From 26689199200c1998ebf0ded2e55b338d4e7c4c43 Mon Sep 17 00:00:00 2001
From: Damien Duportal
Date: Thu, 23 Jan 2025 18:30:55 +0100
Subject: [PATCH 1/2] feat(ci.jenkins.io) allow inbound JNLP from public NAT gateways IPs instead of private subnet CIDRs as we use public DNS
Signed-off-by: Damien Duportal
---
 eks-cijenkinsio-agents-2.tf | 4 ++--
 network-security.tf | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/eks-cijenkinsio-agents-2.tf b/eks-cijenkinsio-agents-2.tf
index d05e727..8f0ed4a 100644
--- a/eks-cijenkinsio-agents-2.tf
+++ b/eks-cijenkinsio-agents-2.tf
@@ -141,8 +141,8 @@ module "cijenkinsio_agents_2" {
       from_port = 50000
       to_port = 50000
       type = "egress"
-      cidr_blocks = ["0.0.0.0/0"]
-      ipv6_cidr_blocks = ["::/0"]
+      cidr_blocks = ["${aws_eip.ci_jenkins_io.public_ip}/32"]
+      ipv6_cidr_blocks = formatlist("%s/32", aws_instance.ci_jenkins_io.ipv6_addresses)
     },
     egress_http = {
       description = "Allow egress to plain HTTP"
diff --git a/network-security.tf b/network-security.tf
index 67ff074..3773fb0 100644
--- a/network-security.tf
+++ b/network-security.tf
@@ -553,12 +553,12 @@ resource "aws_vpc_security_group_egress_rule" "allow_cifs_out_private_subnets" {
 }
 resource "aws_vpc_security_group_ingress_rule" "allow_jnlp_in_private_subnets" {
-  for_each = toset(module.vpc.private_subnets_cidr_blocks)
+  count = length(module.vpc.nat_public_ips)
-  description = "Allow inbound JNLP Jenkins Agent protocol from private subnet ${each.key}"
+  description = "Allow inbound JNLP Jenkins Agent protocol from agents outbound IP ${module.vpc.nat_public_ips[count.index]}"
   security_group_id = aws_security_group.ci_jenkins_io_controller.id
-  cidr_ipv4 = each.key
+  cidr_ipv4 = "${module.vpc.nat_public_ips[count.index]}/32"
   from_port = 50000
   ip_protocol = "tcp"
   to_port = 50000
From 6a737f4388647fa030713d8993889fac97c0b54c Mon Sep 17 00:00:00 2001
From: Damien Duportal
Date: Thu, 23 Jan 2025 19:07:05 +0100
Subject: [PATCH 2/2] fixup
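Review bot: The added `ipv6_cidr_blocks = formatlist("%s/32", aws_instance.ci_jenkins_io.ipv6_addresses)` applies an IPv4 host prefix length to IPv6 addresses; a single IPv6 host is `/128`, and a `/32` covers a very large range rather than the controller alone, so the egress restriction is much looser than the description suggests. The IPv4 entry is correct, since `/32` on `aws_eip.ci_jenkins_io.public_ip` is a single host. The fixup in the second patch removes the IPv6 entry entirely, so if IPv6 egress to the controller is ever reintroduced it should read `ipv6_cidr_blocks = formatlist("%s/128", aws_instance.ci_jenkins_io.ipv6_addresses)`. The enclosing `egress_jenkins_jnlp` rule starts before this hunk.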
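Review bot: `count = length(module.vpc.nat_public_ips)` ties the number of ingress rules to an attribute of the NAT gateways, which Terraform cannot evaluate in a plan that also creates or replaces those gateways; the previous `for_each` over subnet CIDR blocks was more likely to be known at plan time, so this may fail with an unknown-count error on a fresh environment. Because the resource addresses also move from string keys to indices, Terraform will destroy the existing rules and create new ones, leaving a short window with no JNLP ingress on the controller, and any later reordering of `nat_public_ips` would churn them again. The name `allow_jnlp_in_private_subnets` no longer matches what the rule admits, so a comment such as `# Agents reach the controller via its public DNS name, so their source is the VPC NAT gateway public IPs, which are shared by every workload egressing from the private subnets.` would help the next reader understand the trust boundary; renaming the resource would itself force recreation unless a `moved` block is added. The resource block's closing brace is outside the hunk.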
Signed-off-by: Damien Duportal
---
 eks-cijenkinsio-agents-2.tf | 24 +++++++----------------
 1 file changed, 7 insertions(+), 17 deletions(-)
diff --git a/eks-cijenkinsio-agents-2.tf b/eks-cijenkinsio-agents-2.tf
index 8f0ed4a..fdc73c6 100644
--- a/eks-cijenkinsio-agents-2.tf
+++ b/eks-cijenkinsio-agents-2.tf
@@ -133,25 +133,15 @@ module "cijenkinsio_agents_2" {
     },
   }
-  # Allow egress from nodes (and pods...)
+  # Allow JNLP egress from pods to controller
   node_security_group_additional_rules = {
     egress_jenkins_jnlp = {
-      description = "Allow egress to Jenkins TCP"
-      protocol = "TCP"
-      from_port = 50000
-      to_port = 50000
-      type = "egress"
-      cidr_blocks = ["${aws_eip.ci_jenkins_io.public_ip}/32"]
-      ipv6_cidr_blocks = formatlist("%s/32", aws_instance.ci_jenkins_io.ipv6_addresses)
-    },
-    egress_http = {
-      description = "Allow egress to plain HTTP"
-      protocol = "TCP"
-      from_port = 80
-      to_port = 80
-      type = "egress"
-      cidr_blocks = ["0.0.0.0/0"]
-      ipv6_cidr_blocks = ["::/0"]
+      description = "Allow egress to Jenkins TCP"
+      protocol = "TCP"
+      from_port = 50000
+      to_port = 50000
+      type = "egress"
+      cidr_blocks = ["${aws_eip.ci_jenkins_io.public_ip}/32"]
     },
   }
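Review bot: The `egress_http` rule (TCP 80 to `0.0.0.0/0` and `::/0`) and the IPv6 JNLP egress entry are dropped without a stated reason, and the commit message is only "fixup". Whether nodes still have plain-HTTP egress afterwards depends on the EKS module's default node security group rules, which are not visible here, so the reason belongs in the code, e.g. `# Only the JNLP rule is added here; other node egress is covered by the module's default rules` — assuming that is in fact the case. The new comment `# Allow JNLP egress from pods to controller` overstates the scope a little: `node_security_group_additional_rules` applies to the node security group, so it governs the nodes and every pod sharing the node network, not just the agent pods. Dropping the IPv6 entry is consistent with the controller-side ingress rule accepting only IPv4 NAT gateway addresses, though an agent that resolves an AAAA record for the controller's public DNS name (if one is published) would now be blocked by this group rather than fall back to IPv4.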