An attempt to follow security best-practices to create a production-ready installation of Sentry.io on AWS.
Features:
- HTTPS end-to-end
- Load-balanced, Multi-AZ setup
- EC2 Auto-scaling group (also gives zero-downtime upgrades)
- Creates own VPC
- Encryption using integrated KMS key
- Limit sentry access to your GitHub organisation
Choose from the templates below and either click "Launch Stack" or use"Create Stack" in the CloudFormation AWS consoleand specify the relevant Amazon S3 template URL.
| Name | Click to launch | S3 Link |
|---|---|---|
| Internet-facing setup in 1 availability zone |  |
https://s3-eu-west-1.amazonaws.com/sentry-formation/templates/master-internet-facing-1az.yaml |
| Internet-facing setup in 2 availability zones | |
https://s3-eu-west-1.amazonaws.com/sentry-formation/templates/master-internet-facing-2az.yaml |
| Internet-facing setup in 3 availability zones | |
https://s3-eu-west-1.amazonaws.com/sentry-formation/templates/master-internet-facing-3az.yaml |
| Internal setup in 1 availability zone | |
https://s3-eu-west-1.amazonaws.com/sentry-formation/templates/master-internal-1az.yaml |
| Internal setup in 2 availability zones | |
https://s3-eu-west-1.amazonaws.com/sentry-formation/templates/master-internal-2az.yaml |
| Internal setup in 3 availability zones | |
https://s3-eu-west-1.amazonaws.com/sentry-formation/templates/master-internal-3az.yaml |
If you don't want your new instances to automatically pull down new version of the setup scripts, then change the filename, switchingmasterfor the specific version you want to stick with e.g.1.0.0.
- User accounts and secrets for Sentry, Redis and Postgres
- DNS name: the hostname you're going to use to access your sentry installation.
- SSL Certificate ARN: A certificate matching your DNS name that you've stored in KMS (seeImporting Certificates)
- SMTP email server for sending alerts (seeUsing the Amazon SES SMTP Interface to Send Email)
- GitHub App Id & API secret (if using GitHub to sign in).
Once the load balancer has been created, you can update your DNS entry. SeeRouting Traffic to an ELB Load Balancerif using Route 53.
If you want to also encrypt your EC2 EBS volumes, you can make a copy of the original AMI, add encryption using the createdSentryEncryptionKey.Then update your stack to the new encrypted AMI, which will provision new EC2 instances and remove the old instances.
This is a great option if you want to automatically deploy your stack from your CI server:
- Take a copy of
deploy-example.sh. - Fill in the parameters.
Requires Ruby & Bundler to be installed locally.
bundle install
lono generate
Requires Vagrant and Ansible to be installed locally.
vagrant up
ansible-playbook site.yml -u vagrant
Your site should then be available athttps://33.33.33.20/
Original version developed by Karl Turner (@otaiga), Bradley Allen (@ValkyrieUK) and Daniel Bradley (@danielrbradley).
Using AWS KMS to Encrypt Values in CloudFormation Stacksby Ben Jones (@RealSalmon)
Starting point for CloudFormation setup:https://github.com/acervos/sentry
