From da8e3b7df1eb316bb750b30f7f2de0ca8bd6abfc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20MERLE?= <95630726+smerle33@users.noreply.github.com> Date: Tue, 3 Dec 2024 18:30:40 +0100 Subject: [PATCH] fix(trusted.ci): allow crawler to publish to pkg VM (and allow to publish to archives) (#896) WIP --- locals.tf | 6 ++++-- trusted.ci.jenkins.io.tf | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/locals.tf b/locals.tf index 875b344d..1fc003f3 100644 --- a/locals.tf +++ b/locals.tf @@ -23,8 +23,10 @@ locals { } external_services = { - "updates.jenkins.io" = "52.202.51.185" - "s390x.jenkins.io" = "148.100.84.76" + "updates.jenkins.io" = "52.202.51.185" + "s390x.jenkins.io" = "148.100.84.76" + "pkg.origin.jenkins.io" = "52.202.51.185" + "archives.jenkins.io" = "46.101.121.132" } # Ref. https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses diff --git a/trusted.ci.jenkins.io.tf b/trusted.ci.jenkins.io.tf index 5891d46c..72ab7da3 100644 --- a/trusted.ci.jenkins.io.tf +++ b/trusted.ci.jenkins.io.tf 
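Review bot: The new `"pkg.origin.jenkins.io"` entry in `external_services` carries the same address as the existing `"updates.jenkins.io"` entry, with nothing in the map saying the two are the same host, so a future change to one of them is likely to be applied to only one name and silently leave a stale rule behind. A short comment on the new line would make the coupling visible, e.g. `"pkg.origin.jenkins.io" = "52.202.51.185" # same host as updates.jenkins.io above`. The `locals` block itself starts before and ends after this hunk.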
@@ -313,6 +313,38 @@ resource "azurerm_network_security_rule" "allow_out_many_from_trusted_ephemeral_
 resource_group_name = azurerm_resource_group.trusted_ci_jenkins_io_controller_jenkins_sponsorship.name
 network_security_group_name = module.trusted_ci_jenkins_io_azurevm_agents_jenkins_sponsorship.ephemeral_agents_nsg_name
 }
+resource "azurerm_network_security_rule" "allow_out_many_from_trusted_ephemeral_agents_to_pkg" {
+ provider = azurerm.jenkins-sponsorship
+ name = "allow-out-many-from-ephemeral-agents-to-pkg"
+ priority = 4055
+ direction = "Outbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_ranges = [
+ "22", # SSH (for rsync)
+ ]
+ source_address_prefixes = data.azurerm_subnet.trusted_ci_jenkins_io_sponsorship_ephemeral_agents.address_prefixes
+ destination_address_prefix = local.external_services["pkg.origin.jenkins.io"]
+ resource_group_name = azurerm_resource_group.trusted_ci_jenkins_io_controller_jenkins_sponsorship.name
+ network_security_group_name = module.trusted_ci_jenkins_io_azurevm_agents_jenkins_sponsorship.ephemeral_agents_nsg_name
+}
+resource "azurerm_network_security_rule" "allow_out_many_from_trusted_ephemeral_agents_to_archive" {
+ provider = azurerm.jenkins-sponsorship
+ name = "allow-out-many-from-ephemeral-agents-to-archive"
+ priority = 4060
+ direction = "Outbound"
+ access = "Allow"
+ protocol = "Tcp"
+ source_port_range = "*"
+ destination_port_ranges = [
+ "22", # SSH (for rsync)
+ ]
+ source_address_prefixes = data.azurerm_subnet.trusted_ci_jenkins_io_sponsorship_ephemeral_agents.address_prefixes
+ destination_address_prefix = local.external_services["archives.jenkins.io"]
+ resource_group_name = azurerm_resource_group.trusted_ci_jenkins_io_controller_jenkins_sponsorship.name
+ network_security_group_name = module.trusted_ci_jenkins_io_azurevm_agents_jenkins_sponsorship.ephemeral_agents_nsg_name
+}
 # Ignore the rule as it does not detect the IP restriction to only update.jenkins.io"s host
 #trivy:ignore:azure-network-no-public-egress
 resource "azurerm_network_security_rule" "allow_outbound_ssh_from_permanent_agent_to_updatecenter" {
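Review bot: The two added rules open TCP/22 egress to a single public address in exactly the shape of the neighbouring `allow_outbound_ssh_from_permanent_agent_to_updatecenter` rule, yet unlike that rule neither carries the `#trivy:ignore:azure-network-no-public-egress` marker, so the scanner will presumably report both (the existing comment states that the check does not recognise the single-host restriction). If the single-host restriction is the accepted justification, put the same two lines above each new resource, adapted to the host: `# Egress is restricted to the single pkg.origin.jenkins.io host, which the trivy check does not detect` followed by `#trivy:ignore:azure-network-no-public-egress` (and likewise for archives.jenkins.io). Separately, both resource and rule names say `many` while `destination_port_ranges` lists only `"22"`, which misstates the exposure when someone audits the NSG by name; `name = "allow-out-ssh-from-ephemeral-agents-to-pkg"` (and `-to-archive`) would match the sibling `allow_outbound_ssh_*` rule's naming. Both new resources are complete within the hunk.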