diff --git a/.ebextensions/07-custom-vpc.config b/.ebextensions/07-custom-vpc.config
index 531d645..b948e6a 100644
--- a/.ebextensions/07-custom-vpc.config
+++ b/.ebextensions/07-custom-vpc.config
@@ -5,8 +5,8 @@ option_settings:
   # Subnets: "subnet-0b17872a2b9315fad,subnet-0342e8a0a77b30e23,subnet-0eacb84d238279a58"
   # DBSubnets: "subnet-0b17872a2b9315fad,subnet-0342e8a0a77b30e23,subnet-0eacb84d238279a58"
   # ELBSubnets: "subnet-0b17872a2b9315fad,subnet-0342e8a0a77b30e23,subnet-0eacb84d238279a58"
-  # aws:autoscaling:launchconfiguration:
-  #   SecurityGroups: sg-07a97fc88ba143f26
+  aws:autoscaling:launchconfiguration:
+    SecurityGroups: sg-07a97fc88ba143f26
   # aws:elbv2:loadbalancer:
   #   ManagedSecurityGroup: sg-0e6f91df2ed07050a
   #   SecurityGroups: sg-0e6f91df2ed07050a
diff --git a/documentation/running_notes.md b/documentation/running_notes.md
index ae087e6..badfb6f 100644
--- a/documentation/running_notes.md
+++ b/documentation/running_notes.md
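Review bot: The uncommented `SecurityGroups: sg-07a97fc88ba143f26` commits a literal security-group ID that Terraform creates (and, in this same commit, exports as the `aws_security_group_ec2_security_group` output), so the two will diverge silently the next time the group is recreated and the environment will either fail to launch or come up attached to a stale group. Because `.ebextensions` cannot read Terraform state, the robust fix is to generate this option from the Terraform output at deploy time; failing that, document the coupling right here, e.g. `# Must equal `terraform output aws_security_group_ec2_security_group`; update after any apply that recreates the SG`. The `option_settings` block starts outside the hunk.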
@@ -40,3 +40,41 @@ VPC terraform will create
 - You create subnets for a VPC. These subnets will be split evenly across availability zones (for redundancy) and private/local (whether they have internet access or not).
 - Behind the scenes (if using TF), internet gateway, routing tables, attachments will all be created for you. If using CF you will need to create these yourself.
 - A security group is a firewall that is _attached to an EC2 instance_. A security group belongs to a VPC. You can permit instances to talk to each other by setting the source and destination to be the security group itself. You can control ports/ips exactly on an instance basis using security groups.
+
+## HTTPS
+
+### Single instance
+
+As it terminates on the Ec2 instance itself, you need to ammend the nginx config locally. This is specific for each application you are deploying.
+
+.
+
+You need to generate a certificate locally.
+
+`pip install certbot`
+
+`sudo certbot certonly --manual --preferred-challenges=dns --email dtomlinson@panaetius.co.uk --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d "*.panaetius.co.uk"`
+
+### Load balanced
+
+You have two options:
+
+1. Terminate on the load balancer (easiest).
+
+.
+
+You can use AWS Certificate manager to generate your SSL cert, or you can upload your own.
+
+Use a .config file as documented above and EB will handle the rest.
+
+2. Pass through to the instance.
+
+.
+
+If you do this you need to set up termination on the EC2 instances using the config for a single instance above.
+
+You can TCP pass through without the load balancer decrypting the traffic. The traffic is encrypted all the way to the instance. The instances between themselves are HTTP.
+
+Additionally you can configure end-to-end encryption between the EC2 instances if you have strict security requirements.
+
+.
diff --git a/documentation/steps.todo b/documentation/steps.todo
index 26d524e..a58d6fc 100644
--- a/documentation/steps.todo
+++ b/documentation/steps.todo
@@ -4,6 +4,9 @@ Connecting external DB:
 RDS Config:
   ☐ Try using `associate_security_group_ids` and creating a security group to allow all incoming traffic to the RDS instance.
 
+Email:
+  ☐ Add `strapi-provider-email-amazon-ses` and configure.
+
 Deployments:
   One:
     ✔ Create S3 bucket for strapi s3. @done (7/29/2020, 2:07:55 PM)
diff --git a/infrastructure/main.tf b/infrastructure/main.tf
index bdee806..9844fd7 100644
--- a/infrastructure/main.tf
+++ b/infrastructure/main.tf
@@ -13,13 +13,6 @@ locals {
   }
 }
 
-# Name
-
-module "name" {
-  source = "git::"
-
-}
-
 # Network
 
 module "vpc" {
@@ -54,7 +47,7 @@ resource "aws_security_group" "ec2_security_group" {
     from_port = 80
     to_port = 80
     protocol = "tcp"
-    cidr_blocks = [module.vpc.vpc_cidr_block]
+    cidr_blocks = ["0.0.0.0/0"]
   }
 
   ingress {
@@ -62,7 +55,15 @@ resource "aws_security_group" "ec2_security_group" {
     from_port = 443
     to_port = 443
     protocol = "tcp"
-    cidr_blocks = [module.vpc.vpc_cidr_block]
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    description = "Outbound to all"
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
   }
 }
 
@@ -73,16 +74,16 @@ module "rds_instance" {
   stage = var.stage
   name = var.name
 
-  allocated_storage = 5
-  database_name = "postgres"
-  database_user = "mainuser"
-  database_password = "password"
-  database_port = 5432
-  db_parameter_group = "postgres12"
-  engine = "postgres"
-  engine_version = "12.3"
-  instance_class = "db.t2.micro"
-  # security_group_ids =
+  allocated_storage = 5
+  database_name = "postgres"
+  database_user = "mainuser"
+  database_password = "password"
+  database_port = 5432
+  db_parameter_group = "postgres12"
+  engine = "postgres"
+  engine_version = "12.3"
+  instance_class = "db.t2.micro"
+  security_group_ids = [aws_security_group.ec2_security_group.id]
   subnet_ids = module.subnets.public_subnet_ids
   vpc_id = module.vpc.vpc_id
   publicly_accessible = true
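Review bot: Widening the port-80 ingress from `module.vpc.vpc_cidr_block` to `0.0.0.0/0` makes the instances a direct public endpoint, which is only warranted for the single-instance mode the notes describe; in the load-balanced mode the instances should admit traffic solely from the load balancer's security group, otherwise clients can bypass whatever TLS termination or filtering the ELB provides. If load balancing is the target, replace the CIDR with `security_groups = [<elb security group id>]` on this rule (and the 443 rule below). If single-instance is intended, say so on the rule, e.g. `# single-instance EB: no ELB in front, the instance is the public endpoint`, so the next reader does not "fix" it back. The `aws_security_group.ec2_security_group` resource starts outside the hunk.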
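Review bot: The group this hunk completes has only the 80 and 443 ingress rules visible, yet the same commit attaches it to the RDS instance; membership in a shared group does not permit traffic between members, so unless a self-referencing or 5432 rule exists above this hunk the application instances cannot reach Postgres through this group at all. If the intent is one shared group, it needs `ingress { from_port = 5432 to_port = 5432 protocol = "tcp" self = true }`, though a dedicated DB group is the cleaner design. The new unrestricted egress block (`protocol = "-1"`, `0.0.0.0/0`) merely restates the AWS default, but once written explicitly it reads as intent and deserves a comment saying it is deliberate, or a narrowing to 443 plus 5432 toward the DB group if the app needs nothing else outbound. The resource starts outside the hunk.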
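Review bot: The re-aligned lines keep `database_password = "password"` as a plaintext literal in version control, and the same hunk sets `security_group_ids = [aws_security_group.ec2_security_group.id]` on an instance that is `publicly_accessible = true` in `module.subnets.public_subnet_ids`; that is a public Postgres endpoint with a guessable password, currently shielded only by the shared group lacking a 5432 rule, which the steps.todo entry in this same commit plans to add "to allow all incoming traffic". The password should come from a `sensitive = true` variable (or `random_password`) with the value held in a secrets store, the database should get its own security group that admits 5432 only from the EC2 group, and it should live in private subnets with `publicly_accessible = false`. The sketch below assumes the subnets module also exports `private_subnet_ids` and that `var.database_password` is declared in `variables.tf`; both need confirming. The `rds_instance` module block starts and ends outside the hunk.
```hcl
# … unchanged: source / stage / name / allocated_storage … instance_class …
  database_password   = var.database_password # declared `sensitive = true`; supplied via TF_VAR_ or a secrets store, never a literal
  security_group_ids  = [aws_security_group.rds_security_group.id]
  subnet_ids          = module.subnets.private_subnet_ids # verify the subnets module exports this
  vpc_id              = module.vpc.vpc_id
  publicly_accessible = false
# … unchanged: rest of module "rds_instance" …

# Dedicated DB security group: only the application tier may reach Postgres.
resource "aws_security_group" "rds_security_group" {
  name   = "${var.stage}-${var.name}-rds"
  vpc_id = module.vpc.vpc_id

  ingress {
    description     = "Postgres from the EC2 application instances"
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.ec2_security_group.id]
  }
}
```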
@@ -92,7 +93,7 @@ module "rds_instance" {
 
 # S3 bucket
 resource "aws_s3_bucket" "static_assets" {
-  bucket = "${var.stage}-${var.name}-strapi_uploads"
+  bucket = "${var.stage}-${var.name}-strapi-uploads"
   acl = "private"
   tags = local.tags
 }
diff --git a/infrastructure/outputs.tf b/infrastructure/outputs.tf
index b9d4017..5825363 100644
--- a/infrastructure/outputs.tf
+++ b/infrastructure/outputs.tf
@@ -1,12 +1,17 @@
-
-
 # S3
-output "s3_static_assets" {
-  value = "resource.aws_s3_bucket.static_assets.id"
+output "s3_static_assets_id" {
+  value = resource.aws_s3_bucket.static_assets.id
   description = "Name of the static assets S3 bucket."
 }
 
-output "s3_static_assets" {
-  value = "resource.aws_s3_bucket.static_assets.arn"
+output "s3_static_assets_arn" {
+  value = resource.aws_s3_bucket.static_assets.arn
   description = "ARN of the static assets S3 bucket."
 }
+
+# Security groups
+
+output "aws_security_group_ec2_security_group" {
+  value = aws_security_group.ec2_security_group.id
+  description = "Security group for the EC2 instances applied by the Elastic Scaler."
+}
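Review bot: The two S3 outputs reference the bucket through the `resource.` address prefix (`resource.aws_s3_bucket.static_assets.id`) while the new security-group output in the same hunk uses the plain form `aws_security_group.ec2_security_group.id`; the plain form is accepted by every Terraform version and is what the rest of the file uses, so `value = aws_s3_bucket.static_assets.id` and `value = aws_s3_bucket.static_assets.arn` are the safer, consistent choice unless a type-name clash forces the prefix. The description "applied by the Elastic Scaler" is also imprecise: the ID is consumed by the `.ebextensions` `aws:autoscaling:launchconfiguration` option and, as of this commit, the same group is attached to the RDS instance, so `description = "Security group attached via the EB launch configuration and (currently) shared with the RDS instance."` would tell a reader what the output actually feeds.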