Skip to content

Commit

Permalink
feat(examples): Added examples for Spot Event Plugin Deployment
Browse files Browse the repository at this point in the history 
Adds python and TS examples that create a farm that has the requirements to use
Deadline's Spot Event Plugin.
  • Loading branch information
@grbartel
grbartel committed Oct 23, 2020
1 parent 90c83a4 commit 92cf41c
Show file tree
Hide file tree
Showing 23 changed files with 693 additions and 2 deletions.
4 changes: 3 additions & 1 deletion examples/deadline/All-In-AWS-Infrastructure-Basic/python/package/lib/storage_tier.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -126,7 +126,9 @@ def __init__(self, scope: Construct, stack_id: str, *, props: StorageTierDocDBPr
self,
'DocDBCluster',
instance_props=instance_props,
instances=len(self.availability_zones),
# TODO - For cost considerations this example only uses 1 Database instance.
# It is recommended that when creating your render farm you use at least 2 instances for redundancy.
instances=1,
master_user=Login(username='adminuser'),
backup=BackupProps(
# We recommend setting the retention of your backups to 15 days
Expand Down
4 changes: 3 additions & 1 deletion examples/deadline/All-In-AWS-Infrastructure-Basic/ts/lib/storage-tier.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,9 @@ export class StorageTierDocDB extends StorageTier {
vpcSubnets: { subnetType: SubnetType.PRIVATE },
instanceType: props.databaseInstanceType,
},
instances: this.availabilityZones.length,
// TODO - For cost considerations this example only uses 1 Database instance.
// It is recommended that when creating your render farm you use at least 2 instances for redundancy.
instances: 1,
masterUser: {
username: 'adminuser',
},
Expand Down
106 changes: 106 additions & 0 deletions examples/deadline/All-In-AWS-Infrastructure-SEP/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
# RFDK Sample Application - Deadline Spot Event Plugin

This is a sample RFDK application that deploys the basic infrastructure for a Deadline render farm. This application is structured in tiers, each representing a CloudFormation stack. The tiers are:

1. **Network Tier** - Foundational networking required by all components.
1. **Security Tier** - Contains resources that keep the render farm secure (e.g. certificates).
1. **Storage Tier** - Persistent storage (e.g. database, file system).
1. **Service Tier** - Business logic (e.g. central server, licensing).

Each deployment tier is deployed as a separate CloudFormation Stack, and is dependent upon the ones before it.
The main benefit of this deployment structure is that the later tiers can be brought down (i.e. stacks destroyed)
to save costs while keeping the earlier tiers. For instance, we could destroy the Service & Compute tiers to
reduce the cost to maintain the farm when we know it will be idle while retaining all of our data;
we could re-deploy the Service tierat a later date to restore service to exactly the same state we left it in.

---

_**Note:** This application is an illustrative example to showcase some of the capabilities of the RFDK. **It is not intended to be used for production render farms**, which should be built with more consideration of the security and operational needs of the system._

---

## Architecture

This sample application deploys a basic Deadline Render farm that is configured to use Deadlines [Spot Event Plugin](https://docs.thinkboxsoftware.com/products/deadline/10.1/1_User%20Manual/manual/event-spot.html). Below is a diagram of the architecture.

```
+-----------------------------------------------------------------------------+
| |
| Private Hosted Zone |
| |
| +-------------------------------------------------------------------------+ |
| | | |
| | VPC | |
| | | |
| | +------------------------------+ +-----------------------+ | |
| | | | | | | |
| | | Repository | | Render Queue | | |
| | | +--------------> | | |
| | | +----------+ +-------------+ | Backend | +-------------------+ | | |
| | | | | | | | API | | | | | |
| | | | Database | | File System | <--------------+ | RCS Fleet | | | |
| | | | | | | | | | | | | |
| | | +----------+ +-----+-------+ | | | +-------+ | | | |
| | | | | | | | ALB | | | | |
| | +------------------------------+ | | +---+---+ | | | |
| | | | | | | | | |
| | | | | +-----------+ | | | |
| | |Mounts | | | | | | | | |
| | |onto | | v v v | | | |
| | | | | +-++ ++-+ | | | |
| | +--------------+ | | | | ... | | | | | |
| | | - | | +--+ +--+ | | | |
| | | Bastion Host +---------------------> | | | | |
| | | | Can connect to | +-------------------+ | | |
| | +--------------+ +-----------------------+ | |
| +-------------------------------------------------------------------------+ |
+-----------------------------------------------------------------------------+
```

### Components

All components in the render farm live within a [VPC](https://aws.amazon.com/vpc/), which is within a [Private Hosted Zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html).

#### Repository

The Repository component contains the database and file system that store persistent data used by Deadline. These resources are initialized by the Deadline Repository installer. The database can either be [MongoDB](https://www.mongodb.com/) or [Amazon DocumentDB](https://aws.amazon.com/documentdb/).

#### Render Queue

The Render Queue component contains the fleet of [Deadline Remote Connection Server](https://docs.thinkboxsoftware.com/products/deadline/10.1/1_User%20Manual/manual/remote-connection-server.html) instances behind an [Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html). This acts as the central service for Deadline applications and is the only component that interacts with the Repository. When comparing this component to the "All in AWS Infrastructure - Basic" example it has been granted additional permissions in order to use the Spot Event Plugin.

#### Bastion Host

The Bastion Host is a `BastionHostLinux` construct that allows you to connect to the Render Queue if you would like to take a look at its state. It is not an essential component to the render farm, so it can be omitted without side effects, if desired. To connect to it, please refer to [Bastion Hosts CDK documentation](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-ec2-readme.html#bastion-hosts).

#### Spot Event Plugin Configurations

The Spot Event plugin requires additional Roles for both Deadline's Resource Tracker and the Spot Workers that are created and a Security Group to allow your Spot workers the ability to access the Render Queue.

## Best Practices

### VPC Flow Logs
We recommend enabling VPC Flow Logs for networks containing sensitive information. For example, in this application, we have enabled flow logs on the VPC created in the Network Tier. These logs capture information about the IP traffic going in and out of your VPC, which can be useful to detect malicious activity. For more information, see [VPC Flow Logs documentation](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html).

### VPC Network ACLs

Network ACLs act as a firewall for controlling traffic in or out of your VPC subnets. We recommend creating custom network ACLs on your VPC to restrict traffic so that only necessary traffic is allowed. The default network ACLs that are created with a new VPC allow all inbound and outbound traffic, whereas custom network ACLs deny all inbound and outbound traffic by default, unless rules are added that explicitly allow traffic. This is a security best-practice to help defend against malicious actions against your render farm. For more information, see [Network ACLs documentation](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html).

## Prerequisites

- The Spot Fleet Configuration requires an [Amazon Machine Image (AMI)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) with the Deadline Worker application installed. This AMI must have Deadline Installed and should be configured to connect to your repository. For additional information on setting up your AMI please see the [Spot Event Plugin Documentation](https://docs.thinkboxsoftware.com/products/deadline/10.1/1_User%20Manual/manual/event-spot.html).
- You have setup and configured the AWS CLI
- Your AWS account already has CDK bootstrapped in the desired region by running `cdk bootstrap`
- You must have NodeJS installed on your system
- You must have Docker installed on your system
- You must have Python 3.7+ installed on your system (Python app only)

## Typescript

[Continue to Typescript specific documentation.](ts/README.md)

## Python

[Continue to Python specific documentation.](python/README.md)
12 changes: 12 additions & 0 deletions examples/deadline/All-In-AWS-Infrastructure-SEP/python/.gitignore
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
*.swp
package-lock.json
__pycache__
.pytest_cache
.env
*.egg-info

# CDK asset staging directory
.cdk.staging
cdk.out
cdk.context.json
stage
53 changes: 53 additions & 0 deletions examples/deadline/All-In-AWS-Infrastructure-SEP/python/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
# RFDK Sample Application - Deadline Spot Event Plugin - Python

## Overview
[Back to overview](../README.md)

## Instructions

---
**NOTE**

These instructions assume that your working directory is `examples/deadline/All-In-AWS-Infrastructure-SEP/python/` relative to the root of the AWS-RFDK package.

---

1. Install the dependencies of the sample app:

```bash
pip install -r requirements.txt
```
2. Stage the Docker recipes for `RenderQueue`:

```bash
# Set this value to the version of RFDK your application targets
RFDK_VERSION=<version_of_RFDK>
# Set this value to the version of AWS Thinkbox Deadline you'd like to deploy to your farm. Deadline 10.1.9 and up are supported.
RFDK_DEADLINE_VERSION=<version_of_deadline>
npx --package=aws-rfdk@${RFDK_VERSION} stage-deadline \
--deadlineInstallerURI s3://thinkbox-installers/Deadline/${RFDK_DEADLINE_VERSION}/Linux/DeadlineClient-${RFDK_DEADLINE_VERSION}-linux-x64-installer.run \
--dockerRecipesURI s3://thinkbox-installers/DeadlineDocker/${RFDK_DEADLINE_VERSION}/DeadlineDocker-${RFDK_DEADLINE_VERSION}.tar.gz \
--output stage
```
3. Deploy all the stacks in the sample app:

```bash
cdk deploy "*"
```

4. Connect to your Render Farm and open up the Deadline Monitor.

5. Configure the Spot event plugin by following the directions in the [Spot Event Plugin documentation](https://docs.thinkboxsoftware.com/products/deadline/10.1/1_User%20Manual/manual/event-spot.html) with the following considerations:

Use the default security credentials by using turning "Use Local Credentials" to False and leaving both "Access Key ID" and "Secret Access Key" blank.
Ensure that the Region your Spot workers will be launched in is the same region as your CDK application.
When Creating your Spot Fleet Requests, set the IAM instance profile to "DeadlineSpotWorkerRole" and set the security group to "DeadlineSpotSecurityGroup".
Configure your instances to connect to the Render Queue by either creating your AMI after launching your app and preconfiguring the AMI or by setting up a userdata in the Spot Fleet Request. (see the Spot Event Plugin documentation for additional information on configuring this connection.)

6. Once you are finished with the sample app, you can tear it down by running:

```bash
cdk destroy "*"
```
3 changes: 3 additions & 0 deletions examples/deadline/All-In-AWS-Infrastructure-SEP/python/cdk.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{
"app": "python -m package.app"
}
Empty file added examples/deadline/All-In-AWS-Infrastructure-SEP/python/package/__init__.py
View file
Empty file.
Binary file added examples/deadline/All-In-AWS-Infrastructure-SEP/python/package/__init__.pyc
View file
Binary file not shown.
43 changes: 43 additions & 0 deletions examples/deadline/All-In-AWS-Infrastructure-SEP/python/package/app.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
#!/usr/bin/env python3

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

import os

from aws_cdk.core import (
App,
Environment
)

from .lib import (
sep_stack,
)

def main():
# ------------------------------
# Application
# ------------------------------
app = App()

if 'CDK_DEPLOY_ACCOUNT' not in os.environ and 'CDK_DEFAULT_ACCOUNT' not in os.environ:
raise ValueError('You must define either CDK_DEPLOY_ACCOUNT or CDK_DEFAULT_ACCOUNT in the environment.')
if 'CDK_DEPLOY_REGION' not in os.environ and 'CDK_DEFAULT_REGION' not in os.environ:
raise ValueError('You must define either CDK_DEPLOY_REGION or CDK_DEFAULT_REGION in the environment.')
env = Environment(
account=os.environ.get('CDK_DEPLOY_ACCOUNT', os.environ.get('CDK_DEFAULT_ACCOUNT')),
region=os.environ.get('CDK_DEPLOY_REGION', os.environ.get('CDK_DEFAULT_REGION'))
)
# ------------------------------
# Service Tier
# ------------------------------
sep_props = sep_stack.SEPStackProps(
docker_recipes_stage_path=os.path.join(os.path.dirname(os.path.realpath(__file__)), os.pardir, 'stage'),
)
service = sep_stack.SEPStack(app, 'SEPStack', props=sep_props, env=env)

app.synth()


if __name__ == '__main__':
main()
Empty file added examples/deadline/All-In-AWS-Infrastructure-SEP/python/package/lib/__init__.py
View file
Empty file.
126 changes: 126 additions & 0 deletions examples/deadline/All-In-AWS-Infrastructure-SEP/python/package/lib/sep_stack.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,126 @@
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

import typing
from dataclasses import dataclass

from aws_cdk.core import (
Construct,
Duration,
Stack,
StackProps
)
from aws_cdk.aws_ec2 import (
SecurityGroup,
Vpc,
)
from aws_cdk.aws_iam import (
ManagedPolicy,
Role,
ServicePrincipal
)
from aws_rfdk.deadline import (
RenderQueue,
Repository,
Stage,
ThinkboxDockerRecipes,
)


@dataclass
class SEPStackProps(StackProps):
"""
Properties for ServiceTier
"""
# The path to the directory where the staged Deadline Docker recipes are.
docker_recipes_stage_path: str


class SEPStack(Stack):
"""
The service tier contains all "business-logic" constructs
(e.g. Render Queue, UBL Licensing/License Forwarder, etc.).
"""

def __init__(self, scope: Construct, stack_id: str, *, props: SEPStackProps, **kwargs):
"""
Initialize a new instance of ServiceTier
:param scope: The scope of this construct.
:param stack_id: The ID of this construct.
:param props: The properties for this construct.
:param kwargs: Any kwargs that need to be passed on to the parent class.
"""
super().__init__(scope, stack_id, **kwargs)

# The VPC that all components of the render farm will be created in.
vpc = Vpc(
self,
'Vpc',
max_azs=2
)

recipes = ThinkboxDockerRecipes(
self,
'Image',
stage=Stage.from_directory(props.docker_recipes_stage_path)
)

repository = Repository(
self,
'Repository',
vpc=vpc,
version=recipes.version,
repository_installation_timeout=Duration.minutes(20)
)

render_queue = RenderQueue(
self,
'RenderQueue',
vpc=props.vpc,
version=recipes.version,
images=recipes.render_queue_images,
repository=repository,
# TODO - Evaluate deletion protection for your own needs. This is set to false to
# cleanly remove everything when this stack is destroyed. If you would like to ensure
# that this resource is not accidentally deleted, you should set this to true.
deletion_protection=False
)
# Adds the following IAM managed Policies to the Render Queue so it has the necessary permissions
# to run the Spot Event Plugin and launch a Resource Tracker:
# * AWSThinkboxDeadlineSpotEventPluginAdminPolicy
# * AWSThinkboxDeadlineResourceTrackerAdminPolicy
render_queue.add_sep_policies()

# Create the security group that you will assign to your workers
worker_security_group = SecurityGroup(
self,
'SpotSecurityGroup',
vpc=props.vpc,
allow_all_outbound=True,
security_group_name='DeadlineSpotSecurityGroup',
)
worker_security_group.connections.allow_to_default_port(
render_queue.endpoint
)

# Create the IAM Role for the Spot Event Plugins workers.
# Note: This Role MUST have a roleName that begins with "DeadlineSpot"
# Note: If you already have a worker IAM role in your account you can remove this code.
worker_iam_role = Role(
self,
'SpotWorkerRole',
assumed_by=ServicePrincipal('ec2.amazonaws.com'),
managed_policies= [ManagedPolicy.from_aws_managed_policy_name('AWSThinkboxDeadlineSpotEventPluginWorkerPolicy')],
role_name= 'DeadlineSpotWorkerRole',
)

# Creates the Resource Tracker Access role. This role is required to exist in your account so the resource tracker will work properly
# Note: If you already have a Resource Tracker IAM role in your account you can remove this code.
Role(
self,
'ResourceTrackerRole',
assumed_by=ServicePrincipal('lambda.amazonaws.com'),
managed_policies= [ManagedPolicy.from_aws_managed_policy_name('AWSThinkboxDeadlineResourceTrackerAccessPolicy')],
role_name= 'DeadlineResourceTrackerAccessRole',
)

1 change: 1 addition & 0 deletions examples/deadline/All-In-AWS-Infrastructure-SEP/python/requirements.txt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
-e .
25 changes: 25 additions & 0 deletions examples/deadline/All-In-AWS-Infrastructure-SEP/python/setup.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
import setuptools


with open("README.md") as fp:
long_description = fp.read()


setuptools.setup(
name="all_in_aws_infrastructure_sep",
version="0.0.1",

description="RFDK All In AWS Infrastructure SEP",
long_description=long_description,
long_description_content_type="text/markdown",

package_dir={"": "package"},
packages=setuptools.find_packages(where="package"),

install_requires=[
"aws-cdk.core==1.66.0",
"aws-rfdk==0.18.0"
],

python_requires=">=3.7",
)
Loading

0 comments on commit 92cf41c

Please sign in to comment.