├── .circleci
    └── config.yml
├── .gitignore
├── .python-version
├── CONTRIBUTING.md
├── LICENSE.md
├── Makefile
├── README.md
├── defaults
    └── main.yml
├── docs
    ├── integration.md
    ├── manual_config.md
    └── terraform.md
├── handlers
    └── main.yml
├── meta
    └── main.yml
├── tasks
    ├── logging.yml
    ├── main.yml
    ├── nginx.yml
    └── ssh.yml
├── templates
    └── rsyslog.conf
├── terraform
    ├── aws.tf
    ├── modules
    │   ├── instances
    │   │   ├── master.tf
    │   │   ├── outputs.tf
    │   │   └── vars.tf
    │   └── networking
    │   │   ├── outputs.tf
    │   │   ├── security_group.tf
    │   │   └── vars.tf
    ├── outputs.tf
    └── vars.tf
└── tests
    ├── ansible.cfg
    ├── files
        ├── Jenkinsfile
        └── job.xml
    ├── group_vars
        └── all
        │   ├── .keep
        │   └── ssh.yml
    ├── hosts-docker
    ├── requirements.yml
    ├── secrets-example.yml
    └── test.yml


/.circleci/config.yml:
--------------------------------------------------------------------------------
 1 | version: 2
 2 | jobs:
 3 |   build:
 4 |     # Needs to match repository name; when the role is included normally, it will be `gsa.jenkins`. Also, needs to be an absolute path due to
 5 |     # https://circleci.com/docs/2.0/local-jobs/#relative-path-for-working_directory
 6 |     working_directory: /etc/jenkins-deploy
 7 |     docker:
 8 |       - image: docker
 9 |     steps:
10 |       - checkout
11 |       - setup_remote_docker
12 |       - run:
13 |           name: Install packages
14 |           command: apk add --update-cache ansible git make
15 |       - run:
16 |           name: Start remote container
17 |           command: make start_container
18 |       - run:
19 |           name: Install Ansible roles
20 |           command: make install_roles
21 |       - run:
22 |           name: Run Ansible playbook
23 |           command: make test_ci
24 |   validate_terraform:
25 |     working_directory: /etc/jenkins-deploy
26 |     docker:
27 |       - image: hashicorp/terraform
28 |     steps:
29 |       - checkout
30 |       - run:
31 |           name: Install Make
32 |           command: apk add --update make
33 |       - run:
34 |           name: Set up Terraform
35 |           command: make terraform_init
36 |       - run:
37 |           name: Check Terraform syntax
38 |           command: make validate_terraform
39 | workflows:
40 |   version: 2
41 |   build_and_test:
42 |     jobs:
43 |       - build
44 |       - validate_terraform
45 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Ansible
 2 | *.retry
 3 | secrets.yml
 4 | tests/roles/
 5 | 
 6 | ## Terraform ##
 7 | *.tfvars
 8 | # Compiled files
 9 | *.tfstate*
10 | # Module directory
11 | .terraform/
12 | 


--------------------------------------------------------------------------------
/.python-version:
--------------------------------------------------------------------------------
1 | 2.7.11
2 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | ## Welcome!
 2 | 
 3 | We're so glad you're thinking about contributing to an 18F open source project! If you're unsure about anything, just ask -- or submit the issue or pull request anyway. The worst that can happen is you'll be politely asked to change something. We love all friendly contributions.
 4 | 
 5 | We want to ensure a welcoming environment for all of our projects. Our staff follow the [18F Code of Conduct](https://github.com/18F/code-of-conduct/blob/master/code-of-conduct.md) and all contributors should do the same.
 6 | 
 7 | We encourage you to read this project's CONTRIBUTING policy (you are here), its [LICENSE](LICENSE.md), and its [README](README.md).
 8 | 
 9 | If you have any questions or want to read more, check out the [18F Open Source Policy GitHub repository](https://github.com/18f/open-source-policy), or just [shoot us an email](mailto:18f@gsa.gov).
10 | 
11 | ## Public domain
12 | 
13 | This project is in the public domain within the United States, and
14 | copyright and related rights in the work worldwide are waived through
15 | the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/publicdomain/zero/1.0/).
16 | 
17 | All contributions to this project will be released under the CC0
18 | dedication. By submitting a pull request, you are agreeing to comply
19 | with this waiver of copyright interest.
20 | 
21 | ## Development
22 | 
23 | ### Testing locally
24 | 
25 | 1. [Install the CircleCI CLI.](https://circleci.com/docs/2.0/local-jobs/#installing-the-cli-locally)
26 | 1. Run the tests.
27 | 
28 |     ```sh
29 |     make test
30 |     ```
31 | 
32 | ### Testing in AWS
33 | 
34 | See [the documentation](docs/integration.md).
35 | 


--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
 1 | As a work of the United States government, this project is in the
 2 | public domain within the United States.
 3 | 
 4 | Additionally, we waive copyright and related rights in the work
 5 | worldwide through the CC0 1.0 Universal public domain dedication.
 6 | 
 7 | ## CC0 1.0 Universal summary
 8 | 
 9 | This is a human-readable summary of the [Legal Code (read the full text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).
10 | 
11 | ### No copyright
12 | 
13 | The person who associated a work with this deed has dedicated the work to
14 | the public domain by waiving all rights to the work worldwide
15 | under copyright law, including all related and neighboring rights, to the
16 | extent allowed by law.
17 | 
18 | You can copy, modify, distribute and perform the work, even for commercial
19 | purposes, all without asking permission.
20 | 
21 | ### Other information
22 | 
23 | In no way are the patent or trademark rights of any person affected by CC0,
24 | nor are the rights that other persons may have in the work or in how the
25 | work is used, such as publicity or privacy rights.
26 | 
27 | Unless expressly stated otherwise, the person who associated a work with
28 | this deed makes no warranties about the work, and disclaims liability for
29 | all uses of the work, to the fullest extent permitted by applicable law.
30 | When using or citing the work, you should not imply endorsement by the
31 | author or the affirmer.
32 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | TERRAFORM_DIR := terraform
 2 | PLAYBOOK_DIR := tests
 3 | SSH_USER := ec2-user
 4 | 
 5 | all: terraform ansible
 6 | 
 7 | install_roles:
 8 | 	cd $(PLAYBOOK_DIR) && ansible-galaxy install -r requirements.yml
 9 | 
10 | terraform_init:
11 | 	cd $(TERRAFORM_DIR) && terraform init -backend=false
12 | 
13 | .PHONY: terraform
14 | terraform:
15 | 	cd $(TERRAFORM_DIR) && terraform apply
16 | 
17 | INVENTORY_PATH := $(shell which terraform-inventory)
18 | .PHONY: ansible
19 | ansible: install_roles
20 | 	cd $(PLAYBOOK_DIR) && TF_STATE=../$(TERRAFORM_DIR)/terraform.tfstate ansible-playbook --inventory-file=$(INVENTORY_PATH) --become --user=$(SSH_USER) test.yml
21 | 
22 | destroy:
23 | 	cd $(TERRAFORM_DIR) && terraform destroy
24 | 
25 | validate_terraform:
26 | 	cd $(TERRAFORM_DIR) && terraform validate
27 | 
28 | validate_ansible:
29 | 	cd $(PLAYBOOK_DIR) && ansible-playbook --syntax-check test.yml
30 | 
31 | validate: validate_terraform validate_ansible
32 | 
33 | start_container:
34 | 	docker run -it --privileged -d --name remote centos/systemd
35 | 
36 | test_ci:
37 | 	cd $(PLAYBOOK_DIR) && ansible-playbook -i hosts-docker test.yml
38 | 
39 | test:
40 | 	circleci build --job validate_terraform
41 | 	# CircleCI CLI doesn't clean up remote containers
42 | 	docker rm -f remote || true
43 | 	circleci build
44 | 	docker rm -f remote
45 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Jenkins Bootstrap [![CircleCI](https://circleci.com/gh/GSA/jenkins-deploy.svg?style=svg)](https://circleci.com/gh/GSA/jenkins-deploy)
  2 | 
  3 | This repository is reusable deployment code/configuration of Jenkins, which gets you up and running with a production-grade Jenkins quickly.
  4 | 
  5 | ## Integration
  6 | 
  7 | See [the documentation](docs/integration.md).
  8 | 
  9 | ## Reusable pieces
 10 | 
 11 | ### Terraform modules
 12 | 
 13 | See [the documentation](docs/terraform.md).
 14 | 
 15 | ### Ansible role
 16 | 
 17 | #### Requirements
 18 | 
 19 | None.
 20 | 
 21 | #### Role variables
 22 | 
 23 | For any variables marked `sensitive`, you are strongly encouraged to store the values in an [Ansible Vault](https://docs.ansible.com/ansible/playbooks_vault.html).
 24 | 
 25 | ##### Required
 26 | 
 27 | * `jenkins_admin_password` - store in a [Vault](https://docs.ansible.com/ansible/playbooks_vault.html)
 28 | * `jenkins_external_hostname`
 29 | 
 30 | * SSH key - information about how to generate in [Usage](#usage) section below.
 31 |     * `jenkins_ssh_key_passphrase` (sensitive)
 32 |     * `jenkins_ssh_private_key_data` (sensitive)
 33 |     * `jenkins_ssh_public_key_data`
 34 | * [SSL configuration](https://github.com/jdauphant/ansible-role-ssl-certs#examples) (sensitive)
 35 |     * The [key data](https://github.com/jdauphant/ansible-role-ssl-certs#example-to-deploy-a-ssl-certificate-stored-in-variables) approach is recommended.
 36 | 
 37 | ##### Optional
 38 | 
 39 | See [`defaults/main.yml`](defaults/main.yml).
 40 | 
 41 | #### Dependencies
 42 | 
 43 | * [`geerlingguy.jenkins`](https://galaxy.ansible.com/geerlingguy/jenkins/)
 44 | * [`gsa.https-proxy`](https://github.com/GSA/ansible-https-proxy)
 45 | * [`srsp.oracle-java`](https://galaxy.ansible.com/srsp/oracle-java/)
 46 | 
 47 | #### Usage
 48 | 
 49 | 1. Generate an SSH key.
 50 | 
 51 |     ```sh
 52 |     ssh-keygen -t rsa -b 4096 -f temp.key -C "group-email+jenkins@some.gov"
 53 |     # enter a passphrase - store in Vault as vault_jenkins_ssh_key_passphrase
 54 | 
 55 |     cat temp.key
 56 |     # store in Vault as vault_jenkins_ssh_private_key_data
 57 | 
 58 |     cat temp.key.pub
 59 |     # store as jenkins_ssh_public_key_data
 60 | 
 61 |     rm temp.key*
 62 |     ```
 63 | 
 64 | 1. Include the role and required variables. Example:
 65 | 
 66 |     ```yaml
 67 |     # requirements.yml
 68 |     - src: https://github.com/GSA/jenkins-deploy
 69 |       name: gsa.jenkins
 70 | 
 71 |     # group_vars/all/vars.yml
 72 |     jenkins_ssh_user: jenkins
 73 |     jenkins_ssh_public_key_data: |
 74 |       ssh-rsa ... group-email+jenkins@some.gov
 75 | 
 76 |     # group_vars/jenkins/vars.yml
 77 |     jenkins_external_hostname: ...
 78 |     jenkins_ssh_key_passphrase: "{{ vault_jenkins_ssh_key_passphrase }}"
 79 |     jenkins_ssh_private_key_data: "{{ vault_jenkins_ssh_private_key_data }}"
 80 |     ssl_certs_local_cert_data: "{{ vault_ssl_certs_local_cert_data }}"
 81 |     ssl_certs_local_privkey_data: "{{ vault_ssl_certs_local_privkey_data }}"
 82 | 
 83 |     # group_vars/jenkins/vault.yml (encrypted)
 84 |     vault_jenkins_ssh_key_passphrase: ...
 85 |     vault_jenkins_ssh_private_key_data: |
 86 |       -----BEGIN RSA PRIVATE KEY-----
 87 |       ...
 88 |       -----END RSA PRIVATE KEY-----
 89 |     vault_ssl_certs_local_cert_data: |
 90 |       -----BEGIN CERTIFICATE-----
 91 |       ...
 92 |       -----END CERTIFICATE-----
 93 |     vault_ssl_certs_local_privkey_data: |
 94 |       -----BEGIN RSA PRIVATE KEY-----
 95 |       ...
 96 |       -----END RSA PRIVATE KEY-----
 97 | 
 98 |     # playbooks/jenkins.yml
 99 |     - hosts: jenkins
100 |       become: true
101 |       roles:
102 |         - gsa.jenkins
103 | 
104 |     # playbooks/other.yml
105 |     # hosts that Jenkins is going to run playbooks against
106 |     - hosts: other
107 |       become: true
108 |       tasks:
109 |         - name: Create Jenkins user
110 |           user:
111 |             name: "{{ jenkins_ssh_user }}"
112 |             group: wheel
113 |         - name: Set up SSH key for Jenkins
114 |           authorized_key:
115 |             user: "{{ jenkins_ssh_user }}"
116 |             key: "{{ jenkins_ssh_public_key_data }}"
117 |         # ...other host setup tasks...
118 |     ```
119 | 
120 | 1. Run the Terraform (if applicable) and the playbook.
121 | 1. Ensure you can log into Jenkins (at `jenkins_external_hostname`).
122 | 1. Follow the [manual configuration steps](docs/manual_config.md)
123 | 
124 | ## License
125 | 
126 | CC0
127 | 


--------------------------------------------------------------------------------
/defaults/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | jenkins_audit_file_path: /var/log/jenkins/audit.log.0
 3 | # the homepage may not be accessible if anonymous users don't have read permissions, so check the login page
 4 | jenkins_health_check_path: /login
 5 | 
 6 | jenkins_ssh_user: jenkins
 7 | 
 8 | ### Plugins ###
 9 | 
10 | # For more information on each plugin, visit
11 | #
12 | #   https://plugins.jenkins.io/<ID>
13 | #
14 | # Note that removing items from this list won't uninstall them.
15 | jenkins_plugins:
16 |   - ansible
17 |   - ansicolor
18 |   - audit-trail
19 |   - blueocean
20 |   - github
21 |   - pipeline-utility-steps
22 |   - role-strategy
23 |   - ssh-agent
24 |   - timestamper
25 |   - workflow-aggregator
26 |   - ws-cleanup
27 |   - saml
28 |   - periodicbackup
29 |   - aws-credentials
30 |   - packer
31 |   - docker
32 | 
33 | # Use this variable if you want to append to the recommended `jenkins_plugins` above.
34 | additional_jenkins_plugins: []
35 | 


--------------------------------------------------------------------------------
/docs/integration.md:
--------------------------------------------------------------------------------
 1 | # Example configuration
 2 | 
 3 | If you want to create a standalone Jenkins with the example out-of-the-box configuration provided in this repository, do the following:
 4 | 
 5 | ### Setup
 6 | 
 7 | 1. Install dependencies.
 8 |     * [Terraform](https://www.terraform.io/)
 9 |     * [Ansible](http://docs.ansible.com/ansible/intro_installation.html)
10 |     * [Terraform Inventory](https://github.com/adammck/terraform-inventory)
11 | 1. [Configure Terraform.](https://www.terraform.io/docs/providers/aws/#authentication)
12 | 1. Initialize Terraform.
13 | 
14 |     ```sh
15 |     cd terraform
16 |     terraform init
17 |     ```
18 | 
19 | 1. Create an Ansible secrets file.
20 | 
21 |     ```sh
22 |     cp tests/secrets-example.yml tests/group_vars/all/secrets.yml
23 |     # set values for the variables
24 |     ```
25 | 
26 | ### Usage
27 | 
28 | Simple! Just run `make`. Use `make destroy` to tear it down.
29 | 


--------------------------------------------------------------------------------
/docs/manual_config.md:
--------------------------------------------------------------------------------
 1 | # Manual configuration
 2 | 
 3 | The following steps need to be done by hand.
 4 | 
 5 | ### Access control
 6 | 
 7 | 1. Follow [the Role-Based Strategy guide](https://plugins.jenkins.io/role-strategy#RoleStrategyPlugin-Userguide).
 8 |     * [More information about the various permissions](https://wiki.jenkins.io/display/JENKINS/Matrix-based+security)
 9 | 1. Create a `developer` role with all but the `Agent` and `SCM` options.
10 | 1. Assign the role by adding a `group` called `authenticated`, selecting the `developer` checkbox.
11 | 
12 | ### Audit trail
13 | 
14 | 1. Click `Manage Jenkins`.
15 | 1. Click `Configure System`.
16 | 1. Under `Audit Trail`, click `Add Logger`, then `Log file`.
17 | 1. For `Log Location`, enter `/var/log/jenkins/audit.log`.
18 | 1. For `Log File Size`, enter `50` MB.
19 | 1. For `Log File Count`, enter `10`.
20 | 1. Click `Save`.
21 | 
22 | ## Credentials
23 | 
24 | 1. Visit `https://JENKINS_EXTERNAL_HOSTNAME/credentials/store/system/domain/_/newCredentials`
25 | 1. Fill in the form:
26 |     1. `Kind`: `SSH Username with private key`
27 |     1. `Scope`: `Global (Jenkins, nodes, items, all child items, etc)`
28 |     1. `Username`: `jenkins`
29 |     1. `Private Key`: `From the Jenkins master ~/.ssh`
30 |     1. `Passphrase`: the value from `vault_jenkins_ssh_key_passphrase`
31 |     1. `ID`: `jenkins-ssh-key`
32 |     1. `Description`: (empty)
33 | 1. Click `OK`.
34 | 1.  Use these Credentials from your Jobs.
35 | 
36 | ## Adding users
37 | 
38 | For each user:
39 | 
40 | 1. Generate a password. Here's an easy way on Linux:
41 | 
42 |     ```sh
43 |     cat /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9!@#\$%^&\*\(\)\+=_' | head -c 64
44 |     ```
45 | 
46 | 1. View the people list.
47 |     1. Click `Manage Jenkins`.
48 |     1. Click `Manage Users`.
49 |     1. If they exist already:
50 |         1. Click their username.
51 |         1. Click `Configure`.
52 |         1. Correct their `Full Name`.
53 |         1. Set their password.
54 |     1. If they don't, create a user for them.
55 |         1. Click `Create User`.
56 |         1. For the `Username`, use the first part of their GSA email. This will ensure that [it matches up to their commits](https://support.cloudbees.com/hc/en-us/articles/204498804-How-People-is-managed-by-Jenkins).
57 | 1. Send the password via [Fugacious](https://fugacious.18f.gov/).
58 | 
59 | ## Other
60 | 
61 | * Subscribe to [Jenkins security advisories](https://jenkins.io/security/).
62 | * When creating jobs/pipelines, don't include any spaces or special characters in the name, as this can break things in confusing ways.
63 | * Make sure to do cleanup, to prevent disk space from filling up.
64 |     * [Discard old builds](https://jenkins.io/doc/book/pipeline/syntax/#available-options)
65 |     * [Remove the workspace](https://jenkins.io/doc/pipeline/tour/post/#cleaning-up-and-notifications)
66 | 


--------------------------------------------------------------------------------
/docs/terraform.md:
--------------------------------------------------------------------------------
 1 | # Terraform modules
 2 | 
 3 | To create the Jenkins infrastructure, include the [Terraform modules](https://www.terraform.io/docs/modules/index.html) alongside your existing Terraform code:
 4 | 
 5 | ```hcl
 6 | # optional - use if you want a Jenkins-specific security group
 7 | module "jenkins_networking" {
 8 |   source = "./<path_to_ansible_role>/terraform/modules/networking"
 9 | 
10 |   vpc_id = "${<vpc_id>}"
11 | }
12 | 
13 | module "jenkins_instances" {
14 |   source = "./<path_to_ansible_role>/terraform/modules/instances"
15 | 
16 |   subnet_id = "${<subnet_id}"
17 |   # you can pass in a different security group name instead
18 |   vpc_security_group_ids = ["${module.jenkins_networking.sg_id}"]
19 | }
20 | ```
21 | 
22 | See the variables files in the [`networking`](../terraform/modules/networking/vars.tf) and [`instances`](../terraform/modules/instances/vars.tf) modules for more options. See the [example usage](../terraform/aws.tf).
23 | 


--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Restart rsyslog
3 |   service:
4 |     name: rsyslog
5 |     state: restarted
6 | 


--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
 1 | galaxy_info:
 2 |   author: Aidan Feldman
 3 |   description: Production-grade Jenkins
 4 |   company: General Services Administration
 5 | 
 6 |   # If the issue tracker for your role is not on github, uncomment the
 7 |   # next line and provide a value
 8 |   # issue_tracker_url: http://example.com/issue/tracker
 9 | 
10 |   license: CC0
11 | 
12 |   min_ansible_version: 2.4
13 | 
14 |   # If this a Container Enabled role, provide the minimum Ansible Container version.
15 |   # min_ansible_container_version:
16 | 
17 |   # Optionally specify the branch Galaxy will use when accessing the GitHub
18 |   # repo for this role. During role install, if no tags are available,
19 |   # Galaxy will use this branch. During import Galaxy will access files on
20 |   # this branch. If Travis integration is configured, only notifications for this
21 |   # branch will be accepted. Otherwise, in all cases, the repo's default branch
22 |   # (usually master) will be used.
23 |   #github_branch:
24 | 
25 |   #
26 |   # platforms is a list of platforms, and each platform has a name and a list of versions.
27 |   #
28 |   platforms:
29 |     - name: EL
30 |       versions:
31 |         - 7
32 | 
33 |   galaxy_tags:
34 |     # List tags for your role here, one per line. A tag is a keyword that describes
35 |     # and categorizes the role. Users find roles by searching for tags. Be sure to
36 |     # remove the '[]' above, if you add tags to this list.
37 |     #
38 |     # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
39 |     #       Maximum 20 tags per role.
40 |     - jenkins
41 |     - deployment
42 |     - continuous-deployment
43 |     - cd
44 | 
45 | dependencies:
46 | 
47 |   - role: srsp.oracle-java
48 |     java_remove_download: false
49 | 
50 |   - src: geerlingguy.jenkins
51 |     # use srsp.oracle-java instead
52 |     # https://github.com/geerlingguy/ansible-role-java/issues/42
53 |     java_packages: []
54 |     # handle the plugins ourselves - see `jenkins_plugin` use in tasks
55 |     jenkins_plugins: []
56 | 
57 |   - src: https://github.com/GSA/ansible-https-proxy
58 |     name: gsa.https-proxy
59 |     external_hostname: "{{ jenkins_external_hostname }}"
60 |     upstream_origin: "{{ jenkins_hostname }}:{{ jenkins_http_port }}"
61 |     # for backwards compatability, prior to https://github.com/GSA/jenkins-deploy/pull/36
62 |     nginx_proxy_vhost_path: "{{ nginx_vhost_path }}/jenkins.conf"
63 | 
64 |   - role: mauromedda.ansible_role_terraform
65 | 
66 |   - role: mauromedda.ansible_role_terragrunt
67 | 


--------------------------------------------------------------------------------
/tasks/logging.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: Install rsyslog
 3 |   yum:
 4 |     name: rsyslog
 5 | 
 6 | - name: Copy rsyslog config file
 7 |   template:
 8 |     src: rsyslog.conf
 9 |     dest: /etc/rsyslog.d/jenkins-audit.conf
10 |   notify: Restart rsyslog
11 | 


--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: Enable Extras repo for ansible
 3 |   ini_file:
 4 |     dest: /etc/yum.repos.d/redhat-rhui.repo
 5 |     section: rhui-REGION-rhel-server-extras
 6 |     option: enabled
 7 |     value: 1
 8 | 
 9 | - name: Set yum repo for AWSCLI
10 |   ini_file:
11 |     dest: /etc/yum.repos.d/redhat-rhui.repo
12 |     section: rhui-REGION-rhel-server-optional
13 |     option: enabled
14 |     value: 1
15 | 
16 | - name: Install dependencies
17 |   yum:
18 |     name:
19 |       - ansible
20 |       - awscli
21 |       - git
22 |       - python2-pip
23 |       # need latest versions for installing Jenkins plugins - otherwise get a certificate error
24 |       - ca-certificates
25 |       - python
26 |       - docker
27 |     state: latest
28 | 
29 | - name: Create a docker group
30 |   group:
31 |     name: docker
32 |     state: present
33 | 
34 | - name: Add the jenkins user to the docker group
35 |   user:
36 |     name: jenkins
37 |     groups: docker
38 |     state: present
39 |     append: yes
40 | 
41 | - name: Docker setup-set docker to start on boot
42 |   command: systemctl enable docker
43 |   become: true
44 |   become_user: root
45 |   become_method: sudo
46 | 
47 | - name: Docker setup-restart jenkins
48 |   command: systemctl restart docker
49 |   become: true
50 |   become_user: root
51 |   become_method: sudo
52 |   
53 | - name: Install dependencies for Jenkins modules
54 |   pip:
55 |     name: python-jenkins
56 | 
57 | # We handle the plugin installation ourselves, so that we can support appending to the default list. Code pulled from
58 | # https://github.com/geerlingguy/ansible-role-jenkins/pull/119
59 | - name: Install Jenkins plugins
60 |   jenkins_plugin:
61 |     name: "{{ item }}"
62 |     params:
63 |       url_username: "{{ jenkins_admin_username }}"
64 |     url_password: "{{ jenkins_admin_password }}"
65 |     url: http://{{ jenkins_hostname }}:{{ jenkins_http_port }}{{ jenkins_url_prefix }}
66 |     # some of the plugins are large, so give them extra time
67 |     timeout: 90
68 |   with_items: "{{ jenkins_plugins + additional_jenkins_plugins }}"
69 |   notify: restart jenkins
70 | 
71 | - name: Restart Jenkins, if necessary
72 |   meta: flush_handlers
73 | 
74 | # http://stackoverflow.com/a/34522653/358804
75 | - name: Wait for Jenkins to be available
76 |   uri:
77 |     url: http://{{ jenkins_hostname }}:{{ jenkins_http_port }}{{ jenkins_url_prefix }}{{ jenkins_health_check_path }}
78 |     return_content: true
79 |   register: jenkins_req
80 |   until: jenkins_req.status == 200
81 |   retries: 60
82 |   delay: 1
83 | 
84 | - name: Fail if Jenkins not available
85 |   fail:
86 |   when: "'Jenkins' not in jenkins_req.content"
87 | 
88 | - import_tasks: nginx.yml
89 | - import_tasks: logging.yml
90 | - import_tasks: ssh.yml
91 | 
92 | - name: Install terraform
93 |   include_role:
94 |     name: mauromedda.ansible_role_terraform
95 | 
96 | - name: Install terragrunt
97 |   include_role:
98 |     name: mauromedda.ansible_role_terragrunt
99 | 


--------------------------------------------------------------------------------
/tasks/nginx.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: Check nginx responds via HTTPS
 3 |   uri:
 4 |     url: https://localhost{{ jenkins_url_prefix }}{{ jenkins_health_check_path }}
 5 |     follow_redirects: none
 6 |     return_content: yes
 7 |     # TODO have it use the test cert
 8 |     validate_certs: no
 9 |   register: https_req
10 | - name: Fail if HTTPS response isn't from Jenkins
11 |   fail:
12 |   when: "'Jenkins' not in https_req.content"
13 | 


--------------------------------------------------------------------------------
/tasks/ssh.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: Create SSH directory
 3 |   file:
 4 |     path: "{{ jenkins_home }}/.ssh"
 5 |     state: directory
 6 |     owner: "{{ jenkins_process_user }}"
 7 |     group: "{{ jenkins_process_group }}"
 8 |     mode: 0700
 9 | 
10 | - name: Write private SSH key
11 |   copy:
12 |     content: "{{ jenkins_ssh_private_key_data }}"
13 |     dest: "{{ jenkins_home }}/.ssh/id_rsa"
14 |     owner: "{{ jenkins_process_user }}"
15 |     group: "{{ jenkins_process_group }}"
16 |     mode: 0600
17 | 
18 | - name: Write public SSH key
19 |   copy:
20 |     content: "{{ jenkins_ssh_public_key_data }}"
21 |     dest: "{{ jenkins_home }}/.ssh/id_rsa.pub"
22 |     owner: "{{ jenkins_process_user }}"
23 |     group: "{{ jenkins_process_group }}"
24 |     mode: 0644
25 | 


--------------------------------------------------------------------------------
/templates/rsyslog.conf:
--------------------------------------------------------------------------------
1 | # http://www.rsyslog.com/doc/v7-stable/configuration/modules/imfile.html
2 | 
3 | $ModLoad imfile
4 | 
5 | $InputFileName {{ jenkins_audit_file_path }}
6 | $InputFileTag jenkins-audit:
7 | $InputFileStateFile stat-jenkins-audit
8 | 


--------------------------------------------------------------------------------
/terraform/aws.tf:
--------------------------------------------------------------------------------
 1 | provider "aws" {
 2 |   region = "${var.region}"
 3 | }
 4 | 
 5 | data "aws_region" "current" {
 6 |   current = true
 7 | }
 8 | 
 9 | data "aws_vpc" "default" {
10 |   default = true
11 | }
12 | 
13 | data "aws_subnet_ids" "all" {
14 |   vpc_id = "${data.aws_vpc.default.id}"
15 | }
16 | 
17 | module "networking" {
18 |   source = "./modules/networking"
19 | 
20 |   vpc_id = "${data.aws_vpc.default.id}"
21 | }
22 | 
23 | module "instances" {
24 |   source = "./modules/instances"
25 | 
26 |   key_name = "${var.key_name}"
27 |   # pick first subnet in default VPC, arbitrarily
28 |   subnet_id = "${element(data.aws_subnet_ids.all.ids, 0)}"
29 |   vpc_security_group_ids = ["${module.networking.sg_id}"]
30 | }
31 | 


--------------------------------------------------------------------------------
/terraform/modules/instances/master.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_instance" "jenkins" {
 2 |   instance_type = "${var.instance_type}"
 3 |   ami = "${var.ami}"
 4 |   key_name = "${var.key_name}"
 5 | 
 6 |   subnet_id = "${var.subnet_id}"
 7 |   vpc_security_group_ids = ["${var.vpc_security_group_ids}"]
 8 | 
 9 |   iam_instance_profile = "${var.iam_instance_profile}"
10 | 
11 |   # The connection block tells our provisioner how to
12 |   # communicate with the resource (instance)
13 |   connection {
14 |     # The default username for our AMI
15 |     user = "${var.vm_user}"
16 | 
17 |     # The connection will use the local SSH agent for authentication.
18 |   }
19 | 
20 |   tags {
21 |     "Name" = "${var.jenkins_name}"
22 |   }
23 | 
24 |   # force Terraform to wait until a connection can be made, so that Ansible doesn't fail when trying to provision
25 |   provisioner "remote-exec" {
26 |     inline = [
27 |       "echo 'Remote execution connected.'"
28 |     ]
29 |   }
30 | }
31 | 


--------------------------------------------------------------------------------
/terraform/modules/instances/outputs.tf:
--------------------------------------------------------------------------------
 1 | output "public_ip" {
 2 |   value = "${aws_instance.jenkins.public_ip}"
 3 | }
 4 | 
 5 | output "private_ip" {
 6 |   value = "${aws_instance.jenkins.private_ip}"
 7 | }
 8 | 
 9 | output "instance_id" {
10 |   value = "${aws_instance.jenkins.id}"
11 | }


--------------------------------------------------------------------------------
/terraform/modules/instances/vars.tf:
--------------------------------------------------------------------------------
 1 | variable "jenkins_name" {
 2 |   description = "The name of the Jenkins server."
 3 |   default = "jenkins"
 4 | }
 5 | 
 6 | variable "ami" {
 7 |   # RHEL 7.0 (HVM)
 8 |   # https://aws.amazon.com/marketplace/pp/B00KWBZVK6
 9 |   default = "ami-a8d369c0"
10 | }
11 | 
12 | variable "instance_type" {
13 |   default = "t2.micro"
14 | }
15 | 
16 | variable "iam_instance_profile" {
17 |   default = ""
18 | }
19 | 
20 | # networking
21 | variable "vpc_security_group_ids" {
22 |   type = "list"
23 | }
24 | variable "subnet_id" {
25 |   type = "string"
26 | }
27 | 
28 | variable "key_name" {
29 |   default = "jenkins"
30 |   description = "SSH key name in your AWS account for AWS instances."
31 | }
32 | 
33 | variable "vm_user" {
34 |   default = "ec2-user"
35 | }
36 | 


--------------------------------------------------------------------------------
/terraform/modules/networking/outputs.tf:
--------------------------------------------------------------------------------
1 | output "sg_id" {
2 |   value = "${aws_security_group.sg_jenkins.id}"
3 | }
4 | 


--------------------------------------------------------------------------------
/terraform/modules/networking/security_group.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_security_group" "sg_jenkins" {
 2 |   name = "${var.sg_name}"
 3 |   description = "Allows all traffic"
 4 | 
 5 |   vpc_id = "${var.vpc_id}"
 6 | 
 7 |   # SSH
 8 |   ingress {
 9 |     from_port = 22
10 |     to_port = 22
11 |     protocol = "tcp"
12 |     cidr_blocks = ["${var.ssh_cidrs}"]
13 |   }
14 | 
15 |   # HTTP, for redirecting to HTTPS
16 |   ingress {
17 |     from_port = 80
18 |     to_port = 80
19 |     protocol = "tcp"
20 |     cidr_blocks = ["${var.http_cidrs}"]
21 |   }
22 | 
23 |   # HTTPS
24 |   ingress {
25 |     from_port = 443
26 |     to_port = 443
27 |     protocol = "tcp"
28 |     cidr_blocks = ["${var.http_cidrs}"]
29 |   }
30 | 
31 |   egress {
32 |     from_port = 0
33 |     to_port = 0
34 |     protocol = "-1"
35 |     cidr_blocks = ["0.0.0.0/0"]
36 |   }
37 | }
38 | 


--------------------------------------------------------------------------------
/terraform/modules/networking/vars.tf:
--------------------------------------------------------------------------------
 1 | variable "vpc_id" {
 2 |   type = "string"
 3 | }
 4 | 
 5 | variable "sg_name" {
 6 |   default = "sg_jenkins"
 7 |   description = "Security group name"
 8 | }
 9 | 
10 | variable "http_cidrs" {
11 |   default = ["0.0.0.0/0"]
12 |   description = "CIDRs for accessing the instance via HTTP(S)."
13 | }
14 | 
15 | variable "ssh_cidrs" {
16 |   default = ["0.0.0.0/0"]
17 |   description = "CIDRs for accessing the instance via SSH."
18 | }
19 | 


--------------------------------------------------------------------------------
/terraform/outputs.tf:
--------------------------------------------------------------------------------
1 | output "ip" {
2 |   value = "${module.instances.public_ip}"
3 | }
4 | 
5 | output "instance_id" {
6 |   value = "${module.instances.instance_id}"
7 | }


--------------------------------------------------------------------------------
/terraform/vars.tf:
--------------------------------------------------------------------------------
 1 | variable "region" {
 2 |   description = "The AWS region to create resources in."
 3 |   default = "us-east-1"
 4 | }
 5 | 
 6 | variable "key_name" {
 7 |   default = "jenkins"
 8 |   description = "SSH key name in your AWS account for AWS instances."
 9 | }
10 | 


--------------------------------------------------------------------------------
/tests/ansible.cfg:
--------------------------------------------------------------------------------
1 | [defaults]
2 | # without this, the connection to a new instance is interactive
3 | host_key_checking = False
4 | 
5 | roles_path = roles/:../../
6 | 


--------------------------------------------------------------------------------
/tests/files/Jenkinsfile:
--------------------------------------------------------------------------------
 1 | #!groovy
 2 | 
 3 | pipeline {
 4 |   agent any
 5 | 
 6 |   stages {
 7 |     stage('Setup') {
 8 |       steps {
 9 |         git 'https://github.com/ansible/tower-example.git'
10 |         sh 'ansible --version'
11 |       }
12 |     }
13 | 
14 |     stage('Provision') {
15 |       steps {
16 |         ansiColor('xterm') {
17 |           ansiblePlaybook playbook: 'helloworld.yml', colorized: true
18 |         }
19 |       }
20 |     }
21 |   }
22 | }
23 | 


--------------------------------------------------------------------------------
/tests/files/job.xml:
--------------------------------------------------------------------------------
 1 | <?xml version='1.0' encoding='UTF-8'?>
 2 | <flow-definition plugin="workflow-job@2.10">
 3 |   <actions/>
 4 |   <description></description>
 5 |   <keepDependencies>false</keepDependencies>
 6 |   <properties>
 7 |     <org.jenkinsci.plugins.workflow.job.properties.PipelineTriggersJobProperty>
 8 |       <triggers/>
 9 |     </org.jenkinsci.plugins.workflow.job.properties.PipelineTriggersJobProperty>
10 |   </properties>
11 |   <definition class="org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition" plugin="workflow-cps@2.30">
12 |     <script>node {
13 |    echo &apos;Hello World&apos;
14 | }</script>
15 |     <sandbox>true</sandbox>
16 |   </definition>
17 |   <triggers/>
18 | </flow-definition>
19 | 


--------------------------------------------------------------------------------
/tests/group_vars/all/.keep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GSA/jenkins-deploy/af222abb4d0c97a1d7647cd36d92184382525f0b/tests/group_vars/all/.keep


--------------------------------------------------------------------------------
/tests/group_vars/all/ssh.yml:
--------------------------------------------------------------------------------
1 | ---
2 | jenkins_ssh_private_key_data: DUMMY_KEY
3 | jenkins_ssh_public_key_data: DUMMY_KEY
4 | 


--------------------------------------------------------------------------------
/tests/hosts-docker:
--------------------------------------------------------------------------------
1 | remote ansible_connection=docker
2 | 


--------------------------------------------------------------------------------
/tests/requirements.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # gsa.jenkins role dependencies, which should match what's in `dependencies` list of `../meta/main.yml`.
3 | - src: geerlingguy.jenkins
4 | - src: srsp.oracle-java
5 | - src: https://github.com/GSA/ansible-https-proxy
6 |   name: gsa.https-proxy
7 | - src: mauromedda.ansible_role_terraform
8 | - src: mauromedda.ansible_role_terragrunt


--------------------------------------------------------------------------------
/tests/secrets-example.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # note changing this after the initial setup has no effect
3 | jenkins_admin_password: ...
4 | 


--------------------------------------------------------------------------------
/tests/test.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - hosts: all
 3 |   name: Set up Jenkins
 4 |   pre_tasks:
 5 |     - set_fact:
 6 |         jenkins_external_hostname: "{{ inventory_hostname }}"
 7 |   roles:
 8 |     # needs to match repository name; when the role is included normally, it will be `gsa.jenkins`
 9 |     - jenkins-deploy
10 |   tasks:
11 | 
12 |     - name: Install jenkins_job dependencies
13 |       yum:
14 |         name: python-lxml
15 | 
16 |     - name: Set up pipeline
17 |       jenkins_job:
18 |         config: "{{ lookup('file', 'files/job.xml') }}"
19 |         name: test-auto
20 |         user: "{{ jenkins_admin_username }}"
21 |         password: "{{ jenkins_admin_password }}"
22 | 


--------------------------------------------------------------------------------