diff --git a/demos/aws-cluster/1.1_init_followers b/demos/aws-cluster/1.1_init_followers new file mode 100755 index 00000000..9c817469 --- /dev/null +++ b/demos/aws-cluster/1.1_init_followers @@ -0,0 +1,64 @@ +#!/bin/bash -eux + +: ${SSH_KEY_FILE?"Need to set SSH_KEY_FILE"} + +source bin/lib/aws_context +source bin/lib/conjur_context + +SEED_DIR="./tmp/conjur/seeds" + +function create_follower_seed() { + local filename=$1 + + mkdir -p $SEED_DIR + + # Create Follower Seed + ssh -i "$SSH_KEY_FILE" \ + -o "StrictHostKeyChecking no" \ + core@$MASTER_1_PUBLIC /bin/bash << EOF + docker exec conjur-appliance bash -c " \ + evoke seed follower "$LB_FOLLOWER_DNS" "$LB_DNS" > "/opt/conjur/backup/$filename" + " +EOF + + # Copy seed to host + scp -i "$SSH_KEY_FILE" \ + -o "StrictHostKeyChecking no" \ + "core@$MASTER_1_PUBLIC:/opt/conjur/backup/$filename" \ + "$SEED_DIR/$filename" +} + +function configure_follower() { + local follower_public=$1 + local filename=$2 + + # Copy seed + scp -i "$SSH_KEY_FILE" \ + -o "StrictHostKeyChecking no" \ + "$SEED_DIR/$filename" \ + "core@$follower_public:~/$filename" + + # Configure node + ssh -i "$SSH_KEY_FILE" \ + -o "StrictHostKeyChecking no" \ + core@$follower_public /bin/bash << EOF + sudo mv "\$HOME/$filename" "/opt/conjur/backup/$filename" + + docker exec conjur-appliance \ + evoke unpack seed "/opt/conjur/backup/$filename" + + docker exec conjur-appliance \ + evoke configure follower +EOF +} + +function configure_followers() { + for follower in $FOLLOWERS_PUBLIC; do + echo "Configuring follower on '$follower'..." + configure_follower "$follower" "follower-seed.tar" + done +} + +create_follower_seed "follower-seed.tar" + +configure_followers \ No newline at end of file diff --git a/demos/aws-cluster/1_init_cluster b/demos/aws-cluster/1_init_cluster index 490accbb..700e62e0 100755 --- a/demos/aws-cluster/1_init_cluster +++ b/demos/aws-cluster/1_init_cluster @@ -17,6 +17,9 @@ function configure_master() { --master-altnames "$LB_DNS,$MASTER_2_PRIVATE,$MASTER_3_PRIVATE" \ -p "$CONJUR_ADMIN_PASSWORD" \ "$CONJUR_ACCOUNT" + + docker exec conjur-appliance \ + evoke ca issue --force $LB_FOLLOWER_DNS EOF } diff --git a/demos/aws-cluster/README.md b/demos/aws-cluster/README.md index 8a1d9cdd..71e2f59b 100644 --- a/demos/aws-cluster/README.md +++ b/demos/aws-cluster/README.md @@ -92,8 +92,11 @@ To initially install the cluster: Successful Health Checks: 10 ``` -4. Deploy a Follower in AWS - > TBD +4. (Optional) Deploy Followers in AWS + To also configure followers with the cluster, run the command: + ``` + $ ./1.1_init_followers + ``` ## HA Scenarios diff --git a/demos/aws-cluster/bin/lib/aws_context b/demos/aws-cluster/bin/lib/aws_context index 09d23365..f8f80cd9 100644 --- a/demos/aws-cluster/bin/lib/aws_context +++ b/demos/aws-cluster/bin/lib/aws_context @@ -3,6 +3,9 @@ export LB_DNS_DEFAULT=$(terraform output conjur_master_lb_public) export LB_DNS="${LB_DNS:-${LB_DNS_DEFAULT}}" +export LB_FOLLOWER_DNS_DEFAULT=$(terraform output conjur_follower_lb_public) +export LB_FOLLOWER_DNS="${LB_FOLLOWER_DNS:-${LB_FOLLOWER_DNS_DEFAULT}}" + export MASTER_1_PRIVATE=$(terraform output -json conjur_master_nodes_private | jq -r '.value[0]') export MASTER_1_PUBLIC=$(terraform output -json conjur_master_nodes_public | jq -r '.value[0]') @@ -11,3 +14,6 @@ export MASTER_2_PUBLIC=$(terraform output -json conjur_master_nodes_public | jq export MASTER_3_PRIVATE=$(terraform output -json conjur_master_nodes_private | jq -r '.value[2]') export MASTER_3_PUBLIC=$(terraform output -json conjur_master_nodes_public | jq -r '.value[2]') + +# Follower public DNS address, 1 per line +export FOLLOWERS_PUBLIC=$(terraform output -json conjur_follower_nodes_public | jq -r '.value | .[]') diff --git a/demos/aws-cluster/main.tf b/demos/aws-cluster/main.tf index 65f3d7e6..dda0dda6 100644 --- a/demos/aws-cluster/main.tf +++ b/demos/aws-cluster/main.tf @@ -77,6 +77,7 @@ resource "aws_security_group" "lb" { } } +# Load balancer for master cluster resource "aws_elb" "lb" { name = "${var.resource_prefix}conjur-ha-lb" @@ -120,6 +121,34 @@ resource "aws_elb" "lb" { } } +# Load balancer for followers +resource "aws_elb" "follower_lb" { + name = "${var.resource_prefix}conjur-ha-follower-lb" + + subnets = ["${data.aws_subnet.subnet.*.id}"] + security_groups = ["${aws_security_group.lb.id}"] + + # API and UI + listener { + instance_port = 443 + instance_protocol = "tcp" + lb_port = 443 + lb_protocol = "tcp" + } + + health_check { + healthy_threshold = 2 + unhealthy_threshold = 2 + timeout = 3 + target = "HTTPS:443/health" + interval = 30 + } + + tags = { + Name = "${var.resource_prefix}conjur-ha-follower-lb" + } +} + ############################################# # 3-Node Master Cluster Config ############################################# @@ -188,6 +217,60 @@ resource "aws_elb_attachment" "lb_nodes" { instance = "${element(aws_instance.conjur_master_node.*.id, count.index)}" } +############################################# +# Follower config +############################################# + +# Security Group for Node Instances +resource "aws_security_group" "follower_node" { + name = "${var.resource_prefix}conjur-ha-follower-node" + description = "Allow Conjur Follower Node Traffic" + vpc_id = "${var.vpc_id}" + + ingress { + from_port = 443 + to_port = 443 + protocol = "6" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + from_port = 22 + to_port = 22 + protocol = "6" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} + +# Instances +resource "aws_instance" "conjur_follower_node" { + count = 2 + + ami = "${var.ami_id}" + instance_type = "m4.large" + availability_zone = "${element(var.availability_zones, count.index)}" + subnet_id = "${element(data.aws_subnet.subnet.*.id, count.index)}" + key_name = "${var.key_name}" + vpc_security_group_ids = ["${aws_security_group.follower_node.id}"] + + tags = { + Name = "${var.resource_prefix}conjur-follower-${count.index + 1}" + } +} + +resource "aws_elb_attachment" "follower_lb_nodes" { + count = "${aws_instance.conjur_follower_node.count}" + elb = "${aws_elb.follower_lb.id}" + instance = "${element(aws_instance.conjur_follower_node.*.id, count.index)}" +} + ############################################# # Outputs ############################################# @@ -196,10 +279,18 @@ output "conjur_master_lb_public" { value = "${aws_elb.lb.dns_name}" } +output "conjur_follower_lb_public" { + value = "${aws_elb.follower_lb.dns_name}" +} + output "conjur_master_nodes_public" { value = "${aws_instance.conjur_master_node.*.public_dns}" } output "conjur_master_nodes_private" { value = "${aws_instance.conjur_master_node.*.private_dns}" -} \ No newline at end of file +} + +output "conjur_follower_nodes_public" { + value = "${aws_instance.conjur_follower_node.*.public_dns}" +}