loanpal-cf-resources v1.0.0

Published 11 months ago. License: ISC. Repository: github.

WIP

Attempting to create a completely automated environment-setup CI/CD pipeline with Seed.

This repo replaces infra-setup as the method of preparing a non-production environment for deployment of cf services.

In the process, a number of resources whose names were not stage-specific are being renamed to include the stage, so that multiple non-prod stages can be deployed to the same account.

Overview of steps:

  1. Create an AWS member account (organization)
  2. Create a deployment user (within the new member account)
  3. Create a stage-specific IoT certificate
  4. Verify the donotreply@loanpal.com sender address with SES
  5. Configure your stage in Seed

Step details:

  1. Create an AWS member account in the Master Organization
  2. Create a deployment user (in the new member account)
     a. No console access (don't create a password); the user is only ever used by Seed and the CLI.
     b. Grant required permissions - simply the AdministratorAccess policy for now. This is a long-lived, fully privileged credential that will live in Seed, so scope it down once the pipeline's real permission needs are known.
     c. Create an access key / secret key ==> NOTE the AccessKey/SecretKey: the secret is only shown at creation time, and both will be entered into the stage config in Seed.
     d. Add a profile entry in your local ~/.aws/config file to allow CLI functions. Note: this is only needed for step 3 or for dev & troubleshooting.

        [profile new-env-profile]
        region = us-west-2
        output = json
        aws_access_key_id = AccessKey
        aws_secret_access_key = SecretKey

        (The two key lines may instead go under [new-env-profile] in ~/.aws/credentials, which keeps secrets out of the config file.)

  3. Create a stage-specific IoT signing certificate - sadly still a manual step.
     * AWS IoT only generates the key pair and certificate via the console or CLI, not via CFn (AWS::IoT::Certificate needs a CSR or PEM whose private key you already hold). :(
     a. Create an IoT certificate and capture certificateArn from the output:

        aws iot create-keys-and-certificate --set-as-active --profile new-env-profile

        The same output also carries certificatePem and the keyPair (PublicKey/PrivateKey). The private key is returned only by this call and cannot be fetched from AWS later, so save it somewhere safe (not in the repo).
     b. Store the certificateArn in env:IOT_CERTIFICATE_ARN

  4. Verify the donotreply@loanpal.com account with SES
     a. An email will be sent to donotreply@loanpal.com containing a link that needs to be clicked to verify.
     b. After the email is verified, click the email address in SES | Email Addresses and copy the Identity ARN. Store this for later.

  5. Configure your stage in Seed
     a. Details are out of scope - see: https://seed.run/docs/
     b. Enter your Access/Secret Keys in Seed | Settings | AWS IAM INFO
     c. Enter your ENV variables in Seed | Settings | ENV VARIABLES:
        1. IOT_CERTIFICATE_ARN: the certificateArn from 3b above
        2. PROD_ES_HOST: the URL of the production ES endpoint - https://search-prod-shc4elk4uavimdwjeutycjk37i.us-west-2.es.amazonaws.com (include the https://)
        3. LAUNCH_DARKLY_SDK_KEY: create a new Launch Darkly SDK key for the environment and store it in the Seed env variables.
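Steps 2 through 4 above as one AWS CLI script, so the per-stage setup is repeatable and the one-time IoT key material is not left in a terminal scrollback. This is an added example, not code from the loanpal-cf-resources repo. It assumes AWS CLI v2 on PATH, a profile named new-env-profile (override with SETUP_PROFILE) that already has admin rights in the new member account, and a caller-chosen IAM user name and output directory; the stage name is checked against the Aurora naming rule from the Limitations section. SAMPLE_CERT_JSON is a constructed sample of the create-keys-and-certificate output, shape only, with no real key material.

```shell
#!/bin/sh
# Added example (not from loanpal-cf-resources): scripts README steps 2-4 with the AWS CLI.
# Assumes: AWS CLI v2 on PATH; profile "new-env-profile" (override with SETUP_PROFILE)
# already has admin rights in the new member account; the IAM user name and output
# directory are our own choices, not names from the project.
set -eu

PROFILE="${SETUP_PROFILE:-new-env-profile}"
REGION="${SETUP_REGION:-us-west-2}"

# Stage names end up in the Aurora database name (see Limitations): first char a letter,
# the rest alphanumeric. Returns 0 when valid, 1 otherwise.
valid_stage_name() {
    case "$1" in
        [A-Za-z]*) ;;                 # must begin with a letter
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9]*) return 1 ;;   # any non-alphanumeric char (e.g. "-") is invalid
    esac
    return 0
}

# Extract one string-valued key from the pretty-printed JSON the CLI emits with --output json.
# $1 = key name, stdin = JSON. Prints the raw (still JSON-escaped) value of the first match.
json_string_field() {
    sed -n 's/^[[:space:]]*"'"$1"'":[[:space:]]*"\(.*\)",\{0,1\}[[:space:]]*$/\1/p' | head -n 1
}

# Persist the output of `aws iot create-keys-and-certificate`.
# $1 = output dir, stdin = the CLI's JSON. Prints certificateArn (the value Seed needs).
# The private key is returned ONLY by this call; AWS never hands it out again.
save_iot_material() {
    dir="$1"
    json="$(cat)"
    mkdir -p "$dir"
    # printf %b turns the JSON "\n" escapes back into real newlines; umask 077 => files are 0600.
    ( umask 077
      printf '%b' "$(printf '%s\n' "$json" | json_string_field PrivateKey)"     > "$dir/private.pem.key"
      printf '%b' "$(printf '%s\n' "$json" | json_string_field PublicKey)"      > "$dir/public.pem.key"
      printf '%b' "$(printf '%s\n' "$json" | json_string_field certificatePem)" > "$dir/certificate.pem.crt" )
    printf '%s\n' "$json" | json_string_field certificateArn
}

# Step 2: deployment user with no console password, AdministratorAccess "for now", and one
# access key. The key JSON is printed once; paste it into Seed | Settings | AWS IAM INFO.
create_deployment_user() {   # $1 = IAM user name
    aws iam create-user --user-name "$1" --profile "$PROFILE" >/dev/null
    aws iam attach-user-policy --user-name "$1" --profile "$PROFILE" \
        --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
    aws iam create-access-key --user-name "$1" --profile "$PROFILE" --output json
}

# Step 3: stage-specific IoT certificate; prints the certificateArn for env:IOT_CERTIFICATE_ARN.
create_stage_certificate() {   # $1 = directory that receives the key material
    aws iot create-keys-and-certificate --set-as-active \
        --profile "$PROFILE" --region "$REGION" --output json | save_iot_material "$1"
}

# Step 4: sends the SES verification mail to the sender address.
verify_sender() {   # $1 = email address
    aws ses verify-email-identity --email-address "$1" --profile "$PROFILE" --region "$REGION"
}

main() {   # $1 = stage name
    stage="$1"
    valid_stage_name "$stage" || { echo "invalid stage name: $stage (see Limitations)" >&2; exit 1; }
    create_deployment_user "${DEPLOY_USER:-seed-deploy}"
    echo "IOT_CERTIFICATE_ARN=$(create_stage_certificate "./iot-$stage")"
    verify_sender donotreply@loanpal.com
}

# Constructed sample of the create-keys-and-certificate output (shape only, no real material),
# used to exercise save_iot_material offline.
SAMPLE_CERT_JSON='{
    "certificateArn": "arn:aws:iot:us-west-2:123456789012:cert/abc123",
    "certificateId": "abc123",
    "certificatePem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "keyPair": {
        "PublicKey": "-----BEGIN PUBLIC KEY-----\nMIIB...\n-----END PUBLIC KEY-----\n",
        "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
    }
}'

# Only touches AWS when asked explicitly:  RUN_ENV_SETUP=1 ./setup-stage.sh Stage01
if [ "${RUN_ENV_SETUP:-0}" = 1 ]; then
    main "$@"
fi
```

The guard at the bottom means the file can be sourced to test valid_stage_name and save_iot_material against the sample JSON without touching AWS; the key files land with mode 0600 because they are created under umask 077 rather than chmod'ed afterwards. The access-key JSON from step 2 is deliberately only printed, never written to disk.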

Limitations:

  • Stage name: because the Aurora database name is derived from the stage, the stage name must:
    • begin with a letter
    • contain only alphanumeric characters
    Examples: Stage01 = valid, Stage-1 = invalid

Implementation alterations:

  • Due to the default Account/Region limit of 5 VPCs, Aurora resources are deployed into the Lambda VPC instead of a separate Aurora VPC. This allows up to 4 stages in a single Account/Region (the default VPC occupies the fifth slot). If we need more than that, for example to support ephemeral stages for PR and/or branch deploys, we can request a service limit increase or create a single VPC per Account/Region and share it between ALL deployments in that Account/Region.

TODO:

  • Things to ease maintenance:
    • Add a "deployment" SNS topic?

CHANGES:

  • migrated common packages to /package.json
  • migrated shared code to /libs
  • added serverless-bundle to handle building with shared /libs/*
  • migrated the 'custom' section of serverless.yml to /serverless.common.yml to ensure all services have consistent configuration
  • migrated a number of step functions to lambda-backed CFn custom resources
