diff --git a/pkg/asset/manifests/azure/cluster.go b/pkg/asset/manifests/azure/cluster.go
index 399cc746d9..0e7bcdaa60 100644
--- a/pkg/asset/manifests/azure/cluster.go
+++ b/pkg/asset/manifests/azure/cluster.go
@@ -93,6 +93,17 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 					Destination: ptr.To("*"),
 					Action: capz.SecurityRuleActionAllow,
 				},
+				{
+					Name: fmt.Sprintf("%s_ssh_in", clusterID.InfraID),
+					Protocol: capz.SecurityGroupProtocolTCP,
+					Direction: capz.SecurityRuleDirectionInbound,
+					Priority: 220,
+					SourcePorts: ptr.To("*"),
+					DestinationPorts: ptr.To("22"),
+					Source: ptr.To(source),
+					Destination: ptr.To("*"),
+					Action: capz.SecurityRuleActionAllow,
+				},
 			},
 		},
 	}
diff --git a/pkg/infrastructure/azure/azure.go b/pkg/infrastructure/azure/azure.go
index 0539428122..47bb7b82ac 100644
--- a/pkg/infrastructure/azure/azure.go
+++ b/pkg/infrastructure/azure/azure.go
@@ -537,16 +537,6 @@ func (p *Provider) PostProvision(ctx context.Context, in clusterapi.PostProvisio
 	}
 
 	sshRuleName := fmt.Sprintf("%s_ssh_in", in.InfraID)
-	if err = addSecurityGroupRule(ctx, &securityGroupInput{
-		resourceGroupName: p.ResourceGroupName,
-		securityGroupName: fmt.Sprintf("%s-nsg", in.InfraID),
-		securityRuleName: sshRuleName,
-		securityRulePort: "22",
-		securityRulePriority: 220,
-		networkClientFactory: p.NetworkClientFactory,
-	}); err != nil {
-		return fmt.Errorf("failed to add security rule: %w", err)
-	}
 
 	loadBalancerName := in.InfraID
 	frontendIPConfigName := "public-lb-ip-v4"
diff --git a/pkg/infrastructure/azure/network.go b/pkg/infrastructure/azure/network.go
index d7aed2a883..75de4d50a5 100644
--- a/pkg/infrastructure/azure/network.go
+++ b/pkg/infrastructure/azure/network.go
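Review bot: The new rule's name, `fmt.Sprintf("%s_ssh_in", clusterID.InfraID)`, is duplicated byte-for-byte in azure.go's `sshRuleName := fmt.Sprintf("%s_ssh_in", in.InfraID)` with nothing tying the two together, so a change to either format string silently breaks whatever PostProvision still does with that name. Add a comment on the rule, `// Name must match sshRuleName in pkg/infrastructure/azure PostProvision, which builds the same string.`, or hoist the format into one shared constant. `Source: ptr.To(source)` replaces the `SourceAddressPrefix: ptr.To("*")` of the removed addSecurityGroupRule, so what can reach port 22 now depends entirely on `source`, which is defined above this hunk; a one-line comment stating what it holds would let a reviewer judge the exposure without leaving the file. If the rule is later deleted through deleteSecurityGroupRule while it remains in the AzureCluster spec, the CAPZ controller may reconcile it back — worth confirming. GenerateClusterAssets begins before this hunk.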
@@ -11,7 +11,6 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v2"
-	"k8s.io/utils/ptr"
 	capz "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -54,7 +53,6 @@ type securityGroupInput struct {
 	securityGroupName string
 	securityRuleName string
 	securityRulePort string
-	securityRulePriority int32
 	networkClientFactory *armnetwork.ClientFactory
 }
 
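Review bot: `securityRulePort` stays in securityGroupInput while `securityRulePriority` is dropped, yet the only consumer left on this page, deleteSecurityGroupRule, reads just resourceGroupName, securityGroupName and securityRuleName, so the port field looks dead once addSecurityGroupRule is gone. If no other caller sets it, remove `securityRulePort string` in the same cleanup so the struct does not advertise a parameter nothing honours. The struct's opening line is outside this hunk, and deleteSecurityGroupRule's body continues past the last hunk on this page, so a use of the field there cannot be ruled out from here.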
@@ -368,40 +366,6 @@ func associateVMToBackendPool(ctx context.Context, in vmInput) error {
 	return nil
 }
 
-func addSecurityGroupRule(ctx context.Context, in *securityGroupInput) error {
-	securityRulesClient := in.networkClientFactory.NewSecurityRulesClient()
-
-	// Assume inbound tcp connections from any port to destination port for now
-	securityRuleResp, err := securityRulesClient.BeginCreateOrUpdate(ctx,
-		in.resourceGroupName,
-		in.securityGroupName,
-		in.securityRuleName,
-		armnetwork.SecurityRule{
-			Name: ptr.To(in.securityRuleName),
-			Properties: &armnetwork.SecurityRulePropertiesFormat{
-				Access: ptr.To(armnetwork.SecurityRuleAccessAllow),
-				Direction: ptr.To(armnetwork.SecurityRuleDirectionInbound),
-				Protocol: ptr.To(armnetwork.SecurityRuleProtocolTCP),
-				DestinationAddressPrefix: ptr.To("*"),
-				DestinationPortRange: ptr.To(in.securityRulePort),
-				Priority: ptr.To[int32](in.securityRulePriority),
-				SourceAddressPrefix: ptr.To("*"),
-				SourcePortRange: ptr.To("*"),
-			},
-		},
-		nil,
-	)
-	if err != nil {
-		return fmt.Errorf("failed to add security rule: %w", err)
-	}
-	_, err = securityRuleResp.PollUntilDone(ctx, nil)
-	if err != nil {
-		return fmt.Errorf("failed to add security rule: %w", err)
-	}
-
-	return nil
-}
-
 func deleteSecurityGroupRule(ctx context.Context, in *securityGroupInput) error {
 	securityRulesClient := in.networkClientFactory.NewSecurityRulesClient()
 	securityRulesPoller, err := securityRulesClient.BeginDelete(ctx, in.resourceGroupName, in.securityGroupName, in.securityRuleName, nil)