Skip to content

Latest commit

 

History

History
141 lines (97 loc) · 5.3 KB

README.md

File metadata and controls

141 lines (97 loc) · 5.3 KB

nubis-consul

Version Build Status Issues

Consul Deployment

The Consul project is designed to be deployed into a standard Nubis Account. It takes advantage of the standard deployment found here. For further specifics about Consul consult the documentation here.

Deployment Diagram

Deployment Diagram

NOTE: The line colors are representative and are for readability only. They are not intended to indicate any underlying protocol or specific communication details.

Deployment Notes

The Nubis Consul deployment consists of:

  • Instances deployed on EC2 in an Auto Scaling group
  • An external Elastic Load Balancer (ELB) which has a Security Group which restricts access to a list of IP addresses. The primary function is to allow access to the Continuous Integration (CI) system in the Admin VPC.
  • An internal Elastic Load Balancer (ELB) with a Security Group which restricts access to Nubis Deployed Instances. The function of this ELB is to provide access to instances running within the VPC and ensures a stable endpoint in the event of AutoScaling.
  • A Dynamo DB table which contains startup configuration information. This information is encrypted at rest. The EC2 instances are created with an IAM instance profile which allows access to a KMS key which is used to decrypt the configuration information.
  • A S3 bucket which contains backup data. This bucket is accessible only to Consul EC2 instances via an IAM Policy which is attached at boot via the AutoScaling Launch Configuration.

Deployment Resources

Details for the deployment including; naming conventions, relationships, permissions, etcetera, can be found in the Terraform template used for deployment. Links to specific resources can be found in the following table.

Resource Type Resource Title Code Location
aws_launch_configuration consul nubis/terraform/main.tf#L8
aws_autoscaling_group consul nubis/terraform/main.tf#L36
aws_security_group consul nubis/terraform/main.tf#L73
aws_elb consul nubis/terraform/main.tf#L130
aws_elb consul-public nubis/terraform/main.tf#L169
aws_security_group elb nubis/terraform/main.tf#L199
aws_security_group elb-public nubis/terraform/main.tf#L228
aws_route53_record ui nubis/terraform/main.tf#L250
aws_route53_record public nubis/terraform/main.tf#L258
aws_s3_bucket consul_backups nubis/terraform/main.tf#L266
aws_iam_instance_profile consul nubis/terraform/main.tf#L280
aws_iam_role consul nubis/terraform/main.tf#L285
aws_iam_role_policy consul nubis/terraform/main.tf#L306
aws_iam_role_policy consul_backups nubis/terraform/main.tf#L343
aws_iam_role_policy credstash nubis/terraform/main.tf#L372
tls_private_key consul_web nubis/terraform/main.tf#L461
tls_self_signed_cert consul_web_public nubis/terraform/main.tf#L465
tls_self_signed_cert consul_web_ui nubis/terraform/main.tf#L489
aws_iam_server_certificate consul_web_public nubis/terraform/main.tf#L519
aws_iam_server_certificate consul_web_ui nubis/terraform/main.tf#L530
null_resource credstash-public nubis/terraform/main.tf#L546
null_resource credstash nubis/terraform/main.tf#L563

Dependencies

You need credstash locally installed (in your PATH) to be able to deploy Consul

Mozilla Nubis Consul

You need to run

$> nubis/bin/makecert

Before deploying, to generate the SSL key and cert

Building project

This assumes you are in the project directory

  • Build AMI and make note of AMI ID

    nubis-builder build
    
  • Generate certificate

    cd nubis/terraform
    ../bin/makecert
    
  • Configure tfvars file

    cd nubis/terraform
    cp terraform.tfvars-dist terraform.tfvars
    <edit tfvar files with appropriate info>
    
  • Check if terraform plan gives you the right info (for sanity sake)

    cd nubis/terraform
    terraform plan
    
  • Verify if output looks sane and then deploy

    terraform apply
    
  • ???

  • Profit

NOTE