-
Notifications
You must be signed in to change notification settings - Fork 20
AWS Deployment Guide
-
Install the AWS CLI
-
In the IAM Management section of AWS, create a user called
ECR_BUILDER
with programatic access only.- Attach the
AmazonEC2ContainerRegistryPowerUser
policy to the user. - Create and save the user's credentials to
~/.aws/credentials
- Attach the
-
Create an Elastic Container Registry using the most up-to-date AWS Documentation
-
Note down the repository URI, and set it as an environment variable called
REPOSITORY_URI
-
Run
build_ecs.sh
in the root directory to build and save your deployment docker images to AWS
- In the S3 Management console, create a new bucket called
ctp-prod-secrets
. Make sure the bucket has no public access - In the IAM Management section of AWS, create a policy that provides read access to the secrets bucket. The following JSON policy will achieve this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::ctp-prod-secrets"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:PutObjectAcl",
"s3:ListObject"
],
"Resource": "arn:aws:s3:::ctp-prod-secrets/*"
}
]
}
- Create a new roll called
EC2_WITH_SECRETS_ACCESS
, and attach the policy you created.
-
Install the AWS EB CLI.
-
In the root directory, run
eb create
.- Suggested name is blockchain-app-[Deployment_name]
- Enter DNS CNAME prefix - Default
- Choose application load balancer
-
Confirm that the environment was created successfully (endpoint will not work yet).
-
Navigate to the elastic beanstalk configuration page and under the "modify software" subsection, create an environment variable called
DEPLOYMENT_NAME
with value[Deployment_name]
, for exampleacme
. -
In your config file set the APP_HOST to the url of the new instance, including http://
-
Navigate to the EC2 console, select the instance and note down the instance id
-
Note down the security group for the NON load balancer.
-
For the instance select modify, and choose ‘Attach/replace IAM role’. Apply
EC2_WITH_SECRETS_ACCESS
-
In the EC2 sidebar, select load balancers, find the load balancer with the matching instance id
-
Under listeners, choose edit and then add an https listener with a
*.[your_domain]
ssl cert -
Forward incoming traffic to the same target group used for http traffic.
-
Add the https port to the load balancer security group.
-
In route 53, point an A record alias to the new endpoint.
-
In RDS, launch a postgres instance
-
Choose a medium for production (anything smaller will crash on bulk disbursements).
-
Set the instance identifier to sempo-[deployment]
-
Set a username to admin_[deployment]
-
Set a password. Make sure you choose something with plenty of entropy, and don't forget it!
-
Set the security group to the one noted in Create Application and Worker
-
Set the database to be publicly accessible (we use this temporarily for setup)
-
Launch
-
Once launched, record down the endpoint name.
-
Navigate to elasticache
-
Select Create Cluster
-
Select Redis
-
Name sempo-[deployment]
-
Add the instance to the security group noted down in Create Application and Worker
-
Launch
-
Once launched, record the primary endpoint
- With the security group noted in Create Application and Worker, note the group id
- Open up inbound ports for postgres (5432) redis (6379), http (80) with the source being the security group’s own id
- Open up an an inbound port for postres (5432) pointing to your local IP
- Log into the RDS Server using your chosen credentials (the host is the rds endpoint) and preferred interface (such as PGADMIN or PSQL)
- Create a database called
app
- Create a database called
eth_worker
- Set the RDS to no longer be publicly accessible
- Remove your IP from the security group
Sempo uses three types of .ini files to configure the platform and store secrets.
-
common secrets
files are used to store secrets that may be used across more than one deployment, such as keys for third-party services -
specific secrets
files are used to store secrets that change on a per-deployment basis, such as database passwords, and third-party project IDs. -
specific config
files are used to less sensitive settings that change on a per-deployment basis, such as contract blockchain addresses.
Templates for all three types of files can be found in /config_files/templates
.
The common secrets file should be named common_secrets.ini
, while specific secrets and configs files should follow the following patterns:
- Secrets:
[deployment_name]_secrets.ini
for exampleacme_secrets.ini
. - Config:
[deployment_name]_config.ini
for exampleacme_config.ini
.
The platform will run with limited functionality with most of common secrets
empty.
In order to quickly generate the necessary secrets to launch the platform, /config_files/generate_dev_test_secrets.py
can be helpful, as it will create randomly seeded keys as required.
For reasonable general settings for specific config
files, see /config_files/public/local_config.ini
-
For the
specific config
file, set:-
[APP] deployment_name
to the deployment name, for exampleacme
-
[DATABASE] host
to the RDS endpoint name noted down -
[DATABASE] database
toapp
-
[DATABASE] eth_database
toeth_worker
-
[REDIS] uri
to the primary redis endpoint recorded -
[ETHEREUM] http_provider
to an http RPC endpoint (you can easily obtain one from infura) -
[ETHEREUM] contract_address
to the address of the ERC20 token that you wish to use as the base reserve
-
-
For the
specific secrets
file, set:-
[DATABASE] password
to the database password noted down -
[DATABASE] user
topostgres
-
-
For the
common secrets
file, set the AWSses_key_id
andses_secret
to keys obtained for Amazon SES -
Upload the configs and secrets files to your secret bucket
- In the AWS Elastic Beanstalk console for your app, select
actions > Restart App Servers
to apply the new configs and secrets - After the app has rebooted, Navigate to the elastic beanstalk configuration page and under the "Capacity" subsection, set the EC2 instance type to
t2.medium
. - The app should now function as expected!