-
Notifications
You must be signed in to change notification settings - Fork 20
AWS Deployment Guide
TODO
-
Install the AWS EB CLI. Then, in the root directory, run
eb create
.- Suggested name is blockchain-app-[Deployment_name]
- Enter DNS CNAME prefix - Default
- Choose application load balancer
-
Confirm that the environment was created successfully (endpoint will not work yet).
-
Go to elastic beanstalk config > modify software and create an environment variable called
DEPLOYMENT_NAME
with value[Deployment_name]
, for exampleacme
. -
In your config file set the APP_HOST to the url of the new instance, including http://
-
Navigate to the EC2 console, select the instance and note down the instance id
-
Note down the security group for the NON load balancer.
-
For the instance select modify, and choose ‘Attach/replace IAM role’. Apply
EC2_WITH_SECRETS_ACCESS
-
In the EC2 sidebar, select load balancers, find the load balancer with the matching instance id
-
Under listeners, choose edit and then add an https listener with a
*.[your_domain]
ssl cert -
Forward incoming traffic to the same target group used for http traffic.
-
Add the https port to the load balancer security group.
-
In route 53, point an A record alias to the new endpoint.
-
In RDS, launch a postgres instance
-
Choose a medium for production (anything smaller will crash on bulk disbursements).
-
Set the instance identifier to sempo-[deployment]
-
Set a username to admin_[deployment]
-
Set a password. Make sure you choose something with plenty of entropy, and don't forget it!
-
Set the security group to the one noted in Create Application and Worker
-
Set the database to be publicly accessible (we use this temporarily for setup)
-
Launch
-
Once launched, record down the endpoint name.
-
Navigate to elasticache
-
Select Create Cluster
-
Select Redis
-
Name sempo-[deployment]
-
Add the instance to the security group noted down in Create Application and Worker
-
Launch
-
Once launched, record the primary endpoint
- With the security group noted in Create Application and Worker, note the group id
- Open up inbound ports for postgres (5432) redis (6379), http (80) with the source being the security group’s own id
- Open up an an inbound port for postres (5432) pointing to your local IP
- Log into the RDS Server using your chosen credentials (the host is the rds endpoint) and preferred interface (such as PGADMIN or PSQL)
- Create a database called
app
- Create a database called
eth_worker
- Set the RDS to no longer be publicly accessible
- Remove your IP from the security group
Sempo uses three types of .ini files to configure the platform and store secrets.
-
common secrets
files are used to store secrets that may be used across more than one deployment, such as keys for third-party services -
specific secrets
files are used to store secrets that change on a per-deployment basis, such as database passwords, and third-party project IDs. -
specific config
files are used to less sensitive settings that change on a per-deployment basis, such as contract blockchain addresses.
Templates for all three types of files can be found in /config_files/templates
.
The common secrets file should be named common_secrets.ini
, while specific secrets and configs files should follow the following patterns:
- Secrets:
[deployment_name]_secrets.ini
for exampleacme_secrets.ini
. - Config:
[deployment_name]_config.ini
for exampleacme_config.ini
.
The platform will run with limited functionality with most of common secrets
empty.
In order to quickly generate the necessary secrets to launch the platform, /config_files/generate_dev_test_secrets.py
can be helpful, as it will create randomly seeded keys as required.
For reasonable general settings for specific config
files, see /config_files/public/local_config.ini
-
For the
specific config
file, set:-
[APP] deployment_name
to the deployment name, for exampleacme
-
[DATABASE] host
to the RDS endpoint name noted down -
[DATABASE] database
toapp
-
[DATABASE] eth_database
toeth_worker
-
[REDIS] uri
to the primary redis endpoint recorded -
[ETHEREUM] http_provider
to an http RPC endpoint (you can easily obtain one from infura) -
[ETHEREUM] contract_address
to the address of the ERC20 token that you wish to use as the base reserve
-
-
For the
specific secrets
file, set:-
[DATABASE] password
to the database password noted down -
[DATABASE] user
topostgres
-
-
For the
common secrets
file, set the AWSses_key_id
andses_secret
to keys obtained for Amazon SES -
Upload the configs and secrets files to your secret bucket
-
Reboot the app. You should now be able to create an account