@RichardHightower
Last active November 11, 2016 05:19
Using CloudFormation, Packer, etc. for Immutable Infrastructure to build DC/OS and deploy it to Amazon Web Services

We set up a dev environment for DC/OS in AWS (subnets, multiple AZs, auto-scaling groups, AMI images, etc.), tagged everything as dcos-dev, and then used CloudFormer to generate a starter AWS CloudFormation template. CloudFormer reverse-engineers an existing AWS environment into a CloudFormation template. We then modified what CloudFormer produced (it only gets you about 90% of the way there) and added mappings, parameters and outputs to the template.

Included are the CloudFormation and Packer templates. Hope they help you get set up. Feedback is welcome.

"We" in this case means my client, DC/OS support, Amazon support and me. We did this instead of using the canned AWS CloudFormation templates because we needed to run masters and agents in multiple AZs per region.

Production servers are set up, and integration servers are set up as well. It is all immutable infrastructure (for the most part). We have scripts that build a DC/OS cluster from nothing to the full stack (network, security groups, ELB, auto-scaling groups for public and private agents, master instances, user-data, etc.) using AWS CloudFormation.

The two parts that are not yet automated are the Enterprise marathon-lb setup (you have to fire up a micro instance in the bastion security group, install the DC/OS CLI and run one script that is checked into git) and the CNAME/DNS bits, which are controlled by IT. We might install an NS record to delegate a zone to AWS Route 53 and control the virtual host setup with Route 53 aliases, which would let us automate that via CloudFormation. Then we might add a Lambda/SNS event to our CloudFormation stack to handle the marathon-lb install once the stack has finished creating.
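The Lambda side of that "run the marathon-lb install when the stack is done" hook, as an added example that is not part of the gist. CloudFormation publishes stack events to a subscribed SNS topic as a text body of Key='Value' lines; the handler parses that body and acts only on the stack-level *_COMPLETE event of the expected stack, delivered from the expected topic (any other topic is dropped, since whoever can publish to a subscribed topic could otherwise trigger the installer). The topic ARN, stack name and sample records are constructed, and the install step is a hypothetical callable injected by the caller so the decision logic can be tested without DC/OS.

```python
# Added example (not from the gist): decide, from a CloudFormation SNS notification,
# whether the stack has finished and the marathon-lb install should run.
WANTED_STATUS = {"CREATE_COMPLETE", "UPDATE_COMPLETE"}


def parse_stack_event(message):
    """Turn the Key='Value' lines of a CloudFormation SNS message into a dict.
    Split on the first '=' only, because ResourceStatusReason may contain '='."""
    event = {}
    for line in message.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]
        event[key.strip()] = value
    return event


def is_stack_ready(event, stack_name):
    """True only for the stack-level resource reaching a *_COMPLETE state. Per-resource
    events for the same stack carry the same StackName and must be ignored."""
    return (event.get("ResourceType") == "AWS::CloudFormation::Stack"
            and event.get("StackName") == stack_name
            and event.get("ResourceStatus") in WANTED_STATUS)


def make_handler(stack_name, topic_arn, install):
    """Build a Lambda handler (event, context). `install` is the hypothetical callable
    that runs the checked-in marathon-lb install script; it is injected for testability.
    Records from any topic other than the stack's own are dropped."""
    def handler(sns_event, context):
        triggered = []
        for record in sns_event.get("Records", []):
            sns = record.get("Sns", {})
            if sns.get("TopicArn") != topic_arn:
                continue
            event = parse_stack_event(sns.get("Message", ""))
            if is_stack_ready(event, stack_name):
                install(event["StackId"])
                triggered.append(event["StackId"])
        return triggered
    return handler


# Constructed sample: one SNS delivery carrying four stack events (assumed names/ARNs).
TOPIC = "arn:aws:sns:us-east-1:123456789012:dcos-prod-events"
STACK_ID = ("arn:aws:cloudformation:us-east-1:123456789012:"
            "stack/dcos-prod/11111111-2222-3333-4444-555555555555")


def _msg(resource_type, status, logical_id):
    return "\n".join([
        f"StackId='{STACK_ID}'",
        "Timestamp='2016-11-10T21:22:59.541Z'",
        f"LogicalResourceId='{logical_id}'",
        "Namespace='123456789012'",
        f"ResourceStatus='{status}'",
        "ResourceStatusReason=''",
        f"ResourceType='{resource_type}'",
        "StackName='dcos-prod'",
    ])


SAMPLE_EVENT = {"Records": [
    # a per-resource event: same stack, must not trigger
    {"Sns": {"TopicArn": TOPIC, "Message": _msg("AWS::EC2::Instance", "CREATE_COMPLETE", "instanceMaster0")}},
    # stack-level but not finished yet
    {"Sns": {"TopicArn": TOPIC, "Message": _msg("AWS::CloudFormation::Stack", "CREATE_IN_PROGRESS", "dcos-prod")}},
    # finished, but published on a topic we do not trust
    {"Sns": {"TopicArn": "arn:aws:sns:us-east-1:123456789012:other",
             "Message": _msg("AWS::CloudFormation::Stack", "CREATE_COMPLETE", "dcos-prod")}},
    # the one record that should run the install
    {"Sns": {"TopicArn": TOPIC, "Message": _msg("AWS::CloudFormation::Stack", "CREATE_COMPLETE", "dcos-prod")}},
]}


def demo():
    """Run the handler over the sample; return (stack ids acted on, install calls)."""
    installs = []
    handler = make_handler("dcos-prod", TOPIC, installs.append)
    return handler(SAMPLE_EVENT, None), installs


if __name__ == "__main__":
    print(demo())
```

The install callable must itself be idempotent: a stack update republishes UPDATE_COMPLETE, and SNS may deliver a message more than once.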

All AMI creation is automated as well. The CloudFormation templates point to AMI images that we build with Packer and that have all of the prerequisites for the DC/OS advanced install baked in. Packer has excellent support for Amazon AMIs as well as Docker and just about every other image format that exists. We chose CentOS over Amazon Linux so we are less locked in and could move the images to other clouds or containers more readily.

The CloudFormation template has a drop-down parameter (Env) that picks the environment (prod, int, dev); the CIDR ranges and the like are then looked up from CloudFormation mappings keyed on that value.

The DC/OS advanced install tar files and config were uploaded to S3. We use IAM roles and S3 bucket policies to lock down the bucket that holds the DC/OS advanced install artifacts. (We run sudo bash dcos_generate_config.ee.sh and then aws s3 sync genconf/serve/ s3://somebucket-dcos-install-bootstrap/prod to upload the install packages produced by the DC/OS advanced install; the instances pull dcos_install.sh from that bucket at boot using their instance role.)
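What that bucket lock-down can look like, as an added example that is not part of the gist: a bucket policy that lets only the ROLE-DCOS instance role (the role the template attaches to masters and agents) read and list the per-environment prefixes, refuses plaintext HTTP for everyone, and grants nothing else, together with a simplified IAM evaluator so the policy can be checked offline against the exact access the user-data needs. The account id is an assumption, the bucket name is the placeholder used above, and the evaluator models only the operators this policy uses (explicit Deny wins, then some Allow must match); identity policies are not modelled.

```python
# Added example (not from the gist): bootstrap-bucket policy plus an offline check.
import fnmatch
import json

BUCKET = "somebucket-dcos-install-bootstrap"               # placeholder name from the gist
ACCOUNT_ID = "123456789012"                                 # assumption: your AWS account id
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ROLE-DCOS"     # instance role named in the template
ENVS = ("dev", "int", "prod")


def bootstrap_bucket_policy(bucket=BUCKET, role_arn=ROLE_ARN, envs=ENVS):
    """Read + list on the per-env prefixes for the instance role only, a blanket Deny on
    non-TLS requests, nothing else. Uploading (aws s3 sync) is done by an operator's own
    IAM identity and is deliberately absent from this policy."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AgentsReadBootstrap", "Effect": "Allow",
             "Principal": {"AWS": role_arn}, "Action": "s3:GetObject",
             "Resource": [f"{arn}/{env}/*" for env in envs]},
            {"Sid": "AgentsListBootstrap", "Effect": "Allow",
             "Principal": {"AWS": role_arn}, "Action": "s3:ListBucket",
             "Resource": arn,
             "Condition": {"StringLike": {"s3:prefix": [f"{env}/*" for env in envs]}}},
            {"Sid": "DenyPlaintext", "Effect": "Deny",
             "Principal": "*", "Action": "s3:*",
             "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, principal_arn):
    if principal == "*":
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def _condition_matches(condition, context):
    """Only the operators used above (Bool, StringLike). A missing context key makes
    the condition false, as in IAM."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool" and str(actual).lower() != str(wanted).lower():
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(actual, w) for w in _as_list(wanted)):
                return False
    return True


def evaluate(policy, principal_arn, action, resource, context):
    """Simplified IAM decision for one request: explicit Deny wins, otherwise an Allow
    must match, otherwise implicit Deny. Returns "Allow" or "Deny"."""
    decision = "Deny"
    for statement in policy["Statement"]:
        if not _principal_matches(statement["Principal"], principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
            continue
        if not _condition_matches(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    print(json.dumps(bootstrap_bucket_policy(), indent=2))
```

Run it to print the policy for aws s3api put-bucket-policy; the evaluator is there so a change to the policy can be checked against the boot-time request (the instance role fetching $DEPLOY_ENV/dcos_install.sh over TLS) before it is applied.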

The CloudFormation template supports multiple AWS regions and multiple AZs. To do this we use CloudFormation mappings (per-region AMI IDs, per-environment CIDR ranges and master IPs), parameters and outputs.
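Two checks worth running over a template like the one below before every deploy, as an added example that is not part of the gist: the per-environment mapping data must be self-consistent (every subnet inside its VPC range, no overlapping subnets, every static master IP inside one of that environment's subnets, and the same environment keys in VpcCidrs and Ips, since a Ref to Env is looked up in both), and no security-group ingress rule should be open to the whole internet. The excerpt is constructed: the prod mapping data is copied from the template, a second environment is keyed differently in the two mappings on purpose so the check has something to catch, and the two ingress rules are modelled on the template's bastion SSH rule and agent-to-master rule.

```python
# Added example (not from the gist): lint a CloudFormation template's mappings and
# security-group ingress. Pass a template path on the command line, or run the excerpt.
import ipaddress
import json
import sys

WORLD = {"0.0.0.0/0", "::/0"}


def check_cidrs(mappings):
    """Consistency of the VpcCidrs / Ips mappings; returns a list of problem strings."""
    problems = []
    vpc_cidrs = mappings.get("VpcCidrs", {})
    ips = mappings.get("Ips", {})
    for env, cidrs in vpc_cidrs.items():
        vpc = ipaddress.ip_network(cidrs["vpc"])
        subnets = {k: ipaddress.ip_network(v) for k, v in cidrs.items() if k != "vpc"}
        for name, net in subnets.items():
            if not net.subnet_of(vpc):
                problems.append(f"{env}: {name} {net} is not inside vpc {vpc}")
        names = sorted(subnets)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if subnets[a].overlaps(subnets[b]):
                    problems.append(f"{env}: {a} overlaps {b}")
        if env not in ips:
            problems.append(f"{env}: VpcCidrs entry has no matching Ips entry")
            continue
        for master, ip in ips[env].items():
            if not any(ipaddress.ip_address(ip) in net for net in subnets.values()):
                problems.append(f"{env}: {master} {ip} is in none of the subnets")
    for env in ips:
        if env not in vpc_cidrs:
            problems.append(f"{env}: Ips entry has no matching VpcCidrs entry")
    return problems


def check_ingress(resources):
    """Flag stand-alone and inline security-group ingress rules open to the internet."""
    problems = []
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]
        elif res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        else:
            continue
        for rule in rules:
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr in WORLD:
                ports = f"{rule.get('FromPort', 'all')}-{rule.get('ToPort', 'all')}"
                problems.append(f"{name}: {rule.get('IpProtocol')} {ports} open to {cidr}")
    return problems


def lint_template(template):
    return (check_cidrs(template.get("Mappings", {}))
            + check_ingress(template.get("Resources", {})))


# Constructed excerpt (see lead-in): prod data from the template, a deliberately
# mismatched prodW1/prodW2 pair, and two ingress rules.
EXCERPT = {
    "Mappings": {
        "VpcCidrs": {
            "prod": {"vpc": "10.16.197.0/24",
                     "subnetPvtA": "10.16.197.0/26", "subnetPvtB": "10.16.197.64/26",
                     "subnetExtA": "10.16.197.128/27", "subnetExtB": "10.16.197.160/27",
                     "subnetPubA": "10.16.197.192/27", "subnetPubB": "10.16.197.224/27"},
            "prodW1": {"vpc": "10.16.196.0/24",
                       "subnetPubA": "10.16.196.192/27", "subnetPubB": "10.16.196.224/27"},
        },
        "Ips": {
            "prod": {"master0": "10.16.197.205", "master1": "10.16.197.206",
                     "master2": "10.16.197.230"},
            "prodW2": {"master0": "10.16.196.205"},
        },
    },
    "Resources": {
        "ingress34": {"Type": "AWS::EC2::SecurityGroupIngress",
                      "Properties": {"GroupId": {"Ref": "sgBastion"}, "IpProtocol": "tcp",
                                     "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"}},
        "ingress35": {"Type": "AWS::EC2::SecurityGroupIngress",
                      "Properties": {"GroupId": {"Ref": "sgMaster"}, "IpProtocol": "-1",
                                     "SourceSecurityGroupId": {"Ref": "sgPvtAgent"}}},
    },
}

if __name__ == "__main__":
    target = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else EXCERPT
    for problem in lint_template(target):
        print(problem)
```

A world-open finding is not automatically wrong (the ELB and the bastion need some of them), but each one should be a deliberate decision that is re-read at review time rather than something CloudFormer carried over from a hand-built environment.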

We plan on improving the CloudFormation templates and the Packer template as follows:

{
  "variables": {
    "aws_access_key": "",
    "aws_secret_key": "",
    "aws_region": "us-east-1",
    "aws_ami_image": "ami-6d1c2007",
    "aws_instance_type": "m4.large"
  },
  "builders": [
    {
      "type": "amazon-ebs",
      "access_key": "{{user `aws_access_key`}}",
      "secret_key": "{{user `aws_secret_key`}}",
      "region": "{{user `aws_region`}}",
      "source_ami": "{{user `aws_ami_image`}}",
      "instance_type": "{{user `aws_instance_type`}}",
      "ssh_username": "centos",
      "ami_name": "base-centos-7-dcos-{{timestamp}}",
      "tags": {
        "Name": "ami-centos7-dcos-v1",
        "OS_Version": "LinuxCentOs7",
        "Release": "7",
        "Description": "Base CentOs7 image with prerequisites for DC/OS"
      },
      "user_data_file": "files/user-data.txt"
    }
  ],
  "provisioners": [
    {
      "type": "shell",
      "inline": [
        "mkdir -p /home/centos/install"
      ]
    },
    {
      "type": "file",
      "source": "files/overlay.conf",
      "destination": "/home/centos/install/overlay.conf"
    },
    {
      "type": "shell",
      "expect_disconnect": true,
      "inline": [
        "sudo mkdir -p /etc/modules-load.d",
        "sudo mv /home/centos/install/overlay.conf /etc/modules-load.d/overlay.conf",
        "sudo reboot"
      ]
    },
    {
      "type": "file",
      "pause_before": "30s",
      "source": "files/docker.repo",
      "destination": "/home/centos/install/docker.repo"
    },
    {
      "type": "file",
      "source": "files/override.conf",
      "destination": "/home/centos/install/override.conf"
    },
    {
      "type": "shell",
      "expect_disconnect": true,
      "inline": [
        "echo installing Docker -----------------------------------",
        "sudo mkdir -p /etc/systemd/system/docker.service.d",
        "sudo mv /home/centos/install/override.conf /etc/systemd/system/docker.service.d/override.conf",
        "sudo mv /home/centos/install/docker.repo /etc/yum.repos.d/docker.repo",
        "sudo yum install -y docker-engine-1.11.2",
        "sudo systemctl start docker",
        "sudo systemctl enable docker",
        "sudo docker ps",
        "echo DONE installing Docker -----------------------------",
        "sudo yum install -y tar xz unzip curl ipset nano tree",
        "sudo sed -i s/SELINUX=enforcing/SELINUX=permissive/g /etc/selinux/config",
        "sudo groupadd nogroup",
        "sudo reboot"
      ]
    },
    {
      "type": "shell",
      "pause_before": "30s",
      "inline": [
        "echo installing aws cli -------------------------------",
        "mkdir -p /tmp/awscli",
        "cd /tmp/awscli",
        "curl -fsSL https://s3.amazonaws.com/aws-cli/awscli-bundle.zip -o awscli-bundle.zip",
        "unzip -q awscli-bundle.zip",
        "sudo ./awscli-bundle/install -i /usr/lib/aws -b /usr/bin/aws",
        "echo DONE installing aws cli -------------------------------"
      ]
    },
    {
      "type": "shell",
      "inline": [
        "echo DONE installing packages for CentOS7 DC/OS"
      ]
    }
  ]
}
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create VPC, subnets, auto-scale groups for DC/OS",
"Conditions": {
"RegionIsUsEast1": {
"Fn::Equals": [
{
"Ref": "AWS::Region"
},
"us-east-1"
]
}
},
"Parameters": {
"Env": {
"Type": "String",
"Default": "int",
"AllowedValues": [
"dev",
"int",
"prod"
],
"Description": "Enter an environment"
},
"MasterInstanceType" : {
"Type" : "String",
"Default" : "m4.large",
"AllowedValues" : [ "m3.medium", "m4.large", "m4.xlarge"],
"Description" : "Enter in master instance type"
},
"PvtAgentInstanceType" : {
"Type" : "String",
"Default" : "m4.2xlarge",
"AllowedValues" : [ "m3.medium", "m4.large", "m4.xlarge", "m4.2xlarge", "m4.4xlarge", "m4.10xlarge", "m4.16xlarge"],
"Description" : "Enter in dcos private agent instance type"
},
"PubAgentInstanceType" : {
"Type" : "String",
"Default" : "m4.xlarge",
"AllowedValues" : [ "m3.medium", "m4.large", "m4.xlarge", "m4.2xlarge", "m4.4xlarge"],
"Description" : "Enter in dcos public agent instance type"
},
"SSLCertificateId": {
"Type": "String",
"Default": "arn:aws:acm:us-west-2:REDACTED:certificate/REDACTED",
"AllowedValues" : ["arn:aws:acm:us-east-1:REDACTED:certificate/REDACTED",
"arn:aws:acm:us-west-2:REDACTED:certificate/REDACTED-4bb3-41f1-REDACTED-REDACTED"],
"Description": "The ARN of the SSL certificate to use."
},
"KeyName": {
"Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
"Type": "AWS::EC2::KeyPair::KeyName",
"ConstraintDescription": "must be the name of an existing EC2 KeyPair."
}
},
"Mappings": {
"AMIRegionMap": {
"us-east-1": {
"baseCentOs": "ami-3a81a52d"
},
"us-west-2": {
"baseCentOs": "ami-a164c5c1"
}
},
"VpcCidrs": {
"dev": {
"vpc": "10.16.193.0/24",
"subnetPvtA": "10.16.193.0/26",
"subnetPvtB": "10.16.193.64/26",
"subnetExtA": "10.16.193.128/27",
"subnetExtB": "10.16.193.160/27",
"subnetPubA": "10.16.193.192/27",
"subnetPubB": "10.16.193.224/27"
},
"int": {
"vpc": "10.16.194.0/24",
"subnetPvtA": "10.16.194.0/26",
"subnetPvtB": "10.16.194.64/26",
"subnetExtA": "10.16.194.128/27",
"subnetExtB": "10.16.194.160/27",
"subnetPubA": "10.16.194.192/27",
"subnetPubB": "10.16.194.224/27"
},
"prod": {
"vpc": "10.16.197.0/24",
"subnetPvtA": "10.16.197.0/26",
"subnetPvtB": "10.16.197.64/26",
"subnetExtA": "10.16.197.128/27",
"subnetExtB": "10.16.197.160/27",
"subnetPubA": "10.16.197.192/27",
"subnetPubB": "10.16.197.224/27"
},
"prodW1": {
"vpc": "10.16.196.0/24",
"subnetPvtA": "10.16.196.0/26",
"subnetPvtB": "10.16.196.64/26",
"subnetExtA": "10.16.196.128/27",
"subnetExtB": "10.16.196.160/27",
"subnetPubA": "10.16.196.192/27",
"subnetPubB": "10.16.196.224/27"
}
},
"Ips": {
"dev": {
"master0": "10.16.193.205",
"master1": "10.16.193.206",
"master2": "10.16.193.230"
},
"int": {
"master0": "10.16.194.205",
"master1": "10.16.194.206",
"master2": "10.16.194.230"
},
"prod": {
"master0": "10.16.197.205",
"master1": "10.16.197.206",
"master2": "10.16.197.230"
},
"prodW1": {
"master0": "10.16.196.205",
"master1": "10.16.196.206",
"master2": "10.16.196.230"
}
}
},
"Outputs" : {
"vpc" : {
"Description": "VPC id",
"Value" : { "Ref":"vpc"},
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-vpc" }
}
},
"subnetExtA" : {
"Description": "subnetExtA id",
"Value" : { "Ref":"subnetExtA"},
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-subnetExtA" }
}
},
"subnetExtB" : {
"Description": "subnetExtB id",
"Value" : { "Ref":"subnetExtB"},
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-subnetExtB" }
}
},
"subnetPubA" : {
"Description": "subnetPubA id",
"Value" : { "Ref":"subnetPubA"},
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-subnetPubA" }
}
},
"subnetPubB" : {
"Description": "subnetPubB id",
"Value" : { "Ref":"subnetPubB"},
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-subnetPubB" }
}
},
"subnetPvtA" : {
"Description": "subnetPvtA id",
"Value" : { "Ref":"subnetPvtA"},
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-subnetPvtA" }
}
},
"subnetPvtB" : {
"Description": "subnetPvtB id",
"Value" : { "Ref":"subnetPvtB"},
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-subnetPvtB" }
}
},
"instanceMaster0" : {
"Description": "instanceMaster0 id",
"Value" : { "Ref":"instanceMaster0"},
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-instanceMaster0" }
}
},
"instanceMaster1" : {
"Description": "instanceMaster1 id",
"Value" : { "Ref":"instanceMaster1"},
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-instanceMaster1" }
}
},
"instanceMaster2" : {
"Description": "instanceMaster2 id",
"Value" : { "Ref":"instanceMaster2"},
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-instanceMaster2" }
}
},
"instanceMaster0PubIp" : {
"Description": "instanceMaster0 Public IP",
"Value" : { "Fn::GetAtt" : [ "instanceMaster0", "PublicIp" ]},
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-instanceMaster0PubIp" }
}
},
"instanceMaster1PubIp" : {
"Description": "instanceMaster1 Public IP",
"Value" : { "Fn::GetAtt" : [ "instanceMaster1", "PublicIp" ]},
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-instanceMaster1PubIp" }
}
},
"instanceMaster2PubIp" : {
"Description": "instanceMaster2 Public IP",
"Value" : { "Fn::GetAtt" : [ "instanceMaster2", "PublicIp" ]},
"Export" : {
"Name" : {"Fn::Sub": "${AWS::StackName}-instanceMaster2PubIp" }
}
}
},
"Resources": {
"vpc": {
"Type": "AWS::EC2::VPC",
"Properties": {
"CidrBlock": {
"Fn::FindInMap": [
"VpcCidrs",
{
"Ref": "Env"
},
"vpc"
]
},
"InstanceTenancy": "default",
"EnableDnsSupport": "true",
"EnableDnsHostnames": "false",
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"vpc",
{
"Ref": "Env"
},
{
"Ref": "AWS::Region"
}
]
]
}
}
]
}
},
"subnetExtA": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": {
"Fn::FindInMap": [
"VpcCidrs",
{
"Ref": "Env"
},
"subnetExtA"
]
},
"AvailabilityZone": {
"Fn::Select": [
"0",
{
"Fn::GetAZs": ""
}
]
},
"VpcId": {
"Ref": "vpc"
},
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"net",
{
"Ref": "Env"
},
"ext",
{
"Ref": "AWS::Region"
},
"a"
]
]
}
}
]
}
},
"subnetExtB": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": {
"Fn::FindInMap": [
"VpcCidrs",
{
"Ref": "Env"
},
"subnetExtB"
]
},
"AvailabilityZone": {
"Fn::Select": [
"1",
{
"Fn::GetAZs": ""
}
]
},
"VpcId": {
"Ref": "vpc"
},
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"net",
{
"Ref": "Env"
},
"ext",
{
"Ref": "AWS::Region"
},
"b"
]
]
}
}
]
}
},
"subnetPvtA": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": {
"Fn::FindInMap": [
"VpcCidrs",
{
"Ref": "Env"
},
"subnetPvtA"
]
},
"AvailabilityZone": {
"Fn::Select": [
"0",
{
"Fn::GetAZs": ""
}
]
},
"VpcId": {
"Ref": "vpc"
},
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"net",
{
"Ref": "Env"
},
"pvt",
{
"Ref": "AWS::Region"
},
"a"
]
]
}
}
]
}
},
"subnetPubB": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": {
"Fn::FindInMap": [
"VpcCidrs",
{
"Ref": "Env"
},
"subnetPubB"
]
},
"AvailabilityZone": {
"Fn::Select": [
"1",
{
"Fn::GetAZs": ""
}
]
},
"VpcId": {
"Ref": "vpc"
},
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"net",
{
"Ref": "Env"
},
"pub",
{
"Ref": "AWS::Region"
},
"b"
]
]
}
}
]
}
},
"subnetPvtB": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": {
"Fn::FindInMap": [
"VpcCidrs",
{
"Ref": "Env"
},
"subnetPvtB"
]
},
"AvailabilityZone": {
"Fn::Select": [
"1",
{
"Fn::GetAZs": ""
}
]
},
"VpcId": {
"Ref": "vpc"
},
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"net",
{
"Ref": "Env"
},
"pvt",
{
"Ref": "AWS::Region"
},
"b"
]
]
}
}
]
}
},
"subnetPubA": {
"Type": "AWS::EC2::Subnet",
"Properties": {
"CidrBlock": {
"Fn::FindInMap": [
"VpcCidrs",
{
"Ref": "Env"
},
"subnetPubA"
]
},
"AvailabilityZone": {
"Fn::Select": [
"0",
{
"Fn::GetAZs": ""
}
]
},
"VpcId": {
"Ref": "vpc"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"net",
{
"Ref": "Env"
},
"pub",
{
"Ref": "AWS::Region"
},
"a"
]
]
}
},
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
}
]
}
},
"internetGateway": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"igw",
{
"Ref": "Env"
},
{
"Ref": "AWS::Region"
}
]
]
}
}
]
}
},
"elbPub": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"Properties": {
"Policies": [
{
"PolicyName": "AWSConsole-SSLNegotiationPolicy-elb-dev-pub-1477609307891",
"PolicyType": "SSLNegotiationPolicyType",
"Attributes": [
{
"Name": "Reference-Security-Policy",
"Value": "ELBSecurityPolicy-2016-08"
}
]
}
],
"Subnets": [
{
"Ref": "subnetPubA"
},
{
"Ref": "subnetPubB"
}
],
"HealthCheck": {
"HealthyThreshold": "10",
"Interval": "30",
"Target": "HTTP:9090/_haproxy_health_check",
"Timeout": "5",
"UnhealthyThreshold": "2"
},
"ConnectionDrainingPolicy": {
"Enabled": "true",
"Timeout": "300"
},
"ConnectionSettings": {
"IdleTimeout": "60"
},
"CrossZone": "true",
"SecurityGroups": [
{
"Ref": "sgPubAgent"
},
{
"Ref": "sgDefault"
}
],
"Listeners": [
{
"InstancePort": "80",
"LoadBalancerPort": "443",
"Protocol": "HTTPS",
"InstanceProtocol": "HTTP",
"SSLCertificateId": {
"Ref": "SSLCertificateId"
}
}
],
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
}
]
}
},
"dhcpOptions": {
"Type": "AWS::EC2::DHCPOptions",
"Properties": {
"DomainNameServers": [
"AmazonProvidedDNS"
],
"DomainName": {
"Fn::If": [
"RegionIsUsEast1",
"ec2.internal",
{
"Fn::Join": [
"",
[
{
"Ref": "AWS::Region"
},
".compute.internal"
]
]
}
]
}
}
},
"networkAcl": {
"Type": "AWS::EC2::NetworkAcl",
"Properties": {
"VpcId": {
"Ref": "vpc"
}
}
},
"routeTableNatB": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "vpc"
},
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"rtb",
{
"Ref": "Env"
},
"nat",
{
"Ref": "AWS::Region"
},
"b"
]
]
}
}
]
}
},
"routeTableNatA": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "vpc"
},
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"rtb",
{
"Ref": "Env"
},
"nat",
{
"Ref": "AWS::Region"
},
"a"
]
]
}
}
]
}
},
"routeTablePublic": {
"Type": "AWS::EC2::RouteTable",
"Properties": {
"VpcId": {
"Ref": "vpc"
},
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"rtb",
{
"Ref": "Env"
},
"public",
{
"Ref": "AWS::Region"
}
]
]
}
}
]
}
},
"natGatewayA": {
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"eipNatGatewayA",
"AllocationId"
]
},
"SubnetId": {
"Ref": "subnetPubA"
}
},
"DependsOn": [
"instanceMaster0",
"instanceMaster1",
"instanceMaster2"
]
},
"natGatewayB": {
"Type": "AWS::EC2::NatGateway",
"Properties": {
"AllocationId": {
"Fn::GetAtt": [
"eipNatGatewayB",
"AllocationId"
]
},
"SubnetId": {
"Ref": "subnetPubB"
}
},
"DependsOn": [
"instanceMaster0",
"instanceMaster1",
"instanceMaster2"
]
},
"eipNatGatewayA": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"eipNatGatewayB": {
"Type": "AWS::EC2::EIP",
"Properties": {
"Domain": "vpc"
}
},
"agsPvtAgent": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Properties": {
"AvailabilityZones": [
{
"Fn::Select": [
"0",
{
"Fn::GetAZs": ""
}
]
},
{
"Fn::Select": [
"1",
{
"Fn::GetAZs": ""
}
]
}
],
"Cooldown": "30",
"DesiredCapacity": "2",
"HealthCheckGracePeriod": "30",
"HealthCheckType": "EC2",
"MaxSize": "2",
"MinSize": "2",
"VPCZoneIdentifier": [
{
"Ref": "subnetPvtA"
},
{
"Ref": "subnetPvtB"
}
],
"LaunchConfigurationName": {
"Ref": "agsLaunchConfigPvtAgent"
},
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
},
"PropagateAtLaunch": true
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"i",
{
"Ref": "Env"
},
"dcos-pvt-agent",
{
"Ref": "AWS::Region"
}
]
]
},
"PropagateAtLaunch": true
}
],
"TerminationPolicies": [
"Default"
]
},
"DependsOn": [
"instanceMaster0",
"instanceMaster1",
"instanceMaster2",
"natGatewayB",
"natGatewayA"
]
},
"asgPubAgent": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"Properties": {
"AvailabilityZones": [
{
"Fn::Select": [
"0",
{
"Fn::GetAZs": ""
}
]
},
{
"Fn::Select": [
"1",
{
"Fn::GetAZs": ""
}
]
}
],
"Cooldown": "30",
"DesiredCapacity": "2",
"HealthCheckGracePeriod": "30",
"HealthCheckType": "EC2",
"MaxSize": "4",
"MinSize": "2",
"VPCZoneIdentifier": [
{
"Ref": "subnetPubB"
},
{
"Ref": "subnetPubA"
}
],
"LaunchConfigurationName": {
"Ref": "agsLaunchConfigPubAgent"
},
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
},
"PropagateAtLaunch": true
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"i",
{
"Ref": "Env"
},
"dcos-pub-agent",
{
"Ref": "AWS::Region"
}
]
]
},
"PropagateAtLaunch": true
}
],
"TerminationPolicies": [
"Default"
],
"LoadBalancerNames": [
{
"Ref": "elbPub"
}
]
},
"DependsOn": [
"instanceMaster0",
"instanceMaster1",
"instanceMaster2"
]
},
"agsLaunchConfigPvtAgent": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Properties": {
"ImageId": {
"Fn::FindInMap": [
"AMIRegionMap",
{
"Ref": "AWS::Region"
},
"baseCentOs"
]
},
"InstanceType": {"Ref" : "PvtAgentInstanceType"},
"KeyName": {
"Ref": "KeyName"
},
"IamInstanceProfile": "ROLE-DCOS",
"InstanceMonitoring": "true",
"SecurityGroups": [
{
"Ref": "sgPvtAgent"
}
],
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": {
"VolumeSize": 400
}
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"\n",
[
"#!/bin/bash",
"ROLE=slave",
{
"Fn::Join": [
"=",
[
"DEPLOY_ENV",
{
"Ref": "Env"
}
]
]
},
"AZ=$(curl -s --max-time 5 http://169.254.169.254/latest/meta-data/placement/availability-zone)",
"BOOTSTRAP_BUCKET_FOLDER=\"s3://somebucket-dcos-install-bootstrap/$DEPLOY_ENV\"",
"echo \"Installing from $BOOTSTRAP_BUCKET_FOLDER FOR ROLE $ROLE, ENV $DEPLOY_ENV for AZ $AZ\"",
"mkdir /tmp/dcos && cd /tmp/dcos",
"mkdir -p /var/lib/dcos/",
"echo \"MESOS_ATTRIBUTES=AZ:$AZ\" > /var/lib/dcos/mesos-slave-common",
"aws s3 cp $BOOTSTRAP_BUCKET_FOLDER/dcos_install.sh . ",
"/bin/bash dcos_install.sh \"$ROLE\" \n"
]
]
}
}
}
},
"agsLaunchConfigPubAgent": {
"Type": "AWS::AutoScaling::LaunchConfiguration",
"Properties": {
"AssociatePublicIpAddress": true,
"ImageId": {
"Fn::FindInMap": [
"AMIRegionMap",
{
"Ref": "AWS::Region"
},
"baseCentOs"
]
},
"InstanceType": {"Ref" : "PubAgentInstanceType"},
"KeyName": {
"Ref": "KeyName"
},
"IamInstanceProfile": "ROLE-DCOS",
"InstanceMonitoring": "true",
"SecurityGroups": [
{
"Ref": "sgPubAgent"
}
],
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": {
"VolumeSize": 400
}
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"\n",
[
"#!/bin/bash",
"ROLE=slave_public",
{
"Fn::Join": [
"=",
[
"DEPLOY_ENV",
{
"Ref": "Env"
}
]
]
},
"AZ=$(curl -s --max-time 5 http://169.254.169.254/latest/meta-data/placement/availability-zone)",
"BOOTSTRAP_BUCKET_FOLDER=\"s3://somebucket-dcos-install-bootstrap/$DEPLOY_ENV\"",
"echo \"Installing from $BOOTSTRAP_BUCKET_FOLDER FOR ROLE $ROLE, ENV $DEPLOY_ENV for AZ $AZ\"",
"mkdir /tmp/dcos && cd /tmp/dcos",
"mkdir -p /var/lib/dcos/",
"echo \"MESOS_ATTRIBUTES=AZ:$AZ\" > /var/lib/dcos/mesos-slave-common",
"aws s3 cp $BOOTSTRAP_BUCKET_FOLDER/dcos_install.sh . ",
"/bin/bash dcos_install.sh \"$ROLE\" \n"
]
]
}
}
}
},
"instanceMaster0Profile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
"ROLE-DCOS"
]
}
},
"instanceMaster1Profile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
"ROLE-DCOS"
]
}
},
"instanceMaster2Profile": {
"Type": "AWS::IAM::InstanceProfile",
"Properties": {
"Path": "/",
"Roles": [
"ROLE-DCOS"
]
}
},
"instanceMaster2": {
"Type": "AWS::EC2::Instance",
"Properties": {
"DisableApiTermination": "false",
"InstanceInitiatedShutdownBehavior": "stop",
"IamInstanceProfile": {
"Ref": "instanceMaster2Profile"
},
"ImageId": {
"Fn::FindInMap": [
"AMIRegionMap",
{
"Ref": "AWS::Region"
},
"baseCentOs"
]
},
"InstanceType": {"Ref" : "MasterInstanceType"},
"KeyName": {
"Ref": "KeyName"
},
"Monitoring": "true",
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"i",
{
"Ref": "Env"
},
"dcos-master2",
{
"Ref": "AWS::Region"
},
"b"
]
]
}
}
],
"NetworkInterfaces": [
{
"DeleteOnTermination": "true",
"DeviceIndex": 0,
"SubnetId": {
"Ref": "subnetPubB"
},
"PrivateIpAddresses": [
{
"PrivateIpAddress": {
"Fn::FindInMap": [
"Ips",
{
"Ref": "Env"
},
"master2"
]
},
"Primary": "true"
}
],
"GroupSet": [
{
"Ref": "sgMaster"
}
],
"AssociatePublicIpAddress": "true"
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"\n",
[
"#!/bin/bash",
"ROLE=master",
{
"Fn::Join": [
"=",
[
"DEPLOY_ENV",
{
"Ref": "Env"
}
]
]
},
"AZ=$(curl -s --max-time 5 http://169.254.169.254/latest/meta-data/placement/availability-zone)",
"BOOTSTRAP_BUCKET_FOLDER=\"s3://somebucket-dcos-install-bootstrap/$DEPLOY_ENV\"",
"echo \"Installing from $BOOTSTRAP_BUCKET_FOLDER FOR ROLE $ROLE, ENV $DEPLOY_ENV for AZ $AZ\"",
"mkdir /tmp/dcos && cd /tmp/dcos",
"aws s3 cp $BOOTSTRAP_BUCKET_FOLDER/dcos_install.sh . ",
"/bin/bash dcos_install.sh \"$ROLE\" \n"
]
]
}
}
}
},
"instanceMaster1": {
"Type": "AWS::EC2::Instance",
"Properties": {
"DisableApiTermination": "false",
"InstanceInitiatedShutdownBehavior": "stop",
"IamInstanceProfile": {
"Ref": "instanceMaster1Profile"
},
"ImageId": {
"Fn::FindInMap": [
"AMIRegionMap",
{
"Ref": "AWS::Region"
},
"baseCentOs"
]
},
"InstanceType": {"Ref" : "MasterInstanceType"},
"KeyName": {
"Ref": "KeyName"
},
"Monitoring": "true",
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"i",
{
"Ref": "Env"
},
"dcos-master1",
{
"Ref": "AWS::Region"
},
"a"
]
]
}
}
],
"NetworkInterfaces": [
{
"DeleteOnTermination": "true",
"DeviceIndex": 0,
"SubnetId": {
"Ref": "subnetPubA"
},
"PrivateIpAddresses": [
{
"PrivateIpAddress": {
"Fn::FindInMap": [
"Ips",
{
"Ref": "Env"
},
"master1"
]
},
"Primary": "true"
}
],
"GroupSet": [
{
"Ref": "sgMaster"
}
],
"AssociatePublicIpAddress": "true"
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"\n",
[
"#!/bin/bash",
"ROLE=master",
{
"Fn::Join": [
"=",
[
"DEPLOY_ENV",
{
"Ref": "Env"
}
]
]
},
"AZ=$(curl -s --max-time 5 http://169.254.169.254/latest/meta-data/placement/availability-zone)",
"BOOTSTRAP_BUCKET_FOLDER=\"s3://somebucket-dcos-install-bootstrap/$DEPLOY_ENV\"",
"echo \"Installing from $BOOTSTRAP_BUCKET_FOLDER FOR ROLE $ROLE, ENV $DEPLOY_ENV for AZ $AZ\"",
"mkdir /tmp/dcos && cd /tmp/dcos",
"aws s3 cp $BOOTSTRAP_BUCKET_FOLDER/dcos_install.sh . ",
"/bin/bash dcos_install.sh \"$ROLE\" \n"
]
]
}
}
}
},
"instanceMaster0": {
"Type": "AWS::EC2::Instance",
"Properties": {
"DisableApiTermination": "false",
"InstanceInitiatedShutdownBehavior": "stop",
"IamInstanceProfile": {
"Ref": "instanceMaster0Profile"
},
"ImageId": {
"Fn::FindInMap": [
"AMIRegionMap",
{
"Ref": "AWS::Region"
},
"baseCentOs"
]
},
"InstanceType": {"Ref" : "MasterInstanceType"},
"KeyName": {
"Ref": "KeyName"
},
"Monitoring": "true",
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"i",
{
"Ref": "Env"
},
"dcos-master0",
{
"Ref": "AWS::Region"
},
"a"
]
]
}
},
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
}
],
"NetworkInterfaces": [
{
"DeleteOnTermination": "true",
"DeviceIndex": 0,
"SubnetId": {
"Ref": "subnetPubA"
},
"PrivateIpAddresses": [
{
"PrivateIpAddress": {
"Fn::FindInMap": [
"Ips",
{
"Ref": "Env"
},
"master0"
]
},
"Primary": "true"
}
],
"GroupSet": [
{
"Ref": "sgMaster"
}
],
"AssociatePublicIpAddress": "true"
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"\n",
[
"#!/bin/bash",
"ROLE=master",
{
"Fn::Join": [
"=",
[
"DEPLOY_ENV",
{
"Ref": "Env"
}
]
]
},
"AZ=$(curl -s --max-time 5 http://169.254.169.254/latest/meta-data/placement/availability-zone)",
"BOOTSTRAP_BUCKET_FOLDER=\"s3://somebucket-dcos-install-bootstrap/$DEPLOY_ENV\"",
"echo \"Installing from $BOOTSTRAP_BUCKET_FOLDER FOR ROLE $ROLE, ENV $DEPLOY_ENV for AZ $AZ\"",
"mkdir /tmp/dcos && cd /tmp/dcos",
"aws s3 cp $BOOTSTRAP_BUCKET_FOLDER/dcos_install.sh . ",
"/bin/bash dcos_install.sh \"$ROLE\" \n"
]
]
}
}
}
},
"sgBastion": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "This security group was generated by AWS Marketplace and is based on recommended settings for CentOS 7 (x86_64) - with Updates HVM version 1602 provided by Centos.org",
"VpcId": {
"Ref": "vpc"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"sg",
{
"Ref": "Env"
},
"bastion",
{
"Ref": "AWS::Region"
}
]
]
}
},
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
}
]
}
},
"sgMaster": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Master DCOS security group",
"VpcId": {
"Ref": "vpc"
},
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"sg",
{
"Ref": "Env"
},
"dcos-master",
{
"Ref": "AWS::Region"
}
]
]
}
}
]
}
},
"sgDefault": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "default VPC security group",
"VpcId": {
"Ref": "vpc"
},
"Tags": [
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"sg",
{
"Ref": "Env"
},
"default",
{
"Ref": "AWS::Region"
}
]
]
}
},
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
}
]
}
},
"sgPvtAgent": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Agent for Agent Subnet running DC/OS agents",
"VpcId": {
"Ref": "vpc"
},
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"sg",
{
"Ref": "Env"
},
"dcos-pvt-agent",
{
"Ref": "AWS::Region"
}
]
]
}
}
]
}
},
"sgPubAgent": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Public agent ",
"VpcId": {
"Ref": "vpc"
},
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"sg",
{
"Ref": "Env"
},
"dcos-pub-agent",
{
"Ref": "AWS::Region"
}
]
]
}
}
]
}
},
"sgInfluxDb": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "InfluxDb SG",
"VpcId": {
"Ref": "vpc"
},
"Tags": [
{
"Key": "CFID",
"Value": {
"Fn::Join": [
"-",
[
"dcos",
{
"Ref": "Env"
}
]
]
}
},
{
"Key": "Name",
"Value": {
"Fn::Join": [
".",
[
"sg",
{
"Ref": "Env"
},
"influxdb",
{
"Ref": "AWS::Region"
}
]
]
}
}
]
}
},
"netAclEntryEgress": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "0.0.0.0/0",
"Egress": "true",
"Protocol": "-1",
"RuleAction": "allow",
"RuleNumber": "100",
"NetworkAclId": {
"Ref": "networkAcl"
}
}
},
"netAclEntryIngress": {
"Type": "AWS::EC2::NetworkAclEntry",
"Properties": {
"CidrBlock": "0.0.0.0/0",
"Protocol": "-1",
"RuleAction": "allow",
"RuleNumber": "100",
"NetworkAclId": {
"Ref": "networkAcl"
}
}
},
"subnetAclExt": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"NetworkAclId": {
"Ref": "networkAcl"
},
"SubnetId": {
"Ref": "subnetExtB"
}
}
},
"subnetAclPubA": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"NetworkAclId": {
"Ref": "networkAcl"
},
"SubnetId": {
"Ref": "subnetPubA"
}
}
},
"subnetAclPvtB": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"NetworkAclId": {
"Ref": "networkAcl"
},
"SubnetId": {
"Ref": "subnetPvtB"
}
}
},
"subnetAclPubB": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"NetworkAclId": {
"Ref": "networkAcl"
},
"SubnetId": {
"Ref": "subnetPubB"
}
}
},
"subnetAclExtA": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"NetworkAclId": {
"Ref": "networkAcl"
},
"SubnetId": {
"Ref": "subnetExtA"
}
}
},
"subnetToNetAclAssociation": {
"Type": "AWS::EC2::SubnetNetworkAclAssociation",
"Properties": {
"NetworkAclId": {
"Ref": "networkAcl"
},
"SubnetId": {
"Ref": "subnetPvtA"
}
}
},
"vpcToInternetGatewayAttachment": {
"Type": "AWS::EC2::VPCGatewayAttachment",
"Properties": {
"VpcId": {
"Ref": "vpc"
},
"InternetGatewayId": {
"Ref": "internetGateway"
}
}
},
"subnetroute14": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "routeTableNatB"
},
"SubnetId": {
"Ref": "subnetExtB"
}
}
},
"subnetroute15": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "routeTableNatB"
},
"SubnetId": {
"Ref": "subnetPvtB"
}
}
},
"subnetroute16": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "routeTableNatA"
},
"SubnetId": {
"Ref": "subnetPvtA"
}
}
},
"subnetroute17": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "routeTableNatA"
},
"SubnetId": {
"Ref": "subnetExtA"
}
}
},
"subnetroute18": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "routeTablePublic"
},
"SubnetId": {
"Ref": "subnetPubA"
}
}
},
"subnetroute19": {
"Type": "AWS::EC2::SubnetRouteTableAssociation",
"Properties": {
"RouteTableId": {
"Ref": "routeTablePublic"
},
"SubnetId": {
"Ref": "subnetPubB"
}
}
},
"route14": {
"Type": "AWS::EC2::Route",
"Properties": {
"NatGatewayId": {
"Ref": "natGatewayB"
},
"DestinationCidrBlock": "0.0.0.0/0",
"RouteTableId": {
"Ref": "routeTableNatB"
}
}
},
"route17": {
"Type": "AWS::EC2::Route",
"Properties": {
"NatGatewayId": {
"Ref": "natGatewayA"
},
"DestinationCidrBlock": "0.0.0.0/0",
"RouteTableId": {
"Ref": "routeTableNatA"
}
}
},
"route20": {
"Type": "AWS::EC2::Route",
"Properties": {
"DestinationCidrBlock": "0.0.0.0/0",
"RouteTableId": {
"Ref": "routeTablePublic"
},
"GatewayId": {
"Ref": "internetGateway"
}
},
"DependsOn": "vpcToInternetGatewayAttachment"
},
"dchpassoc6": {
"Type": "AWS::EC2::VPCDHCPOptionsAssociation",
"Properties": {
"VpcId": {
"Ref": "vpc"
},
"DhcpOptionsId": {
"Ref": "dhcpOptions"
}
}
},
"ingress31": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgBastion"
},
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"SourceSecurityGroupId": {
"Ref": "sgMaster"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress32": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgBastion"
},
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"SourceSecurityGroupId": {
"Ref": "sgPvtAgent"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress33": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgBastion"
},
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"SourceSecurityGroupId": {
"Ref": "sgPubAgent"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress34": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgBastion"
},
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
},
"ingress35": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgMaster"
},
"IpProtocol": "-1",
"SourceSecurityGroupId": {
"Ref": "sgPvtAgent"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress36": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgMaster"
},
"IpProtocol": "-1",
"SourceSecurityGroupId": {
"Ref": "sgPubAgent"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress37": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgMaster"
},
"IpProtocol": "-1",
"SourceSecurityGroupId": {
"Ref": "sgMaster"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress39": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgMaster"
},
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
}
},
"ingress49": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgMaster"
},
"IpProtocol": "-1",
"SourceSecurityGroupId": {
"Ref": "sgBastion"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress40": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgDefault"
},
"IpProtocol": "-1",
"SourceSecurityGroupId": {
"Ref": "sgDefault"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress41": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgPvtAgent"
},
"IpProtocol": "-1",
"SourceSecurityGroupId": {
"Ref": "sgMaster"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress42": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgPvtAgent"
},
"IpProtocol": "-1",
"SourceSecurityGroupId": {
"Ref": "sgPvtAgent"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress43": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgPvtAgent"
},
"IpProtocol": "-1",
"SourceSecurityGroupId": {
"Ref": "sgPubAgent"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress44": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgPvtAgent"
},
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"SourceSecurityGroupId": {
"Ref": "sgBastion"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress45": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgPubAgent"
},
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"CidrIp": "0.0.0.0/0"
}
},
"ingress46": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgPubAgent"
},
"IpProtocol": "-1",
"SourceSecurityGroupId": {
"Ref": "sgMaster"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress47": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgPubAgent"
},
"IpProtocol": "-1",
"SourceSecurityGroupId": {
"Ref": "sgBastion"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress48": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgPubAgent"
},
"IpProtocol": "-1",
"SourceSecurityGroupId": {
"Ref": "sgPubAgent"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress50": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgPubAgent"
},
"IpProtocol": "tcp",
"FromPort": "9090",
"ToPort": "9090",
"CidrIp": "0.0.0.0/0"
}
},
"ingress51": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgPubAgent"
},
"IpProtocol": "tcp",
"FromPort": "443",
"ToPort": "443",
"CidrIp": "0.0.0.0/0"
}
},
"ingress52": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgInfluxDb"
},
"IpProtocol": "tcp",
"FromPort": "22",
"ToPort": "22",
"CidrIp": "0.0.0.0/0"
}
},
"ingress53": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgInfluxDb"
},
"IpProtocol": "tcp",
"FromPort": "8086",
"ToPort": "8086",
"SourceSecurityGroupId": {
"Ref": "sgPubAgent"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress54": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgInfluxDb"
},
"IpProtocol": "tcp",
"FromPort": "8086",
"ToPort": "8086",
"SourceSecurityGroupId": {
"Ref": "sgMaster"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress55": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgInfluxDb"
},
"IpProtocol": "tcp",
"FromPort": "8086",
"ToPort": "8086",
"SourceSecurityGroupId": {
"Ref": "sgPvtAgent"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"ingress56": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": {
"Ref": "sgInfluxDb"
},
"IpProtocol": "tcp",
"FromPort": "8086",
"ToPort": "8086",
"SourceSecurityGroupId": {
"Ref": "sgBastion"
},
"SourceSecurityGroupOwnerId": "309159580642"
}
},
"egress10": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "sgBastion"
},
"IpProtocol": "-1",
"CidrIp": "0.0.0.0/0"
}
},
"egress11": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "sgMaster"
},
"IpProtocol": "-1",
"CidrIp": "0.0.0.0/0"
}
},
"egress12": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "sgDefault"
},
"IpProtocol": "-1",
"CidrIp": "0.0.0.0/0"
}
},
"egress13": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "sgPvtAgent"
},
"IpProtocol": "-1",
"CidrIp": "0.0.0.0/0"
}
},
"egress14": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "sgPubAgent"
},
"IpProtocol": "-1",
"CidrIp": "0.0.0.0/0"
}
},
"egress15": {
"Type": "AWS::EC2::SecurityGroupEgress",
"Properties": {
"GroupId": {
"Ref": "sgInfluxDb"
},
"IpProtocol": "-1",
"CidrIp": "0.0.0.0/0"
}
}
}
}
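A defender-side check for the security-group resources above, added here and not part of the gist: it parses the `Resources` map, lists every `AWS::EC2::SecurityGroupIngress` whose source is the whole internet, and then narrows that to rules covering an admin port (22, 8086) or all traffic. The embedded template is a constructed subset mirroring the gist's own `ingress34`, `ingress44`, `ingress45` and `ingress52`; `ADMIN_PORTS` and the helper names are this example's choices.

```python
import json

# Constructed sample: a subset of the gist's ingress resources, same shape as the file.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "ingress34": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "sgBastion"}, "IpProtocol": "tcp",
        "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"}},
    "ingress44": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "sgPvtAgent"}, "IpProtocol": "tcp",
        "FromPort": "22", "ToPort": "22",
        "SourceSecurityGroupId": {"Ref": "sgBastion"}}},
    "ingress45": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "sgPubAgent"}, "IpProtocol": "tcp",
        "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"}},
    "ingress52": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "sgInfluxDb"}, "IpProtocol": "tcp",
        "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"}},
}})

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 8086}  # assumed: reachable only via the bastion or peer groups


def _ref(value):
    """Resolve {"Ref": "x"} to "x"; pass literal group ids through."""
    return value.get("Ref", "?") if isinstance(value, dict) else str(value)


def world_open_rules(template_text):
    """(logical_id, group, protocol, from_port, to_port) for each internet-wide rule."""
    resources = json.loads(template_text).get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::SecurityGroupIngress":
            continue
        p = res.get("Properties", {})
        if p.get("CidrIp") not in WORLD and p.get("CidrIpv6") not in WORLD:
            continue  # source is a security group or a narrower CIDR
        proto = str(p.get("IpProtocol", "-1"))
        lo = -1 if proto == "-1" else int(p.get("FromPort", -1))
        hi = -1 if proto == "-1" else int(p.get("ToPort", -1))
        findings.append((name, _ref(p.get("GroupId")), proto, lo, hi))
    return sorted(findings)


def admin_port_exposures(template_text):
    """Subset of world_open_rules(): all-traffic rules or rules covering an admin port."""
    return [f for f in world_open_rules(template_text)
            if f[2] == "-1" or any(f[3] <= port <= f[4] for port in ADMIN_PORTS)]
```

Run against the full template it flags the SSH rules on `sgBastion` (ingress34) and `sgInfluxDb` (ingress52) as admin-port exposures, while the public-agent 80/443/9090 rules show up only in the broader list.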
#!/usr/bin/env bash
### As is from DC/OS guys.
set -e
set -o pipefail
# The cluster certificate is not trusted by the CLI yet, so TLS verification is
# switched off here (the curl calls below pass -k for the same reason).
dcos config set core.ssl_verify false
echo "Install DC/OS security CLI"
dcos package install dcos-enterprise-cli
echo "Generate public/private keypair"
dcos security org service-accounts keypair private-key.pem public-key.pem
echo "Create new service account called dcos_mlb"
dcos security org service-accounts create -p public-key.pem -d "service account" dcos_mlb
#echo Verify new service account
#dcos security org service-accounts show dcos_mlb
# Store the private key as the secret "mlb" bound to the service account;
# marathon-lb reads it from the secret store instead of from disk.
echo "Create new secret with private key and service account"
dcos security secrets create-sa-secret private-key.pem dcos_mlb mlb
#echo Verify secret created successfully
#dcos security secrets list /
#echo Verify secret has correct service account and private key
#dcos security secrets get /mlb --json | jq -r .value | jq
# Create the two ACL resources marathon-lb needs (%252F is a double-encoded "/").
echo "Assign MLB permissions"
curl -X PUT -k -H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F -d '{"description":"Allows access to any service launched by the native Marathon instance"}' -H 'Content-Type: application/json'
curl -X PUT -k -H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:admin:events -d '{"description":"Allows access to Marathon events"}' -H 'Content-Type: application/json'
# Grant the service account read-only on both resources; that is all marathon-lb needs.
echo "Grant permissions and allowed action to MLB service account"
curl -X PUT -k -H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F/users/dcos_mlb/read
curl -X PUT -k -H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:admin:events/users/dcos_mlb/read
echo "Install MLB"
tee mlb-options.json <<'EOF'
{
"marathon-lb": {
"secret_name": "mlb",
"instances": 2
}
}
EOF
dcos package install --options=mlb-options.json --yes marathon-lb
# Remove the key material from the local disk once it lives in the secret store.
echo "cleanup"
rm public-key.pem private-key.pem mlb-options.json
echo "done!"
#!/bin/bash
# Image provisioning script; must run as root since it edits /etc/sudoers.
set -e
# Comment out "Defaults requiretty" so sudo works over a non-interactive SSH session.
sed -i -e '/Defaults requiretty/{ s/.*/# Defaults requiretty/ }' /etc/sudoers
# Give the wheel group passwordless sudo (the stock CentOS line is tab-separated).
sed -i -e '/%wheel\tALL=(ALL)\tALL/{ s/.*/%wheel\tALL=(ALL)\tNOPASSWD:\tALL/ }' /etc/sudoers
# -p keeps the script idempotent if the directory already exists on the base image.
mkdir -p /etc/modules-load.d/
mkdir -p /home/centos/install
chown -R centos /home/centos