Closed charlesmims closed 6 years ago
Thanks for filing this. I'll be working on updating this and let you know when it's completed.
I'm not sure why it isn't letting me submit a PR, but the changes I made locally to correct this are:
Add this to aws/main.tf at line 164:
```hcl
resource "aws_security_group" "bootstrap" {
  name        = "bootstrap-security-group"
  description = "SSH access to bootstrap node"
  vpc_id      = "${aws_vpc.default.id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
and in aws/bootstrap.tf change line 33 to this:
```hcl
vpc_security_group_ids = ["${aws_security_group.any_access_internal.id}", "${aws_security_group.bootstrap.id}"]
```
Currently, terraform-dcos creates the bootstrap host as part of the admin security group, which has port 80 open to the world, and serves the dcos_install.sh script on port 80. If you configure your docker credentials in the desired_cluster_profile.tfvars file as suggested in the README, those are exposed in the dcos_install.sh script.
This is astoundingly bad. The bootstrap node should be removed from the admin security group, and a new security group that allows only port 22 created.
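A small policy check, added here and not part of this issue or of terraform-dcos, that scans Terraform security groups for ingress rules open to 0.0.0.0/0 on anything other than port 22, which is the condition the fix above addresses. The HCL sample is constructed: the "admin" group mirrors the issue's description (port 80 open to the world), the "bootstrap" group is the one proposed in the comment.

```python
import re

WORLD = "0.0.0.0/0"
ALLOWED_PUBLIC_PORTS = {22}  # the only port the issue wants reachable from anywhere
# Constructed HCL, not the project's files: an "admin" group with port 80 open to
# the world (as the issue describes) next to the proposed "bootstrap" group.
SAMPLE_TF = '''
resource "aws_security_group" "admin" {
  ingress {
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_security_group" "bootstrap" {
  ingress {
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["10.0.0.0/16"]
  }
}
'''

def _block_body(text, start):
    """Return the text between the '{' at index `start` and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        depth += (text[i] == "{") - (text[i] == "}")
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces")

def world_open_ports(tf_text):
    """List (group, from_port, to_port) for each ingress rule reachable from
    0.0.0.0/0 on a port outside ALLOWED_PUBLIC_PORTS; a 0-0 (all traffic) rule counts."""
    findings = []
    for sg in re.finditer(r'resource\s+"aws_security_group"\s+"(\w+)"\s*\{', tf_text):
        body = _block_body(tf_text, sg.end() - 1)
        for ing in re.finditer(r'\bingress\s*\{', body):
            rule = _block_body(body, ing.end() - 1)
            ports = dict(re.findall(r'(from_port|to_port)\s*=\s*(\d+)', rule))
            lo, hi = int(ports["from_port"]), int(ports["to_port"])
            if f'"{WORLD}"' in rule and not set(range(lo, hi + 1)) <= ALLOWED_PUBLIC_PORTS:
                findings.append((sg.group(1), lo, hi))
    return findings
```

Running `world_open_ports(SAMPLE_TF)` flags only the admin group's port 80 rule; the bootstrap group's port 80 rule is restricted to the VPC range and passes.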