Update .ebextensions (add Cloudwatch agent & AWS Inspector) (metabase…

…#14718)

* Update .ebextensions to send memory usage to Cloudwatch and also install inspector agent to actively monitor threats. Added full Cloudwatch agent with metrics config, simplified config file. Fix metabase#9021

* Adding a few items to documentation

* Apply suggestions from code review

Co-authored-by: Jeff Bruemmer <[email protected]>

* Add a few more changes to finish this PR

Co-authored-by: Jeff Bruemmer <[email protected]>

bin/docker/run_metabase.sh

@@ -5,25 +5,6 @@ if [ -z "$MB_JETTY_HOST" ]; then
     export MB_JETTY_HOST=0.0.0.0
 fi
 
-
-# Metabase Database Info - this is just about what db the Metabase application uses for internal storage
-
-# AWS Elastic Beanstalk w/ RDS
-if [ ! -z "$RDS_HOSTNAME" ]; then
-    # EEK: this is a bit fragile.  if user picks a non-standard port for their db we are screwed :(
-    if [ "$MB_DB_PORT" == "3306" ]; then
-        export MB_DB_TYPE=mysql
-    else
-        export MB_DB_TYPE=postgres
-    fi
-
-    export MB_DB_DBNAME=$RDS_DB_NAME
-    export MB_DB_USER=$RDS_USERNAME
-    export MB_DB_PASS=$RDS_PASSWORD
-    export MB_DB_HOST=$RDS_HOSTNAME
-    export MB_DB_PORT=$RDS_PORT
-fi
-
 # Setup Java Options
 JAVA_OPTS="${JAVA_OPTS} -XX:+IgnoreUnrecognizedVMOptions"
 JAVA_OPTS="${JAVA_OPTS} -Dfile.encoding=UTF-8"

bin/release/src/release/elastic_beanstalk/.ebextensions/01_metabase.config

@@ -3,17 +3,15 @@
 # Modify the environmental variables below to customize your installation
 # Comment out a variable to disable a feature
 #####
-container_commands:
-    #customize_env:
-        #env:
-            #NGINX_FORCE_SSL: 1
-            #PAPERTRAIL_HOSTNAME: $HOSTNAME
-            #PAPERTRAIL_HOST: foobar.papertrailapp.com
-            #PAPERTRAIL_PORT: 12345
-            #PAPERTRAIL_FILES: /var/log/nginx/access.log /var/log/nginx/error.log
-        #command: true
-        #ignoreErrors: false
 
+files:
+    "/tmp/install" :
+        mode: "000755"
+        owner: root
+        group: root
+        source: https://inspector-agent.amazonaws.com/linux/latest/install
+
+container_commands:
     # do server_https first to avoid overwriting other config changes
     01_server_https:
         command: ".ebextensions/metabase_config/metabase-setup.sh server_https"
@@ -37,8 +35,28 @@ container_commands:
         command: "/sbin/service nginx restart"
         test: nginx -t
         ignoreErrors: false
+
+    06-install_inspector:
+        command: bash -x install -u false
+        cwd: /tmp/
+
+    07-install_cloudwatch_agent:
+        command: sudo yum install amazon-cloudwatch-agent -y
+
+    08-run_cloudwatch_agent:
+        command: sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:.ebextensions/metabase_config/cloudwatch/config.json -s
+
+    09-persist_env_vars:
+        command: /opt/elasticbeanstalk/bin/get-config environment | jq -r 'to_entries | .[] | "export \(.key)=\"\(.value)\""' > /etc/profile.d/sh.local
+
+    10_set_up_env_vars:
+        command: ".ebextensions/metabase_config/metabase-setup.sh set_up_env_vars"
+        ignoreErrors: true
 
-option_settings:
-  - namespace: aws:elasticbeanstalk:command
-    option_name: Timeout
-    value: 600
+#option_settings:
+#    aws:elasticbeanstalk:application:environment
+#        NGINX_FORCE_SSL=1
+#        PAPERTRAIL_HOSTNAME=$HOSTNAME
+#        PAPERTRAIL_HOST=foobar.papertrailapp.com
+#        PAPERTRAIL_PORT=12345
+#        PAPERTRAIL_FILES=/var/log/nginx/access.log /var/log/nginx/error.log

bin/release/src/release/elastic_beanstalk/.ebextensions/metabase_config/cloudwatch/config.json

@@ -0,0 +1,134 @@
+{
+    "agent": {
+      "metrics_collection_interval": 60
+    },
+    "metrics": {
+      "namespace": "Metabase",
+      "metrics_collected": {
+        "cpu": {
+          "measurement": [
+            "time_active", 
+            "time_guest", 
+            "time_guest_nice", 
+            "time_idle", 
+            "time_iowait", 
+            "time_irq", 
+            "time_nice", 
+            "time_softirq", 
+            "time_steal", 
+            "time_system", 
+            "time_user", 
+            "usage_active", 
+            "usage_guest", 
+            "usage_guest_nice", 
+            "usage_idle", 
+            "usage_iowait", 
+            "usage_irq", 
+            "usage_nice", 
+            "usage_softirq", 
+            "usage_steal", 
+            "usage_system", 
+            "usage_user"
+          ],
+          "totalcpu": false
+        },
+        "disk": {
+          "measurement": [
+            "free", 
+            "total", 
+            "used", 
+            "used_percent", 
+            "inodes_free", 
+            "inodes_used", 
+            "inodes_total"
+          ],
+           "ignore_file_system_types": [
+            "sysfs", "devtmpfs"
+          ]        },
+        "diskio": {
+          "measurement": [
+            "reads",
+            "writes",
+            "read_bytes", 
+            "write_bytes", 
+            "read_time", 
+            "write_time", 
+            "io_time", 
+            "iops_in_progress"
+          ]
+        },
+        "swap": {
+          "measurement": [
+            "free", 
+            "used", 
+            "used_percent"
+          ]
+        },
+        "mem": {
+          "measurement": [
+            "active", 
+            "available", 
+            "available_percent", 
+            "buffered", 
+            "cached", 
+            "free", 
+            "inactive", 
+            "total", 
+            "used", 
+            "used_percent"
+          ]
+        },
+        "net": {
+          "measurement": [
+            "bytes_sent", 
+            "bytes_recv", 
+            "drop_in", 
+            "drop_out", 
+            "err_in", 
+            "err_out", 
+            "packets_sent", 
+            "packets_recv"
+          ]
+        },
+        "netstat": {
+          "measurement": [
+            "tcp_close", 
+            "tcp_close_wait", 
+            "tcp_closing", 
+            "tcp_established", 
+            "tcp_fin_wait1", 
+            "tcp_fin_wait2", 
+            "tcp_last_ack", 
+            "tcp_listen", 
+            "tcp_none", 
+            "tcp_syn_sent", 
+            "tcp_syn_recv", 
+            "tcp_time_wait", 
+            "udp_socket"
+          ]
+        },
+        "processes": {
+          "measurement": [
+            "blocked", 
+            "dead", 
+            "idle", 
+            "paging", 
+            "running", 
+            "sleeping", 
+            "stopped", 
+            "total", 
+            "total_threads", 
+            "wait", 
+            "zombies"
+          ]
+        }
+      },
+      "append_dimensions": {
+        "ImageId": "${aws:ImageId}",
+        "InstanceId": "${aws:InstanceId}",
+        "InstanceType": "${aws:InstanceType}",
+        "AutoScalingGroupName": "${aws:AutoScalingGroupName}"
+      },
+      "aggregation_dimensions" : [["InstanceId"], ["InstanceType"], ["InstanceId","InstanceType"]]
+    }
+}

bin/release/src/release/elastic_beanstalk/.ebextensions/metabase_config/metabase-setup.sh

@@ -163,7 +163,27 @@ log_x_real_ip () {
     fi
 }
 
+set_up_env_vars () {
+    if [ ! -z "$RDS_HOSTNAME" ]; then
+    # EEK: this is a bit fragile.  if user picks a non-standard port for their db we are screwed :(
+        if [ "$RDS_PORT" == "3306" ]; then
+            export MB_DB_TYPE=mysql
+        else
+            export MB_DB_TYPE=postgres
+        fi
+
+        export MB_DB_DBNAME=$RDS_DB_NAME
+        export MB_DB_USER=$RDS_USERNAME
+        export MB_DB_PASS=$RDS_PASSWORD
+        export MB_DB_HOST=$RDS_HOSTNAME
+        export MB_DB_PORT=$RDS_PORT
+    fi
+}
+
 case $1 in
+set_up_env_vars)
+    set_up_env_vars
+    ;;
 server_https)
     server_https
     ;;
@@ -173,4 +193,4 @@ install_papertrail)
 log_x_real_ip)
     log_x_real_ip
     ;;
-esac
+esac

bin/start

@@ -66,22 +66,6 @@ if [ "$SPARKPOST_SMTP_USERNAME" ]; then
     export MB_EMAIL_SMTP_PASSWORD="$SPARKPOST_SMTP_PASSWORD"
 fi
 
-# AWS Elastic Beanstalk w/ RDS
-if [ ! -z "$RDS_HOSTNAME" ]; then
-    # EEK: this is a bit fragile.  if user picks a non-standard port for their db we are screwed :(
-    if [ "$RDS_PORT" == "3306" ]; then
-        export MB_DB_TYPE=mysql
-    else
-        export MB_DB_TYPE=postgres
-    fi
-
-    export MB_DB_DBNAME=$RDS_DB_NAME
-    export MB_DB_USER=$RDS_USERNAME
-    export MB_DB_PASS=$RDS_PASSWORD
-    export MB_DB_HOST=$RDS_HOSTNAME
-    export MB_DB_PORT=$RDS_PORT
-fi
-
 # Determine whether we're on Heroku on a free, hobby, 1x dyno or 2x dyno
 #
 # We set $HEROKU in the Procfile, so we know we're on Heroku when started from the

docs/operations-guide/advanced-topics-for-running-Metabase-in-AWS-ElasticBeanstalk.md

@@ -107,3 +107,17 @@ Once your application is working properly over HTTPS, we recommend setting an ad
 - Scroll down to `Software Configuration` under the _Web Tier_ section and click the gear icon to edit those settings.
 - Under `Environment Properties` add an entry for `NGINX_FORCE_SSL` with a value of `1`.
 - Scroll to the bottom of the page and click `Apply` in the lower right, then wait for your application to update.
+
+# RAM usage monitoring
+
+Metabase installs the CloudWatch agent into the Elastic Beanstalk deployment, which sends data about your deployment to CloudWatch, allowing you to track your Metabase's RAM usage and other metrics.
+
+To set up CloudWatch for your Elastic Beanstalk environment, follow the steps in the AWS documentation to [grant permissions to publish CloudWatch metrics](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-cw.html#customize-containers-cw-policy).
+
+# Automated security assessment
+
+Metabase installs the AWS Inspector into the Elastic Beanstalk deployment, so you can have real-time assessments about your instance's security that you can integrate into other AWS products. To start the automated checks on your instance, you only need to enable the Inspector in AWS's console.
+
+# About NGINX configs inside Elastic Beanstalk deployments
+
+In the near future we will be removing the custom NGINX configuration that was being bundled with Metabase in the previous configurations, so in the case that you were using configurations like NGINX_FORCE_SSL or custom certificates, you will need to move these configurations to AWS Application Load Balancers. To do this, check out the [enabling VPC](https://www.metabase.com/docs/latest/operations-guide/running-metabase-on-elastic-beanstalk.html#22-enabling-vpc) part of the Elastic Beanstalk guide where it's specified how to use an Application Load Balancer with your Elastic Beanstalk configuration, or otherwise start over the creation of your Elastic Beanstalk deployment [having made a backup first](backing-up-metabase-application-data.html) of your application database so you don't lose your Metabase configuration.

docs/operations-guide/running-metabase-on-elastic-beanstalk.md

@@ -33,7 +33,7 @@ If you would like a reliable, scalable and fully managed Metabase, please consid
 
 ## Quick Launch
 
-Download the [Metabase AWS source bundle file](https://downloads.metabase.com/{{ site.latest_version }}/metabase-aws-eb.zip) to upload to Elastic Beanstalk.
+Download the [Metabase Community Edition AWS source bundle file](https://downloads.metabase.com/{{ site.latest_version }}/metabase-aws-eb.zip) to upload to Elastic Beanstalk. 
 
 Metabase provides several pre-configured Elastic Beanstalk launch URLs to help you get started. Open one of the links below in a new tab to create an Elastic Beanstalk deployment with a few choices pre-filled. Then just follow the step-by-step instructions below to complete your installation. 
 
@@ -103,6 +103,8 @@ Click on the `Edit` link under the Load Balancer section as seen here:
 
 ![Elastic Beanstalk Monitoring](images/EBLoadBalancerEdit.png)
 
+Select `Application Load Balancer` in the ***Load Balancer type*** if not already selected.
+
 In the **Processes** section, select the default process and click on `Actions` → Edit.
 
 ![Elastic Beanstalk Monitoring Process](images/EBProcessesSection.png)
@@ -135,7 +137,7 @@ Now go to the Capacity section and click **Edit**.
 
 ![Elastic Beanstalk Networking configuration](images/EBCapacity.png)
 
-The only change you need to do here is to reduce the number of Instances from 4 (the default number) to 1, as we still haven't created a centralized database where Metabase will save all of its configurations and will be using only the embedded H2 database which lives __inside__ the Metabase container and [is *not recommended* for production workloads](https://www.metabase.com/docs/latest/operations-guide/configuring-application-database.html) as there will be no way to backup and maintain that database. **When your instance is restarted for any reason you'll lose all your Metabase data**. If you are just doing a quick trial of Metabase that may be okay but otherwise you would like to start [creating your database engine in RDS separately](creating-RDS-database-on-AWS.html) or deploy one a separate server.
+The only change you need to do here is to reduce the number of Instances from 4 (the default number) to 1, as we still haven't created a centralized database where Metabase will save all of its configurations and will be using only the embedded H2 database which lives __inside__ the Metabase container and [is *not recommended* for production workloads](configuring-application-database.html) as there will be no way to backup and maintain that database. **When your instance is restarted for any reason you'll lose all your Metabase data**. If you are just doing a quick trial of Metabase that may be okay but otherwise you would like to start [creating your database engine in RDS separately](creating-RDS-database-on-AWS.html) or deploy one a separate server. You can take a look at the [Metabase at Scale](https://www.metabase.com/learn/data-diet/analytics/metabase-at-scale.html) article we wrote about how you can build redundant and scalable Metabase architectures.
 
 ![Elastic Beanstalk Networking configuration](images/EBCapacityModified.png)