Closed Bug 1139668 Opened 9 years ago Closed 9 years ago

Allow access to internal KMS for AWS releng vpcs

Categories: Infrastructure & Operations Graveyard :: NetOps: DC ACL Request (type: task)
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: q, Assigned: jbarnell

Details

Need VPC access from these zones:

VPC us-west-1   releng.usw1   10.130.0.0/16
VPC us-west-2   releng.usw2   10.132.0.0/16
VPC us-east-1   releng.use1   10.134.0.0/16

to kms1.ad.mozilla.com 10.22.69.24
on tcp port 1688
FW1.SCL3:

{primary:node0}[edit]
jbarnell@fw1.scl3.mozilla.net# show | compare 
[edit security policies from-zone dc to-zone db]
      policy ldapmaster1--ldap { ... }
+     policy kms {
+         match {
+             source-address [ us-west-1.releng us-west-2.releng us-east-1.releng ];
+             destination-address kms1.ad;
+             application kms;
+         }
+         then {
+             permit;
+         }
+     }
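Review bot: the `then { permit; }` block of `policy kms` carries no `log` statement, so the new dc-to-db flow from the three releng VPC prefixes to kms1.ad will be permitted without any session record on the firewall; adding `log { session-close; }` under `then` would let the requester confirm the activation traffic actually traverses this policy and would leave a trail for anything else matching `application kms`. The compare also does not show the `kms` application object or the `kms1.ad` and `*.releng` address-book entries the policy references, so they either pre-existed or were committed separately; it is worth confirming that `kms` is tcp/1688 and `kms1.ad` is 10.22.69.24, as the request states, before asking for a test.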


This is complete; there is no need to add policies to FW1.RELENG.SCL3, as there is an existing permit-all from the VPC to the DC.

Please test and confirm
Assignee: network-operations → jbarnell
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
nuked in bug 1162352

re-added per request:
jbircher@fw1.ops.scl3.mozilla.net# show | compare 
[edit security policies from-zone dc to-zone db]
      policy bug-1204792--mysql { ... }
+     policy bug-1139668-kms {
+         match {
+             source-address [ us-west-1.releng us-west-2.releng us-east-1.releng ];
+             destination-address kms1.ad.db.scl3;
+             application kms;
+         }
+         then {
+             permit;
+         }
+     }
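Review bot: the destination object here is `kms1.ad.db.scl3` rather than the `kms1.ad` used in the original policy, and as before the compare shows neither that address-book entry nor the `kms` application definition; confirm the new object still resolves to 10.22.69.24 with `kms` as tcp/1688 so the re-add restores the same reachability and not a different host. Naming the policy `bug-1139668-kms` matches the neighbouring `bug-1204792--mysql` convention and is clearer than the bare `kms` name; the `then { permit; }` block would still benefit from `log { session-close; }` so the re-enabled flow is visible in the session log.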
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard