Multibranch Pipeline

✅ Complete Industry-Standard Setup

Jenkins Multibranch Pipeline + Shared Library + Folder Properties + AWS AssumeRole


1️⃣ Overall Architecture (Simple Words)

Jenkins (Central)
 ├─ Shared Library (devOps)
 │    └─ generateAwsCreds()
 ├─ Folder (dev)
 │    ├─ Folder Properties (environment, product)
 │    └─ Multibranch Pipeline (vpc-test)
 │         └─ Jenkinsfile (from repo subfolder)
 └─ AWS
      ├─ Jenkins Base User (admin / jenkins-base-creds)
      └─ common-jenkins-assumable-role

2️⃣ Jenkins – Required Plugins (System Level)

Go to Manage Jenkins → Plugins and ensure these are installed:

🔹 Mandatory

  • Pipeline
  • Pipeline: Multibranch
  • Pipeline: Shared Groovy Libraries
  • Git
  • Git client
  • Credentials
  • Credentials Binding
  • Folder Properties Plugin
  • AWS Credentials Plugin
  • Pipeline: AWS Steps

👉 Without Folder Properties Plugin, withFolderProperties {} will NOT work.


3️⃣ Jenkins – Shared Library Configuration (ONE TIME)

Location

Manage Jenkins → Configure System → Global Pipeline Libraries

Configuration

Field             Value
Name              devOps
Default version   master
Retrieval method  Modern SCM
SCM               Git
Repo              repo-url
Credentials       devOps
Library path      (empty, or src if structured)

✅ This makes @Library('devOps') _ work everywhere
✅ generateAwsCreds() is available to all pipelines


4️⃣ Folder Properties (SYSTEM-LEVEL PRACTICE)

Why folder properties?

  • No parameters duplication
  • Environment & product controlled centrally
  • Works perfectly with Multibranch

Folder Structure

Jenkins
 └─ dev   ← Folder
     ├─ Folder Properties
     │    ├─ environment = dev
     │    └─ product     = project
     └─ vpc-test (Multibranch)

Add Folder Properties

Jenkins → dev (folder) → Configure → Folder Properties

Add:

Name         Value
environment  dev
product      project

Click Save

✅ These values are available to every Jenkinsfile inside the folder (read them inside withFolderProperties {})


5️⃣ AWS IAM – Combined & Clean Setup

5.1 Jenkins Base User Policy

(Used by jenkins-base-creds)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACC-ID:role/common-jenkins-assumable-role"
    }
  ]
}

Command:

aws iam put-user-policy \
  --profile 81 \
  --user-name admin \
  --policy-name AllowAssumeCommonJenkinsRole \
  --policy-document file://allow-assume-role.json

5.2 Trust Policy for common-jenkins-assumable-role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACC-ID:user/admin"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create role:

aws iam create-role \
  --profile 81 \
  --role-name common-jenkins-assumable-role \
  --assume-role-policy-document file://trust-policy.json

5.3 Role Permissions (CloudFormation + Infra)

Attach policy:

aws iam put-role-policy \
  --profile 81 \
  --role-name common-jenkins-assumable-role \
  --policy-name common-jenkins-assumable-role-policy \
  --policy-document file://common-jenkins-assumable-role-policy.json

5.4 Mandatory Verification

aws sts assume-role \
  --profile 81 \
  --role-arn arn:aws:iam::ACC-ID:role/common-jenkins-assumable-role \
  --role-session-name admin-test

✅ If this works → Jenkins will work
❌ If this fails → Pipeline will fail
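The command above proves that the local profile can assume the role. Jenkins authenticates with jenkins-base-creds instead, so the same check is worth running from Jenkins itself. The following is an added example, not part of the original notes: a minimal Jenkinsfile that assumes the role through withAWS and fails the build unless the caller identity is the assumed role rather than the base user. It assumes the credential id jenkins-base-creds, the ACC-ID placeholder from the notes, and an aws CLI installed on the agent.

```groovy
// Added example (not from the original notes): verify the AssumeRole chain from Jenkins.
// Assumptions: credential id 'jenkins-base-creds' holds the base user's keys,
// ACC-ID is the placeholder account id from the notes, and the agent has the aws CLI.
pipeline {
    agent any

    stages {
        stage('Verify AssumeRole chain') {
            steps {
                // Same mapping as the IAM setup: base user (5.1) assumes the role whose
                // trust policy (5.2) names that user as Principal.
                withAWS(credentials: 'jenkins-base-creds',
                        role: 'common-jenkins-assumable-role',
                        roleAccount: 'ACC-ID',
                        roleSessionName: "jenkins-verify-${env.BUILD_NUMBER}",
                        region: 'ap-south-1') {
                    script {
                        // Ask STS who we are now; inside withAWS this must be the assumed role.
                        String callerArn = sh(
                            returnStdout: true,
                            script: 'aws sts get-caller-identity --query Arn --output text'
                        ).trim()
                        echo "Caller identity: ${callerArn}"

                        // An assumed-role ARN looks like
                        // arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
                        if (!callerArn.contains(':assumed-role/common-jenkins-assumable-role/')) {
                            error "Expected to run as common-jenkins-assumable-role, got ${callerArn}"
                        }
                    }
                }
            }
        }
    }
}
```

If withAWS itself fails with AccessDenied, either the user policy in 5.1 or the trust policy in 5.2 is wrong for the principal stored in jenkins-base-creds; the local test with --profile 81 only covers that profile's user, so this stage catches a mismatch between the two.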


6️⃣ Multibranch Pipeline Setup (FINAL)

Key Points

  • NO parameters required at job level
  • Everything comes from:
    • Folder Properties
    • Jenkinsfile parameters (runtime)
  • Jenkinsfile path works for all subfolders


Multibranch Config

Setting        Value
Branch Source  Git
Repo           repo-url
Script Path    pipeline/jenkinsfunctions/vpc/Jenkinsfile
Scan           Manual or webhook

7️⃣ Jenkinsfile – Correct Usage Pattern (Your Logic Preserved)

✅ Correct Design Decision

  • Folder → environment, product
  • Jenkinsfile → infra params
  • Shared Library → AWS auth logic

@Library('devOps') _

pipeline {
    agent any

    // Infra parameters live in the Jenkinsfile; environment/product come from the folder.
    parameters {
        string(name: 'service', defaultValue: 'vpc')
        choice(name: 'natType', choices: ['nat-gateway', 'nat-instance'])
        choice(name: 'natInstanceType', choices: ['t3.nano','t3.micro','t3a.nano'])
        choice(name: 'useArmArchitecture', choices: ['false','true'])
        string(name: 'customAmiId', defaultValue: '')
        choice(name: 'awsRegion', choices: ['ap-south-1','us-east-1'])
    }

    stages {
        stage('Setup') {
            steps {
                script {
                    // Folder Properties are only exposed as env vars inside this block.
                    withFolderProperties {
                        env.ENVIRONMENT = env.environment
                        env.PRODUCT     = env.product
                    }

                    // Fail fast if the job was created outside a configured folder.
                    if (!env.ENVIRONMENT || !env.PRODUCT) {
                        error "Folder properties environment/product missing"
                    }
                }
            }
        }

        stage('Deploy') {
            steps {
                script {
                    // Shared library returns the withAWS() config (base creds + role to assume).
                    Map awsConfig = generateAwsCreds(env.ENVIRONMENT)
                    awsConfig.region = params.awsRegion

                    withAWS(awsConfig) {
                        cfnUpdate(
                            stack: "${env.ENVIRONMENT}-${env.PRODUCT}-${params.service}",
                            file: "iac/aws/cloudformation/${params.service}/${params.service}.yaml",
                            params: [
                                environment: env.ENVIRONMENT,
                                product: env.PRODUCT,
                                service: params.service,
                                NatType: params.natType,
                                NatInstanceType: params.natInstanceType,
                                UseArmArchitecture: params.useArmArchitecture
                            ],
                            timeoutInMinutes: 60
                        )
                    }
                }
            }
        }
    }
}
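Sections 3 and 7 rely on generateAwsCreds() from the devOps shared library but never show it. Below is an added, assumed implementation of vars/generateAwsCreds.groovy, not the library's real code: it builds the map that withAWS() consumes and leaves region out because the Jenkinsfile sets awsConfig.region itself. The environment-to-account table, the credential id jenkins-base-creds and the session duration are assumptions; ACC-ID is the placeholder from the notes.

```groovy
// vars/generateAwsCreds.groovy  (assumed location inside the 'devOps' shared library)
//
// Called from a Jenkinsfile as:  Map awsConfig = generateAwsCreds(env.ENVIRONMENT)
// Returns the named arguments withAWS() expects. `region` is intentionally absent:
// the Jenkinsfile sets awsConfig.region = params.awsRegion before calling withAWS.
//
// Assumptions not taken from the notes: the environment -> account table,
// the Jenkins credential id 'jenkins-base-creds', and the session duration.

def call(String environment) {
    // Hypothetical table keyed by the folder property `environment`.
    // ACC-ID is the placeholder used in the notes; add one entry per environment folder.
    Map<String, String> accountByEnvironment = [
        dev: 'ACC-ID'
    ]

    if (!environment) {
        error 'generateAwsCreds: environment is empty (is the folder property set?)'
    }
    String account = accountByEnvironment[environment]
    if (!account) {
        error "generateAwsCreds: no AWS account mapped for environment '${environment}'"
    }

    // The session name is recorded in CloudTrail for every call made under the assumed
    // role, so tie it to the build. RoleSessionName allows only [\w+=,.@-] and at most
    // 64 characters; anything else is replaced and the result truncated.
    String rawName = "jenkins-${environment}-${env.JOB_BASE_NAME ?: 'job'}-${env.BUILD_NUMBER ?: '0'}"
    String sessionName = rawName.replaceAll(/[^\w+=,.@-]/, '-').take(64)

    return [
        credentials    : 'jenkins-base-creds',             // base user from section 5.1
        role           : 'common-jenkins-assumable-role',  // role from section 5.2
        roleAccount    : account,                          // account that owns the role
        roleSessionName: sessionName,
        duration       : 3600                              // seconds; must not exceed the role's MaxSessionDuration
    ]
}
```

Because the map is a plain mutable Groovy map, the Jenkinsfile's awsConfig.region assignment works unchanged. Keeping the credential id and role name here, rather than in each Jenkinsfile, is what makes the "no secrets in code" and "folder-level governance" claims in section 9 hold: a pipeline can only request a role for an environment that the library knows about.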

8️⃣ Branching Strategy (Simple & Clean)

Multibranch auto-detects:

  • new branches
  • PRs (if enabled)
  • branch deletions (the branch's job is removed automatically)

9️⃣ Why this setup is SOLID

✅ Central Jenkins
✅ Cross-account ready
✅ No secrets in code
✅ Folder-level governance
✅ Scales to 100+ services
✅ Matches AWS + Jenkins best practices