From 3127bbdf9a3e1c61fd0460a6a36491eed8bcb869 Mon Sep 17 00:00:00 2001 From: Alexander Tivelkov Date: Tue, 10 Sep 2013 16:19:46 +0400 Subject: [PATCH] Security Group and FW settings for SQLServer (MRN-972) Deploying of MsSQLServer will create a new Security Group in OpenStack, with the proper set of ports opened and forwarded to the instance(s). SqlServer instances of the environment will be assigned to this security group. Other services will be assigned to default Security Group. Same set of ports will be opened in Windows Firewall on the VM(s) The security group will be created one per environment. If the environment has 2 or more SQLServer services, they will share the same security group. The security group will be deleted if the environment is deleted. Also, security group will be deleted if the last service of type SQLServer is deleted from the environment. Change-Id: I518fac828af4bd58e7c0b3991c4918714dd0dc94 --- .../agent/InstallMsSqlServer.template | 7 ++- .../scripts/Alter-FirewallRulesForSQL.ps1 | 61 +++++++++++++++++++ .../cf/Windows-w-SQL-security.template | 59 ++++++++++++++++++ data/workflows/MsSqlServer.xml | 2 +- 4 files changed, 127 insertions(+), 2 deletions(-) create mode 100644 data/templates/agent/scripts/Alter-FirewallRulesForSQL.ps1 create mode 100644 data/templates/cf/Windows-w-SQL-security.template diff --git a/data/templates/agent/InstallMsSqlServer.template b/data/templates/agent/InstallMsSqlServer.template index 8a75996..d1eaacc 100644 --- a/data/templates/agent/InstallMsSqlServer.template +++ b/data/templates/agent/InstallMsSqlServer.template @@ -4,7 +4,8 @@ "OptionParser.ps1", "SQLServerOptionParsers.ps1", "SQLServerInstaller.ps1", - "Install-SQLServer.ps1" + "Install-SQLServer.ps1", + "Alter-FirewallRulesForSQL.ps1" ], "Commands": [ { @@ -13,6 +14,10 @@ "SAPassword": "$saPassword", "MixedModeAuth": "$mixedModeAuth" } + }, + { + "Name": "Enable-SQLExternalAccess", + "Arguments": {} } ], "RebootOnCompletion": 0 
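Review bot: The new `Enable-SQLExternalAccess` command is issued with `"Arguments": {}`, so the host-firewall opening it triggers cannot be scoped per deployment, whereas the neighbouring install step already takes `$saPassword` and `$mixedModeAuth` from the workflow. If the firewall script gains a remote-address (or port-list) parameter this is where it should be threaded through, e.g. `"Arguments": {"RemoteIp": "$allowedCidr"}`; as written the ports are presumably opened to any source on the VM. The enclosing `Commands` array opens in the previous hunk, so I cannot see whether any earlier command constrains this.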
diff --git a/data/templates/agent/scripts/Alter-FirewallRulesForSQL.ps1 b/data/templates/agent/scripts/Alter-FirewallRulesForSQL.ps1
new file mode 100644
index 0000000..2e2594f
--- /dev/null
+++ b/data/templates/agent/scripts/Alter-FirewallRulesForSQL.ps1
@@ -0,0 +1,61 @@
+trap {
+ &$TrapHandler
+}
+
+
+$FW_Rules = @{
+ "SQL Server Data Connection" = "1433";
+ "SQL Admin Connection" = "1434";
+ "SQL Service Broker" = "4022";
+ "SQL Debugger/RPC"="135";
+}
+
+
+$FW_Proto = "TCP"
+
+
+function Add-NetshFirewallRule {
+ param (
+ [HashTable] $hshRules,
+ [String] $proto
+ )
+
+
+ foreach ($h in $hshRules.GetEnumerator()) {
+ try {
+ $command="advfirewall firewall add rule name=`"$($h.Name)`" dir=in action=allow protocol=$proto localport=$($h.Value)"
+ Start-Process -FilePath netsh -ArgumentList $command -Wait
+ }
+ catch {
+ $except= $_ | Out-String
+ Write-LogError "Add rule $($h.Name) FAILS with $except"
+ }
+ }
+}
+
+function Remove-NetShFirewallRule {
+ param (
+ [HashTable] $hshRules
+ )
+
+ foreach ($h in $hshRules.GetEnumerator()) {
+ try {
+ $command="advfirewall firewall delete rule name=`"$($h.Name)`""
+ Start-Process -FilePath netsh -ArgumentList $command -Wait
+ }
+ catch {
+ $except= $_ | Out-String
+ Write-LogError "Delete rule $($h.Name) FAILS with $except"
+ }
+ }
+}
+
+
+function Enable-SQLExternalAccess {
+ Add-NetshFirewallRule $FW_Rules $FW_Proto
+}
+
+
+function Disable-SQLExternalAccess {
+ Remove-NetShFirewallRule $FW_Rules $FW_Proto
+}
diff --git a/data/templates/cf/Windows-w-SQL-security.template b/data/templates/cf/Windows-w-SQL-security.template
new file mode 100644
index 0000000..5590cb5
--- /dev/null
+++ b/data/templates/cf/Windows-w-SQL-security.template
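Review bot: A netsh failure is never detected in `Add-NetshFirewallRule`: `Start-Process -FilePath netsh ... -Wait` only throws when netsh itself cannot be launched, so a rule that netsh rejects (or an unelevated run) exits non-zero without entering the `catch`, and the script reports success while the port stays closed. Capture the process with `-PassThru` and log when `.ExitCode` is non-zero; the same applies to `Remove-NetShFirewallRule`. Separately, the rule carries no `remoteip=` (or `profile=`) qualifier, so each port is allowed from any source on every profile — take an optional remote-address scope (netsh's default `any` keeps current behaviour) so the host firewall is not a no-op behind the wide-open security group in the companion template. Also, `Disable-SQLExternalAccess` passes `$FW_Proto` to `Remove-NetShFirewallRule`, which declares only `$hshRules`; in a simple function the extra argument appears to be silently collected into `$args`, so either drop it or declare the parameter.
```powershell
function Add-NetshFirewallRule {
    param (
        [HashTable] $hshRules,
        [String] $proto,
        [String] $remoteIp = "any"   # netsh default; pass a CIDR or list to scope the rule
    )

    foreach ($h in $hshRules.GetEnumerator()) {
        try {
            $command = "advfirewall firewall add rule name=`"$($h.Name)`" dir=in action=allow protocol=$proto localport=$($h.Value) remoteip=$remoteIp"
            $proc = Start-Process -FilePath netsh -ArgumentList $command -Wait -PassThru
            if ($proc.ExitCode -ne 0) {
                Write-LogError "Add rule $($h.Name) FAILS with netsh exit code $($proc.ExitCode)"
            }
        }
        # … unchanged: catch block …
    }
}
# … unchanged: Remove-NetShFirewallRule (apply the same -PassThru / ExitCode check) …
```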
@@ -0,0 +1,59 @@
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+
+ "Parameters": {
+ "KeyName": {
+ "Description": "Key Pair name for Load Balancer",
+ "Type": "String",
+ "Default": "murano-lb-key"
+ }
+ },
+
+ "Resources": {
+ "$instanceName": {
+ "Type": "AWS::EC2::Instance",
+ "Properties": {
+ "InstanceType": "$instanceType",
+ "ImageId": "$imageName",
+ "AvailabilityZone": "$availabilityZone",
+ "UserData": "$userData",
+ "SecurityGroups" : [ {"Ref" : "MsSqlSecuritygroup"} ]
+ }
+ },
+ "MsSqlSecuritygroup": {
+ "Type": "AWS::EC2::SecurityGroup",
+ "Properties": {
+ "SecurityGroupIngress": [
+ {
+ "ToPort": 4022,
+ "IpProtocol": "tcp",
+ "FromPort": 4022,
+ "CidrIp": "0.0.0.0/0"
+ },
+ {
+ "ToPort": 135,
+ "IpProtocol": "tcp",
+ "FromPort": 135,
+ "CidrIp": "0.0.0.0/0"
+ },
+ {
+ "ToPort": 1433,
+ "IpProtocol": "tcp",
+ "FromPort": 1433,
+ "CidrIp": "0.0.0.0/0"
+ },
+ {
+ "ToPort": 1434,
+ "IpProtocol": "tcp",
+ "FromPort": 1434,
+ "CidrIp": "0.0.0.0/0"
+ }
+ ],
+ "GroupDescription": "Enable MS SQL access"
+ }
+ }
+ },
+
+ "Outputs": {
+ }
+}
diff --git a/data/workflows/MsSqlServer.xml b/data/workflows/MsSqlServer.xml
index 070932c..5fee60e
--- a/data/workflows/MsSqlServer.xml
+++ b/data/workflows/MsSqlServer.xml
@@ -13,7 +13,7 @@ (
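Review bot: Every ingress rule in `MsSqlSecuritygroup` uses `"CidrIp": "0.0.0.0/0"`, so TCP 135 (the RPC endpoint mapper, labelled in the companion script as the SQL debugger port), 1434 (dedicated admin connection), 1433 and 4022 are reachable from any address the instance is routable from; the commit message's "proper set of ports" is not scoped to any source at all. The source range should be a template variable in the same style as `$instanceType`, e.g. `"CidrIp": "$allowedCidr"`, defaulting to the environment's own network, and 135 should be dropped unless remote T-SQL debugging is a deliberate requirement — it is the widest attack surface of the four and is not needed for client connectivity. Unrelated to the ports, the `KeyName` parameter ("Key Pair name for Load Balancer") is declared but never referenced under `Resources`, so it looks copied from another template; drop it or correct the description.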