Nanomdmsandbox is a project that tries to make it easier for folks to spin up a sandbox environment for nanomdm. See our MacDevOpsYVR22 talk Open Source MDM in a (Sand)Box for more info and background about this project!
⚠️ micro2nano
andmdmdirector
services are not functional yet.
-
Buy a domain. There are many registrars you can choose from but we are partial to namecheap.com.
-
Create an AWS account.
-
Generate IAM credentials with access to manage ECS, RDS, and the other services in this project.
⚠️ You can alternatively give the IAM credentialsAdministratorAccess
but this is not recommended.
- Generate an APNS Certificate. Checkout https://github.com/micromdm/micromdm/blob/main/docs/user-guide/quickstart.md#configure-an-apns-certificate and https://micromdm.io/blog/certificates/ for info about this step.
-
brew install tfenv
-
Generate SCEP default CA files which outputs to a
depot
folder. This is required for the SCEP and NanoMDM containerssh scripts/depot.sh
-
Install Terraform 1.1.9
tfenv install 1.1.9
-
Create terraform variable files
cp terraform/example_tfvars/config.auto.tfvars.json terraform/config.auto.tfvars.json cp terraform/example_tfvars/example-secrets.auto.tfvar.json terraform/secrets.auto.tfvars.json cp terraform/example_tfvars/_backend.tf terraform/backend.tf
-
Fill in the secrets:
public_inbound_cidr_blocks_ipv4
domain_name
, which should beacme.co
(replace with your real domain name). Later, when you domake tf-apply
amdm-infra
subdomain will be automatically created:mdm-infra.acme.co
.public_key
<-- used for sshing to the ec2 instance which is pre-configured with access to the mysql rds instance where you need to later upload the mysql schema.
-
Activate Terraform 1.1.9 within tfenv
tfenv use 1.1.9
-
Configure AWS cli with the previously created IAM credentials.
-
Export all the vars!
export AWS_PROFILE={INSERT AWS_PROFILE_NAME HERE} export AWS_ACCOUNT_ID={INSERT ACCOUNT ID HERE}
Okay finally! Time to run Terraform...
-
Create the TF remote state. You don't have to use S3 backend and can use whatever you want but this project recommends an S3 bucket for ease of collaboration while working on Terraform.
make tf-remote-state-init
-
Copy outputted
bucket_name
to the corresponding filed interraform/backend.tf
. -
Copy your
mdm_push_cert.pem
into place. See Generate APNS Certificate for more info.
cp /path/to/mdm_push_cert.pem docker/config/certs/mdm_push_cert.pem
- Now the "first run" stuff can be launched. Among other things, this creates proper Route53 NS associations that can be used to manage all sub-domain or root domain operations for any of the required Route53 records within the module.
make tf-first-run
- Make note of the nameservers that were just created. Navigate to https://us-east-1.console.aws.amazon.com/route53/v2/hostedzones# and then click on your domain name.
- Point domain at these nameservers that you just noted. This process is external to AWS and will be specific to your registrar.
- WAIT FOR DNS PROPAGATION. This will take a while... go grab yourself a nice dinner.
- Confirm that the DNS has propagated by digging against various DNS providers like Google and CloudFlare.
dig @8.8.8.8 +short NS INSERT_YOUR_DOMAIN_HERE
dig @1.1.1.1 +short NS INSERT_YOUR_DOMAIN_HERE
- Run the plan
make tf-plan
- If the plan looks good...
make tf-apply
⚠️ This needs to be done before nanomdm will function properly.
-
Run the schema file. You can use the provided EC2 instance or any other way to upload the base SQL schema to the newly created RDS or your own RDS instance. You can grab the schema file at https://github.com/micromdm/nanomdm/blob/main/storage/mysql/schema.sql
-
Optional: ssh to the provided ec2 box
ssh -i ~/.ssh/ec2.pub [email protected]
-
Obtain the schema file.
curl https://raw.githubusercontent.com/micromdm/nanomdm/main/storage/mysql/schema.sql -o schema.sql
-
Run the schema file.
mysql -h ${RDS_HOST} -P 3306 -u ${USER_NAME} -p nanomdm < schema.sql
-
Force the ECS service to re-deploy:
make ecs-update-service CLUSTER=production-nanomdm-cluster SERVICE=nanomdm
Adjust
CLUSTER
andSERVICE
to match what you specified in Terraform app_variables
cat /path/to/mdm_push_cert.pem /path/to/mdmcert.download.push.key | curl -T - -u nanomdm:nanomdm 'https://mdm-infra.acme.co/v1/pushcert'
python3 ~/nanomdm/tools/cmdr.py InstallProfile config_profiles/desktop-setting.mobileconfig | curl -T - -u nanomdm:nanomdm 'https://mdm-infra.acme.co/v1/enqueue/UUID_GOES_HERE'
If you want to add additional services to the cluster, take a look at:
Example PR: #14
make tf-destroy
⚠️ You may have to manually delete some components of an RDS after runningterraform destroy
. See this github issue for more info.
You must enable these experimental docker features in your docker_config if building from m1 mac.
{
"experimental": true,
"features": {
"buildkit": true
}
}