fix: allow Jenkins build agents to discover FSx volumes/snapshots and…

… make outbound Internet connections (#147)
aws-games · Jul 19, 2024 · 4e3d512 · 4e3d512
1 parent 7645254
commit 4e3d512
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 2 deletions.
diff --git a/modules/jenkins/iam.tf b/modules/jenkins/iam.tf
@@ -200,15 +200,27 @@ data "aws_iam_policy_document" "build_farm_fsxz_policy" {
     actions = [
       "fsx:DeleteSnapshot",
       "fsx:CreateSnapshot",
-      "fsx:DescribeSnapshots",
-      "fsx:DescribeVolumes",
       "fsx:ListTagsForResource"
     ]
     resources = concat(
       ["arn:aws:fsx:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:snapshot/*/*"],
       [for fs in values(aws_fsx_openzfs_file_system.jenkins_build_farm_fsxz_file_system) : "arn:aws:fsx:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:volume/${fs.id}/*"]
     )
   }
+  statement {
+    effect = "Allow"
+    actions = [
+      "fsx:DescribeSnapshots"
+    ]
+    resources = ["arn:aws:fsx:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:snapshot/*/*"]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "fsx:DescribeVolumes"
+    ]
+    resources = ["arn:aws:fsx:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:volume/*/*"]
+  }
 }
 resource "aws_iam_policy" "build_farm_fsxz_policy" {
   name        = "${var.project_prefix}-build-farm-fsxz-policy"

diff --git a/modules/jenkins/sg.tf b/modules/jenkins/sg.tf
@@ -106,6 +106,22 @@ resource "aws_vpc_security_group_ingress_rule" "jenkins_build_farm_inbound_ssh_s
   ip_protocol                  = "tcp"
 }
 
+# Outbound access from Build Farm to Internet (IPV4)
+resource "aws_vpc_security_group_egress_rule" "jenkins_build_farm_outbound_ipv4" {
+  security_group_id = aws_security_group.jenkins_build_farm_sg.id
+  description       = "Allow outbound traffic from Jenkins build farm to internet (ipv4)"
+  cidr_ipv4         = "0.0.0.0/0"
+  ip_protocol       = "-1" # semantically equivalent to all ports
+}
+
+# Outbound access from Build Farm to Internet (IPV6)
+resource "aws_vpc_security_group_egress_rule" "jenkins_build_farm_outbound_ipv6" {
+  security_group_id = aws_security_group.jenkins_build_farm_sg.id
+  description       = "Allow outbound traffic from Jenkins build farm to internet (ipv6)"
+  cidr_ipv6         = "::/0"
+  ip_protocol       = "-1" # semantically equivalent to all ports
+}
+
 ########################################
 # JENKINS BUILD FARM FSX SECURITY GROUP
 ########################################