This is a sample Bamboo CI/CD pipeline to run the Checkov IaC code security analysis tool on terraform config.
- A Linux server (4GB RAM recommended) with java>=11, maven and docker installed, with appropriate environment setup (e.g., JAVA_HOME environment variable, adding maven to the system PATH, etc.). You can also refer to this for system requirements.
- An account on Docker Hub to push the docker image to.
- Java>=11 and maven installed on your local machine(s) from where you will create Bamboo plans.
- Install Bamboo on the server to `/opt/atlassian-bamboo-<version>`.
- Set up a systemd service using the example service config file given in `scripts/bamboo.service` in this repo. Make the necessary changes in the `.service` file.
- Before starting the service, run a postgres database instance using docker (feel free to change the username and password, but don't change the database name):

```bash
mkdir db-data
docker container run -d --net host --name bamboo-postgres -v ./db-data:/var/lib/postgresql/data -e POSTGRES_USER=bamboo-admin -e POSTGRES_PASSWORD=bamboo -e POSTGRES_DB=bamboo postgres:latest
```
- To be able to access the Bamboo server from the internet, you need to run it on the public IP or hostname of your server instead of the default `localhost`. Make sure you have appropriate networking rules set up to allow inbound TCP traffic on port 8085, and on port 54663 (for remote agents). Then go to `/opt/atlassian-bamboo-<version>/conf` and open the file `server.xml`. Find the block `<Engine name="Catalina" defaultHost="localhost">` and replace all instances of "localhost" with either `0.0.0.0`, your public IP, or your hostname.
- Enable and start the bamboo service.
- Visit `http://<server_ip_or_hostname>:8085` in your browser and follow the on-screen instructions to complete the initial setup of Bamboo. It will also prompt you for a license, so if you haven't already, get a license by logging into your Atlassian account.
- Once the setup is done, you can proceed further to the agent installation part.
Elastic Bamboo instances are automatically created AWS EC2 instances which are managed directly by Bamboo. When you create a new elastic instance in Bamboo, it automatically runs a Bamboo Agent on the EC2 instance. To get started:
- Open the configuration page in the Bamboo web UI.
- In the Elastic Bamboo section in the left navigation bar, go to `Configuration` and enable EC2. This will ask for your AWS credentials, like access keys, so keep them handy.
- Once configured, you can go to the `Instances` menu in the left navigation bar and start a new instance, or multiple instances (by specifying the number of instances; this can lead to high AWS and Bamboo costs, so use wisely). Once the instance(s) are spun up, Bamboo will wait for the agents to start on them. Once the agents are running and the status says `Idle`, they are ready for use.
Note: The elastic instances are ephemeral, and are automatically deleted if not in use. If you see that the plan is not running, you should check whether there is an instance online with an agent running on it.
We can also download the remote agent program manually, install it on a VM, and have it connect to and be managed by our main Bamboo server. To get started:
- Make sure the VM has at least 4GB RAM and java>=11, maven, git and docker installed, with appropriate environment setup (e.g., JAVA_HOME environment variable, adding maven to the system PATH, etc.).
- On your Bamboo server, go to `<server_url>/admin/agent/addRemoteAgent.action` and download the `.jar` file for the remote agent onto your agent VM.
- Then run the following command (replace `<server_url>` with the URL of your Bamboo server and `<version>` with your Bamboo version):

```bash
java -jar atlassian-bamboo-agent-installer-<version>.jar <server_url>/agentServer/
```

- To run the above as a background process:

```bash
nohup java -jar atlassian-bamboo-agent-installer-<version>.jar <server_url>/agentServer/ &
```

- Authenticate the agent when prompted.
- Wait for the setup to complete. The agent will be up and running and ready to use.
- Repeat the above steps for all the agents that you need.
Local agents are the ones that run on the same machine as the Bamboo server, and are managed by the server itself. No additional installation is required. Just go to the agents page, click on `Add local agent` on the top-right corner, give it a name and optionally a description, and the agent is good to go.
- Clone this repo to your local machine.
- The `bamboo-specs` directory contains the java code for the Bamboo plan. `cd` into this directory and run the following:

```bash
cp .env.example .env
touch .credentials
```

- In the `.credentials` file, declare two variables, `username` and `password`, with their values set to the username and password configured while setting up Bamboo, respectively. For example:

```
username=bamboo
password=bamboo
```

- In the `.env` file, set the appropriate values of the variables.
- This repo was created with Bamboo version 9.4.2, which is also pinned in the `pom.xml` file present in the `bamboo-specs` directory. If you installed a different version of Bamboo, then you need to make the appropriate changes on line 9 of `pom.xml`, in the `bamboo-specs-parent` artifactId section.
- Now run the following command to create the plan in Bamboo from this spec:

```bash
mvn -Ppublish-specs
```

- If the above step is successful, you should now have a working plan in Bamboo, ready to use.
- To run the plan, first make sure you have an agent up and running. Then run the plan manually by opening it in the Bamboo web UI and clicking the "Run plan" button on the top-right corner of the page. The logs are streamed to the UI every 10 seconds.
- Wait for the plan to complete. The plan will fail if checkov reports any failed cases in the given terraform config. If no security issues are found, then the plan will report a successful execution.
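For reference, this is what a minimal Bamboo Specs plan for the steps above looks like: a checkout task followed by a script task that runs Checkov on the checked-out Terraform config, so that a non-zero Checkov exit code fails the job and therefore the plan. It is an added illustration, not the spec code shipped in this repo's `bamboo-specs` directory; the project/plan keys, the linked repository name `terraform-config`, the pinned Checkov image tag and the server URL are placeholders you must replace, and it assumes the agent has docker installed as required above.

```java
import com.atlassian.bamboo.specs.api.BambooSpec;
import com.atlassian.bamboo.specs.api.builders.BambooKey;
import com.atlassian.bamboo.specs.api.builders.plan.Job;
import com.atlassian.bamboo.specs.api.builders.plan.Plan;
import com.atlassian.bamboo.specs.api.builders.plan.Stage;
import com.atlassian.bamboo.specs.api.builders.project.Project;
import com.atlassian.bamboo.specs.builders.task.CheckoutItem;
import com.atlassian.bamboo.specs.builders.task.ScriptTask;
import com.atlassian.bamboo.specs.builders.task.VcsCheckoutTask;
import com.atlassian.bamboo.specs.util.BambooServer;

@BambooSpec
public class CheckovPlanSpec {

    // Placeholder keys and names; adjust to your own Bamboo project and plan.
    static final String PROJECT_KEY = "IAC";
    static final String PLAN_KEY = "CHKV";
    static final String LINKED_REPO = "terraform-config";       // linked repository name in Bamboo
    static final String CHECKOV_IMAGE = "bridgecrew/checkov:<pinned-version>"; // pin a tag, not latest

    public Plan plan() {
        return new Plan(
                new Project().key(new BambooKey(PROJECT_KEY)).name("IaC Security"),
                "Checkov Terraform scan", new BambooKey(PLAN_KEY))
            .description("Runs Checkov against the Terraform config in the linked repository")
            .linkedRepositories(LINKED_REPO)
            .stages(new Stage("Scan").jobs(
                new Job("Checkov", new BambooKey("JOB1")).tasks(
                    new VcsCheckoutTask()
                        .description("Checkout Terraform config")
                        .checkoutItems(new CheckoutItem().defaultRepository()),
                    new ScriptTask()
                        .description("Run Checkov")
                        .interpreterBinSh()
                        // Checkov exits non-zero when any check fails; with set -e the
                        // script, the job and the plan fail, as described above.
                        .inlineBody(String.join("\n",
                            "set -eu",
                            "docker run --rm -v \"$PWD:/tf:ro\" " + CHECKOV_IMAGE
                                + " -d /tf --framework terraform --compact")))));
    }

    // Publishes the plan using the username/password from the .credentials file
    // in the working directory, which is what `mvn -Ppublish-specs` relies on.
    public static void main(String[] args) {
        BambooServer server = new BambooServer("http://<server_ip_or_hostname>:8085");
        server.publish(new CheckovPlanSpec().plan());
    }
}
```

Mounting the workspace read-only (`:ro`) keeps the scanner from modifying the checked-out config, and pinning the image tag keeps the scan reproducible between runs.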
- To run the plan after a `github push` event, add the following webhook to your github repo:

```
<BAMBOO_URL>/rest/triggers/latest/remote/changeDetection?planKey=<PLAN-KEY>
```

- Set the content-type as `application/json`.
- In your Bamboo server, go to `Security Settings` and enable the `Allow anonymous users to trigger remote repository change detection and Bamboo Specs detection` option to allow triggering the build from webhooks.
- On the top-most navigation bar, go to the `Specs` dropdown and click on the `Set up Specs repository` option.
- In project type, select `Build project`, and select your project from the dropdown.
- Link your repository in repository host, by providing your GitHub username and personal access token.
- Now your webhook is ready to trigger builds from `github push` events.