AWS Cross Account Access for Team City Slave

My company has 3 AWS environments set up (3 VPCs). TeamCity master and slaves are deployed in AWS DEV VPC and we have been doing deployments in DEV/QA using the TeamCity slaves and an auto-scaling group with launch configs. AWS DEV has a VPC peering connection with AWS OPS. AWS Prod is restricted and only has access to AWS OPS via VPC peering.

Note: There is no peering connection between PROD and Dev. 

With our OPS VPC finally coming together, we have migrated a lot of our operations and management tools from Dev VPC to OPS. TeamCity is on our list of tools to be migrated. However, migrating TeamCity master from DEV to OPS seems like a bigger effort and we were wondering if it's possible to keep TeamCity master in Dev VPC and give the TeamCity master an IAM role to deploy a slave in OPS. This slave in OPS would in turn have an IAM role to do code deployments in Prod (IF THAT'S A POSSIBILITY)?

If this configuration is not possible, we would have to migrate our TeamCity master in DEV VPC to OPS VPC and deploy slaves with IAM roles into Dev and Prod, which we already understand would work. Is there a way to cut the overhead work in this situation? Any help would be appreciated.

2 comments

Hi,


I'm not too familiar with AWS terminology and capabilities, but I'm not sure I see where the problem would be for it to be possible. At the end of the day, TeamCity runs builds with its agent processes. As long as these processes have the permissions (are run by users with them), the actions should be successful, independently of whether the server is in one or another environment. As long as the agents can also connect to the server, that is. For that, connectivity and permissions for the processes should be the only requirement. Is there anything I'm missing?

Permanently deleted user

Thanks for responding Denis. I guess this question requires some kind of AWS expertise. We realize that slaves need to speak to master instance. Since OPS is the only environment that has a peering connection to Dev and Prod environments, we wanted to launch a slave in OPS and give it necessary permissions to have access to resources in Prod. 

To summarize, TeamCity master would be in the Dev environment with enough permissions to call TeamCity in OPS, which in turn has permissions to launch instances behind an auto-scaling group in Prod. We understand cross-account roles are possible on AWS but wanted clarification over TeamCity being able to hold up its end in terms of master and slave being in different subnets, across different environments, and still being able to connect?

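The OPS-to-Prod hop described in the reply above is the cross-account piece that needs the most care, because the Prod role is the one that can change production. The following is an added example, not code from this thread or from TeamCity: it assumes OPS and Prod are separate AWS accounts (placeholder account IDs, role names, region, ASG name and ExternalId are all constructed), writes the three policy documents for the chain (OPS agent role may only assume the Prod deploy role; the Prod deploy role trusts only that specific OPS role, and only with an agreed ExternalId; the Prod deploy role may only touch one auto-scaling group), and lints a trust policy for the two mistakes that most commonly over-broaden cross-account access. The Dev-to-OPS hop would follow the same pattern with the Dev master's role as the principal.

```python
import json

# Constructed placeholder values (assumptions, not from the thread).
OPS_ACCOUNT = "111111111111"
PROD_ACCOUNT = "222222222222"
REGION = "us-east-1"
OPS_AGENT_ROLE = f"arn:aws:iam::{OPS_ACCOUNT}:role/teamcity-agent-ops"
PROD_DEPLOY_ROLE = f"arn:aws:iam::{PROD_ACCOUNT}:role/teamcity-deploy-prod"
EXTERNAL_ID = "teamcity-prod-deploy-example"  # constructed; an opaque value agreed on both sides
PROD_ASG_ARN = (f"arn:aws:autoscaling:{REGION}:{PROD_ACCOUNT}:autoScalingGroup:*"
                ":autoScalingGroupName/prod-web-asg")


def ops_agent_permissions_policy():
    """Attached to the OPS agent role (via its instance profile).
    Its only cross-account right is assuming the Prod deploy role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": PROD_DEPLOY_ROLE,
        }],
    }


def prod_trust_policy():
    """Trust policy on the Prod deploy role: only the specific OPS agent role,
    never the OPS account root, and only when it presents the ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": OPS_AGENT_ROLE},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
        }],
    }


def prod_permissions_policy():
    """Permissions of the Prod deploy role, scoped to the one ASG the
    deployment rolls. Describe* calls do not support resource scoping."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["autoscaling:UpdateAutoScalingGroup",
                           "autoscaling:StartInstanceRefresh"],
                "Resource": PROD_ASG_ARN,
            },
            {
                "Effect": "Allow",
                "Action": ["autoscaling:DescribeAutoScalingGroups",
                           "autoscaling:DescribeLaunchConfigurations"],
                "Resource": "*",
            },
        ],
    }


def lint_trust_policy(policy):
    """Return findings for trust statements that are broader than a single
    named role with an ExternalId. An empty list means the policy passes."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the bare string "*" or {"AWS": "<arn>" | ["<arn>", ...]}
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*" or p.endswith(":root"):
                findings.append(f"broad principal: {p}")
        if "sts:ExternalId" not in json.dumps(stmt.get("Condition", {})):
            findings.append("missing sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    for name, doc in [("ops-agent-permissions", ops_agent_permissions_policy()),
                      ("prod-trust", prod_trust_policy()),
                      ("prod-permissions", prod_permissions_policy())]:
        print(f"--- {name}.json ---")
        print(json.dumps(doc, indent=2))
    print("trust findings:", lint_trust_policy(prod_trust_policy()))
```

The agent in OPS then runs `sts:AssumeRole` against `PROD_DEPLOY_ROLE` with the same `EXTERNAL_ID` and uses the returned temporary credentials for the deployment step; the TeamCity server in Dev never holds Prod credentials at all. Running the lint over a trust policy that names the OPS account root instead of the role, or omits the ExternalId, reports both problems, which is the check worth adding to a pipeline that provisions these roles.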
