loanpal-cf-resources
v1.0.0
Published
Attempting to create a completely automated environment setup CI/CD pipeline with Seed.
WIP
This repo replaces infra-setup as the method of preparing a non-production environment for deployment of cf services.
In the process, a number of resources that were not named stage-specifically are being renamed to include the stage, so that multiple non-prod stages can be deployed into the same account.
Overview of steps:
- Create an AWS member account (in the organization)
- Create a deployment user (within the new member account)
- Create a stage-specific IoT signing certificate
- Verify the SES sender address
- Configure your stage in Seed
Step details:
1. Create an AWS member account in the Master Organization.
2. Create a deployment user (in the new member account):
   a. No console access (don't create a password).
   b. Grant the required permissions. For now this is simply the AdministratorAccess policy; since this user's keys will live in Seed, scope it down to the permissions the stacks actually need once those are known.
   c. Create an access key / secret key pair. NOTE the AccessKey/SecretKey: they will be entered into the stage config in Seed.
   d. Add a profile entry to your local ~/.aws/config file to allow CLI use. Note: this is only needed for step 3 or for dev and troubleshooting. (The two key lines can equally go in ~/.aws/credentials under a `[new-env-profile]` section, which keeps secrets out of the config file.)

   ```ini
   [profile new-env-profile]
   region=us-west-2
   output=json
   aws_access_key_id=AccessKey
   aws_secret_access_key=SecretKey
   ```

3. Create a stage-specific IoT signing certificate. Sadly this is still a manual step: AWS only generates the key pair and certificate via the Console or CLI, not via CFn.
   a. Create an IoT certificate and capture certificateArn from the output:

   ```sh
   aws iot create-keys-and-certificate --set-as-active --profile new-env-profile
   ```

   The output also contains the private key, which is returned only this once: save it somewhere safe (or pass --private-key-outfile / --certificate-pem-outfile to write it straight to files) and keep it out of shared terminal logs.
   b. Store the certificateArn in the Seed env variable IOT_CERTIFICATE_ARN.
4. Verify the [email protected] account with SES.
   a. An email will be sent to [email protected] containing a link that must be clicked to verify.
   b. After the address is verified, click the email address under SES | Email Addresses and copy the Identity ARN. Store this for later.
5. Configure your stage in Seed.
   a. Details are out of scope; see https://seed.run/docs/
   b. Enter your Access/Secret Keys in Seed | Settings | AWS IAM INFO.
   c. Enter your ENV variables in Seed | Settings | ENV VARIABLES:
      - IOT_CERTIFICATE_ARN: the certificateArn captured in step 3 above
      - PROD_ES_HOST: the URL of the production ES endpoint (include the https://), e.g. [https://search-prod-shc4elk4uavimdwjeutycjk37i.us-west-2.es.amazonaws.com]
      - LAUNCH_DARKLY_SDK_KEY: create a new LaunchDarkly SDK key for the environment and store it in the Seed env variables.
Limitations:
- Stage name: as long as the Aurora database name is derived from the stage, the stage name must:
  - begin with a letter
  - contain only alphanumeric characters
  Examples: Stage01 = valid, Stage-1 = invalid
Implementation alterations:
- Due to the account/region limit of 5 VPCs, Aurora resources are deployed into the Lambda VPC instead of a separate Aurora VPC. This allows up to 4 stages in a single account/region. If we need more than that, for example to support ephemeral stages for PR and/or branch deploys, we can request a service limit increase, or create a single VPC per account/region and share it between ALL deployments in that account/region.
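The manual per-stage steps above (deployment profile, IoT certificate, SES identity), the stage-name rule and the VPC headroom check, as one shell script. This is an added example, not code from loanpal-cf-resources. It assumes the deployment user's keys are in the AWS CLI profile named by `PROFILE` (default `new-env-profile`), writes key material under `./secrets/<stage>` (this example's choice), takes the SES sender address as an argument rather than hard-coding it, and relies on the documented SES identity ARN format `arn:aws:ses:<region>:<account>:identity/<address>`. The only AWS calls it makes are the CLI equivalents of the steps already described; nothing runs unless `BOOTSTRAP_RUN=1` is set.

```sh
#!/bin/sh
# Added example, not part of loanpal-cf-resources.  Runs the per-stage manual
# steps from the README with the AWS CLI.  Assumptions (this example's, not the
# project's): keys for the deployment user live in the profile named PROFILE,
# key material goes under ./secrets/<stage>, and main only runs on request.
set -eu

PROFILE="${PROFILE:-new-env-profile}"

# Aurora derives the database name from the stage, so enforce the README's
# rule before touching AWS: first character a letter, the rest letters/digits.
validate_stage() {
  case "$1" in
    [A-Za-z]*) ;;                 # begins with a letter (also rejects empty)
    *) return 1 ;;
  esac
  case "$1" in
    *[!A-Za-z0-9]*) return 1 ;;   # any '-', '_', '.', space, etc. anywhere
  esac
  return 0
}

# Build the SES identity ARN without a console round-trip, using the
# documented format arn:aws:ses:<region>:<account>:identity/<address>.
ses_identity_arn() {
  printf 'arn:aws:ses:%s:%s:identity/%s' "$1" "$2" "$3"
}

# Stages that still fit under the VPC quota (default 5) when each stage brings
# its own Lambda VPC; the README's "up to 4 stages" is one VPC already in use.
vpc_stage_headroom() {
  vpcs_in_use="$1"; quota="${2:-5}"
  headroom=$((quota - vpcs_in_use))
  if [ "$headroom" -gt 0 ]; then echo "$headroom"; else echo 0; fi
}

# Step 3: create the stage's IoT signing certificate.  The private key is
# returned exactly once, so write it to a 0600 file rather than letting the
# CLI print it into terminal scrollback or a CI log.  Prints the certificateArn.
create_iot_certificate() {
  stage="$1"
  outdir="./secrets/${stage}"
  mkdir -p "$outdir"
  ( umask 077
    aws iot create-keys-and-certificate \
      --set-as-active \
      --certificate-pem-outfile "${outdir}/certificate.pem" \
      --public-key-outfile "${outdir}/public.key" \
      --private-key-outfile "${outdir}/private.key" \
      --query certificateArn --output text \
      --profile "$PROFILE" )
}

# Step 4: trigger the SES verification mail (the link still has to be clicked).
request_ses_verification() {
  aws ses verify-email-identity --email-address "$1" --profile "$PROFILE"
}

main() {
  stage="$1"; sender="$2"
  validate_stage "$stage" || { echo "invalid stage name: $stage" >&2; exit 2; }
  in_use=$(aws ec2 describe-vpcs --query 'length(Vpcs)' --output text --profile "$PROFILE")
  [ "$(vpc_stage_headroom "$in_use")" -gt 0 ] || { echo "no VPC headroom left" >&2; exit 3; }
  arn=$(create_iot_certificate "$stage")
  request_ses_verification "$sender"
  account=$(aws sts get-caller-identity --query Account --output text --profile "$PROFILE")
  region=$(aws configure get region --profile "$PROFILE")
  # Values to paste into Seed | Settings | ENV VARIABLES.
  echo "IOT_CERTIFICATE_ARN=$arn"
  echo "SES_IDENTITY_ARN=$(ses_identity_arn "$region" "$account" "$sender")"
}

# Usage: BOOTSTRAP_RUN=1 sh bootstrap-stage.sh Stage01 sender@example.com
if [ "${BOOTSTRAP_RUN:-0}" = "1" ]; then main "$@"; fi
```

The validator and the ARN/headroom helpers are pure so they can be exercised without credentials; the certificate and SES calls are the only parts that need the profile, and the private key never reaches stdout because `--query certificateArn` narrows the printed response to the ARN.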
TODO:
- Things to ease maintenance:
  - Add a "deployment" SNS topic?
CHANGES:
- migrated common packages to /package.json
- migrated shared code to /libs
- added serverless-bundle to handle building with shared /libs/*
- migrated the `custom` section of serverless.yml to /serverless.common.yml to ensure all services have consistent configuration
- migrated a number of step functions to Lambda-backed CFn custom resources