Working E2E deployment

README.rst

@@ -27,13 +27,53 @@ Deploy to AWS
 Verify and adapt all the settings and configuration you find in **aws.yml** file to match your environment.
 Once that is done, all you have to do is deploy to AWS via
 
-.. code-block:: yaml
+.. code-block::
 
-   ecs-compose-x up -f docker-compose.yml -f aws.yml -n wordpress-demo
+   ecs-compose-x up -f docker-compose.yml -f aws.yml -p wordpress-demo
 
 .. hint::
 
    If you do not wish to specify a bucket you can let ecs-composex create all the necessary for you. Simply run
 
    ecs-compose-x init
 
+Adding WAF
+----------
+
+To add WAF, simply the run the command including the ``wafv2.yaml`` to the command line
+
+.. code-block::
+
+   ecs-compose-x up -f docker-compose.yml -f aws.yml -p wordpress-demo -f wafv2.yml
+
+
+.. note::
+
+   Enabling the WAF with the defined rules here will deny access to ``/wp-admin``. You can create rules to allow your IP addresses to access it.
+
+
+x-elbv2 Conditions
+-------------------
+
+You will notice in the conditions for ``x-elbv2`` pointing to the service, a ``Conditions`` section.
+There, we indicate that we want traffic to be sent to wordbress **only if the hostname matches**.
+By default, the ELBv2 will be configured to return 418
+
+.. code-block::
+
+    curl -k https://wordpr-wordp-sw06gyb58v6i-1922613310.eu-west-1.elb.amazonaws.com/ -v
+    < HTTP/2 418
+    < server: awselb/2.0
+    < date: Wed, 28 Feb 2024 10:35:11 GMT
+    < content-type: application/json; charset=utf-8
+    < content-length: 24
+    <
+    * Connection #0 to host wordpr-wordp-sw06gyb58v6i-1922613310.eu-west-1.elb.amazonaws.com left intact
+    {"Info": "Be our guest"}
+
+I have found this is a great way to rebuke crawlers that try their luck on an IP addresses basis instead of hostnames.
+If I try to get on the hostname itself, i.e ``wordpress.demos.bdd-testing.compose-x.io``, I can reach it and all subsequent
+pages.
+
+To further secure the wp-admin path, I recommend to use the x-cognito integration to force going through authentication
+before you can even hit the WP Admin login page.

aws.yml

@@ -1,145 +1,129 @@
-version: '3.8'
-
 services:
   wordpress:
     deploy:
       resources:
         reservations:
-          cpus: 1.0
+          cpus: "1.0"
           memory: 1G
+    environment:
+      WORDPRESS_SKIP_INSTALL: 'no'
+      WORDPRESS_USERNAME: superuser
+      WORDPRESS_PASSWORD: 'ch@ngeM3Please'
     volumes:
       - persistent:/bitnami/wordpress
-    environment:
-      WORDPRESS_SKIP_INSTALL: "no"
-    x-scaling:
-      Range: 1-5
     x-alarms:
       Predefined:
         HighRamUsageAndMaxScaledOut:
           Topics:
             - x-sns: alarms
-
-
+    x-scaling:
+      Range: 1-5
+version: '3.8'
 volumes:
   persistent:
     x-efs:
+      MacroParameters:
+        EnforceIamAuth: true
       Properties:
-        LifecyclePolicies:
+        LifecyclePolicies: null
         TransitionToIA: AFTER_14_DAYS
-      MacroParameters:
-        EnforceIamAuth: True
-
-x-sns:
-  Topics:
-    alarms: {}
-
-# Storage settings
+x-acm:
+  wordpress-demo:
+    Lookup:
+      Tags:
+        - Name: wildcard.${DOMAIN_NAME:-demos.bdd-testing.compose-x.io}
 
+x-cluster:
+  Properties:
+    CapacityProviders:
+      - FARGATE
+      - FARGATE_SPOT
+    ClusterName: demo
+    DefaultCapacityProviderStrategy:
+      - Base: 2
+        CapacityProvider: FARGATE_SPOT
+        Weight: 2
+      - CapacityProvider: FARGATE
+        Weight: 1
+x-elbv2:
+  wordpress-lb:
+    DnsAliases:
+      - Route53Zone: x-route53::PublicZone
+        Names:
+          - wordpress.${DOMAIN_NAME:-demos.bdd-testing.compose-x.io}
+    Listeners:
+      - DefaultActions:
+          - Redirect: HTTP_TO_HTTPS
+        Port: 80
+        Protocol: HTTP
+      - Certificates:
+          - x-acm: wordpress-demo
+        Port: 443
+        Protocol: HTTPS
+        Targets:
+          - Conditions:
+              - Field: host-header
+                HostHeaderConfig:
+                  Values:
+                    - wordpress.${DOMAIN_NAME:-demos.bdd-testing.compose-x.io}
+            name: wordpress:wordpress
+    MacroParameters:
+      Ingress:
+        ExtSources:
+          - Description: ANY
+            IPv4: 0.0.0.0/0
+            Name: ANY
+    Properties:
+      Scheme: internet-facing
+      Type: application
+    Services:
+      wordpress:wordpress:
+        healthcheck: 8080:HTTP:/:7:2:15:5
+        port: 8080
+        protocol: HTTP
 x-rds:
   wordpress-db:
     Properties:
-      Engine: "aurora-mysql"
-      EngineVersion: "5.7"
       BackupRetentionPeriod: 1
       DatabaseName: wordpress
-      StorageEncrypted: True
+      Engine: aurora-mysql
+      EngineVersion: '5.7'
+      StorageEncrypted: true
       Tags:
         - Key: Name
-          Value: "dummy-db"
+          Value: dummy-db
     Services:
-      - name: wordpress
-        access: RW
+      wordpress:
+        Access:
+          DBCluster: RO
         SecretsMappings:
           Mappings:
-            host: MARIADB_HOST
-            port: MARIADB_PORT_NUMBER
-            username: WORDPRESS_DATABASE_USER
-            password: WORDPRESS_DATABASE_PASSWORD
             dbname: WORDPRESS_DATABASE_NAME
-
+            host: WORDPRESS_DATABASE_HOST
+            password: WORDPRESS_DATABASE_PASSWORD
+            port: WORDPRESS_DATABASE_PORT_NUMBER
+            username: WORDPRESS_DATABASE_USER
+x-route53:
+  PublicZone:
+    Lookup: true
+    Name: bdd-testing.compose-x.io
 x-s3:
   wp-data-bucket:
     Properties:
       AccessControl: BucketOwnerFullControl
-      PublicAccessBlockConfiguration:
-          BlockPublicAcls: True
-          BlockPublicPolicy: True
-          IgnorePublicAcls: True
-          RestrictPublicBuckets: False
       BucketEncryption:
         ServerSideEncryptionConfiguration:
           - ServerSideEncryptionByDefault:
               SSEAlgorithm: AES256
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: false
     Services:
-      - name: wordpress
-        access:
-          Bucket: ListOnly
-          Objects: RW
-
-
-# DNS and Ingress settings
-
-x-dns:
-  PublicZone:
-    Name: demos.lambda-my-aws.io
-    Lookup: True
-  Records:
-    - Properties:
-        Name: wordpress.demos.lambda-my-aws.io
-        Type: A
-      Target: x-elbv2::wordpress-lb
-
-
-x-acm:
-  wordpress-demo:
-    Lookup:
-      Tags:
-        - Name: demos.lambda-my-aws.io
-        - wildcard: "True"
-
-x-elbv2:
-  wordpress-lb:
-    Properties:
-      Scheme: internet-facing
-      Type: application
-    MacroParameters:
-      Ingress:
-        ExtSources:
-          - IPv4: 0.0.0.0/0
-            Name: ANY
-            Description: "ANY"
-    Listeners:
-      - Port: 80
-        Protocol: HTTP
-        DefaultActions:
-          - Redirect: HTTP_TO_HTTPS
-      - Port: 443
-        Protocol: HTTPS
-        Certificates:
-          - x-acm: wordpress-demo
-        Targets:
-          - name: wordpress:wordpress
-            access: /
-
-    Services:
-      - name: wordpress:wordpress
-        port: 8080
-        protocol: HTTP
-        healthcheck: 8080:HTTP:/:7:2:15:5
-
-
-# ECS Cluster settings
-
-
-x-cluster:
-  Properties:
-    CapacityProviders:
-      - FARGATE
-      - FARGATE_SPOT
-    ClusterName: demo
-    DefaultCapacityProviderStrategy:
-      - Base: 2
-        CapacityProvider: FARGATE_SPOT
-        Weight: 2
-      - CapacityProvider: FARGATE
-        Weight: 1
+      wordpress:
+        Access:
+          bucket: ListOnly
+          objects: RW
+x-sns:
+  alarms: {}

docker-compose.yml

@@ -6,10 +6,12 @@ version: '3.8'
 services:
   wordpress:
     image: public.ecr.aws/bitnami/wordpress:latest
+    x-docker_opts:
+      InterpolateWithDigest: true
     ports:
       - '80:8080'
       - '443:8443'
-    user: 1001
+    user: '1001'
 
 volumes:
   persistent:

requirements.txt

@@ -1 +1,2 @@
-ecs_composex=>0.13.0
+ecs_composex>=1.0
+