neongreen · July 13, 2018 10:06
diff --git a/amazonmq.yml b/amazonmq.yml
 ---

 # Amazon MQ can only be set up in a VPC (created in vpc.yml). However, all
 # the other services are running on EC2-Classic, and it's impossible for
 # security groups to filter traffic between EC2-VPC and EC2-Classic.
 #
 # One solution is to leave Amazon MQ accessible on the public internet and
 # use credentials for controlling access. We don't want to go this way
 # because it's one more set of credentials to maintain.
 #
 # There is a different solution (used here), which relies on the
 # "ClassicLink" feature. Any EC2-Classic instance can be linked to exactly
 # one VPC and from that point on it can use resources in that VPC. We create
 # a single broker per environment (staging or prod) and allow Brig and the
 # office VPN to access that broker.

 - name: Set up Amazon MQ for the internal event queue
  hosts: localhost
  gather_facts: no
  become: no
  tasks:
    - name: Create default broker configuration
      local_action: >
        shell aws --region={{ khan_region }} mq create-configuration \
                  --engine-type ACTIVEMQ --engine-version 5.15.0 \
                  --name {{ khan_env }}-amazonmq
              | jq '.Id'
      register: conf_id

    - name: Upload our own broker configuration
      local_action: >
        shell aws --region={{ khan_region }} mq update-configuration \
                  --configuration-id {{ conf_id.stdout }} \
                  --data <base64>

    - name: Resolve VPC ID
      ec2_vpc_net_facts:
        filters:
          "tag:Name": vpc
      register: vpcs

    - name: Ensure the VPC has been resolved
      when: vpcs.vpcs|length != 1
      fail:
        msg: 'Expected exactly one VPC with name "vpc", got: {{ vpcs.vpcs }}'

    - name: Resolve subnet IDs
      ec2_vpc_subnet_facts:
        filters:
          vpc-id: '{{ vpcs.vpcs[0].vpc_id }}'
      register: subnets

    - name: Ensure the subnets have been resolved
      when: subnets.subnets|length < 2
      fail:
        msg: 'Expected at least two subnets in VPC "vpc", got: {{ subnets.subnets }}'

    - name: Create a security group for the broker
      ec2_group:
        name: '{{ khan_env }}-amazonmq'
        description: '({{ khan_env }}) brig and VPN should have access to AmazonMQ'
        vpc_id: '{{ vpcs.vpcs[0].vpc_id }}'
        rules:
          - proto: tcp
            from_port: 61614              # STOMP
            to_port: 61614
            group_name: '{{ khan_env }}-brig-vpc'
          - proto: tcp
            from_port: 61614              # STOMP
            to_port: 61614
            group_name: vpn-vpc
          - proto: tcp
            from_port: 8162               # management console
            to_port: 8162
            group_name: vpn-vpc
      register: env_amazonmq

    - name: Create a broker
      local_action: >
        shell aws --region={{ khan_region }} mq create-broker \
                  --broker-name {{ khan_env }}-amazonmq \
                  --configuration Id={{ khan_env }}-amazonmq,Revision=2 \
                  --deployment-mode ACTIVE_STANDBY_MULTI_AZ \
                  --engine-type ACTIVEMQ --engine-version 5.15.0 \
                  --host-instance-type mq.t2.micro \
                  --auto-minor-version-upgrade \
                  --no-publicly-accessible \
                  --security-groups {{ env_amazonmq.group_id }} \
                  --subnet-ids {{ subnets|json_query('subnets[*].subnet_id')|join(',') }} \
                  --users ConsoleAccess=false,Password=dummypassword,Username=brig \
                          ConsoleAccess=true,Password=dummypassword,Username=admin
      # Notes:
      #   * The password doesn't matter but setting an empty password
      #     seems to be impossible
      #   * Given our workload, a 't2.micro' instance should be just fine,
      #     but this might change in the future

 TODO    make brig and VPN be able to talk to AmazonMQ
          make brig classic-linked to the VPC and tag it with security group
          make VPN classic-linked to the VPC and tag it with security group
 TODO    figure out how to re-link VPN when it's restarted or smth
 TODO    figure out whether vpc.yml will be run once or twice (should be "once")
 TODO    actually run the playbooks in concourse or smth
	---

	# Amazon MQ can only be set up in a VPC (created in vpc.yml). However, all
	# the other services are running on EC2-Classic, and it's impossible for
	# security groups to filter traffic between EC2-VPC and EC2-Classic.
	#
	# One solution is to leave Amazon MQ accessible on the public internet and
	# use credentials for controlling access. We don't want to go this way
	# because it's one more set of credentials to maintain.
	#
	# There is a different solution (used here), which relies on the
	# "ClassicLink" feature. Any EC2-Classic instance can be linked to exactly
	# one VPC and from that point on it can use resources in that VPC. We create
	# a single broker per environment (staging or prod) and allow Brig and the
	# office VPN to access that broker.

	- name: Set up Amazon MQ for the internal event queue
	hosts: localhost
	gather_facts: no
	become: no
	tasks:
	- name: Create default broker configuration
	local_action: >
	shell aws --region={{ khan_region }} mq create-configuration \
	--engine-type ACTIVEMQ --engine-version 5.15.0 \
	--name {{ khan_env }}-amazonmq
	\| jq '.Id'
	register: conf_id

	- name: Upload our own broker configuration
	local_action: >
	shell aws --region={{ khan_region }} mq update-configuration \
	--configuration-id {{ conf_id.stdout }} \
	--data <base64>

	- name: Resolve VPC ID
	ec2_vpc_net_facts:
	filters:
	"tag:Name": vpc
	register: vpcs

	- name: Ensure the VPC has been resolved
	when: vpcs.vpcs\|length != 1
	fail:
	msg: 'Expected exactly one VPC with name "vpc", got: {{ vpcs.vpcs }}'

	- name: Resolve subnet IDs
	ec2_vpc_subnet_facts:
	filters:
	vpc-id: '{{ vpcs.vpcs[0].vpc_id }}'
	register: subnets

	- name: Ensure the subnets have been resolved
	when: subnets.subnets\|length < 2
	fail:
	msg: 'Expected at least two subnets in VPC "vpc", got: {{ subnets.subnets }}'

	- name: Create a security group for the broker
	ec2_group:
	name: '{{ khan_env }}-amazonmq'
	description: '({{ khan_env }}) brig and VPN should have access to AmazonMQ'
	vpc_id: '{{ vpcs.vpcs[0].vpc_id }}'
	rules:
	- proto: tcp
	from_port: 61614 # STOMP
	to_port: 61614
	group_name: '{{ khan_env }}-brig-vpc'
	- proto: tcp
	from_port: 61614 # STOMP
	to_port: 61614
	group_name: vpn-vpc
	- proto: tcp
	from_port: 8162 # management console
	to_port: 8162
	group_name: vpn-vpc
	register: env_amazonmq

	- name: Create a broker
	local_action: >
	shell aws --region={{ khan_region }} mq create-broker \
	--broker-name {{ khan_env }}-amazonmq \
	--configuration Id={{ khan_env }}-amazonmq,Revision=2 \
	--deployment-mode ACTIVE_STANDBY_MULTI_AZ \
	--engine-type ACTIVEMQ --engine-version 5.15.0 \
	--host-instance-type mq.t2.micro \
	--auto-minor-version-upgrade \
	--no-publicly-accessible \
	--security-groups {{ env_amazonmq.group_id }} \
	--subnet-ids {{ subnets\|json_query('subnets[*].subnet_id')\|join(',') }} \
	--users ConsoleAccess=false,Password=dummypassword,Username=brig \
	ConsoleAccess=true,Password=dummypassword,Username=admin
	# Notes:
	# * The password doesn't matter but setting an empty password
	# seems to be impossible
	# * Given our workload, a 't2.micro' instance should be just fine,
	# but this might change in the future

	TODO make brig and VPN be able to talk to AmazonMQ
	make brig classic-linked to the VPC and tag it with security group
	make VPN classic-linked to the VPC and tag it with security group
	TODO figure out how to re-link VPN when it's restarted or smth
	TODO figure out whether vpc.yml will be run once or twice (should be "once")
	TODO actually run the playbooks in concourse or smth
No results found