DEV Community: Emmanuel K The latest articles on DEV Community by Emmanuel K (@emmanuelnk). https://dev.to/emmanuelnk https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F60750%2Fae073f24-1fde-4c54-8196-8758faaa71cd.jpg DEV Community: Emmanuel K https://dev.to/emmanuelnk en Simplifying GitHub Actions Workflows Through Typescript Emmanuel K Wed, 30 Aug 2023 12:09:46 +0000 https://dev.to/emmanuelnk/simplifying-github-actions-workflows-through-typescript-3f31 https://dev.to/emmanuelnk/simplifying-github-actions-workflows-through-typescript-3f31 <h2> Quick Summary </h2> <p>Harness the power of Typescript for designing your GitHub Actions Workflows. Check out <a href="https://github.com/emmanuelnk/github-actions-workflow-ts">github-actions-workflow-ts</a></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4uk9k5r6jpefdnwdtk85.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4uk9k5r6jpefdnwdtk85.png" alt="github-actions-workflow-ts logo" width="800" height="419"></a></p> <h2> The Challenge with YAML </h2> <p>Despite its widespread use in DevOps and CI/CD pipelines—think Kubernetes, Jenkins, CircleCI, Bitbucket Pipelines, CloudFormation, and of course, GitHub Actions—YAML comes with its own set of complexities. Issues often arise from poor indentation, block referencing, and the tedious nature of code reuse.</p> <h2> Why Not YAML for GitHub Actions? </h2> <p>While YAML is somewhat versatile, it's not the most readable or maintainable choice for composing GitHub Actions Workflows. Attempting to implement complex functionality can make your YAML files convoluted, making the process of maintaining, updating or even remembering their function painful.</p> <h2> The Epiphany </h2> <p>Enter my introduction to AWS CDK a few years ago — a tool that lets you write infrastructure code in your preferred language and then compiles it into Cloudformation YAML. This sparked an idea: why not apply the same principle to GitHub Actions Workflows?</p> <h2> The Inspiration </h2> <p>Initially, I stumbled upon <a href="https://github.com/webiny/github-actions-wac">webiny/github-actions-wac</a>, an incredible package that did exactly what I was envisioning. While it's a remarkable tool, I encountered some limitations concerning type exports, file naming, and directory placement. These led me down a path of extensive modifications and enhancements.</p> <h2> Introducing github-actions-workflow-ts </h2> <p>Instead of merely tweaking the existing package, I found myself reimagining many of its core functionalities. Thus, I introduce <a href="https://github.com/emmanuelnk/github-actions-workflow-ts">github-actions-workflow-ts</a> — a package heavily inspired by the original but with expanded capabilities. While it's still in its beta stage (version 0.X.X), I'm close to releasing a stable 1.0.0 version. However, the current API is robust and already implemented in several of my projects.</p> <h2> Get Started Now </h2> <p>Curious to see it in action? Explore these Replit examples:</p> <ul> <li><a href="https://replit.com/@EmmanuelKyeyune/github-actions-workflow-ts-example#workflows/simple.example.wac.ts">Simple Example</a></li> <li><a href="https://replit.com/@EmmanuelKyeyune/github-actions-workflow-ts-example#src/workflows/advanced.example.wac.ts">Advanced Example</a></li> </ul> <h2> About the Author </h2> <p>I'm <a href="https://emmanuelnk.com">Emmanuel</a>, passionate about software, AWS, and DevOps. If you found this article valuable, feel free to connect with me on <a href="https://www.linkedin.com/in/emmanuel-nsubuga-kyeyune/">LinkedIn</a> or follow me on <a href="https://twitter.com/emmanuel_n_k">Twitter</a>.</p> githubactions github typescript cicd How to monitor long running ALTERS in AWS RDS MySQL 5.7+ using the Performance Schema Emmanuel K Fri, 07 Oct 2022 20:02:19 +0000 https://dev.to/emmanuelnk/how-to-monitor-long-running-alters-in-aws-rds-mysql-57-using-the-performance-schema-4m4o https://dev.to/emmanuelnk/how-to-monitor-long-running-alters-in-aws-rds-mysql-57-using-the-performance-schema-4m4o <p>You've probably landed on this page because you have a MySQL RDS database that has one/many massive tables and anytime you run an <code>ALTER</code> it takes hours, maybe even days. Unfortunately, MySQL does not provide an easy way to monitor this and neither does RDS monitoring or RDS Performance Insights on AWS.</p> <p>Luckily, since MySQL 5.7 there has been support for Progress information and that is implemented with the Performance Schema using the stage events. I recommend you read this excellent <a href="https://mysql.wisborg.dk/2018/08/10/innodb-progress-information/">article</a> for a detailed explanation (and also a better way to do the below in MySQL 8). In this article I will focus on MySQL 5.7</p> <p>So how do you do it on RDS?</p> <ol> <li>Set <code>performance_schema</code> parameter to 1 in your database's parameter group (⚠Requires instance reboot so that parameter is applied) <img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgt8qqvvvzh39h1kpl202.png" alt="Image description" width="800" height="385"> </li> <li> <p>Once the parameter has been applied. Run the following queries<br> </p> <pre class="highlight sql"><code><span class="c1">-- Enable events_stages_current to monitor threads</span> <span class="k">UPDATE</span> <span class="n">performance_schema</span><span class="p">.</span><span class="n">setup_consumers</span> <span class="k">SET</span> <span class="n">ENABLED</span> <span class="o">=</span> <span class="s1">'YES'</span> <span class="k">WHERE</span> <span class="n">NAME</span> <span class="o">=</span> <span class="s1">'events_stages_current'</span><span class="p">;</span> <span class="c1">-- Check results of below to see that ENABLED </span> <span class="c1">-- and EnabledWithHierarchy are both "YES"</span> <span class="k">SELECT</span> <span class="n">NAME</span><span class="p">,</span> <span class="n">ENABLED</span><span class="p">,</span> <span class="n">sys</span><span class="p">.</span><span class="n">ps_is_consumer_enabled</span><span class="p">(</span><span class="n">NAME</span><span class="p">)</span> <span class="k">AS</span> <span class="n">EnabledWithHierarchy</span> <span class="k">FROM</span> <span class="n">performance_schema</span><span class="p">.</span><span class="n">setup_consumers</span> <span class="k">WHERE</span> <span class="n">NAME</span> <span class="o">=</span> <span class="s1">'events_stages_current'</span><span class="p">;</span> </code></pre> </li> <li> <p>If the above works then you are good to go. You can now start an alter and execute this query to see its progress<br> </p> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">stmt</span><span class="p">.</span><span class="n">THREAD_ID</span><span class="p">,</span> <span class="n">stmt</span><span class="p">.</span><span class="n">SQL_TEXT</span><span class="p">,</span> <span class="n">stage</span><span class="p">.</span><span class="n">EVENT_NAME</span> <span class="k">AS</span> <span class="k">State</span><span class="p">,</span> <span class="n">stage</span><span class="p">.</span><span class="n">WORK_COMPLETED</span><span class="p">,</span> <span class="n">stage</span><span class="p">.</span><span class="n">WORK_ESTIMATED</span><span class="p">,</span> <span class="n">ROUND</span><span class="p">(</span><span class="mi">100</span><span class="o">*</span><span class="n">stage</span><span class="p">.</span><span class="n">WORK_COMPLETED</span><span class="o">/</span><span class="n">stage</span><span class="p">.</span><span class="n">WORK_ESTIMATED</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="k">AS</span> <span class="n">CompletedPct</span> <span class="k">FROM</span> <span class="n">performance_schema</span><span class="p">.</span><span class="n">events_statements_current</span> <span class="n">stmt</span> <span class="k">INNER</span> <span class="k">JOIN</span> <span class="n">performance_schema</span><span class="p">.</span><span class="n">events_stages_current</span> <span class="n">stage</span> <span class="k">ON</span> <span class="n">stage</span><span class="p">.</span><span class="n">THREAD_ID</span> <span class="o">=</span> <span class="n">stmt</span><span class="p">.</span><span class="n">THREAD_ID</span> <span class="k">AND</span> <span class="n">stage</span><span class="p">.</span><span class="n">NESTING_EVENT_ID</span> <span class="o">=</span> <span class="n">stmt</span><span class="p">.</span><span class="n">EVENT_ID</span> <span class="c1">-- ALTERNATIVELY</span> <span class="c1">----------------</span> <span class="c1">-- SELECT </span> <span class="c1">-- thd_id, </span> <span class="c1">-- conn_id, </span> <span class="c1">-- db, </span> <span class="c1">-- command, </span> <span class="c1">-- state, </span> <span class="c1">-- current_statement,</span> <span class="c1">-- statement_latency, </span> <span class="c1">-- progress, </span> <span class="c1">-- current_memory, </span> <span class="c1">-- program_name</span> <span class="c1">-- FROM sys.session</span> <span class="c1">-- WHERE progress IS NOT NULL;</span> </code></pre> </li> <li><p>You should see something like this (where <code>WORK_COMPLETED</code> is how many rows have been altered and <code>WORK_ESTIMATED</code> is how many rows are left to alter and <code>CompletedPct</code> is the completion percent). Run this query everytine you need to see the updated values.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj92j2at7cmzq6f1jyfre.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj92j2at7cmzq6f1jyfre.png" alt="Image description" width="800" height="296"></a></p></li> </ol> <p>And that's it -- hopefully now you can monitor long running queries on an RDS database!</p> <p>Hi I'm <a href="https://emmanuelnk.com">Emmanuel</a>! I write about software, AWS and DevOps.</p> <p>If you liked this article and want to see more, add me on <a href="https://www.linkedin.com/in/emmanuel-nsubuga-kyeyune/">LinkedIn</a> or follow me on <a href="https://twitter.com/emmanuel_n_k">Twitter</a></p> mysql queries rds aws How to get old LinkedIn app in China Emmanuel K Wed, 22 Dec 2021 20:41:34 +0000 https://dev.to/emmanuelnk/how-to-get-old-linkedin-app-in-china-3ac8 https://dev.to/emmanuelnk/how-to-get-old-linkedin-app-in-china-3ac8 <p>TLDR -- The China-localised LinkedIn app has been replaced with InJobs app. If you are unfortunate like me, that localised LinkedIn app is not easily replaceable with a non-China-localised version on your phone (e.g. on most Samsung phones) -- which means you simply cannot use the LinkedIn app on your phone anymore because if you open it, you are prompted to download InJobs app instead. Scroll to 'The solution' section to see how to fix this.</p> <h2> The Problem </h2> <p>Recently, the LinkedIn mobile app <a href="https://www.nytimes.com/2021/10/14/technology/linkedin-china-microsoft.html">exited the China market</a> -- more specifically, <a href="https://blog.linkedin.com/2021/october/14/china-sunset-of-localized-version-of-linkedin-and-launch-of-new-injobs-app">they sunsetted the normal LinkedIn app and replaced it with a new application called InJobs specifically for China region</a>.</p> <p>So as the new InJob app rollout is underway, users of the old China-localised LinkedIn app are now blocked from logging in and are instead prompted to download the new InJobs app. This happened to me yesterday. </p> <p>This would usually be fine because it means all you have to do is uninstall the China-localised LinkedIn application and install a non-China-localised LinkedIn application from the Google Playstore to continue using the LinkedIn app you are used to.</p> <p>But... What happens when you cannot remove it? Unfortunately for most Samsung users, apps like Facebook (HK, TW, Rest of the world), LinkedIn (Mainland, HK, TW, Rest of the world) and many Microsoft apps are in most cases pre-installed bloatware. This means they cannot be uninstalled easily -- only disabled.</p> <p>These are apps I use (or at least did not mind being bloatware) so this hasn't been an issue for me -- until now. Unfortunately for users who got their Samsung (and probably other phones) from China region (Mainland, HK, Taiwan) the uninstallable LinkedIn app is the now discontinued China-localised version. </p> <p>Since I'm no longer in the China region (where I bought my phone), the InJobs app is useless to me. And even if I wasn't I would probably still want to use the regular LinkedIn app and not a stripped down version. </p> <h2> The Solution </h2> <p>Fortunately, there is a work-around. It is quite technical so I hope you know how to use the terminal.</p> <p><strong>NOTE:</strong> Don't attempt this if you don't know what you are doing or have never used the terminal. I am not responsible for you bricking yor phone.</p> <h3> Pre-requisites </h3> <ul> <li>Computer</li> <li>Data wire</li> <li>Your mobile phone</li> <li>Internet</li> </ul> <h3> Initial Steps </h3> <ol> <li>Enable USB debugging on your Phone</li> <li><a href="https://www.verizon.com/support/knowledge-base-223020/">https://www.verizon.com/support/knowledge-base-223020/</a></li> <li>Download Android SDK platform tools for your operating system (I use Linux and it is what I will show from now on)</li> <li><a href="https://developer.android.com/studio/releases/platform-tools">https://developer.android.com/studio/releases/platform-tools</a></li> <li>Unzip platform tools you just downloaded</li> <li>Enter the platform tools folder and open your terminal there <img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fywekqqletke3vnzui43u.png" alt="Image description" width="800" height="351"> </li> <li>Connect your phone to computer and allow it to share data if prompted</li> <li>Download the latest version of LinkedIn APK from APKPure. Download <a href="https://m.apkpure.com/linkedin-jobs-business-news/com.linkedin.android/download">here</a>. We need this non-China-localised version to overwrite the existing China localised version -- Don't worry its safe to install. Also, we only need it for a few minutes and all future versions will be from your trusted Google Playstore. Copy the location of the downloaded LinkedIn APK </li> <li>Prepare your phone -- Set the screen timeout to be at least 10 minutes. You don't want your screen going odd during this process. Make sure you do not disconnect the wire during any of the following steps.</li> </ol> <h3> Next steps </h3> <ol> <li>Open your terminal and do the following </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>./adb devices </code></pre> </div> <p>You should see your device connected.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flez29pk11q4ma0g8jy4m.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flez29pk11q4ma0g8jy4m.png" alt="Image description" width="424" height="141"></a></p> <ol> <li>Run the following command to ensure you grant permissions to run commands on your device </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./adb shell pm list packages | <span class="nb">grep </span>linkedin </code></pre> </div> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvciuuitv42l8rfrhf0kq.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvciuuitv42l8rfrhf0kq.png" alt="Image description" width="638" height="99"></a><br> You should see that <code>linkedin</code> is installed</p> <ol> <li>Install the LinkedIn apk you just downloaded </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./adb <span class="nb">install</span> <span class="nt">-r</span> <span class="nt">-d</span> ~/Downloads/LinkedIn<span class="se">\ </span>Jobs<span class="se">\ </span>Business<span class="se">\ </span>News_v4.1.649.1_apkpure.com.apk </code></pre> </div> <p>In this command, <code>-r</code> will force the APK to update with the new APK and <code>-d</code> will force the phone to ignore the possibly lower LinkedIn version you want to install</p> <ol> <li>If prompted to grant permission on your phone, ensure you grant it. If the command fails because of this, just run it again.</li> <li>When it is done (may take a while -- give it up to 3 min) -- You should see <code>success</code> <img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3mvyyargoshjpp9v5x6t.png" alt="Image description" width="800" height="96"> </li> </ol> <p>That's it. You can now disconnect your phone from your computer and now you should have the correct non-China localised LinkedIn application installed on your phone. </p> <p>If the version you downloaded from APKPure is lower than the latest version on Google Play, you will see a prompt to update the app in Google Play. Update it.</p> <p>That's all.</p> <p>Hi I'm <a href="https://emmanuelnk.com">Emmanuel</a>! I write about software, devOps and other random technical stuff.</p> <p>If you liked this article and want to see more, add me on <a href="https://www.linkedin.com/in/emmanuel-nsubuga-kyeyune/">LinkedIn</a> or follow me on <a href="https://twitter.com/emmanuel_n_k">Twitter</a></p> android samsung linkedin adb Saving and Retrieving Well-known Text (WKT) in MySQL or Postgres with TypeORM Emmanuel K Wed, 09 Jun 2021 19:50:49 +0000 https://dev.to/emmanuelnk/saving-and-retrieving-well-known-text-wkt-in-mysql-or-postgres-with-typeorm-19gf https://dev.to/emmanuelnk/saving-and-retrieving-well-known-text-wkt-in-mysql-or-postgres-with-typeorm-19gf <p>Sometimes in TypeORM you want to save location/coordinates in a type that can take advantage of GIS functions like distance, closeness etc MySQL and Postgres have these functions that get this information when you have <code>geometry</code> data column types.</p> <p>This was surprisingly difficult to find information on so here's my implementation.</p> <p>I assume you already have a TypeORM project set up.</p> <p>Install these packages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>wkx geojson npm <span class="nb">install</span> @types/geojson <span class="nt">--save-dev</span> </code></pre> </div> <p>Then add this custom transformer that converts GeoJSON to WKT and WKT back to GeoJSON</p> <p>Example GeoJSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">location</span> <span class="o">=</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">point</span><span class="dl">'</span><span class="p">,</span> <span class="na">coordinates</span><span class="p">:</span> <span class="p">[</span><span class="o">-</span><span class="mf">74.534</span><span class="p">,</span> <span class="mf">39.123</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Example WKT (like you would use in MySQL query):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="n">POINT</span><span class="p">(</span><span class="o">-</span><span class="mi">74</span><span class="p">.</span><span class="mi">534</span><span class="p">,</span> <span class="mi">39</span><span class="p">.</span><span class="mi">123</span><span class="p">)</span> </code></pre> </div> <p>This would be saved as <code>BLOB</code> type in MySQL</p> <h2> Files </h2> <p>First you need to add the transformer class<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ./src/lib/transformers.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">wkx</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">wkx</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Geometry</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">geojson</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ValueTransformer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">typeorm/decorator/options/ValueTransformer</span><span class="dl">'</span> <span class="cm">/** * TypeORM transformer to convert GeoJSON to MySQL WKT (Well Known Text) e.g. POINT(LAT, LON) and back */</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">GeometryTransformer</span> <span class="k">implements</span> <span class="nx">ValueTransformer</span> <span class="p">{</span> <span class="nf">to</span><span class="p">(</span><span class="nx">geojson</span><span class="p">:</span> <span class="nx">Geometry</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">wkx</span><span class="p">.</span><span class="nx">Geometry</span><span class="p">.</span><span class="nf">parseGeoJSON</span><span class="p">(</span><span class="nx">geojson</span><span class="p">).</span><span class="nf">toWkt</span><span class="p">()</span> <span class="p">}</span> <span class="k">from</span><span class="p">(</span><span class="nx">wkb</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">any</span><span class="o">&gt;</span> <span class="o">|</span> <span class="kc">undefined</span> <span class="p">{</span> <span class="k">if</span><span class="p">(</span><span class="o">!</span><span class="nx">wkb</span><span class="p">)</span> <span class="k">return</span> <span class="k">return</span> <span class="nx">wkx</span><span class="p">.</span><span class="nx">Geometry</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">wkb</span><span class="p">).</span><span class="nf">toGeoJSON</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Then inside your target entity class:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ./src/entities/user.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Entity</span><span class="p">,</span> <span class="nx">PrimaryGeneratedColumn</span><span class="p">,</span> <span class="nx">Column</span><span class="p">,</span> <span class="nx">BaseEntity</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">typeorm</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">GeometryTransformer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../transformers</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Geometry</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">geojson</span><span class="dl">'</span> <span class="p">@</span><span class="nd">Entity</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">User</span> <span class="kd">extends</span> <span class="nc">BaseEntity</span> <span class="p">{</span> <span class="p">@</span><span class="nd">PrimaryGeneratedColumn</span><span class="p">()</span> <span class="nx">idUser</span><span class="o">!</span><span class="p">:</span> <span class="kr">number</span> <span class="p">@</span><span class="nd">Column</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">geometry</span><span class="dl">'</span><span class="p">,</span> <span class="na">spatialFeatureType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Point</span><span class="dl">'</span><span class="p">,</span> <span class="na">srid</span><span class="p">:</span> <span class="mi">4326</span><span class="p">,</span> <span class="c1">// WGS84 reference system</span> <span class="na">transformer</span><span class="p">:</span> <span class="k">new</span> <span class="nc">GeometryTransformer</span><span class="p">(),</span> <span class="p">})</span> <span class="nx">location</span><span class="p">?:</span> <span class="nx">Geometry</span> <span class="p">}</span> </code></pre> </div> <h2> Insert GeoJSON </h2> <p>And then finally if you want to insert location data, insert geoJSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ./src/services/user.service.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Geometry</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">geojson</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getRepository</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">typeorm</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">User</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../entities/user</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">createUser</span> <span class="o">=</span> <span class="k">async </span><span class="p">():</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">User</span><span class="o">|</span><span class="kc">undefined</span><span class="o">&gt;</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="na">location</span><span class="p">:</span> <span class="nx">Geometry</span> <span class="o">=</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Point</span><span class="dl">'</span><span class="p">,</span> <span class="na">coordinates</span><span class="p">:</span> <span class="p">[</span><span class="o">-</span><span class="mf">74.534</span><span class="p">,</span> <span class="mf">39.123</span><span class="p">]</span> <span class="p">}</span> <span class="c1">// you should validate the geojson here</span> <span class="c1">// https://www.npmjs.com/package/geojson-validation</span> <span class="c1">// if(!validGeoJson(location))throw new Error('invalid GeoJSON')</span> <span class="k">return</span> <span class="nf">getRepository</span><span class="p">(</span><span class="nx">User</span><span class="p">)</span> <span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="nx">location</span> <span class="p">})</span> <span class="p">.</span><span class="nf">save</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <h2> Retrieve GeoJSON </h2> <p>And then when you query the object you will get <code>location</code> as type <code>Geometry</code>.</p> <p>That's it!</p> <p>Hi I'm <a href="https://emmanuelnk.com">Emmanuel</a>! I write about Software and DevOps.</p> <p>If you liked this article and want to see more, add me on <a href="https://www.linkedin.com/in/emmanuel-nsubuga-kyeyune/">LinkedIn</a> or follow me on <a href="https://twitter.com/emmanuel_n_k">Twitter</a></p> typescript typeorm wkt geojson Part 4 - Wordpress EC2 instance in ASG with RDS database and ALB- Awesome AWS CDK Emmanuel K Mon, 24 May 2021 10:48:41 +0000 https://dev.to/emmanuelnk/part-4-wordpress-ec2-instance-in-asg-with-rds-database-and-alb-awesome-aws-cdk-3cij https://dev.to/emmanuelnk/part-4-wordpress-ec2-instance-in-asg-with-rds-database-and-alb-awesome-aws-cdk-3cij <ul> <li>Introduction</li> <li>Abbreviations</li> <li> Setup <ul> <li>Setup AWS configuration and CDK</li> <li>Create a new project</li> <li>Project structure</li> <li>Config</li> </ul> </li> <li> VPC <ul> <li>Setup</li> </ul> </li> <li> RDS <ul> <li>Setup</li> </ul> </li> <li> Application Load Balancer <ul> <li>Important Load Balancer concepts</li> <li>Setup</li> </ul> </li> <li> EC2 via Autoscaling Group <ul> <li>Setup</li> <li>User script</li> <li>EC2 instance in ASG</li> </ul> </li> <li> Deployment <ul> <li>Local machine</li> <li>Github Actions</li> <li>Destroying the stack</li> </ul> </li> <li>Final result</li> <li> Conclusion <ul> <li>Debugging</li> <li>Homework Assignments</li> </ul> </li> </ul> <h1> Introduction </h1> <p>Hot off the heels (more than one month ago lol) of the last post, we're going to provision better infrastructure for our Wordpress powered website using the AWS CDK!</p> <p>In this tutorial, you will learn how to:</p> <ul> <li>setup a Wordpress EC2 instance in an Autoscaling Group (ASG) that is attached to an Application Load Balancer (ALB)</li> <li>setup AWS RDSMySQL database using the CDK</li> <li>place your RDS MySQL database in an isolated subnet in a custom VPC for better security</li> <li>SSH into the Wordpress instance using AWS SSM and IAM credentials</li> <li>add CI/CD to your deployment so that you can deploy to multiple environments via Github actions</li> </ul> <p>All of this will be done in the CDK without needing you to even open the AWS web console. How awesome is that?</p> <p>The repository of this project is <a href="https://github.com/emmanuelnk/wordpress-ec2-rds" rel="noopener noreferrer">emmanuelnk/wordpress-ec2-rds</a>. You can find all the final code files here.</p> <p>Alright, let's go!</p> <h1> Abbreviations </h1> <p>I may use certain abbreviations throughout this tutorial. When using AWS generally, these abbreviations are quite common due to the insanely verbose names AWS gives its services</p> <ul> <li>ALB - <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html" rel="noopener noreferrer">Application Load Balancer</a> </li> <li>ASG - <a href="https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html" rel="noopener noreferrer">AutoScaling Group</a> </li> <li>AWS SM - <a href="https://aws.amazon.com/secrets-manager/" rel="noopener noreferrer">AWS Secrets Manager</a> </li> <li>GA - <a href="https://github.com/features/actions" rel="noopener noreferrer">Github Actions</a> </li> </ul> <h1> Setup </h1> <h2> Setup AWS configuration and CDK </h2> <ul> <li>As usual, you're going to have to ensure you have your AWS dev environment set up (crendentials and config). </li> <li>See <a href="https://dev.to/emmanuelnk/awesome-aws-cdk-part-2-setting-up-aws-cdk-3ggj">Awesome AWS CDK - Part 2 - Setting up AWS CDK</a> for how to do this.</li> </ul> <h2> Create a new project </h2> <ul> <li> <p>Make a new directory and init a new TS project:<br> </p> <pre class="highlight shell"><code><span class="nb">mkdir </span>wordpress-ec2-rds <span class="o">&amp;&amp;</span> <span class="nb">cd </span>wordpress-ec2-rds cdk init <span class="nt">--language</span> typescript </code></pre> </li> <li><p><strong>NOTE:</strong> Sometimes it so happens that the <code>cdk init</code> installs an old verison of <code>cdk-core</code>. A version mismatch between <code>@aws-cdk/core</code> and <code>@aws-cdk/aws-SOME_SERVICE</code> can cause errors in Typescript. </p></li> <li> <p>If you get any weird TS errors while writing CDK code, try checking <code>package.json</code> to ensure you're using the latest version of <code>@aws-cdk/core</code> and that that version matches exactly with other CDK packages e.g. below <code>aws-core</code> and other <code>aws-cdk</code> packages are all on version <code>1.102.0</code><br> </p> <pre class="highlight json"><code><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">package.json</span><span class="w"> </span><span class="nl">"dependencies"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@aws-cdk/aws-ec2"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^1.102.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@aws-cdk/aws-rds"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^1.102.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@aws-cdk/aws-secretsmanager"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^1.102.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"@aws-cdk/core"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^1.102.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"dotenv"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^8.4.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"source-map-support"</span><span class="p">:</span><span class="w"> </span><span class="s2">"^0.5.16"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </li> <li> <p>To be on the safe side, everytime you start a new CDK project, just run:<br> </p> <pre class="highlight shell"><code>npm <span class="nb">install</span> @aws-cdk/core@latest </code></pre> </li> </ul> <h2> Project structure </h2> <p>In the last tutorial, we put all of our infrastructure in one file. This is fine if you're provisioning a few resources. However it's always better to split your resources logically into different files to make the project easier to manage. </p> <p>This time, we will create a folder called constructs (a construct is just a particular class that is created from a base service class) i.e. we will then create the following files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">mkdir </span>lib/constructs <span class="nb">touch </span>lib/constructs/ec2.ts <span class="nb">touch </span>lib/constructs/alb.ts <span class="nb">touch </span>lib/constructs/rds.ts <span class="nb">touch </span>lib/constructs/vpc.ts <span class="nb">touch </span>lib/config.ts <span class="nb">touch</span> .env </code></pre> </div> <p>where each construct file will contains a specfic AWS service. These constructs will then be imported into the base infrastructure file that the CDK created for us (<code>lib/wordpress-ec2-rds-stack.ts</code>)</p> <p>We also create a <code>config.ts</code> file to hold our configurations and a <code>.env</code> file to contain our envrionment variables.</p> <p>(Optional) add a CI file for Github Actions. At the end of the tutorial I will show you how to deploy to either or both <code>prod</code> and <code>dev</code> using Github Actions<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">mkdir</span> <span class="nt">-p</span> .github/workflows/deploy.yml </code></pre> </div> <p>These are thus the files we will concentrate on:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>├── bin │ └── wordpress-ec2-rds.ts <span class="c"># entry file</span> ├── lib │ ├── config.ts <span class="c"># stack and account config</span> │ ├── constructs │ │ └── ec2.ts │ │ └── rds.ts │ │ └── alb.ts │ │ └── vpc.ts │ └── wordpress-ec2-rds-stack.ts <span class="c"># where we import the constructs</span> ├── <span class="nb">test</span> │ └── wordpress-ec2-rds.test.ts <span class="c"># where we test our infrastructure</span> ├── .github │ ├── workflows │ │ └── deploy.yml <span class="c"># CI/CD config file (Github Actions)</span> └── .env <span class="c"># environment variables</span> </code></pre> </div> <h2> Config </h2> <ul> <li> <p>Let's install some required dependencies first<br> </p> <pre class="highlight plaintext"><code>npm install dotenv </code></pre> </li> <li> <p>Let's write our configuration file (<code>lib/config.ts</code>):<br> </p> <pre class="highlight typescript"><code><span class="c1">// lib/config.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">dotenv</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">dotenv</span><span class="dl">'</span> <span class="c1">// load our environment variables from .env</span> <span class="nx">dotenv</span><span class="p">.</span><span class="nf">config</span><span class="p">()</span> <span class="c1">// this will be used in resource names</span> <span class="kd">const</span> <span class="nx">stage</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STAGE</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">dev</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="c1">// we'll use this prefix to help name our provisioned resources</span> <span class="na">projectName</span><span class="p">:</span> <span class="s2">`wordpress-ec2-rds-</span><span class="p">${</span><span class="nx">stage</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">stage</span><span class="p">,</span> <span class="na">stack</span><span class="p">:</span> <span class="p">{</span> <span class="na">account</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AWS_ACCOUNT_NUMBER</span><span class="p">,</span> <span class="na">region</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AWS_REGION</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">us-west-2</span><span class="dl">'</span> <span class="p">},</span> <span class="na">deployedBy</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DEPLOYED_BY</span> <span class="o">||</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">USER</span><span class="p">,</span> <span class="p">}</span> </code></pre> </li> <li> <p>Let's create our <code>.env</code> file. The variables below are used to aid deployment from localhost as you will see later.<br> </p> <pre class="highlight plaintext"><code>STAGE=dev AWS_ACCOUNT_NUMBER=XXXXXXXXXXXXX AWS_REGION=us-west-2 DEPLOYED_BY=john.doe </code></pre> </li> <li> <p>Let's modify our entry file (<code>bin/wordpress-ec2-rds.ts</code>) from this<br> </p> <pre class="highlight typescript"><code><span class="c1">// bin/wordpress-ec2-rds.ts</span><span class="cp"> #!/usr/bin/env node </span><span class="k">import</span> <span class="dl">'</span><span class="s1">source-map-support/register</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">WordpressEc2RdsStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/wordpress-ec2-rds-stack</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">();</span> <span class="k">new</span> <span class="nc">WordpressEc2RdsStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">WordpressEc2RdsStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="cm">/* If you don't specify 'env', this stack will be environment-agnostic. * Account/Region-dependent features and context lookups will not work, * but a single synthesized template can be deployed anywhere. */</span> <span class="cm">/* Uncomment the next line to specialize this stack for the AWS Account * and Region that are implied by the current CLI configuration. */</span> <span class="c1">// env: { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION },</span> <span class="cm">/* Uncomment the next line if you know exactly what Account and Region you * want to deploy the stack to. */</span> <span class="c1">// env: { account: '123456789012', region: 'us-east-1' },</span> <span class="cm">/* For more information, see https://docs.aws.amazon.com/cdk/latest/guide/environments.html */</span> <span class="p">});</span> </code></pre> </li> <li> <p>to this:<br> </p> <pre class="highlight typescript"><code><span class="c1">// bin/wordpress-ec2-rds.ts</span> <span class="k">import</span> <span class="dl">'</span><span class="s1">source-map-support/register</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">WordpressEc2RdsStack</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/wordpress-ec2-rds-stack</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">config</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/config</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">();</span> <span class="k">new</span> <span class="nc">WordpressEc2RdsStack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">WordpressEc2RdsStack</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">env</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">env</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Deploys resources for RDS and S3 powered Wordpress infrastructure</span><span class="dl">'</span><span class="p">,</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">Project</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">,</span> <span class="na">Deployedby</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">deployedBy</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </li> <li><p><strong>Note:</strong> It's very important to let the CDK know what account and region you will deploy the stack to. This is why we explicitly set the <code>env</code> object (which contains <code>account</code> and <code>region</code> from your environment variables)</p></li> </ul> <p>Our configuration files and entry files are nopw mostly set up. Let's get to creating our construct files.</p> <h1> VPC </h1> <p>In short, a VPC (Virtual Private Cloud) is virtual local network (VLAN) that you create on your cloud service provider. You can then add resources to this network and rest assured this network is separated (isolated) from other people's resources on the cloud provider. This has many advantages, the biggest one being security. </p> <p>A VPC, essentially being a virtual LAN looks like this: <code>172.25.0.0/16</code>. To understand what I just wrote, its important to understand:</p> <ul> <li> <a href="https://www.computernetworkingnotes.com/ip-tutorials/ip-address-network-address-and-host-address-explained.html" rel="noopener noreferrer">network addresses, host addresses, subnet masks</a> </li> <li><a href="https://www.keycdn.com/support/what-is-cidr" rel="noopener noreferrer">CIDR - Classless Inter-Domain Routing</a></li> </ul> <p>Additionally, <a href="https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html" rel="noopener noreferrer">here is a great explanation from Amazon on VPCs</a>.</p> <h2> Setup </h2> <ul> <li><code>mkdir -p lib/constructs/vpc.ts</code></li> <li>You can either create a new VPC or import an existing one.</li> <li>Since I do not have a VPC with isolated subnets, I will create a new VPC</li> <li> <p>We need to install the <code>ec2</code> cdk module to get access to VPC creation functions<br> </p> <pre class="highlight shell"><code>npm <span class="nb">install</span> @aws-cdk/aws-ec2 </code></pre> </li> <li> <p>Here we create the new VPC<br> </p> <pre class="highlight typescript"><code><span class="c1">// lib/constructs/vpc.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-ec2</span><span class="dl">'</span> <span class="kr">interface</span> <span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">prefix</span><span class="p">:</span> <span class="kr">string</span> <span class="nx">cidr</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span> <span class="cm">/** * Creates a new custom VPC * * @param {cdk.Construct} scope stack application scope * @param {StackProps} props props needed to create the resource * */</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CustomVPC</span> <span class="p">{</span> <span class="c1">// we export the vpc we just created so other resources can use it</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">vpc</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">IVpc</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">vpc</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Vpc</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-vpc`</span><span class="p">,</span> <span class="p">{</span> <span class="na">maxAzs</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="c1">// RDS requires at least 2 availability zones</span> <span class="na">cidr</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">cidr</span><span class="p">,</span> <span class="c1">// the ip address block of the vpc e.g. '172.22.0.0/16'</span> <span class="na">enableDnsHostnames</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">enableDnsSupport</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// expensive -- we don't need that yet (we have no PRIVATE subnets)</span> <span class="na">natGateways</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">subnetConfiguration</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">22</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-public-`</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span><span class="p">,</span> <span class="c1">// for WP instance</span> <span class="p">},</span> <span class="p">{</span> <span class="na">cidrMask</span><span class="p">:</span> <span class="mi">22</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-isolated-`</span><span class="p">,</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">ISOLATED</span><span class="p">,</span> <span class="c1">// for RDS DB</span> <span class="p">},</span> <span class="p">],</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </li> <li><p>Here it's important to note that <code>scope</code> represents the base infrastructure class constructor that the new DefaultVPC instance will be created in. It comes from <code>lib/wordpress-ec2-rds-stack.ts</code></p></li> <li><p>Thus let's fetch our custom VPC inside the <code>lib/wordpress-ec2-rds-stack.ts</code> contructor.</p></li> <li> <p>Change <code>lib/wordpress-ec2-rds-stack.ts</code> from:<br> </p> <pre class="highlight typescript"><code><span class="c1">// lib/wordpress-ec2-rds-stack.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">WordpressEc2RdsStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">?:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// The code that defines your stack goes here</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </li> <li> <p>to this:<br> </p> <pre class="highlight typescript"><code><span class="c1">// lib/wordpress-ec2-rds-stack.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CustomVPC</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./constructs/vpc</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">WordpressEc2RdsStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">?:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// The code that defines your stack goes here</span> <span class="c1">// VPC -- fetch the custom VPC</span> <span class="kd">const</span> <span class="nx">customVPC</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CustomVPC</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="p">{</span> <span class="na">prefix</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">,</span> <span class="na">cidr</span><span class="p">:</span> <span class="dl">'</span><span class="s1">172.22.0.0/16</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </li> <li><p>If you're not sure about what all these configurations mean, you can read more about configuring VPCs in AWS in this <a href="https://www.simplilearn.com/tutorials/aws-tutorial/aws-vpc" rel="noopener noreferrer">tutorial</a></p></li> <li><p>The important takeaway for this tutorial is that your custom VPC has both PUBLIC and ISOLATED (or PRIVATE) subnets</p></li> </ul> <h1> RDS </h1> <p>From the horse's <a href="https://aws.amazon.com/rds/" rel="noopener noreferrer">mouth</a>:</p> <blockquote> <p>Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.</p> <p>Amazon RDS is available on several <a href="https://aws.amazon.com/rds/instance-types/" rel="noopener noreferrer">database instance types</a> - optimized for memory, performance or I/O - and provides you with six familiar database engines to choose from, including <a href="https://aws.amazon.com/rds/aurora/" rel="noopener noreferrer">Amazon Aurora</a>, <a href="https://aws.amazon.com/rds/postgresql/" rel="noopener noreferrer">PostgreSQL</a>, <a href="https://aws.amazon.com/rds/mysql/" rel="noopener noreferrer">MySQL</a>, <a href="https://aws.amazon.com/rds/mariadb/" rel="noopener noreferrer">MariaDB</a>, <a href="https://aws.amazon.com/rds/oracle/" rel="noopener noreferrer">Oracle Database</a>, and <a href="https://aws.amazon.com/rds/sqlserver/" rel="noopener noreferrer">SQL Server</a>. You can use the <a href="https://aws.amazon.com/dms/" rel="noopener noreferrer">AWS Database Migration Service</a> to easily migrate or replicate your existing databases to Amazon RDS.</p> </blockquote> <p>In the last tutorial, we installed and ran the MySQL database on the same instance running Wordpress. You usually want to have your database on a separate (and managed) instance so that you can easily configure it, scale or resize it, back it up, secure it behind a private subnet etc AWS RDS is thus perfect for our use case</p> <h2> Setup </h2> <ul> <li> <p>Create the cdk construct file<br> </p> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> lib/constructs/rds.ts </code></pre> </li> <li> <p>Let's install the cdk modules that we need<br> </p> <pre class="highlight shell"><code>npm <span class="nb">install</span> @aws-cdk/aws-rds @aws-cdk/aws-secretsmanager </code></pre> </li> <li> <p>Let's import what we need<br> </p> <pre class="highlight typescript"><code><span class="c1">// lib/constructs/rds.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-ec2</span><span class="dl">'</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">rds</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-rds</span><span class="dl">'</span> <span class="c1">// this is where we will keep our database credentials e.g. user, password, host etc</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">secrets</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-secretsmanager</span><span class="dl">'</span> </code></pre> </li> <li><p>Since the RDS construct is initialized from the base infrastructure class, when we create a new instance we can pass some needed properties</p></li> <li> <p>For example, we need to know the vpc we want to use, the database port or user we would like to use, the name of the secret in secretsmanager that will keep our db secrets etc<br> </p> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">StackProps</span> <span class="p">{</span> <span class="c1">// this is useful when deploying to multiple environments e.g. prod, dev</span> <span class="nl">prefix</span><span class="p">:</span> <span class="kr">string</span> <span class="nx">vpc</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span> <span class="nx">user</span><span class="p">:</span> <span class="kr">string</span> <span class="nx">port</span><span class="p">:</span> <span class="kr">number</span> <span class="nx">database</span><span class="p">:</span> <span class="kr">string</span> <span class="nx">secretName</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span> <span class="cm">/** * Creates a MySQL DB on AWS RDS * * @param {cdk.Construct} scope stack application scope * @param {StackProps} props props needed to create the resource * */</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">MySQLRdsInstance</span> <span class="p">{</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">databaseSecretName</span><span class="p">:</span> <span class="kr">string</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">StackProps</span><span class="p">){</span> <span class="c1">// this is where all the following code will go</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </li> </ul> <p>Eveything that follows is inside the constructor of <code>MySQLRdsInstance</code> i.e. right below the <code>// this is where all the following code will go</code> comment:</p> <ul> <li> <p>Let's get our vpc from the props we just created<br> </p> <pre class="highlight typescript"><code> <span class="c1">// use the vpc we expoted from lib/constructs/vpc.ts</span> <span class="kd">const</span> <span class="nx">customVPC</span> <span class="o">=</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span> </code></pre> </li> <li> <p>Create a security group to allow connections only from inside the vpc<br> </p> <pre class="highlight typescript"><code> <span class="c1">// create the security group for RDS instance</span> <span class="kd">const</span> <span class="nx">ingressSecurityGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-rds-ingress`</span><span class="p">,{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">customVPC</span><span class="p">,</span> <span class="na">securityGroupName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-rds-ingress-sg`</span><span class="p">,</span> <span class="p">})</span> <span class="nx">ingressSecurityGroup</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span> <span class="c1">// defaultVPC.vpcCidrBlock refers to all the IP addresses in defaultVPC</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">ipv4</span><span class="p">(</span><span class="nx">defaultVPC</span><span class="p">.</span><span class="nx">vpcCidrBlock</span><span class="p">),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">port</span> <span class="o">||</span> <span class="mi">3306</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allows only local resources inside VPC to access this MySQL port (default -- 3306)</span><span class="dl">'</span> <span class="p">)</span> </code></pre> </li> <li> <p>Generate the database secrets using Secrets Manager<br> </p> <pre class="highlight typescript"><code> <span class="c1">// Dynamically generate the username and password, then store in secrets manager</span> <span class="kd">const</span> <span class="nx">databaseCredentialsSecret</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">secrets</span><span class="p">.</span><span class="nc">Secret</span><span class="p">(</span> <span class="nx">scope</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-MySQLCredentialsSecret`</span><span class="p">,</span> <span class="p">{</span> <span class="na">secretName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">secretName</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Credentials to access Wordpress MYSQL Database on RDS</span><span class="dl">'</span><span class="p">,</span> <span class="na">generateSecretString</span><span class="p">:</span> <span class="p">{</span> <span class="na">secretStringTemplate</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">username</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">user</span> <span class="p">}),</span> <span class="na">excludePunctuation</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">includeSpace</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">generateStringKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="p">)</span> </code></pre> </li> <li> <p>Now let's create our RDS MySQL instance<br> </p> <pre class="highlight typescript"><code> <span class="kd">const</span> <span class="nx">mysqlRDSInstance</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">rds</span><span class="p">.</span><span class="nc">DatabaseInstance</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-MySqlRDSInstance`</span><span class="p">,</span> <span class="p">{</span> <span class="na">credentials</span><span class="p">:</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">Credentials</span><span class="p">.</span><span class="nf">fromSecret</span><span class="p">(</span><span class="nx">databaseCredentialsSecret</span><span class="p">),</span> <span class="na">engine</span><span class="p">:</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">DatabaseInstanceEngine</span><span class="p">.</span><span class="nf">mysql</span><span class="p">({</span> <span class="na">version</span><span class="p">:</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">MysqlEngineVersion</span><span class="p">.</span><span class="nx">VER_5_7_31</span> <span class="p">}),</span> <span class="na">port</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">port</span><span class="p">,</span> <span class="na">allocatedStorage</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="na">storageType</span><span class="p">:</span> <span class="nx">rds</span><span class="p">.</span><span class="nx">StorageType</span><span class="p">.</span><span class="nx">GP2</span><span class="p">,</span> <span class="na">backupRetention</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Duration</span><span class="p">.</span><span class="nf">days</span><span class="p">(</span><span class="mi">7</span><span class="p">),</span> <span class="c1">// t2.micro is free tier so we use it </span> <span class="na">instanceType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nb">InstanceType</span><span class="p">.</span><span class="k">of</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceClass</span><span class="p">.</span><span class="nx">T2</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceSize</span><span class="p">.</span><span class="nx">MICRO</span> <span class="p">),</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">customVPC</span><span class="p">,</span> <span class="c1">// we chose to place our database in an isolated subnet of our VPC</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">ISOLATED</span> <span class="p">},</span> <span class="c1">// if we destroy our database, AWS will take a snapshot of the database instance before terminating it</span> <span class="na">removalPolicy</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">RemovalPolicy</span><span class="p">.</span><span class="nx">SNAPSHOT</span><span class="p">,</span> <span class="c1">// accidental deletion protection -- you need to manually disable this in AWS web console to delete the database</span> <span class="na">deletionProtection</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">securityGroups</span><span class="p">:</span> <span class="p">[</span><span class="nx">ingressSecurityGroup</span><span class="p">],</span> <span class="p">})</span> </code></pre> </li> <li><p>View the final file <a href="https://github.com/emmanuelnk/wordpress-ec2-rds/blob/master/lib/constructs/rds.ts" rel="noopener noreferrer">here</a></p></li> <li> <p>Then let's import the RDS construct in our <code>lib/wordpress-ec2-rds-stack.ts</code> file:<br> </p> <pre class="highlight typescript"><code> <span class="c1">// lib/wordpress-ec2-rds-stack.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DefaultVPC</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./constructs/vpc</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">MySQLRdsInstance</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./constructs/rds</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">config</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./config</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">WordpressEc2RdsStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">?:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// The code that defines your stack goes here</span> <span class="c1">// VPC -- fetch the default VPC</span> <span class="kd">const</span> <span class="nx">defaultVPC</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DefaultVPC</span><span class="p">(</span><span class="k">this</span><span class="p">)</span> <span class="c1">// RDS -- create the mysql database</span> <span class="k">new</span> <span class="nc">MySQLRdsInstance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="p">{</span> <span class="na">prefix</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">defaultVPC</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="c1">// deploy the database in the default VPC!</span> <span class="na">user</span><span class="p">:</span> <span class="dl">'</span><span class="s1">wordpress_admin</span><span class="dl">'</span><span class="p">,</span> <span class="na">database</span><span class="p">:</span> <span class="dl">'</span><span class="s1">awesome-wp-site-db</span><span class="dl">'</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="mi">3306</span><span class="p">,</span> <span class="c1">// DB credentials will be saved under this pathname in AWS Secrets Manager</span> <span class="na">secretName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">}</span><span class="s2">/rds/mysql/credentials`</span><span class="p">,</span> <span class="c1">// secret pathname</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </li> </ul> <h1> Application Load Balancer </h1> <p>From the horse's <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html" rel="noopener noreferrer">mouth</a>:</p> <blockquote> <p>Elastic Load Balancing automatically distributes your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. It monitors the health of its registered targets, and routes traffic only to the healthy targets. Elastic Load Balancing scales your load balancer as your incoming traffic changes over time. It can automatically scale to the vast majority of workloads.<br> Elastic Load Balancing supports the following load balancers: Application Load Balancers (ALBs), Network Load Balancers (NLBs), Gateway Load Balancers (GLBs), and Classic Load Balancers (CLBs).</p> </blockquote> <h2> Important Load Balancer concepts </h2> <ul> <li>A <em>load balancer</em> serves as the single point of contact for clients. The load balancer distributes incoming application traffic across multiple targets, such as EC2 instances, in multiple Availability Zones. This increases the availability of your application. You add one or more listeners to your load balancer.</li> <li>A <em>listener</em> checks for connection requests from clients, using the protocol and port that you configure. The rules that you define for a listener determine how the load balancer routes requests to its registered targets. Each rule consists of a priority, one or more actions, and one or more conditions. When the conditions for a rule are met, then its actions are performed. You must define a default rule for each listener, and you can optionally define additional rules.</li> <li>Each <em>target group</em> routes requests to one or more registered targets, such as EC2 instances, using the protocol and port number that you specify. You can register a target with multiple target groups. You can configure health checks on a per target group basis. Health checks are performed on all targets registered to a target group that is specified in a listener rule for your load balancer.</li> </ul> <h2> Setup </h2> <ul> <li>For this tutorial we will be setting up an ALB.</li> <li>You can read about the difference between ALB, NLB and CLB <a href="https://medium.com/awesome-cloud/aws-difference-between-application-load-balancer-and-network-load-balancer-cb8b6cd296a4" rel="noopener noreferrer">here</a> </li> <li> <p>Create a new file to define the ALB in and install required CDK dependency<br> </p> <pre class="highlight shell"><code><span class="nb">touch </span>lib/constructs/alb.ts npm <span class="nb">install</span> @aws-cdk/aws-elasticloadbalancingv2 </code></pre> </li> <li><p>In the newly created file:<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/constructs/alb.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-ec2</span><span class="dl">'</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">elbv2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-elasticloadbalancingv2</span><span class="dl">'</span> <span class="kr">interface</span> <span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">prefix</span><span class="p">:</span> <span class="kr">string</span> <span class="nx">vpc</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">IVpc</span> <span class="p">}</span> <span class="cm">/** * Creates an Application Load Balancer for our Wordpress stack * * @param {cdk.Construct} scope stack application scope * @param {StackProps} props props needed to create the resource * */</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">WordpressApplicationLoadBalancer</span> <span class="p">{</span> <span class="c1">// export the DNS name of the load balancer for WP install </span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">loadBalancerDnsName</span><span class="p">:</span> <span class="kr">string</span> <span class="c1">// export ALB listener so we can attach autoscaling group</span> <span class="nx">listener</span><span class="p">:</span> <span class="nx">elbv2</span><span class="p">.</span><span class="nx">IApplicationListener</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">alb</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">elbv2</span><span class="p">.</span><span class="nc">ApplicationLoadBalancer</span><span class="p">(</span> <span class="nx">scope</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-alb`</span><span class="p">,</span> <span class="p">{</span> <span class="na">loadBalancerName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-alb`</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="na">internetFacing</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">}</span> <span class="p">)</span> <span class="c1">// we need to expose the dns name of the load balancer</span> <span class="c1">// so we can use it when installing Wordpress later</span> <span class="k">this</span><span class="p">.</span><span class="nx">loadBalancerDnsName</span> <span class="o">=</span> <span class="nx">alb</span><span class="p">.</span><span class="nx">loadBalancerDnsName</span> <span class="c1">// we will need the listener to add our autoscaling group later</span> <span class="k">this</span><span class="p">.</span><span class="nx">listener</span> <span class="o">=</span> <span class="nx">alb</span><span class="p">.</span><span class="nf">addListener</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-alb-listener`</span><span class="p">,</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">open</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">})</span> <span class="c1">// print out the dns name of the alb</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-alb-dns-name`</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">alb</span><span class="p">.</span><span class="nx">loadBalancerDnsName</span><span class="p">,</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Then let’s import the ALB construct in our <code>lib/wordpress-ec2-rds-stack.ts</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/wordpress-ec2-rds-stack.ts</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DefaultVPC</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./constructs/vpc</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">MySQLRdsInstance</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./constructs/rds</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">WordpressApplicationLoadBalancer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./constructs/alb</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">config</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./config</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">WordpressEc2RdsStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">?:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">);</span> <span class="c1">// The code that defines your stack goes here</span> <span class="c1">// VPC -- fetch the default VPC</span> <span class="kd">const</span> <span class="nx">defaultVPC</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">DefaultVPC</span><span class="p">(</span><span class="k">this</span><span class="p">)</span> <span class="c1">// RDS -- create the mysql database</span> <span class="k">new</span> <span class="nc">MySQLRdsInstance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="p">{</span> <span class="na">prefix</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">defaultVPC</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="c1">// deploy the database in the default VPC!</span> <span class="na">user</span><span class="p">:</span> <span class="dl">'</span><span class="s1">wordpress_admin</span><span class="dl">'</span><span class="p">,</span> <span class="na">database</span><span class="p">:</span> <span class="dl">'</span><span class="s1">awesome-wp-site-db</span><span class="dl">'</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="mi">3306</span><span class="p">,</span> <span class="c1">// DB credentials will be saved under this pathname in AWS Secrets Manager</span> <span class="na">secretName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">}</span><span class="s2">/rds/mysql/credentials`</span><span class="p">,</span> <span class="c1">// secret pathname</span> <span class="p">})</span> <span class="c1">// ALB -- for our single instance</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">loadBalancerDnsName</span><span class="p">,</span> <span class="nx">listener</span> <span class="p">}</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">WordpressApplicationLoadBalancer</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="p">{</span> <span class="na">prefix</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">customVPC</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h1> EC2 via Autoscaling Group </h1> <p>In the last tutorial, we used the CDK to launch a single EC2 instance. This time, we will do the same thing, however, we will launch the instance using an ASG. </p> <p>From the horse's <a href="https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html" rel="noopener noreferrer">mouth</a>:</p> <blockquote> <p>An <em>Auto Scaling group</em> contains a collection of Amazon EC2 instances that are treated as a logical grouping for the purposes of automatic scaling and management. An Auto Scaling group also enables you to use Amazon EC2 Auto Scaling features such as health check replacements and scaling policies. Both maintaining the number of instances in an Auto Scaling group and automatic scaling are the core functionality of the Amazon EC2 Auto Scaling service.</p> <p>The size of an Auto Scaling group depends on the number of instances that you set as the desired capacity. You can adjust its size to meet demand, either manually or by using automatic scaling.</p> <p>An Auto Scaling group starts by launching enough instances to meet its desired capacity. It maintains this number of instances by performing periodic health checks on the instances in the group. The Auto Scaling group continues to maintain a fixed number of instances even if an instance becomes unhealthy. If an instance becomes unhealthy, the group terminates the unhealthy instance and launches another instance to replace it. For more information, see <a href="https://docs.aws.amazon.com/autoscaling/ec2/userguide/healthcheck.html" rel="noopener noreferrer">Health checks for Auto Scaling instances</a>.</p> </blockquote> <ul> <li>In our use case, we will use just one instance. This is because Wordpress is installed to the volume attached to this singular instance. If we launched more than two instances, then we would be redirecting users to two seperate WP installations (that may end up having different uploaded content, plugins etc because these files are installed to the file volumes).</li> <li>This is desirable in certain cases e.g. if you want to serve users in different geographic regions different website content (without changing the url).</li> <li>For most users however, the main use case of autoscaling is to spread server load horizonatally across instances. </li> <li>A work-around that I did not implement in this tutorial is to sync uploaded content to S3 and use a shared EFS file system for the wordpress installation (something which I may look at in detail in another tutorial or at the ednof this one)</li> <li> <em>What then is the purpose of using an ASG with just one desired instance?</em> Good question. For this tutorial, it is mostly used to warm you up to the concept of using ASGs and Load Balancers. In later tutorials, I will write applications that are better at utilizing ASGs than Wordpress. Also, if you instance should get accidentally terminated somehow, the ASG will immediately spin up another one. Awesome!</li> </ul> <h2> Setup </h2> <ul> <li> <p>Create the file to hold our EC2 constructs and install dependecies<br> </p> <pre class="highlight shell"><code><span class="nb">touch </span>lib/constructs/ec2/ts npm <span class="nb">install</span> @aws-cdk/aws-secretsmanager @aws-cdk/aws-autoscaling </code></pre> </li> <li><p>This time, instead of using an SSH key, we will use <code>aws-ssm</code> and IAM to access our instances via SSH</p></li> <li><p>We will place our instance in an autoscaling group with a maximum and minimum capacity of 1</p></li> <li><p>We are also going to define a helper function to help do some string replacement later on. We will be using this function to insert envrionment secrets into our user script.</p></li> <li> <p><code>touch lib/utils.ts</code><br> </p> <pre class="highlight typescript"><code><span class="c1">// lib/utils.ts</span> <span class="cm">/** * Replaces all given substring in a text with new substring e.g. * * @example * const text = 'The woman and man and woman and man' * const wordsArray = [{ man: 'boy' }, { woman: 'girl' }] * * console.log(replaceAllSubstrings(wordsArray, text)) * // The girl and boy and girl and boy * * @param {Array&lt;Record&lt;string, string&gt;&gt;} wordsArray the words to be substituted and the words to substitute them with * @param {string} text the text from which to substitute the given sub strings * @returns the altered text */</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">replaceAllSubstrings</span> <span class="o">=</span> <span class="p">(</span> <span class="nx">wordsArray</span><span class="p">:</span> <span class="nb">Array</span><span class="o">&lt;</span><span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;&gt;</span><span class="p">,</span> <span class="nx">text</span><span class="p">:</span> <span class="kr">string</span> <span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">wordsArray</span><span class="p">.</span><span class="nf">reduce</span><span class="p">(</span> <span class="p">(</span><span class="nx">f</span><span class="p">,</span> <span class="nx">s</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">`</span><span class="p">${</span><span class="nx">f</span><span class="p">}</span><span class="s2">`</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="k">new</span> <span class="nc">RegExp</span><span class="p">(</span><span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">s</span><span class="p">)[</span><span class="mi">0</span><span class="p">],</span> <span class="dl">'</span><span class="s1">g</span><span class="dl">'</span><span class="p">),</span> <span class="nx">s</span><span class="p">[</span><span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">s</span><span class="p">)[</span><span class="mi">0</span><span class="p">]]),</span> <span class="nx">text</span> <span class="p">)</span> </code></pre> </li> <li> <p>Inside <code>lib/constructs/ec2.ts</code>, we start by getting our imports<br> </p> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-ec2</span><span class="dl">'</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">secrets</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-secretsmanager</span><span class="dl">'</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">autoscaling</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-autoscaling</span><span class="dl">'</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">iam</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-iam</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">config</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../config</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">replaceAllSubstrings</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../utils</span><span class="dl">'</span> </code></pre> </li> <li> <p>We then define the <code>props</code> for the EC2 instance class we are defining<br> </p> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">StackProps</span> <span class="p">{</span> <span class="nl">prefix</span><span class="p">:</span> <span class="kr">string</span> <span class="nx">vpc</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">IVpc</span> <span class="cm">/* the dns name of the ALB */</span> <span class="nx">dnsName</span><span class="p">:</span> <span class="kr">string</span> <span class="cm">/* the path of the db access secret in AWS SM */</span> <span class="nx">dbSecretName</span><span class="p">:</span> <span class="kr">string</span> <span class="cm">/* the path of the wp admin secret in AWS SM */</span> <span class="nx">wpSecretName</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span> </code></pre> </li> <li> <p>We then define a new class to hold our construct code<br> </p> <pre class="highlight typescript"><code><span class="cm">/** * Creates the Wordpress EC2 AutoscalingGroup * * @param {cdk.Construct} scope stack application scope * @param {StackProps} props props needed to create the resource * */</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">WordpressAutoScalingGroup</span> <span class="p">{</span> <span class="c1">// export our newly created instance</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">asg</span><span class="p">:</span> <span class="nx">autoscaling</span><span class="p">.</span><span class="nx">AutoScalingGroup</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">props</span><span class="p">:</span> <span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// all the code will go here</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </li> <li> <p>Inside the constructor, we can start by importing the custom vpc, defining a role for ur ec2 instance and creating the necessary security groups:<br> </p> <pre class="highlight typescript"><code> <span class="c1">// use the vpc we just created</span> <span class="kd">const</span> <span class="nx">customVPC</span> <span class="o">=</span> <span class="nx">props</span><span class="p">.</span><span class="nx">vpc</span> <span class="c1">// define a role for the wordpress instances</span> <span class="kd">const</span> <span class="nx">role</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-instance-role`</span><span class="p">,</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">CompositePrincipal</span><span class="p">(</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">ec2.amazonaws.com</span><span class="dl">'</span><span class="p">),</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">ssm.amazonaws.com</span><span class="dl">'</span><span class="p">)</span> <span class="p">),</span> <span class="na">managedPolicies</span><span class="p">:</span> <span class="p">[</span> <span class="c1">// allows us to access instance via SSH using IAM and SSM</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nf">fromAwsManagedPolicyName</span><span class="p">(</span> <span class="dl">'</span><span class="s1">AmazonSSMManagedInstanceCore</span><span class="dl">'</span> <span class="p">),</span> <span class="c1">// allows ec2 instance to access secrets maanger and retrieve secrets</span> <span class="nx">iam</span><span class="p">.</span><span class="nx">ManagedPolicy</span><span class="p">.</span><span class="nf">fromAwsManagedPolicyName</span><span class="p">(</span><span class="dl">'</span><span class="s1">SecretsManagerReadWrite</span><span class="dl">'</span><span class="p">),</span> <span class="p">],</span> <span class="p">})</span> <span class="c1">// lets create a security group for the wordpress instance</span> <span class="kd">const</span> <span class="nx">securityGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span> <span class="nx">scope</span><span class="p">,</span> <span class="dl">'</span><span class="s1">wordpress-instances-sg</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">customVPC</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">securityGroupName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">wordpress-instances-sg</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">)</span> <span class="c1">// NB: the WP instance will not be exposed to the public Internet this time</span> <span class="c1">// the Internet can access it through the ALB only</span> <span class="c1">// the admin can access it (the console) via SSM</span> <span class="nx">securityGroup</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">ipv4</span><span class="p">(</span><span class="nx">customVPC</span><span class="p">.</span><span class="nx">vpcCidrBlock</span><span class="p">),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">80</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allows HTTP access from resources inside our VPC (like the ALB)</span><span class="dl">'</span> <span class="p">)</span> </code></pre> </li> <li><p>Since we want to automate the entire installation of WP on our instance, we will need to automate the famous <a href="https://winningwp.com/how-to-install-wordpress-the-famous-five-minute-install-made-simple/" rel="noopener noreferrer">Wordpress 5 minute install</a> (See step 9 in this article).</p></li> <li><p>In order to do this, we need to define secrets for our WP Admin</p></li> <li> <p>Inside <code>lib/config.ts</code>, we can add a new object <code>wordpress</code> to keep some of those secrets:<br> </p> <pre class="highlight typescript"><code><span class="c1">// lib/config.ts</span> <span class="p">...</span> <span class="p">...</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">projectName</span><span class="p">:</span> <span class="s2">`wordpress-ec2-rds-</span><span class="p">${</span><span class="nx">stage</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">...</span> <span class="na">wordpress</span><span class="p">:</span> <span class="p">{</span> <span class="na">admin</span><span class="p">:</span> <span class="p">{</span> <span class="na">username</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WP_ADMIN_USER</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WP_ADMIN_EMAIL</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">admin@whatever.com</span><span class="dl">'</span> <span class="p">},</span> <span class="na">site</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// name of the database WP will use (cannot have hyphens) </span> <span class="na">databaseName</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WP_DB_NAME</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">awesome_wp_site_db</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// the name of our WP website</span> <span class="na">title</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WP_SITE_TITLE</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">awesome-wp-site</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// where we will install WP on our instance volume</span> <span class="na">installPath</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">WP_SITE_INSTALL_PATH</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">/var/www/html/</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </li> <li> <p>Make sure you add those variables in your <code>.env</code> file:<br> </p> <pre class="highlight plaintext"><code>STAGE=dev AWS_ACCOUNT_NUMBER=XXXXXXXXXXXXX AWS_REGION=us-west-2 DEPLOYED_BY=john.doe # Wordpress Site Variables WP_DB_NAME='awesome_wp_site_db' WP_SITE_TITLE='awesome_wp_site' WP_SITE_INSTALL_PATH=/var/www/html/ # Wordpress Admin Secrets WP_ADMIN_EMAIL=admin@awesomewpsite.com WP_ADMIN_USER=admin </code></pre> </li> <li> <p>Let's add the code to add our WP admin secrets in AWS SM for Wordpress Admin as well as generate a new WP Admin password inside the <code>WordpressAutoScalingGroup</code> constructor<br> </p> <pre class="highlight typescript"><code> <span class="p">...</span> <span class="p">...</span> <span class="c1">// secrets for wp admin</span> <span class="k">new</span> <span class="nx">secrets</span><span class="p">.</span><span class="nc">Secret</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="dl">'</span><span class="s1">WordpressAdminSecrets</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">secretName</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">wpSecretName</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Admin credentials to access Wordpress</span><span class="dl">'</span><span class="p">,</span> <span class="na">generateSecretString</span><span class="p">:</span> <span class="p">{</span> <span class="na">secretStringTemplate</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">username</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">wordpress</span><span class="p">.</span><span class="nx">admin</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">wordpress</span><span class="p">.</span><span class="nx">admin</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="p">}),</span> <span class="c1">// will generate a random password under the object key 'password'</span> <span class="na">generateStringKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">})</span> </code></pre> </li> </ul> <h2> User script </h2> <ul> <li>We now need to write our user script to configure Wordpress on our instance and automate the famous 5 minute WP install</li> <li>In summary, we need to first install the dependencies (e.g. Apache, PHP and Wordpress etc) on the instance</li> <li>Then we need to wait for the RDS MySQL database to initialize and be in a ready state <strong>(very important)</strong>. If the database is not ready, then WP installation will fail because you won't be able to create the necessary tables in the database.</li> <li>When the database is ready, we install Wordpress and that's it!</li> <li> <p>Read the comments in the script to understand what's going on<br> </p> <pre class="highlight shell"><code><span class="nb">mkdir </span>lib/scripts <span class="o">&amp;&amp;</span> <span class="nb">touch </span>lib/scripts/wordpress_install.sh </code></pre> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>```bash #! /bin/bash # lib/scripts/wordpress_install.sh #------------------ 0.USEFUL FUNCTIONS # Checks to see if an env is defined (not null) in the bash session is_defined () { for var in "$@" ; do if [ ! -z "${!var}" ] &amp; [ "${!var}" != "null" ]; then echo "$var is set to ${!var}" else echo "$var is not set" return 1 fi done } # Checks if desired db secrets in secrets manager are ready # Db secrets are only fully ready when the RDS DB is ready db_secrets_ready () { if ! is_defined "AWS_REGION" "DB_SECRETS_PATH";then return 0 fi echo "Retrieving secrets..." DB_SECRETS_JSON=$(aws secretsmanager get-secret-value --secret-id $DB_SECRETS_PATH --region $AWS_REGION | jq -r '.SecretString') echo "Retrieved secrets." DB_USER=$(echo $DB_SECRETS_JSON | jq -r '.username') DB_PASS=$(echo $DB_SECRETS_JSON | jq -r '.password') DB_HOST=$(echo $DB_SECRETS_JSON | jq -r '.host') DB_PORT=$(echo $DB_SECRETS_JSON | jq -r '.port') echo "Checking secrets..." if ! is_defined "DB_USER" "DB_PASS" "DB_HOST" "DB_PORT";then echo "Secrets are not ready." return 1 fi echo "Secrets are ready." return 0 } #------------------ 1.INSTALL DEPENDECIES # update dependencies yum -y update # Install Apache yum -y install httpd # Start Apache service httpd start # Install PHP, PHP CLI, JQ, MySQL yum -y install php php-cli php-mysql jq mysql mysqladmin # PHP7 needed for latest wordpress amazon-linux-extras install php7.4 -y # Restart Apache service httpd restart # Install the Wordpress CLI which will help us install Wordpress correctly curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar chmod +x wp-cli.phar mv wp-cli.phar /usr/local/bin/wp #------------------ 2.SET SCRIPT GLOBAL VARIABLES # AWS and Wordpress variables to replace # We will replace these variables in the CDK ec2 construct file # before using the script to launch an ec2 instance DB_SECRETS_PATH=_DB_SECRETS_PATH_ WP_SECRETS_PATH=_WP_SECRETS_PATH_ AWS_REGION=_AWS_REGION_ WP_DB_NAME=_WP_DB_NAME_ WP_SITE_TITLE=_WP_SITE_TITLE_ WP_SITE_INSTALL_PATH=_WP_SITE_INSTALL_PATH_ WP_SITE_BASE_DOMAIN=_WP_SITE_BASE_DOMAIN_ # Wait for Secrets Manager to have RDS secret ready # Certain database secrets (e.g host, port) won't be ready until the database is ready echo "Waiting up to 20 minutes for Secrets Manager to be ready with Secrets"; for i in {1..240}; do echo "try count: $i" db_secrets_ready &amp;&amp; break; # retry every 30 seconds sleep 30s; done echo "Secrets Manager is ready with Secrets"; # Use the AWS CLI to get secrets from Secrets Manager DB_SECRETS_JSON=$(aws secretsmanager get-secret-value --secret-id $DB_SECRETS_PATH --region $AWS_REGION | jq -r '.SecretString') WP_SECRETS_JSON=$(aws secretsmanager get-secret-value --secret-id $WP_SECRETS_PATH --region $AWS_REGION | jq -r '.SecretString') # Parse secrets from JSON response using the useful jq DB_USER=$(echo $DB_SECRETS_JSON | jq -r '.username') DB_PASS=$(echo $DB_SECRETS_JSON | jq -r '.password') DB_HOST=$(echo $DB_SECRETS_JSON | jq -r '.host') DB_PORT=$(echo $DB_SECRETS_JSON | jq -r '.port') WP_ADMIN_USER=$(echo $WP_SECRETS_JSON | jq -r '.username') WP_ADMIN_PASSWORD=$(echo $WP_SECRETS_JSON | jq -r '.password') WP_ADMIN_EMAIL=$(echo $WP_SECRETS_JSON | jq -r '.email') # If some ENV is not defined, stop the script if ! is_defined \ "DB_SECRETS_PATH" \ "WP_SECRETS_PATH" \ "AWS_REGION" \ "WP_DB_NAME" \ "WP_SITE_TITLE" \ "WP_SITE_INSTALL_PATH" \ "WP_SITE_BASE_DOMAIN" \ "DB_USER" \ "DB_PASS" \ "DB_HOST" \ "DB_PORT" \ "WP_ADMIN_USER" \ "WP_ADMIN_PASSWORD" \ "WP_ADMIN_EMAIL" \ ; then echo "Exiting WP installation script because some variables were undefined" exit 0 fi #------------------ 3.CREATE WORDPRESS MYSQL DATABASE # Wait for the database to be ready # Usually this should only run once because of the DB secrets in AWS SM are ready # then it means the database is likely ready as well for i in {1..30}; do echo "try count: $i" mysqladmin ping -h "$DB_HOST" -u$DB_USER -p$DB_PASS -P $DB_PORT --silent &amp;&amp; break; # retry every 30s sleep 30s done # Create the database. echo "Creating the database $WP_DB_NAME..." mysql -h $DB_HOST -u$DB_USER -p$DB_PASS -P $DB_PORT -e"CREATE DATABASE $WP_DB_NAME" #------------------ 4.SETUP WORDPRESS INSTALLATION # Download WP Core. /usr/local/bin/wp core download --path=$WP_SITE_INSTALL_PATH # Generate the wp-config.php file /usr/local/bin/wp core config \ --path=$WP_SITE_INSTALL_PATH \ --dbname=$WP_DB_NAME \ --dbuser=$DB_USER \ --dbpass=$DB_PASS \ --dbhost=$DB_HOST \ --extra-php &lt;&lt;PHP define('WP_DEBUG', true); define('WP_DEBUG_LOG', true); define('WP_DEBUG_DISPLAY', true); define('WP_MEMORY_LIMIT', '256M'); PHP # Install the WordPress database. /usr/local/bin/wp core install \ --path=$WP_SITE_INSTALL_PATH \ --url=$WP_SITE_BASE_DOMAIN \ --title=$WP_SITE_TITLE \ --admin_user=$WP_ADMIN_USER \ --admin_password=$WP_ADMIN_PASSWORD \ --admin_email=$WP_ADMIN_EMAIL # Restart Apache service httpd restart # Wordpress is now installed! ``` </code></pre> </div> <ul> <li>If all goes well, when yuo navigate to the loadbalancer DNS name, the wordpress website should just pop up without any need for any configuration </li> <li>Let's now add the user script and insert some required environment variables in the CDK file</li> <li> <p>In the <code>WordpressAutoScalingGroup</code> constructor<br> </p> <pre class="highlight typescript"><code> <span class="p">...</span> <span class="p">...</span> <span class="c1">// Fetch the user script from file system as a string</span> <span class="kd">const</span> <span class="nx">userScript</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span> <span class="dl">'</span><span class="s1">lib/scripts/wordpress_install.sh</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span> <span class="p">)</span> <span class="c1">// Replace the following variable substrings in the userScript</span> <span class="kd">const</span> <span class="nx">modifiedUserScript</span> <span class="o">=</span> <span class="nf">replaceAllSubstrings</span><span class="p">(</span> <span class="p">[</span> <span class="p">{</span> <span class="na">_DB_SECRETS_PATH_</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">dbSecretName</span> <span class="p">},</span> <span class="p">{</span> <span class="na">_WP_SECRETS_PATH_</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">wpSecretName</span> <span class="p">},</span> <span class="p">{</span> <span class="na">_AWS_REGION_</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">region</span> <span class="p">},</span> <span class="p">{</span> <span class="na">_WP_DB_NAME_</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">wordpress</span><span class="p">.</span><span class="nx">site</span><span class="p">.</span><span class="nx">databaseName</span> <span class="p">},</span> <span class="p">{</span> <span class="na">_WP_SITE_TITLE_</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">wordpress</span><span class="p">.</span><span class="nx">site</span><span class="p">.</span><span class="nx">title</span> <span class="p">},</span> <span class="p">{</span> <span class="na">_WP_SITE_INSTALL_PATH_</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">wordpress</span><span class="p">.</span><span class="nx">site</span><span class="p">.</span><span class="nx">installPath</span> <span class="p">},</span> <span class="p">{</span> <span class="na">_WP_SITE_BASE_DOMAIN_</span><span class="p">:</span> <span class="nx">props</span><span class="p">.</span><span class="nx">dnsName</span> <span class="p">},</span> <span class="c1">// our load balancer dns name</span> <span class="p">],</span> <span class="nx">userScript</span> <span class="p">)</span> </code></pre> </li> </ul> <h2> EC2 instance in ASG </h2> <ul> <li> <p>Finally, we can create our ec2 instance in an ASG<br> </p> <pre class="highlight typescript"><code><span class="p">...</span> <span class="p">...</span> <span class="c1">// finally create and export out autoscaling group</span> <span class="k">this</span><span class="p">.</span><span class="nx">asg</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">autoscaling</span><span class="p">.</span><span class="nc">AutoScalingGroup</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="s2">`</span><span class="p">${</span><span class="nx">props</span><span class="p">.</span><span class="nx">prefix</span><span class="p">}</span><span class="s2">-asg`</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">customVPC</span><span class="p">,</span> <span class="c1">// add the role we created (needs access to AWS SM)</span> <span class="nx">role</span><span class="p">,</span> <span class="na">instanceType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nb">InstanceType</span><span class="p">.</span><span class="k">of</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceClass</span><span class="p">.</span><span class="nx">T2</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceSize</span><span class="p">.</span><span class="nx">MICRO</span> <span class="p">),</span> <span class="na">machineImage</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">MachineImage</span><span class="p">.</span><span class="nf">latestAmazonLinux</span><span class="p">({</span> <span class="na">generation</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">AmazonLinuxGeneration</span><span class="p">.</span><span class="nx">AMAZON_LINUX_2</span><span class="p">,</span> <span class="p">}),</span> <span class="c1">// add our modified user script to launch with instances in this ASG</span> <span class="na">userData</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">UserData</span><span class="p">.</span><span class="nf">custom</span><span class="p">(</span><span class="nx">modifiedUserScript</span><span class="p">),</span> <span class="c1">// we only want one instance in our ASG</span> <span class="na">minCapacity</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">maxCapacity</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="na">associatePublicIpAddress</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">vpcSubnets</span><span class="p">:</span> <span class="p">{</span> <span class="na">subnetType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">SubnetType</span><span class="p">.</span><span class="nx">PUBLIC</span> <span class="p">},</span> <span class="p">})</span> </code></pre> </li> <li><p>The final file should look like <a href="https://github.com/emmanuelnk/wordpress-ec2-rds/blob/master/lib/constructs/ec2.ts" rel="noopener noreferrer">this</a></p></li> <li><p>We then need to attach the ASG we just created as a target to the the listener of the ALB we created earlier, using port 80 </p></li> <li><p>This will redirect all requests for WP at the loadblancer to port 80 of our WP instance.</p></li> <li> <p>Right below the EC2 construct in the <code>WordpressEc2RdsStack</code> constructor, add:<br> </p> <pre class="highlight typescript"><code> <span class="c1">// lets add our autoscaling group to our load balancer</span> <span class="nx">listener</span><span class="p">.</span><span class="nf">addTargets</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">}</span><span class="s2">-wp-asg-targets`</span><span class="p">,</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">targets</span><span class="p">:</span> <span class="p">[</span><span class="nx">asg</span><span class="p">]</span> <span class="p">})</span> </code></pre> </li> <li> <p>The final <code>lib/wordpress-ec2-rds-stack.ts</code> should look like:<br> </p> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CustomVPC</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./constructs/vpc</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">MySQLRdsInstance</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./constructs/rds</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">WordpressAutoScalingGroup</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./constructs/ec2</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">WordpressApplicationLoadBalancer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./constructs/alb</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">config</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./config</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">WordpressEc2RdsStack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">?:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">props</span><span class="p">)</span> <span class="c1">// The code that defines your stack goes here</span> <span class="c1">// VPC -- fetch the custom VPC</span> <span class="kd">const</span> <span class="nx">customVPC</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CustomVPC</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="p">{</span> <span class="na">prefix</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">,</span> <span class="na">cidr</span><span class="p">:</span> <span class="dl">'</span><span class="s1">172.22.0.0/16</span><span class="dl">'</span><span class="p">,</span> <span class="p">})</span> <span class="c1">// RDS -- create the mysql database</span> <span class="k">new</span> <span class="nc">MySQLRdsInstance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="p">{</span> <span class="na">prefix</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">customVPC</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="dl">'</span><span class="s1">wordpress_admin</span><span class="dl">'</span><span class="p">,</span> <span class="na">database</span><span class="p">:</span> <span class="dl">'</span><span class="s1">awesome-wp-site-db</span><span class="dl">'</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="mi">3306</span><span class="p">,</span> <span class="c1">// DB credentials will be saved under this pathname in AWS Secrets Manager</span> <span class="na">secretName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">}</span><span class="s2">/rds/mysql/credentials`</span><span class="p">,</span> <span class="c1">// secret pathname</span> <span class="p">})</span> <span class="c1">// Application Loadbalancer -- for our single instance</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">loadBalancerDnsName</span><span class="p">,</span> <span class="nx">listener</span> <span class="p">}</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">WordpressApplicationLoadBalancer</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="p">{</span> <span class="na">prefix</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">customVPC</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="p">})</span> <span class="c1">// EC2 -- create the Wordpress instance in an autoscaling group</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">asg</span> <span class="p">}</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">WordpressAutoScalingGroup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="p">{</span> <span class="na">prefix</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">,</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">customVPC</span><span class="p">.</span><span class="nx">vpc</span><span class="p">,</span> <span class="na">dnsName</span><span class="p">:</span> <span class="nx">loadBalancerDnsName</span><span class="p">,</span> <span class="na">dbSecretName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">}</span><span class="s2">/rds/mysql/credentials`</span><span class="p">,</span> <span class="na">wpSecretName</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">}</span><span class="s2">/wordpress/admin/credentials`</span><span class="p">,</span> <span class="p">})</span> <span class="c1">// lets add our autoscaling group to our load balancer</span> <span class="nx">listener</span><span class="p">.</span><span class="nf">addTargets</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">config</span><span class="p">.</span><span class="nx">projectName</span><span class="p">}</span><span class="s2">-wp-asg-targets`</span><span class="p">,</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">80</span><span class="p">,</span> <span class="na">targets</span><span class="p">:</span> <span class="p">[</span><span class="nx">asg</span><span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </li> <li> <p>At this point, all the resources are ready to be deployed!</p> <h1> Deployment </h1> <h2> Local machine </h2> </li> <li><p>To deploy from your local machine, make sure all your aws credentials and configurations are correctly setup</p></li> <li> <p>Ensure you have the <code>.env</code> file with the following environment variables setup:<br> </p> <pre class="highlight plaintext"><code>STAGE=dev AWS_ACCOUNT_NUMBER=XXXXXXXXXXXXXXX AWS_REGION=us-west-2 DEPLOYED_BY=john.doe # Wordpress Variables WP_DB_NAME='awesome_wp_site_db' WP_SITE_TITLE='awesome_wp_site' WP_SITE_INSTALL_PATH=/var/www/html/ # Wordpress Admin Secrets WP_ADMIN_EMAIL=admin@awesomewpsite.com WP_ADMIN_USER=admin </code></pre> </li> <li> <p>You can then first try to synthesize the stack and make sure everything is correct<br> </p> <pre class="highlight shell"><code>cdk synth <span class="nt">--profile</span> default </code></pre> </li> <li> <p>If the CDK outputs a YAML file to the console without any issue, then you can deploy<br> </p> <pre class="highlight shell"><code>cdk deploy <span class="nt">--profile</span> default </code></pre> </li> <li><p>You will be asked to approve of IAM changes before the deployment can continue</p></li> </ul> <h2> Github Actions </h2> <ul> <li>Deploying from your local machine is not recommended in a production environment.</li> <li>Fortunately, Github provides a free CI/CD service called <a href="https://github.com/features/actions" rel="noopener noreferrer">Github Actions</a> </li> <li>All we have to do in this instance is create a simple YAML configuration file that can help us deploy to different stages using GA (for the purposes of this tutorial, just <code>dev</code> and <code>prod</code>)</li> <li> <p>From the root of your project<br> </p> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> .github/workflows <span class="o">&amp;&amp;</span> <span class="nb">touch</span> .github/workflows/deploy.yml </code></pre> </li> <li> <p>Open up <code>.github/workflows/deploy.yml</code> and add the following code<br> </p> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Deploy</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">master</span> <span class="pi">-</span> <span class="s">dev</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">nelonoel/branch-name@v1.0.1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cdk deploy</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">youyo/aws-cdk-github-actions@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">cdk_subcommand</span><span class="pi">:</span> <span class="s1">'</span><span class="s">deploy'</span> <span class="na">cdk_args</span><span class="pi">:</span> <span class="s1">'</span><span class="s">--require-approval</span><span class="nv"> </span><span class="s">never'</span> <span class="na">env</span><span class="pi">:</span> <span class="na">STAGE</span><span class="pi">:</span> <span class="s">${{ env.BRANCH_NAME == 'master' &amp;&amp; 'prod' || 'dev' }}</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="na">AWS_DEFAULT_REGION</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_DEFAULT_REGION }}</span> <span class="na">AWS_ACCOUNT_NUMBER</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCOUNT_NUMBER }}</span> <span class="na">DEPLOYED_BY</span><span class="pi">:</span> <span class="s">${{ secrets.DEPLOYED_BY }}</span> </code></pre> </li> <li> <p>What's going on?</p> <ul> <li>GA will only run this script when a push/merge to the branches <code>dev</code> or <code>master</code> happens</li> <li>GA will create an Ubuntu container, checkout the repository and run CDK deploy</li> <li>A useful GA action called <code>branch-name@v1.0.1</code> gets the name fo the branch we are working on and deploys to the correct stage based on that branch (it sets the <code>STAGE</code> env variable)</li> <li>GA action <code>aws-cdk-github-actions@v1</code> runs <code>cdk deploy</code> and deploys the resources to AWS</li> </ul> </li> <li> <p>In order for this to work, you have to to go the settings of your repository on Github and add the follwowing secrets:</p> <ul> <li>AWS_ACCESS_KEY_ID</li> <li>AWS_SECRET_ACCESS_KEY</li> <li>AWS_DEFAULT_REGION</li> <li>AWS_ACCOUNT_NUMBER</li> <li>DEPLOYED_BY</li> </ul> </li> <li><p>For AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, you can create a new user in IAM in the AWS console called <code>github.actions.bot</code> that has administrator privileges and only PROGRAMMATIC ACCESS and paste those values in Github settings as secrets</p></li> </ul> <h2> Destroying the stack </h2> <ul> <li> <p>To destroy the stack from your local machine using the CDK, just run<br> </p> <pre class="highlight shell"><code>cdk destroy <span class="nt">--profile</span> default </code></pre> </li> <li> <p>To destroy the stack from AWS console</p> <ul> <li>Log in to the AWS console</li> <li>Go to Cloudformation</li> <li>Find your stack &gt; Destroy/Delete</li> </ul> </li> </ul> <h1> Final result </h1> <p>Whether you deploy from your local machine or via Github actions, if all goes well, after about 20 minutes (RDS databases take a while to initialize) you should see this output:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjwgk7u4pm2wjmto309up.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjwgk7u4pm2wjmto309up.png" alt="Alt Text" width="800" height="139"></a></p> <ul> <li>In your browser, navigate to the DNS name printed in the output of your local machine console or the GA console(replace the asteriks with the region you deployed in).</li> <li>Alternatively, you can find the DNS name of the ALB via EC2 console &gt; Load balancers</li> <li>You should then see:</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4akkty7z2mfkbpvxgqcn.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4akkty7z2mfkbpvxgqcn.png" alt="Alt Text" width="800" height="561"></a></p> <h1> Conclusion </h1> <ul> <li>In this tutorial I tried to keep things simple and did not add many improvements that I would likely add in a real production scenario (See the Homework Assignments section for improvements that can make your WP installation Production ready on AWS)</li> </ul> <h2> Debugging </h2> <ul> <li>To access the ec2 instance your ASG just spn up, you need to get the instance id from the AWS EC2 console</li> <li> <p>Once you have the instance id, to log into your instance, just do:<br> </p> <pre class="highlight shell"><code>aws ssm start-session <span class="nt">--target</span> <span class="s2">"i-0191364267ad972a2"</span> <span class="nt">--profile</span> default </code></pre> </li> <li><p>where <code>i-0191364267ad972a2</code> is the id of the instance as seen in the AWS console. Cool right? No need for SSH keys! </p></li> <li><p>Of course, if you still want to use regular SSH then in the CDK you have to open port 22 and create an SSH key pair on your machine and upload the public key to the ec2 instance.</p></li> <li><p>If Wordpress does not load correctly when you navigate to the ALB DNS name, then it is likely something with the configuration of the database, or access to secrets manager went wrong.</p></li> <li> <p>You can check the user script logs in the ec2 instance<br> </p> <pre class="highlight shell"><code><span class="c"># list all log files related to ec2 start up scripts</span> find / <span class="nt">-name</span> <span class="s2">"*cloud*log"</span> </code></pre> </li> </ul> <h2> Homework Assignments </h2> <p>There are many improvements you can make to this CDK stack to make a better WP installation. I'll leave them as homework</p> <ul> <li>Create an S3 bucket using the CDK and use this <a href="https://github.com/humanmade/S3-Uploads" rel="noopener noreferrer">Wordpress plugin</a> to sync Wordpress uploads to AWS S3. <em>Hint: You install this plugin via the user script.</em> </li> <li>Use the CDK to create an <a href="https://aws.amazon.com/efs/" rel="noopener noreferrer">EFS filesystem</a> to install Wordpress to instead of installing Wordpress to <code>var/www/html</code> on the default attached volume (which limits WP to one instance). The key here is the same EFS filesystem can be used by many instances. </li> <li>The above two improvements combined will allow you to use more than one instance in the WP ASG and make your Wordpress Installation much more highly available and resilient.</li> <li>Create a cloudfront distribution to serve the WP content from the S3 bucket you just created</li> <li>Buy a cheap 5 dollar <code>.link</code> domain on AWS Route53 and use it in the CDK instead of the ALB dnsName. That way, your site can be accessed via something like <code>mywebsite.link</code> </li> <li>Add <code>CloudWatchAgentServerPolicy</code> to Wordpress instance role and in the user script, install Cloudwatch Agent so that you can collect logs and internal metrics from the instance in AWS Cloudwatch. See this <a href="https://aws.amazon.com/blogs/mt/simplifying-apache-server-logs-with-amazon-cloudwatch-logs-insights/" rel="noopener noreferrer">tutorial</a>.</li> </ul> <p>Hi I'm <a href="https://emmanuelnk.com" rel="noopener noreferrer">Emmanuel</a>! I write about Software and DevOps.</p> <p>If you liked this article and want to see more, add me on <a href="https://www.linkedin.com/in/emmanuel-nsubuga-kyeyune/" rel="noopener noreferrer">LinkedIn</a> or follow me on <a href="https://twitter.com/emmanuel_n_k" rel="noopener noreferrer">Twitter</a></p> aws awscdk ec2 devops Quickly install software on a new Ubuntu installation with GMUAR Emmanuel K Fri, 19 Mar 2021 08:47:21 +0000 https://dev.to/emmanuelnk/quickly-install-software-on-a-new-ubuntu-installation-with-gmuar-457i https://dev.to/emmanuelnk/quickly-install-software-on-a-new-ubuntu-installation-with-gmuar-457i <p>GMUAR -- Get Me Up And Running -- is a pure bash command-line utility program to install a host of common software on Ubuntu/Debian. This helps get software onto fresh Ubuntu installs fast.</p> <p><a href="https://github.com/emmanuelnk/GetMeUpAndRunning"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--LRB6IO4_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://gh-card.dev/repos/emmanuelnk/GetMeUpAndRunning.svg" alt="emmanuelnk/GetMeUpAndRunning - GitHub" width="442" height="151"></a></p> <p>I was inspired to create this by all the <code>sudo apt install</code> commands I would have to get through just to get a new development machine up and running. Some software also wasn't easily installable via <code>apt</code> and need the addition of repositories, <code>curl</code>ing scripts etc.</p> <p>This is my solution to all of that.</p> <p>Simply clone the <a href="https://github.com/emmanuelnk/GetMeUpAndRunning">repository</a> and run <code>./gmuar.sh</code></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2v8ybbyo55udxejf23za.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2v8ybbyo55udxejf23za.png" alt="Alt Text" width="800" height="356"></a></p> <p>The program runs through several categories of software to install:</p> <ul> <li>setup (e.g. <code>curl</code> or <code>pip3</code>)</li> <li>utilities (e.g. <code>net-tools</code>)</li> <li>desktop (e.g. <code>spotify</code>)</li> <li>customization (e.g <code>zsh</code>)</li> <li>development (e.g. <code>node.js</code> )</li> </ul> <p>It has the ability to check via <code>apt</code>, <code>PATH</code> or even filename to determine whether a program has been installed (since not all programs are installed via <code>apt</code> or <code>snap</code>).</p> <p>GMUAR can be extended by adding your own scripts to add your own desired software. Instructions are in the repository <a href="https://github.com/emmanuelnk/GetMeUpAndRunning">README</a></p> <p>Check it out now!</p> <p><a href="https://github.com/emmanuelnk/GetMeUpAndRunning"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--LRB6IO4_--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://gh-card.dev/repos/emmanuelnk/GetMeUpAndRunning.svg" alt="emmanuelnk/GetMeUpAndRunning - GitHub" width="442" height="151"></a></p> <p>Hi I'm <a href="https://emmanuelnk.com">Emmanuel</a>! I write about Software and DevOps.</p> <p>If you liked this article and want to see more, add me on <a href="https://www.linkedin.com/in/emmanuel-nsubuga-kyeyune/">LinkedIn</a> or follow me on <a href="https://twitter.com/emmanuel_n_k">Twitter</a></p> showdev ubuntu bash terminal Part 3 - Simple EC2 instance - Awesome AWS CDK Emmanuel K Thu, 18 Mar 2021 11:06:56 +0000 https://dev.to/emmanuelnk/part-3-simple-ec2-instance-awesome-aws-cdk-37ia https://dev.to/emmanuelnk/part-3-simple-ec2-instance-awesome-aws-cdk-37ia <ul> <li>Introduction</li> <li>Bootstrapping a new CDK Application</li> <li> Structure and Setup of a CDK application <ul> <li>Structure</li> <li>Setup</li> </ul> </li> <li>Writing the infrastructure code</li> <li>Creating a new Key Pair in the AWS Console</li> <li>Deploy</li> <li>Accessing the instance</li> <li>Updating the deployed stack<br> </li> <li> Testing the stack <ul> <li>Test requirements</li> </ul> </li> <li>Destroying the stack</li> <li>Notes</li> <li>Conclusion</li> <li>Up next</li> </ul> <h2> <a></a> Introduction </h2> <p>Most tutorials on AWS try to get you to deploy the world famous <code>t2.micro</code> instance (a small virtual server under the free usage tier on AWS) using the AWS console. You then go on to install something like Wordpress through SSH or through a <em>user script</em> (a script that runs when an instance is created) that you define in the AWS console. </p> <p>So that's exactly what we're going to deploy. But we're going to use the AWS CDK instead.</p> <p>This is what you'll learn in this tutorial:</p> <ul> <li>Bootstrapping a new CDK application</li> <li>The structure and setup of a CDK application</li> <li>How to provision and setup an ec2 instance </li> <li>How to setup terminal access to the instance via SSH key.</li> <li>How to update the ec2 instance with a user script and update the deployed cdk stack</li> <li>How to write tests for the cdk application</li> <li>How to destroy the deployed stack</li> </ul> <p>Let's go!</p> <h2> <a></a> Bootstrapping a new CDK Application </h2> <p>Using your terminal, create a new directory <code>simple-ec2</code> and cd into it:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> mkdir simple-ec2 &amp;&amp; cd simple-ec2 </code></pre> </div> <p>We previously setup the AWS CDK cli globally. If you haven't done that see <a href="https://dev.to/emmanuelnk/awesome-aws-cdk-part-2-setting-up-aws-cdk-3ggj">Part 2</a> in this series. </p> <p>Bootstrap a new cdk project template that uses Typescript:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> cdk init --language=typescript </code></pre> </div> <p>This will initialize a new cdk project for you in Typescript.</p> <ul> <li>Run <code>npm update</code> to ensure you're using the latest version of the CDK. </li> <li>If you have version conflicts between <code>@aws-cdk/core</code> and other <code>@aws-cdk</code> sub-packages, then you'll come across some weird errors. <code>@aws-cdk/core</code> and every other imported <code>@aws-cdk/PACKAGE</code> should have the same version.</li> </ul> <h2> <a></a>Structure and Setup of a CDK application </h2> <h3> <a></a> Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> bash # tree -I 'node_modules' . ├── bin │ └── simple-ec2.ts # entry point ├── cdk.json ├── jest.config.js # for tests ├── lib # where the infrastructure code you write will go │ └── simple-ec2-stack.ts ├── package.json ├── package-lock.json ├── README.md ├── test # test folder │ └── simple-ec2.test.ts └── tsconfig.json </code></pre> </div> <ul> <li> <code>./bin/simple-ec2.ts</code> is the entry point file used by the cdk. This is where you define your stack(s).</li> <li>The IaC that provisions the resources will be inside the <code>lib</code> folder and is required by <code>./bin/simple-ec2.ts</code> during <code>synth</code> and <code>deploy</code> actions. I'll explain both commands later.</li> <li> <code>./test/simple-ec2.test.ts</code> contains the template code to test your CDK application</li> </ul> <h3> <a></a> Setup </h3> <p>In <code>./bin/simple-ec2.ts</code> a new <code>App()</code> is defined and this represents a single stack. </p> <ul> <li>We can add a description for our stack in this file. </li> <li>This description will be visible in the Cloudformation console: ```ts </li> </ul> <p>// ./bin/simple-ec2.ts</p> <p>import 'source-map-support/register';<br> import * as cdk from '@aws-cdk/core';<br> import { SimpleEc2Stack } from '../lib/simple-ec2-stack';</p> <p>const app = new cdk.App();<br> new SimpleEc2Stack(app, 'SimpleEc2Stack', {<br> description: 'This is a simple EC2 stack'<br> });</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Let's head over to `./lib/simple-ec2-stack.ts` and see what the CDK boostrapped for us: ```ts // ./lib/simple-ec2-stack.ts import * as cdk from '@aws-cdk/core'; export class SimpleEc2Stack extends cdk.Stack { constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) { super(scope, id, props); // The code that defines your stack goes here } } </code></pre> </div> <p>As you can see, the <code>cdk init</code> command bootstrapped a nice template for us to get to writing our IaC fast. The base class <code>cdk.Stack</code> gives us the ability to create a new Cloudformation stack. </p> <p>We also need to create a <code>.env</code> file to keep our AWS Account number and the region we will use. In the root of the project create a file called <code>.env</code> and add the following. Replace the <code>xxXxXxxXXxXxx</code> with your AWS account number and use the region you want.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> AWS_ACCOUNT_NUMBER=xxXxXxxXXxXxx AWS_ACCOUNT_REGION=us-west-2 </code></pre> </div> <h2> <a></a> Writing the infrastructure code </h2> <p>We want to create an ec2 instance so we will need the <code>@aws-cdk/ec2</code> library. (This is the same process for any other AWS service you need to provision resources). We will also need <code>@aws-cdk/aws-iam</code> library to give permissions to our instance to do stuff. We also want to be able to read our <code>.env</code> file so lets also install <code>dotenv</code> package</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> npm install @aws-cdk/aws-ec2 @aws-cdk/aws-iam dotenv </code></pre> </div> <p>Remember, since the CDK is written in Typescript and is typed excellently, while typing you can access intellisense and see the various properties of CDK resources e.g. in the image below I can see what properties an instance of <code>ec2.Instance()</code> class has.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frwvn83wjbix9cgv72j5r.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frwvn83wjbix9cgv72j5r.gif" alt="Alt Text"></a></p> <p>Here goes our first iteration:</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-ec2</span><span class="dl">'</span> <span class="c1">// import ec2 library </span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">iam</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-iam</span><span class="dl">'</span> <span class="c1">// import iam library for permissions</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">dotenv</span><span class="dl">'</span><span class="p">).</span><span class="nf">config</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">env</span><span class="p">:</span> <span class="p">{</span> <span class="na">account</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AWS_ACCOUNT_NUMBER</span><span class="p">,</span> <span class="na">region</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AWS_REGION</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">SimpleEc2Stack</span> <span class="kd">extends</span> <span class="nc">cdk</span><span class="p">.</span><span class="nx">Stack</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">scope</span><span class="p">:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">Construct</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">props</span><span class="p">?:</span> <span class="nx">cdk</span><span class="p">.</span><span class="nx">StackProps</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// its important to add our env config here otherwise CDK won't know our AWS account number</span> <span class="k">super</span><span class="p">(</span><span class="nx">scope</span><span class="p">,</span> <span class="nx">id</span><span class="p">,</span> <span class="p">{</span> <span class="p">...</span><span class="nx">props</span><span class="p">,</span> <span class="na">env</span><span class="p">:</span> <span class="nx">config</span><span class="p">.</span><span class="nx">env</span> <span class="p">})</span> <span class="c1">// Get the default VPC. This is the network where your instance will be provisioned</span> <span class="c1">// All activated regions in AWS have a default vpc. </span> <span class="c1">// You can create your own of course as well. https://aws.amazon.com/vpc/</span> <span class="kd">const</span> <span class="nx">defaultVpc</span> <span class="o">=</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Vpc</span><span class="p">.</span><span class="nf">fromLookup</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">VPC</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">isDefault</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="c1">// Lets create a role for the instance</span> <span class="c1">// You can attach permissions to a role and determine what your</span> <span class="c1">// instance can or can not do</span> <span class="kd">const</span> <span class="nx">role</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">simple-instance-1-role</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// this is a unique id that will represent this resource in a Cloudformation template</span> <span class="p">{</span> <span class="na">assumedBy</span><span class="p">:</span> <span class="k">new</span> <span class="nx">iam</span><span class="p">.</span><span class="nc">ServicePrincipal</span><span class="p">(</span><span class="dl">'</span><span class="s1">ec2.amazonaws.com</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">)</span> <span class="c1">// lets create a security group for our instance</span> <span class="c1">// A security group acts as a virtual firewall for your instance to control inbound and outbound traffic.</span> <span class="kd">const</span> <span class="nx">securityGroup</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">SecurityGroup</span><span class="p">(</span> <span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">simple-instance-1-sg</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">defaultVpc</span><span class="p">,</span> <span class="na">allowAllOutbound</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// will let your instance send outboud traffic</span> <span class="na">securityGroupName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">simple-instance-1-sg</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">)</span> <span class="c1">// lets use the security group to allow inbound traffic on specific ports</span> <span class="nx">securityGroup</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">anyIpv4</span><span class="p">(),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">22</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allows SSH access from Internet</span><span class="dl">'</span> <span class="p">)</span> <span class="nx">securityGroup</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">anyIpv4</span><span class="p">(),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">80</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allows HTTP access from Internet</span><span class="dl">'</span> <span class="p">)</span> <span class="nx">securityGroup</span><span class="p">.</span><span class="nf">addIngressRule</span><span class="p">(</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Peer</span><span class="p">.</span><span class="nf">anyIpv4</span><span class="p">(),</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">Port</span><span class="p">.</span><span class="nf">tcp</span><span class="p">(</span><span class="mi">443</span><span class="p">),</span> <span class="dl">'</span><span class="s1">Allows HTTPS access from Internet</span><span class="dl">'</span> <span class="p">)</span> <span class="c1">// Finally lets provision our ec2 instance</span> <span class="kd">const</span> <span class="nx">instance</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">ec2</span><span class="p">.</span><span class="nc">Instance</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">simple-instance-1</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">vpc</span><span class="p">:</span> <span class="nx">defaultVpc</span><span class="p">,</span> <span class="na">role</span><span class="p">:</span> <span class="nx">role</span><span class="p">,</span> <span class="na">securityGroup</span><span class="p">:</span> <span class="nx">securityGroup</span><span class="p">,</span> <span class="na">instanceName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">simple-instance-1</span><span class="dl">'</span><span class="p">,</span> <span class="na">instanceType</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nb">InstanceType</span><span class="p">.</span><span class="k">of</span><span class="p">(</span> <span class="c1">// t2.micro has free tier usage in aws</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceClass</span><span class="p">.</span><span class="nx">T2</span><span class="p">,</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">InstanceSize</span><span class="p">.</span><span class="nx">MICRO</span> <span class="p">),</span> <span class="na">machineImage</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">MachineImage</span><span class="p">.</span><span class="nf">latestAmazonLinux</span><span class="p">({</span> <span class="na">generation</span><span class="p">:</span> <span class="nx">ec2</span><span class="p">.</span><span class="nx">AmazonLinuxGeneration</span><span class="p">.</span><span class="nx">AMAZON_LINUX_2</span><span class="p">,</span> <span class="p">}),</span> <span class="na">keyName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">simple-instance-1-key</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// we will create this in the console before we deploy</span> <span class="p">})</span> <span class="c1">// cdk lets us output prperties of the resources we create after they are created</span> <span class="c1">// we want the ip address of this new instance so we can ssh into it later</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">simple-instance-1-output</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">instance</span><span class="p">.</span><span class="nx">instancePublicIp</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> <a></a> Creating a new Key Pair in the AWS Console </h2> <p>Before we try to deploy our newly created instance, we need to go to the AWS console and create a key pair that we will use to access the instance called <code>simple-instance-1-key</code></p> <ul> <li>Log into the AWS console. </li> <li>Go to <code>EC2</code> dashboard. </li> <li>Go to Key Pairs and click create Key Pair</li> <li>Enter key name as <code>simple-instance-1-key</code> and click create</li> <li>Your new key pair will be created and your browser will automatically download a new <code>.pem</code> file called <code>simple-instance-1-key.pem</code> </li> <li>this is the key file you'll use to gain access to your instance via SSH</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvo9h9zejdykpkapld38a.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvo9h9zejdykpkapld38a.gif" alt="Alt Text"></a></p> <ul> <li>Create a new directory under <code>.aws/</code> called <code>pems</code> ```bash </li> </ul> <p>mkdir ~./aws/pems/</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>- move the newly downloaded file to this directory and give it the necessary permissions ```bash mv ~/Downloads/simple-instance-1-key.pem ~/.aws/pems # important step or your key file won't work chmod 400 ~/.aws/pems/simple-instance-1-key.pem </code></pre> </div> <ul> <li>Now that we have our key file properly setup, lets deploy our instance!</li> </ul> <h2> <a></a> Deploy </h2> <p>Remember we set up our aws profiles and crednetials in <code>~/.aws/config</code> and <code>~/.aws/credentials</code> back in <a href="https://dev.to/emmanuelnk/awesome-aws-cdk-part-2-setting-up-aws-cdk-3ggj">part 2</a> </p> <p>I will be deploying to my <code>default</code> profile which is linked to my personal AWS account with the region <code>us-west-2</code>. </p> <p>If you have another profile you want to use then in the commands below use that profile name instead of <code>default</code>.</p> <p>In your terminal:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> cdk synth --profile default </code></pre> </div> <p>This command will synthesize your stack.</p> <blockquote> <p>When CDK apps are executed, they produce (or “synthesize”, in CDK parlance) an AWS CloudFormation template for each stack defined in your application.</p> </blockquote> <ul> <li>Essentially it will print the cloudformation template for your stack to your console. </li> <li>It's a good way to check that there's nothing wrong with your stack before trying to deploy since <code>cdk synth</code> will verify the resources you are trying to provision can actually be provisioned. </li> <li>You should something like this:</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ❯ cdk synth <span class="nt">--profile</span> default Resources: simpleinstance1role9EEDA67C: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: ec2.amazonaws.com Version: <span class="s2">"2012-10-17"</span> ... ... ... </code></pre> </div> <p>If the entire stack prints without error then you're okay to go.</p> <p>Now we can deploy:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> cdk deploy <span class="nt">--profile</span> default </code></pre> </div> <p>You should get a prompt accessing for Cloudformation to allow the creation of resources that need approval. Type <code>y</code> and press <code>ENTER</code> to continue with the deployment:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7c6qw50t0bidqoyhxp25.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7c6qw50t0bidqoyhxp25.png" alt="Alt Text"></a></p> <p>You'll start seeing the output from Cloudformation in your console as the stack is being created.</p> <p>When the stack has been successfully deployed, you should see:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffso15euru0fnvaksym5j.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffso15euru0fnvaksym5j.png" alt="Alt Text"></a></p> <p>Notice the output which we defined at the end of the stack. The CDK printed the public ip address of the newly created instance for us because we told it to, awesome! You can use this method to print out any value when a stack has successfully deployed.</p> <p>You can alternatively get this information from the ec2 console by checking on the instances dashboard.</p> <h2> <a></a> Accessing the instance </h2> <p>Let's ssh into our newly created instance with our key file and the public ip address.</p> <p><em>Note:</em> that the default <em>user</em> for AMAZON LINUX images is <code>ec2-user</code></p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ssh <span class="nt">-i</span> ~/.aws/pems/simple-instance-1-key.pem ec2-user@34.220.79.175 </code></pre> </div> <p>You should now be able to log into your instance!<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdbau99kvx3em1ks61oxe.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdbau99kvx3em1ks61oxe.png" alt="Alt Text"></a></p> <p>Unfortunately, we have an instance that isn't running anything on it. </p> <p>Let's fix that!</p> <h2> <a></a> Adding User script </h2> <ul> <li>Let's create a new file under <code>./lib/</code> directory called <code>user_script.sh</code>. Paste this code into that file. </li> <li>This code will deploy Apache, Wordpress, Mysql server on this intance. In this script, the database password will be <code>pl55w0rd</code>.</li> <li>It's very insecure to add passwords to scripts but in this case I'm doing this just for demonstration purposes. </li> <li>In production you should first of all never use such a weak password and secondly, not inside such a script.</li> <li>Rather, you should deploy the Mysql database on AWS RDS and setup credentials for that database using AWS Secrets Manager.</li> </ul> <p>Here's the setup file:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="c">#! /bin/bash</span> <span class="c"># become root user</span> <span class="nb">sudo </span>su <span class="c"># update dependencies</span> yum <span class="nt">-y</span> update <span class="c"># we'll install 'expect' to input keystrokes/y/n/passwords</span> yum <span class="nt">-y</span> <span class="nb">install </span>expect <span class="c"># Install Apache</span> yum <span class="nt">-y</span> <span class="nb">install </span>httpd <span class="c"># Start Apache</span> service httpd start <span class="c"># Install PHP</span> yum <span class="nt">-y</span> <span class="nb">install </span>php php-mysql <span class="c"># php 7 needed for latest wordpress</span> amazon-linux-extras <span class="nt">-y</span> <span class="nb">install </span>php7.2 <span class="c"># Restart Apache</span> service httpd restart <span class="c"># Install MySQL</span> wget http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm rpm <span class="nt">-ivh</span> mysql-community-release-el7-5.noarch.rpm yum <span class="nt">-y</span> update yum <span class="nt">-y</span> <span class="nb">install </span>mysql-server <span class="c"># Start MySQL</span> service mysqld start <span class="c"># Create a database named blog</span> mysqladmin <span class="nt">-uroot</span> create blog <span class="c"># Secure database</span> <span class="c"># non interactive mysql_secure_installation with a little help from expect.</span> <span class="nv">SECURE_MYSQL</span><span class="o">=</span><span class="si">$(</span>expect <span class="nt">-c</span> <span class="s2">" set timeout 10 spawn mysql_secure_installation expect </span><span class="se">\"</span><span class="s2">Enter current password for root (enter for none):</span><span class="se">\"</span><span class="s2"> send </span><span class="se">\"\r\"</span><span class="s2"> expect </span><span class="se">\"</span><span class="s2">Change the root password?</span><span class="se">\"</span><span class="s2"> send </span><span class="se">\"</span><span class="s2">y</span><span class="se">\r\"</span><span class="s2"> expect </span><span class="se">\"</span><span class="s2">New password:</span><span class="se">\"</span><span class="s2"> send </span><span class="se">\"</span><span class="s2">pl55w0rd</span><span class="se">\r\"</span><span class="s2"> expect </span><span class="se">\"</span><span class="s2">Re-enter new password:</span><span class="se">\"</span><span class="s2"> send </span><span class="se">\"</span><span class="s2">pl55w0rd</span><span class="se">\r\"</span><span class="s2"> expect </span><span class="se">\"</span><span class="s2">Remove anonymous users?</span><span class="se">\"</span><span class="s2"> send </span><span class="se">\"</span><span class="s2">y</span><span class="se">\r\"</span><span class="s2"> expect </span><span class="se">\"</span><span class="s2">Disallow root login remotely?</span><span class="se">\"</span><span class="s2"> send </span><span class="se">\"</span><span class="s2">y</span><span class="se">\r\"</span><span class="s2"> expect </span><span class="se">\"</span><span class="s2">Remove test database and access to it?</span><span class="se">\"</span><span class="s2"> send </span><span class="se">\"</span><span class="s2">y</span><span class="se">\r\"</span><span class="s2"> expect </span><span class="se">\"</span><span class="s2">Reload privilege tables now?</span><span class="se">\"</span><span class="s2"> send </span><span class="se">\"</span><span class="s2">y</span><span class="se">\r\"</span><span class="s2"> expect eof "</span><span class="si">)</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$SECURE_MYSQL</span><span class="s2">"</span> <span class="c"># Change directory to web root</span> <span class="nb">cd</span> /var/www/html <span class="c"># Download Wordpress</span> wget http://wordpress.org/latest.tar.gz <span class="c"># Extract Wordpress</span> <span class="nb">tar</span> <span class="nt">-xzvf</span> latest.tar.gz <span class="c"># Rename wordpress directory to blog</span> <span class="nb">mv </span>wordpress blog <span class="c"># Change directory to blog</span> <span class="nb">cd</span> /var/www/html/blog/ <span class="c"># Create a WordPress config file </span> <span class="nb">mv </span>wp-config-sample.php wp-config.php <span class="c">#set database details with perl find and replace</span> <span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s/database_name_here/blog/g"</span> /var/www/html/blog/wp-config.php <span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s/username_here/root/g"</span> /var/www/html/blog/wp-config.php <span class="nb">sed</span> <span class="nt">-i</span> <span class="s2">"s/password_here/pl55w0rd/g"</span> /var/www/html/blog/wp-config.php <span class="c"># create uploads folder and set permissions</span> <span class="nb">mkdir </span>wp-content/uploads <span class="nb">chmod </span>777 wp-content/uploads <span class="c">#remove wp file</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/www/html/latest.tar.gz </code></pre> </div> <p>We will need to add <code>fs</code> module at the top of our <code>./lib/simple-ec2-stack.ts</code> file since <code>instance.addUserData()</code> needs to access the file system during deployment.</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">ec2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-ec2</span><span class="dl">'</span> <span class="c1">// import ec2 library </span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">iam</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/aws-iam</span><span class="dl">'</span> <span class="c1">// import iam library for permissions</span> <span class="c1">// lets include fs module</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span> </code></pre> </div> <p>Then we can the function <code>instance.addUserData()</code> right before our output function:</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="p">...</span> <span class="c1">// add user script to instance</span> <span class="c1">// this script runs when the instance is started </span> <span class="nx">instance</span><span class="p">.</span><span class="nf">addUserData</span><span class="p">(</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">lib/user_script.sh</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">)</span> <span class="p">)</span> <span class="c1">// cdk lets us output prperties of the resources we create after they are created</span> <span class="c1">// we want the ip address of this new instance so we can ssh into it later</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">CfnOutput</span><span class="p">(</span><span class="k">this</span><span class="p">,</span> <span class="dl">'</span><span class="s1">simple-instance-1-output</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">value</span><span class="p">:</span> <span class="nx">instance</span><span class="p">.</span><span class="nx">instancePublicIp</span> <span class="p">})</span> <span class="p">...</span> </code></pre> </div> <h2> <a></a> Update the deployed stack </h2> <p>Let's re-synthesize to check everything is okay:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> cdk <span class="nt">--synth</span> <span class="nt">--profile</span> default </code></pre> </div> <ul> <li>You should now see the user script commands in the <code>synth</code> output</li> <li>Let's deploy our new changes. </li> <li>Cloudformation will only update resources that are being updated. </li> <li>In this case, only ec2 instance is being updated. </li> <li>Other things like roles and security groups will remain as they are since there are no changes to them in the updated stack.</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> cdk <span class="nt">--deploy</span> <span class="nt">--profile</span> default </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fion34zyeoyj2zuv2xwv8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fion34zyeoyj2zuv2xwv8.png" alt="Alt Text"></a></p> <p><em>Take note:</em> Since we are not using an elastic IP, its highly likely that the public ip address of the instance has changed.</p> <p>Let's use the outputted IP address and check to see that Wordpress, Mysql and PHP were installed correctly:</p> <ul> <li><p>In your browser, navigate to http:///blog</p></li> <li><p>You should then see:</p></li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fif3mfuajrtxfqb06x185.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fif3mfuajrtxfqb06x185.png" alt="Alt Text"></a></p> <ul> <li>and then you can complete the installation of Wordpress! </li> <li>Remember your database credentials <code>root</code> and <code>pl55w0rd</code> as defined in the script</li> </ul> <h2> <a></a> Testing the stack </h2> <p>Well we know our CDK code works and can provision an ec2 instance to run our Wordpress server and database. Good. </p> <p>But how can we make sure that changes to the CDK code do not do what we don't want it to do? </p> <p>This is where tests come in.</p> <h3> <a></a> Test requirements </h3> <ul> <li>I do not want any instance other <code>t2.micro</code> to be used as my server instance type because I always want to remain under AWS free tier usage for EC2. Let's ensure that.</li> <li>I want to ensure that my instance uses the SSH key with the name <code>simple-instance-1-key</code> </li> </ul> <p>To accomplish this, we change the code inside the file <code>./test/simple-ec2.test.ts</code> to:</p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">expect</span> <span class="k">as</span> <span class="nx">expectCDK</span><span class="p">,</span> <span class="nx">haveResourceLike</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/assert</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cdk</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-cdk/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">SimpleEc2</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../lib/simple-ec2-stack</span><span class="dl">'</span><span class="p">;</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">Check InstanceType and SSH KeyName</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">stack</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">SimpleEc2</span><span class="p">.</span><span class="nc">SimpleEc2Stack</span><span class="p">(</span><span class="nx">app</span><span class="p">,</span> <span class="dl">'</span><span class="s1">MyTestStack</span><span class="dl">'</span><span class="p">);</span> <span class="nf">expectCDK</span><span class="p">(</span><span class="nx">stack</span><span class="p">).</span><span class="nf">to</span><span class="p">(</span> <span class="nf">haveResourceLike</span><span class="p">(</span><span class="dl">'</span><span class="s1">AWS::EC2::Instance</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">InstanceType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">t2.micro</span><span class="dl">'</span><span class="p">,</span> <span class="na">KeyName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">simple-instance-1-key</span><span class="dl">'</span> <span class="p">})</span> <span class="p">)</span> <span class="p">});</span> </code></pre> </div> <p>As you can see from the test code, the test will check the generated Cloudformation template generated by the CDK. </p> <p>In our case we want to check that the instance is a <code>t2.micro</code> and that it uses the SSH key <code>simple-instance-1-key</code>. These are two crucial properties to us. </p> <p>You can read more about testing infrastructure with the CDK here <a href="https://aws.amazon.com/blogs/developer/testing-infrastructure-with-the-aws-cloud-development-kit-cdk/" rel="noopener noreferrer">here</a></p> <p>Run the test:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> npm test </code></pre> </div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbyipv0hu8l8f3owkdxkh.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbyipv0hu8l8f3owkdxkh.png" alt="Alt Text"></a></p> <p>All good!</p> <p>And now your code should be able to run a test before deploying your infrastructure! Fantastic!</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> npm test &amp;&amp; cdk deploy --profile default </code></pre> </div> <h2> <a></a> Destroying the stack </h2> <p>If you would like to destroy the infrastructure you just provisioned, it's as simple as:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> cdk destroy --profile default </code></pre> </div> <p>And Cloudformation will remove your entire stack!</p> <h2> <a></a> Notes: </h2> <ul> <li>It's not advisable to run mysql on the same instance as your Wordpress server. You can instead use AWS managed Database service <a href="https://aws.amazon.com/rds/" rel="noopener noreferrer">RDS</a> to deploy the database that Wordpress will use. </li> <li>Don't put sensitive information like passwords in user scripts since in many cases they are committed to source control or their output is visible in a CI/CD console or instance terminal history</li> </ul> <h2> <a></a> Conclusion </h2> <p>The AWS CDK makes writing IaC, provisioning, deploying, updating and destroying infrastructure very painless. You can write tests to make sure you do not deploy the wrong things.</p> <p>This was a simple example and may seem quite a lot just to deploy an ec2 instance. However, as we progress through the series, you will realize how its very beneficial to complex infrastructure.</p> <h2> <a></a>Up next </h2> <p>In part 4, using the CDK, we will make our Wordpress server more more production ready. We will: </p> <ul> <li>create AWS RDS Mysql database instead of running the database on the ec2 instance </li> <li>provision this database in an isolated subnet to keep it secure from the public Internet</li> <li>use AWS SSM to access our instance instead of an SSH key and gain all the benefits of IAM permissions/roles</li> <li>deploy an Application Load Balancer</li> <li>Create our EC2 instance with better/more advanced script</li> <li>Place the Wordpress instance in an AutoScaling Group</li> </ul> <p>Hi I'm <a href="https://emmanuelnk.com" rel="noopener noreferrer">Emmanuel</a>! I write about Software and DevOps.</p> <p>If you liked this article and want to see more, add me on <a href="https://www.linkedin.com/in/emmanuel-nsubuga-kyeyune/" rel="noopener noreferrer">LinkedIn</a> or follow me on <a href="https://twitter.com/emmanuel_n_k" rel="noopener noreferrer">Twitter</a></p> aws awscdk ec2 devops Awesome AWS CDK - Part 2 - Setting up AWS CDK Emmanuel K Sun, 14 Mar 2021 09:39:04 +0000 https://dev.to/emmanuelnk/awesome-aws-cdk-part-2-setting-up-aws-cdk-3ggj https://dev.to/emmanuelnk/awesome-aws-cdk-part-2-setting-up-aws-cdk-3ggj <h2> What you will learn in this part </h2> <p>In this tutorial, you will learn:</p> <ul> <li>How to install AWS CDK</li> </ul> <p>Let's go!</p> <h2> Pre-requisites </h2> <p>You are going to need:</p> <ul> <li><a href="https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html">An AWS account with programmatic access</a></li> <li><a href="https://nodejs.org/en/">Node.js</a></li> </ul> <h2> Setup </h2> <ul> <li>Make sure you have Node.js setup</li> <li>Make sure your aws credentials are properly configured.</li> </ul> <p>Here's an example of my AWS configured access files where I have my own personal aws account as the <code>default</code> profile and two other aws accounts for my work company -- acme-corp👨🏿‍💻.</p> <p>AWS <code>credentials</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Linux and MacOS: ~/.aws/credentials # Windows: %USERPROFILE%\.aws\credentials [default] aws_access_key_id=xXXxxxxXXXXxxxxxxx aws_secret_access_key=xxXXXXxxxXXxXxx [acme-corp-prod-acc] aws_access_key_id=xXXxxxxXXXXxxxxxxx aws_secret_access_key=xxXXXXxxxXXxXxx [acme-corp-dev-acc] aws_access_key_id=xXXxxxxXXXXxxxxxxx aws_secret_access_key=xxXXXXxxxXXxXxx </code></pre> </div> <p>AWS <code>config</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Linux and MacOS: ~/.aws/config # Windows: %USERPROFILE%\.aws\config [default] region=us-west-2 output=json [profile acme-corp-prod-acc] region=us-west-2 output=json [profile acme-corp-dev-acc] region=us-west-2 output=json </code></pre> </div> <ul> <li>The AWS CDK will look for these files when it needs access to whatever AWS accounts it needs to deploy resources to.</li> <li>It helps that the IAM credentials used have administrator privileges when deploying resources as this will reduce a lot of headache regarding permissions. </li> <li>You can filter out permissions and privileges if you have a good understanding of AWS IAM and the permission needs of your deployments.</li> </ul> <h3> Install the AWS CDK globally (so that you can bootstrap a new CDK project in your language choice) in any folder </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm install -g aws-cdk </code></pre> </div> <p>Check that its installed<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cdk --version </code></pre> </div> <p>That's it!</p> <p>In the next part, we will set up a project with the cdk and deploy it!</p> <p>Hi I'm <a href="https://emmanuelnk.com">Emmanuel</a>! I write about Software and DevOps.</p> <p>If you liked this article and want to see more, add me on <a href="https://www.linkedin.com/in/emmanuel-nsubuga-kyeyune/">LinkedIn</a> or follow me on <a href="https://twitter.com/emmanuel_n_k">Twitter</a></p> Awesome AWS CDK - Part 1 - A series on common and practical deployments with the AWS CDK Emmanuel K Sun, 14 Mar 2021 09:24:34 +0000 https://dev.to/emmanuelnk/awesome-aws-cdk-a-series-on-common-and-practical-deployments-with-the-aws-cdk-4opk https://dev.to/emmanuelnk/awesome-aws-cdk-a-series-on-common-and-practical-deployments-with-the-aws-cdk-4opk <h1> PART 1 </h1> <h2> Introduction </h2> <p>This is going to be the first in a series of articles about using the AWS CDK (Cloud Development Kit) for common and practical deployment of cloud resources on AWS. This is to help those who are already familiar with AWS to deploy cloud resources using this awesome IaC (Infrastructure as Code) library from AWS.</p> <p>As you may have figured, the AWS CDK is targeted at the deployment of AWS cloud infrastructure only. So if you are afraid of AWS vendor lock-in for your cloud deployments, then maybe this will not be the series for you. There are other tools that can do multi-vendor cloud deployments and provisioning (like <a href="https://www.terraform.io/">Terraform</a>, <a href="https://www.pulumi.com/">Pulumi</a>, <a href="https://www.serverless.com/">Serverless</a>). </p> <p>However, if you feel like you use AWS a lot like many DevOps/Solutions Architects/Developers do then this is the series to show you practical examples of using the AWS CDK to deploy resources.</p> <h2> Background </h2> <h3> In the beginning... </h3> <p>You can manually create resources on AWS using the console, command line interface or other IaC tools. And this is what people did when AWS was new. But it became evident pretty fast that this mode of provisioning cloud infrastructure was error prone and not sustainable, especially for massive and complex stacks of resources. These frustrations led to the birth of <a href="https://aws.amazon.com/cloudformation/">Cloudformation</a> in 2011.</p> <h3> Cloudformation </h3> <p>AWS Cloudformation is AWS' managed service for provisioning cloud infrastructure and services. You do this using a JSON or YAML template file that defines what resources you would like AWS to Create, Update or Destroy. Cloudformation consumes file and makes the necessary changes to your deployed stack of resources.</p> <p>Cloudformation is the backbone service of automatically deployed resources on AWS. It ensures consistency of your deployed resources and can keep track of drifts (when resources are created, updated or destroyed outside of the Cloudformation template file).</p> <p>The problem is Cloudformation template files are ridiculously hard to write, read, update and manage. After all they are basic YAML/JSON. Its fine if you are provisioning a few resources. But it is completely unmanageable with human effort once you exceed 20 resources. </p> <p>This is where the CDK comes in.</p> <h3> Cloud Development Kit </h3> <p>The AWS CDK is a library of functions that will generate a Cloudformation template and use it to provision resources in AWS. It allows you to write code to define in your favorite language to create these Cloudformation templates.</p> <p>With the CDK, the ability to have access to intellisense from your code editor, ability to break up resources into logical parts, type checking, enums etc means that the tendency to make errors when configuring resources dramatically reduces. You can also write tests for the infrastructure you want to deploy to ensure that whatever changes made in the IaC are not going to break your deployed stack of resources or cost you millions when you mistakenly provision beyond your means. </p> <p>Its been a joy working with CDK for the past year for me and it is hard to go back to other solutions like Terraform, Serverless, SAM for AWS resource provisioning. </p> <h3> It's not all roses yet though </h3> <p>No project is perfect. The AWS CDK, as great as it is, is also a recent project (launched in July 2019) so it doesn't yet cover everything possible to deploy on AWS (Even Cloudformation doesn't cover everything possible in AWS yet). Some things will need manual configuration via the console or command line interface. There are also minor bugs, fast changing interfaces, deprecations etc as the CDK development tries to catch up to and keep up with the pace at which AWS releases new services and updates. Maybe within a year many of my own code examples from this series will have some deprecations. But the core API and concepts will remain the same. Also, for most common services, the CDK will have you covered. </p> <h2> Conclusion </h2> <p>Note:</p> <ul> <li>I will focus on simple and common deployments. </li> <li>I will use github actions as my CI/CD tool.</li> </ul> <p>There are other projects out there that focus on patterns like the awesome <a href="https://cdkpatterns.com/">cdk patterns project</a> which concentrates on serverless deployments with the cdk and AWS' own <a href="https://github.com/aws-samples/aws-cdk-examples">aws-cdk-examples project</a> which has tons of great examples on using the cdk. I drew tons of inspiration and learning from these projects.</p> <p>My series will focus on simple common deployments with a heavy leaning on practicality. This means I will take you through some best practices as well as well as my own experience.</p> <p>I will use Typescript because:</p> <ul> <li>The CDK API is essentially the same in Typescript, Python, .Net, Java. The language itself isn't too important. </li> <li>The CDK is also written in Typescript and then wrapped for use in other languages.</li> <li>It's awesome!</li> </ul> <p>Hope you can stick with me throughout. See you in part 2!</p> <p>Hi I'm <a href="https://emmanuelnk.com">Emmanuel</a>! I write about Software and DevOps.</p> <p>If you liked this article and want to see more, add me on <a href="https://www.linkedin.com/in/emmanuel-nsubuga-kyeyune/">LinkedIn</a> or follow me on <a href="https://twitter.com/emmanuel_n_k">Twitter</a></p> aws awscdk devops iac Is the AWS Solutions Architect Certification worth it? A review Emmanuel K Wed, 17 Feb 2021 07:53:39 +0000 https://dev.to/emmanuelnk/is-the-aws-solutions-architect-certification-worth-it-a-review-2lem https://dev.to/emmanuelnk/is-the-aws-solutions-architect-certification-worth-it-a-review-2lem <p><strong>TLDR:</strong> Yes it is! But not for the reasons you may think.</p> <h2> Intro </h2> <p>AWS has <strong>very many</strong> services. And every year when <a href="https://aws.amazon.com/new/reinvent">re:Invent</a> rolls around, <a href="https://www.infoq.com/news/2020/12/aws-reinvent-2020/">they add even more</a>. Most people don't even dare venture into any other services beyond EC2, S3, Lambda and RDS. These are the primary services you'd use to setup a simple web server, for example. If you're a little more involved you may use Route53 to manage domains, VPC to manage your resource networks and subnets and Cloudfront as a CDN. Most people would find little use for SQS, Kinesis, DynamoDB, Step Functions etc</p> <p>Additionally, many DevOps engineers like to keep the deployed cloud infrastructure as high level as possible to prevent over-reliance on managed AWS services and avoid vendor lock-in (the concern of which is usually <a href="https://thenewstack.io/should-you-really-be-so-worried-about-cloud-lock-in/">overblown</a>). However even if you are unnecessarily afraid of vendor lock-in, content with managing cloud infrastructure yourself or you really have legitimate reasons to avoid using AWS managed services, getting (or at least studying for) an AWS Solutions Architect certificate is still worth it.</p> <p>This is because the AWS Solutions Architect exam (both Associate and Professional), doesn't just challenge you on your knowledge of AWS services, it challenges how you think about cloud infrastructure <strong>altogether</strong> in order to... yes you guessed it -- architect solutions.</p> <h2> A Solutions Architect with bad solutions? </h2> <p>Nothing is worse than a mechanic with a box full of tools who doesn't really know how to fix things. The AWS Solutions Architect Associate exam (the one I did) is truly a test of understanding the world of managed cloud services and how one can deliver practical and reliable solutions. You WILL need to know and understand not only many AWS services but also how they work together to produce the best possible results according to various scenarios. </p> <p>Because of this, this is not an exam you can study for on a weekend and pass on Monday. Even though some people may be able to memorize common solutions, the questions can and will be quite challenging and even seasoned AWS pros need to study for it. </p> <p>I had used AWS for about 3 years before doing the AWS Solutions Architect Associate exam in July 2020. I had deployed instances, serverless functions, message brokers and queues, databases etc But I only started to realize the many gaps in my knowledge once I started reading for the exam. I realized certain things I would do were either not best practice, impractical, not secure or just plain ridiculous. And a lot of it had nothing to do specifically with AWS services, but more to do with doing DevOps and cloud infrastrcture design in a correct way. I ended up reading many of the famous AWS <a href="https://aws.amazon.com/whitepapers/?whitepapers-main.sort-by=item.additionalFields.sortDate&amp;whitepapers-main.sort-order=desc">whitepapers</a> like <a href="https://docs.aws.amazon.com/wellarchitected/latest/framework/wellarchitected-framework.pdf#welcome">Well Architected Framework</a> and <a href="https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Checklist.pdf?did=wp_card&amp;trk=wp_card">AWS Security Checklist</a> and gained a wealth of knowledge I wouldn't have obtained otherwise because I <em>thought I knew</em> what I was doing and I would never have taken the time to dive deeper into AWS.</p> <h2> A new understanding </h2> <p>Within one week of starting my revision, I knew several things:</p> <ul> <li>I wasn't ready to do the exam anytime soon</li> <li>I had deployed poor or insecure architecture</li> <li>I was eager to apply my new found knowledge and understanding almost immediately</li> </ul> <p>Around this time I started to see the real value in what I was training myself for. See, my original intention was to get the certification just to look good on my resume and I really thought I'd only need about two weeks to prepare for the test (after all, I had used AWS for quite a while). I ended up using about 5 weeks in total for preparation (usually more than 7 hours a day). I also took two video courses to supplement my knowledge (one from <a href="https://acloud.guru">ACloud Guru</a> and one from <a href="https://www.udemy.com/course/aws-solutions-architect-professional/#instructor-1">Stephane Maarek</a>)</p> <p>This is not to frighten/discourage you. Most people who attempt the test with good preparation WILL pass. But the point of this post is to shed light on the value studying for this kind of exam will bring in your DevOps/Cloud journey beyond the certification itself. A lot of the knowledge I gained from SAA-C02 can easily be applied to other cloud providers such as Azure and GCP. Their services may have different names and may be slightly different in their capabilities and functionality but the core principles of deploying robust, highly scalable, highly available, fault tolerant, disaster tolerant and manageable cloud infrastructure still apply.</p> <p>It's been about 8 months since I did my test and while it has helped my profile gain more notice in the DevOps hiring space, the greater gift is the expanded knowledge that I'm utilizing in my daily DevOps life of writing good Infrastructure as Code and managing existing cloud infrastructure. It makes me much more confident in whatever I'm doing inside AWS. </p> <h2> Conclusion: Bite the bullet </h2> <p>So if you are a:</p> <ul> <li>DevOps Engineer</li> <li>Software Engineer</li> <li>Full-stack Developer</li> <li>Web Developer</li> <li>CTO</li> <li>Principal Tech Lead</li> <li>Curious noob who wants to be any of the above </li> <li>or even an AWS employee who has to interact with AWS services a lot </li> </ul> <p>then the certification is definitely worth <strong>studying for</strong> and obtaining.</p> <p><strong>But don't do it for the wrong reasons</strong> i.e. its a hot commodity that everyone talks about constantly, <em>so you must have it</em>. The certification itself is a nice to have and does look good on your profile/resume/CV and will open more doors for you, but the deeper understanding of how AWS and similar cloud providers works is much more valuable. You will forego years of trial and error experience by learning so many essentials in one fell swoop.</p> <p>If you would like more information about how to start this journey towards certification or any other general questions, send me a message here, on <a href="https://twitter.com/emmanuel_n_k">Twitter</a> or on <a href="https://www.linkedin.com/in/emmanuel-nsubuga-kyeyune/">LinkedIn</a> .</p> <p>Hi I'm <a href="https://emmanuelnk.com">Emmanuel</a>! I write about Software and DevOps.</p> <p>I will be writing a series on AWS CDK, Terraform and other great deployment tools and what many lessons I've learned from them.</p> <p>If you liked this article and want to see more, add me on <a href="https://www.linkedin.com/in/emmanuel-nsubuga-kyeyune/">LinkedIn</a> or follow me on <a href="https://twitter.com/emmanuel_n_k">Twitter</a></p> aws certification devops cloudskills Using sudo without password prompt as non-root docker user Emmanuel K Tue, 17 Nov 2020 06:50:43 +0000 https://dev.to/emmanuelnk/using-sudo-without-password-prompt-as-non-root-docker-user-52bg https://dev.to/emmanuelnk/using-sudo-without-password-prompt-as-non-root-docker-user-52bg <p>Follow me on twitter: <a href="https://twitter.com/emmanuel_n_k">emmanuelnk</a> </p> <blockquote> <p>WARNING: This is generally considered NOT SECURE and thus do not use the methods in this article in a production container.</p> </blockquote> <p>I have a particular use case that justifies this usage. Now you can read on.</p> <p>Recently I wrote a pure bash menu program that has install scripts for various Ubuntu software I use. This is to allow me to reproduce my dev environment as fast as possible on a new Ubuntu installation.</p> <p>I want to release this program as an open source tool and for that reason it needs testing and CI. Docker is perfect for this. Except for one thing. Most docker images use user <code>root</code> to execute commands. This is fine for most intent and purposes. But to appropriately test my program, I would need to be a non-root user inside the docker container.</p> <h1> Changing the root user </h1> <p>This is trivial and actually quite common in Dockerfiles. By default, most docker images, including <code>ubuntu:latest</code> have <code>USER</code> set to <code>root</code>. This can be changed by creating a new user in a <code>Dockerfile</code> by:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">RUN </span>useradd <span class="nt">-ms</span> /bin/bash newuser <span class="c"># where</span> <span class="c"># -m -&gt; Create the user's home directory</span> <span class="c"># -s /bin/bash -&gt; Set as the user's </span> <span class="c"># default shell</span> <span class="k">USER</span><span class="s"> newuser</span> </code></pre> </div> <p>This will create a <code>newuser</code> without root privileges to run commands in the container. <br> NB: You can add <code>&amp;&amp; echo 'pa55w0rd' | chpasswd</code> right after the <code>useradd</code> to set a password.</p> <p>For my use case, I need the password disabled and I need to NOT be prompted for a password when using <code>sudo</code> command. Now you may be asking, why would someone want to do this?</p> <p>Well if you're using docker in CI and need to test certain commands being run as a regular user then this is the way. For example, on my machine, I am the <code>USER=emmanuel</code>. I don't have root privileges and when I need to install something, I do <code>sudo apt-get install</code> and enter my password to give me su access.</p> <p>For my project, I'm trying to test install scripts as a regular user and thus these scripts use <code>sudo</code> and variables such as <code>$HOME</code> a lot (<code>$HOME</code> for <code>root</code> is <code>/root</code>). Hence using the default that most docker images have, programs would not install in the correct locations or not install correctly at all. This is not good.</p> <p>Anyway, enought talking. This is what my <code>Dockerfile</code> looks like to accomplish this. Explanations in the comments.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Get latest official Ubuntu image</span> <span class="k">FROM</span><span class="s"> ubuntu</span> <span class="c"># ubuntu:latest does not have sudo</span> <span class="c"># fetch it and install it</span> <span class="k">RUN </span>apt-get update <span class="o">&amp;&amp;</span> apt-get <span class="nb">install</span> <span class="nt">-y</span> <span class="nb">sudo</span> <span class="c"># Create new user `docker` and disable </span> <span class="c"># password and gecos for later</span> <span class="c"># --gecos explained well here:</span> <span class="c"># https://askubuntu.com/a/1195288/635348</span> <span class="k">RUN </span>adduser <span class="nt">--disabled-password</span> <span class="se">\ </span><span class="nt">--gecos</span> <span class="s1">''</span> docker <span class="c"># Add new user docker to sudo group</span> <span class="k">RUN </span>adduser docker <span class="nb">sudo</span> <span class="c"># Ensure sudo group users are not </span> <span class="c"># asked for a password when using </span> <span class="c"># sudo command by ammending sudoers file</span> <span class="k">RUN </span><span class="nb">echo</span> <span class="s1">'%sudo ALL=(ALL) NOPASSWD:ALL'</span> <span class="o">&gt;&gt;</span> <span class="se">\ </span>/etc/sudoers <span class="c"># now we can set USER to the </span> <span class="c"># user we just created</span> <span class="k">USER</span><span class="s"> docker</span> <span class="c"># we can now run sudo commands </span> <span class="c"># as non-root user `docker` without</span> <span class="c"># password prompt</span> <span class="k">RUN </span><span class="nb">sudo </span>apt-get update <span class="k">WORKDIR</span><span class="s"> /home/docker/src</span> <span class="k">COPY</span><span class="s"> . .</span> </code></pre> </div> <p>That's it. Thanks!</p> <p>If you have suggestions, improvements or want to correct me, let me know in the comments! </p> <p>If this helped you out, follow me on twitter: <a href="https://twitter.com/emmanuel_n_k">emmanuelnk</a></p> docker ubuntu sudo dockerfile Local Python Module imports when using virtualenv Emmanuel K Sun, 15 Nov 2020 07:49:44 +0000 https://dev.to/emmanuelnk/local-python-module-imports-when-using-virtualenv-1ke https://dev.to/emmanuelnk/local-python-module-imports-when-using-virtualenv-1ke <p>Importing modules in python3 can be unnecessarily confusing, especially when using virtualenv</p> <p>Suppose you have this file structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.env test.py cool_modules |--__init__.py |--cool_module1.py |--cool_module2.py </code></pre> </div> <p>To prevent import errors while using virtualenv <code>.env</code>:</p> <p>cool_module1.py:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">CoolModule1</span><span class="p">():</span> <span class="bp">...</span> </code></pre> </div> <p>cool_module2.py:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">CoolModule2</span><span class="p">():</span> <span class="bp">...</span> </code></pre> </div> <p>Here's the critical part. <br> <strong>init</strong>.py:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># The part to note here is you have to use `parent_folder.child_file` </span><span class="kn">from</span> <span class="n">cool_modules.cool_module1</span> <span class="kn">import</span> <span class="n">CoolModule1</span> <span class="kn">from</span> <span class="n">cool_modules.cool_module2</span> <span class="kn">import</span> <span class="n">CoolModule2</span> </code></pre> </div> <p>test.py:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">cool_modules</span> <span class="kn">import</span> <span class="n">CoolModule1</span><span class="p">,</span> <span class="n">CoolModule2</span> </code></pre> </div> <p>That's it!</p> <p>If this helped you out, follow me on Twitter: <a href="https://twitter.com/emmanuel_n_k">emmanuel_n_k</a></p>