Manually pass allowed IP addresses for WinRM firewall rules

Co-authored-by: Chris Selzo <[email protected]>
Co-authored-by: Nishad Mathur <[email protected]>

Author: 3 people

ci/pipelines/stemcells-windows-2019.yml

@@ -737,12 +737,11 @@ jobs:
       COMMERCIAL_AWS_DEFAULT_REGION: ((AWS_PACKER_REGION))
       COMMERCIAL_AWS_ROLE_ARN: ((aws-stemcells_aws_access_key.role_arn))
       COMMERCIAL_AWS_SECRET_ACCESS_KEY: ((aws-stemcells_aws_access_key.password))
-      CONCOURSE_GCP_CREDENTIALS_JSON: ((gcp_credentials_json))
-      CONCOURSE_GOOGLE_PROJECT_ID: cf-bosh-concourse
       GOVCLOUD_AWS_ACCESS_KEY_ID: ((packer_user_gov_aws_access_key.username))
       GOVCLOUD_AWS_DEFAULT_REGION: ((AWS_GOVCLOUD_PACKER_REGION))
       GOVCLOUD_AWS_SECRET_ACCESS_KEY: ((packer_user_gov_aws_access_key.password))
       WINDOWS_STEMCELLS_GCP_CREDENTIALS_JSON: ((cff-bosh-windows-stemcells_bosh-153_gcp_credentials_json))
+      ALLOWED_IP_ADDRESSES: 35.197.92.68 34.169.1.255 34.82.52.87 34.168.69.249 34.82.182.73
   - put: main-version
     params:
       file: version/number
@@ -1868,6 +1867,7 @@ jobs:
   - put: azure-tested
     params:
       file: bosh-windows-stemcell/light-bosh-stemcell-*-azure-hyperv-((STEMCELL_OS_NAME))-go_agent.tgz
+
 - name: wuts-azure
   serial: true
   plan:
@@ -1927,6 +1927,7 @@ jobs:
       params:
         release: azure-lock
       tags: [broadcom]
+
 - name: create-gcp
   serial: true
   serial_groups: [gcp-version]

ci/tasks/firewall-rules/configure-windows-firewall-rules.sh

@@ -3,27 +3,11 @@ set -eu -o pipefail
 set -x
 
 # We have firewall rules that are necessary when creating Windows stemcells in AWS and GCP.
-# This script gets the IPs of our Concourse workers and ensures that they have access on the
+# This script ensures that the concourse worker egress IPs have access on the
 # WinRM port (5985).
-
-set +x
-echo "${CONCOURSE_GCP_CREDENTIALS_JSON}" | gcloud auth activate-service-account --key-file - --project "${CONCOURSE_GOOGLE_PROJECT_ID}"
-set -x
-concourse_worker_external_ips=$( \
-  gcloud compute instances list \
-  --project "${CONCOURSE_GOOGLE_PROJECT_ID}" \
-  --filter="labels.instance_group:worker AND networkInterfaces.network:bosh-ecosystem-concourse" \
-  --format="value(networkInterfaces[0].accessConfigs[0].natIP)" \
-)
-
-if [ -z "${concourse_worker_external_ips}" ]; then
-  echo "Unable to find Concourse worker IP addresses"
-  exit 1
-fi
-
 # Set firewall rules in the GCP project
 comma_separated_external_ips=""
-for external_ip in $concourse_worker_external_ips; do
+for external_ip in $ALLOWED_IP_ADDRESSES; do
   comma_separated_external_ips="${external_ip}/32,${comma_separated_external_ips}"
 done
 comma_separated_external_ips="${comma_separated_external_ips%,}"
@@ -35,7 +19,7 @@ gcloud compute firewall-rules update default-allow-winrm --project cff-bosh-wind
 
 # Set firewall rules in the AWS project
 aws_ip_ranges=""
-for external_ip in $concourse_worker_external_ips; do
+for external_ip in $ALLOWED_IP_ADDRESSES; do
   aws_ip_ranges="{CidrIp=${external_ip}/32},${aws_ip_ranges}"
 done
 aws_ip_ranges="${aws_ip_ranges%,}"

ci/tasks/firewall-rules/configure-windows-firewall-rules.yml

@@ -12,9 +12,8 @@ params:
   GOVCLOUD_AWS_ACCESS_KEY_ID:
   GOVCLOUD_AWS_DEFAULT_REGION:
   GOVCLOUD_AWS_SECRET_ACCESS_KEY:
-  CONCOURSE_GCP_CREDENTIALS_JSON:
-  CONCOURSE_GOOGLE_PROJECT_ID:
   WINDOWS_STEMCELLS_GCP_CREDENTIALS_JSON:
+  ALLOWED_IP_ADDRESSES:
 
 run:
   path: bosh-windows-stemcell-builder-ci/ci/tasks/firewall-rules/configure-windows-firewall-rules.sh