
IP Whitelisting - "Do you need to add your IP?"

Open bkonkle opened this issue 6 years ago • 7 comments

Hi! I'm using a deployment that I created with a command like this:

control-tower deploy --iaas aws \
  --region us-west-2 \
  --domain <domain> \
  --workers 2 \
  --worker-size large \
  --github-auth-client-id <id> \
  --github-auth-client-secret <secret> \
  --add-tag ProvisionedBy=control-tower \
  concourse

Yesterday things were working fine. Today, however, when I try to query info on the deployment, I'm getting this:

control-tower info --region us-west-2  --iaas AWS --env concourse

Do you need to add your IP 162.246.197.181 to the control-tower-concourse-director security group/source range entry for director firewall (for ports 22, 6868, and 25555)?

I can't find anything in the documentation about this issue. How do I solve it?

Thanks!

bkonkle, Sep 11 '19 14:09

My security group appears to have some arbitrary IP values:

(Screenshot, 2019-09-11 08:53:46: the security group's rules, image not included.)

My team works from home, so there's no way to guarantee the IP ranges they'll be working from. Do I have to use the "Custom CIDR ranges" options and set all 5 to 0.0.0.0/0?

bkonkle, Sep 11 '19 14:09

Also - if I change this manually, will it be overwritten by control-tower's next Terraform run?

bkonkle, Sep 11 '19 14:09

I see now in the docs, "The control plane will be restricted to the IP control-tower deploy was run from." - how do we override this effectively in a dynamic-IP environment?

bkonkle, Sep 11 '19 15:09

After setting up our control-tower deployment a few months ago, I'm only just running into this same issue now - any updates on this?

Do you need to add your IP xxx to the control-tower-xxx security group/source range entry for director firewall (for ports 22, 6868, and 25555)?

If I manually add my IP to the whitelist, will it get overwritten by Terraform?

DMeechan, Mar 04 '20 15:03

Hi @DMeechan. Whilst it'd be nice to automate this problem away, we're all busy in billable work currently.

You can work around this by:

  1. Logging into AWS
  2. Go to EC2 > Security Groups
  3. Find the group called control-tower-DEPLOYMENT_NAME-director
  4. Grant access to the machine you want to run Control Tower from on ports 22, 6868 and 25555.

Unfortunately after the next deploy it'll get converged back to its original state, so this is a bit of an inconvenience.

DanielJonesEB, Mar 06 '20 16:03
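The console steps above can be scripted. The following is an added example, not code from control-tower or from anyone in this thread. It assumes the group really is named `control-tower-<DEPLOYMENT_NAME>-director` (as the reply says), that the AWS credentials in the environment may call `ec2:DescribeSecurityGroups` and `ec2:AuthorizeSecurityGroupIngress` in the deployment's region, that `boto3` is installed for a real run, and that `https://checkip.amazonaws.com` is an acceptable way to learn your public IP. `FakeEC2` is a constructed stand-in so the logic can be exercised without an account. It only opens the three ports from the error message, only as a `/32` for a single public IPv4 address, and skips ports the IP is already allowed on so it can be re-run without AWS rejecting the duplicate rule. As the reply notes, anything it adds is converged away by the next `control-tower deploy`; this is a stopgap for the day, not a fix.

```python
"""Re-add the caller's public IP to the control-tower director security group.

Added example, not part of control-tower. Assumptions: the group is named
control-tower-<DEPLOYMENT_NAME>-director (as in this thread), the AWS
credentials in the environment may call ec2:DescribeSecurityGroups and
ec2:AuthorizeSecurityGroupIngress, and https://checkip.amazonaws.com is
used to discover the public IP. FakeEC2 is a constructed stand-in so the
logic can be exercised without an AWS account.
"""
import ipaddress
import urllib.request

# The three ports named in control-tower's error message.
DIRECTOR_PORTS = (22, 6868, 25555)


def director_group_name(deployment):
    return "control-tower-%s-director" % deployment


def to_host_cidr(ip):
    """Validate a single public IPv4 address and return it as a /32."""
    addr = ipaddress.ip_address(ip.strip())
    if addr.version != 4:
        raise ValueError("expected an IPv4 address, got %s" % addr)
    if not addr.is_global:
        raise ValueError("%s is not a public address; a /32 for it is useless" % addr)
    return "%s/32" % addr


def already_allowed(group, port, cidr):
    """True if an existing TCP (or all-protocol) rule already covers cidr on port."""
    wanted = ipaddress.ip_network(cidr)
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not lo <= port <= hi:
            continue
        for rng in perm.get("IpRanges", []):
            if wanted.subnet_of(ipaddress.ip_network(rng["CidrIp"], strict=False)):
                return True
    return False


def ip_permissions(cidr, description, ports=DIRECTOR_PORTS):
    """Build the IpPermissions list AuthorizeSecurityGroupIngress expects, one entry per port."""
    return [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "IpRanges": [{"CidrIp": cidr, "Description": description}]}
        for p in ports
    ]


def whitelist_ip(ec2, deployment, ip, description="added by hand, reset on next deploy"):
    """Authorize ip on every director port it is not yet allowed on; return the ports added.

    Skipping ports that are already open keeps the call idempotent: AWS rejects
    an exact duplicate rule with InvalidPermission.Duplicate.
    """
    name = director_group_name(deployment)
    groups = ec2.describe_security_groups(
        Filters=[{"Name": "group-name", "Values": [name]}])["SecurityGroups"]
    if len(groups) != 1:
        raise LookupError("expected exactly one group named %s, found %d" % (name, len(groups)))
    group = groups[0]
    cidr = to_host_cidr(ip)
    ports = [p for p in DIRECTOR_PORTS if not already_allowed(group, p, cidr)]
    if ports:
        ec2.authorize_security_group_ingress(
            GroupId=group["GroupId"], IpPermissions=ip_permissions(cidr, description, ports))
    return ports


def current_public_ip():
    with urllib.request.urlopen("https://checkip.amazonaws.com", timeout=10) as resp:
        return resp.read().decode().strip()


class FakeEC2:
    """Constructed offline stand-in for the two boto3 EC2 calls used above."""

    def __init__(self, group_id, name, permissions=()):
        self.group = {"GroupId": group_id, "GroupName": name, "IpPermissions": list(permissions)}
        self.calls = []

    def describe_security_groups(self, Filters):
        match = self.group["GroupName"] in Filters[0]["Values"]
        return {"SecurityGroups": [self.group] if match else []}

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        assert GroupId == self.group["GroupId"]
        self.calls.append(IpPermissions)
        self.group["IpPermissions"].extend(IpPermissions)
        return {"Return": True}


if __name__ == "__main__":
    import sys
    import boto3  # assumed installed; only needed for a real run

    deployment, region = sys.argv[1], sys.argv[2]
    ip = current_public_ip()
    added = whitelist_ip(boto3.client("ec2", region_name=region), deployment, ip)
    print(ip, "added on ports", added if added else "none (already allowed)")
```

Run it as `python whitelist_director.py concourse us-west-2` (the deployment name and region from the original post). The containment check in `already_allowed` also treats a wider range such as `0.0.0.0/0` as covering the address, so the script does nothing if someone has already opened the group up with the custom CIDR option. It deliberately refuses private or non-IPv4 addresses, because a rule for those would never match the traffic the director sees.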

control-tower deploy will always change the whitelist to be the IP you are running the command from. So if you deploy using the same version of Control Tower and only provide the mandatory flags it should be a no-op deploy that re-whitelists your IP. Unfortunately we currently don't support whitelisting a range instead of a single IP.

crsimmons, Apr 06 '20 09:04

Given that this is a perennial pain in the arse for everyone involved, I wonder if it is a security compromise to just say "if you have the right IAAS creds, we'll update the security group to include your current IP".

Possibly there's a story here of outputting @crsimmons' advice to the terminal when access is forbidden.

DanielJonesEB, Apr 06 '20 09:04