Merge pull request #1 from aws-samples/ssm-changes

edwinavalos · web-flow · commit cb0405e61772 · 2018-10-25T13:37:10.000-05:00
Upgrade to 1.10.1
diff --git a/README.md b/README.md
@@ -32,7 +32,7 @@ This repository assumes you have a new AWS account and wish to test Spinnaker ou
 3. Navigate to CodeBuild
 4. Start the create-eks CodeBuild project
 5. Create a security group in the EKS-VPC to lock-down the Spinnaker load balancers take note of the security group id.
-6. Start the deploy-spinnaker CodeBuild project, fill in the environment variable "SECURITY_GROUP_ID" with the security group id from the previous step 
+6. Start the deploy-spinnaker CodeBuild project, fill in the environment variable "SECURITY_GROUP_ID" with the security group id from the previous step (replacing the "false" default)
 
 Spinnaker will be available at the UI/Deck address emitted at the end of the deploy-spinnaker CodeBuild job.
 
@@ -55,9 +55,7 @@ Once it is downloaded you can run kubectl commands as normal to read and output
 
 # Exposing Services
 
-See the [buildspec section](#modifying-buildspec-for-authentication-and-security-groups) for some supplemental information.
-
-The code in this repository will create two load balancers using the EKS and EC2 integrations, these services are created in the deploy_spinnaker.sh. When created these load balancers are open to the world, so there are few flags in the deploy_spinnaker.sh to give you options on locking down the security groups, the flags in this example will apply the security group specified in the deploy_spinnaker.sh script to the load balancers to lock down load balancers.
+There are two methods in this repository that can expose the Spinnaker services on load balancers, one uses a user-provided security group that is locked down. These are controlled via environment variables in the deploy-spinnaker CodeBuild project. The second method is using SSM to store security information that can be used to lock down the Spinnaker installation even further. See details in the deploy_spinnaker.sh script.
 
 # Modifying the Spinnaker installation
 
diff --git a/buildspec-deploy.yaml b/buildspec-deploy.yaml
@@ -16,4 +16,4 @@ phases:
       - ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
       - ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
       - aws s3 cp s3://codebuild-artifacts-${ACCOUNT_ID}/create-eks/files/resources/kubernetes/kubeconfig-no-role.yaml /home/spinnaker/.kube/config
-      - su spinnaker -c "./scripts/deploy_spinnaker.sh -f ${SECURITY_GROUP_ID}"
+      - su spinnaker -c "./scripts/deploy_spinnaker.sh -S ${USE_SSM} -f ${SECURITY_GROUP_ID}"
diff --git a/resources/cloudformation/codebuild-projects.yaml b/resources/cloudformation/codebuild-projects.yaml
@@ -120,7 +120,11 @@ Resources:
           -
             Name: SECURITY_GROUP_ID
             Type: PLAINTEXT
-            Value: ""
+            Value: false
+          -
+            Name: USE_SSM
+            Type: PLAINTEXT
+            Value: false
       Name: deploy-spinnaker
       ServiceRole: !Ref CreateEKSSpinnakerRole
       Source:
diff --git a/scripts/deploy_spinnaker.sh b/scripts/deploy_spinnaker.sh
@@ -15,10 +15,10 @@ Usage: $0
 """ 1>&2; exit 1;
 }
 
-while getopts ":Sg:r:f:" o; do
+while getopts "S:g:r:f:" o; do
     case "${o}" in
         S)
-            USE_SSM_FOR_SECRETS=true
+            USE_SSM_FOR_SECRETS=${OPTARG}
             ;;
         g)
             GITHUB_ORG=${OPTARG}
@@ -46,6 +46,7 @@ if [ -z "${REGION}" ]; then
 fi
 
 if [ "${USE_SSM_FOR_SECRETS}" == true ]; then
+    LB_SG=""
     AUTHN_CLIENT_ID=$(aws ssm get-parameters --names github-authn-client-id --with-decryption --query Parameters[0].Value --output text)
     AUTHN_CLIENT_SECRET=$(aws ssm get-parameters --names github-authn-client-secret --with-decryption --query Parameters[0].Value --output text)
     AUTHZ_ACCESS_TOKEN=$(aws ssm get-parameters --names github-authz-token --with-decryption --query Parameters[0].Value --output text)
@@ -83,10 +84,11 @@ GATE_SG=$(aws elb describe-load-balancers --load-balancer-names ${GATE_LB} --que
 DECK_SG=$(aws elb describe-load-balancers --load-balancer-names ${DECK_LB} --query LoadBalancerDescriptions[0].SecurityGroups[0] --output text)
 
 if [ ! -z "${PREFIX_LIST}" ]; then
-    aws ec2 describe-security-groups --group-ids ${GATE_SG} | grep ${PREFIX_LIST} && echo "Found prefix list, skipping adding exception" || \
-        aws ec2 authorize-security-group-ingress --group-id ${GATE_SG} --ip-permissions '[{"FromPort":80,"IpProtocol":"tcp","PrefixListIds":[{"Description":"prefix-list-restriction","PrefixListId":"pl-f8a64391"}],"ToPort":80}]'
-    aws ec2 describe-security-groups --group-ids ${DECK_SG} | grep ${PREFIX_LIST}  && echo "Found prefix list, skipping adding exception" || \
-        aws ec2 authorize-security-group-ingress --group-id ${DECK_SG} --ip-permissions '[{"FromPort":80,"IpProtocol":"tcp","PrefixListIds":[{"Description":"prefix-list-restriction","PrefixListId":"pl-f8a64391"}],"ToPort":80}]'
+    for SG in "${GATE_SG}" "${DECK_SG}"; do
+        aws ec2 revoke-security-group-ingress --group-id ${SG} --protocol tcp --port 80 --cidr 0.0.0.0/0 || true
+        aws ec2 describe-security-groups --group-ids ${SG} | grep ${PREFIX_LIST} && echo "Found prefix list, skipping adding exception" || \
+        aws ec2 authorize-security-group-ingress --group-id ${SG} --ip-permissions '[{"FromPort":80,"IpProtocol":"tcp","PrefixListIds":[{"Description":"prefix-list-restriction","PrefixListId":"pl-f8a64391"}],"ToPort":80}]'
+    done
 elif [ ! -z "${LB_SG}" ]; then
     for LB in "${GATE_LB}" "${DECK_LB}"; do
         PREV_GROUPS=$(aws elb describe-load-balancers --load-balancer-names ${LB} --query LoadBalancerDescriptions[0].SecurityGroups[*] --output text | tr "\t" " ")
