A Terraform module for deploying Concourse CI.
- Use Packer to create an AMI with Concourse (and related tooling) installed:

  ```bash
  # From the project root, using task:
  task ami
  ```
- Generate key pairs for Concourse:

  ```bash
  # Create folder
  mkdir -p keys
  ssh-keygen -t rsa -f ./keys/tsa_host_key -N ''
  ssh-keygen -t rsa -f ./keys/worker_key -N ''
  ssh-keygen -t rsa -f ./keys/session_signing_key -N ''
  # Authorized workers
  cp ./keys/worker_key.pub ./keys/authorized_worker_keys
  ```
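- Route53 hosted zone, domain and ACM certificate.
- GitHub OAuth application, with an encrypted password:

  ```bash
  # Note: AWS CLI v2 reads --plaintext as base64 by default;
  # base64-encode the secret first or pass it with fileb://.
  aws kms encrypt \
    --key-id <aws-kms-key-id> \
    --plaintext <github-client-secret> \
    --output text \
    --query CiphertextBlob \
    --profile default
  ```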
Or you can add it to SSM Parameter store/Secrets Manager and aws-env will populate the environment at runtime:

```hcl
module "concourse_atc" {
  # ... other configuration
  github_client_id     = "sm:///concourse-deployment/github-oauth-client-id"
  github_client_secret = "sm:///concourse-deployment/github-oauth-client-secret"
}
```

By default the ATC will have permissions to read secrets from `/concourse-deployment/*` in Secrets Manager (in addition to `/concourse/*` for the secrets backend).
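
A pre-deploy check for the paragraph above, added here as an example and not part of this module or of aws-env: it flags `sm://` references whose secret name falls outside the two paths the ATC can read by default. It assumes that everything after `sm://` is the Secrets Manager name; the function names and the sample values are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Paths the README says the ATC can read by default in Secrets Manager.
DEFAULT_READABLE = ("/concourse-deployment/*", "/concourse/*")
SM_SCHEME = "sm://"  # reference prefix as used in the module block above


def secret_name(value):
    """Return the Secrets Manager name for an sm:// reference, else None.

    Assumption: everything after "sm://" is the secret name, so
    "sm:///concourse-deployment/x" names "/concourse-deployment/x".
    """
    if not value.startswith(SM_SCHEME):
        return None
    return value[len(SM_SCHEME):]


def check_references(variables, readable=DEFAULT_READABLE):
    """Classify each variable as 'ok', 'unreadable' or 'inline'."""
    report = {}
    for key, value in variables.items():
        name = secret_name(value)
        if name is None:
            report[key] = "inline"      # not a reference: literal or KMS ciphertext
        elif any(fnmatchcase(name, pattern) for pattern in readable):
            report[key] = "ok"          # covered by the default read permission
        else:
            report[key] = "unreadable"  # ATC would need extra IAM permissions
    return report


# Constructed sample input: two values from the README, three edge cases.
SAMPLE = {
    "github_client_id": "sm:///concourse-deployment/github-oauth-client-id",
    "github_client_secret": "sm:///concourse-deployment/github-oauth-client-secret",
    "misplaced": "sm:///ci/github-oauth-client-secret",
    "no_leading_slash": "sm://concourse-deployment/github-oauth-client-secret",
    "kms_ciphertext": "constructed-ciphertext-placeholder",
}

if __name__ == "__main__":
    for key, status in check_references(SAMPLE).items():
        print(f"{status:<10} {key} = {SAMPLE[key]}")
```

A reference reported as `unreadable` means the secret sits outside the default paths, so either move it under `/concourse-deployment/` or grant the ATC role read access to that name.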
See example. If you want to learn more about how to use Concourse, check out the official documentation.
- concourse-images: A collection of docker images for use in Concourse tasks.
- concourse-tasks: A very small collection of Concourse tasks :)
- concourse-sts-lambda: Lambda for managing temporary AWS credentials stored in Secrets Manager.
- concourse-github-lambda: Lambda for managing GitHub deploy keys.