diff --git a/UPGRADING.rst b/UPGRADING.rst
index de971acf0..f37dc2bee 100644
--- a/UPGRADING.rst
+++ b/UPGRADING.rst
@@ -20,6 +20,23 @@ reverted.
 This is all fairly informal and loosely defined. Hopefully we won't have too many entries in this file.
+DataBiosphere/azul-private#133 Disable split tunneling for GitLab VPN in prod and anvilprod
+===========================================================================================
+
+This change requires an update to your existing VPN connections for `prod` and
+`anvilprod`.
+
+Run the following commands::
+
+ _select prod.gitlab # or anvilprod.gitlab
+ cd terraform/gitlab/vpn
+ make config > ~/azul-gitlab-prod.ovpn # or azul-gitlab-anvilprod.ovpn
+
+Then, remove the existing VPN connection and import the generated `.ovpn` file
+to recreate it. Finally, delete the `.ovpn` file to prevent proliferation of the
+private key.
+
+
 #6046 Fix: VPC CIDR in ``anvildev`` is wrong
 ============================================
diff --git a/terraform/gitlab/gitlab.tf.json.template.py b/terraform/gitlab/gitlab.tf.json.template.py
index 26f8df2c7..40ff42c13 100644
--- a/terraform/gitlab/gitlab.tf.json.template.py
+++ b/terraform/gitlab/gitlab.tf.json.template.py
@@ -1,11 +1,15 @@
 from collections.abc import (
 Iterable,
 )
+import ipaddress
 from itertools import (
 chain,
 )
 import json
+from more_itertools import (
+ nth,
+)
 import yaml
 from azul import (
@@ -177,10 +181,14 @@
 # https://github.com/docker/libnetwork/blob/a79d3687931697244b8e03485bf7b2042f8ec6b6/ipamutils/utils.go#L10
 #
+all_ipv4 = '0.0.0.0/0'
+
 vpc_cidr = config.vpc_cidr
 vpn_subnet = config.vpn_subnet
+split_tunnel = not config.is_stable_deployment
+
 # The public key of that keypair
 #
 administrator_key = (
@@ -999,7 +1007,7 @@ def sq(*words):
 },
 'aws_route': {
 'gitlab': {
- 'destination_cidr_block': '0.0.0.0/0',
+ 'destination_cidr_block': all_ipv4,
 'gateway_id': '${aws_internet_gateway.gitlab.id}',
 'route_table_id': '${aws_vpc.gitlab.main_route_table_id}'
 }
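Review bot: `split_tunnel = not config.is_stable_deployment` in the @@ -177 hunk is the policy switch for this whole change, yet it carries no comment, while the neighbouring module-level settings are explained in `#` comment blocks. Suggest adding above it `# Stable deployments get a full tunnel (all client traffic routed through the VPN); other deployments keep split tunneling. The same predicate is duplicated in terraform/gitlab/vpn/Makefile and both must agree, otherwise clients ignore the redirect-gateway push.` The UPGRADING entry names prod and anvilprod as the affected deployments; the comment should say so only if `is_stable_deployment` is indeed defined by that set, which this diff does not show.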
@@ -1024,7 +1032,7 @@ def sq(*words):
 f'gitlab_{zone}': {
 'route': [
 {
- 'cidr_block': '0.0.0.0/0',
+ 'cidr_block': all_ipv4,
 'nat_gateway_id': f'${{aws_nat_gateway.gitlab_{zone}.id}}',
 'egress_only_gateway_id': None,
 'gateway_id': None,
@@ -1074,25 +1082,35 @@ def sq(*words):
 'name': 'azul-gitlab-vpn',
 'vpc_id': '${aws_vpc.gitlab.id}',
 'egress': [
- vpc.security_rule(description='Any traffic to the VPC',
- cidr_blocks=['${aws_vpc.gitlab.cidr_block}'],
+ vpc.security_rule(description='Any traffic to the '
+ f"{'VPC' if split_tunnel else 'internet'}",
+ cidr_blocks=[
+ '${aws_vpc.gitlab.cidr_block}'
+ if split_tunnel else
+ all_ipv4
+ ],
 protocol=-1,
 from_port=0,
 to_port=0),
 vpc.security_rule(description='ICMP for PMTUD',
- cidr_blocks=['0.0.0.0/0'],
+ cidr_blocks=[all_ipv4],
 protocol='icmp',
 from_port=3, # Destination Unreachable
 to_port=4) # Fragmentation required DF-flag set
 ],
 'ingress': [
- vpc.security_rule(description='Any traffic from the VPC',
- cidr_blocks=['${aws_vpc.gitlab.cidr_block}'],
+ vpc.security_rule(description='Any traffic from the '
+ f"{'VPC' if split_tunnel else 'internet'}",
+ cidr_blocks=[
+ '${aws_vpc.gitlab.cidr_block}'
+ if split_tunnel else
+ all_ipv4
+ ],
 protocol=-1,
 from_port=0,
 to_port=0),
 vpc.security_rule(description='ICMP for PMTUD',
- cidr_blocks=['0.0.0.0/0'],
+ cidr_blocks=[all_ipv4],
 protocol='icmp',
 from_port=3, # Destination Unreachable
 to_port=4) # Fragmentation required DF-flag set
@@ -1108,7 +1126,7 @@ def sq(*words):
 from_port=0,
 to_port=0),
 vpc.security_rule(description='ICMP for PMTUD',
- cidr_blocks=['0.0.0.0/0'],
+ idr_blocks=[all_ipv4],
 protocol='icmp',
 from_port=3, # Destination Unreachable
 to_port=4) # Fragmentation required DF-flag set
@@ -1120,7 +1138,7 @@ def sq(*words):
 from_port=443,
 to_port=443),
 vpc.security_rule(description='ICMP for PMTUD',
- cidr_blocks=['0.0.0.0/0'],
+ cidr_blocks=[all_ipv4],
 protocol='icmp',
 from_port=3, # Destination Unreachable
 to_port=4) # Fragmentation required DF-flag set
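Review bot: In the @@ -1074 hunk the ingress rule of `azul-gitlab-vpn` is widened to `all_ipv4` for full-tunnel deployments, which admits any protocol from any address, yet nothing in this change needs it: security groups are stateful, so replies to client-initiated connections — the only traffic full tunneling adds — are already covered by the widened egress rule. Unless some internet-side peer must initiate connections to VPN clients, keep ingress at `'${aws_vpc.gitlab.cidr_block}'` in both modes, i.e. drop the `if split_tunnel else all_ipv4` branch from the ingress `cidr_blocks` and keep the description `'Any traffic from the VPC'`. If Client VPN does not evaluate inbound rules on the endpoint's security group at all, the wider rule is inert but still misleading to the next reader.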
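Review bot: The added line in the @@ -1108 hunk reads `idr_blocks=[all_ipv4],` — the leading `c` of `cidr_blocks` is missing, at least as the hunk appears here. If that is what the commit contains, rendering the template either fails with an unexpected keyword argument (assuming `vpc.security_rule` declares its parameters) or, if the helper accepts `**kwargs`, silently emits a PMTUD rule with no CIDR restriction; it should read `cidr_blocks=[all_ipv4],` like the sibling PMTUD rules. The enclosing security-group definition starts and ends outside the hunk.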
@@ -1132,7 +1150,7 @@ def sq(*words):
 'vpc_id': '${aws_vpc.gitlab.id}',
 'egress': [
 vpc.security_rule(description='Any traffic to anywhere (to be routed by NAT Gateway)',
- cidr_blocks=['0.0.0.0/0'],
+ cidr_blocks=[all_ipv4],
 protocol=-1,
 from_port=0,
 to_port=0),
@@ -1153,7 +1171,7 @@ def sq(*words):
 from_port=4789,
 to_port=4789),
 vpc.security_rule(description='ICMP for PMTUD',
- cidr_blocks=['0.0.0.0/0'],
+ cidr_blocks=[all_ipv4],
 protocol='icmp',
 from_port=3, # Destination Unreachable
 to_port=4) # Fragmentation required DF-flag set
@@ -1178,7 +1196,7 @@ def sq(*words):
 from_port=4789,
 to_port=4789),
 vpc.security_rule(description='ICMP for PMTUD',
- cidr_blocks=['0.0.0.0/0'],
+ cidr_blocks=[all_ipv4],
 protocol='icmp',
 from_port=3, # Destination Unreachable
 to_port=4) # Fragmentation required DF-flag set
@@ -1214,7 +1232,12 @@ def sq(*words):
 'security_group_ids': ['${aws_security_group.gitlab_vpn.id}'],
 'server_certificate_arn': '${data.aws_acm_certificate.gitlab_vpn.arn}',
 'transport_protocol': 'udp',
- 'split_tunnel': True,
+ 'split_tunnel': split_tunnel,
+ 'dns_servers': [] if split_tunnel else [
+ # https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#AmazonDNS
+ str(nth(ipaddress.ip_network(vpc_cidr).hosts(), 1)),
+ '169.254.169.253'
+ ],
 'authentication_options': {
 'type': 'certificate-authentication',
 'root_certificate_chain_arn': '${data.aws_acm_certificate.gitlab_vpn.arn}'
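Review bot: In the @@ -1214 hunk, `str(nth(ipaddress.ip_network(vpc_cidr).hosts(), 1))` derives the VPC resolver indirectly, and if the host iterator is shorter than two entries `nth` returns `None`, which `str()` turns into the literal `'None'` in the endpoint's DNS list instead of an error. The linked AWS page defines the resolver as the VPC base address plus two, which `ipaddress` expresses directly and with an `IndexError` on a too-small network: `str(ipaddress.ip_network(vpc_cidr)[2]),  # Amazon-provided DNS: VPC base + 2`. That also makes the `more_itertools.nth` import added in the first hunk unnecessary. Whether `169.254.169.253` is reachable from VPN clients through the tunnel is not something this diff demonstrates; confirm that full-tunnel clients resolve via the first entry before relying on the second.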
@@ -1234,10 +1257,23 @@ def sq(*words):
 }
 for zone in range(num_zones)
 },
+ 'aws_ec2_client_vpn_route': {
+ f'gitlab_{zone}': {
+ 'client_vpn_endpoint_id': '${aws_ec2_client_vpn_endpoint.gitlab.id}',
+ 'target_vpc_subnet_id': '${aws_subnet.gitlab_public_%s.id}' % zone,
+ 'destination_cidr_block': all_ipv4
+ }
+ for zone in range(num_zones)
+ if not split_tunnel
+ },
 'aws_ec2_client_vpn_authorization_rule': {
 'gitlab': {
 'client_vpn_endpoint_id': '${aws_ec2_client_vpn_endpoint.gitlab.id}',
- 'target_network_cidr': '${aws_vpc.gitlab.cidr_block}',
+ 'target_network_cidr': (
+ '${aws_vpc.gitlab.cidr_block}'
+ if split_tunnel else
+ all_ipv4
+ ),
 'authorize_all_groups': True
 }
 },
diff --git a/terraform/gitlab/vpn/Makefile b/terraform/gitlab/vpn/Makefile
index ec8674a3d..ae3292019 100644
--- a/terraform/gitlab/vpn/Makefile
+++ b/terraform/gitlab/vpn/Makefile
@@ -57,7 +57,9 @@ config: _client
 && aws ec2 export-client-vpn-client-configuration \
 --client-vpn-endpoint-id $$endpoint \
 --output=text
- @echo "pull-filter ignore redirect-gateway"
+ @if [ "$$(AZUL_DEBUG=0 python -m azul config.is_stable_deployment)" != True ]; then \
+ echo "pull-filter ignore redirect-gateway"; \
+ fi
 @echo ""
 @cat $(EASYRSA_PKI)/issued/$(client_cn).crt | openssl x509 -inform pem
 @echo ""
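Review bot: `'${aws_subnet.gitlab_public_%s.id}' % zone` in the new `aws_ec2_client_vpn_route` block uses `%`-formatting while the NAT route earlier in this diff builds the same kind of reference with an f-string and doubled braces; for consistency write `'target_vpc_subnet_id': f'${{aws_subnet.gitlab_public_{zone}.id}}',`. Also, when `split_tunnel` is true the comprehension leaves `'aws_ec2_client_vpn_route': {}` in the output, so unless the template emitter prunes empty resource-type maps, confirm that Terraform accepts that on split-tunnel deployments. The 0.0.0.0/0 routes target the public subnets, which is correct only if those are the subnets associated with the endpoint; that association is defined outside this hunk.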
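Review bot: The new `@if [ "$$(AZUL_DEBUG=0 python -m azul config.is_stable_deployment)" != True ]` test fails open: if the `python -m azul` invocation errors (wrong virtualenv, no deployment selected), the substitution expands to an empty string, the comparison succeeds, and a split-tunnel `pull-filter` line is written into what may be a prod client profile with exit status 0. Capture the value first, abort when the command fails, and accept only the two expected spellings, as sketched below; the `config` target begins before the hunk. This also duplicates the `not config.is_stable_deployment` predicate from the Terraform template, so the two must be changed together or clients will ignore the `redirect-gateway` that a full-tunnel endpoint pushes.
```makefile
	@stable=$$(AZUL_DEBUG=0 python -m azul config.is_stable_deployment) || exit 1; \
	case "$$stable" in \
	    True) ;; \
	    False) echo "pull-filter ignore redirect-gateway" ;; \
	    *) echo "Unexpected value for is_stable_deployment: '$$stable'" >&2; exit 1 ;; \
	esac
	# … unchanged: remaining echo/cat lines …
```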