This documentation relates to an earlier version of Bamboo.

Elastic Bamboo is a feature in Bamboo that allows Bamboo to dynamically source computing resources from the Amazon Elastic Compute Cloud (EC2). If you choose to enable Elastic Bamboo, the broker port (port 54663 by default) of your Bamboo server must be made available to remote agent instances created in the EC2.

Please be warned that this can expose your Bamboo installation to a number of security vulnerabilities if any of your remote agent instances are compromised. These include confidential data (e.g. source code, VCS credentials) being stolen, malicious code being injected into elastic agents, unauthorised access to build queues and false information being submitted to Bamboo servers.

To mitigate some of these security risks, Elastic Bamboo incorporates an SSH tunnelling implementation to provide a secure communication channel between your Bamboo server and the EC2. This tunnelling implementation encrypts traffic between the Bamboo server and elastic agents using SSL, which means that you do not need to compromise your firewall by opening it up to outside connections.

SSH tunnelling is not implemented for VCS (Version Control System) to EC2 traffic though. You will need to make your VCS available to the EC2 to use Elastic Bamboo. Please see the section on setting up your VCS for Elastic Bamboo, which contains guidelines on securing your VCS.

Screenshot: Elastic Bamboo Security Architecture

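The following sections describe the default access rules for remote agent instances and how to change these rules if required.

Default EC2 Access Rules

When you first use Elastic Bamboo, i.e. when you start an elastic instance, an 'elasticbamboo' security group is set up in your AWS account. This security group is essentially a set of IP addresses that are permitted to access the EC2. By default, the security group contains two rules: one that permits connections for Elastic Bamboo itself, and one that permits connections via SSH.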

The EC2 security groups can be accessed via the AWS management console (see 'Security Groups' in the left-hand menu under 'Configuration').

Screenshot: AWS Console - Security Groups

Changing the Default EC2 Access Rules

If you wish to change the default access rules for Elastic Bamboo (e.g. remove SSH access, permit additional connections), you can do this by adding or removing entries from the 'Allowed Connections' for the 'elasticbamboo' security group. See the previous section on 'Default EC2 Access Rules' for instructions on how to access your EC2 security groups.
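As an added example (not Atlassian's code), the following Python script audits the inbound rules of the 'elasticbamboo' group from the JSON printed by `aws ec2 describe-security-groups`, flagging rules open to the whole internet and every source that can reach SSH. The sample data is constructed, and port 4000 is a placeholder for the Elastic Bamboo rule because this page does not state its port.

```python
import ipaddress
import json

# Constructed sample in the shape printed by
# `aws ec2 describe-security-groups --group-names elasticbamboo`.
# CIDRs are documentation ranges; 4000 is a placeholder port (assumption).
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupName": "elasticbamboo", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 4000, "ToPort": 4000,
   "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
  {"IpProtocol": "-1",
   "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
]}]}
""")


def covers_port(perm, port):
    """True if the rule admits TCP `port`; protocol "-1" means all traffic."""
    if perm["IpProtocol"] == "-1":
        return True  # all-traffic rules carry no FromPort/ToPort keys
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]


def audit(description, group_name="elasticbamboo", ssh_port=22, max_hosts=256):
    """Return (severity, message) findings for one security group."""
    findings = []
    groups = [g for g in description["SecurityGroups"] if g["GroupName"] == group_name]
    if not groups:
        return [("info", f"group {group_name!r} not found")]
    for perm in groups[0].get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        ports = "all" if perm["IpProtocol"] == "-1" else f'{perm.get("FromPort")}-{perm.get("ToPort")}'
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append(("high", f"ports {ports} open to the whole internet ({cidr})"))
            elif net.num_addresses > max_hosts:
                findings.append(("medium", f"ports {ports} open to a broad range ({cidr})"))
            if covers_port(perm, ssh_port):
                findings.append(("review", f"SSH reachable from {cidr}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```

Save the CLI output to a file and pass the parsed JSON to `audit()` in place of `SAMPLE` to check a real account.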

Setting up your VCS for Elastic Bamboo

We recommend that you take the following steps to ensure that your VCS is set up securely for Elastic Bamboo:

  1. Make your VCS accessible to the public internet
  2. Configure your AWS security group
  3. Use VCS authentication and access control
  4. Use encrypted connections to your VCS

1. Make your VCS accessible to the public internet

As SSH tunnelling is not implemented for VCS to EC2 connections, you will need to make your VCS accessible to the public internet to use Elastic Bamboo. If your VCS is behind a firewall this will involve configuring an access point in your firewall. Please consult the documentation for your firewall software for details on how to do this.

2. Configure your AWS security group

Once you have made your VCS available to the public internet, the next step is to allow your VCS to connect to EC2. This involves adding the necessary access rule to the 'elasticbamboo' security group in your AWS account, to allow a connection from your VCS. Please see the section on Changing the Default EC2 Access Rules above for instructions on how to do this.

3. Use VCS authentication and access control

As you have made your VCS available to the public internet, we highly recommend that you secure access to your VCS by enabling the authentication and access control features on your VCS. The instructions for doing this vary from VCS to VCS. Please consult the documentation for your VCS for details.

4. Use encrypted connections to your VCS

We also highly recommend that you use encrypted connections for your VCS (e.g. SSL). Again, the instructions for doing this vary from VCS to VCS. Please consult the documentation for your VCS for details.