add vxlan/wireguard aws acl rules

Signed-off-by: denis-tingaikin <[email protected]>
networkservicemesh · Aug 3, 2022 · 00ddf77 · 00ddf77
1 parent b135651
commit 00ddf77
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 0 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -117,6 +117,7 @@ jobs:
           AZURE_TENANT: ${{ secrets.AZURE_TENANT }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: "us-west-2"
           PACKET_AUTH_TOKEN: ${{ secrets.PACKET_AUTH_TOKEN }}
           PACKET_PROJECT_ID: ${{ secrets.PACKET_PROJECT_ID }}
           KUBERNETES_VERSION: ${{ secrets.NSM_KUBERNETES_VERSION }}

diff --git a/aws/aws.yaml b/aws/aws.yaml
@@ -16,6 +16,7 @@ providers:
       - AWS_ACCESS_KEY_ID
       - AWS_SECRET_ACCESS_KEY
       - GITHUB_RUN_NUMBER
+      - AWS_REGION
     scripts:
       start: |
         scripts/aws/aws-start.sh

diff --git a/scripts/aws/aws-start.sh b/scripts/aws/aws-start.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+echo "aws region is $AWS_REGION"
+
 apt-get update && apt-get -y install curl dnsutils
 
 curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.23.6/bin/linux/amd64/kubectl
@@ -23,4 +25,38 @@ eksctl create cluster  \
       --node-type t3.xlarge \
       --nodes 1
 
+sg=$(aws ec2 describe-security-groups --filter Name=tag:aws:eks:cluster-name,Values="${AWS_CLUSTER_NAME}" --query 'SecurityGroups[0].GroupId' --output text)
+
+echo "security group is $sg"
+
+## Setup security group rules
+for i in {1..25}
+do
+    if [[ -n $sg  ]]; then
+        break
+    fi
+    sleep 30
+    echo attempt "$i" has failed
+    sg=$(aws ec2 describe-security-groups --filter Name=tag:aws:eks:cluster-name,Values="${AWS_CLUSTER_NAME}" --query 'SecurityGroups[0].GroupId' --output text)
+done
+
+if [[ -z $sg  ]]; then
+    echo "Security group is not found"
+    exit 1
+fi
+
+### authorize wireguard
+aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 51820 --cidr 0.0.0.0/0
+aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol udp --port 51820 --cidr 0.0.0.0/0
+### authorize vxlan
+aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 4789 --cidr 0.0.0.0/0
+aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol udp --port 4789 --cidr 0.0.0.0/0
+### authorize nsmgr-proxy
+aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 5004 --cidr 0.0.0.0/0
+### authorize registry
+aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 5002 --cidr 0.0.0.0/0
+### authorize vl3-ipam
+aws ec2 authorize-security-group-ingress --group-id "$sg" --protocol tcp --port 5006 --cidr 0.0.0.0/0
+
+
 kubectl version --client