Deploy Jenkins Instance

.eslintrc.js

@@ -20,6 +20,7 @@ module.exports = {
   ],
   rules: {
     hasTrailingComma: 'off',
+    indent: ['error', 2],
     'import/extensions': 'off',
     'import/no-unresolved': 'off',
     'import/no-extraneous-dependencies': 'off',

README.md

@@ -1,6 +1,12 @@
 <img src="https://opensearch.org/assets/brand/SVG/Logo/opensearch_logo_default.svg" height="64px"/>
 
 - [OpenSearch Continous Integration](#opensearch-continous-integration)
+- [Getting Started](#getting-started)
+- [Deployment](#deployment)
+  - [Troubleshooting](#troubleshooting)
+    - [Main Node](#main-node)
+  - [Useful commands](#useful-commands)
+  - [Architecture Overview](#architecture-overview)
 - [Contributing](#contributing)
 - [Getting Help](#getting-help)
 - [Code of Conduct](#code-of-conduct)
@@ -17,7 +23,24 @@ OpenSearch Continous Integration is an open source CI system for OpenSearch and
 - Requires [NPM](https://docs.npmjs.com/cli/v7/configuring-npm/install) to be installed
 - Install project dependencies using `npm install` from this project directory
 - Configure [aws credentials](https://docs.aws.amazon.com/cdk/latest/guide/getting_started.html#getting_started_prerequisites)
-- Deploy with `npm run cdk deploy`
+- Deploy stacks with `npm run cdk deploy`
+
+## Deployment
+1. Setup your local machine to credentials to deploy to the AWS Account
+2. Deploy the ci config stack, `npm run cdk deploy CI-Config-Dev`, takes ~1 minute to deploy
+3. [Optional] Configure the elements of the config stack for SSL configuration
+4. Deploy the ci stack, without ssl, `npm run cdk deploy CI-Dev -- --parameters useSsl=false`, takes ~10 minutes to deploy
+5. Log onto the AWS Console of the account, navigate to [cloud watch](https://console.aws.amazon.com/cloudwatch/home), open log groups, looking for `JenkinsMainNode/var/log/jenkins/jenkins.log`
+6. Search the logs for `Jenkins initial setup is required. An admin user has been created and a password generated.` After that entry the password for the jenkins instance will be in the cloudwatch logs.
+7. Go to the `CI-Dev.JenkinsExternalLoadBalancerDns` url returned by CDK output to access the jenkins host.
+
+### Troubleshooting
+#### Main Node
+Useful links
+- Log are found in [Cloud Watch Logs](https://console.aws.amazon.com/cloudwatch/home)
+- Need to access the host, ssh via Session Manager in [EC2 Console](https://console.aws.amazon.com/ec2/v2/home)
+- Instance instance isn't coming up, get the system log in [EC2 Console](https://console.aws.amazon.com/ec2/v2/home)
+
 
 ### Useful commands
 

bin/ci-stack.ts

@@ -1,5 +1,3 @@
-#!/usr/bin/env node
-
 /**
  * SPDX-License-Identifier: Apache-2.0
  *
@@ -11,6 +9,10 @@
 import 'source-map-support/register';
 import * as cdk from '@aws-cdk/core';
 import { CIStack } from '../lib/ci-stack';
+import { CIConfigStack } from '../lib/ci-config-stack';
 
 const app = new cdk.App();
+
+new CIConfigStack(app, 'CI-Config-Dev', {});
+
 new CIStack(app, 'CI-Dev', { });

lib/ci-config-stack.ts

@@ -0,0 +1,52 @@
+/**
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+import {
+  CfnOutput, Construct, Stack, StackProps,
+} from '@aws-cdk/core';
+
+import { Secret } from '@aws-cdk/aws-secretsmanager';
+
+export class CIConfigStack extends Stack {
+    static readonly CERTIFICATE_ARN_SECRET_EXPORT_VALUE: string = 'certificateArnSecret';
+
+    static readonly CERTIFICATE_CONTENTS_SECRET_EXPORT_VALUE: string = 'certContentsSecret';
+
+    static readonly PRIVATE_KEY_SECRET_EXPORT_VALUE: string = 'privateKeySecret';
+
+    static readonly REDIRECT_URL_SECRET_EXPORT_VALUE: string = 'redirectUrlSecret';
+
+    constructor(scope: Construct, id: string, props?: StackProps) {
+      super(scope, id, props);
+
+      const arnSecret = new Secret(this, 'certificateArn', {});
+      const certContentsSecret = new Secret(this, 'certContents', {});
+      const privateKeySecret = new Secret(this, 'privateKey', {});
+      const redirectUrlSecret = new Secret(this, 'redirectUrl', {});
+
+      new CfnOutput(this, 'certificateArnSecret', {
+        value: arnSecret.secretArn,
+        exportName: CIConfigStack.CERTIFICATE_ARN_SECRET_EXPORT_VALUE,
+      });
+
+      new CfnOutput(this, 'certContentsSecret', {
+        value: certContentsSecret.secretArn,
+        exportName: CIConfigStack.CERTIFICATE_CONTENTS_SECRET_EXPORT_VALUE,
+      });
+
+      new CfnOutput(this, 'privateKeySecret', {
+        value: privateKeySecret.secretArn,
+        exportName: CIConfigStack.PRIVATE_KEY_SECRET_EXPORT_VALUE,
+      });
+
+      new CfnOutput(this, 'redirectUrlSecret', {
+        value: redirectUrlSecret.secretArn,
+        exportName: CIConfigStack.REDIRECT_URL_SECRET_EXPORT_VALUE,
+      });
+    }
+}

lib/ci-stack.ts

@@ -6,21 +6,58 @@
  * compatible open source license.
  */
 
-import { Construct, Stack, StackProps } from '@aws-cdk/core';
+import { Vpc } from '@aws-cdk/aws-ec2';
+import { Secret } from '@aws-cdk/aws-secretsmanager';
+import {
+  CfnParameter,
+  Construct, Fn, Stack, StackProps,
+} from '@aws-cdk/core';
+import { ListenerCertificate } from '@aws-cdk/aws-elasticloadbalancingv2';
+import { CIConfigStack } from './ci-config-stack';
+import { JenkinsMainNode } from './compute/jenkins-main-node';
+import { JenkinsMonitoring } from './monitoring/ci-alarms';
+import { JenkinsExternalLoadBalancer } from './network/ci-external-load-balancer';
+import { JenkinsSecurityGroups } from './security/ci-security-groups';
 
 export class CIStack extends Stack {
   // eslint-disable-next-line no-useless-constructor
   constructor(scope: Construct, id: string, props?: StackProps) {
     super(scope, id, props);
 
-    // Network / VPC
+    const vpc = new Vpc(this, 'JenkinsVPC');
 
-    // Security Groups
+    const useSslParameter = new CfnParameter(this, 'useSsl', {
+      description: 'If the jenkins instance should be access via SSL',
+      allowedValues: ['true', 'false'],
+    });
+    const useSsl = useSslParameter.valueAsString === 'true';
 
-    // Compute
+    const securityGroups = new JenkinsSecurityGroups(this, vpc, useSsl);
 
-    // Load Balancers
+    const importedContentsSecretBucketValue = Fn.importValue(`${CIConfigStack.CERTIFICATE_CONTENTS_SECRET_EXPORT_VALUE}`);
+    const importedCertSecretBucketValue = Fn.importValue(`${CIConfigStack.PRIVATE_KEY_SECRET_EXPORT_VALUE}`);
+    const importedArnSecretBucketValue = Fn.importValue(`${CIConfigStack.CERTIFICATE_ARN_SECRET_EXPORT_VALUE}`);
+    const importedRedirectUrlSecretBucketValue = Fn.importValue(`${CIConfigStack.REDIRECT_URL_SECRET_EXPORT_VALUE}`);
+    const certificateArn = Secret.fromSecretCompleteArn(this, 'certificateArn', importedArnSecretBucketValue.toString());
+    const listenerCertificate = ListenerCertificate.fromArn(certificateArn.secretValue.toString());
 
-    // Monitoring
+    const mainJenkinsNode = new JenkinsMainNode(this, {
+      vpc,
+      sg: securityGroups.mainNodeSG,
+      sslCertContentsArn: importedContentsSecretBucketValue.toString(),
+      sslCertPrivateKeyContentsArn: importedCertSecretBucketValue.toString(),
+      redirectUrlArn: importedRedirectUrlSecretBucketValue.toString(),
+      useSsl,
+    });
+
+    const externalLoadBalancer = new JenkinsExternalLoadBalancer(this, {
+      vpc,
+      sg: securityGroups.externalAccessSG,
+      targetInstance: mainJenkinsNode.ec2Instance,
+      listenerCertificate,
+      useSsl,
+    });
+
+    const monitoring = new JenkinsMonitoring(this, externalLoadBalancer, mainJenkinsNode);
   }
 }