From 633dfe3d6aff9e0bb770527e0e2cc7d1f1697bdf Mon Sep 17 00:00:00 2001
From: Rocky Breslow
Date: Mon, 11 Mar 2019 20:03:48 -0400
Subject: [PATCH] Deploy production application in eu-west-1 (#286)
* Deploy production application in eu-west-1
* Update S3 buckets in docker-compose.ci.yml
* Update S3 buckets in Jenkinsfile
* Update AWS Region in README.md and deployment/README.md
* Update S3 buckets in Vagrantfile
* Update Ansible group_vars S3 bucket
* Use 1.0.0 of terraform-aws-acm-certificate to provision a separate certificate for CloudFront in us-east-1
* Use db.t3.micro as default RDS instance
* Use eu-west-1 ECS-optimized AMI for Batch
* Update S3 bucket in research/dedupe/bootstrap
* Update AWS region reference in ecsmanage.py
* Temporary change to Jenkinsfile Needed to test CI pipeline.
* Temporary change to Jenkinsfile Needed to test CI pipeline.
* Show me the env
* Temporary change to Jenkinsfile Needed to test CI pipeline.
* Add CloudFront certificate comment
* Revert change to Jenkinsfile
---
 Jenkinsfile | 6 ++---
 README.md | 4 ++--
 Vagrantfile | 2 +-
 deployment/README.md | 6 ++---
 deployment/ansible/group_vars/all | 2 +-
 deployment/terraform/cdn.tf | 2 +-
 deployment/terraform/certificate.tf | 23 +++++++++++++++++--
 deployment/terraform/config.tf | 17 +++++++++++++-
 deployment/terraform/container_service.tf | 2 +-
 deployment/terraform/iam.tf | 4 ++--
 deployment/terraform/variables.tf | 10 ++++----
 docker-compose.ci.yml | 2 +-
 research/dedupe/bootstrap | 4 ++--
 .../api/management/commands/ecsmanage.py | 2 +-
 14 files changed, 60 insertions(+), 26 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 85287ffc0..b2c351f11 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -8,9 +8,9 @@ node {
 }
 env.AWS_PROFILE = 'open-apparel-registry'
- env.AWS_DEFAULT_REGION = 'us-east-1'
+ env.AWS_DEFAULT_REGION = 'eu-west-1'
- env.OAR_SETTINGS_BUCKET = 'openapparelregistry-testing-config-us-east-1'
+ env.OAR_SETTINGS_BUCKET = 'openapparelregistry-testing-config-eu-west-1'
 // Execute `setup` wrapped within a plugin that translates
 // ANSI color codes to something that renders inside the Jenkins
@@ -27,7 +27,7 @@ node {
 }
 }
- env.OAR_SETTINGS_BUCKET = 'openapparelregistry-staging-config-us-east-1'
+ env.OAR_SETTINGS_BUCKET = 'openapparelregistry-staging-config-eu-west-1'
 if (env.BRANCH_NAME == 'develop' || env.BRANCH_NAME.startsWith('release/') || env.BRANCH_NAME.startsWith('test/')) {
 // Publish container images built and tested during `cibuild`
diff --git a/README.md b/README.md
index 14a316f13..f217957fb 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ First, configure a local AWS profile with access to an S3 bucket with files cont
 $ aws configure --profile open-apparel-registry
 AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
 AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-Default region name [None]: us-east-1
+Default region name [None]: eu-west-1
 Default output format [None]:
 ```
@@ -67,7 +67,7 @@ To start this version of OAR, first, bootstrap the database:
 $ vagrant ssh
 # Import database dumps from Sourcemap and run ElasticSearch indexing
-vagrant@vagrant:/vagrant$ export OAR_SETTINGS_BUCKET=openapparelregistry-development-config-us-east-1
+vagrant@vagrant:/vagrant$ export OAR_SETTINGS_BUCKET=openapparelregistry-development-config-eu-west-1
 vagrant@vagrant:/vagrant$ ./scripts/bootstrap --restify
 ```
diff --git a/Vagrantfile b/Vagrantfile
index 166f9473a..afc28bd22 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -44,7 +44,7 @@ Vagrant.configure("2") do |config|
 fi
 export AWS_PROFILE=open-apparel-registry
- export OAR_SETTINGS_BUCKET=openapparelregistry-development-config-us-east-1
+ export OAR_SETTINGS_BUCKET=openapparelregistry-development-config-eu-west-1
 cd /vagrant
 su vagrant ./scripts/bootstrap
diff --git a/deployment/README.md b/deployment/README.md
index 21c2fe78a..0a4eb71b4 100644
--- a/deployment/README.md
+++ b/deployment/README.md
@@ -12,7 +12,7 @@ Using the AWS CLI, create an AWS profile named `open-apparel-registry`:
 $ aws configure --profile open-apparel-registry
 AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
 AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-Default region name [None]: us-east-1
+Default region name [None]: eu-west-1
 Default output format [None]:
 ```
@@ -29,7 +29,7 @@ To do this, we can use the `cibuild` and `cipublish` scripts:
 ```bash
 $ vagrant ssh
-vagrant@vagrant:/vagrant$ export OAR_AWS_ECR_ENDPOINT=123456789012.dkr.ecr.us-east-1.amazonaws.com
+vagrant@vagrant:/vagrant$ export OAR_AWS_ECR_ENDPOINT=123456789012.dkr.ecr.eu-west-1.amazonaws.com
 vagrant@vagrant:/vagrant$ ./scripts/cibuild
 ...
 Successfully built 20dcf93f6907
@@ -73,7 +73,7 @@ rds_database_username = "openapparelregistry"
 rds_database_password = "password"
 ```
-This file lives at `s3://openapparelregistry-staging-config-us-east-1/terraform/terraform.tfvars`.
+This file lives at `s3://openapparelregistry-staging-config-eu-west-1/terraform/terraform.tfvars`.
 To deploy this project's core infrastructure, use the `infra` wrapper script to lookup the remote state of the infrastructure and assemble a plan for work to be done:
diff --git a/deployment/ansible/group_vars/all b/deployment/ansible/group_vars/all
index f42d08b0d..dec80a7ca 100644
--- a/deployment/ansible/group_vars/all
+++ b/deployment/ansible/group_vars/all
@@ -2,7 +2,7 @@ aws_cli_version: "1.16.*"
 aws_profile: "open-apparel-registry"
-oar_settings_bucket: "openapparelregistry-development-config-us-east-1"
+oar_settings_bucket: "openapparelregistry-development-config-eu-west-1"
 docker_version: "18.*"
 docker_compose_version: "1.21.*"
diff --git a/deployment/terraform/cdn.tf b/deployment/terraform/cdn.tf
index b4c7128c4..f77d38689 100644
--- a/deployment/terraform/cdn.tf
+++ b/deployment/terraform/cdn.tf
@@ -73,7 +73,7 @@ resource "aws_cloudfront_distribution" "cdn" {
 }
 viewer_certificate {
- acm_certificate_arn = "${module.cert.arn}"
+ acm_certificate_arn = "${module.cert_cdn.arn}"
 minimum_protocol_version = "TLSv1.2_2018"
 ssl_support_method = "sni-only"
 }
diff --git a/deployment/terraform/certificate.tf b/deployment/terraform/certificate.tf
index 7460afd90..440817411 100644
--- a/deployment/terraform/certificate.tf
+++ b/deployment/terraform/certificate.tf
@@ -1,8 +1,27 @@
 #
 # ACM resources
 #
-module "cert" {
- source = "github.com/azavea/terraform-aws-acm-certificate?ref=0.1.0"
+module "cert_cdn" {
+ source = "github.com/azavea/terraform-aws-acm-certificate?ref=1.0.0"
+
+ providers = {
+ aws.acm_account = "aws.certificates"
+ aws.route53_account = "aws"
+ }
+
+ domain_name = "${var.r53_public_hosted_zone}"
+ subject_alternative_names = ["*.${var.r53_public_hosted_zone}"]
+ hosted_zone_id = "${aws_route53_zone.external.zone_id}"
+ validation_record_ttl = "60"
+}
+
+module "cert_lb" {
+ source = "github.com/azavea/terraform-aws-acm-certificate?ref=1.0.0"
+
+ providers = {
+ aws.acm_account = "aws"
+ aws.route53_account = "aws"
+ }
 domain_name = "${var.r53_public_hosted_zone}"
 subject_alternative_names = ["*.${var.r53_public_hosted_zone}"]
diff --git a/deployment/terraform/config.tf b/deployment/terraform/config.tf
index 80a24e8e1..90ebb47a5 100644
--- a/deployment/terraform/config.tf
+++ b/deployment/terraform/config.tf
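Review bot: Both new module blocks in certificate.tf pull `github.com/azavea/terraform-aws-acm-certificate?ref=1.0.0` by tag, and a git tag is a movable pointer rather than an immutable reference, so the code that issues the public certificates can change underneath a later `terraform init` without any diff appearing here. Pinning `ref=` to the commit hash behind the 1.0.0 tag (taken from the upstream repository, not shown on this page) gives the same module with a verifiable identity. The `cert_cdn` block would also benefit from a one-line comment tying it to the provider alias it uses, e.g. `# Issued through the us-east-1 provider alias: CloudFront only accepts ACM certificates from that region.` The `cert_lb` module body continues past the end of the hunk.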
@@ -3,13 +3,28 @@ provider "aws" {
 version = "~> 1.56.0"
 }
+/**
+* To use an ACM Certificate with Amazon CloudFront, you must
+* request or import the certificate in the US East (N. Virginia) region.
+* ACM Certificates in this region that are associated with a CloudFront
+* distribution are distributed to all the geographic locations configured
+* for that distribution.
+*
+* https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html
+*/
+provider "aws" {
+ alias = "certificates"
+ region = "us-east-1"
+ version = "~> 1.56.0"
+}
+
 provider "template" {
 version = "~> 1.0.0"
 }
 terraform {
 backend "s3" {
- region = "us-east-1"
+ region = "eu-west-1"
 encrypt = "true"
 }
 }
diff --git a/deployment/terraform/container_service.tf b/deployment/terraform/container_service.tf
index 306277bb0..61f5d5b62 100644
--- a/deployment/terraform/container_service.tf
+++ b/deployment/terraform/container_service.tf
@@ -80,7 +80,7 @@ resource "aws_lb_listener" "app" {
 load_balancer_arn = "${aws_lb.app.id}"
 port = "443"
 protocol = "HTTPS"
- certificate_arn = "${module.cert.arn}"
+ certificate_arn = "${module.cert_lb.arn}"
 default_action {
 target_group_arn = "${aws_lb_target_group.app.id}"
diff --git a/deployment/terraform/iam.tf b/deployment/terraform/iam.tf
index fe38d7f25..b1e16274b 100644
--- a/deployment/terraform/iam.tf
+++ b/deployment/terraform/iam.tf
@@ -51,12 +51,13 @@ data "aws_iam_policy_document" "batch_describe_and_submit" {
 effect = "Allow"
 resources = ["*"]
+
 actions = [
 "batch:DescribeJobQueues",
 "batch:DescribeJobs",
 "batch:DescribeJobDefinitions",
 "batch:DescribeComputeEnvironments",
- "batch:SubmitJob"
+ "batch:SubmitJob",
 ]
 }
 }
@@ -67,7 +68,6 @@ resource "aws_iam_role_policy" "batch_describe_and_submit" {
 policy = "${data.aws_iam_policy_document.batch_describe_and_submit.json}"
 }
-
 #
 # EC2 IAM resources
 #
diff --git a/deployment/terraform/variables.tf b/deployment/terraform/variables.tf
index c062a5e50..236ade58f 100644
--- a/deployment/terraform/variables.tf
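Review bot: Changing the `backend "s3"` region to `eu-west-1` in config.tf moves where Terraform looks for its state on the next `terraform init`, and nothing in the commit records how the existing state and its bucket are migrated before the new `cert_cdn`/`cert_lb` resources are applied; if the bucket is still supplied through a partial backend config (not visible here), it is worth confirming it now lives in `eu-west-1`, otherwise `init` will need `-reconfigure` or a state migration and could otherwise start from an empty state and try to recreate live resources. The new `aws.certificates` provider repeats only `region` and `version`; if the default `provider "aws"` block at the top of the file (its opening lines are outside the hunk) sets a profile or assume-role, the alias should carry the same settings so certificate issuance runs as the same identity rather than whatever the ambient credential chain resolves to. The added comment explaining the us-east-1 requirement is useful as written.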
+++ b/deployment/terraform/variables.tf
@@ -7,11 +7,11 @@ variable "environment" {
 }
 variable "aws_region" {
- default = "us-east-1"
+ default = "eu-west-1"
 }
 variable "aws_availability_zones" {
- default = ["us-east-1a", "us-east-1b"]
+ default = ["eu-west-1a", "eu-west-1b"]
 }
 variable "aws_key_name" {}
@@ -89,7 +89,7 @@ variable "rds_parameter_group_family" {
 }
 variable "rds_instance_type" {
- default = "db.t2.micro"
+ default = "db.t3.micro"
 }
 variable "rds_storage_type" {
@@ -213,9 +213,9 @@ variable "batch_default_ce_spot_fleet_bid_percentage" {
 }
 variable "batch_ami_id" {
- # Latest ECS-optimized Amazon Linux AMI in us-east-1
+ # Latest ECS-optimized Amazon Linux AMI in eu-west-1
 # See: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html
- default = "ami-0bf2fb355727b7faf"
+ default = "ami-00921cd1ce43d567a"
 }
 variable "batch_default_ce_min_vcpus" {
diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml
index 016572dca..e47bf2f25 100644
--- a/docker-compose.ci.yml
+++ b/docker-compose.ci.yml
@@ -12,7 +12,7 @@ services:
 - AWS_PROFILE=${AWS_PROFILE:-open-apparel-registry}
 - GIT_COMMIT=${GIT_COMMIT:-latest}
 - OAR_DEBUG=1
- - OAR_SETTINGS_BUCKET=openapparelregistry-staging-config-us-east-1
+ - OAR_SETTINGS_BUCKET=openapparelregistry-staging-config-eu-west-1
 - OAR_ROLLBAR_ACCESS_TOKEN
 - OAR_DEPLOYMENT_ENVIRONMENT=${OAR_DEPLOYMENT_ENVIRONMENT:-staging}
 working_dir: /usr/local/src
diff --git a/research/dedupe/bootstrap b/research/dedupe/bootstrap
index aa511f69e..83e9ebb2e 100755
--- a/research/dedupe/bootstrap
+++ b/research/dedupe/bootstrap
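Review bot: `batch_ami_id` in variables.tf now hard-codes `ami-00921cd1ce43d567a` under a comment that calls it the latest ECS-optimized AMI for eu-west-1, which stops being true as soon as AWS publishes the next image, and a stale compute-environment AMI is how Batch hosts end up running without current kernel and ECS-agent patches. At minimum the comment should record what was pinned so a reader can judge its age, e.g. `# ECS-optimized Amazon Linux AMI in eu-west-1, pinned <AMI release name/date> — refresh when rotating Batch hosts`. The provider version in use supports `data "aws_ssm_parameter"`, so the recommended image could instead be resolved from the public parameter `/aws/service/ecs/optimized-ami/amazon-linux/recommended/image_id`, keeping the variable only as an explicit override; whether that fits this project's change control is for the maintainers to decide. The `db.t3.micro` and availability-zone changes in the same file look fine.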
@@ -2,8 +2,8 @@ mkdir -p data
 aws s3 sync \
- s3://openapparelregistry-development-data-us-east-1/clean-supplier-lists-2019-01-08 \
+ s3://openapparelregistry-development-data-eu-west-1/clean-supplier-lists-2019-01-08 \
 data/supplier-lists
 aws s3 cp \
- s3://openapparelregistry-development-data-us-east-1/rubota_facilities_2018-02-26.csv \
+ s3://openapparelregistry-development-data-eu-west-1/rubota_facilities_2018-02-26.csv \
 data/rubota_facilities.csv
diff --git a/src/django/api/management/commands/ecsmanage.py b/src/django/api/management/commands/ecsmanage.py
index 882d681b8..b8190fc44 100644
--- a/src/django/api/management/commands/ecsmanage.py
+++ b/src/django/api/management/commands/ecsmanage.py
@@ -42,7 +42,7 @@ def handle(self, *args, **options):
 cmd)
 url = (
- f'https://console.aws.amazon.com/ecs/home?region=us-east-1#'
+ f'https://console.aws.amazon.com/ecs/home?region=eu-west-1#'
 f'/clusters/ecs{self.env}Cluster/tasks/{task_id}/details'
 )
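Review bot: The console URL on the `+` line in ecsmanage.py hard-codes `region=eu-west-1` as one more copy of a value the Jenkinsfile, docker-compose and Terraform variables already carry, so the next region move (this one touched fourteen files) has to find this literal too, and a missed update silently yields a link to the wrong console with no error. If `handle` already builds a boto3 ECS client (its opening lines are outside the hunk), `client.meta.region_name` is the region the task was actually launched in and could be interpolated instead, e.g. `f'https://console.aws.amazon.com/ecs/home?region={region}#'` with `region = client.meta.region_name`; otherwise reading it from the environment with `eu-west-1` as the fallback keeps the two in step. `handle` starts before the hunk.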