Bootstrap: require user to pass Bastion remote access CIDRs (#22)

Author: tjohnes

README.md

@@ -61,12 +61,13 @@ required:
         created the repository and upload the image.
      3. Example: `./publish-ecr xrd-vrouter-container-x86.7.9.1.tgz`
   2. Run the `aws-quickstart` script.
-     1. This has two mandatory arguments, the username and password to be
-        used for the XRd root user.
+     1. This has three mandatory arguments: the username and password to be
+        used for the XRd root user, and a comma-separated list of IPv4 CIDR
+        blocks to allow SSH access to the Bastion instance.
      2. This will first build an AMI using the
         [XRd Packer](https://github.com/ios-xr/xrd-packer) templates if one
         is not detected.
-     3. Example: `./aws-quickstart -u user -p password`
+     3. Example: `./aws-quickstart -u user -p password -b 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16`
 
 This will bring up an EKS cluster called 'xrd-cluster', some worker nodes,
 and a dummy topology with a pair of back-to-back XRd instances running an
@@ -140,6 +141,13 @@ terraform -chdir=examples/bootstrap init
 terraform -chdir=examples/bootstrap apply
 ```
 
+This accepts a number of input variables described in
+[`variables.tf`](/examples/bootstrap/variables.tf).  In particular, the
+`bastion_remote_access_cidr_blocks` variable is required, which is a list of
+IPv4 CIDR blocks to allow SSH access to the Bastion instance.  Pass `null` to
+prevent access to the Bastion instance, or `["0.0.0.0/0"]` to allow SSH access
+from any IPv4 address.
+
 Terraform will show you a changeset and ask you to confirm that it should
 proceed.  It takes around 15 minutes to bring up the configuration.
 
@@ -194,7 +202,7 @@ When you've finished with the topology, it can be torn down with:
 ```
 terraform -chdir=examples/overlay/workload destroy -var-file=$PWD/vars.tfvars
 terraform -chdir=examples/overlay/infra destroy
-terraform -chdir=examples/bootstrap destroy
+terraform -chdir=examples/bootstrap destroy -var=bastion_remote_access_cidr_blocks=null
 ```
 
 N.B. It is recommended to pass the same configuration to `terraform destroy`

aws-quickstart

@@ -8,7 +8,7 @@ set -o pipefail
 usage()  {
     >&2 cat << EOF
 USAGE:
-    aws-quickstart [OPTIONS] -u XR_USERNAME -p XR_PASSWORD
+    aws-quickstart [OPTIONS] -u XR_USERNAME -p XR_PASSWORD -b BASTION_REMOTE_ACCESS_CIDR_BLOCKS
 
 EOF
 }
@@ -27,6 +27,9 @@ ARGS:
     -p, --password
            XR password.
 
+    -b, --bastion-remote-access-cidr-blocks
+           IPv4 CIDR blocks to allow SSH access to the Bastion instance.
+
 OPTIONS:
     -a, --ami
             AMI ID of an image used to launch the EKS worker nodes (default: use
@@ -48,6 +51,7 @@ DESTROY=""
 KUBERNETES_VERSION="1.30"
 XR_USERNAME=""
 XR_PASSWORD=""
+BASTION_REMOTE_ACCESS_CIDR_BLOCKS=""
 
 # Parse the arguments
 while [ $# -gt 0 ]; do
@@ -60,6 +64,10 @@ while [ $# -gt 0 ]; do
       XR_PASSWORD="$2"
       shift
       ;;
+    -b|--bastion-remote-access-cidr-blocks )
+      BASTION_REMOTE_ACCESS_CIDR_BLOCKS="$2"
+      shift
+      ;;
     -a|--ami )
       AMI_ID="$2"
       shift
@@ -88,6 +96,10 @@ if [ -z "${XR_PASSWORD:-}" ] && [ -z "$DESTROY" ]; then
   >&2 echo "error: XR password (-p|--password) must be specified"
   ERROR=1
 fi
+if [ -z "${BASTION_REMOTE_ACCESS_CIDR_BLOCKS:-}" ] && [ -z "$DESTROY" ]; then
+  >&2 echo "error: Bastion remote access CIDR blocks (-b|--bastion-remote-access-cidr-blocks) must be specified"
+  ERROR=1
+fi
 
 if [ "${KUBERNETES_VERSION}" != "1.23" ] &&
    [ "${KUBERNETES_VERSION}" != "1.24" ] &&
@@ -144,9 +156,28 @@ terraform_apply () {
 
   trap terraform_destroy ERR EXIT
 
+  if [ "$BASTION_REMOTE_ACCESS_CIDR_BLOCKS" != "null" ]; then
+    # This script takes a comma-separated list as input, but Terraform wants
+    # this as a list of strings in HCL format.
+    #
+    # For example, we must convert:
+    #   10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+    # to:
+    #   ["10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"]
+    #
+    # Do this in two steps:
+    #   Replace any ',' with '","'.
+    #   Prepend '["', and append '"]'.
+    bastion_var_value="${BASTION_REMOTE_ACCESS_CIDR_BLOCKS//,/\",\"}"
+    bastion_var_value="[\"${bastion_var_value}\"]"
+  else
+    bastion_var_value="null"
+  fi
+
   terraform -chdir="$SCRIPT_DIR"/examples/bootstrap apply \
       -auto-approve \
-      -var "cluster_version=$KUBERNETES_VERSION"
+      -var "cluster_version=$KUBERNETES_VERSION" \
+      -var "bastion_remote_access_cidr_blocks=$bastion_var_value"
   terraform -chdir="$SCRIPT_DIR"/examples/overlay/infra apply \
       -auto-approve \
       ${AMI_ID:+"-var node_ami=$AMI_ID"}
@@ -166,7 +197,8 @@ terraform_destroy () {
   terraform -chdir="$SCRIPT_DIR"/examples/overlay/infra destroy \
       -auto-approve
   terraform -chdir="$SCRIPT_DIR"/examples/bootstrap destroy \
-      -auto-approve
+      -auto-approve \
+      -var "bastion_remote_access_cidr_blocks=null"
 }
 
 if [ -z "$DESTROY" ]; then

examples/bootstrap/README.md

@@ -41,6 +41,7 @@ terraform destroy
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_azs"></a> [azs](#input\_azs) | List of exactly two availability zones in the currently configured AWS region.<br>A private subnet and a public subnet is created in each of these availability zones.<br>Each cluster node is launched in one of the private subnets.<br>If null, then the first two availability zones in the currently configured AWS region is used. | `list(string)` | `null` | no |
+| <a name="input_bastion_remote_access_cidr_blocks"></a> [bastion\_remote\_access\_cidr\_blocks](#input\_bastion\_remote\_access\_cidr\_blocks) | Allowed CIDR blocks for external SSH access to the Bastion instance.<br>This must be a list of strings.<br>If null, then access to the Bastion instance is prevented. | `list(string)` | n/a | yes |
 | <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | Cluster version | `string` | `"1.30"` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Used as a prefix for the 'Name' tag for each created resource.<br>If null, then a random name 'xrd-terraform-[0-9a-z]{8}' is used. | `string` | `null` | no |
 

examples/bootstrap/main.tf

@@ -10,7 +10,8 @@ provider "aws" {
 module "bootstrap" {
   source = "../../modules/aws/bootstrap"
 
-  azs             = coalesce(var.azs, slice(data.aws_availability_zones.available.names, 0, 2))
-  cluster_version = var.cluster_version
-  name_prefix     = var.name_prefix
+  azs                               = coalesce(var.azs, slice(data.aws_availability_zones.available.names, 0, 2))
+  bastion_remote_access_cidr_blocks = var.bastion_remote_access_cidr_blocks
+  cluster_version                   = var.cluster_version
+  name_prefix                       = var.name_prefix
 }

examples/bootstrap/variables.tf

@@ -23,6 +23,15 @@ variable "azs" {
   }
 }
 
+variable "bastion_remote_access_cidr_blocks" {
+  description = <<-EOT
+  Allowed CIDR blocks for external SSH access to the Bastion instance.
+  This must be a list of strings.
+  If null, then access to the Bastion instance is prevented.
+  EOT
+  type        = list(string)
+}
+
 variable "cluster_version" {
   description = "Cluster version"
   type        = string

modules/aws/bastion/variables.tf

@@ -29,7 +29,7 @@ variable "name" {
 variable "remote_access_cidr" {
   description = "Allowed CIDR blocks for external SSH access to the Bastion instance"
   type        = list(string)
-  default     = ["0.0.0.0/0"]
+  default     = []
   nullable    = false
 }
 

modules/aws/bootstrap/variables.tf

@@ -9,9 +9,11 @@ variable "azs" {
 }
 
 variable "bastion_remote_access_cidr_blocks" {
-  description = "Allowed CIDR blocks for external SSH access to the Bastion instance"
+  description = <<-EOT
+  Allowed CIDR blocks for external SSH access to the Bastion instance.
+  If null, then access to the Bastion instance is prevented.
+  EOT
   type        = list(string)
-  default     = null
 }
 
 variable "cluster_version" {