1 | 'use strict'
|
2 |
|
3 | let cli = require('heroku-cli-util')
|
4 | let co = require('co')
|
5 | const { SpaceCompletion } = require('@heroku-cli/command/lib/completions')
|
6 |
|
/**
 * Completion source for the --protocol flag.
 *
 * The candidate list is static, so `options` ignores its argument and always
 * resolves to the same five strings. They match the protocols named in the
 * --protocol flag description.
 */
const ProtocolCompletion = {
  // 365 * 24 * 60 * 60 = 31536000; presumably seconds (one year) — the unit is
  // defined by the completion framework, not by this file.
  cacheDuration: 365 * 24 * 60 * 60,
  options: async (ctx) => ['tcp', 'udp', 'icmp', '0-255', 'any']
}
|
13 |
|
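/**
 * Append one egress rule to a Private Space's outbound ruleset and save it.
 *
 * This is a generator meant to be driven by `co`: every `yield` hands a value
 * produced by the project's outbound-rules helper back to the runner.
 *
 * @param {object} context - CLI context; reads `flags.space`, `flags.dest`,
 *   `flags.protocol` and `flags.port`.
 * @param {object} heroku - API client handed to the outbound-rules helper.
 * @throws {Error} If `--space` or `--dest` is missing.
 */
function * run (context, heroku) {
  const { space, dest, protocol, port } = context.flags

  // Validate before loading the helper or touching the API, so that a bad
  // invocation never reaches the read-modify-write below.
  if (!space) throw new Error('Space name required.')
  // Without --dest the rule would be pushed with `target: undefined`; reject it
  // here instead of relying on the API to refuse a rule with no destination.
  if (!dest) throw new Error('Destination CIDR required.')

  // NOTE(review): the command's flag list declares --confirm ("set to space
  // name to bypass confirm prompt"), but nothing in this function reads it and
  // no prompt is shown before the egress policy is changed. Confirm whether a
  // confirmation step is intended for this command.
  const lib = require('../../lib/outbound-rules')(heroku)

  // NOTE(review): the whole ruleset is fetched, modified locally and written
  // back. Two concurrent edits could presumably overwrite each other unless
  // the helper or the API guards against it; verify.
  const ruleset = yield lib.getOutboundRules(space)
  ruleset.rules = ruleset.rules || []

  // parsePorts is given the protocol as well as the port text; its validation
  // rules live in the helper and are not visible from this file.
  const ports = yield lib.parsePorts(protocol, port)
  ruleset.rules.push({
    target: dest,
    from_port: ports[0],
    // A single port yields a one-port range: to_port falls back to from_port.
    to_port: ports[1] || ports[0],
    protocol
  })

  yield lib.putOutboundRules(space, ruleset)
  cli.log(`Added rule to the Outbound Rules of ${cli.color.cyan.bold(space)}`)
  cli.warn('Modifying the Outbound Rules may break Add-ons for Apps in this Private Space')
}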
|
30 |
|
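/**
 * Command definition for `heroku outbound-rules:add`.
 *
 * The command needs authentication but no app, is hidden from the command
 * listing (`hidden: true`), and delegates to the `run` generator through
 * `co.wrap` and `cli.command`.
 */
module.exports = {
  topic: 'outbound-rules',
  command: 'add',
  description: 'Add outbound rules to a Private Space',
  // The sample output lines below mirror the message run() actually logs
  // ("Added rule to the Outbound Rules of <space>"); the earlier text showed a
  // different sentence and a CIDR that did not match the example command.
  // The last example (0.0.0.0/0, protocol any, port any) is the broadest rule
  // this command can express: it allows egress to every destination.
  help: `
The destination flag uses CIDR notation.

Example:

$ heroku outbound-rules:add --space my-space --dest 192.168.2.0/24 --protocol tcp --port 80
Added rule to the Outbound Rules of my-space

Example with port range:

$ heroku outbound-rules:add --space my-space --dest 192.168.2.0/24 --protocol tcp --port 80-100
Added rule to the Outbound Rules of my-space

Example opening up everything

$ heroku outbound-rules:add --space my-space --dest 0.0.0.0/0 --protocol any --port any
Added rule to the Outbound Rules of my-space

ICMP Rules
The ICMP protocol has types, not ports, but the underlying systems treat them as the same. For this reason,
when you want to allow ICMP traffic you will use the --port flag to specify the ICMP types you want to
allow. ICMP types are numbered, 0-255.
`,
  needsApp: false,
  needsAuth: true,
  hidden: true,
  args: [],
  flags: [
    { name: 'space', char: 's', hasValue: true, description: 'space to add rule to', completion: SpaceCompletion },
    // NOTE(review): run() in this file never reads flags.confirm and shows no
    // prompt, so this flag currently has no visible effect; confirm intent.
    { name: 'confirm', hasValue: true, description: 'set to space name to bypass confirm prompt' },
    { name: 'dest', hasValue: true, description: 'target CIDR block dynos are allowed to communicate with' },
    { name: 'protocol', hasValue: true, description: 'the protocol dynos are allowed to use when communicating with hosts in destination CIDR block. Valid protocols are "tcp", "udp", "icmp", "0-255" and "any".', completion: ProtocolCompletion },
    { name: 'port', hasValue: true, description: 'the port dynos are allowed to use when communicating with hosts in destination CIDR block. Accepts a range in `<lowest port>-<highest port>` format. 0 is the minimum. The maximum port allowed is 65535, except for ICMP with a maximum of 255.' }
  ],
  run: cli.command(co.wrap(run))
}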
|