diff --git a/src/deployment/config.json b/src/deployment/config.json
new file mode 100644
index 0000000000..6b0dd83203
--- /dev/null
+++ b/src/deployment/config.json
@@ -0,0 +1,6 @@
+{
+ "proxy_nsg_config": {
+ "allowed_ips": ["*"],
+ "allowed_service_tags": []
+ }
+}
\ No newline at end of file
diff --git a/src/deployment/configuration.py b/src/deployment/configuration.py
index b3e1b50303..43861c7b4a 100644
--- a/src/deployment/configuration.py
+++ b/src/deployment/configuration.py
@@ -6,7 +6,7 @@
 import ipaddress
 import json
 import logging
-from typing import List, Optional
+from typing import Dict, List, Optional
 from uuid import UUID
 from azure.cosmosdb.table.tableservice import TableService
@@ -65,13 +65,10 @@ def __init__(self, rule: str):
 )
 def check_rule(self, value: str) -> None:
- if value is None:
+ if value is None or len(value.strip()) == 0:
 raise ValueError(
- "Please provide a valid rule or supply the empty string '' to block all sources or the wild card * to allow all sources."
+ "Please provide a valid rule. Supply an empty list to block all sources or the wild card * to allow all sources."
 )
- # Check block all
- if len(value.strip()) == 0:
- return
 # Check Wild Card
 if value == "*":
 return
@@ -83,7 +80,7 @@ def check_rule(self, value: str) -> None:
 pass
 # Check if IP Range
 try:
- ipaddress.ip_network(value)
+ ipaddress.ip_network(value, False)
 return
 except ValueError:
 pass
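Review bot: The sample config is added with `"allowed_ips": ["*"]`, and the new parse_rules in this same commit turns that wildcard into a single allow-all NSG rule, so a deployment that uses the file as shipped exposes the proxy to every source. A sample that is deny-by-default, `"allowed_ips": [],` alongside `"allowed_service_tags": []`, with the wildcard documented as a deliberate opt-in, gives operators a safe starting point instead of an open one. The file also lacks a trailing newline, as the diff marker notes.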
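Review bot: `ipaddress.ip_network(value, False)` accepts a prefix whose host bits are set (a single host address written with a /16 suffix, say) and silently masks them, so check_rule now validates a wider range than the operator typed; whether the masked network or the literal string reaches the NSG depends on what NsgRule stores, which is outside this hunk. If masking is intended, make it visible: `network = ipaddress.ip_network(value, False)` followed by `if str(network) != value: logging.getLogger(__name__).warning("rule %s normalizes to %s", value, network)` (the module already imports logging), otherwise keep the strict parse and let the existing ValueError reject such rules. In the preceding hunk, the emptiness test strips the value but the wildcard test `value == "*"` does not, so a padded `" *"` falls through to the IP parsers and is rejected rather than treated as allow-all. check_rule's body begins before the first line of the earlier hunk and continues past the last line of this one.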
@@ -120,17 +117,35 @@ def update_admins(config_client: InstanceConfigClient, admins: List[UUID]) -> No
 )
-def parse_rules(rules_str: str) -> List[NsgRule]:
- rules_list = rules_str.split(",")
+def parse_rules(proxy_config: Dict[str, str]) -> List[NsgRule]:
+ allowed_ips = proxy_config["allowed_ips"]
+ allowed_service_tags = proxy_config["allowed_service_tags"]
 nsg_rules = []
- for rule in rules_list:
+ if "*" in allowed_ips:
+ nsg_rule = NsgRule("*")
+ nsg_rules.append(nsg_rule)
+ return nsg_rules
+ elif len(allowed_ips) + len(allowed_service_tags) == 0:
+ return []
+
+ for rule in allowed_ips:
+ try:
+ nsg_rule = NsgRule(rule)
+ nsg_rules.append(nsg_rule)
+ except Exception:
+ raise ValueError(
+ "One or more input ips was invalid: %s. Please enter a comma-separted list of valid sources.",
+ rule,
+ )
+ for rule in allowed_service_tags:
 try:
 nsg_rule = NsgRule(rule)
 nsg_rules.append(nsg_rule)
 except Exception:
 raise ValueError(
- "One or more input rules was invalid. Please enter a comma-separted list if valid sources."
+ "One or more input tags was invalid: %s. Please enter a comma-separted list of valid sources.",
+ rule,
 )
 return nsg_rules
diff --git a/src/deployment/deploy.py b/src/deployment/deploy.py
index 62b4f8e186..6b40bfeba8 100644
--- a/src/deployment/deploy.py
+++ b/src/deployment/deploy.py
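Review bot: Both `raise ValueError("... %s ...", rule)` statements in parse_rules pass `rule` as a second exception argument rather than formatting it, so the operator sees the tuple `('One or more input ips was invalid: %s. ...', '<rule>')` with the placeholder unfilled, and the bare `except Exception:` discards the ValueError from check_rule that says which check failed. Change each to `except ValueError as err:` and `raise ValueError(f"One or more input ips was invalid: {rule}. Please enter a list of valid sources.") from err` (with `tags` in the second), which also retires the outdated "comma-separted list" wording now that the input is a JSON list and stops relabeling programming errors as bad input. The annotation `Dict[str, str]` does not match use either: both values are iterated and passed to `len()`, so `Dict[str, List[str]]` is what the function actually expects. A short docstring stating that a `"*"` entry short-circuits to a single allow-all rule and that two empty lists mean block-all would save the next reader from re-deriving it.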
@@ -619,7 +619,24 @@ def set_instance_config(self) -> None: config_client = InstanceConfigClient(table_service, self.application_name) if self.nsg_config: - rules = parse_rules(self.nsg_config) + logger.info("deploying arm template: %s", self.nsg_config) + + with open(self.nsg_config, "r") as template_handle: + config_template = json.load(template_handle) + + if ( + not config_template["proxy_nsg_config"] + and not config_template["proxy_nsg_config"]["allowed_ips"] + and not config_template["proxy_nsg_config"]["allowed_service_tags"] + ): + raise Exception( + "proxy_nsg_config and sub-values were not properly included in config." + + "Please submit a configuration resembling" + + " { 'proxy_nsg_config': { 'allowed_ips': [], 'allowed_service_tags': [] } }" + ) + proxy_config = config_template["proxy_nsg_config"] + rules = parse_rules(proxy_config) + update_nsg(config_client, rules) if self.admins:
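Review bot: The guard before `raise Exception(...)` cannot produce its friendly message in the cases it is written for: the three conditions are joined with `and`, so it fires only when all three are falsy, and a missing `proxy_nsg_config` key or an empty `{}` raises KeyError on the `["allowed_ips"]` lookup before the check completes, while a legitimate block-all config of two empty lists is what would actually trip it if the outer object were falsy. The message also joins `"...included in config."` and `"Please submit..."` with no separating space, and `logger.info("deploying arm template: %s", ...)` describes the NSG allow-list file as an ARM template. Read the sub-object once with `.get`, test each field's presence and type with `or`, and log what is being loaded, since this file decides which sources may reach the proxy. set_instance_config's body begins before the first line of this hunk.
```python
        if self.nsg_config:
            logger.info("loading proxy NSG config: %s", self.nsg_config)

            with open(self.nsg_config, "r") as template_handle:
                config_template = json.load(template_handle)

            proxy_config = config_template.get("proxy_nsg_config")
            if (
                not isinstance(proxy_config, dict)
                or not isinstance(proxy_config.get("allowed_ips"), list)
                or not isinstance(proxy_config.get("allowed_service_tags"), list)
            ):
                raise Exception(
                    "proxy_nsg_config and sub-values were not properly included in config. "
                    + "Please submit a configuration resembling"
                    + " { 'proxy_nsg_config': { 'allowed_ips': [], 'allowed_service_tags': [] } }"
                )
            rules = parse_rules(proxy_config)

            # … unchanged: update_nsg(config_client, rules) …
```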