Amazon Web Service (AWS) & Jenkins Configuration

If you’re using a locally hosted Jenkins instance, please ensure it is within your corporate Demilitarized Zone (DMZ) and can accept incoming connections from Salesforce. If so, you can skip to the next section. This guide page is about configuring Jenkins on Amazon Web Services.

The range of Salesforce IP addresses is long and ever-changing, so we recommend a cloud-hosted instance.

An AWS instance should be configured following the Setup a Jenkins Build Server on Amazon Web Services (AWS) guide.

Note: The entire public AWS DNS JENKINS_URL must be used, not just the IP address:

e.g., http://ec2-user@IP.REGION.compute.amazonaws.com:8080

After completing your setup, ensure you can access your new Jenkins admin screen remotely using the JENKINS_URL from your local desktop browser before continuing and not just on the AWS instance using localhost:8080 or localhost:8443. If this fails, you must check your AWS Configure Security Group and ensure it has been applied to your AWS instance. Do not proceed until this is working.

If installing onto a Windows server, you must create an Inbound Port Forwarding rule on Windows Firewall for port 8080 or 8443. Do not restrict source IP access unless you plan to allow every Salesforce IP address (highly discouraged as Salesforce is a SaaS application, and as such, these are pretty vast and always subject to change).

You are responsible for locking down this AWS instance and Jenkins to meet your corporate security standards. The instance must be accessible from Salesforce.

Jenkins Configuration

If your ecosystem does not already have an operational Jenkins server, please refer to the Setting up continuous integration support article.

This configuration is meant to be agnostic of the calling system. In other words, you can use a similar configuration for all of the following tools:

Copado
Gearset
Flosum

Throughout this guide, we will collectively refer to these as your Release Management (RM) tool.

After provisioning the server, the Cross-site Request Forgery (CSRF) protection needs to be disabled. This can be disabled by navigating to Manage Jenkins -> Configure Global Security. This is no longer required in Jenkins 2.96 or later.

Before Jenkins 2.96, this setting was required to allow triggering builds remotely from a Salesforce RM tool. You can read more about the Jenkins changes here.

The default settings for the Access Control should be left below until your integration is working and then can be locked down using Matrix-Based Security.

Note: By enabling Read Only Anonymous access, you can allow non-authenticated users to inspect the results of the build action.

Disable this if you do not want to allow this to be publicly visible to anyone with the Jenkins server URL, and set up any additional non-admin user access you may require instead.

We do not recommend using your Jenkins Admin user credentials for triggering remote builds. Instead, we recommend creating a new user specifically for this purpose using Manage Jenkins -> Manage Users to add a new user.

To create an API token, navigate to the Configure screen for the user you want to generate the token for. Click Add new Token, provide a token name, then select Generate.

For the Jenkins user you want to use to trigger tests remotely, note the username and API token to be used. The password is not required for API access.

Note: You need to log in as the user to be used and click the Show API token BEFORE restricting access if you use matrix-based security.

While you can integrate with the Jenkins Admin user, we strongly recommend creating a new user identity in the Manage Jenkins -> Manage Users and limiting their execution to execute build jobs only once you have your integration working and have captured the API Token as above for the new user.