VPC CIDR for Datastores / Private Networking Toggle #690

Closed
wants to merge 6 commits into from

Contributor

@nzoschke nzoschke commented May 26, 2016

Fixes #637

  • Make the VPCCIDR setting available in the API environment
  • Pass VPCCIDR as a datastore stack parameter on convox services create
  • Pass all network settings as stack parameters on convox services update

Demo - Test Redis Connectivity

Here is a simple way to test Redis connectivity before, during, or after the network configuration:

$ convox apps
APP           STATUS 
httpd         running
httpd-old     running
simple-rails  running

$ convox services
NAME           TYPE     STATUS 
convox-events  webhook  running
redis-4778     redis    running
syslog-7504    syslog   running

$ convox services info redis-4778
Name    redis-4778
Status  running
Exports
  URL: redis://cor17unwsff8a40p.u0cje2.ng.0001.use1.cache.amazonaws.com:6379/0

$ convox run web bash --app httpd
root@081a7bc0282c:/usr/local/apache2# apt-get update && apt-get install -y redis-tools
...
Setting up redis-tools (2:2.8.17-1+deb8u3) ...

root@9f50bcced498:/usr/local/apache2# redis-cli -h cor17unwsff8a40p.u0cje2.ng.0001.use1.cache.amazonaws.com PING
PONG

Release Playbook

  • Rebase against master
  • Release branch ()
  • Pass CI ()
  • Code review
  • Merge into master
  • Release master ()
  • Pass CI ()
  • Update staging rack
  • Edit Rack release record and/or update docs
  • Publish release
  • Release CLI

@nzoschke
Contributor Author

This is not working as hoped. Changes to the VPC CIDR and Subnets roll back with:

11:26:16 UTC-0700 UPDATE_ROLLBACK_IN_PROGRESS AWS::CloudFormation::Stack convox The following resource(s) failed to update: [GatewayAttachment].
Physical ID:arn:aws:cloudformation:us-east-1:132866487567:stack/convox/826bdce0-b30a-11e5-89a2-500c2866f062
11:26:15 UTC-0700 UPDATE_FAILED AWS::EC2::VPCGatewayAttachment GatewayAttachment Network vpc-f8006b9c has some mapped public address(es). Please unmap those public address(es) before detaching the gateway.
Physical ID:convo-Gatew-174RZJJHGB2YW

@nzoschke nzoschke changed the title VPC CIDR for Datastores WIP: VPC CIDR for Datastores May 26, 2016
@nzoschke
Contributor Author

There are a couple issues conflated here, starting to unwind that.

Unfortunately changing CIDR parameters on the fly isn't possible right now due to a pretty gnarly VPC / CloudFormation technicality. I hope someday this workflow is possible, but it isn't yet:

Demo

# Pull down the API bugfixes, and watch until the update is complete
$ convox rack update 
$ watch convox ps --app convox

# Report current network settings
$ convox rack params | grep CIDR
Subnet0CIDR          10.0.1.0/24                         
Subnet1CIDR          10.0.2.0/24                         
Subnet2CIDR          10.0.3.0/24                         
SubnetPrivate0CIDR   10.0.4.0/24                         
SubnetPrivate1CIDR   10.0.5.0/24                         
SubnetPrivate2CIDR   10.0.6.0/24                         
VPCCIDR              10.0.0.0/16      

# Update network settings. 
# This starts a maintenance window while the automated VPC and instance replacement carries out.
# Apps will not be able to connect to convox data services due to security group misalignment.
$ convox rack params set           \
  Subnet0CIDR=10.101.1.0/24        \
  Subnet1CIDR=10.101.2.0/24        \
  Subnet2CIDR=10.101.3.0/24        \
  SubnetPrivate0CIDR=10.101.4.0/24 \
  SubnetPrivate1CIDR=10.101.5.0/24 \
  SubnetPrivate2CIDR=10.101.6.0/24 \
  VPCCIDR=10.101.0.0/16

# Update datastores. This will restore app datastore connectivity and end the maintenance window.
$ convox services update myredis
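
A pre-flight check for the `convox rack params set` step in the demo above, as an added example that is not part of this pull request or of Convox. It parses the `convox rack params | grep CIDR` output, applies the planned `KEY=CIDR` changes, and reports subnets that fall outside the new VPCCIDR or overlap each other. The function names are hypothetical, and `outside_old_vpc` assumes a datastore still holds the VPCCIDR it was last passed until `convox services update` runs.

```python
import ipaddress

# Constructed sample: the `convox rack params | grep CIDR` output from the demo.
CURRENT_PARAMS = """\
Subnet0CIDR          10.0.1.0/24
Subnet1CIDR          10.0.2.0/24
Subnet2CIDR          10.0.3.0/24
SubnetPrivate0CIDR   10.0.4.0/24
SubnetPrivate1CIDR   10.0.5.0/24
SubnetPrivate2CIDR   10.0.6.0/24
VPCCIDR              10.0.0.0/16
"""

def parse_params(text):
    """Parse 'Name  value' lines into {name: ip_network}."""
    params = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0].endswith("CIDR"):
            # strict=True rejects values with host bits set, e.g. 10.0.1.5/24
            params[fields[0]] = ipaddress.ip_network(fields[1], strict=True)
    return params

def check_plan(current, changes):
    """Merge KEY=CIDR changes into current params; return (merged, problems)."""
    merged, problems = dict(current), []
    for item in changes:
        key, _, value = item.partition("=")
        try:
            if key not in current:
                raise ValueError("unknown parameter")
            merged[key] = ipaddress.ip_network(value, strict=True)
        except ValueError as err:
            problems.append(f"{key}: {err}")
    vpc = merged["VPCCIDR"]
    subnets = sorted((k, n) for k, n in merged.items() if k != "VPCCIDR")
    for i, (key, net) in enumerate(subnets):
        if not net.subnet_of(vpc):
            problems.append(f"{key} {net} is outside VPCCIDR {vpc}")
        for other_key, other in subnets[i + 1:]:
            if net.overlaps(other):
                problems.append(f"{key} {net} overlaps {other_key} {other}")
    return merged, problems

def outside_old_vpc(current, merged):
    """Planned subnets that the pre-change VPCCIDR does not cover."""
    old = current["VPCCIDR"]
    return sorted(k for k, n in merged.items()
                  if k != "VPCCIDR" and not n.subnet_of(old))
```

An empty `problems` list means the plan is internally consistent; a non-empty `outside_old_vpc` result names the subnets to re-test with `redis-cli ... PING` after the datastore update.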

@nzoschke nzoschke changed the title WIP: VPC CIDR for Datastores VPC CIDR for Datastores May 27, 2016
@nzoschke nzoschke changed the title VPC CIDR for Datastores VPC CIDR for Datastores / Private Networking Toggle May 27, 2016
@nzoschke nzoschke mentioned this pull request May 27, 2016
14 tasks
@nzoschke
Contributor Author

Closing and merging on #695

@nzoschke nzoschke closed this May 27, 2016
@ddollar ddollar deleted the vpccidr branch June 30, 2016 03:02