This repository hosts the infrastructure-as-code definition for all the Amazon Web Services (AWS)-hosted resources for the Jenkins Infrastructure Project.
-
An AWS account with the ability to assume the role
infra-adminon the AWS account used for the Jenkins infrastructure -
The requirements (of the shared tools) listed at shared-tools/terraform#requirements
-
The Terraform S3 Backend Configuration on a local file named
backend-config:-
The content can be retrieved from the outputs of the (private) repository terraform-states
-
This file (
backend-config) is git-ignored
-
-
The git command line to allow cloning the repository and its submodule shared-tools
-
This repository has submodules. Once you cloned the repository, execute the following command to obtain the shared tools:
-
git submodule update --init --recursive|
Important
|
Don’t blindly execute the terraform code located in this repository on your own account as it may lead your account bill to significantly increase. |
Once you’ve fulfilled the Requirements, you may execute any command from https://github.com/jenkins-infra/shared-tools/blob/main/terraform/README.adoc#available-commands by adding the correct flag --directory pointing to .shared-tools/terraform/:
make --directory=.shared-tools/terraform help
make --directory=.shared-tools/terraform lint
# ...A usual change to this repository looks like the following:
-
Fork the repository and clone it locally
-
Follow the Requirements steps to obtain the shared tools
-
Start by running a full
make --directory=.shared-tools/terraform validatecommand to ensure that you work on a sane base (should generate a report TXT file with no changes to be applied) -
Edit the Terraform project files
-
Run the command
make --directory=.shared-tools/terraform validateagain to ensure that your changes are OK -
Commit, push and open a pull request to let the Jenkins pipeline run the test + plan (as per https://github.com/jenkins-infra/shared-tools/blob/main/terraform/README.adoc#jenkins-pipeline)
Sometimes, the CI users are missing an authorization on a resource. You would see a message like the following:
Error: error updating tags for IAM Policy (arn:aws:iam::XXXXXXXXXXX:policy/jenkins-YYYYYYYYYY): error tagging resource (arn:aws:iam::XXXXXXXXXXX:policy/jenkins-YYYYYYYYYY): AccessDenied: User: arn:aws:iam::ZZZZZZZZZZZZZ:user/production-terraform is not authorized to perform: XXXX:Yyyyyyy on resource: policy arn:aws:iam::XXXXXXXXXXX:policy/jenkins-YYYYYYYYYY
status code: 403, request id: <redacted>To solve this issues, you have to update the IAM policies for the technical user, found in the (private) repository terraform-states.