
Commit 57d6963

chore(e2e): Update firewall rules for instances in the windows domain (#6059)
* chore(e2e): Update firewall rules * fix(e2e): Add ipv6_address
1 parent ac9774b commit 57d6963

3 files changed

+49
-11
lines changed

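--- a/enos/modules/aws_rdp_domain_controller/main.tf
+++ b/enos/modules/aws_rdp_domain_controller/main.tf
@@ -280,9 +280,21 @@ resource "aws_instance" "domain_controller" {
 # Force an immediate time synchronization
 w32tm /resync /force
 
-$password = ConvertTo-SecureString ${random_string.DSRMPassword.result} -AsPlainText -Force
+# Open firewall ports for RDP functionality
+New-NetFirewallRule -Name kerberostcp -DisplayName 'Kerberos TCP' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 88
+New-NetFirewallRule -Name kerberosudp -DisplayName 'Kerberos UDP' -Enabled True -Direction Inbound -Protocol UDP -Action Allow -LocalPort 88
+New-NetFirewallRule -Name rpctcp -DisplayName 'RPC TCP' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 135
+New-NetFirewallRule -Name rpcudp -DisplayName 'RPC UDP' -Enabled True -Direction Inbound -Protocol UDP -Action Allow -LocalPort 135
+New-NetFirewallRule -Name ldaptcp -DisplayName 'LDAP TCP' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 389
+New-NetFirewallRule -Name ldapudp -DisplayName 'LDAP UDP' -Enabled True -Direction Inbound -Protocol UDP -Action Allow -LocalPort 389
+New-NetFirewallRule -Name smbtcp -DisplayName 'SMB TCP' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 445
+New-NetFirewallRule -Name rdptcp -DisplayName 'RDP TCP' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 3389
+New-NetFirewallRule -Name rdpudp -DisplayName 'RDP UDP' -Enabled True -Direction Inbound -Protocol UDP -Action Allow -LocalPort 3389
+
+# Add computer to the domain and promote to a domain
+# controller
 Add-WindowsFeature -name ad-domain-services -IncludeManagementTools
-
+$password = ConvertTo-SecureString ${random_string.DSRMPassword.result} -AsPlainText -Force
 # causes the instance to reboot
 Install-ADDSForest -CreateDnsDelegation:$false -DomainMode 7 -DomainName ${var.active_directory_domain} -DomainNetbiosName ${local.domain_sld} -ForestMode 7 -InstallDns:$true -NoRebootOnCompletion:$false -SafeModeAdministratorPassword $password -Force:$true
 </powershell>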
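Review bot: None of the nine New-NetFirewallRule calls added at new lines 284–292 set -RemoteAddress (or -Profile), so each accepts its port from any source on any profile and the AWS security group becomes the only control bounding who can reach Kerberos, RPC, LDAP, SMB and RDP on the domain controller; the identical blocks in aws_rdp_member_server/main.tf and aws_rdp_member_server_with_worker/main.tf have the same gap. Scoping each rule, e.g. appending `-RemoteAddress LocalSubnet` (or a VPC CIDR passed in as a variable), keeps the host firewall meaningful as a second layer if a security group is later loosened. The header comment at new line 283 is also misleading, since 88/135/389/445 are Active Directory ports rather than RDP; `# Open firewall ports for domain services (Kerberos, RPC, LDAP, SMB) and RDP` would describe the block accurately. Install-ADDSForest a few lines down normally installs Windows' predefined AD DS firewall rule group, so these explicit rules may overlap it — if they are meant as a fallback for the e2e environment, a comment saying so would help. The aws_instance resource and its user_data heredoc enclosing this hunk start before it and continue past `</powershell>`.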

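--- a/enos/modules/aws_rdp_member_server/main.tf
+++ b/enos/modules/aws_rdp_member_server/main.tf
@@ -70,13 +70,14 @@ resource "aws_instance" "member_server" {
 # Force an immediate time synchronization
 w32tm /resync /force
 
+# Set up SSH so we can remotely manage the instance
+# Note: Windows Server 2016 does not support OpenSSH
 %{if var.server_version != "2016"~}
 # set variables for retry loops
 $timeout = 300
 $interval = 30
 
-# Set up SSH so we can remotely manage the instance
-## Install OpenSSH Server and Client
+# Install OpenSSH Server and Client
 # Loop to make sure that SSH installs correctly
 $elapsed = 0
 do {
@@ -122,25 +123,36 @@ resource "aws_instance" "member_server" {
 }
 } while ($true)
 
-## Set PowerShell as the default SSH shell
+# Set PowerShell as the default SSH shell
 New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value (Get-Command powershell.exe).Path -PropertyType String -Force
 
-## Configure SSH server to use private key authentication so that scripts don't have to use passwords
-## Save the private key from instance metadata
+# Configure SSH server to use private key authentication so that scripts don't have to use passwords
+# Save the private key from instance metadata
 $ImdsToken = (Invoke-WebRequest -Uri 'http://169.254.169.254/latest/api/token' -Method 'PUT' -Headers @{'X-aws-ec2-metadata-token-ttl-seconds' = 2160} -UseBasicParsing).Content
 $ImdsHeaders = @{'X-aws-ec2-metadata-token' = $ImdsToken}
 $AuthorizedKey = (Invoke-WebRequest -Uri 'http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key' -Headers $ImdsHeaders -UseBasicParsing).Content
 $AuthorizedKeysPath = 'C:\ProgramData\ssh\administrators_authorized_keys'
 New-Item -Path $AuthorizedKeysPath -ItemType File -Value $AuthorizedKey -Force
 
-## Ensure the SSH agent pulls in the new key.
+# Ensure the SSH agent pulls in the new key.
 Set-Service -Name ssh-agent -StartupType "Automatic"
 Restart-Service -Name ssh-agent
 
-## Open the firewall for SSH connections
+# Open the firewall for SSH connections
 New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
 %{endif~}
 
+# Open firewall ports for RDP functionality
+New-NetFirewallRule -Name kerberostcp -DisplayName 'Kerberos TCP' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 88
+New-NetFirewallRule -Name kerberosudp -DisplayName 'Kerberos UDP' -Enabled True -Direction Inbound -Protocol UDP -Action Allow -LocalPort 88
+New-NetFirewallRule -Name rpctcp -DisplayName 'RPC TCP ' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 135
+New-NetFirewallRule -Name rpcudp -DisplayName 'RPC UDP' -Enabled True -Direction Inbound -Protocol UDP -Action Allow -LocalPort 135
+New-NetFirewallRule -Name ldaptcp -DisplayName 'LDAP TCP ' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 389
+New-NetFirewallRule -Name ldapudp -DisplayName 'LDAP UDP' -Enabled True -Direction Inbound -Protocol UDP -Action Allow -LocalPort 389
+New-NetFirewallRule -Name smbtcp -DisplayName 'SMB TCP ' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 445
+New-NetFirewallRule -Name rdptcp -DisplayName 'RDP TCP ' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 3389
+New-NetFirewallRule -Name rdpudp -DisplayName 'RDP UDP' -Enabled True -Direction Inbound -Protocol UDP -Action Allow -LocalPort 3389
+
 # Adds member server to the domain
 [int]$intix = Get-NetAdapter | % { Process { If ( $_.Status -eq "up" ) { $_.ifIndex } }}
 Set-DNSClientServerAddress -interfaceIndex $intix -ServerAddresses ("${var.domain_controller_ip}","127.0.0.1")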
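Review bot: Four of the rules added in the second hunk (new lines 148, 150, 152 and 153) carry a trailing space inside -DisplayName — 'RPC TCP ', 'LDAP TCP ', 'SMB TCP ', 'RDP TCP ' — which the domain controller and worker copies of the same block do not, so the same rule is named differently across hosts and will not match a search or cleanup keyed on the display name; drop the stray space, e.g. `-DisplayName 'RPC TCP'`. Separately, a member server runs neither a KDC nor an LDAP service, so the inbound allows for 88 and 389 at new lines 146, 147, 150 and 151 open ports nothing listens on unless a further role is installed; if they exist only to keep the three modules identical, a comment to that effect would stop a reader from assuming the host serves Kerberos/LDAP. The aws_instance resource and its user_data heredoc start before the first hunk and continue past the second.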

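--- a/enos/modules/aws_rdp_member_server_with_worker/main.tf
+++ b/enos/modules/aws_rdp_member_server_with_worker/main.tf
@@ -75,6 +75,7 @@ resource "aws_instance" "worker" {
 key_name = var.domain_controller_aws_keypair_name
 subnet_id = data.aws_subnets.infra.ids[0]
 iam_instance_profile = var.iam_name
+ipv6_address_count = 1
 
 root_block_device {
 volume_type = "gp2"
@@ -101,7 +102,7 @@ resource "aws_instance" "worker" {
 $interval = 30
 
 # Set up SSH so we can remotely manage the instance
-## Install OpenSSH Server and Client
+# Install OpenSSH Server and Client
 # Loop to make sure that SSH installs correctly
 $elapsed = 0
 do {
@@ -162,11 +163,24 @@ resource "aws_instance" "worker" {
 Set-Service -Name ssh-agent -StartupType "Automatic"
 Restart-Service -Name ssh-agent
 
-## Open the firewall for SSH and boundary connections
+# Open the firewall for SSH
 New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
+
+# Open firewall for boundary connections
 New-NetFirewallRule -Name boundary_in -DisplayName 'Boundary inbound' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 9202
 New-NetFirewallRule -Name boundary_out -DisplayName 'Boundary outbound' -Enabled True -Direction Outbound -Protocol TCP -Action Allow -LocalPort 9202
 
+# Open firewall ports for RDP functionality
+New-NetFirewallRule -Name kerberostcp -DisplayName 'Kerberos TCP' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 88
+New-NetFirewallRule -Name kerberosudp -DisplayName 'Kerberos UDP' -Enabled True -Direction Inbound -Protocol UDP -Action Allow -LocalPort 88
+New-NetFirewallRule -Name rpctcp -DisplayName 'RPC TCP' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 135
+New-NetFirewallRule -Name rpcudp -DisplayName 'RPC UDP' -Enabled True -Direction Inbound -Protocol UDP -Action Allow -LocalPort 135
+New-NetFirewallRule -Name ldaptcp -DisplayName 'LDAP TCP' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 389
+New-NetFirewallRule -Name ldapudp -DisplayName 'LDAP UDP' -Enabled True -Direction Inbound -Protocol UDP -Action Allow -LocalPort 389
+New-NetFirewallRule -Name smbtcp -DisplayName 'SMB TCP' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 445
+New-NetFirewallRule -Name rdptcp -DisplayName 'RDP TCP' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 3389
+New-NetFirewallRule -Name rdpudp -DisplayName 'RDP UDP' -Enabled True -Direction Inbound -Protocol UDP -Action Allow -LocalPort 3389
+
 # Add computer to the domain
 [int]$intix = Get-NetAdapter | % { Process { If ( $_.Status -eq "up" ) { $_.ifIndex } }}
 Set-DNSClientServerAddress -interfaceIndex $intix -ServerAddresses ("${var.domain_controller_ip}","127.0.0.1")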
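Review bot: `ipv6_address_count = 1` at new line 78 hands the worker an AWS-assigned IPv6 address, which is publicly routable, and neither the commit message nor the code says what needs it; a comment beside it such as `# IPv6 needed for: <reason>` (with the actual reason filled in) would let the security-group rules be checked against the intent. This matters for the third hunk: the rules at new lines 174–182 set no -RemoteAddress, so they also match IPv6 sources, and whether internet traffic can reach that address depends on the subnet's route table, which this module does not show. Assigning an IPv6 address also requires the chosen subnet to carry an IPv6 CIDR block, so it is worth confirming that `data.aws_subnets.infra.ids[0]` (line 76) has one, otherwise the apply fails. The aws_instance resource starts before the first hunk and its user_data heredoc continues past the last.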
