Merge pull request #620 from bigchaindb/make-aws-security-group-a-parameter

Made the security group an AWS deployment parameter

deploy-cluster-aws/awsdeploy.sh

@@ -42,6 +42,7 @@ echo "SSH_KEY_NAME" = $SSH_KEY_NAME
 echo "USE_KEYPAIRS_FILE = "$USE_KEYPAIRS_FILE
 echo "IMAGE_ID = "$IMAGE_ID
 echo "INSTANCE_TYPE = "$INSTANCE_TYPE
+echo "SECURITY_GROUP = "$SECURITY_GROUP
 echo "USING_EBS = "$USING_EBS
 if [ "$USING_EBS" = True ]; then
     echo "EBS_VOLUME_SIZE = "$EBS_VOLUME_SIZE

deploy-cluster-aws/example_deploy_conf.py

@@ -55,6 +55,11 @@ IMAGE_ID="ami-accff2b1"
 # For all options, see https://aws.amazon.com/ec2/instance-types/
 INSTANCE_TYPE="m3.2xlarge"
 
+# SECURITY_GROUP is the name of the AWS security group to use.
+# That security group must exist.
+# Examples: "bigchaindb", "bcdbsecure"
+SECURITY_GROUP="bigchaindb"
+
 # USING_EBS is True if you want to attach an Amazon EBS volume
 USING_EBS=False
 

deploy-cluster-aws/launch_ec2_nodes.py

@@ -27,8 +27,8 @@ from awscommon import get_naeips
 
 
 SETTINGS = ['NUM_NODES', 'BRANCH', 'WHAT_TO_DEPLOY', 'SSH_KEY_NAME',
-            'USE_KEYPAIRS_FILE', 'IMAGE_ID', 'INSTANCE_TYPE', 'USING_EBS',
-            'EBS_VOLUME_SIZE', 'EBS_OPTIMIZED']
+            'USE_KEYPAIRS_FILE', 'IMAGE_ID', 'INSTANCE_TYPE', 'SECURITY_GROUP',
+            'USING_EBS', 'EBS_VOLUME_SIZE', 'EBS_OPTIMIZED']
 
 
 class SettingsTypeError(TypeError):
@@ -92,6 +92,9 @@ if not isinstance(IMAGE_ID, str):
 if not isinstance(INSTANCE_TYPE, str):
     raise SettingsTypeError('INSTANCE_TYPE should be a string')
 
+if not isinstance(SECURITY_GROUP, str):
+    raise SettingsTypeError('SECURITY_GROUP should be a string')
+
 if not isinstance(USING_EBS, bool):
     raise SettingsTypeError('USING_EBS should be a boolean (True or False)')
 
@@ -182,6 +185,8 @@ if NUM_NODES > len(non_associated_eips):
 print('Commencing launch of {} instances on Amazon EC2...'.
       format(NUM_NODES))
 
+sg_list = [SECURITY_GROUP]
+
 for _ in range(NUM_NODES):
     # Request the launch of one instance at a time
     # (so list_of_instances should contain only one item)
@@ -206,7 +211,7 @@ for _ in range(NUM_NODES):
             MaxCount=1,
             KeyName=SSH_KEY_NAME,
             InstanceType=INSTANCE_TYPE,
-            SecurityGroupIds=['bigchaindb'],
+            SecurityGroupIds=sg_list,
             BlockDeviceMappings=[dm],
             EbsOptimized=EBS_OPTIMIZED
         )
@@ -217,7 +222,7 @@ for _ in range(NUM_NODES):
             MaxCount=1,
             KeyName=SSH_KEY_NAME,
             InstanceType=INSTANCE_TYPE,
-            SecurityGroupIds=['bigchaindb']
+            SecurityGroupIds=sg_list
         )
 
     # Tag the just-launched instances (should be just one)

docs/source/clusters-feds/aws-testing-cluster.md

@@ -43,16 +43,18 @@ The AWS cluster deployment scripts use elastic IP addresses (although that may c
 
 ## Create an Amazon EC2 Security Group
 
-Go to the AWS EC2 Console and select "Security Groups" in the left sidebar. Click the "Create Security Group" button. Name it `bigchaindb`. The description probably doesn't matter; you can also put `bigchaindb` for that.
+Go to the AWS EC2 Console and select "Security Groups" in the left sidebar. Click the "Create Security Group" button. You can name it whatever you like. (Notes: The default name in the example AWS deployment configuration file is `bigchaindb`. We had problems with names containing dashes.) The description should be something to help you remember what the security group is for.
 
-Add these rules for Inbound traffic:
+For a super lax, somewhat risky, anything-can-enter security group, add these rules for Inbound traffic:
 
 * Type = All TCP, Protocol = TCP, Port Range = 0-65535, Source = 0.0.0.0/0
 * Type = SSH, Protocol = SSH, Port Range = 22, Source = 0.0.0.0/0
 * Type = All UDP, Protocol = UDP, Port Range = 0-65535, Source = 0.0.0.0/0
 * Type = All ICMP, Protocol = ICMP, Port Range = 0-65535, Source = 0.0.0.0/0
 
-**Note: These rules are extremely lax! They're meant to make testing easy.** For example, Source = 0.0.0.0/0 is [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) for "allow this traffic to come from _any_ IP address."
+(Note: Source = 0.0.0.0/0 is [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) for "allow this traffic to come from _any_ IP address.")
+
+If you want to set up a more secure security group, see the [Notes for Firewall Setup](../appendices/firewall-notes.html).
 
 
 ## Deploy a BigchainDB Monitor
@@ -126,6 +128,7 @@ SSH_KEY_NAME="not-set-yet"
 USE_KEYPAIRS_FILE=False
 IMAGE_ID="ami-accff2b1"
 INSTANCE_TYPE="m3.2xlarge"
+SECURITY_GROUP="bigchaindb"
 USING_EBS=False
 EBS_VOLUME_SIZE=30
 EBS_OPTIMIZED=False