diff --git a/resources/aws/bucket_policy.json b/resources/aws/bucket_policy.json
deleted file mode 100644
index 864337a..0000000
--- a/resources/aws/bucket_policy.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::127311923021:root"
- },
- "Action": "s3:PutObject",
- "Resource": [
- "arn:aws:s3:::garystaf-aws-alb-logs-api/greetings-app/*"
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/resources/aws/iam-policy.json b/resources/aws/iam-policy.json
index c11ff94..e03636f 100644
--- a/resources/aws/iam-policy.json
+++ b/resources/aws/iam-policy.json
@@ -1,207 +1,207 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "iam:CreateServiceLinkedRole",
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeAddresses",
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeVpcs",
- "ec2:DescribeSubnets",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeInstances",
- "ec2:DescribeNetworkInterfaces",
- "ec2:DescribeTags",
- "ec2:GetCoipPoolUsage",
- "ec2:DescribeCoipPools",
- "elasticloadbalancing:DescribeLoadBalancers",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DescribeListeners",
- "elasticloadbalancing:DescribeListenerCertificates",
- "elasticloadbalancing:DescribeSSLPolicies",
- "elasticloadbalancing:DescribeRules",
- "elasticloadbalancing:DescribeTargetGroups",
- "elasticloadbalancing:DescribeTargetGroupAttributes",
- "elasticloadbalancing:DescribeTargetHealth",
- "elasticloadbalancing:DescribeTags"
- ],
- "Resource": "*"
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateServiceLinkedRole",
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeInstances",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeTags",
+ "ec2:GetCoipPoolUsage",
+ "ec2:DescribeCoipPools",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeListenerCertificates",
+ "elasticloadbalancing:DescribeSSLPolicies",
+ "elasticloadbalancing:DescribeRules",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:DescribeTargetGroupAttributes",
+ "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:DescribeTags"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "cognito-idp:DescribeUserPoolClient",
+ "acm:ListCertificates",
+ "acm:DescribeCertificate",
+ "iam:ListServerCertificates",
+ "iam:GetServerCertificate",
+ "waf-regional:GetWebACL",
+ "waf-regional:GetWebACLForResource",
+ "waf-regional:AssociateWebACL",
+ "waf-regional:DisassociateWebACL",
+ "wafv2:GetWebACL",
+ "wafv2:GetWebACLForResource",
+ "wafv2:AssociateWebACL",
+ "wafv2:DisassociateWebACL",
+ "shield:GetSubscriptionState",
+ "shield:DescribeProtection",
+ "shield:CreateProtection",
+ "shield:DeleteProtection"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateSecurityGroup"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags"
+ ],
+ "Resource": "arn:aws:ec2:*:*:security-group/*",
+ "Condition": {
+ "StringEquals": {
+ "ec2:CreateAction": "CreateSecurityGroup"
 },
- {
- "Effect": "Allow",
- "Action": [
- "cognito-idp:DescribeUserPoolClient",
- "acm:ListCertificates",
- "acm:DescribeCertificate",
- "iam:ListServerCertificates",
- "iam:GetServerCertificate",
- "waf-regional:GetWebACL",
- "waf-regional:GetWebACLForResource",
- "waf-regional:AssociateWebACL",
- "waf-regional:DisassociateWebACL",
- "wafv2:GetWebACL",
- "wafv2:GetWebACLForResource",
- "wafv2:AssociateWebACL",
- "wafv2:DisassociateWebACL",
- "shield:GetSubscriptionState",
- "shield:DescribeProtection",
- "shield:CreateProtection",
- "shield:DeleteProtection"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateSecurityGroup"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags"
- ],
- "Resource": "arn:aws:ec2:*:*:security-group/*",
- "Condition": {
- "StringEquals": {
- "ec2:CreateAction": "CreateSecurityGroup"
- },
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags",
- "ec2:DeleteTags"
- ],
- "Resource": "arn:aws:ec2:*:*:security-group/*",
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:RevokeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateTargetGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:CreateRule",
- "elasticloadbalancing:DeleteRule"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:RemoveTags"
- ],
- "Resource": [
- "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
- "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
- "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
- ],
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:RemoveTags"
- ],
- "Resource": [
- "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
- "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
- "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
- "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:SetIpAddressType",
- "elasticloadbalancing:SetSecurityGroups",
- "elasticloadbalancing:SetSubnets",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:ModifyTargetGroup",
- "elasticloadbalancing:ModifyTargetGroupAttributes",
- "elasticloadbalancing:DeleteTargetGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:RegisterTargets",
- "elasticloadbalancing:DeregisterTargets"
- ],
- "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:SetWebAcl",
- "elasticloadbalancing:ModifyListener",
- "elasticloadbalancing:AddListenerCertificates",
- "elasticloadbalancing:RemoveListenerCertificates",
- "elasticloadbalancing:ModifyRule"
- ],
- "Resource": "*"
+ "Null": {
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ],
+ "Resource": "arn:aws:ec2:*:*:security-group/*",
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+ "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:DeleteSecurityGroup"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "Null": {
+ "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateTargetGroup"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:CreateRule",
+ "elasticloadbalancing:DeleteRule"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:RemoveTags"
+ ],
+ "Resource": [
+ "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+ "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+ "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+ ],
+ "Condition": {
+ "Null": {
+ "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+ "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:RemoveTags"
+ ],
+ "Resource": [
+ "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
+ "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
+ "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+ "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:SetIpAddressType",
+ "elasticloadbalancing:SetSecurityGroups",
+ "elasticloadbalancing:SetSubnets",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:ModifyTargetGroupAttributes",
+ "elasticloadbalancing:DeleteTargetGroup"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "Null": {
+ "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
 }
- ]
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:RegisterTargets",
+ "elasticloadbalancing:DeregisterTargets"
+ ],
+ "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:SetWebAcl",
+ "elasticloadbalancing:ModifyListener",
+ "elasticloadbalancing:AddListenerCertificates",
+ "elasticloadbalancing:RemoveListenerCertificates",
+ "elasticloadbalancing:ModifyRule"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
diff --git a/resources/aws/trust-eks-policy.json b/resources/aws/trust-eks-policy.json
index 99e6268..6276dc9 100644
--- a/resources/aws/trust-eks-policy.json
+++ b/resources/aws/trust-eks-policy.json
@@ -1,17 +1,17 @@
 {
- "Version":"2012-10-17",
- "Statement":[
- {
- "Effect":"Allow",
- "Principal":{
- "Federated":"arn:aws:iam::1234567890:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/F91B063F4B2E8BDFED054DD64DAB4368"
- },
- "Action":"sts:AssumeRoleWithWebIdentity",
- "Condition":{
- "StringEquals":{
- "oidc.eks.us-east-1.amazonaws.com/id/F91B063F4B2E8BDFED054DD64DAB4368:sub":"system:serviceaccount:kube-system:alb-ingress-controller"
- }
- }
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": "arn:aws:iam::1234567890:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/F91B063F4B2E8BDFED054DD64DAB4368"
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ "oidc.eks.us-east-1.amazonaws.com/id/F91B063F4B2E8BDFED054DD64DAB4368:sub": "system:serviceaccount:kube-system:alb-ingress-controller"
+ }
 }
- ]
+ }
+ ]
 }
\ No newline at end of file
diff --git a/service_template/part5_service-builder.py b/service_template/part5_service-builder.py
deleted file mode 100644
index aa7bc0d..0000000
--- a/service_template/part5_service-builder.py
+++ /dev/null
@@ -1,29 +0,0 @@ -#!/usr/bin/env python3 -# -# author: Gary A. Stafford -# site: https://programmaticponderings.com -# license: MIT License -# purpose: Optional: (Re)build (8) Go-based microservice's Kubernetes -# Service and Deployment resources from Jinja2 template - -from jinja2 import Environment, FileSystemLoader - -file_loader = FileSystemLoader('templates') -env = Environment(loader=file_loader) -template = env.get_template('service.j2') - -resource_location = '' -services = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'] - -for service in services: - output = template.render(service=service, - replicas=2, - tag='1.7.5', - versions='v1') - print(output) - - filename = "service-%s%s" % (service, '.yaml') - resource = "%s" % filename - - with open(resource, "w") as f: - f.write(output) diff --git a/service_template/requirements.txt b/service_template/requirements.txt deleted file mode 100644 index f70a269..0000000 --- a/service_template/requirements.txt +++ /dev/null @@ -1,3 +0,0 @@ -# python3 -m pip install -r requirements.txt -U - -Jinja2 diff --git a/service_template/templates/service.j2 b/service_template/templates/service.j2 deleted file mode 100644 index d6e1b5a..0000000 --- a/service_template/templates/service.j2 +++ /dev/null 
@@ -1,89 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: service-{{ service }} - labels: - app: service-{{ service }} - component: service -spec: - ports: - - name: http - port: 8080 - selector: - app: service-{{ service }} - component: service ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: service-{{ service }} - labels: - app: service-{{ service }} - component: service - version: {{ versions }} -spec: - replicas: {{ replicas }} - strategy: - type: Recreate - selector: - matchLabels: - app: service-{{ service }} - component: service - version: {{ versions }} - template: - metadata: - labels: - app: service-{{ service }} - component: service - version: {{ versions }} - annotations: - sidecar.istio.io/inject: "true" - spec: - containers: - - name: service-{{ service }} - image: registry.hub.docker.com/garystafford/go-srv-{{ service }}:{{ tag }} - # resources: - # requests: - # memory: 100M - # cpu: 100m - # limits: - # memory: 250M - # cpu: 250m - livenessProbe: - httpGet: - path: /api/health - port: 8080 - initialDelaySeconds: 3 - periodSeconds: 3 - env: - - name: MONGO_CONN - valueFrom: - secretKeyRef: - name: go-srv-config - key: mongodb.conn - - name: RABBITMQ_CONN - valueFrom: - secretKeyRef: - name: go-srv-config - key: rabbitmq.conn - - name: LOG_LEVEL - value: info - - name: SERVICE_A_URL - value: http://service-a.dev.svc.cluster.local:8080 - - name: SERVICE_B_URL - value: http://service-b.dev.svc.cluster.local:8080 - - name: SERVICE_C_URL - value: http://service-c.dev.svc.cluster.local:8080 - - name: SERVICE_D_URL - value: http://service-d.dev.svc.cluster.local:8080 - - name: SERVICE_E_URL - value: http://service-e.dev.svc.cluster.local:8080 - - name: SERVICE_F_URL - value: http://service-f.dev.svc.cluster.local:8080 - - name: SERVICE_G_URL - value: http://service-g.dev.svc.cluster.local:8080 - - name: SERVICE_H_URL - value: http://service-h.dev.svc.cluster.local:8080 - ports: - - containerPort: 8080 - imagePullPolicy: Always 
diff --git a/services/README.md b/services/README.md deleted file mode 100644 index 43d2d69..0000000 --- a/services/README.md +++ /dev/null @@ -1,41 +0,0 @@ -# Notes - -Build all services locally: - -```shell -go version -# go version go1.16.3 darwin/amd64 - -sh ./part0_build_servcies_locally.sh -``` - -Run a service locally: - -```shell -cd ./service/service-a -go mod tidy -go run *.go -``` - -To test service-a, from a separate terminal window: - -```shell -http http://localhost:80/api/ping -``` - -Build all Docker images: - -```shell -cd services/ -time | sh ./part1_build_srv_images.sh -``` - -Push all Docker images. - -```shell -sh time | ./part2_push_images.sh -``` - -```shell -time | sh ./part1_build_srv_images.sh && sh ./part2_push_images.sh -``` diff --git a/services/part0_build_services_locally.sh b/services/part0_build_services_locally.sh deleted file mode 100644 index aa74f36..0000000 --- a/services/part0_build_services_locally.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash -# -# author: Gary A. Stafford -# site: https://programmaticponderings.com -# license: MIT License -# purpose: Build Go microservices for demo -# date: 2021-05-29 - -readonly -a arr=(a b c d e f g h) -# readonly -a arr=(a) - -for i in "${arr[@]}" -do - pushd "service-$i" || exit - go mod init "github.com/garystafford/go-srv-$i" - go mod tidy -v - popd || exit -done diff --git a/services/part1_build_srv_images.sh b/services/part1_build_srv_images.sh deleted file mode 100644 index f5f1f9f..0000000 --- a/services/part1_build_srv_images.sh +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/bin/bash -# -# author: Gary A. Stafford -# site: https://programmaticponderings.com -# license: MIT License -# purpose: Build Go microservices for demo -# date: 2021-05-29 - -readonly -a arr=(a b c d e f g h) -#readonly -a arr=(f) -readonly tag=1.7.6 - -for i in "${arr[@]}" -do - cp -f Dockerfile "service-$i" - pushd "service-$i" || exit - docker build -t "garystafford/go-srv-$i:$tag" . --no-cache - rm -rf Dockerfile - popd || exit -done - -#docker image ls | grep 'garystafford/go-srv-' diff --git a/services/part2_push_images.sh b/services/part2_push_images.sh deleted file mode 100644 index 98c352e..0000000 --- a/services/part2_push_images.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash -# -# author: Gary A. Stafford -# site: https://programmaticponderings.com -# license: MIT License -# purpose: Push images to Dockerhub -# date: 2021-05-29 - -readonly -a arr=(a b c d e f g h) -#readonly -a arr=(f) -readonly tag=1.7.6 - -for i in "${arr[@]}" -do - docker push "docker.io/garystafford/go-srv-$i:$tag" -done - -# docker push "docker.io/garystafford/angular-observe:1.6.7" diff --git a/services/templates/service.j2 b/services/templates/service.j2 deleted file mode 100644 index d6e1b5a..0000000 --- a/services/templates/service.j2 +++ /dev/null 
@@ -1,89 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: service-{{ service }} - labels: - app: service-{{ service }} - component: service -spec: - ports: - - name: http - port: 8080 - selector: - app: service-{{ service }} - component: service ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: service-{{ service }} - labels: - app: service-{{ service }} - component: service - version: {{ versions }} -spec: - replicas: {{ replicas }} - strategy: - type: Recreate - selector: - matchLabels: - app: service-{{ service }} - component: service - version: {{ versions }} - template: - metadata: - labels: - app: service-{{ service }} - component: service - version: {{ versions }} - annotations: - sidecar.istio.io/inject: "true" - spec: - containers: - - name: service-{{ service }} - image: registry.hub.docker.com/garystafford/go-srv-{{ service }}:{{ tag }} - # resources: - # requests: - # memory: 100M - # cpu: 100m - # limits: - # memory: 250M - # cpu: 250m - livenessProbe: - httpGet: - path: /api/health - port: 8080 - initialDelaySeconds: 3 - periodSeconds: 3 - env: - - name: MONGO_CONN - valueFrom: - secretKeyRef: - name: go-srv-config - key: mongodb.conn - - name: RABBITMQ_CONN - valueFrom: - secretKeyRef: - name: go-srv-config - key: rabbitmq.conn - - name: LOG_LEVEL - value: info - - name: SERVICE_A_URL - value: http://service-a.dev.svc.cluster.local:8080 - - name: SERVICE_B_URL - value: http://service-b.dev.svc.cluster.local:8080 - - name: SERVICE_C_URL - value: http://service-c.dev.svc.cluster.local:8080 - - name: SERVICE_D_URL - value: http://service-d.dev.svc.cluster.local:8080 - - name: SERVICE_E_URL - value: http://service-e.dev.svc.cluster.local:8080 - - name: SERVICE_F_URL - value: http://service-f.dev.svc.cluster.local:8080 - - name: SERVICE_G_URL - value: http://service-g.dev.svc.cluster.local:8080 - - name: SERVICE_H_URL - value: http://service-h.dev.svc.cluster.local:8080 - ports: - - containerPort: 8080 - imagePullPolicy: Always