EngineerBetter / control-tower

Deploy and operate Concourse CI in a single command
https://www.engineerbetter.com
Apache License 2.0

IP Whitelisting - "Do you need to add your IP?" #43

Open bkonkle opened 5 years ago

bkonkle commented 5 years ago

Hi! I'm using a deployment that I created with a command like this:

control-tower deploy --iaas aws \
  --region us-west-2 \
  --domain <domain> \
  --workers 2 \
  --worker-size large \
  --github-auth-client-id <id> \
  --github-auth-client-secret <secret> \
  --add-tag ProvisionedBy=control-tower \
  concourse

Yesterday things were working fine. Today, however, when I try to query info on the deployment, I'm getting this:

control-tower info --region us-west-2  --iaas AWS --env concourse

Do you need to add your IP 162.246.197.181 to the control-tower-concourse-director security group/source range entry for director firewall (for ports 22, 6868, and 25555)?

I can't find anything in the documentation about this issue. How do I solve it?

Thanks!

bkonkle commented 5 years ago

My security group appears to have some arbitrary IP values:

[Screenshot from 2019-09-11 08-53-46]

My team works from home, so there's no way to guarantee the IP ranges they'll be working from. Do I have to use the "Custom CIDR ranges" options and set all 5 to 0.0.0.0/0?

bkonkle commented 5 years ago

Also - if I change this manually, will it be overwritten by control-tower's next Terraform run?

bkonkle commented 5 years ago

I see now in the docs, "The control plane will be restricted to the IP control-tower deploy was run from." - how do we override this effectively in a dynamic-IP environment?

DMeechan commented 4 years ago

After setting up our control-tower deployment a few months ago, I'm only just running into this same issue now - any updates on this?

Do you need to add your IP xxx to the control-tower-xxx security group/source range entry for director firewall (for ports 22, 6868, and 25555)?

If I manually add my IP to the whitelist, will it get overwritten by Terraform?

DanielJonesEB commented 4 years ago

Hi @DMeechan. Whilst it'd be nice to automate this problem away, we're all busy in billable work currently.

You can work around this by:

  1. Log into AWS
  2. Go to EC2 > Security Groups
  3. Find the group called control-tower-DEPLOYMENT_NAME-director
  4. Grant access to the machine you want to run Control Tower from on ports 22, 6868 and 25555.

Unfortunately after the next deploy it'll get converged back to its original state, so this is a bit of an inconvenience.
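The four console steps above as a boto3 script (an added example, not code from the control-tower project or this commenter). The group name pattern and the three ports come from the thread; the function names, the /32-only restriction and the boto3 wiring are this example's own assumptions.

```python
# Added example (not part of control-tower): automate the manual AWS console
# workaround with boto3. Group name pattern and ports come from the thread;
# the function names and the single-host restriction are this example's own.
import ipaddress

DIRECTOR_PORTS = (22, 6868, 25555)  # ports named in the control-tower error


def director_group_name(deployment: str) -> str:
    """Security group Control Tower creates for the BOSH director."""
    return f"control-tower-{deployment}-director"


def director_ingress_rules(ip: str, note: str = "control-tower operator") -> list:
    """IpPermissions payload for authorize_security_group_ingress.

    Only a single IPv4 host (/32) is accepted: a wider CIDR, let alone
    0.0.0.0/0, would expose SSH and the director API to the whole internet.
    """
    host = ipaddress.ip_address(ip)  # ValueError on garbage or CIDR input
    if host.version != 4:
        raise ValueError("director firewall rules here are IPv4 only")
    return [
        {
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": f"{host}/32", "Description": note}],
        }
        for port in DIRECTOR_PORTS
    ]


def whitelist_operator_ip(deployment: str, ip: str, region: str) -> str:
    """Look up the director group by name, add the rules, return its GroupId.

    Caveat from the thread: the next `control-tower deploy` converges the
    group back to the IP the deploy was run from, so this is a stopgap.
    """
    import boto3  # imported lazily so the pure helpers need no AWS SDK

    ec2 = boto3.client("ec2", region_name=region)
    name = director_group_name(deployment)
    groups = ec2.describe_security_groups(
        Filters=[{"Name": "group-name", "Values": [name]}]
    )["SecurityGroups"]
    if len(groups) != 1:
        raise LookupError(f"expected one group named {name}, found {len(groups)}")
    group_id = groups[0]["GroupId"]
    # Raises ClientError (InvalidPermission.Duplicate) if a rule already exists.
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=director_ingress_rules(ip))
    return group_id
```

Run `whitelist_operator_ip("concourse", "<your current IP>", "us-west-2")` with IAAS credentials that may edit security groups; the pure helpers can be unit-tested without AWS access.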

crsimmons commented 4 years ago

control-tower deploy will always change the whitelist to be the IP you are running the command from. So if you deploy using the same version of Control Tower and only provide the mandatory flags it should be a no-op deploy that re-whitelists your IP. Unfortunately we currently don't support whitelisting a range instead of a single IP.

DanielJonesEB commented 4 years ago

Given that this is a perennial pain in the arse for everyone involved, I wonder if it is a security compromise to just say "if you have the right IAAS creds, we'll update the security group to include your current IP".

Possibly there's a story here of outputting @crsimmons' advice to the terminal when access ist verboten.