diff --git a/CHANGELOG.MD b/CHANGELOG.MD
index 73623ce..a6aa34b 100644
--- a/CHANGELOG.MD
+++ b/CHANGELOG.MD
@@ -2,6 +2,27 @@ # Change Log All notable changes to this project will be documented in this file. +## [3.0.0] - 2021-05-10 + +### Upgrade Notes: +- the Big Blue Button version defaults now to 2.3.0. if you need to stay on 2.2.X please make sure to alter the BBB version parameter to xenial-22 and the Ubuntu version parameter to xenial-16.04. +- the deployment now defaults to "Serverless" deployments for ECS and Aurora. this will optimize costs especially in small/test environments. switching from instanced to serverless will resetup the database means you will have to restore the DB from a backup afterwards or start fresh with testings. to prevent this, ensure you're not just using defaults for your environment. +- now you should have docker locally installed when planning a scalable deployment. this is due our approach to mirror the needed images to ensure availability when using scaling of the frontend and Scalelite LBs + +### Fixed +- #75: Serverless Aurora did not deploy due a missing !IF condition for the parametergroup +- #81: Single deployments failed due a missing condition + +### Changed +- #84: Default Big Blue Button version defaults to 2.3.0 (stable since 7 Days) +- #77: SES automation is now optional and can be overwritten by using the parameter +- #77: an existing ACM Certificate ARN can be added to reuse an existing or imported SSL certificate +- #76: Cloudformation can now validate ACM certificates natively, so we do not need the custom resource anymore. +- #85: we're now utilizing IAM Roles when mounting the Shared Storage. Also the Storage now limits access to the APs utilizing these Roles. +- #86: adding ECR as container registry to prevent failures due dockerhub limitations +- Versions of Greenlight and Scalelite are now current and reflect the new default Big Blue Button Version +- Fargate deployment version of Scalelite was broken, this is now fixed. + ## [2.3.0] - 2021-03-10 ### Upgrade Notes: 
diff --git a/README.md b/README.md index b9a7fec..4845130 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,7 @@ To run the automated, [setup script](./setup.sh) based deployment you need to ha - an [installed and configured ](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) aws-cli - [a named profile](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) at the aws-cli configuration reflecting the account you are planning to use for the deployment - [jq](https://stedolan.github.io/jq/) +- [docker](https://www.docker.com/) To run the step-by-step setup: @@ -125,6 +126,8 @@ The deployment parameters are placed into the bbb-on-aws-param.json or to be set | BBBScaleliteMemory | 2048 | Memory limit for the Scalelite tasks | setting per task for all inheritated containers | BBBScaleliteCPU | 1024 | vCPU limit for the Scalelite tasks if deployed | setting once per task for all containers | BBBSesRegion| - | Region of the SES Service to be used | if the setup is planned to be deployed in a Region w/o Amazon SES, choose a proper region here. +| BBBSESValidated| false | controls if a pre validated SES domain is used | set to true if you setup the SES domain outside of this deployment +| BBBACMCertArn | - | existing SSL/TLS Certificate ARN for HTTPS | add your Certificate ARN here. e.g. if you imported your own Cert into ACM. # Deployment @@ -335,7 +338,6 @@ Be sure NOT to use the main branch if you want to be sure not pulling potential - [Scalelite](https://github.com/blindsidenetworks/scalelite) - [Coturn](https://github.com/coturn/coturn) - [cfn-ses-provider](https://github.com/binxio/cfn-ses-provider) - - [cfn-certificate-provider](https://github.com/binxio/cfn-certificate-provider) - [cli53](https://github.com/barnybug/cli53) # Security 
@@ -356,6 +358,5 @@ Please be aware of the deviating licenses of the deployed open-source software c - cli53: [MIT License](https://github.com/barnybug/cli53/blob/master/LICENSE) - Coturn: [New BSD License](https://github.com/coturn/coturn/blob/master/LICENSE) - cfn-ses-provider - [Apache-2.0 License](https://github.com/binxio/cfn-ses-provider/blob/master/LICENSE) -- cfn-certificate-provider - [Apache-2.0 License](https://github.com/binxio/cfn-certificate-provider/blob/master/LICENSE) Please note that running this code will cause software that is licensed under [AGPL-3.0](https://www.gnu.org/licenses/agpl-3.0.de.html) to be deployed in the user’s account. \ No newline at end of file diff --git a/bbb-on-aws-master.template.yaml b/bbb-on-aws-master.template.yaml index 31664ca..57ab385 100644 --- a/bbb-on-aws-master.template.yaml +++ b/bbb-on-aws-master.template.yaml @@ -107,7 +107,7 @@ Parameters: BBBECSInstanceType: Description: Instance type for ECS Cluster worker nodes Type: String - Default: t3a.large + Default: fargate AllowedValues: - fargate - t3a.small @@ -321,12 +321,13 @@ Parameters: - db.r4.4xlarge - db.r4.8xlarge - db.r4.16xlarge + - db.t3.micro - db.t3.small - db.t3.medium - db.t3.large - db.t3.xlarge - db.t3.2xlarge - Default: db.t3.medium + Default: serverless BBBServerlessAuroraMinCapacity: Description: The minimum capacity for the Amazon Aurora Serverless Cluster. Type: Number @@ -394,6 +395,10 @@ Parameters: Description: Scalelite Importer docker image identifier Type: String Default: "blindsidenetwks/scalelite:v1-recording-importer" + BBBECRRegistry: + Description: ECR Registry to be used. + Type: String + Default: "" BBBCacheAZMode: Description: Redis Cache AZ Mode Type: String 
@@ -455,6 +460,15 @@ Parameters: Description: Set the Region for the SES Service if deployment in a non-SES Region Type: String Default: "AWS::NoValue" + BBBSESValidated: + Description: If the SES Domain is already validated manually we do not need the automation + Type: String + Default: false + AllowedValues: [ true, false ] + BBBACMCertArn: + Description: Set this parameter if you want to reuse an existing ACM certificate for your deployment + Type: String + Default: "AWS::NoValue" Conditions: BBBProdEnvironment: !Equals [!Ref BBBEnvironmentStage, prod] @@ -463,6 +477,7 @@ Conditions: BBBSingleEnvironment: !Equals [!Ref BBBEnvironmentType, single] BBBExistingVPC: !And [ !Not [ !Equals [ !Ref BBBVPCs, "" ]], !Equals [ !Select [ 0, !Split [ vpc-, !Ref BBBVPCs ]], "" ]] BBBNewVPC: !Not [ Condition: BBBExistingVPC ] + BBBSESNotValidated: !Equals [false, !Ref BBBSESValidated] Resources: @@ -486,28 +501,6 @@ Resources: LogGroupName: !Join ["", ["/", !Ref "AWS::StackName", "/applicationlogs"]] RetentionInDays: 7 - BBBACMCertStack: - Type: AWS::CloudFormation::Stack - Condition: BBBScalableEnvironment - Properties: - TemplateURL: - Fn::Join: - - "" - - - "https://s3.amazonaws.com/" - - Fn::ImportValue: !Sub "${BBBStackBucketStack}-BBBStackBucket" - - "/bbb-on-aws-acmcert.template.yaml" - Parameters: - BBBEnvironmentStage: - Ref: BBBEnvironmentStage - Tags: - - Key: Name - Value: - Fn::Sub: BBBACMCertStack-${BBBEnvironmentName} - - Key: Environment - Value: !Ref BBBEnvironmentName - - Key: Stage - Value: !Ref BBBEnvironmentStage - BBBAMIFinderStack: Type: AWS::CloudFormation::Stack Properties: @@ -1090,6 +1083,8 @@ Resources: - Outputs.BBBRDSDBConnectionSecret BBBEnvironmentStage: Ref: BBBEnvironmentStage + BBBSESValidated: + Ref: BBBSESValidated BBBECSCluster: Fn::GetAtt: - BBBECSStack 
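Review bot: `BBBACMCertArn` accepts any string — there is no AllowedPattern — so a mistyped ARN is only caught when the HTTPS listeners in the frontend stack are created, late in the deployment and after the database and ECS resources already exist. Add `AllowedPattern: "^(AWS::NoValue|arn:aws[a-z-]*:acm:[a-z0-9-]+:[0-9]{12}:certificate/[a-f0-9-]+)$"` with a matching ConstraintDescription, here and on the copy of the parameter in bbb-on-aws-frontendapps.template.yaml. `BBBSESValidated` is typed String with `AllowedValues: [ true, false ]` and the condition compares against the literal `false`, which works, but its Description should say that `true` skips creating the SES identity, DKIM and verification records entirely, since that is what the conditions in the frontend template do.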
@@ -1111,10 +1106,8 @@ Resources: Fn::GetAtt: - BBBSecurityGroupStack - Outputs.BBBScaleliteELBSecurityGroup - BBBACMCertProviderArn: - Fn::GetAtt: - - BBBACMCertStack - - Outputs.BBBACMCertProviderArn + BBBACMCertArn: + Ref: BBBACMCertArn BBBSESProviderArn: Fn::GetAtt: - BBBSESProviderStack @@ -1135,6 +1128,8 @@ Resources: Ref: BBBScalelitePollerImage BBBScaleliteImporterImage: Ref: BBBScaleliteImporterImage + BBBECRRegistry: + Ref: BBBECRRegistry BBBCacheDBAddress: Fn::GetAtt: - BBBCacheDBStack diff --git a/bbb-on-aws-param.json b/bbb-on-aws-param.json index 76bf655..cddc5c8 100755 --- a/bbb-on-aws-param.json +++ b/bbb-on-aws-param.json @@ -1,14 +1,14 @@ { "Parameters" : { - "BBBApplicationVersion": "xenial-22", - "BBBApplicationInstanceOSVersion": "xenial-16.04", + "BBBApplicationVersion": "bionic-230", + "BBBApplicationInstanceOSVersion": "bionic-18.04", "BBBTurnInstanceOSVersion": "focal-20.04", - "BBBECSInstanceType": "t3a.medium", + "BBBECSInstanceType": "fargate", "BBBApplicationInstanceType": "t3a.medium", "BBBApplicationDataVolumeSize": 50, "BBBApplicationRootVolumeSize": 20, "BBBTurnInstanceType": "t3a.micro", - "BBBDBInstanceType": "db.t3.medium", + "BBBDBInstanceType": "serverless", "BBBServerlessAuroraMinCapacity": 2, "BBBServerlessAuroraMaxCapacity": 4, "BBBCACHEDBInstanceType": "cache.t3.micro", 
@@ -27,15 +27,15 @@ "BBBTurnMinInstances": 1, "BBBTurnDesiredInstances": 1, "BBBDBName": "frontendapp", - "BBBDBEngineVersion": "12.4", + "BBBDBEngineVersion": "10.12", "BBBEnvironmentStage": "dev", "BBBEnvironmentName": "bbbonaws", "BBBEnvironmentType": "scalable", - "BBBgreenlightImage": "bigbluebutton/greenlight:release-2.7.20", - "BBBScaleliteApiImage": "blindsidenetwks/scalelite:v1.0.7-api", - "BBBScaleliteNginxImage": "blindsidenetwks/scalelite:v1.0.7-nginx", - "BBBScalelitePollerImage": "blindsidenetwks/scalelite:v1.0.7-poller", - "BBBScaleliteImporterImage": "blindsidenetwks/scalelite:v1.0.7-recording-importer", + "BBBgreenlightImage": "bigbluebutton/greenlight:v2", + "BBBScaleliteApiImage": "blindsidenetwks/scalelite:v1.1-beta.4-api", + "BBBScaleliteNginxImage": "blindsidenetwks/scalelite:v1.1-beta.4-nginx", + "BBBScalelitePollerImage": "blindsidenetwks/scalelite:v1.1-beta.4-poller", + "BBBScaleliteImporterImage": "blindsidenetwks/scalelite:v1.1-beta.4-recording-importer", "BBBCacheAZMode": "cross-az", "BBBGreenlightMemory": 1024, "BBBGreenlightCPU": 512, @@ -43,3 +43,5 @@ "BBBScaleliteCPU": 1024 } } + + diff --git a/destroy.sh b/destroy.sh index 10cafb1..c5809d6 100755 --- a/destroy.sh +++ b/destroy.sh @@ -62,6 +62,9 @@ echo "##################################################" aws cloudformation delete-stack --stack-name $BBBPREPSTACK --profile=$BBBPROFILE aws cloudformation wait stack-delete-complete --profile=$BBBPROFILE --stack-name $BBBPREPSTACK +aws cloudformation delete-stack --stack-name $BBBECRSTACK --profile=$BBBPROFILE +aws cloudformation wait stack-delete-complete --profile=$BBBPROFILE --stack-name $BBBECRSTACK + echo "##################################################" echo "Deletion done" diff --git a/setup.sh b/setup.sh index c7e0509..7f307c1 100755 --- a/setup.sh +++ b/setup.sh 
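Review bot: `bigbluebutton/greenlight:v2` and the `v1.1-beta.4-*` tags are floating or pre-release references replacing the pinned `release-2.7.20` and `v1.0.7-*` images; `v2` looks like a moving major-version alias, so each run of the new mirror step in setup.sh copies whatever Docker Hub serves under that tag at that moment into ECR, and two deployments from the same parameter file can end up running different code with no record of which. Pin to an exact release tag, or better an image digest (`bigbluebutton/greenlight@sha256:<digest placeholder>`), and bump it deliberately when Greenlight is updated. Making a `beta.4` Scalelite the default for every deployment is also worth a sentence in the Upgrade Notes of the CHANGELOG hunk.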
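Review bot: `$BBBECRSTACK` in the two new destroy.sh lines does not match the variable setup.sh assigns (`BBBECRStack="${BBBSTACK}-registry"`); unless destroy.sh defines BBBECRSTACK outside this hunk, the stack name expands to nothing and both commands fail. The repositories in that stack hold the mirrored images, and an AWS::ECR::Repository cannot be deleted while it still contains images, so even with the right name the deletion would end in DELETE_FAILED unless both repositories are emptied first (`aws ecr list-images` / `aws ecr batch-delete-image` per repository before the delete-stack call). Define `BBBECRSTACK="${BBBSTACK}-registry"` next to the other stack names and empty the repositories ahead of the deletion.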
@@ -98,11 +98,57 @@ fi echo "##################################################" echo "File Copy finished" +ENVIRONMENTTYPE=$(jq -r ".Parameters.BBBEnvironmentType" bbb-on-aws-param.json) + +if [ "$ENVIRONMENTTYPE" == 'scalable' ] +then + BBBECRStack="${BBBSTACK}-registry" + aws cloudformation deploy --profile=$BBBPROFILE --stack-name $BBBECRStack \ + --parameter-overrides $PARAMETERS \ + $(jq -r '.Parameters | to_entries | map("\(.key)=\(.value)") | join(" ")' bbb-on-aws-param.json) \ + --template ./templates/bbb-on-aws-registry.template.yaml + + GREENLIGHTREGISTRY=`aws cloudformation describe-stacks --profile=$BBBPROFILE --query "Stacks[0].Outputs[0].OutputValue" --stack-name $BBBECRStack` + GREENLIGHTREGISTRY=`echo "${GREENLIGHTREGISTRYREGISTRY//\"}"` + SCALEILITEREGISTRY=`aws cloudformation describe-stacks --profile=$BBBPROFILE --query "Stacks[0].Outputs[1].OutputValue" --stack-name $BBBECRStack` + SCALEILITEREGISTRY=`echo "${SCALEILITEREGISTRY//\"}"` + + # we will mirror the needed images from dockerhub and push towards ECR + echo "##################################################" + echo "Mirror docker images to ECR for further usage" + echo "##################################################" + + IMAGES=( BBBgreenlightImage BBBScaleliteNginxImage BBBScaleliteApiImage BBBScalelitePollerImage BBBScaleliteImporterImage ) + + ACCOUNTID=$(aws sts get-caller-identity --query Account --output text --profile=$BBBPROFILE) + REGION=$(aws configure get region --profile=$BBBPROFILE) + REGISTRY=$ACCOUNTID.dkr.ecr.$REGION.amazonaws.com + SCALEILITEREGISTRY=$ACCOUNTID.dkr.ecr.$REGION.amazonaws.com/$SCALEILITEREGISTRY + GREENLIGHTREGISTRY=$ACCOUNTID.dkr.ecr.$REGION.amazonaws.com/$GREENLIGHTREGISTRY + + aws ecr get-login-password --profile=$BBBPROFILE | docker login --username AWS --password-stdin $SCALEILITEREGISTRY + aws ecr get-login-password --profile=$BBBPROFILE | docker login --username AWS --password-stdin $GREENLIGHTREGISTRY + + for IMAGE in "${IMAGES[@]}" + do + 
IMAGE=$(jq -r ".Parameters.$IMAGE" bbb-on-aws-param.json) + docker pull $IMAGE + docker tag $IMAGE $REGISTRY/$IMAGE + docker push $REGISTRY/$IMAGE + done + + echo "##################################################" + echo "Registry Preperation finished" +else + REGISTRY="Dockerhub" +fi + # Setting the dynamic Parameters for the Deployment PARAMETERS=" BBBOperatorEMail=$OPERATOREMAIL \ BBBStackBucketStack=$BBBSTACK-Sources \ BBBDomainName=$DOMAIN \ - BBBHostedZone=$HOSTEDZONE" + BBBHostedZone=$HOSTEDZONE \ + BBBECRRegistry=$REGISTRY" # Deploy the BBB infrastructure. echo "Building the BBB Environment" @@ -116,4 +162,4 @@ aws cloudformation deploy --profile=$BBBPROFILE --stack-name $BBBSTACK \ echo "##################################################" echo "Deployment finished" -exit 0 +exit 0 \ No newline at end of file diff --git a/templates/bbb-on-aws-acmcert.template.yaml b/templates/bbb-on-aws-acmcert.template.yaml deleted file mode 100644 index 21b996c..0000000 --- a/templates/bbb-on-aws-acmcert.template.yaml +++ /dev/null 
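Review bot: The second assignment to GREENLIGHTREGISTRY expands `${GREENLIGHTREGISTRYREGISTRY//\"}`, an undefined name, so GREENLIGHTREGISTRY is emptied and the later `docker login` target ends in a bare `/`; the sibling SCALEILITEREGISTRY line is spelled consistently. Both describe-stacks calls also select outputs by position (`Outputs[0]`, `Outputs[1]`) rather than by OutputKey, the two logins point at repository paths while the push goes to the registry host `$REGISTRY`, and the registry deploy passes `--parameter-overrides $PARAMETERS` plus every key of bbb-on-aws-param.json to a template that declares no Parameters — PARAMETERS is only assigned further down in this hunk, and CloudFormation rejects overrides for parameters the template does not declare. None of the pull/tag/push steps is checked, so a failed mirror still lets the main deployment proceed against an ECR image that does not exist. Rewritten below with quoted variables, key-based output lookup, a single login against the registry host and a fail-fast mirror loop.
```shell
if [ "$ENVIRONMENTTYPE" == 'scalable' ]
then
  BBBECRStack="${BBBSTACK}-registry"
  # the registry template declares no Parameters, so no overrides are passed;
  # a re-run with nothing to change must not abort the script
  aws cloudformation deploy --profile="$BBBPROFILE" --stack-name "$BBBECRStack" \
    --no-fail-on-empty-changeset \
    --template ./templates/bbb-on-aws-registry.template.yaml || exit 1

  # look the outputs up by key; their position in the Outputs list is not guaranteed
  GREENLIGHTREGISTRY=$(aws cloudformation describe-stacks --profile="$BBBPROFILE" --stack-name "$BBBECRStack" \
    --query "Stacks[0].Outputs[?OutputKey=='BBBGreenlightRegistry'].OutputValue" --output text)
  SCALELITEREGISTRY=$(aws cloudformation describe-stacks --profile="$BBBPROFILE" --stack-name "$BBBECRStack" \
    --query "Stacks[0].Outputs[?OutputKey=='BBBScaleliteRegistry'].OutputValue" --output text)

  # … unchanged: mirror banner and IMAGES array …

  ACCOUNTID=$(aws sts get-caller-identity --query Account --output text --profile="$BBBPROFILE")
  REGION=$(aws configure get region --profile="$BBBPROFILE")
  if [ -z "$ACCOUNTID" ] || [ -z "$REGION" ]
  then
    echo "Unable to resolve account id or region for profile $BBBPROFILE" >&2
    exit 1
  fi
  REGISTRY="$ACCOUNTID.dkr.ecr.$REGION.amazonaws.com"

  # one login against the registry host covers every repository in it
  aws ecr get-login-password --profile="$BBBPROFILE" | docker login --username AWS --password-stdin "$REGISTRY" || exit 1

  for IMAGEPARAM in "${IMAGES[@]}"
  do
    IMAGE=$(jq -r ".Parameters.$IMAGEPARAM" bbb-on-aws-param.json)
    # stop on the first failed mirror instead of deploying against a missing ECR image
    docker pull "$IMAGE" && docker tag "$IMAGE" "$REGISTRY/$IMAGE" && docker push "$REGISTRY/$IMAGE" || {
      echo "Mirroring $IMAGE to $REGISTRY failed" >&2
      exit 1
    }
  done

  # … unchanged: completion banner …
else
  REGISTRY="Dockerhub"
fi
```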
@@ -1,92 +0,0 @@ ---- -AWSTemplateFormatVersion: '2010-09-09' -Description: > - - This Cloudformation Template deploys a Custom Certificate Provider with DNS validation support. - - Disclaimer: Not for production use. Demo and testing purposes only. - - Author: David Surey , Bastian Klein - -Parameters: - BBBEnvironmentStage: - Type: String - Description: Select the appropriate environment - AllowedValues: - - stage - - prod - - dev - -Resources: - BBBACMCertLambdaRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Action: sts:AssumeRole - Effect: Allow - Principal: - Service: lambda.amazonaws.com - Policies: - - PolicyName: CFNCertificateDomainResourceRecordProvider - PolicyDocument: - Version: '2012-10-17' - Statement: - - Action: - - acm:RequestCertificate - - acm:DescribeCertificate - - acm:UpdateCertificateOptions - - acm:DeleteCertificate - Effect: Allow - Resource: "*" - - Effect: Allow - Action: - - lambda:InvokeFunction - Resource: - - !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-cert-provider' - ManagedPolicyArns: - - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole - - BBBACMCertProviderLogGroup: - Type: AWS::Logs::LogGroup - Properties: - RetentionInDays: 7 - LogGroupName: !Join ["", ["/", !Ref "AWS::StackName", "/", !Ref BBBACMCertProvider]] - - BBBACMCertProvider: - Type: AWS::Lambda::Function - Properties: - FunctionName: !Sub ${AWS::StackName}-cert-provider - Description: CFN Certificate Domain Resource Record Provider - Code: - S3Bucket: !Sub "binxio-public-${AWS::Region}" - S3Key: lambdas/cfn-certificate-provider-0.2.5.zip - Handler: provider.handler - MemorySize: 128 - Role: !Sub ${BBBACMCertLambdaRole.Arn} - Runtime: python3.6 - Timeout: 300 - -Outputs: - BBBACMCertProvider: - Description: Name of the Certificate Provider - Value: - Ref: BBBACMCertProvider - BBBACMCertProviderLogGroup: - Description: Name of the Certificate Provider 
Log Group - Value: - Ref: BBBACMCertProviderLogGroup - BBBACMCertLambdaRole: - Description: Name of the Certificate Provider Lambda Role - Value: - Ref: BBBACMCertLambdaRole - BBBACMCertProviderArn: - Description: The Arn of the ACM Custom Resource Lambda Function - Value: !Sub ${BBBACMCertProvider.Arn} - - - - - - diff --git a/templates/bbb-on-aws-amifinder.template.yaml b/templates/bbb-on-aws-amifinder.template.yaml index 87af00d..57cb8e7 100644 --- a/templates/bbb-on-aws-amifinder.template.yaml +++ b/templates/bbb-on-aws-amifinder.template.yaml @@ -18,7 +18,7 @@ Parameters: - focal-20.04 BBBApplicationInstanceOSVersion: Description: Ubuntu Version to be deployed for Application Instances - Default: xenial-16.04 + Default: bionic-18.04 Type: String AllowedValues: - xenial-16.04 diff --git a/templates/bbb-on-aws-bbbappscalable.template.yaml b/templates/bbb-on-aws-bbbappscalable.template.yaml index b0014ed..ddd8a12 100644 --- a/templates/bbb-on-aws-bbbappscalable.template.yaml +++ b/templates/bbb-on-aws-bbbappscalable.template.yaml @@ -12,7 +12,7 @@ Parameters: BBBApplicationVersion: Description: Database engine version for Aurora PostgreSQL Type: String - Default: xenial-22 + Default: bionic-230 BBBOperatorEMail: Description: E-Mail address to notify if there are any operational issues Type: String @@ -199,6 +199,7 @@ Resources: BBBApplicationEC2Role: Type: AWS::IAM::Role Properties: + RoleName: BBBApplicationEC2Role AssumeRolePolicyDocument: Statement: - Effect: Allow @@ -341,7 +342,7 @@ Resources: systemctl start route53-handler mkdir -p /mnt/bbb-recordings - echo "${BBBSharedStorageFS}: /mnt/bbb-recordings efs defaults,tls,accesspoint=${BBBSharedStorageAPspool},rw 0 0" >> /etc/fstab + echo "${BBBSharedStorageFS}: /mnt/bbb-recordings efs defaults,tls,iam,accesspoint=${BBBSharedStorageAPspool},rw 0 0" >> /etc/fstab mkdir -p /var/bigbluebutton 
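Review bot: `RoleName: BBBApplicationEC2Role` pins a fixed, account-wide name on the instance role, so a second deployment of this template in the same account and region (another BBBEnvironmentName or stage) fails with an EntityAlreadyExists error, and the stack now needs CAPABILITY_NAMED_IAM, which the deploy call in setup.sh may or may not already pass; the same line is added to BBBApplicationEC2Role in bbb-on-aws-bbbappsingle.template.yaml. Nothing in the hunk reads the name, and the EFS file-system policy added in bbb-on-aws-storage.template.yaml matches on the role's `Name` tag, not on the role name. Drop the line, or if a predictable name is wanted derive it from the stack, e.g. `RoleName: !Sub "${AWS::StackName}-ec2"`, keeping the 64-character IAM limit in mind. The role definition continues outside the hunk.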
@@ -362,7 +363,6 @@ Resources: echo "$UUID /var/bigbluebutton ext4 defaults,nofail 0 2" >> /etc/fstab mount -a - turn_hostname=$(aws ssm get-parameter --region ${AWS::Region} --name "${BBBTurnHostnameParameter}" --with-decryption --output text --query Parameter.Value) turn_fqdn=$turn_hostname.${BBBDomainName} turnsecret=$(aws secretsmanager get-secret-value --region ${AWS::Region} --secret-id ${BBBTurnSecret} --query SecretString --output text | jq -r .turnkeyvalue) @@ -377,7 +377,7 @@ Resources: done wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -v ${BBBApplicationVersion} -s $instance_fqdn -e ${BBBOperatorEMail} -c $turn_fqdn:$turnsecret - + groupadd -g 2000 scalelite-spool usermod -a -G scalelite-spool bigbluebutton @@ -390,8 +390,13 @@ Resources: aws s3 cp s3://${BBBStackBucketStack}/scalelite-handler.sh /usr/local/bin/scalelite-handler.sh chmod +x /usr/local/bin/scalelite-handler.sh - SERVER="$(bbb-conf --secret | head -2 | tail -1 | sed -r 's/.*URL: //g')api" - SECRET=$(bbb-conf --secret | head -3 | tail -1 | sed -r 's/.*Secret: //g') + if [[ ${BBBApplicationVersion} == *"23"* ]]; then + SERVER="$(bbb-conf --secret | head -3 | tail -1 | sed -r 's/.*URL: //g')api" + SECRET=$(bbb-conf --secret | head -4 | tail -1 | sed -r 's/.*Secret: //g') + else + SERVER="$(bbb-conf --secret | head -2 | tail -1 | sed -r 's/.*URL: //g')api" + SECRET=$(bbb-conf --secret | head -3 | tail -1 | sed -r 's/.*Secret: //g') + fi sed -i "s/SECRET_PLACEHOLDER/$SECRET/g" /etc/systemd/system/scalelite-handler.service sed -i "s|SERVER_PLACEHOLDER|$SERVER|g" /etc/systemd/system/scalelite-handler.service diff --git a/templates/bbb-on-aws-bbbappsingle.template.yaml b/templates/bbb-on-aws-bbbappsingle.template.yaml index 43d9d68..78188d8 100644 --- a/templates/bbb-on-aws-bbbappsingle.template.yaml +++ b/templates/bbb-on-aws-bbbappsingle.template.yaml 
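Review bot: The new branch picks the `bbb-conf --secret` lines to parse by position and decides which layout to expect with `[[ ${BBBApplicationVersion} == *"23"* ]]`, a substring test that also matches unrelated version strings and breaks again for the next release that shifts the output. Parse by label instead and the version switch disappears: `SERVER="$(bbb-conf --secret | sed -n 's/^.*URL: //p' | head -n1)api"` and `SECRET=$(bbb-conf --secret | sed -n 's/^.*Secret: //p' | head -n1)`. The secret is then written in clear into /etc/systemd/system/scalelite-handler.service by the two sed -i lines that follow; if that file keeps the permissions it was copied with it is likely readable by every local account, so a `chmod 600` on it (or moving the secret into an EnvironmentFile with that mode) is worth adding. The UserData script this sits in starts and ends outside the hunk.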
@@ -12,7 +12,7 @@ Parameters: BBBApplicationVersion: Description: Database engine version for Aurora PostgreSQL Type: String - Default: xenial-22 + Default: bionic-230 BBBOperatorEMail: Description: E-Mail address to notify if there are any operational issues Type: String @@ -182,6 +182,7 @@ Resources: BBBApplicationEC2Role: Type: AWS::IAM::Role Properties: + RoleName: BBBApplicationEC2Role AssumeRolePolicyDocument: Statement: - Effect: Allow diff --git a/templates/bbb-on-aws-database.template.yaml b/templates/bbb-on-aws-database.template.yaml index f2966d5..621adff 100755 --- a/templates/bbb-on-aws-database.template.yaml +++ b/templates/bbb-on-aws-database.template.yaml @@ -38,6 +38,7 @@ Parameters: - db.r4.4xlarge - db.r4.8xlarge - db.r4.16xlarge + - db.t3.micro - db.t3.small - db.t3.medium - db.t3.large @@ -129,7 +130,7 @@ Resources: DBSubnetGroupName: Ref: BBBDBSubnetGroup DBClusterParameterGroupName: - Ref: "BBBRDSDBClusterParameterGroupPostgres12" + Ref: "BBBRDSDBClusterParameterGroupPostgres" VpcSecurityGroupIds: - Ref: BBBDBSecurityGroup ScalingConfiguration: @@ -156,7 +157,7 @@ Resources: DBClusterIdentifier: Ref: BBBRDSCluster DBParameterGroupName: - Ref: "BBBRDSDBParameterGroupPostgres12" + Ref: BBBRDSDBParameterGroupPostgres AvailabilityZone: Fn::Select: - '0' @@ -187,11 +188,11 @@ Resources: DBInstanceClass: Ref: BBBDBInstanceType - BBBRDSDBParameterGroupPostgres12: + BBBRDSDBParameterGroupPostgres: Type: AWS::RDS::DBParameterGroup Properties: Description: Aurora PG 12 Database Instance Parameter Group for Cloudformation Stack - Family: aurora-postgresql12 + Family: !If [ BBBServerlessAurora, aurora-postgresql10, aurora-postgresql12 ] Parameters: shared_preload_libraries: auto_explain,pg_stat_statements,pg_hint_plan,pgaudit log_statement: "ddl" 
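Review bot: `Family: !If [ BBBServerlessAurora, aurora-postgresql10, aurora-postgresql12 ]` couples the parameter-group family to whether the cluster is serverless instead of to the engine version the cluster is created with (bbb-on-aws-param.json now sets BBBDBEngineVersion to 10.12 alongside serverless, but nothing enforces that pairing); a provisioned cluster left on 10.x, or a serverless one moved to a later major, fails with a family/engine mismatch. Derive the family from the version instead, assuming BBBDBEngineVersion is a parameter of this template: `Family: !Sub [ "aurora-postgresql${Major}", { Major: !Select [ 0, !Split [ ".", !Ref BBBDBEngineVersion ] ] } ]`. The same expression belongs on BBBRDSDBClusterParameterGroupPostgres in the next hunk, and the Description on this resource still says "Aurora PG 12".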
@@ -210,11 +211,11 @@ Resources: statement_timeout: 7200000 search_path: '"$user",public' - BBBRDSDBClusterParameterGroupPostgres12: + BBBRDSDBClusterParameterGroupPostgres: Type: AWS::RDS::DBClusterParameterGroup Properties: - Description: CloudFormation Sample Aurora Cluster PG 12 Parameter Group - Family: aurora-postgresql12 + Description: CloudFormation Sample Aurora Cluster PG Parameter Group + Family: !If [ BBBServerlessAurora, aurora-postgresql10, aurora-postgresql12 ] Parameters: timezone: Europe/Berlin @@ -377,7 +378,7 @@ Outputs: BBBRDSDBClusterParameterGroup: Description: The Big Blue Button DB Cluster Parameter Group Value: - Ref: "BBBRDSDBClusterParameterGroupPostgres12" + Ref: "BBBRDSDBClusterParameterGroupPostgres" BBBDBSubnetGroup: Description: The Big Blue Button DB Subnet Group Value: @@ -399,4 +400,4 @@ Outputs: BBBRDSDBParameterGroup: Description: The Big Blue Button DB Parameter Group Value: - Ref: "BBBRDSDBParameterGroupPostgres12" + Ref: "BBBRDSDBParameterGroupPostgres" diff --git a/templates/bbb-on-aws-frontendapps.template.yaml b/templates/bbb-on-aws-frontendapps.template.yaml index 3997474..6eda923 100644 --- a/templates/bbb-on-aws-frontendapps.template.yaml +++ b/templates/bbb-on-aws-frontendapps.template.yaml @@ -72,6 +72,10 @@ Parameters: Description: Scalelite Importer docker image identifier Type: String Default: "blindsidenetwks/scalelite:v1-recording-importer" + BBBECRRegistry: + Description: ECR Registry to be used. + Type: String + Default: "" BBBCacheDBAddress: Description: Amazon ElastiCache Cluster address Type: String @@ -97,9 +101,6 @@ Parameters: Description: CPU constraints for Scalelite Fargate Task Type: Number Default: 1024 - BBBACMCertProviderArn: - Description: ARN of the custom certificate provider - Type: String BBBSESProviderArn: Description: ARN of the custom SES provider Type: String 
@@ -163,15 +164,27 @@ Parameters: BBBApplicationLogsGroup: Description: Log group to be used for the Application logs Type: String + BBBSESValidated: + Description: If the SES Domain is already validated manually we do not need the automation + Type: String + Default: false + AllowedValues: [ true, false ] + BBBACMCertArn: + Description: Set this parameter if you want to reuse an existing ACM certificate for your deployment + Type: String + Default: "AWS::NoValue" Conditions: BBBSESRegionSet: !Not [ !Equals [ !Ref BBBSesRegion, "AWS::NoValue" ] ] BBBECSFargate: !Equals [ !Ref BBBECSInstanceType, fargate ] BBBECSEC2: !Not [ !Equals [ !Ref BBBECSInstanceType, fargate ] ] + BBBSESNotValidated: !Equals [ false, !Ref BBBSESValidated ] + BBBACMNewCert: !Equals [ !Ref BBBACMCertArn, "AWS::NoValue" ] Resources: BBBSESDomainIdentity: Type: Custom::DomainIdentity + Condition: BBBSESNotValidated Properties: Domain: !Ref BBBDomainName Region: !If [ BBBSESRegionSet, !Ref BBBSesRegion, !Ref "AWS::Region" ] @@ -183,6 +196,7 @@ Resources: BBBSESVerifiedIdentity: Type: Custom::VerifiedIdentity + Condition: BBBSESNotValidated DependsOn: - BBBSESDkimRecords - BBBSESVerificationRecords @@ -194,6 +208,7 @@ Resources: BBBSESVerificationRecords: Type: AWS::Route53::RecordSetGroup + Condition: BBBSESNotValidated Properties: Comment: !Sub 'SES identity for ${BBBDomainName}' HostedZoneId: !Ref BBBHostedZone @@ -201,6 +216,7 @@ Resources: BBBSESDkimTokens: Type: Custom::DkimTokens + Condition: BBBSESNotValidated Properties: Domain: !GetAtt 'BBBSESDomainIdentity.Domain' Region: !GetAtt 'BBBSESDomainIdentity.Region' @@ -208,6 +224,7 @@ Resources: BBBSESDkimRecords: Type: AWS::Route53::RecordSetGroup + Condition: BBBSESNotValidated Properties: Comment: !Sub 'DKIM records for ${BBBDomainName}' HostedZoneId: !Ref BBBHostedZone 
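Review bot: `BBBACMNewCert: !Equals [ !Ref BBBACMCertArn, "AWS::NoValue" ]` treats only the literal sentinel as "no certificate supplied"; an operator who leaves the value empty — the natural way to unset a key in bbb-on-aws-param.json, which setup.sh expands into parameter overrides — gets the condition false, no certificate resource, and two listeners referencing an empty CertificateArn. Widen it to `BBBACMNewCert: !Or [ !Equals [ !Ref BBBACMCertArn, "AWS::NoValue" ], !Equals [ !Ref BBBACMCertArn, "" ] ]`. The SES resources gated on BBBSESNotValidated all sit in this and the following hunks; any resource outside this diff that still references BBBSESVerifiedIdentity would need the same Condition, which cannot be checked from here.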
@@ -215,6 +232,7 @@ Resources: BBBSESIdentityNotifications: Type: Custom::IdentityNotifications + Condition: BBBSESNotValidated Properties: Identity: !GetAtt BBBSESVerifiedIdentity.Identity Region: !GetAtt BBBSESVerifiedIdentity.Region @@ -317,6 +335,16 @@ Resources: - !Ref BBBApplicationBaseSecret - !Ref BBBLoadbalancerSecret + BBBScaleliteRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: ecs-tasks.amazonaws.com + Action: 'sts:AssumeRole' + BBBGreenlightTaskExecutionRole: Type: AWS::IAM::Role Properties: @@ -345,6 +373,16 @@ Resources: - !Ref BBBAdministratorlogin - !Ref BBBLoadbalancerSecret + BBBGreenlightTaskRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: ecs-tasks.amazonaws.com + Action: 'sts:AssumeRole' + BBBAutoscalingRole: Type: AWS::IAM::Role Properties: 
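Review bot: BBBScaleliteRole carries only an AssumeRolePolicyDocument — no Policies and no Tags — yet it becomes the TaskRoleArn of the Scalelite task whose EFS volumes are mounted with `IAM: ENABLED` in the volume hunk further down. With IAM authorization on, access is decided by the role's identity policy and by the file-system policy added in bbb-on-aws-storage.template.yaml, which grants only to principals whose `Name` tag matches `*BBBFrontendApplicationStack*`; unless stack-level tags propagate such a tag onto this role, which the diff does not show, the mount is denied. Give the role an explicit least-privilege policy on the file system (and, while the tag-based policy stays, an explicit Name tag) as below; BBBGreenlightTaskRole in the next hunk has the same shape but, as far as the diff shows, needs no permissions at all.
```yaml
  BBBScaleliteRole:
    Type: AWS::IAM::Role
    Properties:
      # … unchanged: AssumeRolePolicyDocument for ecs-tasks.amazonaws.com …
      Tags:
        - Key: Name
          Value: !Sub "BBBFrontendApplicationStack-${AWS::StackName}"
      Policies:
        - PolicyName: BBBScaleliteSharedStorageAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - elasticfilesystem:ClientMount
                  - elasticfilesystem:ClientWrite
                Resource: !Sub "arn:aws:elasticfilesystem:${AWS::Region}:${AWS::AccountId}:file-system/${BBBSharedStorageFS}"
```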
@@ -371,38 +409,19 @@ Resources: - !Ref BBBScaleliteService - !Sub "arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:*" - BBBPublicCertificate: - Type: Custom::Certificate + BBBPublicCertificate: + Condition: BBBACMNewCert + Type: 'AWS::CertificateManager::Certificate' Properties: - DomainName: !Sub "*.${BBBDomainName}" ValidationMethod: DNS - ServiceToken: !Ref BBBACMCertProviderArn - - BBBPublicIssuedCertificate: - Type: Custom::IssuedCertificate - Properties: - CertificateArn: !Ref BBBPublicCertificate - ServiceToken: !Ref BBBACMCertProviderArn - - BBBPublicCertificateDNSRecord: - Type: Custom::CertificateDNSRecord - Properties: - CertificateArn: !Ref BBBPublicCertificate DomainName: !Sub "*.${BBBDomainName}" - ServiceToken: !Ref BBBACMCertProviderArn - - BBBPublicDomainValidationRecord: - Type: AWS::Route53::RecordSetGroup - Properties: - HostedZoneId: !Ref BBBHostedZone - RecordSets: - - Name: !GetAtt BBBPublicCertificateDNSRecord.Name - Type: !GetAtt BBBPublicCertificateDNSRecord.Type - TTL: 60 - Weight: 1 - SetIdentifier: !Ref BBBPublicCertificate - ResourceRecords: - - !GetAtt BBBPublicCertificateDNSRecord.Value + SubjectAlternativeNames: + - !Ref BBBDomainName + - !Sub "*.${BBBDomainName}" + DomainValidationOptions: + - DomainName: !Ref BBBDomainName + HostedZoneId: !Ref BBBHostedZone + ValidationMethod: DNS BBBFrontendALB: Type: AWS::ElasticLoadBalancingV2::LoadBalancer @@ -417,9 +436,6 @@ Resources: BBBFrontendALBListener: Type: AWS::ElasticLoadBalancingV2::Listener - DependsOn: - - BBBPublicIssuedCertificate - - BBBPublicDomainValidationRecord Properties: DefaultActions: - Type: redirect @@ -430,7 +446,7 @@ Resources: Port: 443 Protocol: HTTPS Certificates: - - CertificateArn: !Ref BBBPublicCertificate + - CertificateArn: !If [ BBBACMNewCert, !Ref BBBPublicCertificate, !Ref BBBACMCertArn ] BBBFrontendALBListenerRule: Type: AWS::ElasticLoadBalancingV2::ListenerRule 
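Review bot: `ValidationMethod: DNS` appears twice in the rewritten BBBPublicCertificate: once as the kept top-level property and again as the last added line after the `DomainValidationOptions` entry. Depending on its indentation that second line is either a duplicate mapping key or an unsupported property of DomainValidationOption, which only takes DomainName, HostedZoneId and ValidationDomain; remove the trailing one. The resource also keeps DomainName `*.${BBBDomainName}` while the single validation option names the apex; ACM uses the same validation record for a name and its wildcard, so this should work, but a one-line comment saying the apex entry intentionally covers both names would save the next reader the lookup.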
@@ -512,9 +528,6 @@ Resources: BBBScaleliteALBListener: Type: AWS::ElasticLoadBalancingV2::Listener - DependsOn: - - BBBPublicIssuedCertificate - - BBBPublicDomainValidationRecord Properties: DefaultActions: - Type: forward @@ -523,7 +536,7 @@ Resources: Port: 443 Protocol: HTTPS Certificates: - - CertificateArn: !Ref BBBPublicCertificate + - CertificateArn: !If [ BBBACMNewCert, !Ref BBBPublicCertificate, !Ref BBBACMCertArn ] BBBScaleliteALBListenerRule: Type: AWS::ElasticLoadBalancingV2::ListenerRule @@ -562,6 +575,7 @@ Resources: NetworkMode: !If [ BBBECSFargate, awsvpc, !Ref "AWS::NoValue" ] Memory: !Ref BBBGreenlightMemory Cpu: !Ref BBBGreenlightCPU + TaskRoleArn: !Ref BBBGreenlightTaskRole RequiresCompatibilities: !If - BBBECSFargate @@ -570,7 +584,11 @@ Resources: ContainerDefinitions: - Name: greenlight Essential: true - Image: !Ref BBBgreenlightImage + Image: + !Join + - '/' + - - !Ref BBBECRRegistry + - !Ref BBBgreenlightImage LogConfiguration: LogDriver: awslogs Options: @@ -699,6 +717,7 @@ Resources: NetworkMode: !If [ BBBECSFargate, awsvpc, !Ref "AWS::NoValue" ] Memory: !Ref BBBScaleliteMemory Cpu: !Ref BBBScaleliteCPU + TaskRoleArn: !Ref BBBScaleliteRole RequiresCompatibilities: !If - BBBECSFargate 
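Review bot: `!Join [ '/', [ !Ref BBBECRRegistry, !Ref BBBgreenlightImage ] ]` has no fallback for an unset registry: with the parameter's default `""` (master and frontendapps parameter hunks) the image becomes `/bigbluebutton/greenlight:v2`, and with the `Dockerhub` placeholder setup.sh passes for non-scalable runs it becomes `Dockerhub/bigbluebutton/greenlight:v2` — neither is a valid image reference, and presumably the frontend stack is simply not deployed in that mode, but the template should not rely on it. Add `BBBUseECR: !Not [ !Equals [ !Ref BBBECRRegistry, "" ] ]` to Conditions and write `Image: !If [ BBBUseECR, !Join [ "/", [ !Ref BBBECRRegistry, !Ref BBBgreenlightImage ] ], !Ref BBBgreenlightImage ]`, with setup.sh passing an empty string instead of `Dockerhub`. The same Join is added for the Scalelite importer, poller, nginx, api and handle-server images in the following hunks of this file.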
@@ -706,33 +725,41 @@ Resources: - !Ref "AWS::NoValue" Volumes: - Name: !Join [ "", [ scalelite-recordings-volume-spool, !Ref BBBEnvironmentStage ] ] - efsVolumeConfiguration: - fileSystemId: !Ref BBBSharedStorageFS - transitEncryption: ENABLED + EFSVolumeConfiguration: + FilesystemId: !Ref BBBSharedStorageFS + TransitEncryption: ENABLED AuthorizationConfig: AccessPointId: !Ref BBBSharedStorageAPspool + IAM: ENABLED - Name: !Join [ "", [ scalelite-recordings-volume-published, !Ref BBBEnvironmentStage ] ] - efsVolumeConfiguration: - fileSystemId: !Ref BBBSharedStorageFS - transitEncryption: ENABLED + EFSVolumeConfiguration: + FilesystemId: !Ref BBBSharedStorageFS + TransitEncryption: ENABLED AuthorizationConfig: AccessPointId: !Ref BBBSharedStorageAPpublished + IAM: ENABLED - Name: !Join [ "", [ scalelite-recordings-volume-unpublished, !Ref BBBEnvironmentStage ] ] - efsVolumeConfiguration: - fileSystemId: !Ref BBBSharedStorageFS - transitEncryption: ENABLED + EFSVolumeConfiguration: + FilesystemId: !Ref BBBSharedStorageFS + TransitEncryption: ENABLED AuthorizationConfig: AccessPointId: !Ref BBBSharedStorageAPunpublished + IAM: ENABLED - Name: !Join [ "", [ scalelite-recordings-volume-recordings, !Ref BBBEnvironmentStage ] ] - efsVolumeConfiguration: - fileSystemId: !Ref BBBSharedStorageFS - transitEncryption: ENABLED + EFSVolumeConfiguration: + FilesystemId: !Ref BBBSharedStorageFS + TransitEncryption: ENABLED AuthorizationConfig: AccessPointId: !Ref BBBSharedStorageAPrecordings + IAM: ENABLED ContainerDefinitions: - Name: scalelite-importer Essential: true - Image: !Ref BBBScaleliteImporterImage + Image: + !Join + - '/' + - - !Ref BBBECRRegistry + - !Ref BBBScaleliteImporterImage MountPoints: - ContainerPath: /var/bigbluebutton/spool SourceVolume: !Join [ "", [ scalelite-recordings-volume-spool, !Ref BBBEnvironmentStage ] ] 
@@ -740,7 +767,7 @@ Resources: SourceVolume: !Join [ "", [ scalelite-recordings-volume-published, !Ref BBBEnvironmentStage ] ] - ContainerPath: /var/bigbluebutton/unpublished SourceVolume: !Join [ "", [ scalelite-recordings-volume-unpublished, !Ref BBBEnvironmentStage ] ] - - ContainerPath: /var/bigbluebutton/recordings + - ContainerPath: /var/bigbluebutton/recording/scalelite SourceVolume: !Join [ "", [ scalelite-recordings-volume-recordings, !Ref BBBEnvironmentStage ] ] LogConfiguration: LogDriver: awslogs @@ -769,9 +796,14 @@ Resources: Value: 'true' - Name: NGINX_BEHIND_PROXY Value: 'true' + - Name: scalelite-poller Essential: true - Image: !Ref BBBScalelitePollerImage + Image: + !Join + - '/' + - - !Ref BBBECRRegistry + - !Ref BBBScalelitePollerImage LogConfiguration: LogDriver: awslogs Options: @@ -804,7 +836,11 @@ Resources: DependsOn: - ContainerName: scalelite-importer Condition: START - Image: !Ref BBBScaleliteNginxImage + Image: + !Join + - '/' + - - !Ref BBBECRRegistry + - !Ref BBBScaleliteNginxImage EntryPoint: !If - BBBECSFargate @@ -814,7 +850,7 @@ Resources: Command: !If - BBBECSFargate - - - "/bin/sh -c \"sed -i 's/scalelite-api/localhost/g' /etc/nginx/conf.d/scalelite.common && /etc/nginx/start -g daemon off\"" + - - "/bin/sh -c \"sed -i 's/scalelite-api/127.0.0.1/g' /etc/nginx/conf.d/scalelite-proxy.template && /etc/nginx/start -g daemon off\"" - !Ref "AWS::NoValue" Links: !If @@ -828,7 +864,7 @@ Resources: SourceVolume: !Join [ "", [ scalelite-recordings-volume-published, !Ref BBBEnvironmentStage ] ] - ContainerPath: /var/bigbluebutton/unpublished SourceVolume: !Join [ "", [ scalelite-recordings-volume-unpublished, !Ref BBBEnvironmentStage ] ] - - ContainerPath: /var/bigbluebutton/recordings + - ContainerPath: /var/bigbluebutton/recording/scalelite SourceVolume: !Join [ "", [ scalelite-recordings-volume-recordings, !Ref BBBEnvironmentStage ] ] LogConfiguration: LogDriver: awslogs 
@@ -863,7 +899,11 @@ Resources: Value: !Sub scalelite.${BBBDomainName} - Name: scalelite-api Essential: true - Image: !Ref BBBScaleliteApiImage + Image: + !Join + - '/' + - - !Ref BBBECRRegistry + - !Ref BBBScaleliteApiImage MountPoints: - ContainerPath: /var/bigbluebutton/spool SourceVolume: !Join [ "", [ scalelite-recordings-volume-spool, !Ref BBBEnvironmentStage ] ] @@ -871,7 +911,7 @@ Resources: SourceVolume: !Join [ "", [ scalelite-recordings-volume-published, !Ref BBBEnvironmentStage ] ] - ContainerPath: /var/bigbluebutton/unpublished SourceVolume: !Join [ "", [ scalelite-recordings-volume-unpublished, !Ref BBBEnvironmentStage ] ] - - ContainerPath: /var/bigbluebutton/recordings + - ContainerPath: /var/bigbluebutton/recording/scalelite SourceVolume: !Join [ "", [ scalelite-recordings-volume-recordings, !Ref BBBEnvironmentStage ] ] LogConfiguration: LogDriver: awslogs @@ -921,7 +961,11 @@ Resources: ContainerDefinitions: - Name: scalelite-handle-server Essential: true - Image: !Ref BBBScaleliteApiImage + Image: + !Join + - '/' + - - !Ref BBBECRRegistry + - !Ref BBBScaleliteApiImage LogConfiguration: LogDriver: awslogs Options: @@ -1029,6 +1073,7 @@ Outputs: Value: !Ref BBBAutoscalingRole BBBPublicCertificate: Description: SSL Cert for the Frontend + Condition: BBBACMNewCert Value: !Ref BBBPublicCertificate BBBFrontendALB: Description: Frontend Application Load Balancer diff --git a/templates/bbb-on-aws-registry.template.yaml b/templates/bbb-on-aws-registry.template.yaml new file mode 100644 index 0000000..17f4b02 --- /dev/null +++ b/templates/bbb-on-aws-registry.template.yaml 
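Review bot: Making the `BBBPublicCertificate` output conditional on `BBBACMNewCert` (hunk -1029) means the output does not exist when an existing ACM certificate ARN is supplied, so any parent or nested stack that reads it with an unconditional `!GetAtt` on `Outputs.BBBPublicCertificate` will fail at deploy time; those consumers are outside this diff, so please confirm they are guarded by the same condition or switched to the ARN parameter. A one-line comment on the output such as `# absent when an existing ACM certificate ARN is passed in; consumers must use the same condition` would record that contract.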
@@ -0,0 +1,31 @@
+---
+AWSTemplateFormatVersion: '2010-09-09'
+Description: >
+
+ This Cloudformation Template deploys the registry to handle the BigBlueButton container deployment. The Template deploys an ECR
+ registry for images to be pulled.
+
+ Disclaimer: Not for production use. Demo and testing purposes only.
+
+ Author: David Surey , Bastian Klein
+Resources:
+
+ BBBScaleliteRegistry:
+ Type: AWS::ECR::Repository
+ Properties:
+ RepositoryName: blindsidenetwks/scalelite
+
+ BBBGreenlightRegistry:
+ Type: AWS::ECR::Repository
+ Properties:
+ RepositoryName: bigbluebutton/greenlight
+
+Outputs:
+ BBBGreenlightRegistry:
+ Description: Registry name for the ECR registry holding Greenlight and Scalelite Images
+ Value:
+ Ref: BBBGreenlightRegistry
+ BBBScaleliteRegistry:
+ Description: Registry name for the ECR registry holding Greenlight and Scalelite Images
+ Value:
+ Ref: BBBScaleliteRegistry
\ No newline at end of file
diff --git a/templates/bbb-on-aws-storage.template.yaml b/templates/bbb-on-aws-storage.template.yaml
index c4a5816..cba0f50 100644
--- a/templates/bbb-on-aws-storage.template.yaml
+++ b/templates/bbb-on-aws-storage.template.yaml
@@ -40,7 +40,28 @@ Resources:
 Type: AWS::EFS::FileSystem
 Properties:
 Encrypted: true
-
+ FileSystemPolicy:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: "Allow"
+ Action:
+ - "elasticfilesystem:ClientMount"
+ - "elasticfilesystem:ClientWrite"
+ Principal:
+ AWS: "*"
+ Condition:
+ StringLike:
+ aws:PrincipalTag/Name: "*BBBFrontendApplicationStack*"
+ - Effect: "Allow"
+ Action:
+ - "elasticfilesystem:ClientMount"
+ - "elasticfilesystem:ClientWrite"
+ Principal:
+ AWS: "*"
+ Condition:
+ StringLike:
+ aws:PrincipalTag/Name: "*BBBApplicationStack*"
+
 BBBSharedStorageMountTarget1:
 Type: AWS::EFS::MountTarget
 Properties:
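Review bot: The two `AWS::ECR::Repository` resources are created with defaults, so mirrored images are neither scanned nor protected against tag overwrite, which matters because these repositories now become the trusted source for the Scalelite and Greenlight images that ECS pulls. Adding `ImageScanningConfiguration:` with `ScanOnPush: true` to both repositories is free, and `ImageTagMutability: IMMUTABLE` is worth considering if the mirror workflow does not re-push the same tag. The two output descriptions are an identical copy-paste; `BBBGreenlightRegistry` should read `Registry name for the ECR repository holding the Greenlight image` and `BBBScaleliteRegistry` the Scalelite equivalent. The file also lacks a trailing newline.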
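Review bot: The new `FileSystemPolicy` grants `ClientMount`/`ClientWrite` to `Principal: AWS: "*"` with only an `aws:PrincipalTag/Name` `StringLike` condition and nothing scoping it to this account, so any principal whose `Name` tag contains `BBBApplicationStack` or `BBBFrontendApplicationStack` qualifies, and a tag is far easier to obtain than a specific role: whoever holds `iam:TagRole` can grant a role mount access by tagging it. Since the task definitions in this same diff now mount with `IAM: ENABLED`, the intent is to authorize specific task roles, which is expressed more tightly by conditioning on `aws:PrincipalArn` with the task role ARNs (`<task-role-arn>` placeholder) or, at minimum, adding an `aws:PrincipalAccount` condition, rather than a wildcard principal with a tag match. `TransitEncryption: ENABLED` on the ECS side is a client choice the file system does not enforce; a `Deny` statement conditioned on `Bool: aws:SecureTransport: "false"` would make encryption in transit mandatory for every client, and the policy rightly does not grant `elasticfilesystem:ClientRootAccess`, which is worth keeping. The removed line at the top of the hunk appears to have been trailing whitespace only.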
@@ -76,12 +97,12 @@ Resources:
 FileSystemId: !Ref BBBSharedStorageFS
 PosixUser:
 Uid: "1000"
- Gid: "1000"
+ Gid: "2000"
 RootDirectory:
 CreationInfo:
 OwnerGid: "1000"
- OwnerUid: "1000"
- Permissions: "0775"
+ OwnerUid: "2000"
+ Permissions: "0777"
 Path: "/spool"
 
 BBBSharedStorageAPpublished:
@@ -90,12 +111,12 @@ Resources:
 FileSystemId: !Ref BBBSharedStorageFS
 PosixUser:
 Uid: "1000"
- Gid: "1000"
+ Gid: "2000"
 RootDirectory:
 CreationInfo:
 OwnerGid: "1000"
- OwnerUid: "1000"
- Permissions: "0775"
+ OwnerUid: "2000"
+ Permissions: "0777"
 Path: "/published"
 
 BBBSharedStorageAPunpublished:
@@ -104,12 +125,12 @@ Resources:
 FileSystemId: !Ref BBBSharedStorageFS
 PosixUser:
 Uid: "1000"
- Gid: "1000"
+ Gid: "2000"
 RootDirectory:
 CreationInfo:
 OwnerGid: "1000"
- OwnerUid: "1000"
- Permissions: "0775"
+ OwnerUid: "2000"
+ Permissions: "0777"
 Path: "/unpublished"
 
 BBBSharedStorageAPrecordings:
@@ -118,12 +139,12 @@ Resources:
 FileSystemId: !Ref BBBSharedStorageFS
 PosixUser:
 Uid: "1000"
- Gid: "1000"
+ Gid: "2000"
 RootDirectory:
 CreationInfo:
 OwnerGid: "1000"
- OwnerUid: "1000"
- Permissions: "0775"
+ OwnerUid: "2000"
+ Permissions: "0777"
 Path: "/recordings"
 
 Outputs:
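Review bot: All four access points (hunks -76, -90, -104, -118) now create their root directory with `Permissions: "0777"`, and that looks like a workaround for the owner fields no longer matching the enforced POSIX identity: `PosixUser` is `Uid 1000 / Gid 2000` while `CreationInfo` ends up `OwnerUid 2000 / OwnerGid 1000`, so the enforced user is neither owner nor group and needs the `other` bits to write. Aligning the owner with the enforced user — `OwnerGid: "2000"` and `OwnerUid: "1000"` — lets the directories go back to `Permissions: "0775"`, and world-writable roots still matter for any client that mounts the file system without an access point, where no POSIX user is enforced. If the differing uid/gid is intentional, a comment explaining why the owner differs from the enforced user would stop the next reader from "fixing" it.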