From eff44463ff3e7b340654eb5a66919d3c6805e0df Mon Sep 17 00:00:00 2001
From: troymc
Date: Mon, 5 Sep 2016 17:05:13 +0200
Subject: [PATCH] Made the security group an AWS deployment parameter

---
 deploy-cluster-aws/awsdeploy.sh | 1 +
 deploy-cluster-aws/example_deploy_conf.py | 5 +++++
 deploy-cluster-aws/launch_ec2_nodes.py | 13 +++++++++----
 docs/source/clusters-feds/aws-testing-cluster.md | 9 ++++++---
 4 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/deploy-cluster-aws/awsdeploy.sh b/deploy-cluster-aws/awsdeploy.sh
index e2154155..07a2585e 100755
--- a/deploy-cluster-aws/awsdeploy.sh
+++ b/deploy-cluster-aws/awsdeploy.sh
@@ -42,6 +42,7 @@ echo "SSH_KEY_NAME" = $SSH_KEY_NAME
 echo "USE_KEYPAIRS_FILE = "$USE_KEYPAIRS_FILE
 echo "IMAGE_ID = "$IMAGE_ID
 echo "INSTANCE_TYPE = "$INSTANCE_TYPE
+echo "SECURITY_GROUP = "$SECURITY_GROUP
 echo "USING_EBS = "$USING_EBS
 if [ "$USING_EBS" = True ]; then
 echo "EBS_VOLUME_SIZE = "$EBS_VOLUME_SIZE
diff --git a/deploy-cluster-aws/example_deploy_conf.py b/deploy-cluster-aws/example_deploy_conf.py
index ed755a0d..d569bf1a 100644
--- a/deploy-cluster-aws/example_deploy_conf.py
+++ b/deploy-cluster-aws/example_deploy_conf.py
@@ -55,6 +55,11 @@ IMAGE_ID="ami-accff2b1"
 # For all options, see https://aws.amazon.com/ec2/instance-types/
 INSTANCE_TYPE="m3.2xlarge"
 
+# SECURITY_GROUP is the name of the AWS security group to use.
+# That security group must exist.
+# Examples: "bigchaindb", "bcdbsecure"
+SECURITY_GROUP="bigchaindb"
+
 # USING_EBS is True if you want to attach an Amazon EBS volume
 USING_EBS=False
 
diff --git a/deploy-cluster-aws/launch_ec2_nodes.py b/deploy-cluster-aws/launch_ec2_nodes.py
index 339b3519..230ddc16 100644
--- a/deploy-cluster-aws/launch_ec2_nodes.py
+++ b/deploy-cluster-aws/launch_ec2_nodes.py
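Review bot: The new SECURITY_GROUP comment in example_deploy_conf.py says the group must exist but not what it governs, and the example value `"bigchaindb"` is the very group that the docs in this same commit describe as open to 0.0.0.0/0 on every TCP and UDP port, so anyone who copies the example config gets a cluster whose node services are reachable from the whole Internet without being told so here. I would make the comment state that this is the inbound firewall for every node and steer anyone past a throwaway test toward a tighter group, e.g. `# SECURITY_GROUP names an existing EC2 security group in the target region/VPC.`, `# It is the inbound firewall for every node; the "bigchaindb" example from the docs`, `# is open to the world on all ports, so use a restrictive group for anything but a test cluster.` The script side only type-checks this value, so an empty string passes validation and fails later inside run_instances with an AWS error; mentioning that the value must be non-empty here (or rejecting it in launch_ec2_nodes.py) would spare that confusion.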
@@ -27,8 +27,8 @@ from awscommon import get_naeips
 
 
 SETTINGS = ['NUM_NODES', 'BRANCH', 'WHAT_TO_DEPLOY', 'SSH_KEY_NAME',
- 'USE_KEYPAIRS_FILE', 'IMAGE_ID', 'INSTANCE_TYPE', 'USING_EBS',
- 'EBS_VOLUME_SIZE', 'EBS_OPTIMIZED']
+ 'USE_KEYPAIRS_FILE', 'IMAGE_ID', 'INSTANCE_TYPE', 'SECURITY_GROUP',
+ 'USING_EBS', 'EBS_VOLUME_SIZE', 'EBS_OPTIMIZED']
 
 
 class SettingsTypeError(TypeError):
@@ -92,6 +92,9 @@ if not isinstance(IMAGE_ID, str):
 if not isinstance(INSTANCE_TYPE, str):
 raise SettingsTypeError('INSTANCE_TYPE should be a string')
 
+if not isinstance(SECURITY_GROUP, str):
+ raise SettingsTypeError('SECURITY_GROUP should be a string')
+
 if not isinstance(USING_EBS, bool):
 raise SettingsTypeError('USING_EBS should be a boolean (True or False)')
 
@@ -182,6 +185,8 @@ if NUM_NODES > len(non_associated_eips):
 print('Commencing launch of {} instances on Amazon EC2...'.
 format(NUM_NODES))
 
+sg_list = [SECURITY_GROUP]
+
 for _ in range(NUM_NODES):
 # Request the launch of one instance at a time
 # (so list_of_instances should contain only one item)
@@ -206,7 +211,7 @@ for _ in range(NUM_NODES):
 MaxCount=1,
 KeyName=SSH_KEY_NAME,
 InstanceType=INSTANCE_TYPE,
- SecurityGroupIds=['bigchaindb'],
+ SecurityGroupIds=sg_list,
 BlockDeviceMappings=[dm],
 EbsOptimized=EBS_OPTIMIZED
 )
@@ -217,7 +222,7 @@ for _ in range(NUM_NODES):
 MaxCount=1,
 KeyName=SSH_KEY_NAME,
 InstanceType=INSTANCE_TYPE,
- SecurityGroupIds=['bigchaindb']
+ SecurityGroupIds=sg_list
 )
 
 # Tag the just-launched instances (should be just one)
diff --git a/docs/source/clusters-feds/aws-testing-cluster.md b/docs/source/clusters-feds/aws-testing-cluster.md
index 7aa447fa..6fd85641 100644
--- a/docs/source/clusters-feds/aws-testing-cluster.md
+++ b/docs/source/clusters-feds/aws-testing-cluster.md
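Review bot: `sg_list = [SECURITY_GROUP]` is handed to `SecurityGroupIds=` in both run_instances calls, yet the config comment and the docs describe SECURITY_GROUP as a group name; the EC2 API's SecurityGroupIds parameter is specified for `sg-…` IDs, while names belong in `SecurityGroups=` and are only resolved for EC2-Classic / the default VPC, so the hard-coded `'bigchaindb'` presumably only ever worked by that lenient default-VPC resolution (the docs' remark about trouble with dashed names looks like a symptom of it). Now that users are invited to point this at a tighter group of their own, a name in a non-default VPC, or an ID supplied because that is what their VPC needs, will most likely fail at launch with an InvalidGroup-style error instead of landing in the intended group. I would choose the keyword by the value's form and pass it as `**sg_kwargs` in both calls, as sketched below; a second cheap fix is `if not SECURITY_GROUP: raise SettingsTypeError('SECURITY_GROUP must not be empty')` next to the new isinstance check, which currently accepts `''`. Both run_instances calls and the enclosing for loop extend outside the hunk.
```python
# EC2 resolves plain group names only for EC2-Classic / the default VPC;
# a non-default VPC needs the sg-… ID, and the two forms go in different kwargs.
if SECURITY_GROUP.startswith('sg-'):
    sg_kwargs = {'SecurityGroupIds': [SECURITY_GROUP]}
else:
    sg_kwargs = {'SecurityGroups': [SECURITY_GROUP]}

for _ in range(NUM_NODES):
    # … unchanged: EBS block-device mapping and the run_instances call heads …
            InstanceType=INSTANCE_TYPE,
            BlockDeviceMappings=[dm],
            EbsOptimized=EBS_OPTIMIZED,
            **sg_kwargs
        )
    # … unchanged: the non-EBS run_instances call takes the same **sg_kwargs …
```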
@@ -43,16 +43,18 @@ The AWS cluster deployment scripts use elastic IP addresses (although that may c
 
 ## Create an Amazon EC2 Security Group
 
-Go to the AWS EC2 Console and select "Security Groups" in the left sidebar. Click the "Create Security Group" button. Name it `bigchaindb`. The description probably doesn't matter; you can also put `bigchaindb` for that.
+Go to the AWS EC2 Console and select "Security Groups" in the left sidebar. Click the "Create Security Group" button. You can name it whatever you like. (Notes: The default name in the example AWS deployment configuration file is `bigchaindb`. We had problems with names containing dashes.) The description should be something to help you remember what the security group is for.
 
-Add these rules for Inbound traffic:
+For a super lax, somewhat risky, anything-can-enter security group, add these rules for Inbound traffic:
 
 * Type = All TCP, Protocol = TCP, Port Range = 0-65535, Source = 0.0.0.0/0
 * Type = SSH, Protocol = SSH, Port Range = 22, Source = 0.0.0.0/0
 * Type = All UDP, Protocol = UDP, Port Range = 0-65535, Source = 0.0.0.0/0
 * Type = All ICMP, Protocol = ICMP, Port Range = 0-65535, Source = 0.0.0.0/0
 
-**Note: These rules are extremely lax! They're meant to make testing easy.** For example, Source = 0.0.0.0/0 is [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) for "allow this traffic to come from _any_ IP address."
+(Note: Source = 0.0.0.0/0 is [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) for "allow this traffic to come from _any_ IP address.")
+
+If you want to set up a more secure security group, see the [Notes for Firewall Setup](../appendices/firewall-notes.html).
 
 ## Deploy a BigchainDB Monitor
 
@@ -126,6 +128,7 @@ SSH_KEY_NAME="not-set-yet"
 USE_KEYPAIRS_FILE=False
 IMAGE_ID="ami-accff2b1"
 INSTANCE_TYPE="m3.2xlarge"
+SECURITY_GROUP="bigchaindb"
 USING_EBS=False
 EBS_VOLUME_SIZE=30
 EBS_OPTIMIZED=False