Differences

rb:aws-cli [25/09/2018 16:57]
andrew [Creating a new repo]
rb:aws-cli [04/09/2019 15:45] (current)
andrew [AWS CodeCommit]
Line 34: Line 34:
  
  
-AWS linux 2 does have a awscli tool in the linux repo, but it is not as recent as the pip installed one:-+AWS linux 2 does have a awscli tool in the linux repo, based on python2, but it is not as recent as the pip installed one, this is the python3 based version, check if you need py3 or py2 before installing:-
  
 <​code>​ <​code>​
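Review bot: the rewritten line is a run-on that mixes two facts; split it into one sentence about the repo package (python2 based, older) and one about the pip package (python3 based, newer), and name the interpreter whose pip is meant, since the version line in the next hunk reads ''Python/3.7.0rc1'' (so python3 -m pip, not whatever ''pip'' resolves to). Also 'a awscli' should be 'an awscli'.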
Line 48: Line 48:
 aws-cli/​1.16.15 Python/​3.7.0rc1 Linux/​4.14.47-64.38.amzn2.x86_64 botocore/​1.12.5 aws-cli/​1.16.15 Python/​3.7.0rc1 Linux/​4.14.47-64.38.amzn2.x86_64 botocore/​1.12.5
 [root@amazonlinux02 ~]# [root@amazonlinux02 ~]#
 +</​code>​
 +
 +
 +
 +===== Setting up profiles =====
 +
 +The ''​aws configure''​ command will set up a default profile, if you need to use different accounts or keys, these can be set in a named profile, the two files, ''​config''​ and ''​credentials''​ in ''​~/​.aws/''​ control this (needless to say, these are made up keys and secrets!):-
 +
 +config
 +<​code>​
 +[default]
 +output = text
 +
 +
 +[profile admin1]
 +role_arn = arn:​aws:​iam::​0123456781234:​role/​role_admin
 +source_profile = default
 +region = eu-west-1
 +
 +
 +[profile profile2]
 +region = eu-west-2
 +source_profile = default
 +output = text
 +</​code>​
 +
 +credentials
 +<​code>​
 +[default]
 +aws_access_key_id = QWERTYUIOPASDFGHKEYQ
 +aws_secret_access_key = HaMPb65IFf0bVoEiLSKEJtuCUo3490nWlrJBES9n
 +
 +
 +[profile2]
 +aws_access_key_id = QWERTYUIOPASDFGHKEYA
 +aws_secret_access_key = wifisUMegS9pY_tpOnQpSY0YJYSiqgeKneMWqqIa
 </​code>​ </​code>​
  
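Review bot: in ''[profile profile2]'' the ''source_profile = default'' line has no effect because that profile has no ''role_arn''; profile2 authenticates with its own keys from the ''[profile2]'' section of ''credentials'', so either drop ''source_profile'' or add the ''role_arn'' it is meant to chain from, otherwise a reader will assume the default keys are in play. Worth one sentence that the section header is ''[profile profile2]'' in ''config'' but plain ''[profile2]'' in ''credentials'': that asymmetry is what the CLI expects, and writing it the other way round makes the profile not resolve at all. The made-up ''role_arn'' account id ''0123456781234'' is 13 digits where AWS account ids are 12, so anyone copying the pattern gets an ARN validation error. Finally, ''[default]'' sets no ''region'', so commands run without ''--profile'' will be refused until a region comes from ''--region'' or the environment, and ''credentials'' holds long-term keys in clear text, so it should be mode 0600 and owned by the user.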
Line 78: Line 114:
 server:​~/​.aws$ server:​~/​.aws$
 </​code>​ </​code>​
 +
 +
 +==== Errors ====
 +
 +<​code>​
 +$ aws ec2 describe-instances --profile nonprod_admin
 +
 +An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid.
 +$
 +</​code>​
 +
 +This was solved by updating the ''​aws_access_key_id''​ and ''​aws_secret_access_key''​ in ~/​.aws/​credentials.
 +As it said "The security token included in the request is invalid."​ Obvious in hindsight.
 +===== Using roles and profiles with Boto3 =====
 +
 +''​boto3''​ is Amazon'​s python library to interface with the aws cli commands.
 +
 +A client needs to be set up, and for local cli usage, this needs to be linked with a profile as set above.
 +
 +<code python>
 +#​!/​usr/​bin/​env python
 +
 +import boto3
 +
 +profile = '​nonprod_admin'​
 +
 +# Create ec2 client
 +session = boto3.session.Session(profile_name=profile)
 +ec2 = session.client('​ec2'​)
 +
 +# Create SQS client
 +session = boto3.session.Session(profile_name=profile)
 +sqs = session.client('​sqs'​)
 +
 +</​code>​
 +
 +This client (ec2, sqs etc) can be used to set or retreive information as the user in the profile:-
 +
 +<code python>
 +AMIResponse = ec2.describe_images(Filters=[{'​Name':​ '​name',​ '​Values':​ [Regex]}, ], Owners=['​self'​])
 +</​code>​
 +
 ===== AWS CodeCommit ===== ===== AWS CodeCommit =====
  
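Review bot: the boto3 block builds the same ''Session(profile_name=profile)'' twice; create it once and take both clients from that one session, which is also the only object that should carry the profile. In the ''describe_images'' call, ''Regex'' is never defined in the snippet and the name misleads: the EC2 ''name'' filter matches glob-style wildcards (''*'' and ''?''), not regular expressions, so call it a name pattern. The description of ''boto3'' is inaccurate: it is the AWS SDK for Python and calls the service APIs directly (the ''aws'' CLI is built on the same botocore library); it does not drive the CLI commands. In the Errors section it is worth saying why the fix landed in ''credentials'': ''InvalidClientTokenId'' raised by the ''AssumeRole'' operation means the access key used to request the role was rejected before any role permission was evaluated, so the role side of the ''nonprod_admin'' profile was never the problem. Minor: 'retreive' should be 'retrieve', and a blank line is missing before the Boto3 heading.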
Line 94: Line 172:
 git config --global credential.UseHttpPath true git config --global credential.UseHttpPath true
 </​code>​ </​code>​
 +
 +Profiles can be defined per repository by using ''​--local''​ instead of ''​--global''​. ​
  
  
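Review bot: the added sentence should name the setting that carries the profile. The only line shown here, ''credential.UseHttpPath'', has nothing to do with profiles; it is the ''credential.helper'' entry (the ''aws codecommit credential-helper'' command with ''--profile'', as the next hunk describes) that selects the account, so say that the ''credential.helper'' entry can be set per repository with ''--local''. Also note that ''--local'' writes to the repository's own ''.git/config'', so it must be run inside the clone (after ''git clone'' for an existing repo), and that the per-repository value overrides the ''--global'' one.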
Line 108: Line 188:
 </​code>​ </​code>​
  
-My understanding is that ''​git''​ feeds a string of arguments to the credential-helper ($@) and consumes the string returned to forward on to CodeCommit as the user password. ​ As it is an ''​aws''​ command it can take the --profile option. Without that, the helper will try to return the IAM users credentials not the role's credentials,​ git will present these and it will pushes and pulls will fail with ''​fatal:​ unable to access <​xx-repo>​ : The requested URL returned error: 403''​+My understanding is that ''​git''​ feeds a string of arguments to the credential-helper ($@) and consumes the string returned to forward on to CodeCommit as the user password. ​ As it is an ''​aws''​ command it can take the ''​--profile'' ​option. Without that, the helper will try to return the IAM users credentials not the role's credentials,​ git will present these and it will pushes and pulls will fail with ''​fatal:​ unable to access <​xx-repo>​ : The requested URL returned error: 403''​
  
  
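Review bot: since this line is being rewritten anyway, fix the garbled ending: 'git will present these and it will pushes and pulls will fail' should read 'git will present those, and pushes and pulls will fail'; 'IAM users credentials' also wants the possessive, 'IAM user's credentials'. The explanation itself is sound: git runs the helper as a subprocess with its own arguments (''$@''), and whichever ''aws'' identity the helper resolves is what CodeCommit authorises, so a 403 is the expected symptom of the helper answering with the user's credentials instead of the role's. One clause worth adding: because ''--profile'' is baked into the helper command line, one global helper cannot serve two accounts, which is exactly what the ''--local'' note in the previous hunk addresses.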
Line 151: Line 231:
  
 See the [[rb:​git-cheatsheet|Git cheatsheet]] for adding files etc to the repo. See the [[rb:​git-cheatsheet|Git cheatsheet]] for adding files etc to the repo.
 +
 +
 +===== AWS Time Sync =====
 +
 +
 +Use 169.254.169.123 with ntp or chrony.
 +
 +  server 169.254.169.123 prefer iburst
 +
 +
 +
 +===== Getting info from within a running instance =====
 +
 +The 169.254.169.254 address allows access to metadata about an instance from within THAT instance, eg. :-
 +
 +<​code>​
 +[root@ip-172-31-21-109 ~]# curl http://​169.254.169.254/​latest/​meta-data/​ami-id
 +ami-0f1229ec7823be3db
 +[root@ip-172-31-21-109 ~]# 
 +
 +[root@ip-172-31-21-109 ~]# curl http://​169.254.169.254/​latest/​meta-data/​public-keys/​
 +0=AndrewAWS
 +[root@ip-172-31-21-109 ~]#
 +
 +[root@ip-172-31-21-109 ~]# curl http://​169.254.169.254/​latest/​meta-data/​network/​interfaces/​macs/​06:​b7:​e8:​98:​98:​0a/​public-hostname/​
 +ec2-34-244-253-26.eu-west-1.compute.amazonaws.com
 +[root@ip-172-31-21-109 ~]#
 +</​code>​
 +
 +
 +===== AWS cli =====
 +
 +<​code>​
 +[ec2-user@ip-10-96-10-231 ~]$ aws ec2 describe-instances --query '​Reservations[].Instances[].[InstanceId,​Tags[?​Key==`Name`].Value|[0],​ IamInstanceProfile.Arn]'​ --output table
 +-----------------------------------------------------------------------------------------------------------------------------------
 +|                                                        DescribeInstances ​                                                       |
 ++---------------------+---------------------------------+-------------------------------------------------------------------------+
 +|  i-0ec2f28f95c0b4396| ​ MadLib API Tier - AutoScaled ​  ​| ​ arn:​aws:​iam::​399862743030:​instance-profile/​MadLib-APIrole ​             |
 +|  i-0fd0f2f4e072463b0| ​ MadLib Save Tier - AutoScaled ​ |  arn:​aws:​iam::​399862743030:​instance-profile/​MadLib-Saverole ​            |
 +|  i-0ac39407f3b79e43b| ​ MadLib API Tier - AutoScaled ​  ​| ​ arn:​aws:​iam::​399862743030:​instance-profile/​MadLib-APIrole ​             |
 +|  i-0eba4f6906abf1833| ​ MadLib Web Tier - AutoScaled ​  ​| ​ arn:​aws:​iam::​399862743030:​instance-profile/​MadLib-AppRole ​             |
 +|  i-0b558db478ac2bdbc| ​ CommandHost ​                   |  arn:​aws:​iam::​399862743030:​instance-profile/​CommandHostInstanceProfile ​ |
 +|  i-09a53d2758f4d749d| ​ MadLib Web Tier - AutoScaled ​  ​| ​ arn:​aws:​iam::​399862743030:​instance-profile/​MadLib-AppRole ​             |
 +|  i-03804db70790dc0ed| ​ MadLib Save Tier - AutoScaled ​ |  arn:​aws:​iam::​399862743030:​instance-profile/​MadLib-Saverole ​            |
 ++---------------------+---------------------------------+-------------------------------------------------------------------------+
 +[ec2-user@ip-10-96-10-231 ~]$ 
 +
 +[ec2-user@ip-10-96-10-231 ~]$ aws ec2 describe-instances --filter "​Name=tag:​Name,​Values=MadLib Save*" --query '​Reservations[].Instances[].[InstanceId,​Tags[?​Key==`Name`].Value|[0],​ IamInstanceProfile.Arn]'​ --output table
 +------------------------------------------------------------------------------------------------------------------------
 +|                                                   ​DescribeInstances ​                                                 |
 ++---------------------+---------------------------------+--------------------------------------------------------------+
 +|  i-0fd0f2f4e072463b0| ​ MadLib Save Tier - AutoScaled ​ |  arn:​aws:​iam::​399862743030:​instance-profile/​MadLib-Saverole ​ |
 +|  i-03804db70790dc0ed| ​ MadLib Save Tier - AutoScaled ​ |  arn:​aws:​iam::​399862743030:​instance-profile/​MadLib-Saverole ​ |
 ++---------------------+---------------------------------+--------------------------------------------------------------+
 +[ec2-user@ip-10-96-10-231 ~]$ 
 +</​code>​
 +
 +
 +<​code>​
 +[ec2-user@ip-10-96-10-231 ~]$ aws ec2 describe-instances --filter "​Name=tag:​Name,​Values=MadLib Web*" --query '​Reservations[0].Instances[0].IamInstanceProfile.Arn'​ --output text
 +arn:​aws:​iam::​399862743030:​instance-profile/​MadLib-AppRole
 +[ec2-user@ip-10-96-10-231 ~]$
 +
 +
 +[ec2-user@ip-10-96-10-231 ~]$ appROLEARN=$(aws ec2 describe-instances --filter "​Name=tag:​Name,​Values=MadLib Web*" --query '​Reservations[0].Instances[0].IamInstanceProfile.Arn'​ --output text)
 +[ec2-user@ip-10-96-10-231 ~]$ 
 +
 +[ec2-user@ip-10-96-10-231 ~]$ echo ${appROLEARN}
 +arn:​aws:​iam::​399862743030:​instance-profile/​MadLib-AppRole
 +[ec2-user@ip-10-96-10-231 ~]$ 
 +
 +[ec2-user@ip-10-96-10-231 ~]$ aws iam list-instance-profiles --query "​InstanceProfiles[?​Arn=='​$appROLEARN'​]"​
 +[
 +    {
 +        "​InstanceProfileId":​ "​AIPAJJGZDTBTYGJDSLFVM", ​
 +        "​Roles":​ [
 +            {
 +                "​AssumeRolePolicyDocument":​ {
 +                    "​Version":​ "​2008-10-17", ​
 +                    "​Statement":​ [
 +                        {
 +                            "​Action":​ "​sts:​AssumeRole", ​
 +                            "​Effect":​ "​Allow", ​
 +                            "​Principal":​ {
 +                                "​Service":​ "​ec2.amazonaws.com"​
 +                            }
 +                        }
 +                    ]
 +                }, 
 +                "​RoleId":​ "​AROAJ7OSABF7346MV6RIY", ​
 +                "​CreateDate":​ "​2018-10-09T08:​06:​50Z", ​
 +                "​RoleName":​ "​qls-1577787-84859361afe35637-AppLayerWebSi-AppRole-5CZ1MUJYE8Y4", ​
 +                "​Path":​ "/", ​
 +                "​Arn":​ "​arn:​aws:​iam::​399862743030:​role/​qls-1577787-84859361afe35637-AppLayerWebSi-AppRole-5CZ1MUJYE8Y4"​
 +            }
 +        ], 
 +        "​CreateDate":​ "​2018-10-09T08:​07:​07Z", ​
 +        "​InstanceProfileName":​ "​MadLib-AppRole", ​
 +        "​Path":​ "/", ​
 +        "​Arn":​ "​arn:​aws:​iam::​399862743030:​instance-profile/​MadLib-AppRole"​
 +    }
 +]
 +[ec2-user@ip-10-96-10-231 ~]$ 
 +
 +
 +[ec2-user@ip-10-96-10-231 ~]$ aws iam list-instance-profiles --query "​InstanceProfiles[?​Arn=='​$appROLEARN'​].Roles[0].RoleName"​
 +[
 +    "​qls-1577787-84859361afe35637-AppLayerWebSi-AppRole-5CZ1MUJYE8Y4"​
 +]
 +[ec2-user@ip-10-96-10-231 ~]$
 +
 +
 +[ec2-user@ip-10-96-10-231 ~]$ appROLENAME=$(aws iam list-instance-profiles --query "​InstanceProfiles[?​Arn=='​$appROLEARN'​].Roles[0].RoleName"​ --output text)
 +[ec2-user@ip-10-96-10-231 ~]$ aws iam list-role-policies --role-name ${appROLENAME}
 +{
 +    "​PolicyNames":​ [
 +        "​MabLib-App-Policy"​
 +    ]
 +}
 +[ec2-user@ip-10-96-10-231 ~]$ appPOLNAME=$(aws iam list-role-policies --role-name ${appROLENAME} --query PolicyNames[] --output text)
 +[ec2-user@ip-10-96-10-231 ~]$ 
 +[ec2-user@ip-10-96-10-231 ~]$ aws iam get-role-policy --role-name ${appROLENAME} --policy-name ${appPOLNAME}
 +{
 +    "​RoleName":​ "​qls-1577787-84859361afe35637-AppLayerWebSi-AppRole-5CZ1MUJYE8Y4", ​
 +    "​PolicyDocument":​ {
 +        "​Statement":​ [
 +            {
 +                "​Action":​ [
 +                    "​s3:​List*", ​
 +                    "​s3:​Get*"​
 +                ], 
 +                "​Resource":​ "​*", ​
 +                "​Effect":​ "​Allow"​
 +            }
 +        ]
 +    }, 
 +    "​PolicyName":​ "​MabLib-App-Policy"​
 +}
 +[ec2-user@ip-10-96-10-231 ~]$ 
 +</​code>​
 +
 +
 +
 +<​code>​
 +[ec2-user@ip-10-96-10-231 ~]$ aws deploy list-applications
 +{
 +    "​applications":​ [
 +        "​qls-1577787-84859361afe35637-AppLayerWebSite-1P4CE84PXN67F-MadLibsSite-1AG3943MCP2N9", ​
 +        "​qls-1577787-84859361afe35637-AppStackAPI-FO024805JDNG-MadLibsAPI-1Q30CGWVEPZDA", ​
 +        "​qls-1577787-84859361afe35637-AppStackSave-1O3LTSI3CAKLB-MadLibsSave-XM6SBRZK607M"​
 +    ]
 +}
 +[ec2-user@ip-10-96-10-231 ~]$ aws deploy list-deployments
 +{
 +    "​deployments":​ [
 +        "​d-W13R99NVV", ​
 +        "​d-Y639UTFVV", ​
 +        "​d-EAQ1SUMVV"​
 +    ]
 +}
 +[ec2-user@ip-10-96-10-231 ~]$ DEPLOYARRAY=$(aws deploy list-deployments --output text)
 +[ec2-user@ip-10-96-10-231 ~]$ IFS=' ' read -r -a DEPLOYID <<<​ $DEPLOYARRAY
 +[ec2-user@ip-10-96-10-231 ~]$ echo "​${DEPLOYID[1]}"​
 +d-W13R99NVV
 +[ec2-user@ip-10-96-10-231 ~]$ echo "​${DEPLOYID[3]}"​
 +d-Y639UTFVV
 +[ec2-user@ip-10-96-10-231 ~]$ echo "​${DEPLOYID[5]}"​
 +d-EAQ1SUMVV
 +[ec2-user@ip-10-96-10-231 ~]$ 
 +[ec2-user@ip-10-96-10-231 ~]$ aws deploy list-deployment-instances --deployment-id ${DEPLOYID[1]}
 +{
 +    "​instancesList":​ [
 +        "​i-09a53d2758f4d749d", ​
 +        "​i-0eba4f6906abf1833"​
 +    ]
 +}
 +[ec2-user@ip-10-96-10-231 ~]$ aws ec2 describe-instances --filter "​Name=tag:​Name,​Values=MadLib*"​ --query '​Reservations[].Instances[].[InstanceId,​ Tags[?​Key==`Name`].Value | [0]]' --output table
 +----------------------------------------------------------
 +|                    DescribeInstances ​                  |
 ++----------------------+---------------------------------+
 +|  i-0ec2f28f95c0b4396 |  MadLib API Tier - AutoScaled ​  |
 +|  i-0fd0f2f4e072463b0 |  MadLib Save Tier - AutoScaled ​ |
 +|  i-0ac39407f3b79e43b |  MadLib API Tier - AutoScaled ​  |
 +|  i-0eba4f6906abf1833 |  MadLib Web Tier - AutoScaled ​  |
 +|  i-09a53d2758f4d749d |  MadLib Web Tier - AutoScaled ​  |
 +|  i-03804db70790dc0ed |  MadLib Save Tier - AutoScaled ​ |
 ++----------------------+---------------------------------+
 +[ec2-user@ip-10-96-10-231 ~]$
 +
 +
 +[ec2-user@ip-10-96-10-231 ~]$ aws deploy get-deployment --deployment-id ${DEPLOYID[1]}
 +{
 +    "​deploymentInfo":​ {
 +        "​applicationName":​ "​qls-1577787-84859361afe35637-AppLayerWebSite-1P4CE84PXN67F-MadLibsSite-1AG3943MCP2N9", ​
 +        "​status":​ "​Succeeded", ​
 +        "​deploymentOverview":​ {
 +            "​Skipped":​ 0, 
 +            "​Succeeded":​ 2, 
 +            "​Failed":​ 0, 
 +            "​Ready":​ 0, 
 +            "​InProgress":​ 0, 
 +            "​Pending":​ 0
 +        }, 
 +        "​description":​ "​[CFN-DSHWMLJA] Deploying App MadLibs-Site Version-1.0\n", ​
 +        "​deploymentConfigName":​ "​MadLibs-Site", ​
 +        "​creator":​ "​user", ​
 +        "​fileExistsBehavior":​ "​DISALLOW", ​
 +        "​deploymentId":​ "​d-W13R99NVV", ​
 +        "​deploymentStatusMessages":​ [], 
 +        "​ignoreApplicationStopFailures":​ true, 
 +        "​autoRollbackConfiguration":​ {
 +            "​enabled":​ false
 +        }, 
 +        "​deploymentStyle":​ {
 +            "​deploymentType":​ "​IN_PLACE", ​
 +            "​deploymentOption":​ "​WITHOUT_TRAFFIC_CONTROL"​
 +        }, 
 +        "​updateOutdatedInstancesOnly":​ false, ​
 +        "​instanceTerminationWaitTimeStarted":​ false, ​
 +        "​computePlatform":​ "​Server", ​
 +        "​deploymentGroupName":​ "​WebAppDeplyGroup", ​
 +        "​createTime":​ 1539072614.847, ​
 +        "​completeTime":​ 1539072703.42, ​
 +        "​revision":​ {
 +            "​revisionType":​ "​S3", ​
 +            "​s3Location":​ {
 +                "​bundleType":​ "​zip", ​
 +                "​bucket":​ "​us-east-1-tcprod", ​
 +                "​key":​ "​courses/​AWS-200-DOP/​v2.1.5/​lab-1-CLI/​scripts/​MadLibs-WebSite-Package.zip"​
 +            }
 +        }
 +    }
 +}
 +[ec2-user@ip-10-96-10-231 ~]$ 
 +
 +</​code>​
 +
 +
 +===== Cloud Formation =====
 +
 +
 +<​code>​
 +[ec2-user@ip-10-96-10-231 ~]$ aws cloudformation get-template --stack-name qls-1577787-84859361afe35637-AppLayerWebSite-1P4CE84PXN67F --query TemplateBody --output text
 +AWSTemplateFormatVersion:​ "​2010-09-09"​
 +Description:​ >
 +  Template to build the Web Tier for Lab 1
 +Parameters:
 +  VPCID:
 +    Description:​ VPC ID from the Base Networking Stack
 +    Type: String
 +  PUBSUBA:
 +    Description:​ Public Subnet A ID
 +    Type: String
 +  PUBSUBB:
 +    Description:​ Public Subnet B ID
 +    Type: String
 +  AppNamePram:​
 +    Description:​ App Being Installed
 +    Type: String
 +  AppVerPram:
 +    Description:​ "App Verson"​
 +    Type: String
 +  CodeBucketPram:​
 +    Description:​ "​Bucket Name that the Application Package is Saved"
 +    Type: String
 +  CodeObjectKeyPram:​
 +    Description:​ "​Object Key to be Installed"​
 +    Type: String
 +# Calling out the CORRECT version of the package to be installed via CodeDeploy
 +# Help fight the eventual consistency of S3
 +#  CodePackageETagPram:​
 +#    Description:​ "Etag of the Package to be installed"​
 +#    Type: String
 +  KeyName:
 +    Type: AWS::​EC2::​KeyPair::​KeyName
 +    Description:​ Keyname for the keypair that Qwiklab will use to launch EC2 instances
 +  ApiElbDns:
 +    Type: String
 +    Description:​ The DNS Name of the ELB in Front of the API Tier
 +  SaveElbDns:
 +    Type: String
 +    Description:​ The DNS Name of the ELB in Front of the Save Tier
 +Mappings:
 +  AmazonLinuxAMI:​
 +    us-east-1:
 +      AMI: ami-08111162
 +    us-east-2:
 +      AMI: ami-06547163
 +    us-west-1:
 +      AMI: ami-1b0f7d7b
 +    us-west-2:
 +      AMI: ami-f0091d91
 +    eu-west-1:
 +      AMI: ami-31328842
 +    eu-central-1:​
 +      AMI: ami-e2df388d
 +    ap-northeast-1:​
 +      AMI: ami-f80e0596
 +    ap-northeast-2:​
 +      AMI: ami-6598510b
 +    ap-southeast-1:​
 +      AMI: ami-c9b572aa
 +    ap-southeast-2:​
 +      AMI: ami-f2210191
 +    sa-east-1:
 +      AMI: ami-1e159872
 +Resources:
 +# Networking
 +  AppTierSG:
 +    Type: AWS::​EC2::​SecurityGroup
 +    DependsOn:
 +      - MadLibSiteELB
 +    Properties:
 +     ​GroupDescription:​ Security Group for Web Tier
 +     ​VpcId:​ !Ref VPCID
 +     Tags:
 +       - Key: "​Name"​
 +         ​Value:​ "​MadLib Web Tier SG"
 +       - Key: "​ENV"​
 +         ​Value:​ "​Production"​
 +       - Key: "​App"​
 +         ​Value:​ "​MadLib Site"
 +     ​SecurityGroupIngress:​
 +       - IpProtocol: tcp
 +         ​FromPort:​ 22
 +         ​ToPort:​ 22
 +         ​CidrIp:​ 0.0.0.0/0
 +       - IpProtocol: tcp
 +         ​FromPort:​ 80
 +         ​ToPort:​ 80
 +         ​SourceSecurityGroupId:​ !Ref ELBsg
 +  ELBsg:
 +    Type: AWS::​EC2::​SecurityGroup
 +    Properties:
 +     ​GroupDescription:​ Security Group Web Tier ELB
 +     ​VpcId:​ !Ref VPCID
 +     Tags:
 +       - Key: "​Name"​
 +         ​Value:​ "ELB SG"
 +       - Key: "​ENV"​
 +         ​Value:​ "​Production"​
 +       - Key: "​App"​
 +         ​Value:​ "​Madlib Site - Public"​
 +     ​SecurityGroupIngress:​
 +       - IpProtocol: tcp
 +         ​FromPort:​ 80
 +         ​ToPort:​ 80
 +         ​CidrIp:​ 0.0.0.0/0
 +  MadLibSiteELB:​
 +    Type: "​AWS::​ElasticLoadBalancing::​LoadBalancer"​
 +    DependsOn:
 +      - ELBsg
 +    Properties:
 +      CrossZone: true
 +      HealthCheck:​
 +        HealthyThreshold:​ 2
 +        Interval: 60
 +        Target: HTTP:​80/​site/​index.html
 +        Timeout: 59
 +        UnhealthyThreshold:​ 10
 +      LoadBalancerName:​ MadLib-Site
 +      Listeners:
 +        - InstancePort:​ 80
 +          InstanceProtocol:​ HTTP
 +          LoadBalancerPort:​ 80
 +          Protocol: HTTP
 +      Scheme: internet-facing
 +      SecurityGroups:​
 +        - !Ref ELBsg
 +      Subnets:
 +        - !Ref PUBSUBA
 +        - !Ref PUBSUBB
 +
 +# IAM Setup
 +  CodeDeployRole:​
 +    Type: "​AWS::​IAM::​Role"​
 +    Properties:
 +      AssumeRolePolicyDocument:​
 +        Statement:
 +          - Effect: "​Allow"​
 +            Principal:
 +              Service:
 +                - '​codedeploy.amazonaws.com'​
 +            Action:
 +              - '​sts:​AssumeRole'​
 +
 +      Path: '/'​
 +      Policies:
 +        - PolicyName: "​CodeDeployRole"​
 +          PolicyDocument:​
 +            Statement:
 +              - Effect: "​Allow"​
 +                Action: ['​autoscaling:​CompleteLifecycleAction',​
 +                    '​autoscaling:​DeleteLifecycleHook',​
 +                    '​autoscaling:​DescribeAutoScalingGroups',​
 +                    '​autoscaling:​DescribeLifecycleHooks',​
 +                    '​autoscaling:​PutLifecycleHook',​
 +                    '​autoscaling:​RecordLifecycleActionHeartbeat',​
 +                    '​autoscaling:​CreateAutoScalingGroup',​
 +                    '​autoscaling:​UpdateAutoScalingGroup',​
 +                    '​autoscaling:​EnableMetricsCollection',​
 +                    '​autoscaling:​DescribeAutoScalingGroups',​
 +                    '​autoscaling:​DescribePolicies',​
 +                    '​autoscaling:​DescribeScheduledActions',​
 +                    '​autoscaling:​DescribeNotificationConfigurations',​
 +                    '​autoscaling:​DescribeLifecycleHooks',​
 +                    '​autoscaling:​SuspendProcesses',​
 +                    '​autoscaling:​ResumeProcesses',​
 +                    '​autoscaling:​AttachLoadBalancers',​
 +                    '​autoscaling:​PutScalingPolicy',​
 +                    '​autoscaling:​PutScheduledUpdateGroupAction',​
 +                    '​autoscaling:​PutNotificationConfiguration',​
 +                    '​autoscaling:​PutLifecycleHook',​
 +                    '​autoscaling:​DescribeScalingActivities',​
 +                    '​autoscaling:​DeleteAutoScalingGroup',​
 +                    '​ec2:​DescribeInstances',​
 +                    '​ec2:​DescribeInstanceStatus',​
 +                    '​ec2:​TerminateInstances',​
 +                    '​tag:​GetTags',​
 +                    '​tag:​GetResources',​
 +                    '​sns:​Publish',​
 +                    '​cloudwatch:​DescribeAlarms',​
 +                    '​elasticloadbalancing:​DescribeLoadBalancers',​
 +                    '​elasticloadbalancing:​DescribeInstanceHealth',​
 +                    '​elasticloadbalancing:​RegisterInstancesWithLoadBalancer',​
 +                    '​elasticloadbalancing:​DeregisterInstancesFromLoadBalancer'​]
 +                Resource:
 +                  '​*'​
 +  AppRole:
 +    Type: "​AWS::​IAM::​Role"​
 +    Properties:
 +      AssumeRolePolicyDocument:​
 +        Statement:
 +          - Effect: "​Allow"​
 +            Principal:
 +              Service:
 +                - '​ec2.amazonaws.com'​
 +            Action:
 +              - '​sts:​AssumeRole'​
 +
 +      Path: '/'​
 +      Policies:
 +        - PolicyName: MabLib-App-Policy
 +          PolicyDocument:​
 +            Statement:
 +            - Effect: Allow
 +              Action: ['​s3:​List*',​
 +                  '​s3:​Get*'​]
 +              Resource:
 +                '​*'​
 +# Code Deploy
 +  InstProfMadLibSite:​
 +   Type: "​AWS::​IAM::​InstanceProfile"​
 +   ​DependsOn:​
 +     - AppRole
 +   ​Properties:​
 +     ​Roles:​
 +       - !Ref AppRole
 +     ​InstanceProfileName:​ MadLib-AppRole
 +  MadLibsSite:​
 +    Type: "​AWS::​CodeDeploy::​Application"​
 +  WebAppDeplyGroup:​
 +    Type: "​AWS::​CodeDeploy::​DeploymentGroup"​
 +    DependsOn:
 +      - MadLibsSite
 +      - CodeDeployRole
 +    Properties:
 +    #  AlarmConfiguration:​
 +    #    AlarmConfiguration
 +      ApplicationName:​ !Ref MadLibsSite
 +      DeploymentConfigName:​ !Ref WebAppDeplyConfig
 +      DeploymentGroupName:​ WebAppDeplyGroup
 +      AutoScalingGroups:​
 +        - !Ref WebServersAutoScalingGroup
 +      Deployment:
 +        Description:​
 +          !Sub |
 +          Deploying App ${AppNamePram} Version-${AppVerPram}
 +        IgnoreApplicationStopFailures:​ true
 +        Revision:
 +          RevisionType:​ S3
 +          S3Location:
 +            Bucket: !Ref CodeBucketPram
 +            Key: !Ref CodeObjectKeyPram
 +            BundleType: Zip
 +    # Would Suggest you use this feature to ensure that the correct package gets deployed
 +    #      ETag: !Ref CodePackageETagPram
 +      Ec2TagFilters:​
 +        - Key: App
 +          Value: !Ref AppNamePram
 +          Type: "​KEY_AND_VALUE"​
 +      ServiceRoleArn:​ !GetAtt CodeDeployRole.Arn
 +  WebAppDeplyConfig:​
 +    Type: "​AWS::​CodeDeploy::​DeploymentConfig"​
 +    DependsOn:
 +      - MadLibsSite
 +    Properties:
 +      DeploymentConfigName:​ !Ref AppNamePram
 +      MinimumHealthyHosts:​
 +        Type: "​FLEET_PERCENT"​
 +        Value: 50
 +  WebServersAutoScalingGroup:​
 +    Type: "​AWS::​AutoScaling::​AutoScalingGroup"​
 +    DependsOn:
 +      - WebServersLaunchConfig
 +      - AppTierSG
 +      - MadLibSiteELB
 +    UpdatePolicy:​
 +      AutoScalingReplacingUpdate:​
 +        WillReplace:​ '​true'​
 +    Properties:
 +      Cooldown: 60
 +      DesiredCapacity:​ 2
 +      HealthCheckGracePeriod:​ 60
 +      LaunchConfigurationName:​ !Ref WebServersLaunchConfig
 +      LoadBalancerNames:​
 +        - !Ref MadLibSiteELB
 +      MaxSize: 4
 +      MinSize: 1
 +      VPCZoneIdentifier:​
 +        - !Ref PUBSUBA
 +        - !Ref PUBSUBB
 +      Tags:
 +       - Key: "​Name"​
 +         ​Value:​ "​MadLib Web Tier - AutoScaled"​
 +         ​PropagateAtLaunch:​ true
 +       - Key: "​ENV"​
 +         ​Value:​ "​Prod"​
 +         ​PropagateAtLaunch:​ true
 +       - Key: "​App"​
 +         ​Value:​ !Ref AppNamePram
 +         ​PropagateAtLaunch:​ true
 +
 +  # AutoScaling
 +  WebServersLaunchConfig:​
 +    Type: "​AWS::​AutoScaling::​LaunchConfiguration"​
 +    DependsOn:
 +      - AppTierSG
 +      - AppRole
 +    Properties:
 +      IamInstanceProfile:​ !Ref InstProfMadLibSite
 +      ImageId: !FindInMap [AmazonLinuxAMI,​ !Ref "​AWS::​Region",​ AMI]
 +      InstanceMonitoring:​ true
 +      InstanceType:​ t2.micro
 +      KeyName: !Ref KeyName
 +      SecurityGroups:​
 +        - !Ref AppTierSG
 +      UserData:
 +        '​Fn::​Base64':​
 +          !Sub |
 +            #!/bin/bash -ex
 +
 +            # Env Setup
 +            echo "​export APITierELBDNS=${ApiElbDns}"​ >> ~/.bashrc
 +            echo "​export SaveTierELBDNS=${SaveElbDns}"​ >> ~/.bashrc
 +            source ~/.bashrc
 +
 +            # Updates & Install
 +            yum update -y
 +            yum install -y ruby wget
 +
 +            cd /​home/​ec2-user
 +            wget https://​aws-codedeploy-${AWS::​Region}.s3.amazonaws.com/​latest/​install
 +            chmod +x ./install
 +
 +            ./install auto
 +Outputs:
 +  WebTierDNS:
 +    Description:​ "DNS Name for the ELB infront of the Site Tier"
 +    Value: !GetAtt MadLibSiteELB.DNSName
 +
 +[ec2-user@ip-10-96-10-231 ~]$ 
 +</​code>​
 +
 +
 +
  

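Review bot: several things in this block deserve a line of caution before anyone copies it. In the CloudFormation template, ''AppTierSG'' opens port 22 to ''CidrIp: 0.0.0.0/0'' (the ''FromPort: 22'' ingress rule); the fleet is only reachable through the ELB on port 80, so SSH ingress should be limited to the ''CommandHost'' security group or an admin CIDR, the same way port 80 is already restricted with ''SourceSecurityGroupId: !Ref ELBsg''. Both ''CodeDeployRole'' and ''AppRole'' use ''Resource: '*''': the app role only needs ''s3:Get*''/''s3:List*'' on the package bucket, which the deployment output above identifies as ''us-east-1-tcprod'', and the CodeDeploy action list repeats ''autoscaling:DescribeAutoScalingGroups'', ''autoscaling:DescribeLifecycleHooks'' and ''autoscaling:PutLifecycleHook'', so it wants deduplicating. UserData fetches ''https://aws-codedeploy-${AWS::Region}.s3.amazonaws.com/latest/install'' and runs it as root with no checksum or signature check; either note that or pin a known version and verify it. The examples under 'Getting info from within a running instance' send plain GETs to 169.254.169.254 with no session token (the original IMDSv1 style); anything that can make the instance issue an HTTP request, an SSRF in the web tier for example, gets the same answers, including the credentials of the instance profile listed in the ''IamInstanceProfile.Arn'' column, so the section should mention the token-based IMDSv2 flow and that an instance can be configured to require it. In the AWS cli block, reading ''${DEPLOYID[1]}'', ''[3]'' and ''[5]'' works only because the unquoted ''<<< $DEPLOYARRAY'' here-string happened to collapse the tab- and newline-separated text output into one space-separated line; that depends on the shell's here-string handling, whereas ''aws deploy list-deployments --query 'deployments[]' --output text'' read through a quoted here-string gives the ids at indices 0, 1 and 2 reliably. Minor: the Time Sync line should say which file it goes in (''/etc/chrony.conf'' or ''/etc/ntp.conf''), and 'Cloud Formation' is one word, CloudFormation.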
rb/aws-cli.1537891075.txt.gz · Last modified: 25/09/2018 16:57 by andrew