Packer: Create temporary security group with source IP restriction

Created on 29 Jun 2015  ·  3 Comments  ·  Source: hashicorp/packer

Hi, I was wondering whether it would be possible to add the source IP of the instance running Packer (whether local or Atlas), to the temporary security group that is created to provide SSH access, when running the amazon-* builders (and I guess others as well).

I realize there is only a very small exposure window to the instance while it is being built (and that exposure is only to SSH in most scenarios). But I think limiting by source IP would provide some additional protection. Possibly there is a reason why this wouldn't be feasible though?

All 3 comments

@mvermaes Unfortunately there are a lot of variables here that make determining your IP address infeasible. For instance, you might be using a VPN tunnel or bastion host, where your IP would look like a server. You might be assigned a private IP inside your VPC. You might have a public IP address, or could be going through a proxy. Packer doesn't know about any of this so it can't determine which IP address Amazon will see.

However, if you have specific configuration or security requirements you can define all of this yourself by specifying the security groups packer should use.

Hi Chris, thanks - yes, I thought there might be some reasons it wouldn't be possible to enable this by default. It would be convenient as an option though.

I was looking at that link you sent, which would enable us to do what you mentioned if we are the ones running Packer (which we have been up until now). But in order to make use of the remote building service provided by Atlas, I think we would need the possible IPs that the Atlas builders use.

Do the Atlas builders have a specific IP range that they use? If not, does an Atlas builder maintain the same public IP for the duration of the build? If it does, I guess it would be possible to dynamically create the security group during the build based on the current IP.

Thanks again for your help Chris.
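The two points raised above, the maintainer's "specify the security groups packer should use" and the question of deriving a rule from the builder's current IP, can be combined in a small helper. The following is an added example written for this thread, not code from Packer or from either participant. It assumes the `amazon-ebs` builder accepts a `security_group_ids` list (it does in Packer releases that support the option), that the caller has already created the security group and knows its id, and that the observed source address is passed in by the caller; the sample address, the `sg-…` id and the AMI id are constructed placeholders. The helper refuses to derive a rule from a non-public address, which is exactly the VPN/NAT/proxy/bastion case the maintainer describes, and only falls back to a VPC CIDR when the caller states the builder runs inside that VPC.

```python
import ipaddress
import json

# Address ranges that can never be the source EC2 sees from the public side.
# An observed address in one of these means the build host is behind NAT, a
# VPN, a proxy or a bastion, and the real source address is unknown.
NON_PUBLIC_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


def source_cidr(observed_ip, vpc_cidr=None):
    """Return the CIDR to allow for SSH, given the address the build host observes.

    Public address: a host-only /32 (IPv4) or /128 (IPv6).
    Private address inside a caller-supplied VPC CIDR: the VPC CIDR itself
    (the builder runs inside that VPC, so that is the source EC2 will see).
    Any other non-public address: refuse rather than guess and open 0.0.0.0/0.
    """
    ip = ipaddress.ip_address(observed_ip)
    if any(ip in net for net in NON_PUBLIC_RANGES):
        if vpc_cidr is not None:
            vpc = ipaddress.ip_network(vpc_cidr, strict=True)
            if ip in vpc:
                return str(vpc)
        raise ValueError(
            f"{ip} is not publicly routable; the address EC2 sees cannot be "
            "derived from it (VPN, NAT, proxy or bastion in the path)"
        )
    return f"{ip}/{ip.max_prefixlen}"


def ssh_ingress_permission(cidr, port=22):
    """Build one IpPermissions entry in the shape the EC2 API takes for
    authorize-security-group-ingress (boto3 and the AWS CLI use this shape)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        ranges = {"IpRanges": [{"CidrIp": str(net), "Description": "packer build host"}]}
    else:
        ranges = {"Ipv6Ranges": [{"CidrIpv6": str(net), "Description": "packer build host"}]}
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, **ranges}


def packer_builder(sg_id, region="us-east-1", source_ami="ami-PLACEHOLDER"):
    """amazon-ebs builder entry that uses a caller-managed security group instead
    of letting Packer create a temporary group open to 0.0.0.0/0.
    source_ami defaults to an obvious placeholder; supply a real AMI id."""
    return {
        "type": "amazon-ebs",
        "region": region,
        "source_ami": source_ami,
        "instance_type": "t2.micro",
        "ssh_username": "ec2-user",
        "ami_name": "packer-restricted-ssh {{timestamp}}",
        "security_group_ids": [sg_id],
    }


if __name__ == "__main__":
    OBSERVED = "203.0.113.45"        # constructed sample address (documentation range)
    SG_ID = "sg-0123456789abcdef0"   # constructed placeholder; create the group first
    cidr = source_cidr(OBSERVED)
    print(json.dumps(ssh_ingress_permission(cidr), indent=2))
    print(json.dumps({"builders": [packer_builder(SG_ID)]}, indent=2))
```

The ingress entry is what you would pass to `aws ec2 authorize-security-group-ingress --ip-permissions` (or boto3's `authorize_security_group_ingress`) against a group you created before the build, and the builder entry goes into the Packer template so Packer never creates its own wide-open temporary group. Later Packer releases also added a `temporary_security_group_source_cidrs` option on the amazon builders that narrows the temporary group directly; check the amazon-ebs documentation for your version before relying on it.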

@mvermaes For help with the Atlas use-case, please get in touch via [email protected]. We'll be able to exchange additional information via email. Please include a link to this issue so we know it's you. Thanks!