diff --git a/.evergreen/auth_oidc/azure/run-driver-test.sh b/.evergreen/auth_oidc/azure/run-driver-test.sh
index 7bdeebbd..6260f7eb 100755
--- a/.evergreen/auth_oidc/azure/run-driver-test.sh
+++ b/.evergreen/auth_oidc/azure/run-driver-test.sh
@@ -24,6 +24,9 @@ export AZUREKMS_RESOURCEGROUP=$AZUREOIDC_RESOURCEGROUP
 export AZUREKMS_VMNAME=$AZUREOIDC_VMNAME
 export AZUREKMS_PRIVATEKEYPATH=$SCRIPT_DIR/keyfile
+# Permit SSH access from current IP.
+"$DRIVERS_TOOLS"/.evergreen/csfle/azurekms/set-ssh-ip.sh
+
 # Set up the remote driver checkout.
 DRIVER_TARFILE_BASE=$(basename ${AZUREOIDC_DRIVERS_TAR_FILE})
 # shellcheck disable=SC2088
diff --git a/.evergreen/csfle/azurekms/copy-file.sh b/.evergreen/csfle/azurekms/copy-file.sh
index 893c218b..05ec0b42 100755
--- a/.evergreen/csfle/azurekms/copy-file.sh
+++ b/.evergreen/csfle/azurekms/copy-file.sh
@@ -18,6 +18,10 @@ if [ -z "${AZUREKMS_RESOURCEGROUP:-}" ] || \
 exit 1
 fi
+# Permit SSH access from current IP.
+SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}")
+"$SCRIPT_DIR"/set-ssh-ip.sh
+
 echo "Copying file $AZUREKMS_SRC to Virtual Machine $AZUREKMS_DST ... begin"
 IP=$(az vm show --show-details --resource-group "$AZUREKMS_RESOURCEGROUP" --name "$AZUREKMS_VMNAME" --query publicIps -o tsv)
 # Use -o StrictHostKeyChecking=no to skip the prompt for known hosts.
diff --git a/.evergreen/csfle/azurekms/create-vm.sh b/.evergreen/csfle/azurekms/create-vm.sh
index 228bcd91..e7739327 100755
--- a/.evergreen/csfle/azurekms/create-vm.sh
+++ b/.evergreen/csfle/azurekms/create-vm.sh
@@ -23,6 +23,7 @@ echo "Creating a Virtual Machine ($AZUREKMS_VMNAME) ... begin"
 # Use --nic-delete-option 'Delete' to delete the NIC.
 # Specify a name for the public IP to delete later.
 # Specify a name for the Network Security Group (NSG) to delete later.
+# Use --nsg-rule=NONE to remove default open SSH and RDP ports.
 # Pipe to /dev/null to hide the output. The output includes tenantId.
 az vm create \
 --resource-group "$AZUREKMS_RESOURCEGROUP" \
@@ -36,6 +37,7 @@ az vm create \
 --os-disk-delete-option "Delete" \
 --public-ip-address "$AZUREKMS_VMNAME-PUBLIC-IP" \
 --nsg "$AZUREKMS_VMNAME-NSG" \
+ --nsg-rule "NONE" \
 --assign-identity $AZUREKMS_IDENTITY \
 >/dev/null
@@ -45,4 +47,17 @@ else
 SHUTDOWN_TIME=$(date -u -d "$(date) + 1 hours" +"%H%M")
 fi
 az vm auto-shutdown -g $AZUREKMS_RESOURCEGROUP -n $AZUREKMS_VMNAME --time $SHUTDOWN_TIME
+
+EXTERNAL_IP=$(curl -s http://whatismyip.akamai.com/)
+
+# Add a network security group rule to permit SSH from current IP. This rule is updated with the current IP in "set-ssh-ip.sh" to permit SSH from different Evergreen hosts.
+az network nsg rule create \
+ --name "$AZUREKMS_VMNAME-nsg-rule" \
+ --nsg-name "$AZUREKMS_VMNAME-nsg" \
+ --priority 100 \
+ --resource-group "$AZUREKMS_RESOURCEGROUP" \
+ --destination-port-ranges 22 \
+ --description "To allow SSH access" \
+ --source-address-prefixes "$EXTERNAL_IP"
+
 echo "Creating a Virtual Machine ($AZUREKMS_VMNAME) ... end"
diff --git a/.evergreen/csfle/azurekms/run-command.sh b/.evergreen/csfle/azurekms/run-command.sh
index b66069ac..92249928 100755
--- a/.evergreen/csfle/azurekms/run-command.sh
+++ b/.evergreen/csfle/azurekms/run-command.sh
@@ -16,7 +16,11 @@ for VARNAME in "${VARLIST[@]}"; do
 [[ -z "${!VARNAME:-}" ]] && echo "ERROR: $VARNAME not set" && exit 1;
 done
+# Permit SSH access from current IP.
+SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}")
+"$SCRIPT_DIR"/set-ssh-ip.sh
+
 echo "Running '$AZUREKMS_CMD' on Azure Virtual Machine ... begin"
 IP=$(az vm show --show-details --resource-group $AZUREKMS_RESOURCEGROUP --name $AZUREKMS_VMNAME --query publicIps -o tsv)
-ssh -o StrictHostKeyChecking=no azureuser@$IP -i "$AZUREKMS_PRIVATEKEYPATH" "$AZUREKMS_CMD"
+ssh -n -o StrictHostKeyChecking=no azureuser@$IP -i "$AZUREKMS_PRIVATEKEYPATH" "$AZUREKMS_CMD"
 echo "Running '$AZUREKMS_CMD' on Azure Virtual Machine ... end"
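Review bot: `EXTERNAL_IP=$(curl -s http://whatismyip.akamai.com/)` is fed straight into `--source-address-prefixes` as the allow-list source for port 22 with no check: the lookup is plain HTTP, `-s` without `--fail` turns an HTTP error page into the "IP", and an empty or malformed response either makes `az network nsg rule create` fail with an unhelpful error or installs a prefix nobody intended. Add `--fail` and validate the shape before using it, e.g. `EXTERNAL_IP=$(curl -sSf http://whatismyip.akamai.com/)` followed by `[[ "$EXTERNAL_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "ERROR: unexpected external IP '$EXTERNAL_IP'" >&2; exit 1; }`; the same unchecked lookup is copied into the new set-ssh-ip.sh and needs the same guard. The rule also takes the default protocol, so `--protocol Tcp` would narrow it to what the description "To allow SSH access" says. The NSG is created as `$AZUREKMS_VMNAME-NSG` in the `az vm create` call but referenced as `$AZUREKMS_VMNAME-nsg` here and in set-ssh-ip.sh; ARM name matching is presumably case-insensitive so this likely works, but one spelling would remove the doubt.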
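Review bot: The rewritten `ssh -n -o StrictHostKeyChecking=no azureuser@$IP ...` line still leaves `$IP` unquoted, whereas the new set-ssh-ip.sh writes the same target as `azureuser@"$IP"`; since this line is being touched anyway, `azureuser@"$IP"` keeps the two scripts consistent and avoids word-splitting if `az vm show` ever returns more than one value. set-ssh-ip.sh also passes `-o ConnectTimeout=10` on its probe; adding the same option here would fail fast rather than hang if the NSG rule change has not taken effect yet, though whether that delay occurs in practice cannot be judged from this hunk.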
diff --git a/.evergreen/csfle/azurekms/set-ssh-ip.sh b/.evergreen/csfle/azurekms/set-ssh-ip.sh
new file mode 100755
index 00000000..a62bc9e2
--- /dev/null
+++ b/.evergreen/csfle/azurekms/set-ssh-ip.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+# set-ssh-ip.sh adds the current IP to an already-created VM.
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+# Get DRIVERS_TOOLS path.
+SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}")
+. "$SCRIPT_DIR"/../../handle-paths.sh
+
+VARLIST=(
+ AZUREKMS_RESOURCEGROUP
+ AZUREKMS_VMNAME
+ AZUREKMS_PRIVATEKEYPATH
+)
+
+# Ensure that all variables required to run the test are set, otherwise throw
+# an error.
+for VARNAME in "${VARLIST[@]}"; do
+ [[ -z "${!VARNAME:-}" ]] && echo "ERROR: $VARNAME not set" && exit 1;
+done
+
+EXTERNAL_IP=$(curl -s http://whatismyip.akamai.com/)
+
+echo "Adding current IP ($EXTERNAL_IP) to Azure Virtual Machine ... begin"
+az network nsg rule update \
+ --name "$AZUREKMS_VMNAME-nsg-rule" \
+ --nsg-name "$AZUREKMS_VMNAME-nsg" \
+ --resource-group "$AZUREKMS_RESOURCEGROUP" \
+ --source-address-prefixes "$EXTERNAL_IP" > /dev/null
+
+IP=$(az vm show --show-details --resource-group "$AZUREKMS_RESOURCEGROUP" --name "$AZUREKMS_VMNAME" --query publicIps -o tsv)
+
+"$DRIVERS_TOOLS/.evergreen/retry-with-backoff.sh" ssh -n -o ConnectTimeout=10 -o StrictHostKeyChecking=no azureuser@"$IP" -i "$AZUREKMS_PRIVATEKEYPATH" "echo 'hi' > /dev/null"
+
+echo "Adding current IP ($EXTERNAL_IP) to Azure Virtual Machine ... end"
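Review bot: The header comment `# set-ssh-ip.sh adds the current IP to an already-created VM.` understates the contract: `az network nsg rule update --source-address-prefixes "$EXTERNAL_IP"` sets the rule's source prefix to the single current value, so the previously allowed host loses SSH access rather than being joined, and the script depends on the rule `$AZUREKMS_VMNAME-nsg-rule` already existing (it is created in create-vm.sh). Suggested wording: `# set-ssh-ip.sh points the SSH NSG rule created by create-vm.sh at this host's public IP, replacing the previously allowed prefix; run it from each new Evergreen host before copy-file.sh or run-command.sh.` The retry-wrapped `ssh ... "echo 'hi' > /dev/null"` probe is the only thing that confirms the rule took effect, so a second comment above it, `# Wait until the NSG change is effective by retrying a no-op SSH login.`, would tell the reader why the extra connection is made.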