CloudForge CI - Quick Start Guide
Get CloudForge CI running in your AWS account in under 10 minutes with zero compliance overhead, or configure a fully compliant production environment in under 30 minutes.
Prerequisitesโ
- AWS Account with admin access
- AWS CLI configured (
aws configure) - Node.js 18+ and npm
- AWS CDK installed (
npm install -g aws-cdk) - Java 21 (for building from source)
Path 1: Fastest Start (5 Minutes)โ
Goal: Get Jenkins running with minimal configuration for evaluation/development.
Step 1: Clone and Setupโ
git clone https://github.com/CloudForgeCI/cfc-core.git
cd cfc-core
mvn clean install -DskipTests
cd cfc-testing
Step 2: Use Minimal Dev Templateโ
cp docs/examples/dev-minimal.json deployment-context.json
Step 3: Bootstrap CDK (First Time Only)โ
cdk bootstrap
Step 4: Deployโ
cdk deploy
Note: The Interactive Deployer will automatically prompt you to configure if deployment-context.json doesn't exist.
Step 5: Access Jenkinsโ
After deployment completes (3-5 minutes):
# Get ALB DNS name
aws cloudformation describe-stacks \
--stack-name CloudForge-Dev \
--query 'Stacks[0].Outputs[?OutputKey==`LoadBalancerDNS`].OutputValue' \
--output text
Navigate to the DNS name in your browser. No authentication required for dev-minimal.
What You Getโ
- โ Application on Fargate (no server management)
- โ Public ALB (internet accessible)
- โ EFS storage (persistent data)
- โ Auto-scaling (1 task)
- โ CloudWatch monitoring
- โ No encryption
- โ No authentication
- โ No compliance controls
- Cost: ~$35/month
โ ๏ธ WARNING: This setup is for development/evaluation only. Do not use for production.
Path 2: Standard Development (10 Minutes)โ
Goal: Team development environment with basic security.
Step 1: Setupโ
cd cfc-testing
cp docs/examples/dev-standard.json deployment-context.json
Step 2: Customize Configurationโ
Edit deployment-context.json:
{
"stackName": "MyTeam-Jenkins-Dev",
"cognitoDomainPrefix": "myteam-jenkins-dev-unique123" // Must be globally unique
}
Step 3: Deployโ
cdk deploy
Step 4: Access Jenkinsโ
# Get ALB DNS and Cognito info
aws cloudformation describe-stacks \
--stack-name MyTeam-Jenkins-Dev \
--query 'Stacks[0].Outputs'
Navigate to ALB DNS, authenticate with Cognito (you'll create an account on first access).
What You Getโ
- โ Application on Fargate with auto-scaling (1-2 tasks)
- โ Private subnets with NAT
- โ Cognito authentication (no MFA)
- โ Encryption at rest
- โ CloudWatch monitoring
- โ No compliance controls
- Cost: ~$95/month
Path 3: Production with SOC 2 (30 Minutes)โ
Goal: Production-ready deployment with SOC 2 compliance.
Step 1: Prepare Configurationโ
cd cfc-testing
cp docs/examples/production-soc2.json deployment-context.json
Step 2: Customize for Your Environmentโ
Edit deployment-context.json:
{
"stackName": "MyCompany-Jenkins-Prod",
"region": "us-east-1",
"domain": "mycompany.com",
"subdomain": "jenkins",
"createZone": false, // Set true if Route53 zone doesn't exist
"cognitoDomainPrefix": "mycompany-jenkins-prod", // Must be globally unique
"enableS3VersioningRemediation": true,
"enableCloudTrailBucketAccessRemediation": true
}
Step 3: Verify Prerequisitesโ
# Verify Route53 hosted zone exists (if createZone=false)
aws route53 list-hosted-zones-by-name --dns-name mycompany.com
# Verify AWS Config is not already configured (or set createConfigInfrastructure=false)
aws configservice describe-configuration-recorders
Step 4: Review Templateโ
# Synthesize and review CloudFormation template
cdk synth > /tmp/template.yaml
# Check resource counts
grep "Type: AWS::" /tmp/template.yaml | wc -l
Step 5: Deployโ
cdk deploy --require-approval never
Deployment takes 15-20 minutes. Components deployed:
- VPC, subnets, NAT gateways (2 min)
- Security groups (1 min)
- ALB, target groups (3 min)
- EFS file system (2 min)
- EC2 Auto Scaling Group (5 min)
- Cognito User Pool (2 min)
- AWS Config, CloudTrail, GuardDuty (3 min)
- Config Rules and auto-remediation (2 min)
Step 6: Verify Deploymentโ
# Get outputs
aws cloudformation describe-stacks \
--stack-name MyCompany-Jenkins-Prod \
--query 'Stacks[0].Outputs' \
--output table
# Verify Config Recorder is running
aws configservice describe-configuration-recorder-status
# Check compliance status
aws configservice describe-compliance-by-config-rule \
--compliance-types COMPLIANT NON_COMPLIANT \
--output table
Step 7: Initial Admin Setupโ
# Create Cognito admin user
aws cognito-idp admin-create-user \
--user-pool-id <pool-id-from-outputs> \
--username admin@mycompany.com \
--user-attributes Name=email,Value=admin@mycompany.com \
--temporary-password TempPassword123! \
--message-action SUPPRESS
Step 8: Access Applicationโ
Navigate to https://jenkins.mycompany.com (or ALB DNS if domain not configured).
- Authenticate with Cognito
- Complete MFA setup (TOTP - use Google Authenticator, Authy, etc.)
- Complete application-specific setup (varies by application)
What You Getโ
- โ Application on EC2 with auto-scaling (2-6 instances)
- โ Private subnets with NAT
- โ Custom domain with SSL/TLS
- โ Cognito authentication with MFA
- โ Encryption at rest and in transit
- โ 20+ AWS Config rules (SOC 2)
- โ Auto-remediation (S3 versioning, CloudTrail logging, RDS security)
- โ CloudTrail audit logging
- โ GuardDuty threat detection
- โ WAF web application firewall
- โ VPC Flow Logs
- โ AWS Audit Manager
- โ 2-year log retention
- Cost: ~$400/month
โ SOC 2 Type II Ready - All technical controls implemented
Path 4: HIPAA Compliance (30 Minutes)โ
For healthcare applications handling PHI/ePHI.
Quick Setupโ
cd cfc-testing
cp docs/examples/production-hipaa.json deployment-context.json
# Customize (same as SOC 2 Path 3 above)
vim deployment-context.json
# Deploy
cdk deploy
What's Different from SOC 2?โ
- โ 30+ Config rules (HIPAA + SOC 2)
- โ 6-year log retention (HIPAA ยง164.316(b)(2)(i))
- โ Enhanced encryption validation
- โ Additional audit controls
- Cost: ~$550/month
Path 5: PCI-DSS Compliance (30 Minutes)โ
For payment card processing systems.
Quick Setupโ
cd cfc-testing
cp docs/examples/production-pci-dss.json deployment-context.json
# Customize
vim deployment-context.json
# Deploy
cdk deploy
What's Different?โ
- โ 40+ Config rules (PCI-DSS + HIPAA + SOC 2)
- โ Certificate expiration monitoring
- โ Enhanced WAF rules
- โ CloudFront access logging (if enabled)
- โ Comprehensive network segmentation validation
- Cost: ~$710/month
Path 6: Applications with Databases (20 Minutes)โ
Goal: Deploy applications that require RDS databases (GitLab, Mattermost, Metabase, etc.)
Quick Setupโ
cd cfc-testing
# Create deployment context for application with database
cat > deployment-context.json <<EOF
{
"stackName": "MyCompany-GitLab",
"context": {
"applicationId": "gitlab",
"securityProfile": "production",
"runtime": "FARGATE",
"domain": "mycompany.com",
"subdomain": "gitlab",
"enableSsl": true,
"cognitoDomainPrefix": "mycompany-gitlab-unique123"
}
}
EOF
# Deploy (database automatically provisioned)
cdk deploy
What's Different?โ
- โ RDS PostgreSQL automatically provisioned
- โ Secrets Manager for database credentials
- โ Encryption at rest with KMS
- โ Automated backups (7-30 days based on profile)
- โ Multi-AZ for production environments
- โ Auto-remediation for database compliance (deletion protection, auto-upgrades)
Optional Database Provisioningโ
For applications that support both RDS and embedded databases (Metabase, Grafana):
{
"applicationId": "metabase",
"securityProfile": "production",
"provisionDatabase": true // โ Optional: use RDS instead of H2
}
Cost: Add ~$15-80/month for RDS (depending on instance size)
Common Customizationsโ
Change Instance Typeโ
{
"instanceType": "t3.large" // t3.small, t3.medium, t3.large, m5.xlarge
}
Adjust Auto-Scalingโ
{
"minInstanceCapacity": 3,
"maxInstanceCapacity": 10,
"cpuTargetUtilization": 50
}
Scope Config Rules to Stack Onlyโ
{
"scopeConfigRulesToDeployment": true // Only monitor this stack's resources
}
Enable Automated Remediationโ
{
"awsConfigEnabled": true,
"complianceFrameworks": "SOC2,HIPAA",
"enableS3VersioningRemediation": true,
"enableCloudTrailBucketAccessRemediation": true,
"enableRdsDeletionProtectionRemediation": true,
"enableRdsAutoMinorVersionUpgradeRemediation": true
}
Enable CloudFront CDNโ
{
"cloudfront": true
}
Add Bastion Host Accessโ
{
"bastionCidr": "203.0.113.0/24" // Your office IP range
}
Upgrading Between Environmentsโ
Dev โ Stagingโ
# Start with dev config
cat deployment-context.json > deployment-context-staging.json
# Add compliance
cat > patch.json <<EOF
{
"stackName": "MyCompany-Jenkins-Staging",
"securityProfile": "staging",
"awsConfigEnabled": true,
"complianceFrameworks": "SOC2",
"guardDutyEnabled": true,
"wafEnabled": true,
"cognitoMfaEnabled": true,
"logRetentionDays": 365
}
EOF
# Merge configurations
jq -s '.[0] * .[1]' deployment-context-staging.json patch.json > temp.json
mv temp.json deployment-context-staging.json
# Deploy
cdk deploy
Staging โ Productionโ
# Copy staging config
cp deployment-context-staging.json deployment-context-prod.json
# Update for production
jq '.stackName = "MyCompany-Jenkins-Prod" |
.securityProfile = "production" |
.runtime = "ec2" |
.instanceType = "t3.medium" |
.minInstanceCapacity = 2 |
.auditManagerEnabled = true |
.scopeConfigRulesToDeployment = false |
.logRetentionDays = 730' \
deployment-context-prod.json > temp.json
mv temp.json deployment-context-prod.json
# Deploy
cdk deploy
Troubleshootingโ
Error: "Cognito domain prefix already in use"โ
# Generate unique prefix
UNIQUE_PREFIX="mycompany-jenkins-$(openssl rand -hex 4)"
jq ".cognitoDomainPrefix = \"$UNIQUE_PREFIX\"" deployment-context.json > temp.json
mv temp.json deployment-context.json
Error: "Route53 hosted zone not found"โ
# Option 1: Create zone automatically
jq '.createZone = true' deployment-context.json > temp.json
mv temp.json deployment-context.json
# Option 2: Remove domain requirement
jq 'del(.domain, .subdomain)' deployment-context.json > temp.json
mv temp.json deployment-context.json
Error: "Config recorder already exists"โ
# Use existing recorder
jq '.createConfigInfrastructure = false' deployment-context.json > temp.json
mv temp.json deployment-context.json
Deployment Stuck or Failedโ
# Check CloudFormation events
aws cloudformation describe-stack-events \
--stack-name YourStackName \
--max-items 20
# Rollback if needed
cdk destroy
Post-Deployment Tasksโ
1. Configure Jenkinsโ
# Access Jenkins via ALB DNS or custom domain
# Install recommended plugins
# Configure:
# - GitHub integration
# - Pipeline libraries
# - Build agents
# - Credentials
2. Set Up Monitoringโ
# Subscribe to SNS topics for alerts
aws sns subscribe \
--topic-arn <guardduty-topic-arn> \
--protocol email \
--notification-endpoint security@mycompany.com
3. Verify Complianceโ
# Run compliance check
aws configservice describe-compliance-by-config-rule \
--compliance-types NON_COMPLIANT \
--output table
# Fix any non-compliant resources
# Auto-remediation will handle some automatically
4. Backup Configurationโ
# Export deployment context
aws s3 cp deployment-context.json \
s3://my-backup-bucket/jenkins/deployment-context-$(date +%Y%m%d).json
# Export CloudFormation template
aws cloudformation get-template \
--stack-name YourStackName \
--query 'TemplateBody' > template-backup.yaml
Cost Optimization Tipsโ
-
Use Fargate Spot (50% savings):
{
"runtime": "fargate",
"capacityProviderStrategy": [{"capacityProvider": "FARGATE_SPOT", "weight": 1}]
} -
Reduce NAT Gateway costs (dev only):
{
"networkMode": "public-no-nat" // Only for dev!
} -
Scope Config rules:
{
"scopeConfigRulesToDeployment": true // Fewer evaluations
} -
Adjust log retention:
{
"logRetentionDays": 30 // Instead of 730 for non-production
} -
Use Reserved Instances (production EC2 - 40% savings)
-
Enable S3 lifecycle policies for log archival
Next Stepsโ
- Development: Extended Testing Guide
- Production: Deployment Guide
- Compliance: Quick Start Compliance Guide
- Auditing: Audit Readiness Guide
- Security: IAM Rules Guide
Supportโ
- Documentation:
/docsdirectory - Issues: GitHub Issues
- AWS Support: AWS Support Center
- Compliance: See Auditor Compliance Mapping
Quick Reference Commandsโ
# Deploy
cdk deploy
# Check status
aws cloudformation describe-stacks --stack-name StackName
# Get outputs
aws cloudformation describe-stacks \
--stack-name StackName \
--query 'Stacks[0].Outputs'
# Check compliance
aws configservice describe-compliance-by-config-rule
# View logs
aws logs tail /aws/ecs/jenkins --follow
# Destroy stack
cdk destroy