From 1a8a5416c068fe208ff38d1f2b0964e249724e57 Mon Sep 17 00:00:00 2001
From: devzspy <7217419+devzspy@users.noreply.github.com>
Date: Tue, 13 Aug 2024 17:38:47 -0700
Subject: [PATCH] feat(ansible): Add role for managing ingress restrictions
Introduces a new Ansible role `ingress-restrictions` with tasks to manage ingress restrictions between edge and middle hosts. Also includes necessary files such as handlers, vars, defaults, and README.
---
 .../roles/ingress-restrictions/README.md | 24 ++++++++++++++
 .../roles/ingress-restrictions/meta/main.yml | 1 +
 .../roles/ingress-restrictions/tasks/main.yml | 33 +++++++++++++++++++
 .../ingress-restrictions/tests/inventory | 2 ++
 .../roles/ingress-restrictions/tests/test.yml | 5 +++
 5 files changed, 65 insertions(+)
 create mode 100644 external/sketch/ansible/roles/ingress-restrictions/README.md
 create mode 100644 external/sketch/ansible/roles/ingress-restrictions/meta/main.yml
 create mode 100644 external/sketch/ansible/roles/ingress-restrictions/tasks/main.yml
 create mode 100644 external/sketch/ansible/roles/ingress-restrictions/tests/inventory
 create mode 100644 external/sketch/ansible/roles/ingress-restrictions/tests/test.yml
diff --git a/external/sketch/ansible/roles/ingress-restrictions/README.md b/external/sketch/ansible/roles/ingress-restrictions/README.md
new file mode 100644
index 0000000..3ef1d3b
--- /dev/null
+++ b/external/sketch/ansible/roles/ingress-restrictions/README.md
@@ -0,0 +1,24 @@
+ingress-restrictions
+=========
+
+This role is used to help reduce the chances for backflip correlation from public ssh keys from tools like Censys.
+
+This will automatically tell middle hosts to only allow connections on port 2222 from edge hosts.
+
+This role only handles the sketch infrastructure as of now.
+
+Requirements
+------------
+
+Once you've ran this in your Sketch infrastructure, you will need to grab the IP Addresses or IP Address range from your middles and add them to your OCI/AWS infrastructure manually.
+
+Whenever we do the grand restructure, this should be done automatically for you everywhere.
+
+Example Playbook
+----------------
+
+```yml
+- hosts: all
+ roles:
+ - ingress-restrictions
+```
\ No newline at end of file
diff --git a/external/sketch/ansible/roles/ingress-restrictions/meta/main.yml b/external/sketch/ansible/roles/ingress-restrictions/meta/main.yml
new file mode 100644
index 0000000..32cf5dd
--- /dev/null
+++ b/external/sketch/ansible/roles/ingress-restrictions/meta/main.yml
@@ -0,0 +1 @@
+dependencies: []
diff --git a/external/sketch/ansible/roles/ingress-restrictions/tasks/main.yml b/external/sketch/ansible/roles/ingress-restrictions/tasks/main.yml
new file mode 100644
index 0000000..df20f2f
--- /dev/null
+++ b/external/sketch/ansible/roles/ingress-restrictions/tasks/main.yml
@@ -0,0 +1,33 @@
+---
+# tasks file for ingress-restrictions
+
+- name: Set fact for 'edge' hosts
+ set_fact:
+ is_edge_host: true
+ when: "'edge' in inventory_hostname"
+
+- name: Gather Edge IPs into a dictionary
+ set_fact:
+ edge_ips_dict: >-
+ {{
+ edge_ips_dict | default({}) | combine(
+ { item: hostvars[item]['host_ip_address'] }
+ )
+ }}
+ loop: "{{ groups['all'] }}"
+ when: hostvars[item]['is_edge_host'] is defined and hostvars[item]['is_edge_host']
+ delegate_to: localhost
+
+- name: Allow port 2222 from Edges to Middles
+ ufw:
+ rule: allow
+ port: 2222
+ from_ip: "{{ item.value }}"
+ with_items: "{{ edge_ips_dict | dict2items }}"
+ when: "'middle' in inventory_hostname"
+
+- name: Deny port 2222
+ ufw:
+ rule: deny
+ port: 2222
+ when: "'middle' in inventory_hostname"
\ No newline at end of file
diff --git a/external/sketch/ansible/roles/ingress-restrictions/tests/inventory b/external/sketch/ansible/roles/ingress-restrictions/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/external/sketch/ansible/roles/ingress-restrictions/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/external/sketch/ansible/roles/ingress-restrictions/tests/test.yml b/external/sketch/ansible/roles/ingress-restrictions/tests/test.yml
new file mode 100644
index 0000000..71b6000
--- /dev/null
+++ b/external/sketch/ansible/roles/ingress-restrictions/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - ingress-restrictions
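Review bot: The allow rules in 'Allow port 2222 from Edges to Middles' land ahead of the deny rule only on the first run; when a later run discovers a new edge host, its allow rule is appended after the already-present deny, and since ufw evaluates rules in order (first match wins) the new edge is blocked. Adding `insert: 1` to that ufw task keeps the allows ahead of the deny on every run; confirm on the target ufw version that inserting at position 1 is accepted on an empty ruleset, otherwise use `insert_relative_to` against the deny rule. `with_items: "{{ edge_ips_dict | dict2items }}"` fails with an undefined variable on every host when no edge host exists, because the gather task then never sets the fact; `with_items: "{{ edge_ips_dict | default({}) | dict2items }}"` avoids that. Both edge and middle classification are substring matches on `inventory_hostname`, so any host whose name merely contains 'edge' or 'middle' is included; matching on `group_names` would make the intent explicit. Nothing in the role asserts ufw is enabled, so if no other role does so these rules are inert.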