From 1101177b646a9398ae3805a800d3c7027f39dc60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bal=C3=A1zs=20Czoma?=
Date: Thu, 7 Jan 2021 10:15:47 -0500
Subject: [PATCH] Automation improvements and updates from AWS (#52)
* Synced to latest AWS hosted quickstart
* Removed outdated BastionAMIOS param
* Updated test script
---
.github/workflows/build-test.yml | 24 ++++++++------
.gitmodules | 4 +--
....json => solace-aws-ha-3az-prod-test.json} | 2 +-
submodules/quickstart-aws-vpc | 2 +-
submodules/quickstart-linux-bastion | 2 +-
templates/setup_sample_new_vpc.template | 33 ++++++++++++++++---
templates/solace-master.template | 33 ++++++++++++++++---
7 files changed, 77 insertions(+), 23 deletions(-)
rename ci/{solace-aws-ha-3az-prod-travistest.json => solace-aws-ha-3az-prod-test.json} (96%)
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index 320ec26..c06ca40 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -2,7 +2,7 @@ name: build
 # Controls when the action will run.
 on:
- pull_request:
+ pull_request_target:
 push:
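Review bot: Switching the trigger to `pull_request_target` makes this workflow run with the base repository's secrets and write-capable token for pull requests opened from forks, and the later steps (outside this hunk) expand `secrets.BROKER_DOCKER_IMAGE_REF` and use AWS credentials to publish the checkout to S3 and create stacks, so any step that checks out the PR head ref and runs or uploads its contents would expose those credentials to the contributor. The checkout step is not visible in this diff, so this is a concern only if it uses the PR head rather than the base ref. If fork PRs are meant to run the deployment test, gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository` or put the credential-bearing steps behind a protected environment with required reviewers; otherwise keep `pull_request:` and let `push:` cover the trusted branches.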
@@ -48,24 +48,28 @@ jobs:
 - name: Copy test artifacts to test S3 bucket
 run: |
 MESSAGEBROKERNODEINSTANCETYPE=t2.small
- sed -i "s@SolaceDockerImageParameterValue@${{ secrets.BROKER_DOCKER_IMAGE_REF }}@g" ci/solace-aws-ha-3az-prod-travistest.json
- sed -i "s@EventBrokerNodeInstanceTypeParameterValue@${MESSAGEBROKERNODEINSTANCETYPE}@g" ci/solace-aws-ha-3az-prod-travistest.json
+ sed -i "s@SolaceDockerImageParameterValue@${{ secrets.BROKER_DOCKER_IMAGE_REF }}@g" ci/solace-aws-ha-3az-prod-test.json
+ sed -i "s@EventBrokerNodeInstanceTypeParameterValue@${MESSAGEBROKERNODEINSTANCETYPE}@g" ci/solace-aws-ha-3az-prod-test.json
 aws s3 mb s3://${{ env.TEST_S3_BUCKET }} || echo "s3 bucket already existed"
 export BUCKETREGION=`aws s3api get-bucket-location --bucket ${{ env.TEST_S3_BUCKET }} | grep LocationConstraint | awk -F' ' '{print $NF}' | tr -d '"'`
- sed -i "s@SolaceStackRegionNAME@${AWS_DEFAULT_REGION}@g" ci/solace-aws-ha-3az-prod-travistest.json
- sed -i "s@SolaceBucketRegionNAME@${BUCKETREGION}@g" ci/solace-aws-ha-3az-prod-travistest.json
+ sed -i "s@SolaceStackRegionNAME@${AWS_DEFAULT_REGION}@g" ci/solace-aws-ha-3az-prod-test.json
+ sed -i "s@SolaceBucketRegionNAME@${BUCKETREGION}@g" ci/solace-aws-ha-3az-prod-test.json
 aws s3 sync . 
s3://${{ env.TEST_S3_BUCKET }}/solace/eventbroker/latest --acl public-read
 - name: Test with production deployment option (create public subnet)
 run: |
- aws cloudformation create-stack --stack-name $TESTSTACKNAME --template-body file://templates/solace-master.template --parameters file://ci/solace-aws-ha-3az-prod-travistest.json --on-failure ROLLBACK --capabilities CAPABILITY_NAMED_IAM
+ aws cloudformation create-stack --stack-name $TESTSTACKNAME --template-body file://templates/solace-master.template --parameters file://ci/solace-aws-ha-3az-prod-test.json --on-failure ROLLBACK --capabilities CAPABILITY_NAMED_IAM
 echo "Waiting for stack create complete"
 sleep 30; aws cloudformation describe-stacks --stack-name $TESTSTACKNAME
 until aws cloudformation describe-stacks --stack-name $TESTSTACKNAME | grep -m 1 -E 'CREATE_COMPLETE'; do
 sleep 10
- if aws cloudformation describe-stacks --stack-name $TESTSTACKNAME | grep -m 1 -E 'DELETE_IN_PROGRESS'; then exit 1; fi
+ if aws cloudformation describe-stacks --stack-name $TESTSTACKNAME | grep -m 1 -E 'ROLLBACK_IN_PROGRESS'; then
+ aws cloudformation describe-stack-events --stack-name $TESTSTACKNAME
+ aws cloudformation describe-stacks --stack-name $TESTSTACKNAME
+ exit 1
+ fi
 sleep 10
- done
+ done
 aws cloudformation describe-stack-events --stack-name $TESTSTACKNAME
 aws cloudformation describe-stacks --stack-name $TESTSTACKNAME
 echo "Pausing to get the ELB ready"; sleep 10
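Review bot: The new failure check inside the `until` loop only matches `ROLLBACK_IN_PROGRESS`, but with `--on-failure ROLLBACK` a failed create moves through that state into `ROLLBACK_COMPLETE` (or `ROLLBACK_FAILED`), and with two `sleep 10` calls between polls a quick rollback can be missed entirely, after which the loop never terminates because `CREATE_COMPLETE` can no longer appear. Match the terminal states too: `if aws cloudformation describe-stacks --stack-name $TESTSTACKNAME | grep -m 1 -E 'ROLLBACK_IN_PROGRESS|ROLLBACK_COMPLETE|ROLLBACK_FAILED|CREATE_FAILED'; then`, and consider a bounded iteration count so a stuck stack fails the step instead of consuming the job timeout. The equivalent loop for the second stack in the next hunk still greps `CREATE_COMPLETE|DELETE_IN_PROGRESS`, which exits without failing and does not match rollback states, so it should get the same pattern and an explicit failure branch. Separately, the unchanged `aws s3 sync . ... --acl public-read` line publishes the entire checkout publicly, which deserves an `--exclude` list now that the workflow runs on `pull_request_target`.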
@@ -91,8 +95,8 @@ jobs:
 run: |
 export TESTSTACKNAME2="$TESTSTACKNAME-1"
 echo "TESTSTACKNAME2=$TESTSTACKNAME2" >> $GITHUB_ENV
- sed -i "s@true@false@g" ci/solace-aws-ha-3az-prod-travistest.json
- aws cloudformation create-stack --stack-name $TESTSTACKNAME2 --template-body file://templates/solace-master.template --parameters file://ci/solace-aws-ha-3az-prod-travistest.json --on-failure ROLLBACK --capabilities CAPABILITY_NAMED_IAM
+ sed -i "s@true@false@g" ci/solace-aws-ha-3az-prod-test.json
+ aws cloudformation create-stack --stack-name $TESTSTACKNAME2 --template-body file://templates/solace-master.template --parameters file://ci/solace-aws-ha-3az-prod-test.json --on-failure ROLLBACK --capabilities CAPABILITY_NAMED_IAM
 echo "Waiting for stack create complete"
 until aws cloudformation describe-stacks --stack-name $TESTSTACKNAME2 | grep -m 1 -E 'CREATE_COMPLETE|DELETE_IN_PROGRESS'; do sleep 10; done
 aws cloudformation describe-stack-events --stack-name $TESTSTACKNAME2
diff --git a/.gitmodules b/.gitmodules
index bcfc47b..f90e2ff 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,8 +1,8 @@
 [submodule "submodules/quickstart-aws-vpc"]
 path = submodules/quickstart-aws-vpc
 url = git@github.com:aws-quickstart/quickstart-aws-vpc.git
- branch = master
+ branch = main
 [submodule "submodules/quickstart-linux-bastion"]
 path = submodules/quickstart-linux-bastion
 url = git@github.com:aws-quickstart/quickstart-linux-bastion.git
- branch = master
+ branch = main
diff --git a/ci/solace-aws-ha-3az-prod-travistest.json b/ci/solace-aws-ha-3az-prod-test.json
similarity index 96%
rename from ci/solace-aws-ha-3az-prod-travistest.json
rename to ci/solace-aws-ha-3az-prod-test.json
index a920278..4c00839 100644
--- a/ci/solace-aws-ha-3az-prod-travistest.json
+++ b/ci/solace-aws-ha-3az-prod-test.json
@@ -53,7 +53,7 @@
 },
 {
 "ParameterKey": "QSS3BucketName",
- "ParameterValue": "solace-cf-quickstart-travistest"
+ "ParameterValue": "solace-cf-quickstart-ghtest"
 },
 {
 "ParameterKey": "QSS3BucketRegion",
diff --git a/submodules/quickstart-aws-vpc b/submodules/quickstart-aws-vpc
index f6e25e5..dd78cab 160000
--- a/submodules/quickstart-aws-vpc
+++ b/submodules/quickstart-aws-vpc
@@ -1 +1 @@
-Subproject commit f6e25e586deda72345483dca068902fc787806d6
+Subproject commit dd78caba92ec7e31cc2d2b7b623ee53626db986a
diff --git a/submodules/quickstart-linux-bastion b/submodules/quickstart-linux-bastion
index de251de..cbad242 160000
--- a/submodules/quickstart-linux-bastion
+++ b/submodules/quickstart-linux-bastion
@@ -1 +1 @@
-Subproject commit de251de2d051d7ed11ed5606d4508dc7a69496a8
+Subproject commit cbad242d2d1bbfec41a6baa6c2ae346b54d2acfd
diff --git a/templates/setup_sample_new_vpc.template b/templates/setup_sample_new_vpc.template
index 1e1f474..79d54ec 100644
--- a/templates/setup_sample_new_vpc.template
+++ b/templates/setup_sample_new_vpc.template
@@ -113,6 +113,33 @@ Resources:
 CreatePrivateSubnets: !Ref 'CreatePrivateSubnets'
 KeyPairName: !Ref 'KeyPairName'
 NumberOfAZs: !Ref 'NumberOfAZs'
+ BastionHostRole:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ Path: /
+ AssumeRolePolicyDocument:
+ Statement:
+ - Action:
+ - 'sts:AssumeRole'
+ Principal:
+ Service:
+ - !Sub 'ec2.${AWS::URLSuffix}'
+ Effect: Allow
+ Version: 2012-10-17
+ Policies:
+ - PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Action:
+ - s3:GetObject
+ Resource: !Sub
+ - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}*
+ - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
+ Effect: Allow
+ PolicyName: s3-policy
+ ManagedPolicyArns:
+ - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore'
+ - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy'
 BastionStack:
 Type: AWS::CloudFormation::Stack
 Condition: UsePrivateSubnets
@@ -124,12 +151,10 @@ Resources:
 S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
 Parameters:
 BastionInstanceType: t2.micro
- BastionAMIOS: Amazon-Linux-HVM
 EnableBanner: 'true'
 BastionBanner: !Sub
- - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/solace-banner.txt
- - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
- - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
+ - s3://${S3Bucket}/${QSS3KeyPrefix}scripts/solace-banner.txt
+ - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
 NumBastionHosts: '2'
 KeyPairName: !Ref 'KeyPairName'
 PublicSubnet1ID: !GetAtt 'VPCStack.Outputs.PublicSubnet1ID'
diff --git a/templates/solace-master.template b/templates/solace-master.template
index 1445f81..3b82514 100644
--- a/templates/solace-master.template
+++ b/templates/solace-master.template
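Review bot: The new `BastionHostRole` is not referenced by anything in this hunk, and the `BastionStack` block that follows is only partially shown, so the diff does not establish that the role is actually attached to the bastion instances; if the rest of `BastionStack` does not pass it through the bastion template's role parameter, the role and its `s3:GetObject` grant are created but unused, and the `s3://` banner location introduced in the second hunk has no credentials behind it. Please confirm the wiring in the part of `BastionStack` outside the hunk, or add it. Two points of style: the trust policy's `Version: 2012-10-17` is unquoted while the inline policy quotes it, and some YAML loaders read the bare form as a date, so `Version: '2012-10-17'` in both places is the safer spelling; and a one-line comment above `Policies:` such as `# read-only access to the quickstart assets (banner, scripts) under ${QSS3KeyPrefix}` would record why the bastion needs a bespoke role beyond the two managed policies. The two hunks in `templates/solace-master.template` are identical and have the same points.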
@@ -254,6 +254,33 @@ Resources:
 CreatePrivateSubnets: !Ref 'CreatePrivateSubnets'
 KeyPairName: !Ref 'KeyPairName'
 NumberOfAZs: !Ref 'NumberOfAZs'
+ BastionHostRole:
+ Type: 'AWS::IAM::Role'
+ Properties:
+ Path: /
+ AssumeRolePolicyDocument:
+ Statement:
+ - Action:
+ - 'sts:AssumeRole'
+ Principal:
+ Service:
+ - !Sub 'ec2.${AWS::URLSuffix}'
+ Effect: Allow
+ Version: 2012-10-17
+ Policies:
+ - PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Action:
+ - s3:GetObject
+ Resource: !Sub
+ - arn:${AWS::Partition}:s3:::${S3Bucket}/${QSS3KeyPrefix}*
+ - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
+ Effect: Allow
+ PolicyName: s3-policy
+ ManagedPolicyArns:
+ - !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore'
+ - !Sub 'arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy'
 BastionStack:
 Type: AWS::CloudFormation::Stack
 Condition: UsePrivateSubnets
@@ -265,12 +292,10 @@ Resources:
 S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
 Parameters:
 BastionInstanceType: t2.micro
- BastionAMIOS: Amazon-Linux-HVM
 EnableBanner: 'true'
 BastionBanner: !Sub
- - https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}scripts/solace-banner.txt
- - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
- - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
+ - s3://${S3Bucket}/${QSS3KeyPrefix}scripts/solace-banner.txt
+ - S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
 NumBastionHosts: '2'
 KeyPairName: !Ref 'KeyPairName'
 PublicSubnet1ID: !GetAtt 'VPCStack.Outputs.PublicSubnet1ID'