-
Notifications
You must be signed in to change notification settings - Fork 13
/
Copy pathcockroach_insecure_cluster.aws
99 lines (78 loc) · 5.96 KB
/
cockroach_insecure_cluster.aws
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# Create a new VPC open to Internet to host the subnets
vpc = create vpc cidr=10.0.0.0/16 name=cockroachdb-vpc
gateway = create internetgateway
attach internetgateway id=$gateway vpc=$vpc
# Create a route table for this network and enabling routing from the Internet
rtable = create routetable vpc=$vpc
create route cidr=0.0.0.0/0 gateway=$gateway table=$rtable
# Create 3 public subnets (multi AZ)
pubsubnet1 = create subnet cidr=10.0.128.0/20 vpc=$vpc name=cockroachdb-pubsubnet-1 availabilityzone={availabilityzone.1}
update subnet id=$pubsubnet1 public=true
pubsubnet2 = create subnet cidr=10.0.144.0/20 vpc=$vpc name=cockroachdb-pubsubnet-2 availabilityzone={availabilityzone.2}
update subnet id=$pubsubnet2 public=true
pubsubnet3 = create subnet cidr=10.0.160.0/20 vpc=$vpc name=cockroachdb-pubsubnet-3 availabilityzone={availabilityzone.3}
update subnet id=$pubsubnet3 public=true
# Make the public subnets open to the Internet
attach routetable id=$rtable subnet=$pubsubnet1
attach routetable id=$rtable subnet=$pubsubnet2
attach routetable id=$rtable subnet=$pubsubnet3
# Create 3 private subnets (multi AZ)
privsubnet1 = create subnet cidr=10.0.0.0/19 vpc=$vpc name=cockroachdb-privsubnet-1 availabilityzone={availabilityzone.1}
privsubnet2 = create subnet cidr=10.0.32.0/19 vpc=$vpc name=cockroachdb-privsubnet-2 availabilityzone={availabilityzone.2}
privsubnet3 = create subnet cidr=10.0.64.0/19 vpc=$vpc name=cockroachdb-privsubnet-3 availabilityzone={availabilityzone.3}
# Add a NAT Gateway used by nodes to provision themselves with user data accessing Internet
pubip = create elasticip domain=vpc
natgw = create natgateway elasticip-id=$pubip subnet=$pubsubnet1
# Wait for the NAT Gateway
check natgateway id=$natgw state=available timeout=180
# Routing to attach nat gateway to private subnets
natgw_rtable = create routetable vpc=$vpc
attach routetable id=$natgw_rtable subnet=$privsubnet1
attach routetable id=$natgw_rtable subnet=$privsubnet2
attach routetable id=$natgw_rtable subnet=$privsubnet3
create route cidr=0.0.0.0/0 gateway=$natgw table=$natgw_rtable
## Create the firewalls for HTTP UI
loadb-uifirewall = create securitygroup vpc=$vpc description=cockroachdb-loadb-ui-securitygroup name=CockroachUIAccess
update securitygroup id=$loadb-uifirewall inbound=authorize protocol=tcp cidr=0.0.0.0/0 portrange=8080
## Create the HTTP load balancer
tgroup_ui = create targetgroup name=cockroachdb-ui port=8080 protocol=HTTP vpc=$vpc healthcheckpath="/health"
lb = create loadbalancer name=cockroachdb-cluster subnets=[$pubsubnet1, $pubsubnet2, $pubsubnet3] securitygroups=$loadb-uifirewall
create listener actiontype=forward loadbalancer=$lb port=8080 protocol=HTTP targetgroup=$tgroup_ui
## Create the TCP load balancer
tgroup_node = create targetgroup name=cockroachdb-nodes port=26257 protocol=TCP vpc=$vpc
tcplb = create loadbalancer name=cockroachdb-cluster-tcp type=network subnets=[$pubsubnet1, $pubsubnet2, $pubsubnet3]
create listener actiontype=forward loadbalancer=$tcplb port=26257 protocol=TCP targetgroup=$tgroup_node
# Create firewall for general SSH access
sshfirewall = create securitygroup vpc=$vpc description=ssh-access name=AccessSSH
update securitygroup id=$sshfirewall inbound=authorize protocol=tcp cidr=0.0.0.0/0 portrange=22
# Create nodes firewall to let: inter nodes TCP traffic, TCP traffic from loadb; UI HTTP traffic from loadb
nodefirewall = create securitygroup vpc=$vpc description=cockroachdb-node-access name=CockroachNodesAccess
update securitygroup id=$nodefirewall inbound=authorize protocol=tcp cidr=0.0.0.0/0 portrange=26257
update securitygroup id=$nodefirewall inbound=authorize protocol=tcp securitygroup=$loadb-uifirewall portrange=8080
# Create a role with policy so that cockroach node instances (ec2 resources) can list other nodes using a local `awless`
create role name=DiscoverCockroachNodeRole principal-service="ec2.amazonaws.com" sleep-after=20
attach policy role=DiscoverCockroachNodeRole service=ec2 access=readonly
## Create the cockroachdb nodes
node1 = create instance distro=canonical:ubuntu subnet=$privsubnet1 securitygroup=[$sshfirewall,$nodefirewall] keypair={my.ssh.keypair} type={instance.type} role=DiscoverCockroachNodeRole type=t2.medium count=1 name=cockroachdb-node-1 userdata=./userdata/cockroach_insecure_node.sh
check instance id=$node1 state=running timeout=180
node2 = create instance distro=canonical:ubuntu subnet=$privsubnet2 securitygroup=[$sshfirewall,$nodefirewall] keypair={my.ssh.keypair} type={instance.type} role=DiscoverCockroachNodeRole type=t2.medium count=1 name=cockroachdb-node-2 userdata=./userdata/joining_cockroach_insecure_node.sh
check instance id=$node2 state=running timeout=180
node3 = create instance distro=canonical:ubuntu subnet=$privsubnet3 securitygroup=[$sshfirewall,$nodefirewall] keypair={my.ssh.keypair} type={instance.type} role=DiscoverCockroachNodeRole type=t2.medium count=1 name=cockroachdb-node-3 userdata=./userdata/joining_cockroach_insecure_node.sh
check instance id=$node3 state=running timeout=180
# Put instances in the necessary target groups
attach instance id=$node1 targetgroup=$tgroup_node
attach instance id=$node2 targetgroup=$tgroup_node
attach instance id=$node3 targetgroup=$tgroup_node
attach instance id=$node1 targetgroup=$tgroup_ui
attach instance id=$node2 targetgroup=$tgroup_ui
attach instance id=$node3 targetgroup=$tgroup_ui
# Create a small jump instance in your public subnet to run command on your nodes
create instance distro=canonical:ubuntu keypair={my.ssh.keypair} name=jump-server subnet=$pubsubnet1 securitygroup=$sshfirewall type=t2.micro
# Retrieve the loadbalancer public DNS with `awless show cockroachdb-cluster --local`
# Then to connect to the cluster UI in a browser with http://{PUBLIC_DNS}:8080
#
# Retrieve the TCP loadbalancer public DNS with `awless show cockroachdb-cluster-tcp --local`
# Then sql connect to the cluster with `cockroach sql --insecure --host {TCP_PUBLIC_DNS}`
#
# Also use awless and the jump server to go to specific nodes:
# awless ssh cockroachdb-node-1 --through jump-server