Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/igwtcode/aws-multimaster-saltstack
infrastructure in aws using cdk in typescript for a secure high available and scalable multi master SaltStack setup
https://github.com/igwtcode/aws-multimaster-saltstack
aws aws-cdk cdk cdk-examples cloudformation saltstack
Last synced: about 20 hours ago
JSON representation
infrastructure in aws using cdk in typescript for a secure high available and scalable multi master SaltStack setup
- Host: GitHub
- URL: https://github.com/igwtcode/aws-multimaster-saltstack
- Owner: igwtcode
- License: mit
- Archived: true
- Created: 2023-01-07T10:12:57.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2023-01-07T11:33:17.000Z (over 1 year ago)
- Last Synced: 2024-09-22T20:01:41.736Z (5 days ago)
- Topics: aws, aws-cdk, cdk, cdk-examples, cloudformation, saltstack
- Language: TypeScript
- Homepage:
- Size: 276 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# aws-multimaster-saltstack
## Intro
This is a demo project, creating an infrastructure in [aws (amazon web services)](https://aws.amazon.com/) using [CDK (cloud development kit) v2](https://docs.aws.amazon.com/cdk/v2/guide/home.html) in [Typescript](https://www.typescriptlang.org/) to achieve the objective described below
## Objective
secure high available and scalable multi master [SaltStack](https://saltproject.io/) master/minion setup
### Features
- master instances should register/deregister themselves automatically in all minions
- minion instances should register/deregister themselves automatically in all masters
- all master instances are also minions
- `salt-api` should be accessible via an application load balancer isolated in vpc, connecting to all masters
- dynamodb table to collect ec2 instances (master and minion) attributes such as: _minion_id, instance_id, ip address, instance tier, etc..._
- api gateway to access salt-api and dynamodb table data with apikey and api usage plan> **Security**:
>
> - iam policies and permissions
> - data encryption at rest and in transit (kms key, acm tls certificate)
> - security groups
> - private and isolated subnets with _nat_, _s3_ and _dynamodb_ gateway
> - _custom header_ for application load balancer
> - apikey and usage plan for api gateway
>
> **High Availability and Scale**: auto scaling groups with application load balancer using multiple subnets across multiple availability zones (at least 3) with an event driven architecture to automatically register/deregister nodes## aws services and tools
here is a brief overview of aws services and tools used in this app
- budgets: _budget alarm_
- vpc: _vpc, subnet, security group, nat gateway, s3 gateway, dynamodb gateway_
- ec2 image builder: _pipeline_ with custom recipe
- iam: _policy, permissions_
- kms: _kms key_ for data encryption at rest _(s3 bucket, dynamodb table, efs)_
- acm: _tls certificate_ for data encryption in transit _(api gateway and application load balancer)_
- dynamodb: _table, ttl, autoscaling_
- ec2: _instance, launch template, ami, target group, autoscaling group, application load balancer_
- ssm: _run command, parameter store, ssm agent (ec2 instance)_
- eventbridge: _event_
- sns: _topic_
- s3: _bucket, bucket policy, lifecycle policy, replication rule_
- route53: _public and private hosted zone, alias record_
- lambda: _layer, function, alias, autoscaling, policy and permissions, integration with: vpc, eventbridge event, sns notification, efs, dynamodb, application load balancer, ssm run command, ssm parameter store, ec2 ami, snapshot, volume, launch template and autoscaling_
- cloudwatch: _cloudwatch agent (ec2 instance)_## Architecture
![image](docs/architecture-1.png)
## Requirements
### Knowledge
- [SaltStack](https://saltproject.io/)
- aws [CDK](https://docs.aws.amazon.com/cdk/v2/guide/home.html) and [Cloudformation](https://aws.amazon.com/cloudformation/)
- [Typescript](https://www.typescriptlang.org/) language
- [Bash](https://www.gnu.org/software/bash/)### Tools
- code editor or IDE. ([vscode](https://code.visualstudio.com/))
- [aws account](https://portal.aws.amazon.com/billing/signup?refid=d97c9d89-00ee-48c6-84a2-4f1d2dd976da&redirect_url=https%3A%2F%2Faws.amazon.com%2Fregistration-confirmation#/start/email)
- [aws cli](https://aws.amazon.com/cli/)
- aws profile (aws iam user with admin permissions)
```bash
# check if aws cli is installed
aws --version# configure profile
aws configure
```## Deploy
### create `.env` file in project root directory with following entries:
```bash
# required, ex: 123456789012
ACCOUNT_ID=# required, ex: example.com
DOMAIN=# required, ex: iuhfskjbbe87ggjgsd765ajhf765afHJGFSDtasewr76HFJ
API_KEY=# required, ex: admin
CDK_IAM_USER=# required, ex: [email protected]
EMAIL=# optional, default: us-east-1
REGION=# optional, default: saltuser
SALT_API_USER=# optional, default: saltPassword
SALT_API_PASSWORD=
```### install npm packages
```bash
npm install
```### install aws cdk
```bash
sudo npm install -g aws-cdk
```### bootstrap cdk
> this is only required, if it's not done before
```bash
cdk bootstrap
```### synthesize app _(optional)_
> to create and review cloudformation template
```bash
cdk synth > template.yml
```### deploy app to aws account
```bash
cdk deploy
```> ```bash
> # make scripts executable
> chmod +x src/scripts/*
> ```> **NOTE** execute all scripts from project root directory
### copy files to s3 buckets
after app deployment is successfully finished, several files should be copied to s3 buckets. this could be done by executing a script
> **NOTE** check the bucket names and data directory paths in `src/scripts/s3_sync.sh`
> bucket names should be automatically set in the script file during synth process```bash
bash src/scripts/s3_sync.sh
```### execute/run ec2 image builder pipelines
when files are successfully copied to s3 buckets, execute the ec2 image builder pipelines to build _salt-master_ and _salt-minion_ ami. this could be also done by executing the following script.
> **NOTE** check the image builder pipeline arn in `src/scripts/imagebuilder_pipeline_exec.sh`
> they should be automatically set in the script file during synth process```bash
bash src/scripts/imagebuilder_pipeline_exec.sh
```after about 30-45 minutes image builder pipelines should be done. they will automatically:
- put the created ami id in ssm parameter store
- create a new launch template version with the new ami id and set it as default
- modify the autoscaling groups to use the latest launch template version
- update autoscaling groups instances with new ami
- delete older ami _(images, snapshots, volumes)_### start salt-master cluster
when deploying the cdk infrastructure app, 2 autoscaling groups for salt-master and salt-minion would be created having the _amazon linux 2_ as ami set in launch template with (min:0, max: 3) capacity, so there should be no instance running from these autoscaling groups at first
> **NOTE** make sure that new ec2 images (ami) are created for both salt-master and salt-minion by ec2 image builder from previous step
change/increase desired or minimum capacity for salt-master autoscaling group to create ec2 instances. in [aws management console](https://signin.aws.amazon.com/)
### start salt-minion cluster
> **NOTE** make sure, that at least 1 salt-master instance is running to accept minions
do the same steps as above for salt-minion autoscaling group
### app api
following 2 api endpoints should be available, which could be tested by executing following script
> **NOTE** `X-API-Key` Header with _apiKey value_ must be set in request, which is done in script
- **GET** `https:///instances`
returns the dynamodb table data containing information about ec2 instances
- **GET** `https:///salt`
returns ping result from `salt-api` of all registered minions
> **NOTE** it takes some time (about 2-5 minutes) after an ec2 instance comes up or goes down, for the changes to be reflected in masters and minions (register/deregister), namely accepting or deleting the minion key or adding new salt-master ip to salt-minion master ip list> **NOTE** check the _api domain name_ and _api key_ in `src/scripts/api.sh`
> they should be automatically set in the script file during synth process.
> `curl` package is used in script```bash
bash src/scripts/api.sh
```## Destroy/Delete
```bash
cdk destroy
```