ciinabox_version: 0.1
#ciinabox ECS cluster name
cluster_name: ciinabox
#you may want a different ciinabox-stack name, e.g if you have 2 ciinaboxes
stack_name: ciinabox
#log level - change to :debug to see the AWS commands being executed
log_level: ':info'
#change this to your own timezone
timezone: GMT
#change for internal ELBs
internal_elb: false
#add if you want ecs root volume != 8GB - must be > 8
#ecs_root_volume_size: 30
#add if you want ecs docker volume != 22GB - must be > 22
#ecs_docker_volume_size: 100
#use this to change volume snapshot for running ciinabox
#ecs_data_volume_name: "ECSDataVolume2s"
#set the snapshot to restore from
#ecs_data_volume_snapshot: snap-49e2b3b5
#set the size of the ecs data volume -- NOTE: would take a new volume - i.e. change volume name
#ecs_data_volume_size: 250
#optional ciinabox name if you need more than one or you want a different name
#stack_name: ciinabox-tools
#for internal elb for jenkins
#internal_elb: false
#icinga2_image: AWS_ACCOUNT_ID.dkr.ecr.AWS_REGION/base2/icinga2:VERSION_TAG
#AWS Availability Zones Idenifers
availability_zones:
- 'A'
- 'B'
azId:
A: 0
B: 1
C: 2
D: 3
E: 4
#Subnet offsets 10.150.x.0/26
vpc:
SubnetOctetA: "0"
SubnetOctetB: "1"
ecs:
SubnetOctetA: "2"
SubnetOctetB: "3"
lambdaSubnets:
SubnetOctetA: "4"
SubnetOctetB: "5"
#ciinabox environment config
Mappings:
EnvironmentType:
ciinabox:
KeyName: ciinabox
NetworkPrefix: 10
StackOctet: 150
StackMask: 16
SubnetMask: 26
NatInstanceType: t2.micro
ECSInstanceType: t2.large
ecs_ami:
us-east-1:
ami: ami-04351e12
us-east-2:
ami: ami-1b90a67e
us-west-1:
ami: ami-9cbbaffc
eu-west-3:
ami: ami-914afcec
eu-west-2:
ami: ami-a48d6bc3
eu-west-1:
ami: ami-bfb5fec6
eu-central-1:
ami: ami-ac055447
us-west-2:
ami: ami-05b5277d
ap-southeast-2:
ami: ami-4cc5072e
ap-southeast-1:
ami: ami-acbcefd0
ap-northeast-2:
ami: ami-ba74d8d4
ap-northeast-1:
ami: ami-5add893c
ca-central-1:
ami: ami-a535b2c1
ap-south-1:
ami: ami-2149114e
sa-east-1:
ami: ami-d3bce9bf
#Webhook access only via https
webHooks:
#github
- 192.30.252.0/22
#bitbucket cloud
- 104.192.142.0/24
- 104.192.136.0/21
- 131.103.26.0/23
- 131.103.26.0/24
- 131.103.27.0/24
- 131.103.29.0/24
- 165.254.226.0/23
- 165.254.226.0/24
- 165.254.227.0/24
- 131.103.28.0/24
- 185.166.140.0/22
# if set to true, security group allowing connections from NAT gateway will be assigned to
# ecs cluster (useful for windows jenkins slaves)
allow_nat_connections: false
# This option applies only for docker-in-docker jenkins slave
# If slave is volatile, docker images data is not volume-mounted from EBS drive, and is lost once
# jenkins slave is stopped (e.g. service task restarted)
volatile_jenkins_slave: false
# Include docker-in-docker jenkins slave as part of service task definition
include_diind_slave: true
# Include docker-outside-of-docker jenkins slave as part of service task definition
# Docker version will be dependant on underlying ECS host
include_dood_slave: false
# allows overwrite for ciinabox docker slave version
# currently 17.03.2-ce (tagged as latest) and 17.06.1-ce are supported
# see https://hub.docker.com/r/base2/ciinabox-docker-slave/tags/ for further details
docker_slave_version: 17.03.2-ce
# Feature toggle for ECR Credentials helper, controlled via USE_ECR_CREDENTIAL_HELPER environment variable
# If ecr credential helper is configured, it will fail on docker login command
docker_slave_enable_ecr_credentials_helper: false
# Uncomment line below if you want to use external IAM role for Instance Profile
# Note that if this options is used, permissions from 'ecs_iam_role_permissions_default'
# and 'ecs_iam_role_permissions_extras' are disregarded
# ciinabox_iam_role_name: 'ciinabox'
# Indicates whether bastion stack allowing user to access ciinabox host
# from public network will be created or not
include_bastion_stack: false
# if set to true, docker volume will be formatted as ext4 and volume-mounted under /var/lib/docker.
# Used if ECS AMI is configured with overlay2 driver. Defaults to false, as Amazon ECS AMIs (default)
# are using devicemapper, which gets configured automatically. Main advantage of using overlay2 over devicemapper is
# device size limitation
ecs_docker_volume_volumemount: false
# if set to true, EBS data volumes will be tagged to be backed up with shelvery aws backup manager
# also, retention periods can be controlled from here
data_volume_shelvery_backups: true
data_volume_retain_daily_backups: 7
data_volume_retain_weekly_backups: 4
data_volume_reatin_monthly_backups: 12
ecs_iam_role_permissions_default:
- name: assume-role
actions:
- sts:AssumeRole
resource: '*'
- name: read-only
actions:
- ec2:Describe*
- s3:Get*
- s3:List*
resource: '*'
- name: s3-write
actions:
- s3:PutObject
- s3:PutObject*
resource: '*'
- name: Route53
actions:
- route53:ChangeResourceRecordSets
- route53:ListHostedZonesByName
resource: '*'
- name: ecsServiceRole
actions:
- ecs:CreateCluster
- ecs:DeregisterContainerInstance
- ecs:DiscoverPollEndpoint
- ecs:Poll
- ecs:RegisterContainerInstance
- ecs:StartTelemetrySession
- ecs:Submit*
- ec2:AuthorizeSecurityGroupIngress
- ec2:Describe*
- elasticloadbalancing:DeregisterInstancesFromLoadBalancer
- elasticloadbalancing:Describe*
- elasticloadbalancing:RegisterInstancesWithLoadBalancer
resource: '*'
- name: ssm-run-command
actions:
- ssm:DescribeAssociation
- ssm:GetDocument
- ssm:ListAssociations
- ssm:UpdateAssociationStatus
- ssm:UpdateInstanceInformation
- ec2messages:AcknowledgeMessage
- ec2messages:DeleteMessage
- ec2messages:FailMessage
- ec2messages:GetEndpoint
- ec2messages:GetMessages
- ec2messages:SendReply
- cloudwatch:PutMetricData
- ec2:DescribeInstanceStatus
- ds:CreateComputer
- ds:DescribeDirectories
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:DescribeLogGroups
- logs:DescribeLogStreams
- logs:PutLogEvents
- s3:PutObject
- s3:GetObject
- s3:AbortMultipartUpload
- s3:ListMultipartUploadParts
- s3:ListBucketMultipartUploads
resource: '*'
- name: ecr
actions:
- ecr:*
resource: '*'
- name: packer
actions:
- cloudformation:*
- ec2:AttachVolume
- ec2:CreateVolume
- ec2:DeleteVolume
- ec2:CreateKeypair
- ec2:DeleteKeypair
- ec2:CreateSecurityGroup
- ec2:DeleteSecurityGroup
- ec2:AuthorizeSecurityGroupIngress
- ec2:CreateImage
- ec2:RunInstances
- ec2:TerminateInstances
- ec2:StopInstances
- ec2:DescribeVolumes
- ec2:DetachVolume
- ec2:DescribeInstances
- ec2:CreateSnapshot
- ec2:DeleteSnapshot
- ec2:DescribeSnapshots
- ec2:DescribeImages
- ec2:RegisterImage
- ec2:CreateTags
- ec2:ModifyImageAttribute
- ec2:GetPasswordData
- iam:PassRole
- dynamodb:*
resource: '*'
#extra_stacks:
# elk:
# #define template name? - optional
# file_name: elk
# parameters:
# RoleName: search
# CertName: x
# StackOctetA: 11
# StackOctetB: 12
bastionInstanceType: t2.micro
bastionAMI:
us-east-1:
ami: ami-55ef662f
us-east-2:
ami: ami-c5062ba0
us-west-2:
ami: ami-e689729e
us-west-1:
ami: ami-02eada62
ap-southeast-1:
ami: ami-0797ea64
ap-southeast-2:
ami: ami-8536d6e7
eu-west-1:
ami: ami-acd005d5
eu-west-2:
ami: ami-1a7f6d7e
eu-central-1:
ami: ami-c7ee5ca8
acm_auto_issue_validate: true