diff --git a/openvidu-server/deployments/pro/aws/cfn-openvidu-server-pro-no-market.yaml.template b/openvidu-server/deployments/pro/aws/cfn-openvidu-server-pro-no-market.yaml.template index 25489e9d..c5b98e37 100644 --- a/openvidu-server/deployments/pro/aws/cfn-openvidu-server-pro-no-market.yaml.template +++ b/openvidu-server/deployments/pro/aws/cfn-openvidu-server-pro-no-market.yaml.template @@ -41,6 +41,18 @@ Parameters: LetsEncryptEmail: Description: "If certificate type is 'letsencrypt', this email will be used for Let's Encrypt notifications" Type: String + + RecordingStorage: + Description: "If 's3', recordings will be stored in a S3 bucket" + Type: String + AllowedValues: + - local + - s3 + Default: local + + S3RecordingsBucketName: + Description: "If RecordingStorage is 's3', this will be the name of s3 bucket to store recordings" + Type: String # OpenVidu Configuration @@ -212,6 +224,8 @@ Metadata: - OpenViduLicense - OpenViduSecret - MediaNodesStartNumber + - RecordingStorage + - S3RecordingsBucketName - Label: default: Elasticsearch and Kibana configuration Parameters: @@ -247,6 +261,10 @@ Metadata: default: "URL to the key file (owncert)" LetsEncryptEmail: default: "Email for Let's Encrypt (letsencrypt)" + RecordingStorage: + default: "Recording storage" + S3RecordingsBucketName: + default: "S3 Bucket where recordings will be stored" # OpenVidu configuration OpenViduLicense: default: "OpenVidu Pro License key" 
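Review bot: S3RecordingsBucketName is declared without a Default, so CloudFormation treats it as a required input, yet the Conditions and Rules added in this same change test it against "" to mean "not supplied"; `Default: ""` makes the empty case reachable and presumably mirrors how WhichCert and PublicElasticIP are declared (their definitions are outside this hunk). A bucket-name constraint would fail at parameter validation instead of at the IAM or S3 resources, e.g. `AllowedPattern: '^$|^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'` with a ConstraintDescription. The description should also say that a supplied bucket must already exist, since the template only creates one when the name is left empty.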
@@ -276,8 +294,20 @@ Metadata: default: "Deploy OpenVidu Call application" Conditions: - WhichCertPresent: !Not [ !Equals [!Ref WhichCert, ""] ] - PublicElasticIPPresent: !Not [ !Equals [!Ref PublicElasticIP, ""] ] + WhichCertPresent: !Not [ !Equals [!Ref WhichCert, ""] ] + PublicElasticIPPresent: !Not [ !Equals [!Ref PublicElasticIP, ""] ] + RecordingStorageIsS3: !Equals [!Ref RecordingStorage, "s3" ] + S3RecordingsBucketNamePresent: !Not [ !Equals [!Ref S3RecordingsBucketName, ""] ] + CreateS3Bucket: !And [ !Equals [!Ref RecordingStorage, "s3" ], !Equals [!Ref S3RecordingsBucketName, ""] ] + +Rules: + ValidateParametersS3Local: + RuleCondition: + Fn::Equals: [!Ref RecordingStorage, "local" ] + Assertions: + - AssertDescription: If Recording Storage is 'local', you don't need to define an S3 bucket + Assert: + Fn::Equals: [!Ref S3RecordingsBucketName, ""] Resources: 
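Review bot: CreateS3Bucket restates the two tests that RecordingStorageIsS3 and S3RecordingsBucketNamePresent already encode; `CreateS3Bucket: !And [ !Condition RecordingStorageIsS3, !Not [ !Condition S3RecordingsBucketNamePresent ] ]` keeps the three conditions from drifting apart if one of them is edited later. The WhichCertPresent and PublicElasticIPPresent lines appear to change only in whitespace, which adds diff noise to a functional change. The Rules section asserts an empty bucket name only for the local case; that is fine because an empty name under s3 is handled by creating a bucket, but a comment on the rule saying so, `# s3 with an empty name is valid: CreateS3Bucket provisions one`, would save the next reader the deduction.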
@@ -312,6 +342,42 @@ Resources: - 'route53:ChangeResourceRecordSets' - 'route53:ListHostedZones' Resource: '*' + - Fn::If: + # Only apply this policies if S3 is configured + - RecordingStorageIsS3 + - Effect: Allow + Action: + - 's3:DeleteObject' + - 's3:GetObject' + - 's3:PutObject' + Resource: + - Fn::If: + # Get bucket name depending if the user defines a bucket name or not + - S3RecordingsBucketNamePresent + - !Join [ "", [ 'arn:aws:s3:::', !Ref S3RecordingsBucketName, '/*'] ] + - !Join [ "", [ 'arn:aws:s3:::', !Ref AWS::StackName, '-recordings', '/*'] ] + - Ref: AWS::NoValue + - Fn::If: + # Only apply this policies if S3 is configured + - RecordingStorageIsS3 + - Effect: Allow + Action: + - 's3:ListBucket' + Resource: + - Fn::If: + # Get bucket name depending if the user defines a bucket name or not + - S3RecordingsBucketNamePresent + - !Join [ "", [ 'arn:aws:s3:::', !Ref S3RecordingsBucketName ] ] + - !Join [ "", [ 'arn:aws:s3:::', !Ref AWS::StackName, '-recordings' ] ] + - Ref: AWS::NoValue + - Fn::If: + # Only apply this policies if S3 is configured + - RecordingStorageIsS3 + - Effect: Allow + Action: + - s3:ListAllMyBuckets + Resource: 'arn:aws:s3:::' + - Ref: AWS::NoValue RoleName: !Join [ "-", [ OpenViduManageEC2Role, !Ref 'AWS::StackName', !Ref 'AWS::Region'] ] OpenviduInstancesProfile: @@ -324,6 +390,20 @@ Resources: DependsOn: - OpenViduManageEC2Role + S3bucket: + Type: 'AWS::S3::Bucket' + Properties: + BucketName: !Join [ "", [ !Ref 'AWS::StackName', '-recordings' ] ] + AccessControl: Private + PublicAccessBlockConfiguration: + BlockPublicAcls: true + BlockPublicPolicy: true + IgnorePublicAcls : true + RestrictPublicBuckets: true + DeletionPolicy: Retain + UpdateReplacePolicy: Retain + Condition: CreateS3Bucket + OpenViduServer: Type: AWS::EC2::Instance Metadata: 
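Review bot: The third statement grants s3:ListAllMyBuckets on `Resource: 'arn:aws:s3:::'`; that action is not resource-scoped and is normally written with `Resource: '*'`, so as written it is unlikely to take effect, and since the server is handed the bucket name it has no need to enumerate buckets at all, so dropping that whole Fn::If block is the least-privilege fix. The ListBucket statement builds `arn:aws:s3:::<bucket>` directly from S3RecordingsBucketName, while the .env hunk in this commit says OPENVIDU_PRO_AWS_S3_BUCKET "may include paths"; a value such as bucket/prefix would yield an invalid bucket ARN here and an object ARN with the prefix doubled, so either restrict the parameter to a bare bucket name or split the path off before building the ARNs. The policy document this hunk extends starts outside the hunk.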
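Review bot: BucketName is derived from AWS::StackName, but stack names may contain uppercase letters and run to 128 characters while S3 bucket names must be lowercase and at most 63 characters, so stacks with such names fail at this resource; either omit BucketName and let CloudFormation generate one (the cloud-init script would then read the name via `!Ref S3bucket` rather than re-joining it) or document the stack-name constraint on the template. The bucket holds session recordings and declares no BucketEncryption, so objects land unencrypted at rest unless a caller opts in; enabling default server-side encryption is a four-line addition, shown below. `IgnorePublicAcls : true` carries a stray space before the colon, which YAML tolerates but is inconsistent with the neighbouring keys.
```yaml
Properties:
  # … unchanged: BucketName, AccessControl, PublicAccessBlockConfiguration …
  BucketEncryption:
    ServerSideEncryptionConfiguration:
      - ServerSideEncryptionByDefault:
          SSEAlgorithm: AES256
```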
@@ -404,7 +484,18 @@ Resources: sed -i "s/WITH_APP=true/WITH_APP=false/" $WORKINGDIR/docker-compose.yml rm $WORKINGDIR/docker-compose.override.yml fi + + # S3 Configuration + if [ "${RecordingStorage}" == "s3" ]; then + sed -i "s/#OPENVIDU_PRO_RECORDING_STORAGE=/OPENVIDU_PRO_RECORDING_STORAGE=s3" $WORKINGDIR/.env + if [ ! -z "${S3RecordingsBucketName}" ]; then + sed -i "s/#OPENVIDU_PRO_AWS_S3_BUCKET=/OPENVIDU_PRO_AWS_S3_BUCKET=${S3RecordingsBucketName}" $WORKINGDIR/.env + else + sed -i "s/#OPENVIDU_PRO_AWS_S3_BUCKET=/OPENVIDU_PRO_AWS_S3_BUCKET=${s3BucketName}" $WORKINGDIR/.env + fi + fi - kmsAmi: !FindInMap [KMSAMIMAP, !Ref 'AWS::Region', AMI] + s3BucketName: !Join [ "", [ !Ref 'AWS::StackName', '-recordings' ] ] mode: "000755" owner: "root" group: "root" @@ -453,7 +544,7 @@ Resources: owner: "root" group: "root" '/usr/local/bin/create_security_group_rules.sh': - content: !Sub | + content: | #!/bin/bash -x SECGRPIDKMS=$(/usr/local/bin/getSecurityGroupKms.sh) SECGRPIDOV=$(/usr/local/bin/getSecurityGroupOpenVidu.sh) @@ -471,7 +562,7 @@ Resources: owner: "root" group: "root" '/usr/local/bin/restartPRO.sh': - content: !Sub | + content: | #!/bin/bash -x WORKINGDIR=/opt/openvidu diff --git a/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/.env b/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/.env index 2799c02a..3cb782ae 100644 --- a/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/.env +++ b/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/.env 
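Review bot: All three sed substitutions in the new S3 block lack the closing delimiter, `s/#OPENVIDU_PRO_RECORDING_STORAGE=/OPENVIDU_PRO_RECORDING_STORAGE=s3` has no trailing `/`, so sed exits with an unterminated `s' command and .env is never updated; the same applies to both OPENVIDU_PRO_AWS_S3_BUCKET lines. Because the bucket value is spliced into the expression and the .env comments allow a path inside it, a `/` in the name would still break the expression after that fix; a different delimiter avoids it, e.g. `sed -i "s|#OPENVIDU_PRO_AWS_S3_BUCKET=|OPENVIDU_PRO_AWS_S3_BUCKET=${S3RecordingsBucketName}|" $WORKINGDIR/.env`. The Sub variable map appears to drop kmsAmi in favour of s3BucketName; if `${kmsAmi}` is still referenced anywhere in the script outside this hunk, that reference would now fail substitution, which is worth checking. The enclosing `content: !Sub |` block begins before the hunk.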
@@ -138,6 +138,34 @@ OPENVIDU_RECORDING=false # Use recording module with debug mode. OPENVIDU_RECORDING_DEBUG=false +# Where to store recording files. Can be “local” (local storage) or “s3” (AWS bucket). +# You will need to define a OPENVIDU_PRO_AWS_S3_BUCKET if you use it. +#OPENVIDU_PRO_RECORDING_STORAGE= + +# S3 Bucket where to store recording files. May include paths to allow navigating +# folder structures inside the bucket. This property is only taken into account +# if OPENVIDU_PRO_RECORDING_STORAGE=s3 +#OPENVIDU_PRO_AWS_S3_BUCKET= + +# AWS credentials access key. Must have read and write permissions over the bucket. +# If not provided, then the internal S3 client will try to use the default AWS credentials +# of the machine (if available). This property is only taken into account if +# OPENVIDU_PRO_RECORDING_STORAGE=s3 +# If you're instance has a role which has access to read +# and write into the s3 bucket, you don't need this parameter +# OPENVIDU_PRO_AWS_ACCESS_KEY= + +# AWS credentials secret key from OPENVIDU_PRO_AWS_ACCESS_KEY. This property is only +# taken into account if OPENVIDU_PRO_RECORDING_STORAGE=s3 +# If you're instance has a role which has access to read +# and write into the s3 bucket, you don't need this parameter +# OPENVIDU_PRO_AWS_SECRET_KEY= + +# AWS region in which the S3 bucket is located (e.g. eu-west-1). If not provided, +# the region will try to be discovered automatically, although this is not always possible. +# This property is only taken into account if OPENVIDU_PRO_RECORDING_STORAGE=s3 +# OPENVIDU_PRO_AWS_REGION= + # Openvidu Folder Record used for save the openvidu recording videos. Change it # with the folder you want to use from your host. OPENVIDU_RECORDING_PATH=/opt/openvidu/recordings
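Review bot: The two credential comments read "If you're instance has a role" and should be "If your instance has a role"; the first comment uses typographic quotes around "local" and "s3" where the rest of the file uses plain ASCII, and "define a OPENVIDU_PRO_AWS_S3_BUCKET" should be "an". OPENVIDU_PRO_AWS_ACCESS_KEY, OPENVIDU_PRO_AWS_SECRET_KEY and OPENVIDU_PRO_AWS_REGION are commented as `# NAME=` with a space after the hash, while the two keys the AWS cloud-init script in this commit rewrites use `#NAME=`; one form throughout keeps scripted uncommenting predictable. The secret-key comment could state plainly that the instance-role path is the preferred one and that literal keys placed here are readable by anyone with access to the deployment directory, so they should be treated like any other secret file.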