CloudFormation template and related resources for plygrnd.net
I recently tried to launch Ghost on AWS, and it was a complete pain in the arse trying to set it up manually. Ghost, while far easier to configure than say Wordpress, has a few idiosyncrasies that complicate running a production instance scalably. This resulted in me jumping 15 steps ahead (as always) and writing production content on a development instance of Ghost.
I'll launch a production-ready instance on Amazon Web Services and ensure it stays up. Then I'll blog about it so I don't forget how I did it.
- VPC with four subnets:
- 2 public subnets (10.0.1.0/24, 10.0.2.0/24) in two different Availability Zones (AZs).
- 2 private subnets (10.0.3.0/24, 10.0.4.0/24) in different AZs
- EC2:
- 1 Autoscaling group with minimum 2, maximum 4 instances running
- 1 Elastic Load Balancer to terminate SSL and serve web traffic
- EC2 application servers running Ghost
- RDS:
- 1 multi-AZ MySQL database
- SES (email campaigns if I ever write decent content, and password resets)
- CloudFormation
- AWS Certificate Manager
- Route 53
I was going to use AWS Config to check that my resources were configured sanely, but the price tag ($2 per rule) put me off.
Ghost requires a number of variables to be set before it can be used. The basic config file is described here; it requires a whole lot of passwords to be stored in it. Since I'm going to bake the configuration into an AMI, I certainly don't want to include any plaintext passwords or API access keys in it!
We have two options here: use CloudFormation parameters to pass creds to the config file, or use a Lambda function to generate the creds, encrypt them with KMS and store them in a DynamoDB table. We could also use something like Vault to store the creds, but that's even more overhead. For right now, I'll generate the database password in Lastpass and pass it to the stack as a parameter.
So, our completed config.js file with all the privacy bits 'n bobs turned on looks like this:
var path = require('path'),
config;
config = {
production: {
url: 'myurl',
mail: {
transport: 'SMTP',
options:{
host: 'email-smtp.eu-west-1.amazonaws.com',
port: '465',
service: 'SES',
auth: {
user: 'SESUSERID',
pass: 'SESUSERSECRET'
}
}
},
database: {
client: 'mysql',
connection: {
host : 'rdsdbhostname',
user : 'rdsusername',
password : 'rdspassword',
database : 'ghost',
charset : 'utf8'
}
},
privacy:{
useGravatar: false,
useUpdatecheck: false,
useRpcPing: false
}
}
};
module.exports = config;
We'll need to fire that into a fleet of worker bees (EC2 instances) running Ghost, which we'll need to install. This blog post has information on how to download files during template execution.
- Create a VPC named 'ghost'.
- Create subnets:
|public-1|10.0.1.0/24|eu-west-1a|
|public-2|10.0.2.0/24|eu-west-1c|
|private-1|10.0.3.0/24|eu-west-1a|
|private-2|10.0.4.0/24|eu-west-1b|
- Create security groups:
- public: TCP 80/443 open to internet. Apply to public-1 and public-2.
- private: TCP 80 open to 10.0.1.0/24 and 10.0.2.0/24. TCP 3306 open to 10.0.3.0/24 and 10.0.4.0/24. SSH open to my current IP. Apply to private-1 and private-2.
- Create autoscaling launch configuration:
- Amazon Linux ami-e5083683
- t2.micro
- 8GB EBS storage
- Security groups: private
- Create Ghost configuration file and populate with following values:
- SES user ID
- SES secret
- RDS username
- RDS password
- URL
- Create autoscaling group:
- Minimum 2 instances
- Maximum 4
- Create ELB:
- Listens on port 80 and 443
- Terminates SSL using ACM cert
- Create RDS database:
- db.t2.micro
- MySQL
- Multi-AZ
- Security group: private
- Launch EC2 instances into autoscaling group
- Install node and npm
- Install nginx
- Load Ghost configuration
- npm install --production
- npm start --production
- Update Route 53 hosted zone with alias record pointing to ELB