Droid Basement

Note: This article has been duplicated from the previous article which uses Terraform and has been modified for Ansible.

AWS has introduced Lightsail (https://aws NULL.amazon NULL.com/lightsail/) to compete with Digital Ocean, Linode, etc. for an inexpensive VPS (Virtual Private Server) offering.

In this article we will use Ansible (https://www NULL.ansible NULL.com/) (Infrastructure as Code) to swiftly bring up an AWS Lightsail instance in us-east-1 on a dynamic IP and install docker/docker-compose on it.

We will use ‘myweb’ as an example in this article, using the same base path of ‘dev’ that was previously created, the container-admin group and using ~/.local/bin|lib for the binaries/libraries.

Please use ‘Get started with Lightsail for free’ (https://portal NULL.aws NULL.amazon NULL.com/billing/signup?client=lightsail&fid=1A3F6B376ECAC516-2C15C39C5ACECACB&redirect_url=https%3A%2F%2Flightsail NULL.aws NULL.amazon NULL.com%2Fls%2Fsignup#/start) prior to commencing with this article.

–>
Go in to the dev directory/link located within your home directory:

$ cd ~/dev

Upgrade the AWS CLI on your host:

$ pip3 install awscli --upgrade --user && chmod 754 ~/.local/bin/aws

Install/Upgrade Ansible:

$ pip3 install ansible --upgrade --user && chmod 754 ~/.local/bin/ansible ~/.local/bin/ansible-playbook

Install/Upgrade Boto3:

$ pip3 install boto3 --upgrade --user

Create a work folder and change in to it:

$ mkdir -p ansible/myweb/scripts && cd ansible/myweb

Add an IAM Policy to the container-admin group so it will have access to the Lightsail API:
AWS UI Console -> Services -> Security, Identity, & Compliance -> IAM -> Policies -> Create Policy -> JSON (replace <AWS ACCOUNT ID> in the Resource arn with your Account’s ID (shown under the top right drop-down (of your name) within the My Account page next to the Account Id: under Account Settings)):

{
     "Version": "2012-10-17",
     "Statement": [
         {
             "Effect": "Allow",
             "Action": [
                 "lightsail:GetRelationalDatabaseEvents",
                 "lightsail:GetActiveNames",
                 "lightsail:GetOperations",
                 "lightsail:GetBlueprints",
                 "lightsail:GetRelationalDatabaseMasterUserPassword",
                 "lightsail:ExportSnapshot",
                 "lightsail:UnpeerVpc",
                 "lightsail:GetRelationalDatabaseLogEvents",
                 "lightsail:GetRelationalDatabaseBlueprints",
                 "lightsail:GetRelationalDatabaseBundles",
                 "lightsail:CopySnapshot",
                 "lightsail:GetRelationalDatabaseMetricData",
                 "lightsail:PeerVpc",
                 "lightsail:IsVpcPeered",
                 "lightsail:UpdateRelationalDatabaseParameters",
                 "lightsail:GetRegions",
                 "lightsail:GetOperation",
                 "lightsail:GetDisks",
                 "lightsail:GetRelationalDatabaseParameters",
                 "lightsail:GetBundles",
                 "lightsail:GetRelationalDatabaseLogStreams",
                 "lightsail:CreateKeyPair",
                 "lightsail:ImportKeyPair",
                 "lightsail:DeleteKeyPair",
                 "lightsail:GetInstance",
                 "lightsail:CreateInstances",
                 "lightsail:DeleteInstance",
                 "lightsail:GetDomains",
                 "lightsail:GetDomain",
                 "lightsail:CreateDomain",
                 "lightsail:DeleteDomain",
                 "lightsail:GetStaticIp",
                 "lightsail:AllocateStaticIp",
                 "lightsail:AttachStaticIp",
                 "lightsail:DetachStaticIp",
                 "lightsail:ReleaseStaticIp"
             ],
             "Resource": "*"         
         },
         {
             "Effect": "Allow",
             "Action": "lightsail:",
             "Resource": [
                 "arn:aws:lightsail::<AWS ACCOUNT ID>:StaticIp/*",
                 "arn:aws:lightsail::<AWS ACCOUNT ID>:ExportSnapshotRecord/*",
                 "arn:aws:lightsail::<AWS ACCOUNT ID>:Instance/*",
                 "arn:aws:lightsail::<AWS ACCOUNT ID>:CloudFormationStackRecord/*",
                 "arn:aws:lightsail::<AWS ACCOUNT ID>:RelationalDatabaseSnapshot/*",
                 "arn:aws:lightsail::<AWS ACCOUNT ID>:RelationalDatabase/*",
                 "arn:aws:lightsail::<AWS ACCOUNT ID>:InstanceSnapshot/*",
                 "arn:aws:lightsail::<AWS ACCOUNT ID>:Domain/*",
                 "arn:aws:lightsail::<AWS ACCOUNT ID>:LoadBalancer/*",
                 "arn:aws:lightsail::<AWS ACCOUNT ID>:KeyPair/*",
                 "arn:aws:lightsail::<AWS ACCOUNT ID>:Disk/*"
             ]
         }
     ]
 }

Review Policy ->

Name: AllowLightsail
Description: Allow access to Lightsail.

Create Policy.

Groups -> container-admin -> Attach Policy -> Search for AllowLightsail -> Attach Policy.

Generate an SSH Key Pair (no password) and restrict permissions on it:

$ ssh-keygen -q -t rsa -b 2048 -N '' -f ~/.ssh/myweb && chmod 400 ~/.ssh/myweb

Import the public key to Lightsail:

$ aws lightsail import-key-pair --key-pair-name myweb --public-key-base64 file://~/.ssh/myweb.pub

Create a hosts file and specify localhost:

$ cat << 'EOF' > hosts
> [local]
> localhost
> EOF

Create a nano instance based off of Ubuntu 18_04 and reference an extraneous file for user_data (run once script on Virtual Machine boot):

$ cat << 'EOF' > lightsail.yml
> # Create a new Lightsail instance, register the instance details and add a way to destroy it
> ---
> - hosts: local
>   connection: local
>
>   tasks:
>     - lightsail:
>         state: present
>         name: myweb.com
>         region: us-east-1
>         zone: us-east-1a
>         blueprint_id: ubuntu_18_04
>         bundle_id: nano_2_0
>         key_pair_name: myweb
>         user_data: "{{ lookup('file', './scripts/install.sh') }}"
>         wait_timeout: 500
>       register: myweb
>
>     - debug: msg="Public IP is {{ myweb.instance.public_ip_address }} for {{ myweb.instance.name }}"
>       when: myweb.instance.public_ip_address is defined
>
>     - debug: msg="Run this playbook for {{ myweb.instance.name }} shortly to list the Public IP."
>       when: myweb.instance.public_ip_address is not defined
>
>     - lightsail:
>         state: absent
>         name: myweb.com
>         region: us-east-1
>       tags: [ 'never', 'destroy' ] 
> EOF

Create the shell script for user_data:

$ cat << 'EOF' > scripts/install.sh
> #!/bin/bash
>
> MY_HOME="/home/ubuntu"
> export DEBIAN_FRONTEND=noninteractive
>
> # Install prereqs
> apt update
> apt install -y python3-pip apt-transport-https ca-certificates curl software-properties-common
> # Install docker
> curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
> add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
> apt update
> apt install -y docker-ce
> # Install docker-compose
> su ubuntu -c "pip3 install docker-compose --upgrade --user && chmod 754 $MY_HOME/.local/bin/docker-compose"
> usermod -aG docker ubuntu
> # Add PATH
> printf "\nexport PATH=\$PATH:$MY_HOME/.local/bin\n" >> $MY_HOME/.bashrc
>
> exit 0
> EOF

Run the playbook:

$ ansible-playbook -i hosts lightsail.yml

Log on to the instance (up to ~30 seconds may be needed for the attachment of the dynamic IP to the instance):

$ ssh -i ~/.ssh/myweb ubuntu@<The value of public_ip_address that was reported.  One can also re-run the playbook to print it again.>

Type yes and hit enter to accept.

On the host (a short while is needed for the run-once script to complete):

$ docker --version
$ docker-compose --version
$ logout

Tear down the instance:

$ ansible-playbook -i hosts lightsail.yml --tags "destroy"

<–

References:

« Firmware – Asuswrt-Merlin (NG) – 384.14 – RT-AC68 Firmware – Asuswrt-Merlin (NG) – 384.14_2 – RT-AC68 »