Turnkey AWS with Paco: Create and Manage a WordPress server — Part 1

By Kevin Teague
Published on Jan 07, 2020

Turnkey AWS with Paco

Waterbear Cloud was started with the vision of making cloud management more modular. We wanted to be able to re-use the code we wrote as cloud consultants between multiple projects. We dreamed of having complete turnkey AWS solutions that we could use as starting points for creating new Infrastructure as Code projects. That dream turned into an open source tool that we named Paco.

Today we are starting a new blog post series we’re calling Turnkey AWS with Paco. In this series we’ll show you how to use Paco to create different turnkey AWS solutions with Paco’s templated starter project feature.

Prescribed Automation for Cloud Orchestration

Paco is an acronym for Prescribed Automation for Cloud Orchestration. Paco is in the class of Infrastructure as Code tools, also sometimes called cloud orchestration. This type of tool automates the creation and configuration of cloud resources. Rather than manually creating cloud infrastructure and configuring it, code drives all of this activity by calling APIs.

We saw that much of the automation and configuration for cloud projects is repetitive — we built Paco to include these repetitive features directly in the tool. This enables you to create complete Infrastructure as Code projects without writing any code.

The Paco starter projects feature asks you some basic questions about your project and creates you a complete ready-to-run Paco project. What may have taken you weeks or months to build using lower level Infrastructure as Code tooling can now be created in minutes.

Turnkey WordPress on AWS with Paco

For this first turnkey solution, we’ll show you a simple Paco starter project: a budget-conscious, single-tier WordPress server.

When architecting a WordPress solution on AWS, you can have either single-tier or multi-tier. With single-tier you run everything, including the MySQL database, on one EC2 instance. With multi-tier there will be a load balancer, one or more web servers, and a database server. While the single-tier solution is cheaper to run, multi-tier benefits from increased reliability and can handle higher traffic loads. Today we’ll show you the more simple single-tier solution.

To try this solution yourself, you will follow five steps:

  1. Install Paco.
  2. Create a Paco project with a single-tier WordPress starter project.
  3. Connect your new Paco project to your AWS account.
  4. Provision a WordPress environment in your AWS account.
  5. Access your new WordPress server.

After your WordPress is running, we will give you a tour of the AWS resources Paco has created and show you further customizations you can do with Paco.

1. Install Paco

Start at the Paco web site and follow the Paco Installation docs to install the Paco command-line interface.

Hint: if you already have Python 3.6 or higher installed, you can run pip install paco-cloud to install Paco.

2. Create a Paco project using the WordPress-single-tier starter project

With Paco installed, you will run the paco init project <project-name> command to create a new Paco project. Paco projects are a collection of YAML files that declare your cloud resources. You can create a Paco project from scratch, but the paco init project command will get you up and running much quicker with a ready-to-go project.

Run paco init project wp-paco and answer the following prompts. This will create a new directory named wp-paco in your current working directory. You will need to know your AWS account id and root email for the last two prompts:

$ paco init project wp-paco

Paco project initialization
About to create a new Paco project directory at /Users/username/wp-paco

Choose a starter project template:

1: simple-web-app
   A minimal skeleton with a simple web application.
2: wordpress-single-tier
   A single-tier WordPress application.
3: managed-webapp-cicd
   A managed web application with CI/CD and dev/staging/prod environments.
4: s3lambda
   An S3 Bucket that notifies a Lambda which replicates additions/deletions to S3 Bucket(s) in other regions.

Enter a number or name: 2
Project title - Long description for this Paco project:
WordPress Test

NetworkEnvironment name - short alphanumeric string used to name cloud resources:

NetworkEnvironment title - Long description for a NetworkEnvironment:
WordPress Network

Application name - short alphanumeric string used to name cloud resources:

Application title -Long description for this application:
WordPress Site

AWS Region name - e.g. us-west-2, us-east-1 or ca-central-1:

AWS account id this project will connect to:

Root email for the AWS account to connect to:

After you’ve finished, you will have a wp-paco directory that looks like this:

Your Paco project created from the wordpress-single-tier starter project

3. Connecting Paco to your AWS Account

The next step is to connect your new Paco project to your AWS account. Back on the Paco docs site, follow the Getting Started with Paco instructions to create an IAM User and Role and then run paco init credentials to connect your newly created Paco project to your AWS account.

4. Prepare an SSH keypair and get the Bitnami Ami Id from AWS Marketplace

You are almost ready to provision your WordPress network and server. First though, you will need to create an EC2 SSH keypair. Run the paco provision command to create an EC2 keypair:

paco provision resource.ec2.keypairs

Copy the PEM file output on your terminal, starting at the BEGIN RSA PRIVATE KEY line up to the END RSA PRIVATE KEY and create a new file from it. You can use this PEM file to SSH to your new server:

EC2 Service: keypairs: pacokeypair: Key pair created successfully.
pacokeypair: Account: master
pacokeypair: Region: ca-central-1
pacokeypair: Fingerprint: 47:a1:5c:90:60:e0:d5:25:8e
pacokeypair: Key:
MIIEogIBA...<keypair-encoded here>...T3yWZJcsD42/JGEFw=
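
Anyone who can read the PEM file can SSH to the server, so the file should be created with owner-only permissions. As an added example (not from the original post or the Paco project), the shell function below keeps only the PEM block from pasted terminal output and writes it with mode 0600; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the Paco project): save the key that
# `paco provision resource.ec2.keypairs` prints, readable only by its owner.
# Function names and file paths here are illustrative assumptions.

# save_private_key <output-file>
# Reads captured terminal output on stdin, keeps only the PEM block and writes
# it to <output-file> with mode 0600. Never overwrites an existing file.
save_private_key() {
    out=$1
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing file: $out" >&2
        return 1
    fi
    # umask 077 in a subshell: the file is created 0600 from the start, so the
    # key is never readable by other local users, not even briefly.
    (
        umask 077
        sed -n '/-----BEGIN RSA PRIVATE KEY-----/,/-----END RSA PRIVATE KEY-----/p' > "$out"
    ) || return 1
    # A truncated paste has no END line; discard it instead of keeping half a key.
    if ! grep -q -- '-----END RSA PRIVATE KEY-----' "$out"; then
        rm -f "$out"
        echo "no complete RSA private key block found on stdin" >&2
        return 1
    fi
}

# key_mode <file>: print the permission string, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Constructed sample of the terminal output; the body is a placeholder, not a key.
sample_output() {
    cat <<'EOF'
pacokeypair: Region: <region>
pacokeypair: Key:
-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----
EOF
}
```

Run save_private_key with the target path, paste the terminal output and press Ctrl-D. The ssh client refuses private key files that other users can read, so the 0600 mode is also what makes ssh -i accept the file.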

If you already have an EC2 keypair that you want to use, you could instead edit the resource/ec2.yaml file in your Paco project and enter the name of your EC2 keypair:

keypair_name: "<your-ec2-keypair-name>"

Visit the AWS Marketplace and subscribe to the WordPress Certified by Bitnami and Automattic product. This is a free subscription — you will only be charged for your normal AWS EC2 instance costs.

Click on “Continue to Subscribe” then “Continue to Configuration”, and on the configuration page select the same AWS Region you entered when you created your Paco project. Choose US West (Oregon) if you followed this blog post example and entered us-west-2. Copy the Ami Id shown.

In your Paco project, open the netenv/wnet.yaml file and enter the Ami Id you copied on the instance_ami line:

enabled: true
instance_ami: # ToDo: Put the AMI ID for "WordPress Certified by Bitnami and Automattic" from the AWS Marketplace
instance_ami_type: ubuntu
instance_key_pair: paco.ref resource.ec2.keypairs.pacokeypair

You should have something like this:

enabled: true
instance_ami: ami-0af7f24f3045796de
instance_ami_type: ubuntu
instance_key_pair: paco.ref resource.ec2.keypairs.pacokeypair

Note that this Ami Id is for us-west-2 from December 6th. These Ami Ids will change per region and over time as Bitnami releases updated Ami Ids, so you should follow the above process of getting the latest Ami Id from the AWS Marketplace.
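
Because the Ami Id is pasted in by hand, it is worth checking it before provisioning. The following is an added example, not part of the original post or of Paco: a pre-flight check that the instance_ami line has been filled in with a well-formed AMI ID, plus an optional lookup of who publishes the image. The function names are illustrative, and the lookup assumes the AWS CLI is installed and configured.

```sh
#!/bin/sh
# Added example (not from the Paco project): pre-flight check of instance_ami
# before `paco provision`. Function names are illustrative assumptions.

# ami_from_netenv <yaml>: print the first instance_ami value, without comments
# or quotes. Prints an empty line when only the ToDo comment is present.
ami_from_netenv() {
    sed -n 's/^[[:space:]]*instance_ami:[[:space:]]*\([^#[:space:]]*\).*$/\1/p' "$1" |
        head -n 1 | tr -d "\"'"
}

# ami_id_is_wellformed <id>: "ami-" plus 8 (older) or 17 hex digits.
ami_id_is_wellformed() {
    printf '%s\n' "$1" | grep -Eq '^ami-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# check_netenv_ami <yaml>: print the AMI ID and return 0 only if it is usable.
check_netenv_ami() {
    ami=$(ami_from_netenv "$1")
    if [ -z "$ami" ]; then
        echo "$1: instance_ami is empty (ToDo not replaced)" >&2
        return 1
    fi
    if ! ami_id_is_wellformed "$ami"; then
        echo "$1: instance_ami '$ami' is not a well-formed AMI ID" >&2
        return 2
    fi
    printf '%s\n' "$ami"
}

# ami_owner_alias <region> <ami-id>: ask AWS who publishes the image.
# Needs the AWS CLI and credentials, so it is defined here but not called.
# An image from the AWS Marketplace reports the alias "aws-marketplace".
ami_owner_alias() {
    aws ec2 describe-images --region "$1" --image-ids "$2" \
        --query 'Images[0].ImageOwnerAlias' --output text
}
```

Run check_netenv_ami netenv/wnet.yaml from the project directory, then pass the printed ID and your region to ami_owner_alias; any answer other than aws-marketplace means the ID is not the Marketplace image you subscribed to.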

5. Provision your WordPress server

Now you are ready to provision your WordPress server! Run the provision command against the prod environment in your wnet network environment:

paco provision netenv.wnet.prod

This will take some time, as AWS provisions the resources needed to support your WordPress environment.

6. Check out your new WordPress server

Now you should be able to see your WordPress server running. Go to the AWS console, open the EC2 service in your region and choose Instances in the left menu. Find your new Elastic IP address for your server:

Note: It will take a couple minutes the first time your server launches to initialize and attach the Elastic IP to the server. An attached Elastic IP will show as a blue hyperlink. Next you will have to wait a few minutes while the Bitnami server is copied from the AMI onto your dedicated WordPress volume. In all, you may have to wait 5–7 minutes after your server launches the first time.

Enter the IP address into your web browser and you should see your new WordPress site running:

Explore your new WordPress environment

To use this WordPress site, you will need the initial user credentials. Follow the instructions on how to Find Application Credentials on the Bitnami site. Note that as additional system logs have run in this set-up, you will not be able to use the AWS console method to find your starting password — you will need to follow “Option 2: Find Credentials By Connecting To Your Application Through SSH”. When you SSH to your server, you will use the SSH keypair that you created in step 4.

Explore your AWS resources

Paco uses the native AWS CloudFormation service to provision resources. Paco consumes a Paco project of declarative YAML files and generates CloudFormation code, which it sends to AWS to create CloudFormation stacks. Paco organizes your CloudFormation stacks cleanly by NetworkEnvironment, Environment, and Application.

If you go to the CloudFormation service in your AWS console, you can see all of the CloudFormation stacks that Paco created for you:

Paco gives consistent names to all resources it creates. You can see at a glance stacks created for networking and stacks created for an application.

For the network, a VPC has been created with a public subnet for the WordPress server and SecurityGroups to control access to the server.

For the application, an AutoScalingGroup has been created, along with an Instance Role and an Elastic IP. An EBS volume has also been created to contain all the files for the WordPress server.

Part 2: Customize your WordPress environment

You’ve now got a WordPress environment running, but if you wanted to use this server for real-world use, getting the core resources provisioned is not even half the battle.

Part 2 of this blog post will cover:

  • Create a domain name with Route 53
  • Secure your server by removing SSH access
  • Turn on AWS Backup to prevent data loss
  • Enable monitoring and alerting
  • Increase the server size to handle higher traffic

… or clean-up and delete your WordPress environment

Otherwise, if you were just giving this walk through a trial run and are finished with your WordPress environment, you can delete everything with the paco delete command:

paco delete netenv.wnet.prod

You may also want to visit the CloudFormation service and manually delete the stack that you created in the Getting Started with Paco instructions to delete the AWS User and Role that were used by Paco to connect to your AWS account. However, these resources do not cost any money, so you could leave them in-place if you’re planning on using Paco again in the future.

Professional Paco by Waterbear Cloud

Want professional Paco help? Talk to Waterbear Cloud for custom Paco work and complete AWS solutions.