Lab 3
February 12, 2018 · View on GitHub
End-to-end Infrastructure as Code
In this lab we will automate deployment, migrate the database to AWS RDS, and integrate logging.
Automate Deployment with Restacker
Use Restacker to deploy the template developed in lab 2.
- Download and install Restacker.
git clone https://github.com/devsecops/restacker.git
cd restacker/source
gem install bundler
bundle install
gem build restacker.gemspec
gem install restacker-0.0.11.gem
rbenv init -
- Use Restacker to open the AWS console.
Log out of the AWS console if you are logged in, then run restacker console -l myapp -u $AWS_STUDENT_ID -c dso. If this fails, ensure Restacker is configured as described in the next step.
- Ensure that the Restacker configuration matches the information provided by the instructor.
E.g.,
$ cat ~/.restacker/restacker.yml
:myapp:
  :region: us-west-2
  :master:
    :label: control
    :account_number: '100352119871'
    :role_name: CTL-my-app-DeploymentAdmin
    :role_prefix: "/dso/ctrl/my-app/"
  :target:
    :label: target
    :account_number: '717986480831'
    :role_name: TGT-dso-DeploymentAdmin
    :role_prefix: "/human/dso/"
- Use Restacker to list all current stacks.
$ restacker list -l myapp -u student1 -c dso
Were you prompted for MFA? Do you know why? Look under ~/.restacker/.
- Export the template configuration.
Restacker expects parameters to be passed in. Use restacker dump to write the default parameters to a file, then modify the values to match the parameter values you have been passing into the CloudFormation console.
$ restacker dump -t mytemplate.json > parameters.json
The resulting parameters file should look something like parameters.json.
- Add the parameters Restacker requires to your CloudFormation template.
Add StackCreator and TimeStamp as new parameters of type String to your CloudFormation template.
- Deploy your stack using Restacker.
$ restacker deploy -t mytemplate.json -P parameters.json -c dso -l myapp -n $AWS_STUDENT_ID -u $AWS_STUDENT_ID
Integrate RDS
- Use Restacker to delete the previous stack.
E.g.,
$ restacker remove -n student1-20160622-2349 -l myapp -c dso -u student1
- Change RAILS_ENV to use rds instead of mysql.
From:
"echo \"export RAILS_ENV=mysql\" >> .bash_profile\n",
To:
"echo \"export RAILS_ENV=rds\" >> .bash_profile\n",
- Add functionality to the CloudFormation template to make use of RDS.
Add the RDS configuration to config/database.yml before RailsGoat is started (by bundle exec rails server).
You can do this by adding the lines below before ...bundle exec rake db:setup... in the UserData subsection of the WebServerInstance launch configuration resource.
"cd railsgoat\n",
"cat <<EOF>> config/database.yml\n",
"rds:\n",
" adapter: mysql2\n",
" database: railsgoatdb\n",
" pool: 5\n",
" timeout: 5000\n",
" host: railsgoatdb.cfkyvk9ybkal.us-west-2.rds.amazonaws.com\n",
" username: railsgoat\n",
" password: dsogoat1\n",
"EOF\n",
- Deploy your stack using Restacker.
E.g.,
$ restacker deploy -t mytemplate.json -P parameters.json -c dso -l myapp -n $AWS_STUDENT_ID -u $AWS_STUDENT_ID
Integrate Logging
For posterity, integrate logging into the CloudFormation template.
- Add a section in the UserData subsection of the WebServerInstance launch configuration resource to install Splunk.
"ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime\n",
"yum -y install wget\n",
"cd /opt\n",
"wget -O splunkforwarder-6.4.1-debde650d26e-linux-2.6-x86_64.rpm 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=6.4.1&product=universalforwarder&filename=splunkforwarder-6.4.1-debde650d26e-linux-2.6-x86_64.rpm&wget=true'\n",
"rpm -ivh splunkforwarder-6.4.1-debde650d26e-linux-2.6-x86_64.rpm\n",
- Add a section in the UserData subsection of the WebServerInstance launch configuration resource to configure Splunk.
Configure outputs:
"echo \"[tcpout]\n",
"defaultGroup = dso-autolb-group\n",
"\n",
"[tcpout:dso-autolb-group]\n",
"disabled = false\n",
"dropEventsOnQueueFull = 10\n",
"server = appliance:9997\n",
"sslCertPath = \\$SPLUNK_HOME/etc/auth/server.pem\n",
"sslPassword = password\n",
"sslRootCAPath = \\$SPLUNK_HOME/etc/auth/cacert.pem\n",
"sslVerifyServerCert = false\n",
"useACK = false\" >> /opt/splunkforwarder/etc/system/local/outputs.conf\n",
Configure inputs:
"echo \"[default]\n",
"host = \\$decideOnStartup\n",
"\n",
"[monitor:///home/ec2-user/railsgoat/log/]\n",
"recursive=true\n",
"\n",
"[monitor:///var/log/]\n",
"recursive=true\" >> /opt/splunkforwarder/etc/system/local/inputs.conf\n",
Start Splunk:
"/opt/splunkforwarder/bin/splunk start --accept-license\n",
"/opt/splunkforwarder/bin/splunk start\n"
- Use Restacker to delete the previous stack.
E.g.,
$ restacker remove -n student1-20160622-2349 -l myapp -c dso -u student1
- Deploy your stack using Restacker.
E.g.,
$ restacker deploy -t mytemplate.json -P parameters.json -c dso -l myapp -n $AWS_STUDENT_ID -u $AWS_STUDENT_ID
** The resulting template should look something like lab-3.json.
Challenge
How would you make this template even better?
Suggestions:
- Remove hardcoded secrets from UserData
- Remove other hardcoded values from UserData
- Remove Bash code from user data and make it a retrievable script that can be maintained separately
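As an added example (not code from the lab or from the Restacker project), the script below builds a constructed miniature of the WebServerInstance UserData in two forms: the lab's shape, with the database.yml password, the Splunk sslPassword and sslVerifyServerCert = false inline, and a hardened form that takes both secrets from NoEcho parameters and turns certificate verification on. It then renders the Fn::Join into the shell text the instance will actually run and audits it for literal secrets, secret parameters referenced without NoEcho, and a forwarder with server certificate verification switched off. It covers the database.yml step, the Splunk outputs step and the first two challenge suggestions. The RailsGoatDB resource and the DBPassword / SplunkSslPassword parameter names are assumptions, not names the lab defines.

```python
"""Audit a CloudFormation template's UserData before deploying it with Restacker.

Added example, not code from the lab or the Restacker project. The template
below is a constructed miniature of the lab's WebServerInstance UserData; the
RailsGoatDB resource and the DBPassword / SplunkSslPassword parameters are
assumed names, not something the lab defines.
"""
import re

SECRET_KEY = re.compile(r"(password|secret|token|access_key)\s*[:=]\s*(\S+)", re.I)
SECRET_NAME = re.compile(r"password|secret|token", re.I)


def make_template(db_password, ssl_password, verify_server_cert, parameters):
    """Build the template; db_password / ssl_password are literal strings or
    intrinsics such as {"Ref": "DBPassword"} that CloudFormation inlines
    before bash ever sees the script."""
    user_data = [
        "#!/bin/bash\n",
        "cd /home/ec2-user/railsgoat\n",
        # Quoted heredoc: bash expands nothing, so no backslash escaping is needed.
        "cat <<'EOF' >> config/database.yml\n",
        "rds:\n",
        "  adapter: mysql2\n",
        "  database: railsgoatdb\n",
        "  host: ", {"Fn::GetAtt": ["RailsGoatDB", "Endpoint.Address"]}, "\n",
        "  username: railsgoat\n",
        "  password: ", db_password, "\n",
        "EOF\n",
        "cat <<'EOF' > /opt/splunkforwarder/etc/system/local/outputs.conf\n",
        "[tcpout:dso-autolb-group]\n",
        "server = appliance:9997\n",
        "sslCertPath = $SPLUNK_HOME/etc/auth/server.pem\n",
        "sslPassword = ", ssl_password, "\n",
        "sslVerifyServerCert = ", "true" if verify_server_cert else "false", "\n",
        "EOF\n",
    ]
    return {"Parameters": parameters,
            "Resources": {"WebServerInstance": {
                "Type": "AWS::AutoScaling::LaunchConfiguration",
                "Properties": {"UserData": {"Fn::Base64": {"Fn::Join": ["", user_data]}}}}}}


# Before: the lab's shape, with the secrets and a no-verify TLS setting inline.
INSECURE = make_template("dsogoat1", "password", False, {})
# After: secrets arrive at deploy time as NoEcho parameters and the forwarder
# verifies the indexer certificate.
HARDENED = make_template({"Ref": "DBPassword"}, {"Ref": "SplunkSslPassword"}, True,
                         {"DBPassword": {"Type": "String", "NoEcho": True},
                          "SplunkSslPassword": {"Type": "String", "NoEcho": True}})


def render(node, refs):
    """Flatten Fn::Base64/Fn::Join into the shell text the instance will run.
    Ref and Fn::GetAtt become ${...} placeholders (no stack is resolved);
    each Ref name is recorded in `refs`."""
    if isinstance(node, str):
        return node
    if isinstance(node, dict) and len(node) == 1:
        (key, val), = node.items()
        if key == "Fn::Base64":
            return render(val, refs)
        if key == "Fn::Join":
            delim, parts = val
            return delim.join(render(p, refs) for p in parts)
        if key == "Ref":
            refs.add(val)
            return "${" + val + "}"
        if key == "Fn::GetAtt":
            return "${" + ".".join(val) + "}"
    raise ValueError(f"unsupported UserData node: {node!r}")


def audit(template):
    """Return (resource, finding) pairs: literal secrets in the rendered
    UserData, secret-looking parameters used without NoEcho, and a forwarder
    that skips server certificate verification."""
    findings = []
    for name, res in template["Resources"].items():
        user_data = res.get("Properties", {}).get("UserData")
        if user_data is None:
            continue
        refs = set()
        script = render(user_data, refs)
        for lineno, line in enumerate(script.splitlines(), 1):
            m = SECRET_KEY.search(line)
            if m and not m.group(2).startswith("${"):
                findings.append((name, f"line {lineno}: literal value for {m.group(1)}"))
            if re.fullmatch(r"sslVerifyServerCert\s*=\s*false", line.strip(), re.I):
                findings.append((name, f"line {lineno}: sslVerifyServerCert = false"))
        for ref in sorted(refs):
            if SECRET_NAME.search(ref) and not template["Parameters"].get(ref, {}).get("NoEcho"):
                findings.append((name, f"parameter {ref} referenced without NoEcho"))
    return findings


if __name__ == "__main__":
    for label, tpl in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(label, audit(tpl) or "no findings")
```

Run it as a script to see the findings for each form, and point audit() at your real template before restacker deploy. Two things the lab's echo lines hide: with a quoted heredoc (<<'EOF') bash expands nothing, so $SPLUNK_HOME and $decideOnStartup reach the config files literally without any backslash escaping, and CloudFormation substitutes Ref values before bash runs, so parameters still work inside that heredoc. NoEcho only keeps the value out of the console and describe-stacks output; the value still lands in the instance's user data, so the third challenge suggestion, a separately maintained script that fetches the secret at boot, is the fuller fix.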