From 1e6ea294bcb9dbe397b075b4a44293fdbcb1ae65 Mon Sep 17 00:00:00 2001 From: Kevin Yung Date: Mon, 10 Jul 2017 16:29:27 +1000 Subject: [PATCH 1/2] parameterize git repo --- docs/development.md | 2 +- pipeline/tasks/jenkins.rake | 8 ++++- .../templates/workshop-jenkins.json | 29 ++++++++++++++----- 3 files changed, 29 insertions(+), 10 deletions(-) diff --git a/docs/development.md b/docs/development.md index 358b2a8..65e4cb6 100644 --- a/docs/development.md +++ b/docs/development.md @@ -36,7 +36,7 @@ You can include a parameter to specify your VPN CIDR block for a more secure NAC Limits inbound/outbound traffic to the VPC, Github and your CIDR block. ```bash $ bundle install -$ rake jenkins:create['192.0.0.0/24'] +$ rake jenkins:create['192.0.0.0/24','git-repo-url'] ``` ## Updating CloudFormation Templates diff --git a/pipeline/tasks/jenkins.rake b/pipeline/tasks/jenkins.rake index a1bb81b..245c148 100644 --- a/pipeline/tasks/jenkins.rake +++ b/pipeline/tasks/jenkins.rake @@ -10,11 +10,13 @@ region = 'us-east-1' if ENV['AWS_REGION'].nil? namespace :jenkins do desc 'Create a Workshop VPC + Jenkins' # task :create, [:vpc_id, :subnet_id, :world_cidr] do |_, opts| - task :create, [:world_cidr] do |_, opts| + task :create, [:world_cidr, :gitrepo_url] do |_, opts| opts[:world_cidr] = '0.0.0.0/0' world_cidr = opts[:world_cidr] + gitrepo_url = opts[:gitrepo_url] world_cidr = '0.0.0.0/0' if world_cidr.nil? + gitrepo_url = 'git@github.com:stelligent/aws-devsecops-workshop.git' if gitrepo_url.nil? # Compile the template cfn_template_path = 'provisioning/cloudformation/templates/workshop-jenkins' @@ -32,6 +34,10 @@ namespace :jenkins do { parameter_key: 'WorldCIDR', parameter_value: world_cidr + }, + { + parameter_key: 'GitRepoUrl', + parameter_value: gitrepo_url } ] ) diff --git a/provisioning/cloudformation/templates/workshop-jenkins.json b/provisioning/cloudformation/templates/workshop-jenkins.json index 5253249..12a5d4e 100644 
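Review bot: In the jenkins.rake hunk at -10, `gitrepo_url` is read from the task argument and only defaulted when nil, so an empty string (`rake jenkins:create['10.0.0.0/24','']`) passes through unchanged and nothing in the hunk checks the value before it becomes the `GitRepoUrl` stack parameter, which the workshop-jenkins.json hunks at -338 and -425 then splice unescaped into a double-quoted `export git_repo_url="…"` shell line and a `sed "s#…#${git_repo_url}#g"` expression, both of which break or misbehave on `"`, `$`, `#` or `&` in the value. Suggest failing fast in the task: `gitrepo_url = 'git@github.com:stelligent/aws-devsecops-workshop.git' if gitrepo_url.nil? || gitrepo_url.empty?` followed by `raise ArgumentError, "gitrepo_url contains unexpected characters" unless gitrepo_url.match?(%r{\A[\w.@:/+-]+\z})`, which still admits the `git@host:org/repo.git` and `https://host/org/repo.git` forms. The same constraint belongs on the `GitRepoUrl` parameter in the template as an `AllowedPattern` with a `ConstraintDescription`, so it also holds when the template is launched without this task. The `opts[:world_cidr] = '0.0.0.0/0'` context line above the new code overwrites the caller's CIDR unconditionally; that predates this change, but the defaulting pattern copied from it is worth re-examining at the same time.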
--- a/provisioning/cloudformation/templates/workshop-jenkins.json
+++ b/provisioning/cloudformation/templates/workshop-jenkins.json
@@ -16,6 +16,11 @@
 "Type": "String",
 "Description": "The CIDR block to allow HTTP access to Jenkins with.",
 "Default": "192.30.252.0/22"
+ },
+ "GitRepoUrl": {
+ "Type": "String",
+ "Description": "Your Customized Github Repo aws-devsecops-workshop. Default: git@github.com:stelligent/aws-devsecops-workshop.git",
+ "Default": "git@github.com:stelligent/aws-devsecops-workshop.git"
 }
 },
 "Resources": {
@@ -157,14 +162,6 @@
 "Ref": "WorldCIDR"
 }
 },
- {
- "IpProtocol": "tcp",
- "FromPort": "443",
- "ToPort": "443",
- "CidrIp": {
- "Ref": "GithubCIDR"
- }
- },
 {
 "IpProtocol": "tcp",
 "FromPort": "80",
@@ -338,7 +335,16 @@
 {
 "Ref": "ConfigRulesUser"
 },
+ "export git_repo_url=\"",
+ {
+ "Ref": "GitRepoUrl"
+ },
 "\"\n",
+ "# Install SSM\n",
+ "mkdir -p /tmp/ssm; cd /tmp/;\n",
+ "wget https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_amd64/amazon-ssm-agent.deb\n",
+ "sudo dpkg -i amazon-ssm-agent.deb\n",
+ "sudo start amazon-ssm-agent\n",
 "#!/bin/bash --login\n",
 "set -ex\n",
 "\n",
@@ -425,6 +431,7 @@
 "sed -i.bak \"s#STACK_NAME_TOKEN#${stack_name}#g\" /var/lib/jenkins/config.xml\n",
 "sed -i.bak \"s#REGION_TOKEN#${region}#g\" /var/lib/jenkins/config.xml\n",
 "sed -i.bak \"s#0.0.0.0/0#${world_cidr}#g\" /var/lib/jenkins/config.xml\n",
+ "sed -i.bak \"s#git@github.com:stelligent/aws-devsecops-workshop.git#${git_repo_url}#g\" /var/lib/jenkins/jobs/seed-aws-devsecops-workshop/config.xml\n",
 "\n",
 "# Restart Jenkins\n",
 "service jenkins restart\n",
@@ -467,6 +474,7 @@
 ]
 },
 "Path": "/",
+ "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"],
 "Policies": [
 {
 "PolicyName": "aws-devsecops-jenkins-role",
@@ -477,6 +485,11 @@
 "Action": "cloudformation:*",
 "Resource": "*"
 },
+ {
+ "Effect": "Allow",
+ "Action": "ssm:*",
+ "Resource": "*"
+ },
 {
 "Effect": "Allow",
 "Action": "ec2:*",
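Review bot: The five new SSM-agent lines in the -338 hunk (`# Install SSM` through `sudo start amazon-ssm-agent`) sit above the `set -ex` context line, so if they run in the same script a failed `wget` or `dpkg -i` is silently ignored and provisioning continues without an agent; the `#!/bin/bash --login` line between them looks like a nested-script boundary I cannot resolve from this hunk, so confirm which shell actually executes them. The download fetches `SSMAgent/latest` with no version pin and no integrity check before `dpkg -i` installs it as root, so the build is not reproducible and trusts whatever the bucket serves at launch time; AWS publishes a signature file for the agent package that can be verified before installing. `mkdir -p /tmp/ssm; cd /tmp/;` creates a directory and then changes into `/tmp` instead, so the package lands in the shared `/tmp` rather than the directory just created. Consider moving the block below `set -ex`, pinning a specific agent release, verifying its signature, and changing the second command to `cd /tmp/ssm`.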
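Review bot: The inline statement added in the -477 hunk grants `ssm:*` on `"Resource": "*"`, which is far broader than the agent install it accompanies needs: on the Jenkins instance role it lets any job that runs on Jenkins call `ssm:SendCommand` against every managed instance in the account and read every Parameter Store value, while the agent's own calls are already covered by the `AmazonEC2RoleforSSM` managed policy attached in the -467 hunk. That managed policy is itself generous (AWS now recommends `AmazonSSMManagedInstanceCore` for agent registration), so the inline `ssm:*` statement should be dropped, and if Jenkins jobs genuinely need SSM calls they should be scoped to the specific actions and instance or parameter ARNs they use. If the intent is only to let the agent register, the managed policy alone is sufficient.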
From db9a817fcf21e2ff8f49d2b6c079d75e46ca77c2 Mon Sep 17 00:00:00 2001 From: Kevin Yung Date: Mon, 10 Jul 2017 16:56:49 +1000 Subject: [PATCH 2/2] added git repo as creation parameters --- docs/development.md | 3 ++- provisioning/cloudformation/templates/workshop-jenkins.json | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/development.md b/docs/development.md index 65e4cb6..2c23e7a 100644 --- a/docs/development.md +++ b/docs/development.md @@ -33,7 +33,8 @@ $ rake jenkins:create You can include a parameter to specify your VPN CIDR block for a more secure NACL/Security Group configuration: -Limits inbound/outbound traffic to the VPC, Github and your CIDR block. +Limits inbound/outbound traffic to the VPC, Github and your CIDR block. You can use your own github repo foked from this one. +You can change the source reop from `pipeline/jobs/jobdsl.groovy` file to create new set of rules ```bash $ bundle install $ rake jenkins:create['192.0.0.0/24','git-repo-url'] diff --git a/provisioning/cloudformation/templates/workshop-jenkins.json b/provisioning/cloudformation/templates/workshop-jenkins.json index 12a5d4e..8f3ee1a 100644 --- a/provisioning/cloudformation/templates/workshop-jenkins.json +++ b/provisioning/cloudformation/templates/workshop-jenkins.json @@ -335,6 +335,7 @@ { "Ref": "ConfigRulesUser" }, + "\"\n", "export git_repo_url=\"", { "Ref": "GitRepoUrl"