gsa / jenkins-deploy
deploy Jenkins to AWS with Terraform and Ansible
License: Other
You mentioned Blue Ocean...anything else?
https://github.com/GSA/jenkins-deploy/blob/master/ansible/group_vars/all/defaults.yml
...or at least consider them.
https://www.sans.org/reading-room/whitepapers/bestprac/securing-jenkins-ci-systems-36872
/cc #3
The implementation details here may depend on if/how Docker is used.
Lots here for general reuse, regardless of what's behind the nginx proxy. Credit to @JJediny for inspiring the idea. Existing examples:
This should be relatively easy, as most of the heavy lifting is done by the included roles.
Some commands will need conditionals to check before trying to execute, or ansible gets mad and fails. For instance, trying to add another Docker group will fail when doing an update of the deployment.
There is probably one out there already we can steal. Maybe data.gov?
data.gov (and probably others) need terraform and terragrunt installed on jenkins instance for pipelines.
https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Best+Practices
We likely want to split this up to discrete tasks/issues.
The instance module should support the use of tags.
The include_tasks module is new in ansible v2.4 and not supported in earlier versions.
Started sketching it out here:
https://docs.google.com/drawings/d/1GsDIRJmT7oizqLbQfrsb_yJ-StaxKlkZW4P2B1cvE14/edit
...after some acceptable retention period.
Instance module should support changing public_dns and private_dns from parameters. These should be cleverly stitched together based on input for the hostname and the declared private DNS zone in the variables calling the module.
Likely makes sense to address authorization as a separate issue.
From @maverickquant:
Other General Nginx Security concerns and recommendations:
Disable Unwanted HTTP Methods in Nginx
if ($request_method !~ ^(GET|HEAD|POST)$) {
return 444;
}
Disable weak cipher suites / enable strong TLS ciphers
Set your cipher strength to something secure, yet compatible. Add following under server block in ssl.conf file:
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SH
Not sure if there is a GSA standard for these ciphers. Will confirm and let you know.
Avoid self-signed certs especially in prod.
Remove unnecessary modules in Nginx, if any
Set up log monitoring for Nginx
proxy_ssl_verify on: ensure it is on; verifies the validity of certificates.
Restrict Access by IP from Nginx.
Limit Input Traffic via IPTables.
Disable server_tokens Directive in Nginx. The server_tokens directive tells Nginx to display its current version on error pages.
Crossed off items that I don't believe are applicable.
We likely want to split this up to discrete tasks/issues.
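The Nginx recommendations quoted above, gathered into one server block as an added example (this is not code from the GSA/jenkins-deploy repository). The hostname, certificate paths, upstream address, allowed CIDR ranges and cipher list are assumptions chosen for illustration; the GSA cipher standard the comment mentions is still to be confirmed, and the iptables item is host-level and not expressed in nginx configuration.

```nginx
# Added example, not from GSA/jenkins-deploy: one server block applying the
# Nginx hardening items listed above. Hostname, paths, upstream address and
# CIDR ranges are placeholders; the cipher list is an example AEAD-only set,
# not a GSA standard.

# Hide the nginx version on error pages and in the Server header.
server_tokens off;

upstream jenkins {
    # Assumed: Jenkins listens with TLS on a private address so that
    # proxy_ssl_verify below has a certificate to check.
    server 10.0.1.10:8443;
}

# Plain HTTP only redirects; nothing is served over it.
server {
    listen 80;
    server_name jenkins.example.gov;   # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name jenkins.example.gov;   # placeholder hostname

    # Avoid self-signed certificates: use a CA-issued chain (placeholder paths).
    ssl_certificate     /etc/nginx/tls/jenkins.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/jenkins.key;

    # Strong TLS only: no SSLv3/TLS 1.0/1.1, forward-secret AEAD ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Monitor logs: dedicated files that a log shipper can watch.
    access_log /var/log/nginx/jenkins.access.log;
    error_log  /var/log/nginx/jenkins.error.log warn;

    # Restrict access by IP: only the office/VPN ranges (placeholders) reach the UI.
    allow 10.0.0.0/8;
    allow 192.0.2.0/24;
    deny  all;

    # Disable unwanted HTTP methods. Check which methods Jenkins clients actually
    # send before tightening; 444 closes the connection without a response.
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 444;
    }

    location / {
        proxy_pass https://jenkins;

        # Verify the upstream certificate instead of trusting any endpoint.
        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;  # placeholder
        proxy_ssl_server_name  on;

        # Headers Jenkins needs to build correct URLs behind a reverse proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_read_timeout 90;
    }
}
```

Drop the file into the nginx configuration directory and run `nginx -t` before reloading; the test fails fast if a path or directive is wrong. The `proxy_ssl_*` directives only do anything when the upstream is HTTPS; if Jenkins is reached over plain HTTP on localhost they are inert, which is one reason the thread's "Crossed off items" review matters.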
We are probably going to want to do the bootstrapping of the Job DSL Plugin in this repository, and give an easy way for users to provide their job configuration files on top.