Bash Script for Atlassian Cloud Migration Firewall Check - BCMA

Platform Notice: Cloud and Data Center - This article applies equally to both cloud and data center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

DISCLAIMER: This script is provided as a convenience for checking network connectivity related to Atlassian services. It is NOT an official Atlassian tool and is not supported by Atlassian in any way. Use of this script is at your own risk. Atlassian is not responsible for any issues arising from the use, modification, or distribution of this script. This script may require modifications to function correctly in your specific environment. It is the user's responsibility to ensure the script's accuracy and suitability for their needs. Atlassian does not provide support for troubleshooting or customizing this script.

This page provides a Bash script that helps verify whether your firewall rules are compatible with an Atlassian Cloud migration.

Solution

Overview

Before initiating the migration, make sure that your firewall permits communication with Atlassian's servers and services. The Bash script on this page helps you verify that your firewall rules are compatible with Atlassian cloud migration. It is based on the Atlassian pages "Preparing your firewall to migrate using the Bitbucket Cloud Migration Assistant" (Bitbucket Cloud, Atlassian Documentation) and "IP addresses and domains for Atlassian cloud products" (Atlassian Support), which list the URLs and domains that need to be whitelisted.

Requirements:

  • This script is written for Linux servers

  • This script requires curl, jq, ping, and iptables to be available on your server.

  • Modify the script as needed (for example, change URLs, ports, or timeout values).

  • Running the script requires sudo privileges for firewall rule checks.

Environment without proxy

If no proxy is enabled on your Linux server, copy the following into a file called bcma-firewall-script.sh.

bcma-firewall-script.sh

    #!/bin/bash

    # URL for Atlassian IP ranges
    ATLASSIAN_IP_RANGES_URL="https://ip-ranges.atlassian.com/"

    # Output file
    OUTPUT_FILE="url_check_results.csv"

    # Timeout for internet connection check and URL checks (in seconds)
    CONNECTION_TIMEOUT=10

    # Ports to check
    PORTS_TO_CHECK=(443)

    # URLs to check
    URLS_TO_CHECK=(
        "https://api-private.atlassian.com"
        "https://marketplace.atlassian.com"
        "https://api.atlassian.com"
        "https://migration.atlassian.com"
        "https://migration-service.services.atlassian.com"
        "https://bitbucket.org"
        "https://rps--prod-west2--migration-catalogue--migration-storage.s3.us-west-2.amazonaws.com/"
        "https://rps--prod-west2--migration-catalogue--migration-storage-v2.s3.us-west-2.amazonaws.com/"
        "https://rps--prod-west2--migration-orchestrator--task-data-repository.s3.us-west-2.amazonaws.com/"
        "https://rps--prod-east--app-migration-service--ams.s3.amazonaws.com"
    )

    # Initialize the output file with headers
    echo "Item,Status,Details" > "$OUTPUT_FILE"

    # Function to check internet connectivity
    check_internet_connection() {
        echo "Checking internet connection..."
        if ! timeout "$CONNECTION_TIMEOUT" ping -c 1 -q google.com &> /dev/null; then
            echo "ERROR: No internet connection or outgoing traffic is blocked. Terminating script."
            echo "Internet Connection,Failed,No internet connectivity" >> "$OUTPUT_FILE"
            exit 1
        fi
        echo "Internet connection is active."
        echo "Internet Connection,Success,Internet connectivity is active" >> "$OUTPUT_FILE"
    }

    # Function to list the OUTPUT rules that block traffic (target DROP or REJECT).
    # Rules with other targets, such as ACCEPT, do not block anything and are skipped.
    blocking_output_rules() {
        sudo iptables -L OUTPUT -v -n | awk '$3 == "DROP" || $3 == "REJECT"'
    }

    # Function to check if specific ports are blocked
    check_ports() {
        echo "Checking for blocked ports..."
        for port in "${PORTS_TO_CHECK[@]}"; do
            # Match the exact port only (dpt:443 must not match dpt:4430)
            if blocking_output_rules | grep -Eq "dpt:$port( |\$)"; then
                echo "ERROR: Port $port is blocked. Outgoing traffic might be restricted. Terminating script."
                echo "Port $port,Failed,Port is blocked" >> "$OUTPUT_FILE"
                exit 1
            fi
        done
        echo "All required ports are open."
        echo "Required Ports,Success,All required ports are open" >> "$OUTPUT_FILE"
    }

    # Function to fetch and filter Bitbucket-related egress IP ranges
    fetch_bitbucket_egress_ip_ranges() {
        echo "Fetching IP ranges from $ATLASSIAN_IP_RANGES_URL..."
        local ip_data
        ip_data=$(curl -s "$ATLASSIAN_IP_RANGES_URL")
        if [[ $? -ne 0 || -z "$ip_data" ]]; then
            echo "ERROR: Failed to fetch IP ranges. Exiting."
            echo "Atlassian IP Ranges,Failed,Failed to fetch IP ranges" >> "$OUTPUT_FILE"
            exit 1
        fi

        echo "Parsing Bitbucket-related egress IP ranges..."
        echo "$ip_data" | jq -r '.items[] | select(.product[] == "bitbucket" and .direction[] == "egress") | .cidr' > bitbucket_egress_ip_ranges.txt
        if [[ $? -ne 0 || ! -s bitbucket_egress_ip_ranges.txt ]]; then
            echo "ERROR: Failed to parse Bitbucket egress IP ranges. Exiting."
            echo "Bitbucket Egress IP Ranges,Failed,Failed to parse Bitbucket egress IP ranges" >> "$OUTPUT_FILE"
            exit 1
        fi
        echo "Bitbucket egress IP ranges fetched and saved to bitbucket_egress_ip_ranges.txt."
        echo "Bitbucket Egress IP Ranges,Success,Bitbucket egress IP ranges fetched" >> "$OUTPUT_FILE"
    }

    # Function to check Bitbucket-specific egress IP addresses and ports against firewall rules
    check_bitbucket_egress_ips_and_ports() {
        local ip_list ip matching_rules blocked_ports
        mapfile -t ip_list < bitbucket_egress_ip_ranges.txt
        for ip in "${ip_list[@]}"; do
            echo "Checking Bitbucket egress IP address: $ip..."

            # Check if the IP is blocked (-F matches the CIDR literally, -w as a whole word)
            matching_rules=$(blocking_output_rules | grep -Fw -- "$ip")
            if [[ -n "$matching_rules" ]]; then
                # Check for blocked ports, joined onto one line to keep one CSV row per IP
                blocked_ports=$(grep -oP '(?<=dpt:)\d+' <<< "$matching_rules" | paste -sd' ' -)
                if [[ -n $blocked_ports ]]; then
                    echo "$ip,Blocked,Blocked Ports: $blocked_ports" >> "$OUTPUT_FILE"
                else
                    echo "$ip,Blocked,All Ports Blocked" >> "$OUTPUT_FILE"
                fi
            else
                echo "$ip,Not Blocked,None" >> "$OUTPUT_FILE"
            fi
        done
    }

    # Function to check URLs
    check_urls() {
        echo "Checking additional URLs..."
        for url in "${URLS_TO_CHECK[@]}"; do
            if curl -s -f --max-time "$CONNECTION_TIMEOUT" "$url" &> /dev/null; then
                echo "$url,Accessible,Connection Successful" >> "$OUTPUT_FILE"
            else
                echo "$url,Not Accessible,Connection Failed" >> "$OUTPUT_FILE"
            fi
        done
    }

    # Run the internet connection check
    check_internet_connection

    # Run the port check
    check_ports

    # Fetch and filter Bitbucket egress IP ranges
    fetch_bitbucket_egress_ip_ranges

    # Run checks for Bitbucket-specific egress IP addresses and ports
    echo "Checking Bitbucket egress IP addresses and ports..."
    check_bitbucket_egress_ips_and_ports

    # Check additional URLs
    check_urls

    # Output file generated
    echo "Results saved in $OUTPUT_FILE"

    # Clean up the temp file
    rm -f bitbucket_egress_ip_ranges.txt

Script Explanation

This script is designed to check various aspects of your internet connection and accessibility to specific services. Here's a breakdown of its functionalities:

  1. Configuration:

    • Defines variables like URLs, ports, timeout values, and output file location.

  2. Functions:

    • check_internet_connection: Uses ping to check internet connectivity and reports success or failure.

    • check_ports: Uses iptables to verify if firewall rules are blocking the ports listed in PORTS_TO_CHECK (443 by default) and reports success or failure.

    • fetch_bitbucket_egress_ip_ranges: Downloads IP ranges from Atlassian for Bitbucket egress traffic and saves them to a temporary file (bitbucket_egress_ip_ranges.txt).

    • check_bitbucket_egress_ips_and_ports: Iterates through the downloaded IP ranges, checks if firewall rules block them, and logs details to the output file.

    • check_urls: Iterates through a list of URLs, uses curl to check accessibility, and logs "Accessible" or "Not Accessible" in the output file.

  3. Script Execution

    • Checks internet connection first. If failed, script exits.

    • Checks ports (443) for blockage. If blocked, script exits.

    • Fetches Bitbucket egress IP ranges and parses them.

    • Checks if firewall rules block any Bitbucket egress IP addresses and reports them.

    • Checks the accessibility of additional URLs listed in the script.

    • Creates an output file (url_check_results.csv) containing results of all checks.

    • Cleans up the temporary file (bitbucket_egress_ip_ranges.txt).
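
The rule matching behind check_ports and check_bitbucket_egress_ips_and_ports can be exercised without sudo or a live firewall. The following is an added example, not part of the original script: it works on a constructed iptables -L OUTPUT -v -n listing and treats a rule as blocking only when its target is DROP or REJECT, so an ACCEPT rule that mentions port 443 is not reported as a block. The function names, the sample listing and its documentation-range addresses are assumptions made for the illustration.

```bash
#!/bin/bash
# Constructed sample of `iptables -L OUTPUT -v -n` output (documentation-range addresses).
SAMPLE_RULES='Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            198.51.100.0/24      tcp dpt:8443
    0     0 REJECT     all  --  *      *       0.0.0.0/0            203.0.113.0/24       reject-with icmp-port-unreachable
    3   180 ACCEPT     all  --  *      *       0.0.0.0/0            192.0.2.0/24'

# Print only the rules whose target (column 3) is DROP or REJECT.
blocking_rules() {      # usage: blocking_rules "<listing>"
    printf '%s\n' "$1" | awk '$3 == "DROP" || $3 == "REJECT"'
}

# Succeed if a blocking rule names exactly this destination port.
port_is_blocked() {     # usage: port_is_blocked "<listing>" <port>
    blocking_rules "$1" | grep -Eq "dpt:$2( |\$)"
}

# Print the status of one CIDR. Column 9 is the destination in -v -n output;
# it is compared as a literal string, so the dots are not regex wildcards.
cidr_status() {         # usage: cidr_status "<listing>" <cidr>
    local hits ports
    hits=$(blocking_rules "$1" | awk -v dst="$2" '$9 == dst')
    ports=$(printf '%s\n' "$hits" | grep -oE 'dpt:[0-9]+' | cut -d: -f2 | paste -sd' ' -)
    if [ -z "$hits" ]; then
        echo "Not Blocked"
    elif [ -n "$ports" ]; then
        echo "Blocked: ports $ports"
    else
        echo "Blocked: all ports"
    fi
}

# The chain policy decides what happens to traffic that matches no rule,
# so a policy of DROP blocks a range even when no rule names it.
output_policy() {       # usage: output_policy "<listing>"
    printf '%s\n' "$1" | awk '/^Chain OUTPUT/ { gsub(/[()]/, ""); print $4; exit }'
}

# Report each sample range in the same "item,status" shape the script writes.
for cidr in 198.51.100.0/24 203.0.113.0/24 192.0.2.0/24; do
    echo "$cidr,$(cidr_status "$SAMPLE_RULES" "$cidr")"
done
```

To test a real host, save the output of sudo iptables -L OUTPUT -v -n to a file and pass its contents in place of SAMPLE_RULES.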

How to Use the Script

  1. Save the Script: Paste the script content into a text file (e.g., bcma-firewall-script.sh).

  2. Make the Script Executable: Run chmod +x bcma-firewall-script.sh to allow execution.

  3. Run the Script: Open a terminal, navigate to the directory where you saved the script, and run ./bcma-firewall-script.sh.

  4. Output: The script will generate a file named url_check_results.csv containing results for each check (internet connectivity, ports, Bitbucket IP access, and additional URLs).

Environment with Proxy Enabled

If a proxy is enabled on your Linux server, copy the following into a file called bcma-proxy-firewallcheck.sh.

bcma-proxy-firewallcheck.sh

    #!/bin/bash

    # File paths
    LOG_FILE="script.log"  # For general logs and debug information
    CSV_FILE="output.csv"  # For the final output in CSV format

    # Debug flag
    DEBUG=true

    # Timeout for internet connection check (in seconds)
    CONNECTION_TIMEOUT=10

    # Ports to check
    PORTS_TO_CHECK=(443)

    # Proxy options passed to every curl call; filled in by main() when a proxy is entered
    PROXY_ARGS=()

    # Initialize the output CSV file with headers
    echo "Type, URL/IP, Status, Issues" > "$CSV_FILE"

    # Function to log messages to the log file with a timestamp and log level
    log_message() {
        local log_level=$1
        local message=$2
        echo "[$(date '+%Y-%m-%d %H:%M:%S')] [$log_level] $message" | tee -a "$LOG_FILE"
    }

    # Function to check internet connectivity
    check_internet_connection() {
        log_message "INFO" "Checking internet connection..."
        # Test connection to a reliable site
        if ! timeout "$CONNECTION_TIMEOUT" ping -c 1 -q google.com &> /dev/null; then
            log_message "ERROR" "No internet connection or outgoing traffic is blocked. Terminating script."
            echo "ERROR: No internet connection or outgoing traffic is blocked." >> "$CSV_FILE"
            exit 1
        fi
        log_message "INFO" "Internet connection is active."
    }

    # Function to list the OUTPUT rules that block traffic (target DROP or REJECT).
    # Rules with other targets, such as ACCEPT, do not block anything and are skipped.
    blocking_output_rules() {
        sudo iptables -L OUTPUT -v -n | awk '$3 == "DROP" || $3 == "REJECT"'
    }

    # Function to check if specific ports are blocked
    check_ports() {
        log_message "INFO" "Checking for blocked ports..."
        for port in "${PORTS_TO_CHECK[@]}"; do
            # Match the exact port only (dpt:443 must not match dpt:4430)
            if blocking_output_rules | grep -Eq "dpt:$port( |\$)"; then
                log_message "ERROR" "Port $port is blocked. Outgoing traffic might be restricted. Terminating script."
                echo "ERROR: Port $port is blocked. Outgoing traffic might be restricted." >> "$CSV_FILE"
                exit 1
            fi
        done
        log_message "INFO" "All required ports are open."
    }

    # Function to fetch and filter Bitbucket-related egress IP ranges
    fetch_bitbucket_egress_ip_ranges() {
        log_message "INFO" "Fetching IP ranges from https://ip-ranges.atlassian.com..."
        local ip_data
        ip_data=$(curl -s "${PROXY_ARGS[@]}" "https://ip-ranges.atlassian.com")
        if [[ $? -ne 0 || -z "$ip_data" ]]; then
            log_message "ERROR" "Failed to fetch IP ranges. Exiting."
            echo "ERROR: Failed to fetch IP ranges." >> "$CSV_FILE"
            exit 1
        fi

        log_message "INFO" "Parsing Bitbucket-related egress IP ranges..."
        echo "$ip_data" | jq -r '.items[] | select(.product[] == "bitbucket" and .direction[] == "egress") | .cidr' > bitbucket_egress_ip_ranges.txt
        if [[ $? -ne 0 || ! -s bitbucket_egress_ip_ranges.txt ]]; then
            log_message "ERROR" "Failed to parse Bitbucket egress IP ranges. Exiting."
            echo "ERROR: Failed to parse Bitbucket egress IP ranges." >> "$CSV_FILE"
            exit 1
        fi
        log_message "INFO" "Bitbucket egress IP ranges fetched and saved to bitbucket_egress_ip_ranges.txt."
    }

    # Function to check Bitbucket-specific egress IP addresses and ports against firewall rules
    check_bitbucket_egress_ips_and_ports() {
        local ip_list ip matching_rules blocked_ports
        mapfile -t ip_list < bitbucket_egress_ip_ranges.txt
        for ip in "${ip_list[@]}"; do
            log_message "INFO" "Checking Bitbucket egress IP address: $ip..."

            # Check if the IP is blocked (-F matches the CIDR literally, -w as a whole word)
            matching_rules=$(blocking_output_rules | grep -Fw -- "$ip")
            if [[ -n "$matching_rules" ]]; then
                # Check for blocked ports, joined onto one line to keep one CSV row per IP
                blocked_ports=$(grep -oP '(?<=dpt:)\d+' <<< "$matching_rules" | paste -sd' ' -)
                if [[ -n $blocked_ports ]]; then
                    echo "IP, $ip, Blocked, Blocked Ports: $blocked_ports" >> "$CSV_FILE"
                    log_message "WARNING" "Blocked IP: $ip, Blocked Ports: $blocked_ports"
                else
                    echo "IP, $ip, Blocked, All Ports Blocked" >> "$CSV_FILE"
                    log_message "WARNING" "Blocked IP: $ip, All Ports Blocked"
                fi
            else
                echo "IP, $ip, Not Blocked, None" >> "$CSV_FILE"
                log_message "INFO" "IP: $ip is not blocked."
            fi
        done
    }

    # Function to validate URLs
    validate_url() {
        local url=$1
        local response
        log_message "INFO" "Validating $url..."
        response=$(curl -s -o /dev/null -w "%{http_code}" "${PROXY_ARGS[@]}" "$url")
        if [[ "$response" -eq 200 ]]; then
            echo "URL, $url, Reachable, None" >> "$CSV_FILE"
            log_message "INFO" "$url is reachable."
        else
            echo "URL, $url, Unreachable, HTTP Status Code: $response" >> "$CSV_FILE"
            log_message "ERROR" "$url is unreachable. HTTP Status Code: $response"
        fi
    }

    # Main function
    main() {
        local proxy_url proxy_user proxy_pass

        # Ask for proxy details
        echo -n "Enter the proxy URL (or press Enter to skip): "
        read -r proxy_url

        if [[ -n "$proxy_url" ]]; then
            echo -n "Enter the proxy username (or press Enter to skip): "
            read -r proxy_user
            echo -n "Enter the proxy password (or press Enter to skip): "
            read -r -s proxy_pass
            echo

            # Build the options as an array so values containing spaces stay intact
            PROXY_ARGS=(--proxy "$proxy_url")
            if [[ -n "$proxy_user" && -n "$proxy_pass" ]]; then
                PROXY_ARGS+=(--proxy-user "$proxy_user:$proxy_pass")
            fi
        fi

        # URLs to validate
        local urls=(
            "https://api-private.atlassian.com"
            "https://marketplace.atlassian.com"
            "https://api.atlassian.com"
            "https://migration.atlassian.com"
            "https://migration-service.services.atlassian.com"
            "https://mp-module-federation.prod-east.frontend.public.atl-paas.net"
            "https://bitbucket.org"
            "https://rps--prod-west2--migration-catalogue--migration-storage.s3.us-west-2.amazonaws.com/"
            "https://rps--prod-west2--migration-orchestrator--task-data-repository.s3.us-west-2.amazonaws.com/"
            "https://rps--prod-east--app-migration-service--ams.s3.amazonaws.com"
        )

        # Check internet connection and blocked ports
        check_internet_connection
        check_ports

        # Fetch and parse Bitbucket-related IP ranges
        fetch_bitbucket_egress_ip_ranges

        # Validate each URL
        for url in "${urls[@]}"; do
            validate_url "$url"
        done

        # Check Bitbucket egress IPs and firewall rules
        check_bitbucket_egress_ips_and_ports

        # Output completion message
        log_message "INFO" "Script completed. Results saved in $CSV_FILE"
    }

    # Run the main function
    main

Script Explanation

  1. Initialization:

    • Sets paths for log and output files (script.log and output.csv).

    • Defines a debug flag (DEBUG) and connection timeout.

    • Configures ports to check (PORTS_TO_CHECK).

    • Initializes the CSV file with headers ("Type", "URL/IP", "Status", "Issues").

  2. Functions:

    • log_message: Logs messages to the log file with timestamp and log level.

    • check_internet_connection: Pings google.com to verify internet connectivity.

    • check_ports: Uses iptables to check if specified ports (443) are blocked.

    • fetch_bitbucket_egress_ip_ranges: Downloads IP ranges from Atlassian's website and filters for Bitbucket egress IPs.

    • check_bitbucket_egress_ips_and_ports: Checks if firewall rules block any of the fetched Bitbucket IP addresses and ports.

    • validate_url: Uses curl to check if provided URLs are reachable and records HTTP status codes.

  3. Main Function (main):

    • Prompts the user for a proxy URL, username, and password (optional).

    • Sets up the proxy options for curl if a proxy is provided.

    • Defines a list of URLs to check (Bitbucket-related and Atlassian services).

    • Calls check_internet_connection and check_ports.

    • Calls fetch_bitbucket_egress_ip_ranges.

    • Loops through the URLs, calling validate_url for each.

    • Calls check_bitbucket_egress_ips_and_ports.

    • Logs a completion message and the output file location.

How to Use the Script

  1. Save the Script: Paste the script content into a text file (e.g., bcma-proxy-firewallcheck.sh).

  2. Make the Script Executable: Run chmod +x bcma-proxy-firewallcheck.sh to allow execution.

  3. Run the Script: Open a terminal, navigate to the directory where you saved the script, and run ./bcma-proxy-firewallcheck.sh.

  4. Output: The script will generate a file named output.csv containing results for each check (internet connectivity, ports, Bitbucket IP access, and additional URLs). Log messages are also written to script.log.

    Sample Input and Output files

    Sample Input (User Interaction):

        Enter the proxy URL (or press Enter to skip): [Proxy URL] (optional)
        Enter the proxy username (or press Enter to skip): [Proxy username] (optional)
        Enter the proxy password (or press Enter to skip): [Proxy password] (optional)

    Sample Output (Written to output.csv)

        Type,URL/IP,Status,Issues
        URL,https://api-private.atlassian.com,Reachable,None
        URL,https://marketplace.atlassian.com,Reachable,None
        # ... (output for other URLs)
        IP,10.0.0.1,Blocked,Blocked Ports: 80,443 # Example blocked IP
        IP,192.168.1.1,Not Blocked,None
        INFO,Script completed. Results saved in output.csv

Updated on April 17, 2025
