2 changes: 1 addition & 1 deletion bin/create-ec2-machine-database.sh
Expand Up @@ -58,4 +58,4 @@ aws ec2 describe-instances \
--instance-ids $INSTANCE_ID \
--query 'Reservations[0].Instances[0].PublicIpAddress'

rm -f $INSTANCE_ID_FILE
rm -f $INSTANCE_ID_FILE
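Review bot: the removed and added lines at the end of this hunk are textually identical (`rm -f $INSTANCE_ID_FILE`), so the change is whitespace or a trailing newline; say so in the commit message so reviewers do not hunt for a behavioural difference. While touching the line, quote the expansion as `rm -f "$INSTANCE_ID_FILE"` (and `--instance-ids "$INSTANCE_ID"` a few lines above it): with an unset variable the unquoted form silently runs `rm -f` with no operand, and a value containing whitespace would be split into several paths.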
2 changes: 1 addition & 1 deletion bin/ec2-profile-database-development.sh
Expand Up @@ -7,4 +7,4 @@ KEYNAME='hackoregon-2018-database-dev-env'
REGION='us-west-2'
SECURITYGROUPIDS='sg-28154957'
SUBNETID='subnet-8794fddf'
VOLUMESIZE='8'
VOLUMESIZE='8'
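Review bot: the only visible difference in this hunk is again whitespace (`VOLUMESIZE='8'` is removed and re-added unchanged). The values in this profile (`SECURITYGROUPIDS='sg-28154957'`, `SUBNETID='subnet-8794fddf'`, `KEYNAME='hackoregon-2018-database-dev-env'`) are duplicated verbatim as hard-coded literals in infrastructure/ec2-db.yaml in the same PR; consider having one side read them from the other so the two copies cannot drift.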
108 changes: 108 additions & 0 deletions infrastructure/ec2-db.yaml
@@ -0,0 +1,108 @@
# Itention:
# Create a ec2 instance that has read permission to the existing s3 instance(s)

# USAGE:
# Run:
# aws cloudformation create-stack --stack-name <stack name here> --template-body file:///absolute/path/to/this-file.yaml --capabilities CAPABILITY_NAMED_IAM

# TODO:
# - separate parameters into a file
# - write wrapper for the aws cli command


---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS CloudFormation to create a ec2 instance that has read permission to the existing s3 instance(s)'

Parameters:

InstanceType:
Description: Instance type used to build the machine(s)
Type: String
Default: t2.micro

ImageId:
Description: AMI ID used to build the machine(s)
Type: String
Default: ami-7f43f307

AvailabilityZone:
Description: Avalaibility Zone to deploy within (different than region)
Type: String
Default: us-west-2a

SubnetId:
Description: Subnet's ID to be located at
Type: String
Default: subnet-8794fddf

SecurityGroupId:
Description: The Security Groups to use for the EC2 hosts
Type: String
Default: sg-28154957

Resources:

DBInstance:
Type: AWS::EC2::Instance
Properties:
InstanceType: t2.micro # !Ref InstanceType
ImageId: ami-7f43f307 # !Ref ImageId
SecurityGroupIds:
-
sg-28154957 # !Ref SecurityGroupId
AvailabilityZone: us-west-2a # !Ref AvailabilityZone
SubnetId: subnet-8794fddf # !Ref SubnetId
IamInstanceProfile:
!Ref InstanceProfile
BlockDeviceMappings:
-
DeviceName: /dev/sdb # !Ref DeviceName
Ebs:
VolumeType: gp2 # !Ref VolumeType
VolumeSize: 8 # !Ref VolumeSize
DeleteOnTermination: True # False # !Ref DeleteOnTermination
KeyName: hackoregon-2018-database-dev-env # !Ref KeyName
Tags:
-
Key: Name
Value: DB # !Ref InstanceName

Role:
Type: AWS::IAM::Role
Properties:
RoleName: db-role
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- ec2.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
#Policies:
# - !Ref RolePolicies

RolePolicies:
Type: AWS::IAM::Policy
Properties:
PolicyName: ec2-read-s3-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- "s3:GetObject"
- "s3:ListBucket"
Resource: "*"
Contributor

The existing policy is slightly different and limited to only one bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::hacko-data-archive/*"
            ]
        }
    ]
}

Contributor Author

@khashf khashf Apr 13, 2018

Thanks, @DingoEatingFuzz. Yes, I was aware of this. I wasn't sure which bucket to select, so I left it a wildcard for easier testing. Patches incoming in a few mins.

Contributor Author

@khashf khashf Apr 13, 2018

@DingoEatingFuzz : Updated.
Is it ok if I limit the allowed actions to the 2 following ones?

Action: 
   - "s3:GetObject"
   - "s3:ListBucket"

Contributor

Potentially. Depends on whether or not the box will also be writing back to the bucket. I defer to @MikeTheCanuck

Contributor

For now let's just leave it as read-only, but be prepared to generate a similar policy for whatever strategy we happen to use for backups. I'm conflicted on whether backups would be appropriate to write to the hacko-data-archive bucket, otherwise no reason I can think of to open it for writes.
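A read-only policy scoped the way the thread settles on (one bucket, list and get only), as an added example and not the PR's own resource: it keeps the PR's `RolePolicies`, `Role` and `ec2-read-s3-policy` names, assumes the bucket name hacko-data-archive quoted earlier in the review, and wires the bucket name through a parameter instead of a literal. The two statements are needed because `s3:ListBucket` is authorized against the bucket ARN while `s3:GetObject` is authorized against object ARNs.

```yaml
# Added example (not from the PR): least-privilege replacement for RolePolicies.
# Assumption: the bucket is hacko-data-archive, as named in the review thread.
Parameters:
  ArchiveBucketName:
    Description: Bucket the DB host may read from
    Type: String
    Default: hacko-data-archive

Resources:
  RolePolicies:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ec2-read-s3-policy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Listing is evaluated against the bucket ARN itself ...
          - Effect: Allow
            Action:
              - s3:ListBucket
            Resource: !Sub 'arn:aws:s3:::${ArchiveBucketName}'
          # ... while reads are evaluated against the objects inside it.
          - Effect: Allow
            Action:
              - s3:GetObject
            Resource: !Sub 'arn:aws:s3:::${ArchiveBucketName}/*'
      Roles:
        - !Ref Role   # the AWS::IAM::Role defined in the PR's template
```

Write access for backups, if it is ever granted, belongs in a separate statement with its own object-ARN resource rather than widening this one.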

Roles:
- !Ref Role

InstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: "/"
Roles:
- !Ref Role
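Review bot: `Resource: "*"` in the `RolePolicies` statement (the `s3:GetObject`/`s3:ListBucket` block) lets the DB host list and read every bucket in the account, well beyond the single-bucket, read-only intent agreed in the thread; scope it to the archive bucket, remembering that `s3:ListBucket` is checked against the bucket ARN (`arn:aws:s3:::<bucket>`) while `s3:GetObject` is checked against object ARNs (`arn:aws:s3:::<bucket>/*`), so the statement needs both forms. Two smaller points in the same file: the whole `Parameters` block is dead, since every reference is commented out in favour of a literal (`InstanceType: t2.micro # !Ref InstanceType`, `SubnetId: subnet-8794fddf # !Ref SubnetId`, and so on), so either wire the `!Ref`s up or drop the parameters; and the header comment reads `# Itention:` where "Intention" is meant.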