From b5e72c7a6b162b83fc66e7efcb8434ef2f9546d9 Mon Sep 17 00:00:00 2001
From: Joseph Manley
Date: Sun, 3 Nov 2019 17:34:28 -0500
Subject: [PATCH] Nakama custom Nakama authentication & update to RDS authentication
---
 ReadMe.md | 2 +-
 cloudformation/nakama/rds.yaml | 61 +++++++++++++++++++++++----------
 cloudformation/nakama/task.yaml | 46 ++++++++++++++++++++++---
 cloudformation/nakama/top.yaml | 49 ++++++++++++++++++++++++--
 4 files changed, 132 insertions(+), 26 deletions(-)
diff --git a/ReadMe.md b/ReadMe.md
index feff77d..ed61153 100644
--- a/ReadMe.md
+++ b/ReadMe.md
@@ -25,7 +25,7 @@ Parameters, `DatabaseUsername`, `DatabasePassword`, `DatabaseEndpoint`, and `Dat
 - [x] Build Database
 - [ ] Database configuration
 - [x] Automatically migrate database
-- [ ] Custom Admin User
+- [x] Custom Admin User
 - [ ] Custom security keys
 - [ ] Formatted Launch Parameters
 - [ ] Informative `ReadMe.md`
diff --git a/cloudformation/nakama/rds.yaml b/cloudformation/nakama/rds.yaml
index e304dcf..e21b38a 100644
--- a/cloudformation/nakama/rds.yaml
+++ b/cloudformation/nakama/rds.yaml
@@ -12,16 +12,41 @@ Parameters: Description: ID of the VPC Type: AWS::EC2::VPC::Id - #------------------ - # Secret's Manager - #------------------ - Secret: + #----------------- + # RDS Information + #----------------- + InstanceClass: Type: String - Description: Arn of the secret in Secret's Manager + Description: Instance class for the dabase to run on + Default: db.t2.micro + DatabaseEngine: + Type: String + Description: Database engine for the database to use + Default: postgres + DatabaseUsername: + Type: String + Description: Master account's username for database + Default: postgres + DatabasePort: + Type: Number + Description: Port for the database to open a socket on + Default: "5432" + DatabaseStorage: + Type: Number + Description: The amount of storage (in GB) allocated to the RDS instance + Default: "100" + DatabaseAccessCidr: + Type: String + Description: The CIDR used in the security group to secure the database + Default: "0.0.0.0/0" + DatabaseSecret: + Type: String + Description: Arn of the secret in Secret's Manager to use as the password Default: "" + Conditions: - CreateSecret: !Equals [!Ref Secret, ""] + CreateSecret: !Equals [!Ref DatabaseSecret, ""] Resources: SecurityGroup: @@ -33,11 +58,11 @@ Resources: - IpProtocol: icmp FromPort: "-1" ToPort: "-1" - CidrIp: 0.0.0.0/0 + CidrIp: !Ref DatabaseAccessCidr - IpProtocol: tcp - FromPort: "5432" - ToPort: "5432" - CidrIp: 0.0.0.0/0 + FromPort: !Ref DatabasePort + ToPort: !Ref DatabasePort + CidrIp: !Ref DatabaseAccessCidr SecurityGroupEgress: - IpProtocol: icmp FromPort: "-1" 
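Review bot: `DatabaseAccessCidr` defaults to `"0.0.0.0/0"`, so the SecurityGroup ingress rules in the following hunk (`CidrIp: !Ref DatabaseAccessCidr` on both the ICMP and the `DatabasePort` rule) still expose the database to the whole internet unless every caller overrides it; the parameterization is an improvement, but the default preserves the previous exposure. I would remove the default so the caller has to choose, or default to the VPC range the tasks run in, and add `AllowedPattern: ^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$` so a mistyped CIDR fails at validation instead of at resource creation. The same `"0.0.0.0/0"` default is repeated for `RdsAccessCidr` in top.yaml. Two smaller points in this hunk: `DatabaseEngine` has no `AllowedValues` while the top-level `RdsEngine` does, and `Description: Instance class for the dabase to run on` has a typo.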
@@ -65,23 +90,23 @@ Resources: DbInstance: Type: AWS::RDS::DBInstance Properties: - DBInstanceClass: db.t2.micro + DBInstanceClass: !Ref InstanceClass DBInstanceIdentifier: !Sub "nakama-rds-${environment}" - Engine: postgres - MasterUsername: postgres - MasterUserPassword: !Join ["", ["{{resolve:secretsmanager:", !If [ CreateSecret, !Ref RdsPassword, !Ref Secret] ,":SecretString}}" ]] - Port: "5432" - AllocatedStorage: "100" + Engine: !Ref DatabaseEngine + MasterUsername: !Ref DatabaseUsername + MasterUserPassword: !Join ["", ["{{resolve:secretsmanager:", !If [ CreateSecret, !Ref RdsPassword, !Ref DatabaseSecret] ,":SecretString}}" ]] + Port: !Ref DatabasePort + AllocatedStorage: !Ref DatabaseStorage VPCSecurityGroups: - !Ref SecurityGroup Outputs: RdsSecret: Description: ARN of the Secret's Manager secret for the RDS password - Value: !If [ CreateSecret, !Ref RdsPassword, !Ref Secret] + Value: !If [ CreateSecret, !Ref RdsPassword, !Ref DatabaseSecret] RdsUsername: Description: ARN of the Secret's Manager secret for the RDS password - Value: postgres + Value: !Ref DatabaseUsername RdsEnpoint: Description: Endpoint to connect to database Value: !GetAtt DbInstance.Endpoint.Address diff --git a/cloudformation/nakama/task.yaml b/cloudformation/nakama/task.yaml index 4c4f5bc..d090743 100644 --- a/cloudformation/nakama/task.yaml +++ b/cloudformation/nakama/task.yaml @@ -4,6 +4,22 @@ Parameters: ServerName: Type: String Default: "nakama-default" + + #---------------------------- + # Admin Portal Configuration + #---------------------------- + NakamaUsername: + Type: String + Description: Username to access the Nakama admin portal + Default: "admin" + NakamaPasswordOverride: + Type: String + Description: Override Nakama admin portal password + Default: "" + + #------------------------ + # Database Configuration + #------------------------ DatabaseUsername: Type: String Description: Username of the Postgres server 
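Review bot: `Engine: !Ref DatabaseEngine` makes the engine selectable, but the rest of this template still assumes Postgres: `DatabasePort` defaults to 5432, and the task in task.yaml runs `nakama migrate up` against a `user:password@host:port` Postgres address, so any other engine value builds a database the service cannot use. Either pin `AllowedValues: [postgres]` on the parameter or state in its `Description` that only `postgres` is supported by the consuming task. Separately, the `RdsUsername` output keeps the copy-pasted `Description: ARN of the Secret's Manager secret for the RDS password` although its value is now `!Ref DatabaseUsername`; `Description: Master username of the RDS instance` would be accurate.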
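Review bot: `NakamaPasswordOverride` is a plaintext password parameter without `NoEcho: true`, so a value supplied here is returned by DescribeStacks and displayed in the console and in change sets. Add `NoEcho: true` under the parameter; the same applies to `NakamaPasswordOverride` in top.yaml, which forwards the value into this stack. It would also help callers to say in the `Description` that a blank value results in a generated random password, as the top.yaml copy already does.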
@@ -19,7 +35,21 @@ Parameters: Description: Port for the Postgres server Default: 5432 +Conditions: + CreateSecret: !Equals [!Ref NakamaPasswordOverride, ""] + Resources: + + AdminPortalPassword: + Type: AWS::SecretsManager::Secret + Condition: CreateSecret + Properties: + Name: !Sub "nakama/admin/password" + Description: "Admin portal password for Nakama" + GenerateSecretString: + ExcludePunctuation: true + ExcludeCharacters: '"@/\' + LogGroup: Type: AWS::Logs::LogGroup Properties: @@ -48,13 +78,19 @@ Resources: Ref: AWS::Region awslogs-group: Ref: LogGroup - EntryPoint: + MountPoints: + - ContainerPath: /nakama/volume + SourceVolume: "nakama-volume" + EntryPoint: - "/bin/sh" - "-ecx" - - Fn::Sub: | - /nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} && - exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} - + - !Join ["", [ + !Sub "/nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} &&\n", + !Sub "exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} --console.username ${NakamaUsername} --console.password \"", + !If [CreateSecret, !Join ["", ["{{resolve:secretsmanager:", !Ref AdminPortalPassword,":SecretString}}" ]], !Ref NakamaPasswordOverride ], "\"" + ]] + Volumes: + - Name: "nakama-volume" Outputs: TaskArn: Description: ARN of the TaskDefinition diff --git a/cloudformation/nakama/top.yaml b/cloudformation/nakama/top.yaml index a6307cd..5418aa8 100644 --- a/cloudformation/nakama/top.yaml +++ b/cloudformation/nakama/top.yaml 
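Review bot: `Name: !Sub "nakama/admin/password"` is a fixed secret name (the `!Sub` has nothing to substitute), and Secrets Manager secret names are unique per account and region, so a second deployment of this stack in the same region fails on `AdminPortalPassword`; the rds.yaml template already scopes its identifier with `${environment}`. If this stack has an `environment` parameter, `Name: !Sub "nakama/${environment}/admin/password"` avoids the collision; otherwise drop `Name` and let CloudFormation generate a unique one. With `ExcludePunctuation: true` set, `ExcludeCharacters: '"@/\'` is redundant; keep one and add a comment saying why those characters are excluded (the value is placed inside a double-quoted shell argument in the EntryPoint).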
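Review bot: The added `--console.password "…"` argument is interpolated into a command executed with `"-ecx"`, and `-x` prints each command with its expanded arguments to stderr before running it, so the resolved admin password (together with the database password already in `--database.address`) is written to the awslogs log group configured just above on every task start; the resolved value is also readable in plaintext by anyone allowed to call DescribeTaskDefinition. At minimum change the flag line to `- "-ec"`. The better fix is to pass both passwords through the container definition's `Secrets` property (`ValueFrom` the secret ARN) and reference them as shell variables in the command, which keeps the values out of the task definition; the override path would then need its own handling, since `Secrets` only accepts ARNs. Note also that `NakamaPasswordOverride` is placed inside double quotes without the character exclusions applied to the generated secret, so an override containing `"`, `\` or `$` breaks or alters the command.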
@@ -38,7 +38,18 @@ Parameters: #---------------------- # Nakama Configuration #---------------------- + NakamaUsername: + Type: String + Description: Username to access the Nakama admin portal + Default: "admin" + NakamaPasswordOverride: + Type: String + Description: Override Nakama admin portal password. Leave blank for random password. + Default: "" + #------------------------ + # Database Configuration + #------------------------ CreateDatabase: Type: String Default: "true" @@ -62,6 +73,32 @@ Parameters: Description: Port for the Postgres server Default: 5432 + # Advanced RDS Configuration + RdsInstanceClass: + Type: String + Description: Instance class for the dabase to run on + Default: db.t2.micro + RdsEngine: + Type: String + Description: Database engine for the database to use + Default: postgres + AllowedValues: ["aurora", "aurora-mysql", "aurora-postgresql", "mariadb", "mysql", "oracle-ee", "oracle-se2", "oracle-se1", "oracle-se", "postgres", "sqlserver-ee", "sqlserver-se", "sqlserver-ex", "sqlserver-web"] + RdsUsername: + Type: String + Description: Master account's username for database + Default: postgres + RdsPort: + Type: Number + Description: Port for the database to open a socket on + Default: "5432" + RdsStorage: + Type: Number + Description: The amount of storage (in GB) allocated to the RDS instance + Default: "100" + RdsAccessCidr: + Type: String + Description: The CIDR used in the security group to secure the database + Default: "0.0.0.0/0" Conditions: CreateRdsStack: !Equals [!Ref CreateDatabase, "true"] @@ -79,6 +116,12 @@ Resources: Parameters: environment: !Ref environment VpcId: !Ref VpcId + InstanceClass: !Ref RdsInstanceClass + DatabaseEngine: !Ref RdsEngine + DatabaseUsername: !Ref RdsUsername + DatabasePort: !Ref RdsPort + DatabaseStorage: !Ref RdsStorage + DatabaseAccessCidr: !Ref RdsAccessCidr #----------------- # Load Balancing 
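Review bot: `RdsEngine` accepts fourteen engines via `AllowedValues`, but the nested rds.yaml and the Nakama task only work with Postgres (`RdsPort` defaults to 5432 and the task runs `nakama migrate up` against a Postgres address), so most of the listed values would build a database the service cannot connect to. Restrict it to `AllowedValues: ["postgres"]` or state the limitation in the `Description`. `RdsAccessCidr` repeats the `"0.0.0.0/0"` default with no `AllowedPattern`, which leaves the database port open to the internet by default; and `NakamaPasswordOverride` in the first hunk of this file needs `NoEcho: true` so the supplied password is not echoed by DescribeStacks. `Description: Instance class for the dabase to run on` also carries the typo from rds.yaml.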
@@ -93,7 +136,7 @@ Resources: Value: 60 Scheme: internet-facing SecurityGroups: - - !Ref SecurityGroup + - !Ref AlbSecurityGroup Subnets: !Split [",", !Ref PublicSubnets] Tags: - Key: Name @@ -101,7 +144,7 @@ Resources: - Key: environment Value: !Ref environment - SecurityGroup: + AlbSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: ECS Allowed Ports @@ -197,6 +240,8 @@ Resources: DatabasePassword: !If ["CreateRdsStack", !Join ["", ["{{resolve:secretsmanager:", !GetAtt RdsDatabase.Outputs.RdsSecret, ":SecretString}}" ]], !Ref DatabasePassword] DatabaseEndpoint: !If ["CreateRdsStack", !GetAtt RdsDatabase.Outputs.RdsEnpoint, !Ref DatabaseEndpoint] DatabasePort: !If ["CreateRdsStack", !GetAtt RdsDatabase.Outputs.RdsPort, !Ref DatabasePort] + NakamaUsername: !Ref NakamaUsername + NakamaPasswordOverride: !Ref NakamaPasswordOverride EcsService: DependsOn: AdminPortalAlbListener