From c421b154b858ee76ae81ed7ffc2a7072829d6daf Mon Sep 17 00:00:00 2001 From: Yevgeniy Brikman Date: Fri, 24 Aug 2018 12:41:32 +0100 Subject: [PATCH 1/7] Remove AMI list docs --- README.md | 6 +++--- _docs/amazon-linux-ami-list.md | 22 ---------------------- _docs/ubuntu16-ami-list.md | 22 ---------------------- 3 files changed, 3 insertions(+), 47 deletions(-) delete mode 100644 _docs/amazon-linux-ami-list.md delete mode 100644 _docs/ubuntu16-ami-list.md diff --git a/README.md b/README.md index a34f075e..fbe60ad9 100644 --- a/README.md +++ b/README.md @@ -28,9 +28,9 @@ To deploy Consul servers using this Module: Here is an [example Packer template](https://github.com/hashicorp/terraform-aws-consul/tree/master/examples/consul-ami#quick-start). If you are just experimenting with this Module, you may find it more convenient to use one of our official public AMIs: - - [Latest Ubuntu 16 AMIs](https://github.com/hashicorp/terraform-aws-consul/tree/master/_docs/ubuntu16-ami-list.md). - - [Latest Amazon Linux AMIs](https://github.com/hashicorp/terraform-aws-consul/tree/master/_docs/amazon-linux-ami-list.md). - + - **Latest Ubuntu 16 AMIs**: search for AMIs with names starting with `consul-ubuntu-` owned by account ID `562637147889`. + - **Latest Amazon Linux AMIs**: search for AMIs with names starting with `consul-amazon-linux-` owned by account ID `562637147889`. + **WARNING! Do NOT use these AMIs in your production setup. In production, you should build your own AMIs in your own AWS account.** diff --git a/_docs/amazon-linux-ami-list.md b/_docs/amazon-linux-ami-list.md deleted file mode 100644 index a7bc31b6..00000000 --- a/_docs/amazon-linux-ami-list.md +++ /dev/null 
@@ -1,22 +0,0 @@
-# amazon-linux-ami: Latest Public AMIs
-
-**WARNING! Do NOT use these AMIs in a production setting.** They are meant only to make
- initial experiments with this module more convenient.
-
-| AWS Region | AMI ID |
-| ---------- | ------ |
-| ap-south-1 | ami-04238a3b4e34579e4 |
-| eu-west-3 | ami-08f71d5d25b5cf5ab |
-| eu-west-2 | ami-0f27942710a168390 |
-| eu-west-1 | ami-0d78cd8cb29c43b97 |
-| ap-northeast-2 | ami-0dc9fc2dbb4708333 |
-| ap-northeast-1 | ami-059aacbc2062a4c31 |
-| sa-east-1 | ami-00df1a246975ae9ea |
-| ca-central-1 | ami-096d6692ed63e4bf3 |
-| ap-southeast-1 | ami-0c6b7bf1bd28116fc |
-| ap-southeast-2 | ami-0b4b5fcb7fba0b831 |
-| eu-central-1 | ami-081b6375552502391 |
-| us-east-1 | ami-0cefe1c6ca6cb38f6 |
-| us-east-2 | ami-0d3d95eb01b632834 |
-| us-west-1 | ami-0264ee2b29e9013b7 |
-| us-west-2 | ami-041e5f2f7f70258d2 |
diff --git a/_docs/ubuntu16-ami-list.md b/_docs/ubuntu16-ami-list.md
deleted file mode 100644
index 96e1bd23..00000000
--- a/_docs/ubuntu16-ami-list.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# ubuntu16-ami: Latest Public AMIs
-
-**WARNING! Do NOT use these AMIs in a production setting.** They are meant only to make
- initial experiments with this module more convenient.
-
-| AWS Region | AMI ID |
-| ---------- | ------ |
-| ap-south-1 | ami-0816afb9d329f6519 |
-| eu-west-3 | ami-056c0a1d3b4fac990 |
-| eu-west-2 | ami-0f70476d8cb54c314 |
-| eu-west-1 | ami-06bcd55d3dbb30a2e |
-| ap-northeast-2 | ami-09509dc3d47d23ca7 |
-| ap-northeast-1 | ami-0ceea7d2792eac240 |
-| sa-east-1 | ami-041aaace4f751b9e3 |
-| ca-central-1 | ami-069f9b97957901019 |
-| ap-southeast-1 | ami-03d3aca3e97b75b18 |
-| ap-southeast-2 | ami-044a4d59df862bfbe |
-| eu-central-1 | ami-0fa9a66c79de34596 |
-| us-east-1 | ami-085df16e55e2c22d9 |
-| us-east-2 | ami-0d318e905761168c8 |
-| us-west-1 | ami-0405d1682e80f9d9f |
-| us-west-2 | ami-0252817ebd1ff7e64 |
From 4e97f68e0b38fcb186bdf0255169245e52ab0ba3 Mon Sep 17 00:00:00 2001
From: Yevgeniy Brikman Date: Fri, 24 Aug 2018 12:47:37 +0100 Subject: [PATCH 2/7] Use Packer to share AMIs with all regions and accounts --- _ci/publish-amis-in-new-account.md | 26 -------------------- _ci/publish-amis.sh | 39 ++++++------------------------ circle.yml | 8 ------ examples/consul-ami/consul.json | 15 ++++++------ 4 files changed, 16 insertions(+), 72 deletions(-) delete mode 100644 _ci/publish-amis-in-new-account.md diff --git a/_ci/publish-amis-in-new-account.md b/_ci/publish-amis-in-new-account.md deleted file mode 100644 index b57f542b..00000000 --- a/_ci/publish-amis-in-new-account.md +++ /dev/null 
@@ -1,26 +0,0 @@ -# How to Publish AMIs in a New AWS Account - -This readme discusses how to migrate the `publish-amis.sh` script to a new AWS account. - -To make using this Module as easy as possible, we want to automatically build and publish AMIs based on the -[/examples/consul-ami/consul.json](https://github.com/hashicorp/terraform-aws-consul/tree/master/examples/consul-ami/consul.json) Packer template upon every release of this repo. -This way, users can simply git clone this repo and `terraform apply` the [consul-cluster](https://github.com/hashicorp/terraform-aws-consul/tree/master/MAIN.md) -without first having to build their own AMI. Note that the auto-built AMIs are meant mostly for first-time users to -easily try out a Module. In a production setting, many users will want to validate the contents of their AMI by -manually building it in their own account. - -Unfortunately, auto-building AMIs creates a chicken-and-egg problem. How can we run code that automatically finds the -latest AMI until that AMI actually exists? But to build those AMIs, we have to run a build in CircleCI, which also runs -automated tests, which will fail when they cannot find the desired AMI. - -Our solution is that, for the `publish-amis` git branch only, on every commit, we will build and publish AMIs but we will -not run tests. For all other branches, AMIs will only be built upon a new git tag (GitHub release), and tests will be -run on every commit as usual. These settings are configured in the [circle.yml](https://github.com/hashicorp/terraform-aws-consul/tree/master/circle.yml) file. - -In addition to the above, don't forget to update the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment -variables in CircleCI to reflect the new AWS account. - -Finally, note that, on a brand new account, many AWS regions are limited to just 5 EC2 Instances in an Auto Scaling Group, -but the automated tests in this repo create up to 10 EC2 Instances. 
Therefore, automated tests will fail if they run in -a region with too small a limit. To avoid this issue, request an increase in the number of t2-family EC2 Instances -allowed in every AWS region from AWS support. \ No newline at end of file diff --git a/_ci/publish-amis.sh b/_ci/publish-amis.sh index 0a501df2..e5beddc5 100755 --- a/_ci/publish-amis.sh +++ b/_ci/publish-amis.sh @@ -9,11 +9,6 @@ set -e readonly PACKER_TEMPLATE_PATH="/home/ubuntu/$CIRCLE_PROJECT_REPONAME/examples/consul-ami/consul.json" readonly PACKER_TEMPLATE_DEFAULT_REGION="us-east-1" -readonly AMI_PROPERTIES_FILE="/tmp/ami.properties" -readonly AMI_LIST_MARKDOWN_DIR="/home/ubuntu/$CIRCLE_PROJECT_REPONAME/_docs" -readonly GIT_COMMIT_MESSAGE="Add latest AMI IDs." -readonly GIT_USER_NAME="gruntwork-ci" -readonly GIT_USER_EMAIL="ci@gruntwork.io" # In CircleCI, every build populates the branch name in CIRCLE_BRANCH except builds triggered by a new tag, for which # the CIRCLE_BRANCH env var is empty. We assume tags are only issued against the master branch. 
@@ -29,29 +24,11 @@ fi echo "Checking out branch $BRANCH_NAME to make sure we do all work in a branch and not in detached HEAD state" git checkout "$BRANCH_NAME" -# Build the example AMI. WARNING! In a production setting, you should build your own AMI to ensure it has exactly the -# configuration you want. We build this example AMI solely to make initial use of this Module as easy as possible. -build-packer-artifact \ - --packer-template-path "$PACKER_TEMPLATE_PATH" \ - --build-name "$PACKER_BUILD_NAME" \ - --output-properties-file "$AMI_PROPERTIES_FILE" - -# Copy the AMI to all regions and make it public in each -source "$AMI_PROPERTIES_FILE" -publish-ami \ - --all-regions \ - --source-ami-id "$ARTIFACT_ID" \ - --source-ami-region "$PACKER_TEMPLATE_DEFAULT_REGION" \ - --output-markdown > "$AMI_LIST_MARKDOWN_DIR/$PACKER_BUILD_NAME-list.md" \ - --markdown-title-text "$PACKER_BUILD_NAME: Latest Public AMIs" \ - --markdown-description-text "**WARNING! Do NOT use these AMIs in a production setting.** They are meant only to make - initial experiments with this module more convenient." - -# Git add, commit, and push the newly created AMI IDs as a markdown doc to the repo -git-add-commit-push \ - --path "$AMI_LIST_MARKDOWN_DIR/$PACKER_BUILD_NAME-list.md" \ - --message "$GIT_COMMIT_MESSAGE" \ - --user-name "$GIT_USER_NAME" \ - --user-email "$GIT_USER_EMAIL" \ - --git-push-behavior "current" \ - --branch-name "$BRANCH_NAME" +regions_response=$(aws ec2 describe-regions --region "$PACKER_TEMPLATE_DEFAULT_REGION") +all_aws_regions=$(echo "$regions_response" | jq -r '.Regions | map(.RegionName) | join(",")') + +packer build \ + --only="$PACKER_BUILD_NAME" \ + -var copy_ami_to_regions="$all_aws_regions" \ + -var share_ami_with_groups="all" \ + "$PACKER_TEMPLATE_PATH" diff --git a/circle.yml b/circle.yml index 73bf7ae5..8f0a3793 100644 --- a/circle.yml +++ b/circle.yml 
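Review bot: `-var share_ami_with_groups="all"` makes every image this script builds launchable by any AWS account in every region returned by `describe-regions`, and nothing in the added lines records that or checks what was baked into the image. The removed block carried a comment saying these are example AMIs only; I would keep an equivalent above the `packer build` call, for instance `# Publishes a PUBLIC AMI to all regions: the image must not contain credentials, SSH keys or other build-time secrets.` A smaller point on the same lines: if the `jq` expression yields an empty string the build still succeeds with the AMI in a single region, so a guard such as `[[ -n "$all_aws_regions" ]] || { echo "No regions found" >&2; exit 1; }` before the build would surface that. The script's opening lines, including `set -e`, are outside this hunk.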
@@ -28,12 +28,4 @@ deployment: commands: # If a new release is tagged in GitHub, build the AMIs and publish them to all regions. - ~/$CIRCLE_PROJECT_REPONAME/_ci/publish-amis.sh "ubuntu16-ami" - - ~/$CIRCLE_PROJECT_REPONAME/_ci/publish-amis.sh "amazon-linux-ami" - - branch: publish-amis - commands: - # We generally only want to build AMIs on new releases, but when we are setting up AMIs in a new account for the - # first time, we want to build the AMIs but NOT run automated tests, since those tests will fail without an existing - # AMI already in the AWS Account. - - ~/$CIRCLE_PROJECT_REPONAME/_ci/publish-amis.sh "ubuntu16-ami" - ~/$CIRCLE_PROJECT_REPONAME/_ci/publish-amis.sh "amazon-linux-ami" \ No newline at end of file diff --git a/examples/consul-ami/consul.json b/examples/consul-ami/consul.json index d5b7db57..ad357aa9 100644 --- a/examples/consul-ami/consul.json +++ b/examples/consul-ami/consul.json @@ -2,8 +2,9 @@ "min_packer_version": "0.12.0", "variables": { "aws_region": "us-east-1", - "consul_version": "1.2.2", - "download_url": "" + "consul_version": "1.0.0", + "copy_ami_to_regions": "", + "share_ami_with_groups": "" }, "builders": [{ "name": "ubuntu16-ami", @@ -11,6 +12,8 @@ "ami_description": "An Ubuntu 16.04 AMI that has Consul installed.", "instance_type": "t2.micro", "region": "{{user `aws_region`}}", + "ami_regions": "{{user `copy_ami_to_regions`}}", + "ami_groups": "{{user `share_ami_with_groups`}}", "type": "amazon-ebs", "source_ami_filter": { "filters": { @@ -30,6 +33,8 @@ "ami_description": "An Amazon Linux AMI that has Consul installed.", "instance_type": "t2.micro", "region": "{{user `aws_region`}}", + "ami_regions": "{{user `copy_ami_to_regions`}}", + "ami_groups": "{{user `share_ami_with_groups`}}", "type": "amazon-ebs", "source_ami_filter": { "filters": { 
@@ -51,11 +56,7 @@ },{ "type": "shell", "inline": [ - "if [[ -n '{{user `download_url`}}' ]]; then", - " /tmp/terraform-aws-consul/modules/install-consul/install-consul --download-url {{user `download_url`}};", - "else", - " /tmp/terraform-aws-consul/modules/install-consul/install-consul --version {{user `consul_version`}};", - "fi", + "/tmp/terraform-aws-consul/modules/install-consul/install-consul --version {{user `consul_version`}}", "/tmp/terraform-aws-consul/modules/install-dnsmasq/install-dnsmasq" ], "pause_before": "30s" From c1cf12c37ccb6363f066f7528e5f32ea6370c2a8 Mon Sep 17 00:00:00 2001 From: Yevgeniy Brikman Date: Fri, 24 Aug 2018 12:54:43 +0100 Subject: [PATCH 3/7] Fix script params --- _ci/publish-amis.sh | 25 +++++++++---------------- circle.yml | 4 ++-- 2 files changed, 11 insertions(+), 18 deletions(-) diff --git a/_ci/publish-amis.sh b/_ci/publish-amis.sh index e5beddc5..7d97196e 100755 --- a/_ci/publish-amis.sh +++ b/_ci/publish-amis.sh 
@@ -7,28 +7,21 @@ set -e -readonly PACKER_TEMPLATE_PATH="/home/ubuntu/$CIRCLE_PROJECT_REPONAME/examples/consul-ami/consul.json" -readonly PACKER_TEMPLATE_DEFAULT_REGION="us-east-1" - -# In CircleCI, every build populates the branch name in CIRCLE_BRANCH except builds triggered by a new tag, for which -# the CIRCLE_BRANCH env var is empty. We assume tags are only issued against the master branch. -readonly BRANCH_NAME="${CIRCLE_BRANCH:-master}" - -readonly PACKER_BUILD_NAME="$1" - -if [[ -z "$PACKER_BUILD_NAME" ]]; then - echo "ERROR: You must pass in the Packer build name as the first argument to this function." +if [[ "$#" -ne 2 ]]; then + echo "Usage: publish-amis.sh PACKER_TEMPLATE_PATH BUILDER_NAME" exit 1 fi -echo "Checking out branch $BRANCH_NAME to make sure we do all work in a branch and not in detached HEAD state" -git checkout "$BRANCH_NAME" +readonly packer_template_path="$1" +readonly builder_name="$2" -regions_response=$(aws ec2 describe-regions --region "$PACKER_TEMPLATE_DEFAULT_REGION") +regions_response=$(aws ec2 describe-regions --region "us-east-1") all_aws_regions=$(echo "$regions_response" | jq -r '.Regions | map(.RegionName) | join(",")') +echo "Building Packer template $packer_template_path (builder: $builder_name) and sharing it with all AWS accounts in the following regions: $all_aws_regions" + packer build \ - --only="$PACKER_BUILD_NAME" \ + --only="$builder_name" \ -var copy_ami_to_regions="$all_aws_regions" \ -var share_ami_with_groups="all" \ - "$PACKER_TEMPLATE_PATH" + "$packer_template_path" diff --git a/circle.yml b/circle.yml index 8f0a3793..f996cf3e 100644 --- a/circle.yml +++ b/circle.yml 
@@ -27,5 +27,5 @@ deployment: tag: /v.*/ commands: # If a new release is tagged in GitHub, build the AMIs and publish them to all regions. - - ~/$CIRCLE_PROJECT_REPONAME/_ci/publish-amis.sh "ubuntu16-ami" - - ~/$CIRCLE_PROJECT_REPONAME/_ci/publish-amis.sh "amazon-linux-ami" \ No newline at end of file + - ~/$CIRCLE_PROJECT_REPONAME/_ci/publish-amis.sh "/home/ubuntu/$CIRCLE_PROJECT_REPONAME/examples/consul-ami/consul.json" "ubuntu16-ami" + - ~/$CIRCLE_PROJECT_REPONAME/_ci/publish-amis.sh "/home/ubuntu/$CIRCLE_PROJECT_REPONAME/examples/consul-ami/consul.json" "amazon-linux-ami" \ No newline at end of file From 2f3a49e5b43d7221c0aeb7380e730ae259cade23 Mon Sep 17 00:00:00 2001 From: Yevgeniy Brikman Date: Fri, 24 Aug 2018 13:20:00 +0100 Subject: [PATCH 4/7] Increase packer retries --- _ci/publish-amis.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/_ci/publish-amis.sh b/_ci/publish-amis.sh index 7d97196e..8106897d 100755 --- a/_ci/publish-amis.sh +++ b/_ci/publish-amis.sh @@ -20,6 +20,11 @@ all_aws_regions=$(echo "$regions_response" | jq -r '.Regions | map(.RegionName) echo "Building Packer template $packer_template_path (builder: $builder_name) and sharing it with all AWS accounts in the following regions: $all_aws_regions" +# Copying AMIs to many regions can take longer than Packer's default wait timeouts, so we increase them here per +# https://github.com/hashicorp/packer/issues/6536 +export AWS_MAX_ATTEMPTS=240 +export AWS_POLL_DELAY_SECONDS=15 + packer build \ --only="$builder_name" \ -var copy_ami_to_regions="$all_aws_regions" \ From e75ddd20fe96da199fde13c9f0d89ffc6c19b7f7 Mon Sep 17 00:00:00 2001 From: Yevgeniy Brikman Date: Fri, 24 Aug 2018 14:29:14 +0100 Subject: [PATCH 5/7] Configure credentials for AMI account --- _ci/publish-amis.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/_ci/publish-amis.sh b/_ci/publish-amis.sh index 8106897d..56bf462c 100755 --- a/_ci/publish-amis.sh +++ b/_ci/publish-amis.sh 
@@ -12,6 +12,11 @@ if [[ "$#" -ne 2 ]]; then exit 1 fi +if [[ -z "$PUBLISH_AMI_AWS_ACCESS_KEY_ID" || -z "$PUBLISH_AMI_AWS_SECRET_ACCESS_KEY" ]]; then + echo "The PUBLISH_AMI_AWS_ACCESS_KEY_ID and PUBLISH_AMI_AWS_SECRET_ACCESS_KEY environment variables must be set to the AWS credentials to use to publish the AMIs." + exit 1 +fi + readonly packer_template_path="$1" readonly builder_name="$2" @@ -25,6 +30,10 @@ echo "Building Packer template $packer_template_path (builder: $builder_name) an export AWS_MAX_ATTEMPTS=240 export AWS_POLL_DELAY_SECONDS=15 +# We publish the AMIs to a different AWS account, so set those credentials +export AWS_ACCESS_KEY_ID="$PUBLISH_AMI_AWS_ACCESS_KEY_ID" +export AWS_SECRET_ACCESS_KEY="$PUBLISH_AMI_AWS_SECRET_ACCESS_KEY" + packer build \ --only="$builder_name" \ -var copy_ami_to_regions="$all_aws_regions" \ From 6b813fb3a9d6cc6ff2ffad87ab0f8e622c992198 Mon Sep 17 00:00:00 2001 From: Yevgeniy Brikman Date: Fri, 24 Aug 2018 14:55:51 +0100 Subject: [PATCH 6/7] Put back download_url functionality --- examples/consul-ami/consul.json | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/examples/consul-ami/consul.json b/examples/consul-ami/consul.json index ad357aa9..d877dd0e 100644 --- a/examples/consul-ami/consul.json +++ b/examples/consul-ami/consul.json @@ -4,7 +4,8 @@ "aws_region": "us-east-1", "consul_version": "1.0.0", "copy_ami_to_regions": "", - "share_ami_with_groups": "" + "share_ami_with_groups": "", + "download_url": "" }, "builders": [{ "name": "ubuntu16-ami", 
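Review bot: The two `export AWS_...` lines in the second hunk sit just above `packer build`, so the `aws ec2 describe-regions` call earlier in the script (outside this hunk) still runs with the CI job's default credentials rather than the publish account's. The region list is then computed under one identity and used to copy AMIs under another; if the two accounts do not have the same set of regions enabled, the copy step can fail or miss regions. Moving the exports above the `regions_response=$(...)` line keeps both calls on the same account. Because these are long-lived static keys used to publish public images, a comment next to the check in the first hunk would help, e.g. `# PUBLISH_AMI_* should belong to an IAM user limited to the EC2 permissions Packer needs`.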
@@ -56,7 +57,11 @@ },{ "type": "shell", "inline": [ - "/tmp/terraform-aws-consul/modules/install-consul/install-consul --version {{user `consul_version`}}", + "if [[ -n '{{user `download_url`}}' ]]; then", + " /tmp/terraform-aws-consul/modules/install-consul/install-consul --download-url {{user `download_url`}};", + "else", + " /tmp/terraform-aws-consul/modules/install-consul/install-consul --version {{user `consul_version`}};", + "fi", "/tmp/terraform-aws-consul/modules/install-dnsmasq/install-dnsmasq" ], "pause_before": "30s" From b9497f321f02a6be51513233aa5e9e7667ea266a Mon Sep 17 00:00:00 2001 From: Yevgeniy Brikman Date: Fri, 24 Aug 2018 15:26:28 +0100 Subject: [PATCH 7/7] Fix Consul default version --- examples/consul-ami/consul.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/consul-ami/consul.json b/examples/consul-ami/consul.json index d877dd0e..d9a5877b 100644 --- a/examples/consul-ami/consul.json +++ b/examples/consul-ami/consul.json @@ -2,7 +2,7 @@ "min_packer_version": "0.12.0", "variables": { "aws_region": "us-east-1", - "consul_version": "1.0.0", + "consul_version": "1.2.2", "copy_ami_to_regions": "", "share_ami_with_groups": "", "download_url": ""
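Review bot: In the restored `inline` block the URL reaches the installer unquoted (the `--download-url {{user ...}};` line), so a value containing `&`, `;` or whitespace is split or interpreted by the shell on the build instance; wrapping the argument in single quotes, as the `-n` test on the line above already does, avoids that. The `[[ -n ... ]]` test is also a bash construct: Packer's shell provisioner runs inline scripts under `/bin/sh -e` unless `inline_shebang` is set, and no such setting is visible in this hunk, so on the Ubuntu builder (where `/bin/sh` is normally dash) the test would fail and the `else` branch would quietly install `consul_version` instead. Using `[ -n '...' ]` or setting a bash shebang on the provisioner removes that dependency. Whether `install-consul` verifies a checksum for a custom URL is not visible here and is worth confirming, given that the resulting image is shared publicly.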