
|||||||
.PARAMETER AzureTenantId
|
.PARAMETER AzureTenantId
|
||||||
Tenant needs to be provided for optional authentication via service principal. Example: "11111111-1111-1111-1111-111111111111"
|
Tenant needs to be provided for optional authentication via service principal. Example: "11111111-1111-1111-1111-111111111111"
|
||||||
|
|
||||||
|
.PARAMETER RestrictToAgentIpAddress
|
||||||
|
If set, access to the VM used by packer to generate the image is restricted to the public IP address this script is run from.
|
||||||
|
This parameter cannot be used in combination with the virtual_network_name packer parameter.
|
||||||
|
|
||||||
.EXAMPLE
|
.EXAMPLE
|
||||||
GenerateResourcesAndImage -SubscriptionId {YourSubscriptionId} -ResourceGroupName "shsamytest1" -ImageGenerationRepositoryRoot "C:\virtual-environments" -ImageType Ubuntu1604 -AzureLocation "East US"
|
GenerateResourcesAndImage -SubscriptionId {YourSubscriptionId} -ResourceGroupName "shsamytest1" -ImageGenerationRepositoryRoot "C:\virtual-environments" -ImageType Ubuntu1604 -AzureLocation "East US"
|
||||||
#>
|
#>
|
||||||
@@ -112,6 +116,8 @@ Function GenerateResourcesAndImage {
|
|||||||
[Parameter(Mandatory = $False)]
|
[Parameter(Mandatory = $False)]
|
||||||
[string] $AzureTenantId,
|
[string] $AzureTenantId,
|
||||||
[Parameter(Mandatory = $False)]
|
[Parameter(Mandatory = $False)]
|
||||||
|
[Switch] $RestrictToAgentIpAddress,
|
||||||
|
[Parameter(Mandatory = $False)]
|
||||||
[Switch] $Force
|
[Switch] $Force
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -215,6 +221,11 @@ Function GenerateResourcesAndImage {
|
|||||||
throw "'packer' binary is not found on PATH"
|
throw "'packer' binary is not found on PATH"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if($RestrictToAgentIpAddress -eq $true) {
|
||||||
|
$AgentIp = (Invoke-RestMethod http://ipinfo.io/json).ip
|
||||||
|
echo "Restricting access to packer generated VM to agent IP Address: $AgentIp"
|
||||||
|
}
|
||||||
|
|
||||||
& $packerBinary build -on-error=ask `
|
& $packerBinary build -on-error=ask `
|
||||||
-var "client_id=$($spClientId)" `
|
-var "client_id=$($spClientId)" `
|
||||||
-var "client_secret=$($ServicePrincipalClientSecret)" `
|
-var "client_secret=$($ServicePrincipalClientSecret)" `
|
||||||
@@ -224,5 +235,6 @@ Function GenerateResourcesAndImage {
|
|||||||
-var "resource_group=$($ResourceGroupName)" `
|
-var "resource_group=$($ResourceGroupName)" `
|
||||||
-var "storage_account=$($storageAccountName)" `
|
-var "storage_account=$($storageAccountName)" `
|
||||||
-var "install_password=$($InstallPassword)" `
|
-var "install_password=$($InstallPassword)" `
|
||||||
|
-var "allowed_inbound_ip_addresses=$($AgentIp)" `
|
||||||
$builderScriptPath
|
$builderScriptPath
|
||||||
}
|
}
|
||||||
|
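Review bot: The agent address is fetched over plain HTTP (`Invoke-RestMethod http://ipinfo.io/json` in the third hunk), so the value that ends up in the network security group allow-list through `allowed_inbound_ip_addresses` can be altered by anyone on the network path, and a failed lookup leaves `$AgentIp` empty so the build proceeds unrestricted even though the switch was set (unless `$ErrorActionPreference` is Stop elsewhere in the script, which is not visible here). Use HTTPS, validate the result and fail closed: `$AgentIp = (Invoke-RestMethod -Uri https://ipinfo.io/json -ErrorAction Stop).ip` followed by `if (-not [System.Net.IPAddress]::TryParse($AgentIp, [ref]$null)) { throw "Could not determine the agent's public IP address" }`. Because `-var "allowed_inbound_ip_addresses=$($AgentIp)"` is passed unconditionally in the fourth hunk, an empty value also reaches packer whenever the switch is not set; that appears to be relied on to mean "no restriction", which deserves a short comment on that line. The enclosing GenerateResourcesAndImage function starts and ends outside these hunks.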
|||||||
@@ -12,6 +12,7 @@
|
|||||||
"virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
|
"virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
|
||||||
"virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
|
"virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
|
||||||
"private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
|
"private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
|
||||||
|
"allowed_inbound_ip_addresses": "{{env `AGENT_IP`}}",
|
||||||
"image_folder": "/imagegeneration",
|
"image_folder": "/imagegeneration",
|
||||||
"imagedata_file": "/imagegeneration/imagedata.json",
|
"imagedata_file": "/imagegeneration/imagedata.json",
|
||||||
"installer_script_folder": "/imagegeneration/installers",
|
"installer_script_folder": "/imagegeneration/installers",
|
||||||
@@ -45,6 +46,7 @@
|
|||||||
"virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
|
"virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
|
||||||
"virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
|
"virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
|
||||||
"private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
|
"private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
|
||||||
|
"allowed_inbound_ip_addresses": "{{user `allowed_inbound_ip_addresses`}}",
|
||||||
"os_type": "Linux",
|
"os_type": "Linux",
|
||||||
"image_publisher": "Canonical",
|
"image_publisher": "Canonical",
|
||||||
"image_offer": "UbuntuServer",
|
"image_offer": "UbuntuServer",
|
||||||
|
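Review bot: `allowed_inbound_ip_addresses` is declared as a single string user variable whose default is empty when `AGENT_IP` is unset, so the builder field — a list of addresses or CIDR ranges in the azure-arm builder — presumably only ever receives one entry, and an empty value means no inbound restriction at all with nothing in the template signalling that. If Packer coerces the scalar into the list type (the calling script seems to rely on that), a comma-separated `AGENT_IP` would likely arrive as one malformed element rather than several addresses; confirm this against the builder's decoding before documenting multiple addresses as supported. The same change appears in the four following template sections.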
|||||||
@@ -12,6 +12,7 @@
|
|||||||
"virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
|
"virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
|
||||||
"virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
|
"virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
|
||||||
"private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
|
"private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
|
||||||
|
"allowed_inbound_ip_addresses": "{{env `AGENT_IP`}}",
|
||||||
"image_folder": "/imagegeneration",
|
"image_folder": "/imagegeneration",
|
||||||
"imagedata_file": "/imagegeneration/imagedata.json",
|
"imagedata_file": "/imagegeneration/imagedata.json",
|
||||||
"installer_script_folder": "/imagegeneration/installers",
|
"installer_script_folder": "/imagegeneration/installers",
|
||||||
@@ -45,6 +46,7 @@
|
|||||||
"virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
|
"virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
|
||||||
"virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
|
"virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
|
||||||
"private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
|
"private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
|
||||||
|
"allowed_inbound_ip_addresses": "{{user `allowed_inbound_ip_addresses`}}",
|
||||||
"os_type": "Linux",
|
"os_type": "Linux",
|
||||||
"image_publisher": "Canonical",
|
"image_publisher": "Canonical",
|
||||||
"image_offer": "UbuntuServer",
|
"image_offer": "UbuntuServer",
|
||||||
|
|||||||
@@ -12,6 +12,7 @@
|
|||||||
"virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
|
"virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
|
||||||
"virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
|
"virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
|
||||||
"private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
|
"private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
|
||||||
|
"allowed_inbound_ip_addresses": "{{env `AGENT_IP`}}",
|
||||||
"image_folder": "/imagegeneration",
|
"image_folder": "/imagegeneration",
|
||||||
"imagedata_file": "/imagegeneration/imagedata.json",
|
"imagedata_file": "/imagegeneration/imagedata.json",
|
||||||
"installer_script_folder": "/imagegeneration/installers",
|
"installer_script_folder": "/imagegeneration/installers",
|
||||||
@@ -45,6 +46,7 @@
|
|||||||
"virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
|
"virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
|
||||||
"virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
|
"virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
|
||||||
"private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
|
"private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
|
||||||
|
"allowed_inbound_ip_addresses": "{{user `allowed_inbound_ip_addresses`}}",
|
||||||
"os_type": "Linux",
|
"os_type": "Linux",
|
||||||
"image_publisher": "canonical",
|
"image_publisher": "canonical",
|
||||||
"image_offer": "0001-com-ubuntu-server-focal",
|
"image_offer": "0001-com-ubuntu-server-focal",
|
||||||
|
|||||||
@@ -13,6 +13,7 @@
|
|||||||
"virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
|
"virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
|
||||||
"virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
|
"virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
|
||||||
"private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
|
"private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
|
||||||
|
"allowed_inbound_ip_addresses": "{{env `AGENT_IP`}}",
|
||||||
"vm_size": "Standard_D8s_v4",
|
"vm_size": "Standard_D8s_v4",
|
||||||
"run_scan_antivirus": "false",
|
"run_scan_antivirus": "false",
|
||||||
"root_folder": "C:",
|
"root_folder": "C:",
|
||||||
@@ -53,6 +54,7 @@
|
|||||||
"virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
|
"virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
|
||||||
"virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
|
"virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
|
||||||
"private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
|
"private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
|
||||||
|
"allowed_inbound_ip_addresses": "{{user `allowed_inbound_ip_addresses`}}",
|
||||||
"os_type": "Windows",
|
"os_type": "Windows",
|
||||||
"image_publisher": "MicrosoftWindowsServer",
|
"image_publisher": "MicrosoftWindowsServer",
|
||||||
"image_offer": "WindowsServer",
|
"image_offer": "WindowsServer",
|
||||||
|
|||||||
@@ -13,6 +13,7 @@
|
|||||||
"virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
|
"virtual_network_resource_group_name": "{{env `VNET_RESOURCE_GROUP`}}",
|
||||||
"virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
|
"virtual_network_subnet_name": "{{env `VNET_SUBNET`}}",
|
||||||
"private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
|
"private_virtual_network_with_public_ip": "{{env `PRIVATE_VIRTUAL_NETWORK_WITH_PUBLIC_IP`}}",
|
||||||
|
"allowed_inbound_ip_addresses": "{{env `AGENT_IP`}}",
|
||||||
"vm_size": "Standard_D8s_v4",
|
"vm_size": "Standard_D8s_v4",
|
||||||
"run_scan_antivirus": "false",
|
"run_scan_antivirus": "false",
|
||||||
"root_folder": "C:",
|
"root_folder": "C:",
|
||||||
@@ -53,6 +54,7 @@
|
|||||||
"virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
|
"virtual_network_resource_group_name": "{{user `virtual_network_resource_group_name`}}",
|
||||||
"virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
|
"virtual_network_subnet_name": "{{user `virtual_network_subnet_name`}}",
|
||||||
"private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
|
"private_virtual_network_with_public_ip": "{{user `private_virtual_network_with_public_ip`}}",
|
||||||
|
"allowed_inbound_ip_addresses": "{{user `allowed_inbound_ip_addresses`}}",
|
||||||
"os_type": "Windows",
|
"os_type": "Windows",
|
||||||
"image_publisher": "MicrosoftWindowsServer",
|
"image_publisher": "MicrosoftWindowsServer",
|
||||||
"image_offer": "WindowsServer",
|
"image_offer": "WindowsServer",
|
||||||
|
|||||||