-
Notifications
You must be signed in to change notification settings - Fork 13
/
cockroach_insecure_cluster_with_haproxy.draft
83 lines (64 loc) · 5.03 KB
/
cockroach_insecure_cluster_with_haproxy.draft
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
# Title: Create a simple (insecure) CockroachDB cluster
# Description: Deploying an insecure multi-node CockroachDB cluster with HAProxy to distribute client traffic. See https://www.cockroachlabs.com/docs/manual-deployment-insecure.html
# CLIExample: awless run repo:cockroach_insecure_cluster_with_haproxy ssh.keypair=my-ssh-keyname
# MinimalVersion: v0.1.7
# Create a new VPC with 3 private subnets and a public one (i.e. with internet gateway)
vpc = create vpc cidr=10.0.0.0/16 name=vpc_10.0.0.0_16
gateway = create internetgateway
attach internetgateway id=$gateway vpc=$vpc
# Private subnets in multi AZ for cockroachdb cluster
subnet_1 = create subnet cidr=10.0.0.0/24 vpc=$vpc name=sub_10.0.0.0_24 availabilityzone={zone1}
subnet_2 = create subnet cidr=10.0.1.0/24 vpc=$vpc name=sub_10.0.1.0_24 availabilityzone={zone2}
subnet_3 = create subnet cidr=10.0.2.0/24 vpc=$vpc name=sub_10.0.2.0_24 availabilityzone={zone3}
# Public subnet that will hosts the HAproxy
subnet_4 = create subnet cidr=10.0.3.0/24 vpc=$vpc name=sub_10.0.3.0_24 availabilityzone={zone1}
update subnet id=$subnet_4 public=true
# Routing to attach internet gateway to public subnet
igw_rtable = create routetable vpc=$vpc
attach routetable id=$igw_rtable subnet=$subnet_4
create route cidr=0.0.0.0/0 gateway=$gateway table=$igw_rtable
# Public IP for a NAT Gateway
pubip = create elasticip domain=vpc
# Add a NAT Gateway to the public subnet
natgw = create natgateway elasticip-id=$pubip subnet=$subnet_4
# Wait for the NAT Gateway
check natgateway id=$natgw state=available timeout=180
# Routing to attach nat gateway to private subnets
natgw_rtable = create routetable vpc=$vpc
attach routetable id=$natgw_rtable subnet=$subnet_1
attach routetable id=$natgw_rtable subnet=$subnet_2
attach routetable id=$natgw_rtable subnet=$subnet_3
create route cidr=0.0.0.0/0 gateway=$natgw table=$natgw_rtable
# Create firewall for SSH access
sshfirewall = create securitygroup vpc=$vpc description=ssh-access name=AccessSSH
update securitygroup id=$sshfirewall inbound=authorize protocol=tcp cidr=0.0.0.0/0 portrange=22
# Create firewall for cockroachdb node TCP access
nodefirewall = create securitygroup vpc=$vpc description=cockroachdb-node-access name=CockroachDBAccess
update securitygroup id=$nodefirewall inbound=authorize protocol=tcp cidr=10.0.0.0/16 portrange=26257
# Create firewall for UI HTTP access
uifirewall = create securitygroup vpc=$vpc description=cockroachdb-ui-access name=CockroachUIAccess
update securitygroup id=$uifirewall inbound=authorize protocol=tcp cidr=10.0.0.0/16 portrange=8080
# Create firewall for HTTP access
proxyfirewall = create securitygroup vpc=$vpc description=proxy-http-access name=ProxyAccess
update securitygroup id=$proxyfirewall inbound=authorize protocol=tcp cidr=0.0.0.0/0 portrange=80
update securitygroup id=$proxyfirewall inbound=authorize protocol=tcp cidr=0.0.0.0/0 portrange=443
# Create a role with policy for ec2 resources so that an instance can list other instances using a local `awless`
create role name=DiscoverCockroachNodeRole principal-service="ec2.amazonaws.com" sleep-after=20
attach policy role=DiscoverCockroachNodeRole arn=arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
## Create the cockroachdb nodes
node_1 = create instance subnet=$subnet_1 keypair={ssh.keypair} distro=canonical:ubuntu type=t2.medium count=1 role=DiscoverCockroachNodeRole name=cockroachdb-node-1 securitygroup=$sshfirewall userdata=https://raw.githubusercontent.com/wallix/awless-templates/master/userdata/ubuntu/cockroach_insecure_node.sh
check instance id=$node_1 state=running timeout=180
node_2 = create instance subnet=$subnet_2 keypair={ssh.keypair} distro=canonical:ubuntu type=t2.medium count=1 role=DiscoverCockroachNodeRole name=cockroachdb-node-2 securitygroup=$sshfirewall userdata=https://raw.githubusercontent.com/wallix/awless-templates/master/userdata/ubuntu/joining_cockroach_insecure_node.sh
check instance id=$node_2 state=running timeout=180
node_3 = create instance subnet=$subnet_3 keypair={ssh.keypair} distro=canonical:ubuntu type=t2.medium count=1 role=DiscoverCockroachNodeRole name=cockroachdb-node-3 securitygroup=$sshfirewall userdata=https://raw.githubusercontent.com/wallix/awless-templates/master/userdata/ubuntu/joining_cockroach_insecure_node.sh
check instance id=$node_3 state=running timeout=180
haproxy = create instance subnet=$subnet_4 keypair={ssh.keypair} distro=canonical:ubuntu type=t2.micro count=1 role=DiscoverCockroachNodeRole name=cockroachdb-haproxy securitygroup=$sshfirewall userdata=https://raw.githubusercontent.com/wallix/awless-templates/master/userdata/ubuntu/cockroach_haproxy.sh
# Update instances with firewall definitions
attach securitygroup id=$proxyfirewall instance=$haproxy
attach securitygroup id=$nodefirewall instance=$haproxy
attach securitygroup id=$nodefirewall instance=$node_1
attach securitygroup id=$nodefirewall instance=$node_2
attach securitygroup id=$nodefirewall instance=$node_3
attach securitygroup id=$uifirewall instance=$node_1
attach securitygroup id=$uifirewall instance=$node_2
attach securitygroup id=$uifirewall instance=$node_3