Security Group and FW settings for SQLServer (MRN-972)

Deploying of MsSQLServer will create a new Security Group in OpenStack, with the proper set of ports opened and forwarded to the instance(s). SqlServer instances of the environment will be assigned to this security group. Other services will be assigned to default Security Group. Same set of ports will be opened in Windows Firewall on the VM(s) The security group will be created one per environment. If the environment has 2 or more SQLServer services, they will share the same security group. The security group will be deleted if the environment is deleted. Also, security group will be deleted if the last service of type SQLServer is deleted from the environment. Change-Id: I518fac828af4bd58e7c0b3991c4918714dd0dc94
2013-09-10 16:19:46 +04:00 · 2013-09-10 16:19:46 +04:00 · 3127bbdf9a
commit 3127bbdf9a
parent 0c660bea1b
4 changed files with 127 additions and 2 deletions
--- a/data/templates/agent/InstallMsSqlServer.template
+++ b/data/templates/agent/InstallMsSqlServer.template
@ -4,7 +4,8 @@
    "OptionParser.ps1",
    "SQLServerOptionParsers.ps1",
    "SQLServerInstaller.ps1",
-    "Install-SQLServer.ps1"
+    "Install-SQLServer.ps1",
+    "Alter-FirewallRulesForSQL.ps1"
  ],
  "Commands": [
    {
@ -13,6 +14,10 @@
        "SAPassword": "$saPassword",
        "MixedModeAuth": "$mixedModeAuth"
      }
+    },
+    {
+      "Name": "Enable-SQLExternalAccess",
+      "Arguments": {}
    }
  ],
  "RebootOnCompletion": 0
--- a/data/templates/agent/scripts/Alter-FirewallRulesForSQL.ps1
+++ b/data/templates/agent/scripts/Alter-FirewallRulesForSQL.ps1
@ -0,0 +1,61 @@
+trap {
+    &$TrapHandler
+}
+
+
+$FW_Rules = @{
+    "SQL Server Data Connection" = "1433";
+    "SQL Admin Connection" = "1434";
+    "SQL Service Broker" = "4022";
+    "SQL Debugger/RPC"="135";
+}
+
+
+$FW_Proto = "TCP"
+
+
+function Add-NetshFirewallRule {
+    param (
+        [HashTable] $hshRules,
+        [String] $proto
+    )
+
+
+    foreach ($h in $hshRules.GetEnumerator()) {
+        try {
+            $command="advfirewall firewall add rule name=`"$($h.Name)`" dir=in action=allow protocol=$proto localport=$($h.Value)"
+            Start-Process -FilePath netsh -ArgumentList $command -Wait
+        }
+        catch {
+            $except= $_ | Out-String
+            Write-LogError "Add rule $($h.Name) FAILS with $except"
+        }
+    }
+}
+
+function Remove-NetShFirewallRule {
+    param (
+        [HashTable] $hshRules
+    )
+
+    foreach ($h in $hshRules.GetEnumerator()) {
+        try {
+            $command="advfirewall firewall delete rule name=`"$($h.Name)`""
+            Start-Process -FilePath netsh -ArgumentList $command -Wait
+        }
+        catch {
+            $except= $_ | Out-String
+            Write-LogError "Delete rule $($h.Name) FAILS with $except"
+        }
+    }
+}
+
+
+function Enable-SQLExternalAccess {
+    Add-NetshFirewallRule $FW_Rules $FW_Proto
+}
+
+
+function Disable-SQLExternalAccess {
+    Remove-NetshFirewallRule $FW_Rules $FW_Proto
+}
--- a/data/templates/cf/Windows-w-SQL-security.template
+++ b/data/templates/cf/Windows-w-SQL-security.template
@ -0,0 +1,59 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+
+    "Parameters": {
+        "KeyName": {
+            "Description": "Key Pair name for Load Balancer",
+            "Type": "String",
+            "Default": "murano-lb-key"
+        }
+    },
+
+    "Resources": {
+        "$instanceName": {
+            "Type": "AWS::EC2::Instance",
+            "Properties": {
+                "InstanceType": "$instanceType",
+                "ImageId": "$imageName",
+                "AvailabilityZone": "$availabilityZone",
+                "UserData": "$userData",
+                "SecurityGroups" : [ {"Ref" : "MsSqlSecuritygroup"} ]
+            }
+        },
+        "MsSqlSecuritygroup": {
+            "Type": "AWS::EC2::SecurityGroup",
+            "Properties": {
+                "SecurityGroupIngress": [
+                    {
+                        "ToPort": 4022,
+                        "IpProtocol": "tcp",
+                        "FromPort": 4022,
+                        "CidrIp": "0.0.0.0/0"
+                    },
+                    {
+                        "ToPort": 135,
+                        "IpProtocol": "tcp",
+                        "FromPort": 135,
+                        "CidrIp": "0.0.0.0/0"
+                    },
+                    {
+                        "ToPort": 1433,
+                        "IpProtocol": "tcp",
+                        "FromPort": 1433,
+                        "CidrIp": "0.0.0.0/0"
+                    },
+                    {
+                        "ToPort": 1434,
+                        "IpProtocol": "tcp",
+                        "FromPort": 1434,
+                        "CidrIp": "0.0.0.0/0"
+                    }
+                ],
+                "GroupDescription": "Enable MS SQL access"
+            }
+        }
+    },
+    
+    "Outputs": {
+    }
+}
--- a/data/workflows/MsSqlServer.xml
+++ b/data/workflows/MsSqlServer.xml
@ -13,7 +13,7 @@
 			<parameter name="id"><select path="id"/></parameter>
 			<parameter name="text">Creating instance <select path="state.hostname"/> (<select path="name"/>)</parameter>
 		</report>
-		<update-cf-stack template="Windows" error="exception">
+		<update-cf-stack template="Windows-w-SQL-security" error="exception">
 			<parameter name="mappings">
 				<map>
 					<mapping name="instanceName"><select path="state.hostname"/></mapping>