S3

Simple Storage Service (S3) provides a cost-effective and flexible place to store your content. If you’re using more than one server inside of AWS, we recommend using a combination of S3 and CloudFront for serving your content.

CloudFront Origin Access Identity

To provision S3, the necessary IAM users, and so on, we first need to create an Origin Access Identity (OAI) for CloudFront. The OAI is the identity CloudFront uses to read from the bucket, so the bucket itself can stay private.

  1. Make sure you are logged in to the AWS console as the root user (IAM users will not work).
  2. Go to https://console.aws.amazon.com/cloudfront/home?region=us-east-1#oai: and click Create OAI.
  3. Enter Rustici Content Controller OAI for the comment and click Create.
  4. Take note of the ID beside Rustici Content Controller OAI. You will need it in a few steps.

S3 Bucket and IAM User Setup

This part has quite a few steps, so we’ve provided an Ansible Playbook to set up your S3 buckets, logging, and IAM user “automagically”. This playbook will:

  • Create 2 new S3 buckets for you (one for content and one for logs).
  • Set up an IAM user, group, and policy that assign sufficient rights to read/write from the new bucket.
  • Grant your CloudFront Origin Access Identity the rights it needs to access the bucket.
  • Create a valid group_vars/s3.yml file for Ansible to use when it sets up Content Controller.
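
As an added illustration (not code from the playbook itself), here is what the two permission documents the playbook is expected to produce look like in Python: the bucket policy that grants the CloudFront OAI read-only access, the IAM policy scoped to the single content bucket, and a check that flags statements which would widen access beyond that bucket. The bucket name and OAI ID used are constructed placeholders; the OAI principal ARN form is the one AWS documents.

```python
def oai_bucket_policy(bucket, oai_id):
    """Bucket policy that lets one CloudFront Origin Access Identity read objects.
    Only s3:GetObject on objects in this bucket; no list, write or delete rights."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity " + oai_id},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::%s/*" % bucket,
        }],
    }

def app_user_policy(bucket):
    """IAM policy for the Content Controller S3 user: list, read, write and delete
    on the one content bucket, and nothing on any other bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": "arn:aws:s3:::%s" % bucket},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": "arn:aws:s3:::%s/*" % bucket},
        ],
    }

def least_privilege_issues(policy):
    """Return findings for Allow statements that widen access beyond one bucket:
    public principals, wildcard actions, or wildcard resources."""
    issues = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            issues.append("statement %d: public principal" % i)
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("*", "s3:*") for a in actions):
            issues.append("statement %d: wildcard action" % i)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(r in ("*", "arn:aws:s3:::*") for r in resources):
            issues.append("statement %d: wildcard resource" % i)
    return issues
```

Running least_privilege_issues over the policies the playbook actually applied (for example, the JSON returned by the S3 and IAM consoles) is a quick way to confirm the bucket stays reachable only through CloudFront and the application user.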

Run the Playbook

  1. SSH in to your Ansible instance, and go to your ContentController-PublicDeploy folder.
  2. Run the following command (but replace CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ID and DEMO.CONTENTCONTROLLER.NET with the proper values for your install).
ansible-playbook aws-s3.yml \
    -e "cloudfront_origin_access_identity=CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ID" \
    -e "ServerName=DEMO.CONTENTCONTROLLER.NET" \
    -e "env=prod" \
    -e "ClientName=Rustici"
  3. Enter the following values when asked (but replace CLIENT_NAME with the name of your company with no spaces). If you plan on setting up a separate staging environment, add stg or prod to your bucket name prefix and username.
    1. S3 bucket name prefix: CLIENT_NAME
    2. AWS account ID (you can find this in the AWS console)
    3. Username: rustici-cc-s3-user
  4. Everything you need for S3 to work should have been created. A group_vars/s3.yml file has been created with the credentials needed for Content Controller to access S3.

Deleting It All and Starting Over

Sometimes things don’t work on the first try, and you need to start over. To undo all of your changes and delete the bucket and user you’ve created, run the playbook again with the Slartibartfast variable set to true.

NOTE THAT THIS IS DANGEROUS AND WILL DESTROY YOUR S3 BUCKET AND EVERYTHING IN IT. ONLY USE IT IF YOU HAVEN’T STARTED USING S3 IN PRODUCTION.

ansible-playbook aws-s3.yml \
    -e "cloudfront_origin_access_identity=CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ID" \
    -e "ServerName=DEMO.CONTENTCONTROLLER.NET" \
    -e "env=prod" \
    -e "ClientName=Rustici" \
    -e '{"Slartibartfast": true}'