by darkwater 2237 days ago
Yeah, I completely agree and really don't see the point of having a Configuration Management server facing the Internet and basically having all your servers connect to it through the Internet! One thing is the BeyondCorp idea to eliminate the roadwarrior concept and another is having your infra management exposed to CVEs in the wild!

For Jenkins it's a bit more complicated because of GitHub webhooks, although they do publish their IPs in a programmatic form so you can whitelist them.


For Jenkins, what I do is:

1. Configured a webhook override in Jenkins, so Jenkins will register something like https://ci-webhook.domain.com with GitHub as the webhook URL.

2. This ci-webhook is a simple web app that validates the webhook and, if it's valid (signed with the correct key), writes the payload to an SQS queue.

3. A small daemon, running on the same Jenkins master, that pulls from the SQS queue and replays it to the local Jenkins.

I used to rely on the GitHub IP whitelist, but one day I realized anyone can hit my Jenkins using GitHub.
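Steps 2 and 3 above as an added example, not the commenter's code: the signature check the ci-webhook app would perform on a GitHub delivery, and the message it would hand to the SQS queue for the replay daemon. The secret value, the sample payload and the queue message layout are constructed for the example; the header names are the ones GitHub sends.

```python
import hashlib
import hmac
import json

# Hypothetical shared secret configured on the GitHub webhook (constructed for this example).
WEBHOOK_SECRET = b"example-webhook-secret"


def github_signature(secret: bytes, body: bytes) -> str:
    """Compute the value GitHub places in the X-Hub-Signature-256 header."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Return True only if the delivery carries a valid HMAC-SHA256 signature.

    The HMAC is computed over the raw request body (never a re-serialized JSON
    object, which would change the bytes) and compared in constant time, so a
    request from an arbitrary GitHub-owned source IP is rejected unless it was
    produced with the shared secret.
    """
    provided = headers.get("X-Hub-Signature-256", "")
    if not provided.startswith("sha256="):
        return False
    expected = github_signature(secret, body)
    return hmac.compare_digest(expected, provided)


def to_queue_message(headers: dict, body: bytes) -> dict:
    """Package a verified delivery for SQS so the daemon can replay it verbatim.

    The original GitHub headers and body are preserved because the Jenkins
    side dispatches on X-GitHub-Event and may re-check the signature itself.
    """
    return {
        "event": headers.get("X-GitHub-Event", ""),
        "delivery": headers.get("X-GitHub-Delivery", ""),
        "headers": {k: v for k, v in headers.items() if k.startswith("X-")},
        "body": body.decode("utf-8"),
    }


# Constructed sample delivery, as the ci-webhook app would receive it.
SAMPLE_BODY = json.dumps({"ref": "refs/heads/main", "repository": {"full_name": "example/repo"}}).encode()
SAMPLE_HEADERS = {
    "X-GitHub-Event": "push",
    "X-GitHub-Delivery": "00000000-0000-0000-0000-000000000000",
    "X-Hub-Signature-256": github_signature(WEBHOOK_SECRET, SAMPLE_BODY),
}
```

The daemon step is the reverse: read the message, rebuild the request from `headers` and `body`, and POST it to the local Jenkins webhook endpoint, which is never reachable from outside.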

> I used to rely on the GitHub IP whitelist, but one day I realized anyone can hit my Jenkins using GitHub.

That's a really good point, but I guess you are talking about Actions egress, right? Webhooks in theory have dedicated IP ranges [1], and I think they are not shared with Actions egress, although TBH I haven't tested it.

[1] https://api.github.com/meta

Hooks have a dedicated IP range.

With Terraform and AWS it's pretty simple to create a security group on an Application Load Balancer and whitelist these IPs using https://www.terraform.io/docs/providers/github/d/ip_ranges.h...