Made gdb_java_opts and graphdb_properties optional.
Added logic to apply them.
Added check if the /CWAgent/Config exists in ssm before applying it.
Made the cluster setup script exit if the cluster creation fails for unknown reason.
Added ssm:DescribeParameters permissions to the iam role
Moved graphdb_properties_path and graphdb_java_options to root level
Fixed typo in monitoring_sns_protocol description
Updated terraform.lock.hcl
fixed description for graphdb_properties_path
Renamed gdb_java_opts to graphdb_java_options
Updated descriptions and variable names
Added additional filtering to ssm describe-parameters command in the user data script.
Reduced the permissions scope of ssm:DescribeParameters policy
viktor-ribchev committed Mar 27, 2024
1 parent 739500a commit 755594e
Showing 12 changed files with 124 additions and 34 deletions.
19 changes: 13 additions & 6 deletions main.tf
@@ -1,5 +1,7 @@
data "aws_region" "current" {}

data "aws_caller_identity" "current" {}

module "vpc" {
source = "./modules/vpc"

Expand Down Expand Up @@ -43,11 +45,13 @@ module "backup" {
module "config" {
source = "./modules/config"

resource_name_prefix = var.resource_name_prefix
graphdb_license_path = var.graphdb_license_path
graphdb_lb_dns_name = module.load_balancer.lb_dns_name
graphdb_admin_password = var.graphdb_admin_password
graphdb_cluster_token = var.graphdb_cluster_token
resource_name_prefix = var.resource_name_prefix
graphdb_license_path = var.graphdb_license_path
graphdb_lb_dns_name = module.load_balancer.lb_dns_name
graphdb_admin_password = var.graphdb_admin_password
graphdb_cluster_token = var.graphdb_cluster_token
graphdb_properties_path = var.graphdb_properties_path
graphdb_java_options = var.graphdb_java_options
}

module "load_balancer" {
Expand Down Expand Up @@ -118,10 +122,13 @@ module "vm" {
graphdb_subnets = module.vpc[0].private_subnet_ids
graphdb_target_group_arns = local.graphdb_target_group_arns
vpc_id = module.vpc[0].vpc_id
aws_region = data.aws_region.current.name
aws_subscription_id = data.aws_caller_identity.current.account_id
}

module "monitoring" {
source = "./modules/monitoring"
source = "./modules/monitoring"

aws_region = var.monitoring_aws_region
resource_name_prefix = var.resource_name_prefix
actions_enabled = var.monitoring_actions_enabled
16 changes: 10 additions & 6 deletions modules/config/main.tf
Expand Up @@ -28,15 +28,19 @@ resource "aws_ssm_parameter" "graphdb_lb_dns_name" {
}

resource "aws_ssm_parameter" "graphdb_properties" {
count = var.graphdb_properties_path != null ? 1 : 0

name = "/${var.resource_name_prefix}/graphdb/graphdb_properties"
description = "Contents of graphdb.properties file."
description = "Additional properties to append to graphdb.properties file."
type = "SecureString"
value = filebase64(var.graphdb_properties)
value = filebase64(var.graphdb_properties_path)
}

resource "aws_ssm_parameter" "gdb_java_opts" {
name = "/${var.resource_name_prefix}/graphdb/gdb_java_opts"
description = "Additional configurations for GraphDB."
resource "aws_ssm_parameter" "graphdb_java_options" {
count = var.graphdb_java_options != null ? 1 : 0

name = "/${var.resource_name_prefix}/graphdb/graphdb_java_options"
description = "GraphDB options to pass to GraphDB with GRAPHDB_JAVA_OPTS environment variable."
type = "String"
value = var.gdb_java_opts
value = var.graphdb_java_options
}
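Review bot: The new `graphdb_java_options` parameter is created with `type = "String"`, while `graphdb_properties` a few lines above is a `SecureString`; JVM options routinely carry system properties such as keystore or truststore passwords, and the user-data script in this commit already reads the parameter with `--with-decryption`, so `type = "SecureString"` costs nothing and keeps the value encrypted at rest like the properties parameter. The description also names `GRAPHDB_JAVA_OPTS`, whereas the user-data template appends the value to `GDB_JAVA_OPTS`; suggest `description = "Additional JVM options appended to the GDB_JAVA_OPTS environment variable of the GraphDB service."` so the two agree.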
10 changes: 4 additions & 6 deletions modules/config/variables.tf
Expand Up @@ -35,14 +35,12 @@ variable "graphdb_lb_dns_name" {
default = ""
}

variable "graphdb_properties" {
description = "Path to the initial config to add for GraphDB."
variable "graphdb_properties_path" {
description = "Path to a local file with with properties which will be appended to graphdb.properties"
type = string
default = "/home/kristian/Ontotext/properties-test"
}

variable "gdb_java_opts" {
variable "graphdb_java_options" {
description = "Additional configurations to add to the GDB_JAVA_OPTS environment variable"
type = string
default = "test101"
}
}
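Review bot: The new description of `graphdb_properties_path` reads "a local file with with properties" (duplicated word); suggest `description = "Path to a local file with properties that will be appended to graphdb.properties."`. With the hard-coded defaults removed, both variables are now required inputs of this module and the root module passes `null` for them; a one-line comment such as `# null disables the corresponding SSM parameter (see the count guards in main.tf)` would tell a reader of this file why `null` is an acceptable value, since the guard itself lives elsewhere.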
2 changes: 1 addition & 1 deletion modules/monitoring/main.tf
Expand Up @@ -8,7 +8,7 @@ resource "aws_cloudwatch_log_group" "graphdb_log_group" {
# SSM Parameter which hosts the config for the cloudwatch agent

resource "aws_ssm_parameter" "graphdb_cloudwatch_agent_config" {
name = "/CWAgent/Config"
name = "/${var.resource_name_prefix}/graphdb/CWAgent/Config"
description = "Cloudwatch Agent Configuration"
type = var.parameter_store_ssm_parameter_type
tier = var.parameter_store_ssm_parameter_tier
19 changes: 18 additions & 1 deletion modules/user_data/templates/03_gdb_conf_overrides.sh.tpl
Expand Up @@ -30,7 +30,7 @@ NODE_DNS=$(cat /tmp/node_dns)
cat << EOF > /etc/graphdb/graphdb.properties
graphdb.auth.token.secret=$GRAPHDB_CLUSTER_TOKEN
graphdb.connector.port=7201
graphdb.external-url=http://$${NODE_DNS}:7201/
graphdb.external-url=http://$${NODE_DNS}:7201
graphdb.rpc.address=$${NODE_DNS}:7301
EOF

Expand Down Expand Up @@ -60,4 +60,21 @@ cat << EOF > /etc/systemd/system/graphdb.service.d/overrides.conf
Environment="GDB_HEAP_SIZE=$${JVM_MAX_MEMORY}g"
EOF

parameters=$(aws ssm describe-parameters --cli-connect-timeout 300 --region ${region} --query "Parameters[?starts_with(Name, '/${name}/graphdb/')].Name" --output text)

# Appends configuration overrides to graphdb.properties
if [[ $parameters == *"/${name}/graphdb/graphdb_properties"* ]]; then
aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/graphdb_properties" --with-decryption | jq -r .Parameter.Value | \
base64 -d >> /etc/graphdb/graphdb.properties
fi

# Appends environment overrides to GDB_JAVA_OPTS
if [[ $parameters == *"/${name}/graphdb/graphdb_java_options"* ]]; then
extra_graphdb_java_options="$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/graphdb_java_options" --with-decryption | jq -r .Parameter.Value)"
(
source /etc/graphdb/graphdb.env
echo "GDB_JAVA_OPTS=\"$GDB_JAVA_OPTS $extra_graphdb_java_options\"" >> /etc/graphdb/graphdb.env
)
fi

echo "Completed applying overrides"
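Review bot: The `echo "GDB_JAVA_OPTS=\"$GDB_JAVA_OPTS $extra_graphdb_java_options\""` line inside the subshell is not robust against the parameter value: a double quote or `$` in `$extra_graphdb_java_options` breaks the quoting of a line that is later sourced, and because the line is appended with `>>` rather than replacing the existing definition, each execution of this template (if it is re-run, e.g. on reboot) adds one more `GDB_JAVA_OPTS=` line to `/etc/graphdb/graphdb.env`. Deleting any previous definition first, `sed -i '/^GDB_JAVA_OPTS=/d' /etc/graphdb/graphdb.env`, and either rejecting or escaping double quotes in the value before writing it would keep the file idempotent and well-formed. The `describe-parameters` call at the top of the hunk filters only client-side through `--query`; adding `--parameter-filters "Key=Path,Values=/${name}/graphdb/"` makes the service do the filtering instead of returning every parameter name in the account. The enclosing script continues outside the hunk.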
29 changes: 19 additions & 10 deletions modules/user_data/templates/06_cloudwatch_setup.sh.tpl
Expand Up @@ -12,17 +12,26 @@ echo "#################################"
echo "# Cloudwatch Provisioning #"
echo "#################################"

# Parse the CW Agent Config from SSM Parameter store and put it in file
CWAGENT_CONFIG=$(aws ssm get-parameter --name "/CWAgent/Config" --query "Parameter.Value" --output text)
echo "$CWAGENT_CONFIG" > /etc/graphdb/cloudwatch-agent-config.json
parameters=$(aws ssm describe-parameters --cli-connect-timeout 300 --region ${region} --query "Parameters[?starts_with(Name, '/${name}/graphdb/')].Name" --output text)

# Appends configuration overrides to graphdb.properties
if [[ $parameters == *"/${name}/graphdb/CWAgent/Config"* ]]; then
# Parse the CW Agent Config from SSM Parameter store and put it in file
CWAGENT_CONFIG=$(aws ssm get-parameter --name "/${name}/graphdb/CWAgent/Config" --query "Parameter.Value" --output text)
echo "$CWAGENT_CONFIG" > /etc/graphdb/cloudwatch-agent-config.json

GRAPHDB_ADMIN_PASSWORD=$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/admin_password" --with-decryption --query "Parameter.Value" --output text | base64 -d)

tmp=$(mktemp)
jq '.logs.metrics_collected.prometheus.log_group_name = "${name}-graphdb"' /etc/graphdb/cloudwatch-agent-config.json > "$tmp" && mv "$tmp" /etc/graphdb/cloudwatch-agent-config.json
jq '.logs.metrics_collected.prometheus.emf_processor.metric_namespace = "${name}-graphdb"' /etc/graphdb/cloudwatch-agent-config.json > "$tmp" && mv "$tmp" /etc/graphdb/cloudwatch-agent-config.json
cat /etc/prometheus/prometheus.yaml | yq '.scrape_configs[].static_configs[].targets = ["localhost:7201"]' > "$tmp" && mv "$tmp" /etc/prometheus/prometheus.yaml
cat /etc/prometheus/prometheus.yaml | yq '.scrape_configs[].basic_auth.username = "admin"' | yq ".scrape_configs[].basic_auth.password = \"$${GRAPHDB_ADMIN_PASSWORD}\"" > "$tmp" && mv "$tmp" /etc/prometheus/prometheus.yaml
tmp=$(mktemp)
jq '.logs.metrics_collected.prometheus.log_group_name = "${name}-graphdb"' /etc/graphdb/cloudwatch-agent-config.json > "$tmp" && mv "$tmp" /etc/graphdb/cloudwatch-agent-config.json
jq '.logs.metrics_collected.prometheus.emf_processor.metric_namespace = "${name}-graphdb"' /etc/graphdb/cloudwatch-agent-config.json > "$tmp" && mv "$tmp" /etc/graphdb/cloudwatch-agent-config.json
cat /etc/prometheus/prometheus.yaml | yq '.scrape_configs[].static_configs[].targets = ["localhost:7201"]' > "$tmp" && mv "$tmp" /etc/prometheus/prometheus.yaml
cat /etc/prometheus/prometheus.yaml | yq '.scrape_configs[].basic_auth.username = "admin"' | yq ".scrape_configs[].basic_auth.password = \"$${GRAPHDB_ADMIN_PASSWORD}\"" > "$tmp" && mv "$tmp" /etc/prometheus/prometheus.yaml

amazon-cloudwatch-agent-ctl -a start
amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/etc/graphdb/cloudwatch-agent-config.json

else
echo "/${name}/graphdb/CWAgent/Config was not found! Check the deployment..."
fi

amazon-cloudwatch-agent-ctl -a start
amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/etc/graphdb/cloudwatch-agent-config.json
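Review bot: The comment above the new `if` block, `# Appends configuration overrides to graphdb.properties`, was copied from the overrides script and does not describe this branch, which fetches the CloudWatch agent config; suggest `# Configure and start the CloudWatch agent only if its config parameter exists in SSM`. The `get-parameter` call inside the branch is the only SSM call in this hunk without `--region ${region}` and `--cli-connect-timeout 300`, so it relies on the instance's default region while the `describe-parameters` call just above does not; add the same flags for consistency. The not-found branch logs and continues rather than failing, which is fine for optional monitoring, but if monitoring is meant to be mandatory it should `exit 1` there, as the cluster script in this commit now does on failure.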
18 changes: 16 additions & 2 deletions modules/user_data/templates/07_cluster_setup.sh.tpl
Expand Up @@ -97,7 +97,8 @@ if [ $NODE_DNS == $NODE1 ]; then
echo "# Beginning cluster setup #"
echo "##################################"

# Attempt to create a GraphDB cluster by configuring cluster nodes.
echo "Attempting to create a GraphDB cluster by configuring cluster nodes."
# Will retry several times in case 000 is returned as a HTTP response code
for ((i = 1; i <= $MAX_RETRIES; i++)); do
# /rest/monitor/cluster will return 200 only if a cluster exists, 503 if no cluster is set up.
IS_CLUSTER=$(
Expand All @@ -107,7 +108,7 @@ if [ $NODE_DNS == $NODE1 ]; then
http://localhost:7201/rest/monitor/cluster
)

# Check if GraphDB is part of a cluster; 000 indicates no HTTP code was received.
# Check if GraphDB is part of a cluster; 000 indicates no HTTP code was received.
if [[ "$IS_CLUSTER" == 000 ]]; then
echo "Retrying ($i/$MAX_RETRIES) after $RETRY_DELAY seconds..."
sleep $RETRY_DELAY
Expand All @@ -128,18 +129,30 @@ if [ $NODE_DNS == $NODE1 ]; then
elif [ "$IS_CLUSTER" == 200 ]; then
echo "Cluster exists"
break
elif [ "$IS_CLUSTER" == 412 ]; then
echo "Cluster precondition/s are not met"
exit 1
else
echo "Something went wrong! Check the log files."
# Do not continue if the cluster creation fails for another reason.
exit 1
fi
done

echo "###########################################################"
echo "# Changing admin user password and enable security #"
echo "###########################################################"

retry_count=0
max_retries=120
LEADER_NODE=""
# Before enabling security a Leader must be elected. Iterates all nodes and looks for a node with status Leader.
while [ -z "$LEADER_NODE" ]; do
if [ "$retry_count" -ge "$max_retries" ]; then
echo "Max retry limit reached. Leader node not found."
echo "Exiting..."
exit 1
fi
NODES=($NODE1 $NODE2 $NODE3)
for node in "$${NODES[@]}"; do
endpoint="http://$node:7201/rest/cluster/group/status"
Expand All @@ -158,6 +171,7 @@ if [ $NODE_DNS == $NODE1 ]; then

echo "No leader found on any node. Retrying..."
sleep 5
((retry_count++))
done

IS_SECURITY_ENABLED=$(curl -s -X GET \
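Review bot: When every one of the `$MAX_RETRIES` attempts ends with `IS_CLUSTER` equal to 000, the `for` loop exits normally and execution falls through to the "Changing admin user password" stage with no cluster check; the new `exit 1` paths cover 412 and unknown codes but not exhausted retries, unless a branch hidden between the retry case and the `200` case exits. Add a guard after `done`, e.g. `if [[ "$IS_CLUSTER" == 000 ]]; then echo "GraphDB did not answer after $MAX_RETRIES attempts"; exit 1; fi`. Minor style point: the leader-election loop introduces lowercase `retry_count`/`max_retries` next to the existing uppercase `MAX_RETRIES`/`RETRY_DELAY`; one convention would read better. The enclosing `if [ $NODE_DNS == $NODE1 ]` block starts and ends outside the hunk.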
Empty file.
18 changes: 18 additions & 0 deletions modules/vm/iam.tf
Expand Up @@ -15,6 +15,24 @@ resource "aws_iam_role_policy_attachment" "systems-manager-policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_role_policy" "instance_ssm" {
name = "${var.resource_name_prefix}-graphdb-ssm-describe"
role = var.iam_role_id
policy = data.aws_iam_policy_document.instance_ssm.json
}

data "aws_iam_policy_document" "instance_ssm" {
statement {
effect = "Allow"

actions = [
"ssm:DescribeParameters"
]

resources = ["arn:aws:ssm:${var.aws_region}:${var.aws_subscription_id}:*"]
}
}

data "aws_iam_policy_document" "instance_volume" {
statement {
effect = "Allow"
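Review bot: `ssm:DescribeParameters` is, as far as I know, an action without resource-level permission support (the service authorization reference lists no resource type for it), so the region- and account-scoped `arn:aws:ssm:${var.aws_region}:${var.aws_subscription_id}:*` in the new statement would not match a request evaluated against `*` and the call would be denied; confirm this in a real deployment, because if it is denied the user-data scripts silently skip every override and the CloudWatch setup. Even with `resources = ["*"]`, the permission lets each instance enumerate the names and metadata of all parameters in the account, which is far more than the scripts need. A tighter alternative is to drop this policy and have the scripts call `aws ssm get-parameter` directly, treating a `ParameterNotFound` error as "not configured"; that needs only the `ssm:GetParameter` access the instances presumably already have, since they read `/${name}/graphdb/admin_password` today. `data.aws_iam_policy_document.instance_volume` continues outside the hunk.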
2 changes: 1 addition & 1 deletion modules/vm/main.tf
Expand Up @@ -7,7 +7,7 @@ data "aws_ec2_instance_type" "graphdb" {
data "aws_ami" "graphdb" {
count = var.ami_id != null ? 0 : 1

owners = ["408414015572"] # Ontotext
owners = ["770034820396"] # Ontotext
most_recent = true

filter {
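Review bot: The AMI owner account is changed from `408414015572` to `770034820396` without any mention in the commit message, and because `most_recent = true` selects the newest image matching the filters from whichever account is listed here, this single line decides which code every node boots; nothing in the file lets a reader verify that the new ID is Ontotext's publishing account. Please record the provenance inline, e.g. `owners = ["770034820396"] # Ontotext AMI publisher account — cite where this ID is published`, and call the change out in the commit message. The `filter` block that completes this data source continues outside the hunk.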
10 changes: 10 additions & 0 deletions modules/vm/variables.tf
Expand Up @@ -60,6 +60,16 @@ variable "instance_type" {
type = string
}

variable "aws_region" {
description = "AWS region where GraphDB is being deployed"
type = string
}

variable "aws_subscription_id" {
description = "AWS subscription ID of the account GraphDB is being deployed in"
type = string
}

# OPTIONAL parameters

variable "ami_id" {
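Review bot: `aws_subscription_id` is Azure vocabulary; the value passed in from main.tf is `data.aws_caller_identity.current.account_id`, which AWS calls the account ID, so `variable "aws_account_id"` with `description = "AWS account ID the GraphDB instances are deployed in"` would read correctly to anyone used to AWS. Since the variable is introduced in this commit, renaming it now is cheap; the same rename applies to the `aws_subscription_id` argument in main.tf and to the policy document in iam.tf. Both new variables are placed above the `# OPTIONAL parameters` marker, which correctly signals they are required — a short comment saying they are used to scope the instance IAM policy would explain why the vm module needs them at all.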
15 changes: 14 additions & 1 deletion variables.tf
Expand Up @@ -290,7 +290,7 @@ variable "monitoring_sns_topic_endpoint" {
}

variable "monitoring_sns_protocol" {
description = "Define an SNS protocol that you will use to receive alers. Possible options are: Email, Email-JSON, HTTP, HTTPS."
description = "Define an SNS protocol that you will use to receive alerts. Possible options are: Email, Email-JSON, HTTP, HTTPS."
type = string
default = "email"
}
Expand All @@ -311,3 +311,16 @@ variable "monitoring_aws_region" {
type = string
}

# GraphDB overrides

variable "graphdb_properties_path" {
description = "Path to a local file containing GraphDB properties (graphdb.properties) that would be appended to the default in the VM."
type = string
default = null
}

variable "graphdb_java_options" {
description = "GraphDB options to pass to GraphDB with GRAPHDB_JAVA_OPTS environment variable."
type = string
default = null
}

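Review bot: The description of `graphdb_java_options` says the value is passed via `GRAPHDB_JAVA_OPTS`, but the user-data template in this same commit appends it to `GDB_JAVA_OPTS` in `/etc/graphdb/graphdb.env`, and the config module's own variable also says `GDB_JAVA_OPTS`; suggest `description = "Additional JVM options appended to the GDB_JAVA_OPTS environment variable of the GraphDB service on each node."`. The `graphdb_properties_path` description should also state that the file is read at plan time with `filebase64` and stored as a SecureString SSM parameter, so users know the contents leave their workstation and where they end up.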