LazyStack
LazyStack AWS SMF Deployment Summary
Here is a technical overview of the SMF deployment. Review this overview to get an idea of what the install will do and what resources and skills you need to perform the install.
- 1. Technical Skills and Knowledge
- Some basic experience installing software on a workstation
- Experience running scripts in a command terminal/window
- Experience editing text files
- We recommend having reviewed AWS Getting Started Guides
- 2. AWS Costs
- All resources used in the SMF qualify for usage under the free tier:
- AWS Pricing Overview
- AWS Free Tier
- AWS CodeBuild
- AWS S3
- Services used in typical Serverless Stacks (these are also in the free tier):
Most services have "caps" on usage beyond which costs will accrue. In addition, some services are in the free tier only for the first 12 months of usage. Review the AWS pricing pages to understand these pricing models and budget accordingly.
- 3. Use Cases:
- 2.1 Use Case: Install SMF
- Prerequisites:
-
- - Workstation running an OS supporting PowerShell, .NET, AWS CLI, and AWS SAM CLI (ex: Windows 10, Linux, MacOS)
- - Administrative workstation access to install and run software
- - Credit card for creating AWS Management Account
- - Unique email addresses (or aliases) for each AWS Account being created
- - GitHub Account and Organization
- Time To Complete
-
- - SMF Setup 11 - 25 minutes
- Costs - None
- These actions are performed on the Management Workstation
and/or AWS Console. Much of the following configuration are are automated with PowerShell
scripts.
- Configure LazyStack SMF Organization
- SMF 1) Create GitHub Account
- 1.1 Join GitHub
- 1.2 Create GitHub Organization
- 1.3 Install Git client
- 1.4 Install "gh" (GitHub CLI)
- 1.4 Create PetStore and LazyStackSmfUtil repositories
- SMF 2) Configure Workstation
- 2.1 Install PowerShell
- 2.2 InstaLL powershell-yaml
- 2.3 Select "common" folder
- 2.4 Clone InSciCo/LazyStackSMF
- 2.5 Create LazyStack Settings Folder
- 2.6 Generate GitHub Personal Access Tokens
- SMF 3) Create AWS Management Account
- 3.1 Sign up for AWS Account
- 3.2 Create IAM User - OrgMgmt
- 3.4 Install AWS CLI
- 3.5 Create Named AWS Profile - OrgMgmt
- 3.6 Secure your Root Credentials
- 3.7 Install AWS SAM CLI
- SMF 4) Create AWS Organization
- Run LzConfigure.ps1 to:
- Create Organizational Unit - DevOU
- Create Organizational Unit - TestOU
- Create Organizational Unit - ProdOU
- Create Tutorial System with
- Tutorial System Test Account
- Create an AWS System Test Account - OrgTutTest
- Move it under the Test Organizational Unit - TestOU
- Create the Test Account IAM User OrgTutTestIAM
- Create the Administrators group
- Assign the IAM User to the Administrators group
- Create a Management Workstation AWS profile with OrganizationalAccountAccessRole policy to allow Management account to administer the Test Account.
- Tutorial System Production Account
- Create a System Prod Account - OrgTutProd
- Move it under the Prod Organizational Unit - ProdOU
- Create the Prod Account IAM User OrgTutProdIAM
- Create the Administrators group
- Assign the IAM User to the Administrators group
- Create a Management Workstation AWS profile with OrganizationalAccountAccessRole policy to allow Management account to administer the Production Account.
- Configure Account to use GitHub Personal Access Token
- Deploy CI/CD Pipelines
- Test_PR_Create - deployed with cloudformation
- Test_PR_Merge - deployed with cloudformation
- Prod_PR_Merge - deployed with cloudformation
- Tutorial System Test Account
- Run LzConfigure.ps1 to:
- SMF 1) Create GitHub Account
- SMF 5) - Create Developer AWS Sandbox Accounts
- SMF 2.1 - Create Developer Account
- Run LzNewDevAccount.ps1 script to:
- Create AWS developer account - ex: OrgDevJoe
- Move developer account into the Dev Organizational Unit
- Create IAM User for the developer
- Create Developers IAM Group having PowerUser and limited IAM permissions
- Assign IAM User to IAM Group
- Create named role profile - OrgDevJoeAccess
OrganizationalAccountAccessRole policy allows Management account to administer the developer's Account.
- Run LzNewDevAccount.ps1 script to:
- SMF 2.1 - Create Developer Account
-
- 2.2 Use Case: Developer Publishes a Stack to their Development Account
- Prerequisites:
-
- - Development Workstation Configuration Complete
- Publish stack using AWS Toolkit Extension for Visual Studio IDE (Windows)
- Publish stack using AWS SAM CLI
-
- 2.3 Use Case: Developer Creates GitHub Pull Request
- Prerequisites:
-
- - SMF Step 4 Complete
- Test Account CodeBuild Project publishes stack for PR
- AwsSettings.json file generated and checked into PR branch
-
- 2.4 Use Case: Developer Updates GitHub Pull Request
- Prerequisites:
-
- - SMF Step 4 Complete
- Test Account CodeBuild Project updates stack for PR
- AwsSettings.json file generated and checked into PR branch
-
- 2.5 Use Case: GitHub Pull Request is merged
- Prerequisites:
-
- - SMF Step 4 Complete
- Test Account CodeBuild Project deletes stack for PR
- Prod Account CodeBuild Project creates/updates Production stack
- AwsSettings.json file generated and checked into main branch
-
- 2.1 Use Case: Install SMF
- 4. Typical Customer Deployment AWS Resources
- AWS Organization
- Management Account - OrgMgmt
- Member of IAM User Group - Administrators
- AWS Policy AdministratorAccess
- IAM User - OrgMgmt
- Member of Administrators User Group
- Management Account - OrgMgmt
- Development Organizational Unit - DevOU
- Developer account(s) - ex: OrgDevJoe
- Customer Policy IAMUserCredsPolicy (see IAMUserCredsPolicy.json)
- AllowViewAccountInfo
- AllowManageOwnPasswords
- AllowManageOwnAccessKeys
- AllowManageOwnSSHPublicKeys
- IAM User Group Developers
- AWS Policy PowerUserAccess
- Customer Policy IAMUserCredsPolicy
- IAM User - OrgDevJoe
- Member of Developers User Group
- Customer Policy IAMUserCredsPolicy (see IAMUserCredsPolicy.json)
- Developer account(s) - ex: OrgDevJoe
- Test Organizational Unit - TestOU
- System Test Account - OrgSysTest
- Administrators User Group
- AWS Policy AdministratorAccess
- IAM User - OrgSysTest
- Member of Administrators User Group
- CodeBuild Connection to GitHub repository
- Test_CodeBuild_PR_Create.yaml template - CodeBuild Project to Create/Update test
stack for a new/updated Pull Request
- CodeBuild Project Stack Resources:
- AWS::S3::Bucket - build artifacts1
- AWS::CodeBuild::Project
- Webhook on PR Create/Update
- Inline Script for Build, Test, and Deploy
version: 0.2 env: git-credential-helper: yes phases: build: commands: # example GitHub refs/heads/F1 - echo $CODEBUILD_WEBHOOK_HEAD_REF - FeatureBranch="$(basename $CODEBUILD_WEBHOOK_HEAD_REF)" - stack=$FeatureBranch # build all Lambda projects (and their dependencies) - for proj in Lambdas/*/*.csproj; do eval "dotnet build ${proj} --configuration Release"; done # $stack is replaced by csh - eval "sam deploy -t Stacks/Test/serverless.template --stack-name $stack --s3-bucket ${S3} --capabilities CAPABILITY_NAMED_IAM --region ${AWS::Region}" - pwsh -Command "../LzSmfUtil/GetAwsSettings $stack Stacks/Test/AwsSettings.json" - git config user.name "CodeBuild" - git config user.email CodeBuild@example.com - git checkout $FeatureBranch - git add Stacks/Test/AwsSettings.json - git commit -m "Update AwsSettings.json for PR Stack" - git push --set-upstream origin HEAD:$FeatureBranch
- AWS::IAM::Role - CodeBuildRole
- AWS::IAM::Policy - CodeBuildPolicy
- Test_CodeBuild_PR_Merge.yaml template - Codebuild Project stack to Delete test
stack for for a merged Pull Request
- CodeBuild Project Stack Resources:
- AWS::S3::Bucket - build artifacts1
- AWS::CodeBuild::Project
- Webhook on PR Merge
- Inline Script for delete stack
version: 0.2 env: git-credential-helper: yes phases: build: commands: # ex for GitHub refs/heads/F1 - echo $CODEBUILD_WEBHOOK_HEAD_REF - FeatureBranch="$(basename $CODEBUILD_WEBHOOK_HEAD_REF)" - stack=$FeatureBranch - eval "aws cloudformation delete-stack --stack-name $stack" - git config user.name "CodeBuild" - git config user.email CodeBuild@example.com - git checkout $FeatureBranch - git rm Stacks/Test/AwsSettings.json - git commit -m "Deleted AwsSettings.json for PR Stack" - git push --set-upstream origin HEAD:$FeatureBranch
- AWS::IAM::Role - CodeBuildRole
- AWS::IAM::Policy - CodeBuildPolicy
- Administrators User Group
- System Test Account - OrgSysTest
- Prod Organizational Unit - OrgProdOU
- System Production Account - OrgSysProd
- Administrators User Group
- AWS Policy AdministratorAccess
- IAM User - OrgSysProd
- Member of Administrators User Group
- CodeBuild Connection to GitHub repository
- Prod_CodeBuild_PR_Merge.yaml template - CodeBuild Project Stack to Create/Update
Prod stack for a merged Pull Request
- CodeBuild Project Stack Resources:
- AWS::S3::Bucket - build artifacts1
- AWS::CodeBuild::Project
- Webhook on PR Merge
- Inline Script for Build, and Deploy
version: 0.2 env: git-credential-helper: yes phases: build: commands: # build all Lambda projects (and their dependencies) - for proj in Lambdas/*/*.csproj; do eval "dotnet build ${proj} --configuration Release"; done - eval "sam deploy -t Stacks/Prod/serverless.template --stack-name ${ProdStackNameParam} --s3-bucket ${S3} --capabilities CAPABILITY_NAMED_IAM --region ${AWS::Region}" - pwsh -Command "../LzSmfUtil/GetAwsSettings $stack Stacks/Prod/AwsSettings.json" - git config user.name "CodeBuild" - git config user.email CodeBuild@example.com - git checkout main - git add Stacks/Prod/AwsSettings.json - git commit -m "Update AwsSettings.json for Prod Stack" - git push --set-upstream origin HEAD:main
- AWS::IAM::Role - CodeBuildRole
- AWS::IAM::Policy - CodeBuildPolicy
- Administrators User Group
- System Production Account - OrgSysProd
- AWS Organization
- OrgCode + SysCode prefix to be used for system test and system production accounts
- Software Management Framework Flow
- AWS Organization Overview
- AWS CodeBuild and Cloud Formation Services
- AWS Root and IAM Users with Management and Development workstation AWS Profiles
- CI/CD Stacks
- Since the SWF is a development tool. Sizing considerations are not relevant for small to medium sized teams.