Amazon's AWS ElasticBeanstalk Let's Encrypt CertBot - amazon-web-services

How can I run and automated scalable version of Let's encrypt Certbot on Elastic beanstalk ? Haven't found an answer on the web so I put together this .ebextension. I hope you find it useful.


Don't use as is, check and modify according to your needs.
Requirements:
ElasticBeanstalk Environmnet
Ec2-elastic-beanstalk-service-role with access to Route53 Resource
TCP Loadbalancer in front of EC2 instances
Deployment policy rolling (one instance at a the time)
NFS mount
It's a single .ebextension:
jq package is needed:
packages:
yum:
jq: []
Creating jsons:
files:
"/usr/local/bin/certbot/add_json.sh":
mode: "000550"
owner: root
group: root
content: |
#!/bin/bash
#Create TXT record JSON
cat > $1_TXT.json << END
{
"Comment": "TXT Verification for CertBOT",
"Changes": [
{
"Action": "$1",
"ResourceRecordSet": {
"Name": "_acme-challenge.$CERTBOT_DOMAIN",
"Type": "TXT",
"TTL": 300,
"ResourceRecords": [
{
"Value": "\"$CERTBOT_VALIDATION\""
}
]
}
}
]
}
END
Removing hook to Route53:
"/usr/local/bin/certbot/remove_txt_hook.sh":
mode: "000550"
owner: root
group: root
content: |
#!/bin/bash
PWD=`pwd`
APEX_DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
ZONE_ID=`aws route53 list-hosted-zones --output text | awk '$4 ~ /^ *'$APEX_DOMAIN'/''{print $3}' | sed 's:.*/::'`
aws route53 change-resource-record-sets \
--hosted-zone-id $ZONE_ID --change-batch file://$PWD/DELETE_TXT.json
rm CREATE_TXT.json
rm DELETE_TXT.json
Adding hook to Route53:
"/usr/local/bin/certbot/add_txt_hook.sh":
mode: "000550"
owner: root
group: root
content: |
#!/bin/bash
PWD=`pwd`
APEX_DOMAIN=$(expr match "$CERTBOT_DOMAIN" '.*\.\(.*\..*\)')
ZONE_ID=`aws route53 list-hosted-zones --output text | awk '$4 ~ /^ *'$APEX_DOMAIN'/''{print $3}' | sed 's:.*/::'`
./add_json.sh CREATE
./add_json.sh DELETE
aws route53 change-resource-record-sets \
--hosted-zone-id $ZONE_ID --change-batch file://$PWD/CREATE_TXT.json
sleep 30
Deploying:
"/usr/local/bin/certbot/start_process.sh":
mode: "000550"
owner: root
group: root
content: |
#!/bin/bash
MY_DOMAIN=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.MY_DOMAIN')
EFS_NAME=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.EFS_NAME')
PWD=`pwd`
if [ "$MY_DOMAIN" = example.com ]; then
if [ ! -d /etc/letsencrypt ]; then
mkdir -p /etc/letsencrypt
fi
if ! grep -qs ' /etc/letsencrypt ' /proc/mounts; then
mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 $EFS_NAME:/.certificates/.letsencrypt /etc/letsencrypt || exit
fi
if [ ! -f certbot-auto ]; then
yum -y install mod24_ssl augeas-libs libffi-devel python27-tools system-rpm-config
wget https://dl.eff.org/certbot-auto
chmod 550 certbot-auto
fi
if [ ! -f /etc/letsencrypt/live/$MY_DOMAIN/fullchain.pem ]; then
./certbot-auto certonly --debug -n --no-bootstrap --email <your e-mail> --agree-tos --manual-public-ip-logging-ok --manual --preferred-challenges=dns --manual-auth-hook $PWD/add_txt_hook.sh --manual-cleanup-hook $PWD/remove_txt_hook.sh -d $MY_DOMAIN
fi
echo "00 15 * * SUN root cd /usr/local/bin/certbot && ./renewal.sh >> certbot.log 2>&1" > /etc/cron.d/cron_certbot
fi
Renewing:
"/usr/local/bin/certbot/renewal.sh":
mode: "000550"
owner: root
group: root
content: |
##!/bin/bash
MY_DOMAIN=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.MY_DOMAIN')
PWD=`pwd`
ENV_ID=`{"Ref": "AWSEBEnvironmentId" }`
METADATA=/opt/aws/bin/ec2-metadata
INSTANCE_ID=`$METADATA -i | awk '{print $2}'`
REGION=`$METADATA -z | awk '{print substr($2, 0, length($2)-1)}'`
TODAY=`date +%Y-%m-%d`
STATUS=`aws elasticbeanstalk describe-environments --environment-ids $ENV_ID --region $REGION | awk '/"Status"/ {print substr($2, 1, length($2)-1)}' | sed 's/\"//g'`
while [ "$STATUS" != "Ready" ]; do
STATUS=`aws elasticbeanstalk describe-environments --environment-ids $ENV_ID --region $REGION | awk '/"Status"/ {print substr($2, 1, length($2)-1)}' | sed 's/\"//g'`
sleep 10
done
if ! /usr/local/bin/certbot/one_instance.sh; then
i="0"
while [ "$i" -lt 180 ] && [ ! -f /etc/letsencrypt/renewed_$TODAY ]; do
i=$[$i+1]
sleep 2
done
if [ ! -f /etc/letsencrypt/renewed_$TODAY ]; then
exit
else
/etc/init.d/httpd graceful; exit
fi
fi
./certbot-auto renew --debug --no-bootstrap --renew-hook "/etc/init.d/httpd graceful; touch /etc/letsencrypt/renewed_$TODAY; find /etc/letsencrypt/ -type f -name 'renewed_*' -mtime +0 -exec rm {} \;"
Only on one instance:
"/usr/local/bin/certbot/one_instance.sh":
mode: "000550"
owner: root
group: root
content: |
#!/bin/bash
METADATA=/opt/aws/bin/ec2-metadata
INSTANCE_ID=`$METADATA -i | awk '{print $2}'`
REGION=`$METADATA -z | awk '{print substr($2, 0, length($2)-1)}'`
ASG=`aws ec2 describe-tags --filters "Name=resource-id,Values=$INSTANCE_ID" \
--region $REGION --output text | awk '/aws:autoscaling:groupName/ {print $5}'`
SOLO_I=`aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names $ASG \
--region $REGION --output text | awk '/InService/ {print $4}' | sort | head -1`
[ "$SOLO_I" = "$INSTANCE_ID" ]
Executing:
commands:
01_start_certbot_deploy:
command: "/usr/local/bin/certbot/start_process.sh &>> certbot.log"
cwd: "/usr/local/bin/certbot"
02_delete_bak_files:
command: "rm -f *.bak"
cwd: "/usr/local/bin/certbot"
Let me know if you have some remarks or improvement suggestions.
Thanks!

Related

Add instances in target group aws cli, shell script

Wrote a script to add instances to the AWS target group
#!/bin/bash
export AWS_PROFILE=***
export AWS_DEFAULT_REGION=eu-central-1
for INST_NAME in $(aws ec2 describe-instances --query 'Reservations[].Instances[].Tags[?Key==`Name`].Value' --output text | sort); do
echo "check ${INST_NAME} in Target Group"
TARGET_GROUP=$(aws elbv2 describe-target-groups|jq -r '.[]|.[].TargetGroupArn'| grep ${INST_NAME})
RUNNING_INSTANCES=$(aws ec2 describe-instances| jq '.Reservations[].Instances[] | select(.Tags[].Value=="${INST_NAME}")'| jq -r .InstanceId| sort | uniq | wc -l)
COUNT=$(aws elbv2 describe-target-health --target-group-arn ${TARGET_GROUP}|jq -r '.TargetHealthDescriptions[].Target.Id'| wc -l)
if [[ ${RUNNING_INSTANCES} = ${COUNT} ]]; then
echo "VSE OK"
else
echo "dobavit ${RUNNING_INSTANCES} v ${TARGET_GROUP}"
for INSTANCE_ID in $(aws ec2 describe-instances --filter Name=tag-key,Values=Name --query "Reservations[*].Instances[*].{Instance:InstanceId,Name:Tags[?Key=='Name']|[0].Value}"|jq ".[][]|select(.Name==\"${TAGS}\")"|jq -r .Instance); do
ASG=$(aws autoscaling describe-auto-scaling-instances|jq '.AutoScalingInstances'|jq ".[]|select(.InstanceId==\"${INSTANCE_ID}\")"|jq -r .InstanceId)
echo "Updating ${TARGET_GROUP} to add instances from ${ASG}"
aws elbv2 register-targets --target-group-arn ${TARGET_GROUP} --targets "Id="${ASG}
done
fi
done
but he doesn't add. Need select all instances by tag and compare with the number in the target group, if the number is different, then add all instances with the tag to the target group

Update, it's working
for INSTANCE_NAME in $(aws ec2 describe-instances --query 'Reservations[].Instances[].Tags[?Key==`Name`].Value' --output text | sort | uniq ); do
echo "check ${INSTANCE_NAME} in Target Group"
TARGET_GROUP=$(aws elbv2 describe-target-groups|jq -r '.[]|.[].TargetGroupArn'| grep ${INSTANCE_NAME})
if ! [ -z "${TARGET_GROUP}" ]; then
for i in $(echo ${TARGET_GROUP}); do
RUNNING_INSTANCES=$(aws ec2 describe-instances| jq ".Reservations[].Instances[] | select(.Tags[].Value==\"${INSTANCE_NAME}\")"| jq -r .InstanceId| sort | uniq | wc -l)
COUNT=$(aws elbv2 describe-target-health --target-group-arn ${i}|jq -r '.TargetHealthDescriptions[].Target.Id'| wc -l)
if ! [[ ${RUNNING_INSTANCES} = ${COUNT} ]]; then
for INSTANCE_ID in $(aws ec2 describe-instances --filter Name=tag-key,Values=Name --query "Reservations[*].Instances[*].{Instance:InstanceId,Name:Tags[?Key=='Name']|[0].Value}"|jq ".[][]|select(.Name==\"${INSTANCE_NAME}\")"|jq -r .Instance); do
ASG=$(aws autoscaling describe-auto-scaling-instances|jq '.AutoScalingInstances'|jq ".[]|select(.InstanceId==\"${INSTANCE_ID}\")"|jq -r .InstanceId)
aws elbv2 register-targets --target-group-arn ${i} --targets "Id="${ASG}
echo "Updating ${TARGET_GROUP} to add instances from ${ASG}"
done
fi
done
fi
done

Cronjob on AWS Elastic Beanstalk Django App

Im having issue on running my cron jobs from Django EB.
When i deployed it shows no error but the cronjob is not running.
the import_incontact_statelogs.py is a script that should dump a set of data to my database.
Here's my config file inside .ebextension
-----Cronjob.config--------------
files:
"/usr/local/bin/check_leader_only_instance.sh":
mode: "000755"
owner: root
group: root
content: |
#!/bin/bash
INSTANCE_ID=`curl http://169.254.169.254/latest/meta-data/instance-id 2>/dev/null`
REGION=`curl -s http://169.254.169.254/latest/dynamic/instance-identity/document 2>/dev/null | jq -r .region`
# Find the Auto Scaling Group name from the Elastic Beanstalk environment
ASG=`aws ec2 describe-tags --filters "Name=resource-id,Values=$INSTANCE_ID" \
--region $REGION --output json | jq -r '.[][] | select(.Key=="aws:autoscaling:groupName") | .Value'`
# Find the first instance in the Auto Scaling Group
FIRST=`aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names $ASG \
--region $REGION --output json | \
jq -r '.AutoScalingGroups[].Instances[] | select(.LifecycleState=="InService") | .InstanceId' | sort | head -1`
# If the instance ids are the same exit 0
[ "$FIRST" = "$INSTANCE_ID" ]
"/usr/local/bin/my_cron_script.sh":
mode: "000755"
owner: root
group: root
content: |
#!/bin/bash
/usr/local/bin/check_leader_only_instance.sh || exit
source /opt/python/run/venv/bin/activate
source /opt/python/current/env
cd /opt/python/current/app
python manage.py shell < automations/import_incontact_statelogs.py
"/etc/cron.d/daily_cron":
mode: "000644"
owner: root
group: root
content: |
*/10 * * * * root /usr/local/bin/my_cron_script.sh
commands:
rm_old_cron:
command: "rm -fr /etc/cron.d/*.bak"
ignoreErrors: true

AWS Cloudformation - mount to existing file system

Currently, I have a json that will create a EFS in an auto scaling group. However, how can I make it so it mounts an existing EFS that is previously created (so i can pre-load data)
this is the current set up
"FileSystem": {
"Type": "AWS::EFS::FileSystem",
"Properties": {
"PerformanceMode": "generalPurpose",
"FileSystemTags": [
{
"Key": "Name",
"Value": { "Ref" : "VolumeName" }
}
]
}
},
"MountTarget": {
"Type": "AWS::EFS::MountTarget",
"Properties": {
"FileSystemId": { "Ref": "FileSystem" },
"SubnetId": { "Ref": "Subnet" },
"SecurityGroups": [ { "Ref": "MountTargetSecurityGroup" } ]
}
},

As per #MaiKaY Suggested, Just Pass the FileSystemId as a Parameter.
here is the mounting Script
container_commands:
1chown:
command: "chown webapp:webapp /wpfiles"
2create:
command: "sudo -u webapp mkdir -p wp-content/uploads"
3link:
command: "sudo -u webapp ln -s /wpfiles wp-content/uploads"
option_settings:
aws:elasticbeanstalk:application:environment:
FILE_SYSTEM_ID: 'FileSystemId' #Provide your FileSystemId
MOUNT_DIRECTORY: '/wpfiles'
REGION: '`{"Ref": "AWS::Region"}`'
packages:
yum:
nfs-utils: []
jq: []
commands:
01_mount:
command: "/tmp/mount-efs.sh"
files:
"/tmp/mount-efs.sh":
mode: "000755"
content : |
#!/bin/bash
EFS_REGION=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.REGION')
EFS_MOUNT_DIR=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.MOUNT_DIRECTORY')
EFS_FILE_SYSTEM_ID=$(/opt/elasticbeanstalk/bin/get-config environment | jq -r '.FILE_SYSTEM_ID')
echo "Mounting EFS filesystem ${EFS_DNS_NAME} to directory ${EFS_MOUNT_DIR} ..."
echo 'Stopping NFS ID Mapper...'
service rpcidmapd status &> /dev/null
if [ $? -ne 0 ] ; then
echo 'rpc.idmapd is already stopped!'
else
service rpcidmapd stop
if [ $? -ne 0 ] ; then
echo 'ERROR: Failed to stop NFS ID Mapper!'
exit 1
fi
fi
echo 'Checking if EFS mount directory exists...'
if [ ! -d ${EFS_MOUNT_DIR} ]; then
echo "Creating directory ${EFS_MOUNT_DIR} ..."
mkdir -p ${EFS_MOUNT_DIR}
if [ $? -ne 0 ]; then
echo 'ERROR: Directory creation failed!'
exit 1
fi
else
echo "Directory ${EFS_MOUNT_DIR} already exists!"
fi
mountpoint -q ${EFS_MOUNT_DIR}
if [ $? -ne 0 ]; then
echo "mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${EFS_FILE_SYSTEM_ID}:/ ${EFS_MOUNT_DIR}"
mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2 ${EFS_FILE_SYSTEM_ID}:/ ${EFS_MOUNT_DIR}
if [ $? -ne 0 ] ; then
echo 'ERROR: Mount command failed!'
exit 1
fi
chmod 777 ${EFS_MOUNT_DIR}
runuser -l ec2-user -c "touch ${EFS_MOUNT_DIR}/it_works"
if [[ $? -ne 0 ]]; then
echo 'ERROR: Permission Error!'
exit 1
else
runuser -l ec2-user -c "rm -f ${EFS_MOUNT_DIR}/it_works"
fi
else
echo "Directory ${EFS_MOUNT_DIR} is already a valid mountpoint!"
fi
echo 'EFS mount complete.'

Elastic-Beanstalk: How to find the S3 Bucket From the EB Instance

I'm interested in creating a backup of the current application as an application version. As a result I'd like to try and track down the S3 Bucket where the App Versions are saved to save a new file to that location.
Does anyone know how this is done?

To do this:
Get the Instance Id
Get the environment Id.
Get the App Name
Get the App Versions
The data is in the response of the App Versions.
Based on the above, here is my entire backup script. It will figure out steps 1-4 above, then zip up the current app directory, send it to S3, and create a new app version based on it.
#/bin/bash
EC2_INSTANCE_ID="`wget -q -O - http://169.254.169.254/latest/meta-data/instance-id || die \"wget instance-id has failed: $?\"`"
test -n "$EC2_INSTANCE_ID" || die 'cannot obtain instance-id'
EC2_AVAIL_ZONE="`wget -q -O - http://169.254.169.254/latest/meta-data/placement/availability-zone || die \"wget availability-zone has failed: $?\"`"
test -n "$EC2_AVAIL_ZONE" || die 'cannot obtain availability-zone'
EC2_REGION="`echo \"$EC2_AVAIL_ZONE\" | sed -e 's:\([0-9][0-9]*\)[a-z]*\$:\\1:'`"
EB_ENV_ID="`aws ec2 describe-instances --instance-ids $EC2_INSTANCE_ID --region $EC2_REGION | grep -B 1 \"elasticbeanstalk:environment-id\" | grep -Po '\"Value\":\\s+\"[^\"]+\"' | cut -d':' -f 2 | grep -Po '[^\"]+'`"
EB_APP_NAME="`aws elasticbeanstalk describe-environments --environment-id $EB_ENV_ID --region $EC2_REGION | grep 'ApplicationName' | cut -d':' -f 2 | grep -Po '[^\\",]+'`"
EB_BUCKET_NAME="`aws elasticbeanstalk describe-application-versions --application-name $EB_APP_NAME --region $EC2_REGION | grep -m 1 'S3Bucket' | cut -d':' -f 2 | grep -Po '[^\", ]+'`"
DATE=$(date -d "today" +"%Y%m%d%H%M")
FILENAME=application.$DATE.zip
cd /var/app/current
sudo -u webapp zip -r -J /tmp/$FILENAME *
sudo mv /tmp/$FILENAME ~/.
sudo chmod 755 ~/$FILENAME
cd ~
aws s3 cp $FILENAME s3://$EB_BUCKET_NAME/
rm -f ~/$FILENAME
aws elasticbeanstalk create-application-version --application-name $EB_APP_NAME --version-label "$DATE-$FILENAME" --description "Auto-Save $DATE" --source-bundle S3Bucket="$EB_BUCKET_NAME",S3Key="$FILENAME" --no-auto-create-application --region $EC2_REGION

tldr: most probably you want
jq -r '..|.url?' /etc/elasticbeanstalk/metadata-cache | grep -oP '//\K(.*)(?=\.s3)
Detailed version:
Add to any of your .ebextensions
packages:
yum:
jq: []
(assuming you are using Amazon Linux or Centos)
and run
export BUCKET="$(jq -r '..|.url?' /etc/elasticbeanstalk/metadata-cache | grep -oP '//\K(.*)(?=\.s3)' || sudo !!)"
echo bucketname: $BUCKET
then full s3 path would be accessible at
bash -c 'source /etc/elasticbeanstalk/.aws-eb-stack.properties; echo s3:\\${BUCKET} -r ${region:-eu-east-3}'

Not able to SSH into the EC2 Instance with CloudFormation Template

I want to start a task from at Container Instance launch time.So I have followed the this Starting task at instance launch Document which provided the MIME multi-part user data script. I have created a cloud formation template to launch an instance with the MIME multi-part user data script.
EC2 Resource has been created with the Cloud formation template, but I am not able to SSH into that instance and I am not able to System logs from EC2 management console as well.
CloudFormation Template
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Description" :" ECS instance",
"Parameters" : {
},
"Resources" :{
"EC2Instance":{
"Type" : "AWS::EC2::Instance",
"Properties" : {
"SecurityGroupIds":["sg-16021f35"]
"ImageId" : "ami-ec33cc96",
"UserData":{
"Fn::Base64":{
"Fn::Join":[
"\n",
[
{
"Fn::Join":[
"",
[
"Content-Type: multipart/mixed; boundary=",
"==BOUNDARY=="
]
]
},
"MIME-Version: 1.0",
"--==BOUNDARY==",
{
"Fn::Join":[
"",
[
"Content-Type: text/upstart-job; charset=",
"us-ascii"
]
]
},
"#!/bin/bash",
"# Specify the cluster that the container instance should register into",
"echo ECS_CLUSTER=Demo >> /etc/ecs/ecs.config",
"# Install the AWS CLI and the jq JSON parser",
"yum install -y aws-cli jq",
"#upstart-job",
{
"Fn::Join":[
" ",[
"description",
"Amazon EC2 Container Service (start task on instance boot)"
]
]
},
{
"Fn::Join":[
" ",[
"author",
"Amazon Web Services"
]
]
},
"start on started ecs",
"script",
"exec 2>>/var/log/ecs/ecs-start-task.log",
"set -x",
"until curl -s http://localhost:51678/v1/metadata",
"do",
"sleep 1",
"done",
"# Grab the container instance ARN and AWS region from instance metadata",
"instance_arn=$(curl -s http://localhost:51678/v1/metadata | jq -r '. | .ContainerInstanceArn' | awk -F/ '{print $NF}' )",
"cluster=$(curl -s http://localhost:51678/v1/metadata | jq -r '. | .Cluster' | awk -F/ '{print $NF}' )",
"region=$(curl -s http://localhost:51678/v1/metadata | jq -r '. | .ContainerInstanceArn' | awk -F: '{print $4}')",
"# Specify the task definition to run at launch",
"task_definition=ASG-Task",
"# Run the AWS CLI start-task command to start your task on this container instance",
"aws ecs start-task --cluster $cluster --task-definition $task_definition --container-instances $instance_arn --started-by $instance_arn",
"end script",
"--==BOUNDARY==--"
]
]
}
},
"IamInstanceProfile":"ecsInstanceRole",
"InstanceType":"t2.micro",
"SubnetId":"subnet-841103e1"
}
}
},
"Outputs" : {
}
}
MIME multi-part User-Data:
Content-Type: multipart/mixed; boundary="==BOUNDARY=="
MIME-Version: 1.0
--==BOUNDARY==
Content-Type: text/x-shellscript; charset="us-ascii"
#!/bin/bash
# Specify the cluster that the container instance should register into
cluster=your_cluster_name
# Write the cluster configuration variable to the ecs.config file
# (add any other configuration variables here also)
echo ECS_CLUSTER=$cluster >> /etc/ecs/ecs.config
# Install the AWS CLI and the jq JSON parser
yum install -y aws-cli jq
--==BOUNDARY==
Content-Type: text/upstart-job; charset="us-ascii"
#upstart-job
description "Amazon EC2 Container Service (start task on instance boot)"
author "Amazon Web Services"
start on started ecs
script
exec 2>>/var/log/ecs/ecs-start-task.log
set -x
until curl -s http://localhost:51678/v1/metadata
do
sleep 1
done
# Grab the container instance ARN and AWS region from instance metadata
instance_arn=$(curl -s http://localhost:51678/v1/metadata | jq -r '. | .ContainerInstanceArn' | awk -F/ '{print $NF}' )
cluster=$(curl -s http://localhost:51678/v1/metadata | jq -r '. | .Cluster' | awk -F/ '{print $NF}' )
region=$(curl -s http://localhost:51678/v1/metadata | jq -r '. | .ContainerInstanceArn' | awk -F: '{print $4}')
# Specify the task definition to run at launch
task_definition=my_task_def
# Run the AWS CLI start-task command to start your task on this container instance
aws ecs start-task --cluster $cluster --task-definition $task_definition --container-instances $instance_arn --started-by $instance_arn --region $region
end script
--==BOUNDARY==--

you need to specify the key file and security group in your formation template as suggested by jarmod above.