CI: add conditional for setting GCP firewall rules

aramprice · aramprice · commit 99d8bb2be5ff · 2025-06-30T15:59:22.000-07:00
diff --git a/ci/pipelines/stemcells-windows.yml b/ci/pipelines/stemcells-windows.yml
@@ -737,6 +737,7 @@ jobs:
     file: bosh-windows-stemcell-builder-ci/ci/tasks/firewall-rules/configure-windows-firewall-rules.yml
     image: bosh-windows-stemcell-builder-ci-image
     params:
+      CONFIGURE_GCP: true
       COMMERCIAL_AWS_ACCESS_KEY_ID: ((aws-stemcells_aws_access_key.username))
       COMMERCIAL_AWS_DEFAULT_REGION: ((AWS_PACKER_REGION))
       COMMERCIAL_AWS_ROLE_ARN: ((aws-stemcells_aws_access_key.role_arn))
diff --git a/ci/tasks/firewall-rules/configure-windows-firewall-rules.sh b/ci/tasks/firewall-rules/configure-windows-firewall-rules.sh
@@ -2,20 +2,22 @@
 set -eu -o pipefail
 set -x
 
-# We have firewall rules that are necessary when creating Windows stemcells in AWS and GCP.
+# We have firewall rules that are necessary when creating Windows stemcells in AWS and GCP (if needed).
 # This script ensures that the concourse worker egress IPs have access on the
 # WinRM port (5985).
-# Set firewall rules in the GCP project
-comma_separated_external_ips=""
-for external_ip in $ALLOWED_IP_ADDRESSES; do
-  comma_separated_external_ips="${external_ip}/32,${comma_separated_external_ips}"
-done
-comma_separated_external_ips="${comma_separated_external_ips%,}"
+# Set firewall rules in the GCP project if needed
+if [ -n "${CONFIGURE_GCP}" ]; then
+  comma_separated_external_ips=""
+  for external_ip in $ALLOWED_IP_ADDRESSES; do
+    comma_separated_external_ips="${external_ip}/32,${comma_separated_external_ips}"
+  done
+  comma_separated_external_ips="${comma_separated_external_ips%,}"
 
-set +x
-echo "${WINDOWS_STEMCELLS_GCP_CREDENTIALS_JSON}" | gcloud auth activate-service-account --key-file - --project cff-bosh-windows-stemcells
-set -x
-gcloud compute firewall-rules update default-allow-winrm --project cff-bosh-windows-stemcells --source-ranges="${comma_separated_external_ips}"
+  set +x
+  echo "${WINDOWS_STEMCELLS_GCP_CREDENTIALS_JSON}" | gcloud auth activate-service-account --key-file - --project cff-bosh-windows-stemcells
+  set -x
+  gcloud compute firewall-rules update default-allow-winrm --project cff-bosh-windows-stemcells --source-ranges="${comma_separated_external_ips}"
+fi
 
 # Set firewall rules in the AWS project
 aws_ip_ranges=""
diff --git a/ci/tasks/firewall-rules/configure-windows-firewall-rules.yml b/ci/tasks/firewall-rules/configure-windows-firewall-rules.yml
@@ -5,6 +5,7 @@ inputs:
   - name: bosh-windows-stemcell-builder-ci
 
 params:
+  CONFIGURE_GCP:
   COMMERCIAL_AWS_ACCESS_KEY_ID:
   COMMERCIAL_AWS_DEFAULT_REGION:
   COMMERCIAL_AWS_ROLE_ARN:
