Saltar al contenido principal

Descripción General

Esta guía lo lleva a través de la implementación de CaseBender en AWS utilizando imágenes Docker precompiladas con Amazon ECS (Elastic Container Service) y Fargate.

Prerrequisitos

  1. Cuenta de AWS
  2. AWS CLI instalado y configurado
  3. Docker instalado

Paso 1: Configuración Inicial

Instalar y Configurar AWS CLI

# Usando Homebrew
brew install awscli

# Configurar AWS CLI

aws configure

# Configurar Docker para ECR

aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin $(aws sts get-caller-identity --query Account --output text).dkr.ecr.us-east-1.amazonaws.com

Paso 2: Configurar Infraestructura de AWS

Crear Bucket S3 para Almacenamiento

# Crear bucket S3
aws s3 create-bucket \
  --bucket casebender-storage \
  --region us-east-1

# Habilitar versionado (opcional)
aws s3api put-bucket-versioning \
  --bucket casebender-storage \
  --versioning-configuration Status=Enabled

# Crear usuario IAM para acceso S3
aws iam create-user --user-name casebender-storage-user

# Crear y adjuntar política
aws iam create-policy \
  --policy-name casebender-storage-policy \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::casebender-storage",
                "arn:aws:s3:::casebender-storage/*"
            ]
        }
    ]
}'

# Adjuntar política al usuario
aws iam attach-user-policy \
  --user-name casebender-storage-user \
  --policy-arn arn:aws:iam::SU_ID_DE_CUENTA:policy/casebender-storage-policy

# Crear claves de acceso
aws iam create-access-key --user-name casebender-storage-user

Crear una VPC

# Crear VPC
aws ec2 create-vpc \
  --cidr-block 10.0.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=casebender-vpc}]'

# Habilitar nombres de host DNS
aws ec2 modify-vpc-attribute \
  --vpc-id <vpc-id> \
  --enable-dns-hostnames

Crear Subredes

# Crear subredes públicas
aws ec2 create-subnet \
  --vpc-id <vpc-id> \
  --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=casebender-public-1a}]'

aws ec2 create-subnet \
  --vpc-id <vpc-id> \
  --cidr-block 10.0.2.0/24 \
  --availability-zone us-east-1b \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=casebender-public-1b}]'

Configurar RDS (PostgreSQL)

# Crear grupo de subredes de BD
aws rds create-db-subnet-group \
  --db-subnet-group-name casebender-db-subnet \
  --db-subnet-group-description "Grupo de subredes para CaseBender RDS" \
  --subnet-ids "<subnet-1-id>" "<subnet-2-id>"

# Crear instancia RDS
aws rds create-db-instance \
  --db-instance-identifier casebender-db \
  --db-instance-class db.t3.medium \
  --engine postgres \
  --master-username superadmin \
  --master-user-password <su-contraseña-segura> \
  --allocated-storage 20 \
  --db-subnet-group-name casebender-db-subnet

Configurar ElastiCache (Redis)

# Crear grupo de subredes de caché
aws elasticache create-cache-subnet-group \
  --cache-subnet-group-name casebender-cache-subnet \
  --cache-subnet-group-description "Grupo de subredes para CaseBender Redis" \
  --subnet-ids "<subnet-1-id>" "<subnet-2-id>"

# Crear clúster Redis
aws elasticache create-cache-cluster \
  --cache-cluster-id casebender-redis \
  --engine redis \
  --cache-node-type cache.t3.micro \
  --num-cache-nodes 1 \
  --cache-subnet-group-name casebender-cache-subnet

Paso 3: Crear Repositorios ECR

# Crear repositorios para cada servicio
aws ecr create-repository --repository-name casebender/app
aws ecr create-repository --repository-name casebender/workflow-processor
aws ecr create-repository --repository-name casebender/misp-processor

# Obtener el ID de cuenta de AWS
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)

# Extraer imágenes de CaseBender
docker pull casebender/casebender:latest
docker pull casebender/workflow-processor:latest
docker pull casebender/misp-processor:latest

# Etiquetar imágenes para ECR
docker tag casebender/casebender:latest ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/casebender/app:latest
docker tag casebender/workflow-processor:latest ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/casebender/workflow-processor:latest
docker tag casebender/misp-processor:latest ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/casebender/misp-processor:latest

# Subir imágenes a ECR
docker push ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/casebender/app:latest
docker push ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/casebender/workflow-processor:latest
docker push ${AWS_ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/casebender/misp-processor:latest

Paso 4: Crear Clúster ECS

# Crear clúster ECS
aws ecs create-cluster --cluster-name casebender-cluster

# Crear rol de ejecución de tarea
aws iam create-role \
  --role-name ecsTaskExecutionRole \
  --assume-role-policy-document file://task-execution-assume-role.json

# Adjuntar política
aws iam attach-role-policy \
  --role-name ecsTaskExecutionRole \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

Paso 5: Crear Definiciones de Tareas

Cree archivos JSON de definición de tareas para cada servicio: 
{
  "family": "casebender-app",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "cpu": "1024",
  "memory": "2048",
  "executionRoleArn": "arn:aws:iam::<aws-account-id>:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "name": "app",
      "image": "<aws-account-id>.dkr.ecr.us-east-1.amazonaws.com/casebender/app:latest",
      "portMappings": [
        {
          "containerPort": 3000,
          "protocol": "tcp"
        }
      ],
      "environment": [
        {
          "name": "POSTGRES_PRISMA_URL",
          "value": "postgresql://superadmin:password@casebender-db.xxxxx.region.rds.amazonaws.com:5432/casebender"
        },
        {
          "name": "REDIS_URL",
          "value": "redis://casebender-redis.xxxxx.region.cache.amazonaws.com:6379"
        }
      ],
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/casebender-app",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "ecs"
        }
      }
    }
  ]
}
Registre las definiciones de tareas: 
# Registrar definiciones de tareas
aws ecs register-task-definition --cli-input-json file://casebender-app-task.json
aws ecs register-task-definition --cli-input-json file://workflow-processor-task.json
aws ecs register-task-definition --cli-input-json file://misp-processor-task.json

Paso 6: Crear Servicios ECS

Crear Grupo de Seguridad

# Crear grupo de seguridad
aws ec2 create-security-group \
  --group-name casebender-sg \
  --description "Grupo de seguridad para servicios CaseBender" \
  --vpc-id <vpc-id>

# Permitir tráfico HTTP/HTTPS
aws ec2 authorize-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress \
  --group-id <security-group-id> \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0

Crear Balanceador de Carga

# Crear balanceador de carga
aws elbv2 create-load-balancer \
  --name casebender-alb \
  --subnets <subnet-1-id> <subnet-2-id> \
  --security-groups <security-group-id> \
  --type application

# Crear grupo objetivo
aws elbv2 create-target-group \
  --name casebender-app-tg \
  --protocol HTTP \
  --port 3000 \
  --vpc-id <vpc-id> \
  --target-type ip \
  --health-check-path /api/health

# Crear oyente
aws elbv2 create-listener \
  --load-balancer-arn <load-balancer-arn> \
  --protocol HTTP \
  --port 80 \
  --default-actions Type=forward,TargetGroupArn=<target-group-arn>

Crear Servicios

# Crear servicio para la aplicación principal
aws ecs create-service \
  --cluster casebender-cluster \
  --service-name casebender-app \
  --task-definition casebender-app \
  --desired-count 2 \
  --launch-type FARGATE \
  --network-configuration "awsvpcConfiguration={subnets=[<subnet-1-id>,<subnet-2-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}" \
  --load-balancers "targetGroupArn=<target-group-arn>,containerName=app,containerPort=3000"

# Crear servicio para el procesador de flujo de trabajo
aws ecs create-service \
  --cluster casebender-cluster \
  --service-name workflow-processor \
  --task-definition workflow-processor \
  --desired-count 1 \
  --launch-type FARGATE \
  --network-configuration "awsvpcConfiguration={subnets=[<subnet-1-id>,<subnet-2-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}"

# Crear servicio para el procesador MISP
aws ecs create-service \
  --cluster casebender-cluster \
  --service-name misp-processor \
  --task-definition misp-processor \
  --desired-count 1 \
  --launch-type FARGATE \
  --network-configuration "awsvpcConfiguration={subnets=[<subnet-1-id>,<subnet-2-id>],securityGroups=[<security-group-id>],assignPublicIp=ENABLED}"

Paso 7: Configurar DNS y SSL

Configurar Route 53

# Crear registro DNS
aws route53 change-resource-record-sets \
  --hosted-zone-id <hosted-zone-id> \
  --change-batch '{
    "Changes": [
      {
        "Action": "CREATE",
        "ResourceRecordSet": {
          "Name": "casebender.su-dominio.com",
          "Type": "A",
          "AliasTarget": {
            "HostedZoneId": "<load-balancer-hosted-zone-id>",
            "DNSName": "<load-balancer-dns-name>",
            "EvaluateTargetHealth": true
          }
        }
      }
    ]
  }'

Configurar SSL con ACM

# Solicitar certificado
aws acm request-certificate \
  --domain-name casebender.su-dominio.com \
  --validation-method DNS

# Añadir registro de validación a Route 53
# (Siga las instrucciones proporcionadas por ACM)

# Actualizar oyente para usar HTTPS
aws elbv2 create-listener \
  --load-balancer-arn <load-balancer-arn> \
  --protocol HTTPS \
  --port 443 \
  --certificates CertificateArn=<certificate-arn> \
  --default-actions Type=forward,TargetGroupArn=<target-group-arn>

Monitoreo y Mantenimiento

Configurar CloudWatch

# Crear panel de CloudWatch
aws cloudwatch put-dashboard \
  --dashboard-name CaseBender \
  --dashboard-body file://cloudwatch-dashboard.json

# Configurar alarmas
aws cloudwatch put-metric-alarm \
  --alarm-name casebender-cpu-high \
  --alarm-description "Alarma para uso alto de CPU" \
  --metric-name CPUUtilization \
  --namespace AWS/ECS \
  --statistic Average \
  --period 60 \
  --threshold 70 \
  --comparison-operator GreaterThanThreshold \
  --dimensions Name=ClusterName,Value=casebender-cluster Name=ServiceName,Value=casebender-app \
  --evaluation-periods 3 \
  --alarm-actions <sns-topic-arn>

Solución de Problemas

Problemas Comunes

  1. Errores de Conexión a Base de Datos:
    • Verifique los grupos de seguridad de RDS
    • Confirme que las credenciales sean correctas
    • Asegúrese de que la VPC y las subredes estén configuradas correctamente
  2. Problemas de Implementación de ECS:
    • Revise los registros de CloudWatch para mensajes de error
    • Verifique que las definiciones de tareas sean correctas
    • Confirme que los servicios tengan acceso a ECR
  3. Problemas de Balanceador de Carga:
    • Verifique las verificaciones de salud
    • Confirme que los grupos de seguridad permitan el tráfico
    • Revise la configuración de oyentes y grupos objetivo

Siguientes Pasos

  1. Configure respaldos automáticos para RDS
  2. Implemente un pipeline de CI/CD con AWS CodePipeline
  3. Configure Auto Scaling para los servicios ECS
  4. Implemente AWS WAF para protección adicional
I