This is a sample application for demonstration purposes only. It is a very simple application devoted to managing advertisements (actually, it doesn't allow deletion and update of ads). The idea is demonstrate Spring Cloud AWS capabilities. In order to run it, you need a minimum AWS configuration (see below).
The application allows users to create ads with a picture. Ads are stored in a RDS database in AWS. The project is configured to use MySQL, but that can be changed to use a different database (for instance, PostgreSQL). Pictures within ads are stored in a bucket in S3.
It also gets all necessary credentials to connect to a RDS database using AWS Secrets Manager for security purposes.
WARNING: These instructions allow you to run and test the application from within your development environment (i.e., without deploying it to AWS) using an RDS instance open to the world, which is something you should avoid in production.
First, create a security group that will be used to allow ingress connections from outside AWS. Whithin the security group just created, create a new access rule with the following configuration:
- Type: MySQL/Aurora
- Source: Anywhere
- CIDR: 0.0.0.0/0
Then, create an RDS instance, with these properties:
- Engine MySQL
- Type dev/test
- DB Instance Class: t2.micro
- Multizone AZ: no
- DB Instance identifier: springaws (we will provide this as app argument cloud.aws.rds.dbInstanceIdentifier)
- Master username: springaws (we will provide this as app argument cloud.aws.rds.springaws.username)
- Master password: (we will provide this as app argument cloud.aws.rds.springaws.password)
- Ensure Default VPC is enabled
- Ensure Publicly accessible is yes
- VPC security group: choose the security group previously created
- Database name: springaws
- Launch!!
Create an S3 bucket, name it spring-cloud-aws-sample and give read permissions to anonymous users. Just copy and paste this aws policy to enable anonymous read access:
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::spring-cloud-aws-sample/*"]
}
]
}
Create a new secret named as: /secrets-app/springaws_prod. You can insert your desired values but if you want to use the previously created RDS database just put the next key-values:
| Secret Key | Secret Value |
|---|---|
| cloud.aws.rds.dbInstanceIdentifier | springaws |
| cloud.aws.rds.springaws.password | my_secret |
| cloud.aws.rds.springaws.username | springaws |
| cloud.aws.rds.springaws.databaseName | springaws |
Note: I was unable to run new versions of spring-cloud-aws locally. It seems it tries always to perform some autoconfiguration assuming it is deployed on AWS, and as long as it doesn't find a valid instance id, it raises an exception and stops. What follows here is the approach that worked for version 0.0.1 of the tutorial, useless in version 0.1.0. If you have an idea of how this can be solved, please fill in an issue and I'll look into it.
Some configurations are required in your AWS account for this sample to work. Basically, an S3 bucket (by default spring-cloud-aws-sample is used, but it can be changed using cloud.aws.s3.bucket property), and an RDS MySQL instance open to the world. Additionally, we need an IAM user with access key and programmatic access to AWS API so that we can access AWS resources from our development machine.
- Enable programmatic access
- Generate an access key for the user
- Give the user the following permissions: ** AmazonS3FullAccess ** AmazonRDSFullAccess
Create an IAM role with the following properties:
- EC2 role (i.e., a role to be attached to EC2 instances)
- Policies:
- AmazonS3FullAccess
- AmazonRDSFullAccess
- SecretsManagerReadWrite
WARNING: It's a good practice to limit policies and not give all available permissions. We're selecting FullAccess as a proof of concept. Real deployment environments must have more restrictive policies.
It has been tested with an instance with the following properties:
- AMI: Ubuntu 18.04
- Type: t2.micro
- Storage: 20Gb
- Security group: choose or create one with ports 22 and 8080 opened
- Attach the IAM role created previously
Once the instance has been started, ssh'd into the machine and issue the following commands:
sudo apt-get update
sudo apt-get install openjdk-8-jre-headless
Then from your own machine, build the jar file and upload it to your EC2 instance:
mvn package -DskipTests
scp -i <your key> spring-cloud-aws-sample-0.2.0.jar ubuntu@<your ec2 ip>:/home/ubuntu/
The application has two different Spring Profiles for differents enviroments executions:
-
Development (dev):
This environment is for local development purposes. It does not use AWS Secrets Manager and get credentials from
application-dev.propertiesdirectly, but needs a RDS and a S3 up and running. -
Production (prod):
This environment gets credentials from AWS Secrets Manager. In this way, it is not necessary to put credentials in
application-prod.properties, preventing database credentials to be exposed.
For the impatient...
git clone https://github.com/codeurjc/spring-cloud-aws-sample
cd spring-cloud-aws-sample
mvn package
cd target
java -jar spring-cloud-aws-sample-0.0.1-SNAPSHOT.jar --cloud.aws.rds.dbInstanceIdentifier=springaws --cloud.aws.rds.springaws.password=<your pass> --cloud.aws.rds.springaws.username=springaws --cloud.aws.rds.springaws.databaseName=springaws --cloud.aws.credentials.accessKey="key" --cloud.aws.credentials.secretKey="secret"
If your EC2 instance has the appropriate role (see prerequisites above), and the jar file has been uploaded, the it can be run just by issuing:
java -jar spring-cloud-aws-sample-0.1.0-SNAPSHOT.jar --cloud.aws.rds.db-instance-identifier="springaws" --cloud.aws.rds.springaws.password="your rds password"