Merge pull request ecamp#3641 from BacLuc/aws-document-setup

Document AWS Setup
BacLuc · Sep 30, 2023 · a7b78e9 · a7b78e9
2 parents c814a15 + 0bc20ec
commit a7b78e9
Show file tree

Hide file tree

Showing 12 changed files with 5,345 additions and 0 deletions.
diff --git a/.ops/aws-setup/.gitignore b/.ops/aws-setup/.gitignore
@@ -0,0 +1,4 @@
+/.aws
+/.pulumi
+/bin/
+/node_modules/
diff --git a/.ops/aws-setup/.prettierignore b/.ops/aws-setup/.prettierignore
@@ -0,0 +1,3 @@
+/.aws
+/.pulumi
+/package*.json
diff --git a/.ops/aws-setup/Pulumi.dev.yaml b/.ops/aws-setup/Pulumi.dev.yaml
@@ -0,0 +1,4 @@
+encryptionsalt: v1:CdKPMfceMA4=:v1:rlPnkGuNOMP44Lvd:E0r294YKkNTLweaqLUICMda0uPHKEg==
+config:
+  aws:region: eu-west-3
+  ecamp-core:env: dev
diff --git a/.ops/aws-setup/Pulumi.prod.yaml b/.ops/aws-setup/Pulumi.prod.yaml
@@ -0,0 +1,4 @@
+encryptionsalt: v1:fMldUZIpLOs=:v1:0Vd6ZXTXZIlciRYQ:IlSxNR4210bawhbGLeYUFdT3LJL8Fg==
+config:
+  aws:region: eu-west-3
+  ecamp-core:env: prod
diff --git a/.ops/aws-setup/Pulumi.staging.yaml b/.ops/aws-setup/Pulumi.staging.yaml
@@ -0,0 +1,4 @@
+encryptionsalt: v1:XBD0QUsfJx8=:v1:kE3gKM26lHSNXQql:hTPT6LNJt9u/qKKfo9PlrAYY/oX7Sw==
+config:
+  aws:region: eu-west-3
+  ecamp-core:env: staging
diff --git a/.ops/aws-setup/Pulumi.yaml b/.ops/aws-setup/Pulumi.yaml
@@ -0,0 +1,3 @@
+name: ecamp-core
+runtime: nodejs
+description: The aws setup for ecamp3
diff --git a/.ops/aws-setup/README.md b/.ops/aws-setup/README.md
@@ -0,0 +1,57 @@
+# ecampV3 AWS Setup
+
+We currently use AWS S3 for additional DB Backups.
+Because AWS is a little complicated, we use the aws-cli and [Pulumi](https://www.pulumi.com) to provision
+the setup for aws.
+
+## Initial setup
+
+1. Make a personal user with the ecampCore Amazon User of the KeePass
+2. Login with your personal user here: <https://d-90679ce1c6.awsapps.com/start#/>
+3. Configure [.aws/credentials](.aws/credentials) according to the option 2 of
+   "Command line or programmatic access".\
+   Name the profile "default"
+
+## Working with pulumi
+
+1. Make sure the dependencies are up to date
+
+   ```shell
+   docker compose run --rm aws-setup npm ci
+   ```
+
+2. Fix the permissions of the node_modules folder
+
+   ```shell
+   sudo chown -R $USER:$USER .
+   ```
+
+3. Set the aws bucket as state backend
+
+   ```shell
+   docker compose run --rm aws-setup pulumi login s3://ecampcore-pulumi/
+   ```
+
+4. Choose the stack
+
+   ```shell
+   docker compose run --rm aws-setup pulumi stack select
+   ```
+
+5. Deploy your changes
+
+   ```shell
+   docker compose run --rm aws-setup pulumi up
+   ```
+
+6. Get secrets
+
+   ```shell
+   docker compose run --rm aws-setup pulumi stack output --show-secrets
+   ```
+
+7. Lint
+
+   ```shell
+   docker compose run --rm aws-setup npm run lint
+   ```
diff --git a/.ops/aws-setup/docker-compose.yml b/.ops/aws-setup/docker-compose.yml
@@ -0,0 +1,24 @@
+version: "3.9"
+
+services:
+  aws-setup:
+    image: pulumi/pulumi-nodejs:3.76.1
+    container_name: 'ecamp3-aws-setup'
+    volumes:
+      - ../../.prettierrc:/.prettierrc:delegated
+      - ../../.cache/npm:/root/.npm/_cacache:delegated
+      - ./:/aws-setup:delegated
+      - ./.aws:/root/.aws:delegated
+      - ./.pulumi:/root/.pulumi:delegated
+    working_dir: /aws-setup
+    environment:
+      - AWS_DEFAULT_REGION=eu-west-3
+
+  aws-cli:
+    image: amazon/aws-cli:2.11.21
+    container_name: 'ecamp3-aws-cli'
+    volumes:
+      - ./.aws:/root/.aws:delegated
+    working_dir: /aws-setup
+    environment:
+      - AWS_DEFAULT_REGION=eu-west-3
diff --git a/.ops/aws-setup/index.ts b/.ops/aws-setup/index.ts
@@ -0,0 +1,123 @@
+import { AccessKey, Policy, User, UserPolicyAttachment } from '@pulumi/aws/iam'
+import { Bucket } from '@pulumi/aws/s3'
+import { Config, interpolate } from '@pulumi/pulumi'
+
+const config = new Config()
+const environment = config.require('env') || 'dev'
+
+const retentionPolicies = {
+  transitions: [
+    {
+      days: 30,
+      storageClass: 'GLACIER',
+    },
+  ],
+  expiration: {
+    days: 365,
+  },
+}
+
+let objectLockRetentionDays = 365
+if (environment === 'dev') {
+  retentionPolicies.transitions[0].days = 1
+  retentionPolicies.expiration.days = 7
+  objectLockRetentionDays = 8
+}
+
+const backupBucket = new Bucket(`ecamp3-${environment}-bucket`, {
+  acl: 'private',
+  versioning: {
+    enabled: true,
+  },
+  lifecycleRules: [
+    {
+      enabled: true,
+      abortIncompleteMultipartUploadDays: 1,
+      ...retentionPolicies,
+    },
+  ],
+  objectLockConfiguration: {
+    objectLockEnabled: 'Enabled',
+    rule: {
+      defaultRetention: {
+        mode: 'GOVERNANCE',
+        days: objectLockRetentionDays,
+      },
+    },
+  },
+})
+
+const putObjectPolicy = new Policy('put-object', {
+  policy: {
+    Version: '2012-10-17',
+    Statement: [
+      {
+        Effect: 'Allow',
+        Action: 's3:PutObject',
+        Resource: [backupBucket.arn, interpolate`${backupBucket.arn}/*`],
+      },
+    ],
+  },
+})
+
+const putOnlyUser = new User(`ecamp3-${environment}-put-only-user`, {
+  name: `ecamp3-${environment}-put-only-user`,
+  permissionsBoundary: putObjectPolicy.arn,
+})
+
+const putOnlyUserAccessKey = new AccessKey(
+  `ecamp3-${environment}-put-only-user-access-key`,
+  {
+    user: putOnlyUser.name,
+  }
+)
+
+const downloadObjectPolicy = new Policy('download-object', {
+  policy: {
+    Version: '2012-10-17',
+    Statement: [
+      {
+        Effect: 'Allow',
+        Action: ['s3:GetObjectVersion', 's3:ListBucket', 's3:ListBucketVersions'],
+        Resource: [backupBucket.arn, interpolate`${backupBucket.arn}/*`],
+      },
+    ],
+  },
+})
+
+const downloadOnlyUser = new User(`ecamp3-${environment}-download-only-user`, {
+  name: `ecamp3-${environment}-download-only-user`,
+  permissionsBoundary: downloadObjectPolicy.arn,
+})
+
+const downloadOnlyAccessKey = new AccessKey(
+  `ecamp3-${environment}-download-only-user-access-key`,
+  {
+    user: downloadOnlyUser.name,
+  }
+)
+
+new UserPolicyAttachment(`ecamp3-${environment}-put-only-policy-attachment`, {
+  user: putOnlyUser.name,
+  policyArn: putObjectPolicy.arn,
+})
+
+new UserPolicyAttachment(`ecamp3-${environment}-download-only-policy-attachment`, {
+  user: downloadOnlyUser.name,
+  policyArn: downloadObjectPolicy.arn,
+})
+
+// noinspection JSUnusedGlobalSymbols
+export const bucketEndpoint = backupBucket.bucketDomainName
+// noinspection JSUnusedGlobalSymbols
+export const bucketName = backupBucket.bucket
+
+// noinspection JSUnusedGlobalSymbols
+export const putOnlyUserAccessKeyId = putOnlyUserAccessKey.id
+// noinspection JSUnusedGlobalSymbols
+export const putOnlyUserSecretAccessKey = putOnlyUserAccessKey.secret
+
+// noinspection JSUnusedGlobalSymbols
+export const downloadOnlyUserAccessKeyId = downloadOnlyAccessKey.id
+// noinspection JSUnusedGlobalSymbols
+export const downloadOnlyUserSecretAccessKey = downloadOnlyAccessKey.secret