Allow BitBucket Webhooks Access to Jenkins on an AWS EC2 instance behind a Private VPC

Let’s say you want BitBucket to notify Jenkins to run a build every time a PR is created or a branch is updated. You can leverage the BitBucket webhooks to do this. To do so, you will need to allow inbound traffic from the BitBucket CIDR ranges that Atlassian publishes (the URL is in the Description field of the template below):

If you are using AWS CloudFormation to manage your infrastructure, then you may have noticed that unfortunately there is no simpler way to define AWS::EC2::SecurityGroupIngress. You cannot supply an array, nor can you readily loop through inputs to the template. Therefore, you have to brute-force copy and paste the resource over and over, with a unique name for each parameter and each ingress rule. Here is a sample CloudFormation template in JSON that you can use. The Default CIDR values are a snapshot of Atlassian's published list, so compare them against the current list before deploying and again whenever webhooks start failing:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "BitBucket Webhooks to Jenkins: https://support.atlassian.com/organization-administration/docs/ip-addresses-and-domains-for-atlassian-cloud-products/#AtlassiancloudIPrangesanddomains-OutgoingConnections",
    "Parameters": {
        "JenkinsStackName": {
            "Type": "String",
            "Description": "Name of the CloudFormation Stack that contains the Jenkins configuration",
            "MinLength": 1,
            "MaxLength": 255,
            "Default": "DEV-Jenkins"
        },
        "FromCidr1": {
            "Type": "String",
            "Description": "Source IP Cidr to allow connections from",
            "MinLength": 1,
            "MaxLength": 18,
            "Default":"13.52.5.96/28"
        },
        "FromCidr2": {
            "Type": "String",
            "Description": "Source IP Cidr to allow connections from",
            "MinLength": 1,
            "MaxLength": 18,
            "Default":"13.236.8.224/28"
        },
        "FromCidr3": {
            "Type": "String",
            "Description": "Source IP Cidr to allow connections from",
            "MinLength": 1,
            "MaxLength": 18,
            "Default":"18.184.99.224/28"
        },
        "FromCidr4": {
            "Type": "String",
            "Description": "Source IP Cidr to allow connections from",
            "MinLength": 1,
            "MaxLength": 18,
            "Default":"18.234.32.224/28"
        },
        "FromCidr5": {
            "Type": "String",
            "Description": "Source IP Cidr to allow connections from",
            "MinLength": 1,
            "MaxLength": 18,
            "Default":"18.246.31.224/28"
        },
        "FromCidr6": {
            "Type": "String",
            "Description": "Source IP Cidr to allow connections from",
            "MinLength": 1,
            "MaxLength": 18,
            "Default":"52.215.192.224/28"
        },
        "FromCidr7": {
            "Type": "String",
            "Description": "Source IP Cidr to allow connections from",
            "MinLength": 1,
            "MaxLength": 18,
            "Default":"104.192.137.240/28"
        },
        "FromCidr8": {
            "Type": "String",
            "Description": "Source IP Cidr to allow connections from",
            "MinLength": 1,
            "MaxLength": 18,
            "Default":"104.192.138.240/28"
        },
        "FromCidr9": {
            "Type": "String",
            "Description": "Source IP Cidr to allow connections from",
            "MinLength": 1,
            "MaxLength": 18,
            "Default":"104.192.140.240/28"
        },
        "FromCidr10": {
            "Type": "String",
            "Description": "Source IP Cidr to allow connections from",
            "MinLength": 1,
            "MaxLength": 18,
            "Default":"104.192.142.240/28"
        },
        "FromCidr11": {
            "Type": "String",
            "Description": "Source IP Cidr to allow connections from",
            "MinLength": 1,
            "MaxLength": 18,
            "Default":"104.192.143.240/28"
        },
        "FromCidr12": {
            "Type": "String",
            "Description": "Source IP Cidr to allow connections from",
            "MinLength": 1,
            "MaxLength": 18,
            "Default":"185.166.143.240/28"
        },
        "FromCidr13": {
            "Type": "String",
            "Description": "Source IP Cidr to allow connections from",
            "MinLength": 1,
            "MaxLength": 18,
            "Default":"185.166.142.240/28"
        }
    },
    "Resources": {
        "SecurityGroupIngress1": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Fn::ImportValue": {
                        "Fn::Sub": "${JenkinsStackName}-SecurityGroupId"
                    }
                },                
                "IpProtocol": "tcp",
                "FromPort": "443",
                "ToPort": "443",
                "CidrIp": {
                    "Ref": "FromCidr1"
                }
            }
        },
        "SecurityGroupIngress2": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Fn::ImportValue": {
                        "Fn::Sub": "${JenkinsStackName}-SecurityGroupId"
                    }
                },                
                "IpProtocol": "tcp",
                "FromPort": "443",
                "ToPort": "443",
                "CidrIp": {
                    "Ref": "FromCidr2"
                }
            }
        },
        "SecurityGroupIngress3": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Fn::ImportValue": {
                        "Fn::Sub": "${JenkinsStackName}-SecurityGroupId"
                    }
                },                
                "IpProtocol": "tcp",
                "FromPort": "443",
                "ToPort": "443",
                "CidrIp": {
                    "Ref": "FromCidr3"
                }
            }
        },
        "SecurityGroupIngress4": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Fn::ImportValue": {
                        "Fn::Sub": "${JenkinsStackName}-SecurityGroupId"
                    }
                },                
                "IpProtocol": "tcp",
                "FromPort": "443",
                "ToPort": "443",
                "CidrIp": {
                    "Ref": "FromCidr4"
                }
            }
        },
        "SecurityGroupIngress5": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Fn::ImportValue": {
                        "Fn::Sub": "${JenkinsStackName}-SecurityGroupId"
                    }
                },                
                "IpProtocol": "tcp",
                "FromPort": "443",
                "ToPort": "443",
                "CidrIp": {
                    "Ref": "FromCidr5"
                }
            }
        },
        "SecurityGroupIngress6": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Fn::ImportValue": {
                        "Fn::Sub": "${JenkinsStackName}-SecurityGroupId"
                    }
                },                
                "IpProtocol": "tcp",
                "FromPort": "443",
                "ToPort": "443",
                "CidrIp": {
                    "Ref": "FromCidr6"
                }
            }
        },
        "SecurityGroupIngress7": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Fn::ImportValue": {
                        "Fn::Sub": "${JenkinsStackName}-SecurityGroupId"
                    }
                },                
                "IpProtocol": "tcp",
                "FromPort": "443",
                "ToPort": "443",
                "CidrIp": {
                    "Ref": "FromCidr7"
                }
            }
        },
        "SecurityGroupIngress8": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Fn::ImportValue": {
                        "Fn::Sub": "${JenkinsStackName}-SecurityGroupId"
                    }
                },                
                "IpProtocol": "tcp",
                "FromPort": "443",
                "ToPort": "443",
                "CidrIp": {
                    "Ref": "FromCidr8"
                }
            }
        },
        "SecurityGroupIngress9": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Fn::ImportValue": {
                        "Fn::Sub": "${JenkinsStackName}-SecurityGroupId"
                    }
                },                
                "IpProtocol": "tcp",
                "FromPort": "443",
                "ToPort": "443",
                "CidrIp": {
                    "Ref": "FromCidr9"
                }
            }
        },
        "SecurityGroupIngress10": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Fn::ImportValue": {
                        "Fn::Sub": "${JenkinsStackName}-SecurityGroupId"
                    }
                },                
                "IpProtocol": "tcp",
                "FromPort": "443",
                "ToPort": "443",
                "CidrIp": {
                    "Ref": "FromCidr10"
                }
            }
        },
        "SecurityGroupIngress11": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Fn::ImportValue": {
                        "Fn::Sub": "${JenkinsStackName}-SecurityGroupId"
                    }
                },                
                "IpProtocol": "tcp",
                "FromPort": "443",
                "ToPort": "443",
                "CidrIp": {
                    "Ref": "FromCidr11"
                }
            }
        },
        "SecurityGroupIngress12": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Fn::ImportValue": {
                        "Fn::Sub": "${JenkinsStackName}-SecurityGroupId"
                    }
                },                
                "IpProtocol": "tcp",
                "FromPort": "443",
                "ToPort": "443",
                "CidrIp": {
                    "Ref": "FromCidr12"
                }
            }
        },
        "SecurityGroupIngress13": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {
                    "Fn::ImportValue": {
                        "Fn::Sub": "${JenkinsStackName}-SecurityGroupId"
                    }
                },                
                "IpProtocol": "tcp",
                "FromPort": "443",
                "ToPort": "443",
                "CidrIp": {
                    "Ref": "FromCidr13"
                }
            }
        }
    }
}

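Once the stack is created, you will no longer see NETWORK ERROR in BitBucket. Note that these rules only narrow who can reach port 443. The ranges are shared across Atlassian cloud customers, so the source address alone does not show that a request came from your own workspace; keep Jenkins authentication in place for the webhook endpoint.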

Here is a deeper look at the “View details” for the NETWORK ERROR
