make deployment more secure by logging out of hcp afterwards, update …

…readme
seroanalytics · Sep 3, 2024 · 4853be3 · 4853be3
1 parent 265d5c8
commit 4853be3
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 31 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 ![logo192](https://github.com/user-attachments/assets/a988b290-0a61-47bf-aea9-cf3c17183b9a)
 
-[![Project Status: Concept – Minimal or no implementation has been done yet, or the repository is only intended to be a limited example, demo, or proof-of-concept.](https://www.repostatus.org/badges/latest/concept.svg)](https://www.repostatus.org/#concept)
+[![Project Status: WIP – Initial development is in progress, but there has not yet been a stable, usable release suitable for the public.](https://www.repostatus.org/badges/latest/wip.svg)](https://www.repostatus.org/#wip)
 [![🔨 Build](https://github.com/seroanalytics/seroviz/actions/workflows/build.yml/badge.svg)](https://github.com/seroanalytics/seroviz/actions/workflows/build.yml)
 [![🔎 Test](https://github.com/seroanalytics/seroviz/actions/workflows/test.yml/badge.svg)](https://github.com/seroanalytics/seroviz/actions/workflows/test.yml)
 [![codecov](https://codecov.io/gh/seroanalytics/seroviz/graph/badge.svg?token=2DH6NUOXRe)](https://codecov.io/gh/seroanalytics/seroviz)
@@ -44,40 +44,67 @@ API JSON schema specifications. Generated types are saved into `src/generated.d.
 
 ## Deployment
 
+### Docker
 The app is deployed using a Dockerised `nginx` server which also proxies the `serovizr` API.
 See the [proxy/README.md](proxy/README.md) for details.
 
-To build this Docker image run `.scripts/build`. To push an image to DockerHub
-run `./scripts/push`. And to start a copy of the app locally with a self-signed SSL certificate
-run `./scripts/run`.
+* To build the Docker image run `.scripts/build`. 
+* To push an image to DockerHub run `./scripts/push`
+* To start a copy of the app locally with a self-signed SSL certificate run `./scripts/run`.
+
+### Secrets
+Secrets (at the moment this is just the real SSL private key and certificate) are stored in 
+HashiCorp Cloud Vault. To access the secrets in Vault, you need to create an account with [HashiCorp Cloud](https://portal.cloud.hashicorp.com/sign-in)
+and ask Alex to add you to the organization.
+
+To deploy the app, ensure that you have the `hcp` CLI installed on your machine.
+Installation instructions [here](https://developer.hashicorp.com/hcp/docs/cli/install).
+
+### Deploying the app
+The app is deployed onto an EC2 instance called `seroviz`. You will need to ask Alex for AWS console access, 
+and to add your IP to the inbound security rules for ssh access.
+
+Then
+1. Retrieve `hcp` service principal credentials by running *on your own machine* (after `hcp auth login`):
+    ```shell
+    hcp vs secrets open production_id --app=seroviz
+    hcp vs secrets open production_secret --app=seroviz
+    ```
+1. ssh onto the server
+1. navigate to the `seroviz` directory
+1. run:
+    ```shell
+    ./scripts/clear-docker.sh
+    ./scripts/deploy
+    ```
+
+    The `deploy` script will prompt you for the client id and secret from step 1.
+
+    You can also export these as environment variables which may be more convenient in case deployment fails
+    for any reason and has to be re-run:
+    ```shell
+    CLIENT_ID=<client_id>
+    CLIENT_SECRET=<client_secret>
+    ```
 
 ### Setting up a new EC2 instance
 (unless otherwise specified, all steps are run on the remote machine)
-
-* Install the `hcp cli` for secret retrieval by following the [instructions](https://developer.hashicorp.com/hcp/docs/cli/install)
-* On your own machine, install the `hcp cli` if you haven't already, and retrieve the production service principal id and secret, stored at `production_id` and `production_secret`. If using the the cli, the commands are:
-```shell
-hcp vs secrets open production_id --app=seroviz
-hcp vs secrets open production_secret --app=seroviz
-```
-* On the remote server, now login to `hcp` using these credentials:
-```shell
-hcp auth login --client-id=<client_id> --client_secret=<client_secret>
-```
 * Install `git`:
-```shell
-sudo yum -y install git
-```
-* Clone this Github repo using https:
-```shell
-git clone https://github.com/seroanalytics/seroviz.git
-```
-* Install Docker, following instructions [here](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/install-docker.html)
-* Run the `deploy` script in this repo:
-```shell
-cd seroviz
-./scripts/deploy
-```
+    ```shell
+    sudo yum -y install git
+    ```
+* Install Docker, following instructions [here](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/install-docker.html).
+* Install the `hcp cli` for secret retrieval by following the [instructions](https://developer.hashicorp.com/hcp/docs/cli/install) for Amazon Linux.
+* On your own machine, install the `hcp cli` if you haven't already, and retrieve the production service principal id and secret, stored at `production_id` and `production_secret`:
+    ```shell
+    hcp vs secrets open production_id --app=seroviz
+    hcp vs secrets open production_secret --app=seroviz
+    ```
+* On the remote server, clone this GitHub repo using https:
+    ```shell
+    git clone https://github.com/seroanalytics/seroviz.git
+    ```
+* Follow the instructions above to deploy the app
 
 ## Domain name
 The domain name `seroanalytics.org` is registered with NameCheap.

diff --git a/scripts/deploy b/scripts/deploy
@@ -1,12 +1,43 @@
 #!/usr/bin/env bash
-set -ex
+set -e
+
+trap cleanup ERR
+trap cleanup EXIT
+function cleanup() {
+  hcp auth logout
+}
+
+if [[ ! -v "CLIENT_ID" ]]; then
+    echo Please provide production client id from Vault.
+    echo -e To read this from Vault on another machine, run:
+    echo ""
+    echo -e "\t hcp vs secrets open production_id --app=seroviz"
+    echo ""
+    read -r CLIENT_ID
+fi
+
+if [[ ! -v "CLIENT_SECRET" ]]; then
+    echo Please provide production client secret from Vault
+    echo -e To read this from Vault on another machine, run:
+    echo ""
+    echo -e "\t hcp vs secrets open production_secret --app=seroviz"
+    echo ""
+    read -r CLIENT_SECRET
+fi
+
+hcp auth login --client-id="$CLIENT_ID" --client-secret="$CLIENT_SECRET"
 
 NETWORK=seroviz_nw
+TAG=seroanalytics/seroviz:main
+API_TAG=seroanalytics/serovizr:main
+
+docker pull $TAG
+docker pull $API_TAG
 
 docker network create $NETWORK
 
-docker run -d -p 8888:8888 --network=$NETWORK --name serovizr seroanalytics/serovizr:main
-docker run -d -p 80:80 -p 443:443 --network=$NETWORK --name seroviz seroanalytics/seroviz:main seroviz.seroanalytics.org
+docker run -d -p 8888:8888 --network=$NETWORK --name serovizr $API_TAG
+docker run -d -p 80:80 -p 443:443 --network=$NETWORK --name seroviz $TAG seroviz.seroanalytics.org
 
 TEMP_KEY=$(mktemp -q)
 hcp vs secrets open ssl_key --app seroviz --out-file=$TEMP_KEY