####################################################################################
# ci.jenkins.io resources
####################################################################################
### Network resources
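# Static public IPv4 for the controller. It is allocated on its own and attached
# through a separate association (below) rather than by the instance, so the
# address - and the A records pointing at it - survive an instance replacement.
# Tagged like every other resource in this file (cost/ownership reporting).
resource "aws_eip" "ci_jenkins_io" {
  domain = "vpc"
  tags   = local.common_tags
}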
# Binds the static EIP above to the controller instance.
resource "aws_eip_association" "ci_jenkins_io" {
  allocation_id = aws_eip.ci_jenkins_io.id
  instance_id   = aws_instance.ci_jenkins_io.id
}
### IAM resources: an instance profile so the controller VM gets the credentials the EC2 plugin needs from IMDS (no static access keys on the box)
# Trust policy: only the EC2 service may assume the controller role, which is
# what lets an instance profile hand the role's credentials to the VM.
data "aws_iam_policy_document" "assume_role_ec2" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      identifiers = ["ec2.amazonaws.com"]
      type        = "Service"
    }
  }
}
# Role assumed by the controller VM (through its instance profile).
# Its permissions are the inline policy `ci_jenkins_io_ec2_agents` below.
resource "aws_iam_role" "ci_jenkins_io" {
  assume_role_policy = data.aws_iam_policy_document.assume_role_ec2.json
  name               = "ci-jenkins-io"
  tags               = local.common_tags
}
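# Instance profile wrapping the controller role; referenced by the aws_instance below.
# Tagged for consistency with the role and the other resources in this file.
resource "aws_iam_instance_profile" "ci_jenkins_io" {
  name = "ci-jenkins-io"
  role = aws_iam_role.ci_jenkins_io.name
  tags = local.common_tags
}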
# Inline policy attaching the EC2-plugin permissions to the controller role.
resource "aws_iam_role_policy" "ci_jenkins_io_ec2_agents" {
  role   = aws_iam_role.ci_jenkins_io.id
  name   = "ci-jenkins-io-ec2-agents"
  policy = data.aws_iam_policy_document.jenkins_ec2_agents.json
}
# Permissions required by Jenkins EC2 plugin in https://plugins.jenkins.io/ec2/#plugin-content-iam-setup
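# Permissions the controller's instance profile grants to the Jenkins EC2 plugin.
# They follow the plugin's documented minimum, but every action is allowed on "*",
# i.e. on every instance in the account, not only on the agents the plugin creates.
# Whoever can run code on the controller (including pipeline steps) effectively holds
# these permissions, so `iam:PassRole` is kept in its own, conditioned statement.
data "aws_iam_policy_document" "jenkins_ec2_agents" {
  # EC2 calls the plugin makes to provision, tag, inspect and terminate agents.
  # `ec2:GetPasswordData` only serves Windows agents (it returns the Administrator
  # password) - drop it if no Windows agent template exists.
  statement {
    sid    = "jenkinsEC2"
    effect = "Allow"
    actions = [
      "ec2:DescribeSpotInstanceRequests",
      "ec2:CancelSpotInstanceRequests",
      "ec2:GetConsoleOutput",
      "ec2:RequestSpotInstances",
      "ec2:RunInstances",
      "ec2:StartInstances",
      "ec2:StopInstances",
      "ec2:TerminateInstances",
      "ec2:CreateTags",
      "ec2:DeleteTags",
      "ec2:DescribeInstances",
      "ec2:DescribeInstanceTypes",
      "ec2:DescribeKeyPairs",
      "ec2:DescribeRegions",
      "ec2:DescribeImages",
      "ec2:DescribeAvailabilityZones",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeSubnets",
      "iam:ListInstanceProfilesForRole",
      "ec2:GetPasswordData",
    ]
    ## We allow all resources names
    # tfsec:ignore:AWS099
    resources = ["*"]
  }

  # `iam:PassRole` on "*" is the privilege-escalation primitive in this policy:
  # combined with `ec2:RunInstances` it lets the caller launch an instance under
  # ANY role in the account and, via user_data, run code with that role.
  # The plugin only ever passes a role to EC2 (RunInstances with an instance
  # profile), so pinning the target service is backward compatible.
  # TODO: narrow `resources` to the ARN(s) of the agent instance-profile role(s).
  statement {
    sid     = "jenkinsEC2PassRole"
    effect  = "Allow"
    actions = ["iam:PassRole"]
    # tfsec:ignore:AWS099
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.amazonaws.com"]
    }
  }
}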
### Compute Resources
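# SSH key pair for the controller VM itself (passed as `key_name` to the instance).
# Only the public half is committed here; the key is RSA today - AWS also accepts
# ed25519, worth considering at the next rotation. Tagged like the `deployer` key pair.
resource "aws_key_pair" "ci_jenkins_io" {
  key_name = "ci-jenkins-io"
  # Private key 'id_jenkins-infra-team' encrypted in our SOPS vault
  public_key = "ssh-rsa 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"
  tags       = local.common_tags
}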
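# The ci.jenkins.io controller VM: Internet-facing (public subnet + public IP),
# reachable only through the security groups listed below, and carrying the
# instance profile whose role holds the EC2-plugin permissions.
resource "aws_instance" "ci_jenkins_io" {
  ami                  = "ami-0700ac71a4832f3b3" # Ubuntu 22.04 - arm64 - 2024-11-15 (no need to update it unless recreating the VM)
  instance_type        = "m8g.xlarge"            # 4vcpu 16Go https://aws.amazon.com/fr/ec2/instance-types/
  iam_instance_profile = aws_iam_instance_profile.ci_jenkins_io.name

  # Public subnet and a public address: inbound exposure is decided solely by the
  # security groups (SSH restricted, HTTP open, plus the controller-specific group).
  subnet_id                   = module.vpc.public_subnets[0]
  associate_public_ip_address = true
  vpc_security_group_ids = [
    aws_security_group.restricted_in_ssh.id,
    aws_security_group.unrestricted_in_http.id,
    aws_security_group.unrestricted_out_http.id,
    aws_security_group.allow_out_puppet_jenkins_io.id,
    aws_security_group.ci_jenkins_io_controller.id,
  ]
  key_name = aws_key_pair.ci_jenkins_io.key_name

  # `disable_api_termination` only blocks TerminateInstances calls from the console
  # or API. Terraform can still plan a replacement of this instance (for example on
  # an `ami` change); `prevent_destroy` makes such a plan fail before anything is
  # touched, so recreating the VM becomes an explicit, two-step decision.
  disable_api_termination = true # Protect ourselves from accidental deletion
  lifecycle {
    prevent_destroy = true
  }

  # cloud-init user data is served by IMDS and readable with ec2:DescribeInstanceAttribute:
  # keep secrets out of the template (it only receives the hostname and admin user here).
  user_data = templatefile("${path.root}/.shared-tools/terraform/cloudinit.tftpl", { hostname = local.ci_jenkins_io["controller_vm_fqdn"], admin_username = "ubuntu" })

  root_block_device {
    delete_on_termination = false # Even if we terminate the machine
    encrypted             = true  # no kms_key_id: the default AWS-managed EBS key is used
    volume_type           = "gp3"
    volume_size           = 300
    tags                  = local.common_tags
  }
  ebs_optimized = true

  metadata_options {
    # EC2 recommends setting IMDSv2 to required - https://aws.amazon.com/blogs/security/get-the-full-benefits-of-imdsv2-and-disable-imdsv1-across-your-aws-infrastructure/
    http_tokens = "required"
    # Needed to obtain IMDSv2 token from inside a docker container with a NAT network + AWS SDK proxy
    # Trade-off: this also lets any container on the host reach the instance-profile
    # credentials, i.e. the EC2-plugin permissions granted to the controller role.
    http_put_response_hop_limit = 3
  }

  tags = merge(
    local.common_tags,
    { "Name" = "ci-jenkins-io" }
  )
}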
## SSH Key used to access EC2 Agents (private key stored encrypted in SOPS)
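# Key pair injected into the EC2 agents launched by the plugin.
# Only the FIRST non-empty line of `ec2_agents_authorized_keys` becomes the key;
# text after a `#` on that line is treated as a comment and dropped, and any
# further lines in the file are ignored by this resource.
# The file is resolved against the root module, like the cloud-init template of
# the controller instance, instead of the current working directory.
resource "aws_key_pair" "deployer" {
  key_name   = "deployer-key"
  public_key = trimspace(element(split("#", compact(split("\n", file("${path.root}/ec2_agents_authorized_keys")))[0]), 0))
  tags       = local.common_tags
}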
### DNS Zone delegated from Azure DNS (jenkins-infra/azure-net)
# `updatecli` maintains sync between the 2 repositories using the infra reports (see outputs.tf)
# Public hosted zone for the controller FQDN; its name servers are published by the
# parent zone in Azure DNS (see the outputs consumed by updatecli).
resource "aws_route53_zone" "aws_ci_jenkins_io" {
  tags = local.common_tags
  name = local.ci_jenkins_io.controller_vm_fqdn
}
# Apex A record -> the controller's static EIP. Short TTL so a re-association propagates quickly.
resource "aws_route53_record" "a_aws_ci_jenkins_io" {
  name    = local.ci_jenkins_io.controller_vm_fqdn
  type    = "A"
  ttl     = 60
  zone_id = aws_route53_zone.aws_ci_jenkins_io.zone_id
  records = [aws_eip.ci_jenkins_io.public_ip]
}
# Apex AAAA record -> the controller's IPv6 addresses (not static, unlike the EIP:
# they follow the instance, so a replacement changes them).
# NOTE(review): `records` must be non-empty, so the subnet is assumed to assign IPv6 - confirm.
resource "aws_route53_record" "aaaa_aws_ci_jenkins_io" {
  name    = local.ci_jenkins_io.controller_vm_fqdn
  type    = "AAAA"
  ttl     = 60
  zone_id = aws_route53_zone.aws_ci_jenkins_io.zone_id
  records = aws_instance.ci_jenkins_io.ipv6_addresses
}
# `assets.` A record, pointing at the same EIP as the apex (same host, distinct name).
resource "aws_route53_record" "a_assets_aws_ci_jenkins_io" {
  name    = "assets.${local.ci_jenkins_io.controller_vm_fqdn}"
  type    = "A"
  ttl     = 60
  zone_id = aws_route53_zone.aws_ci_jenkins_io.zone_id
  records = [aws_eip.ci_jenkins_io.public_ip]
}
# `assets.` AAAA record, mirroring the apex AAAA record (same instance addresses).
resource "aws_route53_record" "aaaa_assets_aws_ci_jenkins_io" {
  name    = "assets.${local.ci_jenkins_io.controller_vm_fqdn}"
  type    = "AAAA"
  ttl     = 60
  zone_id = aws_route53_zone.aws_ci_jenkins_io.zone_id
  records = aws_instance.ci_jenkins_io.ipv6_addresses
}