Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Interests
See all
Community resources
Top groups
Explore all groups
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Get started Tell me more
Atlassian Community about banner
4,552,672
Community Members
 
Community Events
184
Community Groups

bitbucket - enabled IP Whitelisting - AWS Codebuild status doesn't report build success

Edited
jason.tsai
jason.tsai Sep 30, 2020

Hi,

I recently enabled the bitbucket IP whitelisting.

I noticed that our PR now always shows 0/1 build passed.

The build is from AWS codebuild. The codebuild is configured to be in a VPC.

We whitelist the NAT IP to bitbucket.

The codebuild can clone the source code from bitbucket and runs unit test. 

The build success status does not seem to report back to bitbucket.

The issue goes away after we disable the IP whitelisting.

Am I missing something?.

 

The following picture shows how the build status integration that is automatically added to PR and shows pass when it works.

If I enable IP whitelisting, it would always show 0 of 1 build pass.

image.png

Thanks.

Answer
Watch
Like Steffen Opel _Utoolity_ likes this
704 views

2 answers

1 accepted

1 vote
Answer accepted
Steffen Opel _Utoolity_
Steffen Opel _Utoolity_
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
Oct 01, 2020 • edited

If I understand your scenario correctly, you are using the AWS CodeBuild integration for building Bitbucket pull requests etc. - the build is triggered correctly, which means the outbound webhook from Bitbucket reached CodeBuild, but the build status is not reported back, which means the inbound request to the Bitbucket build status REST API is lost, presumably due to being blocked by the allowlist.

To address this, you apparently need to update your Bitbucket allowlist with the published AWS IP address ranges for AWS CodeBuild. These are part of a gigantic JSON file, which you need to filter for the CODEBUILD prefix, for example:

Windows (download is built into the resp. AWS Tools for Windows PowerShell)

❯ Get-AWSPublicIpAddressRange -ServiceKey CODEBUILD | select IpPrefix

IpPrefix
--------
35.157.127.248/29
13.48.4.192/29
13.56.32.200/29
52.43.76.88/29
13.127.70.136/29
52.82.1.0/29
13.55.255.216/29
13.112.191.184/29
52.47.73.72/29
13.124.145.16/29
35.176.92.32/29
34.250.63.248/29
52.61.40.104/29
52.221.221.128/29
18.231.194.8/29
52.80.198.136/29
35.182.14.48/29
52.15.247.208/29
34.228.4.208/28

Linux (manual download)

$ curl -LO https://ip-ranges.amazonaws.com/ip-ranges.json

$ jq -r '.prefixes[] | select(.service=="CODEBUILD") | .ip_prefix' < ip-ranges.json
35.157.127.248/29
13.48.4.192/29
13.56.32.200/29
52.43.76.88/29
13.127.70.136/29
52.82.1.0/29
13.55.255.216/29
13.112.191.184/29
52.47.73.72/29
13.124.145.16/29
35.176.92.32/29
34.250.63.248/29
52.61.40.104/29
52.221.221.128/29
18.231.194.8/29
52.80.198.136/29
35.182.14.48/29
52.15.247.208/29
34.228.4.208/28

Automation

Of course, for a sustainable solution, you would need to automate this process one way or another by monitoring the resp. SNS topic for AWS IP address range notifications and then updating your allow list via the Bitbucket Cloud REST API - a good approach for this would be to build an AWS Serverless Application Model (AWS SAM) app, and ideally publish it to the AWS Serverless Application Repository for the benefit of the community :)

Reply
1 vote
Timo Neuhäußer
Timo Neuhäußer Mar 31, 2023

For us whitelisting the ip addresses of aws CodeBuild as suggested by Steffen was only part of the solution. After adding them to our whitelist CodeBuild is still not able to report the build status back to Bitbucket.
I contacted the aws support which responded with the info that

I checked internally and found that there is a known issue with Bitbucket IP whitelisting feature where customers could not create webhooks. This is due to the fact that the IPs that are used to create the Webhook are different from the IPs which are published in the documentation. We cannot provide the IP range which is used by CodeBuild to create the Webhook.

Since aws CodeBuild has internet access and Bitbucket expects the status to be reported by invocation of their api we have now included the reporting of the build status manually into our build process. I attached a minimal buildspec.yml to do. The BITBUCKET_ACCESS_TOKEN environment variable must be supplied to codebuild manually.
So far this is working for us having allowed only the ip address of CodeBuild in the region of our build projects.

version: 0.2

phases:
  pre_build:
    commands:
      - export CQZ_BUILD_SUCCESS=0
      - ip=$(curl ipinfo.io/ip)
      - echo IP is "$ip"
      - |
        if [[ $CODEBUILD_SOURCE_REPO_URL =~ bitbucket\.org/([^/]+)/([^\.]+)\.git$ ]]; then
          export workspace=${BASH_REMATCH[1]};
          export repository=${BASH_REMATCH[2]};
        else
          echo Failed to parse CODEBUILD_SOURCE_REPO_URL "${CODEBUILD_SOURCE_REPO_URL}";
        fi
      - export commitHash=$CODEBUILD_RESOLVED_SOURCE_VERSION
      - export buildKey=$CODEBUILD_PROJECT_UUID
  build:
    commands:
      - export CQZ_BUILD_SUCCESS=1
    finally:
      - echo Build completed with status "${CQZ_BUILD_SUCCESS}"
  post_build:
    commands:
      - |
        if [[ $CQZ_BUILD_SUCCESS > 0 ]]; then
          export buildStatus="SUCCESSFUL";
        else
          export buildStatus="FAILED";
        fi
      - |
        curl --request PUT -H "Authorization: Bearer ${BITBUCKET_ACCESS_TOKEN}" -H "Accept: application/json" -H "Content-Type: application/json" https://api.bitbucket.org/2.0/repositories/${workspace}/${repository}/commit/${commitHash}/statuses/build/${buildKey} -d "{\"state\":\"${buildStatus}\"}"
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

See all events