SwissArmyRonin/serverless-jenkins-on-aws-fargate

AWS Serverless Jenkins Terraform Module

Terraform module which creates a serverless Jenkins environment based on AWS Fargate. The following resources are created:

  • Two Amazon ECS clusters
    • One utilizing the standard FARGATE capacity provider, which is to be used by the Jenkins controller and high priority agents.
    • One utilizing the FARGATE_SPOT capacity provider, which is to be used by Jenkins agents which handle lower priority jobs.
  • Amazon ECS service and task for Jenkins controller.
  • Jenkins controller Docker container, including the amazon-ecs-plugin.
  • Amazon ECR repository for storing the above container
  • Application load balancer
  • Amazon Elastic Filesystem to provide stateful storage for the Jenkins controller
  • AWS Backup vault and schedule to backup EFS
  • AWS Cloud Map service discovery domain and entry for Jenkins controller (for agent -> controller discovery)
  • IAM Roles for the above components
  • Security Groups for the above components

Architecture

An example is included in the example directory.

Prerequisites

The following are required to deploy this Terraform module:

  1. Terraform 13+ - Download at https://www.terraform.io/downloads.html
  2. Docker 19+ - Download at https://docs.docker.com/get-docker/
  3. A VPC with at least two public and two private subnets.
  4. An SSL certificate to associate with the Application Load Balancer. It's recommended to use an ACM certificate. This is not done by the main Terraform module. However, the example in the example directory uses the public AWS ACM module to create the ACM certificate and pass it to the Serverless Jenkins module. You may choose to do it this way or explicitly pass the ARN of a certificate that you had previously created or imported into ACM.
  5. An admin password for Jenkins must be stored in SSM Parameter Store. This parameter must be of type SecureString and have the name jenkins-pwd.
  6. Terraform must be bootstrapped. This means that a state S3 bucket and a state locking DynamoDB table must be initialized.

Deployment

This is packaged as a Terraform module, which means it's not directly deployable. However, there is a deployable example in the example directory. To deploy the example:

  1. Ensure you have met all the Prerequisites
  2. If necessary, execute the bootstrap in the bootstrap directory. This will create a Terraform state bucket & state locking table. This step may be unnecessary if you already have an established Terraform environment.
  3. Copy vars.sh.example to vars.sh
  4. Edit the variables in vars.sh as necessary giving all details specific to your environment (VPC, subnets, state bucket & state locking table, etc.)
  5. Run deploy_example.sh

Requirements

No requirements.

Providers

Name Version
aws n/a
null n/a
template n/a

Modules

No modules.

Resources

Name Type
aws_backup_plan.this resource
aws_backup_selection.this resource
aws_backup_vault.this resource
aws_cloudwatch_log_group.jenkins_controller_log_group resource
aws_ecr_repository.jenkins_controller resource
aws_ecr_repository_policy.this resource
aws_ecs_cluster.jenkins_agents resource
aws_ecs_cluster.jenkins_controller resource
aws_ecs_service.jenkins_controller resource
aws_ecs_task_definition.jenkins_controller resource
aws_efs_access_point.this resource
aws_efs_file_system.this resource
aws_efs_file_system_policy.this resource
aws_efs_mount_target.this resource
aws_iam_policy.jenkins_controller_task_policy resource
aws_iam_policy.ssm_access_policy resource
aws_iam_role.aws_backup_role resource
aws_iam_role.ecs_execution_role resource
aws_iam_role.jenkins_controller_task_role resource
aws_iam_role_policy_attachment.backup_role_policy resource
aws_iam_role_policy_attachment.ecs_execution resource
aws_iam_role_policy_attachment.ecs_execution_ssm resource
aws_iam_role_policy_attachment.jenkins_controller_task resource
aws_iam_role_policy_attachment.jenkins_controller_task_ssm resource
aws_kms_key.cloudwatch resource
aws_lb.this resource
aws_lb_listener.http resource
aws_lb_listener.https resource
aws_lb_listener_rule.redirect_http_to_https resource
aws_lb_target_group.this resource
aws_route53_record.this resource
aws_security_group.alb_security_group resource
aws_security_group.efs_security_group resource
aws_security_group.jenkins_controller_security_group resource
aws_service_discovery_private_dns_namespace.controller resource
aws_service_discovery_service.controller resource
null_resource.build_docker_image resource
null_resource.render_template resource
aws_ecr_authorization_token.token data source
aws_iam_policy_document.aws_backup_assume_policy data source
aws_iam_policy_document.cloudwatch data source
aws_iam_policy_document.ecr_resource_policy data source
aws_iam_policy_document.ecs_assume_policy data source
aws_iam_policy_document.efs_resource_policy data source
aws_iam_policy_document.jenkins_controller_task_policy data source
aws_iam_policy_document.ssm_access_policy data source
template_file.jenkins_configuration_def data source

Inputs

Name Description Type Default Required
account_id The target AWS account's id string n/a yes
alb_access_logs_bucket_name n/a string null no
alb_access_logs_s3_prefix n/a bool null no
alb_acm_certificate_arn The ACM certificate ARN to use for the ALB string n/a yes
alb_create_security_group Should a security group allowing all traffic on ports 80 and 443 be created for the ALB. If false, a valid list of security groups must be passed with 'alb_security_group_ids' bool true no
alb_enable_access_logs n/a bool false no
alb_ingress_allow_cidrs A list of CIDRs to allow inbound into Jenkins. list(string) null no
alb_security_group_ids A list of security group ids to attach to the Application Load Balancer list(string) null no
alb_subnet_ids A list of subnets for the Application Load Balancer list(string) null no
alb_type_internal alb bool false no
docker_folder The path to a folder containing a Dockerfile and a Jenkins YAML template. If not set, the default is to use the included files in './docker' string null no
ecs_execution_role_arn A custom execution role to use as the ECS execution role (optional) string null no
efs_access_point_gid The gid number to associate with the EFS access point number 1000 no
efs_access_point_uid The uid number to associate with the EFS access point number 1000 no
efs_backup_cold_storage_after_days Number of days until backup is moved to cold storage number 30 no
efs_backup_completion_window A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup number 120 no
efs_backup_delete_after_days Number of days until backup is deleted. If cold storage transition 'efs_backup_cold_storage_after_days' is declared, the delete value must be 90 days greater number 120 no
efs_backup_schedule n/a string "cron(0 00 * * ? *)" no
efs_backup_start_window A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully number 60 no
efs_enable_backup n/a bool true no
efs_enable_encryption EFS bool true no
efs_ia_lifecycle_policy n/a string null no
efs_kms_key_arn n/a string null no
efs_performance_mode n/a string "generalPurpose" no
efs_provisioned_throughput_in_mibps n/a number null no
efs_subnet_ids A list of subnets to attach to the EFS mountpoint list(string) null no
efs_throughput_mode n/a string "bursting" no
jenkins_controller_cpu n/a number 2048 no
jenkins_controller_memory n/a number 4096 no
jenkins_controller_port n/a number 8080 no
jenkins_controller_subnet_ids A list of subnets for the Jenkins controller Fargate service (required) list(string) null no
jenkins_controller_task_log_retention_days n/a number 30 no
jenkins_controller_task_role_arn A custom task role to use for the Jenkins controller (optional) string null no
jenkins_ecr_repository_name Name for Jenkins controller ECR repository string "serverless-jenkins-controller" no
jenkins_jnlp_port n/a number 50000 no
name_prefix n/a string "serverless-jenkins" no
region The target AWS region string n/a yes
route53_alias_name The CNAME alias for the ALB, if route53_create_alias is true string "jenkins-controller" no
route53_create_alias Create a CNAME alias for the ALB string false no
route53_zone_id An existing zone id to place the alias in, if route53_create_alias is true string null no
secrets A list of environment variables used to populate the secrets section of the Jenkins controller task definition. The map is defined as an environment variable name to SSM value ARN map(string) {} no
tags An object of tag key value pairs map(any) {} no
template_vars A map of key/value pairs that will be added to the default set, overriding existing keys, and injected into the jenkins.yaml.tpl file to generate jenkins.yaml map(any) {} no
vpc_id n/a string n/a yes
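The following root module is an added example and is not code from the SwissArmyRonin/serverless-jenkins-on-aws-fargate repository. It shows how prerequisites 5 and 6 (the SecureString admin password and the bootstrapped state bucket and lock table) fit together with a call to the module using the inputs listed above, choosing the more restrictive value wherever an input allows it: inbound CIDRs limited to a known range, ALB access logs on, EFS encryption with a customer-managed key, backups retained with the 90-day spread the table requires, and secrets passed as SSM ARNs rather than plaintext. The module source path, region, account id, bucket and table names, subnet ids, certificate and KMS ARNs are all placeholders or assumptions.

```hcl
# Added example root module; not part of the serverless-jenkins-on-aws-fargate
# project. Every id, ARN and name below is a placeholder to be replaced.

terraform {
  # The README asks for "Terraform 13+", i.e. 0.13 or later.
  required_version = ">= 0.13"

  # Prerequisite 6: remote state with locking. Both the bucket and the
  # DynamoDB table must already exist (the bootstrap directory creates them).
  backend "s3" {
    bucket         = "REPLACE-ME-tfstate-bucket"
    key            = "serverless-jenkins/terraform.tfstate"
    region         = "eu-west-1"
    dynamodb_table = "REPLACE-ME-tfstate-lock"
    encrypt        = true
  }
}

provider "aws" {
  region = "eu-west-1"
}

# Prerequisite 5: the Jenkins admin password is a SecureString parameter named
# "jenkins-pwd" in SSM Parameter Store. Create it out of band (for example with
# `aws ssm put-parameter --name jenkins-pwd --type SecureString --value ...`)
# rather than with an aws_ssm_parameter resource, so the plaintext never
# lands in Terraform state.

module "serverless_jenkins" {
  source = "./serverless-jenkins" # assumed local checkout of the module

  account_id = "111111111111"               # placeholder account id
  region     = "eu-west-1"
  vpc_id     = "vpc-0123456789abcdef0"      # placeholder VPC id

  # Controller tasks and EFS mount targets sit in private subnets; only the
  # load balancer is placed in the public ones (prerequisite 3).
  jenkins_controller_subnet_ids = ["subnet-private-a", "subnet-private-b"] # placeholders
  efs_subnet_ids                = ["subnet-private-a", "subnet-private-b"]
  alb_subnet_ids                = ["subnet-public-a", "subnet-public-b"]

  # Prerequisite 4: a certificate previously created or imported into ACM.
  alb_acm_certificate_arn = "arn:aws:acm:eu-west-1:111111111111:certificate/REPLACE-ME"

  # The module-created security group allows ports 80 and 443; narrowing the
  # inbound CIDRs keeps the Jenkins UI off the open internet. 203.0.113.0/24
  # is a documentation range standing in for a corporate egress range.
  alb_create_security_group = true
  alb_ingress_allow_cidrs   = ["203.0.113.0/24"]

  # Keep ALB access logs for investigations (bucket name is a placeholder).
  alb_enable_access_logs      = true
  alb_access_logs_bucket_name = "REPLACE-ME-alb-access-logs"

  # Stateful Jenkins home on EFS: encrypted with a customer-managed key,
  # backed up nightly (module default schedule), and kept long enough that
  # delete_after is at least 90 days beyond the cold-storage transition.
  efs_enable_encryption              = true
  efs_kms_key_arn                    = "arn:aws:kms:eu-west-1:111111111111:key/REPLACE-ME"
  efs_enable_backup                  = true
  efs_backup_cold_storage_after_days = 30
  efs_backup_delete_after_days       = 120

  # Controller task logs: 90 days instead of the 30-day default.
  jenkins_controller_task_log_retention_days = 90

  # secrets: environment variable name -> SSM parameter ARN. ECS resolves the
  # value when the task starts; Terraform only ever sees the ARN.
  secrets = {
    GITHUB_TOKEN = "arn:aws:ssm:eu-west-1:111111111111:parameter/jenkins/github-token" # placeholder
  }

  tags = {
    Owner       = "platform-team"
    Environment = "prod"
  }
}

# Handy for attaching further least-privilege policies to the controller.
output "jenkins_controller_task_role" {
  value = module.serverless_jenkins.jenkins_controller_task_role
}
```

Because the module's own IAM policies (ssm_access_policy, jenkins_controller_task_policy) are what let the task read jenkins-pwd and the ARNs listed under secrets, the only IAM the caller needs to grant is to the identity running terraform apply; the task role output above is the place to hang any additional, narrowly scoped permissions the pipelines themselves require.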

Outputs

Name Description
efs_access_point_id The id of the efs access point
efs_aws_backup_plan_name The name of the aws backup plan used for EFS backups
efs_aws_backup_vault_name The name of the aws backup vault used for EFS backups
efs_file_system_dns_name The dns name of the efs file system
efs_file_system_id The id of the efs file system
efs_security_group_id The id of the efs security group
jenkins_controller_task_role The ARN of the task role used by or created for the Jenkins controller

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.
