Modified basic example to make a secrets management PoC

aws · Aug 23, 2021 · f99d4e3 · f99d4e3
1 parent 48baa18
commit f99d4e3
Show file tree

Hide file tree

Showing 14 changed files with 471 additions and 123 deletions.
diff --git a/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/.gitignore b/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/.gitignore
@@ -17,4 +17,6 @@ dist
 !license-header.js
 
 # The staged files for Deadline
-stage
+stage
+
+installers
diff --git a/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/bin/app.ts b/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/bin/app.ts
@@ -5,9 +5,20 @@
  */
 
 import 'source-map-support/register';
-import { config } from './config';
+
+import {
+  InstanceClass,
+  InstanceSize,
+  InstanceType,
+  MachineImage,
+} from '@aws-cdk/aws-ec2';
 import * as cdk from '@aws-cdk/core';
+
+import { config } from './config';
+
+import { ComputeTier } from '../lib/compute-tier';
 import { NetworkTier } from '../lib/network-tier';
+import { SecurityTier } from '../lib/security-tier';
 import {
   ServiceTier,
 } from '../lib/service-tier';
@@ -16,14 +27,9 @@ import {
   StorageTierDocDB,
   StorageTierMongoDB,
 } from '../lib/storage-tier';
-import { SecurityTier } from '../lib/security-tier';
-import {
-  InstanceClass,
-  InstanceSize,
-  InstanceType,
-  MachineImage,
-} from '@aws-cdk/aws-ec2';
-import { ComputeTier } from '../lib/compute-tier';
+import { SSMInstancePolicyAspect } from '../lib/ssm-policy-aspect';
+import { WorkstationTier } from '../lib/workstation-tier';
+
 
   // ------------------------------ //
   // --- Validate Config Values --- //
@@ -119,7 +125,19 @@ new ComputeTier(app, 'ComputeTier', {
   vpc: network.vpc,
   renderQueue: service.renderQueue,
   workerMachineImage: MachineImage.genericLinux(config.deadlineClientLinuxAmiMap),
-  keyPairName: config.keyPairName ? config.keyPairName : undefined,
+  keyPairName: config.keyPairName,
   usageBasedLicensing: service.ublLicensing,
   licenses: config.ublLicenses,
 });
+
+new WorkstationTier(app, 'WorkstationTier', {
+  env,
+  vpc: network.vpc,
+  renderQueue: service.renderQueue,
+  keyPairName: config.keyPairName,
+  deadlineInstallerBucketName: config.deadlineInstallerBucketName,
+  deadlineInstallerObjectNameLinux: config.deadlineInstallerObjectNameLinux,
+  deadlineInstallerObjectNameWindows: config.deadlineInstallerObjectNameWindows,
+});
+
+cdk.Aspects.of(app).add(new SSMInstancePolicyAspect());
diff --git a/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/bin/config.ts b/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/bin/config.ts
@@ -21,7 +21,7 @@ class AppConfig {
    *
    * See https://www.awsthinkbox.com/end-user-license-agreement for the terms of the agreement.
    */
-  public readonly acceptAwsThinkboxEula: AwsThinkboxEulaAcceptance = AwsThinkboxEulaAcceptance.USER_REJECTS_AWS_THINKBOX_EULA;
+  public readonly acceptAwsThinkboxEula: AwsThinkboxEulaAcceptance = AwsThinkboxEulaAcceptance.USER_ACCEPTS_AWS_THINKBOX_EULA;
 
   /**
    * Fill this in if you want to receive alarm emails when:
@@ -38,29 +38,33 @@ class AppConfig {
    * "10.1.12"
    * @default The latest available version of Deadline is used
    */
-  public readonly deadlineVersion?: string;
+  public readonly deadlineVersion?: string = '10.1.17.4';
 
   /**
-   * A map of regions to Deadline Client Linux AMIs. As an example, the Linux Deadline 10.1.15.2 AMI ID from us-west-2
-   * is filled in. It can be used as-is, added to, or replaced. Ideally the version here should match the version of
-   * Deadline used in any connected Deadline constructs.
+   * A map of regions to Deadline Client Linux AMIs. Currently using:
+   *   Deadline Worker Base Image Linux 2 10.1.17.4 with Houdini 18.0.287 and Mantra 18.0.287 2021-06-30T073302Z
    */
-  public readonly deadlineClientLinuxAmiMap: Record<string, string> = {['us-west-2']: 'ami-0c8431fc72742c110'};
+  public readonly deadlineClientLinuxAmiMap: Record<string, string> = {['us-west-2']: 'ami-01bedc3d422729a29'};
 
   /**
    * (Optional) A secret (in binary form) in SecretsManager that stores the UBL certificates in a .zip file.
    */
-  public readonly ublCertificatesSecretArn?: string;
+  // public readonly ublCertificatesSecretArn?: string = 'arn:aws:secretsmanager:us-west-2:#:secret:Certificates-#';
+  public readonly ublCertificatesSecretArn?: string = 'arn:aws:secretsmanager:us-west-2:#:secret:UBLCertificates-#';
 
   /**
    * (Optional) The UBL licenses to use.
    */
-  public readonly ublLicenses?: UsageBasedLicense[];
+  public readonly ublLicenses?: UsageBasedLicense[] = [ UsageBasedLicense.forHoudini(), UsageBasedLicense.forMantra() ];
+
+  public readonly deadlineInstallerBucketName: string = 'rfdk-secrets-management-deadline-installers';
+  public readonly deadlineInstallerObjectNameLinux: string = 'DeadlineClient-rev.10.1.18.2.31.g1ac1c7077-linux-x64-installer_rfdk-sm-1.run';
+  public readonly deadlineInstallerObjectNameWindows: string = 'DeadlineClient-rev.10.1.18.2.31.g1ac1c7077-windows-installer_rfdk-sm-1.exe';
 
   /**
    * (Optional) The name of the EC2 keypair to associate with instances.
    */
-  public readonly keyPairName?: string;
+  public readonly keyPairName?: string = '***';
 
   /**
    * Whether to use MongoDB to back the render farm.

diff --git a/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/lib/compute-tier.ts b/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/lib/compute-tier.ts
@@ -4,17 +4,18 @@
  */
 
 import {
-  BastionHostLinux,
+  InstanceClass,
+  InstanceSize,
+  InstanceType,
   IMachineImage,
   IVpc,
-  Port,
 } from '@aws-cdk/aws-ec2';
 import * as cdk from '@aws-cdk/core';
 import {
-  IHost,
-  InstanceUserDataProvider,
+  ConfigureSpotEventPlugin,
   IRenderQueue,
   IWorkerFleet,
+  SpotEventPluginFleet,
   UsageBasedLicense,
   UsageBasedLicensing,
   WorkerInstanceFleet,
@@ -24,8 +25,6 @@ import {
   IHealthMonitor,
   SessionManagerHelper,
 } from 'aws-rfdk';
-import { Asset } from '@aws-cdk/aws-s3-assets';
-import * as path from 'path'
 
 /**
  * Properties for {@link ComputeTier}.
@@ -51,11 +50,6 @@ export interface ComputeTierProps extends cdk.StackProps {
    */
   readonly keyPairName?: string;
 
-  /**
-   * The bastion host to allow connection to Worker nodes.
-   */
-  readonly bastion?: BastionHostLinux;
-
   /**
    * Licensing source for UBL for worker nodes.
    */
@@ -67,36 +61,6 @@ export interface ComputeTierProps extends cdk.StackProps {
   readonly licenses?: UsageBasedLicense[];
 }
 
-class UserDataProvider extends InstanceUserDataProvider {
-  preCloudWatchAgent(host: IHost): void {
-    host.userData.addCommands('echo preCloudWatchAgent');
-  }
-  preRenderQueueConfiguration(host: IHost): void {
-    host.userData.addCommands('echo preRenderQueueConfiguration');
-  }
-  preWorkerConfiguration(host: IHost): void {
-    host.userData.addCommands('echo preWorkerConfiguration');
-  }
-  postWorkerLaunch(host: IHost): void {
-    host.userData.addCommands('echo postWorkerLaunch');
-    if (host.node.scope != undefined) {
-      const testScript = new Asset(
-        host.node.scope as cdk.Construct,
-        'SampleAsset',
-        {path: path.join(__dirname, '..', '..', 'scripts', 'configure_worker.sh')},
-      );
-      testScript.grantRead(host);
-      const localPath = host.userData.addS3DownloadCommand({
-        bucket: testScript.bucket,
-        bucketKey: testScript.s3ObjectKey,
-      });
-      host.userData.addExecuteFileCommand({
-        filePath: localPath,
-      })
-    }
-  }
-}
-
 /**
  * The computer tier consists of raw compute power. For a Deadline render farm,
  * this will be the fleet of Worker nodes that render Deadline jobs.
@@ -127,6 +91,9 @@ export class ComputeTier extends cdk.Stack {
       // cleanly remove everything when this stack is destroyed. If you would like to ensure
       // that this resource is not accidentally deleted, you should set this to true.
       deletionProtection: false,
+      vpcSubnets: {
+        subnetGroupName: "WorkerFleet",
+      },
     });
 
     this.workerFleet = new WorkerInstanceFleet(this, 'WorkerFleet', {
@@ -135,7 +102,9 @@ export class ComputeTier extends cdk.Stack {
       workerMachineImage: props.workerMachineImage,
       healthMonitor: this.healthMonitor,
       keyName: props.keyPairName,
-      userDataProvider: new UserDataProvider(this, 'UserDataProvider'),
+      vpcSubnets: {
+        subnetGroupName: "WorkerFleet",
+      },
     });
 
     // This is an optional feature that will set up your EC2 instances to be enabled for use with
@@ -146,10 +115,49 @@ export class ComputeTier extends cdk.Stack {
     if (props.usageBasedLicensing && props.licenses) {
       props.usageBasedLicensing.grantPortAccess(this.workerFleet, props.licenses);
     }
+    const fleet1 = new SpotEventPluginFleet(this, 'SpotEventPluginFleet1', {
+      vpc: props.vpc,
+      renderQueue: props.renderQueue,
+      deadlineGroups: [
+        'group_name1',
+      ],
+      instanceTypes: [
+        InstanceType.of(InstanceClass.T3, InstanceSize.LARGE),
+      ],
+      workerMachineImage: props.workerMachineImage,
+      maxCapacity: 5,
+      vpcSubnets: {
+        subnetGroupName: 'SpotFleet1',
+      },
+    });
 
-    if (props.bastion) {
-      this.workerFleet.connections.allowFrom(props.bastion, Port.tcp(22));
-    }
+    const fleet2 = new SpotEventPluginFleet(this, 'SpotEventPluginFleet2', {
+      vpc: props.vpc,
+      renderQueue: props.renderQueue,
+      deadlineGroups: [
+        'group_name2',
+      ],
+      instanceTypes: [
+        InstanceType.of(InstanceClass.T3, InstanceSize.LARGE),
+      ],
+      workerMachineImage: props.workerMachineImage,
+      maxCapacity: 5,
+      vpcSubnets: {
+        subnetGroupName: 'SpotFleet2',
+      },
+    });
+
+    new ConfigureSpotEventPlugin(this, 'ConfigureSpotEventPlugin', {
+      vpc: props.vpc,
+      renderQueue: props.renderQueue,
+      spotFleets: [
+        fleet1,
+        fleet2,
+      ],
+      configuration: {
+        enableResourceTracker: true,
+      },
+    });
   }
 }
 
diff --git a/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/lib/network-tier.ts b/examples/deadline/All-In-AWS-Infrastructure-Basic/ts/lib/network-tier.ts
@@ -74,12 +74,27 @@ export class NetworkTier extends cdk.Stack {
         {
           name: 'Public',
           subnetType: SubnetType.PUBLIC,
-          cidrMask: 28,
+          cidrMask: 28, // 14 IP addresses
         },
         {
           name: 'Private',
           subnetType: SubnetType.PRIVATE,
-          cidrMask: 18, // 16,382 IP addresses
+          cidrMask: 20, // 4,094 IP addresses
+        },
+        {
+          name: 'WorkerFleet',
+          subnetType: SubnetType.PRIVATE,
+          cidrMask: 20, // 4,094 IP addresses
+        },
+        {
+          name: 'SpotFleet1',
+          subnetType: SubnetType.PRIVATE,
+          cidrMask: 20, // 4,094 IP addresses
+        },
+        {
+          name: 'SpotFleet2',
+          subnetType: SubnetType.PRIVATE,
+          cidrMask: 20, // 4,094 IP addresses
         },
       ],
       // VPC flow logs are a security best-practice as they allow us
@@ -136,7 +151,7 @@ export class NetworkTier extends cdk.Stack {
 
     this.dnsZone = new PrivateHostedZone(this, 'DnsZone', {
       vpc: this.vpc,
-      zoneName: 'deadline-test.internal',
+      zoneName: 'aws-rfdk.com',
     });
   }
 }