#Utillity sudo yum install jq unzip wget docker -y usermod -a -G docker ec2-user sudo service docker start curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" unzip awscliv2.zip sudo ./aws/install wget https://releases.hashicorp.com/consul/1.10.4/consul_1.10.4_linux_amd64.zip unzip consul_1.10.4_linux_amd64.zip EC2_INSTANCE_IP_ADDRESS=$(curl -s 169.254.169.254/latest/meta-data/local-ipv4) EC2_INSTANCE_ID=$(curl -s 169.254.169.254/latest/meta-data/instance-id) AWS_REGION=$(curl -s 169.254.169.254/latest/dynamic/instance-identity/document | jq -r '.region') mkdir -p /opt/consul/data mkdir -p /opt/consul/config #Consul initial setup cat << EOF > /opt/consul/config/consul-server.json { "advertise_addr": "${EC2_INSTANCE_IP_ADDRESS}", "client_addr": "0.0.0.0", "connect": { "enabled": true } } EOF docker run -d --net=host -p 8300:8300 -p 8301:8301 -p 8301:8301/udp -p 8302:8302 \ -p 8302:8302/udp -p 8400:8400 -p 8500:8500 -p 53:53/udp \ -v /opt/consul/data:/consul/data -v /opt/consul/config:/consul/config \ -v /var/run/docker.sock:/var/run/docker.sock \ -h $EC2_INSTANCE_ID --name consul-server -e CONSUL_ALLOW_PRIVILEGED_PORTS=1 \ -l service_name=consul-server public.ecr.aws/hashicorp/consul:1.10.4 agent -server \ -bootstrap-expect 1 -ui -config-file /consul/config/consul-server.json #Generate Consul CA ./consul tls ca create aws secretsmanager update-secret --secret-id $CONSUL_CA_SECRET_ARN \ --secret-string file://consul-agent-ca.pem \ --region $AWS_REGION #Generate Server certs ./consul tls cert create -server -dc dc1 sudo mkdir /opt/consul/certs sudo cp consul-agent-ca.pem /opt/consul/certs sudo cp dc1-server-consul-0-key.pem /opt/consul/certs sudo cp dc1-server-consul-0.pem /opt/consul/certs sudo tee /opt/consul/config/tls.json > /dev/null << EOF { "ports": {"https": 8501}, "verify_incoming_rpc": true, "verify_outgoing": true, "verify_server_hostname": true, "ca_file": "/consul/certs/consul-agent-ca.pem", "cert_file": "/consul/certs/dc1-server-consul-0.pem", "key_file": "/consul/certs/dc1-server-consul-0-key.pem", "auto_encrypt": { "allow_tls": true } } EOF #Generate gossip ./consul keygen > consul-agent-gossip.txt aws secretsmanager update-secret --secret-id $CONSUL_GOSSIP_SECRET_ARN \ --secret-string file://consul-agent-gossip.txt \ --region $AWS_REGION GOSSIP_SECRET=$(cat consul-agent-gossip.txt) sudo tee /opt/consul/config/consul-server.json > /dev/null << EOF { "advertise_addr": "$EC2_INSTANCE_IP_ADDRESS", "client_addr": "0.0.0.0", "connect": { "enabled": true }, "encrypt": "$GOSSIP_SECRET" } EOF #Restart Consul docker stop consul-server docker rm consul-server EC2_INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id) docker run -d --net=host -p 8300:8300 -p 8301:8301 -p 8301:8301/udp -p 8302:8302 \ -p 8302:8302/udp -p 8400:8400 -p 8500:8500 -p 53:53/udp \ -v /opt/consul/data:/consul/data \ -v /opt/consul/config:/consul/config \ -v /opt/consul/certs:/consul/certs \ -v /var/run/docker.sock:/var/run/docker.sock \ -h $EC2_INSTANCE_ID --name consul-server -e CONSUL_ALLOW_PRIVILEGED_PORTS=1 \ -l service_name=consul-server public.ecr.aws/hashicorp/consul:1.10.4 agent -server \ -bootstrap-expect 1 -ui -config-file /consul/config/consul-server.json