adding repo files

Author: orion

.env

@@ -0,0 +1,8 @@
+DJANGO_SETTINGS_MODULE=settings.dev
+SECRET_KEY='django-insecure-django-insecure-django-insecure-django-insecure'
+DEBUG=True
+DB_NAME=postgres
+DB_USER=postgres
+DB_PASSWORD=postgres
+DB_HOST=db
+DB_PORT=5432

Dockerfile

@@ -0,0 +1,19 @@
+FROM python:3.8.5-alpine
+
+RUN pip install --upgrade pip
+
+COPY ./requirements.txt .
+
+RUN \
+ apk add --no-cache postgresql-libs && \
+ apk add --no-cache --virtual .build-deps gcc musl-dev postgresql-dev && \
+ python3 -m pip install -r requirements.txt --no-cache-dir && \
+ apk --purge del .build-deps
+
+COPY ./myproject /myproject
+
+COPY ./entrypoint.sh /myproject
+
+WORKDIR /myproject
+
+ENTRYPOINT ["sh", "./entrypoint.sh"]

README.md

@@ -1,2 +1,144 @@
-# djaws
-Deploy a Django container to AWS.
+# DJAWS (DJango on AWS)
+
+### Description
+
+Use **DJAWS** to deploy a Django container on AWS. This repo contains a small Django project called _myproject_ that needs access to a Postgres backend and an S3 bucket. The code in this repo will:
+
+* deploy _myproject_ **locally** with Docker Compose using 3 containers (Gunicorn, Nginx and Postgres)
+* deploy _myproject_ in **production** on AWS Elastic Container Service (ECS)
+
+Deploying on ECS is done via Cloudformation YAML files in the _infra/_ directory. The Django app would be reached via the load balancer URL.
+
+
+### Installing AWS CLI
+
+It is advised that the root user of your AWS account not to be used during deployment or most other activities. It is better to create a new group and a user belonging to that group. The user would have programmatic but limited access and you can store the user's credentials locally in `~/.aws/credentials`.
+
+```
+## install aws cli
+virtualenv venv -p python
+source venv/bin/activate
+python -m pip install awscli
+aws --version
+```
+
+### Deployment to AWS
+
+Deployment can be carried out from your local machine and it consists of 7 steps:
+
+1. Build the Docker image for _myproject_ and push it to the Elastic Container Registry (ECR)
+2. Create the VPC stack (includes public subnets, private subnets, internet gateway, elastic IPs, Nat gateways, route tables)
+3. Create the execution role for the ECS task
+4. Create the load balancer, security group and task definition
+5. Create the Postgres RDS, S3 bucket and their secrets and parameters
+6. Update the Django SECRET_KEY as a SecureString type on the parameter store and add its value
+7. Launch the ECS Service.
+
+
+### The AWS Services Used:
+
+* Elastic Container Registry
+* Elastic Container Service
+* Fargate Cluster
+* Application Load Balancer
+* Elastic IP address
+* Postgres RDS
+* S3 bucket
+* Secrets Manager
+* Parameter Store
+* CloudWatch
+
+
+## Local Deployment
+
+Docker Compose is used to locally spin up a Django container with Gunicorn, Nginx container and a Postgres container.
+Enviroment variables are found in the **.env** file.
+
+The Docker image for the Django project _myproject_ will be built locally.
+
+#### Start
+
+```docker-compose up -d```
+
+#### Stop
+
+```docker-compose down```
+
+
+## Deployment in Production with AWS
+
+1. Build and push Docker image to ECR
+
+```
+## build docker image
+docker build -t myproject .
+
+## create a repo on ECR
+aws ecr create-repository --repository-name myproject
+
+## authenticate your local Docker daemon against the ECR
+$(aws ecr get-login --registry-ids <your registry ID> --no-include-email)
+
+## tag the Docker image
+docker tag myproject <your registry ID>.dkr.ecr.<your region>.amazonaws.com/myproject:0.0.1
+
+## push to ECR
+docker push <your registry ID>.dkr.ecr.<your region>.amazonaws.com/myproject:0.0.1
+
+## list your container images on ECR
+aws ecr list-images --repository-name myproject
+
+## delete image on registry
+aws ecr batch-delete-image --repository-name myproject --image-ids imageDigest=<the image digest>
+```
+
+2. The VPC stack
+
+```
+cd infra
+aws cloudformation create-stack --stack-name vpc --template-body file://vpc.yaml --capabilities CAPABILITY_NAMED_IAM
+```
+
+3. The Execution role
+
+```
+aws cloudformation create-stack --stack-name roles --template-body file://roles.yaml --capabilities CAPABILITY_NAMED_IAM
+```
+
+4. The Load balancer, security group and task definition
+
+```
+aws cloudformation create-stack --stack-name lb-sg-task --template-body file://lb_sg_task.yaml --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=ImageUrl,ParameterValue='<your registry ID>.dkr.ecr.<your region>.amazonaws.com/myproject:0.0.1'
+```
+
+5. The Postgres DB, S3 bucket and Secrets
+
+```
+aws cloudformation create-stack --stack-name rds-s3 --template-body file://rds_s3.yaml --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=BucketName,ParameterValue=$(head /dev/urandom | tr -dc a-z0-9 | head -c10)
+```
+
+6. Update SECRET_KEY in the Parameter Store:
+
+```
+aws ssm put-parameter --overwrite --name /Prod/DjangoSecret --type SecureString --value <SECRET_KEY value>
+```
+
+7. Launching the ECS Service
+
+```
+aws cloudformation create-stack --stack-name service --template-body file://service.yaml --capabilities CAPABILITY_NAMED_IAM
+```
+
+### Teardown
+
+Teardown in reverse order:
+
+service stack -> rds-s3 stack -> lb-sg-task stack -> roles stack -> vpc stack
+
+```
+## deleting a stack
+aws cloudformation delete-stack --stack-name <stack name>
+
+## updating a stack
+aws cloudformation update-stack --stack-name <stack name> --template-body file://<stack yaml>
+```

docker-compose.yaml

@@ -0,0 +1,37 @@
+version: '3.7'
+
+services:
+  db:
+    image: postgres
+    container_name: db
+    ports:
+      - '5438:5432'
+    volumes:
+      - ./postgres-data:/var/lib/postgresql/data
+    environment:
+      - POSTGRES_DB=postgres
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=postgres
+
+  fl_gunicorn:
+    container_name: fl_gunicorn
+    volumes:
+      - ./myproject/static:/static
+    env_file:
+      - .env
+    build:
+      context: .
+      dockerfile: ./Dockerfile
+    ports:
+      - "8000:8000"
+    depends_on:
+      - db
+
+  nginx:
+    build: ./nginx
+    volumes:
+      - ./myproject/static:/static
+    ports:
+      - "80:80"
+    depends_on:
+      - fl_gunicorn

entrypoint.sh

@@ -0,0 +1,5 @@
+python manage.py makemigrations
+python manage.py migrate --no-input
+python manage.py collectstatic --no-input
+
+gunicorn myproject.wsgi:application --bind 0.0.0.0:8000

infra/lb_sg_task.yaml

@@ -0,0 +1,164 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: Create load balancer, security groups and task definition.
+Parameters:
+  EnvName:
+    Description: The environment name.
+    Type: String
+    Default: 'PROD'
+
+  ContainerPort:
+    Description: Container port.
+    Type: Number
+    Default: 8000
+
+  ImageUrl:
+    Description: Container image.
+    Type: String
+    Default: ""
+
+Resources:
+  PublicLoadBalancerSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Access to the public facing load balancer.
+      VpcId:
+        'Fn::ImportValue': !Sub "${EnvName}-VPC"
+      SecurityGroupIngress:
+        - CidrIp: 0.0.0.0/0
+          IpProtocol: -1
+
+  PublicLoadBalancer:
+    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+    Properties:
+      Scheme: internet-facing
+      Subnets:
+        - 'Fn::ImportValue': !Sub "${EnvName}-PublicSubnet1"
+        - 'Fn::ImportValue': !Sub "${EnvName}-PublicSubnet2"
+      SecurityGroups:
+        - !Ref PublicLoadBalancerSecurityGroup
+
+  ECSCluster:
+    Type: AWS::ECS::Cluster
+
+  ECSSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Access to the ECS containers.
+      VpcId:
+        'Fn::ImportValue': !Sub "${EnvName}-VPC"
+
+  ECSSecurityGroupIngressFromPublicALB:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      Description: Ingress from the public ALB.
+      GroupId: !Ref ECSSecurityGroup
+      IpProtocol: -1
+      SourceSecurityGroupId: !Ref PublicLoadBalancerSecurityGroup
+
+  ECSSecurityGroupIngressFromSelf:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      Description: Ingress from other containers in the same security group
+      GroupId: !Ref ECSSecurityGroup
+      IpProtocol: -1
+      SourceSecurityGroupId: !Ref ECSSecurityGroup
+
+
+  TargetGroup:
+    Type: AWS::ElasticLoadBalancingV2::TargetGroup
+    Properties:
+      HealthCheckIntervalSeconds: 10
+      HealthCheckPath: /
+      HealthCheckProtocol: HTTP
+      HealthCheckTimeoutSeconds: 5
+      HealthyThresholdCount: 2
+      TargetType: ip
+      Name: !Join ['-', [!Ref EnvName, 'Service']]
+      Port: !Ref ContainerPort
+      Name: "target-group"
+      Protocol: HTTP
+      UnhealthyThresholdCount: 2
+      VpcId: 
+        'Fn::ImportValue': !Sub "${EnvName}-VPC"
+
+  PublicLoadBalancerListener:
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    DependsOn:
+      - PublicLoadBalancer
+      - TargetGroup
+    Properties:
+      DefaultActions:
+        - TargetGroupArn: !Ref TargetGroup
+          Type: 'forward'
+      LoadBalancerArn: !Ref PublicLoadBalancer
+      Port: 80
+      Protocol: HTTP
+
+  TaskDefinition:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      Family: !Ref EnvName
+      Cpu: 512
+      Memory: "2GB"
+      NetworkMode: awsvpc
+      RequiresCompatibilities:
+        - FARGATE
+      ExecutionRoleArn:
+        'Fn::ImportValue': !Sub "${EnvName}-ECSTaskExecutionRole"
+      TaskRoleArn:
+        'Fn::ImportValue': !Sub "${EnvName}-ECSTaskExecutionRole"
+      ContainerDefinitions:
+        - Name: !Ref EnvName
+          Image: !Ref ImageUrl
+          PortMappings:
+            - ContainerPort: !Ref ContainerPort
+          Environment:
+            - Name: 'DB_PORT'
+              Value: 5432
+            - Name: 'DJANGO_SETTINGS_MODULE'
+              Value: 'settings.prod'
+          LogConfiguration:
+            LogDriver: awslogs
+            Options:
+              awslogs-group: !Ref CloudWatchLogsGroup
+              awslogs-region: !Ref AWS::Region
+              awslogs-stream-prefix: !Ref EnvName
+
+  CloudWatchLogsGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      LogGroupName: !Sub "${EnvName}-Logs"
+      RetentionInDays: 1
+
+
+Outputs:
+
+  PublicLoadBalancer:
+    Description: Public Load Balancer
+    Value: !Ref PublicLoadBalancer
+    Export:
+      Name: !Join ['-', [!Ref EnvName, 'PublicLoadBalancer']]
+
+  ECSSecurityGroup:
+    Description: ECS Security Group
+    Value: !Ref ECSSecurityGroup
+    Export:
+      Name: !Join ['-', [!Ref EnvName, 'ECSSecurityGroup']]
+
+  ECSCluster:
+    Description: ECS Cluster
+    Value: !Ref ECSCluster
+    Export:
+      Name: !Join ['-', [!Ref EnvName, 'ECSCluster']]
+
+  TargetGroup:
+    Description: Target Group
+    Value: !Ref TargetGroup
+    Export:
+      Name: !Join ['-', [!Ref EnvName, 'TargetGroup']]
+
+  TaskDefinition:
+    Description: Task Definition
+    Value: !Ref TaskDefinition
+    Export:
+      Name: !Join ['-', [!Ref EnvName, 'TaskDefinition']]