Infrastructure

Accounts

We are using 2 root accounts to keep resources completely isolated (see #3 from this article).

Root account

Where our domain and emails are managed - all billing is under this account.

email: ****@gmail.com

Samhstn specific root account

Where all our logic specific to this project is handled.

email: aws+samhstn@samhstn.com

IAM user

A single IAM user that can switch roles into, and so access specific parts of, the two root accounts above.

account alias: samhstn
IAM user name: admin
Role1:
  Account: samhstnroot
  Role: SamhstnRoot
Role2:
  Account: samhstn
  Role: Admin

When set up, it should look something like this:

Templates

To set this up, we need to deploy the following templates:

# with our samhstn-root aws profile (or initially our root user).
infra/root/iam.yml

# with our samhstn-admin aws profile (or initially our Samhstn specific root user).
infra/root/samhstn-iam.yml

CLI

Our IAM user should be configured as follows:

~/.aws/credentials

[samhstn]
aws_access_key_id = <aws_access_key_id>
aws_secret_access_key = <aws_secret_access_key>

~/.aws/config

[profile samhstn-root]
role_arn = arn:aws:iam::<root_account_id>:role/SamhstnRoot
source_profile = samhstn
region = eu-west-1
output = json

[profile samhstn-admin]
role_arn = arn:aws:iam::<admin_account_id>:role/Admin
source_profile = samhstn
region = eu-west-1
output = json
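The two files above are only correct when each role profile points at an existing source profile and resolves to the intended role in the intended account. The following check is an added example, not code from the samhstn repository: it parses constructed copies of both files (made-up 12-digit account ids, placeholder keys) and compares the `aws sts get-caller-identity --profile <name>` response against what the profile should assume.

```python
import configparser
import json
import re

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]+)$")

# Constructed sample matching the layout above, with made-up 12-digit account ids.
CONFIG_TEXT = """
[profile samhstn-root]
role_arn = arn:aws:iam::111111111111:role/SamhstnRoot
source_profile = samhstn
region = eu-west-1
[profile samhstn-admin]
role_arn = arn:aws:iam::222222222222:role/Admin
source_profile = samhstn
region = eu-west-1
"""
# Constructed: only the source profile holds long-lived keys (placeholder values).
CREDENTIALS_TEXT = """
[samhstn]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLEPLACEHOLDERSECRET
"""

def load_profiles(config_text, credentials_text):
    """Parse both files; return {profile: {account, role}} or raise on a bad layout."""
    cfg, creds = configparser.ConfigParser(), configparser.ConfigParser()
    cfg.read_string(config_text)
    creds.read_string(credentials_text)
    profiles = {}
    for section in cfg.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        match = ROLE_ARN.match(cfg[section].get("role_arn", ""))
        if not match:
            raise ValueError(f"{name}: missing or malformed role_arn")
        source = cfg[section].get("source_profile")
        if source not in creds.sections():
            raise ValueError(f"{name}: source_profile {source!r} has no credentials")
        if "aws_access_key_id" in cfg[section]:
            raise ValueError(f"{name}: a role profile should not carry static keys")
        profiles[name] = {"account": match.group(1), "role": match.group(2)}
    return profiles

def identity_matches(profiles, profile, caller_identity_json):
    """True if the get-caller-identity output for `profile` is the expected assumed role."""
    want = profiles[profile]
    ident = json.loads(caller_identity_json)
    prefix = f"arn:aws:sts::{want['account']}:assumed-role/{want['role']}/"
    return ident["Account"] == want["account"] and ident["Arn"].startswith(prefix)
```

Feed it the real files and the JSON from `aws sts get-caller-identity --profile samhstn-root --output json` to confirm the switch-role chain works before deploying any template.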

Environment variables

We will need a Github personal access token SAMHSTN_PA_TOKEN for aws to access our Github repository.

  • Go to your Github personal access tokens.
  • Click Generate new token.
  • Give the token a description of Full repo access.
  • Tick the repo scope.
  • Tick the admin:repo_hook scope.
  • Click Generate token.

Now set this token locally as an environment variable called SAMHSTN_PA_TOKEN.

We also need to set a SAMHSTN_FROM_EMAIL environment variable for the email address to notify when we receive an email to @samhstn.com.

Deploying

We can now look to deploy our entire stack by running:

./infra/deploy-infra.sh

Docker upload

We can upload our docker base image to ecr with:

ACCOUNT_ID=$(aws sts get-caller-identity --profile samhstn-admin --query Account --output text)
REGISTRY="$ACCOUNT_ID.dkr.ecr.eu-west-1.amazonaws.com"

# log in to ecr (same profile as above; without it the default profile's credentials would be used)
aws ecr get-login-password --profile samhstn-admin | docker login --username AWS --password-stdin "$REGISTRY"

# build the base image
docker build -t samhstn_base -f infra/Dockerfile .

# tag by image name instead of grepping the image list for an id
docker tag samhstn_base "$REGISTRY/samhstn"

docker push "$REGISTRY/samhstn"

SSM sessions

We can start an ssm session with an ec2 instance, and then switch to ec2-user inside that session, with:

aws ssm start-session --target <instance_id>

# once the session shell has opened, run:
sudo su ec2-user