Deploying and Configuring MongoDB on EC2 with AWS CDK

Introduction

Recently, I had a friend give me a call asking for some help with MongoDB in EC2. The first question I asked of course was “Why on earth would you do that… just use Atlas”. And I then discovered that every now and then, some architects and engineers decide MongoDB needs to be run on EC2s. Here’s a guide for some of the work we did setting up MongoDB on AWS EC2s with Typescript CDK as our chosen IaC tool.

In this article, we’ll walk through how to use AWS CDK to deploy a MongoDB instance on EC2, configure it securely, and verify its operation. Please note that this article does not go in depth with best practices for data replication, multi-AZ deployments and backups. These topics will be discussed further in a series of posts when covering DocumentDB and MongoDB.

With that being said let’s get started.

Prerequisites

• Basic understanding of AWS services, particularly EC2, IAM, and VPC.

• Familiarity with MongoDB and its configuration.

• Knowledge of TypeScript and the AWS CDK.

• AWS CLI and CDK installed and configured.

Notes On Prompting:

Here are some prompts you can plug into ChatGPT to assist with code generation on this endeavor, Please not that some of the responses given by the GPT will be wrong, particularly some of the EC2 configurations and the user scripts used to initialize the instance, the scripts provided in this article have been validated extensively and will work for your needs.

Prompt 1:

Okay now, we can REALLY start…

Step 1: Setting Up Your CDK Project

Start by initializing a new CDK project:

mkdir mongodb-cdk-project
cd mongodb-cdk-project
cdk init app --language typescript

Step 2: Creating an EC2 Instance

In your CDK stack (e.g., lib/mongodb-cdk-project-stack.ts), create an EC2 instance that will host the MongoDB server.

EC2 Instance Setup

import * as ec2 from '@aws-cdk/aws-ec2';const instance = new ec2.Instance(this, 'MongoDBInstance', {  vpc,  instanceName: ec2Name,  instanceType: new ec2.InstanceType("t3.micro"), // Change as per your requirement  machineImage: ec2.MachineImage.latestAmazonLinux2(),  vpcSubnets: selectedSubnets,  securityGroup: securityGroup,  role: role,  keyName: keyPair.keyName,  blockDevices: [    {      deviceName: "/dev/xvda",      volume: ec2.BlockDeviceVolume.ebs(100),    },  ],});

Ensure you configure the instance with an appropriate AMI, instance type, and security group.

Configuring A Database User

One pattern that’s always good to follow when provisioning a database with CDK or any IaC tool is generating user credentials with AWS secrets manager and making those credentials available in the startup script of your EC2 instance for your database. This process ensures that no individual user will create an insecure password and we can also protect our credentials.

// Create a secret in AWS Secrets Manager  
const mongoDbCredentials = new secretsmanager.Secret(this,"MongoDBCredentials",
{
  secretName: "SECRET_NAME",
  generateSecretString: {
	secretStringTemplate: JSON.stringify({ username: "GENERIC_USERNAME"}),
generateStringKey: "password",
excludePunctuation: true,
includeSpace: false,      
	},
}); 
// Grant the EC2 instance access to the secret 
mongoDbCredentials.grantRead(role);

Methods for Accessing EC2

Since we are placing our EC2 instance within a private subnet for this configuration, we won’t be able to SSH directly onto the instance from any host. Meaning we’ll have to do some work to configure a key pair along with SSM session manager which will allow us to connect to the instance from the console. To do this, the following config is required

const keyName = "NAME_OF_PAIR";
const cfnKeyPair = new ec2.CfnKeyPair(this, "mongodbCFNKeyPair", {keyName: keyName,// the properties below are optional  
 keyFormat: "pem",
 keyType: "rsa",
 tags: [{
	key: "Name",
	value: keyName,
	}]
});

along with an SSM policy document giving systems manager access to your EC2 instance

const ssmPolicyDoc = new iam.PolicyDocument({
statements: [
new iam.PolicyStatement({
	effect: iam.Effect.ALLOW,
	actions: [
		"ssm:UpdateInstanceInformation",
		"ssmmessages:CreateControlChannel",
		"ssmmessages:CreateDataChannel",
		"ssmmessages:OpenControlChannel",
		"ssmmessages:OpenDataChannel"
	],
	resources: ["*"]
	})
  ]
});
const ssmPolicy = new iam.Policy(this, "ssmPolicy", {
	document: ssmPolicyDoc
	});
role.attachInlinePolicy(ssmPolicy);

Step 3: Installing MongoDB

Now onto the mongoDB user script.

To install MongoDB, use EC2 user data scripts. This script automates the installation process when the instance is launched.

User Data Script

#!/bin/bash# Set AWS Region for AWS CLI

export AWS_DEFAULT_REGION=us-east-1 # Add MongoDB repositoryecho "[mongodb-org-4.4]
name=MongoDBRepositorybaseurl=https://repo.mongodb.org/yum/amazon/2/mongodb-org/4.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc" | sudo tee /etc/yum.repos.d/mongodb-org-4.4.repo
# Update and install MongoDB, AWS CLI, and jq 
sudo yum update -ysudo yum install -y mongodb-org aws-cli jq
# Start MongoDB
sudo service mongod startsudo chkconfig mongod on
# Wait for MongoDB to start upsleep 20
# Retrieve MongoDB credentials from AWS Secrets Manager
MONGO_CREDENTIALS=$(aws secretsmanager get-secret-value --secret-id mongodb/credentials --query SecretString --output text)
MONGO_USERNAME=$(echo $MONGO_CREDENTIALS | jq -r .username)MONGO_PASSWORD=$(echo $MONGO_CREDENTIALS | jq -r .password)
# MongoDB commands to setup database, collection, and user
mongo <<EOF
use MY_DB
// Create a collection
db.createCollection("COLLECTION_NAME")
// Create a user with the password from Secrets Managerdb.createUser(
{user: '$MONGO_USERNAME',
 pwd: '$MONGO_PASSWORD',
 roles: [{ role: 'readWrite', db: 'yourDatabaseName' }]})
EOF

Embed this script in your CDK stack to ensure it’s executed on instance launch or place it in another file and reference it in your CDK code.

Step 4: Configuring MongoDB

After installation, configure MongoDB to suit your requirements. This might include setting up users, databases, and collections.

MongoDB Configuration Script

instance.addUserData(`  // MongoDB configuration commands`);

Step 5: Securing the Setup

Security is paramount. Ensure your security groups restrict access to the instance, and use AWS Secrets Manager to manage any sensitive credentials. One good rule to add to your security group would be the following ingress rule.

  mongoDbSecurityGroup.addIngressRule(    ec2.Peer.anyIpv4(),    ec2.Port.tcp(27017),    'Allow MongoDB traffic'  );

More security specific configurations will be explored in upcoming articles and guides.

Step 6: Deploying the Stack

Run cdk deploy to deploy your stack. This command provisions all the AWS resources defined in your CDK application.

Step 7: Verifying the Setup

Once deployed, verify the installation:

1. Log into the AWS console, find your running instance, select it and click “Connect”.

2. Navigate to the “Session Manager” option and use that to start a session.

3. Run Basic MongoDB Commands: Here are some simple commands

show dbs
use yourDatabaseName
show collections

Conclusion

Using AWS CDK to deploy and configure MongoDB on EC2 provides a scalable, repeatable, and efficient method to manage your database infrastructure. With CDK, you can codify your entire MongoDB environment, making it easier to version control, audit, and replicate.

Remember, this guide is a starting point. Customize your setup to align with your specific use cases and security requirements.

The full Github repo with all of this code can be found here

https://github.com/codex-core/typescript-cdk-db-samples/blob/main/mongo-standalone/lib/mongodb-standalone-stack.ts

Next Steps

• Explore advanced MongoDB configurations and optimizations.

• Implement monitoring and logging for your MongoDB instance using AWS CloudWatch.

• Investigate scaling and high availability options for MongoDB on AWS.

By following these steps, you can leverage the power of AWS CDK to manage MongoDB deployments effectively, ensuring a robust and secure database environment for your applications.