bitbucket - enabled IP Whitelisting - AWS Codebuild status doesn't report build success


Hi,

I recently enabled the Bitbucket IP whitelisting.

I noticed that our PR now always shows 0/1 build passed.

The build is from AWS CodeBuild. The CodeBuild is configured to be in a VPC.

We whitelist the NAT IP to Bitbucket.

The CodeBuild can clone the source code from Bitbucket and run unit tests.

The build success status does not seem to report back to Bitbucket.

The issue goes away after we disable the IP whitelisting.

Am I missing something?

The following picture shows the build status integration that is automatically added to the PR and shows a pass when it works.

If I enable IP whitelisting, it would always show 0 of 1 build pass.

image.png

Thanks.

Answer accepted

If I understand your scenario correctly, you are using the AWS CodeBuild integration for building Bitbucket pull requests etc. - the build is triggered correctly, which means the outbound webhook from Bitbucket reached CodeBuild, but the build status is not reported back, which means the inbound request to the Bitbucket build status REST API is lost, presumably due to being blocked by the allowlist.

To address this, you apparently need to update your Bitbucket allowlist with the published AWS IP address ranges for AWS CodeBuild. These are part of a gigantic JSON file, which you need to filter for the CODEBUILD prefix, for example:

Windows (download is built into the resp. AWS Tools for Windows PowerShell)

❯ Get-AWSPublicIpAddressRange -ServiceKey CODEBUILD | select IpPrefix

IpPrefix
--------
35.157.127.248/29
13.48.4.192/29
13.56.32.200/29
52.43.76.88/29
13.127.70.136/29
52.82.1.0/29
13.55.255.216/29
13.112.191.184/29
52.47.73.72/29
13.124.145.16/29
35.176.92.32/29
34.250.63.248/29
52.61.40.104/29
52.221.221.128/29
18.231.194.8/29
52.80.198.136/29
35.182.14.48/29
52.15.247.208/29
34.228.4.208/28

Linux (manual download)

$ curl -LO https://ip-ranges.amazonaws.com/ip-ranges.json

$ jq -r '.prefixes[] | select(.service=="CODEBUILD") | .ip_prefix' < ip-ranges.json
35.157.127.248/29
13.48.4.192/29
13.56.32.200/29
52.43.76.88/29
13.127.70.136/29
52.82.1.0/29
13.55.255.216/29
13.112.191.184/29
52.47.73.72/29
13.124.145.16/29
35.176.92.32/29
34.250.63.248/29
52.61.40.104/29
52.221.221.128/29
18.231.194.8/29
52.80.198.136/29
35.182.14.48/29
52.15.247.208/29
34.228.4.208/28

Automation

Of course, for a sustainable solution, you would need to automate this process one way or another by monitoring the resp. SNS topic for AWS IP address range notifications and then updating your allow list via the Bitbucket Cloud REST API - a good approach for this would be to build an AWS Serverless Application Model (AWS SAM) app, and ideally publish it to the AWS Serverless Application Repository for the benefit of the community :)
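
The core of the automation described in the answer above, as an added example that is not part of the original answer: it reads an SNS notification from the AmazonIpSpaceChanged topic, checks the downloaded ip-ranges.json against the md5 carried in that notification, filters the CODEBUILD prefixes (optionally by region, to keep the allowlist as narrow as the builds need) and computes what to add to or remove from the current allowlist. The function names, the `pinned` parameter and the sample data are assumptions made for illustration; downloading the file and applying the result through the Bitbucket Cloud REST API are left out.

```python
import hashlib
import ipaddress
import json

# Constructed sample shaped like ip-ranges.json (documentation-range prefixes, not real AWS data).
SAMPLE_RANGES = json.dumps({
    "syncToken": "1700000000",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/29", "region": "eu-central-1", "service": "CODEBUILD"},
        {"ip_prefix": "198.51.100.8/29", "region": "us-east-1", "service": "CODEBUILD"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
    ],
}).encode()


def parse_notification(event):
    """Return (url, md5) from an SNS-triggered Lambda event for AmazonIpSpaceChanged."""
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    return message["url"], message["md5"]


def codebuild_prefixes(body, expected_md5, regions=None):
    """Return the CODEBUILD IPv4 networks; refuse a body that does not match the notified md5."""
    if hashlib.md5(body).hexdigest() != expected_md5.lower():
        raise ValueError("ip-ranges.json does not match the md5 in the notification")
    found = set()
    for entry in json.loads(body)["prefixes"]:
        if entry["service"] != "CODEBUILD":
            continue
        if regions and entry["region"] not in regions:
            continue
        # ip_network() raises ValueError on a malformed CIDR, so bad data never reaches the allowlist.
        found.add(ipaddress.ip_network(entry["ip_prefix"]))
    return found


def plan_allowlist_change(current, desired, pinned=()):
    """Diff the live allowlist against the desired set.

    Entries in `pinned` (for example the NAT IP used for cloning) are never scheduled for removal.
    Returns (to_add, to_remove) as sorted lists of CIDR strings.
    """
    current = {ipaddress.ip_network(c) for c in current}
    keep = {ipaddress.ip_network(p) for p in pinned}
    to_add = sorted(str(n) for n in desired - current)
    to_remove = sorted(str(n) for n in current - desired - keep)
    return to_add, to_remove
```

Run on every notification, the two returned lists are the only changes to apply; an empty pair means the allowlist is already current.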
