AWS Account Bootstrapping
The first step in working with hamlet is establishing the baseline services that will be used by all of your deployed applications. For AWS this includes a number of deployments that are set up in each account.
Some of the account deployments include:
- S3 Registry - this is used to stage the images used to deploy your application
- Audit logging - enables forwarding S3 access logs to a central location
- Volume Encryption - EBS volume encryption across all volumes created in the account.
hamlet provides a set of these deployments to provide best practice hardening and configuration to your AWS account.
Deploying the S3 registry
The first step is to create the registry where our code images will be deployed.
If you haven't already, create a CMDB using the create CMDB guide
-
From your CMDB workspace change into the account directory.
hamlet uses your current directory to determine where this deployment should run
# Make sure we are in our CMDB cd ~/hamlet_hello/mycmdb # Change into the account repo cd accounts/acct01/config -
Check the available deployments that you can run.
hamlet deploy list-deployments --district account| Deployment Group | Deployment Unit | Provider | State | District | |--------------------|-------------------|------------|-------------|------------| | account | cmk | aws | notdeployed | account | | account | iam | aws | notdeployed | account | | account | lg | aws | notdeployed | account | | account | audit | aws | notdeployed | account | | account | s3 | aws | notdeployed | account | | account | apigateway | aws | notdeployed | account | | account | console | aws | notdeployed | account | | account | ecs | aws | notdeployed | account | | account | ses | aws | notdeployed | account | | account | sms | aws | notdeployed | account | | account | volumeencrypt | aws | notdeployed | account |Deployments are collections of cloud resources which perform a function. For AWS, each deployment maps to a CloudFormation stack. Separating resources into smaller groups allows for a clearer understanding of what is being deployed and isolates changes when a deployment is run.
-
Let's run a deployment now to create the S3 registry.
hamlet deploy run-deployments --district account -u s3If you have MFA configured you will be prompted to enter your MFA token
[*] account/s3 (Info) Generating outputs: [*] entrance: deployment | output: contract | subset: generationcontract [*] entrance: deployment | output: resource [*] entrance: deployment | output: script | subset: epilogue (Info) ~ no change in account-s3-acct01-ap-southeast-2-template.json detected (Info) ~ no change in account-s3-acct01-ap-southeast-2-epilogue.sh detected (Info) ~ no differences detected (Info) Preparing the context... (Info) Running stack operation for account-s3 Status: >>>> (Info) Stack account-s3 completed with status UPDATE_COMPLETE (Info) Processing epilogue script (Info) Initialising the registry bucket ... upload: ../../../../../../../../../../tmp/hamletc_wWxUu7/manage_stack_CVqEg3/registry to s3://account-registry-d7x9ksa85n/dataset/.registry upload: ../../../../../../../../../../tmp/hamletc_wWxUu7/manage_stack_CVqEg3/registry to s3://account-registry-d7x9ksa85n/contentnode/.registry upload: ../../../../../../../../../../tmp/hamletc_wWxUu7/manage_stack_CVqEg3/registry to s3://account-registry-d7x9ksa85n/lambda/.registry upload: ../../../../../../../../../../tmp/hamletc_wWxUu7/manage_stack_CVqEg3/registry to s3://account-registry-d7x9ksa85n/pipeline/.registry upload: ../../../../../../../../../../tmp/hamletc_wWxUu7/manage_stack_CVqEg3/registry to s3://account-registry-d7x9ksa85n/scripts/.registry upload: ../../../../../../../../../../tmp/hamletc_wWxUu7/manage_stack_CVqEg3/registry to s3://account-registry-d7x9ksa85n/spa/.registry upload: ../../../../../../../../../../tmp/hamletc_wWxUu7/manage_stack_CVqEg3/registry to s3://account-registry-d7x9ksa85n/swagger/.registry upload: ../../../../../../../../../../tmp/hamletc_wWxUu7/manage_stack_CVqEg3/registry to s3://account-registry-d7x9ksa85n/openapi/.registry
What does a deployment do?
A lot happened here so we will go through some of the key parts of the output.
(Info) Generating outputs:
[*] entrance: deployment | output: contract | subset: generationcontract
[*] entrance: deployment | output: resource
[*] entrance: deployment | output: script | subset: epilogue
Outputs are files generated by hamlet to implement what has been configured in hamlet. The engine is configured to translate its configuration into files that can be used by other services.
In this case we are generating 3 files:
- generationcontract: outlines the required files for this task along with the configuration to create them
- resource: a cloud formation template that will be provided to AWS CloudFormation to create the infrastructure
- script - epilogue: a Bash script which performs some extra tasks after the CloudFormation template is deployed.
(Info) Preparing the context...
The context here sets up the executor which will use the generated files to complete the task that is being run, in this case a deployment. It includes getting your AWS credentials and making sure the credentials can access the account that you are deploying to.
(Info) Running stack operation for account-s3
Status: >>>>
(Info) Stack account-s3 completed with status CREATE_COMPLETE
Now we are ready to go, the executor is running the creation of the CloudFormation Stack using the resource file that was generated before. The executor watches the stack creation to make sure everything works as expected. Once this finishes the stack outputs are saved locally so that we can reference the outputs of the stack in future tasks.
(Info) Processing epilogue script
Deployments in hamlet can create scripts that are run during the deployment process. These scripts allow you to perform extra tasks that might not be supported in CloudFormation.
Next Step
We now have a registry which will be used to stage build artefacts in future steps of this guide. The next step is to set up the product base infrastructure.