Prerequisites - HearstAT/cloudformation-chef-ha GitHub Wiki
Prerequisites
This is to help understand what needs to be laid out initially to utilize this CF/Cookbook setup.
Existing VPC
Granted, most AWS regions will have a default region, but you may want to setup an IP scheme to utilize.
This is a good guide to get started on that path if you wish to take it. http://docs.aws.amazon.com/AmazonVPC/latest/GettingStartedGuide/GetStarted.html
- IP Scheme
- You will need a scheme that will support the ability to add 3 subnets listed here in the CF template. Keep the
172.33.0.0/16or make your own. Just update the template as required.
- You will need a scheme that will support the ability to add 3 subnets listed here in the CF template. Keep the
- SSH Security Group
- You will need to create a security group to select during the build process. This will be intended to let the IPs listed have port 22 access to the servers.
- If you don't want direct SSH access, just remove it from the template(s) or select a null group, or even a bastion host group.
Route53 Hosted Domain/Zone
If you wish to ignore this, you will have to make some changes to the template for it to be functional as it's pretty baked in.
- You will need to be sure you have a domain setup in a public hosted zone. Check out this documentation for more info.
- When created, you will only need the domain.com, the template will add the extra
.to all DNS entries. (e.g.; chef.domain.com.)
Existing SSL Certificate
This template creates a load balancer and in order to utilize 443/SSL you are required to have a cert already pre-loaded into AWS.
- Follow these instructions to get a cert in place.
- You will need the aws cli tools to get the arn required for the template to utilize the SSL cert.
- Run the following command to get your arn info
aws iam get-server-certificate --server-certificate-name
- Run the following command to get your arn info
External Secrets
Items that needs to be gathered beforehand
New Relic (optional)
- License Key
Sumologic (optional)
- Access ID
- Access Key
- Password
Certs
- Public and Private Cert
- Full chain cert may be required to avoid setting
ssl_verify_mode :verify_nonein the client.rb
- Full chain cert may be required to avoid setting
Mail (optional)
Mail account that is support via postfix, tested with mailgun
- Mail Server
- Mail Credentials (in username:password format)
S3 Bucket for Citadel (only applies to <1.2 release)
We are using citadel to pull our sensitive info into chef at build time, this requires a bit of pre-work to be accomplished.
NOTE: As of version 1.2: Citadel is now done via CFN, a bucket is created then seeded with protected parameters.
Citadel/Secrets Config (only applies to <1.2 release)
You'll need to configure some S3 items before hand.
- A Bucket to be passed into the Params listed above. (see aws documentation if needed)
- Create the following folders
newrelicfolder with (optional, will just fail to start)sumologicfolder with (optional, will just fail to start)certsfolder with (Required for Blue/Green deployment)mailfolder with (optional, mail will not work)
New Relic
If using New Relic you'll need the following file(s) (case-sensitive)
- license_key
- Content:
$licensekey
Sumologic
If using Sumologic you'll need the following file(s) (case-sensitive)
- accessID
- Content:
$accessID - accessKey
- Content:
$accessKey - password
- Content:
$password
Certs
If using Sumologic you'll need the following file(s) (case-sensitive)
- chefserver.crt
- Content:
$cert # Can also be a cert bundle with the CA included - chefserver.key
- Content:
$privatekey
If using Sumologic you'll need the following file(s) (case-sensitive)
- sasl_passwd
- Content:
mail.server.com $username:$password