In this lab we will automate deployment, migrate to AWS RDS, and integrate logging.
Use Restacker to deploy the template developed in lab 2.
- Download and install Restacker.
git clone https://github.com/devsecops/restacker.git
cd restacker/source
gem install bundler
bundle install
gem build restacker.gemspec
gem install restacker-0.0.11.gem
rbenv init -
- Use Restacker to open the AWS console.
Log out of the AWS console if you are logged in and then run `restacker console -l myapp -u $AWS_STUDENT_ID -c dso`. If this fails, ensure Restacker is configured as per the following step.
- Ensure that the Restacker configuration matches the information provided by the instructor.
E.g.,
$ cat ~/.restacker/restacker.yml
:myapp:
  :region: us-west-2
  :master:
    :label: control
    :account_number: '100352119871'
    :role_name: CTL-my-app-DeploymentAdmin
    :role_prefix: "/dso/ctrl/my-app/"
  :target:
    :label: target
    :account_number: '717986480831'
    :role_name: TGT-dso-DeploymentAdmin
    :role_prefix: "/human/dso/"
- Use Restacker to list all current stacks.
$ restacker list -l myapp -u student1 -c dso
Did you get prompted for MFA? Do you know why? Look under `~/.restacker/`.
- Export template configuration.
Restacker expects parameters to be passed in. Use `restacker dump` to dump default parameters into a file. Modify the values in the parameters to match the parameter values you have been passing into the CloudFormation console.
$ restacker dump -t mytemplate.json > parameters.json
The resulting parameters file should look something like parameters.json.
- Add Restacker required parameters to your CloudFormation template.
Add `StackCreator` and `TimeStamp` as new parameters of type `String` to your CloudFormation template.
- Deploy your stack using Restacker.
$ restacker deploy -t mytemplate.json -P parameters.json -c dso -l myapp -n $AWS_STUDENT_ID -u $AWS_STUDENT_ID
- Use Restacker to delete previous stack.
E.g.,
$ restacker remove -n student1-20160622-2349 -l myapp -c dso -u student1
- Change `RAILS_ENV` to use `rds` instead of `mysql`.
From:
"echo \"export RAILS_ENV=mysql\" >> .bash_profile\n",
To:
"echo \"export RAILS_ENV=rds\" >> .bash_profile\n",
- Add functionality to the CloudFormation template to make use of RDS.
Add RDS configuration into `config/database.yml` before Rails Goat is started (by `bundle exec rails server`).
You can do this by adding the lines below before `...bundle exec rake db:setup...` to the `UserData` subsection of the `WebServerInstance` launch configuration resource.
"cd railsgoat\n",
"cat <<EOF>> config/database.yml\n",
"rds:\n",
" adapter: mysql2\n",
" database: railsgoatdb\n",
" pool: 5\n",
" timeout: 5000\n",
" host: railsgoatdb.cfkyvk9ybkal.us-west-2.rds.amazonaws.com\n",
" username: railsgoat\n",
" password: dsogoat1\n",
"EOF\n",
- Deploy your stack using Restacker.
E.g.,
$ restacker deploy -t mytemplate.json -P parameters.json -c dso -l myapp -n $AWS_STUDENT_ID -u $AWS_STUDENT_ID
For posterity, integrate logging into the CloudFormation template.
- Add a section in the `UserData` subsection of the `WebServerInstance` launch configuration resource to install Splunk.
"ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime\n",
"yum -y install wget\n",
"cd /opt\n",
"wget -O splunkforwarder-6.4.1-debde650d26e-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.4.1&product=universalforwarder&filename=splunkforwarder-6.4.1-debde650d26e-linux-2.6-x86_64.rpm&wget=true'\n",
"rpm -ivh splunkforwarder-6.4.1-debde650d26e-linux-2.6-x86_64.rpm\n",
- Add a section in the `UserData` subsection of the `WebServerInstance` launch configuration resource to configure Splunk.
Configure outputs:
"echo \"[tcpout]\n",
"defaultGroup = dso-autolb-group\n",
"\n",
"[tcpout:dso-autolb-group]\n",
"disabled = false\n",
"dropEventsOnQueueFull = 10\n",
"server = appliance:9997\n",
"sslCertPath = \\$SPLUNK_HOME/etc/auth/server.pem\n",
"sslPassword = password\n",
"sslRootCAPath = \\$SPLUNK_HOME/etc/auth/cacert.pem\n",
"sslVerifyServerCert = false\n",
"useACK = false\" >> /opt/splunkforwarder/etc/system/local/outputs.conf\n",
Configure inputs:
"echo \"[default]\n",
"host = \\$decideOnStartup\n",
"\n",
"[monitor:///home/ec2-user/railsgoat/log/]\n",
"recursive=true\n",
"\n",
"[monitor:///var/log/]\n",
"recursive=true\" >> /opt/splunkforwarder/etc/system/local/inputs.conf\n",
Start Splunk:
"/opt/splunkforwarder/bin/splunk start --accept-license\n",
"/opt/splunkforwarder/bin/splunk start\n"
- Use Restacker to delete previous stack.
E.g.,
$ restacker remove -n student1-20160622-2349 -l myapp -c dso -u student1
- Deploy your stack using Restacker.
E.g.,
$ restacker deploy -t mytemplate.json -P parameters.json -c dso -l myapp -n $AWS_STUDENT_ID -u $AWS_STUDENT_ID
The resulting template should look something like lab-3.json.
How would you make this template even better?
Suggestions:
- Remove hardcoded secrets from UserData
- Remove other hardcoded values from UserData
- Remove Bash code from user data and make it a retrievable script that can be maintained separately
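
One way to start on the first suggestion, as an added example that is not part of the original lab or of Restacker: a Ruby check that flattens each `Fn::Join` `UserData` block in a template and reports lines that hardcode a credential. It goes slightly beyond the suggestion by also reporting `sslVerifyServerCert = false`. The patterns, the embedded sample template and the `DBPassword` parameter name are assumptions constructed for illustration.

```ruby
require 'json'
# Patterns are assumptions modelled on the settings used in this lab.
FINDINGS = {
  /^\s*(password|sslPassword)\s*[:=]\s*(?!\$\{)\S+/i => 'hardcoded credential',
  /^\s*sslVerifyServerCert\s*=\s*false/i => 'TLS server verification disabled'
}.freeze

# Yield every value stored under a "UserData" key, at any depth.
def each_user_data(node, &block)
  return node.each { |v| each_user_data(v, &block) } if node.is_a?(Array)
  return unless node.is_a?(Hash)
  node.each { |k, v| k == 'UserData' ? block.call(v) : each_user_data(v, &block) }
end

# Flatten Fn::Base64 / Fn::Join to script text; Ref etc. become "${...}" (not flagged).
def render(node)
  case node
  when String then node
  when Hash
    if node.key?('Fn::Base64') then render(node['Fn::Base64'])
    elsif node.key?('Fn::Join')
      sep, parts = node['Fn::Join']
      parts.map { |part| render(part) }.join(sep)
    else '${...}'
    end
  else node.to_s
  end
end

# Return [reason, offending line] pairs for every UserData block.
def scan_template(json_text)
  results = []
  each_user_data(JSON.parse(json_text)) do |user_data|
    render(user_data).each_line do |line|
      FINDINGS.each { |re, why| results << [why, line.strip] if line =~ re }
    end
  end
  results
end

# Constructed sample; DBPassword is a hypothetical parameter name.
SAMPLE = <<~'JSON'
  {"Resources": {"WebServerInstance": {"Properties": {"UserData":
    {"Fn::Base64": {"Fn::Join": ["", [
      "cat <<EOF>> config/database.yml\n", " password: dsogoat1\n", "EOF\n",
      "sslPassword = password\n", "sslVerifyServerCert = false\n",
      " password: ", {"Ref": "DBPassword"}, "\n"
    ]]}}}}}}
JSON
```

Run `scan_template(File.read('mytemplate.json'))` before each `restacker deploy`; an empty result means no literal matched, not that the template is free of secrets.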