Ciinabox2 0.4.1
Updates
- update ecs-service component to 2.11.0 to support iam conditions and add policy to create spot iam service linked role for Jenkins ec2-plugin
- update default jenkins distribution version to 2.235.1.2-b2
- update jcasc component to 0.1.3 which modifies the default jcasc template
  - remove contentFilter key
  - set hostKeyVerificationStrategy to OFF because we trust our ciinabox vpc and the process to verify the host is lengthy and buggy
- update alb component to 0.3.0 to support security rule descriptions for ip_block ips
Spot Service Linked Role
When launching ciinabox in a fresh account, the Jenkins EC2-Plugin with spot requires the creation of a service linked role in order to launch spot instances. This fix grants Jenkins the permission to create the role when first launching.
Jenkins Version Update
This update only affects new ciinabox 2 stacks when launched. To update an existing ciinabox 2 stack, update the jenkins version in the ciinabox.yaml
jenkins:
  version: 2.235.1.2-b2
JCASC Template Update
This resolves 2 issues when launching new ciinabox stacks
- ContentFilter is not a supported JCASC attribute and causes jenkins to crash. The contentFilter key has been removed.
- EC2-Plugin is unable to successfully ssh to the agent. The resolution was to set the hostKeyVerificationStrategy attribute to OFF. This feature helps prevent a man-in-the-middle attack; however, we are establishing ssh connections in our private vpc and we trust our local private network. This may change in future. See the ec2-plugin docs.
Ciinabox Security Group Rule Descriptions
Previous versions of ciinabox 2 had a generic security group rule description of "ciinabox whitelist" for all IPs listed in the whitelist array of the ciinabox config. This update allows a description to be placed on each ip. Update your ciinabox.yaml with the example below to add descriptions to the ip_block security group rules.
ip_blocks:
  webhooks:
    - ip: 104.192.143.192/28
      desc: github incoming webhooks to trigger jenkins jobs
    - ip: 104.192.143.208/28
      desc: github incoming webhooks to trigger jenkins jobs
    - ip: 104.192.136.0/21
      desc: bitbucket incoming webhooks to trigger jenkins jobs
    - ip: 34.198.203.127/32
      desc: bitbucket incoming webhooks to trigger jenkins jobs
    - ip: 34.198.178.64/32
      desc: bitbucket incoming webhooks to trigger jenkins jobs
    - ip: 34.198.32.85/32
      desc: bitbucket incoming webhooks to trigger jenkins jobs
  whitelist:
    - ip: 52.64.86.162/32
      desc: base2 Sydney VPN access
    - ip: 54.191.24.202/32
      desc: base2 Oregon VPN access
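
A pre-deploy lint for the ip/desc format shown above, as an added example that is not part of ciinabox. It assumes the ip_blocks mapping has already been loaded from ciinabox.yaml (for example with yaml.safe_load); the function name, the /16 breadth threshold and the sample entries are hypothetical.

```python
import ipaddress

# Assumption: an allow rule with a prefix shorter than this is treated as too broad.
MIN_PREFIX_LEN = 16

def lint_ip_blocks(ip_blocks, min_prefix_len=MIN_PREFIX_LEN):
    """Return (block, index, problem) tuples for an ip_blocks mapping."""
    findings = []
    seen = {}  # network -> first "block[index]" that declared it
    for block, entries in ip_blocks.items():
        for i, entry in enumerate(entries or []):
            # Bare strings (no per-ip description) are reported, not guessed at.
            if not isinstance(entry, dict) or "ip" not in entry:
                findings.append((block, i, "entry is not an ip/desc mapping"))
                continue
            if not str(entry.get("desc") or "").strip():
                findings.append((block, i, "missing desc"))
            try:
                # strict=True rejects CIDRs with host bits set, e.g. 10.0.0.5/24
                net = ipaddress.ip_network(str(entry["ip"]), strict=True)
            except ValueError as exc:
                findings.append((block, i, f"invalid cidr: {exc}"))
                continue
            if net.prefixlen < min_prefix_len:
                findings.append((block, i, f"{net} is broader than /{min_prefix_len}"))
            if net in seen:
                findings.append((block, i, f"{net} already listed at {seen[net]}"))
            else:
                seen[net] = f"{block}[{i}]"
    return findings

# Constructed sample (documentation addresses plus one range from the page).
SAMPLE = {
    "webhooks": [
        {"ip": "104.192.136.0/21", "desc": "bitbucket incoming webhooks to trigger jenkins jobs"},
        {"ip": "203.0.113.7/24", "desc": "host bits set"},
        {"ip": "0.0.0.0/0", "desc": "anyone"},
    ],
    "whitelist": [
        {"ip": "198.51.100.10/32"},
        {"ip": "104.192.136.0/21", "desc": "duplicate of webhooks[0]"},
        "192.0.2.1/32",
    ],
}

if __name__ == "__main__":
    for block, index, problem in lint_ip_blocks(SAMPLE):
        print(f"{block}[{index}]: {problem}")
```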