Tolerate https scheme & update docs (#8)

* Tolerate https scheme & update docs Private networks may need to have the policy updated for VPC endpoints, otherwise gitpod-network-check will fail. * Cleanup
gitpod-io · Aug 21, 2024 · e6e821a · e6e821a
1 parent 355e5fc
commit e6e821a
Show file tree

Hide file tree

Showing 3 changed files with 89 additions and 4 deletions.
diff --git a/gitpod-network-check/README.md b/gitpod-network-check/README.md
@@ -100,3 +100,74 @@ A CLI to check if your network setup is suitable for the installation of Gitpod.
    INFO[0122] ✅ Security group 'sg-0a6119dcb6a564fc1' deleted
    INFO[0122] ✅ Security group 'sg-07373362953212e54' deleted
    ```
+
+## FAQ
+
+If the EC2 instances are timing out, or you cannot connect to them with Session Manager, be sure to add the following policies.
+
+For the ssm vpc endpoint, add the following policy:
+
+```json
+{
+   "Effect": "Allow",
+   "Action": [
+      "*"
+   ],
+   "Resource": [
+      "*"
+   ],
+   "Principal": {
+      "AWS": [
+         "*"
+      ]
+   },
+   "Condition": {
+      "ArnEquals": {
+         "aws:PrincipalArn": "arn:aws:iam::<aws-account-id>:role/GitpodNetworkCheck"
+      }
+   }
+},
+{
+   "Effect": "Allow",
+   "Action": [
+      "*"
+   ],
+   "Resource": [
+      "*"
+   ],
+   "Principal": {
+      "AWS": [
+         "*"
+      ]
+   },
+   "Condition": {
+      "StringEquals": {
+         "ec2:InstanceProfile": "arn:aws:iam::<aws-account-id>:instance-profile/GitpodNetworkCheck"
+      }
+   }
+}
+```
+
+For the ec2messages and ssmmessages vpc endpoints, add the following policy:
+
+```json
+{
+   "Effect": "Allow",
+   "Action": [
+      "*"
+   ],
+   "Resource": [
+      "*"
+   ],
+   "Principal": {
+      "AWS": [
+         "*"
+      ]
+   },
+   "Condition": {
+      "ArnEquals": {
+         "aws:PrincipalArn": "arn:aws:iam::<aws-account-id>:role/GitpodNetworkCheck"
+      }
+   }
+}
+```
diff --git a/gitpod-network-check/cmd/checks.go b/gitpod-network-check/cmd/checks.go
@@ -5,6 +5,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"net/url"
 	"slices"
 	"sort"
 	"strings"
@@ -129,7 +130,20 @@ var checkCommand = &cobra.Command{ // nolint:gochecknoglobals
 		httpHosts := map[string]string{}
 		for _, v := range networkConfig.HttpsHosts {
 			host := strings.TrimSpace(v)
-			httpHosts[host] = fmt.Sprintf("https://%s", host)
+			parsedUrl, err := url.Parse(host)
+			if err != nil {
+				log.Warnf("🚧 Invalid Host: %s, skipping due to error: %v", host, err)
+				continue
+			}
+
+			if parsedUrl.Scheme == "" {
+				httpHosts[host] = fmt.Sprintf("https://%s", host)
+			} else if parsedUrl.Scheme == "https" {
+				httpHosts[host] = parsedUrl.Host
+			} else {
+				log.Warnf("🚧 Unsupported scheme: %s, skipping test for %s", parsedUrl.Scheme, host)
+				continue
+			}
 		}
 		if len(httpHosts) > 0 {
 			log.Infof("ℹ️  Checking if hosts can be reached with HTTPS from ec2 instances in the main subnets")

diff --git a/gitpod-network-check/gitpod-network-check.yaml b/gitpod-network-check/gitpod-network-check.yaml
@@ -1,5 +1,5 @@
 log-level: debug # Options: debug, info, warning, error
 region: eu-central-1
-main-subnets: subnet-0a195092eb78c7674, subnet-05db6651c2ef39639
-pod-subnets: subnet-00a5f0d10253fb33c, subnet-09f658fd789fc9b84
-https-hosts: accounts.google.com, github.com
+main-subnets: subnet-017c6a80f4879d851, subnet-0215744d52cd1c01f
+pod-subnets: subnet-00a118009d1d572a5, subnet-062288af00ba50d86
+https-hosts: accounts.google.com, https://github.com