ciinabox-ecs 0.1.6
- checksums.yaml +7 -0
- data/Gemfile +7 -0
- data/LICENSE.txt +22 -0
- data/README.md +458 -0
- data/Rakefile +649 -0
- data/bin/Rakefile +1 -0
- data/bin/ciinabox-ecs +2 -0
- data/bin/ciinabox-ecs.rb +60 -0
- data/config/ciinabox_params.yml.erb +71 -0
- data/config/default_lambdas.yml +26 -0
- data/config/default_params.yml +303 -0
- data/config/default_params.yml.example +124 -0
- data/config/default_services.yml +62 -0
- data/ext/common_helper.rb +21 -0
- data/ext/config/managed_policies.yml +156 -0
- data/ext/helper.rb +29 -0
- data/ext/policies.rb +53 -0
- data/ext/zip_helper.rb +57 -0
- data/lambdas/acm_issuer_validator/lib/install.sh +20 -0
- data/templates/bastion.rb +121 -0
- data/templates/ciinabox.rb +159 -0
- data/templates/ecs-cluster.rb +252 -0
- data/templates/ecs-services.rb +340 -0
- data/templates/lambdas.rb +172 -0
- data/templates/services/bitbucket.rb +81 -0
- data/templates/services/drone.rb +394 -0
- data/templates/services/hawtio.rb +100 -0
- data/templates/services/icinga2.rb +79 -0
- data/templates/services/jenkins.rb +209 -0
- data/templates/services/nexus.rb +96 -0
- data/templates/vpc.rb +290 -0
- metadata +144 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 353e5b07dfebb932b4853d1a614e59a587877dfa
|
4
|
+
data.tar.gz: a167bceccc62cfd3a4ba48d03fc1442bfe76ba03
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 0de55a2bb67c0cb9bc43bdc98f55b3fa97896f491304d0b02d27bd07033189bb979ec2e1a47d7c37f427e3579db5cacff714083375582e5ac7358ad8d70159a6
|
7
|
+
data.tar.gz: 170ee8dde7a66bc109ad5b5d594e52497e0113be1e7b84bb96766b8d696b572b231d43f9b5bb4e95e6d8b377f897b68609a938dd9adda8ae58fa787dc1cb867b
|
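Review bot: the checksums.yaml hunk publishes SHA1 digests next to the SHA512 ones; anyone verifying the gem's metadata.gz and data.tar.gz should compare against the SHA512 entries, since SHA1 is no longer collision-resistant and the SHA1 block here is only useful for legacy tooling. It would help to say so where the checksum format is documented, or to drop the SHA1 block once no consumer depends on it.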
data/Gemfile
ADDED
data/LICENSE.txt
ADDED
@@ -0,0 +1,22 @@
|
|
1
|
+
Copyright (c) 2015 base2Services
|
2
|
+
|
3
|
+
MIT License
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
6
|
+
a copy of this software and associated documentation files (the
|
7
|
+
"Software"), to deal in the Software without restriction, including
|
8
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
9
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
10
|
+
permit persons to whom the Software is furnished to do so, subject to
|
11
|
+
the following conditions:
|
12
|
+
|
13
|
+
The above copyright notice and this permission notice shall be
|
14
|
+
included in all copies or substantial portions of the Software.
|
15
|
+
|
16
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
17
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
18
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
19
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
20
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
21
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
22
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,458 @@
|
|
1
|
+
# ciinabox ECS
|
2
|
+
|
3
|
+
ciinabox pronounced ciin a box is a set of automation for building
|
4
|
+
and managing a bunch of CI tools in AWS using the Elastic Container Service (ECS).
|
5
|
+
|
6
|
+
Right Now ciinabox supports deploying:
|
7
|
+
|
8
|
+
* [jenkins](https://jenkins.io/)
|
9
|
+
* [drone](http://docs.drone.io)
|
10
|
+
* [bitbucket](https://www.atlassian.com/software/bitbucket)
|
11
|
+
* [hawtio](http://hawt.io/)
|
12
|
+
* [nexus](http://www.sonatype.org/nexus/)
|
13
|
+
* plus custom tasks and stacks
|
14
|
+
|
15
|
+
## Setup
|
16
|
+
|
17
|
+
requires ruby 2.3+
|
18
|
+
|
19
|
+
install [ciinabox-ecs](https://rubygems.org/gems/ciinabox-ecs/) gem
|
20
|
+
|
21
|
+
```bash
|
22
|
+
$ gem install ciinabox-ecs
|
23
|
+
...
|
24
|
+
Done installing documentation for ciinabox-ecs after xx seconds
|
25
|
+
1 gem installed
|
26
|
+
|
27
|
+
$ ciinabox-ecs help
|
28
|
+
Usage: ciinabox-ecs action1 action2 action3 ciinabox_name
|
29
|
+
Valid actions:
|
30
|
+
name |description
|
31
|
+
|
32
|
+
active |Switch active ciinabox
|
33
|
+
create |Creates the ciinabox environment
|
34
|
+
create_server_cert |Create self-signed SSL certs for use with ciinabox
|
35
|
+
create_source_bucket |Creates the source bucket for deploying ciinabox
|
36
|
+
deploy |Deploy Cloudformation templates to S3
|
37
|
+
down |Turn off your ciinabox environment
|
38
|
+
full_install |Initialize configuration, create required assets in AWS account, create Cloud Formation stack
|
39
|
+
generate |Generate CloudFormation templates
|
40
|
+
generate_keypair |Generate ciinabox AWS keypair
|
41
|
+
init |Initialise a new ciinabox environment
|
42
|
+
package_lambdas |Package Lambda Functions as ZipFiles
|
43
|
+
ssh |SSH into your ciinabox environment
|
44
|
+
status |Current status of the active ciinabox
|
45
|
+
tear_down |Deletes/tears down the ciinabox environment
|
46
|
+
up |Turn on your ciinabox environment
|
47
|
+
update |Updates the ciinabox environment
|
48
|
+
update_cert_to_acm |Replace previously auto-generated IAM certificate with auto-validated ACM certificate (if one exists)
|
49
|
+
upload_server_cert |Uploads SSL server certs for ciinabox
|
50
|
+
|
51
|
+
```
|
52
|
+
|
53
|
+
If setting your own parameters and additional services, they should be configured as such:
|
54
|
+
|
55
|
+
#### User-defined parameters:
|
56
|
+
ciinaboxes/ciinabox_name/config/params.yml
|
57
|
+
|
58
|
+
e.g:
|
59
|
+
```ruby
|
60
|
+
log_level: ':debug'
|
61
|
+
timezone: 'Australia/Melbourne'
|
62
|
+
```
|
63
|
+
|
64
|
+
#### User-defined services:
|
65
|
+
If you wish to add additional containers to your ciinabox environment, you can specify them like so:
|
66
|
+
ciinaboxes/ciinabox_name/config/services.yml
|
67
|
+
|
68
|
+
e.g:
|
69
|
+
```yaml
|
70
|
+
---
|
71
|
+
services:
|
72
|
+
- jenkins:
|
73
|
+
- bitbucket:
|
74
|
+
LoadBalancerPort: 22
|
75
|
+
InstancePort: 7999
|
76
|
+
Protocol: TCP
|
77
|
+
- hawtio:
|
78
|
+
- nexus:
|
79
|
+
```
|
80
|
+
|
81
|
+
Please note that if you wish to do this, that you also need to create a CFNDSL template for the service under templates/services, with the name of the service as the filename (e.g. bitbucket.rb)
|
82
|
+
|
83
|
+
Note the drone service requires a minimum yaml configuration of below
|
84
|
+
```yml
|
85
|
+
services:
|
86
|
+
- drone:
|
87
|
+
params:
|
88
|
+
-
|
89
|
+
VPC:
|
90
|
+
Ref: VPC
|
91
|
+
-
|
92
|
+
SubnetPublicA:
|
93
|
+
Ref: SubnetPublicA
|
94
|
+
-
|
95
|
+
SubnetPublicB:
|
96
|
+
Ref: SubnetPublicB
|
97
|
+
-
|
98
|
+
ECSSubnetPrivateA:
|
99
|
+
Ref: ECSSubnetPrivateA
|
100
|
+
-
|
101
|
+
ECSSubnetPrivateB:
|
102
|
+
Ref: ECSSubnetPrivateB
|
103
|
+
-
|
104
|
+
SecurityGroupBackplane:
|
105
|
+
Ref: SecurityGroupBackplane
|
106
|
+
-
|
107
|
+
SecurityGroupOps:
|
108
|
+
Ref: SecurityGroupOps
|
109
|
+
-
|
110
|
+
SecurityGroupDev:
|
111
|
+
Ref: SecurityGroupDev
|
112
|
+
-
|
113
|
+
SecurityGroupNatGateway:
|
114
|
+
Ref: SecurityGroupNatGateway
|
115
|
+
-
|
116
|
+
SecurityGroupWebHooks:
|
117
|
+
Ref: SecurityGroupWebHooks
|
118
|
+
-
|
119
|
+
ECSENIPrivateIpAddress:
|
120
|
+
Ref: ECSENIPrivateIpAddress
|
121
|
+
tasks:
|
122
|
+
drone-server:
|
123
|
+
env:
|
124
|
+
DRONE_OPEN: true
|
125
|
+
```
|
126
|
+
to further configure drone ci refer to the drone ci's environment variable in the documentation http://docs.drone.io/installation/, you can add/override drone's environment variable to their corresponding yaml section (`drone-server` and `drone-agent`), example
|
127
|
+
```yml
|
128
|
+
tasks:
|
129
|
+
drone-server:
|
130
|
+
env:
|
131
|
+
DRONE_OPEN: true
|
132
|
+
DRONE_SECRET: base2services # if this value is not specified, a secure random hex will be used
|
133
|
+
drone-agent:
|
134
|
+
env:
|
135
|
+
DRONE_SECRET: base2services # if this value is not specified, a secure random hex will be used
|
136
|
+
```
|
137
|
+
|
138
|
+
## Getting Started
|
139
|
+
|
140
|
+
To get started install `ciinabox-ecs` ruby gem
|
141
|
+
|
142
|
+
```bash
|
143
|
+
$ gem install ciinabox-ecs
|
144
|
+
```
|
145
|
+
|
146
|
+
### Quick setup
|
147
|
+
|
148
|
+
You can be guided through full installation of ciinabox by running `full_install` action. Interactive
|
149
|
+
command line prompt will offer you defaults for most of required options.
|
150
|
+
|
151
|
+
```bash
|
152
|
+
$ ciinabox-ecs full_install
|
153
|
+
|
154
|
+
```
|
155
|
+
|
156
|
+
### Step by step setup
|
157
|
+
|
158
|
+
1. Initialize/Create a new ciinabox environment. Please note that any user-defined services and parameters will be merged during this task into the default templates
|
159
|
+
```bash
|
160
|
+
$ ciinabox-ecs init
|
161
|
+
Enter the name of ypur ciinabox:
|
162
|
+
myciinabox
|
163
|
+
Enter the id of your aws account you wish to use with ciinabox
|
164
|
+
111111111111
|
165
|
+
Enter the AWS region to create your ciinabox (e.g: ap-southeast-2):
|
166
|
+
us-west-2
|
167
|
+
Enter the name of the S3 bucket to deploy ciinabox to:
|
168
|
+
source.myciinabox.com
|
169
|
+
Enter top level domain (e.g tools.example.com), must exist in Route53 in the same AWS account:
|
170
|
+
myciinabox.com
|
171
|
+
# Enable active ciinabox by executing or override ciinaboxes base directory:
|
172
|
+
export CIINABOXES_DIR="ciinaboxes/"
|
173
|
+
export CIINABOX="myciinabox"
|
174
|
+
```
|
175
|
+
You can override the default ciinaboxes directory by setting the CIINABOXES_DIR environment variable. Also the DNS domain you entered about must already exist in Route53
|
176
|
+
|
177
|
+
|
178
|
+
3. Generate self-signed wild-card cert for your ciinabox
|
179
|
+
```bash
|
180
|
+
$ ciinabox-ecs create_server_cert [ciinabox_name]
|
181
|
+
Generating a 4096 bit RSA private key
|
182
|
+
.......................................................................................................................................++
|
183
|
+
....................++
|
184
|
+
writing new private key to 'ciinaboxes/myciinabox/ssl/ciinabox.key'
|
185
|
+
-----
|
186
|
+
```
|
187
|
+
|
188
|
+
4. Create IAM server-certificates
|
189
|
+
```bash
|
190
|
+
$ ciinabox-ecs upload_server_cert [ciinabox_name]
|
191
|
+
Successfully uploaded server-certificates
|
192
|
+
```
|
193
|
+
|
194
|
+
5. Create ciinabox S3 source deployment bucket
|
195
|
+
```bash
|
196
|
+
$ ciinabox-ecs create_source_bucket [ciinabox_name]
|
197
|
+
Successfully created S3 source deployment bucket source.myciinabox.com
|
198
|
+
```
|
199
|
+
|
200
|
+
6. Create ssh ec2 keypair
|
201
|
+
```bash
|
202
|
+
$ ciinabox-ecs generate_keypair [ciinabox_name]
|
203
|
+
Successfully created ciinabox ssh keypair
|
204
|
+
```
|
205
|
+
|
206
|
+
7. Generate ciinabox cloudformation templates
|
207
|
+
```bash
|
208
|
+
$ ciinabox-ecs generate [ciinabox_name]
|
209
|
+
Writing to output/ciinabox.json
|
210
|
+
using extras [[:yaml, "ciinaboxes/myciinabox/config/default_params.yml"], [:yaml, "config/services.yml"], [:ruby, "ext/helper.rb"]]
|
211
|
+
Loading YAML file ciinaboxes/myciinabox/config/default_params.yml
|
212
|
+
Setting local variable ciinabox_version to 0.1
|
213
|
+
Setting local variable ciinabox_name to myciinabox
|
214
|
+
......
|
215
|
+
......
|
216
|
+
$ ls -al output/
|
217
|
+
total 72
|
218
|
+
drwxr-xr-x 9 ciinabox staff 306 9 Sep 21:52 .
|
219
|
+
drwxr-xr-x 14 ciinabox staff 476 19 Oct 10:26 ..
|
220
|
+
-rw-r--r-- 1 ciinabox staff 0 7 Sep 14:30 .gitkeep
|
221
|
+
-rw-r--r-- 1 ciinabox staff 1856 19 Oct 13:27 ciinabox.json
|
222
|
+
-rw-r--r-- 1 ciinabox staff 6096 19 Oct 13:27 ecs-cluster.json
|
223
|
+
-rw-r--r-- 1 ciinabox staff 1358 9 Sep 17:39 ecs-service-elbs.json
|
224
|
+
-rw-r--r-- 1 ciinabox staff 3250 19 Oct 13:27 ecs-services.json
|
225
|
+
drwxr-xr-x 4 ciinabox staff 136 9 Sep 21:53 services
|
226
|
+
-rw-r--r-- 1 ciinabox staff 13218 19 Oct 13:27 vpc.json
|
227
|
+
```
|
228
|
+
This will render the cloudformation templates locally in the output directory
|
229
|
+
|
230
|
+
8. Deploy/upload cloudformation templates to source deployment bucket
|
231
|
+
```bash
|
232
|
+
$ ciinabox-ecs deploy [ciinabox_name]
|
233
|
+
upload: output/vpc.json to s3://source.myciinabox.com/ciinabox/0.1/vpc.json
|
234
|
+
upload: output/ecs-services.json to s3://source.myciinabox.com/ciinabox/0.1/ecs-services.json
|
235
|
+
upload: output/ciinabox.json to s3://source.myciinabox.com/ciinabox/0.1/ciinabox.json
|
236
|
+
upload: output/services/jenkins.json to s3://source.myciinabox.com/ciinabox/0.1/services/jenkins.json
|
237
|
+
upload: output/ecs-service-elbs.json to s3://source.myciinabox.com/ciinabox/0.1/ecs-service-elbs.json
|
238
|
+
upload: output/ecs-cluster.json to s3://source.myciinabox.com/ciinabox/0.1/ecs-cluster.json
|
239
|
+
Successfully uploaded rendered templates to S3 bucket source.myciinabox.com
|
240
|
+
```
|
241
|
+
|
242
|
+
9. Create/Lanuch ciinabox environment
|
243
|
+
```bash
|
244
|
+
$ ciinabox-ecs create base2
|
245
|
+
Starting updating of ciinabox environment
|
246
|
+
# checking status using
|
247
|
+
$ ciinabox-ecs status base2
|
248
|
+
base2 ciinabox is in state: CREATE_IN_PROGRESS
|
249
|
+
# When your ciinabox environment is ready the status will be
|
250
|
+
base2 ciinabox is alive!!!!
|
251
|
+
ECS cluster private ip:10.xx.xx.xx
|
252
|
+
```
|
253
|
+
You can access jenkins using http://jenkins.myciinabox.com
|
254
|
+
|
255
|
+
## Additional Tasks
|
256
|
+
|
257
|
+
### ciinabox-ecs update
|
258
|
+
|
259
|
+
Runs a cloudformation update on the current ciinabox environment. You can use this task if you've modified the default_params.yml config file for your ciinabox and you want to apply these changes to your ciinabox.
|
260
|
+
|
261
|
+
A common update would be to lock down ip access to your ciinabox environment
|
262
|
+
|
263
|
+
1. edit ciinaboxes/myciinabox/config/default_params.yml
|
264
|
+
|
265
|
+
```yaml
|
266
|
+
....
|
267
|
+
#Environment Access
|
268
|
+
#add list of public IP addresses you want to access the environment from
|
269
|
+
#default to public access probably best to change this
|
270
|
+
opsAccess:
|
271
|
+
- my-public-ip
|
272
|
+
- my-my-other-ip
|
273
|
+
#add list of public IP addresses for your developers to access the environment
|
274
|
+
#default to public access probably best to change this
|
275
|
+
devAccess:
|
276
|
+
- my-dev-teams-ip
|
277
|
+
....
|
278
|
+
```
|
279
|
+
|
280
|
+
2. update your ciinabox
|
281
|
+
```bash
|
282
|
+
$ ciinabox-ecs generate deploy update [ciinabox_name]
|
283
|
+
$ ciinabox-ecs status [ciinabox_name]
|
284
|
+
```
|
285
|
+
|
286
|
+
### ciinabox-ecs tear_down [ciinabox_name]
|
287
|
+
|
288
|
+
Tears down your ciinabox environment. But why would you want to :)
|
289
|
+
|
290
|
+
|
291
|
+
### ciinabox-ecs up [ciinabox_name]
|
292
|
+
|
293
|
+
Relies on [cfn_manage](https://rubygems.org/gems/cfn_manage) gem to bring stack up. Stack needs to be stopped using `ciinabox:down` task
|
294
|
+
|
295
|
+
### ciinabox-ecs down [ciinabox_name]
|
296
|
+
|
297
|
+
Relies on [cfn_manage](https://rubygems.org/gems/cfn_manage) gem to stop the stack. Will set ASG size to 0 (and optionally set bastion ASG size to 0).
|
298
|
+
|
299
|
+
## Adding Custom Templates per ciinabox
|
300
|
+
|
301
|
+
Custom templates should be defined under <CIINABOXES_DIR>/<CIINABOX>/templates.
|
302
|
+
|
303
|
+
For each stack that needs to be included add a stack under extra_stacks in the config.yml.
|
304
|
+
|
305
|
+
By default the name of the nested stack will be assumed to be the file name when the template is getting called. This can be overriden.
|
306
|
+
|
307
|
+
Parameters get passed in as a hash and all get passed in from the top level.
|
308
|
+
|
309
|
+
\#extra_stacks:
|
310
|
+
\# elk:
|
311
|
+
\# #define template name? - optional
|
312
|
+
\# file_name: elk
|
313
|
+
\# parameters:
|
314
|
+
\# RoleName: search
|
315
|
+
\# CertName: x
|
316
|
+
|
317
|
+
# Extra configs
|
318
|
+
|
319
|
+
## To restore the volume from a snapshot in an existing ciinabox update the following 2 values
|
320
|
+
|
321
|
+
ecs_data_volume_snapshot: (Note: if ciinabox exists this is two step approach you will need to change volume name and change back volume name)
|
322
|
+
|
323
|
+
ecs_data_volume_name: override this if you need to re-generate the volume, e.g. from snapshot
|
324
|
+
|
325
|
+
\#add if you want ecs docker volume != 22GB - must be > 22
|
326
|
+
|
327
|
+
\#ecs_docker_volume_size: 100
|
328
|
+
|
329
|
+
\#use this to change volume snapshot for running ciinabox
|
330
|
+
|
331
|
+
\#ecs_data_volume_name: "ECSDataVolume2s"
|
332
|
+
|
333
|
+
\#set the snapshot to restore from
|
334
|
+
|
335
|
+
\#ecs_data_volume_snapshot: snap-49e2b3b5
|
336
|
+
|
337
|
+
\#set the size of the ecs data volume -- NOTE: would take a new volume - i.e. change volume name
|
338
|
+
|
339
|
+
\#ecs_data_volume_size: 250
|
340
|
+
|
341
|
+
\#optional ciinabox name if you need more than one or you want a different name
|
342
|
+
|
343
|
+
\#stack_name: ciinabox-tools
|
344
|
+
|
345
|
+
## For internal elb for jenkins
|
346
|
+
|
347
|
+
```
|
348
|
+
internal_elb: false
|
349
|
+
|
350
|
+
- jenkins:
|
351
|
+
LoadBalancerPort: 50000
|
352
|
+
InstancePort: 50000
|
353
|
+
Protocol: TCP
|
354
|
+
# needs internal_elb: true
|
355
|
+
```
|
356
|
+
|
357
|
+
# Ciinabox configuration
|
358
|
+
|
359
|
+
## Bastion (Jumpbox) instance
|
360
|
+
|
361
|
+
If you have need to access ECS Cluster instance running Jenkins server via secure shell, you may do so by logging
|
362
|
+
into bastion host first. By default, bastion is disabled for ciinabox Cloud Formation stack, however you can enable
|
363
|
+
it by using `bastion_stack` configuration key. Bastion will be launched as part of AutoScaling Group of size 1,
|
364
|
+
allowing it to self heal in case of system or instance check failure.
|
365
|
+
|
366
|
+
```yaml
|
367
|
+
include_bastion_stack: true
|
368
|
+
```
|
369
|
+
|
370
|
+
It is also possible to override other bastion host parameters, such as Amazon Machine Image and instance type
|
371
|
+
used for Launch Configuration. Defaults are below
|
372
|
+
|
373
|
+
```yaml
|
374
|
+
bastionInstanceType: t2.micro
|
375
|
+
# Amazon Linux 2017.09
|
376
|
+
bastionAMI:
|
377
|
+
us-east-1:
|
378
|
+
ami: ami-c5062ba0
|
379
|
+
us-east-2:
|
380
|
+
ami: ami-c5062ba0
|
381
|
+
us-west-2:
|
382
|
+
ami: ami-e689729e
|
383
|
+
us-west-1:
|
384
|
+
ami: ami-02eada62
|
385
|
+
ap-southeast-1:
|
386
|
+
ami: ami-0797ea64
|
387
|
+
ap-southeast-2:
|
388
|
+
ami: ami-8536d6e7
|
389
|
+
eu-west-1:
|
390
|
+
ami: ami-acd005d5
|
391
|
+
eu-west-2:
|
392
|
+
ami: ami-1a7f6d7e
|
393
|
+
eu-central-1:
|
394
|
+
ami: ami-c7ee5ca8
|
395
|
+
|
396
|
+
```
|
397
|
+
|
398
|
+
|
399
|
+
## IAM Roles
|
400
|
+
|
401
|
+
Default IAM permission for ciinabox stack running Jenkins server are set in `config/default_params.yml`, under
|
402
|
+
`ecs_iam_role_permissions_default` configuration key. You can extend this permissions on a ciinabox level
|
403
|
+
using `ecs_iam_role_permissions_extras` key. E.g.
|
404
|
+
|
405
|
+
(within `$CIINABOXES_DIR/$CIINABOX/config/params.yml`)
|
406
|
+
```yaml
|
407
|
+
|
408
|
+
ecs_iam_role_permissions_extras:
|
409
|
+
-
|
410
|
+
name: allow-bucket-policy
|
411
|
+
actions:
|
412
|
+
- s3:PutBucketPolicy
|
413
|
+
|
414
|
+
```
|
415
|
+
|
416
|
+
## Allowing connections from NAT gateway
|
417
|
+
|
418
|
+
If ECS Cluster and running Jenkins will try to access itself via public route and url, you will need
|
419
|
+
to allow such traffic using Security Group rules. As NAT Gateway is used for sending all requests to internet,
|
420
|
+
it is NAT Gateways IP address that should be added to Group rules. Use `allow_nat_connections` configuration
|
421
|
+
key for this.
|
422
|
+
|
423
|
+
```yaml
|
424
|
+
allow_nat_connections: false
|
425
|
+
```
|
426
|
+
|
427
|
+
## Automatic issuance and validation of ACM SSL certificate
|
428
|
+
|
429
|
+
This setting is enabled by default in default parameters. During the ciinabox init stage, you will be
|
430
|
+
asked if you want to utilise this functionality. Essentially, custom cloudformation resource based on
|
431
|
+
python [aws-acm-validator](https://pypi.python.org/pypi/aws-acm-cert-validator) python package will
|
432
|
+
request and validate ACM certificate through appropriate Route 53 DNS validation record.
|
433
|
+
|
434
|
+
### To disable during ciinabox setup
|
435
|
+
|
436
|
+
Answer question below with 'y' during ciinabox init stage
|
437
|
+
|
438
|
+
```text
|
439
|
+
Use selfsigned rather than ACM issued and validated certificate (y/n)? [n]
|
440
|
+
```
|
441
|
+
|
442
|
+
### To disable for existing ciinaboxes
|
443
|
+
|
444
|
+
Within `$CIINABOXES_DIR/$CIINABOX/params.yml`
|
445
|
+
|
446
|
+
```yaml
|
447
|
+
acm_auto_issue_validate: false
|
448
|
+
```
|
449
|
+
|
450
|
+
### To migrate previous versions of ciinabox to this functionality
|
451
|
+
|
452
|
+
After updating to latest ciinabox version including this functionality, you may want to update value of `default_ssl_cert_id`
|
453
|
+
configuration key to ARN of the freshly issued ACM certificate. You can do that using `update_cert_to_acm` action
|
454
|
+
|
455
|
+
```yaml
|
456
|
+
$ ciinabox-ecs update_cert_to_acm [ciinabox_name]
|
457
|
+
Set arn:aws:acm:ap-southeast-2:123456789012:certificate/2f2f3f9f-aaaa-bbbb-cccc-11dac04e7fb9 as default_cert_arn
|
458
|
+
```
|
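Review bot: the "Step by step setup" list skips from step 1 to step 3, and the `create`/`status` example in step 9 uses `base2` as the ciinabox name while every other step uses `myciinabox`; please renumber and use one name throughout. Two points that affect how safely people will run this: the drone example hard-codes `DRONE_SECRET: base2services` in a services.yml that users will keep next to their ciinabox config, so the text should say that this value is the shared secret between `drone-server` and `drone-agent` and that leaving it unset (which the inline comment says yields a secure random hex) is the better choice; and the only mention that `opsAccess`/`devAccess` default to public access is buried in the "ciinabox-ecs update" example, so the IP lock-down deserves a sentence in the setup steps before `create`, and the `ecs_iam_role_permissions_extras` example that grants `s3:PutBucketPolicy` should note which bucket the extra permission is meant for. Smaller fixes: "ypur" should be "your", "Lanuch" should be "Launch", "entered about" should be "entered above", the `up` section refers to a `ciinabox:down` task where the action table names it `down`, the params path is `ciinaboxes/ciinabox_name/config/params.yml` in one place and `$CIINABOXES_DIR/$CIINABOX/params.yml` (without `config/`) in the ACM section, the `log_level` example is fenced as ruby although it is YAML, the internal ELB block has no language tag, and the `update_cert_to_acm` session is fenced as yaml although it is a shell transcript.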