Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

```yaml
version: 2.1
```

Add the orbs stanza below your version, invoking the orb:

```yaml
orbs:
  aws-white-list-circleci-ip: configure/aws-white-list-circleci-ip@1.0.1
```

Use aws-white-list-circleci-ip elements in your existing workflows and jobs.

Opt in to use of uncertified orbs on your organization's Security settings page.
Example using the aws-white-list-circleci-ip commands:

```yaml
version: 2.1
orbs:
  aws-white-list-circleci-ip: configure/aws-white-list-circleci-ip@1.0.0
jobs:
  build:
    docker:
      - image: circleci/python:2.7
    steps:
      - checkout
      - aws-white-list-circleci-ip/add
      - aws-white-list-circleci-ip/remove
```
add: this command adds an inbound rule to the security group (SG) in front of the Kubernetes API that allows ingress from the public IP of the CircleCI machine running the job.

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| description | Description used to identify the rule. | No | CircleCI | string |
| port | Port to open for the inbound rule. | No | 443 | integer |
| mask | CIDR prefix length (mask) applied to the IP address. | No | 32 | integer |
| tag-key | Tag key that must exist on the SG to which the rule is added. | No | developers | string |
| tag-value | Tag value that must exist on the SG to which the rule is added. | No | bastionaccess | string |
remove: this command revokes the rule that `add` created in the SG of the Kubernetes API for the CircleCI machine's IP. It uses the same parameters, so they must match the values passed to `add`.

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| description | Description used to identify the rule. | No | CircleCI | string |
| port | Port to open for the inbound rule. | No | 443 | integer |
| mask | CIDR prefix length (mask) applied to the IP address. | No | 32 | integer |
| tag-key | Tag key that must exist on the SG from which the rule is removed. | No | developers | string |
| tag-value | Tag value that must exist on the SG from which the rule is removed. | No | bastionaccess | string |
Orb source:

```yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |
  Add a custom script that gets the public ip address of the current box
  and calls the AWS CLI to add an inbound security rule on the fly.
  Then remove that rule at the end of the script.
examples:
  basic_commands:
    description: "Examples uses aws-white-list-circleci-ip commands"
    usage:
      version: 2.1
      orbs:
        aws-white-list-circleci-ip: configure/aws-white-list-circleci-ip@1.0.0
      jobs:
        build:
          docker:
            - image: circleci/python:2.7
          steps:
            - checkout
            - aws-white-list-circleci-ip/add
            - aws-white-list-circleci-ip/remove
orbs:
  aws-cli: circleci/aws-cli@0.1.13
commands:
  add:
    description: This command will add a rule in the SG of the Kubernetes API to allow the ingress of the CircleCI Machine
    parameters:
      description:
        description: Description to identify the rule.
        type: string
        default: CircleCI
      port:
        description: Port to open for the inbound rule.
        type: integer
        default: 443
      mask:
        description: Mask to use for the ip address.
        type: integer
        default: 32
      tag-key:
        description: This key should exist in the SG where we are going to add the rules.
        type: string
        default: developers
      tag-value:
        description: This value should exist in the tag of the SG where we are going to add the rules.
        type: string
        default: bastionaccess
    steps:
      - aws-cli/install
      - run:
          name: AWS whitelist add CircleCI IP
          command: |
            # Get the public IP address of this build container. Fetch it over HTTPS:
            # the value becomes a firewall rule, so it must not be tamperable in transit.
            LATEST_IP=$(wget -qO- https://checkip.amazonaws.com)
            # An IP environment variable, if set, overrides the detected address.
            IP="${IP-$LATEST_IP}"
            if [[ -z "${IP}" ]]; then
              echo "Could not find your public IP"
              exit 1
            fi
            # Find the security group by its tag. The orb expects exactly one match.
            GROUPID=$(aws ec2 describe-security-groups \
              --filters "Name=tag:<< parameters.tag-key >>,Values=<< parameters.tag-value >>" \
              --query 'SecurityGroups[].GroupId' --output text)
            # A brace group, not a subshell: exit must abort the step, not a child shell.
            [[ -n "${GROUPID}" ]] || { echo "Could not determine Security Group ID"; exit 1; }
            echo "Allowing << parameters.description >> to access port << parameters.port >> from IP ${IP} to the security group ${GROUPID}"
            # Parameters are substituted by CircleCI before the shell runs; only ${IP} needs shell expansion.
            aws ec2 authorize-security-group-ingress --group-id "${GROUPID}" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": << parameters.port >>, "ToPort": << parameters.port >>, "IpRanges": [{"CidrIp": "'"${IP}"'/<< parameters.mask >>", "Description": "<< parameters.description >>"}]}]'
  remove:
    description: This command will remove the rule added in the SG from the Kubernetes API of the CircleCI machine
    parameters:
      description:
        description: Description to identify the rule.
        type: string
        default: CircleCI
      port:
        description: Port to open for the inbound rule.
        type: integer
        default: 443
      mask:
        description: Mask to use for the ip address.
        type: integer
        default: 32
      tag-key:
        description: This key should exist in the SG where we are going to add the rules.
        type: string
        default: developers
      tag-value:
        description: This value should exist in the tag of the SG where we are going to add the rules.
        type: string
        default: bastionaccess
    steps:
      - aws-cli/install
      - run:
          name: AWS whitelist remove CircleCI IP
          command: |
            # Get the public IP address the same way add did, so the revoked CIDR matches.
            LATEST_IP=$(wget -qO- https://checkip.amazonaws.com)
            IP="${IP-$LATEST_IP}"
            [[ -n "${IP}" ]] || { echo "Could not find your public IP"; exit 1; }
            GROUPID=$(aws ec2 describe-security-groups \
              --filters "Name=tag:<< parameters.tag-key >>,Values=<< parameters.tag-value >>" \
              --query 'SecurityGroups[].GroupId' --output text)
            [[ -n "${GROUPID}" ]] || { echo "Could not determine Security Group ID"; exit 1; }
            echo "Removing << parameters.description >> access from IP ${IP} to the security group ${GROUPID}"
            # Revoke the rule that add created: same port, same CIDR, same description.
            aws ec2 revoke-security-group-ingress --group-id "${GROUPID}" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": << parameters.port >>, "ToPort": << parameters.port >>, "IpRanges": [{"CidrIp": "'"${IP}"'/<< parameters.mask >>", "Description": "<< parameters.description >>"}]}]'
          # Run even if an earlier step failed, so the temporary rule is not left behind.
          when: always
```
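The `remove` step runs with `when: always`, but it still never runs if the workflow is cancelled or the executor dies, so rules tagged with the orb's description can accumulate in the security group. The following audit helper is an added example, not part of the orb: it parses the JSON that `aws ec2 describe-security-groups` prints (a constructed sample is embedded so it runs offline), reports every range the orb's `add` created on the given port that `remove` never revoked, and rebuilds the `--ip-permissions` document the orb uses so the leftovers can be revoked by hand.

```python
"""Audit leftover aws-white-list-circleci-ip ingress rules (added example, not orb code)."""
import json

# Constructed sample of `aws ec2 describe-security-groups --output json`:
# one leftover orb rule (Description "CircleCI", /32 on 443) beside unrelated rules.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "Tags": [{"Key": "developers", "Value": "bastionaccess"}],
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [
                 {"CidrIp": "203.0.113.10/32", "Description": "CircleCI"},
                 {"CidrIp": "198.51.100.0/24", "Description": "office"},
             ]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "198.51.100.0/24", "Description": "office"}]},
        ],
    }]
})


def ip_permissions(ip, port=443, mask=32, description="CircleCI"):
    """The --ip-permissions document the orb's add and remove steps pass to the AWS CLI."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": f"{ip}/{mask}", "Description": description}]}]


def leftover_rules(describe_json, port=443, description="CircleCI"):
    """Return (group_id, cidr) for every range carrying the orb's description on `port`."""
    found = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") != "tcp" or perm.get("FromPort") != port:
                continue
            for rng in perm.get("IpRanges", []):
                if rng.get("Description") == description:
                    found.append((sg["GroupId"], rng["CidrIp"]))
    return found


if __name__ == "__main__":
    for group_id, cidr in leftover_rules(SAMPLE_DESCRIBE_OUTPUT):
        # Print the revoke call the orb's remove step would have issued for this rule.
        print(f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
              f"--ip-permissions '{json.dumps(ip_permissions(cidr.split('/')[0]))}'")
```

Point it at real output by replacing the constructed sample with the CLI's JSON; a non-empty result after all workflows have finished is a rule the orb left open.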