Successfully deploy to production

2020-12-26 11:28:51 -08:00 · 2020-12-26 11:28:51 -08:00 · 2b13f8d8bf
parent f521eda40e
commit 2b13f8d8bf
6 changed files with 82 additions and 34 deletions
--- a/packer/provision.bash
+++ b/packer/provision.bash
@ -20,8 +20,6 @@ EOF
 sudo -E apt-get update
 sudo -E apt-get install -y docker-ce docker-ce-cli containerd.io whois

-sudo sed -i "s#DOCKER_REPO_BASE_REPLACED_BY_PACKER#${DOCKER_REPO_BASE}#" /tmp/riju-deploy
-
 sudo chown root:root /tmp/riju /tmp/riju-deploy /tmp/riju.service
 sudo mv /tmp/riju /tmp/riju-deploy /usr/local/bin/
 sudo mv /tmp/riju.service /etc/systemd/system/
@ -51,7 +49,7 @@ for user in admin deploy; do
    sudo chmod -R go-rwx "/home/${user}/.ssh"
 done

-sudo runuser -u deploy -- sed -i 's/^/command="sudo riju-deploy",restrict/' /home/deploy/.ssh/authorized_keys
+sudo runuser -u deploy -- sed -i 's/^/command="sudo riju-deploy ${SSH_ORIGINAL_COMMAND}",restrict /' /home/deploy/.ssh/authorized_keys

 sudo tee /etc/sudoers.d/riju >/dev/null <<"EOF"
 deploy ALL=(root) NOPASSWD: /usr/local/bin/riju-deploy
--- a/packer/riju
+++ b/packer/riju
@ -2,7 +2,7 @@

 set -euo pipefail

-domain="$(ls /etc/letsencrypt/live | grep -v README | head -n1)"
+domain="$(ls /etc/letsencrypt/live | grep -v README | head -n1)" || true

 if [[ -n "${domain}" ]]; then
    echo "Detected cert for domain: ${domain}, enabling TLS" >&2
@ -33,4 +33,4 @@ port_args="${PORT_MAPPING:--p 0.0.0.0:80:6119 -p 0.0.0.0:443:6120}"
 docker run --rm ${port_args} ${extra_args} \
       -e TLS -e TLS_PRIVATE_KEY -e TLS_CERTIFICATE -e ANALYTICS \
       -h riju --name "${CONTAINER_NAME:-riju-prod}" \
-       "${IMAGE_NAME}:-riju:app"
+       "${IMAGE_NAME:-riju:app}"
--- a/packer/riju-deploy
+++ b/packer/riju-deploy
@ -2,21 +2,12 @@

 set -euo pipefail

-DOCKER_REPO_BASE="${DOCKER_REPO_BASE:-DOCKER_REPO_BASE_REPLACED_BY_PACKER}"
-
 if (( $# != 1 )); then
-    echo "usage: ssh deploy@riju COMMIT-SHA" >&2
+    echo "usage: ssh deploy@riju IMAGE" >&2
    exit 1
 fi

-commit="$1"
-
-if [[ "$(echo -n "${commit}" | wc -c)" != 40 ]]; then
-    echo "riju-deploy: invalid commit SHA: ${commit}" >&2
-    exit 1
-fi
-
-image="${DOCKER_REPO_BASE}:app-${commit}"
+image="$1"

 echo "Pull image to be deployed..."
 docker pull "${image}"
@ -26,7 +17,7 @@ CONTAINER_NAME=riju-test IMAGE_NAME="${image}" DETACH=1 \
              PORT_MAPPING="-p 127.0.0.1:6119:6119" riju

 echo "Wait for web server to come up..." >&2
-sleep 10
+sleep 5

 echo "Test web server health..." >&2
 curl -fsSL http://localhost:6119 | head -n15
--- a/packer/server.json
+++ b/packer/server.json
@ -1,6 +1,5 @@
 {
  "variables": {
-    "docker_repo_base": "{{env `DOCKER_REPO_BASE`}}",
    "admin_password": "{{env `ADMIN_PASSWORD`}}",
    "admin_ssh_public_key_file": "{{env `ADMIN_SSH_PUBLIC_KEY_FILE`}}",
    "deploy_ssh_public_key_file": "{{env `DEPLOY_SSH_PUBLIC_KEY_FILE`}}"
@ -27,7 +26,6 @@
      "type": "shell",
      "script": "validate.bash",
      "environment_vars": [
-        "DOCKER_REPO_BASE={{user `docker_repo_base`}}",
        "ADMIN_PASSWORD={{user `admin_password`}}",
        "ADMIN_SSH_PUBLIC_KEY_FILE={{user `admin_ssh_public_key_file`}}",
        "DEPLOY_SSH_PUBLIC_KEY_FILE={{user `deploy_ssh_public_key_file`}}"
@ -61,10 +59,7 @@
    {
      "type": "shell",
      "script": "provision.bash",
-      "environment_vars": [
-        "DOCKER_REPO_BASE={{user `docker_repo_base`}}",
-        "ADMIN_PASSWORD={{user `admin_password`}}"
-      ]
+      "environment_vars": ["ADMIN_PASSWORD={{user `admin_password`}}"]
    }
  ]
 }
--- a/tf/.terraform.lock.hcl
+++ b/tf/.terraform.lock.hcl
@ -20,3 +20,20 @@ provider "registry.terraform.io/hashicorp/aws" {
    "zh:f6c05e20d9a3fba76ca5f47206dde35e5b43b6821c6cbf57186164ce27ba9f15",
  ]
 }
+
+provider "registry.terraform.io/hashicorp/external" {
+  version = "2.0.0"
+  hashes = [
+    "h1:Q5xqryWI3tCY8yr+fugq7dz4Qz+8g4GaW9ZS8dc6Ob8=",
+    "zh:07949780dd6a1d43e7b46950f6e6976581d9724102cb5388d3411a1b6f476bde",
+    "zh:0a4f4636ff93f0644affa8474465dd8c9252946437ad025b28fc9f6603534a24",
+    "zh:0dd7e05a974c649950d1a21d7015d3753324ae52ebdd1744b144bc409ca4b3e8",
+    "zh:2b881032b9aa9d227ac712f614056d050bcdcc67df0dc79e2b2cb76a197059ad",
+    "zh:38feb4787b4570335459ca75a55389df1a7570bdca8cdf5df4c2876afe3c14b4",
+    "zh:40f7e0aaef3b1f4c2ca2bb1189e3fe9af8c296da129423986d1d99ccc8cfb86c",
+    "zh:56b361f64f0f0df5c4f958ae2f0e6f8ba192f35b720b9d3ae1be068fabcf73d9",
+    "zh:5fadb5880cd31c2105f635ded92b9b16f918c1dd989627a4ce62c04939223909",
+    "zh:61fa0be9c14c8c4109cfb7be8d54a80c56d35dbae49d3231cddb59831e7e5a4d",
+    "zh:853774bf97fbc4a784d5af5a4ca0090848430781ae6cfc586adeb48f7c44af79",
+  ]
+}
--- a/tf/infra.tf
+++ b/tf/infra.tf
@ -1,9 +1,8 @@
 terraform {
-  backend "remote" {
-    organization = "riju"
-    workspaces {
-      name = "riju"
-    }
+  backend "s3" {
+    bucket = "riju-tf"
+    key    = "state"
+    region = "us-west-1"
  }
  required_providers {
    aws = {
@ -24,8 +23,7 @@ data "external" "env" {
 }

 provider "aws" {
-  profile = "default"
-  region  = "us-west-1"
+  region = "us-west-1"
 }

 data "aws_region" "current" {}
@ -36,14 +34,63 @@ resource "aws_s3_bucket" "riju_debs" {
  tags   = local.tags
 }

+data "aws_ami" "server" {
+  owners = ["self"]
+
+  filter {
+    name   = "name"
+    values = [data.external.env.result.AMI_NAME]
+  }
+}
+
+resource "aws_security_group" "server" {
+  name        = "riju-server"
+  description = "Security group for Riju server"
+
+  ingress {
+    description = "SSH"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "HTTP"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "HTTPS"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = local.tags
+}
+
 resource "aws_instance" "server" {
-  instance_type = "t3.micro"
-  ami           = data.external.env.result.AMI_ID
-  tags          = local.tags
+  instance_type     = "t3.micro"
+  ami               = data.aws_ami.server.id
+  availability_zone = "${data.aws_region.current.name}b"
+  security_groups   = [aws_security_group.server.name]
+  tags              = local.tags
 }

 resource "aws_ebs_volume" "data" {
-  availability_zone = "${data.aws_region.current.name}a"
+  availability_zone = "${data.aws_region.current.name}b"
  size              = 100
  tags              = local.tags
 }