Write allow ips into self-update pipeline

The `allow-ips` flag has to be provided on every deploy otherwise it gets reset to the default of allow all. To get around this in the self-update pipeline we now write allow-ips into the pipeline yaml.
EngineerBetter · Oct 9, 2020 · 057ce69 · 057ce69
1 parent 651a153
commit 057ce69
Show file tree

Hide file tree

Showing 13 changed files with 35 additions and 10 deletions.
diff --git a/commands/deploy.go b/commands/deploy.go
@@ -121,7 +121,7 @@ var deployFlags = []cli.Flag{
 	},
 	cli.StringFlag{
 		Name:        "allow-ips",
-		Usage:       "(optional) Comma separated list of IP addresses or CIDR ranges to allow access to",
+		Usage:       "(optional) Comma separated list of IP addresses or CIDR ranges to allow access to. Not applied to future manual deploys unless this flag is provided again",
 		EnvVar:      "ALLOW_IPS",
 		Value:       "0.0.0.0/0",
 		Destination: &initialDeployArgs.AllowIPs,

diff --git a/concourse/client_aws_test.go b/concourse/client_aws_test.go
@@ -240,6 +240,7 @@ sWbB3FCIsym1FXB+eRnVF3Y15RwBWWKA5RfwUNpEXFxtv24tQ8jrdA==
 		//Mutations we expect to have been done after load
 		configAfterLoad = configInBucket
 		configAfterLoad.AllowIPs = "\"0.0.0.0/0\""
+		configAfterLoad.AllowIPsUnformatted = "0.0.0.0/0"
 		configAfterLoad.SourceAccessIP = "192.0.2.0"
 		configAfterLoad.NetworkCIDR = "10.0.0.0/16"
 		configAfterLoad.PublicCIDR = "10.0.0.0/24"

diff --git a/concourse/client_deploy_test.go b/concourse/client_deploy_test.go
@@ -298,6 +298,7 @@ sWbB3FCIsym1FXB+eRnVF3Y15RwBWWKA5RfwUNpEXFxtv24tQ8jrdA==
 					//Mutations we expect to have been done after load
 					configAfterLoad = configInBucket
 					configAfterLoad.AllowIPs = "\"0.0.0.0/0\""
+					configAfterLoad.AllowIPsUnformatted = "0.0.0.0/0"
 					configAfterLoad.SourceAccessIP = "192.0.2.0"
 					configAfterLoad.NetworkCIDR = "10.0.0.0/16"
 					configAfterLoad.PublicCIDR = "10.0.0.0/24"
@@ -504,6 +505,7 @@ wEW5QkylaPEkbVDhJWeR1I8=
 
 					configAfterLoad = configInBucket
 					configAfterLoad.AllowIPs = "\"88.98.225.40/32\""
+					configAfterLoad.AllowIPsUnformatted = "88.98.225.40"
 					configAfterLoad.ConcourseWebSize = args.WebSize
 					configAfterLoad.ConcourseWorkerCount = args.WorkerCount
 					configAfterLoad.ConcourseWorkerSize = args.WorkerSize
@@ -606,6 +608,7 @@ wEW5QkylaPEkbVDhJWeR1I8=
 				// Config generated by default for a new deployment
 				defaultGeneratedConfig = config.Config{
 					AllowIPs:                 "\"0.0.0.0/0\"",
+					AllowIPsUnformatted:      "0.0.0.0/0",
 					AvailabilityZone:         "eu-west-1a",
 					ConcoursePassword:        "",
 					ConcourseUsername:        "",
@@ -644,6 +647,7 @@ wEW5QkylaPEkbVDhJWeR1I8=
 				//Mutations we expect to have been done after load
 				configAfterLoad = defaultGeneratedConfig
 				configAfterLoad.AllowIPs = "\"0.0.0.0/0\""
+				configAfterLoad.AllowIPsUnformatted = "0.0.0.0/0"
 				configAfterLoad.SourceAccessIP = "192.0.2.0"
 
 				//Mutations we expect to have been done after deploying the director

diff --git a/concourse/client_gcp_test.go b/concourse/client_gcp_test.go
@@ -267,6 +267,7 @@ sWbB3FCIsym1FXB+eRnVF3Y15RwBWWKA5RfwUNpEXFxtv24tQ8jrdA==
 		//Mutations we expect to have been done after load
 		configAfterLoad = configInBucket
 		configAfterLoad.AllowIPs = "\"0.0.0.0/0\""
+		configAfterLoad.AllowIPsUnformatted = "0.0.0.0/0"
 		configAfterLoad.SourceAccessIP = "192.0.2.0"
 		configAfterLoad.PublicCIDR = "10.0.0.0/24"
 		configAfterLoad.PrivateCIDR = "10.0.1.0/24"

diff --git a/concourse/config.go b/concourse/config.go
@@ -132,6 +132,7 @@ func applyArgumentsToConfig(conf config.Config, deployArgs *deploy.Args, provide
 	}
 
 	conf.AllowIPs = allowedIPs
+	conf.AllowIPsUnformatted = deployArgs.AllowIPs
 
 	if deployArgs.ZoneIsSet {
 		conf.AvailabilityZone = deployArgs.Zone

diff --git a/config/config.go b/config/config.go
@@ -14,6 +14,7 @@ func ConvertSpotBoolToVMProvisioningType(spot bool) string {
 // Config represents a control-tower configuration file
 type Config struct {
 	AllowIPs                 string `json:"allow_ips"`
+	AllowIPsUnformatted      string `json:"allow_ips_unformatted"`
 	AvailabilityZone         string `json:"availability_zone"`
 	ConcourseCACert          string `json:"concourse_ca_cert"`
 	ConcourseCert            string `json:"concourse_cert"`
@@ -75,6 +76,7 @@ type Config struct {
 
 type ConfigView interface {
 	GetAllowIPs() string
+	GetAllowIPsUnformatted() string
 	GetAvailabilityZone() string
 	GetConcourseCACert() string
 	GetConcourseCert() string
@@ -137,6 +139,10 @@ func (c Config) GetAllowIPs() string {
 	return c.AllowIPs
 }
 
+func (c Config) GetAllowIPsUnformatted() string {
+	return c.AllowIPsUnformatted
+}
+
 func (c Config) GetAvailabilityZone() string {
 	return c.AvailabilityZone
 }

diff --git a/docs/deploy.md b/docs/deploy.md
@@ -100,10 +100,12 @@ control-tower deploy \
 
 |**Flag**|**Description**|**Environment Variable**|
 |:-|:-|:-|
-|`--allow-ips value`|Comma separated list of IP addresses or CIDR ranges to allow access to<br>(default: "0.0.0.0/0")|`ALLOW_IPS`|
+|`--allow-ips value`|Comma separated list of IP addresses or CIDR ranges to allow access to. Not applied to future manual deploys unless this flag is provided again<br>(default: "0.0.0.0/0")|`ALLOW_IPS`|
 
 > `allow-ips` governs what can access Concourse but not what can access the control plane (i.e. the BOSH director). The control plane will be restricted to the IP `control-tower deploy` was run from.
 
+> This flag overwrites the allowed IPs on every deploy. This means deploying with `allow-ips` then deploying again without it will reset the allow list to `0.0.0.0/0`. The self-update pipeline will maintain the `allow-ips` of the most recent deploy.
+
 ## GitHub Auth
 
 |**Flag**|**Description**|**Environment Variable**|

diff --git a/fly/aws_pipeline.go b/fly/aws_pipeline.go
@@ -36,7 +36,7 @@ var getCredsFromSession = func() (string, string, error) {
 }
 
 //BuildPipelineParams builds params for AWS control-tower self update pipeline
-func (a AWSPipeline) BuildPipelineParams(deployment, namespace, region, domain, iaas string) (Pipeline, error) {
+func (a AWSPipeline) BuildPipelineParams(deployment, namespace, region, domain, allowIps, iaas string) (Pipeline, error) {
 	accessKeyID, secretAccessKey, err := a.credsGetter()
 	if err != nil {
 		return nil, err
@@ -47,6 +47,7 @@ func (a AWSPipeline) BuildPipelineParams(deployment, namespace, region, domain,
 			ControlTowerVersion: ControlTowerVersion,
 			Deployment:          strings.TrimPrefix(deployment, "control-tower-"),
 			Domain:              domain,
+			AllowIPs:            allowIps,
 			Namespace:           namespace,
 			Region:              region,
 			IaaS:                iaas,
@@ -79,6 +80,7 @@ jobs:
       DEPLOYMENT: "{{ .Deployment }}"
       IAAS: "{{ .IaaS }}"
       NAMESPACE: "{{ .Namespace }}"
+      ALLOW_IPS: "{{ .AllowIPs }}"
       SELF_UPDATE: true
     config:
       platform: linux
@@ -114,6 +116,7 @@ jobs:
       DEPLOYMENT: "{{ .Deployment }}"
       IAAS: "{{ .IaaS }}"
       NAMESPACE: "{{ .Namespace }}"
+      ALLOW_IPS: "{{ .AllowIPs }}"
       SELF_UPDATE: true
     config:
       platform: linux

diff --git a/fly/aws_pipeline_test.go b/fly/aws_pipeline_test.go
@@ -39,6 +39,7 @@ jobs:
       DEPLOYMENT: "my-deployment"
       IAAS: "AWS"
       NAMESPACE: "prod"
+      ALLOW_IPS: "10.0.0.0"
       SELF_UPDATE: true
     config:
       platform: linux
@@ -74,6 +75,7 @@ jobs:
       DEPLOYMENT: "my-deployment"
       IAAS: "AWS"
       NAMESPACE: "prod"
+      ALLOW_IPS: "10.0.0.0"
       SELF_UPDATE: true
     config:
       platform: linux
@@ -108,13 +110,13 @@ jobs:
 `
 
 		It("Generates something sensible", func() {
-			fakeCredsGetter := func()(string, string, error) {
+			fakeCredsGetter := func() (string, string, error) {
 				return "access-key", "secret-key", nil
 			}
 
 			pipeline := NewAWSPipeline(fakeCredsGetter)
 
-			params, err := pipeline.BuildPipelineParams("my-deployment", "prod", "eu-west-1", "ci.engineerbetter.com", "AWS")
+			params, err := pipeline.BuildPipelineParams("my-deployment", "prod", "eu-west-1", "ci.engineerbetter.com", "10.0.0.0", "AWS")
 			Expect(err).ToNot(HaveOccurred())
 
 			yamlBytes, err := util.RenderTemplate("self-update pipeline", pipeline.GetConfigTemplate(), params)
@@ -125,4 +127,3 @@ jobs:
 		})
 	})
 })
-
diff --git a/fly/fly.go b/fly/fly.go
@@ -210,7 +210,7 @@ func (client *Client) writePipelineConfig(pipelinePath string, config config.Con
 	}
 	defer fileHandler.Close()
 
-	params, err := client.pipeline.BuildPipelineParams(config.GetDeployment(), config.GetNamespace(), config.GetRegion(), config.GetDomain(), config.GetIAAS())
+	params, err := client.pipeline.BuildPipelineParams(config.GetDeployment(), config.GetNamespace(), config.GetRegion(), config.GetDomain(), config.GetAllowIPsUnformatted(), config.GetIAAS())
 	if err != nil {
 		return err
 	}

diff --git a/fly/gcp_pipeline.go b/fly/gcp_pipeline.go
@@ -23,11 +23,12 @@ func NewGCPPipeline(credsPath string) (Pipeline, error) {
 }
 
 //BuildPipelineParams builds params for AWS control-tower self update pipeline
-func (a GCPPipeline) BuildPipelineParams(deployment, namespace, region, domain, iaas string) (Pipeline, error) {
+func (a GCPPipeline) BuildPipelineParams(deployment, namespace, region, domain, allowIps, iaas string) (Pipeline, error) {
 	return GCPPipeline{
 		PipelineTemplateParams: PipelineTemplateParams{
 			ControlTowerVersion: ControlTowerVersion,
 			Deployment:          strings.TrimPrefix(deployment, "control-tower-"),
+			AllowIPs:            allowIps,
 			Domain:              domain,
 			Namespace:           namespace,
 			Region:              region,
@@ -67,6 +68,7 @@ jobs:
       GCPCreds: '{{ .GCPCreds }}'
       IAAS: "{{ .IaaS }}"
       NAMESPACE: "{{ .Namespace }}"
+      ALLOW_IPS: "{{ .AllowIPs }}"
       SELF_UPDATE: true
     config:
       platform: linux
@@ -102,6 +104,7 @@ jobs:
       GCPCreds: '{{ .GCPCreds }}'
       IAAS: "{{ .IaaS }}"
       NAMESPACE: "{{ .Namespace }}"
+      ALLOW_IPS: "{{ .AllowIPs }}"
       SELF_UPDATE: true
     config:
       platform: linux

diff --git a/fly/gcp_pipeline_test.go b/fly/gcp_pipeline_test.go
@@ -41,6 +41,7 @@ jobs:
       GCPCreds: 'creds-content'
       IAAS: "GCP"
       NAMESPACE: "prod"
+      ALLOW_IPS: "10.0.0.0"
       SELF_UPDATE: true
     config:
       platform: linux
@@ -76,6 +77,7 @@ jobs:
       GCPCreds: 'creds-content'
       IAAS: "GCP"
       NAMESPACE: "prod"
+      ALLOW_IPS: "10.0.0.0"
       SELF_UPDATE: true
     config:
       platform: linux
@@ -123,7 +125,7 @@ jobs:
 			pipeline, err := NewGCPPipeline(tempFile.Name())
 			Expect(err).ToNot(HaveOccurred())
 
-			params, err := pipeline.BuildPipelineParams("my-deployment", "prod", "europe-west1", "ci.engineerbetter.com", "GCP")
+			params, err := pipeline.BuildPipelineParams("my-deployment", "prod", "europe-west1", "ci.engineerbetter.com", "10.0.0.0", "GCP")
 			Expect(err).ToNot(HaveOccurred())
 
 			yamlBytes, err := util.RenderTemplate("self-update pipeline", pipeline.GetConfigTemplate(), params)

diff --git a/fly/pipeline.go b/fly/pipeline.go
@@ -2,14 +2,15 @@ package fly
 
 // Pipeline is interface for self update pipeline
 type Pipeline interface {
-	BuildPipelineParams(deployment, namespace, region, domain, iaas string) (Pipeline, error)
+	BuildPipelineParams(deployment, namespace, region, domain, allowIps, iaas string) (Pipeline, error)
 	GetConfigTemplate() string
 }
 
 type PipelineTemplateParams struct {
 	ControlTowerVersion string
 	Deployment          string
 	Domain              string
+	AllowIPs            string
 	Namespace           string
 	Region              string
 	IaaS                string