
Add network tags to VMs created by Packer for firewalling #263

Merged: 2 commits, Jul 8, 2024

Conversation

nkinkade (Contributor) commented Jul 3, 2024

We lately disabled SSH access to project VMs in most VPCs, notwithstanding the mlab-platform-network. We don't SSH into those nodes, and they don't need to be publicly exposed in that way. However, doing this broke epoxy-images builds for Packer, because, by default, Packer will SSH into the VM that is created using the public address.

This PR causes Packer to add a special network tag to the VMs it creates, and this tag can be used to create a firewall rule that will explicitly allow public SSH access to VMs it creates, while still disallowing public SSH access to all other VMs.


nkinkade added 2 commits July 3, 2024 11:49
We lately disabled SSH access to project VMs in most VPCs, notwithstanding the
mlab-platform-network. We don't SSH into those nodes, and they don't need to be
publicly exposed in that way. However, doing this broke epoxy-images builds for
Packer, because, by default, Packer will SSH into the VM that is created using
the public address. This commit modifies Packer to omit giving the VM a public
address, and to use the private internal address when SSHing into the VM to
provision the image. This should work fine for us, since Packer is running in
Cloud Build on the same VPC as the VM that is created.

Removes the use_internal_ip and omit_public_ip options, since I did not
realize before that Cloud Build instances run in a Google-managed pool of
machines outside of project VPCs, so SSHing to the private IP of a VM created
by Packer will not work.

Instead, this new commit adds a network tag to the VM, which should allow me to
create a targeted firewall rule explicitly allowing SSH access to VMs created
by Packer.
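The tag-plus-firewall-rule arrangement described in the PR text and the second commit message, shown as an added example. This is not the epoxy-images project's own template: it assumes Packer's HCL format and the googlecompute plugin, and the tag name `packer-ssh`, the project, zone, image and username values are placeholders.

```hcl
# Added example, not the epoxy-images project's own template. Assumes the
# googlecompute plugin; "packer-ssh", project_id, zone, image names and
# ssh_username are placeholders.
packer {
  required_plugins {
    googlecompute = {
      source  = "github.com/hashicorp/googlecompute"
      version = ">= 1.0.0"
    }
  }
}

variable "ssh_tag" {
  type    = string
  default = "packer-ssh" # hypothetical tag; must match the firewall rule's --target-tags
}

source "googlecompute" "builder" {
  project_id          = "example-project"            # placeholder
  zone                = "us-central1-a"              # placeholder
  source_image_family = "debian-12"                  # placeholder
  image_name          = "example-image-{{timestamp}}"
  ssh_username        = "packer"                     # placeholder

  # The build VM keeps its external address (omit_external_ip defaults to
  # false) and Packer connects over the public internet, because the default
  # Cloud Build worker pool runs outside the project VPC and cannot reach the
  # VM's internal IP. Only instances carrying this tag match the SSH firewall
  # rule, so every other VM in the VPC stays closed to public SSH.
  tags = [var.ssh_tag]
}

build {
  sources = ["source.googlecompute.builder"]

  provisioner "shell" {
    inline = ["echo provisioning"]
  }
}
```

The companion rule is created out of band (placeholder names): `gcloud compute firewall-rules create allow-packer-ssh --network=default --direction=INGRESS --action=ALLOW --rules=tcp:22 --target-tags=packer-ssh --source-ranges=0.0.0.0/0`. Because the default Cloud Build pool has no fixed egress address, the source range cannot be narrowed much; the target tag is what limits the exposure to the build VM, which exists only for the duration of the build and, by default, accepts only the temporary key pair Packer generates for it. Anyone able to set network tags on other instances can also attach `packer-ssh` to them, so the instance-level `compute.instances.setTags` permission deserves the same scrutiny as the rule itself. A Cloud Build private pool peered to the VPC would let the internal-IP approach from the first commit work instead, with no public SSH at all.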
@nkinkade nkinkade requested a review from stephen-soltesz July 3, 2024 18:25
stephen-soltesz (Contributor) left a comment


Reviewed 1 of 1 files at r1.
Reviewable status: :shipit: complete! 1 of 1 approvals obtained

@nkinkade nkinkade merged commit 22a638d into main Jul 8, 2024
5 checks passed
@nkinkade nkinkade deleted the sandbox-kinkade branch July 8, 2024 16:49