pkg/infrastructure/azure: add and remove bootstrap ssh security rule

https://issues.redhat.com/browse/CORS-3302

Author: jhixson74

pkg/infrastructure/azure/azure.go

@@ -45,6 +45,7 @@ type Provider struct {
 	StorageAccount       *armstorage.Account
 	StorageClientFactory *armstorage.ClientFactory
 	StorageAccountKeys   []armstorage.AccountKey
+	NetworkClientFactory *armnetwork.ClientFactory
 	Tags                 map[string]*string
 	lbBackendAddressPool *armnetwork.BackendAddressPool
 }
@@ -53,6 +54,7 @@ var _ clusterapi.PreProvider = (*Provider)(nil)
 var _ clusterapi.InfraReadyProvider = (*Provider)(nil)
 var _ clusterapi.PostProvider = (*Provider)(nil)
 var _ clusterapi.IgnitionProvider = (*Provider)(nil)
+var _ clusterapi.PostDestroyer = (*Provider)(nil)
 
 // Name returns the name of the provider.
 func (p *Provider) Name() string {
@@ -486,6 +488,7 @@ func (p *Provider) InfraReady(ctx context.Context, in clusterapi.InfraReadyInput
 	p.StorageAccount = storageAccount
 	p.StorageClientFactory = storageClientFactory
 	p.StorageAccountKeys = storageAccountKeys
+	p.NetworkClientFactory = networkClientFactory
 	p.lbBackendAddressPool = lbBap
 
 	if err := createDNSEntries(ctx, in, extLBFQDN, resourceGroupName); err != nil {
@@ -544,6 +547,33 @@ func (p *Provider) PostProvision(ctx context.Context, in clusterapi.PostProvisio
 		if err = associateVMToBackendPool(ctx, *vmInput); err != nil {
 			return fmt.Errorf("failed to associate control plane VMs with external load balancer: %w", err)
 		}
+
+		if err = addSecurityGroupRule(ctx, &securityGroupInput{
+			resourceGroupName:    p.ResourceGroupName,
+			securityGroupName:    fmt.Sprintf("%s-nsg", in.InfraID),
+			securityRuleName:     "ssh_in",
+			securityRulePort:     "22",
+			securityGroupsClient: p.NetworkClientFactory.NewSecurityGroupsClient(),
+		}); err != nil {
+			return fmt.Errorf("failed to add security rule: %w", err)
+		}
+	}
+
+	return nil
+}
+
+// PostDestroy removes SSH access from the network security rules after the
+// bootstrap machine is destroyed.
+func (p *Provider) PostDestroy(ctx context.Context, in clusterapi.PostDestroyerInput) error {
+	err := deleteSecurityGroupRule(ctx, &securityGroupInput{
+		resourceGroupName:    p.ResourceGroupName,
+		securityGroupName:    fmt.Sprintf("%s-nsg", in.Metadata.InfraID),
+		securityRuleName:     "ssh_in",
+		securityRulePort:     "22",
+		securityGroupsClient: p.NetworkClientFactory.NewSecurityGroupsClient(),
+	})
+	if err != nil {
+		return fmt.Errorf("failed to delete security rule: %w", err)
 	}
 
 	return nil

pkg/infrastructure/azure/network.go

@@ -8,6 +8,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2"
+	"k8s.io/utils/ptr"
 )
 
 type lbInput struct {
@@ -37,6 +38,14 @@ type vmInput struct {
 	nicClient     *armnetwork.InterfacesClient
 }
 
+type securityGroupInput struct {
+	resourceGroupName    string
+	securityGroupName    string
+	securityRuleName     string
+	securityRulePort     string
+	securityGroupsClient *armnetwork.SecurityGroupsClient
+}
+
 func createPublicIP(ctx context.Context, in *pipInput) (*armnetwork.PublicIPAddress, error) {
 	pollerResp, err := in.pipClient.BeginCreateOrUpdate(
 		ctx,
@@ -266,3 +275,65 @@ func associateVMToBackendPool(ctx context.Context, in vmInput) error {
 	}
 	return nil
 }
+
+func addSecurityGroupRule(ctx context.Context, in *securityGroupInput) error {
+	securityGroupResp, err := in.securityGroupsClient.Get(ctx, in.resourceGroupName, in.securityGroupName, nil)
+	if err != nil {
+		return fmt.Errorf("failed to get security group: %w", err)
+	}
+	securityGroup := securityGroupResp.SecurityGroup
+
+	priority := int32(100)
+	for _, securityRule := range securityGroup.Properties.SecurityRules {
+		if *securityRule.Properties.Priority >= priority {
+			priority = *securityRule.Properties.Priority + 1
+		}
+	}
+	// Assume inbound tcp connections from any port to destination port for now
+	securityGroup.Properties.SecurityRules = append(securityGroup.Properties.SecurityRules,
+		&armnetwork.SecurityRule{
+			Name: ptr.To(in.securityRuleName),
+			Properties: &armnetwork.SecurityRulePropertiesFormat{
+				Access:                   ptr.To(armnetwork.SecurityRuleAccessAllow),
+				Direction:                ptr.To(armnetwork.SecurityRuleDirectionInbound),
+				Protocol:                 ptr.To(armnetwork.SecurityRuleProtocolTCP),
+				DestinationAddressPrefix: ptr.To("*"),
+				DestinationPortRange:     ptr.To(in.securityRulePort),
+				Priority:                 ptr.To[int32](priority),
+				SourceAddressPrefix:      ptr.To("*"),
+				SourcePortRange:          ptr.To("*"),
+			},
+		},
+	)
+
+	_, err = in.securityGroupsClient.BeginCreateOrUpdate(ctx, in.resourceGroupName, in.securityGroupName, securityGroup, nil)
+	if err != nil {
+		return fmt.Errorf("failed to add security rule: %w", err)
+	}
+
+	return nil
+}
+
+func deleteSecurityGroupRule(ctx context.Context, in *securityGroupInput) error {
+	securityGroupResp, err := in.securityGroupsClient.Get(ctx, in.resourceGroupName, in.securityGroupName, nil)
+	if err != nil {
+		return fmt.Errorf("failed to get security group: %w", err)
+	}
+	securityGroup := securityGroupResp.SecurityGroup
+
+	var securityRules []*armnetwork.SecurityRule
+	for _, securityRule := range securityGroup.Properties.SecurityRules {
+		if *securityRule.Name == in.securityRuleName {
+			continue
+		}
+		securityRules = append(securityRules, securityRule)
+	}
+	securityGroup.Properties.SecurityRules = securityRules
+
+	_, err = in.securityGroupsClient.BeginCreateOrUpdate(ctx, in.resourceGroupName, in.securityGroupName, securityGroup, nil)
+	if err != nil {
+		return fmt.Errorf("failed to update security group: %w", err)
+	}
+
+	return nil
+}