chore: Created sample Typescript app that deploys everything in RFDK (#21)

Author: jericht

examples/kitchen-sink/.gitignore examples/deadline/All-In-AWS-Infrastructure-Basic/ts/.gitignore

@@ -3,9 +3,6 @@
 cdk.out
 cdk.context.json
 
-# Ignore package tarball
-kitchen-sink-*.tgz
-
 # Used by nyc
 .nyc_output
 coverage
@@ -20,4 +17,4 @@ dist
 !license-header.js
 
 # The staged files for Deadline
-stage
+stage

examples/kitchen-sink/.npmignore examples/deadline/All-In-AWS-Infrastructure-Basic/ts/.npmignore

@@ -0,0 +1,186 @@
+# RFDK Sample Application - Deadline
+
+This is a sample RFDK application that deploys the basic infrastructure for a Deadline render farm. This application is structured in tiers, each representing a CloudFormation stack. The tiers are:
+
+1. **Network Tier** - Foundational networking required by all components.
+1. **Security Tier** - Contains resources that keep the render farm secure (e.g. certificates).
+1. **Storage Tier** - Persistent storage (e.g. database, file system).
+1. **Service Tier** - Business logic (e.g. central server, licensing).
+1. **Compute Tier** - Compute power to render jobs.
+
+Each deployment tier is deployed as a separate CloudFormation Stack, and is dependent upon the ones before it. 
+The main benefit of this deployment structure is that the later tiers can be brought down (i.e. stacks destroyed)
+to save costs while keeping the earlier tiers. For instance, we could destroy the Service & Compute tiers to 
+reduce the cost to maintain the farm when we know it will be idle while retaining all of our data;
+we could re-deploy the Service & Compute tiers at a later date to restore service to exactly the same state we left it in.
+
+## Architecture
+
+This sample application deploys a basic Deadline Render farm using Usage-Based Licensing. Below is a diagram of the architecture.
+
+```
++------------------------------------------------------------------------------------------------------------------------+
+|                                                                                                                        |
+| Private Hosted Zone                                                                                                    |
+|                                                                                                                        |
+| +--------------------------------------------------------------------------------------------------------------------+ |
+| |                                                                                                                    | |
+| |  VPC                                                                                                               | |
+| |                                                                                                                    | |
+| | +------------------------------+              +-----------------------+            +-----------------------------+ | |
+| | |                              |              |                       |            |                             | | |
+| | |         Repository           |              |     Render Queue      |            |    Usage-Based Licensing    | | |
+| | |                              +-------------->                       +------------>                             | | |
+| | | +----------+ +-------------+ |   Backend    | +-------------------+ |  Deadline  | +-------------------------+ | | |
+| | | |          | |             | |     API      | |                   | |    API     | |                         | | | |
+| | | | Database | | File System | <--------------+ |     RCS Fleet     | <------------+ | License Forwarder Fleet | | | |
+| | | |          | |             | |              | |                   | |            | |                         | | | |
+| | | +----------+ +-----+-------+ |              | |     +-------+     | |            | |        +-------+        | | | |
+| | |                    |         |              | |     |  ALB  |     | |            | |        |  ALB  |        | | | |
+| | +------------------------------+              | |     +---+---+     | |            | |        +---+---+        | | | |
+| |                      |                        | |         |         | |            | |            |            | | | |
+| |                      |                        | |   +-----------+   | |            | |      +-----------+      | | | |
+| |                      |                        | |   |     |     |   | |            | |      |     |     |      | | | |
+| |                      |Mounts                  | |   v     v     v   | |            | |      v     v     v      | | | |
+| |                      |onto                    | | +-++         ++-+ | |            | |    +-++         ++-+    | | | |
+| |                      |                        | | |  |   ...   |  | | |            | |    |  |   ...   |  |    | | | |
+| |                      |                        | | +--+         +--+ | |            | |    +--+         +--+    | | | |
+| |                      |                   +----> |                   | |            | |                         | | | |
+| |                      |                   |    | +-------------------+ |            | +-------------------------+ | | |
+| |          +-----------v--+                |    |                       |            |                             | | |
+| |          |              +----------------+    +-----^--------+--------+            +------^--------+-------------+ | |
+| |          | Bastion Host |  Can connect to           |        |                            |        |               | |
+| |          |              |                           |        |                            |        |               | |
+| |          +------------+-+                           |Deadline|                            |        |               | |
+| |                       |                             |  API   |                            |        |               | |
+| |                       |                             |        |                            |  Get   |               | |
+| |                       |                             |        |                            |Licenses|               | |
+| |                       |                           +-+--------v--------+                   |        |               | |
+| |                       |                           |                   |                   |        |               | |
+| |                       |                           |   Worker Fleet    |                   |        |               | |
+| |                       |  Can connect to           |                   |                   |        |               | |
+| |                       +--------------------------->     +-------+     +-------------------+        |               | |
+| |                                                   |     |  ALB  |     |                            |               | |
+| |                                                   |     +---+---+     <----------------------------+               | |
+| |                                                   |         |         |                                            | |
+| |                                                   |   +-----------+   |              +----------------+            | |
+| |                                                   |   |     |     |   |              |                |            | |
+| |                                                   |   v     v     v   |              | Health Monitor |            | |
+| |                                                   | +-++         ++-+ |              |                |            | |
+| |                                                   | |  |   ...   |  | |    Monitors  |   +-------+    |            | |
+| |                                                   | +--+         +--+ <--------------+   |  NLB  |    |            | |
+| |                                                   |                   |              |   +-------+    |            | |
+| |                                                   +-------------------+              |                |            | |
+| |                                                                                      +----------------+            | |
+| |                                                                                                                    | |
+| +--------------------------------------------------------------------------------------------------------------------+ |
+|                                                                                                                        |
++------------------------------------------------------------------------------------------------------------------------+
+
+```
+
+### Components
+
+All components in the render farm live within a [VPC](https://aws.amazon.com/vpc/), which is within a [Private Hosted Zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html).
+
+#### Repository
+
+The Repository component contains the database and file system that store persistent data used by Deadline. These resources are initialized by the Deadline Repository installer. The database can either be [MongoDB](https://www.mongodb.com/) or [Amazon DocumentDB](https://aws.amazon.com/documentdb/).
+
+#### Render Queue
+
+The Render Queue component contains the fleet of [Deadline Remote Connection Server](https://docs.thinkboxsoftware.com/products/deadline/10.1/1_User%20Manual/manual/remote-connection-server.html) instances behind an [Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html). This acts as the central service for Deadline applications and is the only component that interacts with the Repository.
+
+#### Usage-Based Licensing
+
+The Usage-Based Licensing component contains the fleet of [Deadline License Forwarder](https://docs.thinkboxsoftware.com/products/deadline/10.1/1_User%20Manual/manual/license-forwarder.html) instances behind an [Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html). This provides [usage-based licenses](https://docs.thinkboxsoftware.com/products/deadline/10.1/1_User%20Manual/manual/licensing-usage-based.html) to Deadline Workers that are rendering jobs and communicates with the Render Queue to store/retrieve licensing information.
+
+#### Worker Fleet
+
+The Worker Fleet component contains the fleet of [Deadline Worker](https://docs.thinkboxsoftware.com/products/deadline/10.1/1_User%20Manual/manual/worker.html) instances behind an [Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html). These are the compute power of the render farm that perform render jobs. They communicate with the Render Queue to carry out render jobs and with the Usage-Based Licensing component to obtain any licenses required for the jobs.
+
+#### Health Monitor
+
+The Health Monitor component contains a [Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html) used to perform application-level health checks on the Worker Fleet instances. These health checks ensure that the Deadline Worker application is operating properly. In the event that the Worker Fleet is deemed unhealthy, the Health Monitor will scale down the Worker Fleet to 0 to prevent unnecessary cost accrual.
+
+#### Bastion Host
+
+The Bastion Host is a `BastionHostLinux` construct that allows you to connect to the Render Queue and Worker Fleet if you would like to take a look at the state of these components. It is not an essential component to the render farm, so it can be omitted without side effects, if desired. To connect to it, please refer to [Bastion Hosts CDK documentation](https://docs.aws.amazon.com/cdk/api/latest/docs/aws-ec2-readme.html#bastion-hosts).
+
+## Prerequisites
+
+- You have an EC2 Amazon Machine Image (AMI) with the Deadline Worker application to run the worker nodes in the compute tier. Make note of the AMI ID as it will be used in this guide. You can use AWS Portal AMIs which can be found in Deadline's amis.json file (see https://awsportal.s3.amazonaws.com/10.1.9/Release/amis.json). **Note:** The link to the amis.json file contains the Deadline version (10.1.9), which you should change if you are using a different version of Deadline.
+- You have setup and configured the AWS CLI
+- Your AWS account already has CDK bootstrapped in the desired region by running `cdk bootstrap`
+
+## Instructions
+
+---
+**NOTE**
+
+These instructions assume that your working directory is `examples/deadline/All-In-AWS-Infrastructure-Basic-Tiered/ts/` relative to the root of the AWS-RFDK package.
+
+---
+
+1. Install the dependencies of the sample app:
+```
+yarn install
+```
+2. Change the value in the `deadlineClientLinuxAmiMap` variable in `bin/config.ts` to include the region + AMI ID mapping of your EC2 AMI(s) with Deadline Worker.
+```ts
+// For example, in the us-west-2 region
+public readonly deadlineClientLinuxAmiMap: Record<string, string> = {
+  ['us-west-2']: '<your-ami-id>',
+  // ...
+  };
+```
+3. Create a binary secret in [SecretsManager](https://aws.amazon.com/secrets-manager/) that contains your [Usage-Based Licensing](https://docs.thinkboxsoftware.com/products/deadline/10.1/1_User%20Manual/manual/aws-portal/licensing-setup.html?highlight=usage%20based%20licensing) certificates in a `.zip` file:
+```
+aws secretsmanager create-secret --name <name> --secret-binary fileb://<path-to-zip-file>
+```
+4. The output from the previous step will contain the secret's ARN. Change the value of the `ublCertificatesSecretArn` variable in `bin/config.ts` to the secret's ARN:
+```ts
+public readonly ublCertificatesSecretArn: string = '<your-secret-arn>';
+```
+5. Choose your UBL limits and change the value of the `ublLicenses` variable in `bin/config.ts` accordingly:
+```ts
+public readonly ublLicenses: UsageBasedLicense[] = [ /* <your-ubl-limits> (e.g. UsageBasedLicense.forMaya(10)) */ ];
+```
+---
+
+**Note:** The next two steps are optional. You may skip these if you do not need SSH access into your render farm.
+
+---
+6. Create an EC2 key pair to give you SSH access to the render farm:
+```
+aws ec2 create-key-pair --key-name <key-name>
+```
+7.  Change the value of the `keyPairName` variable in `bin/config.ts` to your value for `<key-name>` in the previous step: <br><br>**Note:** Save the value of the "KeyMaterial" field as a file in a secure location. This is your private key that you can use to SSH into the render farm.
+```ts
+public readonly keyPairName: string = '<key-name>';
+```
+8. Choose the type of database you would like to deploy and change the value of the `deployMongoDB` variable in `bin/config.ts` accordingly:
+```ts
+// true = MongoDB, false = Amazon DocumentDB
+public readonly deployMongoDB: boolean = false;
+```
+9. If you set `deployMongoDB` to `true`, then you must accept the [SSPL license](https://www.mongodb.com/licensing/server-side-public-license) to successfully deploy MongoDB. To do so, change the value of `acceptSsplLicense` in `bin/config.ts`:
+```ts
+public readonly acceptSsplLicense: MongoDbSsplLicenseAcceptance = <value>;
+```
+10. Modify the `deadline_ver` field in the `config` block of `package.json` as desired, then stage the Docker recipes for `RenderQueue` and `UBLLicensing`:
+```
+yarn stage
+```
+11. Build the sample app:
+```
+yarn build
+```
+12. Deploy all the stacks in the sample app:
+```
+cdk deploy "*"
+```
+13. Once you are finished with the sample app, you can tear it down by running:
+```
+cdk destroy "*"
+```

examples/deadline/All-In-AWS-Infrastructure-Basic/ts/README.md

@@ -0,0 +1,123 @@
+#!/usr/bin/env node
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import 'source-map-support/register';
+import * as path from 'path';
+import * as pkg from '../package.json';
+import { config } from './config';
+import * as cdk from '@aws-cdk/core';
+import { NetworkTier } from '../lib/network-tier';
+import { ServiceTier } from '../lib/service-tier';
+import {
+  StorageTier,
+  StorageTierDocDB,
+  StorageTierMongoDB,
+} from '../lib/storage-tier';
+import { SecurityTier } from '../lib/security-tier';
+import {
+  InstanceClass,
+  InstanceSize,
+  InstanceType,
+  MachineImage,
+} from '@aws-cdk/aws-ec2';
+import { ComputeTier } from '../lib/compute-tier';
+
+  // ------------------------------ //
+  // --- Validate Config Values --- //
+  // ------------------------------ //
+
+  if (!config.ublCertificatesSecretArn) {
+    throw new Error('UBL certificates secret ARN is required but was not specified.');
+  }
+
+  if (!config.ublLicenses) {
+    throw new Error('At least one UBL license must be specified');
+  }
+
+  if (!config.keyPairName) {
+    console.log('EC2 key pair name not specified. You will not have SSH access to the render farm.');
+  }
+
+  if (config.deadlineClientLinuxAmiMap === {['region']: 'ami-id'}) {
+    throw new Error('Deadline Client Linux AMI map is required but was not specified.');
+  }
+
+// ------------------- //
+// --- Application --- //
+// ------------------- //
+
+const env = {
+  account: process.env.CDK_DEPLOY_ACCOUNT ?? process.env.CDK_DEFAULT_ACCOUNT,
+  region: process.env.CDK_DEPLOY_REGION ?? process.env.CDK_DEFAULT_REGION,
+};
+
+const app = new cdk.App();
+
+// -------------------- //
+// --- Network Tier --- //
+// -------------------- //
+
+const network = new NetworkTier(app, 'NetworkTier', { env });
+
+// --------------------- //
+// --- Security Tier --- //
+// --------------------- //
+
+const security = new SecurityTier(app, 'SecurityTier', {
+  env,
+  vpc: network.vpc,
+});
+
+// -------------------- //
+// --- Storage Tier --- //
+// -------------------- //
+
+let storage: StorageTier;
+if (config.deployMongoDB) {
+  storage = new StorageTierMongoDB(app, 'StorageTier', {
+    env,
+    vpc: network.vpc,
+    databaseInstanceType: InstanceType.of(InstanceClass.R5, InstanceSize.LARGE),
+    rootCa: security.rootCa,
+    dnsZone: network.dnsZone,
+    acceptSsplLicense: config.acceptSsplLicense,
+    keyPairName: config.keyPairName ? config.keyPairName : undefined,
+  });
+} else {
+  storage = new StorageTierDocDB(app, 'StorageTier', {
+    env,
+    vpc: network.vpc,
+    databaseInstanceType: InstanceType.of(InstanceClass.R5, InstanceSize.LARGE),
+  });
+}
+
+// -------------------- //
+// --- Service Tier --- //
+// -------------------- //
+
+const service = new ServiceTier(app, 'ServiceTier', {
+  env,
+  database: storage.database,
+  fileSystem: storage.fileSystem,
+  vpc: network.vpc,
+  dockerRecipesStagePath: path.join(__dirname, '..', pkg.config.stage_path), // Stage directory in config is relative, make it absolute
+  ublCertsSecretArn: config.ublCertificatesSecretArn,
+  ublLicenses: config.ublLicenses,
+  rootCa: security.rootCa,
+  dnsZone: network.dnsZone,
+});
+
+// -------------------- //
+// --- Compute Tier --- //
+// -------------------- //
+
+new ComputeTier(app, 'ComputeTier', {
+  env,
+  vpc: network.vpc,
+  renderQueue: service.renderQueue,
+  workerMachineImage: MachineImage.genericLinux(config.deadlineClientLinuxAmiMap),
+  keyPairName: config.keyPairName ? config.keyPairName : undefined,
+});