Single instance, external DB

eb create --single

.ebextensions/07-custom-vpc.config

@@ -5,8 +5,8 @@ option_settings:
   #     Subnets: "subnet-0b17872a2b9315fad,subnet-0342e8a0a77b30e23,subnet-0eacb84d238279a58"
   #     DBSubnets: "subnet-0b17872a2b9315fad,subnet-0342e8a0a77b30e23,subnet-0eacb84d238279a58"
   #     ELBSubnets: "subnet-0b17872a2b9315fad,subnet-0342e8a0a77b30e23,subnet-0eacb84d238279a58"
-  #   aws:autoscaling:launchconfiguration:
-  #     SecurityGroups: sg-07a97fc88ba143f26
+  aws:autoscaling:launchconfiguration:
+    SecurityGroups: sg-07a97fc88ba143f26
   #   aws:elbv2:loadbalancer:
   #     ManagedSecurityGroup: sg-0e6f91df2ed07050a
   #     SecurityGroups: sg-0e6f91df2ed07050a

documentation/running_notes.md

@@ -40,3 +40,41 @@ VPC terraform will create
 - You create subnets for a VPC. These subnets will be split evenly across availability zones (for redundancy) and private/local (whether they have internet access or not).
 - Behind the scenes (if using TF), internet gateway, routing tables, attachments will all be created for you. If using CF you will need to create these yourself.
 - A security group is a firewall that is _attached to an EC2 instance_. A security group belongs to a VPC. You can permit instances to talk to each other by setting the source and destination to be the security group itself. You can control ports/ips exactly on an instance basis using security groups.
+
+## HTTPS
+
+### Single instance
+
+As it terminates on the Ec2 instance itself, you need to ammend the nginx config locally. This is specific for each application you are deploying.
+
+<https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-singleinstance-nodejs.html>.
+
+You need to generate a certificate locally.
+
+`pip install certbot`
+
+`sudo certbot certonly --manual --preferred-challenges=dns --email dtomlinson@panaetius.co.uk --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d "*.panaetius.co.uk"`
+
+### Load balanced
+
+You have two options:
+
+1. Terminate on the load balancer (easiest).
+
+<https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html>.
+
+You can use AWS Certificate manager to generate your SSL cert, or you can upload your own.
+
+Use a .config file as documented above and EB will handle the rest.
+
+2. Pass through to the instance.
+
+<https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-tcp-passthrough.html>.
+
+If you do this you need to set up termination on the EC2 instances using the config for a single instance above.
+
+You can TCP pass through without the load balancer decrypting the traffic. The traffic is encrypted all the way to the instance. The instances between themselves are HTTP.
+
+Additionally you can configure end-to-end encryption between the EC2 instances if you have strict security requirements.
+
+<https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-endtoend.html>.

documentation/steps.todo

@@ -4,6 +4,9 @@ Connecting external DB:
 RDS Config:
     ☐ Try using `associate_security_group_ids` and creating a security group to allow all incoming traffic to the RDS instance.
 
+Email:
+    ☐ Add `strapi-provider-email-amazon-ses` and configure.
+
 Deployments:
     One:
         ✔ Create S3 bucket for strapi s3. @done (7/29/2020, 2:07:55 PM)

infrastructure/main.tf

@@ -13,13 +13,6 @@ locals {
   }
 }
 
-# Name
-
-module "name" {
-  source = "git::"
-
-}
-
 # Network
 
 module "vpc" {
@@ -54,7 +47,7 @@ resource "aws_security_group" "ec2_security_group" {
     from_port   = 80
     to_port     = 80
     protocol    = "tcp"
-    cidr_blocks = [module.vpc.vpc_cidr_block]
+    cidr_blocks = ["0.0.0.0/0"]
   }
 
   ingress {
@@ -62,7 +55,15 @@ resource "aws_security_group" "ec2_security_group" {
     from_port   = 443
     to_port     = 443
     protocol    = "tcp"
-    cidr_blocks = [module.vpc.vpc_cidr_block]
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    description = "Outbound to all"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
   }
 }
 
@@ -73,16 +74,16 @@ module "rds_instance" {
   stage  = var.stage
   name   = var.name
 
-  allocated_storage  = 5
-  database_name      = "postgres"
-  database_user      = "mainuser"
-  database_password  = "password"
-  database_port      = 5432
-  db_parameter_group = "postgres12"
-  engine             = "postgres"
-  engine_version     = "12.3"
-  instance_class     = "db.t2.micro"
-  # security_group_ids	=
+  allocated_storage   = 5
+  database_name       = "postgres"
+  database_user       = "mainuser"
+  database_password   = "password"
+  database_port       = 5432
+  db_parameter_group  = "postgres12"
+  engine              = "postgres"
+  engine_version      = "12.3"
+  instance_class      = "db.t2.micro"
+  security_group_ids  = [aws_security_group.ec2_security_group.id]
   subnet_ids          = module.subnets.public_subnet_ids
   vpc_id              = module.vpc.vpc_id
   publicly_accessible = true
@@ -92,7 +93,7 @@ module "rds_instance" {
 # S3 bucket
 
 resource "aws_s3_bucket" "static_assets" {
-  bucket = "${var.stage}-${var.name}-strapi_uploads"
+  bucket = "${var.stage}-${var.name}-strapi-uploads"
   acl    = "private"
   tags   = local.tags
 }

infrastructure/outputs.tf

@@ -1,12 +1,17 @@
-
-
 # S3
-output "s3_static_assets" {
-  value       = "resource.aws_s3_bucket.static_assets.id"
+output "s3_static_assets_id" {
+  value       = resource.aws_s3_bucket.static_assets.id
   description = "Name of the static assets S3 bucket."
 }
 
-output "s3_static_assets" {
-  value       = "resource.aws_s3_bucket.static_assets.arn"
+output "s3_static_assets_arn" {
+  value       = resource.aws_s3_bucket.static_assets.arn
   description = "ARN of the static assets S3 bucket."
 }
+
+# Security groups
+
+output "aws_security_group_ec2_security_group" {
+  value       = aws_security_group.ec2_security_group.id
+  description = "Security group for the EC2 instances applied by the Elastic Scaler."
+}