Internal HTTPS Endpoints for Ciinabox 2

Updates

Internal HTTPS Endpoints

The Ciinabox 2 0.5.2 release gives you the ability to add internal HTTPS endpoints via a new internal application load balancer placed within the private subnets. To support this feature, a new public Route53 zone named int.<ciinabox_domain> is created, along with a wildcard A record and a matching ACM certificate, which is applied to the internal application load balancer. This enables customers to access ciinabox services privately using HTTPS from within the VPC, either through a VPN, transit gateway or AWS Direct Connect.

To enable the internal load balancer, add the following YAML to the ciinabox.yaml config:

internal_loadbalancer: 
  enable: true

We then need to whitelist some IPs for the security group in the ip_blocks config in ciinabox.yaml:

ip_blocks:
  internal:
    - ip: 192.168.0.0/24
      desc: peered vpn vpc

By default the internal load balancer is placed into the compute subnet group; however, this can be changed to suit your situation. For example, we could create an isolated subnet group for a Direct Connect to give users access to the load balancer but restrict direct access to the compute resources. We could achieve this by creating a new subnet group and placing our internal load balancer inside it.

To set this up we need to create a new subnet group in the vpc config which we’ll call DirectConnect and reference the subnet name in the internal_loadbalancer config.

vpc:
  subnets:
    directconnect:
      name: DirectConnect
      type: private
      enable: true

internal_loadbalancer: 
  enable: true
  subnet_group: DirectConnect

ip_blocks:
  internal:
    - ip: 192.168.0.0/24
      desc: direct connect
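
A pre-deployment check for the settings above, added here as an example and not part of ciinabox: it confirms that subnet_group names an enabled vpc subnet and that every ip_blocks entry is a private range. The helper name lint_internal_lb and the RFC 1918-only policy are assumptions of this example.

```ruby
require 'yaml'
require 'ipaddr'

# Assumed policy: sources allowed to reach the internal ALB are RFC 1918 ranges.
PRIVATE_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16].map { |c| IPAddr.new(c) }

# Constructed sample: the DirectConnect configuration shown above.
SAMPLE_CONFIG = <<~YAML
  vpc:
    subnets:
      directconnect:
        name: DirectConnect
        type: private
        enable: true
  internal_loadbalancer:
    enable: true
    subnet_group: DirectConnect
  ip_blocks:
    internal:
      - ip: 192.168.0.0/24
        desc: direct connect
YAML

# Hypothetical helper (not part of ciinabox); returns findings, empty when all checks pass.
def lint_internal_lb(yaml_text)
  config = YAML.safe_load(yaml_text) || {}
  lb = config['internal_loadbalancer'] || {}
  return ['internal_loadbalancer is not enabled'] unless lb['enable'] == true
  findings = []
  # Only checked when set; omitting subnet_group keeps the default placement.
  if (group = lb['subnet_group'])
    names = (config.dig('vpc', 'subnets') || {}).values.select { |s| s['enable'] }.map { |s| s['name'] }
    findings << "subnet_group #{group} is not an enabled vpc subnet" unless names.include?(group)
  end
  blocks = config.dig('ip_blocks', 'internal') || []
  findings << 'ip_blocks.internal is empty' if blocks.empty?
  blocks.each do |block|
    begin
      cidr = IPAddr.new(block['ip'].to_s)
    rescue IPAddr::Error
      findings << "#{block['ip']} is not a valid CIDR"
      next
    end
    # The prefix comparison rejects ranges wider than the private block itself.
    private_src = PRIVATE_RANGES.any? { |r| cidr.prefix >= r.prefix && r.include?(cidr) }
    findings << "#{block['ip']} is outside the private ranges" unless private_src
  end
  findings
end
```

Run it against ciinabox.yaml before updating the stack, for example with `puts lint_internal_lb(File.read('ciinabox.yaml'))`.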

Once the stack has been updated with the new config, you should be able to access Jenkins at https://jenkins.int.ciinabox.domain/login

JCASC CodePipeline

Previously, JCASC YAML updates were orchestrated from CodeBuild, whereas all other ciinabox operations are orchestrated by CodePipeline. This update brings JCASC in line to make updating and troubleshooting JCASC easier.