Merge pull request #373 from paul-unifra/paul/aws-deploy

doc: update aws-deployment guide
scroll-tech · Oct 17, 2024 · 4b7437e · 4b7437e
2 parents 0562457 + 5c4692a
commit 4b7437e
Showing 1 changed file with 108 additions and 9 deletions.
diff --git a/src/content/docs/en/sdk/guides/aws-deployment.mdx b/src/content/docs/en/sdk/guides/aws-deployment.mdx
@@ -148,11 +148,27 @@ To ensure that your Kubernetes pods can automatically provision EBS volumes:
 # Verify available storage classes:
 kubectl get sc
 
-# Set the gp2 storage class as the default:
-kubectl patch storageclass gp2 -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
+# Create a new gp3 storage class:
+cat <<EOF | kubectl apply -f -
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: gp3
+provisioner: ebs.csi.aws.com
+parameters:
+  type: gp3
+  encrypted: "true"
+volumeBindingMode: WaitForFirstConsumer
+EOF
+
+# Set the gp3 storage class as the default:
+kubectl patch storageclass gp3 -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
+
+# Remove the default annotation from gp2 (if it exists):
+kubectl patch storageclass gp2 -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
 ```
 
-These steps will configure your EKS cluster to use EBS volumes for persistent storage, which is crucial for many components of the Scroll SDK deployment.
+These steps will configure your EKS cluster to use gp3 EBS volumes for persistent storage, which is crucial for many components of the Scroll SDK deployment
 
 ### Installing Kubernetes Add-Ons
 
@@ -192,10 +208,17 @@ VPC_ID=$(aws eks describe-cluster --name scroll-sdk-cluster --region us-west-2 -
 SECURITY_GROUP_ID=$(aws ec2 create-security-group --group-name scroll-sdk-db-sg --description "Security group for Scroll SDK RDS" --vpc-id $VPC_ID --output text --region us-west-2)
 
 # Get the EKS cluster security group ID
-EKS_SG_ID=$(aws ec2 describe-security-groups --filters "Name=vpc-id,Values=$VPC_ID" "Name=group-name,Values=eksctl-scroll-sdk-cluster-cluster-ControlPlaneSecurityGroup*" --query "SecurityGroups[0].GroupId" --output text --region us-west-2)
+CLUSTER_SG_ID=$(aws ec2 describe-security-groups \
+--filters "Name=vpc-id,Values=$VPC_ID" "Name=group-name,Values=eks-cluster-sg-scroll-sdk-cluster-*" \
+--query "SecurityGroups[0].GroupId" --output text --region us-west-2)
 
 # Allow inbound traffic on port 5432 (PostgreSQL) from the EKS cluster security group
-aws ec2 authorize-security-group-ingress --group-id $SECURITY_GROUP_ID --protocol tcp --port 5432 --source-group $EKS_SG_ID --region us-west-2
+aws ec2 authorize-security-group-ingress \
+--group-id $SECURITY_GROUP_ID \
+--protocol tcp \
+--port 5432 \
+--source-group $CLUSTER_SG_ID \
+--region us-west-2
 
 # Get the public subnet IDs in the VPC
 SUBNET_IDS=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" "Name=map-public-ip-on-launch,Values=true" --query "Subnets[].SubnetId" --output json --region us-west-2)
@@ -228,7 +251,8 @@ aws rds wait db-instance-available --db-instance-identifier scroll-sdk-db --regi
 This command sequence does the following:
 - Gets the VPC ID of our EKS cluster
 - Creates a new security group for our RDS instance in the same VPC
-- Allows inbound PostgreSQL traffic from the EKS cluster's security group
+- Gets the security group ID for the EKS cluster
+- Allows inbound PostgreSQL traffic from the EKS cluster security group
 - Gets the subnet IDs in the VPC
 - Creates a DB subnet group using the VPC subnets
 - Creates a PostgreSQL database named `scrolldb`
@@ -490,6 +514,33 @@ When prompted “Do you want to connect to a different database cluster for this
 
 Lastly, when asked “Do you want to update the config.toml file with the new DSNs?” select “yes” to update your config.
 
+4. Reverting RDS to Private Access:
+
+After initializing your databases, it's important to revert the RDS instance to private access for improved security. Follow these steps:
+
+
+```bash
+# 1. Remove the public accessibility:
+aws rds modify-db-instance \
+    --db-instance-identifier scroll-sdk-db \
+    --no-publicly-accessible \
+    --apply-immediately \
+    --region us-west-2
+
+# 2. Remove the temporary security group rule that allowed public access:
+aws ec2 revoke-security-group-ingress \
+    --group-id $SECURITY_GROUP_ID \
+    --protocol tcp \
+    --port 5432 \
+    --cidr 0.0.0.0/0 \
+    --region us-west-2
+
+# 3. Wait for the changes to take effect:
+aws rds wait db-instance-available --db-instance-identifier scroll-sdk-db --region us-west-2
+```
+
+These steps ensure that your RDS instance is only accessible from within your VPC, enhancing the security of your deployment.
+
 ### Generate Keystore Files
 
 Next, we need to generate new private keys for the sequencer signer and the SDK accounts used for on-chain activity. The prompt will also ask if you want to setup backup sequencers. These will be standby fullnodes ready to take over the sequencer role if needed for recovery or key rotation. This step will also allow you to setup pre-defined bootnodes.
@@ -529,7 +580,55 @@ You will be prompted with each update, and even flagged for empty values. Be sur
 
 Lastly, we need to take the configuration values that are sensitive and publish them to wherever we're deploying "secrets."
 
-We'll use AWS Secrets Manager to store our secrets. First, create a SecretStore:
+We'll use AWS Secrets Manager to store our secrets. First, let's set up the necessary permissions and create a ServiceAccount:
+
+1. Create an IAM policy for accessing Secrets Manager:
+
+```bash
+cat <<EOF > secretsmanager-policy.json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "secretsmanager:GetSecretValue",
+                "secretsmanager:DescribeSecret",
+                "secretsmanager:PutSecretValue",
+                "secretsmanager:CreateSecret",
+                "secretsmanager:DeleteSecret",
+                "secretsmanager:TagResource"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+
+aws iam create-policy --policy-name ExternalSecretsPolicy --policy-document file://secretsmanager-policy.json
+```
+
+2. Associate an IAM OIDC provider with your cluster:
+
+```bash
+eksctl utils associate-iam-oidc-provider --region=us-west-2 --cluster=scroll-sdk-cluster --approve
+```
+
+3. Create a ServiceAccount and associate it with the IAM role:
+
+```bash
+eksctl create iamserviceaccount \
+    --name external-secrets \
+    --namespace default \
+    --cluster scroll-sdk-cluster \
+    --attach-policy-arn arn:aws:iam::YOUR_AWS_ACCOUNT_ID:policy/ExternalSecretsPolicy \
+    --approve \
+    --region us-west-2
+```
+
+Replace `YOUR_AWS_ACCOUNT_ID` with your actual AWS account ID.
+
+4. Create a SecretStore:
 
 ```yaml
 apiVersion: external-secrets.io/v1beta1
@@ -544,10 +643,10 @@ spec:
       auth:
         jwt:
           serviceAccountRef:
-            name: external-secrets-sa
+            name: external-secrets
 ```
 
-Apply this **configuration**:
+Apply this configuration:
 
 ```bash
 kubectl apply -f secretstore.yaml