How to secure atlantis connected to bitbucketcloud since bbc does not support webhook secrets?

[nealharris]

Hello! The documentation here has a scary message which reads:

DANGER
Bitbucket Cloud does not support webhook secrets. This could allow attackers to spoof requests from Bitbucket. Ensure you are allowing only Bitbucket IPs.

I'm a little concerned about the suggestion at the end of that message. Even if one configures their Atlantis installation to only accept traffic from Bitbucket IP addresses, this does not seem to provide meaningful protection, since anyone can sign up for a Bitbucket Cloud account and use Bitbucket Pipelines.

What am I missing here? Does limiting traffic to Bitbucket IP addresses significantly mitigate the risk here, even in the face of an attacker that uses Bitbucket Pipelines?

[DrFaust92]

Not an atlantis maintainer but you can reduce ips to webhooks ips
https://support.atlassian.com/bitbucket-cloud/docs/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall/

should be ok as i think what you can do from a webhool is limited

[DrFaust92]

shameless plug you can resolve this in TF via https://registry.terraform.io/providers/DrFaust92/bitbucket/latest/docs/data-sources/ip_ranges

[nitrocode]

Yes, agreed with @DrFaust92. Best way is to only allow web hook ips to hit atlantis.

Here is the upstream issue you can follow to get webhook secrets enabled in bitbucket cloud

https://jira.atlassian.com/browse/BCLOUD-14683

[nealharris]

Sorry, when I said 'bitbucket IPs', I actually did mean webhook IPs. But my question still stands, I think? Anyone can use Bitbucket Pipelines, so what's the point of limiting to those IP addresses? What's the threat model here? Are we assuming/hoping that an attacker won't know we're using Bitbucket Pipelines?

[nitrocode]

The BitbucketCloud has a webhook. The webhook hits the atlantis API. If the security group on the atlantis load balancer only allows ingress from the BitbucketCloud webhook, then only BitbucketCloud will be able to hit the atlantis api.

The warning you quoted above is only because bitbucketcloud does not support webhook secrets.

I do not know bitbucket pipelines enough to know how that is related to this.

If you did not have the security group limited to bitbucketcloud webhook IPs, provided your load balancer is public, due to bitbucketcloud's limitation, then anyone on the internet would be able to hit the atlantis API to trigger plans and applies.

[nealharris]

Oh my goodness, I finally realized my confusion. That is, I was conflating Bitbucket Pipelines IP addresses with the IP addresses used for Webhooks. Sorry about this, and thank you for your patient answers!