Deployment guide
Overview
The AWS Blu Age Standard Delivery Environment (SDE) provides a complete DevOps infrastructure for mainframe modernization projects. This guide covers deployment of three core components:
- AWS Blu Age DevOps Setup (DOS) - Foundation infrastructure including VPC, networking, IAM roles, and developer AMIs
- AWS Blu Age DevOps Pipelines (DOP) - CI/CD pipelines with Jenkins, GitLab, SonarQube, and container registries
- AWS Blu Age Regression Testing Snapshots (RTS) - Automated testing infrastructure with snapshot management
Target audience: AWS administrators and DevOps engineers with experience in AWS services, CDK, and DevOps practices.
Deployment order: components must be deployed sequentially: DOS → DOP → RTS
Current version: 1.2.0
Global prerequisites
Required infrastructure
- Amazon Linux 2023 EC2 instance with SSH access
- AWS account with administrative privileges
- Sufficient AWS service quotas for VPC, EC2, ECS, and other resources
Required software
- AWS CLI v2
aws --version
If not version 2.x, update following: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
- Node.js (includes npm and npx)
sudo yum install -y nodejsnode --version # Verify installation - Make
sudo yum install -y make - Git (for version control)
sudo yum install -y git
Download AWS Blu Age SDE
The AWS Blu Age SDE is accessible from AWS Transform for mainframe refactor Toolbox.
Setup AWS Blu Age SDE
1. Create working directory on your Amazon Linux 2023 EC2 instance
mkdir -p ~/sde-cdk-script && cd ~/sde-cdk-script
2. Copy the AWS Blu Age SDE package in your working directory
3. Extract SDE package
# Extract the archive
unzip SDE-standard-delivery-environment-<version>.zip
4. Verify directory structure
cd ~/sde-cdk-script
ls -la
You should see three main directories:
aws-blu-age-devops-setup/aws-blu-age-devops-pipeline/aws-blu-age-rts/
AWS Blu Age DevOps Setup (DOS)
AWS Blu Age DevOps Setup is the first component that must be deployed. It provides the foundation infrastructure for the entire SDE environment.
Deployment options
Choose one of two deployment approaches:
- Full infrastructure deployment - Creates new VPC, subnets, endpoints, and firewall
- Existing network deployment - Uses your existing VPC infrastructure (requires prerequisites)
Existing network prerequisites
If using existing network infrastructure, ensure:
- Subnet CIDR:
/20 <= subnet mask <= /25(size depends on number of test cases) - Internet Access: Subnets must allow egress to these URLs:
| .amazonaws.com | .amazon.com |
| .bluage.com | .docker.io |
| .cloudfront.net | .docker.com |
| .pypi.org | .webhooks.aws |
| nodejs.org | license.ej-technologies.net |
| public.ecr.aws | files.pythonhosted.org |
| registry.npmjs.org | bluinsights.aws |
Configuration steps
- Navigate to the setup directory:
cd ~/sde-cdk-script/aws-blu-age-devops-setup/ - Edit configuration file:
vi parameters/input.ts - Update required parameters:
export const LandingZoneInput = {
account: "123456789", // Your AWS account ID
region: "eu-west-3", // Your AWS region
createImageBuilder: {
recipeInputCfn: "blu_poc/blu-imagebuilder-infra-stack/resources/aws-transform-sde-image-recipe-template.yaml",
bucketPrefixName: 'aws-transform-sde-imagebuilder',
},
ami_name: "AWS-Transform-SDE-Developer-ami", // AMI name to use
LAUNCH_TEMPLATE_NAME: "BluAge-Developer-Instance",
instance_type: "t3.2xlarge", // Developer EC2 instance type
useExistingVPC: false, // Set to true to use existing VPC
vpcId: "vpc-XXXXXXXXXXXX", // Required if useExistingVPC = true
privateSubnetIds: ["subnet-XXX", "subnet-YYY"], // Required if useExistingVPC = true
customKMSKeyARNForS3: "", // Optional: Custom KMS key for S3
customKMSKeyARNForEBS: "", // Optional: Custom KMS key for EBS
customKMSKeyAliasForSNS: "", // Optional: Custom KMS key for SNS
createIAMRole: true, // Create developer and PM IAM roles
createCertificate: true, // Create SSL certificate
route53_hosted_zone_name: 'bluage.local', // Route 53 hosted zone name
cron_schedule_ssm_patch: "cron(0 0 ? * * *)", // EC2 Patch Manager schedule
globalParameterStoreName: "/BluAgeSDE/GlobalParameter",
awsbluagertsPath: "/../../aws-blu-age-rts/src/config.ts",
awsbluagedevopspipelinePath: "/../../aws-blu-age-devops-pipeline/env.yml"
};
AMI Configuration
Option 1: Use existing AMI
- Specify the existing AMI name in the
ami_nameparameter - Ensure the AMI is available in your region
Option 2: Create new AMI (recommended)
- Deploy the Image Builder stack first (see [Optional] AWS Blu Age Image Builder])
- The Image Builder will create a custom developer AMI
- Update
ami_namewith the created AMI name
Deployment
- Install dependencies:
make install - Deploy the infrastructure:
make
Deployment time: approximately 30-45 minutes.
Verification
After deployment, verify the following resources were created:
- VPC and subnets (if
useExistingVPC = false) - S3 buckets for artifacts
- IAM roles and policies
- Route 53 hosted zone
- Launch template for developer instances
- SSM Parameter Store entries
AWS Blu Age DevOps Pipelines (DOP)
This component deploys the CI/CD infrastructure including Jenkins, GitLab, SonarQube, Selenium, and container registries.
Prerequisites: AWS Blu Age DevOps Setup (DOS) must be deployed first.
Configuration steps
- Navigate to the pipeline directory:
cd ~/sde-cdk-script/aws-blu-age-devops-pipeline - Edit the configuration file:
vi env.yml - Update mandatory fields:
# Mandatory variables
PROJECT_NAME: "your-project-name" # Lowercase, hyphens only
AWS_REGION: "your-region-x" # Example: eu-west-3
AWS_ACCOUNT_ID: "123456789"
VPC_ID: "vpc-XXXXXXXXXXXX"
PRIVATE0_SUBNET_ID: "subnet-XXXXXXXXXXXX"
PRIVATE1_SUBNET_ID: "subnet-YYYYYYYYYYYY"
GITLAB_CODE_CONNECTION_ARN: "" # Leave empty initially, will be filled after GitLab setup
# Docker image configurations (recommended versions)
TOMCAT_DOCKER_IMAGE_NAME: public.ecr.aws/docker/library/tomcat
JENKINS_DOCKER_IMAGE_NAME: jenkins/jenkins
JENKINS_NODE_DOCKER_IMAGE_NAME: jenkins/inbound-agent
SONARQUBE_DOCKER_IMAGE_NAME: public.ecr.aws/docker/library/sonarqube
POSTGRES_DOCKER_IMAGE_NAME: public.ecr.aws/docker/library/postgres
SELENIUM_DOCKER_IMAGE_NAME: selenium/hub
CHROME_NODE_DOCKER_IMAGE_NAME: selenium/node-chrome
GITLAB_DOCKER_IMAGE_NAME: gitlab/gitlab-ee
TOMCAT_VERSION: "10-jdk17"
JENKINS_VERSION: "latest-jdk17"
JENKINS_NODE_VERSION: "latest-jdk17"
SONARQUBE_VERSION: "community"
POSTGRES_VERSION: "16-alpine"
SELENIUM_VERSION: "latest"
CHROME_NODE_VERSION: "latest"
GITLAB_VERSION: "latest"
# Application binaries
SELENESE_APP_VERSION: "4.3.0"
SELENESE_APP_BASE_URL: "https://repo1.maven.org/maven2/jp/vmi/selenese-runner-java"
JACOCO_APP_VERSION: "0.8.8"
JACOCO_APP_BASE_URL: "https://repo1.maven.org/maven2/org/jacoco"
# Optional: Custom KMS keys
EFS_KMS_KEY_ARN: ""
CODEARTIFACT_KMS_KEY_ARN: ""
SECRETS_MANAGER_KMS_KEY_ARN: ""
LAMBDA_KMS_KEY_ARN: ""
SNS_KMS_KEY_ARN: ""
S3_KMS_KEY_ARN: ""
EBS_KMS_KEY_ARN: ""
Note: The recommended image versions above ensure stability and security. You can modify them, but check for CVEs before using different versions.
Deployment process
Step 1: Install dependencies and deploy GitLab
sudo make install
make gitlab
Deployment time: approximately 20-30 minutes.
Step 2: Setup GitLab CodeConnection
After GitLab deployment completes:
- Navigate to AWS Console → Developer Tools → Connections
- Create a new connection to your GitLab instance
- Follow the connection setup wizard
- Copy the Connection ARN
For detailed instructions, refer to the internal GitLab setup documentation Setup Gitlab.
Step 3: Update configuration with GitLab ARN
vi env.yml
Update the GITLAB_CODE_CONNECTION_ARN field with the ARN from Step 2.
Step 4: Deploy remaining components
make
This deploys:
- Jenkins master and agent infrastructure
- SonarQube for code quality analysis
- Selenium Grid for automated testing
- ECR repositories for container images
- CodePipeline for CI/CD workflows
- ECS clusters for application hosting
Deployment time: approximately 40-60 minutes.
Custom KMS keys (optional)
If using custom KMS keys, ensure they have the minimum required permissions:
{
"Effect": "Allow",
"Principal": {
"AWS": ""
},
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:CreateGrant",
"kms:ListGrants",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:ViaService": "<AWS_SERVICE_NAME>.<AWS_REGION>.amazonaws.com",
"kms:CallerAccount": "<AWS_ACCOUNT_ID>"
}
}
}
Post-deployment access
After successful deployment, access the services at:
- Jenkins: https://jenkins.bluage.local/
- GitLab: https://gitlab.bluage.local/
- SonarQube: https://sonarqube.bluage.local/
- Selenium Grid: https://selenium.bluage.local/
Retrieve initial credentials from AWS Secrets Manager.
AWS Blu Age Regression Testing Snapshots (RTS)
The RTS Manager provides automated regression testing with snapshot management capabilities.
Prerequisites:
- AWS Blu Age DevOps Setup (DOS) deployed
- AWS Blu Age DevOps Pipelines (DOP) deployed
Required IAM permissions
The deployment account must have permissions for:
- EC2 (EBS, Snapshots, Instances, Volumes)
- SSM (Parameter Store, Commands, Core)
- IAM (Role creation)
- Route 53 (Hosted zone management)
- Secrets Manager (SSH key storage)
- S3 (Bucket creation)
- VPC (Endpoint management)
- CloudWatch (Logs)
Configuration steps
- Navigate to the RTS directory:
cd ~/sde-cdk-script/aws-blu-age-rts/srcvi config.ts - Update configuration parameters:
export const config = {
parameters: {
postgresql_yaml: "version: '3.3'\nservices:\n db:\n image: <Insert your Private Repository Image>\n ..."
},
// ECR Configuration
ecr: {
usingPullThroughCacheRule: true, // Recommended for VPCs without internet
upstreamRegistryUrl: "public.ecr.aws", // Do not change
repositoryPrefix: 'rts-postgres', // Private repository prefix
upstreamRepositoryName: 'docker/library/postgres',
tag: '15-alpine' // PostgreSQL version
},
// AWS Account Configuration
account_id: "123456789",
region: "your-region-x", // Example: eu-west-3
// VPC Configuration
vpc: {
id: "vpc-XXXXXXXXXXXX", // Your VPC ID
name: "BluVpcStack/BluPoc", // VPC name from DOS deployment
s3_vpc_endpoint: "vpce-XXXXXXXXXXXX", // S3 VPC endpoint ID
private_subnet_id: "subnet-XXXXXXXXXXXX" // Private subnet ID
},
// Firewall Configuration
firewall: {
firewall_policy_name: "BluVpcFirewallPolicy",
create_firewall_dns_group: true // Set to false if firewall rules exist
},
// Route 53 Configuration
route_53: {
hosted_zone_name: 'bluage.local', // Must match DOS configuration
create_new_hosted_zone: false, // Set to false if zone exists
hosted_zone_id: '<ZONE_ID>' // Required if create_new_hosted_zone = false
},
// Certificate Configuration
bluage_certificate_arn: '<CERTIFICATE_ARN>' // Certificate ARN from DOS deployment
};
ECR configuration options
Option 1: Pull-Through Cache Rule (recommended)
Best for VPCs without direct internet access. Automatically pulls images from ECR Public Gallery to your private ECR.
ecr: {
usingPullThroughCacheRule: true,
upstreamRegistryUrl: "public.ecr.aws",
repositoryPrefix: 'rts-postgres',
upstreamRepositoryName: 'docker/library/postgres',
tag: '15-alpine'
}
The deployment script automatically updates the postgresql_yaml field with these values.
Option 2: Manual ECR repository
Create your own private ECR repository and pull the PostgreSQL image manually:
- Create ECR repository
- Pull PostgreSQL image to your repository
- Update the
postgresql_yamlfield with your image URI:
postgresql_yaml: "version: '3.3'\nservices:\n db:\n image: <ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/postgres:15-alpine\n ..."
VPC configuration details
- vpc.id: Your VPC ID from DOS deployment
- vpc.name: VPC name (typically
BluVpcStack/BluPoc) - vpc.private_subnet_id: Private subnet ID (find in VPC → Subnets →
<VPC_NAME>/private_0) - vpc.s3_vpc_endpoint: S3 VPC endpoint ID (find in VPC → Endpoints → service name:
com.amazonaws.<region>.s3)
If you don't have an S3 VPC endpoint, create one before deployment.
Firewall configuration
create_firewall_dns_group:
- Set to
trueto create a new firewall rule group allowing HTTP/HTTPS traffic to: .amazonaws.com.amazon.com- Set to
falseif you already have firewall rules or use direct NAT
Route 53 configuration
- hosted_zone_name: Must match the zone created in DOS deployment (
bluage.local) - create_new_hosted_zone: Set to
falseif the zone already exists - hosted_zone_id: Required if
create_new_hosted_zone = false(find in Route 53 console)
Deployment
Install dependencies:
cd ~/sde-cdk-script/aws-blu-age-rts/srcmake install- Deploy RTS infrastructure:
make - Deployment time: approximately 15-25 minutes.
Post-deployment access
Access the RTS Manager at: https://dws-manager.bluage.local/
Retrieve credentials from AWS Secrets Manager or SSM Parameter Store.
[Optional] AWS Blu Age Image Builder
AWS Blu Age Image Builder is an optional component that creates custom AMIs for the BluAge SDE. Deploy this before the DevOps Setup if you need a custom developer AMI.
Overview
Purpose: Automates creation of developer AMIs with pre-installed BluAge tools and dependencies
Key features:
- Modular architecture - deploy independently or with DevOps infrastructure
- Flexible VPC options - create new VPC or use existing infrastructure for Image Builder
- Automated AMI creation with scheduled builds
- Built-in AMI testing (and security scanning if Amazon Inspector enabled)
Deployment options
- Full AWS Solution: deploy Image Builder + DevOps infrastructure
- Bring Your Own AMI: skip Image Builder, use existing AMI IDs
- Hybrid Approach: start with Image Builder, migrate to custom solution later
Prerequisites
- AWS account with Image Builder permissions
- S3 bucket for component binaries (created automatically)
- Software binaries for the AMI (provided separately)
Configuration
- Step 1: Configure Image Builder in input.ts
The Image Builder configuration is defined inaws-blu-age-devops-setup/parameters/input.ts:
createImageBuilder: {
recipeInputCfn: "blu_poc/blu-imagebuilder-infra-stack/resources/aws-transform-sde-image-recipe-template.yaml",
bucketPrefixName: 'aws-transform-sde-imagebuilder',
imageScanningEnable: false // Set to true for Amazon Inspector scanning (additional cost)
}
imageScanningEnable:
- false (default): no vulnerability scanning, lower cost
- true: enable Amazon Inspector for CVE scanning (requires Amazon Inspector)
- Step 2: Configure Software Components
Recommended software may include:
| Software Name | Recommanded Versions | Format | Source |
| Amazon CLI v2 | latest | - | Image Builder managed component |
| Amazon Corretto 17 (X64) | latest | - | Image Builder managed component |
| Amazon CloudWatch Agent | latest | - | Image Builder managed component |
| PuTTY | latest | - | Image Builder managed component |
| BluageSdeDevBrowsersComponent | |||
| Chrome | latest | - | S3 bucket |
| Firefox | latest | - | S3 bucket |
| BluageSdeDevToolsComponent | |||
| 7-Zip (.exe) | latest | exe (64-bit Windows x64) | S3 bucket |
| HxD (.zip) | latest | zip | S3 bucket |
| Notepad++ (.exe) | latest | exe (x64 installer) | S3 bucket |
| WinMerge (.exe) | latest | exe (x64 installer) | S3 bucket |
| WinSCP (.exe) | latest | exe (Windows) | S3 bucket |
| BluageSdeDevComponent | |||
| Apache Ant (.zip) | 1.10.x | zip (binary zip archive) | S3 bucket |
| Apache Maven (.zip) | 3.9.x | zip (binary zip archive) | S3 bucket |
| Apache Tomcat (.exe) | 10.xx | exe (32-bit/64-bit Windows Service installer) | S3 bucket |
| Git (.exe) | latest | exe (Standalone installer - Windows/x64) | S3 bucket |
| NodeJS (.msi) | 22.x | msi (Windows installer) | S3 bucket |
| pgAdmin 4 (.exe) | latest | exe (Windows) | S3 bucket |
| Python 3 (.exe) | latest | exe (Windows installer) | S3 bucket |
| Spring Tools for Eclipse 4 (.zip) | latest | zip (Windows x86_64) | S3 bucket |
| Visual Studio Code (.exe) | latest | exe (Windows System installer) | S3 bucket |
| Kiro (.exe) | latest | exe (Windows) | S3 bucket |
| BluageWslComponent | |||
| Microsoft.VCLibs.x64.14.00.Desktop.appx | 14 | appx (Windows APPX) | S3 bucket |
| Ubuntu2204-221101.AppxBundle | 22.04 | AppxBundle (Windows APPX) | S3 bucket |
Edit aws-blu-age-devops-setup/parameters/image-builder-recipe-parameters.ts to specify which software components to install and their installer filenames:
// Image Builder Installer Parameters
// Fill in the installer filenames you want to use.
// Leave blank to skip that component.
export const ImageBuilderRecipeParameters = {
// Component Selection - set to true/false to enable/disable entire component groups
InstallGitlabCertificate: "true",
InstallBrowsers: "true",
InstallDevTools: "true",
InstallSdeDev: "true",
InstallWsl: "true",
InstallKiro: "true",
// BluageSdeDevToolsComponent Installers (only used if InstallDevTools=true)
SevenZipInstaller: "7z2501-x64.exe",
HxDInstaller: "HxDSetup.zip",
NotepadPPInstaller: "npp.8.8.5.Installer.x64.exe",
WinMergeInstaller: "WinMerge-2.16.50.2-x64-Setup.exe",
WinSCPInstaller: "WinSCP-6.5.3-Setup.exe",
// BluageSdeDevComponent Installers (only used if InstallSdeDev=true)
ApacheANTInstaller: "apache-ant-1.10.15-bin.zip",
ApacheMavenInstaller: "apache-maven-3.9.11-bin.zip",
ApacheTomcatInstaller: "apache-tomcat-10.1.47.exe",
GitInstaller: "Git-2.51.0.2-64-bit.exe",
NodeJSInstaller: "node-v22.20.0-x64.msi",
PgAdminInstaller: "pgadmin4-9.8-x64.exe",
PythonInstaller: "python-3.13.7-amd64.exe",
SpringToolSuite4Installer: "spring-tools-for-eclipse-4.32.0.RELEASE-e4.37.0-win32.win32.x86_64.zip",
VisualStudioCodeInstaller: "VSCodeSetup-x64-1.104.3.exe",
// BluageKiroComponent Installers (only used if InstallKiro=true)
KiroInstaller: "Kiro-win32-x64.exe",
// BluageWslComponent Installers (only used if InstallWsl=true)
UbuntuWslInstaller: "Ubuntu2204-221101.AppxBundle",
VCLibsForWslInstaller: "Microsoft.VCLibs.x64.14.00.Desktop.appx",
};
Configuration Guidelines:
- Set component group flags (
InstallDevTools,InstallSdeDev, etc.) to"true"or"false"to enable/disable entire groups - Specify exact installer filenames for each component (must match files uploaded to S3)
- Leave installer fields empty (
"") to skip individual components - Ensure installer versions are compatible with your environment
Deployment steps
- Navigate to the setup directory:
cd ~/sde-cdk-script/aws-blu-age-devops-setup/
- Deploy Image Builder:
make deploy-image-builder
Deployment time: approximately 10-15 minutes.
- Upload software binaries:
After deployment, upload required software binaries to the S3 bucket:
# S3 bucket name format
S3_BUCKET="aws-transform-sde-imagebuilder-<ACCOUNT_ID>-<REGION>"
# Create the components folder
aws s3api put-object --bucket $S3_BUCKET --key sde-ide-components/
# Upload binaries (examples)
aws s3 cp eclipse-installer.tar.gz s3://$S3_BUCKET/sde-ide-components/
aws s3 cp bluage-tools.zip s3://$S3_BUCKET/sde-ide-components/
aws s3 cp jdk-17.tar.gz s3://$S3_BUCKET/sde-ide-components/
Critical: ensure binary filenames match exactly with the recipe parameters in the YAML template.
- Trigger AMI build:
The Image Builder pipeline can be triggered:
- Manually via AWS Console (EC2 Image Builder → Pipelines)
- Automatically via schedule (if configured)
- Via AWS CLI:
aws imagebuilder start-image-pipeline-execution \
--image-pipeline-arn <PIPELINE_ARN>
- Verify AMI creation:
Check the AMI status in EC2 → AMIs. Once available, update theami_nameparameter inparameters/input.ts.
Required software binaries
The following binaries should be uploaded to the S3 bucket (exact list depends on your recipe):
- Eclipse IDE installer
- BluAge development tools
- JDK 17
- Maven
- Git
- Additional development tools as specified in your recipe
Recipe customization
To customize the AMI recipe:
- Edit the recipe template:
vi blu_poc/blu-imagebuilder-infra-stack/resources/aws-transform-sde-image-recipe-template.yaml
- Update component definitions, software versions, and installation steps
- Ensure S3 binary filenames match recipe parameters
- Redeploy Image Builder:
make deploy-image-builder
Cleanup
To remove the Image Builder infrastructure:
cd ~/sde-cdk-script/aws-blu-age-devops-setup/
make destroy-image-builder
Note: this does not delete created AMIs. Delete AMIs manually if no longer needed.
Troubleshooting
Common issues and solutions
1. CDK Bootstrap failures
Problem: CDK bootstrap fails with permission errors
Solution:
- Ensure you have administrator privileges
- Verify AWS credentials are correctly configured
- Check that the account has not reached service limits
- Review the bootstrap policies in
aws-blu-age-devops-setup/bootstrap/
# Verify credentials
aws sts get-caller-identity
# Check CDK version
cdk --version
# Re-run bootstrap with verbose output
cdk bootstrap --verbose
2. VPC Endpoint issues
Problem: deployment fails due to missing VPC endpoints
Solution:
- Create required VPC endpoints before deployment:
- S3 Gateway Endpoint
- ECR API Endpoint
- ECR DKR Endpoint
- Secrets Manager Endpoint
# Create S3 Gateway Endpoint
aws ec2 create-vpc-endpoint \
--vpc-id <VPC_ID> \
--service-name com.amazonaws.<REGION>.s3 \
--route-table-ids <ROUTE_TABLE_ID>
3. GitLab CodeConnection errors
Problem: cannot create CodeConnection to GitLab
Solution:
- Ensure GitLab is fully deployed and accessible
- Verify network connectivity between AWS and GitLab
- Check security group rules allow HTTPS traffic
- Confirm GitLab root credentials are available in Secrets Manager
4. Image Builder AMI creation fails
Problem: Image Builder pipeline fails during AMI creation
Solution:
- Verify all required binaries are uploaded to S3
- Check binary filenames match recipe parameters exactly
- Review Image Builder logs in CloudWatch
- Ensure base AMI is available in the region
# Check S3 bucket contents
aws s3 ls s3://aws-transform-sde-imagebuilder-<ACCOUNT_ID>-<REGION>/sde-ide-components/
# View Image Builder logs
aws logs tail /aws/imagebuilder/<PIPELINE_NAME> --follow
5. ECS Task Launch failures
Problem: ECS tasks fail to start
Solution:
- Check ECR image availability
- Verify ECS task execution role has ECR pull permissions
- Review ECS task logs in CloudWatch
- Ensure sufficient resources (CPU, memory) in the cluster
# Check ECS task status
aws ecs describe-tasks --cluster <CLUSTER_NAME> --tasks <TASK_ARN>
# View task logs
aws logs tail /ecs/<TASK_FAMILY> --follow
6. DNS resolution issues
Problem: cannot access services via DNS names
Solution:
- Verify Route 53 hosted zone is created
- Check DNS records are properly configured
- Ensure VPC DNS resolution is enabled
- Verify security groups allow traffic on required ports
# Test DNS resolution
nslookup jenkins.bluage.local
# Check Route 53 records
aws route53 list-resource-record-sets --hosted-zone-id <ZONE_ID>
7. KMS key permission errors
Problem: deployment fails with KMS permission errors
Solution:
- Add required KMS permissions to the key policy
- Ensure the deployment role is listed in key users
- Verify the key is in the same region as the deployment
8. Insufficient service quotas
Problem: deployment fails due to service limits
Solution:
- Request quota increases for:
- VPCs per region
- Elastic IPs
- NAT Gateways
- ECS tasks
- EC2 instances
# Check current quotas
aws service-quotas list-service-quotas --service-code ec2
# Request quota increase
aws service-quotas request-service-quota-increase \
--service-code ec2 \
--quota-code <QUOTA_CODE> \
--desired-value <NEW_VALUE>
Getting help
If issues persist:
- Check CloudWatch Logs for detailed error messages
- Review CloudFormation stack events for failure reasons
- Consult AWS Support with stack trace and error details
- Review the component-specific README files in each directory
Useful Commands
# View CDK stack status
cdk list
# Show differences before deployment
cdk diff
# View CloudFormation events
aws cloudformation describe-stack-events --stack-name <STACK_NAME>
# Check resource status
aws cloudformation describe-stack-resources --stack-name <STACK_NAME>
Cleanup and removal
Complete SDE removal
To completely remove the AWS Blu Age SDE infrastructure, destroy components in reverse order:
Step 1: Destroy RTS
cd ~/sde-cdk-script/aws-blu-age-rts/src
make destroy
Note: this removes RTS infrastructure but preserves EBS snapshots. Delete snapshots manually if no longer needed.
Step 2: Destroy DevOps Pipelines
cd ~/sde-cdk-script/aws-blu-age-devops-pipeline
make destroy
This removes:
- Jenkins infrastructure
- GitLab infrastructure
- SonarQube infrastructure
- Selenium Grid
- ECR repositories (images are retained)
- CodePipeline resources
- ECS clusters and services
Warning: ECR images are retained by default. Delete manually if needed:
# List ECR repositories
aws ecr describe-repositories
# Delete repository and all images
aws ecr delete-repository --repository-name <REPO_NAME> --force
Step 3: Destroy DevOps Setup
cd ~/sde-cdk-script/aws-blu-age-devops-setup
make destroy
This removes:
- VPC and networking (if created by DOS)
- IAM roles and policies
- S3 buckets (empty buckets only)
- Route 53 hosted zone
- Launch templates
- SSM parameters
Note: S3 buckets with content are not deleted. Empty them first:
# List buckets
aws s3 ls
# Empty bucket
aws s3 rm s3://<BUCKET_NAME> --recursive
# Delete bucket
aws s3 rb s3://<BUCKET_NAME>
Step 4: Destroy Image Builder (if deployed)
cd ~/sde-cdk-script/aws-blu-age-devops-setup
make destroy-image-builder
Note: created AMIs are not deleted. Deregister manually if needed:
# List AMIs
aws ec2 describe-images --owners self
# Deregister AMI
aws ec2 deregister-image --image-id <AMI_ID>
# Delete associated snapshots
aws ec2 delete-snapshot --snapshot-id <SNAPSHOT_ID>
Partial removal
To remove specific components while keeping others:
Remove only RTS
cd ~/sde-cdk-script/aws-blu-age-rts/src
make destroy
Remove only DevOps Pipelines
cd ~/sde-cdk-script/aws-blu-age-devops-pipeline
make destroy
Remove only Image Builder
cd ~/sde-cdk-script/aws-blu-age-devops-setup
make destroy-image-builder
Manual cleanup checklist
After running destroy commands, verify the following resources are removed:
- CloudFormation stacks deleted
- EC2 instances terminated
- EBS volumes deleted
- Elastic IPs released
- NAT Gateways deleted
- VPC endpoints removed
- S3 buckets emptied and deleted
- ECR repositories deleted
- Route 53 records removed
- Secrets Manager secrets deleted
- CloudWatch log groups deleted
- IAM roles and policies removed
- KMS keys scheduled for deletion (if custom keys used)
Cost optimization
To minimize costs without full removal:
- Stop EC2 instances (instead of terminating)
- Delete unused EBS snapshots
- Remove old ECR images
- Delete CloudWatch logs older than retention period
- Remove unused Elastic IPs
# Stop all EC2 instances with specific tag
aws ec2 stop-instances --instance-ids $(aws ec2 describe-instances \
--filters "Name=tag:Project,Values=BluAge" "Name=instance-state-name,Values=running" \
--query "Reservations[].Instances[].InstanceId" --output text)
# Delete old CloudWatch log groups
aws logs describe-log-groups --query 'logGroups[*].logGroupName' --output text | \
xargs -I {} aws logs delete-log-group --log-group-name {}
Additional resources
Documentation
- AWS CDK Documentation: https://docs.aws.amazon.com/cdk/
- AWS CLI Reference: https://docs.aws.amazon.com/cli/
- AWS Blu Age: https://aws.amazon.com/blu-age/
Component-specific READMEs
- DevOps Setup:
aws-blu-age-devops-setup/README.md - DevOps Pipeline:
aws-blu-age-devops-pipeline/README.md(if exists) - RTS:
aws-blu-age-rts/README.md(if exists)
Configuration files
- DevOps Setup:
aws-blu-age-devops-setup/parameters/input.ts - DevOps Pipeline:
aws-blu-age-devops-pipeline/env.yml - RTS:
aws-blu-age-rts/src/config.ts
Makefile commands
Each component supports these commands:
make install # Install dependencies
make # Deploy infrastructure (alias: make deploy)
make destroy # Remove infrastructure
DevOps Setup additional commands:
make deploy-image-builder # Deploy Image Builder
make destroy-image-builder # Remove Image Builder
DevOps Pipeline additional commands:
make gitlab # Deploy GitLab only
Support and feedback
For issues, questions, or feedback regarding the AWS Blu Age SDE deployment:
- Check the Troubleshooting section
- Review CloudWatch Logs for detailed error messages
- If you need support regarding AWS Blu Age SDE, please ask your questions on AWS re:Postas described here Use the tag "AWS Blu Age Standard Delivery Environment (SDE)" to see questions & answers or post your own questions