-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathec2.yaml
257 lines (256 loc) · 13.1 KB
/
ec2.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
Parameters:
ParentVPCStack:
Description: 'Stack name of parent VPC stack based on vpc/vpc-*azs.yaml template.'
Type: String
Default: Helder-VPC
KeyPair:
Description: Keypair to connect to the EC2 instance
Type: String
Default: admin
InstanceSize:
Description: Instance Size
Type: String
Default: t2.medium
BucketName:
Description: Name of the Bucket
Type: String
Default: awx-backup
Resources:
AWXBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Join [ '-', [!Ref BucketName, !Select [0, !Split ["-", !Select [2, !Split ["/" , !Ref "AWS::StackId"]]]]]]
LifecycleConfiguration:
Rules:
- ExpirationInDays: 60
Status: Enabled
Transition:
StorageClass: GLACIER
TransitionInDays: 14
S3AWXIAMRole:
Type: "AWS::IAM::Role"
Properties:
RoleName: !Join [ '-', [S3AWXIAMRole, !Select [0, !Split ["-", !Select [2, !Split ["/" , !Ref "AWS::StackId"]]]]]]
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- "ec2.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
AWXS3Policy:
Type: AWS::IAM::Policy
Properties:
PolicyName: !Join [ '-', [AWXS3Policy, !Select [0, !Split ["-", !Select [2, !Split ["/" , !Ref "AWS::StackId"]]]]]]
Roles:
-
Ref: "S3AWXIAMRole"
PolicyDocument:
Statement:
- Effect: Allow
Action: ['s3:*']
Resource: !Join [ '', ['arn:aws:s3:::', !Ref AWXBucket] ]
IAMS3AWXnstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: "/"
Roles:
-
Ref: "S3AWXIAMRole"
AWXSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Web server
GroupName: !Join [ '-', [AWXSecurityGroup, !Select [0, !Split ["-", !Select [2, !Split ["/" , !Ref "AWS::StackId"]]]]]]
VpcId: {'Fn::ImportValue': !Sub '${ParentVPCStack}-VPC'}
# VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 8080
ToPort: 8080
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 443
ToPort: 443
CidrIp: 0.0.0.0/8
AWXInstance:
Type: AWS::EC2::Instance
Properties:
IamInstanceProfile: !Ref IAMS3AWXnstanceProfile
BlockDeviceMappings:
- DeviceName: "/dev/sda1"
Ebs:
VolumeSize: 24
VolumeType: gp2
InstanceType: !Ref InstanceSize
ImageId: ami-0015b9ef68c77328d
KeyName: !Ref KeyPair
Monitoring: true
SecurityGroupIds:
- !Ref AWXSecurityGroup
SubnetId: {'Fn::ImportValue': !Sub '${ParentVPCStack}-PublicSubnet1'}
Tags:
- Key: Name
Value: !Join [ '-', [AWXInstance, !Select [0, !Split ["-", !Select [2, !Split ["/" , !Ref "AWS::StackId"]]]]]]
UserData:
Fn::Base64:
Fn::Sub:
- |
#!/bin/bash
SCRIPT_LOG='/var/log/build.log';
touch $SCRIPT_LOG;
date >> $SCRIPT_LOG
echo "Starting Build Process" >> $SCRIPT_LOG;
date >> $SCRIPT_LOG
echo "Installing packages" >> $SCRIPT_LOG;
yum -y install -y epel-release &>> $SCRIPT_LOG;
yum -y install https://centos7.iuscommunity.org/ius-release.rpm &>> $SCRIPT_LOG;
yum -y install wget.x86_64 nano.x86_64 traceroute.x86_64 bind-utils.x86_64 telnet.x86_64 nmap-ncat.x86_64 nmap.x86_64 mlocate.x86_64 jq.x86_64 rubygems.noarch centos-release-scl unzip.x86_64 git git.x86_64 iperf.x86_64 &>> $SCRIPT_LOG;
yum -y install python36u python36u-devel python36u-pip python34-setuptools &>> $SCRIPT_LOG;
yum install -y awscli.noarch
date >> $SCRIPT_LOG
echo "Finished Installing packages" >> $SCRIPT_LOG;
date >> $SCRIPT_LOG
echo "Install AWS CLI" >> $SCRIPT_LOG;
easy_install-3.4 pip &>> $SCRIPT_LOG;
pip3 install awscli --ignore-installed &>> $SCRIPT_LOG;
mkdir /root/.aws
mkdir /home/centos/.aws
echo "[default]" > /root/.aws/credentials;
echo "aws_access_key_id=" >> /root/.aws/credentials
echo "aws_secret_access_key=" >> /root/.aws/credentials
echo "region=" >> /root/.aws/credentials
echo "[default]" > /home/centos/.aws/credentials;
echo "aws_access_key_id=" >> /home/centos/.aws/credentials
echo "aws_secret_access_key=" >> /home/centos/.aws/credentials
echo "region=" >> /home/centos/.aws/credentials
date >> $SCRIPT_LOG
echo "Finished install AWS CLI" >> $SCRIPT_LOG;
date >> $SCRIPT_LOG
#################################
# s3cfg #
#################################
yum -y install s3cmd.noarch &>> $SCRIPT_LOG;
touch /root/.s3cfg &>> $SCRIPT_LOG;
echo "[default]" >> /root/.s3cfg
echo "access_key = " >> /root/.s3cfg
echo "secret_key = " >> /root/.s3cfg
echo "region = " >> /root/.s3cfg
#################################
# Backup Cron #
#################################
echo "#!/bin/bash" >> /home/centos/backup.sh
echo "# Tar Directories" >> /home/centos/backup.sh
echo "date=\$(date +"%Y%m%d%H%M%S")" >> /home/centos/backup.sh
echo "umask 133" >> /home/centos/backup.sh
echo "mkdir /tmp/jenkins/ /tmp/awx/" >> /home/centos/backup.sh
echo "tar -czvf /tmp/jenkins/jenkins-backup-\$date.tar.gz /var/lib/jenkins/" >> /home/centos/backup.sh
echo "tar -czvf /tmp/awx/awx-backup-\$date.tar.gz /home/centos/pgdocker/pgdata/" >> /home/centos/backup.sh
echo "# Upload to S3" >> /home/centos/backup.sh
echo "s3cmd put /tmp/jenkins/jenkins-backup-* s3://${Bucket}/jenkins-backup/" >> /home/centos/backup.sh
echo "s3cmd put /tmp/awx/awx-backup-* s3://${Bucket}/awx-backup/" >> /home/centos/backup.sh
echo "cd /home/centos/pgdocker" >> /home/centos/backup.sh
echo "tar -czvf awx-latest.tar.gz pgdata/" >> /home/centos/backup.sh
echo "s3cmd put -r /home/centos/pgdocker/awx-latest.tar.gz s3://${Bucket}/awx-backup/latest/" >> /home/centos/backup.sh
echo "rm /home/centos/pgdocker/awx-latest.tar.gz" >> /home/centos/backup.sh
echo "cd /var/lib/" >> /home/centos/backup.sh
echo "tar -czvf jenkins-latest.tar.gz jenkins/" >> /home/centos/backup.sh
echo "s3cmd put -r /var/lib/jenkins-latest.tar.gz s3://${Bucket}/jenkins-backup/latest/" >> /home/centos/backup.sh
echo "rm /var/lib/jenkins-latest.tar.gz" >> /home/centos/backup.sh
echo "# Clean up" >> /home/centos/backup.sh
echo "sudo rm -r /tmp/jenkins/" >> /home/centos/backup.sh
echo "sudo rm -r /tmp/awx/" >> /home/centos/backup.sh
chmod a+x /home/centos/backup.sh
cp /home/centos/backup.sh /etc/cron.daily/backup.sh
#################################
# AWX #
#################################
sudo yum install -y epel-release &>> $SCRIPT_LOG;
yum -y install git gettext ansible docker nodejs npm gcc-c++ bzip2 python-pip &>> $SCRIPT_LOG;
systemctl start docker &>> $SCRIPT_LOG;
systemctl enable docker &>> $SCRIPT_LOG;
setenforce 0 &>> $SCRIPT_LOG;
git clone https://github.com/ansible/awx.git /home/centos/awx &>> $SCRIPT_LOG;
pip install virtualenv &>> $SCRIPT_LOG;
python -m virtualenv /home/centos/awx/installer/awx &>> $SCRIPT_LOG;
source /home/centos/awx/installer/awx/bin/activate &>> $SCRIPT_LOG;
pip install docker-compose &>> $SCRIPT_LOG;
pip install docker &>> $SCRIPT_LOG;
sed -i 's/\/usr\/bin\/env python/\/home\/centos\/awx\/installer\/awx\/bin\/python/g' /home/centos/awx/installer/inventory
sed -i 's/\/tmp\/awxcompose/\/home\/centos\/awxcompose/g' /home/centos/awx/installer/inventory
sed -i 's/\/tmp\/pgdocker/\/home\/centos\/pgdocker/g' /home/centos/awx/installer/inventory
pip install selinux &>> $SCRIPT_LOG;
ansible-playbook -i /home/centos/awx/installer/inventory /home/centos/awx/installer/install.yml &>> $SCRIPT_LOG;
# sleep 600 &>> $SCRIPT_LOG;
echo "source /home/centos/awx/installer/awx/bin/activate " >> /home/centos/awx_recover_db.sh
echo "docker-compose -f /home/centos/awxcompose/docker-compose.yml stop " >> /home/centos/awx_recover_db.sh
echo "sudo rm -r /home/centos/pgdocker/pgdata " >> /home/centos/awx_recover_db.sh
echo "s3cmd get s3://${Bucket}/awx-backup/latest/awx-latest.tar.gz /home/centos/pgdocker/ " >> /home/centos/awx_recover_db.sh
echo "cd /home/centos/pgdocker" >> /home/centos/awx_recover_db.sh
echo "tar -xzvf /home/centos/pgdocker/awx-latest.tar.gz " >> /home/centos/awx_recover_db.sh
echo "sudo rm -r /home/centos/pgdocker/awx-latest.tar.gz " >> /home/centos/awx_recover_db.sh
echo "docker-compose -f /home/centos/awxcompose/docker-compose.yml up -d " >> /home/centos/awx_recover_db.sh
chmod a+x /home/centos/awx_recover_db.sh
##################################
# jenkins #
##################################
sudo yum install -y java-1.8.0-openjdk-devel &>> $SCRIPT_LOG;
curl --silent --location http://pkg.jenkins-ci.org/redhat-stable/jenkins.repo | sudo tee /etc/yum.repos.d/jenkins.repo &>> $SCRIPT_LOG;
sudo rpm --import https://jenkins-ci.org/redhat/jenkins-ci.org.key
sudo yum install -y jenkins &>> $SCRIPT_LOG;
sudo systemctl enable jenkins &>> $SCRIPT_LOG;
sed -i '/JENKINS_USER="jenkins"/c\JENKINS_USER="root"' /etc/sysconfig/jenkins
sudo systemctl start jenkins &>> $SCRIPT_LOG;
echo "sudo rm -r /var/lib/jenkins " >> /home/centos/jenkins_recover_db.sh
echo "s3cmd get s3://${Bucket}/jenkins-backup/latest/jenkins-latest.tar.gz /var/lib/ " >> /home/centos/jenkins_recover_db.sh
echo "cd /var/lib/" >> /home/centos/jenkins_recover_db.sh
echo "tar -xzvf /var/lib/jenkins-latest.tar.gz " >> /home/centos/jenkins_recover_db.sh
echo "sudo rm /var/lib/jenkins-latest.tar.gz " >> /home/centos/jenkins_recover_db.sh
echo "chown -R jenkins:jenkins /var/lib/jenkins/ " >> /home/centos/jenkins_recover_db.sh
echo "find /var/lib/jenkins/jobs -type d \( -name \"last*Build\" -o -name \"lastStable\" -o -name \"lastSuccessful\" \\) -exec mv {} {}.err \\;" >> /home/centos/jenkins_recover_db.sh
echo "sudo systemctl start jenkins " >> /home/centos/jenkins_recover_db.sh
chmod a+x /home/centos/jenkins_recover_db.sh
date >> $SCRIPT_LOG
echo "Finished Build Process" >> $SCRIPT_LOG;
##################################
# Recovery #
##################################
echo "Recovering Jenkins" &>> $SCRIPT_LOG;
/home/centos/jenkins_recover_db.sh &>> $SCRIPT_LOG;
sleep 60
echo "Recovering AWX" &>> $SCRIPT_LOG;
/home/centos/awx_recover_db.sh &>> $SCRIPT_LOG;
sleep 60
##################################
# Backup #
##################################
echo "Setting up Backup Job" &>> $SCRIPT_LOG;
cp /home/centos/backup.sh /etc/cron.daily/backup.sh &>> $SCRIPT_LOG;
date &>> $SCRIPT_LOG;
echo "Done" &>> $SCRIPT_LOG;
- {
Bucket: !Ref AWXBucket
}
# Outputs:
# AWXInstance:
# Description: A reference to the created EC2 Instance
# Value: !Ref AWXInstance
# Export:
# Name: !Sub ${AWS::StackName}-AWXInstance
# AWXSecurityGroup:
# Description: A reference to the created EC2 Instance SG
# Value: !Ref AWXSecurityGroup
# Export:
# Name: !Sub ${AWS::StackName}-AWXSecurityGroup