EngineerBetter / control-tower

Deploy and operate Concourse CI in a single command
https://www.engineerbetter.com
Apache License 2.0

option to remove grafana and cloud foundry web UIs? #90

Open RichardBradley opened 3 years ago

RichardBradley commented 3 years ago

Hi,

Thanks for control-tower, it has saved me lots of time in setting up Concourse.

It comes with "Grafana" publicly accessible on port 3000, but I'm not sure what for? I only noticed it when it was flagged as out of date in a pen test we had recently and when I logged into it with the super admin account it appears empty. I notice that issue #28 relates to the setup not working out of the box for this.

It comes with a login page for "Cloud Foundry" on port 8443 that gives a cert error and which I can't seem to log in to. What is this for? This was also flagged in our pen test as out of date, even though I have recently run the self-update job.

I would prefer to just remove these two: is there an easy way to do that? I don't see any options about them at https://github.com/EngineerBetter/control-tower/blob/master/docs/deploy.md. If I just close their ports off in the AWS Security Group, will BOSH open them up again later?

will-gant commented 3 years ago

Hi Richard. Grafana is a metrics dashboard that control-tower configures with a number of graphs that can be handy for diagnosing Concourse performance issues. The same admin credentials that you use to access Concourse itself will log you into Grafana.

The "Cloud Foundry" login page is, somewhat confusingly, actually the UI for a thing called the User Account and Authentication (UAA) server, which was originally developed for Cloud Foundry. We use it to manage user authentication in Credhub, which is the integrated secrets manager we deploy alongside Concourse.

We don't currently offer flags that allow users to choose whether these endpoints are accessible. As you say, you can close off the ports yourself in AWS. BOSH will not re-open them, but control-tower will do so the next time you either redeploy with control-tower deploy or run the self-update pipeline.

crsimmons commented 3 years ago

UAA is required for Credhub to function. This is what provides credential management in Control Tower. I would consider this a core functionality of the product. We could look into whether access to it could be restricted more though.

There is a basic Grafana dashboard included in Control Tower. It should be called Concourse. As far as updates to Grafana go, we're using https://github.com/vito/grafana-boshrelease which hasn't been updated in a while unfortunately.

RichardBradley commented 3 years ago

For the record, I have blocked these endpoints on my instance by removing the 0.0.0.0/0 rule from the "control-tower-xxx-atc" security group for all ports other than 80 and 443. I have also ip-restricted the 80 and 443 rules to my team's IPs in the same place.

I believe I will have to re-apply these changes every time I run the "self update" job (just as I do with the Concourse perms, see #91).

crsimmons commented 3 years ago

FYI if removing the 0.0.0.0/0 on the control-tower-xxx-atc security group fixes your problem then this is configurable via the --allow-ips flag. This defaults to 0.0.0.0/0 and governs access to the web vm (where grafana, credhub, and the UAA are all colocated). Using the flag means self-update will respect the change.
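A way to verify the end state the thread converges on (no world-open ingress on the web VM's security group beyond 80 and 443, whether that was done by hand as Richard describes or persisted via `--allow-ips`). This is an added example, not control-tower's own code: it parses the JSON shape that `aws ec2 describe-security-groups` prints and reports every rule that exposes a port other than HTTP/HTTPS to `0.0.0.0/0` or `::/0`. The sample document, group name, group id and CIDRs below are constructed for the example.

```python
"""Audit AWS security-group ingress rules for world-open ports.

Added example (not part of control-tower). Feed it the output of
`aws ec2 describe-security-groups --group-names <web vm group>` to see
which ports are still reachable from anywhere; the web VM in this thread
serves Grafana on 3000 and UAA on 8443 from the same group as 80/443.
"""
import json
import sys

# Constructed sample in the describe-security-groups output shape.
# Group name/id and the 203.0.113.0/24 "team" range are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupName": "control-tower-example-atc",
            "GroupId": "sg-00000000000000000",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                # Grafana left open to the world: should be flagged.
                {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                # UAA restricted on IPv4 but still open on IPv6: flagged too.
                {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                # SSH restricted to the team range: not flagged.
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            ],
        }
    ]
})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def world_open_rules(describe_json, allowed_ports=(80, 443)):
    """Return (group_name, from_port, to_port, cidr) for every ingress rule
    that lets any internet address reach a port outside allowed_ports.

    A rule without FromPort/ToPort (IpProtocol "-1", all traffic) is reported
    with ports (None, None) because it exposes everything. A port range is
    only accepted when it is a single port that is itself allowed.
    """
    findings = []
    for group in json.loads(describe_json)["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            for cidr in cidrs:
                if cidr not in WORLD_CIDRS:
                    continue  # scoped to specific addresses; fine
                if lo is not None and lo == hi and lo in allowed_ports:
                    continue  # single allowed port open to the world
                findings.append((group["GroupName"], lo, hi, cidr))
    return findings


if __name__ == "__main__":
    # Pass a file containing real describe-security-groups output,
    # otherwise the constructed sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = fh.read()
    else:
        data = SAMPLE_DESCRIBE_OUTPUT
    for name, lo, hi, cidr in world_open_rules(data):
        print(f"{name}: port(s) {lo}-{hi} open to {cidr}")
    sys.exit(1 if world_open_rules(data) else 0)
```

Running this after a `control-tower deploy` or a self-update run is a cheap way to confirm the `--allow-ips` value actually landed, since the script exits non-zero whenever anything beyond 80/443 is world-reachable.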