Merge pull request #29 from edx/feature/sef/refarch-vpc-dns-ssh

cloudformation template changes for outbound SSH, internal DNS names

README.md

@@ -214,32 +214,33 @@ If that works fine, then you can add an export of PYTHONPATH to
 Because the reference architecture makes use of an Amazon VPC, you will not be able
 to address the hosts in the private subnets directly.  However, you can easily set 
 up a transparent "jumpbox" so that for all hosts in your vpc, connections are 
-tunneled
+tunneled.
 
 Add something like the following to your `~/.ssh/config` file.
 
 ```
-Host vpc-00000000-jumpbox 
-  HostName 54.236.224.226
+Host *.us-west-1.compute-internal
+  ProxyCommand ssh -W %h:%p vpc-00000000-jumpbox
   IdentityFile /path/to/aws/key.pem
   ForwardAgent yes
   User ubuntu
 
-Host 10.0.10.1
-  ProxyCommand ssh -W %h:%p vpc-00000000-jumpbox
-  ForwardAgent yes
-  HostName 10.0.10.242
+Host vpc-00000000-jumpbox
+  HostName 54.236.224.226
   IdentityFile /path/to/aws/key.pem
+  ForwardAgent yes
   User ubuntu
-  
-  ...
-
 ```
-You will need a host entry for each server that ansible will configure.
 
-Test this by typing `ssh 10.0.10.1`, use a hostname the exists in
-your environment.   If things are configured correctly you will ssh 
-to 10.0.10.1, jumping transparently via your basion host.
+This assumes that you only have one VPC in the ```us-west-1``` region
+that you're trying to ssh into.  Internal DNS names aren't qualified
+any further than that, so to support multiple VPC's you'd have to get
+creative with subnets, for example ip-10-1 and ip-10-2...
+
+Test this by typing `ssh ip-10-0-10-1.us-west-1.compute.internal`, 
+(of coruse using a hostname exists in your environment.)  If things 
+are configured correctly you will ssh to 10.0.10.1, jumping 
+transparently via your basion host.
 
 Assuming that the edxapp_stage.yml playbook targets hosts in your vpc
 for which there are entiries in your `.ssh/config`, do the 
@@ -249,9 +250,6 @@ following to run your playbook.
   cd playbooks
   ansible-playbook -v --user=ubuntu edxapp_stage.yml -i ./ec2.py -c ssh
 ```
-We are in the process of writing utility scripts to generate this config,
-but for the moment it is a manual process.
-
 
 *Note: this assumes the group used for the edx stack was "edxapp_stage"*
 

cloudformation_templates/edx-reference-architecture.json

@@ -1330,6 +1330,14 @@
             "FromPort":"443",
             "ToPort":"443",
             "CidrIp":"0.0.0.0/0"
+          },
+          {
+            "IpProtocol":"tcp",
+            "FromPort":"22",
+            "ToPort":"22",
+            "CidrIp":{
+              "Ref":"SSHLocation"
+            }
           }
         ]
       }
@@ -1653,7 +1661,7 @@
           "Ref":"EdxappServer"
         },
         "MinSize":"1",
-        "MaxSize":"2",
+        "MaxSize":"6",
         "DesiredCapacity":{
           "Ref":"EdxappDesiredCapacity"
         },
@@ -3192,6 +3200,19 @@
           ]
         ]
       }
+    },
+    "EnableDNSHostnamesForVPCCommand":{
+      "Description":"MANUAL COMMAND #3: Change VPC setting to enable automatic DNS hostname resolution from within the VPC. Setting not supported in Cloudformation yet.",
+      "Value":{
+        "Fn::Join":[
+          "",
+          [
+            "ec2-modify-vpc-attribute ",
+            "-c ", { "Ref":"EdxVPC" }, " ",
+            "-d true"
+          ]
+        ]
+      }
     }
   }
 }

playbooks/ec2.ini

 [ec2]
 regions=all
 destination_variable=public_dns_name
-vpc_destination_variable=ip_address
+vpc_destination_variable=private_dns_name
 cache_path=/tmp
 cache_max_age=300