Triển khai dự án trên AWS
04/01/2022 AWS
Triển khai dự án trên AWS (staging)
#############################
+ Infrastructure Design Image
++ AWS Account
++ Region
++ Service URL/Basic Auth
++ how to login to the Fargate Container.
1. Get environment variables for this AWS account, and set them in your Terminal. (Same procedure as above.)
2. You need to install AWS CLI version2 and Session Manager plugin for the AWS CLI in your PC.
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html#welcome-versions-v2
3. Run this command.
$ export AWS_ACCESS_KEY_ID=xxxxxxxxxx
$ export AWS_SECRET_ACCESS_KEY=yyyyyyyyyy
$ export AWS_REGION=us-west-2
$ aws ecs list-tasks --cluster plg-stg-api --service-name plg-stg-api
$ aws ecs execute-command --cluster plg-stg-api --container plg-stg-api --interactive --command "/bin/sh" --task <task id>
or
$ aws ecs list-tasks --cluster plg-stg-api --service-name plg-stg-worker
$ aws ecs execute-command --cluster plg-stg-api --container plg-stg-worker --interactive --command "/bin/sh" --task <task id>
+ Deploy Pipeline Image (Frontend)
+ Deploy Pipeline Image (Backend)
#############################
+ IAM
++ How to login to the Fargate Container.
1. Get environment variables for this AWS account, and set them in your Terminal. (Same procedure as above.)
2. You need to install AWS CLI version2 and Session Manager plugin for the AWS CLI in your PC.
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html#welcome-versions-v2
3. Run this command.
$ export AWS_ACCESS_KEY_ID=xxxxxxxxxxxx
$ export AWS_SECRET_ACCESS_KEY=yyyyyyyyyyy
$ export AWS_REGION=us-west-2
$ aws ecs list-tasks --cluster plg-stg-api --service-name plg-stg-api
$ aws ecs execute-command --cluster plg-stg-api --container plg-stg-api --interactive --command "/bin/sh" --task <task id>
or
$ aws ecs list-tasks --cluster plg-stg-api --service-name plg-stg-worker
$ aws ecs execute-command --cluster plg-stg-api --container plg-stg-worker --interactive --command "/bin/sh" --task <task id>
#############################
+ Network
++ VPC
|
name |
cidr |
|---|---|
|
vpc_plg |
x.x.0.0/16 |
++ Subnet
|
name |
network address |
description |
|---|---|---|
|
public_us-west-2a_plg |
x.x.1.0/24 |
ALB, NAT Gateway |
|
public_us-west-2c_plg |
x.x.2.0/24 |
- |
|
protected_us-west-2a_plg |
x.x.11.0/24 |
ECS |
|
protected_us-west-2c_plg |
x.x.12.0/24 |
ECS |
|
private_us-west-2a_plg |
x.x.21.0/24 |
RDS, Elasticache |
|
private_us-west-2c_plg |
x.x.22.0/24 |
- |
++ NAT Gateway
|
NAT Gateway ID |
Elastic IP |
Private IP |
|---|---|---|
|
nat- |
|
x.x.1. |
++ VPC EndPoint
|
service name |
subnets/route tables |
securitygroup |
access policy |
|---|---|---|---|
|
com.amazonaws.us-west-2.ecr.dkr |
protected_us-west-2a |
sg_end_point_plg_stg |
Full |
|
com.amazonaws.us-west-2.ecr.api |
protected_us-west-2a |
sg_end_point_plg_stg |
Full |
|
com.amazonaws.us-west-2.s3 |
protected |
|
Full |
|
com.amazonaws.us-west-2.secretmanager |
protected_us-west-2a |
sg_end_point_plg_stg |
Full |
++ Route Table
|
name |
routes |
subnet associations |
|
|---|---|---|---|
|
destination |
target |
||
|
public_plg |
0.0.0.0/0 |
internet-gw |
public_us-west-2a public_us-west-2c |
|
x.x.0.0/16 |
local |
||
|
protected_plg |
0.0.0.0/0 |
nat-gw |
protected_us-west-2a protected_us-west-2c |
|
|
vpc-endpoint
|
||
|
x.x.0.0/16 |
local |
||
|
private_plg |
x.x.0.0/16 |
local |
private_us-west-2a private_us-west-2c |
++ SecurityGroup
|
name |
in bound |
out bound |
||||||
|---|---|---|---|---|---|---|---|---|
|
type |
protocol |
port |
source |
type |
protocol |
port |
destination |
|
|
sg_alb_backend_plg_stg |
HTTPS |
TCP |
443 |
0.0.0.0/0 |
ALL Traffic |
ALL |
ALL |
0.0.0.0/0 |
|
HTTP |
TCP |
80 |
0.0.0.0/0 |
|
|
|
|
|
|
sg_backend_plg_stg |
HTTP |
TCP |
80 |
sg_alb_api_nt_stg |
HTTP |
TCP |
80 |
0.0.0.0/0 |
|
|
HTTPS |
TCP |
443 |
0.0.0.0/0 |
||||
|
Custom TCP |
TCP |
587 |
0.0.0.0/0 |
|||||
|
Custom TCP |
TCP |
6379 |
x.x.0.0/16 |
|||||
|
PostgreSQL |
TCP |
5432 |
x.x.0.0/16 |
|||||
|
sg_cache_plg_stg |
Custom TCP |
TCP |
6379 |
sg_api_plg_stg |
ALL Traffic |
ALL |
ALL |
0.0.0.0/0 |
|
Custom TCP |
TCP |
6379 |
sg_bastion_plg_stg |
|
||||
|
sg_rds_plg_stg |
PostgreSQL |
TCP |
5432 |
sg_api_plg_stg |
ALL Traffic |
ALL |
ALL |
0.0.0.0/0 |
|
PostgreSQL |
TCP |
5432 |
sg_bastion_plg_stg |
|
||||
|
sg_bastion_plg_stg |
Custom TCP |
TCP |
60101 |
0.0.0.0/0 |
SSH |
TCP |
22 |
0.0.0.0/0 |
|
|
HTTP |
TCP |
80 |
0.0.0.0/0 |
||||
|
HTTPS |
TCP |
443 |
0.0.0.0/0 |
|||||
|
Custom TCP |
TCP |
6379 |
x.x.0.0/16 |
|||||
|
PostgreSQL |
TCP |
5432 |
x.x.0.0/16 |
|||||
|
sg_end_point_plg_stg |
HTTPS |
TCP |
443 |
x.x.0.0/16 |
ALL Traffic |
ALL |
ALL |
0.0.0.0/0 |
+ VPC EndPoint
|
service name |
subnets/route tables |
securitygroup |
access policy |
endpoint type |
|---|---|---|---|---|
|
com.amazonaws.us-west-2.ecr.dkr |
protected_us-west-2a |
sg_end_point_plg_stg |
Full |
Interface |
|
com.amazonaws.us-west-2.ecr.api |
protected_us-west-2a |
sg_end_point_plg_stg |
Full |
Interface |
|
com.amazonaws.us-west-2.secretmanager |
protected_us-west-2a |
sg_end_point_plg_stg |
Full |
Interface |
|
com.amazonaws.us-west-2.s3 |
protected |
None |
Full |
Gateway |
#############################
+ ACM
|
domain name |
region |
validation method |
additional domain |
|---|---|---|---|
|
stg.plg-work.net |
us-west-2 |
DNS validation |
*.stg.plg-work.net |
|
stg.plg-work.net |
us-east-1 |
DNS validation |
*.stg.plg-work.net |
++ ALB
+++ api
|
Name |
CNAME |
DNS |
AvailavilityZone |
SecurityGroup |
Target Group |
|---|---|---|---|---|---|
|
alb-backend-plg-stg |
|
|
us-west-2a |
sg_alb_backend_plg_stg |
api-blue-plg-stg / api-green-plg-stg |
+++ listener
|
load balancer listener protocol |
load balancer listner port |
instance listener protol |
instance listener port |
certificate / ACM |
|---|---|---|---|---|
|
HTTPS |
443 |
HTTP |
80 |
ACM: stg.plg-work.net |
|
HTTP |
80 |
HTTP |
80 |
- |
#############################
+ ECR
|
name |
URI |
scan on push |
tag immutability |
|---|---|---|---|
|
plg-stg |
|
Enabled |
Disabled |
#############################
+ ECS
++ Cluster
|
name |
description |
|---|---|
|
plg-stg-api |
|
Service
|
name |
Task Definition |
Desired tasks |
Launch type |
Platform version |
|---|---|---|---|---|
|
plg-stg-api |
plg-stg-api:* |
2 |
FARGATE |
1.4.0 |
#############################
+ RDS
++ rds aurora PostgreSQL
|
item |
value |
|---|---|
|
Engine |
PostgreSQL 12.10 |
|
Aurora Engine Version |
- |
|
InstanceType |
db.t4g.medium |
|
Write Endpoint |
plg-stg.cluster-ckqtez2yfydu.us-west-2.rds.amazonaws.com |
|
Read Endpoint |
plg-stg.cluster-ro-ckqtez2yfydu.us-west-2.rds.amazonaws.com |
|
Port |
5432 |
|
database |
ntstgdb |
|
username / password |
00. Credentials |
rds cluster parametergroup
|
item |
value |
|---|---|
|
autovacuum_vacuum_threshold |
200 |
|
log_autovacuum_min_duration |
0 |
rds db parametergroup
|
item |
value |
|---|---|
|
application_name |
plg |
|
rds.log_retention_period |
10080 |
|
lc_messages |
C |
|
log_min_duration_statement |
500 |
|
log_filename |
postgresql.log.%Y-%m-%d |
#############################
+ Elasticache
++ redis
|
item |
value |
|---|---|
|
Engine |
Redis 6.2.5 |
|
InstanceType |
cache.t3.micro |
|
Nuber of Nodes |
1 |
|
Primary Endpoint |
redis-plg-stg.jhvvyl.ng.0001.usw2.cache.amazonaws.com |
|
Reader Endpoint |
redis-plg-stg-ro.jhvvyl.ng.0001.usw2.cache.amazonaws.com |
|
Port |
6379 |
++ cache parametergroup
|
item |
value |
|---|---|
|
"activerehashing" |
"yes" |
#############################
+ S3
++ bucket
|
name |
region |
bucket url |
versioning |
lifecycle rule |
acl |
cors |
bucket policy |
|---|---|---|---|---|---|---|---|
|
bucket-plg-stg-private |
us-west-2 |
https://bucket-plg-stg-private.s3.amazonaws.com/ |
none |
none |
private |
none |
none |
|
|
us-west-2 |
|
none |
none |
private |
none |
1{ 2 "Version": "2012-10-17", 3 "Statement": [ 4 { 5 "Sid": "RestrictBucketAccess", 6 "Effect": "Allow", 7 "Principal": { 8 "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXXXX" 9 }, 10 "Action": "s3:GetObject", 11 "Resource": "arn:aws:s3:::bucket-plg-stg-admin-restrict-access-bucket/*" 12 } 13 ] 14} |
|
developer-tools-bucket-plg-stg |
us-west-2 |
https://developer-tools-bucket-plg-stg.s3.amazonaws.com/ |
none |
none |
private |
none |
none |
#############################
+ EC2
++ bastion
|
item |
value |
|---|---|
|
Name |
plg-stg-bastion |
|
OS |
Amazon Linux 2 |
|
Instance Type |
t3a.nano |
|
ssh user |
ec2-user |
|
ssh port |
|
|
ssh key |
00. Credentials |
|
Elastic IP |
|
|
IAM Role |
AllowEc2AccessBastion |
|
SecurityGroup |
sg_bastion_plg_stg |
#############################
+ SES
++ domains
|
item |
value |
|---|---|
|
region |
us-west-2 |
|
domain |
stg.plg-work.net |
|
DKIM |
enable |
|
Email Receive |
none |
|
SMTP Endpoint |
https://email-smtp.us-west-2.amazonaws.com/ |
|
SMTP Port |
587 |
#############################
smtp credentials
|
user name |
credentials |
policy |
|---|---|---|
|
ses-smtp-user-plg-stg |
00. Credentials |
1{ 2 "Version": "2012-10-17", 3 "Statement": [ 4 { 5 "Sid": "", 6 "Effect": "Allow", 7 "Action": [ 8 "ses:SendRawEmail", 9 "ses:SendEmail" 10 ], 11 "Resource": "*", 12 } 13 ] 14} |
#############################
TƯ VẤN MIỄN PHÍ
XÂY DỰNG ỨNG DỤNG & WEBSITE
Bài viết cùng chủ đề
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|