Use CircleCI version 2.1 at the top of your .circleci/config.yml file.
version: 2.1
Add the orbs stanza below your version, invoking the orb:
orbs:
  aws-sg-white-list-circleci-ip: inokappa/aws-sg-white-list-circleci-ip@0.0.3
Use the aws-sg-white-list-circleci-ip elements in your existing workflows and jobs.
This orb is not certified by CircleCI, so opt in to the use of uncertified orbs on your organization's Security settings page first.
The usage of aws-sg-white-list-circleci-ip is as follows. The orb provides two commands, add and del, and defines no jobs, so both are invoked as steps of a job, with the deploy steps that need the opened port placed between them. Keep add and del in the same job: del recomputes the runner's public IP, so it can only revoke the rule from the same container that created it, and its run step is marked when: always so the rule is removed even if an intermediate step fails.
version: 2.1
orbs:
  aws-sg-white-list-circleci-ip: inokappa/aws-sg-white-list-circleci-ip@0.0.1
executors:
  default:
    docker:
      - image: cimg/base:stable   # assumed image; any Linux image with wget works, the orb installs aws-cli and jq itself
jobs:
  use-my-orb1:
    executor: default
    steps:
      - checkout
      - aws-sg-white-list-circleci-ip/add
      - aws-sg-white-list-circleci-ip/del
  use-my-orb2:
    executor: default
    steps:
      - checkout
      - aws-sg-white-list-circleci-ip/add:
          group-id: sg-xxxxxxxx
      - aws-sg-white-list-circleci-ip/del:
          group-id: sg-xxxxxxxx
  use-my-orb3:
    executor: default
    steps:
      - checkout
      - aws-sg-white-list-circleci-ip/add:
          tag-key: key
          tag-value: value
      - aws-sg-white-list-circleci-ip/del:
          tag-key: key
          tag-value: value
  use-my-orb4:
    executor: default
    steps:
      - checkout
      - aws-sg-white-list-circleci-ip/add:
          description: MyDescription
          group-id: sg-xxxxxxxx
      - aws-sg-white-list-circleci-ip/del:
          description: MyDescription
          group-id: sg-xxxxxxxx
workflows:
  use-my-orb:
    jobs:
      - use-my-orb1
      - use-my-orb2
      - use-my-orb3
      - use-my-orb4
add: adds an inbound rule to the AWS security group that allows the CircleCI runner's current public IP (by default a /32 on TCP 443). When group-id is empty, the group is located by tag: the orb lists each group's value for tag-key and picks the group whose value matches tag-value. The match is a substring grep, so a tag value that is a prefix of another group's value (bastionaccess versus bastionaccess-old) can select the wrong group; pass group-id explicitly where that is possible.

PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
description | Description to identify the rule. Spaces cannot be included. | No | CircleCI | string |
group-id | ID of the security group. When empty, the group is resolved from tag-key and tag-value. | No | '' | string |
mask | Prefix length applied to the detected IP address. | No | 32 | integer |
port | TCP port to open for the inbound rule. | No | 443 | integer |
tag-key | Tag key that must exist on the security group to modify (used only when group-id is empty). | No | developers | string |
tag-value | Tag value that must be set on the security group to modify (used only when group-id is empty). | No | bastionaccess | string |
del: removes the rule that add created. It looks up the group the same way, fetches the runner's public IP again and revokes the rule with the same CIDR, port and protocol, so it must run in the same job as add and with the same parameter values; a del with a different mask or port, or running on another runner, revokes nothing.

PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
description | Description of the rule, as passed to add. Spaces cannot be included. | No | CircleCI | string |
group-id | ID of the security group. When empty, the group is resolved from tag-key and tag-value. | No | '' | string |
mask | Prefix length applied to the detected IP address; must match the value given to add. | No | 32 | integer |
port | TCP port of the inbound rule to remove; must match the value given to add. | No | 443 | integer |
tag-key | Tag key that must exist on the security group to modify (used only when group-id is empty). | No | developers | string |
tag-value | Tag value that must be set on the security group to modify (used only when group-id is empty). | No | bastionaccess | string |
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
commands:
  add:
    description: This command will add a rule in the SG of the AWS Security Group to allow the ingress of the CircleCI Machine
    parameters:
      description:
        default: CircleCI
        description: Description to identify the rule. Spaces cannot be included.
        type: string
      group-id:
        default: ""
        description: Specifies the ID of the security group.
        type: string
      mask:
        default: 32
        description: Mask to use for the ip address.
        type: integer
      port:
        default: 443
        description: Port to open for the inbound rule.
        type: integer
      tag-key:
        default: developers
        description: This key should exist in the SG where we are going to add the rules.
        type: string
      tag-value:
        default: bastionaccess
        description: This value should exist in the tag of the SG where we are going to add the rules.
        type: string
    steps:
      - aws-cli/install
      - jq/install
      - run:
          command: |
            AWS_COMMAND="aws"
            if [ -n "${AWS_ENDPOINT}" ];then
              AWS_COMMAND="aws --endpoint ${AWS_ENDPOINT}"
            fi
            LATEST_IP=$(wget -qO- http://checkip.amazonaws.com)
            IP="${IP-$LATEST_IP}"
            if [ -z "${IP}" ]; then
              echo "Could not find your public IP"
              exit 1
            fi
            PARAM_GROUPID=<< parameters.group-id >>
            if [ -z "${PARAM_GROUPID}" ]; then
              GROUPID=$(${AWS_COMMAND} ec2 describe-security-groups \
                --query 'SecurityGroups[].[Tags[?Key==`<< parameters.tag-key >>`] | [0].Value, GroupId]' \
                --output text | grep << parameters.tag-value >> | awk '{print $2}')
              # Fail closed: stop here instead of calling authorize with an empty group id.
              [[ -n "${GROUPID}" ]] || { echo "Could not determine Security Group ID" >&2; exit 1; }
              PARAM_GROUPID=${GROUPID}
            fi
            ${AWS_COMMAND} ec2 authorize-security-group-ingress \
              --group-id "${PARAM_GROUPID}" --ip-permissions \
              $(echo '[{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "", "Description": ""}]}]' \
              | jq -c '.[].IpRanges[].CidrIp="'${IP}/<< parameters.mask >>'"|.[].IpRanges[].Description="'<< parameters.description >>'"|.[].FromPort='<< parameters.port >>'|.[].ToPort='<< parameters.port >>'')
          name: Add CircleCI's IP address to the Security Group
  del:
    description: This command will remove the rule that add created in the AWS Security Group for the ingress of the CircleCI Machine
    parameters:
      description:
        default: CircleCI
        description: Description to identify the rule. Spaces cannot be included.
        type: string
      group-id:
        default: ""
        description: Specifies the ID of the security group.
        type: string
      mask:
        default: 32
        description: Mask to use for the ip address.
        type: integer
      port:
        default: 443
        description: Port of the inbound rule to remove.
        type: integer
      tag-key:
        default: developers
        description: This key should exist in the SG where we are going to remove the rules.
        type: string
      tag-value:
        default: bastionaccess
        description: This value should exist in the tag of the SG where we are going to remove the rules.
        type: string
    steps:
      - aws-cli/install
      - jq/install
      - run:
          command: |
            AWS_COMMAND="aws"
            if [ -n "${AWS_ENDPOINT}" ];then
              AWS_COMMAND="aws --endpoint ${AWS_ENDPOINT}"
            fi
            LATEST_IP=$(wget -qO- http://checkip.amazonaws.com)
            IP="${IP-$LATEST_IP}"
            if [ -z "${IP}" ]; then
              echo "Could not find your public IP"
              exit 1
            fi
            PARAM_GROUPID=<< parameters.group-id >>
            if [ -z "${PARAM_GROUPID}" ]; then
              GROUPID=$(${AWS_COMMAND} ec2 describe-security-groups \
                --query 'SecurityGroups[].[Tags[?Key==`<< parameters.tag-key >>`] | [0].Value, GroupId]' \
                --output text | grep << parameters.tag-value >> | awk '{print $2}')
              # Fail closed: stop here instead of calling revoke with an empty group id.
              [[ -n "${GROUPID}" ]] || { echo "Could not determine Security Group ID" >&2; exit 1; }
              PARAM_GROUPID=${GROUPID}
            fi
            ${AWS_COMMAND} ec2 revoke-security-group-ingress \
              --group-id "${PARAM_GROUPID}" --ip-permissions \
              $(echo '[{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "", "Description": ""}]}]' \
              | jq -c '.[].IpRanges[].CidrIp="'${IP}/<< parameters.mask >>'"|.[].IpRanges[].Description="'<< parameters.description >>'"|.[].FromPort='<< parameters.port >>'|.[].ToPort='<< parameters.port >>'')
          name: Remove CircleCI's IP address from the Security Group
          when: always
description: |
  Add a custom script that gets the public ip address of the current box and calls the AWS CLI to add an inbound security rule on the fly. Then remove that rule at the end of the script. Referring to https://circleci.com/developer/orbs/orb/configure/aws-white-list-circleci-ip.
display:
  home_url: https://circleci.com/developer/orbs/orb/inokappa/
  source_url: https://github.com/inokappa/aws-sg-white-list-circleci-ip
examples:
  example:
    description: |
      The usage of aws-sg-white-list-circleci-ip is as follows. add and del are commands, so they are run as steps of a job; keep both in the same job so that del sees the same public IP that add allowed.
    usage:
      version: 2.1
      orbs:
        aws-sg-white-list-circleci-ip: inokappa/aws-sg-white-list-circleci-ip@0.0.1
      executors:
        default:
          docker:
            - image: cimg/base:stable   # assumed image; any Linux image with wget works, the orb installs aws-cli and jq itself
      jobs:
        use-my-orb1:
          executor: default
          steps:
            - checkout
            - aws-sg-white-list-circleci-ip/add
            - aws-sg-white-list-circleci-ip/del
        use-my-orb2:
          executor: default
          steps:
            - checkout
            - aws-sg-white-list-circleci-ip/add:
                group-id: sg-xxxxxxxx
            - aws-sg-white-list-circleci-ip/del:
                group-id: sg-xxxxxxxx
        use-my-orb3:
          executor: default
          steps:
            - checkout
            - aws-sg-white-list-circleci-ip/add:
                tag-key: key
                tag-value: value
            - aws-sg-white-list-circleci-ip/del:
                tag-key: key
                tag-value: value
        use-my-orb4:
          executor: default
          steps:
            - checkout
            - aws-sg-white-list-circleci-ip/add:
                description: MyDescription
                group-id: sg-xxxxxxxx
            - aws-sg-white-list-circleci-ip/del:
                description: MyDescription
                group-id: sg-xxxxxxxx
      workflows:
        use-my-orb:
          jobs:
            - use-my-orb1
            - use-my-orb2
            - use-my-orb3
            - use-my-orb4
executors:
  default: {}
jobs: {}
orbs:
  aws-cli: circleci/aws-cli@1.3.3
  jq: circleci/jq@2.2.0
scripts: {}
tests: {}
version: 2.1
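The orb's script has a few edges worth knowing before you rely on it: the group is chosen by a substring grep on the tag value, the public IP is fetched over plain HTTP, the description parameter is interpolated unquoted into a jq program, and nothing revokes the rule when a job is cancelled or its container dies before del runs (when: always only covers a failing step). The bash functions below are an added example, not code from the inokappa orb, that reimplement those three pieces with the edges closed: exact tag matching that fails closed, validation of every value before the --ip-permissions document is built (without jq), and a sweeper that picks out rules left behind by earlier jobs. Each function consumes the tab-separated text the AWS CLI emits with --output text, so it can be run offline on the constructed input in the comments; the real aws calls, the function names and the /24 policy limit are all ours.

```shell
#!/usr/bin/env bash
# Added example (not the inokappa orb's code): hardened pieces of the add/del logic,
# written as functions over the text that `aws ... --output text` returns.
TAB="$(printf '\t')"

# Resolve exactly one security group by tag value.
# stdin: lines of "<tag-value>\t<group-id>", as produced by
#   aws ec2 describe-security-groups \
#     --query 'SecurityGroups[].[Tags[?Key==`developers`] | [0].Value, GroupId]' --output text
# Groups without the tag show up as "None". The match is exact (the orb greps a
# substring, so "bastionaccess" also matches "bastionaccess-old"), and zero or
# several matches fail closed instead of falling through to authorize.
select_group_id() {
  local want="$1" value gid found="" count=0
  while IFS="$TAB" read -r value gid; do
    if [ "$value" = "$want" ]; then
      found="$gid"
      count=$((count + 1))
    fi
  done
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one security group tagged '$want', found $count" >&2
    return 1
  fi
  printf '%s\n' "$found"
}

# Accept only a dotted-quad IPv4 address; the orb trusts whatever checkip (fetched
# over plain HTTP) or a pre-set $IP hands it.
valid_ipv4() {
  local ip="$1" octet old_ifs="$IFS"
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  IFS=.
  set -- $ip
  IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Build the --ip-permissions document the orb assembles with jq, after checking
# every value that ends up inside it. Arguments: ip mask port description.
# Policy choice (ours, not the orb's): a CI job may open at most a /24, and the
# description is limited to a safe charset because it is interpolated into JSON.
build_ip_permissions() {
  local ip="$1" mask="$2" port="$3" desc="$4"
  valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  case "$mask" in ''|*[!0-9]*) mask=-1 ;; esac
  [ "$mask" -ge 24 ] && [ "$mask" -le 32 ] || { echo "invalid mask: $2" >&2; return 1; }
  case "$port" in ''|*[!0-9]*) port=0 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "invalid port: $3" >&2; return 1; }
  case "$desc" in
    ''|*[!A-Za-z0-9._:/=+@-]*) echo "invalid description: $desc" >&2; return 1 ;;
  esac
  [ "${#desc}" -le 255 ] || { echo "description too long" >&2; return 1; }
  printf '[{"IpProtocol":"tcp","FromPort":%d,"ToPort":%d,"IpRanges":[{"CidrIp":"%s/%d","Description":"%s"}]}]\n' \
    "$port" "$port" "$ip" "$mask" "$desc"
}

# Sweeper for rules left behind when a job was cancelled or its container died
# before `del` ran. stdin: lines of "<rule-id>\t<cidr-or-None>\t<description>", as produced by
#   aws ec2 describe-security-group-rules --filters Name=group-id,Values="$SG" \
#     --query 'SecurityGroupRules[?IsEgress==`false`].[SecurityGroupRuleId,CidrIpv4,Description]' \
#     --output text
# Args: the description the orb writes, and optionally the CIDR owned by the
# current job, which is kept. Prints the ids of the rules to revoke.
select_stale_rule_ids() {
  local want_desc="$1" keep_cidr="${2:-}" rule cidr desc
  while IFS="$TAB" read -r rule cidr desc; do
    [ "$desc" = "$want_desc" ] || continue
    if [ -n "$keep_cidr" ] && [ "$cidr" = "$keep_cidr" ]; then
      continue
    fi
    printf '%s\n' "$rule"
  done
  return 0
}

# Putting it together on a runner (not executed here; real AWS calls):
#   SG=$(aws ec2 describe-security-groups --query '...' --output text | select_group_id bastionaccess)
#   IP=$(curl -fsS https://checkip.amazonaws.com)        # TLS, unlike the orb's http://
#   RULE=$(build_ip_permissions "$IP" 32 22 CircleCI)
#   aws ec2 authorize-security-group-ingress --group-id "$SG" --ip-permissions "$RULE"
#   trap 'aws ec2 revoke-security-group-ingress --group-id "$SG" --ip-permissions "$RULE"' EXIT
#   aws ec2 describe-security-group-rules ... --output text \
#     | select_stale_rule_ids CircleCI "$IP/32" \
#     | xargs -r aws ec2 revoke-security-group-ingress --group-id "$SG" --security-group-rule-ids
```

The sweeper relies on the rule description as the only marker the orb leaves behind, so give CI rules a description nothing else in the account uses; the keep argument protects the rule the current job just added, and running the sweep from a scheduled workflow with no keep argument clears whatever a cancelled pipeline left open.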