AWS Transform for mainframe SDE

Overview

The Standard Delivery Environment (SDE) provides infrastructure automation, continuous integration, continuous delivery, and continuous testing (CI/CD/CT) pipelines, and regression testing management for teams modernizing mainframe applications with AWS Transform for mainframe refactor.

SDE is composed of three tools:

  • DevOps Setup (DOS) - provisions your infrastructure
  • DevOps Pipeline (DOP) - manages your CI/CD/CT pipelines
  • Regression Testing Snapshots (RTS) - manages your databases and database snapshots

This document describes the changes in each SDE release.

Release v1.3

With SDE 1.3, you get multi-region deployment support, dependency compatibility updates, and resource cleanup improvements across all three components. If you deploy SDE infrastructure across multiple AWS Regions, you benefit from the AWS Identity and Access Management (IAM) naming conflict resolution.

DOS

Improvements

  • You can now deploy AWS Lambda functions across multiple AWS Regions without naming conflicts, because IAM role names include a region suffix (for example, us-east-1). IAM role names must be unique across all Regions within an account.
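The following is an added example, not SDE code, showing the kind of check a multi-Region deployment needs once role names carry a Region suffix: the suffix must keep names unique within the account and the result must still satisfy IAM's role-name constraints (at most 64 characters, characters limited to letters, digits and `+=,.@_-`). The base name `blu-lambda-exec` and the `<base>-<region>` convention are assumptions for illustration.

```typescript
// Added example (not SDE code): derive a Region-suffixed IAM role name and
// validate it against IAM's role-name rules before a stack requests it.
// IAM role names are unique per account across all Regions, limited to
// 64 characters, and may only contain the characters [A-Za-z0-9+=,.@_-].

const IAM_ROLE_NAME_MAX = 64;
const IAM_ROLE_NAME_PATTERN = /^[\w+=,.@-]+$/;

// Assumed convention: "<base>-<region>", e.g. "blu-lambda-exec-us-east-1".
function regionSuffixedRoleName(base: string, region: string): string {
  const name = `${base}-${region}`;
  if (!IAM_ROLE_NAME_PATTERN.test(name)) {
    throw new Error(`invalid characters in IAM role name: ${name}`);
  }
  if (name.length > IAM_ROLE_NAME_MAX) {
    // A long base plus a Region suffix can silently exceed the limit, so
    // fail early instead of letting the deployment fail half-way through.
    throw new Error(`IAM role name exceeds ${IAM_ROLE_NAME_MAX} characters: ${name}`);
  }
  return name;
}

// True when two stacks in the same account would request the same role name
// (the conflict that the Region suffix is meant to remove).
function hasRoleNameConflict(roleNames: string[]): boolean {
  return new Set(roleNames).size !== roleNames.length;
}

// Constructed sample: the same Lambda role deployed in two Regions.
const sampleRegions = ["us-east-1", "eu-west-1"];
const unsuffixed = sampleRegions.map(() => "blu-lambda-exec");
const suffixed = sampleRegions.map((r) => regionSuffixedRoleName("blu-lambda-exec", r));

console.log("conflict without suffix:", hasRoleNameConflict(unsuffixed)); // true
console.log("conflict with suffix:", hasRoleNameConflict(suffixed)); // false
```

Run the check as part of the CDK synth step so that a name that is too long or collides is caught before any Region's stack is deployed.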

DOP

Bug fixes

  • Lambda layer deployment scripts (Slack, GitLab, and Jenkins) no longer use the obsolete --use-feature=2020-resolver pip flag. This change fixes installation failures on current pip versions.

RTS

Improvements

  • AWS Secrets Manager now stores both username and password instead of password only, so that you can properly authenticate for DevOps login workflows.

Bug fixes

  • Amazon CloudWatch Log Groups now include RemovalPolicy.DESTROY, so they are automatically deleted when you remove the stack. This prevents leftover resources.
  • Leftover CloudWatch Log Groups that remain after you destroy an AWS Cloud Development Kit (CDK) stack are now cleaned up automatically.

To learn more, see the Standard Delivery Environment documentation.

Release v1.2

With SDE 1.2, you get an improved developer experience and greater CI/CD/CT flexibility. You can use the new optional Image Builder infrastructure in DOS to create pre-configured development Amazon Machine Images (AMIs), and you can take advantage of multi-branch support and runtime version management in DOP. This release is intended for teams that need customizable development environments and flexible branching strategies.

DOS

New features

  • You can use a new optional CDK stack (blu-imagebuilder-infra-stack) to create pre-configured Windows Server 2022 AMIs with AWS Transform for mainframe refactor development tools through AWS EC2 Image Builder.
  • You can manage installer versions centrally through image-builder-recipe-parameters.ts.
  • You can select components in a modular way, with the following categories:
    • Browsers and GitLab certificate
    • Dev tools: 7-Zip, HxD, Notepad++, WinMerge, WinSCP
    • SDE dev tools: Maven, Tomcat, Git, Node.js, pgAdmin, Python, Spring Tool Suite, VS Code
    • Kiro IDE and WSL
  • You can deploy into a new isolated Virtual Private Cloud (VPC) or reuse an existing customer VPC.
  • AMI lifecycle management with retention policies is automated.
  • You can deploy this stack independently from the mandatory DevOps setup, and you can use your own AMI ("Bring Your Own AMI").

DOP

New features

  • You can now run CI/CD/CT workflows on any branch of your modernized application. The previous master and develop branch restrictions no longer apply.
  • You can customize your deployment strategies per branch.
  • You can now use multiple Gapwalk Runtime versions (the AWS Transform for mainframe refactor runtime engine) simultaneously in CI/CD/CT, which helps you adopt new versions faster across your projects.

Improvements

  • You can now toggle SonarQube code analysis on or off in your application build pipelines by using a configurable parameter.

RTS

No changes in this release. To learn more, see the Standard Delivery Environment documentation.

Release v1.1

SDE 1.1 is the foundational release of the Standard Delivery Environment. With this release, you get the following capabilities:

  • Core infrastructure, including VPC, networking, and security
  • Full CI/CD/CT pipeline with GitLab, Jenkins, and AWS CodePipeline
  • Regression Testing Snapshots (RTS) for managing your application servers and databases

Key improvements for you include network security hardening, IAM least privilege, encryption, and automated testing.

DOS

New features

  • You can deploy on an existing customer network, including a custom VPC and subnets.
  • VPC network configuration supports multiple Availability Zones with private subnets 10.0.0.0/20 and 10.0.16.0/20.
  • SDE supports single Availability Zone deployments with a dedicated firewall subnet.
  • SDE creates a "bluage.local" Amazon Route 53 private hosted zone for internal DNS resolution within the SDE network.
  • SDE adds VPC endpoints for Auto Scaling, Amazon Elastic Compute Cloud (Amazon EC2), and Lambda.
  • The BluSegEndpoints security group controls access to all VPC endpoints.
  • A new Certificate Manager stack (BluCertificateStack) is available as an optional component.
  • A new AWS Systems Manager (SSM) document (AWSBluageEC2PortForwarding) restricts Remote Desktop Protocol (RDP) connections to SSM port forwarding only.
  • SDE supports managed AWS Key Management Service (KMS) keys for Amazon Simple Storage Service (Amazon S3) buckets, Amazon Simple Notification Service (SNS) topics, and Amazon Elastic Block Store (EBS) volumes.
  • A cost-optimization Lambda function is deployed with an Amazon CloudWatch IAM policy and RTS parameter store integration.
  • The AWS firewall rule authorizes ".amazonaws.com" and ".amazon.com" domains.
  • AWS CodeArtifact now supports additional AWS Regions.

Improvements

  • Instance Metadata Service (IMDS) Lambda role policies and SSM policy are scoped down to least privilege.
  • IAM roles for Project Manager and Developers are now optional.
  • Firewall deletion protection is enabled by default.
  • A region suffix is added to Amazon S3 bucket names and IAM roles.
  • The AutoStop Amazon EC2 and Auto Scaling group (ASG) cost-optimization Lambda function is disabled by default.
  • Development AMI configuration is managed in the inputs.ts file.
  • The CodeCommit stack is removed, replaced by GitLab for source code management.

Bug fixes

  • Fixed an issue with the AutoUpdateAMI Lambda function.
  • Fixed issues with managed KMS key and internet access.
  • Fixed the Amazon S3 endpoint policy and Amazon EC2 instance profile S3 policy for AWS CodeArtifact.

DOP

New features

  • Source control migrated from CodeCommit to a dedicated GitLab server deployed within the client's VPC.
  • GitLab backups run twice a day, once a week, and once a month.
  • Application binaries (.jar, .war) are fetched from Amazon S3.
  • SonarQube code analysis reports are generated in the User Acceptance Testing (UAT) environment.
  • Slack notifications include pipeline state and last committer information.
  • Amazon Elastic Container Service (ECS) application health checks are performed by using curl.
  • A new codepipeline-docker-image-builder pipeline builds Docker Hub images.
  • A Lambda function automatically updates AMIs on CI instances.
  • Jenkins jobs are automatically created from the test case repository.
  • SDE supports Selenium Integration Test Case (ITC) and Batch Test Case (BTC) test types.
  • Test jobs run in parallel.
  • Tests run on a nightly schedule during weekdays.
  • SDE supports multiple entrypoints, database comparison (CompareDB), and file comparison (CompareFile).
  • Test results are generated and displayed as PDF reports.
  • SDE supports Playwright test scripts.
  • Amazon Relational Database Service (RDS) databases integrate with RTS.
  • Jacoco integrates with the Tomcat container to provide per-job reports and a merged coverage report.
  • Job Runner, Restart App Server, and Cleaner utilities are included.

Improvements

  • DevOps pipeline code is consolidated in the gitlab-devops repository.
  • Pipelines no longer require internet access (codepipeline-app, codepipeline-jenkins).
  • IAM roles are refined for the principle of least privilege.
  • Security groups are refined for least privilege.
  • Access logs are enabled for all Application Load Balancers (ALBs) and Amazon S3 buckets.
  • Amazon ECS SNS topics are encrypted.
  • SDE supports client-specified KMS keys.
  • Jenkins authentication uses AWS Cognito with RTS.
  • Binaries are stored in Amazon S3 to provide developer version flexibility.
  • Test execution durations are displayed in the Jenkins console.

RTS

New features

  • Secure Sockets Layer (SSL)/HTTPS is enabled for the RTS Manager API and web UI.
  • An AWS Cognito user pool is created with Standard and Admin roles.
  • SSL is enabled for PostgreSQL databases on Amazon EC2.
  • The PostgreSQL admin password is moved to AWS Secrets Manager.
  • Connection throttling limits traffic to 20 concurrent requests per second.
  • The maximum connection limit is 50 concurrent requests.
  • Server API requests are sanitized.
  • The back-end is redesigned so that business logic is separated from the application server, which lets you reuse it in Lambda, CI/CD, or other application types.
  • The installation process is integrated in SDE CDK.

Improvements

  • The Redis cache strategy is redesigned to use a single client instance, a single database, and global cache keys with a 10-minute time to live (TTL).
  • SDE switched from a custom AMI to standard Amazon Linux 2023 with installation scripts.
  • PostgreSQL engine settings are automatically configured based on instance type.

Bug fixes

  • Fixed parameter reload by correcting Redis cache invalidation.
  • Fixed the server creation popup that displayed a blank disk selection.
  • Fixed CDK so that the Cognito user pool is properly deleted when you destroy the stack.

To learn more, see the Standard Delivery Environment documentation.