Merge pull request #110 from dduportal/fix/ci.jio/allow-inbound-jnlp-…

…from-gateways

feat(ci.jenkins.io) allow inbound JNLP from public NAT gateways IPs instead of private subnet CIDRs as we use public DNS

eks-cijenkinsio-agents-2.tf

@@ -133,25 +133,15 @@ module "cijenkinsio_agents_2" {
     },
   }
 
-  # Allow egress from nodes (and pods...)
+  # Allow JNLP egress from pods to controller
   node_security_group_additional_rules = {
     egress_jenkins_jnlp = {
-      description      = "Allow egress to Jenkins TCP"
-      protocol         = "TCP"
-      from_port        = 50000
-      to_port          = 50000
-      type             = "egress"
-      cidr_blocks      = ["0.0.0.0/0"]
-      ipv6_cidr_blocks = ["::/0"]
-    },
-    egress_http = {
-      description      = "Allow egress to plain HTTP"
-      protocol         = "TCP"
-      from_port        = 80
-      to_port          = 80
-      type             = "egress"
-      cidr_blocks      = ["0.0.0.0/0"]
-      ipv6_cidr_blocks = ["::/0"]
+      description = "Allow egress to Jenkins TCP"
+      protocol    = "TCP"
+      from_port   = 50000
+      to_port     = 50000
+      type        = "egress"
+      cidr_blocks = ["${aws_eip.ci_jenkins_io.public_ip}/32"]
     },
   }
 

network-security.tf

@@ -553,12 +553,12 @@ resource "aws_vpc_security_group_egress_rule" "allow_cifs_out_private_subnets" {
 }
 
 resource "aws_vpc_security_group_ingress_rule" "allow_jnlp_in_private_subnets" {
-  for_each = toset(module.vpc.private_subnets_cidr_blocks)
+  count = length(module.vpc.nat_public_ips)
 
-  description       = "Allow inbound JNLP Jenkins Agent protocol from private subnet ${each.key}"
+  description       = "Allow inbound JNLP Jenkins Agent protocol from agents outbound IP ${module.vpc.nat_public_ips[count.index]}"
   security_group_id = aws_security_group.ci_jenkins_io_controller.id
 
-  cidr_ipv4   = each.key
+  cidr_ipv4   = "${module.vpc.nat_public_ips[count.index]}/32"
   from_port   = 50000
   ip_protocol = "tcp"
   to_port     = 50000