Add environment variables using configuration as code

README.md

@@ -9,6 +9,7 @@
     - [SSL Configuration](#ssl-configuration)
     - [Setup OpenId Connect (OIDC) via Federate](#setup-openid-connect-oidc-via-federate)
     - [Data Retention](#data-retention)
+    - [Add environment variable](#add-environment-variables)
     - [Assume role](#cross-account-assume-role)
   - [Troubleshooting](#troubleshooting)
     - [Main Node](#main-node)
@@ -114,7 +115,17 @@ Change in any EC2 config (specially init config) leads to replacement of EC2. Th
 See inital [jenkins.yaml](./resources/baseJenkins.yaml)
 If you want to retain all the jobs and its build history, 
 1. Update the `dataRetention` property in `ciSettings` to true (defaults to false) see [CIStackProps](./lib/ci-stack.ts) for details.
-This will create an EFS (Elastic File System) and mount it on `/var/lib/jenkins/jobs` which will retain all jobs and its build history.
+This will create an EFS (Elastic File System) and mount it on `/var/lib/jenkins` which will retain all jobs and its build history.
+
+#### Add environment variables
+Users can add global level environment variables using configuration as code as follows:
+
+Update the `envVarsFilePath` property in `ciSettings` to the file path containing all environment variables in the form of key:value pair. See [CIStackProps](./lib/ci-stack.ts) for details.
+
+Example: See [env.txt](./test/data/env.txt)
+```
+envVarsFilePath = 'test/data/env.txt'
+```
 
 #### Assume role
 The Created jenkins agent role can assume cross account role by passing `agentAssumeRole` parameter

bin/ci-stack.ts

@@ -6,7 +6,7 @@
  * compatible open source license.
  */
 
-import { App, RemovalPolicy } from '@aws-cdk/core';
+import { App } from '@aws-cdk/core';
 import { CIStack } from '../lib/ci-stack';
 import { CIConfigStack } from '../lib/ci-config-stack';
 

lib/ci-stack.ts

@@ -9,10 +9,9 @@
 import { FlowLogDestination, FlowLogTrafficType, Vpc } from '@aws-cdk/aws-ec2';
 import { Secret } from '@aws-cdk/aws-secretsmanager';
 import {
-  CfnParameter, Construct, Fn, RemovalPolicy, Stack, StackProps,
+  CfnParameter, Construct, Fn, Stack, StackProps,
 } from '@aws-cdk/core';
 import { ListenerCertificate } from '@aws-cdk/aws-elasticloadbalancingv2';
-import { FileSystem } from '@aws-cdk/aws-efs';
 import { CIConfigStack } from './ci-config-stack';
 import { JenkinsMainNode } from './compute/jenkins-main-node';
 import { JenkinsMonitoring } from './monitoring/ci-alarms';
@@ -38,6 +37,8 @@ export interface CIStackProps extends StackProps {
   readonly dataRetention?: boolean;
   /** Policy for agent node role to assume a cross-account role */
   readonly agentAssumeRole?: string;
+  /** File path containing global environment variables to be added to jenkins enviornment */
+  readonly envVarsFilePath?: string;
 }
 
 export class CIStack extends Stack {
@@ -103,6 +104,7 @@ export class CIStack extends Stack {
       sg: securityGroups.mainNodeSG,
       efsSG: securityGroups.efsSG,
       dataRetention: props.dataRetention ?? false,
+      envVarsFilePath: props.envVarsFilePath ?? '',
       sslCertContentsArn: importedContentsSecretBucketValue.toString(),
       sslCertChainArn: importedContentsChainBucketValue.toString(),
       sslCertPrivateKeyContentsArn: importedCertSecretBucketValue.toString(),

lib/compute/env-config.ts

@@ -0,0 +1,42 @@
+import { readFileSync } from 'fs';
+
+/**
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+export class Env {
+  public readonly key: string
+
+  public readonly value: string
+
+  constructor(key : string, value: string) {
+    this.key = key;
+    this.value = value;
+  }
+}
+
+export class EnvConfig {
+  public static addEnvConfigToJenkinsYaml(yamlObject: any, envVarsFilePath: string): any {
+    const jenkinsYaml: any = yamlObject;
+    const envArray: Env[] = [];
+    const envFile: string = readFileSync(envVarsFilePath, 'utf-8');
+    const c = envFile.split('\n');
+    c.forEach((item) => {
+      const e = item.split(':');
+      envArray.push(new Env(e[0], e[1]));
+    });
+
+    const newEnvVars: Env[] = envArray;
+
+    const envConfig: { [x: string]: any; } = {
+      envVars: {
+        env: newEnvVars,
+      },
+    };
+    jenkinsYaml.jenkins.globalNodeProperties = [envConfig];
+    return jenkinsYaml;
+  }
+}

lib/compute/jenkins-main-node.ts

@@ -35,6 +35,7 @@ import { FileSystem, PerformanceMode, ThroughputMode } from '@aws-cdk/aws-efs';
 import { OidcConfig } from './oidc-config';
 import { AgentNodeConfig, AgentNodeNetworkProps, AgentNodeProps } from './agent-node-config';
 import { CloudwatchAgent } from '../constructs/cloudwatch-agent';
+import { EnvConfig } from './env-config';
 
 interface HttpConfigProps {
   readonly redirectUrlArn: string;
@@ -58,6 +59,7 @@ interface DataRetentionProps {
 export interface JenkinsMainNodeProps extends HttpConfigProps, OidcFederateProps, AgentNodeNetworkProps, DataRetentionProps{
   readonly vpc: Vpc;
   readonly sg: SecurityGroup;
+  readonly envVarsFilePath: string;
   readonly failOnCloudInitError?: boolean;
 }
 
@@ -105,7 +107,7 @@ export class JenkinsMainNode {
     };
 
     const agentNodeConfig = new AgentNodeConfig(stack, assumeRole);
-    const jenkinsyaml = JenkinsMainNode.addConfigtoJenkinsYaml(stack, props, agentNodeConfig, props, agentNode);
+    const jenkinsyaml = JenkinsMainNode.addConfigtoJenkinsYaml(props, props, agentNodeConfig, props, agentNode);
     if (props.dataRetention) {
       const efs = new FileSystem(stack, 'EFSfilesystem', {
         vpc: props.vpc,
@@ -393,13 +395,18 @@ export class JenkinsMainNode {
     ];
   }
 
-  public static addConfigtoJenkinsYaml(stack: Stack, oidcProps: OidcFederateProps, agentNodeObject: AgentNodeConfig,
+  public static addConfigtoJenkinsYaml(jenkinsMainNodeProps:JenkinsMainNodeProps, oidcProps: OidcFederateProps, agentNodeObject: AgentNodeConfig,
     props: AgentNodeNetworkProps, agentNode: AgentNodeProps[]): string {
     let updatedConfig = agentNodeObject.addAgentConfigToJenkinsYaml(agentNode, props);
+
     if (oidcProps.runWithOidc) {
       updatedConfig = OidcConfig.addOidcConfigToJenkinsYaml(updatedConfig, oidcProps.adminUsers);
     }
+    if (jenkinsMainNodeProps.envVarsFilePath !== '' && jenkinsMainNodeProps.envVarsFilePath != null) {
+      updatedConfig = EnvConfig.addEnvConfigToJenkinsYaml(updatedConfig, jenkinsMainNodeProps.envVarsFilePath);
+    }
     const newConfig = dump(updatedConfig);
+
     writeFileSync(JenkinsMainNode.NEW_JENKINS_YAML_PATH, newConfig, 'utf-8');
     return JenkinsMainNode.NEW_JENKINS_YAML_PATH;
   }

lib/compute/oidc-config.ts

@@ -7,7 +7,7 @@
  */
 
 export class OidcConfig {
-    public static readonly adminRolePermissions: string[] = [
+    private static readonly adminRolePermissions: string[] = [
       'Overall/Administer',
       'Overall/Read',
       'Job/Move',
@@ -47,7 +47,7 @@ export class OidcConfig {
       'SCM/Tag',
     ];
 
-    public static readonly readOnlyRolePermissions: string[] = [
+    private static readonly readOnlyRolePermissions: string[] = [
       'Overall/Read',
       'Job/Read',
     ];