Skip to content
Permalink
Browse files
Updates for upcoming training
Change AMI to use Debian; abstracted domain handling, abstracted login key for initial user
  • Loading branch information
Shayna Atkinson committed Sep 21, 2021
1 parent c233252 commit 96f415e4a439aa47a6d7c2ee2147cff618c8ad6f
@@ -63,7 +63,7 @@ To set up the environment for ansible the first time:

```
git clone https://github.internet2.edu/skoranda/comanage-registry-training-ansible.git
cd comanage-registry-training-deployment
cd comanage-registry-training-ansible
python3 -m venv .
source bin/activate
pip install --upgrade pip
@@ -5,11 +5,11 @@
# ansible-vault encrypt_string 'THE_PASSWORD' --name 'comanage_training_password'
comanage_training_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31636362373339666232313164373435343362373936613838393035663732623533616238373564
3637653337636564616131663831346531363033396266330a613162666636666235333135383631
64633832633837363263653462306361636338643964326531393133643063353738626165613132
6462336164333237340a393062353239306564303838366264636230643136393033623064343661
6431
32313732343132636531663538353439663964333130616633663761313336636663323938396566
6539353462616330626235646530626662333630613635340a323230333133326232326630396263
64383336316234656364666630396362313563346364383735303131323266326465623531373637
3138373937323761360a323138383436353439633031306438373766303763643630643263356530
3638
# It should not be necessary to change the password salt.
comanage_training_password_salt: !vault |
@@ -22,12 +22,15 @@ comanage_training_password_salt: !vault |
comanage_training_region: "us-west-2"

r53_hosted_zone: incommon.training
r53_hosted_zone: scgvm.org
r53_dns_domain: "comanage.{{ r53_hosted_zone }}"

# key for ssh-ing into training nodes
training_node_ssh_key_name: "AWS_oregon_SCG_training"

# The full ARN for an X.509 wildcard certificate provisioned by the
# AWS Certificate Manager for domain *.comanage.incommong.training
aws_cert_manager_cert_arn: "arn:aws:acm:us-west-2:626413038627:certificate/162508f9-f5e4-479d-bdb8-f614d8a7ccb0"
aws_cert_manager_cert_arn: "arn:aws:acm:us-west-2:886593122405:certificate/317c209f-5552-453a-bb8b-764d65456623"

vpc_cidr_block: 192.168.0.0/16

@@ -46,34 +49,34 @@ vpc_availability_zone:
bastion_hostname: ssh-b

ssh_bastion_instance_type: t2.nano
# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
ssh_bastion_ami_id: ami-0a4497cbe959da512
ssh_bastion_user: centos
ssh_bastion_device_name: /dev/sda1
# Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
ssh_bastion_ami_id: ami-07fd151b9eb3b7264
ssh_bastion_user: admin
ssh_bastion_device_name: /dev/xvda
ssh_bastion_volume_type: gp2
ssh_bastion_volume_size: 10

idp_node_instance_type: t2.small
# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
idp_node_ami_id: ami-0a4497cbe959da512
idp_node_user: centos
idp_node_device_name: /dev/sda1
# Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
idp_node_ami_id: ami-07fd151b9eb3b7264
idp_node_user: admin
idp_node_device_name: /dev/xvda
idp_node_volume_type: gp2
idp_node_volume_size: 20

training_node_count: 2

training_node_instance_type: t2.small
# Most current CentOS 7 x86_64, see https://wiki.centos.org/Cloud/AWS#Finding_AMI_ids
training_node_ami_id: ami-0a4497cbe959da512
training_node_user: centos
training_node_device_name: /dev/sda1
# Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
training_node_ami_id: ami-07fd151b9eb3b7264
training_node_user: admin
training_node_device_name: /dev/xvda
training_node_volume_type: gp2
training_node_volume_size: 20

# Docker version
docker_ce_package_version: "5:20.10.5~3-0~debian-buster"
docker_ce_cli_package_version: "5:20.10.5~3-0~debian-buster"
containerd_io_package_version: "1.4.3-1"
docker_ce_package_version: "5:20.10.8~3-0~debian-bullseye"
docker_ce_cli_package_version: "5:20.10.8~3-0~debian-bullseye"
containerd_io_package_version: "1.4.9-1"


@@ -27,7 +27,7 @@

- name: Provision COmanage IdP node
amazon.aws.ec2:
key_name: AWS-Trng-1
key_name: "{{ training_node_ssh_key_name }}"
group_id: "{{ idp_node_sg.group_id }}"
instance_type: "{{ idp_node_instance_type }}"
image: "{{ idp_node_ami_id }}"
@@ -33,7 +33,7 @@
shell: /bin/bash
group: trainers
append: yes
groups: wheel
groups: sudo

- name: Scott Koranda authorized ssh key
authorized_key:
@@ -50,7 +50,7 @@
shell: /bin/bash
group: trainers
append: yes
groups: wheel
groups: sudo

- name: Shayna Atkinson authorized ssh key
authorized_key:
@@ -67,7 +67,7 @@
shell: /bin/bash
group: trainers
append: yes
groups: wheel
groups: sudo

- name: Laura Paglione authorized ssh key
authorized_key:
@@ -60,7 +60,7 @@ E+M/1FURO5+w6Q0wIjoraFRnfrBrIKCozNssAvbClcwHuiFuNX8hUmGBnbs7i6KX
{% for myindex in range(1, lookup('vars', 'training_node_count') + 1, 1) | list %}
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://registry{{ myindex }}.comanage.incommon.training/Shibboleth.sso/SAML2/POST"
Location="https://registry{{ myindex }}.{{ r53_dns_domain }}/Shibboleth.sso/SAML2/POST"
index="{{ myindex }}"/>
{% endfor %}

@@ -9,6 +9,11 @@
notify:
- reload systemd-journald

- name: Install gnupg2
apt:
name: gnupg2
update_cache: yes

- name: Add Docker CE repository key
apt_key:
url: https://download.docker.com/linux/debian/gpg
@@ -21,7 +21,7 @@ services:
tag: "mariadb-{{.Name}}"

registry:
image: i2incommon/comanage-registry:3.3.2-20210313
image: i2incommon/comanage-registry:3.3.4-20210712
volumes:
- /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local
- /srv/docker/etc/shibboleth/shibboleth2.xml:/etc/shibboleth/shibboleth2.xml
@@ -66,7 +66,7 @@ services:
tag: "registry_{{.Name}}"

cron:
image: i2incommon/comanage-registry-cron:3.3.2-20210309
image: i2incommon/comanage-registry-cron:3.3.4-20210712
volumes:
- /srv/docker/srv/comanage-registry/local:/srv/comanage-registry/local
environment:
@@ -80,7 +80,7 @@ services:
tag: "cron_{{.Name}}"

ldap:
image: sphericalcowgroup/comanage-registry-slapd:4
image: sphericalcowgroup/comanage-registry-slapd:5
command: ["slapd", "-d", "256", "-h", "ldapi:/// ldap:///", "-u", "openldap", "-g", "openldap"]
volumes:
- /srv/docker/var/lib/ldap:/var/lib/ldap
@@ -136,7 +136,14 @@
loop:
- shibboleth2.xml
- attribute-map.xml
- idp-metadata.xml

- name: Copy Shibboleth SP metadata file
template:
src: idp-metadata.xml
dest: "/srv/docker/etc/shibboleth/idp-metadata.xml"
owner: root
group: root
mode: '0644'

- name: Copy Apache configuration file
template:
@@ -52,7 +52,7 @@ tWc0EHubiXGtYVs77EhA7wLWh8S6rv2dHCF3PZiYmRjT

<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://login.comanage.incommon.training/idp/profile/SAML2/Redirect/SSO"/>
Location="https://login.{{ r53_dns_domain }}/idp/profile/SAML2/Redirect/SSO"/>
</IDPSSODescriptor>

<Organization>
@@ -24,7 +24,7 @@
# For each public subnet, build a bastion host
- name: Provision SSH bastion hosts
amazon.aws.ec2:
key_name: AWS-Trng-1
key_name: "{{ training_node_ssh_key_name }}"
group_id: "{{ bastion_ssh_security_group.group_id }}"
instance_type: "{{ ssh_bastion_instance_type }}"
image: "{{ ssh_bastion_ami_id }}"
@@ -31,7 +31,7 @@

- name: Provision COmanage training nodes
ec2:
key_name: AWS-Trng-1
key_name: "{{ training_node_ssh_key_name }}"
group_id: "{{ training_node_sg.group_id }}"
instance_type: "{{ training_node_instance_type }}"
image: "{{ training_node_ami_id }}"
@@ -71,15 +71,18 @@
- dest: 0.0.0.0/0
gateway_id: igw

- name: NAT gateway for public subnet
- name: NAT gateway for public subnet A
community.aws.ec2_vpc_nat_gateway:
region: "{{ comanage_training_region }}"
state: present
subnet_id: "{{ item.subnet.id }}"
eip_address: "{{ (subnet_index == 0) | ternary( '18.236.23.61', '34.211.214.32') }}"
if_exist_do_not_create: yes
wait: yes
register: nat_gateway
loop: "{{ subnet_public.results }}"
loop_control:
index_var: subnet_index

- name: List NAT GW information
debug:

0 comments on commit 96f415e

Please sign in to comment.