Tear down AWS resources
- Log in to the AWS console and empty the following S3 buckets:
  - gds-paas-{dev_env}-state
  - {dev_env}-cf-droplets
  - {dev_env}-cf-packages
  - {dev_env}-cf-resources
- Head to RDS and delete the RDS broker DBs associated with the environment by searching for the deploy_env
- IAM: remove all users associated with the deploy_env
- In paas-bootstrap run the teardown command, e.g.
gds aws paas-dev-admin -- make dev02 teardown
- Run it a few times in case of dependency errors (e.g. security groups)
- Remove NAT gateways associated with the dev env VPC
- Run the teardown command again, e.g.
gds aws paas-dev-admin -- make dev02 teardown
- Remove the network interfaces associated with the dev env VPC
- Run the teardown command again; you should see the VPC deleted, e.g.
gds aws paas-dev-admin -- make dev02 teardown
- Navigate to CodeCommit in the AWS console (us-east-1) and delete concourse-pool-{deploy_env}; remember to switch back to eu-west-1
- Navigate to CloudWatch and delete all log groups associated with the deploy_env
- Navigate to EC2 > Target groups and delete all target groups associated with the deploy_env
- Navigate to ACM and delete all certificates associated with the deploy_env
- Navigate to ElastiCache and delete all subnet groups associated with the deploy_env
- Navigate to WAF & Shield and delete all ACLs, then the IP sets, associated with the deploy_env
- Make sure the keypair is deleted
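Once the teardown has been run, the following script (an added example, not a paas-bootstrap script) lists anything from the manual clean-up steps above that still exists, using only read-only describe/list calls. It assumes the VPC is tagged deploy_env like the Concourse instance and that the other resources carry the env name in their names; AWS can be pointed at a stub function to exercise the reporting without credentials.

```shell
#!/bin/sh
# Post-teardown audit for a dev env. Added example, not a paas-bootstrap script; it only
# lists what is still present and deletes nothing. Assumes one VPC per env carrying a
# deploy_env tag (as the EC2 instance does) and that other resource names contain the
# env name, e.g. dev02; adjust the filters if your tagging differs.
set -eu

AWS=${AWS:-aws}   # overridable so the reporting logic can be exercised without credentials

# Print "<label> <id>" for each id the given aws query returns (text output is tab separated).
report() {
  label=$1; shift
  ids=$("$AWS" "$@" --output text 2>/dev/null) || ids=""
  for id in $ids; do printf '%s %s\n' "$label" "$id"; done
}

audit_leftovers() {
  deploy_env=$1
  vpc=$("$AWS" ec2 describe-vpcs --filters "Name=tag:deploy_env,Values=$deploy_env" \
          --query 'Vpcs[].VpcId' --output text 2>/dev/null) || vpc=""
  if [ -n "$vpc" ]; then
    printf 'vpc %s\n' "$vpc"
    # The two things the runbook has you remove by hand when teardown stalls.
    report nat-gateway ec2 describe-nat-gateways --filter "Name=vpc-id,Values=$vpc" \
      --query 'NatGateways[?State!=`deleted`].NatGatewayId'
    report network-interface ec2 describe-network-interfaces --filters "Name=vpc-id,Values=$vpc" \
      --query 'NetworkInterfaces[].NetworkInterfaceId'
  fi
  # Name-based checks for the remaining manual clean-up steps.
  report log-group logs describe-log-groups \
    --query "logGroups[?contains(logGroupName, \`$deploy_env\`)].logGroupName"
  report target-group elbv2 describe-target-groups \
    --query "TargetGroups[?contains(TargetGroupName, \`$deploy_env\`)].TargetGroupArn"
  report certificate acm list-certificates \
    --query "CertificateSummaryList[?contains(DomainName, \`$deploy_env\`)].CertificateArn"
  report elasticache-subnet-group elasticache describe-cache-subnet-groups \
    --query "CacheSubnetGroups[?contains(CacheSubnetGroupName, \`$deploy_env\`)].CacheSubnetGroupName"
  report waf-acl wafv2 list-web-acls --scope REGIONAL \
    --query "WebACLs[?contains(Name, \`$deploy_env\`)].Name"
  report waf-ip-set wafv2 list-ip-sets --scope REGIONAL \
    --query "IPSets[?contains(Name, \`$deploy_env\`)].Name"
  report key-pair ec2 describe-key-pairs \
    --query "KeyPairs[?contains(KeyName, \`$deploy_env\`)].KeyName"
}

# Usage: ./audit-teardown.sh dev02 (or with DEPLOY_ENV exported). No output means nothing
# from the list above is left; each line printed is one resource to go back and remove.
if [ -n "${1:-${DEPLOY_ENV:-}}" ]; then
  audit_leftovers "${1:-$DEPLOY_ENV}"
fi
```

Run it inside the same gds aws paas-dev-admin shell you use for the teardown so it sees the dev account.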
Create new environment
Create bosh and concourse
- Start interactive shell with paas-dev-admin role:
gds aws paas-dev-admin -- zsh
Set the env vars that the appropriate environment, bootstrap, globals and deployer-concourse make targets set. Please note that you need to change the DEPLOY_ENV being targeted on the first line:
export DEPLOY_ENV=devXX
export PASSWORD_STORE_DIR=${HOME}/.paas-pass
export GITHUB_PASSWORD_STORE_DIR=${HOME}/.paas-pass
export GOOGLE_PASSWORD_STORE_DIR=${HOME}/.paas-pass
export SYSTEM_DNS_ZONE_NAME=${DEPLOY_ENV}.dev.cloudpipeline.digital
export SYSTEM_DNS_ZONE_ID=Z1QGLFML8EG6G7
export APPS_DNS_ZONE_NAME=${DEPLOY_ENV}.dev.cloudpipelineapps.digital
export APPS_DNS_ZONE_ID=Z3R6XFWUT4YZHB
export AWS_ACCOUNT=dev
export MAKEFILE_ENV_TARGET=dev
export ENABLE_DESTROY=true
export ENABLE_GITHUB=true
export CONCOURSE_AUTH_DURATION=48h
export SKIP_COMMIT_VERIFICATION=true
export AWS_DEFAULT_REGION=eu-west-1
export CYBER_PASSWORD_STORE_DIR=${HOME}/.paas-pass
export CONCOURSE_INSTANCE_TYPE=c7a.xlarge
export VAGRANT_SSH_KEY_NAME=${DEPLOY_ENV}-vagrant-bootstrap-concourse
export TARGET_CONCOURSE=bootstrap
export CONCOURSE_WEB_USER="admin"
export CONCOURSE_WEB_PASSWORD="$(
  aws sts get-caller-identity \
    | awk '$1 ~ /UserId/ {sub(/:.*$/, "", $2); print $2}' \
    | shasum -a 256 \
    | base64 \
    | head -c 32
)"
export BOSH_INSTANCE_PROFILE=bosh-director-cf
export CONCOURSE_TYPE=deployer-concourse
export CONCOURSE_HOSTNAME=deployer
export CONCOURSE_INSTANCE_TYPE=m7i.xlarge   # overrides the c7a.xlarge set above; the later export wins
export CONCOURSE_INSTANCE_PROFILE=deployer-concourse
export CONCOURSE_WORKER_INSTANCES=1
Run vagrant environment script:
- Navigate to paas-bootstrap
cd vagrant
environment.sh > ../environment
cd ..
- Put the above exports into environment
- Put the output of
echo $CONCOURSE_WEB_PASSWORD
into environment
- Source it:
source environment
Create key pair:
- Make sure you don’t already have a duplicate key; it typically lives in the parent folder of paas-bootstrap
aws ec2 create-key-pair --key-name "${VAGRANT_SSH_KEY_NAME}" | jq -r ".KeyMaterial" > "${VAGRANT_SSH_KEY}"
chmod 600 "${VAGRANT_SSH_KEY}"
Launch EC2 instance from AWS console in eu-west-1 with the following settings:
- Name: “<deploy-env> concourse”, e.g. “dev02 concourse”
- Tags:
  - instance_group: concourse-lite
  - deploy_env: <deploy_env>
- AMI: Ubuntu 24.04 LTS x86
- Instance type: m7a.large
- Key pair: <deploy-env>-vagrant-bootstrap-concourse, e.g. dev02-vagrant-bootstrap-concourse
- Network settings:
  - VPC: default
  - Security group: select existing > create-dev
  - Auto-assign public IP: true
- Storage: 1 x 50GiB gp3
- Advanced details:
  - IAM instance profile: concourse-lite
  - Metadata version: V1 and V2 (token optional)
  - Metadata response hop limit: 3
Find instance public IP, test SSH into instance:
export CONCOURSE_LITE_INSTANCE_IP=<instance IP>
ssh -i ${VAGRANT_SSH_KEY} ubuntu@${CONCOURSE_LITE_INSTANCE_IP}
- <ctrl+d> to terminate SSH connection
Copy relevant files:
rsync -e "ssh -i ${VAGRANT_SSH_KEY}" environment ubuntu@${CONCOURSE_LITE_INSTANCE_IP}:
cd vagrant
rsync -e "ssh -i ${VAGRANT_SSH_KEY}" post-deploy.d/00-run-docker.sh ubuntu@${CONCOURSE_LITE_INSTANCE_IP}:
rsync -e "ssh -i ${VAGRANT_SSH_KEY}" docker-compose.yml ubuntu@${CONCOURSE_LITE_INSTANCE_IP}:
Run concourse via docker on concourse lite instance:
ssh -i ${VAGRANT_SSH_KEY} ubuntu@${CONCOURSE_LITE_INSTANCE_IP}
source environment
./00-run-docker.sh
- <ctrl+d> to terminate SSH connection
Set up SSH tunnel to concourse lite instance:
ssh -i ${VAGRANT_SSH_KEY} -L 8080:127.0.0.1:8080 -fN ubuntu@${CONCOURSE_LITE_INSTANCE_IP}
../concourse/scripts/pipelines.sh
- If you get a “no secret key” error, make sure your paas-pass alias is correctly set up in your current shell
../concourse/scripts/concourse-lite-self-terminate.sh
Run the create-bosh-concourse pipeline
- Head to localhost:8080 and trigger the update-pipeline job (use the concourse creds from environment)
cd ..
make ${DEPLOY_ENV} upload-all-secrets
- Head to deployer.{deploy_env}.dev.cloudpipeline.digital
- run the pipeline
- Head to
Create Cloud Foundry
- Head to paas-cf
- Upload cloudfoundry pipelines with
gds aws paas-dev-admin -- make dev02 pipelines
- Connect to credhub with
gds aws paas-dev-admin -- make dev02 credhub
Then follow the instructions to log in to credhub, getting the passcode from the external hostname given when you first connect to credhub, e.g. https://bosh-uaa-external.dev02.dev.cloudpipeline.digital/passcode
- Upload cloudfoundry secrets to credhub with
gds aws paas-dev-admin -- make dev02 upload-all-secrets
- Run the generate-paas-admin-git-keys, generate-paas-billing-git-keys, generate-paas-aiven-broker-git-keys and generate-git-keys jobs from the “operator” tab of the create-cloudfoundry pipeline