GSA · afeld · Sep 1, 2017 · Aug 29, 2017 · Aug 30, 2017 · Aug 30, 2017
diff --git a/README.md b/README.md
@@ -26,6 +26,12 @@ All configuration is code, and [all setup steps are documented](#setup). New env
 
 The code follows the [Don't Repeat Yourself (DRY)](https://en.wikipedia.org/wiki/Don%27t_repeat_yourself) principle. Values that need to be shared are passed around as variables, rather than being hard-coded in multiple places. This ensures configuration stays in sync.
 
+## Immutable deployment
+
+Once deployed, immutable resources should not be modified. The goal is to have as much of the infrastructure be immutable as possible, with regular backups of the mutable parts. EBS volumes where state is stored (like `wp-content/` for WordPress) and database are common mutable resources, EC2 instances and their root volumes should not be.
+
+For mutable resources, enable [deletion protection](https://www.terraform.io/docs/configuration/resources.html#prevent_destroy).
+
 ### Configuration travels "down"
 
 _Related to [DRY](#dry)._
@@ -44,6 +50,10 @@ WordPress has no idea that it's running on AWS, Ansible doesn't know it's runnin
 
 Give (internal) custom domains to services, rather than using the hostnames/IPs provided by AWS by default. In this repository, a custom DNS record is added in a [Private Hosted Zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html) in Route 53, pointing to the database - see [`terraform/dns.tf`](terraform/dns.tf). This helps with [service discovery](https://en.wikipedia.org/wiki/Service_discovery), because references to services (the database, in this case) can remain constant while the database can be recreated with a new IP, load-balanced, etc. See [this article](https://www.infoq.com/articles/rest-discovery-dns) for more information on this approach.
 
+### Disk
+
+* [Encryption](https://www.terraform.io/docs/providers/aws/r/ebs_volume.html#encrypted) is enabled
+
 ## Setup
 
 1. Set up the AWS CLI.
@@ -111,6 +121,8 @@ For initial or subsequent deployment:
     terraform apply
     ```
 
+Note that if the public IP address changes after you set up the site initially, you will need to [change the site URL](https://codex.wordpress.org/Changing_The_Site_URL#Changing_the_Site_URL) in WordPress.
+
 ## Troubleshooting
 
 To SSH into the running instance:

diff --git a/ansible/wordpress.yml b/ansible/wordpress.yml
@@ -4,6 +4,8 @@
 - hosts: all
   become: true
   vars:
+    apache_user: www-data
+    apache_group: "{{ apache_user }}"
     wp_install_dir: /usr/share/wordpress
     wp_content_dir: "{{ wp_install_dir }}/wp-content"
   tasks:
@@ -33,6 +35,17 @@
         src: config.php
         # https://superuser.com/a/559371/102684
         dest: /etc/wordpress/config-default.php
+        owner: "{{ apache_user }}"
+        group: "{{ apache_group }}"
+
+    # https://help.ubuntu.com/community/WordPress#Install_WordPress
+    - name: Fix permissions on WordPress directory
+      file:
+        path: "{{ wp_install_dir }}"
+        owner: "{{ apache_user }}"
+        group: "{{ apache_group }}"
+        state: directory
+        recurse: true
 
     - name: Configure Apache
       template:

diff --git a/terraform/ec2.tf b/terraform/ec2.tf
@@ -14,10 +14,14 @@ data "aws_ami" "wordpress" {
   owners = ["self"]
 }
 
+data "aws_subnet" "public" {
+  id = "${module.vpc.public_subnets[0]}"
+}
+
 resource "aws_instance" "wordpress" {
   ami = "${data.aws_ami.wordpress.id}"
   instance_type = "t2.micro"
-  subnet_id = "${module.vpc.public_subnets[0]}"
+  subnet_id = "${data.aws_subnet.public.id}"
   vpc_security_group_ids = ["${aws_security_group.wordpress_ec2.id}"]
   key_name = "${aws_key_pair.deployer.key_name}"
 
@@ -33,3 +37,8 @@ resource "aws_instance" "wordpress" {
     }
   }
 }
+
+resource "aws_eip" "public" {
+  instance = "${aws_instance.wordpress.id}"
+  vpc = true
+}
diff --git a/terraform/files/attach-data-volume.sh b/terraform/files/attach-data-volume.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# adapted from
+# https://github.com/hashicorp/terraform/issues/2740#issuecomment-288549352
+
+set -e
+set -x
+
+# note the name doesn't match the device_name in Terraform
+DEVICE=/dev/xvdf
+OWNER=www-data
+DEST=/usr/share/wordpress/wp-content
+OLDDEST=$DEST-old
+# if this directory is present, assume volume contains initial data
+CHECK_DIR=$DEST/themes
+
+devpath=$(readlink -f $DEVICE)
+
+if [[ $(sudo file -s $devpath) != *ext4* && -b $devpath ]]; then
+  # Filesystem has not been created. Create it!
+  sudo mkfs -t ext4 $devpath
+fi
+
+sudo mv $DEST $OLDDEST
+sudo mkdir -p $DEST
+
+# add to fstab if not present
+if ! egrep "^${devpath}" /etc/fstab; then
+  echo "$devpath $DEST ext4 defaults,nofail,noatime,nodiratime,barrier=0,data=writeback 0 2" | sudo tee -a /etc/fstab > /dev/null
+fi
+sudo mount $DEST
+
+sudo chown $OWNER:$OWNER $DEST
+sudo chmod 0775 $DEST
+
+# TODO: /etc/rc3.d/S99local to maintain on reboot
+echo deadline | sudo tee /sys/block/$(basename "$devpath")/queue/scheduler
+echo never | sudo tee /sys/kernel/mm/transparent_hugepage/enabled
+
+if [ ! -d "$CHECK_DIR" ]; then
+  # Copy initial content in.
+  # https://askubuntu.com/a/86891/501568
+  sudo cp -a $OLDDEST/. $DEST/
+fi
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
@@ -3,7 +3,7 @@ output "ssh_user" {
 }
 
 output "public_ip" {
-  value = "${aws_instance.wordpress.public_ip}"
+  value = "${aws_eip.public.public_ip}"
 }
 
 output "public_subnet_id" {
@@ -27,5 +27,5 @@ output "db_pass" {
 }
 
 output "url" {
-  value = "http://${aws_instance.wordpress.public_ip}/blog/"
+  value = "http://${aws_eip.public.public_ip}/blog/"
 }
diff --git a/terraform/rds.tf b/terraform/rds.tf
@@ -4,6 +4,7 @@ resource "aws_db_instance" "wordpress" {
   engine = "mysql"
   engine_version = "5.7.17"
   instance_class = "db.t2.micro"
+  copy_tags_to_snapshot = true
   # just for development
   skip_final_snapshot = true
 
@@ -13,4 +14,8 @@ resource "aws_db_instance" "wordpress" {
 
   db_subnet_group_name = "${module.vpc.database_subnet_group}"
   vpc_security_group_ids = ["${aws_security_group.wordpress_db.id}"]
+
+  lifecycle {
+    prevent_destroy = true
+  }
 }
diff --git a/terraform/volume.tf b/terraform/volume.tf
@@ -0,0 +1,26 @@
+resource "aws_ebs_volume" "wp_content" {
+  availability_zone = "${data.aws_subnet.public.availability_zone}"
+  type = "gp2"
+  size = 10
+  encrypted = true
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "aws_volume_attachment" "wp_content" {
+  device_name = "/dev/sdf"
+  volume_id = "${aws_ebs_volume.wp_content.id}"
+  instance_id = "${aws_instance.wordpress.id}"
+
+  # https://github.com/hashicorp/terraform/issues/2740#issuecomment-288549352
+  skip_destroy = true
+  provisioner "remote-exec" {
+    script = "files/attach-data-volume.sh"
+    connection {
+      user = "${var.ssh_user}"
+      host = "${aws_eip.public.public_ip}"
+    }
+  }
+}