protected configureMongoDb()

in packages/aws-rfdk/lib/core/lib/mongodb-instance.ts [542:614]


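  /**
   * Adds the user-data commands that install this construct's MongoDB configuration on
   * `instance`.
   *
   * The setup scripts for the requested MongoDB version are packaged as an S3 asset, downloaded on
   * first boot, and executed from a throw-away tmpfs mount so that the server certificate, private
   * key and passphrase fetched from Secrets Manager are never written to a persistent disk. The
   * instance's grant principal is given read access to the asset, to each certificate secret, and
   * to the admin credentials secret.
   *
   * @param instance The server whose user data and IAM principal are extended.
   * @param settings The MongoDB version to install and the server certificate to deploy.
   * @throws Error if `settings.serverCertificate.certChain` is not set; the setup script is invoked
   *   with the chain's secret ARN, so a missing chain cannot be deployed.
   */
  protected configureMongoDb(instance: StaticPrivateIpServer, settings: MongoDbApplicationProps) {
    // Fail fast, before any constructs or grants are created, rather than dereferencing an
    // undefined certChain further down with a non-null assertion.
    const cert = settings.serverCertificate;
    if (!cert.certChain) {
      throw new Error('MongoDbInstance: serverCertificate must include a certChain; the MongoDB setup scripts require the full certificate chain.');
    }
    const certChain = cert.certChain;

    // The scripts for exactly one MongoDB version are shipped as an asset and fetched on boot.
    const scriptsAsset = new Asset(this, 'MongoSetup', {
      path: path.join(__dirname, '..', 'scripts', 'mongodb', settings.version),
    });
    scriptsAsset.grantRead(instance.grantPrincipal);

    const scriptZipfile = instance.userData.addS3DownloadCommand({
      bucket: scriptsAsset.bucket,
      bucketKey: scriptsAsset.s3ObjectKey,
    });

    instance.userData.addCommands(
      // Ensure mongod is installed and stopped before we go any further
      'which mongod && test -f /etc/mongod.conf',
      'sudo service mongod stop',
      // We're going to make a temporary RAM filesystem for the mongo setup files.
      // This will let us write sensitive data to "disk" without worrying about it
      // being persisted in any physical disk, even temporarily.
      // NOTE(review): a fresh tmpfs mount gets the filesystem's default mode, not the
      // mode of the mktemp directory underneath it; consider adding `mode=0700` to the
      // mount options if no non-root step needs to read this directory — confirm.
      'MONGO_SETUP_DIR=$(mktemp -d)',
      'mkdir -p "${MONGO_SETUP_DIR}"',
      'sudo mount -t tmpfs -o size=50M tmpfs "${MONGO_SETUP_DIR}"',
      'pushd "${MONGO_SETUP_DIR}"',
      `unzip ${scriptZipfile}`,
      // Backup mongod.conf for now
      'cp /etc/mongod.conf .',
    );

    // Materialize the certificate, chain, key and passphrase from Secrets Manager into the tmpfs.
    instance.userData.addCommands(
      `bash serverCertFromSecrets.sh "${cert.cert.secretArn}" "${certChain.secretArn}" "${cert.key.secretArn}" "${cert.passphrase.secretArn}"`,
    );
    cert.cert.grantRead(instance.grantPrincipal);
    certChain.grantRead(instance.grantPrincipal);
    cert.key.grantRead(instance.grantPrincipal);
    cert.passphrase.grantRead(instance.grantPrincipal);

    // Single source of truth for the on-instance certificate location; every command below
    // refers to it so the path cannot drift between the mkdir/mv and the ownership/mode fixes.
    const certsDirectory = '/etc/mongod_certs';
    instance.userData.addCommands(
      // Move the certificates into place
      `sudo mkdir -p ${certsDirectory}`,
      `sudo mv ./ca.crt ./key.pem ${certsDirectory}`,
      `sudo chown root.mongod -R ${certsDirectory}/`, // Something weird about shell interpretation. Can't use '*' on this or next line.
      `sudo chmod 640 -R ${certsDirectory}/`,
      `sudo chmod 750 ${certsDirectory}/`, // Directory needs to be executable.
      // mongod user id might, potentially change on reboot. Make sure we own all mongo data
      `sudo chown mongod.mongod -R ${MongoDbInstance.MONGO_DEVICE_MOUNT_POINT}`,
      // We need yaml for some of our MongoDB configuration scripts
      'sudo yum install -y python3-PyYAML',
      // Configure mongod
      'bash ./setMongoLimits.sh',
      `bash ./setStoragePath.sh "${MongoDbInstance.MONGO_DEVICE_MOUNT_POINT}"`,
      // Auth is disabled only for the window in which the admin user is created below.
      'bash ./setMongoNoAuth.sh',
      'sudo service mongod start',
      // Ensure the mongo service started
      'sudo service mongod status',
      `bash ./setAdminCredentials.sh "${this.adminUser.secretArn}"`,
    );
    this.adminUser.grantRead(instance.grantPrincipal);

    instance.userData.addCommands(
      // Setup for live deployment, and start mongod
      'sudo service mongod stop',
      'bash ./setLiveConfiguration.sh',
      'sudo systemctl enable mongod', // Enable restart on reboot
      'sudo service mongod start',
      'popd',
    );

    instance.userData.addOnExitCommands(
      // Clean up the temporary RAM filesystem (runs on both success and failure of the user data)
      'test "${MONGO_SETUP_DIR}" != "" && sudo umount "${MONGO_SETUP_DIR}"',
    );
  }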