Deploying the project on AWS

04/01/2022   AWS

Deploying the project on AWS (staging)

#############################
+ Infrastructure Design Image
++  AWS Account
++ Region
++ Service URL/Basic Auth
++ How to log in to the Fargate container
1. Get the environment variables (access keys) for this AWS account and set them in your terminal. (Same procedure as above.)
2. Install AWS CLI version 2 and the Session Manager plugin for the AWS CLI on your PC.
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html#welcome-versions-v2
3. Run these commands. The task id passed to execute-command is the last path segment of the task ARN printed by list-tasks.
$ export AWS_ACCESS_KEY_ID=xxxxxxxxxx
$ export AWS_SECRET_ACCESS_KEY=yyyyyyyyyy
$ export AWS_REGION=us-west-2
$ aws ecs list-tasks --cluster plg-stg-api --service-name plg-stg-api
$ aws ecs execute-command --cluster plg-stg-api --container plg-stg-api --interactive --command "/bin/sh" --task <task id>
or
$ aws ecs list-tasks --cluster plg-stg-api --service-name plg-stg-worker
$ aws ecs execute-command --cluster plg-stg-api --container plg-stg-worker --interactive --command "/bin/sh" --task <task id>
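As an added example (not part of the original page or the project's own tooling), a small POSIX shell wrapper that chains the two commands above: it checks the prerequisites from step 2, picks the first running task of the service, extracts the task id from its ARN and opens the interactive shell. Cluster, service and container names are passed as arguments; the access keys and region are assumed to be exported as in step 3.

```shell
#!/bin/sh
# Added example: wrapper around "list-tasks, then execute-command".
# Assumes AWS CLI v2 and the Session Manager plugin are on PATH and that
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_REGION are already exported.

# Extract the bare task id from an ECS task ARN. Both ARN layouts
#   arn:aws:ecs:<region>:<account>:task/<cluster>/<id>
#   arn:aws:ecs:<region>:<account>:task/<id>
# put the id in the last path segment.
task_id_from_arn() {
    printf '%s\n' "${1##*/}"
}

# Verify the step-2 prerequisites before trying to open a shell.
check_prereqs() {
    command -v aws >/dev/null 2>&1 || { echo "aws CLI not found" >&2; return 1; }
    command -v session-manager-plugin >/dev/null 2>&1 \
        || { echo "Session Manager plugin not found" >&2; return 1; }
    case "$(aws --version 2>&1)" in
        aws-cli/2.*) ;;
        *) echo "AWS CLI v2 is required for ECS Exec" >&2; return 1 ;;
    esac
}

# Open an interactive shell in the first RUNNING task of a service.
# Usage: ecs_shell <cluster> <service> <container>
ecs_shell() {
    cluster=$1; service=$2; container=$3
    check_prereqs || return 1
    # --query/--output text prints a single ARN, or "None" when there is no task.
    task_arn=$(aws ecs list-tasks --cluster "$cluster" --service-name "$service" \
        --desired-status RUNNING --query 'taskArns[0]' --output text)
    if [ -z "$task_arn" ] || [ "$task_arn" = "None" ]; then
        echo "no running task for service $service in cluster $cluster" >&2
        return 1
    fi
    task_id=$(task_id_from_arn "$task_arn")
    echo "Connecting to task $task_id (container $container)" >&2
    aws ecs execute-command --cluster "$cluster" --container "$container" \
        --interactive --command "/bin/sh" --task "$task_id"
}

# Only run when invoked with the three arguments, e.g.
#   ./ecs_shell.sh plg-stg-api plg-stg-api plg-stg-api
#   ./ecs_shell.sh plg-stg-api plg-stg-worker plg-stg-worker
if [ "$#" -eq 3 ]; then
    ecs_shell "$@"
fi
```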
+ Deploy Pipeline Image (Frontend)

+ Deploy Pipeline Image (Backend)

#############################
+ IAM

#############################

+ Network

++ VPC

| name    | cidr       |
|---------|------------|
| vpc_plg | x.x.0.0/16 |

++ Subnet

| name                     | network address | description      |
|--------------------------|-----------------|------------------|
| public_us-west-2a_plg    | x.x.1.0/24      | ALB, NAT Gateway |
| public_us-west-2c_plg    | x.x.2.0/24      | -                |
| protected_us-west-2a_plg | x.x.11.0/24     | ECS              |
| protected_us-west-2c_plg | x.x.12.0/24     | ECS              |
| private_us-west-2a_plg   | x.x.21.0/24     | RDS, Elasticache |
| private_us-west-2c_plg   | x.x.22.0/24     | -                |

++ NAT Gateway

| NAT Gateway ID | Elastic IP | Private IP |
|----------------|------------|------------|
| nat-           |            | x.x.1.     |


++ Route Table

| name          | route destination | route target | subnet associations                        |
|---------------|-------------------|--------------|--------------------------------------------|
| public_plg    | 0.0.0.0/0         | internet-gw  | public_us-west-2a, public_us-west-2c       |
|               | x.x.0.0/16        | local        |                                            |
| protected_plg | 0.0.0.0/0         | nat-gw       | protected_us-west-2a, protected_us-west-2c |
|               |                   | vpc-endpoint |                                            |
|               | x.x.0.0/16        | local        |                                            |
| private_plg   | x.x.0.0/16        | local        | private_us-west-2a, private_us-west-2c     |

++ SecurityGroup

| name                   | direction | type        | protocol | port  | source / destination |
|------------------------|-----------|-------------|----------|-------|----------------------|
| sg_alb_backend_plg_stg | inbound   | HTTPS       | TCP      | 443   | 0.0.0.0/0            |
|                        | inbound   | HTTP        | TCP      | 80    | 0.0.0.0/0            |
|                        | outbound  | ALL Traffic | ALL      | ALL   | 0.0.0.0/0            |
| sg_backend_plg_stg     | inbound   | HTTP        | TCP      | 80    | sg_alb_api_nt_stg    |
|                        | outbound  | HTTP        | TCP      | 80    | 0.0.0.0/0            |
|                        | outbound  | HTTPS       | TCP      | 443   | 0.0.0.0/0            |
|                        | outbound  | Custom TCP  | TCP      | 587   | 0.0.0.0/0            |
|                        | outbound  | Custom TCP  | TCP      | 6379  | x.x.0.0/16           |
|                        | outbound  | PostgreSQL  | TCP      | 5432  | x.x.0.0/16           |
| sg_cache_plg_stg       | inbound   | Custom TCP  | TCP      | 6379  | sg_api_plg_stg       |
|                        | inbound   | Custom TCP  | TCP      | 6379  | sg_bastion_plg_stg   |
|                        | outbound  | ALL Traffic | ALL      | ALL   | 0.0.0.0/0            |
| sg_rds_plg_stg         | inbound   | PostgreSQL  | TCP      | 5432  | sg_api_plg_stg       |
|                        | inbound   | PostgreSQL  | TCP      | 5432  | sg_bastion_plg_stg   |
|                        | outbound  | ALL Traffic | ALL      | ALL   | 0.0.0.0/0            |
| sg_bastion_plg_stg     | inbound   | Custom TCP  | TCP      | 60101 | 0.0.0.0/0            |
|                        | outbound  | SSH         | TCP      | 22    | 0.0.0.0/0            |
|                        | outbound  | HTTP        | TCP      | 80    | 0.0.0.0/0            |
|                        | outbound  | HTTPS       | TCP      | 443   | 0.0.0.0/0            |
|                        | outbound  | Custom TCP  | TCP      | 6379  | x.x.0.0/16           |
|                        | outbound  | PostgreSQL  | TCP      | 5432  | x.x.0.0/16           |
| sg_end_point_plg_stg   | inbound   | HTTPS       | TCP      | 443   | x.x.0.0/16           |
|                        | outbound  | ALL Traffic | ALL      | ALL   | 0.0.0.0/0            |

++ VPC EndPoint

| service name                          | subnets / route tables                     | security group       | access policy | endpoint type |
|---------------------------------------|--------------------------------------------|----------------------|---------------|---------------|
| com.amazonaws.us-west-2.ecr.dkr       | protected_us-west-2a, protected_us-west-2c | sg_end_point_plg_stg | Full          | Interface     |
| com.amazonaws.us-west-2.ecr.api       | protected_us-west-2a, protected_us-west-2c | sg_end_point_plg_stg | Full          | Interface     |
| com.amazonaws.us-west-2.secretmanager | protected_us-west-2a, protected_us-west-2c | sg_end_point_plg_stg | Full          | Interface     |
| com.amazonaws.us-west-2.s3            | protected                                  | None                 | Full          | Gateway       |

#############################
+ ACM

| domain name      | region    | validation method | additional domain  |
|------------------|-----------|-------------------|--------------------|
| stg.plg-work.net | us-west-2 | DNS validation    | *.stg.plg-work.net |
| stg.plg-work.net | us-east-1 | DNS validation    | *.stg.plg-work.net |

++ ALB

+++ api

| Name                | CNAME | DNS | AvailabilityZone       | SecurityGroup          | Target Group                        |
|---------------------|-------|-----|------------------------|------------------------|-------------------------------------|
| alb-backend-plg-stg |       |     | us-west-2a, us-west-2c | sg_alb_backend_plg_stg | api-blue-plg-stg / api-green-plg-stg |

+++ listener

| load balancer listener protocol | load balancer listener port | instance listener protocol | instance listener port | certificate / ACM     |
|---------------------------------|-----------------------------|----------------------------|------------------------|-----------------------|
| HTTPS                           | 443                         | HTTP                       | 80                     | ACM: stg.plg-work.net |
| HTTP                            | 80                          | HTTP                       | 80                     | -                     |

#############################

+ ECR

| name    | URI | scan on push | tag immutability |
|---------|-----|--------------|------------------|
| plg-stg |     | Enabled      | Disabled         |

#############################

+ ECS

++ Cluster

| name        | description |
|-------------|-------------|
| plg-stg-api |             |

++ Service

| name        | Task Definition | Desired tasks | Launch type | Platform version |
|-------------|-----------------|---------------|-------------|------------------|
| plg-stg-api | plg-stg-api:*   | 2             | FARGATE     | 1.4.0            |

#############################

+ RDS

++ rds aurora PostgreSQL

| item                  | value                                                      |
|-----------------------|------------------------------------------------------------|
| Engine                | PostgreSQL 12.10                                           |
| Aurora Engine Version | -                                                          |
| InstanceType          | db.t4g.medium                                              |
| Write Endpoint        | plg-stg.cluster-ckqtez2yfydu.us-west-2.rds.amazonaws.com   |
| Read Endpoint         | plg-stg.cluster-ro-ckqtez2yfydu.us-west-2.rds.amazonaws.com |
| Port                  | 5432                                                       |
| database              | ntstgdb                                                    |
| username / password   | 00. Credentials                                            |

++ rds cluster parametergroup

| item                        | value |
|-----------------------------|-------|
| autovacuum_vacuum_threshold | 200   |
| log_autovacuum_min_duration | 0     |

++ rds db parametergroup

| item                       | value                   |
|----------------------------|-------------------------|
| application_name           | plg                     |
| rds.log_retention_period   | 10080                   |
| lc_messages                | C                       |
| log_min_duration_statement | 500                     |
| log_filename               | postgresql.log.%Y-%m-%d |

#############################

+ Elasticache

++ redis

| item             | value                                                  |
|------------------|--------------------------------------------------------|
| Engine           | Redis 6.2.5                                            |
| InstanceType     | cache.t3.micro                                         |
| Number of Nodes  | 1                                                      |
| Primary Endpoint | redis-plg-stg.jhvvyl.ng.0001.usw2.cache.amazonaws.com    |
| Reader Endpoint  | redis-plg-stg-ro.jhvvyl.ng.0001.usw2.cache.amazonaws.com |
| Port             | 6379                                                   |

++ cache parametergroup

| item            | value |
|-----------------|-------|
| activerehashing | yes   |

#############################

+ S3

++ bucket

| name                           | region    | bucket url                                               | versioning | lifecycle rule | acl     | cors | bucket policy    |
|--------------------------------|-----------|----------------------------------------------------------|------------|----------------|---------|------|------------------|
| bucket-plg-stg-private         | us-west-2 | https://bucket-plg-stg-private.s3.amazonaws.com/         | none       | none           | private | none | none             |
|                                | us-west-2 |                                                          | none       | none           | private | none | see policy below |
| developer-tools-bucket-plg-stg | us-west-2 | https://developer-tools-bucket-plg-stg.s3.amazonaws.com/ | none       | none           | private | none | none             |

Bucket policy of the second bucket (its name is not recorded above; the policy only lets the CloudFront Origin Access Identity read objects from bucket-plg-stg-admin-restrict-access-bucket):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RestrictBucketAccess",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXXXX"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::bucket-plg-stg-admin-restrict-access-bucket/*"
        }
      ]
    }

#############################

+ EC2

++ bastion

| item          | value                |
|---------------|----------------------|
| Name          | plg-stg-bastion      |
| OS            | Amazon Linux 2       |
| Instance Type | t3a.nano             |
| ssh user      | ec2-user             |
| ssh port      |                      |
| ssh key       | 00. Credentials      |
| Elastic IP    |                      |
| IAM Role      | AllowEc2AccessBastion |
| SecurityGroup | sg_bastion_plg_stg   |

#############################

+ SES

++ domains

| item          | value                                         |
|---------------|-----------------------------------------------|
| region        | us-west-2                                     |
| domain        | stg.plg-work.net                              |
| DKIM          | enabled                                       |
| Email Receive | none                                          |
| SMTP Endpoint | https://email-smtp.us-west-2.amazonaws.com/   |
| SMTP Port     | 587                                           |

#############################

++ SMTP credentials

| user name             | credentials     | policy           |
|-----------------------|-----------------|------------------|
| ses-smtp-user-plg-stg | 00. Credentials | see policy below |

IAM policy attached to the SMTP user (the trailing comma after "Resource" in the original was invalid JSON and has been removed; the policy allows sending only, on any SES identity):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": [
            "ses:SendRawEmail",
            "ses:SendEmail"
          ],
          "Resource": "*"
        }
      ]
    }

#############################
