Merge pull request #620 from bigchaindb/make-aws-security-group-a-parameter

Made the security group an AWS deployment parameter
2024-10-13 13:34:05 +00:00 · 2016-09-06 15:55:18 +02:00 · 2016-09-06 15:55:18 +02:00 · 8e6f0804e2
commit 8e6f0804e2
parent 288aad6446 eff44463ff
4 changed files with 21 additions and 7 deletions
--- a/deploy-cluster-aws/awsdeploy.sh
+++ b/deploy-cluster-aws/awsdeploy.sh
@ -42,6 +42,7 @@ echo "SSH_KEY_NAME" = $SSH_KEY_NAME
 echo "USE_KEYPAIRS_FILE = "$USE_KEYPAIRS_FILE
 echo "IMAGE_ID = "$IMAGE_ID
 echo "INSTANCE_TYPE = "$INSTANCE_TYPE
+echo "SECURITY_GROUP = "$SECURITY_GROUP
 echo "USING_EBS = "$USING_EBS
 if [ "$USING_EBS" = True ]; then
    echo "EBS_VOLUME_SIZE = "$EBS_VOLUME_SIZE
--- a/deploy-cluster-aws/example_deploy_conf.py
+++ b/deploy-cluster-aws/example_deploy_conf.py
@ -55,6 +55,11 @@ IMAGE_ID="ami-accff2b1"
 # For all options, see https://aws.amazon.com/ec2/instance-types/
 INSTANCE_TYPE="m3.2xlarge"

+# SECURITY_GROUP is the name of the AWS security group to use.
+# That security group must exist.
+# Examples: "bigchaindb", "bcdbsecure"
+SECURITY_GROUP="bigchaindb"
+
 # USING_EBS is True if you want to attach an Amazon EBS volume
 USING_EBS=False

--- a/deploy-cluster-aws/launch_ec2_nodes.py
+++ b/deploy-cluster-aws/launch_ec2_nodes.py
@ -27,8 +27,8 @@ from awscommon import get_naeips


 SETTINGS = ['NUM_NODES', 'BRANCH', 'WHAT_TO_DEPLOY', 'SSH_KEY_NAME',
-            'USE_KEYPAIRS_FILE', 'IMAGE_ID', 'INSTANCE_TYPE', 'USING_EBS',
-            'EBS_VOLUME_SIZE', 'EBS_OPTIMIZED']
+            'USE_KEYPAIRS_FILE', 'IMAGE_ID', 'INSTANCE_TYPE', 'SECURITY_GROUP',
+            'USING_EBS', 'EBS_VOLUME_SIZE', 'EBS_OPTIMIZED']


 class SettingsTypeError(TypeError):
@ -92,6 +92,9 @@ if not isinstance(IMAGE_ID, str):
 if not isinstance(INSTANCE_TYPE, str):
    raise SettingsTypeError('INSTANCE_TYPE should be a string')

+if not isinstance(SECURITY_GROUP, str):
+    raise SettingsTypeError('SECURITY_GROUP should be a string')
+
 if not isinstance(USING_EBS, bool):
    raise SettingsTypeError('USING_EBS should be a boolean (True or False)')

@ -182,6 +185,8 @@ if NUM_NODES > len(non_associated_eips):
 print('Commencing launch of {} instances on Amazon EC2...'.
      format(NUM_NODES))

+sg_list = [SECURITY_GROUP]
+
 for _ in range(NUM_NODES):
    # Request the launch of one instance at a time
    # (so list_of_instances should contain only one item)
@ -206,7 +211,7 @@ for _ in range(NUM_NODES):
            MaxCount=1,
            KeyName=SSH_KEY_NAME,
            InstanceType=INSTANCE_TYPE,
-            SecurityGroupIds=['bigchaindb'],
+            SecurityGroupIds=sg_list,
            BlockDeviceMappings=[dm],
            EbsOptimized=EBS_OPTIMIZED
        )
@ -217,7 +222,7 @@ for _ in range(NUM_NODES):
            MaxCount=1,
            KeyName=SSH_KEY_NAME,
            InstanceType=INSTANCE_TYPE,
-            SecurityGroupIds=['bigchaindb']
+            SecurityGroupIds=sg_list
        )

    # Tag the just-launched instances (should be just one)
--- a/docs/source/clusters-feds/aws-testing-cluster.md
+++ b/docs/source/clusters-feds/aws-testing-cluster.md
@ -43,16 +43,18 @@ The AWS cluster deployment scripts use elastic IP addresses (although that may c

 ## Create an Amazon EC2 Security Group

-Go to the AWS EC2 Console and select "Security Groups" in the left sidebar. Click the "Create Security Group" button. Name it `bigchaindb`. The description probably doesn't matter; you can also put `bigchaindb` for that.
+Go to the AWS EC2 Console and select "Security Groups" in the left sidebar. Click the "Create Security Group" button. You can name it whatever you like. (Notes: The default name in the example AWS deployment configuration file is `bigchaindb`. We had problems with names containing dashes.) The description should be something to help you remember what the security group is for.

-Add these rules for Inbound traffic:
+For a super lax, somewhat risky, anything-can-enter security group, add these rules for Inbound traffic:

 * Type = All TCP, Protocol = TCP, Port Range = 0-65535, Source = 0.0.0.0/0
 * Type = SSH, Protocol = SSH, Port Range = 22, Source = 0.0.0.0/0
 * Type = All UDP, Protocol = UDP, Port Range = 0-65535, Source = 0.0.0.0/0
 * Type = All ICMP, Protocol = ICMP, Port Range = 0-65535, Source = 0.0.0.0/0

-**Note: These rules are extremely lax! They're meant to make testing easy.** For example, Source = 0.0.0.0/0 is [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) for "allow this traffic to come from _any_ IP address."
+(Note: Source = 0.0.0.0/0 is [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) for "allow this traffic to come from _any_ IP address.")
+
+If you want to set up a more secure security group, see the [Notes for Firewall Setup](../appendices/firewall-notes.html).


 ## Deploy a BigchainDB Monitor
@ -126,6 +128,7 @@ SSH_KEY_NAME="not-set-yet"
 USE_KEYPAIRS_FILE=False
 IMAGE_ID="ami-accff2b1"
 INSTANCE_TYPE="m3.2xlarge"
+SECURITY_GROUP="bigchaindb"
 USING_EBS=False
 EBS_VOLUME_SIZE=30
 EBS_OPTIMIZED=False