adding latest documentation from loadbalanced branch
This commit is contained in:
96
tempnotes.md
96
tempnotes.md
@@ -1,35 +1,33 @@
|
||||
<!-- vscode-markdown-toc -->
|
||||
* [Decoupling](#Decoupling)
|
||||
* [Creating Database + VPC + Subnets in Cloudformation](#CreatingDatabaseVPCSubnetsinCloudformation)
|
||||
* [Single instance (no load balancer)](#Singleinstancenoloadbalancer)
|
||||
* [EC2::VPC](#EC2::VPC)
|
||||
* [Enable DNS](#EnableDNS)
|
||||
* [EC2::Subnet](#EC2::Subnet)
|
||||
* [EC2::InternetGateway](#EC2::InternetGateway)
|
||||
* [EC2::VPCGatewayAttachment](#EC2::VPCGatewayAttachment)
|
||||
* [AWS::EC2::RouteTable](#AWS::EC2::RouteTable)
|
||||
* [AWS::EC2::Route](#AWS::EC2::Route)
|
||||
* [AWS::EC2::SubnetRouteTableAssociation](#AWS::EC2::SubnetRouteTableAssociation)
|
||||
* [Running notes](#Runningnotes)
|
||||
* [Database](#Database)
|
||||
* [Work Commands](#WorkCommands)
|
||||
* [tags](#tags)
|
||||
* [deploy](#deploy)
|
||||
* [delete](#delete)
|
||||
* [describe-stack-resources](#describe-stack-resources)
|
||||
* [Adding SSL to ELB](#AddingSSLtoELB)
|
||||
* [With load balancer](#Withloadbalancer)
|
||||
* [EB Templates/Resources](#EBTemplatesResources)
|
||||
* [Configuring security groups](#Configuringsecuritygroups)
|
||||
* [Elastic Load Balancer](#ElasticLoadBalancer)
|
||||
* [Elastic Scaler](#ElasticScaler)
|
||||
* [RDS](#RDS)
|
||||
* [Security group to allow EC2 instances to talk to each other](#SecuritygrouptoallowEC2instancestotalktoeachother)
|
||||
* [Custom VPC + Subnets in EB](#CustomVPCSubnetsinEB)
|
||||
* [Using cloudformation functions in EB config files](#UsingcloudformationfunctionsinEBconfigfiles)
|
||||
* [Creating a read replica RDS](#CreatingareadreplicaRDS)
|
||||
* [Multiple security groups on the same resource](#Multiplesecuritygroupsonthesameresource)
|
||||
* [Private subnets](#Privatesubnets)
|
||||
|
||||
- [Decoupling](#Decoupling)
|
||||
- [Creating Database + VPC + Subnets in Cloudformation](#CreatingDatabaseVPCSubnetsinCloudformation)
|
||||
- [Single instance (no load balancer)](#Singleinstancenoloadbalancer)
|
||||
_ [EC2::VPC](#EC2::VPC)
|
||||
_ [Enable DNS](#EnableDNS)
|
||||
_ [EC2::Subnet](#EC2::Subnet)
|
||||
_ [EC2::InternetGateway](#EC2::InternetGateway)
|
||||
_ [EC2::VPCGatewayAttachment](#EC2::VPCGatewayAttachment)
|
||||
_ [AWS::EC2::RouteTable](#AWS::EC2::RouteTable)
|
||||
_ [AWS::EC2::Route](#AWS::EC2::Route)
|
||||
_ [AWS::EC2::SubnetRouteTableAssociation](#AWS::EC2::SubnetRouteTableAssociation)
|
||||
- [Running notes](#Runningnotes) \* [Database](#Database)
|
||||
- [Work Commands](#WorkCommands)
|
||||
_ [tags](#tags)
|
||||
_ [deploy](#deploy)
|
||||
_ [delete](#delete)
|
||||
_ [describe-stack-resources](#describe-stack-resources)
|
||||
- [Adding SSL to ELB](#AddingSSLtoELB) \* [With load balancer](#Withloadbalancer)
|
||||
- [EB Templates/Resources](#EBTemplatesResources)
|
||||
- [Configuring security groups](#Configuringsecuritygroups)
|
||||
- [Elastic Load Balancer](#ElasticLoadBalancer)
|
||||
_ [Elastic Scaler](#ElasticScaler)
|
||||
_ [RDS](#RDS) \* [Security group to allow EC2 instances to talk to each other](#SecuritygrouptoallowEC2instancestotalktoeachother)
|
||||
- [Custom VPC + Subnets in EB](#CustomVPCSubnetsinEB)
|
||||
- [Using cloudformation functions in EB config files](#UsingcloudformationfunctionsinEBconfigfiles)
|
||||
- [Creating a read replica RDS](#CreatingareadreplicaRDS)
|
||||
- [Multiple security groups on the same resource](#Multiplesecuritygroupsonthesameresource)
|
||||
- [Private subnets](#Privatesubnets)
|
||||
|
||||
<!-- vscode-markdown-toc-config
|
||||
numbering=false
|
||||
@@ -304,3 +302,39 @@ If you use private subnets, the nat gateway is not cheap - £30 a month.
|
||||
You dont need the nat gateway, you can achieve the same thing with security groups (block all incoming) (explained <https://www.reddit.com/r/aws/comments/75bjei/private_subnets_nats_vs_simply_only_allowing/>).
|
||||
|
||||
An advantage to NAT is all outgoing requests to the internet come from a single IP.
|
||||
|
||||
## Using certbot CLI to generate SSL
|
||||
|
||||
### Wildcard certificate
|
||||
|
||||
In a new virtualenv install certbot:
|
||||
|
||||
```bash
|
||||
pip install certbot
|
||||
```
|
||||
|
||||
Run the `certbot` command:
|
||||
|
||||
```bash
|
||||
sudo certbot certonly --manual --preferred-challenges=dns --email dtomlinson@panaetius.co.uk --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d "*.panaetius.co.uk"
|
||||
```
|
||||
|
||||
Follow the instructions to add a `TXT` record to your DNS server for validation.
|
||||
|
||||
When finished you should see:
|
||||
|
||||
```markdown
|
||||
- Congratulations! Your certificate and chain have been saved at:
|
||||
/etc/letsencrypt/live/panaetius.co.uk/fullchain.pem
|
||||
Your key file has been saved at:
|
||||
/etc/letsencrypt/live/panaetius.co.uk/privkey.pem
|
||||
Your cert will expire on 2020-08-01. To obtain a new or tweaked
|
||||
version of this certificate in the future, simply run certbot
|
||||
again. To non-interactively renew _all_ of your certificates, run
|
||||
"certbot renew"
|
||||
- Your account credentials have been saved in your Certbot
|
||||
configuration directory at /etc/letsencrypt. You should make a
|
||||
secure backup of this folder now. This configuration directory will
|
||||
also contain certificates and private keys obtained by Certbot so
|
||||
making regular backups of this folder is ideal.
|
||||
```
|
||||
|
||||
53
todo.md
53
todo.md
@@ -5,7 +5,9 @@
|
||||
Merge the CF templates into one, make sure all the importing and other snippets are documented.
|
||||
|
||||
- Create single instance deployment + https (document)
|
||||
- Terraform it all up
|
||||
- For https: use letsencrypt to generate ssl, configure the eb config to use this.
|
||||
- Final git branch for each version of the app (load balanced https/http, single http/https).
|
||||
- Terraform it all up (excluding single + https).
|
||||
|
||||
## Long term
|
||||
|
||||
@@ -17,3 +19,52 @@ Cloudformation template to deploy an S3 bucket
|
||||
## Documentation
|
||||
|
||||
Summarise the flow -> VPC, internet gateway, attachment + route tables, subnets etc. Mention the nat gateway but show how it can be replaced with security groups. Document each individual resource needed bullet point and link to the git repo for the TF/CF templates.
|
||||
|
||||
## Running Notes
|
||||
|
||||
Various deployments:
|
||||
|
||||
- Single instance with EBCLI
|
||||
- Load balanced with EBCLI
|
||||
|
||||
- Single instance with terraform
|
||||
- Load balanced with terraform
|
||||
|
||||
HTTP + HTTPS
|
||||
|
||||
Single instance with terraform isn't possible with HTTPS - this is because you can't edit `Resources` or `Files` (and the other advanced EB configs). A workaround would be to create a docker image.
|
||||
|
||||
Single instance with EBCLI isn't possible with HTTPS if you're using Certificate Manager to generate the certificates - this is because you need to edit the nginx proxy config locally on the instance to allow https. You don't have access to the private certificate with Cerficiate Manager.
|
||||
One solution would be to generate your SSL using letsencrypt - then configure the instance with this.
|
||||
|
||||
Another solution would be to use Docker and build a custom image. In this image you could install and configure nginx, (using lets encrypt as multistage build to get your certificate).
|
||||
|
||||
HTTPS for load balanced environment just requires pointing a domain to the EB endpoint. You can tell the load balancer to forward 443 in the security group without using it.
|
||||
|
||||
For final deployment - use an EC2 instance (deploy with TF).
|
||||
|
||||
### Other
|
||||
|
||||
Work:
|
||||
Can we use APIGateway + Fargate to run an API containerised?
|
||||
|
||||
Fargate documentation: <https://aws.amazon.com/fargate/>.
|
||||
Fargate option in ECS terraform: <https://www.terraform.io/docs/providers/aws/r/ecs_service.html#launch_type>.
|
||||
Lambda vs Fargate differences: <https://www.learnaws.org/2019/09/14/deep-dive-aws-fargate/>.
|
||||
Fargate vs EC2 pricing: <https://www.reddit.com/r/aws/comments/8reem9/fargate_t2small_cost_comparison_dollar_to_dollar/>.
|
||||
Reddit thread on using API Gateway + Fargate: <https://www.reddit.com/r/aws/comments/bgqz4g/can_api_gateway_route_to_a_container_in_fargate/>.
|
||||
Using API Gateway + Private endpoints (in a VPC): <https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/>.
|
||||
|
||||
Fargate is just running containers serverless - but it isn't a direct replacement to lambda. The spin up times can be long, but if you need to run a task on a schedule and this doesn't matter, you can save money and time as you don't need to manage and run an EC2 instance for docker containers. It's not ideal for tasks that need to be running 24/7.
|
||||
|
||||
Have a seperate repos for Terraform + Ansible. Split them inside by project. One central place for all TF and Ansible will make things easier to reference from later.
|
||||
|
||||
Generate SSH keys for EC2.
|
||||
Provision EC2 using TF - set SG to allow SSH from your IP.
|
||||
Configure EC2 with an Ansible playbook.
|
||||
|
||||
## Single options
|
||||
|
||||
- Dockerise it + run on EC2/ECS/Fargate
|
||||
- Use EBCLI + Config options for https. Generate SSL using lets encrypt.
|
||||
Using certbot with docker: <https://certbot.eff.org/docs/install.html#running-with-docker>
|
||||
|
||||
Reference in New Issue
Block a user