AWS Service to simplify AWS SDK functions
IaC example is a simple example of Infrastructure as code (IaC) to automate a development environment based on Vagrant and a staging, production environment on AWS. The installation creates a basic Symfony application along with a PostgreSQL, Solr and Redis services. Ansible helps automate all the infrastructure tasks and the bash scripts act as a wrapper for the Ansible commands.
Recently I posted about Varnish with secure AWS S3 bucket as backend and I wanted to have the “always online” enabled, meaning you can take the backend offline while serving from Varnish cache.
Serving static contents from S3 is common, but using Varnish in front is a bit tricky. Especially if you want to keep the bucket secure and only serve from Varnish, here is a simple Varnish file to solve this problem.
First secure your bucket via IP policy:
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::example.bucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"5.6.7.8/32" //varnish ip
]
}
}
},
{
"Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::example.bucket/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"https://example.com/*"
]
}
}
}
]
}
Setting up PostgreSQL on RDS using ansible is a bit tricky because the main user on RDS is not a SUPERUSER and roles membership is not automatically granted for ex: “ERROR: must be member of role ..” is quite common. Here is a working solution:
