How to Deploy Signing Service To AWS

Install eb-cli

Follow these instructions to install AWS eb-cli.

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/eb-cli3-install.html

Clone the Repository

Clone this repository and cd to its directory in Terminal.

Add elasticbeanstalk config

Download the file elasticbeanstalk_config.zip, copy it to the root of the cloned repository folder, and unzip it. Inside will be a hidden folder called “.elasticbeanstalk” that contains configuration files.

Add required config values

Use a text editor such as TextEdit to open the file at: 

.elasticbeanstalk/saved_configs/signing_service_template.cfg.yml

This file will contain some configuration values that should remain unchanged as well as some that require a new value to be entered. The text ######### ENTER VALUE will be shown for each area that requires a new value. Remove ######### ENTER VALUE and replace it with new values as follows.

SECRET_KEY_BASE

Skip this step if a value has already been provided. Otherwise, generate a long secure value to use here. If Ruby on Rails is already installed, go to the repo root in Terminal and type rake secret | pbcopy to generate a secret key base and copy it to the pasteboard.

EMAIL_FROM_ADDRESS

Add an email address to display as the sender when the application sends email.

HOST_NAME

Enter the domain name to be used for the application. (This can be added or changed later if needed using AWS Console.)

EMAIL Service

Add values for an email service such as Mandrill. This can be skipped initially if needed.

MAIL_HOST
MAIL_USERNAME
MAIL_PASSWORD

Database

Enter a secure value for DBPassword. This is the password for the database that will be created.

If desired, also change DBUser to any valid value to use as the database user name, or leave the default value.

SSLCertificateArns

Use AWS Certificate Manager to create an SSL certificate. Copy the ARN for the certificate and paste it into this section.

Notification Endpoint

Add an email address to be notified for AWS application health monitoring events. 
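
A pre-flight check for the steps above, added here as an example and not part of this repository: it lists every key in the template that still holds the ######### ENTER VALUE placeholder and generates a random hex secret without needing Rails. The function names, the sample file, and the assumed "KEY: ######### ENTER VALUE" line layout are illustrative.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the saved configuration template.
# Function names and the sample file are constructed for illustration.
PLACEHOLDER='######### ENTER VALUE'

# Print "line:key" for each line still holding the placeholder.
# Returns 0 if none remain, 1 if any remain, 2 if the file is unreadable.
unfilled_values() {
  local file=$1
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  awk -v ph="$PLACEHOLDER" '
    index($0, ph) {
      key = $0
      sub(/:.*/, "", key)        # keep the text before the first colon
      gsub(/^[ \t-]+/, "", key)  # drop indentation and any list dash
      printf "%d:%s\n", NR, key
      found = 1
    }
    END { exit (found ? 1 : 0) }
  ' "$file"
}

# Hex secret from the kernel CSPRNG; 64 bytes gives 128 hex characters,
# the same length "rake secret" prints. Works without Rails installed.
gen_secret() {
  local bytes=${1:-64}
  head -c "$bytes" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Constructed sample laid out like an Elastic Beanstalk saved config
# (assumed layout: "KEY: ######### ENTER VALUE" on one line).
demo() {
  local tmp rc=0
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
OptionSettings:
  aws:elasticbeanstalk:application:environment:
    SECRET_KEY_BASE: ######### ENTER VALUE
    EMAIL_FROM_ADDRESS: signing@example.com
    HOST_NAME: ######### ENTER VALUE
  aws:rds:dbinstance:
    DBPassword: ######### ENTER VALUE
    DBUser: dbadmin
EOF
  unfilled_values "$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

demo || echo "placeholders remain: fill them in before running eb create"
```

To check the real file, run unfilled_values .elasticbeanstalk/saved_configs/signing_service_template.cfg.yml from the repo root; a non-zero exit status means a value is still missing.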

EB Init

In Terminal from the repo root, run the command eb init and follow prompts to select or create an SSH keypair. 

CodeCommit: no

Set up SSH: yes

Select a keypair: create new keypair called aws-eb or select an existing one.

IAM Roles

The Elastic Beanstalk configuration file references two standard AWS IAM roles used for permissions when deploying to Elastic Beanstalk. If Elastic Beanstalk has previously been used for the current AWS account, these IAM roles will already have been created and nothing further is needed. To confirm, go to the AWS web console, open the IAM section, click on Roles, and check that both of these roles are shown:

aws-elasticbeanstalk-ec2-role
aws-elasticbeanstalk-service-role

If these IAM roles do not exist, the easiest way to add them is to run the command below. This will create an environment for the application without specifying any configuration. After running this command, proceed immediately to the next section to create the real environment.

eb create temp-env

Create Environment

Press Control-C if needed to quit the eb create temp-env command above.

In Terminal from the repo root, run this command to create the environment: 

eb create signing-service-env --cfg signing_service_template

This will then run for about 15 minutes and create an environment for the application using the configuration template file. 

Once Terminal prints the output message saying it is safe to do so, press Control-C. Then run these commands:

eb use signing-service-env
eb console

Wait for environment creation to be completed.

EB Open

In Terminal, run the command eb open to open the application in a browser. Click through security warnings as needed to load the page, as initially there will be a mismatch between the app URL and the SSL certificate.

Once the application is loaded in a browser, sign in with initial credentials. These initial credentials are sent via email and must be changed on first login.

Enter the license key file provided and accept the user agreement. 

Click on Users to change the admin password and email address.

Remove temp-env

If temp-env was created as specified in the section for IAM Roles, it will need to be removed once the main app environment is confirmed. From the AWS web console, go to Elastic Beanstalk environments and find temp-env. On the page for temp-env, find the button toward the top right called Actions, then click Terminate environment. Enter the name temp-env when prompted to confirm.

Domain

Configure a domain for the application to resolve the SSL warnings. If the domain is managed in AWS Route 53, create an alias record pointing to an Elastic Beanstalk environment, and select the environment for this application.

SSH Access

In Terminal, run the command eb ssh to SSH to the instance if needed. The app content will be located at /var/app/current