From 3a65cdadfee85229962ff395c24e4681f29b71bf Mon Sep 17 00:00:00 2001
From: Jonathan Fortin
Date: Tue, 11 Aug 2020 11:34:24 -0400
Subject: [PATCH] Limit SSH node security group to Bastion IP

---
 pkg/cmd/ssh_aws.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/ssh_aws.go b/pkg/cmd/ssh_aws.go
index 4aa4a28e7..c53bbd5b9 100644
--- a/pkg/cmd/ssh_aws.go
+++ b/pkg/cmd/ssh_aws.go
@@ -194,7 +194,7 @@ func (a *AwsInstanceAttribute) createBastionHostSecurityGroup() {
 	fmt.Println("Bastion host security group set up.")
 
 	// add shh rule to ec2 instance
-	arguments = fmt.Sprintf("aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port 22 --cidr 0.0.0.0/0", a.SecurityGroupID)
+	arguments = fmt.Sprintf("aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port 22 --cidr %s/32", a.SecurityGroupID, a.BastionIP)
 	captured = capture()
 	operate("aws", arguments)
 	_, err = captured()
@@ -336,7 +336,7 @@ func (a *AwsInstanceAttribute) cleanupAwsBastionHost() {
 
 	// remove shh rule from ec2 instance
 	fmt.Println(" (2/3) Close SSH Port on Node.")
-	arguments = fmt.Sprintf("aws ec2 revoke-security-group-ingress --group-id %s --protocol tcp --port 22 --cidr 0.0.0.0/0", a.SecurityGroupID)
+	arguments = fmt.Sprintf("aws ec2 revoke-security-group-ingress --group-id %s --protocol tcp --port 22 --cidr %s/32", a.SecurityGroupID, a.BastionIP)
 	captured = capture()
 	operate("aws", arguments)
 	capturedOutput, err = captured()
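Review bot: The new `--cidr %s/32` argument in createBastionHostSecurityGroup is built from `a.BastionIP` with no check that the field is populated or holds an IPv4 address, so an empty or IPv6 value yields `--cidr /32` or a wrong prefix length and the authorize call is rejected by the AWS CLI instead of being caught here; a guard such as `if ip := net.ParseIP(a.BastionIP); ip == nil || ip.To4() == nil { return }` (with a logged message) before the Sprintf would fail early, and the same guard belongs in front of the revoke in cleanupAwsBastionHost, which has the identical problem. If BastionIP is the bastion's public address while the bastion reaches the node over the VPC's private network, the /32 rule will not match the real source address — confirm which address is stored, or consider `--source-group` with the bastion's security group ID so the rule follows the bastion regardless of its IP. Security groups created by the previous version still carry the 0.0.0.0/0 rule, and the new revoke will leave it in place. Both enclosing functions begin and end outside the hunks.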