Comments (7)

michael-mcvicker commented on August 20, 2024

Production credentials for Andrew and Julia? Credentials following the principle of least privilege as well as one for full admin access, or just a single account-wide admin credential?

PLOP would follow the current admin account pattern we're using such as ...
andrew.dunkman.admin.global (cli and console)
andrew.dunkman.admin.dynamodb
andrew.dunkman.admin.ec2
andrew.dunkman.admin.s3
andrew.dunkman.admin.lambda

from ef-cms.

adunkman commented on August 20, 2024

To be clear, just adding this item to the backlog of issues to tackle — we’re not yet working on this. Will follow-up when we get closer to this task!


adunkman commented on August 20, 2024

Looks like this is getting bumped in priority given that we’re looking to rebuild the production environment in the near future.

Production Credentials for Andrew and Julia?

That works, and just a single admin credential works well. The additional deployer role and user, which limit permissions, are managed in the application's terraform.

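The pattern discussed in the two comments above (humans get admin credentials; deploys run as a separate user whose only standing permission is to assume a permission-limited deployer role) looks roughly like the following in Terraform. This is an added illustration, not the ef-cms project's own terraform. The user and role names, the lock-table name (`terraform-lock`) and the exact action list are assumptions; the state-bucket name and the ECR repository name are the ones that appear in the provisioning log later in this thread.

```hcl
provider "aws" {
  region = "us-east-1"
}

data "aws_caller_identity" "current" {}

# Deployer user (assumed name). It holds no permissions of its own except
# sts:AssumeRole on the deployer role, so a leaked access key is bounded by
# the role's permission policy and session duration.
resource "aws_iam_user" "deployer" {
  name = "ef-cms-deployer"
}

# Trust policy: only the deployer user may assume the role.
data "aws_iam_policy_document" "deployer_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.deployer.arn]
    }
  }
}

resource "aws_iam_role" "deployer" {
  name                 = "ef-cms-deployer"
  assume_role_policy   = data.aws_iam_policy_document.deployer_trust.json
  max_session_duration = 3600 # one hour: long enough for a deploy, short enough to limit a stolen session
}

# Permission policy: scoped to the resources a deploy actually touches.
# No iam:*, no account-wide "*" resources except where the API requires it.
data "aws_iam_policy_document" "deployer_permissions" {
  statement {
    sid     = "TerraformState"
    actions = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::dawson.ustaxcourt.gov.terraform.deploys",
      "arn:aws:s3:::dawson.ustaxcourt.gov.terraform.deploys/*",
    ]
  }

  statement {
    sid       = "StateLock"
    actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = ["arn:aws:dynamodb:us-east-1:${data.aws_caller_identity.current.account_id}:table/terraform-lock"] # table name assumed
  }

  # ecr:GetAuthorizationToken does not support resource-level permissions, so "*" is required here.
  statement {
    sid       = "EcrLogin"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  statement {
    sid = "EcrPush"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:PutImage",
    ]
    resources = ["arn:aws:ecr:us-east-1:${data.aws_caller_identity.current.account_id}:repository/ef-cms-us-east-1"]
  }
}

resource "aws_iam_role_policy" "deployer" {
  name   = "deployer_permissions"
  role   = aws_iam_role.deployer.id
  policy = data.aws_iam_policy_document.deployer_permissions.json
}

# The deployer user's only inline permission: assume the deployer role.
data "aws_iam_policy_document" "deployer_assume" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.deployer.arn]
  }
}

resource "aws_iam_user_policy" "deployer_assume" {
  name   = "assume_deployer_role"
  user   = aws_iam_user.deployer.name
  policy = data.aws_iam_policy_document.deployer_assume.json
}
```

The check worth running after applying something like this is `aws sts assume-role` as the deployer user followed by an action outside the policy (for example `aws iam list-users`), which should fail with AccessDenied; if it succeeds, a broader policy is attached somewhere and the least-privilege claim does not hold.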

adunkman commented on August 20, 2024

Provisioned account-level resources.
export EFCMS_DOMAIN="dawson.ustaxcourt.gov" 
➜ (cd iam/terraform/account-specific/main && ../bin/deploy-app.sh)
User ARN not found, checking for role
Initiating Terraform state bucket creation for [arn:aws:sts::980423577122:assumed-role/AWSReservedSSO_USTC-GSAITOPS-GODADMIN_f8a2b79deace45c0/[email protected]], bucket [dawson.ustaxcourt.gov.terraform.deploys], key [permissions-.tfstate] in region [us-east-1]
make_bucket: dawson.ustaxcourt.gov.terraform.deploys
checking for the dynamodb lock table...
dynamodb lock does not exist, creating

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Checking for available provider plugins...
- Downloading plugin for provider "aws" (hashicorp/aws) 2.68.0...

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.

* provider.aws: version = "~> 2.68"


Warning: Interpolation-only expressions are deprecated

  on api-gateway-cloud-watch.tf line 23, in resource "aws_iam_role_policy" "cloudwatch":
  23:   role = "${aws_iam_role.cloudwatch.id}"

Terraform 0.11 and earlier required all non-constant expressions to be
provided via interpolation syntax, but this pattern is now deprecated. To
silence this warning, remove the "${ sequence from the start and the }"
sequence from the end of this expression, leaving just the inner expression.

Template interpolation syntax is still used to construct strings from
expressions when the template includes multiple interpolation sequences or a
mixture of literal strings and interpolations. This deprecation applies only
to templates that consist entirely of a single interpolation sequence.

(and 2 more similar warnings elsewhere)

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
data.aws_caller_identity.current: Refreshing state...
aws_iam_service_linked_role.lambda_cloudfront_logger_role: Creating...
aws_ecr_repository.image_repository: Creating...
aws_iam_role.cloudwatch: Creating...
aws_iam_service_linked_role.lambda_replication_role: Creating...
aws_iam_policy.circle_ci_policy: Creating...
aws_iam_role.cloudwatch: Creation complete after 0s [id=api_gateway_cloudwatch_global]
aws_iam_role_policy.cloudwatch: Creating...
aws_iam_service_linked_role.lambda_cloudfront_logger_role: Creation complete after 0s [id=arn:aws:iam::980423577122:role/aws-service-role/logger.cloudfront.amazonaws.com/AWSServiceRoleForCloudFrontLogger]
aws_iam_service_linked_role.lambda_replication_role: Creation complete after 1s [id=arn:aws:iam::980423577122:role/aws-service-role/replicator.lambda.amazonaws.com/AWSServiceRoleForLambdaReplicator]
aws_iam_policy.circle_ci_policy: Creation complete after 1s [id=arn:aws:iam::980423577122:policy/circle_ci_policy]
aws_ecr_repository.image_repository: Creation complete after 1s [id=ef-cms-us-east-1]
aws_ecr_lifecycle_policy.repo_policy: Creating...
aws_iam_role_policy.cloudwatch: Creation complete after 1s [id=api_gateway_cloudwatch_global:cloudwatch_policy]
aws_ecr_lifecycle_policy.repo_policy: Creation complete after 0s [id=ef-cms-us-east-1]

Warning: Interpolation-only expressions are deprecated

  on api-gateway-cloud-watch.tf line 23, in resource "aws_iam_role_policy" "cloudwatch":
  23:   role = "${aws_iam_role.cloudwatch.id}"

Terraform 0.11 and earlier required all non-constant expressions to be
provided via interpolation syntax, but this pattern is now deprecated. To
silence this warning, remove the "${ sequence from the start and the }"
sequence from the end of this expression, leaving just the inner expression.

Template interpolation syntax is still used to construct strings from
expressions when the template includes multiple interpolation sequences or a
mixture of literal strings and interpolations. This deprecation applies only
to templates that consist entirely of a single interpolation sequence.

(and 2 more similar warnings elsewhere)


Apply complete! Resources: 7 added, 0 changed, 0 destroyed.

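Two things in the log above deserve a follow-up from a security point of view: the deploy script creates the Terraform state bucket and lock table with the CLI before `terraform init`, and Terraform warns that the aws provider has no version constraint. Terraform state records every attribute of every managed resource (the IAM policy documents created here, and any secret a later config reads), so the bucket should be private, encrypted and versioned, and the provider should be pinned so a new major release cannot silently change what the account-level config manages. The following is an added example of both, not the project's `iam/terraform/account-specific` configuration. Assumptions: the lock table is named `terraform-lock`; the `required_providers` block uses Terraform 0.13+ syntax (on 0.12, which the log output suggests, use the string form `aws = "~> 2.68"`); the bucket and table resources are meant to be `terraform import`ed after the script creates them, since a backend cannot manage its own bucket.

```hcl
terraform {
  required_version = ">= 0.13"

  # Pin the provider. This is what the "no version constraints" warning in the log asks for.
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 2.68"
    }
  }

  # Remote state with locking. Backend blocks cannot reference variables or
  # resources, so the names are literals; "terraform-lock" is an assumed name.
  backend "s3" {
    bucket         = "dawson.ustaxcourt.gov.terraform.deploys"
    key            = "permissions-.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-lock"
    encrypt        = true # server-side encryption of the state object
  }
}

# Hardening for the bucket the deploy script created with `make_bucket`.
# Inline versioning/encryption blocks are the provider 2.x form (split into
# separate resources in provider 4.x).
resource "aws_s3_bucket" "terraform_state" {
  bucket = "dawson.ustaxcourt.gov.terraform.deploys"
  acl    = "private"

  versioning {
    enabled = true # lets you roll back to a prior state after a bad apply or tampering
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

# Block every form of public access regardless of future ACL or policy changes.
resource "aws_s3_bucket_public_access_block" "terraform_state" {
  bucket                  = aws_s3_bucket.terraform_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table. Terraform's S3 backend requires a string hash key named LockID.
resource "aws_dynamodb_table" "terraform_lock" {
  name         = "terraform-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"

  attribute {
    name = "LockID"
    type = "S"
  }
}
```

The interpolation warning on `api-gateway-cloud-watch.tf` line 23 is cleared by writing the reference without the wrapper, i.e. `role = aws_iam_role.cloudwatch.id` instead of `role = "${aws_iam_role.cloudwatch.id}"`; the same applies to the two similar warnings the log mentions.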

adunkman commented on August 20, 2024

Opened #301 and #303 with changes that came up during the provisioning of resources in the new AWS account.


adunkman commented on August 20, 2024

PR #313 is the code changes needed for the new prod deploy (swaps credentials and configuration to support the different AWS account).


adunkman commented on August 20, 2024

Dropping the diagram of AWS account -> Hosted zone -> Environment here for the future; will also include this diagram in the AWS environment configuration wiki page.

Graph showing the relationships between the AWS accounts, hosted zones, and environments in use
