Financial-Times · dbelev · Mar 16, 2022 · Apr 26, 2022 · Apr 26, 2022 · Jun 1, 2022
@@ -0,0 +1,17 @@
+FROM ubuntu:20.04
+
+COPY cloudformation /cloudformation/
+COPY sh/* /usr/local/bin/
+COPY config/* /config/
+
+RUN chmod +x /usr/local/bin/*
+
+RUN apt-get update && apt-get install -y \
+    less \
+    zip \
+    curl \
+    wget \
+    jq \
+    vim \
+  && rm -rf /var/lib/apt/lists/* \
+  && get-latest-awscli2  
@@ -0,0 +1,31 @@
+.PHONY: rosette-provisioner staging-rosette-ras destroy-staging-rosette-ras prod-rosette-ras destroy-prod-rosette-ras help
+
+help:    ## Show this help.
+	@sed -ne '/@sed/!s/##//p' $(MAKEFILE_LIST)
+
+rosette-ras-provisioner: ## Build  provisioner
+	@docker build -t rosette-ras-provisioner:local .
+
+staging-rosette-ras: ## Deploy staging rosette stack
+	@docker run --rm -it \
+			-e "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}" \
+			-e "AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}" \
+			rosette-ras-provisioner:local provision.sh staging
+
+prod-rosette-ras: ## Deploy prod rosette stack
+	@docker run --rm -it \
+			-e "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}" \
+			-e "AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}" \
+			rosette-ras-provisioner:local provision.sh prod
+
+destroy-staging-rosette-ras: ## Destroys staging rosette steack
+	@docker run --rm -it \
+			-e "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}" \
+			-e "AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}" \
+			rosette-ras-provisioner:local destroy.sh staging
+
+destroy-prod-rosette-ras: ## Destroys prod rosette stack
+	@docker run --rm -it \
+			-e "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}" \
+			-e "AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}" \
+			rosette-ras-provisioner:local destroy.sh prod
@@ -0,0 +1,57 @@
+# upp-rosette-ras-provisioner
+
+## Description
+
+This repository contains the files required to provision a Rosette RAS - PROD and STAGING environment
+
+## Prerequisites
+
+1. [Install docker](https://docs.docker.com/engine/installation/) locally
+
+## Building the Docker image
+
+```
+make rosette-ras-provisioner
+```
+
+## Provisioning a new instance
+
+Here are the steps for provisioning a new instance:
+
+1. [Build your docker image locally](#building-the-docker-image)
+1. Set the environment variables to provision a Rosette RAS. Get credentials for upp-rosette-provisioner user in PROD account and export them:
+```
+export AWS_ACCESS_KEY=
+export AWS_SECRET_ACCESS_KEY=
+export AWS_REGION=
+```
+
+1. Run the following that will provision the stack in AWS:
+
+```
+
+make staging-rosette-ras
+
+```
+
+## Deleting the cluster
+
+1. [Build your docker image locally](#building-the-docker-image)
+1. Set the environment variables to provision a Rosette RAS. Get credentials for upp-rosette-provisioner user in PROD account and export them:
+
+```
+export AWS_ACCESS_KEY=
+export AWS_SECRET_ACCESS_KEY=
+export AWS_REGION=
+```
+
+1. Run the following that will decommission the stack in AWS:
+
+```
+
+make destroy-staging-rosette-ras
+
+```
+
+## Usage
+
@@ -0,0 +1,188 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: This template deploys Rosette RAS
+Parameters:
+  VpcID:
+      Description: The ID of the VPC
+      Type: String
+      Default: vpc-ee57bf89
+  SubnetIds:
+      Description: List of comma separated subnet IDs
+      Type: CommaDelimitedList
+  EnvironmentName:
+      Description: An environment name that will be prefixed to resource names
+      Type: String
+      Default: prod
+  EnvironmentType:
+      Description: Tag detail for the Environment
+      Type: String
+      Default: p
+  Ec2InstanceType:
+      Description: Size of ec2 Instance
+      Type: String
+      Default: m6a.2xlarge
+  ImageId:
+      Description: The Image ID of Amazon Linux 2 kto use
+      Type: String
+      Default: 'ami-0069d66985b09d219'
+  TagTeamDL:
+      Description: Tag of the TeamDL
+      Type: String
+      AllowedPattern: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
+      ConstraintDescription: There must be a valid email address for the TeamDL
+      Default: universal.publishing.platform@ft.com
+  TagSystemCode:
+      Description: The system code for the environment
+      Type: String
+      Default: upp
+  TagDescription:
+      Description: Tag detail for the describing the instance
+      Type: String
+      Default: UPP Rosette stack
+
+Resources:
+    RosetteRasSecurityGroup:
+      Type: AWS::EC2::SecurityGroup
+      Properties:
+        GroupName: !Join ["" , ["Rosette-ras-", !Ref EnvironmentName]]
+        GroupDescription: "Security group for Rosette RAS Instance"
+        VpcId: !Ref VpcID
+        Tags:
+            - Key: Name
+              Value: !Join ["" , ["UPP Rosette RAS Security Group ", !Ref EnvironmentName]]
+            - Key: environment
+              Value: !Ref EnvironmentName
+            - Key: teamDL
+              Value: !Ref TagTeamDL
+            - Key: systemCode
+              Value: !Ref TagSystemCode
+            - Key: description
+              Value: "Security group for UPP Rosette RAS Instance"
+        SecurityGroupIngress:
+            - Description: "AWS VPN range"
+              IpProtocol: tcp
+              FromPort: 22
+              ToPort: 22
+              CidrIp: 10.165.0.0/24
+            - Description: "Rosette RAS app port withing VPC"
+              IpProtocol: tcp
+              FromPort: 80
+              ToPort: 80
+              CidrIp: 10.169.64.0/18
+            - Description: "SSH port within VPC"
+              IpProtocol: tcp
+              FromPort: 80
+              ToPort: 80
+              CidrIp: 10.165.0.0/24
+    ElasticLoadBalancer:
+       Type: "AWS::ElasticLoadBalancing::LoadBalancer"
+       Properties:
+         LoadBalancerName: !Sub upp-rosette-elb-ras-${EnvironmentType}
+         CrossZone: false
+         Subnets: !Ref SubnetIds
+         SecurityGroups: [!Ref RosetteRasSecurityGroup]
+         Scheme: internal
+         Listeners:
+         - LoadBalancerPort: "80"
+           InstancePort: "80"
+           Protocol: "HTTP"
+         HealthCheck:
+           Target: HTTP:80/rest/v1/info
+           HealthyThreshold: '3'
+           UnhealthyThreshold: '5'
+           Interval: '30'
+           Timeout: '5'
+         Tags:
+             - Key: Name
+               Value: !Join ["" , ["UPP Rosette RAS ", !Ref EnvironmentType]]
+             - Key: environment
+               Value: !Ref EnvironmentType
+             - Key: teamDL
+               Value: !Ref TagTeamDL
+             - Key: systemCode
+               Value: !Ref TagSystemCode
+             - Key: description
+               Value: !Ref TagDescription
+    AutoScalingGroup:
+      Type: AWS::AutoScaling::AutoScalingGroup
+      Properties:
+        AutoScalingGroupName: !Sub upp-rosette-ras-${EnvironmentName}
+        MinSize: '1'
+        MaxSize: '1'
+        DesiredCapacity: "1"
+        LoadBalancerNames:
+          [ Ref: ElasticLoadBalancer ]
+        LaunchConfigurationName:
+          Ref: LaunchConfigRosetteRAS
+        VPCZoneIdentifier: !Ref SubnetIds
+        Tags:
+            - Key: Name
+              Value: !Join ["" , ["UPP Rosette RAS ", !Ref EnvironmentType]]
+              PropagateAtLaunch: true
+            - Key: environment
+              Value: !Ref EnvironmentType
+              PropagateAtLaunch: true
+            - Key: teamDL
+              Value: !Ref TagTeamDL
+              PropagateAtLaunch: true
+            - Key: systemCode
+              Value: !Ref TagSystemCode
+              PropagateAtLaunch: true
+            - Key: description
+              Value: !Ref TagDescription
+              PropagateAtLaunch: true
+
+    LaunchConfigRosetteRAS:
+      Type: AWS::AutoScaling::LaunchConfiguration
+      Properties:
+        IamInstanceProfile: "FT-EC2-Role"
+        ImageId: !Ref ImageId
+        InstanceType: !Ref Ec2InstanceType
+        KeyName: "upp-k8s-provisioning-debug"
+        SecurityGroups: [!Ref RosetteRasSecurityGroup]
+        BlockDeviceMappings:
+          - DeviceName: /dev/xvda
+            Ebs:
+              VolumeType: gp3
+              VolumeSize: 100
+              Encrypted: false
+        UserData:
+          Fn::Base64: !Sub |
+             #!/bin/bash -x
+             yum update -y
+             yum install git -y
+             cat > /etc/systemd/system/authorized_keys.service << EOF
+             [Unit]
+             Description=Update authorized_keys
+             [Service]
+             Type=oneshot
+             ExecStartPre=/bin/sh -c 'mkdir -p /home/ec2-user/.ssh && touch /home/ec2-user/.ssh/authorized_keys'
+             ExecStart=/bin/sh -c 'curl -sSL --retry 5 --retry-delay 2 -o /tmp/authorized_keys.sha512 https://raw.githubusercontent.com/Financial-Times/up-ssh-keys/master/authorized_keys.sha512'
+             ExecStart=/bin/sh -c 'curl -sSL --retry 5 --retry-delay 2 -o /tmp/authorized_keys https://raw.githubusercontent.com/Financial-Times/up-ssh-keys/master/authorized_keys'
+             ExecStart=/bin/sh -c 'cd /tmp/ && sha512sum -c authorized_keys.sha512 && cp authorized_keys /home/ec2-user/.ssh/authorized_keys && chmod 700 /home/ec2-user/.ssh && chmod 600 /home/ec2-user/.ssh/authorized_keys && chown -R ec2-user:ec2-user /home/ec2-user/.ssh'
+             Restart=no
+             EOF
+
+             systemctl start authorized_keys.service
+             systemctl enable authorized_keys.service
+
+             cat > /etc/systemd/system/authorized_keys.timer << EOF
+             [Unit]
+             Description=Authorized keys timer
+             [Timer]
+             OnBootSec=1min
+             OnUnitActiveSec=1min
+             [Install]
+             WantedBy=timers.target
+             EOF
+
+             systemctl start authorized_keys.timer
+             systemctl enable authorized_keys.timer
+
+             yum update -y
+             yum install git -y
+ #update the command            docker-compose -f /rosette/docker-compose.yaml up -d
+
+Outputs:
+  RosetteELBDNSname:
+    Description: Rosette ELB DNS record
+    Value: !GetAtt ElasticLoadBalancer.DNSName
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+IFS=$'\n\t'
+
+export AWS_REGION="eu-west-1"
+export SUBNET_IDS="subnet-024e2e32aefaa01c5,subnet-02526d7213a359f48,subnet-0f2c8a8f1e3db176a"
+export EnvironmentType="p"
+export EnvironmentName='prod'
+export IMAGE_ID="ami-0069d66985b09d219"
+export DNS_HOSTED_ZONE_NAME="upp.ft.com"
+export DNS_HOSTED_ZONE_ID="ZE8P6HDQA4Y9N"
+export VpcID="vpc-ee57bf89"
+export CF_STACK_NAME="upp-prod-rosette-ras"
+export DNS_STS_ASSUME_ROLE_ARN="arn:aws:iam::345152836601:role/route53-iam-dnsonlyroleuppprodE94AAA36-CAPB27QPX3K8"
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+IFS=$'\n\t'
+
+export AWS_REGION="eu-west-1"
+export SUBNET_IDS="subnet-024e2e32aefaa01c5,subnet-02526d7213a359f48,subnet-0f2c8a8f1e3db176a"
+#export SECURITY_GROUPS="sg-39ef7b40,sg-f294008b"
+export EnvironmentType="t"
+export EnvironmentName='staging'
+export IMAGE_ID="ami-0069d66985b09d219"
+export DNS_HOSTED_ZONE_NAME="upp.ft.com"
+export DNS_HOSTED_ZONE_ID="ZE8P6HDQA4Y9N"
+export VpcID="vpc-ee57bf89"
+export CF_STACK_NAME="upp-staging-rosette-ras"
+export DNS_STS_ASSUME_ROLE_ARN="arn:aws:iam::345152836601:role/route53-iam-dnsonlyroleuppprodE94AAA36-CAPB27QPX3K8"
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+ENVIRONMENT_NAME=$1
+
+INSTANCE_CONFIG="/config/rosette-${ENVIRONMENT_NAME}.sh"
+
+if [ ! -f "${INSTANCE_CONFIG}" ]; then
+  echo "No configuration exist at ${INSTANCE_CONFIG}"
+  exit 1
+else
+  source "${INSTANCE_CONFIG}"
+fi
+
+
+manage-cname-rosette.sh "DELETE"
+
+aws cloudformation  delete-stack \
+  --stack-name "${CF_STACK_NAME}"
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+IFS=$'\n\t'
+
+cd /tmp
+
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+./aws/install --update
+
+rm awscliv2.zip
+rm -rf ./aws/