Update allowed ips to reflect additional Concourse worker range.

ragaskar · CI Bot · commit 8f8dd206a096 · 2025-12-03T11:30:49.000-08:00
- We have a new set of concourse workers we need to allow traffic from
  in order to build stemcells correctly.
- Previously the set of egress IPs was quite small and it made sense to
  pass them as IPs. The new workers have a much larger range of IPs that
  they may send traffic from, so the task interface has been changed to
  consume CIDRs instead of individual IPs (happily, the necessary
  firewall configuration is already consuming CIDRs, so we just needed
  to convert each "legacy" IP to a /32 CIDR.)
diff --git a/ci/pipelines/stemcells-windows.yml b/ci/pipelines/stemcells-windows.yml
@@ -703,7 +703,7 @@ jobs:
       GOVCLOUD_AWS_DEFAULT_REGION: ((AWS_GOVCLOUD_PACKER_REGION))
       GOVCLOUD_AWS_SECRET_ACCESS_KEY: ((packer_user_gov_aws_access_key.password))
       WINDOWS_STEMCELLS_GCP_CREDENTIALS_JSON: *gcp_account_json
-      ALLOWED_IP_ADDRESSES: 35.197.92.68 34.169.1.255 34.82.52.87 34.168.69.249 34.82.182.73
+      ALLOWED_CIDRS: 35.197.92.68/32 34.169.1.255/32 34.82.52.87/32 34.168.69.249/32 34.82.182.73/32 34.145.18.128/26
   - put: main-version
     inputs: detect
     params:
diff --git a/ci/tasks/firewall-rules/configure-windows-firewall-rules.sh b/ci/tasks/firewall-rules/configure-windows-firewall-rules.sh
@@ -8,8 +8,8 @@ set -x
 # Set firewall rules in the GCP project if needed
 if [ "${CONFIGURE_GCP:-}" == "true" ]; then
   comma_separated_external_ips=""
-  for external_ip in ${ALLOWED_IP_ADDRESSES}; do
-    comma_separated_external_ips="${external_ip}/32,${comma_separated_external_ips}"
+  for allowed_cidr in ${ALLOWED_CIDRS}; do
+    comma_separated_external_ips="${allowed_cidr},${comma_separated_external_ips}"
   done
   comma_separated_external_ips="${comma_separated_external_ips%,}"
 
@@ -22,8 +22,8 @@ fi
 
 # Set firewall rules in the AWS project
 aws_ip_ranges=""
-for external_ip in ${ALLOWED_IP_ADDRESSES}; do
-  aws_ip_ranges="{CidrIp=${external_ip}/32},${aws_ip_ranges}"
+for allowed_cidr in ${ALLOWED_CIDRS}; do
+  aws_ip_ranges="{CidrIp=${allowed_cidr}},${aws_ip_ranges}"
 done
 aws_ip_ranges="${aws_ip_ranges%,}"
 
diff --git a/ci/tasks/firewall-rules/configure-windows-firewall-rules.yml b/ci/tasks/firewall-rules/configure-windows-firewall-rules.yml
@@ -14,7 +14,7 @@ params:
   GOVCLOUD_AWS_DEFAULT_REGION:
   GOVCLOUD_AWS_SECRET_ACCESS_KEY:
   WINDOWS_STEMCELLS_GCP_CREDENTIALS_JSON:
-  ALLOWED_IP_ADDRESSES:
+  ALLOWED_CIDRS:
 
 run:
   path: bosh-windows-stemcell-builder-ci/ci/tasks/firewall-rules/configure-windows-firewall-rules.sh
