fix: replace 0.0.0.0/0 WinRM SG with per-run runner-scoped SG (#663)

Author: sky333999

terraform/ec2/win/main.tf

@@ -33,6 +33,40 @@ locals {
   ssm_parameter_name  = "WindowsAgentConfigSSMTest-${module.common.testing_id}"
 }
 
+#####################################################################
+# Per-run Security Group for WinRM access from CI runner
+#####################################################################
+
+resource "aws_security_group" "winrm_runner" {
+  name        = "cwagent-integ-win-sg-${module.common.testing_id}"
+  description = "WinRM access from CI runner for test ${module.common.testing_id}"
+  vpc_id      = module.basic_components.vpc_id
+
+  ingress {
+    description = "WinRM HTTP from CI runner"
+    from_port   = 5985
+    to_port     = 5985
+    protocol    = "tcp"
+    cidr_blocks = [var.runner_ip]
+  }
+
+  ingress {
+    description = "WinRM HTTPS from CI runner"
+    from_port   = 5986
+    to_port     = 5986
+    protocol    = "tcp"
+    cidr_blocks = [var.runner_ip]
+  }
+
+  ingress {
+    description = "RDP from CI runner"
+    from_port   = 3389
+    to_port     = 3389
+    protocol    = "tcp"
+    cidr_blocks = [var.runner_ip]
+  }
+}
+
 #####################################################################
 # Prepare Parameters Tests
 #####################################################################
@@ -59,7 +93,7 @@ resource "aws_instance" "cwagent" {
   instance_type                        = var.ec2_instance_type
   key_name                             = local.ssh_key_name
   iam_instance_profile                 = module.basic_components.instance_profile
-  vpc_security_group_ids               = [module.basic_components.security_group]
+  vpc_security_group_ids               = [module.basic_components.security_group, aws_security_group.winrm_runner.id]
   associate_public_ip_address          = true
   instance_initiated_shutdown_behavior = "terminate"
   user_data                            = length(regexall("/feature/windows/custom_start/userdata", var.test_dir)) > 0 ? data.template_file.user_data.rendered : ""

terraform/ec2/win/variable.tf

@@ -69,4 +69,10 @@ variable "github_test_repo" {
 variable "github_test_repo_branch" {
   type    = string
   default = "main"
-}
+}
+
+variable "runner_ip" {
+  type        = string
+  description = "CIDR of the CI runner (e.g. 1.2.3.4/32) allowed to connect via WinRM"
+  default     = "127.0.0.1/32"
+}

terraform/performance/main.tf

@@ -40,6 +40,32 @@ module "validator" {
   values_per_minute   = var.values_per_minute
 }
 
+#####################################################################
+# Per-run Security Group for SSH/WinRM access from CI runner
+#####################################################################
+
+resource "aws_security_group" "runner_access" {
+  name        = "cwagent-integ-perf-sg-${module.common.testing_id}"
+  description = "SSH/WinRM access from CI runner for test ${module.common.testing_id}"
+  vpc_id      = module.basic_components.vpc_id
+
+  ingress {
+    description = "SSH from CI runner"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = [var.runner_ip]
+  }
+
+  ingress {
+    description = "WinRM HTTP from CI runner"
+    from_port   = 5985
+    to_port     = 5985
+    protocol    = "tcp"
+    cidr_blocks = [var.runner_ip]
+  }
+}
+
 #####################################################################
 # Generate EC2 Instance and execute test commands
 #####################################################################
@@ -49,7 +75,7 @@ resource "aws_instance" "cwagent" {
   instance_type                        = var.ec2_instance_type
   key_name                             = local.ssh_key_name
   iam_instance_profile                 = module.basic_components.instance_profile
-  vpc_security_group_ids               = [module.basic_components.security_group]
+  vpc_security_group_ids               = [module.basic_components.security_group, aws_security_group.runner_access.id]
   get_password_data                    = local.connection_type == "winrm" ? true : false
   associate_public_ip_address          = true
   instance_initiated_shutdown_behavior = "terminate"

terraform/performance/variables.tf

@@ -78,4 +78,10 @@ variable "github_test_repo_branch" {
 variable "run_mock_server" {
   type    = bool
   default = false
-}
+}
+
+variable "runner_ip" {
+  type        = string
+  description = "CIDR of the CI runner (e.g. 1.2.3.4/32) allowed to connect via SSH/WinRM"
+  default     = "127.0.0.1/32"
+}

terraform/setup/vpc.tf

@@ -61,14 +61,6 @@ resource "aws_security_group" "ec2_security_group" {
     cidr_blocks = ["0.0.0.0/0"]
   }
 
-  // OpenSSH and others ssh into EC2 Instance
-  ingress {
-    from_port   = 22
-    to_port     = 22
-    protocol    = "TCP"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
   // localstack http and https
   ingress {
     from_port   = 4566
@@ -77,27 +69,15 @@ resource "aws_security_group" "ec2_security_group" {
     cidr_blocks = ["0.0.0.0/0"]
   }
 
-  // WinRM http https://developer.hashicorp.com/terraform/language/resources/provisioners/connection#argument-reference
-  ingress {
-    from_port   = 5985
-    to_port     = 5985
-    protocol    = "TCP"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+  // Management ports (WinRM, RDP) are NOT in the shared SG.
+  // They are created per-run in the compute-specific modules (ec2/win)
+  // scoped to the CI runner's IP. See terraform/ec2/win/main.tf.
 
-  // WinRM https https://developer.hashicorp.com/terraform/language/resources/provisioners/connection#argument-reference
+  // SSH: still in shared SG until Linux modules are updated to use per-run SGs.
   ingress {
-    from_port   = 5986
-    to_port     = 5986
+    from_port   = 22
+    to_port     = 22
     protocol    = "TCP"
     cidr_blocks = ["0.0.0.0/0"]
   }
-
-  // RDP https://en.wikipedia.org/wiki/Remote_Desktop_Protocol
-  ingress {
-    from_port   = 3389
-    to_port     = 3389
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
 }

terraform/stress/main.tf

@@ -40,6 +40,32 @@ module "validator" {
   values_per_minute   = var.values_per_minute
 }
 
+#####################################################################
+# Per-run Security Group for SSH/WinRM access from CI runner
+#####################################################################
+
+resource "aws_security_group" "runner_access" {
+  name        = "cwagent-integ-stress-sg-${module.common.testing_id}"
+  description = "SSH/WinRM access from CI runner for test ${module.common.testing_id}"
+  vpc_id      = module.basic_components.vpc_id
+
+  ingress {
+    description = "SSH from CI runner"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = [var.runner_ip]
+  }
+
+  ingress {
+    description = "WinRM HTTP from CI runner"
+    from_port   = 5985
+    to_port     = 5985
+    protocol    = "tcp"
+    cidr_blocks = [var.runner_ip]
+  }
+}
+
 #####################################################################
 # Generate EC2 Instance and execute test commands
 #####################################################################
@@ -49,7 +75,7 @@ resource "aws_instance" "cwagent" {
   instance_type                        = var.ec2_instance_type
   key_name                             = local.ssh_key_name
   iam_instance_profile                 = module.basic_components.instance_profile
-  vpc_security_group_ids               = [module.basic_components.security_group]
+  vpc_security_group_ids               = [module.basic_components.security_group, aws_security_group.runner_access.id]
   get_password_data                    = local.connection_type == "winrm" ? true : false
   associate_public_ip_address          = true
   instance_initiated_shutdown_behavior = "terminate"

terraform/stress/variables.tf

@@ -66,3 +66,9 @@ variable "family" {
     error_message = "Valid values for family are (windows, linux)."
   }
 }
+
+variable "runner_ip" {
+  type        = string
+  description = "CIDR of the CI runner (e.g. 1.2.3.4/32) allowed to connect via SSH/WinRM"
+  default     = "127.0.0.1/32"
+}