Initializing CloudCore
This page provides instructions to initialize CloudCore, a component of Elastic Path CloudOps for AWS.
The bootstrap script runs an initialization script, init.sh, inside a bootstrap Docker container. This initialization script creates CloudFormation stacks to set up CloudCore’s infrastructure using settings from a version set file.
Prerequisites
The following requirements and preparations are needed before initializing CloudCore:
- Requirements are fulfilled
- CloudCore runBootstrap.sh settings values are gathered, to be used in step 4 of the procedure (editing the runBootstrap.sh script)
Procedure
1. Clone the CloudCore repository from the Git repository hosting service as described in the Requirements page.
2. Check out the correct branch for the version of CloudCore that you want to initialize.
3. Run the following command to copy a private SSH key authorized to clone from the Git repository hosting service to the Containers/bootstrap/ sub-directory. The private SSH key must not be password protected:
   cp /path/to/${PRIVATE_GIT_KEY} path/to/cloud-core-aws/Containers/bootstrap/
4. Edit the runBootstrap.sh script with the required parameters. For information about the parameters, see the comments in the script.
   Note: For additional information on each CloudCore runBootstrap.sh parameter, see CloudCore runBootstrap.sh Settings.
5. Run the runBootstrap.sh script. You can monitor the progress of the initialization in the terminal window and in the AWS (Amazon Web Services) CloudFormation web console.
   Tip: Save the console output to a file:
   bash runBootstrap.sh |& tee cloudcore-bootstrap-`date '+%Y-%m-%d-%H-%M-%S'`.txt
6. When the script is run, ensure that an SSH key named ep-bastion is copied into the same directory as the runBootstrap.sh script.
   Important: This is the only copy of the key. You cannot access the application servers using SSH without it.
7. In the CloudCore bootstrap log file generated by the runBootstrap.sh script, copy the preshared Consul ACL token, Vault root token, and Vault recovery key.
   Important: The CloudCore bootstrap log contains the only copy of these tokens and this key, so make sure you make a copy of them. They do not expire. Keep them in a secure location and do not use them unless it is necessary.
8. Update the name servers for the domain name with the values generated by the initialization script.
9. Check the installation as described in the following Validating Initialization section.
Validating Initialization
After running the bootstrap container to initialize CloudCore, validate the following to ensure that CloudCore is set up as required.
AWS Security Groups
Access to resources created by CloudOps is controlled through AWS Security Groups. This includes the Bastion and Jenkins servers and the Config Store. By default, CloudOps only grants access to these resources to the IP address from which CloudCore was initialized. For more information about the security groups, see Security in Elastic Path CloudOps for AWS.
Warning: Access to the Public and Bastion security groups must be restricted as they grant access to the Config Store. The Config Store contains sensitive information including EC2 keys and other credentials.
Granting additional access to the Jenkins server and Config Store
- Identify the external IP address of the users who will need access to the Jenkins server and the Config Store
- Update the Public security group as needed
Granting additional access to the Bastion server
- Identify the external IP address of the users who will need access to the Bastion server
- Update the Bastion security group as needed
AWS CloudFormation Stacks
Ensure that the following AWS CloudFormation stacks are completed successfully:
- EP-CC-Network: Initializes the CloudOps network
- EP-CC-Bastion: Creates the Bastion server used to access VMs in private subnets
- EP-CC-Route53: Creates the Route53 hosted zone and DNS entries
- EP-CC-Config-Store: Creates the Consul and Vault cluster used to store configuration
- EP-CC-Jenkins-Server: Creates the master Jenkins server
Note: You may see additional CloudFormation stacks named EP-CC-AMI or EP-CC-ECS-AMI during the initialization of CloudCore. These stacks should be deleted automatically before CloudCore initialization is completed.
AWS S3 Bucket
Ensure that the ep-cloudops-<account_id> Amazon S3 bucket exists and contains:
- A CloudCore folder with the following structure:
CloudCore/
|
|---/
|---Files/
| |
| |---consul/
| |
| |---vault/
| |
| |---jenkins/
|
|---Scripts/
AWS Machine Images (AMIs)
Ensure that the following two AMIs are created, are owned by your AWS account, and are private:
- baseEpAmi
- baseEpEcsAmi
Jenkins Server
Before proceeding, update the DNS name server records if you haven’t already. The name server record values are output by the CloudCore bootstrap script. For more information on DNS and CloudOps, see CloudCore DNS configuration.
Confirm that a Jenkins instance is created and accessible. See default CloudOps endpoints and credentials for Jenkins server access information.
Reference Materials
runBootstrap.sh Parameters
You must provide the following details to initialize CloudCore:
Field | Description |
---|---|
versionSetFileName | The file name of the component version set to use. This file and the default files for supported versions of Elastic Path Commerce are in the folder cloud-core-aws/Containers/bootstrap/versionsets/. For example, the file name for Elastic Path Commerce version 7.3 is ep73.conf. For more information on each version set file parameter, see the CloudCore Version Set File Settings section below. |
epCloudCoreGitRepoUrl | The SSH URL of the CloudCore repository. |
epCloudCoreBranch | The CloudCore branch and release version to use for CloudCore initialization. This setting is optional. The default is master. |
cloudCoreGitSSHKeyFileName | The name of a private SSH key authorized to clone CloudCore from your Git repository hosting service. Ensure that the private key is in the same folder as the bootstrap Dockerfile, Containers/bootstrap/, and that the key is not password protected. |
cloudCoreGitUsername | This setting is optional if you don’t use AWS CodeCommit. If you use AWS CodeCommit as the Git service for all CloudOps repositories, use the "SSH Key ID" as described in the Setup Steps for SSH Connections to AWS CodeCommit Repositories. |
awsAccessKeyId | The access key ID for the AWS account in which you want to initialize CloudCore. |
awsSecretAccessKey | The secret access key for the AWS account in which you want to initialize CloudCore. |
awsRegion | The AWS region in which you want to deploy CloudOps. |
accountRoleTag | The tag to apply to every EC2 instance in the AWS account you are initializing. It should describe the purpose of the account, for example dev or prod. The default is dev. For more information about the EC2 tags CloudOps uses, see the EC2 Tags page. |
epCloudOpsDomain | The new and unique sub-domain name to use with CloudOps, identified when reviewing the CloudOps Requirements. This value is optional, but you should set it to a valid value. If left blank, it defaults to aws.epcloudops.com. If the default is used, your CloudOps domain names will only resolve and be accessible from within AWS, and will not be accessible from browsers or servers outside of AWS. |
certificateArn | The ARN (Amazon Resource Name) of an HTTPS certificate in AWS Certificate Manager. This setting is optional. If left empty, CloudCore does not use SSL. |
initialVaultUsername | The user name for Vault access (Important: Do not set for production). Leave blank to disable username/password authentication. |
initialVaultPassword | The password for Vault access (Important: Do not set for production). Leave blank to disable username/password authentication. |
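A pre-flight check of these settings before the bootstrap is run, as an added example that is not part of the CloudOps scripts. It assumes the parameters are set as shell assignments (name="value") in runBootstrap.sh, which may not match the real script's layout; the sample script is constructed.

```python
"""Pre-flight check of runBootstrap.sh settings against the parameter table above.
Added example, not CloudOps code. Assumes the script sets each parameter as a
shell assignment such as accountRoleTag="prod" (the real script's layout may differ)."""
import re
from typing import Dict, List

ASSIGNMENT = re.compile(r'''^\s*(?:export\s+)?(\w+)=(?:"([^"]*)"|'([^']*)'|(\S*))\s*$''')
REQUIRED = ("versionSetFileName", "epCloudCoreGitRepoUrl", "cloudCoreGitSSHKeyFileName",
            "awsAccessKeyId", "awsSecretAccessKey", "awsRegion")

def parse_settings(script: str) -> Dict[str, str]:
    """Collect parameter=value assignments, ignoring comments and other shell lines."""
    settings = {}
    for line in script.splitlines():
        m = ASSIGNMENT.match(line)
        if m:
            settings[m.group(1)] = next(v for v in m.groups()[1:] if v is not None)
    return settings

def preflight(settings: Dict[str, str]) -> List[str]:
    """Return the problems to fix before running the bootstrap, per the parameter table."""
    problems = []
    for key in REQUIRED:
        if not settings.get(key):
            problems.append(f"{key} is required but empty")
    if settings.get("accountRoleTag", "dev") == "prod":
        for key in ("initialVaultUsername", "initialVaultPassword"):
            if settings.get(key):
                problems.append(f"{key} must not be set for production")
    if not settings.get("certificateArn"):
        problems.append("certificateArn is empty: CloudCore will not use SSL")
    if not settings.get("epCloudOpsDomain"):
        problems.append("epCloudOpsDomain is empty: default domain only resolves inside AWS")
    return problems

# Constructed sample of the assignments such a script might contain (placeholder values).
SAMPLE_SCRIPT = """
versionSetFileName="ep73.conf"
epCloudCoreGitRepoUrl="ssh://git@git.example.com/cloud-core-aws.git"
cloudCoreGitSSHKeyFileName="cloudcore_deploy_key"
awsAccessKeyId="AKIA_PLACEHOLDER"
awsSecretAccessKey=""
awsRegion="us-west-2"
accountRoleTag="prod"
epCloudOpsDomain="cloudops.example.com"
certificateArn=""
initialVaultUsername="vaultadmin"
initialVaultPassword="changeme"
"""
```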
CloudCore Version Set File Settings
During CloudCore initialization, the bootstrap process consumes a file that specifies several version parameters for various technologies CloudOps for AWS uses. This file is called the version set file.
During CloudCore bootstrap, you must provide a version set file that is compatible with the EP Commerce version used in your deployment of the CloudOps components. For example, if using EP Commerce version 7.3, you must use the version set file ep73.conf. If you provide your own version set file, you must commit and push the changes to your Git repository hosting service and specify that branch and version set file to the bootstrap script before deploying the CloudOps components.
Default files for supported versions of EP Commerce can be found in the CloudCore component in the folder cloud-core-aws/Containers/bootstrap/versionsets/.
The version set file provides the following parameters when initializing CloudCore:
Field | Description |
---|---|
customEcsAmiId | The AMI (Amazon Machine Image) id of a custom Amazon AMI. It is used to build the base Elastic Path ECS (Elastic Container Service) AMI. This setting is optional. If left blank, CloudCore uses the AMI specified in amazonOptimizedEcsAmiName. For CloudOps for AWS 3.2, images based on Amazon Linux must use Amazon Linux 2. |
customLinuxAmiId | The AMI id of a custom Amazon AMI. It is used to build the base Elastic Path Linux AMI. This setting is optional. If left blank, CloudCore uses the AMI specified in amazonLinuxAmiName. For CloudOps for AWS 3.2, images based on Amazon Linux must use Amazon Linux 2. |
amazonOptimizedEcsAmiName | An Amazon provided ECS-optimized Amazon Linux AMI. Used as the default AMI to build the base Elastic Path ECS AMI. This parameter should not be modified. |
amazonLinuxAmiName | An Amazon provided Amazon Linux AMI. Used as the default AMI to build the base Elastic Path Linux AMI. This parameter should not be modified. |
jenkinsVersion | The version of Jenkins CloudCore will use to create the Jenkins server. |
consulVersion | The version of Consul CloudCore will use to create the configuration store. |
vaultVersion | The version of Vault CloudCore uses to manage Access Control List (ACL) keys for consul. |
activemqVersion | The version of ActiveMQ CloudOps will use when deploying EP Commerce. |
tomcatVersion | The version of Tomcat CloudOps will use with EP application servers. |
javaDownloadUrl | A Java JRE (Java Runtime Environment) download link. |
rdsVersion | The RDS (Relational Database Service) engine version CloudOps will use when deploying EP Commerce databases. |
rdsParameterGroup | The RDS parameter group CloudOps will use when deploying EP Commerce databases. |
CloudCore Jenkins Jobs
During CloudCore initialization, the bootstrap container runs the Jenkins job bootstrap. The bootstrap job generates the AddSshCredentials job. AddSshCredentials is run twice during CloudTeam initialization to set up credentials for cloning the cloud-team-aws and ep-commerce repositories. Finally, during CloudDeploy initialization, AddSshCredentials sets up credentials for the cloud-deploy-aws and ep-commerce repositories.
bootstrap Jenkins Job
This job populates the Jenkins server with the AddSshCredentials job. The required parameters for this job are:
Parameter | Description |
---|---|
CLOUDCORE_GIT_REPO_URL | The URL of the CloudCore Git repository. |
CLOUDCORE_BRANCH | The branch in the CloudCore repository that you want to use. |
AddSshCredentials Jenkins Job
This job creates SSH credentials in Jenkins for cloning Elastic Path repositories. The job is kicked off during initialization of the CloudTeam and CloudDeploy components, and does not need to be run again. The required parameters for this job are:
Parameter | Description |
---|---|
CONSUL_URL | The URL to the Consul server that CloudCore creates. Jenkins jobs use Consul to store the default values for some parameters. |
GIT_REPO_NAME | The name of the Elastic Path repository that you are creating credentials for. The options are cloud-core-aws , cloud-deploy-aws , cloud-team-aws , docker , and ep-commerceupdate_db |
ProductionSecurityGroups Jenkins Job
This job secures the public, private, and bastion EC2 Security Groups:
Security Group | Protocol | Port | Destination |
---|---|---|---|
Public Security Group | All | Any | Private Security Group |
Private Security Group | All | Any | Public Security Group |
Private Security Group | All | Any | Private Security Group |
Private Security Group | All | Any | Bastion Security Group |
Private Security Group | TCP | 22 | 0.0.0.0/0 |
Private Security Group | UDP | 53 | 0.0.0.0/0 |
Private Security Group | TCP | 80 | 0.0.0.0/0 |
Private Security Group | TCP | 443 | 0.0.0.0/0 |
Private Security Group | TCP | 465 | 0.0.0.0/0 |
Bastion Security Group | TCP | 22 | Private Security Group |
Bastion Security Group | TCP | 80 | 0.0.0.0/0 |
Bastion Security Group | TCP | 443 | 0.0.0.0/0 |
Bastion Security Group | TCP | 3306 | Private Security Group |
Terms
- UDP (User Datagram Protocol)
- TCP (Transmission Control Protocol)
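A check of deployed groups against the ProductionSecurityGroups table above and the Security Groups warning in the validation section (Public and Bastion must not be open to arbitrary IPs), as an added example that is not CloudOps code. It assumes the Destination column describes egress rules (boto3's IpPermissionsEgress); the group ids, the Public/Private/Bastion names and the sample group are constructed.

```python
"""Audit CloudOps security groups against the ProductionSecurityGroups table. Added example,
not CloudOps code; sample input is constructed in boto3 describe_security_groups shape."""
from typing import List

# Expected egress per group from the table (assumption: Destination means egress):
# (protocol, port, destination). "-1" is AWS's all-protocols wildcard; port None is any port.
EXPECTED_EGRESS = {
    "Public": {("-1", None, "Private")},
    "Private": {("-1", None, "Public"), ("-1", None, "Private"), ("-1", None, "Bastion"),
                ("tcp", 22, "0.0.0.0/0"), ("udp", 53, "0.0.0.0/0"), ("tcp", 80, "0.0.0.0/0"),
                ("tcp", 443, "0.0.0.0/0"), ("tcp", 465, "0.0.0.0/0")},
    "Bastion": {("tcp", 22, "Private"), ("tcp", 80, "0.0.0.0/0"),
                ("tcp", 443, "0.0.0.0/0"), ("tcp", 3306, "Private")},
}
GROUP_NAMES = {"sg-pub": "Public", "sg-priv": "Private", "sg-bast": "Bastion"}  # constructed ids

def _rules(perms: List[dict]) -> set:
    """Flatten boto3-style IpPermissions into (protocol, port, destination) tuples."""
    out = set()
    for p in perms:
        port = None if p["IpProtocol"] == "-1" else p.get("FromPort")
        for r in p.get("IpRanges", []):
            out.add((p["IpProtocol"], port, r["CidrIp"]))
        for g in p.get("UserIdGroupPairs", []):
            out.add((p["IpProtocol"], port, GROUP_NAMES.get(g["GroupId"], g["GroupId"])))
    return out

def audit(sg: dict) -> List[str]:
    """Report egress rules not in the table and, for the Public and Bastion groups,
    any ingress open to 0.0.0.0/0 (those groups must be limited to known IPs)."""
    name = GROUP_NAMES[sg["GroupId"]]
    findings = [f"{name}: unexpected egress {r}"
                for r in sorted(_rules(sg["IpPermissionsEgress"]) - EXPECTED_EGRESS[name], key=str)]
    if name in ("Public", "Bastion"):
        findings += [f"{name}: ingress {proto}/{port} open to the world"
                     for proto, port, src in sorted(_rules(sg["IpPermissions"]), key=str)
                     if src == "0.0.0.0/0"]
    return findings

# Constructed sample: a Bastion group with SSH open to the world and one egress rule not in the table.
SAMPLE_BASTION = {
    "GroupId": "sg-bast",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 22, "UserIdGroupPairs": [{"GroupId": "sg-priv"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
```

Missing rules are not reported, so a group that is stricter than the table passes; only additions and world-open ingress are flagged.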