
[updatecli] Track GitHub SSH in bound IPs allowed from our controllers and agents #4398

Closed
2 tasks
dduportal opened this issue Nov 19, 2024 · 4 comments

Comments

@dduportal
Contributor

dduportal commented Nov 19, 2024

Service(s)

cert.ci.jenkins.io, ci.jenkins.io, infra.ci.jenkins.io, release.ci.jenkins.io, trusted.ci.jenkins.io

Summary

In https://github.com/jenkins-infra/shared-tools/blob/3612af5941ad4f991dd5f731e91c27c1394f0477/terraform/modules/azure-jenkinsinfra-azurevm-agents/main.tf#L81, we define a network firewall rule which allows outbound SSH from our VM agents to any SSH server.

We want to restrict this list to only the GitHub git endpoints to avoid cloning repositories from other sources.

This will also be needed soon in the new ci.jenkins.io AWS instance.

Reproduction steps

No response

@jayfranco999
Collaborator

Update:

jenkins-infra/shared-tools#160 updates the attribute destination_address_prefix to destination_address_prefixes with the list of GitHub git endpoints.

Next steps include tracking the list of IPs in destination_address_prefixes with updatecli.

@jayfranco999
Collaborator

jayfranco999 commented Dec 2, 2024

Update:

jenkins-infra/shared-tools#160 stores the GitHub git endpoints in the subfile locals.tf & jenkins-infra/shared-tools#161 tracks the git endpoints using the native json source.

The solution has been tested locally with success.


TARGETS
========

updateGitHubIPs
---------------

**Dry Run enabled**

✔ - no changes detected:
        path "locals.github_destination_address_prefixes" already set to "192.30.252.0/22 185.199.108.0/22 140.82.112.0/20 143.55.64.0/20 2a0a:a440::/29 2606:50c0::/32 20.201.28.151/32 20.205.243.166/32 20.87.245.0/32 4.237.22.38/32 20.207.73.82/32 20.27.177.113/32 20.200.245.247/32 20.175.192.147/32 20.233.83.145/32 20.29.134.23/32 20.199.39.232/32 20.217.135.5/32 4.225.11.198/32 4.208.26.197/32 20.26.156.215/32 20.201.28.152/32 20.205.243.160/32 20.87.245.4/32 4.237.22.40/32 20.207.73.83/32 20.27.177.118/32 20.200.245.248/32 20.175.192.146/32 20.233.83.149/32 20.29.134.19/32 20.199.39.227/32 20.217.135.4/32 4.225.11.200/32 4.208.26.198/32 20.26.156.214/32", from file "terraform/modules/azure-jenkinsinfra-azurevm-agents/locals.tf", 


ACTIONS
========


=============================

SUMMARY:



✔ Update allowed GitHub inbound IPs:
        Source:
                ✔ [githubInboundIpV4] get GitHub git IPv4s
        Target:
                ✔ [updateGitHubIPs] Update allowed IPs


Run Summary
===========
Pipeline(s) run:
  * Changed:    0
  * Failed:     0
  * Skipped:    0
  * Succeeded:  1
  * Total:      1
  

Since all points related to this issue have been addressed, we can close this issue.

@dduportal
Contributor Author

Good job! Both jenkins-infra/shared-tools#160 and jenkins-infra/shared-tools#161 have been merged!

Alas, jenkins-infra/shared-tools#160 did fail to deploy (despite the extensive testing) with errors like the following:

... contains IP addresses or prefixes that belong to different address families. All IP addresses or prefixes in the resource should belong to the same address family...

=> Proposal: we have to filter out the IPv6 and only keep the IPv4. We already have this kind of filtering in "pure" Terraform (see here: https://github.com/jenkins-infra/terraform-aws-sponsorship/blob/a43bb51d344122074c5a705ad6fa4ea08486242c/locals.tf#L40-L48) which means no need to change the updatecli manifest or the locals!

destination_address_prefixes = [
    # local.github_destination_address_prefixes is the space-separated list of
    # CIDR prefixes written by updatecli (see the dry-run output above), so each
    # entry already carries its own prefix length: do not append "/32" to it, or
    # cidrnetmask() fails on every entry and the resulting list is empty.
    # cidrnetmask() only supports IPv4, so can() is false for the IPv6 prefixes
    # and they are dropped.
    for ip in split(" ", local.github_destination_address_prefixes) : ip
    if can(cidrnetmask(ip))
]
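The two steps discussed in this thread (reading the git prefixes that updatecli pulls from the GitHub meta JSON, then keeping a single address family for the Azure rule) as an added, stand-alone example that is not part of this issue or of the jenkins-infra repositories. The JSON sample is constructed in the shape of the "git" field of https://api.github.com/meta, using a subset of the prefixes shown in the dry-run output above; the function names are this example's own, not updatecli's or Terraform's. It also shows why appending "/32" to entries that already carry a prefix length empties the list, and adds a small egress check a reviewer can use to confirm a destination falls inside the allowed prefixes.

```python
import ipaddress
import json

# Constructed sample: shape of the "git" array of the GitHub meta endpoint,
# limited to a few of the prefixes listed in the updatecli dry run above.
SAMPLE_META_JSON = json.dumps({
    "git": [
        "192.30.252.0/22",
        "185.199.108.0/22",
        "140.82.112.0/20",
        "143.55.64.0/20",
        "2a0a:a440::/29",
        "2606:50c0::/32",
        "20.201.28.151/32",
    ]
})


def parse_git_prefixes(meta_json):
    """Parse the 'git' array into network objects.

    strict=True rejects entries whose host bits are set, so a typo in an
    allowlist (e.g. '140.82.112.1/20') fails loudly instead of widening
    or narrowing the rule silently.
    """
    data = json.loads(meta_json)
    return [ipaddress.ip_network(entry, strict=True) for entry in data["git"]]


def locals_value(prefixes):
    """Space-separated string, the form updatecli writes into
    locals.github_destination_address_prefixes."""
    return " ".join(str(n) for n in prefixes)


def split_by_family(prefixes):
    """Return (ipv4_list, ipv6_list) as strings, preserving order."""
    v4 = [str(n) for n in prefixes if n.version == 4]
    v6 = [str(n) for n in prefixes if n.version == 6]
    return v4, v6


def single_family(cidrs):
    """True when every entry belongs to the same address family, which is the
    constraint the Azure deployment error in the thread complains about."""
    return len({ipaddress.ip_network(c).version for c in cidrs}) <= 1


def ipv4_only(locals_value_str):
    """Mirror of the Terraform filter: keep entries that parse as IPv4 CIDR."""
    kept = []
    for ip in locals_value_str.split(" "):
        try:
            ipaddress.IPv4Network(ip, strict=True)
        except ValueError:
            continue  # IPv6 (or malformed) entry, dropped
        kept.append(ip)
    return kept


def ipv4_only_appending_slash32(locals_value_str):
    """Same filter but appending '/32' first, as one would for bare addresses.
    With entries that already carry a prefix length every candidate becomes
    e.g. '192.30.252.0/22/32', which never parses, so nothing is kept."""
    kept = []
    for ip in locals_value_str.split(" "):
        try:
            ipaddress.IPv4Network(f"{ip}/32", strict=True)
        except ValueError:
            continue
        kept.append(ip)
    return kept


def is_allowed_destination(address, allowed_cidrs):
    """Would an SSH connection to `address` be permitted by a rule whose
    destination_address_prefixes is `allowed_cidrs`?"""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(c) for c in allowed_cidrs)


if __name__ == "__main__":
    nets = parse_git_prefixes(SAMPLE_META_JSON)
    mixed = locals_value(nets)
    print("single family before filter:", single_family(mixed.split(" ")))
    print("IPv4 kept:", ipv4_only(mixed))
    print("kept when '/32' is appended:", ipv4_only_appending_slash32(mixed))
    print("140.82.121.3 allowed:", is_allowed_destination("140.82.121.3", ipv4_only(mixed)))
```

Running the script prints the filtered list, shows the "/32" variant returning an empty list for CIDR input, and confirms that an address inside 140.82.112.0/20 is still reachable after the IPv6 prefixes are dropped while an unrelated address is not.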

@dduportal
Contributor Author

jenkins-infra/shared-tools#162 applied with success 👏
