cloudposse-archives/terraform-aws-jenkins

Feature request: Have a variable for IP address/range control

Closed this issue · 5 comments

Hi,

It would be nice to have a variable in the module to control from which IP address/range Jenkins would be accessible. Some projects don't want Jenkins exposed to 0.0.0.0/0 and require that Jenkins is only accessible through the company's IP address(es).

Ivan Pinatti

@ivan-pinatti
Are you talking about SSH access to the Jenkins master?
This could be restricted, and I agree this should be restricted by default.
We don't recommend using IPs and CIDRs to configure firewall rules.
It's better to have a security group created for that purpose, and then allow the security group to access the server.

This is already implemented here:
https://github.com/cloudposse/terraform-aws-jenkins/blob/master/variables.tf#L84
https://github.com/cloudposse/terraform-aws-jenkins/blob/master/main.tf#L41
https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment/blob/master/main.tf#L325

This needs to be removed because it overrides the security group ingress rule:
https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment/blob/master/main.tf#L314

We'll fix that.
Thanks for pointing that out.

@aknysh,

I'm talking about overall access to Jenkins (Master and Slaves), and yes, I mean to add these rules to security groups. However, I'm not mentioning only SSH connections but HTTP/HTTPS as well.

The idea is to lock down Jenkins so that it is only accessible from certain sources.

Hi @aknysh,

I agree, these lines should be removed because they grant too broad access:

Elastic Beanstalk module

Also, these lines in the Jenkins module should be changed from:

to something like:

```hcl
  # Terraform 0.11 syntax. Instead of a cidr_blocks source, the rule admits
  # traffic only from members of the security groups passed in through the
  # module's security_groups variable.
  ingress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"  # -1 means all protocols; quoted because the attribute is a string
    security_groups = ["${var.security_groups}"]
  }
```

Then we just need to add a new security group in the examples and a variable with the IP(s) address(es). With these changes it will be possible to restrict access to the Jenkins Master and its Slaves.

Let me hear your inputs on this.
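The following is an added example of the pattern being discussed, not code from the cloudposse module or from either commenter, and it uses the current (0.13+) Terraform syntax rather than the 0.11 style quoted above. It shows a security group for the Jenkins master and slaves whose ingress is driven by two variables: a list of CIDR ranges (for the company's egress addresses) and a list of security group IDs (for in-VPC peers such as a bastion host or load balancer). The variable names, the port list and the sample CIDR are assumptions made for the example.

```hcl
# Added example (not the module's own code). Assumes an existing VPC id is
# passed in; all names below are illustrative.

variable "vpc_id" {
  description = "VPC in which the Jenkins security group is created"
  type        = string
}

variable "allowed_cidr_blocks" {
  description = "Source CIDRs allowed to reach Jenkins, e.g. the company's office egress ranges"
  type        = list(string)
  default     = ["203.0.113.0/24"] # constructed sample range (RFC 5737 TEST-NET-3)

  # Guardrail: reject the "open to the world" setting at plan time so that a
  # typo or a lazy default cannot silently re-expose Jenkins.
  validation {
    condition = (
      length(var.allowed_cidr_blocks) > 0 &&
      !contains(var.allowed_cidr_blocks, "0.0.0.0/0") &&
      !contains(var.allowed_cidr_blocks, "::/0")
    )
    error_message = "allowed_cidr_blocks must list specific ranges; 0.0.0.0/0 and ::/0 are not permitted."
  }
}

variable "allowed_security_groups" {
  description = "IDs of security groups (bastion host, load balancer, ...) whose members may reach Jenkins"
  type        = list(string)
  default     = []
}

locals {
  # Ports the thread mentions (SSH plus HTTP/HTTPS); assumed for this example.
  service_ports = {
    ssh   = 22
    http  = 80
    https = 443
  }
}

# Security group attached to the Jenkins master and slave instances. Rules are
# kept in standalone aws_security_group_rule resources rather than inline
# ingress blocks, so the two sources can be managed independently.
resource "aws_security_group" "jenkins" {
  name        = "jenkins"
  description = "Jenkins master and slaves; ingress limited to approved sources"
  vpc_id      = var.vpc_id
}

# One rule per service port, sourced from the approved CIDR ranges. A security
# group referenced as a source only matches ENIs carrying that group, so office
# ranges must be expressed as CIDRs here and cannot be wrapped in a group.
resource "aws_security_group_rule" "cidr_ingress" {
  for_each = local.service_ports

  type              = "ingress"
  security_group_id = aws_security_group.jenkins.id
  from_port         = each.value
  to_port           = each.value
  protocol          = "tcp"
  cidr_blocks       = var.allowed_cidr_blocks
  description       = "Allow ${each.key} from approved CIDR ranges"
}

# One all-protocol rule per trusted in-VPC security group, mirroring the
# protocol "-1" rule proposed above. count is used instead of for_each because
# group IDs created in the same plan are not known until apply.
resource "aws_security_group_rule" "sg_ingress" {
  count = length(var.allowed_security_groups)

  type                     = "ingress"
  security_group_id        = aws_security_group.jenkins.id
  from_port                = 0
  to_port                  = 0
  protocol                 = "-1"
  source_security_group_id = var.allowed_security_groups[count.index]
  description              = "Allow all traffic from trusted security group"
}

# Outbound traffic is left open; Jenkins needs to reach SCM hosts and plugin
# repositories. Tighten this separately if an egress policy exists.
resource "aws_security_group_rule" "egress" {
  type              = "egress"
  security_group_id = aws_security_group.jenkins.id
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}
```

The design point is that the Jenkins group never carries a hard-coded 0.0.0.0/0 ingress: every source comes from a variable, the CIDR variable refuses the wildcard, and in-VPC callers are admitted by group membership rather than by address.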

@ivan-pinatti
I agree with what you said and will create PRs for this
Thanks

@ivan-pinatti
It was addressed in these releases:
https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment/releases/tag/0.3.4
https://github.com/cloudposse/terraform-aws-jenkins/releases/tag/0.3.3

Let us know if you have other questions.
Thanks.
Will close the issue for now.