LazyStack

LazyStackSaaS Platform Technical Overview

Note: LazyStackSaaS is currently in Alpha with select partners. Beta release is expected in late December 2022. If you would like to try out LazyStackSaaS in the Beta program and receive direct support, please contact us. Support for beta users that agree to be reference accounts is free. If you are interested in joining the current Alpha program to receive early access to the tool, please contact us.

Note: We strongly recommend that you use AWS Control Tower to create and manage multiple AWS accounts under an AWS Organization. Control Tower makes it easy to create and manage those accounts. We also recommend that you configure AWS Single Sign-On, as it makes it easier for your team to switch among the AWS accounts they need access to.

Platform Architecture

LazyStack is itself a SAM application, made available in the AWS Serverless Application Repository. You deploy the LazyStackSaaS stack using the AWS Console or AWS CLI into a "Deployment Management Account". The LazyStack SaaS stack presents a Web UI you use to manage your deployments.

The LazyStack application configures multi-tenant application resources in one or more target accounts.

Trust Relationships Among AWS Accounts
  • Target Account Trusts Tooling Account to
    • Run Codebuild
    • Update S3 Buckets
    • CRUDL Tenant Resources
      • CloudFront Distributions
      • S3 Asset Buckets
      • CRUD DynamoDB Tables (A table contains a tenant database)
  • Tooling Account Trusts Target Accounts to
    • Post Events to the Tooling Account LazyStack event bus
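
The following CloudFormation resource is an added example, not a LazyStack template: it shows how the first half of the trust relationship above can be expressed in a Target Account with least privilege, trusting one named role in the Tooling Account rather than its root and scoping permissions to the CodeBuild project, the three S3 buckets and the tenant CloudFront/DynamoDB resources the page lists. The account ID, role names, external ID and bucket prefixes are placeholders.

```yaml
# Added example, not a LazyStack template. The tooling account ID, role
# names, external ID and bucket prefixes are placeholders.
Resources:
  LazyStackDeployRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            # Trust one named role in the tooling account, not its root
            Principal:
              AWS: arn:aws:iam::111111111111:role/LazyStackToolingRole
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: PLACEHOLDER-EXTERNAL-ID
      Policies:
        - PolicyName: LazyStackDeploy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: RunCodeBuild
                Effect: Allow
                Action: [codebuild:StartBuild, codebuild:BatchGetBuilds]
                Resource: !Sub arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/lazystack-*
              - Sid: UpdateS3Buckets   # policies, SPA code and artifacts buckets
                Effect: Allow
                Action: [s3:ListBucket, s3:GetObject, s3:PutObject, s3:DeleteObject]
                Resource:
                  - arn:aws:s3:::lazystack-policies-*
                  - arn:aws:s3:::lazystack-policies-*/*
                  - arn:aws:s3:::lazystack-spa-*
                  - arn:aws:s3:::lazystack-spa-*/*
                  - arn:aws:s3:::lazystack-artifacts-*
                  - arn:aws:s3:::lazystack-artifacts-*/*
              - Sid: TenantResources   # CRUDL of per-tenant distributions and tables
                Effect: Allow
                Action:
                  - cloudfront:CreateDistribution
                  - cloudfront:GetDistribution
                  - cloudfront:UpdateDistribution
                  - cloudfront:DeleteDistribution
                  - cloudfront:ListDistributions
                  - dynamodb:CreateTable
                  - dynamodb:DescribeTable
                  - dynamodb:UpdateTable
                  - dynamodb:DeleteTable
                  - dynamodb:ListTables
                Resource: "*"
```

The tenant S3 asset buckets would need a similar bucket-scoped statement, and the reverse direction (Target Accounts posting to the Tooling Account event bus) is a resource policy on that EventBridge bus, not part of this role.
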
GitHub Commit Process Flow
  1. LazyStack GitHub App sends GitHub repository commit event to LazyStack API
  2. GitHubApp Lambda places event on LazyStack EventBridge
  3. EventBridge runs LazyStack EventHandler.Build
    1. For each Target account using the GitHub repository specified in the event
      1. Update Account Policies
      2. Build Account Service Stacks
      3. Build SPA Code
      4. CRUD Tenant Resources

The Build method performs a dependency analysis step to determine what resources need to be created, updated, deleted, built and deployed.

Multiple GitHub Repositories may be associated with build targets in the Target Account. The Build method uses permissions provided by the LazyStack GitHub App to check for changes in each of these during the dependency analysis step.

It is important to note that LazyStack manages some Tenant Account resources programmatically outside the context of a SAM stack. This is done for performance reasons. The resources managed directly include:

  • S3 Account Policies Bucket
  • S3 SPA Code bucket - created by Account Build, content updated by the CodeBuild process
  • S3 Artifacts bucket
    • The Build method creates CodeBuild source zip files and writes them into the Artifacts Bucket. These source zip files contain all the code necessary to check out and build the required repositories. Note that the git commands in these script files use time-limited GitHub credentials that expire within a few minutes.
    • CodeBuild runs CloudFormation SAM, which packages the Lambdas for the Service Stacks and copies those packages into the Artifacts bucket
  • Tenant CloudFront Distributions
  • Tenant S3 Assets buckets
  • Tenant DynamoDB Table (a DynamoDB Table contains Tenant Database)
  • TenantKey database (a DynamoDB table used to resolve database associations for CloudFront origins). Your application is passed a TenantKey from the CloudFront distribution. Your Lambdas use the TenantKey to discover which Tenant made the API call. The TenantKey database contains the name of the Tenant database associated with the TenantKey.

GitHub Repository References

There are usually numerous repositories associated with each Target Account. These repositories may exist in different GitHub accounts. Typical repositories include:

  • Account Policies - a GitHub repo containing the policies and templates used in the LazyStack AccountBuild process
  • Service Stack - GitHub repo containing a service stack template and code
  • SPA - GitHub repo containing the source code for building the SPA client app
  • Seed Assets - a GitHub repo containing seed assets for client apps

When configuring the Target Account, you specify which repo branch is associated with each service and client app. Each time the Build method runs, the commit key for that branch is stored. The next time the Build method runs, the previously stored commit key is compared with the latest commit reported by the GitHub repo to determine whether the repository content has changed. A repository change triggers the corresponding resource updates, builds, etc.