Bastion SSH lockdown parameter added (#99)

k8soneill · web-flow · commit 35d91d2b60d8 · 2019-04-23T12:04:37.000+01:00
added bastion sec group parameter
diff --git a/environment_example.yaml b/environment_example.yaml
@@ -32,6 +32,7 @@ parameter_defaults:
   # Security group options
   control_plane_allowed_sources: <allowed cidr for inbound traffic to control plane default: 0.0.0.0/0 (any)>
   data_plane_allowed_sources: <allowed cidr for inbound traffic to data plane default : 0.0.0.0/0 (any)>
+  bastion_allowed_sources: <list of allowed sources for inbound SSH to bastions. Defaults to 0.0.0.0/0>
   # Extra gateway options
   #deploy_extra_gateway: <whether to deploy an extra gateway e.g. VRF default: false>
   #extra_gateway_external_network: <external network extra gateway connects to>
diff --git a/security_groups.yaml b/security_groups.yaml
@@ -31,6 +31,9 @@ parameters:
     type: comma_delimited_list
     description: ip addresses that inbound connectivity can come from
     default: [ "0.0.0.0/0" ]
+  bastion_sources:
+    type: comma_delimited_list
+    description: ip addresses that inbound SSH connectivity can come from
 
 resources:
   external_service_secgroup:
@@ -131,11 +134,15 @@ resources:
     properties:
       name: bastion_external_sg
       rules:
-        - direction: ingress
-          remote_ip_prefix: 0.0.0.0/0
-          protocol: tcp
-          port_range_min: 22
-          port_range_max: 22
+        repeat:
+          for_each:
+            <%sourceip%>: { get_param: bastion_sources }
+          template:
+            direction: ingress
+            remote_ip_prefix: <%sourceip%>
+            protocol: tcp
+            port_range_min: 22
+            port_range_max: 22
 
   bastion_internal_ssh_secgroup:
     type: OS::Neutron::SecurityGroup
diff --git a/top-level-template.yaml b/top-level-template.yaml
@@ -121,6 +121,10 @@ parameters:
     type: comma_delimited_list
     description: ip addresses that inbound connectivity can come from
     default: [ "0.0.0.0/0" ]
+  bastion_allowed_sources:
+    type: comma_delimited_list
+    description: ip addresses that can SSH to bastions
+    default: [ "0.0.0.0/0" ]
   network_config:
     type: json
     description: Network configuration for internal network
@@ -172,6 +176,7 @@ resources:
         data_plane_ports: "80,443"
         control_plane_sources: { get_param: control_plane_allowed_sources }
         data_plane_sources: { get_param: data_plane_allowed_sources }
+        bastion_sources: { get_param: bastion_allowed_sources }
 
   external_services_infra:
     type: OS::Heat::ResourceGroup
