There are six roles:
- common : common tasks
- lb : shunt streams based on rules
- waf : performs security tasks for HTTP/HTTPS streams
- vpn : grant customers access to theirs VPC
- fw : filter access to customers VPC
- met : statistics about this VPC
The cloudformation template aims to build all needed components for OCTANE stack.
A CLI is provided. This CLI is a makefile. Several targets are defined.
For example, if you want to deploy a new stack:
./make deploy octanetst
then the CLI will launch the template yml file named "service_octanetst.yml".
A yaml file is provided as example.
Nine targets are available :
- describe: describe an existing OCTANE stack
- output: retrieve output ressources from an existing OCTANE stack
- deploy: deploy a new OCTANE stack
- update: update an existing OCTANE stack
- events: retrieve all events from an existing OCTANE stack
- watch-events: watch events from an existing OCTANE stack
- destroy: Destroy an existing OCTANE stack
- create-set: Create a change set for an existing OCTANE stack
- check: Check template syntax
I'm a big fan of Makefile files :-), so I have use it for managing the AWS stack. The only mandatory parameter is the stack name. I use it for reading a YAML file (cloudformation template, described below).
There are several targets on this makefile:
- help: basic information
- describe: describe an existing stack (json format)
- output: return outputs from an existing stack (json format)
- deploy: upload the cloudformation template onto a S3 bucket and build the stack.
- update: upload the cloudformation template onto a S3 bucket and update the stack.
- wait: if you need to wait the end of a stack creation before doing another action, you may use this target
- events: return existing events from Cloudformation from an existing stack
- watch-events: return last five existing events from Cloudformation from an existing stack in order to follow the stack creation/update/destruction
- destroy: delete an existing stack
- create-set: create an AWS change-set
- destroy-peering: destroy an existing peering
- check: Validate template
This file is the barebone for the OCTANE infrastructure deployment. In order to be used by the makefile, the format name is quite simple: service_
<stackname>.yml
.
As every cloudformation template, this cloudformation is splitted onto two main sections:
- Parameters
- Resources
You nust customise the parameter section, all resources are based upon it.
VPCName:
Default: OCTANE
Description: VPC name
Type: String
The main stack name.
VPCUuid:
Default: SMOKETEST
Description: VPC uuid
Type: String
If you want more than one OCTANE stack, you have to define a unique ID.
VPCCidr:
Default: a.b.c.d/24
Description: VPC instances Cidr root
Type: String
The OCTANE Cidr (must be unique, otherwise you will find some routing problems)
adminCidr:
Default: x.y.w.z/21
Description: VPC where admin instances are
Type: String
In case you have a centralized administration, you put it there.
If you does not have usage of this, you may delete it. But then you have to delete these resources:
- PrivaterouteVPCadmin
- PublicrouteVPCadmin
- SGADM
- routeadminVPC
- adminVPCPeeringConnection
- admRouteTable
browsingCidr:
Default: e.f.g.h/16
Description: VPC browsing
Type: String
Proxy access for items in the infrastructure.
You may have no use of it, but it's a good practice to know what goes outside.
If you do not want to use this, you have also to delete these resources:
- routebrowsingVPC
- PrivaterouteVPCbrowsing
- PublicrouteVPCbrowsing
- browsingVPCPeeringConnection
admRouteTable:
Default: rtb-wwewedss
Description: RouteTable to allow admin to communicate with this VPC
Type: String
Admin route table in case of you use a centralized administration.
Must be deleted if no use.
browsingRouteTable:
Default: rtb-eddsaaeed
Description: RouteTable to allow browsing to communicate with this VPC
Type: String
Proxy route table in case of you use a proxy for accessing foreign resources.
Must be deleted if no use.
adminSecurityGroup:
Default: sg-eaaswddd
Description: Security group for admin servers
Type: 'AWS::EC2::SecurityGroup::Id'
Admin Security group in case of you use a centralized administration.
Must be deleted if no use.
adminVpc:
Default: vpc-evvsasdfdf
Description: VPC where admin instances are
Type: 'AWS::EC2::VPC::Id'
Admin VPC in case of you use a centralized administration.
Must be deleted if no use.
browsingVpc:
Default: vpc-012345
Description: VPC for browsing
Type: 'AWS::EC2::VPC::Id'
Proxy VPC in case of you use a centralized proxy.
Must be deleted if no use.
sshPublicKey:
Default: SSH_KEY
Description: SSH pub key to connect with
Type: 'AWS::EC2::KeyPair::KeyName'
SSH key for accessing EC2 instances
zone53:
AllowedValues:
- ciap-prd.
- ciap-hml.
- ciap-dev.
Default: ciap-dev.
Type: String
DNS zone declaration.
I think it's easy to remember structured DNS name likeoctane_tst_dev_hosting_clb_up_mid.ciap-dev
than something likeinternal-octanetst-CLBUPMID-9A7999MDRO9C-99999999.eu-west-1.elb.amazonaws.com
.
bl:
AllowedValues:
- BL1
- BL2
Default: BL1
Type: String
Business line declaration.
If you have several BL, you msut put them here.
If you have none, you put one allowed value and set it as default.
env:
AllowedValues:
- DEV
- HML
- PRD
- TMP
Default: DEV
Type: String
Environment declaration.
If you have several environments, you must put them here.
If you have none, you put one allowed value and set it as default.
AZ1:
Description: AZ 1
Type: String
Default: "eu-west-1a"
First availability zone
AZ2:
Description: AZ 2
Type: String
Default: "eu-west-1b"
Second availability zone
instanceTypeUPLB:
Description: UPLB instance type
Type: String
Default: t2.micro
Define EC instance type for UPLB
instanceTypeMIDWAF:
Description: MIDWAF instance type
Type: String
Default: t2.micro
Define EC instance type for MIDWAF
instanceTypeLOWFW:
Description: LOWFW instance type
Type: String
Default: t2.micro
Define EC instance type for LOWFW
instanceTypeLOWMET:
Description: LOWMET instance type
Type: String
Default: c4.xlarge
Define EC instance type for LOWMET
instanceTypeMIDVPN:
Description: MIDVPN instance type
Type: String
Default: t2.nano
Define EC instance type for MIDVPN
Define AMI id for ec2 instances
ImageId:
Description: AMI used for EC2 instances
Default: "imageid"
- A template file
- A bucket file
- Need to have sufficients rights (AdministratorAccess for example) in order to perform the cloudformation tasks.