Enable AWS IAM authentication with MongoDB. #2020

Merged
merged 2 commits into from
Feb 4, 2024
26 changes: 23 additions & 3 deletions cloudformation/jolly-roger.yaml
Expand Up @@ -46,8 +46,19 @@
# - Set up a certificate in AWS Certificate Manager for the domain. The ARN will
# be configured as the CertificateArn paramater.
#
# - Store the MongoDB URL using `credstash put mongo @<path>`. The free account
# from mongodb.com (for instance) should be sufficient.
# - Provide the MongoDB URL. The free account from mongodb.com (for instance)
# should be sufficient. You can configure a user using the "AWS IAM"
# authentication method, the type "IAM Role", and the ARN
# "arn:aws:iam::<AWS Account ID>:role/JollyRogerAppInstanceRole"; then you can
# specify authMechanism=MONGODB-AWS in the URL and do not need to provide a
# username/password. You will need to configure the user with the "Atlas
# admin" built-in role, and to enable connections from 0.0.0.0/0 (all IPs)
# since the EC2 instance IPs aren't static.
#
# You can either set the MongoUrl and MongoOplogUrl parameters here, or set
# them using `credstash put mongo @<path>` and
# `credstash put mongo/oplog @<path>` (e.g. if you're using regular username/
# password credentials as part of the URLs).
#
# - Signup for a Mailgun account (or any mail provider that supports SMTP
# submission), and add an SMTP URL with the SMTP credentials from your mailgun
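Review bot: the new setup comment (the "Provide the MongoDB URL" bullet) tells operators to give the IAM-role user the "Atlas admin" built-in role and to allow connections from 0.0.0.0/0, which together leave the IAM identity as the only access control on the cluster; the comment should say why a narrower database role is not enough for this deployment (or recommend the least-privileged role that works), and should point out that the fixed "JollyRogerAppInstanceRole" ARN means the Atlas user is tied to a single stack per AWS account. It would also help to state explicitly that the MONGODB-AWS path is what keeps secrets out of the MongoUrl/MongoOplogUrl stack parameters, and that URLs carrying a username and password belong in credstash, as the last paragraph of the bullet already hints.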
Expand Down Expand Up @@ -108,6 +119,14 @@ Parameters:
Type: String
AllowedPattern: "^[A-Za-z0-9]+$"
NoEcho: true
MongoUrl:
Description: MONGO_URL to use with Meteor. Can leave unset and use "mongo" key in credstash if using username/password authentication.
Type: String
Default: ""
MongoOplogUrl:
Description: MONGO_OPLOG_URL to use with Meteor. Can leave unset and use "mongo/oplog" key in credstash if using username/password authentication.
Type: String
Default: ""
EnableCloudWatch:
Description: Enable CloudWatch logging
Type: String
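Review bot: MongoUrl and MongoOplogUrl are declared without `NoEcho: true`, unlike the parameter immediately above them; although the description says to use credstash for username/password URLs, nothing stops an operator from pasting a password-bearing connection string here, and it would then be readable in plain text from the CloudFormation console and the DescribeStacks API. Adding `NoEcho: true` to both parameters costs nothing for the MONGODB-AWS case and closes that gap.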
Expand Down Expand Up @@ -294,6 +313,7 @@ Resources:
AppInstanceRole:
Type: AWS::IAM::Role
Properties:
RoleName: "JollyRogerAppInstanceRole"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
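Review bot: hard-coding `RoleName: "JollyRogerAppInstanceRole"` is needed so the ARN in the setup comment is predictable, but it has two side effects worth documenting next to the property: IAM role names are unique per account, so a second copy of this stack in the same account will fail to create, and a named role requires the stack to be deployed with the CAPABILITY_NAMED_IAM capability rather than CAPABILITY_IAM. Alternatively, keep the generated name and expose the role ARN as a stack Output that operators copy into Atlas.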
Expand Down Expand Up @@ -877,7 +897,7 @@ Resources:
${PapertrailDockerConfig}

- docker run --name coturn -d --restart=unless-stopped --network=host -e DETECT_EXTERNAL_IP=yes coturn/coturn -v --min-port=40000 --max-port=49999 --log-file=stdout --realm=${AppUrl} --use-auth-secret --static-auth-secret=${TurnSecret}
- docker run --name jolly-roger -d --network=host --restart=unless-stopped -e AWS_REGION=$AWS_DEFAULT_REGION -e AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION -e PORT=3000 -e ROOT_URL=https://${AppUrl} -e TURN_SERVER=turns:${AppUrl}:443?transport=tcp -e TURN_SECRET=${TurnSecret} ${DockerPackage}
- docker run --name jolly-roger -d --network=host --restart=unless-stopped -e AWS_REGION=$AWS_DEFAULT_REGION -e AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION -e PORT=3000 -e ROOT_URL=https://${AppUrl} -e TURN_SERVER=turns:${AppUrl}:443?transport=tcp -e TURN_SECRET=${TurnSecret} -e MONGO_URL="${MongoUrl}" -e MONGO_OPLOG_URL="${MongoOplogUrl}" ${DockerPackage}
- docker run --name nginx -d --network=host --restart=unless-stopped -v /etc/nginx/conf.d/default.conf:/etc/nginx/conf.d/default.conf -v /usr/share/nginx/html/502.html:/usr/share/nginx/html/502.html nginx
- docker run --name watchtower -d --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower --interval 30 --cleanup
- docker run --name haproxy -d --restart=unless-stopped --user root --network=host -v /etc/haproxy:/usr/local/etc/haproxy:ro haproxy:2.9.0
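Review bot: the new `-e MONGO_URL="${MongoUrl}" -e MONGO_OPLOG_URL="${MongoOplogUrl}"` arguments embed the parameter values in the instance user-data, which is readable from the instance metadata service by any process on the host and is also visible via `docker inspect` on the jolly-roger container. That is fine for a MONGODB-AWS URL, which carries no secret, but it is another reason the documentation should steer password-bearing URLs to the credstash path, since the startup script only falls back to credstash when these variables are empty.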
5 changes: 5 additions & 0 deletions package-lock.json


1 change: 1 addition & 0 deletions package.json
Expand Up @@ -34,6 +34,7 @@
"@googleapis/people": "^3.0.7",
"@googleapis/script": "^3.2.0",
"@popperjs/core": "^2.11.8",
"aws4": "^1.12.0",
"bcrypt": "^5.1.1",
"bootstrap": "^5.3.2",
"classnames": "^2.5.1",
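Review bot: `aws4` is added as a direct dependency but is not imported anywhere in this diff, so a short note in the commit message or a comment near the MongoDB connection code should record why it is needed (the MongoDB Node driver loads it as an optional dependency to sign MONGODB-AWS authentication requests); without that, a future dependency cleanup could remove it and silently break IAM authentication at runtime.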
4 changes: 2 additions & 2 deletions scripts/run_jolly_roger.sh
Expand Up @@ -18,10 +18,10 @@ if [ -z "${CLUSTER_WORKERS_COUNT+set}" ]; then
fi
fi

if [ -z "${MONGO_URL+set}" ]; then
if [ -z "${MONGO_URL}" ]; then
export MONGO_URL="$(credstash get mongo)"
fi
if [ -z "${MONGO_OPLOG_URL+set}" ]; then
if [ -z "${MONGO_OPLOG_URL}" ]; then
export MONGO_OPLOG_URL="$(credstash get mongo/oplog)"
fi
if [ -z "${MAIL_URL+set}" ]; then
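Review bot: switching the tests from `${MONGO_URL+set}` to `${MONGO_URL}` changes "unset" to "unset or empty", which is required now that the container always receives MONGO_URL and MONGO_OPLOG_URL (possibly as empty strings), but it removes the ability to deliberately export an empty value to skip the credstash lookup; a one-line comment stating that empty means "fetch from credstash" would make the intent clear. Note that the MAIL_URL check three lines below still uses the `+set` form, so the two conventions now coexist in the same script.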