From 544d18b82a6db407ae641568f40502e95900db3b Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Fri, 27 Jan 2023 11:57:55 -0500 Subject: [PATCH 01/22] update cmft templates with stackrefs --- dev-resources/template/1_db.yml | 47 +++++---- dev-resources/template/2_lrs.yml | 160 +++++++++++++++++-------------- 2 files changed, 118 insertions(+), 89 deletions(-) diff --git a/dev-resources/template/1_db.yml b/dev-resources/template/1_db.yml index 13bcaea34..6a483f2bf 100644 --- a/dev-resources/template/1_db.yml +++ b/dev-resources/template/1_db.yml @@ -1,13 +1,9 @@ AWSTemplateFormatVersion: "2010-09-09" Description: "Postgres DB for SQL LRS" Parameters: - # Networking - VPCId: - Description: "VPC on which to run SQL LRS" - Type: AWS::EC2::VPC::Id - DBSubnets: - Description: Subnets on which to run services - Type: List + VPCStackName: + Description: Name of VPC Stack + Type: String # Postgres # PostgreSQL Storage @@ -25,13 +21,14 @@ Parameters: DBEngineVersion: Description: PostgreSQL engine version on RDS Type: String - Default: "12.9" + Default: "14.3" AllowedValues: - "12.9" + - "14.3" DBInstanceClass: Description: For provisioned aurora, the instance class to use Type: String - Default: "db.r4.large" + Default: "db.t4g.medium" DBName: Description: PG Database name. Ignored if DBSnapshotIdentifier is provided Type: String 
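Review bot: VPCStackName carries no constraint, so an empty or mistyped value is only reported later as an opaque Fn::ImportValue failure on the DBSubnetGroup and DBInstanceSG resources that join it into export names. Because every consumer concatenates it blindly, declare it with `MinLength: 1` (and an `AllowedPattern` if the VPC stack naming is fixed) so validation rejects it up front, and name the contract in the Description, e.g. `Description: Name of the VPC stack whose VPC, PrivateSubnetOne and PrivateSubnetTwo exports this stack imports`.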
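Review bot: Moving the DBEngineVersion default from "12.9" to "14.3" changes what an existing stack receives on its next update unless the operator passes UsePreviousValue, and for an Aurora cluster that is an in-place major version upgrade rather than a no-op; the DBInstanceClass default moving from db.r4.large to db.t4g.medium has the same update-time effect. If the new defaults are meant for fresh stacks only, keep the old ones and document the upgrade path instead, e.g. `Description: PostgreSQL engine version on RDS (changing this on an existing stack triggers a major version upgrade)`. Whether any current stacks rely on these defaults cannot be seen from the template.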
@@ -58,26 +55,34 @@ Parameters: AllowedValues: - true - false - Default: true + Default: false Conditions: - DBProvisioned: !Equals [!Ref DBEngineMode, "provisioned"] - DBSnapshotIdentifierProvided: !Not [!Equals [!Ref DBSnapshotIdentifier, ""]] + DBProvisioned: + !Equals [!Ref DBEngineMode, "provisioned"] + DBSnapshotIdentifierProvided: + !Not [!Equals [!Ref DBSnapshotIdentifier, ""]] Resources: + # PostgreSQL Database DBSubnetGroup: Description: Subnet group to allow instance access to db Type: AWS::RDS::DBSubnetGroup Properties: DBSubnetGroupDescription: SQL LRS App Instance Subnet Group - SubnetIds: !Ref DBSubnets + SubnetIds: + - Fn::ImportValue: + !Join [":", [!Ref "VPCStackName", "PrivateSubnetOne"]] + - Fn::ImportValue: + !Join [":", [!Ref "VPCStackName", "PrivateSubnetTwo"]] DBInstanceSG: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to RDS instances - VpcId: !Ref VPCId + VpcId: + Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] DBCluster: Description: PostgreSQL DB Cluster @@ -99,7 +104,7 @@ Resources: - DBSnapshotIdentifierProvided - !Ref AWS::NoValue - !Sub "{{resolve:ssm-secure:${DBMasterUserPasswordPath}:${DBMasterUserPasswordVersion}}}" - # DBClusterIdentifier: !Sub '${AWS::StackName}-db' + # DBClusterIdentifier: !Sub "${AWS::StackName}-db" BackupRetentionPeriod: !If - DBSnapshotIdentifierProvided - !Ref AWS::NoValue @@ -108,7 +113,7 @@ Resources: VpcSecurityGroupIds: - !Ref DBInstanceSG DBSubnetGroupName: !Ref DBSubnetGroup - DBClusterParameterGroupName: default.aurora-postgresql12 + DBClusterParameterGroupName: default.aurora-postgresql14 EnableCloudwatchLogsExports: !If - DBProvisioned - [postgresql] 
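Review bot: The boolean parameter whose Default flips from true to false at the top of the hunk is named outside it, so the effect of the relaxation cannot be judged here; if it guards a protective cluster setting (deletion protection, storage encryption or similar) the commit message about stack references does not explain why the safer default is dropped, and that should be a separate, explained change. The new SubnetIds and VpcId also hard-code the export suffixes PrivateSubnetOne, PrivateSubnetTwo and VPC, so a comment above DBSubnetGroup naming the contract is worth adding, e.g. `# Expects the VPC stack to export <VPCStackName>:VPC, :PrivateSubnetOne and :PrivateSubnetTwo`.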
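Review bot: DBClusterParameterGroupName is now the literal default.aurora-postgresql14 while DBEngineVersion still accepts "12.9" (AllowedValues in the earlier hunk of this file), so selecting the older version yields a parameter group family that does not match the engine and cluster creation fails. Derive the group from the version rather than hard-coding it, for example a Mappings entry keyed by engine version and `DBClusterParameterGroupName: !FindInMap [DBClusterParameterGroupMap, !Ref DBEngineVersion, Name]`. The later "fixed broken params in templates" commit reverts the literal to default.aurora-postgresql12 while the default version is still "14.3", which is the same mismatch in the other direction.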
@@ -145,3 +150,13 @@ Outputs: Value: !Ref DBInstanceSG Export: Name: !Sub "${AWS::StackName}:DBInstanceSG" + DBName: + Description: Name of the DB + Value: !Ref DBName + Export: + Name: !Sub "${AWS::StackName}:DBName" + DBMasterUserName: + Description: DB Master username + Value: !Ref DBMasterUserName + Export: + Name: !Sub "${AWS::StackName}:DBMasterUserName" diff --git a/dev-resources/template/2_lrs.yml b/dev-resources/template/2_lrs.yml index c435d3616..41e34e3ab 100644 --- a/dev-resources/template/2_lrs.yml +++ b/dev-resources/template/2_lrs.yml @@ -2,29 +2,12 @@ AWSTemplateFormatVersion: "2010-09-09" Description: "SQL LRS and DB Init Script" Parameters: # Networking - VPCId: - Description: "VPC on which to run SQL LRS" - Type: AWS::EC2::VPC::Id - DBSubnets: - Description: Subnets on which the DB is running - Type: List - # DB Details - DBName: - Description: PG Database name. Ignored if DBSnapshotIdentifier is provided - Type: String - Default: "lrsql_demo" - DBHost: - Description: Write hostname of PG db + VPCStackName: + Description: Name of VPC Stack Type: String - DBPort: - Description: Port of PG db - Type: String - Default: 3306 - DBInstanceSG: - Type: AWS::EC2::SecurityGroup::Id - Description: DB instance security group - DBMasterUserName: - Description: Name of admin user + # DB Details + DBStackName: + Description: DB Stack Reference Type: String Default: yetadmin DBAppUserName: @@ -75,10 +58,7 @@ Parameters: InstanceSSHCidr: Description: CIDR Range for SSH Access to instances (Typically VPC CIDR Range) Type: String - Default: "173.147.0.0/16" - InstanceSubnets: - Description: Subnet on which to run the lrsql server - Type: List + Default: "172.147.0.0/16" InstanceHttpPort: Description: Port on which the server runs HTTP Type: String 
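Review bot: The new DBName export publishes `!Ref DBName`, but that parameter's Description earlier in this file says it is ignored when DBSnapshotIdentifier is provided, so a stack restored from a snapshot exports a database name the cluster may not contain and the LRS stack's init function will target the wrong database. Either document the caveat on the output, e.g. `Description: Name of the DB (parameter value; not authoritative when restored from a snapshot)`, or make the export conditional on DBSnapshotIdentifierProvided being false. The same reasoning applies to DBMasterUserName if the master username comes from the snapshot.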
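Review bot: DBStackName keeps `Default: yetadmin`, which is the default the deleted DBMasterUserName parameter had, so an operator who omits the parameter has every Fn::ImportValue in the template resolve against a stack called yetadmin. A stack reference has no sensible default; drop it and constrain the value: `DBStackName:` / `Description: Name of the DB stack whose exports this stack imports` / `Type: String` with `MinLength: 1`. The stray default is still present as context in the later commits of this series.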
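Review bot: The InstanceSSHCidr default changes from 173.147.0.0/16 to 172.147.0.0/16, but neither is a private (RFC 1918) range, so the port 22 rule on the instance security group (which presumably uses this parameter; the CidrIp line is outside the hunk) defaults to a /16 of public address space that is unlikely to be the deployer's VPC CIDR as the Description intends. Leave the parameter without a Default so the operator must supply their VPC range, or default it to the empty string and gate the ingress rule on a condition, and tighten the Description to `Description: CIDR range allowed to SSH to the instances (use the VPC CIDR; never a public range)`.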
@@ -110,16 +90,13 @@ Parameters: ASGCPUPolicyTargetValue: Type: String # according to docs a Double Description: Target CPU utilization of instances. Leave blank to disable CPU autoscaling. - Default: "" # '60.0' + Default: "" # "60.0" ASGALBRequestCountTargetValue: Type: String # according to docs a Double Description: Target requests per instance. Leave blank to disable request count autoscaling. - Default: "" # '10000.0' + Default: "" # "10000.0" # Front-end (ALB) specific settings - ALBSubnets: - Description: Subnets on which to run the ALB. - Type: List ALBHostName: Type: String Description: The hostname to use for the Elastic Load Balancer. @@ -131,22 +108,26 @@ Parameters: Type: String Description: Route53 Hosted Zone in which to set a DNS record. If unset no record will be updated Default: "" - # CORS Settings CORSAllowedOrigins: Type: CommaDelimitedList Description: A comma-separated list of origins to allow. If not provided ALBHostName will be used if present, otherwise no origins will be allowed. + Conditions: - SetDNS: !Not [!Equals [!Ref ALBHostedZone, ""]] - SetCORS: !Not [!Equals [!Join ["", !Ref CORSAllowedOrigins], ""]] + SetDNS: + !Not [!Equals [!Ref ALBHostedZone, ""]] + SetCORS: + !Not [!Equals [!Join ["", !Ref CORSAllowedOrigins], ""]] ASGCPUPolicyTargetValueProvided: !Not [!Equals [!Ref ASGCPUPolicyTargetValue, ""]] ASGALBRequestCountTargetValueProvided: !Not [!Equals [!Ref ASGALBRequestCountTargetValue, ""]] - InstanceKeyNameProvided: !Not [!Equals [!Ref InstanceKeyName, ""]] + InstanceKeyNameProvided: + !Not [!Equals [!Ref InstanceKeyName, ""]] Resources: + # DB Initialization Function and custom resource to run it DBInitFn: 
@@ -162,22 +143,30 @@ Resources: VpcConfig: SecurityGroupIds: - !Ref DBInitFnSG - SubnetIds: !Ref DBSubnets - + SubnetIds: + - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PrivateSubnetOne"]] + - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PrivateSubnetTwo"]] DBInitFnSG: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: SG For Lambda Init Fn - VpcId: !Ref VPCId + VpcId: + Fn::ImportValue: + !Join [":", [!Ref "VPCStackName", "VPC"]] DBInstanceInitIngress: Type: AWS::EC2::SecurityGroupIngress Properties: Description: Ingress from the init fn to RDS instance - GroupId: !Ref DBInstanceSG + GroupId: + Fn::ImportValue: !Join [":", [!Ref "DBStackName", "DBInstanceSG"]] IpProtocol: tcp - FromPort: !Ref DBPort - ToPort: !Ref DBPort + FromPort: + Fn::ImportValue: + !Join [":", [!Ref "DBStackName", "DBPort"]] + ToPort: + Fn::ImportValue: + !Join [":", [!Ref "DBStackName", "DBPort"]] SourceSecurityGroupId: !Ref DBInitFnSG DBInitPolicy: @@ -225,7 +214,8 @@ Resources: DependsOn: DBInitFn Properties: ServiceToken: !GetAtt DBInitFn.Arn - DBMasterUsername: !Ref DBMasterUserName + DBMasterUsername: + Fn::ImportValue: !Join [":", [!Ref "DBStackName", "DBMasterUserName"]] DBMasterPasswordPath: !Join - ":" - - !Ref DBMasterUserPasswordPath @@ -235,9 +225,15 @@ Resources: - ":" - - !Ref DBAppUserPasswordPath - !Ref DBAppUserPasswordVersion - DBHost: !Ref DBHost - DBPort: !Ref DBPort - DBName: !Ref DBName + DBHost: + Fn::ImportValue: + !Join [":", [!Ref "DBStackName", "DBEndpoint"]] + DBPort: + Fn::ImportValue: + !Join [":", [!Ref "DBStackName", "DBPort"]] + DBName: + Fn::ImportValue: + !Join [":", [!Ref "DBStackName", "DBName"]] # Servers @@ -269,10 +265,10 @@ Resources: Properties: AssumeRolePolicyDocument: Statement: - - Effect: Allow - Principal: - Service: [ec2.amazonaws.com] - Action: ["sts:AssumeRole"] + - Effect: Allow + Principal: + Service: [ec2.amazonaws.com] + Action: ["sts:AssumeRole"] Path: / ManagedPolicyArns: - !Ref InstancePolicy 
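Review bot: DBInstanceInitIngress now imports DBStackName:DBInstanceSG and DBStackName:DBPort, and the two following hunks of this file import DBStackName:DBMasterUserName, :DBEndpoint, :DBName and :DBPort, yet the 1_db.yml Outputs hunk in this commit only adds DBName and DBMasterUserName; unless DBPort and DBEndpoint exports already exist above that hunk, creating this stack fails at import time. Please confirm both exports exist in 1_db.yml or add them next to the new ones. A comment at the top of Resources listing the exports this template consumes, e.g. `# Imports from DBStackName: DBInstanceSG, DBEndpoint, DBPort, DBName, DBMasterUserName`, would make the cross-stack contract reviewable without reading both files.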
@@ -287,7 +283,8 @@ Resources: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to the LRS Instance - VpcId: !Ref VPCId + VpcId: + Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 @@ -298,10 +295,15 @@ Resources: Type: AWS::EC2::SecurityGroupIngress Properties: Description: Ingress from the LRS instance to RDS instance - GroupId: !Ref DBInstanceSG + GroupId: + Fn::ImportValue: !Join [":", [!Ref "DBStackName", "DBInstanceSG"]] IpProtocol: tcp - FromPort: !Ref DBPort - ToPort: !Ref DBPort + FromPort: + Fn::ImportValue: + !Join [":", [!Ref "DBStackName", "DBPort"]] + ToPort: + Fn::ImportValue: + !Join [":", [!Ref "DBStackName", "DBPort"]] SourceSecurityGroupId: !Ref InstanceSG LrsInstances: @@ -383,14 +385,13 @@ Resources: files: "/opt/lrsql/config/lrsql.json": content: !Sub - - | - { - "database": { + - '{ + "database": { "dbHost": "${DBHost}", "dbPort": ${DBPort}, "dbName": "${DBName}", "dbUser": "${DBAppUserName}", - "dbPassword": "${InitDBCustomResource.dbAppPass}" + "dbPassword": "${DBPass}" }, "lrs" : { "adminUserDefault": "${DefaultAdminUser}", 
@@ -399,19 +400,20 @@ Resources: }, "webserver": { "httpHost": "0.0.0.0", - "httpPort": ${InstanceHttpPort}, - "allowedOrigins": ${AllowedOrigins} + "httpPort": ${InstanceHttpPort} } - } - - AllowedOrigins: !If - - SetCORS - - !Sub - - '["${JoinedAllowedOrigins}"]' - - JoinedAllowedOrigins: !Join ['","', !Ref CORSAllowedOrigins] - - !If - - SetDNS - - !Sub '["https://${ALBHostName}"]' - - "[]" + }' + - DBName: + Fn::ImportValue: !Join [":", [!Ref "DBStackName", "DBName"]] + DBHost: + Fn::ImportValue: !Join [":", [!Ref "DBStackName", "DBEndpoint"]] + DBAppUserName: !Ref DBAppUserName + DBPass: !GetAtt InitDBCustomResource.dbAppPass + DefaultAdminUser: !Ref DefaultAdminUser + DefaultAdminPass: !Ref DefaultAdminPass + InstanceHttpPort: !Ref InstanceHttpPort + DBPort: + Fn::ImportValue: !Join [":", [!Ref "DBStackName", "DBPort"]] mode: "000755" owner: root group: root @@ -502,11 +504,16 @@ Resources: - !GetAtt TargetGroup.TargetGroupFullName TargetValue: !Ref ASGALBRequestCountTargetValue + # ASG AutoScalingGroup: Type: AWS::AutoScaling::AutoScalingGroup Properties: - VPCZoneIdentifier: !Ref InstanceSubnets + VPCZoneIdentifier: + - Fn::ImportValue: + !Join [":", [!Ref "VPCStackName", "PublicSubnetOne"]] + - Fn::ImportValue: + !Join [":", [!Ref "VPCStackName", "PublicSubnetTwo"]] LaunchConfigurationName: !Ref LrsInstances MinSize: !Ref ASGMinSize MaxSize: !Ref ASGMaxSize @@ -535,13 +542,15 @@ Resources: - AlarmNotification - ScheduledActions + # Load Balancer LoadBalancerSG: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to the load balancer - VpcId: !Ref VPCId + VpcId: + Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] SecurityGroupIngress: # Allow access to ALB from anywhere on the internet # on 80 as redirect-only 
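Review bot: The substitution map now writes the app DB password (`DBPass: !GetAtt InitDBCustomResource.dbAppPass`) and DefaultAdminPass into /opt/lrsql/config/lrsql.json, but the file entry's `mode: "000755"` at the end of the hunk leaves that file readable (and executable) by every local account on the instance. A config file holding credentials should be `mode: "000600"` owned by the account the service runs as, or `"000640"` with a dedicated service group; which user the lrsql unit runs as is outside the hunk.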
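Review bot: Putting the LRS instances in PublicSubnetOne/PublicSubnetTwo, the same subnets the ALB receives in the next hunks, gives them a position in a public subnet (and a public address if the LaunchConfiguration, outside the hunk, assigns one) although they are only meant to be reached through the ALB and over SSH from InstanceSSHCidr. If the VPC stack's private subnets have NAT egress for cfn-signal and package downloads, using `PrivateSubnetOne`/`PrivateSubnetTwo` here, as 1_db.yml already does for the database, keeps the instances off the public subnets; otherwise a comment stating why public subnets are required, e.g. `# Public subnets: instances need direct egress (no NAT in the VPC stack)`, would record the trade-off.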
@@ -562,7 +571,9 @@ Resources: LoadBalancerAttributes: - Key: idle_timeout.timeout_seconds Value: "30" - Subnets: !Ref ALBSubnets + Subnets: + - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PublicSubnetOne"]] + - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PublicSubnetTwo"]] SecurityGroups: - !Ref LoadBalancerSG @@ -620,7 +631,8 @@ Resources: Port: !Ref InstanceHttpPort Protocol: HTTP UnhealthyThresholdCount: 2 - VpcId: !Ref VPCId + VpcId: + Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] #DNS Update for Domain @@ -648,3 +660,5 @@ Outputs: - "" - - "https://" - !Ref ALBHostName + Export: + Name: !Sub "${AWS::StackName}:LrsAddress" From 915d4d1f4d8d4935f1372605276a685be175ecf5 Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Fri, 27 Jan 2023 12:29:38 -0500 Subject: [PATCH 02/22] readded CORS config stuff --- dev-resources/template/2_lrs.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/dev-resources/template/2_lrs.yml b/dev-resources/template/2_lrs.yml index 41e34e3ab..617aec046 100644 --- a/dev-resources/template/2_lrs.yml +++ b/dev-resources/template/2_lrs.yml @@ -385,7 +385,8 @@ Resources: files: "/opt/lrsql/config/lrsql.json": content: !Sub - - '{ + - | + { "database": { "dbHost": "${DBHost}", "dbPort": ${DBPort}, @@ -401,8 +402,9 @@ Resources: "webserver": { "httpHost": "0.0.0.0", "httpPort": ${InstanceHttpPort} + "allowedOrigins": ${AllowedOrigins} } - }' + } - DBName: Fn::ImportValue: !Join [":", [!Ref "DBStackName", "DBName"]] DBHost: @@ -414,6 +416,14 @@ Resources: InstanceHttpPort: !Ref InstanceHttpPort DBPort: Fn::ImportValue: !Join [":", [!Ref "DBStackName", "DBPort"]] + AllowedOrigins: !If + - SetCORS + - !Sub + - '["${JoinedAllowedOrigins}}"]' + - !If + - SetDNS + - !Sub '["https://${ALBHostName}"]' + - "[]" mode: "000755" owner: root group: root From 0e3302efcc140216d62ce1239f434ad804a06552 Mon Sep 17 00:00:00 2001 
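Review bot: The re-added CORS substitution `'["${JoinedAllowedOrigins}}"]'` has a doubled closing brace, so after substitution the rendered JSON reads like `["https://a.example}"]` (constructed example) and the last origin never matches; it should be `- '["${JoinedAllowedOrigins}"]'`. The same line survives unchanged into the "fixed broken params in templates" commit, whose 2_lrs.yml hunk adds the JoinedAllowedOrigins map entry beneath it, so the typo is not caught there either. In this commit the map entry is also missing, so `!Sub` references a variable it never defines, and the preceding hunk drops the comma after `"httpPort": ${InstanceHttpPort}`; both are fixed later in the series but rendering the file once would have caught all three.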
From: Henk Reder Date: Fri, 27 Jan 2023 13:10:42 -0500 Subject: [PATCH 03/22] made VPCId and DBSubnets optional parameters --- dev-resources/template/1_db.yml | 28 +++++++++++---- dev-resources/template/2_lrs.yml | 61 +++++++++++++++++++++----------- 2 files changed, 62 insertions(+), 27 deletions(-) diff --git a/dev-resources/template/1_db.yml b/dev-resources/template/1_db.yml index 6a483f2bf..fd72491c8 100644 --- a/dev-resources/template/1_db.yml +++ b/dev-resources/template/1_db.yml @@ -4,6 +4,12 @@ Parameters: VPCStackName: Description: Name of VPC Stack Type: String + VPCId: + Description: "VPC on which to run SQL LRS (if not provided, will attempt to use parameter VPC on VPCStackName)" + Type: AWS::EC2::VPC::Id + DBSubnets: + Description: Subnets on which the DB is running (if no subnets are provided, will attempt to deploy with PrivateSubnetOne and PrivateSubnetTwo on the VPC provided via VPCStackName) + Type: List # Postgres # PostgreSQL Storage @@ -62,6 +68,10 @@ Conditions: !Equals [!Ref DBEngineMode, "provisioned"] DBSnapshotIdentifierProvided: !Not [!Equals [!Ref DBSnapshotIdentifier, ""]] + VPCIdProvided: + !Not [!Equals [!Ref VPCId, ""]] + DBSubnetsProvided: + !Not [!Equals [!Ref DBSubnets, !Ref "AWS::NoValue"]] Resources: 
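Review bot: VPCId is declared as `Type: AWS::EC2::VPC::Id` and DBSubnets as a List parameter with no default, but AWS-specific parameter types are validated against real resources at stack creation and cannot be omitted or set to an empty string, so the new VPCIdProvided and DBSubnetsProvided conditions can never be false and the fallback to VPCStackName is unreachable. The DBSubnetsProvided condition also hands a list and `!Ref "AWS::NoValue"` to Fn::Equals, which only compares strings. Making the parameters genuinely optional needs `Type: String` / `Type: CommaDelimitedList` with `Default: ""` and string-based conditions; the same pattern appears in the DBSubnetGroup/DBInstanceSG hunk that follows and in the 2_lrs.yml hunks of this commit. If the extraction dropped a `<AWS::EC2::Subnet::Id>` argument from List, the point stands.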
@@ -71,18 +81,22 @@ Resources: Type: AWS::RDS::DBSubnetGroup Properties: DBSubnetGroupDescription: SQL LRS App Instance Subnet Group - SubnetIds: - - Fn::ImportValue: - !Join [":", [!Ref "VPCStackName", "PrivateSubnetOne"]] - - Fn::ImportValue: - !Join [":", [!Ref "VPCStackName", "PrivateSubnetTwo"]] + SubnetIds: !If + - DBSubnetsProvided + - !Ref DBSubnets + - - Fn::ImportValue: + !Join [":", [!Ref "VPCStackName", "PrivateSubnetOne"]] + - Fn::ImportValue: + !Join [":", [!Ref "VPCStackName", "PrivateSubnetTwo"]] DBInstanceSG: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to RDS instances - VpcId: - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] + VpcId: !If + - VPCIdProvided + - !Ref VPCId + - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] DBCluster: Description: PostgreSQL DB Cluster diff --git a/dev-resources/template/2_lrs.yml b/dev-resources/template/2_lrs.yml index 617aec046..cbec3701d 100644 --- a/dev-resources/template/2_lrs.yml +++ b/dev-resources/template/2_lrs.yml @@ -5,6 +5,12 @@ Parameters: VPCStackName: Description: Name of VPC Stack Type: String + VPCId: + Description: "VPC on which to run SQL LRS (if not provided, will attempt to use parameter VPC on VPCStackName)" + Type: AWS::EC2::VPC::Id + DBSubnets: + Description: Subnets on which the DB is running (if not provided, will use PrivateSubnetOne and PrivateSubnetTwo on VPCStackName) + Type: List # DB Details DBStackName: Description: DB Stack Reference @@ -125,6 +131,10 @@ Conditions: !Not [!Equals [!Ref ASGALBRequestCountTargetValue, ""]] InstanceKeyNameProvided: !Not [!Equals [!Ref InstanceKeyName, ""]] + VPCIdProvided: + !Not [!Equals [!Ref VPCId, ""]] + DBSubnetsProvided: + !Not [!Equals [!Ref DBSubnets, !Ref "AWS::NoValue"]] Resources: 
@@ -143,16 +153,19 @@ Resources: VpcConfig: SecurityGroupIds: - !Ref DBInitFnSG - SubnetIds: - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PrivateSubnetOne"]] - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PrivateSubnetTwo"]] + SubnetIds: !If + - DBSubnetsProvided + - !Ref DBSubnets + - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PrivateSubnetOne"]] + - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PrivateSubnetTwo"]] DBInitFnSG: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: SG For Lambda Init Fn - VpcId: - Fn::ImportValue: - !Join [":", [!Ref "VPCStackName", "VPC"]] + VpcId: !If + - VPCIdProvided + - !Ref VPCId + - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] DBInstanceInitIngress: Type: AWS::EC2::SecurityGroupIngress @@ -283,8 +296,10 @@ Resources: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to the LRS Instance - VpcId: - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] + VpcId: !If + - VPCIdProvided + - !Ref VPCId + - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 @@ -519,11 +534,11 @@ Resources: AutoScalingGroup: Type: AWS::AutoScaling::AutoScalingGroup Properties: - VPCZoneIdentifier: - - Fn::ImportValue: - !Join [":", [!Ref "VPCStackName", "PublicSubnetOne"]] - - Fn::ImportValue: - !Join [":", [!Ref "VPCStackName", "PublicSubnetTwo"]] + VPCZoneIdentifier: !If + - DBSubnetsProvided + - !Ref DBSubnets + - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PublicSubnetOne"]] + - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PublicSubnetTwo"]] LaunchConfigurationName: !Ref LrsInstances MinSize: !Ref ASGMinSize MaxSize: !Ref ASGMaxSize 
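Review bot: VPCZoneIdentifier now falls back on DBSubnets when that parameter is supplied, but DBSubnets is documented as "Subnets on which the DB is running" and is also what DBInitFn uses, so the LRS instances land in the database subnets when it is set and in the public subnets when it is not; the network exposure of the instances silently depends on which parameters the operator happened to pass. The ALB hunk in the next part of this commit does the same, which would put an internet-facing load balancer into private DB subnets. Separate instance and ALB subnet parameters (the InstanceSubnets and ALBSubnets removed in the first commit of this series) keep the three tiers distinct; the later "removed stackrefs for vpc resources" commit restores ALBSubnets but still sets `VPCZoneIdentifier: !Ref DBSubnets` for the ASG.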
@@ -559,8 +574,10 @@ Resources: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to the load balancer - VpcId: - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] + VpcId: !If + - VPCIdProvided + - !Ref VPCId + - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] SecurityGroupIngress: # Allow access to ALB from anywhere on the internet # on 80 as redirect-only @@ -581,9 +598,11 @@ Resources: LoadBalancerAttributes: - Key: idle_timeout.timeout_seconds Value: "30" - Subnets: - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PublicSubnetOne"]] - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PublicSubnetTwo"]] + Subnets: !If + - DBSubnetsProvided + - !Ref DBSubnets + - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PublicSubnetOne"]] + - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PublicSubnetTwo"]] SecurityGroups: - !Ref LoadBalancerSG @@ -641,8 +660,10 @@ Resources: Port: !Ref InstanceHttpPort Protocol: HTTP UnhealthyThresholdCount: 2 - VpcId: - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] + VpcId: !If + - VPCIdProvided + - !Ref VPCId + - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] #DNS Update for Domain From 469608f4a803a816294fb0c541e5480830242289 Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Fri, 27 Jan 2023 14:29:24 -0500 Subject: [PATCH 04/22] fixed missing comma in launch script --- dev-resources/template/2_lrs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev-resources/template/2_lrs.yml b/dev-resources/template/2_lrs.yml index cbec3701d..3a31a5c91 100644 --- a/dev-resources/template/2_lrs.yml +++ b/dev-resources/template/2_lrs.yml @@ -416,7 +416,7 @@ Resources: }, "webserver": { "httpHost": "0.0.0.0", - "httpPort": ${InstanceHttpPort} + "httpPort": ${InstanceHttpPort}, "allowedOrigins": ${AllowedOrigins} } } From 1a9d2f8f676130356fcddc57bd4b77b64c40f7f9 Mon Sep 17 00:00:00 2001 
From: Henk Reder Date: Fri, 27 Jan 2023 14:39:23 -0500 Subject: [PATCH 05/22] updated DBSubnets condition with list --- dev-resources/template/1_db.yml | 2 +- dev-resources/template/2_lrs.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dev-resources/template/1_db.yml b/dev-resources/template/1_db.yml index fd72491c8..67355a315 100644 --- a/dev-resources/template/1_db.yml +++ b/dev-resources/template/1_db.yml @@ -71,7 +71,7 @@ Conditions: VPCIdProvided: !Not [!Equals [!Ref VPCId, ""]] DBSubnetsProvided: - !Not [!Equals [!Ref DBSubnets, !Ref "AWS::NoValue"]] + !Not [!Equals [!Join ["", !Ref DBSubnets], !Ref "AWS::NoValue"]] Resources: diff --git a/dev-resources/template/2_lrs.yml b/dev-resources/template/2_lrs.yml index 3a31a5c91..bc440aeb6 100644 --- a/dev-resources/template/2_lrs.yml +++ b/dev-resources/template/2_lrs.yml @@ -134,7 +134,7 @@ Conditions: VPCIdProvided: !Not [!Equals [!Ref VPCId, ""]] DBSubnetsProvided: - !Not [!Equals [!Ref DBSubnets, !Ref "AWS::NoValue"]] + !Not [!Equals [!Join ["", !Ref DBSubnets], !Ref "AWS::NoValue"]] Resources: From aeaebef49b9141a564b96f3ada9072f35ee08ed3 Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Fri, 27 Jan 2023 16:03:49 -0500 Subject: [PATCH 06/22] fixed broken params in templates --- dev-resources/template/1_db.yml | 4 ++-- dev-resources/template/2_lrs.yml | 9 +++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/dev-resources/template/1_db.yml b/dev-resources/template/1_db.yml index 67355a315..41bb60b0b 100644 --- a/dev-resources/template/1_db.yml +++ b/dev-resources/template/1_db.yml @@ -71,7 +71,7 @@ Conditions: VPCIdProvided: !Not [!Equals [!Ref VPCId, ""]] DBSubnetsProvided: - !Not [!Equals [!Join ["", !Ref DBSubnets], !Ref "AWS::NoValue"]] + !Not [!Equals [!Join ["", !Ref DBSubnets], ""]] Resources: 
@@ -127,7 +127,7 @@ Resources: VpcSecurityGroupIds: - !Ref DBInstanceSG DBSubnetGroupName: !Ref DBSubnetGroup - DBClusterParameterGroupName: default.aurora-postgresql14 + DBClusterParameterGroupName: default.aurora-postgresql12 EnableCloudwatchLogsExports: !If - DBProvisioned - [postgresql] diff --git a/dev-resources/template/2_lrs.yml b/dev-resources/template/2_lrs.yml index bc440aeb6..053536870 100644 --- a/dev-resources/template/2_lrs.yml +++ b/dev-resources/template/2_lrs.yml @@ -134,7 +134,7 @@ Conditions: VPCIdProvided: !Not [!Equals [!Ref VPCId, ""]] DBSubnetsProvided: - !Not [!Equals [!Join ["", !Ref DBSubnets], !Ref "AWS::NoValue"]] + !Not [!Equals [!Join ["", !Ref DBSubnets], ""]] Resources: @@ -400,9 +400,9 @@ Resources: files: "/opt/lrsql/config/lrsql.json": content: !Sub - - | - { - "database": { + - | + { + "database": { "dbHost": "${DBHost}", "dbPort": ${DBPort}, "dbName": "${DBName}", @@ -435,6 +435,7 @@ Resources: - SetCORS - !Sub - '["${JoinedAllowedOrigins}}"]' + - JoinedAllowedOrigins: !Join ['","', !Ref CORSAllowedOrigins] - !If - SetDNS - !Sub '["https://${ALBHostName}"]' From c8065160f73210f44faa63d563556f479cac46bb Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Fri, 27 Jan 2023 16:08:44 -0500 Subject: [PATCH 07/22] added information to VPCStackName doc string --- dev-resources/template/1_db.yml | 2 +- dev-resources/template/2_lrs.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dev-resources/template/1_db.yml b/dev-resources/template/1_db.yml index 41bb60b0b..16e17f2bb 100644 --- a/dev-resources/template/1_db.yml +++ b/dev-resources/template/1_db.yml 
@@ -2,7 +2,7 @@ AWSTemplateFormatVersion: "2010-09-09" Description: "Postgres DB for SQL LRS" Parameters: VPCStackName: - Description: Name of VPC Stack + Description: Name of VPC Stack (Optional, but if not provided must provide VPCId and DBSubnets). Type: String VPCId: Description: "VPC on which to run SQL LRS (if not provided, will attempt to use parameter VPC on VPCStackName)" diff --git a/dev-resources/template/2_lrs.yml b/dev-resources/template/2_lrs.yml index 053536870..0d5e105f5 100644 --- a/dev-resources/template/2_lrs.yml +++ b/dev-resources/template/2_lrs.yml @@ -3,7 +3,7 @@ Description: "SQL LRS and DB Init Script" Parameters: # Networking VPCStackName: - Description: Name of VPC Stack + Description: Name of VPC Stack (Optional, but if not provided must provide VPCId and DBSubnets) Type: String VPCId: Description: "VPC on which to run SQL LRS (if not provided, will attempt to use parameter VPC on VPCStackName)" From 934c4dc485c3a592c16f20a5b3bad23ace15932e Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Fri, 27 Jan 2023 16:20:52 -0500 Subject: [PATCH 08/22] fixed db version to 12.9 --- dev-resources/template/1_db.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dev-resources/template/1_db.yml b/dev-resources/template/1_db.yml index 16e17f2bb..96426bdb0 100644 --- a/dev-resources/template/1_db.yml +++ b/dev-resources/template/1_db.yml @@ -27,10 +27,9 @@ Parameters: DBEngineVersion: Description: PostgreSQL engine version on RDS Type: String - Default: "14.3" + Default: "12.9" AllowedValues: - "12.9" - - "14.3" DBInstanceClass: Description: For provisioned aurora, the instance class to use Type: String From 3c7f48d1241392ef7f13e63c1d829d66fc7d2d3d Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Tue, 31 Jan 2023 12:08:45 -0500 Subject: [PATCH 09/22] removed stackrefs for VPC --- dev-resources/template/1_db.yml | 31 ++++++++++++------------------- 1 file changed, 12 insertions(+), 19 deletions(-) 
diff --git a/dev-resources/template/1_db.yml b/dev-resources/template/1_db.yml index 96426bdb0..f01284639 100644 --- a/dev-resources/template/1_db.yml +++ b/dev-resources/template/1_db.yml @@ -1,9 +1,6 @@ AWSTemplateFormatVersion: "2010-09-09" Description: "Postgres DB for SQL LRS" Parameters: - VPCStackName: - Description: Name of VPC Stack (Optional, but if not provided must provide VPCId and DBSubnets). - Type: String VPCId: Description: "VPC on which to run SQL LRS (if not provided, will attempt to use parameter VPC on VPCStackName)" Type: AWS::EC2::VPC::Id @@ -30,6 +27,7 @@ Parameters: Default: "12.9" AllowedValues: - "12.9" + - "14.3" DBInstanceClass: Description: For provisioned aurora, the instance class to use Type: String @@ -62,15 +60,18 @@ Parameters: - false Default: false +Mappings: + DBClusterParameterGroupMap: + "12.9": + Name: default.aurora-postgresql12 + "14.3": + Name: default.aurora-postgresql14 + Conditions: DBProvisioned: !Equals [!Ref DBEngineMode, "provisioned"] DBSnapshotIdentifierProvided: !Not [!Equals [!Ref DBSnapshotIdentifier, ""]] - VPCIdProvided: - !Not [!Equals [!Ref VPCId, ""]] - DBSubnetsProvided: - !Not [!Equals [!Join ["", !Ref DBSubnets], ""]] Resources: @@ -80,22 +81,14 @@ Resources: Type: AWS::RDS::DBSubnetGroup Properties: DBSubnetGroupDescription: SQL LRS App Instance Subnet Group - SubnetIds: !If - - DBSubnetsProvided - - !Ref DBSubnets - - - Fn::ImportValue: - !Join [":", [!Ref "VPCStackName", "PrivateSubnetOne"]] - - Fn::ImportValue: - !Join [":", [!Ref "VPCStackName", "PrivateSubnetTwo"]] + SubnetIds: + !Ref DBSubnets DBInstanceSG: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to RDS instances - VpcId: !If - - VPCIdProvided - - !Ref VPCId - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] + VpcId: !Ref VPCId DBCluster: Description: PostgreSQL DB Cluster 
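Review bot: With VPCStackName removed and no condition left, VPCId and DBSubnets are now mandatory, but the untouched Description lines beneath the hunk still tell the operator they are optional and fall back to "parameter VPC on VPCStackName", which no longer exists. Update them to `Description: VPC on which to run SQL LRS` and `Description: Subnets on which the DB is running`, as the later "made DBMassterUserPasswordPath a ref" commit does for 2_lrs.yml but not for this file. The same stale VPCId Description is context in the 2_lrs.yml hunk of the following "removed stackrefs for vpc resources" commit.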
@@ -126,7 +119,7 @@ Resources: VpcSecurityGroupIds: - !Ref DBInstanceSG DBSubnetGroupName: !Ref DBSubnetGroup - DBClusterParameterGroupName: default.aurora-postgresql12 + DBClusterParameterGroupName: !FindInMap [DBClusterParameterGroupMap, !Ref "DBEngineVersion", Name] EnableCloudwatchLogsExports: !If - DBProvisioned - [postgresql] From 33bd462f03948f6581179a77bc1f30d733e1ad32 Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Tue, 31 Jan 2023 12:26:36 -0500 Subject: [PATCH 10/22] removed stackrefs for vpc resources on 2_lrs --- dev-resources/template/2_lrs.yml | 69 ++++++++++---------------------- 1 file changed, 21 insertions(+), 48 deletions(-) diff --git a/dev-resources/template/2_lrs.yml b/dev-resources/template/2_lrs.yml index 0d5e105f5..87206e30c 100644 --- a/dev-resources/template/2_lrs.yml +++ b/dev-resources/template/2_lrs.yml @@ -1,10 +1,6 @@ AWSTemplateFormatVersion: "2010-09-09" Description: "SQL LRS and DB Init Script" Parameters: - # Networking - VPCStackName: - Description: Name of VPC Stack (Optional, but if not provided must provide VPCId and DBSubnets) - Type: String VPCId: Description: "VPC on which to run SQL LRS (if not provided, will attempt to use parameter VPC on VPCStackName)" Type: AWS::EC2::VPC::Id @@ -107,6 +103,9 @@ Parameters: Type: String Description: The hostname to use for the Elastic Load Balancer. Default: "sqllrs.yetanalytics.io" + ALBSubnets: + Description: Subnets that are used by the Elastic Load Balancer. + Type: List ALBCertArn: Type: String Description: The ARN of an ACM cert to use on the ALB @@ -131,10 +130,6 @@ Conditions: !Not [!Equals [!Ref ASGALBRequestCountTargetValue, ""]] InstanceKeyNameProvided: !Not [!Equals [!Ref InstanceKeyName, ""]] - VPCIdProvided: - !Not [!Equals [!Ref VPCId, ""]] - DBSubnetsProvided: - !Not [!Equals [!Join ["", !Ref DBSubnets], ""]] Resources: 
@@ -153,19 +148,14 @@ Resources: VpcConfig: SecurityGroupIds: - !Ref DBInitFnSG - SubnetIds: !If - - DBSubnetsProvided - - !Ref DBSubnets - - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PrivateSubnetOne"]] - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PrivateSubnetTwo"]] + SubnetIds: !Ref DBSubnets + + DBInitFnSG: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: SG For Lambda Init Fn - VpcId: !If - - VPCIdProvided - - !Ref VPCId - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] + VpcId: !Ref VPCId DBInstanceInitIngress: Type: AWS::EC2::SecurityGroupIngress @@ -296,10 +286,7 @@ Resources: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to the LRS Instance - VpcId: !If - - VPCIdProvided - - !Ref VPCId - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] + VpcId: !Ref VPCId SecurityGroupIngress: - IpProtocol: tcp FromPort: 22 @@ -442,7 +429,7 @@ Resources: - "[]" mode: "000755" owner: root - group: root + "/lib/systemd/system/lrsql.service": content: !Sub | [Unit] @@ -492,13 +479,14 @@ Resources: - !Ref InstanceSG IamInstanceProfile: !Ref InstanceProfile UserData: - Fn::Base64: !Sub | - #!/bin/bash -xe - echo 'Yet SQL LRS ${LrsVersion}' - # run configsets - /opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource LrsInstances --region ${AWS::Region} --configsets default - # signal CF - /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackId} --resource AutoScalingGroup --region ${AWS::Region} + Fn::Base64: !Sub + | + #!/bin/bash -xe + echo 'Yet SQL LRS ${LrsVersion}' + # run configsets + /opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource LrsInstances --region ${AWS::Region} --configsets default + # signal CF + /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackId} --resource AutoScalingGroup --region ${AWS::Region} # Autoscaling Policies 
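Review bot: This hunk replaces `group: root` on the lrsql.json file entry with a blank line, leaving that entry with only mode and owner while the commit message ("removed stackrefs for vpc resources") gives no reason to touch this block, so it looks like an editing accident. Restore the pair: `owner: root` / `group: root`. The enclosing files: mapping continues outside the hunk, so whether the unit-file entry below keeps its group cannot be seen here.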
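Review bot: Splitting `Fn::Base64: !Sub |` so that the `|` block indicator sits alone on the next line is valid YAML but differs from the form used elsewhere in this file (`content: !Sub |` for the systemd unit above), and it re-indents the whole script for no functional change. Keeping `Fn::Base64: !Sub |` on one line avoids the unusual layout and the diff churn; if a reformat is intended it belongs in a whitespace-only commit.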
@@ -535,11 +523,7 @@ Resources: AutoScalingGroup: Type: AWS::AutoScaling::AutoScalingGroup Properties: - VPCZoneIdentifier: !If - - DBSubnetsProvided - - !Ref DBSubnets - - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PublicSubnetOne"]] - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PublicSubnetTwo"]] + VPCZoneIdentifier: !Ref DBSubnets LaunchConfigurationName: !Ref LrsInstances MinSize: !Ref ASGMinSize MaxSize: !Ref ASGMaxSize @@ -568,17 +552,13 @@ Resources: - AlarmNotification - ScheduledActions - # Load Balancer LoadBalancerSG: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Access to the load balancer - VpcId: !If - - VPCIdProvided - - !Ref VPCId - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] + VpcId: !Ref VPCId SecurityGroupIngress: # Allow access to ALB from anywhere on the internet # on 80 as redirect-only @@ -599,11 +579,7 @@ Resources: LoadBalancerAttributes: - Key: idle_timeout.timeout_seconds Value: "30" - Subnets: !If - - DBSubnetsProvided - - !Ref DBSubnets - - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PublicSubnetOne"]] - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "PublicSubnetTwo"]] + Subnets: !Ref ALBSubnets SecurityGroups: - !Ref LoadBalancerSG @@ -661,10 +637,7 @@ Resources: Port: !Ref InstanceHttpPort Protocol: HTTP UnhealthyThresholdCount: 2 - VpcId: !If - - VPCIdProvided - - !Ref VPCId - - Fn::ImportValue: !Join [":", [!Ref "VPCStackName", "VPC"]] + VpcId: !Ref VPCId #DNS Update for Domain From f73b9d4860031fecb6f69012f7a56ef687321f6f Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Tue, 31 Jan 2023 14:19:30 -0500 Subject: [PATCH 11/22] made DBMassterUserPasswordPath a ref --- dev-resources/template/1_db.yml | 10 ++++++++++ dev-resources/template/2_lrs.yml | 22 +++++++++------------- 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/dev-resources/template/1_db.yml b/dev-resources/template/1_db.yml index f01284639..47696b11d 100644 
--- a/dev-resources/template/1_db.yml +++ b/dev-resources/template/1_db.yml @@ -166,3 +166,13 @@ Outputs: Value: !Ref DBMasterUserName Export: Name: !Sub "${AWS::StackName}:DBMasterUserName" + DBMasterUserPasswordPath: + Description: Path to the DB Master password + Value: !Ref DBMasterUserPasswordPath + Export: + Name: !Sub "${AWS::StackName}:DBMasterUserPasswordPath" + DBMasterUserPasswordVersion: + Description: Path to the DB Master password + Value: !Ref DBMasterUserPasswordVersion + Export: + Name: !Sub "${AWS::StackName}:DBMasterUserPasswordVersion" diff --git a/dev-resources/template/2_lrs.yml b/dev-resources/template/2_lrs.yml index 87206e30c..208f1f73d 100644 --- a/dev-resources/template/2_lrs.yml +++ b/dev-resources/template/2_lrs.yml @@ -2,10 +2,10 @@ AWSTemplateFormatVersion: "2010-09-09" Description: "SQL LRS and DB Init Script" Parameters: VPCId: - Description: "VPC on which to run SQL LRS (if not provided, will attempt to use parameter VPC on VPCStackName)" + Description: VPC on which to run SQL LRS Type: AWS::EC2::VPC::Id DBSubnets: - Description: Subnets on which the DB is running (if not provided, will use PrivateSubnetOne and PrivateSubnetTwo on VPCStackName) + Description: Subnets on which the DB is running Type: List # DB Details DBStackName: @@ -16,14 +16,6 @@ Parameters: Description: Name of app db user Type: String Default: lrsqldbuser - DBMasterUserPasswordPath: - Description: SSM Path to the secret password - Type: String - Default: "/lrsql/demo/DB_MASTER_USER_PASSWORD" - DBMasterUserPasswordVersion: - Description: SSM version - Type: Number - Default: 1 DBAppUserPasswordPath: Description: SSM Path to the secret password Type: String 
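Review bot: The `DBMasterUserPasswordVersion` output's description on the added lines is a copy-paste of the path output ("Path to the DB Master password"); it should read `Version of the SSM parameter that holds the DB master password`. Two caveats are worth a comment on these exports: they publish only the parameter name and version, not the secret, but any stack in the account can import them, and the consumer in this series is granted `ssm:GetParameter` on that path, so the reach of the master credential is now defined by who can deploy against `DBStackName`. Also, CloudFormation refuses to change an output that another stack imports, so rotating the password by bumping `DBMasterUserPasswordVersion` on the DB stack will fail until the LRS stack stops importing it — document the rotation order.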
@@ -187,7 +179,11 @@ Resources: - "secretsmanager:GetSecretValue" Resource: - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter${DBAppUserPasswordPath}" - - !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter${DBMasterUserPasswordPath}" + - !Sub + - "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter${DBMasterUserPasswordPath}" + - DBMasterUserPasswordPath: + Fn::ImportValue: + !Join [":", [!Ref "DBStackName", "DBMasterUserPasswordPath"]] - Effect: Allow Action: - ec2:DescribeNetworkInterfaces @@ -221,8 +217,8 @@ Resources: Fn::ImportValue: !Join [":", [!Ref "DBStackName", "DBMasterUserName"]] DBMasterPasswordPath: !Join - ":" - - - !Ref DBMasterUserPasswordPath - - !Ref DBMasterUserPasswordVersion + - - Fn::ImportValue: !Join [":", [!Ref "DBStackName", "DBMasterUserPasswordPath"]] + - Fn::ImportValue: !Join [":", [!Ref "DBStackName", "DBMasterUserPasswordVersion"]] DBUsername: !Ref DBAppUserName DBPasswordPath: !Join - ":" From 2a4a0688bfb8001f838113370510e4ab505b095a Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Tue, 31 Jan 2023 14:20:26 -0500 Subject: [PATCH 12/22] removed unecessary instructions from docs --- doc/aws.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/doc/aws.md b/doc/aws.md index 9d0199035..5fc410ced 100644 --- a/doc/aws.md +++ b/doc/aws.md 
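Review bot: On the new `Resource` entries, the `secretsmanager:GetSecretValue` action listed just above them can never match an `arn:aws:ssm:…:parameter/…` ARN, so it is dead permission text that makes the statement harder to audit for least privilege; drop it, or move it to a statement that names a Secrets Manager ARN if a secret is actually used. If the SecureString parameters are encrypted with a customer-managed KMS key rather than the account's `aws/ssm` key, the role also needs `kms:Decrypt` on that key, which nothing in this series grants — confirm which key is in use. The `Fn::ImportValue` inside the `!Sub` variable map is fine; the start of this `Action` list and the role the policy attaches to lie outside the hunk.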
@@ -93,12 +93,6 @@ This template deploys the application servers, the load balancer, and also a sma - CORSAllowedOrigins: If you are using your own DNS and do not provide ALBHostName and ALBHostedZone above, put the HTTPS address of your LRS here, ie. `https://mydomain.com` to allow CORS requests. - DBAppUserName: Choose a desired database username for the application - DBAppUserPasswordPath: Use the name selected in Systems Manager for the App Password in Step 1 - - DBHost: Copy and paste the DBEndpoint Output from Step 3 - - DBInstanceSG: Select the DBInstanceSG Output from Step 3 - - DBMasterUserName: Must be the same value as in Step 3 - - DBMasterUserPasswordPath: Must be the same value as in Step 3 - - DBName: Must be the same value as in Step 3 - - DBPort: 3306 - DBSubnets: Select the two Private Subnets from Step 2 - DefaultAdminPass: Enter a temporary seed password for the LRS Admin login (for first login). - DefaultAdminUser: Enter initial seed username for LRS Admin Login From 127046c62b11988167f331e10703ce452ab5c5d8 Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Tue, 31 Jan 2023 14:27:26 -0500 Subject: [PATCH 13/22] formatting fixes --- dev-resources/template/2_lrs.yml | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/dev-resources/template/2_lrs.yml b/dev-resources/template/2_lrs.yml index 208f1f73d..03e12124f 100644 --- a/dev-resources/template/2_lrs.yml +++ b/dev-resources/template/2_lrs.yml @@ -124,7 +124,6 @@ Conditions: !Not [!Equals [!Ref InstanceKeyName, ""]] Resources: - # DB Initialization Function and custom resource to run it DBInitFn: @@ -142,7 +141,6 @@ Resources: - !Ref DBInitFnSG SubnetIds: !Ref DBSubnets - DBInitFnSG: Type: AWS::EC2::SecurityGroup Properties: 
@@ -264,10 +262,10 @@ Resources: Properties: AssumeRolePolicyDocument: Statement: - - Effect: Allow - Principal: - Service: [ec2.amazonaws.com] - Action: ["sts:AssumeRole"] + - Effect: Allow + Principal: + Service: [ec2.amazonaws.com] + Action: ["sts:AssumeRole"] Path: / ManagedPolicyArns: - !Ref InstancePolicy @@ -425,7 +423,7 @@ Resources: - "[]" mode: "000755" owner: root - + group: root "/lib/systemd/system/lrsql.service": content: !Sub | [Unit] @@ -475,14 +473,13 @@ Resources: - !Ref InstanceSG IamInstanceProfile: !Ref InstanceProfile UserData: - Fn::Base64: !Sub - | - #!/bin/bash -xe - echo 'Yet SQL LRS ${LrsVersion}' - # run configsets - /opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource LrsInstances --region ${AWS::Region} --configsets default - # signal CF - /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackId} --resource AutoScalingGroup --region ${AWS::Region} + Fn::Base64: !Sub | + #!/bin/bash -xe + echo 'Yet SQL LRS ${LrsVersion}' + # run configsets + /opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource LrsInstances --region ${AWS::Region} --configsets default + # signal CF + /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackId} --resource AutoScalingGroup --region ${AWS::Region} # Autoscaling Policies From 6dea98fece5e6da49cd726cf7e44e8bd242eb963 Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Tue, 31 Jan 2023 14:30:54 -0500 Subject: [PATCH 14/22] more formatting fixes --- dev-resources/template/1_db.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dev-resources/template/1_db.yml b/dev-resources/template/1_db.yml index 47696b11d..cb5049343 100644 --- a/dev-resources/template/1_db.yml +++ b/dev-resources/template/1_db.yml @@ -74,7 +74,6 @@ Conditions: !Not [!Equals [!Ref DBSnapshotIdentifier, ""]] Resources: - # PostgreSQL Database DBSubnetGroup: Description: Subnet group to allow instance access to db 
@@ -110,7 +109,7 @@ Resources: - DBSnapshotIdentifierProvided - !Ref AWS::NoValue - !Sub "{{resolve:ssm-secure:${DBMasterUserPasswordPath}:${DBMasterUserPasswordVersion}}}" - # DBClusterIdentifier: !Sub "${AWS::StackName}-db" + # DBClusterIdentifier: !Sub '${AWS::StackName}-db' BackupRetentionPeriod: !If - DBSnapshotIdentifierProvided - !Ref AWS::NoValue From 37205e089a5e82e9772b0f96750f52e305408ce3 Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Tue, 31 Jan 2023 14:32:43 -0500 Subject: [PATCH 15/22] updated doc strings --- dev-resources/template/1_db.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dev-resources/template/1_db.yml b/dev-resources/template/1_db.yml index cb5049343..0a99ec971 100644 --- a/dev-resources/template/1_db.yml +++ b/dev-resources/template/1_db.yml @@ -2,10 +2,10 @@ AWSTemplateFormatVersion: "2010-09-09" Description: "Postgres DB for SQL LRS" Parameters: VPCId: - Description: "VPC on which to run SQL LRS (if not provided, will attempt to use parameter VPC on VPCStackName)" + Description: "VPC on which to run SQL LRS" Type: AWS::EC2::VPC::Id DBSubnets: - Description: Subnets on which the DB is running (if no subnets are provided, will attempt to deploy with PrivateSubnetOne and PrivateSubnetTwo on the VPC provided via VPCStackName) + Description: Subnets on which the DB is running Type: List # Postgres From 867614e623032b6c5840919d5474840085abbac4 Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Wed, 1 Feb 2023 10:08:17 -0500 Subject: [PATCH 16/22] added DBStackName to docs --- doc/aws.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/aws.md b/doc/aws.md index 5fc410ced..d04e12843 100644 --- a/doc/aws.md +++ b/doc/aws.md 
@@ -91,6 +91,7 @@ This template deploys the application servers, the load balancer, and also a sma - ALBHostedZone: (Optional) Set the Hosted Zone ID if the domain registrar is Route53 to enable automatic DNS management - ALBSubnets: Choose the two Public Subnets from Step 2 - CORSAllowedOrigins: If you are using your own DNS and do not provide ALBHostName and ALBHostedZone above, put the HTTPS address of your LRS here, ie. `https://mydomain.com` to allow CORS requests. + - DBStackName: Choose the name of the stack deployed in Step 3 - DBAppUserName: Choose a desired database username for the application - DBAppUserPasswordPath: Use the name selected in Systems Manager for the App Password in Step 1 - DBSubnets: Select the two Private Subnets from Step 2 From 8c33026e3f8a90bb26bcd5d8f0b10a836f07b172 Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Wed, 1 Feb 2023 10:09:35 -0500 Subject: [PATCH 17/22] added InstanceSubnets as own param --- dev-resources/template/2_lrs.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dev-resources/template/2_lrs.yml b/dev-resources/template/2_lrs.yml index 03e12124f..dbd7b3a70 100644 --- a/dev-resources/template/2_lrs.yml +++ b/dev-resources/template/2_lrs.yml @@ -53,6 +53,9 @@ Parameters: Description: CIDR Range for SSH Access to instances (Typically VPC CIDR Range) Type: String Default: "172.147.0.0/16" + InstanceSubnets: + Description: Subnet on which to run the lrsql server + Type: List InstanceHttpPort: Description: Port on which the server runs HTTP Type: String @@ -516,7 +519,7 @@ Resources: AutoScalingGroup: Type: AWS::AutoScaling::AutoScalingGroup Properties: - VPCZoneIdentifier: !Ref DBSubnets + VPCZoneIdentifier: !Ref InstanceSubnets LaunchConfigurationName: !Ref LrsInstances MinSize: !Ref ASGMinSize MaxSize: !Ref ASGMaxSize From f4112ab6ffa5608f7f85a6ef1460f5c4ab9aefd3 Mon Sep 17 00:00:00 2001 
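Review bot: The `InstanceSSHCidr` default shown in context directly above the new `InstanceSubnets` parameter, `"172.147.0.0/16"`, is not RFC 1918 space (the private block is 172.16.0.0/12, i.e. 172.16–172.31), so the "Typically VPC CIDR Range" default actually whitelists a public /16 that can never be the VPC, and anyone who keeps it ships an SSH rule for addresses they do not own. Use a private range that matches the VPC's CIDR, e.g. `Default: "172.16.0.0/16"`, or better remove the default so the operator must set it, and add an `AllowedPattern` that accepts only a CIDR. The new parameter's description should also be plural and state the requirement, `Subnets (two, in different AZs) for the LRS application instances`; if those subnets are private they additionally need a NAT or VPC-endpoint route for the `cfn-init`/`cfn-signal` calls in UserData, which this series does not pin down.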
From: Henk Reder Date: Wed, 1 Feb 2023 10:46:10 -0500 Subject: [PATCH 18/22] set dbdeletion default to true --- dev-resources/template/1_db.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev-resources/template/1_db.yml b/dev-resources/template/1_db.yml index 0a99ec971..da132a1c5 100644 --- a/dev-resources/template/1_db.yml +++ b/dev-resources/template/1_db.yml @@ -58,7 +58,7 @@ Parameters: AllowedValues: - true - false - Default: false + Default: true Mappings: DBClusterParameterGroupMap: From c2acf07e55fd5860527b8919683e4c5fa1af35a6 Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Wed, 1 Feb 2023 10:53:53 -0500 Subject: [PATCH 19/22] reverted default db instance type to r4.large --- dev-resources/template/1_db.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev-resources/template/1_db.yml b/dev-resources/template/1_db.yml index da132a1c5..61ebaa68f 100644 --- a/dev-resources/template/1_db.yml +++ b/dev-resources/template/1_db.yml @@ -31,7 +31,7 @@ Parameters: DBInstanceClass: Description: For provisioned aurora, the instance class to use Type: String - Default: "db.t4g.medium" + Default: "db.r4.large" DBName: Description: PG Database name. Ignored if DBSnapshotIdentifier is provided Type: String From e0d190ce91168c22c1d99a61206f14b3da2646d8 Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Wed, 1 Feb 2023 11:21:05 -0500 Subject: [PATCH 20/22] removed default DBStackName --- dev-resources/template/2_lrs.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/dev-resources/template/2_lrs.yml b/dev-resources/template/2_lrs.yml index e166531b4..c35a7dbd1 100644 --- a/dev-resources/template/2_lrs.yml +++ b/dev-resources/template/2_lrs.yml @@ -11,7 +11,6 @@ Parameters: DBStackName: Description: DB Stack Reference Type: String - Default: yetadmin DBAppUserName: Description: Name of app db user Type: String From 84a3fd8e8aaf995eb84faa9df0e158cbe4f9113e Mon Sep 17 00:00:00 2001 
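Review bot: The parameter whose `Default` flips to `true` is named outside the hunk; the subject ("dbdeletion") and the true/false `AllowedValues` suggest it is the cluster's `DeletionProtection`, which is the right default for the stack holding the LRS data, but it has an operational consequence the docs in this series do not mention: `delete-stack` on the DB stack (and any teardown that depends on it) fails until the parameter is first updated to `false`. Add that to the Step 3 parameter list in doc/aws.md, e.g. `<parameter name>: leave true in production; update the stack with false before deleting it`, using the parameter's real name. A `Description` on the parameter saying the same would help operators who never read the doc.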
From: Henk Reder Date: Wed, 1 Feb 2023 11:23:24 -0500 Subject: [PATCH 21/22] updated docs on DBSubnets --- dev-resources/template/1_db.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev-resources/template/1_db.yml b/dev-resources/template/1_db.yml index 61ebaa68f..2cab03bf3 100644 --- a/dev-resources/template/1_db.yml +++ b/dev-resources/template/1_db.yml @@ -5,7 +5,7 @@ Parameters: Description: "VPC on which to run SQL LRS" Type: AWS::EC2::VPC::Id DBSubnets: - Description: Subnets on which the DB is running + Description: Subnets on which to run the DB initialization Lambda function Type: List # Postgres From 8c3944b45c6e5914ea1e3a8b7d5533f0d36bf6c0 Mon Sep 17 00:00:00 2001 From: Henk Reder Date: Wed, 1 Feb 2023 11:56:29 -0500 Subject: [PATCH 22/22] removed text fragment from cors stuff --- dev-resources/template/2_lrs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev-resources/template/2_lrs.yml b/dev-resources/template/2_lrs.yml index c35a7dbd1..31c9b7199 100644 --- a/dev-resources/template/2_lrs.yml +++ b/dev-resources/template/2_lrs.yml @@ -519,7 +519,7 @@ Resources: AllowedOrigins: !If - SetCORS - !Sub - - '["${JoinedAllowedOrigins}}"]' + - '["${JoinedAllowedOrigins}"]' - JoinedAllowedOrigins: !Join ['","', !Ref CORSAllowedOrigins] - !If - SetDNS
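Review bot: The new description on `DBSubnets` in 1_db.yml says the subnets run the DB initialization Lambda, but that function (`DBInitFn`) is defined in 2_lrs.yml with its own `DBSubnets` parameter, and as far as this series shows the only subnet consumer in the DB template is the RDS subnet group — so the text now appears to describe the other template, and would steer an operator toward Lambda-appropriate subnets for the cluster itself. Unless 1_db.yml also gained a Lambda in a commit not shown here, keep the description tied to the cluster, `Private subnets (two, in different AZs) for the RDS subnet group`, and put the Lambda wording on the 2_lrs.yml parameter instead.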
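Review bot: With the stray `}` gone, `AllowedOrigins` is still a JSON array hand-assembled from `CORSAllowedOrigins` by string join, so an entry containing `"` corrupts the JSON and a `*` entry is passed through verbatim, and nothing on the parameter guards against either; how lrsql treats `*` is not visible here, but with Basic-auth clients a wildcard origin is never what an operator wants. Add an `AllowedPattern` on `CORSAllowedOrigins` that restricts each entry to an `https://` origin, e.g. `AllowedPattern: ^https://[A-Za-z0-9.-]+(:[0-9]+)?$` (applied per entry when the parameter is a CommaDelimitedList, which the `!Join` suggests it is), so the generated JSON cannot be malformed. The values of the `SetDNS` branch fall outside the hunk.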