[WIP] Improve Tasking Manager Cloudformation template #5471
Conversation
The most important enhancement is to remove soon-to-be deprecated LaunchConfiguration pieces and replace with LaunchTemplates - Parameterise several values previously hardcoded in the template - AMI ID - Backend instance type - Load balancer TLS Policy - DNS Zone ID - Rename some parameters to reflect their meaning better - Improve parameter types to make validation easier - Add secrets to AWS Secrets Manager and add their ARN tail as params - DB credentials - SMTP credentials - OAuth2 credentials - TM Secret - Remove parameters replaced by Secrets Manager entries - Simplify condition names - Remove Launch Configuration and replace with Launch Templates - Move package install from user-data to Metadata section
eternaltyro
added
type: enhancement
|
@AfiMaameDufie @dakotabenjamin There seems to be something wrong with the template in that the LaunchTemplate is "deleted" immediately after its created. Then the deployment fails with the AutoScalingGroup complaining that the referenced Launch Template is "not found". I am not sure if the LaunchTemplate is "deleted" or if the creation fails. Either way, we need to look into why this happens. My suspicion is that the |
There was a problem hiding this comment.
Had a look at the file in general then the Launch Template and the metadata specifically. Things look as it should. I also doubt that its an authorization issue. Could it be the AZ or region? Any errors or logs I can reference? @eternaltyro
|
Well, this is embarrassing. Apparently, |
| 'export LC_CTYPE="en_US.UTF-8"', | ||
| 'dpkg-reconfigure --frontend=noninteractive locales', | ||
| 'sudo apt-get -y update', | ||
| 'sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" dist-upgrade', |
There was a problem hiding this comment.
Is it advisable to run dist-upgrade?
There was a problem hiding this comment.
No it's not. Will fix.
- [MISC] Move default backend instance type to t3.small
- [MISC] Add us-east-1e to AZ list
- [ENHANCE] Upgrade PostgreSQL version to 13.x
- [ENHANCE] Create a parameter group and assign to RDS instance based on
parameter group family
- [MISC] Move default datase instance type to db.t4g.xlarge
- [MISC] Rename Parameters to make them more meaningful
- [ENHANCE] Fix names of resources - instead of using cf.stackName, use a simpler
one.
- [FIX] Switch to LaunchTemplateId from LaunchTemplateName
- [ENHANCE] Parameterize disk size, snapshot retention period, etc.,
based on IsProduction condition
- [SECURITY] Add a more restricted S3 Bucket Policy for frontend bucket
- [ENHANCE] Add an Origin Access Control policy to CloudFront
- [ENHANCE] Add a custom cache policy to CloudFront
- [ENHANCE] Better defaults for CloudFront distribution
- Enable http2
- Enable IPV6
- Add Route53 Recordset Group instead of a standalone RecordSet
to add both A records and AAA records
- Upgraded TLS Protocol Version option
The issue: If CloudFront needs to connect to S3 - We add an S3Origin. However, if the S3 bucket is configured as a website, it needs to be considered a custom origin. And custom origins can't have OriginAccessControl. The Solution: Removed Origin Access Control.
|
@dakotabenjamin @AfiMaameDufie With the latest push, I have fixed almost all problems with CloudFormation and the infra. I will now have to validate everything about the new infra that has been created in my test. |
- User data needed python to be installed in order to get cfn-init to work. Fixed that. - Cloud init scripts are run as root by default. so removed sudo
|
SonarCloud Quality Gate failed.
|
The most important enhancement is to remove soon-to-be deprecated LaunchConfiguration pieces and replace with LaunchTemplates