-
Notifications
You must be signed in to change notification settings - Fork 5
Infrastructure repository
This section assumes you have read and followed the Quick Start pages.
If you only have a single "infrastructure", for example you're just running ce-provision for your own company servers and there really aren't that many of them, you can probably stick with basic usage and the ce-provision-config approach.
However, if you have logically separate sets of servers and services with one or more cloud or hosting providers, you may want to separate their configurations and playbooks out into separate repositories to make management easier. At Code Enigma we call these logical groupings "infrastructures" and we keep the playbooks and variables unique to the elements of each infrastructure in its own Git repository, typically on the controller server.
Firstly, we need to create the new repository on our GitLab server:
- In a web browser go to your GitLab installation, for example https://gitlab.controller.acme.com/, and login - instructions here, step 3
- Click on Groups on the left menu
- Click the
New groupbutton on the right, thenCreate group- we recommend you name it
Infrasand leave it private - this is where we will store our "infra" repositories
- we recommend you name it
- On the next page click
New project->Create a blank project- we recommend you name it something sensible and recognisable, beginning with
infra, leave it private and do not create a README - for this example we will use
infra-main-website
- we recommend you name it something sensible and recognisable, beginning with
At this point you should have a new repository at https://gitlab.controller.acme.com/infras/infra-main-website (obviously with your controller server URL, not our example one).
We have a template repository for an AWS account. To use it:
- Still in GitLab, as stated in the README for the template, create a global environment variable called
ENVinAdmin->Settings->CI/CD->Variables -
Go to our templates repository, click the green
Codebutton and clickDownload ZIP - Create a folder on your computer where you want to keep your repository and copy the contents of the extracted
NETWORKfolder into it- Be sure to get all the hidden files!
- You can delete
README.mdif you wish
-
As stated in the README for the template, find and replace all instances of these strings:
-
SHORTNAME- your infrastructure name -
CIDR_BASE- your VPC CIDR base for IPv4 addressing
-
Example:
# do this within your infra repo folder
find ./ -type f -exec sed -i -e 's/SHORTNAME/main-website/g' {} \;
find ./ -type f -exec sed -i -e 's/CIDR_BASE/10.0/g' {} \;- Back in GitLab, add an SSH key by clicking the
Add SSH keybutton in the banner, if you have not already done so - On your project page, follow the
Push an existing folderinstructions on your project front page, but use the branch nameapply
Ansible uses the Python library boto3 to manage connections to AWS accounts. In order for boto3 to have permissions to connect to your AWS account, we have to set up a profile. There is an Ansible role that will take care of this for you in our controller server set up process, it will write the ~/.aws/credentials file that Ansible needs, however you need to create the variables required to allow it to do so.
Follow this guide to create an IAM user for your controller server. Once you have done that, you need to set up the aws_credentials role for your controller.
We strongly recommend you do this using SOPS.
Firstly, follow our guide to set up SOPS.
Then, using your ce-provision-config repository, which you will need checked out on to your workstation:
- Open a local terminal and change directory to your repository location
- Create a SOPS variables file in the
_controllerhost group:sops hosts/group_vars/_controller/_encrypted.sops.yml - Place the access key details you saved in the AWS guide into the resulting file, like so:
_encrypted_aws_credentials_provision:
acme:
access_key_id: AKIAXXXXXXXXXXXXXXXX
secret_access_key: sOmeVeryloNgStriNgFrOm+aWSIf you have more than one AWS IAM user Ansible might need to use, you can add them one after the other in this file.
- Edit the provided
hosts/group_vars/_controller/aws_credentials.ymlfile, it initially looks like this:
---
# Placeholder for boto credentials later
# Docs: https://codeenigma.github.io/ce-provision-docs/2.x/roles/aws/aws_credentials/
aws_credentials:
- user: controller
profiles: []And you should add your AWS profile like this:
---
aws_credentials:
- user: controller
profiles:
- name: acme
access_key_id: "{{ _encrypted_aws_credentials_provision.acme.access_key_id }}"
secret_access_key: "{{ _encrypted_aws_credentials_provision.acme.secret_access_key }}"- Add, commit and push your changes to the config repo
- In GitLab build your controller server again
The /home/controller/.aws/credentials file should get created on the server. You can optionally verify by logging in over SSH, you should see something like this:
$ sudo cat /home/controller/.aws/credentials
[acme]
aws_access_key_id = AKIAXXXXXXXXXXXXXXXX
aws_secret_access_key = sOmeVeryloNgStriNgFrOm+aWSThis looks much the same as configuration with SOPS, but you simply put your raw AWS access credentials directly into the hosts/group_vars/_controller/aws_credentials.yml file. This is clearly a terrible idea, as the credentials have full admin access, so anyone who copies them from your repository will also have full admin access.
Now your controller is rebuilt with your AWS credentials you can have it begin orchestrating your AWS infrastructure.
In your GitLab server and within the infra repository, go to Build -> Pipelines and click the New pipeline button in the top right. On the following form pick the ENV (environment) you want to build. Convention is to do util first, then dev, stage and prod in that order. To save on cost, do not build environments you do not need, even if you might need them later. Then set TRIGGER_NETWORK_BUILD to yes and click the New pipeline button at the bottom of the form. Your environment and networks should be automatically created.
TODO