@myhelix-cdk/applications NPM

applications

A collection of standardized cdk Applications. These will generally handle everything involved, and are easily extensible to add additional resources on a per-service basis.

StaticSites

Sample implementation:

#!/usr/bin/env node
import 'source-map-support/register';
import applications = require('@myhelix-cdk/applications');

export class Health extends applications.StaticSiteLocalBase implements applications.IStaticSite {
  readonly certificateArn: string;
  readonly serviceName = 'health';

  constructor() {
    super();
    switch (this.namedEnv.name) {
      case 'hipaa-staging':
        this.certificateArn = 'arn:aws:acm:us-east-1:304674702989:certificate/249b461a-5a4b-4e13-91da-bdacd2757ccd';
        break;
      case 'hipaa-production':
        this.certificateArn = 'arn:aws:acm:us-east-1:032052122631:certificate/80572878-cadf-460a-8981-f24288b90148';
        break;
      default:
        throw new Error('unrecognized environment');
    }
  }
}

const health = new Health();
const app = health.staticSiteApp();

BuildScriptsWithRds

This is our most common legacy case. It deploys an Aurora RDS cluster and a lambda to populate that instance with a database and appropriate users. The lambda publishes db related secrets into our serialized secrets.

Usage (assumes a red-zone deploy). Start by generating the app.

cd $SERVICE
mkdir cdk
cd cdk
cdk init app --language typescript
rm -rf lib test

Take a look at the email app for an example of how to create code the app. You will also need to set up your packages.json with appropriate dependencies. You will need to provision legacy secrets to support the cutover. See BuildScriptsWithRdsProps for explicit descriptions of these and all the other paramters.

Next, deploy the infastructure and prepare for the cutover.

SERVICE=fulfillment
for p in platform-development hipaa-staging hipaa-production; do
  npx cdk --profile $p --require-approval never deploy ${SERVICE}-db-*-$p;
	aws --profile ${profile} lambda invoke --function-name ${SERVICE}-db-and-users-creator out --log-type Tail --query 'LogResult' --output text |  base64 -D
  npx cdk --profile $p --require-approval never deploy ${SERVICE}-migrator-$p;
done

# Populate any remaining secrets and confirm that secrets look right

npx cdk --profile platform-development deploy ${SERVICE}-pipeline

# review the first run of the pipeline and troubleshoot any issues.
# Note that goose must complete running successfully in all environments
# before we can set up the DMS run.

# connect to the staging VPN and then into the RDS db:
eval "$(hops db config -f eval -e hipaa-staging -s $SERVICE -u migrator)"

In the DMS console, you will find two endpoints $SERVICE-source and $SERVICE-target. Run the connectivity test and confirm connectivity. You can not run the migration task until you have confirmed connectivity, better to do that ahead of the maintance window.

Inside the DB, you will need to disable keys on all tables in preparation for the DMS run:

SHOW TABLES;
ALTER TABLE foo DISABLE KEYS;
...

Leave your SQL session open for after the migration.

At cutover time, first disable the legacy ECS cluster by updating desired count to 0 and stopping all instances. Confirm all instances are stopped by looking at connections to the legacy RDS database. Trigger the DMS migration task from the console. Most migrations take less than 5 min. Wait for the console to tell you that the migration has completed. In your SQL session: