aboutsummaryrefslogtreecommitdiff
path: root/app/models
diff options
context:
space:
mode:
authorChristopher Baines <mail@cbaines.net>2019-05-27 21:35:53 +0100
committerChristopher Baines <mail@cbaines.net>2019-05-30 08:33:03 +0100
commit859302774c4d719cf949f419d0efcfd8cbad6ca2 (patch)
treea83c053f6a0e95554ea30784caf2837eb6837179 /app/models
parent1acde9a21a50f4227930afb5b6b9eda1cace54b8 (diff)
downloadgovuk-mini-environment-admin-859302774c4d719cf949f419d0efcfd8cbad6ca2.tar
govuk-mini-environment-admin-859302774c4d719cf949f419d0efcfd8cbad6ca2.tar.gz
Add a new AWS backend using Amazon Machine Images
The existing AWS backend uses system containers backed on to the AWS hosted NFS service (EFS). This has some advantages, but also some disadvantages. Using the EFS service allows building a container on one instance, with the state being held on the EFS, and then launching a new instance to run the container. Using EFS also provides persistence, at least beyond individual EC2 instances. However, build performance when using EFS is poor compared with a local store without the overhead of the network latency. Additionally, the startup speed of the container running off EFS is slow compared to local storage. This backend doesn't use EFS, instead the Guix store sits on instance storage. Rather than using a system container for a Mini Environment, an Amazon Machine Image (AMI) is built instead. The fast local storage makes builds faster, and using EBS storage for the Mini Envirnoments as well as not having the overhead of starting Ubuntu, then starting the container also makes startup faster.
Diffstat (limited to 'app/models')
-rw-r--r--app/models/backends.rb3
-rw-r--r--app/models/backends/terraform_aws.rb4
-rw-r--r--app/models/backends/terraform_aws_using_ami.rb90
-rw-r--r--app/models/backends/terraform_aws_using_ami/backend_methods.rb146
-rw-r--r--app/models/backends/terraform_aws_using_ami/mini_environment_methods.rb117
5 files changed, 357 insertions, 3 deletions
diff --git a/app/models/backends.rb b/app/models/backends.rb
index 526ae76..2a3bceb 100644
--- a/app/models/backends.rb
+++ b/app/models/backends.rb
@@ -1,5 +1,5 @@
# GOV.UK Mini Environment Admin
-# Copyright © 2018 Christopher Baines <mail@cbaines.net>
+# Copyright © 2018, 2019 Christopher Baines <mail@cbaines.net>
#
# This file is part of the GOV.UK Mini Environment Admin.
#
@@ -26,6 +26,7 @@ module Backends
def self.classes
[
Backends::TerraformAws,
+ Backends::TerraformAwsUsingAmi,
Backends::TerraformLibvirt
]
end
diff --git a/app/models/backends/terraform_aws.rb b/app/models/backends/terraform_aws.rb
index d3d56d1..64d24ef 100644
--- a/app/models/backends/terraform_aws.rb
+++ b/app/models/backends/terraform_aws.rb
@@ -1,5 +1,5 @@
# GOV.UK Mini Environment Admin
-# Copyright © 2018 Christopher Baines <mail@cbaines.net>
+# Copyright © 2018, 2019 Christopher Baines <mail@cbaines.net>
#
# This file is part of the GOV.UK Mini Environment Admin.
#
@@ -47,7 +47,7 @@ class Backends::TerraformAws < ApplicationRecord
self.table_name = 'terraform_aws_backends'
def self.label
- 'Amazon Web Services'
+ 'Amazon Web Services (using EFS)'
end
def self.available?
diff --git a/app/models/backends/terraform_aws_using_ami.rb b/app/models/backends/terraform_aws_using_ami.rb
new file mode 100644
index 0000000..bb9f90d
--- /dev/null
+++ b/app/models/backends/terraform_aws_using_ami.rb
@@ -0,0 +1,90 @@
+# GOV.UK Mini Environment Admin
+# Copyright © 2018, 2019 Christopher Baines <mail@cbaines.net>
+#
+# This file is part of the GOV.UK Mini Environment Admin.
+#
+# The GOV.UK Mini Environment Admin is free software: you can
+# redistribute it and/or modify it under the terms of the GNU Affero
+# General Public License as published by the Free Software Foundation,
+# either version 3 of the License, or (at your option) any later
+# version.
+#
+# The GOV.UK Mini Environment Admin is distributed in the hope that it
+# will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public
+# License along with the GOV.UK Mini Environment Admin. If not, see
+# <http://www.gnu.org/licenses/>.
+
+# == Schema Information
+#
+# Table name: terraform_aws_backends
+#
+# id :integer not null, primary key
+# label :string
+# aws_region :string
+# aws_access_key_id :string
+# aws_secret_access_key :string
+# created_at :datetime not null
+# updated_at :datetime not null
+# domain :string
+# route_53_zone_id :string not null
+# vpc_id :string not null
+# ssh_public_key :string
+# ssh_private_key :string
+#
+
+require 'ruby_terraform'
+
+class Backends::TerraformAwsUsingAmi < ApplicationRecord
+ include MiniEnvironmentMethods
+ include BackendMethods
+
+ has_many :mini_environments, as: :backend
+
+ self.table_name = 'terraform_aws_using_ami_backends'
+
+ def self.label
+ 'Amazon Web Services (using AMIs)'
+ end
+
+ def self.available?
+ File.exist? "#{ENV['PATH'].split(':').first}/terraform-provider-aws"
+ end
+
+ def type_and_id
+ "#{self.class.name}=#{id}"
+ end
+
+ def common_terraform_variables
+ {
+ aws_access_key: aws_access_key_id,
+ aws_secret_key: aws_secret_access_key,
+ aws_region: aws_region,
+ ssh_private_key: ssh_private_key,
+ aws_route_53_zone_id: route_53_zone_id
+ }
+ end
+
+ def build_remote_host
+ RemoteHost.new(
+ 'ubuntu',
+ backend_latest_terraform_state.output_value('guix_daemon_public_dns'),
+ ssh_private_key
+ )
+ end
+
+ def terraform_state_id
+ "backend/terraform_aws_using_ami/#{id}"
+ end
+
+ def guix_public_key
+ "(entry #{File.read("/etc/guix/signing-key.pub")} (tag (guix import)))"
+ rescue Errno::ENOENT
+ # This is optional, as if it doesn't exist, it means that `guix
+ # copy` won't be used
+ ''
+ end
+end
diff --git a/app/models/backends/terraform_aws_using_ami/backend_methods.rb b/app/models/backends/terraform_aws_using_ami/backend_methods.rb
new file mode 100644
index 0000000..10bf872
--- /dev/null
+++ b/app/models/backends/terraform_aws_using_ami/backend_methods.rb
@@ -0,0 +1,146 @@
+# GOV.UK Mini Environment Admin
+# Copyright © 2018, 2019 Christopher Baines <mail@cbaines.net>
+#
+# This file is part of the GOV.UK Mini Environment Admin.
+#
+# The GOV.UK Mini Environment Admin is free software: you can
+# redistribute it and/or modify it under the terms of the GNU Affero
+# General Public License as published by the Free Software Foundation,
+# either version 3 of the License, or (at your option) any later
+# version.
+#
+# The GOV.UK Mini Environment Admin is distributed in the hope that it
+# will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public
+# License along with the GOV.UK Mini Environment Admin. If not, see
+# <http://www.gnu.org/licenses/>.
+
+module Backends::TerraformAwsUsingAmi::BackendMethods
+ def create_data_snapshot
+ GovukGuix::CreateDataSnapshotJob.enqueue(
+ backend_type: self.class.name,
+ backend_id: id
+ )
+ end
+
+ def backend_terraform_variables
+ public_ip_addresses = ENV[
+ 'GOVUK_MINI_ENVIRONMENT_ADMIN_PUBLIC_IP_ADDRESSES'
+ ].split(',')
+
+ raise 'missing public ip addresses' if public_ip_addresses.nil?
+
+ egress_cidr_blocks = public_ip_addresses.map { |x| "#{x}/32" }
+
+ common_terraform_variables.merge(
+ aws_vpc_id: vpc_id,
+ ssh_public_key: ssh_public_key,
+ backend_slug: label.parameterize,
+ mini_environment_admin_guix_public_key: guix_public_key,
+ mini_environment_admin_egress_cidr_blocks: egress_cidr_blocks
+ )
+ end
+
+ def deploy_backend
+ within_backend_terraform_working_directory do
+ RubyTerraform.apply(
+ vars: backend_terraform_variables,
+ auto_approve: true
+ )
+ end
+ end
+
+ def refresh_backend_state
+ within_backend_terraform_working_directory do
+ RubyTerraform.refresh(
+ vars: backend_terraform_variables
+ )
+ end
+ end
+
+ def destroy_backend
+ within_backend_terraform_working_directory do
+ RubyTerraform.destroy(
+ vars: backend_terraform_variables,
+ force: true
+ )
+ end
+ end
+
+ def stop_backend
+ within_backend_terraform_working_directory do
+ RubyTerraform.destroy(
+ vars: backend_terraform_variables,
+ target: 'aws_spot_instance_request.main',
+ force: true
+ )
+ end
+ end
+
+ def in_use_store_paths
+ [
+ GovukGuix::Revision.where(archived: false).pluck(:store_path),
+ available_data_snapshots.pluck(:store_path),
+ mini_environments
+ .where(archived: false)
+ .pluck(:backend_data)
+ .map { |x| x&.dig('build_output') }
+ ].flatten.compact
+ end
+
+ def update_guix_gcroots
+ GovukGuix::UpdateGcrootsDirectory.set_in_use_store_paths(
+ in_use_store_paths,
+ run_remotely_on_host: build_remote_host
+ )
+ end
+
+ def add_in_use_store_path(store_path)
+ GovukGuix::UpdateGcrootsDirectory.add_store_path(
+ store_path,
+ run_remotely_on_host: build_remote_host
+ )
+ end
+
+ def within_backend_terraform_working_directory(&block)
+ with_advisory_lock(
+ "terraform"
+ ) do
+ TerraformWorkingDirectory.new(
+ terraform_state_id,
+ 'terraform/aws_using_ami/backend'
+ ).within_working_directory(&block)
+ end
+ end
+
+ def available_data_snapshots
+ GovukGuix::DataSnapshot.where(backend: self)
+ end
+
+ def backend_terraform_states
+ TerraformState.where(
+ state_id: terraform_state_id
+ )
+ end
+
+ def backend_latest_terraform_state
+ backend_terraform_states.order(:id).last
+ end
+
+ def status
+ latest_terraform_state = backend_terraform_states.order(:id).last
+
+ running = (
+ latest_terraform_state &&
+ (latest_terraform_state.output_value('backend_up') == 'true')
+ )
+
+ {
+ running: running,
+ updated_at: latest_terraform_state.try(:created_at)
+ }
+ end
+end
diff --git a/app/models/backends/terraform_aws_using_ami/mini_environment_methods.rb b/app/models/backends/terraform_aws_using_ami/mini_environment_methods.rb
new file mode 100644
index 0000000..839bc3b
--- /dev/null
+++ b/app/models/backends/terraform_aws_using_ami/mini_environment_methods.rb
@@ -0,0 +1,117 @@
+# GOV.UK Mini Environment Admin
+# Copyright © 2018, 2019 Christopher Baines <mail@cbaines.net>
+#
+# This file is part of the GOV.UK Mini Environment Admin.
+#
+# The GOV.UK Mini Environment Admin is free software: you can
+# redistribute it and/or modify it under the terms of the GNU Affero
+# General Public License as published by the Free Software Foundation,
+# either version 3 of the License, or (at your option) any later
+# version.
+#
+# The GOV.UK Mini Environment Admin is distributed in the hope that it
+# will be useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public
+# License along with the GOV.UK Mini Environment Admin. If not, see
+# <http://www.gnu.org/licenses/>.
+
+module Backends::TerraformAwsUsingAmi::MiniEnvironmentMethods
+ def build(mini_environment)
+ slug = mini_environment.name.parameterize
+
+ GovukGuix::BuildMiniEnvironment.build(
+ mini_environment.id,
+ services: mini_environment.services.map(&:build_argument_string),
+ arguments: {
+ type: 'aws-packer-ami',
+ base_os: 'aws',
+ ami_name: "govuk-mini-environment-admin-#{slug}",
+ app_domain: "#{slug}.#{domain}",
+ web_domain: "www.#{slug}.#{domain}",
+ use_https: 'certbot',
+ signon_instance_name: slug,
+ admin_environment_label: mini_environment.name,
+ use_error_pages: 'true',
+ origin_basic_auth: "#{slug}=#{slug}",
+ },
+ run_remotely_on_host: mini_environment.backend.build_remote_host
+ )
+ end
+
+ def start(mini_environment)
+ logger.info "Setting up #{mini_environment.name}"
+
+ within_terraform_working_directory(mini_environment) do
+ RubyTerraform.apply(
+ vars: terraform_variables(mini_environment),
+ auto_approve: true
+ )
+ end
+ end
+
+ def destroy(mini_environment)
+ within_terraform_working_directory(mini_environment) do
+ RubyTerraform.destroy(
+ vars: terraform_variables(mini_environment),
+ force: true
+ )
+ end
+ end
+
+ def refresh(mini_environment)
+ within_terraform_working_directory(mini_environment) do
+ RubyTerraform.refresh(
+ vars: terraform_variables(mini_environment)
+ )
+ end
+ end
+
+ def terraform_states(mini_environment)
+ TerraformState.where(
+ state_id: mini_environment_state_id(mini_environment)
+ )
+ end
+
+ def within_terraform_working_directory(mini_environment, &block)
+ with_advisory_lock(
+ "terraform"
+ ) do
+ TerraformWorkingDirectory.new(
+ mini_environment_state_id(mini_environment),
+ 'terraform/aws_using_ami/mini_environment'
+ ).within_working_directory(&block)
+ end
+ end
+
+ def mini_environment_state_id(mini_environment)
+ "mini_environment/#{mini_environment.id}"
+ end
+
+ def signon_url(mini_environment)
+ "https://signon.#{mini_environment.name.parameterize}.#{domain}"
+ end
+
+ def terraform_variables(mini_environment)
+ credentials = TerraformHttpBackendController.credentials
+
+ ami_id = mini_environment.backend_data['build_output'].split(' ')[1]
+
+ common_terraform_variables.merge(
+ slug: mini_environment.name.parameterize,
+ ami_id: ami_id,
+ backend_remote_state_address: (
+ Plek.new.external_url_for('mini-environment-admin') +
+ Rails
+ .application
+ .routes
+ .url_helpers
+ .terraform_http_backend_path(terraform_state_id)
+ ),
+ backend_remote_state_username: credentials[:name],
+ backend_remote_state_password: credentials[:password]
+ )
+ end
+end