LazyStack

LazyStack AWS SMF Deployment Summary

Here is a technical overview of the SMF deployment. Review this overview to get an idea of what the install will do and what resources and skills you need to perform the install.

  • 1. Technical Skills and Knowledge
    • Some basic experience installing software on a workstation
    • Experience running scripts in a command terminal/window
    • Experience editing text files
    • We recommend having reviewed AWS Getting Started Guides

  • 2. Use Cases:
    • 2.1 Use Case: Install SMF
        Prerequisites:
        • - Workstation running an OS supporting PowerShell, .NET, AWS CLI, and AWS SAM CLI (ex: Windows 10, Linux, MacOS)
        • - Administrative workstation access to install and run software
        • - Credit card for creating AWS Management Account
        • - Unique email addresses (or aliases) for each AWS Account being created
        • - GitHub Account and Organization

        Time To Complete
        • - SMF Setup 11 - 25 minutes

        Costs - None

        These actions are performed on the Management Workstation and/or AWS Console. Much of the following configuration is automated with PowerShell scripts.
      • Configure LazyStack SMF Organization
        • SMF 1) Create GitHub Account
          • 1.1 Join GitHub
          • 1.2 Create GitHub Organization
          • 1.3 Install Git client
          • 1.4 Install "gh" (GitHub CLI)
          • 1.5 Create PetStore and LazyStackSmfUtil repositories
        • SMF 2) Configure Workstation
          • 2.1 Install PowerShell
          • 2.2 Install powershell-yaml
          • 2.3 Select "common" folder
          • 2.4 Clone InSciCo/LazyStackSMF
          • 2.5 Create LazyStack Settings Folder
          • 2.6 Generate GitHub Personal Access Tokens
        • SMF 3) Create AWS Management Account
          • 3.1 Sign up for AWS Account
          • 3.2 Create IAM User - OrgMgmt
          • 3.4 Install AWS CLI
          • 3.5 Create Named AWS Profile - OrgMgmt
          • 3.6 Secure your Root Credentials
          • 3.7 Install AWS SAM CLI
        • SMF 4) Create AWS Organization
          • Run LzConfigure.ps1 to:
            • Create Organizational Unit - DevOU
            • Create Organizational Unit - TestOU
            • Create Organizational Unit - ProdOU
            • Create Tutorial System with
              • Tutorial System Test Account
                • Create an AWS System Test Account - OrgTutTest
                • Move it under the Test Organizational Unit - TestOU
                • Create the Test Account IAM User OrgTutTestIAM
                • Create the Administrators group
                • Assign the IAM User to the Administrators group
                • Create a Management Workstation AWS profile with OrganizationalAccountAccessRole policy to allow Management account to administer the Test Account.
              • Tutorial System Production Account
                • Create a System Prod Account - OrgTutProd
                • Move it under the Prod Organizational Unit - ProdOU
                • Create the Prod Account IAM User OrgTutProdIAM
                • Create the Administrators group
                • Assign the IAM User to the Administrators group
                • Create a Management Workstation AWS profile with OrganizationalAccountAccessRole policy to allow Management account to administer the Production Account.
                • Configure Account to use GitHub Personal Access Token
              • Deploy CI/CD Pipelines
                • Test_PR_Create - deployed with cloudformation
                • Test_PR_Merge - deployed with cloudformation
                • Prod_PR_Merge - deployed with cloudformation

      • SMF 5) Create Developer AWS Sandbox Accounts
        • SMF 5.1 - Create Developer Account
          • Run LzNewDevAccount.ps1 script to:
            • Create AWS developer account - ex: OrgDevJoe
            • Move developer account into the Dev Organizational Unit
            • Create IAM User for the developer
            • Create Developers IAM Group having PowerUser and limited IAM permissions
            • Assign IAM User to IAM Group
            • Create named role profile - OrgDevJoeAccess
              OrganizationalAccountAccessRole policy allows Management account to administer the developer's Account.


    • 2.2 Use Case: Developer Publishes a Stack to their Development Account
        Prerequisites:
        • - Development Workstation Configuration Complete
      • Publish stack using AWS Toolkit Extension for Visual Studio IDE (Windows)
      • Publish stack using AWS SAM CLI

    • 2.3 Use Case: Developer Creates GitHub Pull Request
        Prerequisites:
        • - SMF Step 4 Complete
      • Test Account CodeBuild Project publishes stack for PR
      • AwsSettings.json file generated and checked into PR branch

    • 2.4 Use Case: Developer Updates GitHub Pull Request
        Prerequisites:
        • - SMF Step 4 Complete
      • Test Account CodeBuild Project updates stack for PR
      • AwsSettings.json file generated and checked into PR branch

    • 2.5 Use Case: GitHub Pull Request is merged
        Prerequisites:
        • - SMF Step 4 Complete
      • Test Account CodeBuild Project deletes stack for PR
      • Prod Account CodeBuild Project creates/updates Production stack
      • AwsSettings.json file generated and checked into main branch

  • 3. Typical Customer Deployment AWS Resources
    • AWS Organization
      • Management Account - OrgMgmt
        • Member of IAM User Group - Administrators
          • AWS Policy AdministratorAccess
        • IAM User - OrgMgmt
        • Member of Administrators User Group
      • Development Organizational Unit - DevOU
        • Developer account(s) - ex: OrgDevJoe
          • Customer Policy IAMUserCredsPolicy (see IAMUserCredsPolicy.json)
            • AllowViewAccountInfo
            • AllowManageOwnPasswords
            • AllowManageOwnAccessKeys
            • AllowManageOwnSSHPublicKeys
          • IAM User Group Developers
            • AWS Policy PowerUserAccess
            • Customer Policy IAMUserCredsPolicy
          • IAM User - OrgDevJoe
            • Member of Developers User Group
      • Test Organizational Unit - TestOU
        • System Test Account - OrgSysTest
          • Administrators User Group
            • AWS Policy AdministratorAccess
          • IAM User - OrgSysTest
            • Member of Administrators User Group
          • CodeBuild Connection to GitHub repository
          • Test_CodeBuild_PR_Create.yaml template - CodeBuild Project to Create/Update test stack for a new/updated Pull Request
              CodeBuild Project Stack Resources:
            • AWS::S3::Bucket - build artifacts
            • AWS::CodeBuild::Project
              • Webhook on PR Create/Update
              • Inline Script for Build, Test, and Deploy

                    version: 0.2
                    env:
                      # let git use the CodeBuild source credentials for the push at the end of the build
                      git-credential-helper: yes
                    phases:
                      build:
                        commands:
                          # example GitHub ref: refs/heads/F1 -> feature branch F1, which also names the test stack
                          - echo $CODEBUILD_WEBHOOK_HEAD_REF
                          - FeatureBranch="$(basename $CODEBUILD_WEBHOOK_HEAD_REF)"
                          - stack=$FeatureBranch

                          # build all Lambda projects (and their dependencies); $proj rather than ${proj} so it is not taken for a CloudFormation substitution
                          - for proj in Lambdas/*/*.csproj; do eval "dotnet build $proj --configuration Release"; done

                          # $stack is expanded by the build shell; ${S3} and ${AWS::Region} are substituted by CloudFormation when the template is deployed
                          - eval "sam deploy -t Stacks/Test/serverless.template --stack-name $stack --s3-bucket ${S3} --capabilities CAPABILITY_NAMED_IAM --region ${AWS::Region}"
                          - pwsh -Command "../LzSmfUtil/GetAwsSettings $stack Stacks/Test/AwsSettings.json"

                          - git config user.name "CodeBuild"
                          - git config user.email CodeBuild@example.com
                          - git checkout $FeatureBranch

                          - git add Stacks/Test/AwsSettings.json
                          - git commit -m "Update AwsSettings.json for PR Stack"
                          - git push --set-upstream origin HEAD:$FeatureBranch
            • AWS::IAM::Role - CodeBuildRole
            • AWS::IAM::Policy - CodeBuildPolicy
          • Test_CodeBuild_PR_Merge.yaml template - CodeBuild Project stack to Delete test stack for a merged Pull Request
              CodeBuild Project Stack Resources:
            • AWS::S3::Bucket - build artifacts
            • AWS::CodeBuild::Project
              • Webhook on PR Merge
              • Inline Script for delete stack

                    version: 0.2
                    env:
                      # let git use the CodeBuild source credentials for the push at the end of the build
                      git-credential-helper: yes
                    phases:
                      build:
                        commands:
                          # example GitHub ref: refs/heads/F1 -> feature branch F1, which names the test stack to delete
                          - echo $CODEBUILD_WEBHOOK_HEAD_REF
                          - FeatureBranch="$(basename $CODEBUILD_WEBHOOK_HEAD_REF)"
                          - stack=$FeatureBranch

                          # remove the test stack that was created for this pull request
                          - eval "aws cloudformation delete-stack --stack-name $stack"

                          - git config user.name "CodeBuild"
                          - git config user.email CodeBuild@example.com
                          - git checkout $FeatureBranch

                          - git rm Stacks/Test/AwsSettings.json
                          - git commit -m "Deleted AwsSettings.json for PR Stack"
                          - git push --set-upstream origin HEAD:$FeatureBranch
            • AWS::IAM::Role - CodeBuildRole
            • AWS::IAM::Policy - CodeBuildPolicy
      • Prod Organizational Unit - OrgProdOU
        • System Production Account - OrgSysProd
          • Administrators User Group
            • AWS Policy AdministratorAccess
          • IAM User - OrgSysProd
            • Member of Administrators User Group
          • CodeBuild Connection to GitHub repository
          • Prod_CodeBuild_PR_Merge.yaml template - CodeBuild Project Stack to Create/Update Prod stack for a merged Pull Request
              CodeBuild Project Stack Resources:
            • AWS::S3::Bucket - build artifacts
            • AWS::CodeBuild::Project
              • Webhook on PR Merge
              • Inline Script for Build and Deploy

                    version: 0.2
                    env:
                      # let git use the CodeBuild source credentials for the push at the end of the build
                      git-credential-helper: yes
                    phases:
                      build:
                        commands:
                          # the production stack name comes from the ProdStackNameParam template parameter (substituted by CloudFormation), not from the branch
                          - stack=${ProdStackNameParam}

                          # build all Lambda projects (and their dependencies); $proj rather than ${proj} so it is not taken for a CloudFormation substitution
                          - for proj in Lambdas/*/*.csproj; do eval "dotnet build $proj --configuration Release"; done

                          # $stack is expanded by the build shell; ${S3} and ${AWS::Region} are substituted by CloudFormation when the template is deployed
                          - eval "sam deploy -t Stacks/Prod/serverless.template --stack-name $stack --s3-bucket ${S3} --capabilities CAPABILITY_NAMED_IAM --region ${AWS::Region}"
                          - pwsh -Command "../LzSmfUtil/GetAwsSettings $stack Stacks/Prod/AwsSettings.json"

                          - git config user.name "CodeBuild"
                          - git config user.email CodeBuild@example.com
                          - git checkout main

                          - git add Stacks/Prod/AwsSettings.json
                          - git commit -m "Update AwsSettings.json for Prod Stack"
                          - git push --set-upstream origin HEAD:main
            • AWS::IAM::Role - CodeBuildRole
            • AWS::IAM::Policy - CodeBuildPolicy
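The two Test Account buildspecs above take the stack name straight from the webhook head ref (basename of refs/heads/<branch>) and hand it to an eval'd sam deploy or delete-stack command. The POSIX shell function below, added here as an example and not part of the LazyStack SMF templates, performs the same derivation and then checks the result against CloudFormation's stack-name rules (a letter first, then only letters, digits and hyphens, at most 128 characters) so that a branch name the stack API would reject, or one carrying shell metacharacters, fails the build before the eval runs; the function name and the sample refs are constructed.

```shell
#!/bin/sh
# Added example, not LazyStack SMF code: derive and validate the CloudFormation
# stack name from CODEBUILD_WEBHOOK_HEAD_REF before it reaches "eval sam deploy".

stack_name_from_ref() {
    ref="$1"
    # Same derivation as the buildspecs: refs/heads/F1 -> F1
    # (${ref##*/} is the POSIX equivalent of basename for refs of that form)
    name="${ref##*/}"
    # Must start with a letter; this also rejects names beginning with "-"
    case "$name" in
        [A-Za-z]*) ;;
        *) return 1 ;;
    esac
    # Only letters, digits and hyphens may follow, so nothing the shell
    # treats specially (; $ ` space ...) survives into the eval'd command
    case "$name" in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    # CloudFormation caps stack names at 128 characters
    [ "${#name}" -le 128 ] || return 1
    printf '%s\n' "$name"
}

# Intended use in the build phase (constructed):
#   stack="$(stack_name_from_ref "$CODEBUILD_WEBHOOK_HEAD_REF")" || { echo "branch name is not a valid stack name"; exit 1; }
```

The same check applies to the PR_Merge buildspec, where the derived name selects the stack that delete-stack removes.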

  • 4. Deployment Naming
    • OrgCode + SysCode prefix to be used for system test and system production accounts

  • 5. Architectural Diagrams
    • Software Management Framework Flow

    • AWS Organization Overview

    • AWS CodeBuild and Cloud Formation Services

    • AWS Root and IAM Users with Management and Development workstation AWS Profiles

    • CI/CD Stacks

  • 6. Security References

  • 7. AWS Costs
    All resources used in the SMF qualify for usage under the free tier.

  • 8. AWS Sizing
    • Since the SMF is a development tool, sizing considerations are not relevant for small to medium sized teams.