Buildkite Elastic CI Stack for AWS

Buildkite is a platform for running fast, secure, and scalable continuous integration pipelines on your own infrastructure.

The Buildkite Elastic CI Stack for AWS gives you a private, autoscalingBuildkite Agent cluster. Use it to parallelizelarge test suites across thousands of nodes, run tests and deployments for Linux or Windowsbased services and apps, or run AWS ops tasks.

Getting started

See the Elastic CI Stack for AWS tutorial for a step-by-step guide, the Elastic CI Stack for AWS documentation, or the full list of recommended resources for detailed information.

Or jump straight in:

The current release is . See Releases for older releases.

Although the stack creates its own VPC by default, we highly recommend following best practice by setting up a separate development AWS account and using role switching and consolidated billing — see the Delegate Access Across AWS Accounts tutorial for more information.

If you want to use the AWS CLI, download config.json.example, rename it to config.json, and then run the below command:

aws cloudformation create-stack \
  --output text \
  --stack-name buildkite \
  --template-url "https://s3.amazonaws.com/buildkite-aws-stack/latest/aws-stack.yml" \
  --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
  --parameters "$(cat config.json)"

Supported Features

Most features are supported across both Linux and Windows. See below for detailsof per-operating system support:

Security

This repository hasn't been reviewed by security researchers so exercise caution and careful thought with what credentials you make available to your builds.

Anyone with commit access to your codebase (including third-party pull-requests if you've enabled them in Buildkite) will have access to your secrets bucket files.

Also keep in mind the EC2 HTTP metadata server is available from within builds, which means builds act with the same IAM permissions as the instance.

Limiting CloudFormation Permissions

By default, CloudFormation will operate using the permissions granted to theidentity of the credentials used to initiate a stack deployment or update.

If you want to explicitly specify which actions CloudFormation can perform onyour behalf, you can either create your stack using credentials for an IAMidentity with limited permissions, or provide an AWS CloudFormation service role.

��‍�� templates/service-role.yml template contains anexperimental service role and set of IAM Policies that list the IAMActions necessary to create, update, and delete a CloudFormation Stack createdwith the Buildkite Elastic CI Stack template. The role created by this templateis currently being tested, but it has not been tested enough to be depended on.There are likely to be missing permissions for some stack parameterpermutations.

aws cloudformation deploy --template-file templates/service-role.yml --stack-name buildkite-elastic-ci-stack-service-role --region us-east-1 --capabilities CAPABILITY_IAM

Development

To get started with customizing your own stack, or contributing fixes and features:

# Checkout all submodules
git submodule update --init --recursive

# Build all AMIs and render a cloud formation template - this requires AWS credentials (in the ENV)
# to build an AMI with packer
make build

# To create a new stack on AWS using the local template
make create-stack

# You can use any of the AWS* environment variables that the aws-cli supports
AWS_PROFILE="some-profile" make create-stack

# You can also use aws-vault or similar
aws-vault exec some-profile -- make create-stack

If you need to build your own AMI (because you've changed something in thepacker directory), run packer with AWS credentials in your shell environment:

make packer

This will boot and image three AWS EC2 instances in your account’s us-east-1default VPC:

• Linux (64-bit x86)
• Linux (64-bit Arm)
• Windows (64-bit x86)

Support Policy

We provide support for security and bug fixes on the current major release only.

If there are any changes in the master branch since the last tagged release, weaim to publish a new tagged release of this template at the end of each month.

AWS Regions

We support all AWS Regions, except China and US GovCloud.

We aim to support new regions within one month of general availability.

Operating Systems

We build and deploy the following AMIs to all our supported regions:

• Amazon Linux 2 (64-bit x86)
• Amazon Linux 2 (64-bit Arm)
• Windows Server 2019 (64-bit x86)

Buildkite Agent

The Elastic CI Stack template published from the master branchtracks the latest Buildkite Agent release.

You may wish to preview any updates to your stack from this templateusing a CloudFormation Stack Change Setto decide whether to apply it.

Recommended reading

To gain a better understanding of how Elastic CI Stack works and how to use it most effectively and securely, see the following resources:

• Elastic CI Stack for AWS overview
• Elastic CI Stack for AWS tutorial
• Running Buildkite Agent on AWS
• Template parameters for Elastic CI Stack for AWS
• Using AWS Secrets Manager
• VPC Design
• CloudFormation Service Role

Questions and support

Feel free to drop an email to support@buildkite.com with questions. It helps us if you can provide the following details:

# List your stack parameters
aws cloudformation describe-stacks --stack-name MY_STACK_NAME \
  --query 'Stacks[].Parameters[].[ParameterKey,ParameterValue]' --output table

Provide us with logs from CloudWatch Logs:

/buildkite/elastic-stack/{instance-id}
/buildkite/systemd/{instance-id}

You can also drop by #aws-stack and #aws channels in Buildkite Community Slack and ask your question!

Licence

See Licence.md (MIT)