This tutorial guides developers through automating the deployment of a Python API. We chose AWS Elastic Beanstalk as our deployment tool. The 3 main points are:
- Deploy a Python Flask App with AWS Elastic Beanstalk
- Automate SSL Certificate Installation and renewal
- Automate nginx config updates to prevent “Payload Too Large” 413 HTTP error codes
Points #2 and #3 keep downtime for the web service to a minimum. High-level knowledge of AWS services is recommended for this tutorial.
Why Elastic Beanstalk?
Elastic Beanstalk is a beginner-friendly AWS service that allows developers to deploy web applications without a deep knowledge of the underlying AWS infrastructure.
1. Install Python from https://www.python.org/downloads/
2. For this tutorial, we will be using the sample Flask app below:
3. Add another file to the project called requirements.txt. This file tells the EB environment that our app needs Flask v2.0.1 to run and allows dependency installation.
4. Now, on your local machine, run the following command to install Flask and run the app in the project directory:
6. Zip the project folder and name it “SampleApp.zip”. We’ll use this zipped file in the next steps.
Deployment to Elastic Beanstalk (EB)
1. Using the AWS Console, let’s create a new Elastic Beanstalk application.
a. Navigate to Elastic Beanstalk from the AWS Services Menu
b. Click the “Create Application” button. Now, you’ll see a form open.
c. Name your application. I’m calling mine – “Sample App Onkar”.
d. For the Platform option – choose “Python” and leave the rest of the options as default.
e. For the Application Code option – choose “upload your own code” and upload SampleApp.zip
f. Hit “Create Application.”
2. This creates the application as well as a web server environment under our application.
3. The environment creation process takes about 5 minutes because it provisions all the resources required for an environment such as load balancers, security groups, EC2 instances, etc.
4. After the environment is created and shows a healthy status, the application should be available at the link shown on the environment page of the application. This env is hosted at http://sampleapponkar-env.eba-ffjmsc4p.us-east-1.elasticbeanstalk.com/
5. For subsequent deploys, upload the updated zipped project folder using the “Upload and Deploy” button on the specific environment page.
This was all for the deployment piece. You can look at logs, configuration, and monitoring on the environment page for debugging complex applications.
Automate SSL Certificate Installation and Renewal
To make your EB application easier to manage, you can automate the renewal of the EB domain’s SSL Certificate. Normally, SSL certificates are configured for domains you own. However, our EB environment URL is http://sampleapponkar-env.eba-ffjmsc4p.us-east-1.elasticbeanstalk.com/ and we don’t own the elasticbeanstalk.com domain.
Now, there are a few ways to install an SSL Certificate for an Elastic Beanstalk environment:
- Using the Application Load Balancer + ACM. However, having a load balancer on a single instance application might add unnecessary AWS costs just for enabling HTTPS.
- Using a CloudFront configuration. This is great for setting up CDN type content for satisfying global traffic.
- Install your own SSL certificate on the underlying EC2 instance. This process is a bit manual but is the most cost-effective and suitable for single instance applications.
The following guide will walk you through Option #3 and how to implement automatic SSL cert renewals. For this to work, there must already be a DNS mapping between your custom domain and your application’s Elastic Beanstalk URL, i.e. http://onkar.bluerelay.com pointing to http://sampleapponkar-env.eba-ffjmsc4p.us-east-1.elasticbeanstalk.com/. This method also does not incur additional costs. We used the popular option CertBot for generating SSL Certificates and ebextensions scripts for the generation and renewal process.
1. Create a folder called .ebextensions in the root directory of your folder.
2. Create a file called 1_install_dependencies.config and paste the following code into it:
This config file will install CertBot and its dependencies on the underlying EC2 instance.
3. Open port 443 on the EC2 instance by modifying the inbound rules of the associated security group. Create a file named 2_open_port_443.config with the following content:
4. For the cert installation to trigger after the deployment is complete, we will use the postdeploy hook. This is the last hook to get triggered.
  - For more information about EB Platform hooks and the different stages they trigger at during deployment, see here: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/platforms-linux-extend.html
5. Create a folder called .platform in the project root directory.
  - Create a folder called hooks inside it.
  - Create another folder called postdeploy inside hooks.
  - The folder structure would be .platform/hooks/postdeploy
6. Create a file called 1_generate_certificate.sh inside the postdeploy folder with the following content:
Replace the domain name and email with the correct values. This command verifies that the specified domain name points to the host server on which the command runs. Once the domain is verified, it issues the SSL certificates, places them in the correct nginx directory, and updates the nginx configuration to use them. CertBot is truly awesome.
7. Now we need to grant executable permission to this script. For that create a file called 3_grant_exec_permission.config with the following:
8. At this point, certificate generation is handled; however, we also want to automate SSL Certificate renewal. For that, we’ll set up a cron job using a crontab. Create a file under .ebextensions called 4_renew_certificate_cron_job.config with the following content:
We’re specifying a file which contains the cron expression, and then using container commands to create a crontab from that file and clean it up. This schedules a job that runs at 3am and 3pm daily to attempt to renew the certs.
9. Now the project structure should look something like below:
Now, zip the project and upload to EB.
10. To troubleshoot and monitor ebextensions scripts, you can check /var/log/cfn-init.log and /var/log/eb-hooks.log on the EC2 instance.
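A pre-upload check for the hook layout built in the steps above, added here as an example and not part of the original tutorial: it flags postdeploy scripts that lack a #! line, carry CRLF line endings, or are not named in 3_grant_exec_permission.config. The function name check_hooks is an assumption; the paths are the tutorial's.

```sh
#!/bin/sh
# Added example, not part of the original tutorial. Run from the project
# root before zipping. check_hooks is a hypothetical helper name; the
# paths are the ones the tutorial uses.

# Report postdeploy hook scripts that would fail on the instance.
# Prints one line per problem; returns 0 only if none were found.
check_hooks() {
    root=${1:-.}
    hooks="$root/.platform/hooks/postdeploy"
    grant="$root/.ebextensions/3_grant_exec_permission.config"
    problems=0
    cr=$(printf '\r')

    [ -d "$hooks" ] || { echo "missing directory: $hooks"; return 1; }
    [ -f "$grant" ] || { echo "missing file: $grant"; problems=1; }

    for script in "$hooks"/*.sh; do
        [ -f "$script" ] || continue
        name=$(basename "$script")
        # Hooks are executed directly, so a script needs an interpreter line.
        if ! head -n 1 "$script" | grep -q '^#!'; then
            echo "$name: first line is not a #! interpreter line"; problems=1
        fi
        # CRLF line endings (Windows editors) break the interpreter lookup.
        if grep -q "$cr" "$script"; then
            echo "$name: contains CRLF line endings"; problems=1
        fi
        # Step 7 makes hooks executable through this config file, so every
        # script has to be named in it.
        if [ -f "$grant" ] && ! grep -Fq "$name" "$grant"; then
            echo "$name: not referenced in 3_grant_exec_permission.config"
            problems=1
        fi
    done
    return "$problems"
}
```

Call `check_hooks .` from the project root; a non-zero exit status means at least one hook would not run after deployment.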
Automate nginx Config Updates to Tackle “Payload Too Large” 413 HTTP Errors
There might be some cases where the default EB configuration for nginx is not sufficient. For example, by default nginx is configured to allow a max of 1MB request body with POST requests. Since the nginx configuration is overridden every time a new application version is deployed, automating such a configuration update saves a lot of manual work after each deployment.
To change the max request body size to 20M, you need to update the /etc/nginx/nginx.conf file and add the line as shown below:
To automate this process, we’ll add some more commands to our .ebextensions folder from the previous section.
1. Create a file called 2_update_filesize_nginx.sh inside the postdeploy folder with the following content:
In the above script, we’re essentially using the sed command to replace any occurrence of the phrase client_header_timeout with client_max_body_size 20M; client_header_timeout, and then it reloads the nginx configuration by calling nginx -s reload.
2. Also, modify 3_grant_exec_permission.config under the .ebextensions folder to include exec permissions for the filesize update script. The resulting 3_grant_exec_permission.config would be:
3. Now, zip your project again and deploy it to EB. Check the /var/log/ directory to monitor the hooks and script execution.
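An idempotent variant of the nginx edit described above, added here as an example and not the tutorial's own script: it inserts the directive only when it is absent and fails loudly when the anchor is missing, instead of relying on a blind sed substitution. The helper name ensure_client_max_body_size and the use of client_header_timeout as the anchor text are assumptions.

```sh
#!/bin/sh
# Added example, not the tutorial's original hook script.
# ensure_client_max_body_size is a hypothetical helper name.

# Insert "client_max_body_size <size>;" in front of the first
# client_header_timeout directive, unless the file already sets it.
# Prints "changed" or "unchanged"; returns non-zero on error.
ensure_client_max_body_size() {
    conf=$1
    size=${2:-20M}
    [ -f "$conf" ] || { echo "missing file: $conf" >&2; return 1; }

    # Already present outside a comment (the hook ran before on this file):
    # leave it alone, so a repeat run cannot create a duplicate directive
    # that nginx rejects.
    if grep -Eq '^[^#]*client_max_body_size[[:space:]]' "$conf"; then
        echo unchanged
        return 0
    fi

    # Plain sed exits 0 when the anchor is absent and leaves the default limit.
    if ! grep -q 'client_header_timeout' "$conf"; then
        echo "anchor client_header_timeout not found in $conf" >&2
        return 1
    fi

    tmp=$(mktemp) || return 1
    # Rewrite only the first matching line; "&" is the matched anchor text.
    awk -v d="client_max_body_size ${size};" '
        !done && /client_header_timeout/ {
            sub(/client_header_timeout/, d " &"); done = 1
        }
        { print }' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp" && echo changed
}

# Hook usage on the instance (path taken from the tutorial):
#   ensure_client_max_body_size /etc/nginx/nginx.conf 20M
#   nginx -t && nginx -s reload   # validate the config before reloading
```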
Congratulations! You just learned:
- How to deploy a simple Flask Web Application on AWS Elastic Beanstalk.
- How to use ebextensions scripts to automate SSL Generation and installation using Certbot.
- How to essentially update any config file on the underlying EC2 instance by using ebextension config files.
I hope you enjoyed learning about Elastic Beanstalk, it was a fun learning experience for me as well. Feel free to ask any questions in the comments or reach out to me on LinkedIn.
Escandell, M. (2021, April 18). How to get a SSL certificate running in AWS Elastic Beanstalk using Certbot. Medium. Retrieved August 3, 2022, from https://medium.com/edataconsulting/how-to-get-a-ssl-certificate-running-in-aws-elastic-beanstalk-using-certbot-6daa9baa3997