Amazon Web Service (AWS) & Jenkins Configuration

If you’re using a locally hosted Jenkins instance, please ensure it is within your corporate Demilitarized Zone (DMZ) and can accept incoming connections from Salesforce. If so, you can skip to the next section. This guide page is about configuring Jenkins on Amazon Web Services.

The range of Salesforce IP addresses is long and ever-changing so we recommend a cloud-hosted instance.

An AWS instance should be configured by following the Setup a Jenkins Build Server on Amazon Web Services (AWS) guide.

Note: The full public AWS DNS JENKINS_URL must be used, not just the IP address:

e.g. http://[email protected]IP.REGION.compute.amazonaws.com:8080

After completing your setup, ensure that you can access your new Jenkins admin screen remotely using the JENKINS_URL from your local desktop browser before continuing and not just on the AWS instance using localhost:8080 or localhost:8443. If this fails, you need to check your AWS Configure Security Group and ensure that it has been applied to your AWS instance. Do not proceed until this is working.

If installing onto a Windows server, you will also need to also create an Inbound Port Forwarding rule on Windows Firewall for port 8080 or 8443. Do not restrict source IP access unless you plan to whitelist every Salesforce IP address (highly discouraged as Salesforce is a SaaS application, and as such, these are quite vast and always subject to change).

It is your responsibility to lock down this AWS instance and Jenkins to meet your corporate security standards. The instance must be accessible from Salesforce.

Jenkins Configuration

If your ecosystem does not already have an operational Jenkins server, please refer to the Setting up continuous integration support article.

Worth noting that this configuration is meant to be agnostic of the calling system. In other words, you can use a similar configuration for all of the following tools:

Copado
Gearset
Flosum

Throughout this guide, we will be referring to these collectively as your Release Management (RM) tool.

After provisioning the server, the Cross-site Request Forgery (CSRF) protection needs to be disabled. This can be disabled by navigating to Manage Jenkins -> Configure Global Security. This is no longer required in Jenkins 2.96 or later.

Prior to Jenkins 2.96, this setting was required to allow triggering builds remotely from a Salesforce RM tool. You can read more about the Jenkins changes here.

The default settings for the Access Control should be left as below until you have your integration working and then can be locked down using Matrix Based Security.

Note: By enabling Read Only Anonymous access, you can allow non-authenticated users to inspect the results of the build action.

Disable this if you do not want to allow this to be publicly visible to anyone with the Jenkins server URL and setup any additional non-admin user access you may require instead.

We do not recommend using your Jenkins Admin user credentials for triggering remote builds. Instead, we recommend that you create a new user specifically for this purpose using Manage Jenkins -> Manage Users to add a new user.

In order to create an API token, navigate to the Configure screen for the user you want to create the token for. Click Add new Token, provide a token name, then select Generate.

For the Jenkins user you want to use to trigger tests remotely, make a note of the username and API token to be used. The password is not required for API access.

Note: You need to login as the user to be used and click the Show API token BEFORE you restrict access if you are using matrix-based security.

While you can integrate with the Jenkins Admin user, we strongly recommend that you create a new user identity in the Manage Jenkins -> Manage Users and limit their execution to execute build jobs only once you have your integration working and have captured the API Token as above for the new user.