Disclaimer

Target audience

AWS Blu Age Standard Delivery is designed for customers engaged in AWS Blu Age modernization projects. The goal is to provide a tool that can be installed in the AWS customer accounts and used by partners or customer delivery teams. These tools are components of the development environment known as the AWS Blu Age Standard Delivery Environment (SDE). See AWS Blu Age Standard Delivery Environment (SDE).

Introduction

AWS Blu Age SDE comes with a set of predefined resources to function effectively with Continuous Integration, Continuous Deployment, and Continuous Testing pipelines. It is capable of building a fully scalable environment for AWS Blu Age Modernization projects from the ground up. A set of predefined resources must be installed; see the Components section for all resources involved in building that environment. Please note that some resources can be reused from an existing AWS account, such as VPC, Subnets, CodeArtifact, Private ECR, Certificate, Route 53, etc.

Project sizing & resources

The size of the modernized project will impact resource consumption, and the number of developers and non-regression testers on the team will also affect the number and type of resources required. For example, modernizing a code base of 100,000 lines of code (LOC) versus a project with 10 million LOC will require running hundreds to thousands of test cases. Depending on the criticality of the test cases, some must be run on a nightly basis. Furthermore, depending on the length and size of the test cases, it is crucial to run them concurrently.

Note that database size also impacts the type of instances and volumes to use. For example, a 200 GB database and a 10 TB database will need to run on different instance types. Furthermore, the way the application accesses the database can also impact the instance type.

All of those criteria need to be taken into account when estimating the cost of AWS Blu Age SDE.

This document AWS Blu Age Standard Delivery Environment (SDE) Costs provides a cost estimate for deploying AWS Blu Age Software Development Environment (SDE) in the initial phase of the project. Our aim is to offer an overview of anticipated expenses to facilitate budget planning.

Elevation of privileges in AWS Blu Age SDE

To scale the database environment, there are two types of elevation of privilege, as listed below.

Component AWS Blu Age Regression Testing Snapshots

The AWS Cognito service is used for the component AWS Blu Age Regression Testing Snapshots (RTS). Two roles are defined in the Cognito user pool:

  1. A standard role for all RTS users. This role allows restoring database snapshots and gives users the following:
    1. Permission to send AWS Systems Manager (SSM) commands.
    2. On EC2 instances tagged bluage:dws:type=DWS, permission to create a volume from a snapshot (EBS volume or RDS snapshot).
    3. Permission to restore RDS/EC2 instances. This implies:
      1. Creation and termination of a new RDS instance restored from a snapshot that also carries the tag bluage:dws:type=DWS.
      2. Creation/termination and attach/detach of encrypted EBS volumes.
    4. Updating DNS records in Route 53.
  2. An administrator role used by RTS administrators. This role allows the following:
    1. Creation/termination of EC2 and RDS instances, restricted to specific instance types (see the documentation AWS Blu Age RTS - Admin Guide).
    2. Sending SSM commands.
    3. Creation/termination of EBS and RDS snapshots.
    4. Creation of EBS volumes with attach/detach permission.
    5. Creation of DNS records in Route 53.
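The tag-based scope-down described for the standard RTS role, expressed as a CloudFormation managed policy. This is an added illustration, not the policy shipped with AWS Blu Age SDE: the hosted zone ID is a placeholder, the RDS restore path is omitted, and the condition keys and ARN patterns are assumptions to be checked against the AWS service authorization reference before use.

```yaml
# Added example (not the SDE's own policy): each permission is granted only on resources tagged bluage:dws:type=DWS
Resources:
  RtsStandardScopeDownPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # SSM commands may target only instances carrying the DWS tag
          - Sid: SendSsmCommandToTaggedInstances
            Effect: Allow
            Action: ssm:SendCommand
            Resource: arn:aws:ec2:*:*:instance/*
            Condition:
              StringEquals:
                "ssm:resourceTag/bluage:dws:type": DWS
          # SendCommand also authorizes the SSM document, which carries no instance tag
          - Sid: SendSsmDocuments
            Effect: Allow
            Action: ssm:SendCommand
            Resource: arn:aws:ssm:*:*:document/*
          # Volumes may be created only from EBS snapshots carrying the DWS tag
          - Sid: CreateVolumeFromTaggedSnapshot
            Effect: Allow
            Action: ec2:CreateVolume
            Resource: arn:aws:ec2:*::snapshot/*
            Condition:
              StringEquals:
                "ec2:ResourceTag/bluage:dws:type": DWS
          # The volume itself must be encrypted; an unencrypted request is implicitly denied
          - Sid: VolumeMustBeEncrypted
            Effect: Allow
            Action:
              - ec2:CreateVolume
              - ec2:DeleteVolume
            Resource: arn:aws:ec2:*:*:volume/*
            Condition:
              Bool:
                "ec2:Encrypted": "true"
          # DNS updates are limited to the project's own hosted zone (ID is a placeholder)
          - Sid: UpdateRecordsInProjectZone
            Effect: Allow
            Action: route53:ChangeResourceRecordSets
            Resource: arn:aws:route53:::hostedzone/HOSTED_ZONE_ID_PLACEHOLDER
```

Attach/detach of volumes also requires permission on the target instance, so a real policy would add an instance statement with the same tag condition.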

IAM Roles

AWS Blu Age SDE deployment and operation requires the use and creation of custom scope-down roles and policies. This document outlines the specific access rights required and details the roles and policies that must be created: AWS Blu Age Standard Delivery Environment - Security

Components

AWS Blu Age DevOps Setup

Resources created

  • Amazon VPC Resources

VPC
Public Subnet
Private Subnet
Isolated Subnet
Internet Gateway
NAT Gateway
Network Firewall
Route Tables
Network ACLs
Security Groups

  • VPC Endpoints

SSM
EC2_MESSAGES
EC2
SSM_MESSAGES
KMS
CLOUDWATCH
CLOUDWATCH_LOGS
CLOUDWATCH_EVENTS
CODEDEPLOY
CODEDEPLOY_COMMANDS_SECURE
CODEBUILD
CODEPIPELINE
ECR
ECR_DOCKER
ECS
ECS_AGENT
ECS_TELEMETRY
CODEARTIFACT_API
CODEARTIFACT_REPOSITORIES
SQS
AUTOSCALING
LAMBDA
SECRETS_MANAGER

  • AWS Private Certificate Authority (ACM)

Private Certificate Authority
Certificate

  • Logging

VPC Flow Logs
Firewall Logging
S3 Access Logging

  • CloudWatch

Cloudwatch Log Groups
Amazon EventBridge Rule
Cloudwatch Alarms

  • EC2

Launch Template

  • IAM

IAM Roles (optional for user access)
IAM Policies
IAM EC2 Instance Profile

  • Lambda Function
  • Cloud Formation Stacks

AWS Blu Age DevOps Pipelines

Resources created

  • CodeArtifact

Domains
Repositories

  • CodeBuild

Projects

  • CodeDeploy

Applications
Deployment groups

  • CodePipeline

Pipelines

  • EventBridge

Rules

  • CloudWatch

Log groups
Log stream

  • Lambda
  • EC2

Instances
Load Balancers
Target groups
Auto Scaling groups

  • ECS

Clusters
Task definitions

  • ECR

Repositories (pull through)

  • EFS

File Systems

  • S3
  • IAM

Roles (service linked to EC2)
Policies

  • Security group
  • Route53

Hosted zone: bluage.local

  • Secrets Manager

Secrets Keys

  • Endpoints

Private Links

AWS Blu Age Regression Testing Snapshots

Resources created

  • Amazon EC2

EC2

Launch Template
Application Load Balancer
Security Group

  • Amazon IAM

Roles with inline policies

  • Amazon SSM

Parameter Store Keys

  • Amazon Secrets Manager

Secret Keys

  • CloudWatch

Log groups
Log stream

  • Amazon Route 53

Hosted zone: bluage.local (if not created by previous CDK)

  • Lambda Function
  • S3
  • Cloud Formation Stacks