
DRIVERS-2987 Restrict access to Azure VMs #514

Merged
merged 6 commits into from
Oct 2, 2024

Conversation

kevinAlbs
Contributor

Summary

Restrict access to Azure VMs. Resolves DRIVERS-2987.

Tested CSFLE with C driver: https://spruce.mongodb.com/version/66fc4490ce827200070347f9

Tested CSFLE+OIDC with Go driver: https://spruce.mongodb.com/patch/66fc50fb3bc93e0007ef36a2

Background & Motivation

The `azure vm create` documentation notes:

Defaults to open ports for allowing RDP on Windows and allowing SSH on Linux.

Though the private SSH key is expected to be secured, this PR disables the default open port to follow recommendations noted in DRIVERS-2987.

Every script that may ssh to the Azure VM sets the IP of the network security group. I expect the setup script (create-and-setup-vm.sh) may run on a different Evergreen host than the scripts used to test (run-command.sh) if Evergreen task groups are used.

After setting an IP, the retry-with-backoff.sh script is used to wait until ssh succeeds. The default ATTEMPTS was increased to 10 due to an observed failure on retry.

Adding -n to ssh

The -n parameter is added to ssh commands to prevent reading from stdin.

This appears to solve an observed issue testing with the C driver: The shell.exec would abruptly stop after running an Azure KMS script. Example logs indicate:

```yaml
- command: shell.exec
  params:
    script: |-
      # ... omitted ...
      AZUREKMS_SRC="testazurekms.tgz" \
      AZUREKMS_DST="./" \
          $DRIVERS_TOOLS/.evergreen/csfle/azurekms/copy-file.sh
      # copy-file.sh succeeded, but `shell.exec` stops!
      # ... omitted ...
```

https://docs.devprod.prod.corp.mongodb.com/evergreen/Project-Configuration/Project-Commands#shellexec notes:

By default, shell.exec runs sh then pipes your script to its stdin. Use this parameter if your script will be doing something that may change stdin, such as sshing

* Default opens SSH and RDP to internet.
* Needed since Azure KMS task group may run scripts across multiple Evergreen hosts.
* To prevent reading from stdin. Fixes interaction when script is run with Evergreen `shell.exec`. `shell.exec` reads commands from stdin by default.
* To avoid printing JSON blob in logs. Still prints errors
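The two mechanisms the description leans on, as an added illustration that is not the PR's own retry-with-backoff.sh or any drivers-evergreen-tools script: a retry loop that waits for a command to succeed (ATTEMPTS defaulting to 10), and a demonstration of why a command inside a script piped to the shell's stdin must be told not to read stdin (what `-n` does for ssh). The names `retry_with_backoff`, `flaky`, `stdin_consumed` and `stdin_protected` are hypothetical; `cat` stands in for ssh so it runs offline, and `bash` is assumed to be installed because it reads a piped script one byte at a time, which makes the effect deterministic.

```shell
#!/usr/bin/env sh
# Added example, not code from the PR. Re-runs a command until it
# succeeds, doubling the sleep between attempts. ATTEMPTS defaults to 10
# (the value the PR raised the default to); DELAY is the first sleep.
retry_with_backoff() {
    attempts="${ATTEMPTS:-10}"
    delay="${DELAY:-1}"
    i=1
    while :; do
        if "$@"; then
            return 0
        fi
        if [ "$i" -ge "$attempts" ]; then
            echo "giving up after $attempts attempts" >&2
            return 1
        fi
        echo "attempt $i failed; retrying in ${delay}s" >&2
        sleep "$delay"
        delay=$((delay * 2))
        i=$((i + 1))
    done
}

# Constructed stand-in for "ssh until the NSG rule is live": fails until
# it has been called $2 times. The counter lives in file $1 so it works
# whether the command runs as a function or as a separate process.
flaky() {
    n=$(cat "$1" 2>/dev/null || echo 0)
    n=$((n + 1))
    echo "$n" > "$1"
    [ "$n" -ge "$2" ]
}

# A script arriving on the shell's stdin, as Evergreen's shell.exec does
# it. The inner command reads stdin and swallows the rest of the script,
# so the line after it never runs and nothing is printed.
stdin_consumed() {
    printf 'cat >/dev/null\necho after\n' | bash
}

# Same script, but the inner command's stdin is redirected from
# /dev/null (the effect of ssh -n), so the remaining line still runs.
stdin_protected() {
    printf 'cat </dev/null >/dev/null\necho after\n' | bash
}
```

Running `stdin_consumed` prints nothing while `stdin_protected` prints `after`, which is the abrupt stop the description observed after copy-file.sh.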
@kevinAlbs kevinAlbs marked this pull request as ready for review October 1, 2024 23:26
Member

@blink1073 blink1073 left a comment


Very nice, thank you!

@kevinAlbs kevinAlbs merged commit 9e68c29 into mongodb-labs:master Oct 2, 2024
58 of 59 checks passed
adriandole pushed a commit to adriandole/drivers-evergreen-tools that referenced this pull request Oct 7, 2024
* Remove default network security group rule. Default opens SSH and RDP to internet.
* Create NSG rule with current IP
* Add set-ssh-ip.sh to add current IP. Needed since Azure KMS task group may run scripts across multiple Evergreen hosts.
* Add `-n` to ssh commands. Prevents reading from stdin. Fixes interaction when script is run with Evergreen `shell.exec`. `shell.exec` reads commands from stdin by default.