Add followers to AWS Cluster demo

conjurdemos · Mar 12, 2019 · 39a419a · 39a419a
1 parent d085650
commit 39a419a
Show file tree

Hide file tree

Showing 5 changed files with 170 additions and 3 deletions.
diff --git a/demos/aws-cluster/1.1_init_followers b/demos/aws-cluster/1.1_init_followers
@@ -0,0 +1,64 @@
+#!/bin/bash -eux
+
+: ${SSH_KEY_FILE?"Need to set SSH_KEY_FILE"}
+
+source bin/lib/aws_context
+source bin/lib/conjur_context
+
+SEED_DIR="./tmp/conjur/seeds"
+
+function create_follower_seed() {
+  local filename=$1
+
+  mkdir -p $SEED_DIR
+
+  # Create Follower Seed
+  ssh -i "$SSH_KEY_FILE" \
+    -o "StrictHostKeyChecking no" \
+    core@$MASTER_1_PUBLIC /bin/bash << EOF
+    docker exec conjur-appliance bash -c " \
+      evoke seed follower "$LB_FOLLOWER_DNS" "$LB_DNS" > "/opt/conjur/backup/$filename"
+    "
+EOF
+
+  # Copy seed to host
+  scp -i "$SSH_KEY_FILE" \
+    -o "StrictHostKeyChecking no" \
+    "core@$MASTER_1_PUBLIC:/opt/conjur/backup/$filename" \
+    "$SEED_DIR/$filename"
+}
+
+function configure_follower() {
+  local follower_public=$1
+  local filename=$2
+
+  # Copy seed
+  scp -i "$SSH_KEY_FILE" \
+    -o "StrictHostKeyChecking no" \
+    "$SEED_DIR/$filename" \
+    "core@$follower_public:~/$filename"
+
+  # Configure node
+  ssh -i "$SSH_KEY_FILE" \
+    -o "StrictHostKeyChecking no" \
+    core@$follower_public /bin/bash << EOF
+    sudo mv "\$HOME/$filename" "/opt/conjur/backup/$filename"
+    
+    docker exec conjur-appliance \
+      evoke unpack seed "/opt/conjur/backup/$filename"
+
+    docker exec conjur-appliance \
+      evoke configure follower
+EOF
+}
+
+function configure_followers() {
+  for follower in $FOLLOWERS_PUBLIC; do 
+    echo "Configuring follower on '$follower'..."
+    configure_follower "$follower" "follower-seed.tar"
+  done
+}
+
+create_follower_seed "follower-seed.tar"
+
+configure_followers
diff --git a/demos/aws-cluster/1_init_cluster b/demos/aws-cluster/1_init_cluster
@@ -17,6 +17,9 @@ function configure_master() {
       --master-altnames "$LB_DNS,$MASTER_2_PRIVATE,$MASTER_3_PRIVATE" \
       -p "$CONJUR_ADMIN_PASSWORD" \
       "$CONJUR_ACCOUNT"
+
+    docker exec conjur-appliance \
+      evoke ca issue --force $LB_FOLLOWER_DNS
 EOF
 }
 

diff --git a/demos/aws-cluster/README.md b/demos/aws-cluster/README.md
@@ -92,8 +92,11 @@ To initially install the cluster:
     Successful Health Checks: 10
     ```
 
-4. Deploy a Follower in AWS
-    > TBD
+4. (Optional) Deploy Followers in AWS
+    To also configure followers with the cluster, run the command:
+    ```
+    $ ./1.1_init_followers
+    ```
 
 
 ## HA Scenarios

diff --git a/demos/aws-cluster/bin/lib/aws_context b/demos/aws-cluster/bin/lib/aws_context
@@ -3,6 +3,9 @@
 export LB_DNS_DEFAULT=$(terraform output conjur_master_lb_public)
 export LB_DNS="${LB_DNS:-${LB_DNS_DEFAULT}}"
 
+export LB_FOLLOWER_DNS_DEFAULT=$(terraform output conjur_follower_lb_public)
+export LB_FOLLOWER_DNS="${LB_FOLLOWER_DNS:-${LB_FOLLOWER_DNS_DEFAULT}}"
+
 export MASTER_1_PRIVATE=$(terraform output -json conjur_master_nodes_private | jq -r '.value[0]')
 export MASTER_1_PUBLIC=$(terraform output -json conjur_master_nodes_public | jq -r '.value[0]')
 
@@ -11,3 +14,6 @@ export MASTER_2_PUBLIC=$(terraform output -json conjur_master_nodes_public | jq
 
 export MASTER_3_PRIVATE=$(terraform output -json conjur_master_nodes_private | jq -r '.value[2]')
 export MASTER_3_PUBLIC=$(terraform output -json conjur_master_nodes_public | jq -r '.value[2]')
+
+# Follower public DNS address, 1 per line
+export FOLLOWERS_PUBLIC=$(terraform output -json conjur_follower_nodes_public | jq -r '.value | .[]')
diff --git a/demos/aws-cluster/main.tf b/demos/aws-cluster/main.tf
@@ -77,6 +77,7 @@ resource "aws_security_group" "lb" {
   }
 }
 
+# Load balancer for master cluster
 resource "aws_elb" "lb" {
   name = "${var.resource_prefix}conjur-ha-lb"
 
@@ -120,6 +121,34 @@ resource "aws_elb" "lb" {
   }
 }
 
+# Load balancer for followers
+resource "aws_elb" "follower_lb" {
+  name = "${var.resource_prefix}conjur-ha-follower-lb"
+
+  subnets             = ["${data.aws_subnet.subnet.*.id}"]
+  security_groups     = ["${aws_security_group.lb.id}"]
+
+  # API and UI
+  listener {
+    instance_port     = 443
+    instance_protocol = "tcp"
+    lb_port           = 443
+    lb_protocol       = "tcp"
+  }
+
+  health_check {
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
+    timeout             = 3
+    target              = "HTTPS:443/health"
+    interval            = 30
+  }
+
+  tags = {
+    Name = "${var.resource_prefix}conjur-ha-follower-lb"
+  }
+}
+
 #############################################
 # 3-Node Master Cluster Config
 #############################################
@@ -188,6 +217,60 @@ resource "aws_elb_attachment" "lb_nodes" {
   instance = "${element(aws_instance.conjur_master_node.*.id, count.index)}"
 }
 
+#############################################
+# Follower config
+#############################################
+
+# Security Group for Node Instances
+resource "aws_security_group" "follower_node" {
+  name        = "${var.resource_prefix}conjur-ha-follower-node"
+  description = "Allow Conjur Follower Node Traffic"
+  vpc_id      = "${var.vpc_id}"
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "6"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "6"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    cidr_blocks     = ["0.0.0.0/0"]
+  }
+}
+
+# Instances
+resource "aws_instance" "conjur_follower_node" {
+  count                   = 2
+
+  ami                     = "${var.ami_id}"
+  instance_type           =  "m4.large"
+  availability_zone       = "${element(var.availability_zones, count.index)}"
+  subnet_id               = "${element(data.aws_subnet.subnet.*.id, count.index)}"
+  key_name                = "${var.key_name}"
+  vpc_security_group_ids  = ["${aws_security_group.follower_node.id}"]
+
+  tags = {
+    Name                  = "${var.resource_prefix}conjur-follower-${count.index + 1}"
+  }
+}
+
+resource "aws_elb_attachment" "follower_lb_nodes" {
+  count     = "${aws_instance.conjur_follower_node.count}"
+  elb      = "${aws_elb.follower_lb.id}"
+  instance = "${element(aws_instance.conjur_follower_node.*.id, count.index)}"
+}
+
 #############################################
 # Outputs
 #############################################
@@ -196,10 +279,18 @@ output "conjur_master_lb_public" {
   value = "${aws_elb.lb.dns_name}"
 }
 
+output "conjur_follower_lb_public" {
+  value = "${aws_elb.follower_lb.dns_name}"
+}
+
 output "conjur_master_nodes_public" {
   value = "${aws_instance.conjur_master_node.*.public_dns}"
 }
 
 output "conjur_master_nodes_private" {
   value = "${aws_instance.conjur_master_node.*.private_dns}"
-}
+}
+
+output "conjur_follower_nodes_public" {
+  value = "${aws_instance.conjur_follower_node.*.public_dns}"
+}