Skip to content

AWS Deployment Guide

Jump to bottom
Nick Williams edited this page Mar 26, 2020 · 19 revisions

Create an S3 bucket to store secrets:

TODO

Create Application and Worker:

  1. Install the AWS EB CLI. Then, in the root directory, run eb create.

    • Suggested name is blockchain-app-[Deployment_name]
    • Enter DNS CNAME prefix - Default
    • Choose application load balancer

  2. Confirm that the environment was created successfully (endpoint will not work yet).

  3. Go to elastic beanstalk config > modify software and create an environment variable called DEPLOYMENT_NAME with value [Deployment_name], for example acme.

  4. In your config file set the APP_HOST to the url of the new instance, including http://

  5. Navigate to the EC2 console, select the instance and note down the instance id

  6. Note down the security group for the NON load balancer.

  7. For the instance select modify, and choose ‘Attach/replace IAM role’. Apply EC2_WITH_SECRETS_ACCESS

  8. In the EC2 sidebar, select load balancers, find the load balancer with the matching instance id

  9. Under listeners, choose edit and then add an https listener with a *.[your_domain] ssl cert

  10. Forward incoming traffic to the same target group used for http traffic.

  11. Add the https port to the load balancer security group.

  12. In route 53, point an A record alias to the new endpoint.

Create SQL Database

  1. In RDS, launch a postgres instance

  2. Choose a medium for production (anything smaller will crash on bulk disbursements).

  3. Set the instance identifier to sempo-[deployment]

  4. Set a username to admin_[deployment]

  5. Set a password. Make sure you choose something with plenty of entropy, and don't forget it!

  6. Set the security group to the one noted in Create Application and Worker

  7. Set the database to be publicly accessible (we use this temporarily for setup)

  8. Launch

  9. Once launched, record down the endpoint name.

Set up Redis Message Broker

  1. Navigate to elasticache

  2. Select Create Cluster

  3. Select Redis

  4. Name sempo-[deployment]

  5. Add the instance to the security group noted down in Create Application and Worker

  6. Launch

  7. Once launched, record the primary endpoint

Set up security group

  1. With the security group noted in Create Application and Worker, note the group id
  2. Open up inbound ports for postgres (5432) redis (6379), http (80) with the source being the security group’s own id
  3. Open up an an inbound port for postres (5432) pointing to your local IP

Create database tables

  1. Log into the RDS Server using your chosen credentials (the host is the rds endpoint) and preferred interface (such as PGADMIN or PSQL)
  2. Create a database called app
  3. Create a database called eth_worker
  4. Set the RDS to no longer be publicly accessible
  5. Remove your IP from the security group

Create config and secrets files:

A Note on configs and secrets

Sempo uses three types of .ini files to configure the platform and store secrets.

  • common secrets files are used to store secrets that may be used across more than one deployment, such as keys for third-party services
  • specific secrets files are used to store secrets that change on a per-deployment basis, such as database passwords, and third-party project IDs.
  • specific config files are used to less sensitive settings that change on a per-deployment basis, such as contract blockchain addresses.

Templates for all three types of files can be found in /config_files/templates. The common secrets file should be named common_secrets.ini, while specific secrets and configs files should follow the following patterns:

  • Secrets: [deployment_name]_secrets.ini for example acme_secrets.ini.
  • Config: [deployment_name]_config.ini for example acme_config.ini.

The platform will run with limited functionality with most of common secrets empty. In order to quickly generate the necessary secrets to launch the platform, /config_files/generate_dev_test_secrets.py can be helpful, as it will create randomly seeded keys as required.

For reasonable general settings for specific config files, see /config_files/public/local_config.ini

For deployment

  1. For the specific config file, set:

    • [APP] deployment_name to the deployment name, for example acme
    • [DATABASE] host to the RDS endpoint name noted down
    • [DATABASE] database to app
    • [DATABASE] eth_database to eth_worker
    • [REDIS] uri to the primary redis endpoint recorded
    • [ETHEREUM] http_provider to an http RPC endpoint (you can easily obtain one from infura)
    • [ETHEREUM] contract_address to the address of the ERC20 token that you wish to use as the base reserve

  2. For the specific secrets file, set:

    • [DATABASE] password to the database password noted down
    • [DATABASE] user to postgres

  3. For the common secrets file, set the AWS ses_key_id and ses_secret to keys obtained for Amazon SES

  4. Upload the configs and secrets files to your secret bucket

Clone this wiki locally