mirror of
https://github.com/verdaccio/verdaccio.git
synced 2024-11-08 23:25:51 +01:00
339 lines
8.4 KiB
YAML
339 lines
8.4 KiB
YAML
# Instructions:
|
|
# 1. Check all "TODO" comments and make changes if required for your environment
|
|
# 2. Provide values for all required parameters and any optional parameters desired
|
|
|
|
AWSTemplateFormatVersion: '2010-09-09'
|
|
Description: Verdaccio - NPM cache / private registry
|
|
Parameters:
|
|
# REQUIRED PARAMETERS
|
|
Ami:
|
|
Type: AWS::EC2::Image::Id
|
|
Description: >
|
|
Amazon Linux 2 AMI ID for the proxy instances. Find it with
|
|
'aws ssm get-parameters --names /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
|
|
Ec2KeyPair:
|
|
Type: String
|
|
Description: EC2 Key Pair to use for the proxy instances.
|
|
HttpsCertificateArn:
|
|
Type: String
|
|
Description: ACM certificate ARN to use
|
|
DnsHostedZoneName:
|
|
Type: String
|
|
Description: >
|
|
The route 53 hosted zone name to create the `npm.<zone>` record in. Do not
|
|
include the trailing dot!
|
|
Vpc:
|
|
Type: AWS::EC2::VPC::Id
|
|
Description: VPC to create this stack inside
|
|
AsgSubnets:
|
|
Type: List<AWS::EC2::Subnet::Id>
|
|
Description: >
|
|
Subnets the auto scaling group should span.
|
|
LbSubnets:
|
|
Type: List<AWS::EC2::Subnet::Id>
|
|
Description: >
|
|
Subnets the load balancer should span.
|
|
VerdaccioConfigUrl:
|
|
Type: String
|
|
Description: URL the ASG instances can download Verdaccio's config.yaml from.
|
|
# TODO: if you aren't using htpasswd authentication, remove this parameter
|
|
# and the associated user data reference.
|
|
VerdaccioHtpasswdUrl:
|
|
Type: String
|
|
Description: URL the ASG instances can download Verdaccio's htpasswd from.
|
|
|
|
# OPTIONAL PARAMETERS
|
|
DockerImage:
|
|
Type: String
|
|
Default: verdaccio/verdaccio:3
|
|
AsgMinSize:
|
|
Type: String
|
|
Default: '1'
|
|
AsgMaxSize:
|
|
Type: String
|
|
Default: '1'
|
|
AsgInstanceType:
|
|
Type: String
|
|
Default: t3.nano
|
|
DnsName:
|
|
Type: String
|
|
Default: npm
|
|
Description: The Route 53 record created is $DnsName.$DnsHostedZoneName
|
|
|
|
Resources:
|
|
Asg:
|
|
Type: AWS::AutoScaling::AutoScalingGroup
|
|
DependsOn:
|
|
- EfsMountA
|
|
- EfsMountB
|
|
- EfsMountC
|
|
Properties:
|
|
DesiredCapacity:
|
|
Ref: AsgMaxSize
|
|
HealthCheckGracePeriod: 60
|
|
HealthCheckType: ELB
|
|
LaunchConfigurationName:
|
|
Ref: Lc
|
|
MaxSize:
|
|
Ref: AsgMinSize
|
|
MinSize:
|
|
Ref: AsgMaxSize
|
|
Tags:
|
|
- Key: Name
|
|
Value:
|
|
Ref: AWS::StackName
|
|
PropagateAtLaunch: true
|
|
TargetGroupARNs:
|
|
- Ref: Tg
|
|
VPCZoneIdentifier:
|
|
Ref: AsgSubnets
|
|
|
|
# TODO: you may want to add target tracking scaling policy. By default the ASG
|
|
# does not automatically scale.
|
|
|
|
AsgSg:
|
|
Type: AWS::EC2::SecurityGroup
|
|
Properties:
|
|
GroupDescription: Used by instances in the Auto Scaling Group.
|
|
SecurityGroupIngress:
|
|
- FromPort: 22
|
|
ToPort: 22
|
|
IpProtocol: tcp
|
|
# TODO: you may want to restrict this further
|
|
CidrIp: 0.0.0.0/0
|
|
SecurityGroupEgress:
|
|
- FromPort: 0
|
|
ToPort: 65535
|
|
IpProtocol: tcp
|
|
CidrIp: 0.0.0.0/0
|
|
Tags:
|
|
- Key: Name
|
|
Value:
|
|
Fn::Sub: ${AWS::StackName} ASG
|
|
VpcId:
|
|
Ref: Vpc
|
|
AsgSgHttpIngress:
|
|
Type: AWS::EC2::SecurityGroupIngress
|
|
Properties:
|
|
GroupId:
|
|
Ref: AsgSg
|
|
FromPort: 4873
|
|
ToPort: 4873
|
|
IpProtocol: tcp
|
|
SourceSecurityGroupId:
|
|
Ref: LbSg
|
|
|
|
Lc:
|
|
Type: AWS::AutoScaling::LaunchConfiguration
|
|
Properties:
|
|
ImageId:
|
|
Ref: Ami
|
|
InstanceType:
|
|
Ref: AsgInstanceType
|
|
KeyName:
|
|
Ref: Ec2KeyPair
|
|
SecurityGroups:
|
|
- Ref: AsgSg
|
|
UserData:
|
|
Fn::Base64:
|
|
# Since this uses Fn::Sub, don't use the ${var} form for any bash
|
|
# variables. Just use $var.
|
|
Fn::Sub: |
|
|
#!/bin/bash
|
|
set -eu
|
|
|
|
start_time=$(date +%s)
|
|
|
|
IMAGE="${DockerImage}"
|
|
BASE="/verdaccio"
|
|
|
|
# Mount EFS first
|
|
yum -y install amazon-efs-utils
|
|
mkdir /verdaccio
|
|
echo "${Efs}:/ "$BASE" efs tls,_netdev" >> /etc/fstab
|
|
mount -a -t efs defaults
|
|
|
|
# Create/update the config & password files.
|
|
[[ -d "$BASE/conf" ]] || mkdir "$BASE/conf"
|
|
curl -o "$BASE/conf/htpasswd" "${VerdaccioHtpasswdUrl}"
|
|
curl -o "$BASE/conf/config.yaml" "${VerdaccioConfigUrl}"
|
|
|
|
amazon-linux-extras install docker
|
|
systemctl start docker
|
|
|
|
# Download the image
|
|
docker pull "$IMAGE"
|
|
|
|
# Update permissions on the cache directory.
|
|
target_uid=$(docker run "$IMAGE" id -u)
|
|
target_gid=$(docker run "$IMAGE" id -g)
|
|
chown "$target_uid:$target_gid" "$BASE"
|
|
|
|
docker run --detach \
|
|
-p 4873:4873 \
|
|
--mount "type=bind,src=$BASE,dst=/verdaccio" \
|
|
"$IMAGE"
|
|
|
|
echo "Finished user-data script in $(( $(date +%s) - start_time)) secs"
|
|
|
|
Tg:
|
|
Type: AWS::ElasticLoadBalancingV2::TargetGroup
|
|
Properties:
|
|
HealthCheckIntervalSeconds: 5
|
|
HealthCheckPort: '4873'
|
|
HealthCheckProtocol: 'HTTP'
|
|
HealthCheckTimeoutSeconds: 2
|
|
Port: 4873
|
|
Protocol: 'HTTP'
|
|
TargetGroupAttributes:
|
|
- Key: deregistration_delay.timeout_seconds
|
|
Value: '10'
|
|
VpcId:
|
|
Ref: Vpc
|
|
|
|
Lb:
|
|
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
|
|
Properties:
|
|
SecurityGroups:
|
|
- Ref: LbSg
|
|
Subnets:
|
|
Ref: LbSubnets
|
|
Tags:
|
|
- Key: Name
|
|
Value:
|
|
Fn::Sub: ${AWS::StackName} ALB
|
|
|
|
LbSg:
|
|
Type: AWS::EC2::SecurityGroup
|
|
Properties:
|
|
GroupDescription:
|
|
Fn::Sub: Allow HTTPS connections to the ${AWS::StackName} load balancer
|
|
SecurityGroupIngress:
|
|
# TODO: You may want to restrict the allowed IPs
|
|
- FromPort: 443
|
|
ToPort: 443
|
|
IpProtocol: tcp
|
|
CidrIp: 0.0.0.0/0
|
|
Tags:
|
|
- Key: Name
|
|
Value:
|
|
Fn::Sub: ${AWS::StackName} LB
|
|
VpcId:
|
|
Ref: Vpc
|
|
LbSgHttpEgress:
|
|
Type: AWS::EC2::SecurityGroupEgress
|
|
Properties:
|
|
GroupId:
|
|
Ref: LbSg
|
|
FromPort: 4873
|
|
ToPort: 4873
|
|
IpProtocol: tcp
|
|
DestinationSecurityGroupId:
|
|
Ref: AsgSg
|
|
|
|
LbListener:
|
|
Type: AWS::ElasticLoadBalancingV2::Listener
|
|
Properties:
|
|
Certificates:
|
|
- CertificateArn:
|
|
Ref: HttpsCertificateArn
|
|
DefaultActions:
|
|
- TargetGroupArn:
|
|
Ref: Tg
|
|
Type: forward
|
|
LoadBalancerArn:
|
|
Ref: Lb
|
|
Port: 443
|
|
Protocol: HTTPS
|
|
SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
|
|
|
|
Dns:
|
|
Type: AWS::Route53::RecordSet
|
|
Properties:
|
|
AliasTarget:
|
|
DNSName:
|
|
Fn::GetAtt:
|
|
- Lb
|
|
- DNSName
|
|
HostedZoneId:
|
|
Fn::GetAtt:
|
|
- Lb
|
|
- CanonicalHostedZoneID
|
|
HostedZoneName:
|
|
Fn::Sub: ${DnsHostedZoneName}.
|
|
Name:
|
|
Fn::Sub: ${DnsName}.${DnsHostedZoneName}.
|
|
Type: A
|
|
|
|
Efs:
|
|
Type: AWS::EFS::FileSystem
|
|
Properties:
|
|
FileSystemTags:
|
|
- Key: Name
|
|
Value:
|
|
Ref: AWS::StackName
|
|
|
|
EfsSg:
|
|
Type: AWS::EC2::SecurityGroup
|
|
Properties:
|
|
GroupDescription:
|
|
Fn::Sub: Allow connections from the ${AWS::StackName} ASG
|
|
Tags:
|
|
- Key: Name
|
|
Value:
|
|
Fn::Sub: ${AWS::StackName} EFS
|
|
VpcId:
|
|
Ref: Vpc
|
|
EfsSgFsIngress:
|
|
Type: AWS::EC2::SecurityGroupIngress
|
|
Properties:
|
|
GroupId:
|
|
Ref: EfsSg
|
|
FromPort: 2049
|
|
ToPort: 2049
|
|
IpProtocol: tcp
|
|
SourceSecurityGroupId:
|
|
Ref: AsgSg
|
|
|
|
# TODO: if you have more / less than three subnets for AsgSubnets, add/delete
|
|
# entries here as appropriate. Also update the DependsOn section of Asg
|
|
# resource.
|
|
EfsMountA:
|
|
Type: AWS::EFS::MountTarget
|
|
Properties:
|
|
FileSystemId:
|
|
Ref: Efs
|
|
SecurityGroups:
|
|
- Ref: EfsSg
|
|
SubnetId:
|
|
Fn::Select:
|
|
- 0
|
|
- Ref: AsgSubnets
|
|
EfsMountB:
|
|
Type: AWS::EFS::MountTarget
|
|
Properties:
|
|
FileSystemId:
|
|
Ref: Efs
|
|
SecurityGroups:
|
|
- Ref: EfsSg
|
|
SubnetId:
|
|
Fn::Select:
|
|
- 1
|
|
- Ref: AsgSubnets
|
|
EfsMountC:
|
|
Type: AWS::EFS::MountTarget
|
|
Properties:
|
|
FileSystemId:
|
|
Ref: Efs
|
|
SecurityGroups:
|
|
- Ref: EfsSg
|
|
SubnetId:
|
|
Fn::Select:
|
|
- 2
|
|
- Ref: AsgSubnets
|
|
|
|
Outputs:
|
|
Hostname:
|
|
Value:
|
|
Ref: Dns
|