Terraform module which creates a serverless Jenkins environment based on AWS Fargate. The following resources are created:

- Two Amazon ECS clusters:
  - One utilizing the standard `FARGATE` capacity provider, which is to be used by the Jenkins controller and high priority agents.
  - One utilizing the `FARGATE_SPOT` capacity provider, which is to be used by Jenkins agents which handle lower priority jobs.
- Amazon ECS service and task for the Jenkins controller.
- Jenkins controller Docker container, including the amazon-ecs-plugin.
- Amazon ECR repository for storing the above container.
- Application Load Balancer.
- Amazon Elastic File System to provide stateful storage for the Jenkins controller.
- AWS Backup vault and schedule to back up the EFS file system.
- AWS Cloud Map service discovery domain and entry for the Jenkins controller (for agent -> controller discovery).
- IAM roles for the above components.
- Security groups for the above components.

An example is included in the `example` directory.
The following are required to deploy this Terraform module:

- Terraform 0.13+ - Download at https://www.terraform.io/downloads.html
- Docker 19+ - Download at https://docs.docker.com/get-docker/
- A VPC with at least two public and two private subnets.
- An SSL certificate to associate with the Application Load Balancer. It's recommended to use an ACM certificate. This is not done by the main Terraform module. However, the example in the `example` directory uses the public AWS ACM module to create the ACM certificate and pass it to the Serverless Jenkins module. You may choose to do it this way or explicitly pass the ARN of a certificate that you had previously created or imported into ACM.
- An admin password for Jenkins must be stored in SSM Parameter Store. This parameter must be of type `SecureString` and have the name `jenkins-pwd`.
- Terraform must be bootstrapped. This means that a state S3 bucket and a state locking DynamoDB table must be initialized.
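The `jenkins-pwd` parameter can be created with Terraform from a separate root module (for instance alongside the bootstrap). The following is an added example, not code from this module or its `example` directory; the variable name and the KMS alias `alias/jenkins-ssm` are assumptions:

```hcl
# Added example: creates the SecureString parameter the module expects.
# Assumptions: the password is supplied via TF_VAR_jenkins_admin_password and
# a customer-managed KMS key with alias "alias/jenkins-ssm" already exists.

variable "jenkins_admin_password" {
  description = "Initial Jenkins admin password. Supply via TF_VAR_jenkins_admin_password; never commit it."
  type        = string
  sensitive   = true # Terraform 0.14+; drop this attribute on 0.13
}

# Hypothetical customer-managed key. Omit key_id on the parameter to fall back
# to the AWS managed aws/ssm key, which is shared by every SecureString in the account.
data "aws_kms_alias" "ssm" {
  name = "alias/jenkins-ssm"
}

resource "aws_ssm_parameter" "jenkins_pwd" {
  name   = "jenkins-pwd"   # name the module looks for
  type   = "SecureString"  # must not be String or StringList
  value  = var.jenkins_admin_password
  key_id = data.aws_kms_alias.ssm.target_key_id

  # Allow the password to be rotated out of band (console, CLI, or from Jenkins)
  # without the next apply reverting it to the value Terraform last saw.
  lifecycle {
    ignore_changes = [value]
  }

  tags = {
    Service = "serverless-jenkins"
  }
}

output "jenkins_pwd_parameter_arn" {
  value = aws_ssm_parameter.jenkins_pwd.arn
}
```

Because the value passes through Terraform it is written to the state file, which is one reason the state bucket created by the bootstrap must be encrypted and tightly access-controlled. If you prefer to keep the password out of state entirely, create the parameter out of band and reference it only by name or ARN.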
This is packaged as a Terraform module, which means it's not directly deployable. However, there is a deployable example in the `example` directory. To deploy the example:

- Ensure you have met all the prerequisites above.
- If necessary, execute the bootstrap in the `bootstrap` directory. This will create a Terraform state bucket and state locking table. This step may be unnecessary if you already have an established Terraform environment.
- Copy `vars.sh.example` to `vars.sh`.
- Edit the variables in `vars.sh` as necessary, giving all details specific to your environment (VPC, subnets, state bucket and state locking table, etc.).
- Run `deploy_example.sh`.
No requirements. The module declares no `required_version` or provider version constraints, which is why the provider versions below read `n/a`; pin the providers in the root module that calls it.

The module uses the following providers:

Name | Version |
---|---|
aws | n/a |
null | n/a |
template | n/a |

No modules.
The module accepts the following input variables:

Name | Description | Type | Default | Required |
---|---|---|---|---|
account_id | The target AWS account's id | string | n/a | yes |
alb_access_logs_bucket_name | S3 bucket that receives ALB access logs, if `alb_enable_access_logs` is true | string | null | no |
alb_access_logs_s3_prefix | S3 key prefix for ALB access logs | bool | null | no |
alb_acm_certificate_arn | The ACM certificate ARN to use for the ALB | string | n/a | yes |
alb_create_security_group | Should a security group allowing all traffic on ports 80 and 443 be created for the ALB. If false, a valid list of security groups must be passed with `alb_security_group_ids` | bool | true | no |
alb_enable_access_logs | Enable ALB access logging to S3 | bool | false | no |
alb_ingress_allow_cidrs | A list of CIDRs to allow inbound into Jenkins | list(string) | null | no |
alb_security_group_ids | A list of security group ids to attach to the Application Load Balancer | list(string) | null | no |
alb_subnet_ids | A list of subnets for the Application Load Balancer | list(string) | null | no |
alb_type_internal | Create an internal ALB instead of an internet-facing one | bool | false | no |
docker_folder | The path to a folder containing a Dockerfile and a Jenkins YAML template. If not set, the default is to use the included files in `./docker` | string | null | no |
ecs_execution_role_arn | A custom execution role to use as the ECS execution role (optional) | string | null | no |
efs_access_point_gid | The gid number to associate with the EFS access point | number | 1000 | no |
efs_access_point_uid | The uid number to associate with the EFS access point | number | 1000 | no |
efs_backup_cold_storage_after_days | Number of days until backup is moved to cold storage | number | 30 | no |
efs_backup_completion_window | A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup | number | 120 | no |
efs_backup_delete_after_days | Number of days until backup is deleted. If cold storage transition `efs_backup_cold_storage_after_days` is declared, the delete value must be at least 90 days greater | number | 120 | no |
efs_backup_schedule | AWS Backup schedule expression (cron) for the EFS backup plan | string | "cron(0 00 * * ? *)" | no |
efs_backup_start_window | A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully | number | 60 | no |
efs_enable_backup | Create an AWS Backup vault and plan for the EFS file system | bool | true | no |
efs_enable_encryption | Enable encryption at rest for the EFS file system | bool | true | no |
efs_ia_lifecycle_policy | EFS lifecycle policy for transitioning files to Infrequent Access storage (e.g. `AFTER_30_DAYS`) | string | null | no |
efs_kms_key_arn | ARN of the KMS key used for EFS encryption at rest. If null, the AWS managed EFS key is used | string | null | no |
efs_performance_mode | EFS performance mode (`generalPurpose` or `maxIO`) | string | "generalPurpose" | no |
efs_provisioned_throughput_in_mibps | Provisioned throughput in MiB/s, used when `efs_throughput_mode` is `provisioned` | number | null | no |
efs_subnet_ids | A list of subnets to attach to the EFS mount targets | list(string) | null | no |
efs_throughput_mode | EFS throughput mode (`bursting` or `provisioned`) | string | "bursting" | no |
jenkins_controller_cpu | Fargate CPU units for the Jenkins controller task | number | 2048 | no |
jenkins_controller_memory | Memory (MiB) for the Jenkins controller task | number | 4096 | no |
jenkins_controller_port | Port on which the Jenkins controller web UI listens | number | 8080 | no |
jenkins_controller_subnet_ids | A list of subnets for the Jenkins controller Fargate service (required; no default) | list(string) | null | no |
jenkins_controller_task_log_retention_days | Retention in days for the Jenkins controller task's log group | number | 30 | no |
jenkins_controller_task_role_arn | A custom task role to use for the Jenkins controller (optional) | string | null | no |
jenkins_ecr_repository_name | Name for the Jenkins controller ECR repository | string | "serverless-jenkins-controller" | no |
jenkins_jnlp_port | Port on which the controller accepts inbound (JNLP) agent connections | number | 50000 | no |
name_prefix | Prefix applied to the names of created resources | string | "serverless-jenkins" | no |
region | The target AWS region | string | n/a | yes |
route53_alias_name | The CNAME alias for the ALB, if `route53_create_alias` is true | string | "jenkins-controller" | no |
route53_create_alias | Create a CNAME alias for the ALB | string | false | no |
route53_zone_id | An existing zone id to place the alias in, if `route53_create_alias` is true | string | null | no |
secrets | A map of environment variables used to populate the secrets section of the Jenkins controller task definition. The map is defined as environment variable name to SSM parameter ARN | map(string) | {} | no |
tags | An object of tag key value pairs | map(any) | {} | no |
template_vars | A map of key/value pairs that will be added to the default set, overriding existing keys, and injected into the `jenkins.yaml.tpl` file to generate `jenkins.yaml` | map(any) | {} | no |
vpc_id | The id of the VPC in which resources are created | string | n/a | yes |
The module exposes the following outputs:

Name | Description |
---|---|
efs_access_point_id | The id of the EFS access point |
efs_aws_backup_plan_name | The name of the AWS Backup plan used for EFS backups |
efs_aws_backup_vault_name | The name of the AWS Backup vault used for EFS backups |
efs_file_system_dns_name | The DNS name of the EFS file system |
efs_file_system_id | The id of the EFS file system |
efs_security_group_id | The id of the EFS security group |
jenkins_controller_task_role | The ARN of the task role used by or created for the Jenkins controller |

See CONTRIBUTING for more information.

This library is licensed under the MIT-0 License. See the LICENSE file.