Last active
June 28, 2022 23:33
-
-
Save phillippbertram/ee312b09c3982d76b9799653ed6d6201 to your computer and use it in GitHub Desktop.
Example of a production ready, high available containerized wordpress aws infrastructure using AWS-Fargate, AWS-Aurora, EFS via aws-cdk
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
* Copyright (c) 2020 Phillipp Bertram | |
* | |
* Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: | |
* | |
* The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. | |
* | |
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | |
*/ | |
import * as cdk from '@aws-cdk/core'; | |
import * as ec2 from '@aws-cdk/aws-ec2'; | |
import * as rds from '@aws-cdk/aws-rds'; | |
import * as ecs from '@aws-cdk/aws-ecs'; | |
import * as efs from '@aws-cdk/aws-efs'; | |
import * as logs from '@aws-cdk/aws-logs'; | |
import * as secretsManager from '@aws-cdk/aws-secretsmanager'; | |
import * as ecsPatterns from '@aws-cdk/aws-ecs-patterns'; | |
export interface AwsFargateWordpressStackProps extends cdk.StackProps { | |
readonly wordpressRegistryName: string; | |
readonly dbConfig: { | |
readonly dbUser: string; | |
readonly dbName: string; | |
readonly dbPort: number; | |
} | |
/// add your ip address(es) here to allow ssh access to the bastion host with mounted efs | |
readonly bastionConfig: { | |
readonly ipv4?: string | |
readonly ipv6?: string | |
} | |
} | |
export class AwsFargateWordpressStack extends cdk.Stack { | |
constructor(scope: cdk.Construct, id: string, props: AwsFargateWordpressStackProps) { | |
super(scope, id, props); | |
// ==================================== | |
// CONFIGURATION | |
// ==================================== | |
const dbSecret = new secretsManager.Secret(this, 'DbSecret', { | |
generateSecretString: { | |
secretStringTemplate: JSON.stringify({ username: props.dbConfig.dbUser }), | |
generateStringKey: 'password', | |
passwordLength: 8, | |
} | |
}) | |
// ==================================== | |
// VPC | |
// ==================================== | |
// Creates a vpc with 3 subnets (public, private isolated). | |
// The included NAT gateway will cause higher costs. | |
// A more cheaper but unsecure setup would be to have only one public subnet | |
// and put all services here in that subnet. | |
const vpc = new ec2.Vpc(this, 'Vpc'); | |
new cdk.CfnOutput(this, 'VpcId', { value: vpc.vpcId, description: 'VPC' }); | |
// ==================================== | |
// DATABASE | |
// ==================================== | |
// security Group used for database and fargate | |
const wordpressSg = new ec2.SecurityGroup(this, 'WordpressSG', { | |
vpc: vpc, | |
description: 'Wordpress SG', | |
}); | |
// database cluster for wordpress database | |
const dbCluster = new rds.DatabaseCluster(this, 'DBluster', { | |
engine: rds.DatabaseClusterEngine.auroraMysql({ version: rds.AuroraMysqlEngineVersion.VER_2_08_1 }), | |
deletionProtection: false, // not recommended for production | |
removalPolicy: cdk.RemovalPolicy.DESTROY, // not recommended for production | |
defaultDatabaseName: props.dbConfig.dbName, | |
port: props.dbConfig.dbPort, | |
// By default, the master password will be generated and stored in AWS Secrets Manager with auto-generated description. | |
// Optional - will default to 'admin' username and generated password | |
credentials: rds.Credentials.fromSecret(dbSecret), | |
instanceProps: { | |
instanceType: ec2.InstanceType.of(ec2.InstanceClass.BURSTABLE2, ec2.InstanceSize.SMALL), | |
vpc, | |
vpcSubnets: { | |
subnetType: ec2.SubnetType.PRIVATE, | |
}, | |
securityGroups: [wordpressSg], | |
} | |
}); | |
new cdk.CfnOutput(this, 'DbClusterAddress', { value: dbCluster.clusterEndpoint.socketAddress }); | |
// ==================================== | |
// FILE SYSTEM (EFS) | |
// ==================================== | |
const fileSystem = new efs.FileSystem(this, 'WordpressEFS', { | |
vpc, | |
lifecyclePolicy: efs.LifecyclePolicy.AFTER_14_DAYS, // transition files to the Infrequent Access (IA) storage class | |
performanceMode: efs.PerformanceMode.GENERAL_PURPOSE, | |
throughputMode: efs.ThroughputMode.BURSTING, | |
removalPolicy: cdk.RemovalPolicy.DESTROY, // TODO: not recommended for Production | |
}); | |
new cdk.CfnOutput(this, 'FileSystemId', { value: fileSystem.fileSystemId }); | |
// ==================================== | |
// FARGATE | |
// ==================================== | |
const wordpressContainerPort = 80; | |
const efsSecurityGroupPort = 2049; | |
// ECS Cluster which will be used to host the Fargate services | |
const ecsCluster = new ecs.Cluster(this, 'ECSCluster', { | |
vpc: vpc, | |
}); | |
const wordpressVolume: ecs.Volume = { | |
name: 'ecs-fargate-wordpress', | |
efsVolumeConfiguration: { | |
fileSystemId: fileSystem.fileSystemId, | |
} | |
} | |
const fargateTaskDefinition = new ecs.FargateTaskDefinition(this, 'TaskDef', { | |
family: id, | |
volumes: [wordpressVolume] | |
}); | |
const containerLogGroup = new logs.LogGroup(this, "LogGroup", { | |
logGroupName: `/wordpress/${id}`, | |
retention: logs.RetentionDays.ONE_DAY, | |
}); | |
const container = fargateTaskDefinition.addContainer('container', { | |
image: ecs.ContainerImage.fromRegistry(props.wordpressRegistryName), | |
environment: { | |
WORDPRESS_DB_HOST: dbCluster.clusterEndpoint.socketAddress, | |
WORDPRESS_DB_USER: props.dbConfig.dbUser, | |
WORDPRESS_DB_NAME: props.dbConfig.dbName, | |
}, | |
logging: new ecs.AwsLogDriver({ | |
streamPrefix: "app", | |
logGroup: containerLogGroup, | |
}), | |
// Retrieved from AWS Secrets Manager or AWS Systems Manager Parameter Store at container start-up. | |
secrets: { | |
WORDPRESS_DB_PASSWORD: ecs.Secret.fromSecretsManager(dbSecret, 'password'), | |
} | |
}); | |
if (container.logDriverConfig) { | |
new cdk.CfnOutput(this, 'LogGroupName', { value: containerLogGroup.logGroupName }); | |
} | |
container.addPortMappings({ | |
containerPort: wordpressContainerPort | |
}); | |
container.addMountPoints({ | |
containerPath: '/var/www/html', | |
sourceVolume: wordpressVolume.name, | |
readOnly: false, | |
}); | |
const fargateService = new ecsPatterns.ApplicationLoadBalancedFargateService(this, 'WordpressFargateService', { | |
cluster: ecsCluster, | |
desiredCount: 2, | |
cpu: 512, // Default is 256 | |
memoryLimitMiB: 2048, // Default is 512 | |
// need platform version 1.4.0 to mount EFS volumes | |
platformVersion: ecs.FargatePlatformVersion.VERSION1_4, | |
// because we are running tasks using the Fargate launch type in a public subnet, we must choose ENABLED | |
// for Auto-assign public IP when we launch the tasks. | |
// This allows the tasks to have outbound network access to pull an image. | |
// @see https://aws.amazon.com/premiumsupport/knowledge-center/ecs-pull-container-api-error-ecr/ | |
assignPublicIp: true, | |
// specify taskDefinition | |
taskDefinition: fargateTaskDefinition, | |
}); | |
new cdk.CfnOutput(this, 'FargateServiceArn', { value: fargateService.service.serviceArn }); | |
// allow connection between Fargate service and wordpress database | |
fargateService.service.connections.addSecurityGroup(wordpressSg); | |
fargateService.service.connections.allowTo(wordpressSg, ec2.Port.tcp(props.dbConfig.dbPort)); | |
// allow fargate to access efs | |
fargateService.service.connections.allowFrom(fileSystem, ec2.Port.tcp(efsSecurityGroupPort)); | |
fargateService.service.connections.allowTo(fileSystem, ec2.Port.tcp(efsSecurityGroupPort)); | |
// ==================================== | |
// Bastion Host | |
// ==================================== | |
// As there are no SSH public keys deployed on this machine, | |
// you need to use EC2 Instance Connect with the command | |
// | |
// $ aws ec2-instance-connect send-ssh-public-key | |
// | |
// to provide your SSH public key. | |
const host = new ec2.BastionHostLinux(this, 'BastionHost', { | |
vpc, | |
subnetSelection: { subnetType: ec2.SubnetType.PUBLIC }, | |
}); | |
if (props.bastionConfig.ipv4) { | |
host.allowSshAccessFrom(ec2.Peer.ipv4(`${props.bastionConfig.ipv4}/32`)); | |
} | |
if (props.bastionConfig.ipv6) { | |
host.allowSshAccessFrom(ec2.Peer.ipv6(`${props.bastionConfig.ipv6}/128`)); | |
} | |
new cdk.CfnOutput(this, 'BastionHostId', { value: host.instanceId }); | |
new cdk.CfnOutput(this, 'BastionHostPublicIp', { value: host.instancePublicIp }); | |
new cdk.CfnOutput(this, 'BastionHostDnsName', { value: host.instancePublicDnsName }); | |
new cdk.CfnOutput(this, 'BastionHostAZ', { value: host.instanceAvailabilityZone }); | |
fileSystem.connections.allowDefaultPortFrom(host.instance); | |
host.instance.userData.addCommands( | |
"yum check-update -y", | |
"yum upgrade -y", | |
"yum install -y amazon-efs-utils", | |
"yum install -y nfs-utils", | |
"file_system_id_1=" + fileSystem.fileSystemId, | |
"efs_mount_point_1=/mnt/efs/fs1", | |
"mkdir -p \"${efs_mount_point_1}\"", | |
"test -f \"/sbin/mount.efs\" && echo \"${file_system_id_1}:/ ${efs_mount_point_1} efs defaults,_netdev\" >> /etc/fstab || " + | |
"echo \"${file_system_id_1}.efs." + cdk.Stack.of(this).region + ".amazonaws.com:/ ${efs_mount_point_1} nfs4 nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport,_netdev 0 0\" >> /etc/fstab", | |
"mount -a -t efs,nfs4 defaults"); | |
/* | |
* HOW TO CONNECT TO BASTION HOST | |
* https://aws.amazon.com/de/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/ | |
* | |
* 1. Generate the new private and public keys mynew_key and mynew_key.pub, respectively: | |
* | |
* $ ssh-keygen -t rsa -f mynew_key | |
* | |
* 2. Use the following AWS CLI command to authorize the user and push the public key to the | |
* instance using the send-ssh-public-key command. To support this, you | |
* need the latest version of the AWS CLI. | |
* | |
* $ aws ec2-instance-connect send-ssh-public-key --region eu-central-1 --instance-id i-0f288da72a8335cfe --availability-zone eu-central-1a --instance-os-user ec2-user --ssh-public-key file://mynew_key.pub | |
* | |
* 3. After authentication, the public key is made available to the instance through the | |
* instance metadata for 60 seconds. During this time, connect to the instance using the associated private key: | |
* | |
* $ ssh -i mynew_key ec2-user@ec2-3-123-32-51.eu-central-1.compute.amazonaws.com | |
* | |
* 4. navigate to efs | |
* | |
* $ cd /mnt/efs/fs1 | |
* | |
* 5. Update Upload Limit | |
* | |
* $ sudo vi .htaccess | |
* | |
* add following line to the bottom of the file to increase the upload limit | |
* | |
* php_value upload_max_filesize 300M | |
*/ | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment