strapi-elb/tempnotes.md

<!-- vscode-markdown-toc -->

- [Decoupling](#Decoupling)
- [Creating Database + VPC + Subnets in Cloudformation](#CreatingDatabaseVPCSubnetsinCloudformation)
- [Single instance (no load balancer)](#Singleinstancenoloadbalancer)
  _ [EC2::VPC](#EC2::VPC)
  _ [Enable DNS](#EnableDNS)
  _ [EC2::Subnet](#EC2::Subnet)
  _ [EC2::InternetGateway](#EC2::InternetGateway)
  _ [EC2::VPCGatewayAttachment](#EC2::VPCGatewayAttachment)
  _ [AWS::EC2::RouteTable](#AWS::EC2::RouteTable)
  _ [AWS::EC2::Route](#AWS::EC2::Route)
  _ [AWS::EC2::SubnetRouteTableAssociation](#AWS::EC2::SubnetRouteTableAssociation)
- [Running notes](#Runningnotes)
- [Reference an input parameter, or a resource ID from inside current template](#ReferenceaninputparameteroraresourceIDfrominsidecurrenttemplate) \* [Using `Fn::Sub`](#UsingFn::Sub)
- [Dynamically referencing resources from another stack.](#Dynamicallyreferencingresourcesfromanotherstack.)

<!-- vscode-markdown-toc-config
	numbering=false
	autoSave=true
	/vscode-markdown-toc-config -->
<!-- /vscode-markdown-toc -->

# Temp Notes

## <a name='Decoupling'></a>Decoupling

When creating an ELB instance with `--single` and `--database` the following is created as part of the ELB deployment:

- security group
- EIP
- RDS database

Is the security group created without a databse? (probably yes...)

## <a name='CreatingDatabaseVPCSubnetsinCloudformation'></a>Creating Database + VPC + Subnets in Cloudformation

Template from AWS showing cross-stack referencing and creating and referencing a VPC: <https://s3.amazonaws.com/cloudformation-examples/user-guide/cross-stack/SampleNetworkCrossStack.template>.

Export these in the CF template with stackname (<https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html>)

A security group is a resource that defines what IPs/Ports are allowed on inbound/outbound for an AWS resource. You can have one for EC2 instance, or RDS among others.

ELB will create a VPC for your EC2 instances.

You should use this VPC for you RDS instance.

Creating a VPC for ELB (with RDS) <https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc-rds.html>

## <a name='Singleinstancenoloadbalancer'></a>Single instance (no load balancer)

Example cloudformation template that ELB uses: <https://raw.githubusercontent.com/awslabs/elastic-beanstalk-samples/master/cfn-templates/vpc-public.yaml>.

Create a VPC - this is an object that spans all availability zones in a region. You assign a VPC a CIDR block. This is a set of IP addresses that this VPC has access to.

You should create public subnets inside this VPC - these subnets should cover all availablility zones in your region. The CIDR block you specified in the VPC defines all the ips, you should create N subnets that equally contain these IP addresses for your region.

For example a VPC in `eu-west-1` has a CIDR block of `172.31.0.0/16`.

There are 3 availablity zones in `eu-west-1`: `eu-west-1a`, `eu-west-1b` and `eu-west-1c`.

To find other availablity zones you should go to the EC2 Dashboard for the region you want to work in, and scroll down to the Service health header. Here, a list of all availability zones will be shown.

You should create subnets with the following:

| Availability Zone | Subnet CIDR    | Real IP Range               |
| ----------------- | -------------- | --------------------------- |
| `eu-west-1a`      | 172.31.0.0/20  | 172.31.0.0 - 172.31.15.255  |
| `eu-west-1b`      | 172.31.16.0/20 | 172.31.16.0 - 172.31.31.255 |
| `eu-west-1c`      | 172.31.32.0/20 | 172.31.32.0 - 172.31.47.255 |

This covers all IP addresses across all availability zones in the VPC.

To make these subnets actually public, you should associate them with an internet gateway.

An internet gateway is an object that allows communication to the internet. In Cloudformation you should create an internet gateway and a VPC Gateway attachment. This attachment should reference the VPC you have created and reference the internet gateway object you create as well. Then, in your subnets (which are public) you can use `MapPublicIpOnLaunch: true` in the `Properties` block for each subnet.

You should then create a public route table and associate it with the VPC you have created.

You should then create a public route. You can then attach the internet gateway attachment to this route and specify a list of IPs that will go out to the internet. To allow all trafic to the internet set a `DestinationCidrBlock` of `0.0.0.0/0`.

### <a name='EC2::VPC'></a>EC2::VPC

#### <a name='EnableDNS'></a>Enable DNS

Enable `EnableDnsHostnames` + `EnableDnsSupport` - this allows resources in the VPC to use DNS in AWS.

### <a name='EC2::Subnet'></a>EC2::Subnet

Go to the EC2 dashboard to find all availability zones. Create a subnet for each zone.

- `AvailabilityZone`
- `VpcId`
- `CidrBlock`
- `MapPublicIpOnLaunch`

### <a name='EC2::InternetGateway'></a>EC2::InternetGateway

### <a name='EC2::VPCGatewayAttachment'></a>EC2::VPCGatewayAttachment

- `VpcId`
- `InternetGatewayId`

### <a name='AWS::EC2::RouteTable'></a>AWS::EC2::RouteTable

- `VpcId`

### <a name='AWS::EC2::Route'></a>AWS::EC2::Route

- `RouteTableId`
- `DestinationCidrBlock`
- `GatewayId`

### <a name='AWS::EC2::SubnetRouteTableAssociation'></a>AWS::EC2::SubnetRouteTableAssociation

- `SubnetId`
- `RouteTableId`

## <a name='Runningnotes'></a>Running notes

If we specify the VPC + Subnets from Cloudformation in a config file, will it create the security groups automatically for the EC2 instances? - Yes

Database can use existing subnets.
Database needs a security group creating
EC2 security groups automatically created and associated with the VPC.
Use aws:ec2:vpc (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-ec2vpc)

### Database

Needs:

- `AWS::RDS::DBSubnetGroup`
- `AWS::EC2::SecurityGroupIngress`
- `AWS::RDS::DBInstance`

Default ports:

| Database Engine      | Default Port |
| -------------------- | ------------ |
| Aurora/MySQL/MariaDB | 3306         |
| PostgreSQL           | 5432         |
| Oracle               | 1521         |
| SQL Server           | 1433         |
| DynamoDB             | 8000         |

## Work Commands

### tags

`--tags git=web-dev owner=home project=strapi-elb test=true deployment=cloudformation`

### deploy

`aws --profile admin cloudformation deploy --template-file ./02-stack-vpc.yaml --stack-name strapi-vpc --taws:elbv2:listener:defaultags git=web-dev owner=home project=strapi-elb test=true deployment=cloudformation`

`aws --profile admin cloudformation deploy --template-file ./03-stack-rdsinstance.yaml --stack-name strapi-rds --parameter-overrides StackName=strapi-vpc --tags git=web-dev owner=home project=strapi-elb test=true deployment=cloudformation`

### delete

`aws --profile admin cloudformation delete-stack --stack-name strapi-vpc`

`aws --profile admin cloudformation delete-stack --stack-name strapi-rds`

`aws --profile admin cloudformation delete-stack --stack-name temp`

List of all RDS Engines available under "Engine" header: <https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html>.

### describe-stack-resources

Will print a json list of all resources in the stack

`aws --profile admin cloudformation describe-stack-resources --stack-name strapi-vpc`

Using `jq` for formatting:

`aws --profile admin cloudformation describe-stack-resources --stack-name strapi-vpc | jq -r '.StackResources[] | .ResourceType + ": " + .PhysicalResourceId'`

## Adding SSL to ELB

### With load balancer

- Generate the SSL cert in Certificate Manager for your domain
- Configure the load balancer listener

Good repo for examples: <https://github.com/awsdocs/elastic-beanstalk-samples>

Doc:
Add the ELB subnets to the VPC config

Create another custom security group for the EC2 instance - should be private
autoscaling should have current public security group

Load balancer should have the current subnets

Loadbalancer security group should have inbound + outbound to 80+443 on 0.0.0.0/0

The option_settings: aws:elbv2:loadbalancer has two options for security groups

ManagedSecurityGroup - defines the security group that is used for the load balancer itself.
SecurityGroups - is a list of additional security groups you want to attach.

If you define a ManagedSecurityGroup you should set SecurityGroups as well to the same one.

Load balancer needs a security group that allows incoming 80 + 443 from anywhere
It should also set the same for outbound as well

This security group should be set in `aws:elbv2:loadbalancer` under
`ManagedSecurityGroup` and `SecurityGroups`

Additional security groups (in addition to the default one created by ELB) for the EC2 instances are defined in `aws:autoscaling:launchconfiguration` under `SecurityGroups`
A security group will be created for you. You can ammend this (add 443 for https for example) by using `.config` file and creating a `AWS::EC2::SecurityGroupIngress` resource. (see 06-https.config)

Security group rule to allow instances in the same security group to talk to one another: <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html#sg-rules-other-instances>.

LB SG: inbound/outbound 80/443 0.0.0.0/0
Scaling SG: inbound 80/443 from LBSG
DB SG: inbound 5432 from Scaling SG + home ip