--- # Copyright 2008-2020 Amazon.com, Inc. or its affiliates. All Rights Reserved. # This software is provided for demonstration purposes only and is not # maintained by the author. # This software should not be used for production use # without further testing and enhancement # This template will create a CentOS Linux server to process NASA DRL data # from AQUA, TERRA, SMPP AWSTemplateFormatVersion: "2010-09-09" Description: > Creates an EC2 instance and installs IPOPP Parameters: SSHCidrBlock: Description: The CIDR Block that the security group will allow ssh access to an instance. The CIDR Block has the form x.x.x.x/x. Type: String AllowedPattern : '((\d{1,3})\.){3}\d{1,3}/\d{1,2}' ConstraintDescription : must be a valid CIDR range of the form x.x.x.x/x, for example "10.0.0.0/16". Default: "1.1.1.1/32" SSHKeyName: Description: Name of the ssh key used to access ec2 hosts. Set this up ahead of time. Type: AWS::EC2::KeyPair::KeyName ConstraintDescription: must be the name of an existing EC2 KeyPair. Default: "" VpcId: Type: AWS::EC2::VPC::Id Description: VPC to launch instances in. SubnetId: Description: Subnet to launch instances in Type: AWS::EC2::Subnet::Id S3Bucket: Type: String Description: Will store software and data received from Satellites. InstanceType: Description: EC2 Instance Type Type: String Default: "m5.xlarge" AllowedValues: - m5.4xlarge - m5d.4xlarge - c5.4xlarge - c5d.4xlarge - m5.xlarge SatelliteName: Type: String Description: Used for data receiver task Default: "AQUA" AllowedValues: - AQUA IpoppPassword: Type: String Description: Password for the ipopp user, minimum length 8 chars, only alpha-numeric chars (upper/lower case), no special chars allowed Default: 'Ch4ng3MePl34s3' NoEcho: true AllowedPattern: "[A-Za-z0-9-]{8,}+" Mappings: # The relevant CENTOS7CLEAN amis depending on the region AmiMap: us-east-1: ami: ami-0affd4508a5d2481b us-east-2: ami: ami-01e36b7901e884a10 us-west-1: ami: ami-098f55b4287a885ba us-west-2: ami: ami-0bc06212a56393ee1 me-south-1: ami: ami-011c71a894b10f35b eu-west-1: ami: ami-0b850cf02cc00fdc8 eu-north-1: ami: ami-05788af9005ef9a93 ap-southeast-2: ami: ami-0b2045146eb00b617 Resources: # The EC2 instance assumes this role. InstanceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: Service: - "ec2.amazonaws.com" Action: - "sts:AssumeRole" Path: "/" ManagedPolicyArns: - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy - arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM # IAM policy providing the minimum S3 access required to the EC2 instance InstanceRoleS3Policy: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Version: "2012-10-17" Statement: - Action: - "s3:PutObject" - "s3:GetObject" - "s3:DeleteObjectVersion" - "s3:DeleteObject" Effect: Allow Resource: Fn::Join: - "" - - "arn:aws:s3:::" - !Ref S3Bucket - "/*" - Action: - "s3:ListBucket" Effect: Allow Resource: Fn::Join: - "" - - "arn:aws:s3:::" - !Ref S3Bucket Roles: - Ref: InstanceRole # The instance profile for your EC2 instance. GeneralInstanceProfile: Type: AWS::IAM::InstanceProfile DependsOn: InstanceRole Properties: Roles: - !Ref InstanceRole # The security group for your EC2 instance. InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: AWS Ground Station receiver instance security group. VpcId: !Ref VpcId SecurityGroupIngress: # Allow SSH access from the CIDR block specified in the parameters. - IpProtocol: tcp FromPort: 22 ToPort: 22 CidrIp: !Ref SSHCidrBlock ProcessorInstance: Type: AWS::EC2::Instance DependsOn: - InstanceSecurityGroup - GeneralInstanceProfile Properties: DisableApiTermination: false IamInstanceProfile: !Ref GeneralInstanceProfile ImageId: Fn::FindInMap: [AmiMap, Ref: "AWS::Region", ami] InstanceType: !Ref InstanceType KeyName: !Ref SSHKeyName NetworkInterfaces: - AssociatePublicIpAddress: true DeleteOnTermination: true DeviceIndex: 0 SubnetId: !Ref SubnetId GroupSet: - !Ref InstanceSecurityGroup BlockDeviceMappings: - DeviceName: /dev/sda1 Ebs: VolumeType: gp2 VolumeSize: 300 Tags: - Key: Name Value: Fn::Join: - "-" - - Processor - !Ref AWS::StackName UserData: Fn::Base64: Fn::Sub: - | #!/bin/bash exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 echo `date +'%F %R:%S'` "INFO: Logging Setup" >&2 echo "Installing pre-req software" yum update -y yum install -y epel-release yum install -y python-pip python-devel yum groupinstall -y 'development tools' yum install -y python3-pip echo "Pre-req software install finished" # Install AWS CLI for python 2 and 3 pip install --upgrade pip --user pip3 install --upgrade pip --user pip install awscli --upgrade --user pip3 install awscli --upgrade --user # Add /.local/bin to $PATH echo "export PATH=~/.local/bin:$PATH" >> ~/.bash_profile source ~/.bash_profile echo "AWS CLI install finished" echo "Getting IPOPP scripts" mkdir -p /opt/aws/groundstation/bin/ aws s3 cp s3://${S3Bucket}/software/IPOPP/ipopp-ingest.sh /opt/aws/groundstation/bin/ipopp-ingest.sh --region ${Region} aws s3 cp s3://${S3Bucket}/software/IPOPP/install-ipopp.sh /opt/aws/groundstation/bin/install-ipopp.sh --region ${Region} chmod +x /opt/aws/groundstation/bin/*.sh echo "Creating ipopp user" adduser ipopp sudo usermod -aG wheel ipopp echo "Updating nproc limit" echo "* soft nproc 65535" >> /etc/security/limits.d/20-nproc.conf echo "Install the AWSCLI for the ipopp user" runuser -l ipopp -c "pip3 install awscli --upgrade --user" echo "Installing Tiger VNC Server" yum groupinstall -y "Server with GUI" systemctl set-default graphical.target systemctl default -f --no-block yum install -y tigervnc-server echo "Setting ipopp user password" echo "ipopp:${IpoppPassword}" | chpasswd echo "Setting ipopp user vnc password" mkdir -p /home/ipopp/.vnc echo ${IpoppPassword} | vncpasswd -f > /home/ipopp/.vnc/passwd chown -R ipopp:ipopp /home/ipopp/.vnc chmod 0600 /home/ipopp/.vnc/passwd echo "Starting vncserver −xstartup bash" runuser -l ipopp -c "vncserver" echo "Adding vncserver to rc.local" echo "runuser -l ipopp -c \"vncserver\"" >> /etc/rc.local echo "IPOPP setup requires manual intervention. Please log into the processor instance via VNC and download the IPOPP software package from NASA DRL. Navigate to the DRL IPOPP download page (https://directreadout.sci.gsfc.nasa.gov/?id=dspContent&cid=304&type=software) and follow the instructions under the Installation heading. Refer to the Earth Observation Guide for further details." #echo "Starting IPOPP install" #/opt/aws/groundstation/bin/install-ipopp.sh ${SatelliteName} ${S3Bucket} ${IpoppPassword} #echo "Starting IPOPP Ingest" #runuser -l ipopp -c "/opt/aws/groundstation/bin/ipopp-ingest.sh ${SatelliteName} ${S3Bucket} | tee /opt/aws/groundstation/bin/ipopp-ingest.log 2>&1" - Region: !Ref AWS::Region