
Background

Come take a look both at the process of conducting a code review and at the architecture and foundation components used in building a complex ESB orchestration. Some folks have requested to see how IT Architecture collaborates, develops, and reviews software engineering projects. To that end we are conducting reviews and working sessions for several applications as webinars so that other LITS teams can participate and observe.

Date, Time, and Registration

The webinar will be held on Monday, December 5 from 10:30 AM to 12:00 PM eastern time. To register for the webinar visit the registration page.

Details

The AWS Account Service is a product of the AWS Proof-of-Concept initiative. It is an ESB service that orchestrates all of the major steps of the AWS account assignment and VPC creation process. It is also authoritative for Emory AWS account data and virtual private cloud data. It provides an interface for creating stacks in AWS accounts; that is, executing CloudFormation templates. It also provides an interface for creating identity providers in AWS accounts, specifically SAML providers. At the time of this writing, identity providers cannot be created as part of CloudFormation templates, so the SAML providers required to implement Emory single sign-on for AWS accounts must be created with a separate Amazon API call and ESB service operation.

The AWS Account Service is presently called from the ServiceNow VPC request form and from the AWS VPC Provisioning Web App.

To implement these functions the AwsAccountService handles the following requests and publishes the following sync event notifications:

Requests

  1. com.amazon.aws.Provisioning.Account.Query-Request (definition | example)
  2. com.amazon.aws.Provisioning.Account.Create-Request (definition | example)
  3. com.amazon.aws.Provisioning.Account.Update-Request (definition | example)
  4. com.amazon.aws.Provisioning.Account.Delete-Request (definition | example)
  5. com.amazon.aws.Provisioning.VirtualPrivateCloud.Query-Request (definition | example)
  6. com.amazon.aws.Provisioning.VirtualPrivateCloud.Generate-Request (definition | example)
  7. com.amazon.aws.Provisioning.VirtualPrivateCloud.Update-Request (definition | example)
  8. com.amazon.aws.Provisioning.VirtualPrivateCloud.Delete-Request (definition | example)
  9. com.amazon.aws.CloudFormation.Stack.Query-Request (definition | example)
  10. com.amazon.aws.CloudFormation.Stack.Generate-Request (definition | example)
  11. com.amazon.aws.CloudFormation.Stack.Delete-Request (definition | example)
  12. com.amazon.aws.Provisioning.SamlProvider.Query-Request (definition | example)
  13. com.amazon.aws.Provisioning.SamlProvider.Create-Request (definition | example)
  14. com.amazon.aws.Provisioning.SamlProvider.Update-Request (definition | example)
  15. com.amazon.aws.Provisioning.SamlProvider.Delete-Request (definition | example)

Syncs

  1. com.amazon.aws.Provisioning.Account.Create-Sync (definition | example)
  2. com.amazon.aws.Provisioning.Account.Update-Sync (definition | example)
  3. com.amazon.aws.Provisioning.Account.Delete-Sync (definition | example)
  4. com.amazon.aws.Provisioning.VirtualPrivateCloud.Create-Sync (definition | example)
  5. com.amazon.aws.Provisioning.VirtualPrivateCloud.Update-Sync (definition | example)
  6. com.amazon.aws.Provisioning.VirtualPrivateCloud.Delete-Sync (definition | example)
  7. com.amazon.aws.CloudFormation.Stack.Create-Sync (definition | example)
  8. com.amazon.aws.CloudFormation.Stack.Delete-Sync (definition | example)
  9. com.amazon.aws.Provisioning.SamlProvider.Create-Sync (definition | example)
  10. com.amazon.aws.Provisioning.SamlProvider.Update-Sync (definition | example)
  11. com.amazon.aws.Provisioning.SamlProvider.Delete-Sync (definition | example)

The VirtualPrivateCloud generate operation implements the AWS account assignment and VPC generation workflow. It invokes other services in this orchestration to obtain a CIDR, add administrators to e-mail distribution lists and IDM roles, execute the appropriate CloudFormation template(s), set up SAML sign-on for console access, etc. The detailed VPC generation logic is:

  1. It inspects the VirtualPrivateCloudRequisition to determine if this is a request for a new VPC in a new account or a new VPC in an existing account.
  2. If the request is for a new VPC in a new AWS account, it performs the following steps:
    1. Sends an Account.Query-Request message to the AwsAccountService to identify the next available AWS Account in the inventory. If there are no available accounts in the inventory, it responds with an appropriate error.
    2. If an AWS Account is available in the inventory, it updates the AWS Account AccountOwnerNetId and FinancialAccountNumber from the VirtualPrivateCloudRequisition to identify the new owner and payment method for the account.
    3. Sends edu.emory.Identity.RoleAssignment.Create-Requests to the IdmService to add each of the customer administrators of the new account. Note: as of the time of this writing LITS administrators will be implemented as one IDM role for all AWS accounts, so no provisioning for LITS administrators of each account would be required.
    4. Sends a com.amazon.aws.Provisioning.SamlProvider.Create-Request to the AwsAccountService to create a SAML provider in the new account.
    5. Sends a com.amazon.aws.Provisioning.AccountAlias.Create-Request to the AwsAccountService to create an alias for the new account. The format of the alias is "emory-aws-n" where n is the sequence number of the account.
    6. Determines the type of VPC requested from the Type indicated in the VirtualPrivateCloudRequisition and selects the appropriate CloudFormation template.
    7. Sends an edu.emory.Network.Cidr.Generate-Request to get the next available CIDR range for the requested type of VPC.
    8. Computes subnetting for the VPC based on the CIDR and type and performs VPC-specific replacements in the template for CIDR, subnets, etc.
    9. Sends a com.amazon.aws.CloudFormation.Stack.Create-Request to the AwsAccountService with the appropriate credentials and template.
    10. Returns a com.amazon.aws.Provisioning.VirtualPrivateCloud.Response-Reply to the requestor with the status and, if applicable, error codes and descriptions. In the case of success it publishes a com.amazon.aws.Provisioning.VirtualPrivateCloud.Create-Sync.
  3. If the request is for a new VPC in an existing AWS account, it performs the following steps:
    1. Sends an Account.Query-Request message to the AwsAccountService to retrieve the AWS account. If the account does not exist or its owner does not match the owner in the request, it returns an appropriate error.
    2. Sends an edu.emory.Identity.RoleAssignment.Query-Request for the customer account administration role to get a list of all current customer administrators for the account.
    3. If there are new customer administrators in the VirtualPrivateCloudRequisition who do not yet exist in the role, it sends edu.emory.Identity.RoleAssignment.Create-Requests to the IdmService to add each of them. Note that this service intentionally does not remove existing administrators from the role, because the requestor of the new VPC may not be aware of all current administrators. Any further customer administrator management should happen through the AWS Account management processes and interfaces.
    4. Determines the type of VPC requested from the Type indicated in the VirtualPrivateCloudRequisition and selects the appropriate CloudFormation template.
    5. Sends an edu.emory.Network.Cidr.Generate-Request to get the next available CIDR range for the requested type of VPC.
    6. Computes subnetting for the VPC based on the CIDR and type and performs VPC-specific replacements in the template for CIDR, subnets, etc.
    7. Sends a com.amazon.aws.CloudFormation.Stack.Create-Request to the AwsAccountService with the appropriate credentials and template.
    8. Returns a com.amazon.aws.Provisioning.VirtualPrivateCloud.Response-Reply to the requestor with the status and, if applicable, error codes and descriptions. In the case of success it publishes a com.amazon.aws.Provisioning.VirtualPrivateCloud.Create-Sync.
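The two branches above, as an added Python illustration that is not the AwsAccountService's own code (the page does not show it): an in-memory account inventory, the owner check that gates the existing-account branch, the add-only reconciliation of customer administrators, subnet computation from the allocated CIDR, and placeholder replacement in a stand-in template. The requisition field names, the SUBNET_PLAN sizes, the placeholder markers, and the error codes are assumptions; the "emory-aws-n" alias format and the "never remove existing administrators" rule come from the page.

```python
"""Constructed walk-through of the VPC generation workflow (not project code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional, Set

# Assumption: number of equal-sized subnets carved out per VPC type.
SUBNET_PLAN = {"standard": 2, "large": 4}

# Assumption: stand-in for a CloudFormation template with replacement markers.
TEMPLATE = '{"VpcCidr": "%%VPC_CIDR%%", "Subnets": [%%SUBNETS%%]}'


@dataclass
class Account:
    account_id: str
    owner_net_id: str          # "" means unassigned, i.e. available in inventory
    sequence: int              # n in the "emory-aws-n" alias
    admins: Set[str] = field(default_factory=set)


@dataclass
class Requisition:
    owner_net_id: str
    vpc_type: str
    admins: Set[str]
    account_id: Optional[str] = None   # None requests a new account


def check_owner(account: Optional[Account], req: Requisition) -> Optional[str]:
    """Step 3.1: an existing account may only be touched by its recorded owner."""
    if account is None:
        return "ERR_ACCOUNT_NOT_FOUND"
    if account.owner_net_id != req.owner_net_id:
        return "ERR_OWNER_MISMATCH"
    return None


def new_admins(existing: Set[str], requested: Set[str]) -> list:
    """Steps 2.3 / 3.3: only add missing administrators, never remove any."""
    return sorted(set(requested) - set(existing))


def compute_subnets(cidr: str, vpc_type: str) -> list:
    """Step 8: split the allocated CIDR into SUBNET_PLAN[vpc_type] subnets."""
    net = ipaddress.ip_network(cidr)
    count = SUBNET_PLAN[vpc_type]                 # assumed to be a power of two
    new_prefix = net.prefixlen + (count - 1).bit_length()
    return [str(s) for s in net.subnets(new_prefix=new_prefix)][:count]


def render_template(cidr: str, subnets: list) -> str:
    """Step 8: VPC-specific replacements for CIDR and subnets."""
    quoted = ", ".join('"%s"' % s for s in subnets)
    return TEMPLATE.replace("%%VPC_CIDR%%", cidr).replace("%%SUBNETS%%", quoted)


def generate_vpc(req: Requisition, inventory: list, allocate_cidr: Callable[[], str]):
    """Return (status, payload); payload is None on error."""
    if req.account_id is None:
        # Step 2.1: next available account, else an error
        account = next((a for a in inventory if a.owner_net_id == ""), None)
        if account is None:
            return "ERR_NO_ACCOUNTS_AVAILABLE", None
        account.owner_net_id = req.owner_net_id        # step 2.2
        alias = "emory-aws-%d" % account.sequence      # step 2.5
    else:
        account = next((a for a in inventory if a.account_id == req.account_id), None)
        err = check_owner(account, req)                # step 3.1
        if err:
            return err, None
        alias = "emory-aws-%d" % account.sequence
    added = new_admins(account.admins, req.admins)
    account.admins.update(added)
    cidr = allocate_cidr()                             # step 7 (Cidr.Generate)
    subnets = compute_subnets(cidr, req.vpc_type)
    return "OK", {
        "account_id": account.account_id, "alias": alias, "cidr": cidr,
        "subnets": subnets, "admins_added": added,
        "template": render_template(cidr, subnets),
    }


def sample_inventory() -> list:
    """Constructed sample data: one free account and one owned by 'bob'."""
    return [Account("111111111111", "", 1), Account("222222222222", "bob", 2, {"bob"})]
```

Running generate_vpc with a requisition that names an existing account owned by someone else yields ERR_OWNER_MISMATCH before any role or stack operation is attempted, which is the ordering the page's step 3.1 prescribes; the administrator reconciliation only ever widens the role membership.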

Relevant Frameworks

LITS application development groups use the following frameworks for application development <https://wiki.service.emory.edu/x/O43GBQ>. The frameworks relevant to this application are:

  1. EAI/SOA