configure/aws-white-list-circleci-ip@1.0.1

Adds a custom script that looks up the public IP address of the current build machine and calls the AWS CLI to add an inbound security-group rule for it on the fly, then removes that rule again at the end of the job.
Created: June 17, 2019
Version Published: June 19, 2019
Releases: 2
Org Usage: < 25

Orb Quick Start Guide

Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

version: 2.1

Add the orbs stanza below your version, invoking the orb:

orbs:
  aws-white-list-circleci-ip: configure/aws-white-list-circleci-ip@1.0.1

Use aws-white-list-circleci-ip elements in your existing workflows and jobs.

Opt-in to use of uncertified orbs on your organization’s Security settings page.

Usage Examples

basic_commands

Example using the aws-white-list-circleci-ip commands

version: 2.1
orbs:
  aws-white-list-circleci-ip: configure/aws-white-list-circleci-ip@1.0.0
jobs:
  build:
    docker:
      - image: circleci/python:2.7
    steps:
      - checkout
      - aws-white-list-circleci-ip/add
      - aws-white-list-circleci-ip/remove

Commands

add

This command adds an inbound rule to the security group (SG) in front of the Kubernetes API, allowing ingress from the public IP of the CircleCI machine on the given port.

| Parameter   | Description                                                                         | Required | Default       | Type    |
|-------------|-------------------------------------------------------------------------------------|----------|---------------|---------|
| description | Description to identify the rule.                                                   | No       | CircleCI      | string  |
| port        | Port to open for the inbound rule.                                                  | No       | 443           | integer |
| mask        | Prefix length (mask) applied to the IP address to form the rule's CIDR.             | No       | 32            | integer |
| tag-key     | Tag key that must exist on the SG to which the rule will be added.                  | No       | developers    | string  |
| tag-value   | Value of that tag on the SG to which the rule will be added.                        | No       | bastionaccess | string  |

remove

This command removes the rule that was added to the security group (SG) in front of the Kubernetes API for the public IP of the CircleCI machine.

| Parameter   | Description                                                                         | Required | Default       | Type    |
|-------------|-------------------------------------------------------------------------------------|----------|---------------|---------|
| description | Description identifying the rule to remove.                                         | No       | CircleCI      | string  |
| port        | Port of the inbound rule to remove.                                                 | No       | 443           | integer |
| mask        | Prefix length (mask) applied to the IP address to form the rule's CIDR.             | No       | 32            | integer |
| tag-key     | Tag key that must exist on the SG from which the rule will be removed.              | No       | developers    | string  |
| tag-value   | Value of that tag on the SG from which the rule will be removed.                    | No       | bastionaccess | string  |

Orb Source

# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |
  Add a custom script that gets the public ip address of the current box and calls the AWS CLI to add an inbound security rule on the fly. Then remove that rule at the end of the script.
examples:
  basic_commands:
    description: "Examples uses aws-white-list-circleci-ip commands"
    usage:
      version: 2.1
      orbs:
        aws-white-list-circleci-ip: configure/aws-white-list-circleci-ip@1.0.0
      jobs:
        build:
          docker:
            - image: circleci/python:2.7
          steps:
            - checkout
            - aws-white-list-circleci-ip/add
            - aws-white-list-circleci-ip/remove
orbs:
  aws-cli: circleci/aws-cli@0.1.13
commands:
  add:
    description: This command will add a rule in the SG of the Kubernetes API to allow the ingress of the CircleCI Machine
    parameters:
      description:
        description: Description to identify the rule.
        type: string
        default: CircleCI
      port:
        description: Port to open for the inbound rule.
        type: integer
        default: 443
      mask:
        description: Mask to use for the ip address.
        type: integer
        default: 32
      tag-key:
        description: This key should exist in the SG where we are going to add the rules.
        type: string
        default: developers
      tag-value:
        description: This value should exist in the tag of the SG where we are going to add the rules.
        type: string
        default: bastionaccess
    steps:
      - aws-cli/install
      - run:
          name: AWS whitelist add CircleCI IP
          command: |
            # Get the public ip address (over HTTPS, so the address that ends up in the rule cannot be altered in transit)
            LATEST_IP=$(wget -qO- https://checkip.amazonaws.com)
            # An IP exported in the environment overrides the looked-up one
            IP="${IP-$LATEST_IP}"
            if [[ "${IP}" == "" ]]; then
              echo "Could not find your public IP"
              exit 1
            fi
            # Find the security group whose <tag-key> tag has the value <tag-value>
            GROUPID=$(aws ec2 describe-security-groups --query 'SecurityGroups[].[Tags[?Key==`<< parameters.tag-key >>`] | [0].Value, GroupId]' --output table | grep << parameters.tag-value >> | awk '{print $4}')
            # Brace group, not a subshell: "exit" inside "( ... )" only leaves the subshell and the script would carry on with an empty GROUPID
            [[ -n "${GROUPID}" ]] || { echo "Could not determine Security Group ID"; exit 1; }
            # Add the inbound rule for this IP to the security group
            echo "Allowing << parameters.description >> to access port << parameters.port >> from IP $IP to the security group $GROUPID"
            aws ec2 authorize-security-group-ingress --group-id "$GROUPID" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": '<< parameters.port >>', "ToPort": '<< parameters.port >>', "IpRanges": [{"CidrIp": "'$IP/<< parameters.mask >>'", "Description": "'<< parameters.description >>'"}]}]'
  remove:
    description: This command will remove the rule added in the SG from the Kubernetes API of the CircleCI machine
    parameters:
      description:
        description: Description to identify the rule.
        type: string
        default: CircleCI
      port:
        description: Port to open for the inbound rule.
        type: integer
        default: 443
      mask:
        description: Mask to use for the ip address.
        type: integer
        default: 32
      tag-key:
        description: This key should exist in the SG where we are going to add the rules.
        type: string
        default: developers
      tag-value:
        description: This value should exist in the tag of the SG where we are going to add the rules.
        type: string
        default: bastionaccess
    steps:
      - aws-cli/install
      - run:
          name: AWS whitelist remove CircleCI IP
          command: |
            # Get the public ip address (over HTTPS, as in the add command)
            LATEST_IP=$(wget -qO- https://checkip.amazonaws.com)
            IP=${IP-$LATEST_IP}
            # Brace groups rather than subshells so a failed check really stops the script
            [[ -n "$IP" ]] || { echo "Could not find your public IP"; exit 1; }
            GROUPID=$(aws ec2 describe-security-groups --query 'SecurityGroups[].[Tags[?Key==`<< parameters.tag-key >>`] | [0].Value, GroupId]' --output table | grep << parameters.tag-value >> | awk '{print $4}')
            [[ -n "$GROUPID" ]] || { echo "Could not determine Security Group ID"; exit 1; }
            echo "Removing << parameters.description >> access from IP $IP to the security group $GROUPID"
            # Delete the rule matching this IP, port and description
            aws ec2 revoke-security-group-ingress --group-id "$GROUPID" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": '<< parameters.port >>', "ToPort": '<< parameters.port >>', "IpRanges": [{"CidrIp": "'$IP/<< parameters.mask >>'", "Description": "'<< parameters.description >>'"}]}]'
          when: always
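The add and remove commands above boil down to a small bash flow: look up the runner's public IP, resolve a security group by tag, authorize an ingress rule, and revoke it at the end. The script below is an added example, not the orb's own code, of the same flow written as a stand-alone POSIX shell script with the checks a reviewer would want: the IP is validated before it is placed in a rule, the group is resolved with a `--filters` tag filter and the script refuses to continue unless exactly one group matches (instead of grepping table output), and `with-rule` revokes the rule through an EXIT trap even when the wrapped command fails. It assumes the AWS CLI is installed with credentials in the environment, uses the same checkip.amazonaws.com lookup as the orb, and the environment variable names `SG_TAG_KEY`, `SG_TAG_VALUE`, `RULE_PORT`, `RULE_MASK`, `RULE_DESCRIPTION`, `IP` (override) and `AWS_CMD` are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the orb: add a temporary security-group ingress
# rule for this machine's public IP, run a command, and revoke the rule again.
# Usage: sg-allowlist.sh add | remove | with-rule CMD [ARGS...]
set -eu

# Hypothetical configuration knobs; defaults mirror the orb's parameter defaults.
SG_TAG_KEY="${SG_TAG_KEY:-developers}"
SG_TAG_VALUE="${SG_TAG_VALUE:-bastionaccess}"
RULE_PORT="${RULE_PORT:-443}"
RULE_MASK="${RULE_MASK:-32}"
RULE_DESCRIPTION="${RULE_DESCRIPTION:-CircleCI}"
AWS_CMD="${AWS_CMD:-aws}"   # set to "echo aws" for a dry run

# is_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255 and no
# leading zeros, so a garbled lookup response can never become a rule.
is_ipv4() {
  addr=$1
  case "$addr" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$addr" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] || return 1
    [ "$octet" -le 255 ] || return 1
    case "$octet" in 0?*) return 1 ;; esac
  done
  return 0
}

# ip_permissions IP MASK PORT DESCRIPTION: the --ip-permissions JSON for one
# TCP rule, built with printf so the field order is fixed and reviewable.
ip_permissions() {
  printf '[{"IpProtocol":"tcp","FromPort":%s,"ToPort":%s,"IpRanges":[{"CidrIp":"%s/%s","Description":"%s"}]}]' \
    "$3" "$3" "$1" "$2" "$4"
}

# public_ip: the runner's public IPv4 (an exported IP overrides the lookup),
# validated before it is used anywhere.
public_ip() {
  ip="${IP:-$(wget -qO- https://checkip.amazonaws.com)}"
  is_ipv4 "$ip" || { echo "Could not determine a valid public IP: '$ip'" >&2; return 1; }
  printf '%s' "$ip"
}

# security_group_id: the single group tagged SG_TAG_KEY=SG_TAG_VALUE.
# Zero or several matches is an error, never a guess.
security_group_id() {
  ids=$($AWS_CMD ec2 describe-security-groups \
        --filters "Name=tag:${SG_TAG_KEY},Values=${SG_TAG_VALUE}" \
        --query 'SecurityGroups[].GroupId' --output text)
  set -- $ids
  [ $# -eq 1 ] || { echo "Expected one security group tagged ${SG_TAG_KEY}=${SG_TAG_VALUE}, found $#" >&2; return 1; }
  printf '%s' "$1"
}

add_rule() {
  ip=$(public_ip); gid=$(security_group_id)
  echo "Allowing ${RULE_DESCRIPTION} on tcp/${RULE_PORT} from ${ip}/${RULE_MASK} in ${gid}"
  $AWS_CMD ec2 authorize-security-group-ingress --group-id "$gid" \
    --ip-permissions "$(ip_permissions "$ip" "$RULE_MASK" "$RULE_PORT" "$RULE_DESCRIPTION")"
}

remove_rule() {
  ip=$(public_ip); gid=$(security_group_id)
  echo "Revoking ${RULE_DESCRIPTION} on tcp/${RULE_PORT} from ${ip}/${RULE_MASK} in ${gid}"
  $AWS_CMD ec2 revoke-security-group-ingress --group-id "$gid" \
    --ip-permissions "$(ip_permissions "$ip" "$RULE_MASK" "$RULE_PORT" "$RULE_DESCRIPTION")"
}

# with_rule CMD...: add the rule, run CMD, and revoke on exit whether or not
# CMD succeeded (the orb relies on "when: always" for the same guarantee).
with_rule() {
  add_rule
  trap remove_rule EXIT
  "$@"
}

case "${1:-}" in
  add) add_rule ;;
  remove) remove_rule ;;
  with-rule) shift; with_rule "$@" ;;
  '') ;;
  *) echo "usage: $0 add | remove | with-rule CMD [ARGS...]" >&2; exit 2 ;;
esac
```

Run it as `sh sg-allowlist.sh with-rule kubectl get nodes` to keep the rule open only for the duration of one command; `AWS_CMD="echo aws"` prints the exact CLI calls without touching the account, which is a convenient way to review the JSON before granting the job real credentials.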