[QOLDEV-545] refactor stack template
- Restore roles to their original state, split off parameter store values instead
ThrawnCA committed Apr 3, 2024
1 parent c2f06e3 commit 4dea021
Showing 8 changed files with 197 additions and 340 deletions.
23 changes: 0 additions & 23 deletions CKAN-extensions.yml

This file was deleted.

2 changes: 1 addition & 1 deletion build-CKAN.sh
Expand Up @@ -53,8 +53,8 @@ run-all-playbooks () {
run-playbook "database-config"
fi
run-playbook "CloudFormation" "vars/s3_buckets.var.yml"
run-playbook "instance-roles"
run-playbook "CKAN-Stack"
run-playbook "CloudFormation" "vars/CKAN-extensions.var.yml"
run-playbook "CloudFormation" "vars/instances-${INSTANCE_NAME}.var.yml"
run-playbook "CloudFormation" "vars/cloudfront-lambda-at-edge.var.yml"
run-playbook "cloudfront"
37 changes: 0 additions & 37 deletions instance-roles.yml

This file was deleted.

60 changes: 42 additions & 18 deletions templates/Datashades-OpsWorks-CKAN-Extensions.cfn.yml.j2
Expand Up @@ -28,25 +28,49 @@ Parameters:
ConstraintDescription: Must contain only lowercase/numeric/hyphen/underscore.
AllowedPattern: '[-_a-z0-9]*'


Resources:

{% for key in EnvExtensions %}
PluginListParameter:
Type: AWS::SSM::Parameter
Properties:
Name: !Sub "/config/CKAN/${Environment}/app/${ApplicationId}/plugin_app_names"
Type: String
Value: "{{ extensions[Environment] | join(',') }}"

{% for plugin in extensions[Environment] %}
{{ plugin }}AppNameParameter:
Type: AWS::SSM::Parameter
Properties:
Name: !Sub "/config/CKAN/${Environment}/app/${ApplicationId}/plugin_apps/{{ plugin }}/name"
Type: String
Value: "{{ extensions[Environment][plugin].name }}"

{{ plugin }}AppShortNameParameter:
Type: AWS::SSM::Parameter
Properties:
Name: !Sub "/config/CKAN/${Environment}/app/${ApplicationId}/plugin_apps/{{ plugin }}/shortname"
Type: String
Value: "{{ extensions[Environment][plugin].shortname }}"

{{ key }}:
Type: AWS::OpsWorks::App
{{ plugin }}AppSourceTypeParameter:
Type: AWS::SSM::Parameter
Properties:
AppSource:
Type: "{{ EnvExtensions[key].type }}"
Url: "{{ EnvExtensions[key].url }}"
{% if EnvExtensions[key].version is defined %}Revision: "{{ EnvExtensions[key].version }}"{% endif %}
#new line required for jinja to not merge groups
Description: {{ EnvExtensions[key].description }}
EnableSsl: !!bool false
Name: "{{ EnvExtensions[key].name }}"
Shortname: "{{ EnvExtensions[key].shortname }}"
StackId:
Fn::ImportValue: !Ref OpsWorksStack
Type: "other"

{% endfor %}
Name: !Sub "/config/CKAN/${Environment}/app/${ApplicationId}/plugin_apps/{{ plugin }}/app_source/type"
Type: String
Value: git

{{ plugin }}AppSourceURLParameter:
Type: AWS::SSM::Parameter
Properties:
Name: !Sub "/config/CKAN/${Environment}/app/${ApplicationId}/plugin_apps/{{ plugin }}/app_source/url"
Type: String
Value: "{{ extensions[Environment][plugin].url }}"

{{ plugin }}AppSourceRevisionParameter:
Type: AWS::SSM::Parameter
Properties:
Name: !Sub "/config/CKAN/${Environment}/app/${ApplicationId}/plugin_apps/{{ plugin }}/app_source/revision"
Type: String
Value: "{{ extensions[Environment][plugin].version }}"
{% endfor %}
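Review bot: The `is defined` guard that the removed OpsWorks App block applied to the version (`{% if EnvExtensions[key].version is defined %}Revision: …{% endif %}`) is not carried over: `{{ plugin }}AppSourceRevisionParameter` renders `Value: "{{ extensions[Environment][plugin].version }}"` unconditionally, so an extension without a pinned `version` produces an empty parameter value, which SSM rejects at stack creation (or, under a strict Jinja undefined, a render error). Wrap that resource in `{% if extensions[Environment][plugin].version is defined %} … {% endif %}` and state in a comment what the consumer falls back to when the revision parameter is absent, so an unpinned source is an explicit, reviewable choice rather than a silent default. `Value: git` is now hard-coded where the old block read `EnvExtensions[key].type`; if any extension can use another source type, `Value: "{{ extensions[Environment][plugin].type | default('git') }}"` preserves that. The logical IDs built as `{{ plugin }}AppNameParameter` are only valid CloudFormation identifiers when plugin keys are purely alphanumeric, which the template does not check — worth a comment recording that constraint if it is an assumption about the vars file.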

201 changes: 153 additions & 48 deletions templates/Datashades-OpsWorks-CKAN-Stack.cfn.yml.j2
Expand Up @@ -136,6 +136,9 @@ Parameters:
ACMCertificateARN:
Description: ARN for certificate to be used by the application load balancer.
Type: String
SSMKey:
Type: String
Description: KMS key for alias/aws/ssm
GTMContainerId:
Description: Google Tag Manager container ID
Type: String
Expand Down Expand Up @@ -186,21 +189,167 @@ Resources:
Effect: Allow
Resource: "*"

SmtpRelayPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: Provides access to retrieve SSM parameters related to the AWS SMTP relay, including KMS decryption, and send emails.
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: ses:SendRawEmail
Resource: "*"
- Effect: Allow
Action: ssm:DescribeParameters
Resource: "*"
- Effect: Allow
Action:
- ssm:GetParameters
- ssm:GetParameter
- ssm:GetParametersByPath
Resource:
- !Sub "arn:aws:ssm:*:*:parameter/config/CKAN/${Environment}/smtpRelay"
- !Sub "arn:aws:ssm:*:*:parameter/config/CKAN/${Environment}/smtpRelay/*"
- Effect: Allow
Action: kms:Decrypt
Resource: !Ref SSMKey

AttachmentsPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: Provides access to s3 attachments bucket.
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- s3:AbortMultipartUpload
- s3:ListMultipartUploadParts
- s3:ListBucket
- s3:*Upload*
- s3:GetObject
- s3:GetObjectAcl
- s3:GetObjectVersion
- s3:PutObject
- s3:PutObjectAcl
- s3:PutObjectTagging
- s3:DeleteObject
- s3:DeleteObjectTagging
- s3:GetBucketAcl
- s3:GetBucketCORS
- s3:GetBucketPolicy
Resource:
- !Sub "arn:aws:s3:::${AttachmentsBucketName}"
- !Sub "arn:aws:s3:::${AttachmentsBucketName}/*"
- Effect: Allow
Action:
- s3:ListAllMyBuckets
Resource:
- !Sub "arn:aws:s3:::"

EBSTaggingPolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: Allows EC2 instances to tag their EBS root volumes (eg for automatic backups)
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action: ec2:CreateTags
Resource: "*"

InstanceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: ec2.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: !Sub "${ApplicationName}-${Environment}-CustomPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
# allow the service layer to update internal DNS
- Effect: Allow
Action:
- route53:ChangeResourceRecordSets
Resource:
Fn::Join:
- ""
- - "arn:aws:route53:::hostedzone/"
- Fn::ImportValue: !Ref InternalStackZone
# allow the servers to retrieve a subset of SSM Parameter Store values
- Effect: Allow
Action:
- ssm:GetParameter
- ssm:GetParameters
- ssm:GetParametersByPath
Resource:
- !Sub "arn:aws:ssm:*:*:parameter/config/CKAN/${Environment}/app/${ApplicationId}/cookbook/*"
- !Sub "arn:aws:ssm:*:*:parameter/config/CKAN/${Environment}/common/*"
ManagedPolicyArns:
- !Ref EBSTaggingPolicy
- !Ref SmtpRelayPolicy
- !Ref AttachmentsPolicy
- arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
- arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
- arn:aws:iam::aws:policy/AWSOpsWorksCloudWatchLogs
- arn:aws:iam::aws:policy/CloudFrontReadOnlyAccess # for domain name lookups
- arn:aws:iam::aws:policy/AmazonRoute53ReadOnlyAccess # for domain name lookups

InstanceRoleProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- Fn::ImportValue:
!Sub "${Environment}${ApplicationName}InstanceRole"
- !Ref InstanceRole

WebInstanceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: ec2.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: !Sub "${ApplicationName}-${Environment}-Web-CustomPolicy"
PolicyDocument:
Version: "2012-10-17"
Statement:
# allow the web layer to retrieve a subset of SSM Parameter Store values
- Effect: Allow
Action:
- ssm:GetParameter
- ssm:GetParameters
- ssm:GetParametersByPath
Resource:
- !Sub "arn:aws:ssm:*:*:parameter/config/CKAN/${Environment}/app/${ApplicationId}/"
- !Sub "arn:aws:ssm:*:*:parameter/config/CKAN/${Environment}/app/${ApplicationId}/*"
- !Sub "arn:aws:ssm:*:*:parameter/config/CKAN/${Environment}/db/${ApplicationId}_*"
- !Sub "arn:aws:ssm:*:*:parameter/config/CKAN/${Environment}/common/*"
ManagedPolicyArns:
- !Ref EBSTaggingPolicy
- !Ref SmtpRelayPolicy
- !Ref AttachmentsPolicy
- arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
- arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
- arn:aws:iam::aws:policy/AWSOpsWorksCloudWatchLogs
- arn:aws:iam::aws:policy/CloudFrontReadOnlyAccess # for domain name lookups
- arn:aws:iam::aws:policy/AmazonRoute53ReadOnlyAccess # for domain name lookups

WebInstanceRoleProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles:
- Fn::ImportValue:
!Sub "${Environment}${ApplicationName}WebInstanceRole"
- !Ref WebInstanceRole

# Populate SSM Parameter Store with all the information needed to deploy.
# This should allow a blank instance to set itself up based only on the tags applied to it.
Expand Down Expand Up @@ -332,50 +481,6 @@ Resources:
Type: String
Value: !Ref SolrSource

PluginListParameter:
Type: AWS::SSM::Parameter
Properties:
Name: !Sub "/config/CKAN/${Environment}/app/${ApplicationId}/plugin_app_names"
Type: String
Value: "{{ extensions[Environment] | join(',') }}"

{% for plugin in extensions[Environment] %}
{{ plugin }}AppNameParameter:
Type: AWS::SSM::Parameter
Properties:
Name: !Sub "/config/CKAN/${Environment}/app/${ApplicationId}/plugin_apps/{{ plugin }}/name"
Type: String
Value: "{{ extensions[Environment][plugin].name }}"

{{ plugin }}AppShortNameParameter:
Type: AWS::SSM::Parameter
Properties:
Name: !Sub "/config/CKAN/${Environment}/app/${ApplicationId}/plugin_apps/{{ plugin }}/shortname"
Type: String
Value: "{{ extensions[Environment][plugin].shortname }}"

{{ plugin }}AppSourceTypeParameter:
Type: AWS::SSM::Parameter
Properties:
Name: !Sub "/config/CKAN/${Environment}/app/${ApplicationId}/plugin_apps/{{ plugin }}/app_source/type"
Type: String
Value: git

{{ plugin }}AppSourceURLParameter:
Type: AWS::SSM::Parameter
Properties:
Name: !Sub "/config/CKAN/${Environment}/app/${ApplicationId}/plugin_apps/{{ plugin }}/app_source/url"
Type: String
Value: "{{ extensions[Environment][plugin].url }}"

{{ plugin }}AppSourceRevisionParameter:
Type: AWS::SSM::Parameter
Properties:
Name: !Sub "/config/CKAN/${Environment}/app/${ApplicationId}/plugin_apps/{{ plugin }}/app_source/revision"
Type: String
Value: "{{ extensions[Environment][plugin].version }}"
{% endfor %}

OpsWorksStack:
Type: AWS::OpsWorks::Stack
Properties:
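Review bot: `Resource: !Ref SSMKey` in SmtpRelayPolicy's `kms:Decrypt` statement (second hunk) has to be a key ARN, but the new `SSMKey` parameter (first hunk) is a bare `Type: String` whose description says "KMS key for alias/aws/ssm" and carries no constraint; a caller passing the alias name makes CloudFormation reject the policy document (a Resource must be an ARN or "*"), and an alias ARN deploys but never matches the key, so SecureString decryption fails only at runtime. Add `AllowedPattern: '^arn:aws:kms:[a-z0-9-]+:[0-9]{12}:key/.+$'` and `ConstraintDescription: Must be the KMS key ARN (not an alias) used for SSM SecureString parameters.` to the parameter so the value is validated at stack creation. In the same policy, `ses:SendRawEmail` on `Resource: "*"` permits sending from any verified identity in the account; if the relay uses a known sending domain, scoping to `!Sub "arn:aws:ses:${AWS::Region}:${AWS::AccountId}:identity/SENDING_DOMAIN"` (placeholder) keeps the policy least-privilege. The Resources section these policies belong to continues outside the hunk.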
