Forem: Lucas The latest articles on Forem by Lucas (@lpossamai). https://forem.com/lpossamai https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1222620%2Fb3dfaa3e-fee0-4ffc-9323-5c0c45b6342e.jpg Forem: Lucas https://forem.com/lpossamai en Building Hybrid Search for RAG: Combining pgvector and Full-Text Search with Reciprocal Rank Fusion Lucas Thu, 12 Feb 2026 04:10:57 +0000 https://forem.com/lpossamai/building-hybrid-search-for-rag-combining-pgvector-and-full-text-search-with-reciprocal-rank-fusion-6nk https://forem.com/lpossamai/building-hybrid-search-for-rag-combining-pgvector-and-full-text-search-with-reciprocal-rank-fusion-6nk <p>Most RAG tutorials show you the happy path: embed your documents, store them in a vector database, do a similarity search, done. Ship it.</p> <p>Then you put it in front of real users and discover that semantic search alone misses obvious keyword matches, exact product names get hallucinated into approximate nonsense, and your retrieval quality sits at maybe 60%.</p> <p><strong>This post covers how we fixed it</strong> — using nothing but PostgreSQL. <code>pgvector</code> for semantic search, <code>tsvector</code> for full-text search, and Reciprocal Rank Fusion to merge the results. No Pinecone. No Elasticsearch. Just Postgres.</p> <blockquote> <p><strong>TL;DR</strong> — Pure vector search got us ~62% retrieval precision. Adding full-text search + RRF fusion bumped it to ~84%, with near-perfect exact-match queries. Zero additional infrastructure — it's all just SQL.</p> </blockquote> <h2> Why Not Just Use Vector Search? </h2> <p>Vector (semantic) search is great at understanding <em>meaning</em>. If a user asks "how do I reduce cloud costs?" it will find documents about "infrastructure cost optimization" even if those exact words don't appear.</p> <p>But it has blind spots. Here's how the two approaches compare:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Query type</th> <th>Vector search</th> <th>Full-text search</th> </tr> </thead> <tbody> <tr> <td>"infrastructure cost optimization"</td> <td>Finds it even if phrased differently</td> <td>Misses unless exact words match</td> </tr> <tr> <td>"PCI-DSS v4" (exact standard)</td> <td>Returns generic "security compliance" docs</td> <td>Nails it</td> </tr> <tr> <td>"ECS" (acronym)</td> <td>Matches "container services" broadly</td> <td>Finds exact AWS ECS references</td> </tr> <tr> <td>"SQS DLQ config" (precise query)</td> <td>Diluted by semantically similar noise</td> <td>Direct hit</td> </tr> <tr> <td>"how do I handle errors gracefully?"</td> <td>Understands intent, finds relevant patterns</td> <td>Misses if docs use different wording</td> </tr> </tbody> </table></div> <p>Neither approach is sufficient on its own. <strong>The answer is to use both.</strong></p> <h2> Architecture Overview </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ziqqi5lg94779cwt205.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ziqqi5lg94779cwt205.png" alt=" " width="800" height="631"></a></p> <p>Both searches run <strong>in parallel</strong> against the same PostgreSQL database. RRF merges the ranked lists into a single result set.</p> <h2> Setting Up the Database </h2> <h3> pgvector for Semantic Search </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">EXTENSION</span> <span class="n">IF</span> <span class="k">NOT</span> <span class="k">EXISTS</span> <span class="n">vector</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">document_chunks</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">document_id</span> <span class="n">UUID</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">REFERENCES</span> <span class="n">documents</span><span class="p">(</span><span class="n">id</span><span class="p">),</span> <span class="n">content</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">embedding</span> <span class="n">vector</span><span class="p">(</span><span class="mi">3072</span><span class="p">),</span> <span class="c1">-- text-embedding-3-large dimensions</span> <span class="n">metadata</span> <span class="n">JSONB</span> <span class="k">DEFAULT</span> <span class="s1">'{}'</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">TIMESTAMPTZ</span> <span class="k">DEFAULT</span> <span class="n">now</span><span class="p">()</span> <span class="p">);</span> <span class="c1">-- HNSW index for approximate nearest neighbor search</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_chunks_embedding</span> <span class="k">ON</span> <span class="n">document_chunks</span> <span class="k">USING</span> <span class="n">hnsw</span> <span class="p">(</span><span class="n">embedding</span> <span class="n">vector_cosine_ops</span><span class="p">)</span> <span class="k">WITH</span> <span class="p">(</span><span class="n">m</span> <span class="o">=</span> <span class="mi">16</span><span class="p">,</span> <span class="n">ef_construction</span> <span class="o">=</span> <span class="mi">128</span><span class="p">);</span> </code></pre> </div> <blockquote> <p><strong>Why HNSW over IVFFlat?</strong> HNSW gives better recall at query time without needing to tune <code>nprobe</code>. IVFFlat is faster to build but requires choosing the number of lists upfront and tuning probe count per query. For production RAG where retrieval quality matters more than index build time, HNSW is the better default.</p> </blockquote> <h3> tsvector for Full-Text Search </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">document_chunks</span> <span class="k">ADD</span> <span class="k">COLUMN</span> <span class="n">search_vector</span> <span class="n">tsvector</span> <span class="k">GENERATED</span> <span class="n">ALWAYS</span> <span class="k">AS</span> <span class="p">(</span><span class="n">to_tsvector</span><span class="p">(</span><span class="s1">'english'</span><span class="p">,</span> <span class="n">content</span><span class="p">))</span> <span class="n">STORED</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_chunks_search</span> <span class="k">ON</span> <span class="n">document_chunks</span> <span class="k">USING</span> <span class="n">gin</span><span class="p">(</span><span class="n">search_vector</span><span class="p">);</span> </code></pre> </div> <p>Using a <code>GENERATED ALWAYS</code> column means the search vector stays in sync with content automatically — no triggers, no application logic to maintain.</p> <h2> The Search Queries </h2> <h3> Semantic Search </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">semantic_search</span><span class="p">(</span> <span class="n">session</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">query_embedding</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">float</span><span class="p">],</span> <span class="n">workspace_id</span><span class="p">:</span> <span class="n">uuid</span><span class="p">.</span><span class="n">UUID</span><span class="p">,</span> <span class="n">limit</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">20</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="n">SearchResult</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Find chunks by vector similarity using cosine distance.</span><span class="sh">"""</span> <span class="n">stmt</span> <span class="o">=</span> <span class="p">(</span> <span class="nf">select</span><span class="p">(</span> <span class="n">DocumentChunk</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="n">DocumentChunk</span><span class="p">.</span><span class="n">content</span><span class="p">,</span> <span class="n">DocumentChunk</span><span class="p">.</span><span class="n">document_id</span><span class="p">,</span> <span class="p">(</span><span class="mi">1</span> <span class="o">-</span> <span class="n">DocumentChunk</span><span class="p">.</span><span class="n">embedding</span><span class="p">.</span><span class="nf">cosine_distance</span><span class="p">(</span><span class="n">query_embedding</span><span class="p">)).</span><span class="nf">label</span><span class="p">(</span> <span class="sh">"</span><span class="s">similarity</span><span class="sh">"</span> <span class="p">),</span> <span class="p">)</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">Document</span><span class="p">,</span> <span class="n">DocumentChunk</span><span class="p">.</span><span class="n">document_id</span> <span class="o">==</span> <span class="n">Document</span><span class="p">.</span><span class="nb">id</span><span class="p">)</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="n">Document</span><span class="p">.</span><span class="n">workspace_id</span> <span class="o">==</span> <span class="n">workspace_id</span><span class="p">)</span> <span class="p">.</span><span class="nf">order_by</span><span class="p">(</span> <span class="n">DocumentChunk</span><span class="p">.</span><span class="n">embedding</span><span class="p">.</span><span class="nf">cosine_distance</span><span class="p">(</span><span class="n">query_embedding</span><span class="p">)</span> <span class="p">)</span> <span class="p">.</span><span class="nf">limit</span><span class="p">(</span><span class="n">limit</span><span class="p">)</span> <span class="p">)</span> <span class="n">results</span> <span class="o">=</span> <span class="k">await</span> <span class="n">session</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">stmt</span><span class="p">)</span> <span class="k">return</span> <span class="p">[</span> <span class="nc">SearchResult</span><span class="p">(</span> <span class="n">chunk_id</span><span class="o">=</span><span class="n">row</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="n">content</span><span class="o">=</span><span class="n">row</span><span class="p">.</span><span class="n">content</span><span class="p">,</span> <span class="n">document_id</span><span class="o">=</span><span class="n">row</span><span class="p">.</span><span class="n">document_id</span><span class="p">,</span> <span class="n">score</span><span class="o">=</span><span class="nf">float</span><span class="p">(</span><span class="n">row</span><span class="p">.</span><span class="n">similarity</span><span class="p">),</span> <span class="p">)</span> <span class="k">for</span> <span class="n">row</span> <span class="ow">in</span> <span class="n">results</span> <span class="p">]</span> </code></pre> </div> <h3> Full-Text Search </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">fulltext_search</span><span class="p">(</span> <span class="n">session</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">query</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">workspace_id</span><span class="p">:</span> <span class="n">uuid</span><span class="p">.</span><span class="n">UUID</span><span class="p">,</span> <span class="n">limit</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">20</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="n">SearchResult</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Find chunks by full-text relevance using ts_rank.</span><span class="sh">"""</span> <span class="n">ts_query</span> <span class="o">=</span> <span class="n">func</span><span class="p">.</span><span class="nf">plainto_tsquery</span><span class="p">(</span><span class="sh">"</span><span class="s">english</span><span class="sh">"</span><span class="p">,</span> <span class="n">query</span><span class="p">)</span> <span class="n">stmt</span> <span class="o">=</span> <span class="p">(</span> <span class="nf">select</span><span class="p">(</span> <span class="n">DocumentChunk</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="n">DocumentChunk</span><span class="p">.</span><span class="n">content</span><span class="p">,</span> <span class="n">DocumentChunk</span><span class="p">.</span><span class="n">document_id</span><span class="p">,</span> <span class="n">func</span><span class="p">.</span><span class="nf">ts_rank</span><span class="p">(</span><span class="n">DocumentChunk</span><span class="p">.</span><span class="n">search_vector</span><span class="p">,</span> <span class="n">ts_query</span><span class="p">).</span><span class="nf">label</span><span class="p">(</span><span class="sh">"</span><span class="s">relevance</span><span class="sh">"</span><span class="p">),</span> <span class="p">)</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">Document</span><span class="p">,</span> <span class="n">DocumentChunk</span><span class="p">.</span><span class="n">document_id</span> <span class="o">==</span> <span class="n">Document</span><span class="p">.</span><span class="nb">id</span><span class="p">)</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span> <span class="n">Document</span><span class="p">.</span><span class="n">workspace_id</span> <span class="o">==</span> <span class="n">workspace_id</span><span class="p">,</span> <span class="n">DocumentChunk</span><span class="p">.</span><span class="n">search_vector</span><span class="p">.</span><span class="nf">op</span><span class="p">(</span><span class="sh">"</span><span class="s">@@</span><span class="sh">"</span><span class="p">)(</span><span class="n">ts_query</span><span class="p">),</span> <span class="p">)</span> <span class="p">.</span><span class="nf">order_by</span><span class="p">(</span><span class="n">func</span><span class="p">.</span><span class="nf">ts_rank</span><span class="p">(</span><span class="n">DocumentChunk</span><span class="p">.</span><span class="n">search_vector</span><span class="p">,</span> <span class="n">ts_query</span><span class="p">).</span><span class="nf">desc</span><span class="p">())</span> <span class="p">.</span><span class="nf">limit</span><span class="p">(</span><span class="n">limit</span><span class="p">)</span> <span class="p">)</span> <span class="n">results</span> <span class="o">=</span> <span class="k">await</span> <span class="n">session</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="n">stmt</span><span class="p">)</span> <span class="k">return</span> <span class="p">[</span> <span class="nc">SearchResult</span><span class="p">(</span> <span class="n">chunk_id</span><span class="o">=</span><span class="n">row</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="n">content</span><span class="o">=</span><span class="n">row</span><span class="p">.</span><span class="n">content</span><span class="p">,</span> <span class="n">document_id</span><span class="o">=</span><span class="n">row</span><span class="p">.</span><span class="n">document_id</span><span class="p">,</span> <span class="n">score</span><span class="o">=</span><span class="nf">float</span><span class="p">(</span><span class="n">row</span><span class="p">.</span><span class="n">relevance</span><span class="p">),</span> <span class="p">)</span> <span class="k">for</span> <span class="n">row</span> <span class="ow">in</span> <span class="n">results</span> <span class="p">]</span> </code></pre> </div> <h2> Reciprocal Rank Fusion </h2> <p>Here's where the magic happens. RRF merges two ranked lists <strong>without needing to normalize their scores</strong> — which is important because cosine similarity scores and ts_rank scores are on completely different scales.</p> <p>The formula is simple:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>RRF_score(d) = Σ 1 / (k + rank_i(d)) </code></pre> </div> <p>Where <code>k</code> is a constant (typically 60) and <code>rank_i(d)</code> is the rank of document <code>d</code> in the i-th result list.</p> <blockquote> <p><strong>Why not just normalize and average the scores?</strong> Cosine similarity and ts_rank have fundamentally different distributions. Normalizing them into a common range introduces arbitrary decisions about scaling. RRF side-steps this entirely by only caring about <em>rank position</em>, not raw scores. A document ranked #1 in both lists will always beat a document ranked #5 in one and #1 in another — regardless of what the underlying scores looked like.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">reciprocal_rank_fusion</span><span class="p">(</span> <span class="n">result_lists</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">list</span><span class="p">[</span><span class="n">SearchResult</span><span class="p">]],</span> <span class="n">k</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">60</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="n">SearchResult</span><span class="p">]:</span> <span class="sh">"""</span><span class="s"> Merge multiple ranked result lists using Reciprocal Rank Fusion. The k parameter controls how much we trust top-ranked results. Higher k = more equal weighting. Default 60 is from the original Cormack et al. (2009) paper. </span><span class="sh">"""</span> <span class="n">rrf_scores</span><span class="p">:</span> <span class="nb">dict</span><span class="p">[</span><span class="n">uuid</span><span class="p">.</span><span class="n">UUID</span><span class="p">,</span> <span class="nb">float</span><span class="p">]</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">results_by_id</span><span class="p">:</span> <span class="nb">dict</span><span class="p">[</span><span class="n">uuid</span><span class="p">.</span><span class="n">UUID</span><span class="p">,</span> <span class="n">SearchResult</span><span class="p">]</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">for</span> <span class="n">result_list</span> <span class="ow">in</span> <span class="n">result_lists</span><span class="p">:</span> <span class="k">for</span> <span class="n">rank</span><span class="p">,</span> <span class="n">result</span> <span class="ow">in</span> <span class="nf">enumerate</span><span class="p">(</span><span class="n">result_list</span><span class="p">,</span> <span class="n">start</span><span class="o">=</span><span class="mi">1</span><span class="p">):</span> <span class="n">rrf_scores</span><span class="p">[</span><span class="n">result</span><span class="p">.</span><span class="n">chunk_id</span><span class="p">]</span> <span class="o">=</span> <span class="n">rrf_scores</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span> <span class="n">result</span><span class="p">.</span><span class="n">chunk_id</span><span class="p">,</span> <span class="mf">0.0</span> <span class="p">)</span> <span class="o">+</span> <span class="mf">1.0</span> <span class="o">/</span> <span class="p">(</span><span class="n">k</span> <span class="o">+</span> <span class="n">rank</span><span class="p">)</span> <span class="n">results_by_id</span><span class="p">[</span><span class="n">result</span><span class="p">.</span><span class="n">chunk_id</span><span class="p">]</span> <span class="o">=</span> <span class="n">result</span> <span class="n">sorted_ids</span> <span class="o">=</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">rrf_scores</span><span class="p">,</span> <span class="n">key</span><span class="o">=</span><span class="n">rrf_scores</span><span class="p">.</span><span class="n">get</span><span class="p">,</span> <span class="n">reverse</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="p">[</span> <span class="nc">SearchResult</span><span class="p">(</span> <span class="n">chunk_id</span><span class="o">=</span><span class="n">chunk_id</span><span class="p">,</span> <span class="n">content</span><span class="o">=</span><span class="n">results_by_id</span><span class="p">[</span><span class="n">chunk_id</span><span class="p">].</span><span class="n">content</span><span class="p">,</span> <span class="n">document_id</span><span class="o">=</span><span class="n">results_by_id</span><span class="p">[</span><span class="n">chunk_id</span><span class="p">].</span><span class="n">document_id</span><span class="p">,</span> <span class="n">score</span><span class="o">=</span><span class="n">rrf_scores</span><span class="p">[</span><span class="n">chunk_id</span><span class="p">],</span> <span class="p">)</span> <span class="k">for</span> <span class="n">chunk_id</span> <span class="ow">in</span> <span class="n">sorted_ids</span> <span class="p">]</span> </code></pre> </div> <h2> Putting It Together </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">hybrid_search</span><span class="p">(</span> <span class="n">session</span><span class="p">:</span> <span class="n">AsyncSession</span><span class="p">,</span> <span class="n">query</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">query_embedding</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">float</span><span class="p">],</span> <span class="n">workspace_id</span><span class="p">:</span> <span class="n">uuid</span><span class="p">.</span><span class="n">UUID</span><span class="p">,</span> <span class="n">limit</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">10</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="n">SearchResult</span><span class="p">]:</span> <span class="sh">"""</span><span class="s"> Run semantic and full-text search in parallel, then merge results with RRF. </span><span class="sh">"""</span> <span class="n">semantic_results</span><span class="p">,</span> <span class="n">fulltext_results</span> <span class="o">=</span> <span class="k">await</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">gather</span><span class="p">(</span> <span class="nf">semantic_search</span><span class="p">(</span><span class="n">session</span><span class="p">,</span> <span class="n">query_embedding</span><span class="p">,</span> <span class="n">workspace_id</span><span class="p">,</span> <span class="n">limit</span><span class="o">=</span><span class="mi">20</span><span class="p">),</span> <span class="nf">fulltext_search</span><span class="p">(</span><span class="n">session</span><span class="p">,</span> <span class="n">query</span><span class="p">,</span> <span class="n">workspace_id</span><span class="p">,</span> <span class="n">limit</span><span class="o">=</span><span class="mi">20</span><span class="p">),</span> <span class="p">)</span> <span class="n">fused</span> <span class="o">=</span> <span class="nf">reciprocal_rank_fusion</span><span class="p">([</span><span class="n">semantic_results</span><span class="p">,</span> <span class="n">fulltext_results</span><span class="p">])</span> <span class="k">return</span> <span class="n">fused</span><span class="p">[:</span><span class="n">limit</span><span class="p">]</span> </code></pre> </div> <p>Both searches run concurrently with <code>asyncio.gather</code>. We fetch 20 candidates from each, fuse them, and return the top 10. Over-fetching from each source gives RRF more signal to work with.</p> <h2> Why Not a Dedicated Vector Database? </h2> <p>We considered Pinecone, Weaviate, and Qdrant. We stuck with PostgreSQL + pgvector for several reasons:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Concern</th> <th>Dedicated vector DB</th> <th>PostgreSQL + pgvector</th> </tr> </thead> <tbody> <tr> <td>Infrastructure</td> <td>Separate service to monitor, back up, patch, pay for</td> <td>Already running Aurora PostgreSQL</td> </tr> <tr> <td>Consistency</td> <td>Eventual consistency between stores</td> <td>Single transaction — deletes are atomic</td> </tr> <tr> <td>Full-text search</td> <td>Need a <em>third</em> system (Elasticsearch, etc.)</td> <td> <code>tsvector</code> is built in</td> </tr> <tr> <td>Compliance (SOC2)</td> <td>Every new service adds audit scope</td> <td>One set of encryption, access controls, audit trails</td> </tr> <tr> <td>Performance at our scale</td> <td>Faster at 10M+ vectors</td> <td>&lt;50ms HNSW search at ~500K chunks</td> </tr> </tbody> </table></div> <blockquote> <p><strong>When would we switch?</strong> If we hit tens of millions of vectors and needed sub-10ms p99 latency, a dedicated solution would make sense. At ~500K chunks, pgvector is more than fast enough.</p> </blockquote> <h2> Production Lessons </h2> <p>Here's what we learned running this in production:</p> <p><strong>1. Over-fetch, then trim.</strong><br> Pulling 20 results from each source and fusing to 10 consistently outperformed pulling 10 from each. More candidates = better fusion signal.</p> <p><strong>2. Full-text search needs query preprocessing.</strong><br> <code>plainto_tsquery</code> handles most cases, but for advanced users we added <code>websearch_to_tsquery</code> support which handles quoted phrases and boolean operators.</p> <p><strong>3. Monitor both sides independently.</strong><br> We track semantic search latency and full-text search latency separately. If pgvector's HNSW index needs a rebuild, we see it in the semantic search p99 without it being masked by fast full-text results.</p> <p><strong>4. Embedding model upgrades require re-indexing.</strong><br> When we considered switching embedding models, we realized every chunk needs re-embedding. We built this into our pipeline as a background job with progress tracking. Plan for this from day one.</p> <p><strong>5. RRF's k=60 is a reasonable default, but test it.</strong><br> We ran evaluations with k values from 10 to 100. For our dataset, 60 was optimal. Your mileage will vary — the important thing is to have an evaluation set so you can actually measure.</p> <h2> Results </h2> <p>After switching from pure semantic search to hybrid search with RRF:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Before (vector only)</th> <th>After (hybrid + RRF)</th> </tr> </thead> <tbody> <tr> <td>Retrieval precision</td> <td>~62%</td> <td><strong>~84%</strong></td> </tr> <tr> <td>Exact-match queries (product names, error codes)</td> <td>Unreliable</td> <td>Near-perfect</td> </tr> <tr> <td>Additional infrastructure</td> <td>—</td> <td>None. It's all just SQL.</td> </tr> </tbody> </table></div> <p>Hybrid search isn't novel research — the pattern has been around for years in traditional information retrieval. But in the RAG gold rush, most tutorials skip it entirely in favor of pure vector search. If your RAG pipeline is struggling with retrieval quality, this is likely the highest-ROI improvement you can make.</p> <p><em>[Code examples in this post are illustrative patterns based on production experience, not copy-paste from a proprietary codebase.]</em></p> ai python postgres rag Building a SOC2-Compliant Azure Multi-Subscription Architecture with Terraform Lucas Wed, 17 Dec 2025 08:47:54 +0000 https://forem.com/lpossamai/building-a-soc2-compliant-azure-multi-subscription-architecture-with-terraform-4g38 https://forem.com/lpossamai/building-a-soc2-compliant-azure-multi-subscription-architecture-with-terraform-4g38 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fghwkp3r7kl64xdsfddzg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fghwkp3r7kl64xdsfddzg.png" alt=" " width="800" height="436"></a></p> <p><em>A deep dive into implementing Microsoft's Cloud Adoption Framework Landing Zones with Terraform, and why Azure's approach to multi-tenancy requires a fundamentally different mindset than AWS.</em></p> <h2> The Challenge: "Just Make It Work Like AWS" </h2> <p>When our team at Foo was tasked with building a SOC2-compliant infrastructure on Azure, the initial instinct was simple: "Let's just replicate our AWS multi-account strategy." After all, we already had a battle-tested AWS organization with:</p> <ul> <li>9+ AWS accounts (dev, staging, prod, security-tooling, log-archive, shared-services, etc.)</li> <li>Service Control Policies (SCPs) for guardrails</li> <li>IAM Identity Center (SSO) for centralized access</li> <li>AWS Organizations for hierarchy</li> </ul> <p><strong>Spoiler alert: This approach would have been a costly mistake on Azure.</strong></p> <p>Here's why, and what we built instead.</p> <h2> 🚨 The Azure Subscription Limit Reality Check </h2> <p>Unlike AWS, where you can spin up accounts almost endlessly (soft limit of ~10, easily increased to hundreds), <strong>Azure has hard limits on subscriptions that require engagement with Microsoft support</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Cloud Provider</th> <th>Isolation Unit</th> <th>Typical Count</th> <th>Limit Increase</th> </tr> </thead> <tbody> <tr> <td>AWS</td> <td>Account</td> <td>10-100+</td> <td>Easy (support ticket)</td> </tr> <tr> <td>Azure</td> <td>Subscription</td> <td>3-10</td> <td>Requires Microsoft engagement</td> </tr> </tbody> </table></div> <p>This isn't just a technical limitation—it's a <strong>fundamental architectural constraint</strong> that shapes how you design your Azure landing zone.</p> <blockquote> <p>💡 <strong>Key Insight</strong>: Azure's answer to "we need more isolation" isn't "create more subscriptions." It's <strong>Resource Groups with RBAC</strong>.</p> </blockquote> <h2> The Architecture: Microsoft CAF Landing Zone Pattern </h2> <p>After evaluating several approaches, we landed on Microsoft's Cloud Adoption Framework (CAF) Landing Zone architecture. Here's our 4-tier Management Group hierarchy:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flubngy7tqghh7ws2tcfa.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flubngy7tqghh7ws2tcfa.png" alt=" " width="800" height="368"></a></p> <h3> 5 Subscriptions vs 9+ AWS Accounts </h3> <p>Here's how we consolidated:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>AWS Account</th> <th>Azure Equivalent</th> <th>Strategy</th> </tr> </thead> <tbody> <tr> <td>Dev Account</td> <td>Corp-NonProduction Sub</td> <td>Use Resource Groups: <code>rg-foo-preview-*</code> </td> </tr> <tr> <td>Staging Account</td> <td>Corp-NonProduction Sub</td> <td>Use Resource Groups: <code>rg-foo-staging-*</code> </td> </tr> <tr> <td>Prod Account</td> <td>Corp-Production Sub</td> <td>Dedicated subscription</td> </tr> <tr> <td>Security-Tooling</td> <td>Management Sub</td> <td>Consolidated with monitoring</td> </tr> <tr> <td>Log-Archive</td> <td>Management Sub</td> <td>Storage accounts with lifecycle policies</td> </tr> <tr> <td>Shared-Services</td> <td>Connectivity Sub</td> <td>Hub networking</td> </tr> <tr> <td>Network Account</td> <td>Connectivity Sub</td> <td>Azure Firewall, VPN, DNS</td> </tr> <tr> <td>Monitoring</td> <td>Management Sub</td> <td>Log Analytics, Azure Monitor</td> </tr> <tr> <td>Sandbox</td> <td>Sandbox Sub</td> <td>Developer experimentation</td> </tr> </tbody> </table></div> <p><strong>Result: 5 subscriptions doing the work of 9 AWS accounts.</strong></p> <h2> Show Me The Code: Terraform Implementation </h2> <h3> Management Group Hierarchy </h3> <p>Here's how we define the 4-tier CAF hierarchy in Terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># management_groups.tf</span> <span class="c1"># Azure Management Groups - Microsoft CAF Landing Zone Architecture</span> <span class="c1"># Tier 1: Root Management Group</span> <span class="nx">resource</span> <span class="s2">"azurerm_management_group"</span> <span class="s2">"foo"</span> <span class="p">{</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">organization_name</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">organization_name</span> <span class="nx">timeouts</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="s2">"30m"</span> <span class="c1"># MGs can take a while!</span> <span class="nx">delete</span> <span class="p">=</span> <span class="s2">"30m"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Tier 2: Category Management Groups (Platform, Landing Zones, Sandbox)</span> <span class="nx">resource</span> <span class="s2">"azurerm_management_group"</span> <span class="s2">"tier2_groups"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">k</span><span class="p">,</span> <span class="nx">v</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">management_groups</span> <span class="err">:</span> <span class="nx">k</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">v</span> <span class="nx">if</span> <span class="nx">v</span><span class="p">.</span><span class="nx">parent_id</span> <span class="p">==</span> <span class="s2">"foo"</span> <span class="p">}</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">parent_management_group_id</span> <span class="p">=</span> <span class="nx">azurerm_management_group</span><span class="p">.</span><span class="nx">foo</span><span class="p">.</span><span class="nx">id</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">azurerm_management_group</span><span class="p">.</span><span class="nx">foo</span><span class="p">]</span> <span class="p">}</span> <span class="c1"># Tier 3: Specialization (Connectivity, Management, Corp)</span> <span class="nx">resource</span> <span class="s2">"azurerm_management_group"</span> <span class="s2">"tier3_groups"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">k</span><span class="p">,</span> <span class="nx">v</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">management_groups</span> <span class="err">:</span> <span class="nx">k</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">v</span> <span class="nx">if</span> <span class="nx">v</span><span class="p">.</span><span class="nx">parent_id</span> <span class="p">==</span> <span class="s2">"Platform"</span> <span class="err">||</span> <span class="nx">v</span><span class="p">.</span><span class="nx">parent_id</span> <span class="p">==</span> <span class="s2">"LandingZones"</span> <span class="p">}</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">parent_management_group_id</span> <span class="p">=</span> <span class="nx">lookup</span><span class="p">(</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">k</span><span class="p">,</span> <span class="nx">v</span> <span class="nx">in</span> <span class="nx">azurerm_management_group</span><span class="p">.</span><span class="nx">tier2_groups</span> <span class="err">:</span> <span class="nx">k</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">v</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">parent_id</span><span class="p">,</span> <span class="nx">azurerm_management_group</span><span class="p">.</span><span class="nx">foo</span><span class="p">.</span><span class="nx">id</span> <span class="p">)</span> <span class="p">}</span> <span class="c1"># Tier 4: Environment (Prod, Non-Prod)</span> <span class="nx">resource</span> <span class="s2">"azurerm_management_group"</span> <span class="s2">"tier4_groups"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">k</span><span class="p">,</span> <span class="nx">v</span> <span class="nx">in</span> <span class="nx">var</span><span class="p">.</span><span class="nx">management_groups</span> <span class="err">:</span> <span class="nx">k</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">v</span> <span class="nx">if</span> <span class="nx">v</span><span class="p">.</span><span class="nx">parent_id</span> <span class="p">==</span> <span class="s2">"Corp"</span> <span class="p">}</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">parent_management_group_id</span> <span class="p">=</span> <span class="nx">azurerm_management_group</span><span class="p">.</span><span class="nx">tier3_groups</span><span class="p">[</span><span class="s2">"Corp"</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h3> Subscription to Management Group Association </h3> <p>The key to this architecture is <strong>associating existing subscriptions with the hierarchy</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># subscriptions.tf</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">subscription_to_mg_mapping</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"management"</span> <span class="p">=</span> <span class="s2">"Management"</span> <span class="s2">"corp-nonprod"</span> <span class="p">=</span> <span class="s2">"NonProd"</span> <span class="s2">"corp-prod"</span> <span class="p">=</span> <span class="s2">"Prod"</span> <span class="s2">"connectivity"</span> <span class="p">=</span> <span class="s2">"Connectivity"</span> <span class="s2">"sandbox"</span> <span class="p">=</span> <span class="s2">"Sandbox"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"azurerm_management_group_subscription_association"</span> <span class="s2">"assignments"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">subscription_to_mg_mapping</span> <span class="nx">management_group_id</span> <span class="p">=</span> <span class="nx">lookup</span><span class="p">(</span><span class="nx">local</span><span class="p">.</span><span class="nx">all_management_group_ids</span><span class="p">,</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">)</span> <span class="nx">subscription_id</span> <span class="p">=</span> <span class="s2">"/subscriptions/${var.subscription_ids[each.key]}"</span> <span class="p">}</span> </code></pre> </div> <h2> SOC2 Compliance: Azure Policy as Your Guardrails </h2> <p>For SOC2 Type II compliance, we implemented 7 custom Azure Policies that enforce security controls across the entire organization:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fycc1yh5ca15w72bfkkf9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fycc1yh5ca15w72bfkkf9.png" alt=" " width="800" height="1412"></a></p> <p><strong>Legend:</strong> 🔴 Deny policies (blocking) | 🟢 Audit policies (non-blocking)</p> <h3> Policy Definition Example: Baseline Security </h3> <p>Here's a real policy that enforces SOC2 CC6.6 (Encryption) and CC7.2 (Monitoring):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/policy/main.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_policy_definition"</span> <span class="s2">"baseline_security"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"foo-soc2-baseline-security"</span> <span class="nx">policy_type</span> <span class="p">=</span> <span class="s2">"Custom"</span> <span class="nx">mode</span> <span class="p">=</span> <span class="s2">"All"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"SOC2 Baseline Security Controls"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Baseline security - prevents deletion of critical resources"</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">category</span> <span class="p">=</span> <span class="s2">"Security"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"1.0.0"</span> <span class="nx">SOC2</span> <span class="p">=</span> <span class="s2">"CC6.6, CC7.2, CC8.1"</span> <span class="p">})</span> <span class="nx">management_group_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">management_group_id</span> <span class="nx">policy_rule</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/policies/baseline_security.json"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>And the policy rule itself (<code>policies/baseline_security.json</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"if"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"anyOf"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allOf"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"type"</span><span class="p">,</span><span class="w"> </span><span class="nl">"equals"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Microsoft.Insights/activityLogAlerts"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Microsoft.Insights/activityLogAlerts/enabled"</span><span class="p">,</span><span class="w"> </span><span class="nl">"equals"</span><span class="p">:</span><span class="w"> </span><span class="s2">"false"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allOf"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"type"</span><span class="p">,</span><span class="w"> </span><span class="nl">"equals"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Microsoft.OperationalInsights/workspaces"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Microsoft.OperationalInsights/workspaces/retentionInDays"</span><span class="p">,</span><span class="w"> </span><span class="nl">"less"</span><span class="p">:</span><span class="w"> </span><span class="mi">90</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"allOf"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"type"</span><span class="p">,</span><span class="w"> </span><span class="nl">"equals"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Microsoft.Storage/storageAccounts"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Microsoft.Storage/storageAccounts/encryption.requireInfrastructureEncryption"</span><span class="p">,</span><span class="w"> </span><span class="nl">"notEquals"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"then"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"deny"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This policy <strong>blocks</strong>:</p> <ul> <li>Disabling activity log alerts</li> <li>Creating Log Analytics workspaces with &lt; 90 days retention</li> <li>Creating storage accounts without infrastructure encryption</li> </ul> <h3> Policy Assignment at Management Group Level </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_management_group_policy_assignment"</span> <span class="s2">"baseline_security"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"soc2-baseline-security"</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="s2">"SOC2 Baseline Security Controls"</span> <span class="nx">management_group_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">management_group_id</span> <span class="nx">policy_definition_id</span> <span class="p">=</span> <span class="nx">azurerm_policy_definition</span><span class="p">.</span><span class="nx">baseline_security</span><span class="p">.</span><span class="nx">id</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Organization</span> <span class="p">=</span> <span class="s2">"Foo"</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"Terraform"</span> <span class="nx">Purpose</span> <span class="p">=</span> <span class="s2">"SOC2 Compliance Guardrails"</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> RBAC: The Azure AD Groups Strategy </h2> <p>Instead of AWS SSO Permission Sets, we use Azure AD Groups with RBAC role assignments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># modules/iam/groups.tf</span> <span class="nx">resource</span> <span class="s2">"azuread_group"</span> <span class="s2">"groups"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">groups</span> <span class="nx">display_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">display_name</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">description</span> <span class="nx">security_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">prevent_duplicate_names</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="c1"># modules/iam/role_assignments.tf</span> <span class="nx">resource</span> <span class="s2">"azurerm_role_assignment"</span> <span class="s2">"group_assignments"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">all_role_assignments</span> <span class="nx">scope</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">scope</span> <span class="nx">role_definition_name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">role_definition_name</span> <span class="nx">principal_id</span> <span class="p">=</span> <span class="nx">azuread_group</span><span class="p">.</span><span class="nx">groups</span><span class="p">[</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">group_key</span><span class="p">].</span><span class="nx">object_id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Managed by Terraform - Foo IAM Module"</span> <span class="p">}</span> </code></pre> </div> <h3> Our 7 Default Groups </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Group</th> <th>Platform Subs</th> <th>Workload Subs</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>Platform-Team</td> <td>Contributor</td> <td>Reader</td> <td>Platform engineers</td> </tr> <tr> <td>Security-Team</td> <td>Security Admin</td> <td>Security Reader</td> <td>Security engineers</td> </tr> <tr> <td>BreakGlass-Admins</td> <td>Owner (at root)</td> <td>-</td> <td>Emergency access</td> </tr> <tr> <td>Finance-Team</td> <td>Cost Mgmt Reader</td> <td>Cost Mgmt Reader</td> <td>Billing/finance</td> </tr> <tr> <td>ReadOnly-Users</td> <td>Reader</td> <td>Reader</td> <td>Auditors</td> </tr> <tr> <td>Dev-Team</td> <td>-</td> <td>Contributor (nonprod)</td> <td>Developers</td> </tr> <tr> <td>DevOps-Team</td> <td>Reader</td> <td>Contributor</td> <td>DevOps engineers</td> </tr> </tbody> </table></div> <h2> The Resource Group Pattern: Your New Best Friend </h2> <p>Here's where Azure truly differs from AWS. Instead of creating separate subscriptions for staging vs preview, we use Resource Groups:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Corp-NonProduction Subscription ├── rg-foo-staging-api ├── rg-foo-staging-database ├── rg-foo-staging-network ├── rg-foo-preview-api ├── rg-foo-preview-database └── rg-foo-preview-network </code></pre> </div> <p>Each Resource Group gets its own RBAC assignments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Staging RGs: Only staging team</span> <span class="nx">resource</span> <span class="s2">"azurerm_role_assignment"</span> <span class="s2">"staging_contributor"</span> <span class="p">{</span> <span class="nx">scope</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">staging_api</span><span class="p">.</span><span class="nx">id</span> <span class="nx">role_definition_name</span> <span class="p">=</span> <span class="s2">"Contributor"</span> <span class="nx">principal_id</span> <span class="p">=</span> <span class="nx">azuread_group</span><span class="p">.</span><span class="nx">staging_team</span><span class="p">.</span><span class="nx">object_id</span> <span class="p">}</span> <span class="c1"># Preview RGs: All developers</span> <span class="nx">resource</span> <span class="s2">"azurerm_role_assignment"</span> <span class="s2">"preview_contributor"</span> <span class="p">{</span> <span class="nx">scope</span> <span class="p">=</span> <span class="nx">azurerm_resource_group</span><span class="p">.</span><span class="nx">preview_api</span><span class="p">.</span><span class="nx">id</span> <span class="nx">role_definition_name</span> <span class="p">=</span> <span class="s2">"Contributor"</span> <span class="nx">principal_id</span> <span class="p">=</span> <span class="nx">azuread_group</span><span class="p">.</span><span class="nx">dev_team</span><span class="p">.</span><span class="nx">object_id</span> <span class="p">}</span> </code></pre> </div> <h2> SOC2 Control Mapping </h2> <p>Here's how our implementation maps to SOC2 Trust Services Criteria:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>SOC2 Control</th> <th>Azure Implementation</th> </tr> </thead> <tbody> <tr> <td> <strong>CC6.1</strong> - Logical Access</td> <td>Azure AD groups, MFA via Conditional Access, PIM for JIT access</td> </tr> <tr> <td> <strong>CC6.6</strong> - Encryption</td> <td>Azure Policy enforcing encryption at rest, TLS 1.2, Key Vault</td> </tr> <tr> <td> <strong>CC7.2</strong> - Monitoring</td> <td>Log Analytics (90-day retention), Activity Logs, Azure Monitor</td> </tr> <tr> <td> <strong>CC7.3</strong> - Incident Response</td> <td>Azure Sentinel (SIEM), Alert Rules, Action Groups</td> </tr> <tr> <td> <strong>CC8.1</strong> - Change Management</td> <td>Activity Logs, Azure Policy audit, Git-based IaC</td> </tr> <tr> <td> <strong>CC9.2</strong> - Risk Mitigation</td> <td>Region restrictions, Defender for Cloud, Budget alerts</td> </tr> </tbody> </table></div> <h2> Cost Impact: The Numbers </h2> <p>Running our 5-subscription architecture vs a 9-account AWS-style approach:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Azure CAF (5 subs)</th> <th>AWS-style (9+ subs)</th> <th>Savings</th> </tr> </thead> <tbody> <tr> <td>Management overhead</td> <td>Low</td> <td>High</td> <td>~50% less ops time</td> </tr> <tr> <td>Subscription costs</td> <td>$0</td> <td>$0</td> <td>Same</td> </tr> <tr> <td>Log Analytics</td> <td>1 central workspace</td> <td>9 workspaces</td> <td>~60% cost reduction</td> </tr> <tr> <td>Policy management</td> <td>1 root assignment</td> <td>9 assignments</td> <td>Simpler</td> </tr> </tbody> </table></div> <h2> Lessons Learned </h2> <h3> 1. Management Groups Take Time </h3> <p>Azure Management Groups can take <strong>10-15 minutes</strong> to create or delete. Set your Terraform timeouts accordingly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">timeouts</span> <span class="p">{</span> <span class="nx">create</span> <span class="p">=</span> <span class="s2">"30m"</span> <span class="nx">delete</span> <span class="p">=</span> <span class="s2">"30m"</span> <span class="p">}</span> </code></pre> </div> <h3> 2. Subscription Association is the Key </h3> <p>Don't try to create subscriptions via Terraform in most cases. Instead, create them in the portal (or via billing APIs) and <strong>associate</strong> them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"azurerm_management_group_subscription_association"</span> <span class="s2">"assignments"</span> <span class="p">{</span> <span class="nx">management_group_id</span> <span class="p">=</span> <span class="nx">azurerm_management_group</span><span class="p">.</span><span class="nx">prod</span><span class="p">.</span><span class="nx">id</span> <span class="nx">subscription_id</span> <span class="p">=</span> <span class="s2">"/subscriptions/${var.existing_subscription_id}"</span> <span class="p">}</span> </code></pre> </div> <h3> 3. Azure Policy ≠ AWS SCPs </h3> <p>While conceptually similar, Azure Policy is more granular but also more complex. Use the built-in policies where possible, and only create custom ones for specific compliance needs.</p> <h3> 4. Resource Groups Are First-Class Citizens </h3> <p>Unlike AWS, where you might create a new account for isolation, in Azure you create a new Resource Group. This is a fundamental mindset shift.</p> <h2> Module Structure </h2> <p>Our final Terraform module structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>infra/azure/modules/organization/ ├── main.tf ├── management_groups.tf # 4-tier CAF hierarchy ├── subscriptions.tf # Subscription associations ├── modules/ │ ├── policy/ # 7 SOC2 policy definitions │ │ ├── policies/ │ │ │ ├── baseline_security.json │ │ │ ├── region_restriction.json │ │ │ ├── require_encryption.json │ │ │ └── ... │ │ └── main.tf │ ├── iam/ # Azure AD groups + RBAC │ │ ├── groups.tf │ │ └── role_assignments.tf │ ├── monitoring/ # Log Analytics, alerts │ ├── audit/ # Activity log export │ ├── budget/ # Cost management │ └── delegation/ # Defender for Cloud </code></pre> </div> <h2> Conclusion </h2> <p>Building a SOC2-compliant Azure infrastructure isn't about replicating AWS patterns—it's about embracing Azure's native paradigms:</p> <ol> <li><strong>Fewer subscriptions, more Resource Groups</strong></li> <li><strong>Management Groups for policy inheritance</strong></li> <li><strong>Azure AD as your single identity plane</strong></li> <li><strong>Azure Policy as your compliance engine</strong></li> </ol> <p>The result? A simpler, more cost-effective, and equally secure infrastructure that works <em>with</em> Azure rather than against it.</p> <h2> Resources </h2> <ul> <li><a href="https://docs.microsoft.com/azure/cloud-adoption-framework/" rel="noopener noreferrer">Microsoft Cloud Adoption Framework</a></li> <li><a href="https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/" rel="noopener noreferrer">CAF Landing Zones</a></li> <li><a href="https://docs.microsoft.com/azure/governance/policy/" rel="noopener noreferrer">Azure Policy Documentation</a></li> <li><a href="https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs" rel="noopener noreferrer">Terraform AzureRM Provider</a></li> </ul> <p><strong>Have you implemented Azure Landing Zones? I'd love to hear about your approach in the comments!</strong> 👇</p> <p><em>This article is part of our series on building enterprise-grade cloud infrastructure. Follow for more deep dives into Terraform, cloud architecture, and compliance automation.</em></p> <p><strong>Tags:</strong> <code>#azure</code> <code>#terraform</code> <code>#devops</code> <code>#cloud</code> <code>#soc2</code> <code>#compliance</code> <code>#infrastructure</code></p> azure terraform devops soc2 Building a Cost-Efficient Game Launcher with AWS Pre-Signed URLs Lucas Thu, 04 Sep 2025 08:30:17 +0000 https://forem.com/lpossamai/building-a-cost-efficient-game-launcher-with-aws-pre-signed-urls-1k1k https://forem.com/lpossamai/building-a-cost-efficient-game-launcher-with-aws-pre-signed-urls-1k1k <h2> Introduction </h2> <p>We’re a small game studio based in New Zealand. Like many modern studios, we built our own <strong>game launcher</strong> (think Steam or Epic Games Launcher style) that allows players to log in to our own authentication solution, using their favorite identity provider — Google, Epic, Steam, Outlook, and more. From there, they can download and update our games.</p> <p>Sounds straightforward, right? Well… not quite.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuh2m0sg6q1io3ir33ff3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuh2m0sg6q1io3ir33ff3.png" alt="introduction" width="800" height="800"></a></p> <h3> The Problem </h3> <p>Our games and launcher binaries are stored in <strong>Amazon S3</strong>, fronted by <strong>CloudFront</strong> with a <strong>WAF</strong> for security.</p> <p>The catch:</p> <p>Even with CloudFront and WAF in place, the S3 buckets were still public. That meant anyone who discovered the URL could:</p> <ul> <li>Download the game repeatedly.</li> <li>Share direct links with others.</li> <li>Drive up our <strong>CDN data transfer bill</strong>.</li> </ul> <p>When you’re distributing large binaries (think tens of gigabytes per game), the cost of <strong>unrestricted downloads</strong> quickly becomes painful.</p> <h3> The Solution </h3> <p>We needed a way to <strong>control who can download</strong> and ensure downloads were tied to real authenticated users. Enter <strong>CloudFront Pre-Signed URLs</strong>.</p> <p>Our infrastructure looks like this:</p> <ul> <li> <strong>API Gateway</strong> – Public entry point for download requests.</li> <li> <strong>Lambda Authorizer</strong> – Validates user authentication/session.</li> <li> <strong>Lambda Backend</strong> – Issues short-lived CloudFront pre-signed URLs.</li> <li> <strong>SQS + DLQ</strong> – Provides a dead-letter queue for failed requests or processing errors, ensuring no data is lost and enabling easier debugging and recovery.</li> </ul> <p>The flow is simple:</p> <ol> <li>The launcher authenticates the player.</li> <li>It calls our <code>/download-url</code> endpoint with the requested asset ID.</li> <li>The backend Lambda validates entitlement and returns a <strong>signed URL</strong> with a short TTL (60–300s).</li> <li>The launcher immediately begins the download via CloudFront.</li> <li>If any step fails, the event is sent to SQS DLQ for observability.</li> </ol> <p>Result: only <strong>authorized, entitled users</strong> get valid download links.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fam3lyug7w0pnopze94d8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fam3lyug7w0pnopze94d8.png" alt=" " width="602" height="699"></a></p> <h2> Caching &amp; TTL (what actually changes) </h2> <ul> <li> <p><strong>Caching behavior:</strong> our API <strong>response</strong> that returns the signed URL is sent with</p> <p><code>Cache-Control: private, max-age=0</code>.</p> <p>That prevents accidental caching of the <em>API</em> response. The <strong>asset itself remains cacheable at the edge</strong>; the <strong>signature gates access, not caching</strong>.</p> </li> <li> <p><strong>TTL strategy:</strong> we keep signed URL TTLs short (<strong>60–120s</strong> for most assets). That’s long enough for the launcher to start the transfer, but short enough to reduce link leakage.</p> <blockquote> </blockquote> </li> </ul> <h2> Minimal Terraform (copy-paste) </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># 1) CloudFront public key (the PEM public half of your keypair) resource "aws_cloudfront_public_key" "downloads_pk" { name = "downloads-public-key" encoded_key = file("${path.module}/cloudfront-public-key.pem") comment = "Public key for signing download URLs" } # 2) Key group that includes the public key resource "aws_cloudfront_key_group" "downloads_kg" { name = "downloads-key-group" items = [aws_cloudfront_public_key.downloads_pk.id] } # 3) Origin (S3 or an Origin Access Control-backed S3) resource "aws_cloudfront_origin_access_control" "oac" { name = "downloads-oac" description = "OAC for S3 downloads" origin_access_control_origin_type = "s3" signing_behavior = "always" signing_protocol = "sigv4" } resource "aws_s3_bucket" "assets" { bucket = "game-assets-example" } # 4) Distribution with behavior that requires signed URLs resource "aws_cloudfront_distribution" "downloads" { enabled = true comment = "Game downloads (signed URLs)" default_root_object = "" origins { domain_name = aws_s3_bucket.assets.bucket_regional_domain_name origin_id = "s3-assets" origin_access_control_id = aws_cloudfront_origin_access_control.oac.id } default_cache_behavior { target_origin_id = "s3-assets" viewer_protocol_policy = "redirect-to-https" allowed_methods = ["GET", "HEAD"] cached_methods = ["GET", "HEAD"] # Require signed URLs via this key group trusted_key_groups = [aws_cloudfront_key_group.downloads_kg.id] compress = true # Cache policy &amp; origin request policy can be customized as needed cache_policy_id = data.aws_cloudfront_cache_policy.caching_optimized.id origin_request_policy_id = data.aws_cloudfront_origin_request_policy.cors_s3_origin.id } restrictions { geo_restriction { restriction_type = "none" } } viewer_certificate { cloudfront_default_certificate = true } } data "aws_cloudfront_cache_policy" "caching_optimized" { name = "Managed-CachingOptimized" } data "aws_cloudfront_origin_request_policy" "cors_s3_origin" { name = "Managed-CORS-S3Origin" } </code></pre> </div> <p>Minimal Lambda signer (Python)</p> <p>Here’s a small extract based on our backend that shows the core signing path: read Key-Pair-Id from env, load private key from Secrets Manager, sign a URL, return { url, expiresAt }.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span><span class="p">,</span> <span class="n">json</span><span class="p">,</span> <span class="n">base64</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timedelta</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives</span> <span class="kn">import</span> <span class="n">serialization</span><span class="p">,</span> <span class="n">hashes</span> <span class="kn">from</span> <span class="n">cryptography.hazmat.primitives.asymmetric</span> <span class="kn">import</span> <span class="n">padding</span> <span class="n">secrets</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">secretsmanager</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_b64url</span><span class="p">(</span><span class="n">data</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">s</span> <span class="o">=</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">data</span><span class="p">).</span><span class="nf">decode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">s</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">+</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">-</span><span class="sh">"</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">~</span><span class="sh">"</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">=</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">_</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">sign_url</span><span class="p">(</span><span class="n">url</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">expires_secs</span><span class="p">:</span> <span class="nb">int</span><span class="p">,</span> <span class="n">key_pair_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">private_key_pem</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">expire_ts</span> <span class="o">=</span> <span class="nf">int</span><span class="p">((</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">()</span> <span class="o">+</span> <span class="nf">timedelta</span><span class="p">(</span><span class="n">seconds</span><span class="o">=</span><span class="n">expires_secs</span><span class="p">)).</span><span class="nf">timestamp</span><span class="p">())</span> <span class="n">policy</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">Statement</span><span class="sh">"</span><span class="p">:</span> <span class="p">[{</span><span class="sh">"</span><span class="s">Resource</span><span class="sh">"</span><span class="p">:</span> <span class="n">url</span><span class="p">,</span> <span class="sh">"</span><span class="s">Condition</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">DateLessThan</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">AWS:EpochTime</span><span class="sh">"</span><span class="p">:</span> <span class="n">expire_ts</span><span class="p">}}}]}</span> <span class="n">policy_json</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">policy</span><span class="p">,</span> <span class="n">separators</span><span class="o">=</span><span class="p">(</span><span class="sh">"</span><span class="s">,</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">:</span><span class="sh">"</span><span class="p">))</span> <span class="n">private_key</span> <span class="o">=</span> <span class="n">serialization</span><span class="p">.</span><span class="nf">load_pem_private_key</span><span class="p">(</span><span class="n">private_key_pem</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">password</span><span class="o">=</span><span class="bp">None</span><span class="p">)</span> <span class="n">signature</span> <span class="o">=</span> <span class="n">private_key</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="n">policy_json</span><span class="p">.</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">padding</span><span class="p">.</span><span class="nc">PKCS1v15</span><span class="p">(),</span> <span class="n">hashes</span><span class="p">.</span><span class="nc">SHA1</span><span class="p">())</span> <span class="k">return</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">url</span><span class="si">}</span><span class="s">?Policy=</span><span class="si">{</span><span class="nf">_b64url</span><span class="p">(</span><span class="n">policy_json</span><span class="p">.</span><span class="nf">encode</span><span class="p">())</span><span class="si">}</span><span class="s">&amp;Signature=</span><span class="si">{</span><span class="nf">_b64url</span><span class="p">(</span><span class="n">signature</span><span class="p">)</span><span class="si">}</span><span class="s">&amp;Key-Pair-Id=</span><span class="si">{</span><span class="n">key_pair_id</span><span class="si">}</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">_context</span><span class="p">):</span> <span class="n">cf_domain</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">CLOUDFRONT_DOMAIN_NAME</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># e.g., dxxxxx.cloudfront.net </span> <span class="n">key_pair_id</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">CLOUDFRONT_PUBLIC_KEY_ID</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># the public key ID </span> <span class="n">secret_arn</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">CLOUDFRONT_PRIVATE_KEY_SECRET</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># PEM private key in Secrets Manager </span> <span class="n">path</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">,</span><span class="sh">"</span><span class="s">{}</span><span class="sh">"</span><span class="p">)).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">path</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">/launcher/ReadyLauncher.exe</span><span class="sh">"</span><span class="p">)</span> <span class="n">pem</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">get_secret_value</span><span class="p">(</span><span class="n">SecretId</span><span class="o">=</span><span class="n">secret_arn</span><span class="p">)[</span><span class="sh">"</span><span class="s">SecretString</span><span class="sh">"</span><span class="p">]</span> <span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">https://</span><span class="si">{</span><span class="n">cf_domain</span><span class="si">}{</span><span class="n">path</span><span class="si">}</span><span class="sh">"</span> <span class="n">ttl</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">PRESIGNED_URL_EXPIRY</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">120</span><span class="sh">"</span><span class="p">))</span> <span class="n">signed</span> <span class="o">=</span> <span class="nf">sign_url</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">ttl</span><span class="p">,</span> <span class="n">key_pair_id</span><span class="p">,</span> <span class="n">pem</span><span class="p">)</span> <span class="c1"># Important: prevent caching of *API* response </span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">headers</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Cache-Control</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">private, max-age=0</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Access-Control-Allow-Origin</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">url</span><span class="sh">"</span><span class="p">:</span> <span class="n">signed</span><span class="p">,</span> <span class="sh">"</span><span class="s">expiresAt</span><span class="sh">"</span><span class="p">:</span> <span class="nf">int</span><span class="p">(</span><span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">().</span><span class="nf">timestamp</span><span class="p">())</span> <span class="o">+</span> <span class="n">ttl</span><span class="p">})</span> <span class="p">}</span> </code></pre> </div> <h2> Observability: how we know it worked </h2> <p><strong>CloudFront (distribution)</strong></p> <ul> <li> <strong>CacheHitRate</strong>: should trend <strong>up</strong> for game assets once hot.</li> <li> <strong>BytesDownloaded</strong>: visualize by <strong>path prefix</strong> (e.g., <code>/launcher/*</code> vs <code>/games/*</code>).</li> <li> <strong>Requests</strong>: also split by path to see hot objects and suspicious spikes.</li> </ul> <p><strong>API (download-url)</strong></p> <ul> <li> <strong>Count of requests</strong> to <code>/download-url</code> vs <strong>2xx success rate</strong>.</li> <li>Emit a <strong>correlation ID</strong> (e.g., <code>x-request-id</code>) from API Gateway → Lambda logs → include it in any DLQ payloads for failed attempts.</li> </ul> <p><strong>Guardrails</strong></p> <ul> <li> <strong>403 spike alarm</strong> in CloudFront: when <code>4xxErrorRate</code> exceeds a baseline over N minutes.</li> <li> <strong>Unsigned access attempts</strong>: create a <strong>log metric filter</strong> from CloudFront logs counting requests for asset paths <strong>missing</strong> <code>Key-Pair-Id</code>/<code>Signature</code> query params; alarm if &gt; threshold.</li> </ul> <h3> AWS Cost </h3> <p>Did this make sense from a cost perspective? Absolutely.</p> <p>Here’s what our <strong>August AWS bill</strong> looked like for this setup:</p> <ul> <li> <strong>10,000 requests</strong> handled by the Pre-Signed API.</li> <li> <strong>10 TB of game assets</strong> delivered through CloudFront.</li> <li> <strong>Total monthly cost</strong> for the API stack: <strong>USD $47.95</strong>.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3fbkr22wbmazv2swvols.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3fbkr22wbmazv2swvols.png" alt="cost" width="800" height="522"></a></p> <p>That’s less than the cost of a single AAA game… while distributing <strong>terabytes worth of player downloads over time</strong>.</p> <h3> Conclusion </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fonvvn7nouqmbf8cdrdet.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fonvvn7nouqmbf8cdrdet.png" alt="conclusion" width="800" height="800"></a></p> <p>By moving to Pre-Signed URLs, we’ve delivered a solution that is:</p> <ul> <li> <strong>Secure</strong> – Only authorized users can access downloads.</li> <li> <strong>Scalable</strong> – API Gateway, Lambda, and SQS scale automatically.</li> <li> <strong>Cost-efficient</strong> – Infrastructure overhead is minimal compared to raw CDN transfer charges.</li> <li> <strong>Manageable</strong> – Everything is deployed and maintained via <strong>Terraform IaC</strong>.</li> </ul> <p>For studios and SaaS products dealing with large assets, this pattern is a proven way to reduce risk and keep bills under control — without sacrificing user experience.</p> <p>✅ Next step for us: keep refining observability (tying SQS data into dashboards) and expanding entitlement logic for future titles.</p> aws cloudfront devops security Shielding Your Apps in the Cloud: Integrating CloudFront and AWS WAF with Terraform Lucas Wed, 24 Jan 2024 02:01:22 +0000 https://forem.com/lpossamai/shielding-your-apps-in-the-cloud-integrating-cloudfront-and-aws-waf-with-terraform-4c3c https://forem.com/lpossamai/shielding-your-apps-in-the-cloud-integrating-cloudfront-and-aws-waf-with-terraform-4c3c <h1> Introduction </h1> <p>In the evolving landscape of cloud computing, securing your applications is as crucial as ever. With AWS's vast array of services, it's important to leverage the right tools to protect your infrastructure effectively. In this blog post, we'll dive into how you can enhance your AWS security posture by integrating CloudFront and AWS WAF with Terraform, ensuring your applications are fortified against threats.</p> <h1> Understanding the Components </h1> <ul> <li> <a href="https://terragrunt.gruntwork.io/" rel="noopener noreferrer">Terragrunt</a>: An extension of Terraform, Terragrunt assists in managing complex infrastructure with less duplication and more efficiency. Its power lies in its ability to manage dependencies and its dry configuration approach.</li> <li> <a href="https://aws.amazon.com/cloudfront/" rel="noopener noreferrer">CloudFront</a>: AWS CloudFront is a content delivery network (CDN) service that speeds up the distribution of your static and dynamic web content. Beyond performance, it offers essential security features to protect your applications.</li> <li> <a href="https://aws.amazon.com/waf/" rel="noopener noreferrer">AWS WAF</a>: The AWS Web Application Firewall (WAF) helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.</li> <li>Integrating for Security: We'll explore how these components work in unison, providing a robust defense mechanism for your applications.</li> </ul> <h1> Integrating Terragrunt with AWS Services </h1> <p>In recent blog post, <a href="https://dev.to/lpossamai/seamless-cloud-infrastructure-integrating-terragrunt-and-terraform-with-aws-3pbb">we discussed how we can connect Terragrunt/Terraform with AWS</a>.</p> <p>Assuming you have that in place (or similar), I'll walk you through the steps required to deploy the services mentioned in this post as well as some additional monitoring solutions such as CloudWatch Alerts with notifications sent to Slack.</p> <h1> Setting Up Security Measures </h1> <h2> Configuring AWS WAF: </h2> <p>A deep dive into setting up rules in AWS WAF to protect your applications from common web attacks and vulnerabilities.</p> <p>Using the <a href="https://github.com/cloudposse/terraform-aws-waf/releases" rel="noopener noreferrer">Cloudposse Terraform module</a>, I have the following configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"web-acl-cf"</span> <span class="nx">scope</span> <span class="p">=</span> <span class="s2">"CLOUDFRONT"</span> <span class="nx">default_action</span> <span class="p">=</span> <span class="s2">"allow"</span> <span class="nx">visibility_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"cloudfront-alb-waf"</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="c1">###################</span> <span class="c1"># Logging</span> <span class="c1">###################</span> <span class="nx">log_destination_configs</span> <span class="p">=</span> <span class="p">[</span><span class="nx">dependency</span><span class="p">.</span><span class="nx">s3</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">s3_bucket_arn</span><span class="p">]</span> <span class="c1">###################</span> <span class="c1"># WAF Rules</span> <span class="c1">###################</span> <span class="nx">managed_rule_group_statement_rules</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesKnownBadInputsRuleSet"</span> <span class="nx">override_action</span> <span class="p">=</span> <span class="s2">"count"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">statement</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesKnownBadInputsRuleSet"</span> <span class="nx">vendor_name</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"CloudfrontAWSManagedRulesKnownBadInputsRuleSet"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesAmazonIpReputationList"</span> <span class="nx">override_action</span> <span class="p">=</span> <span class="s2">"count"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">statement</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesAmazonIpReputationList"</span> <span class="nx">vendor_name</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"CloudfrontAWSManagedRulesAmazonIpReputationList"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesBotControlRuleSet"</span> <span class="nx">override_action</span> <span class="p">=</span> <span class="s2">"count"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">statement</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesBotControlRuleSet"</span> <span class="nx">vendor_name</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"CloudfrontAWSManagedRulesBotControlRuleSet"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesCommonRuleSet"</span> <span class="nx">override_action</span> <span class="p">=</span> <span class="s2">"count"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">4</span> <span class="nx">statement</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesCommonRuleSet"</span> <span class="nx">vendor_name</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"CloudfrontAWSManagedRulesCommonRuleSet"</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesPHPRuleSet"</span> <span class="nx">override_action</span> <span class="p">=</span> <span class="s2">"count"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">statement</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AWSManagedRulesPHPRuleSet"</span> <span class="nx">vendor_name</span> <span class="p">=</span> <span class="s2">"AWS"</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"CloudfrontAWSManagedRulesPHPRuleSet"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">rate_based_statement_rules</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"RateBasedRule"</span> <span class="nx">action</span> <span class="p">=</span> <span class="s2">"block"</span> <span class="nx">priority</span> <span class="p">=</span> <span class="mi">6</span> <span class="nx">statement</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">limit</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">waf_rate_limit</span> <span class="nx">aggregate_key_type</span> <span class="p">=</span> <span class="s2">"IP"</span> <span class="p">}</span> <span class="nx">visibility_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cloudwatch_metrics_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">sampled_requests_enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"CloudfrontRateBasedRule"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>Note that the only rule that is blocking at the moment is the <code>RateBasedRule</code> rule.</p> </blockquote> <p>The AWS Managed rules specified above have been taken from <a href="https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html" rel="noopener noreferrer">this official AWS documentation</a>.</p> <p>To view the AWS WAF Dashboard, make sure to select the <code>CloudFront</code> "region":</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fns298ixhjl5jtjv02rrc.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fns298ixhjl5jtjv02rrc.png" alt=" " width="800" height="179"></a></p> <p>You'll be able to see the new rules:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhvna67x3zb9sjk7dp1za.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhvna67x3zb9sjk7dp1za.png" alt=" " width="800" height="288"></a></p> <p>You can play around with the AWS WAF rules by following their official documentation.</p> <h2> Leveraging CloudFront for Security: </h2> <p>Understanding how CloudFront can be configured to prevent DDoS attacks, bot traffic, and other types of threats.</p> <p>Consuming the <a href="https://github.com/terraform-aws-modules/terraform-aws-cloudfront/releases" rel="noopener noreferrer">Terraform AWS Modules CloudFront module</a>, I can easily deploy a CloudFront distribution in Terraform:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">aliases</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"cdn.${local.environment_vars.locals.public_domain_name}"</span><span class="p">,</span> <span class="s2">"*.${local.environment_vars.locals.public_domain_name}"</span><span class="p">,</span> <span class="p">]</span> <span class="nx">comment</span> <span class="p">=</span> <span class="s2">"CDN for ${local.environment_vars.locals.public_domain_name}"</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">http_version</span> <span class="p">=</span> <span class="s2">"http1.1"</span> <span class="nx">is_ipv6_enabled</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">web_acl_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">waf</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">arn</span> <span class="c1"># When you enable additional metrics for a distribution, CloudFront sends up to 8 metrics to CloudWatch in the US East (N. Virginia) Region.</span> <span class="c1"># This rate is charged only once per month, per metric (up to 8 metrics per distribution).</span> <span class="nx">create_monitoring_subscription</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">cloudfront_monitoring_subscription</span> <span class="c1">####################</span> <span class="c1"># Logging</span> <span class="c1">####################</span> <span class="nx">logging_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">s3</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">s3_bucket_bucket_domain_name</span> <span class="nx">prefix</span> <span class="p">=</span> <span class="s2">"${local.env}.${local.environment_vars.locals.public_domain_name}"</span> <span class="p">}</span> <span class="c1">####################</span> <span class="c1"># SSL certificate</span> <span class="c1">####################</span> <span class="nx">viewer_certificate</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">acm_certificate_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">acm</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">acm_certificate_arn</span> <span class="nx">ssl_support_method</span> <span class="p">=</span> <span class="s2">"sni-only"</span> <span class="nx">minimum_protocol_version</span> <span class="p">=</span> <span class="s2">"TLSv1.2_2021"</span> <span class="p">}</span> <span class="c1">####################</span> <span class="c1"># Origin</span> <span class="c1">####################</span> <span class="nx">origin</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">alb</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">domain_name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">cloudfront_alb_alias_name</span> <span class="nx">origin_id</span> <span class="p">=</span> <span class="s2">"alb"</span> <span class="nx">connection_attempts</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">connection_timeout</span> <span class="p">=</span> <span class="mi">10</span> <span class="nx">custom_origin_config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">http_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">https_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="nx">origin_keepalive_timeout</span> <span class="p">=</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">common_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">ONE_MINUTE_IN_MS</span> <span class="nx">origin_read_timeout</span> <span class="p">=</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">common_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">THREE_MINUTES_IN_MS</span> <span class="nx">origin_protocol_policy</span> <span class="p">=</span> <span class="s2">"https-only"</span> <span class="nx">origin_ssl_protocols</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"TLSv1.2"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">custom_header</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"X-Cloudfront-Security-Header"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">include</span><span class="p">.</span><span class="nx">root</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">common_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">cloudfront_security_header</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">origin_shield</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">origin_shield_region</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">aws_region</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">####################</span> <span class="c1"># Caching behavior</span> <span class="c1">####################</span> <span class="nx">default_cache_behavior</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cache_policy_id</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">cloudfront_response_headers_policy_id</span> <span class="c1"># Allow: [Headers - All viewer headers | Cookies - All | Query strings - All]</span> <span class="nx">origin_request_policy_id</span> <span class="p">=</span> <span class="s2">"216adef6-5c7f-47e4-b989-5492eafa07d3"</span> <span class="nx">target_origin_id</span> <span class="p">=</span> <span class="s2">"alb"</span> <span class="nx">viewer_protocol_policy</span> <span class="p">=</span> <span class="s2">"redirect-to-https"</span> <span class="nx">allowed_methods</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"DELETE"</span><span class="p">,</span> <span class="s2">"POST"</span><span class="p">,</span> <span class="s2">"GET"</span><span class="p">,</span> <span class="s2">"HEAD"</span><span class="p">,</span> <span class="s2">"OPTIONS"</span><span class="p">,</span> <span class="s2">"PUT"</span><span class="p">,</span> <span class="s2">"PATCH"</span><span class="p">]</span> <span class="nx">cached_methods</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"GET"</span><span class="p">,</span> <span class="s2">"HEAD"</span><span class="p">]</span> <span class="nx">compress</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">query_string</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">min_ttl</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">default_ttl</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">max_ttl</span> <span class="p">=</span> <span class="mi">0</span> <span class="c1"># The parameter ForwardedValues cannot be used when a cache policy is associated to the cache behavior.</span> <span class="nx">use_forwarded_values</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">ordered_cache_behavior</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">cache_policy_id</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">cloudfront_response_headers_policy_id</span> <span class="c1"># Allow: [Headers - All viewer headers | Cookies - All | Query strings - All]</span> <span class="nx">origin_request_policy_id</span> <span class="p">=</span> <span class="s2">"216adef6-5c7f-47e4-b989-5492eafa07d3"</span> <span class="nx">target_origin_id</span> <span class="p">=</span> <span class="s2">"alb"</span> <span class="nx">viewer_protocol_policy</span> <span class="p">=</span> <span class="s2">"redirect-to-https"</span> <span class="nx">path_pattern</span> <span class="p">=</span> <span class="s2">"/*"</span> <span class="nx">allowed_methods</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"DELETE"</span><span class="p">,</span> <span class="s2">"POST"</span><span class="p">,</span> <span class="s2">"GET"</span><span class="p">,</span> <span class="s2">"HEAD"</span><span class="p">,</span> <span class="s2">"OPTIONS"</span><span class="p">,</span> <span class="s2">"PUT"</span><span class="p">,</span> <span class="s2">"PATCH"</span><span class="p">]</span> <span class="nx">cached_methods</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"GET"</span><span class="p">,</span> <span class="s2">"HEAD"</span><span class="p">]</span> <span class="nx">compress</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">query_string</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">min_ttl</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">default_ttl</span> <span class="p">=</span> <span class="mi">0</span> <span class="nx">max_ttl</span> <span class="p">=</span> <span class="mi">0</span> <span class="c1"># The parameter ForwardedValues cannot be used when a cache policy is associated to the cache behavior.</span> <span class="nx">use_forwarded_values</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <ul> <li>You can see that I have the following origin: <code>origin_id = "alb"</code>: That's my Application Load Balancer. I created a Route53 Alias (i.e. alb.example.com) and I made CF to accept that endpoint as an origin.</li> <li> <code>custom_header</code>: In my ALB, I have rules that it will only accept traffic from CloudFront if that header is present. This is another security best practice.</li> <li>In <code>aliases</code>, I specify that my CF distribution will respond as <code>cdn.example.com</code>.</li> </ul> <h1> Continuous Monitoring and Maintenance </h1> <h2> AWS WAF </h2> <p>The WAF dashboard will give you quite a good visibility on things:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fykemiexicmtvfpuocydx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fykemiexicmtvfpuocydx.png" alt=" " width="800" height="723"></a></p> <p>However, I do have some extra alerts going to Slack. For this integration, I use the <a href="https://github.com/terraform-aws-modules/terraform-aws-notify-slack/releases" rel="noopener noreferrer">terraform-aws-notify-slack TF module</a> with CloudWatch.</p> <h3> terraform-aws-notify-slack </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">sns_topic_name</span> <span class="p">=</span> <span class="s2">"notify-slack-topic"</span> <span class="nx">slack_webhook_url</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">slack_webhook_url</span> <span class="nx">slack_channel</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">notify_slack_slack_channel</span> <span class="nx">slack_username</span> <span class="p">=</span> <span class="s2">"reporter"</span> <span class="nx">kms_key_arn</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">sns_topic_kms</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">key_arn</span> <span class="nx">sns_topic_kms_key_id</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">sns_topic_kms</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">key_id</span> <span class="nx">lambda_function_name</span> <span class="p">=</span> <span class="s2">"notify-slack-${local.env}"</span> <span class="nx">lambda_description</span> <span class="p">=</span> <span class="s2">"Lambda function which sends notifications to Slack"</span> <span class="nx">log_events</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Added this argument not to recreate the missing package once it was created</span> <span class="nx">recreate_missing_package</span> <span class="p">=</span> <span class="kc">false</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">tags</span> <span class="p">}</span> </code></pre> </div> <h3> WAF Alerts </h3> <p>One example is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="s2">"waf-CloudfrontRateBasedRule"</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">alarm_name</span> <span class="p">=</span> <span class="s2">"waf-CloudfrontRateBasedRule-${local.env}"</span> <span class="nx">comparison_operator</span> <span class="p">=</span> <span class="s2">"GreaterThanOrEqualToThreshold"</span> <span class="nx">evaluation_periods</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"BlockedRequests"</span> <span class="nx">period</span> <span class="p">=</span> <span class="s2">"300"</span> <span class="nx">statistic</span> <span class="p">=</span> <span class="s2">"Average"</span> <span class="nx">threshold</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">waf_rate_limit</span> <span class="nx">alarm_description</span> <span class="p">=</span> <span class="s2">"This metric monitors the BlockedRequests of the CloudfrontRateBasedRule WAF rule"</span> <span class="nx">alarm_actions</span> <span class="p">=</span> <span class="p">[</span><span class="nx">dependency</span><span class="p">.</span><span class="nx">notify_slack</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">slack_topic_arn</span><span class="p">]</span> <span class="nx">ok_actions</span> <span class="p">=</span> <span class="p">[</span><span class="nx">dependency</span><span class="p">.</span><span class="nx">notify_slack</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">slack_topic_arn</span><span class="p">]</span> <span class="nx">treat_missing_data</span> <span class="p">=</span> <span class="s2">"notBreaching"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"AWS/WAFV2"</span> <span class="nx">dimensions</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">WebACL</span> <span class="p">=</span> <span class="nx">dependency</span><span class="p">.</span><span class="nx">waf</span><span class="p">.</span><span class="nx">outputs</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="p">}</span><span class="err">,</span> </code></pre> </div> <p>I have alerts in the following WAF resources:</p> <ul> <li>BlockedRequests</li> <li>CountedRequests</li> </ul> devops terraform waf cloud Seamless Cloud Infrastructure: Integrating Terragrunt and Terraform with AWS Lucas Sun, 10 Dec 2023 21:08:25 +0000 https://forem.com/lpossamai/seamless-cloud-infrastructure-integrating-terragrunt-and-terraform-with-aws-3pbb https://forem.com/lpossamai/seamless-cloud-infrastructure-integrating-terragrunt-and-terraform-with-aws-3pbb <h1> Introduction </h1> <p>Welcome to our latest blog post, where we delve into the world of Infrastructure as Code (IaC) using Terragrunt and Terraform, specifically focusing on their integration with Amazon Web Services (AWS). Whether you're a seasoned DevOps professional or new to cloud infrastructure, this post will guide you through the essentials of using these powerful tools in harmony with AWS.</p> <h1> Understanding Terragrunt and Terraform </h1> <blockquote> <p>"The cloud is someone else's computer" - Unknown</p> </blockquote> <p>Imagine deploying a server that runs an NGINX application with only a few lines of code? This seemed impossible a couple of years ago when we were spending hours in Datacenters swapping hardware and fixing networking issues.</p> <p><a href="https://www.terraform.io/" rel="noopener noreferrer">Terraform</a>, an open-source infrastructure as code software tool, allows users to define and provision a cloud infrastructure using a high-level configuration language. It's a game-changer in the world of cloud computing, bringing simplicity and predictability to cloud resource management.</p> <h2> Terraform state </h2> <p>Terraform logs information about the resources it has created in a state file. This enables Terraform to know which resources are under its control and when to update and destroy them. The terraform state file, by default, is named terraform.tfstate and is held in the same directory where Terraform is run. It is created after running terraform apply.</p> <p>The actual content of this file is a JSON formatted mapping of the resources defined in the configuration and those that exist in your infrastructure. When Terraform is run, it can then use this mapping to compare infrastructure to the code and make any adjustments as necessary.</p> <p>Read more about <a href="https://spacelift.io/blog/terraform-architecture" rel="noopener noreferrer">the elements of Terraform architecture</a>.</p> <h1> Setting Up Your Environment </h1> <p>If you use either <a href="https://spacelift.io/blog/terragrunt-vs-terraform" rel="noopener noreferrer">Terraform or Terragrunt</a>, you'll need to connect your <a href="https://en.wikipedia.org/wiki/Infrastructure_as_code" rel="noopener noreferrer">IaC</a> (Infrastructure as Code) repository to your Cloud Provider, in my case, AWS.</p> <p>There are many ways of doing that, but after +8 years working with these solutions, you get to know a few tips and tricks.</p> <p>My AWS account structure is as follow:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F40uf1wubyb4rmn6ppj1i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F40uf1wubyb4rmn6ppj1i.png" alt="aws-account-structure" width="800" height="207"></a></p> <p>A good practice that I learnt over the years is that it can become very difficult and time consuming to manage dozens and/or hundreds of different state files in different AWS accounts. That's why I have been deploying a <code>SharedServices</code> account where I host all the Terraform backends and resources that it needs in order to manage infrastructure in the cloud.</p> <p>These are some of the Terraform resources I store in the <code>SharedServices</code> account:</p> <ul> <li><a href="https://developer.hashicorp.com/terraform/language/settings/backends/s3#dynamodb-table-permissions" rel="noopener noreferrer">DynamoDB table for state locking</a></li> <li>S3 bucket to store the state files</li> <li>IAM roles and permissions</li> <li>Alerts (constantly monitoring if any of the above resources are modified, deleted or even accessed)</li> </ul> <p>That being said, this is how a Terraform/Terragrunt IaC repository hosted on Github will connect to AWS:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flya8e7bgdi596vqfsid2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flya8e7bgdi596vqfsid2.png" alt="terragrunt-connectivity-to-aws" width="800" height="557"></a></p> <ul> <li> <a href="https://terrateam.io/" rel="noopener noreferrer">Terrateam</a>: After getting into some really big issues when running Terragrunt with Github Actions, I decided to look for a better CI solution. Terrateam is my CI/CD tool of choice here. <ul> <li>Unfortunately as of December 2023, they increased their price from USD $175 to <a href="https://terrateam.io/#pricing" rel="noopener noreferrer">USD $496 monthly</a>. Me being an existing customer I still pay the old amount (thank God!)</li> <li>Alternatively, you can look at solutions like <a href="https://www.runatlantis.io/" rel="noopener noreferrer">Atlantis</a> or <a href="https://spacelift.io/ci-cd-for-infrastructure" rel="noopener noreferrer">spacelift</a>.</li> </ul> </li> <li> <code>terraform-state-lock</code>: DynamoDB table for TF state locking</li> <li> <code>devops-bucket</code>: S3 Bucket to store TF state files</li> <li> <code>terraform-execution-role</code>: IAM Role deployed across ALL accounts. This is the Role that TF will assume when provisioning resources in AWS</li> </ul> <p>If you're provisioning the above resources for the first time, you'll have to either configure Terraform to use specific AWS keys as you won't have <code>OIDC</code> connection yet. In my case, I chose to have those pre-requesites resources in a <a href="https://aws.amazon.com/cloudformation/" rel="noopener noreferrer">CloudFormation</a> template and deploy them with <a href="https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html" rel="noopener noreferrer">StackSets</a>.</p> <h2> Deploying the pre-requesites </h2> <p><a href="https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services" rel="noopener noreferrer">Github OIDC</a> connection and role:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1">#---------------------------------------------------------------</span> <span class="c1"># Deployed to the SharedServices Account</span> <span class="c1">#---------------------------------------------------------------</span> <span class="c1"># This template deploys the necessary resources for the Terraform Backend</span> <span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2010-09-09"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Deploys the necessary resources for the Terraform Backend</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">GithubRoleName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">github-oidc-role"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Name</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">AWS</span><span class="nv"> </span><span class="s">IAM</span><span class="nv"> </span><span class="s">Role</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">Terraform</span><span class="nv"> </span><span class="s">assume"</span> <span class="na">Resources</span><span class="pi">:</span> <span class="c1"># Creates the Github OIDC Identity Provider</span> <span class="na">GithubOidcProvider</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::OIDCProvider</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Url</span><span class="pi">:</span> <span class="s">https://token.actions.githubusercontent.com</span> <span class="na">ClientIdList</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sts.amazonaws.com</span> <span class="pi">-</span> <span class="s">https://github.com/github_org_name/*</span> <span class="na">ThumbprintList</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">6938fd4d98bab03faadb97b34396831e3780aea1</span> <span class="pi">-</span> <span class="s">1c58a3a8518e8759bf075b76b750d4f2df264fcd</span> <span class="c1"># Creates the IAM Role that Github Actions will assume to deploy infrastrcuture</span> <span class="na">GithubActionsRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Federated</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com'</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">sts:AssumeRoleWithWebIdentity'</span> <span class="na">Condition</span><span class="pi">:</span> <span class="na">StringEquals</span><span class="pi">:</span> <span class="na">token.actions.githubusercontent.com:aud</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sts.amazonaws.com"</span> <span class="na">StringLike</span><span class="pi">:</span> <span class="c1"># https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub</span> <span class="na">token.actions.githubusercontent.com:sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">repo:github_org_name/*"</span> <span class="c1"># https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">arn:aws:iam::${AWS::AccountId}:role/github-oidc-role'</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">sts:AssumeRole'</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Role to provide Github access to AWS</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/AdministratorAccess</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="na">Ref</span><span class="pi">:</span> <span class="s">GithubRoleName</span> <span class="c1"># 43200 = 12 hours</span> <span class="na">MaxSessionDuration</span><span class="pi">:</span> <span class="m">43200</span> </code></pre> </div> <blockquote> <p><strong><em>NOTE:</em></strong> <code>github_org_name</code>: Change this to your Github Organization name or check <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub" rel="noopener noreferrer">this</a> article for more details.</p> <p><strong><em>NOTE:</em></strong> Since we only want to deploy this CloudFormation template to the <code>SharedServices</code> account, there is no need for you to use StackSets.</p> </blockquote> <p><a href="https://developer.hashicorp.com/terraform/language/settings/backends/configuration" rel="noopener noreferrer">Terraform backend</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="c1">#---------------------------------------------------------------</span> <span class="c1"># Deployed to the Shared-Services account</span> <span class="c1">#---------------------------------------------------------------</span> <span class="c1"># This template deploys the necessary resources for the Terraform Backend</span> <span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2010-09-09"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Deploys the necessary resources for the Terraform Backend</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">DynamoDBTableName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">terraform-state-lock"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Name</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">Terraform</span><span class="nv"> </span><span class="s">DynamoDB</span><span class="nv"> </span><span class="s">table"</span> <span class="na">TerraformS3BucketName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">devops-bucket"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Name</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">S3</span><span class="nv"> </span><span class="s">Bucket</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">Terraform</span><span class="nv"> </span><span class="s">state</span><span class="nv"> </span><span class="s">files"</span> <span class="na">TerraformBackendRoleName</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">terraform-backend-role"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Name</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">the</span><span class="nv"> </span><span class="s">role</span><span class="nv"> </span><span class="s">that</span><span class="nv"> </span><span class="s">users</span><span class="nv"> </span><span class="s">will</span><span class="nv"> </span><span class="s">assume</span><span class="nv"> </span><span class="s">for</span><span class="nv"> </span><span class="s">local</span><span class="nv"> </span><span class="s">TF</span><span class="nv"> </span><span class="s">development"</span> <span class="na">Resources</span><span class="pi">:</span> <span class="c1"># Creates the S3 bucket that will store the Terraform State files</span> <span class="na">TerraformS3BucketLogging</span><span class="pi">:</span> <span class="c1"># checkov:skip=CKV_AWS_18: This is a logging bucket</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::Bucket</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">BucketName</span><span class="pi">:</span> <span class="kt">!Join</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">,</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="nv">TerraformS3BucketName</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-logging"</span><span class="pi">]]</span> <span class="na">PublicAccessBlockConfiguration</span><span class="pi">:</span> <span class="na">BlockPublicAcls</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">BlockPublicPolicy</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">IgnorePublicAcls</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">RestrictPublicBuckets</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">BucketEncryption</span><span class="pi">:</span> <span class="na">ServerSideEncryptionConfiguration</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ServerSideEncryptionByDefault</span><span class="pi">:</span> <span class="na">SSEAlgorithm</span><span class="pi">:</span> <span class="s">AES256</span> <span class="na">VersioningConfiguration</span><span class="pi">:</span> <span class="na">Status</span><span class="pi">:</span> <span class="s">Enabled</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Backup"</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Environment"</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">SharedServices"</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Owner"</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Terraform"</span> <span class="na">TerraformS3BucketLoggingBucketPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::BucketPolicy</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Bucket</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">TerraformS3BucketLogging</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s">2012-10-17</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:List*"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:Get*"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:PutObject"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:DeleteObject"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:PutEncryptionConfiguration"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:PutBucketPolicy"</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">arn:aws:s3:::${TerraformS3BucketLogging}</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">arn:aws:s3:::${TerraformS3BucketLogging}/*</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${AWS::AccountId}'</span> <span class="na">TerraformS3Bucket</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::S3::Bucket</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">BucketName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">TerraformS3BucketName</span> <span class="na">LoggingConfiguration</span><span class="pi">:</span> <span class="na">DestinationBucketName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">TerraformS3BucketLogging</span> <span class="na">LogFilePrefix</span><span class="pi">:</span> <span class="s">logs</span> <span class="na">PublicAccessBlockConfiguration</span><span class="pi">:</span> <span class="na">BlockPublicAcls</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">BlockPublicPolicy</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">IgnorePublicAcls</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">RestrictPublicBuckets</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">BucketEncryption</span><span class="pi">:</span> <span class="na">ServerSideEncryptionConfiguration</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">ServerSideEncryptionByDefault</span><span class="pi">:</span> <span class="na">SSEAlgorithm</span><span class="pi">:</span> <span class="s">AES256</span> <span class="na">VersioningConfiguration</span><span class="pi">:</span> <span class="na">Status</span><span class="pi">:</span> <span class="s">Enabled</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Backup"</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Environment"</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">SharedServices"</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Owner"</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Terraform"</span> <span class="na">TerraformS3BucketPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::S3::BucketPolicy"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Bucket</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">TerraformS3Bucket</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:List*"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:Get*"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:PutObject"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:DeleteObject"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:PutEncryptionConfiguration"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:PutBucketPolicy"</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Allow"</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="c1"># We allow only the backend role to access the bucket</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">arn:aws:iam::${AWS::AccountId}:role/terraform-backend-role"</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">arn:aws:s3:::${TerraformS3Bucket}</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">arn:aws:s3:::${TerraformS3Bucket}/*</span> <span class="pi">-</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:*"</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s2">"</span><span class="s">RootAccess"</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">arn:aws:s3:::${TerraformS3Bucket}</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">arn:aws:s3:::${TerraformS3Bucket}/*</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="c1"># So that we don't lock ourselves out of the bucket</span> <span class="c1"># A specific IAM role/user should be used for this</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s2">"</span><span class="s">arn:aws:iam::${AWS::AccountId}:root"</span> <span class="pi">-</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:*"</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s2">"</span><span class="s">EnforcedTLS"</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Deny</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">arn:aws:s3:::${TerraformS3Bucket}</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s">arn:aws:s3:::${TerraformS3Bucket}/*</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">Condition</span><span class="pi">:</span> <span class="na">Bool</span><span class="pi">:</span> <span class="na">aws:SecureTransport</span><span class="pi">:</span> <span class="s2">"</span><span class="s">false"</span> <span class="c1"># Creates the DynamoDB Table for the TF State lock</span> <span class="na">TerraformDynamoDBTable</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::DynamoDB::Table</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">TableName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">DynamoDBTableName</span> <span class="na">AttributeDefinitions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">AttributeName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">LockID"</span> <span class="na">AttributeType</span><span class="pi">:</span> <span class="s2">"</span><span class="s">S"</span> <span class="na">DeletionProtectionEnabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">KeySchema</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">AttributeName</span><span class="pi">:</span> <span class="s2">"</span><span class="s">LockID"</span> <span class="na">KeyType</span><span class="pi">:</span> <span class="s">HASH</span> <span class="na">ProvisionedThroughput</span><span class="pi">:</span> <span class="na">ReadCapacityUnits</span><span class="pi">:</span> <span class="m">5</span> <span class="na">WriteCapacityUnits</span><span class="pi">:</span> <span class="m">5</span> <span class="na">PointInTimeRecoverySpecification</span><span class="pi">:</span> <span class="na">PointInTimeRecoveryEnabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">SSESpecification</span><span class="pi">:</span> <span class="na">SSEEnabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">KMSMasterKeyId</span><span class="pi">:</span> <span class="s">alias/aws/dynamodb</span> <span class="na">SSEType</span><span class="pi">:</span> <span class="s">KMS</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Backup"</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Environment"</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">SharedServices"</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Owner"</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Terraform"</span> <span class="c1"># AutoScaling rules for the DynamoDB Table</span> <span class="na">MyTableWriteCapacityScalableTarget</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::ApplicationAutoScaling::ScalableTarget"</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="s">TerraformDynamoDBTable</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">MaxCapacity</span><span class="pi">:</span> <span class="m">20</span> <span class="na">MinCapacity</span><span class="pi">:</span> <span class="m">5</span> <span class="na">ResourceId</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">table/${DynamoDBTableName}</span> <span class="na">RoleARN</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">arn:aws:iam::${AWS::AccountId}:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable</span> <span class="na">ScalableDimension</span><span class="pi">:</span> <span class="s2">"</span><span class="s">dynamodb:table:WriteCapacityUnits"</span> <span class="na">ServiceNamespace</span><span class="pi">:</span> <span class="s">dynamodb</span> <span class="na">MyTableWriteScalingPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS::ApplicationAutoScaling::ScalingPolicy"</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">WriteAutoScalingPolicy</span> <span class="na">PolicyType</span><span class="pi">:</span> <span class="s">TargetTrackingScaling</span> <span class="na">ScalingTargetId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">MyTableWriteCapacityScalableTarget</span> <span class="na">TargetTrackingScalingPolicyConfiguration</span><span class="pi">:</span> <span class="na">TargetValue</span><span class="pi">:</span> <span class="m">70</span> <span class="na">ScaleInCooldown</span><span class="pi">:</span> <span class="m">60</span> <span class="na">ScaleOutCooldown</span><span class="pi">:</span> <span class="m">60</span> <span class="na">PredefinedMetricSpecification</span><span class="pi">:</span> <span class="na">PredefinedMetricType</span><span class="pi">:</span> <span class="s">DynamoDBWriteCapacityUtilization</span> <span class="na">TerraformBackendRole</span><span class="pi">:</span> <span class="c1">#checkov:skip=CKV_AWS_60::Ensure IAM role allows only specific services or principals to assume it</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="c1"># We give these roles below the ability to assume this role</span> <span class="c1"># The reason why I give the terraform-execution-role permissions to assume this role is because of local development.</span> <span class="c1"># When I run terraform locally, I want to be able to assume this role so that I can access the S3 bucket and DynamoDB table</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AllowAllAccounts"</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="c1"># dev</span> <span class="pi">-</span> <span class="s">arn:aws:iam::{dev_account_id}:role/terraform-execution-role</span> <span class="c1"># staging</span> <span class="pi">-</span> <span class="s">arn:aws:iam::{staging_account_id}:role/terraform-execution-role</span> <span class="c1"># production</span> <span class="pi">-</span> <span class="s">arn:aws:iam::{production_account_id}:role/terraform-execution-role</span> <span class="c1"># Log Archive</span> <span class="pi">-</span> <span class="s">arn:aws:iam::{log-archive_account_id}:role/terraform-execution-role</span> <span class="c1"># Audit</span> <span class="pi">-</span> <span class="s">arn:aws:iam::{audit_account_id}:role/terraform-execution-role</span> <span class="c1"># Master</span> <span class="pi">-</span> <span class="s">arn:aws:iam::{master_account_id}:role/terraform-execution-role</span> <span class="c1"># backup</span> <span class="pi">-</span> <span class="s">arn:aws:iam::{backup_account_id}:role/terraform-execution-role</span> <span class="c1"># shared-services</span> <span class="pi">-</span> <span class="s">arn:aws:iam::{shared-services_account_id}:role/terraform-execution-role</span> <span class="pi">-</span> <span class="s">arn:aws:iam::{shared-services_account_id}:role/github-oidc-role</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">sts:AssumeRole'</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AllowGithubActions"</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Federated</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com'</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">sts:AssumeRoleWithWebIdentity'</span> <span class="na">Condition</span><span class="pi">:</span> <span class="na">StringEquals</span><span class="pi">:</span> <span class="na">token.actions.githubusercontent.com:aud</span><span class="pi">:</span> <span class="s2">"</span><span class="s">sts.amazonaws.com"</span> <span class="na">StringLike</span><span class="pi">:</span> <span class="c1"># https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub</span> <span class="na">token.actions.githubusercontent.com:sub</span><span class="pi">:</span> <span class="s2">"</span><span class="s">repo:github_org_name/*"</span> <span class="c1"># This is needed as we use AWS SSO and the AWSReservedSSO_DevOps* roles are used by the Engineers</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AllowSSOAWSAdministratorAccess"</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">AWS</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*"</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">sts:AssumeRole"</span> <span class="na">Condition</span><span class="pi">:</span> <span class="na">ArnEquals</span><span class="pi">:</span> <span class="na">aws:PrincipalArn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_DevOps*"</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Role to provide Terraform access to DynamoDB and S3</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">allows-access-to-s3-policy</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AllowS3Access"</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:ListBucket"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:GetObject"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:PutObject"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">s3:DeleteObject"</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!GetAtt</span> <span class="s">TerraformS3Bucket.Arn</span> <span class="pi">-</span> <span class="kt">!Join</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">arn:aws:s3:::"</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">TerraformS3Bucket</span> <span class="pi">-</span> <span class="s">/*</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">allows-access-to-dynamodb-policy</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2012-10-17"</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AllowDynamoDBAccess"</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">dynamodb:GetItem"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">dynamodb:DeleteItem"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">dynamodb:PutItem"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">dynamodb:DescribeTable"</span> <span class="na">Resource</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!GetAtt</span> <span class="s">TerraformDynamoDBTable.Arn</span> <span class="pi">-</span> <span class="kt">!Join</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">"</span> <span class="pi">-</span> <span class="pi">-</span> <span class="kt">!GetAtt</span> <span class="s">TerraformDynamoDBTable.Arn</span> <span class="pi">-</span> <span class="s">/*</span> <span class="na">RoleName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">TerraformBackendRoleName</span> </code></pre> </div> <blockquote> <p><strong><em>NOTE:</em></strong> <code>github_org_name</code>: Change this to your Github Organization name or check <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html#idp_oidc_Create_GitHub" rel="noopener noreferrer">this</a> article for more details.</p> <p><strong><em>NOTE:</em></strong> Since we only want to deploy this CloudFormation template to the <code>SharedServices</code> account, there is no need for you to use StackSets.</p> <p><strong><em>NOTE:</em></strong> You might notice this across some of the resources</p> <pre class="highlight yaml"><code><span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Backup"</span> <span class="na">Value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> </code></pre> <p>I have <a href="https://aws.amazon.com/backup/" rel="noopener noreferrer">AWS Backups</a> setup which will backup anything that has a tag of <code>Backup = true</code>.</p> </blockquote> <h1> Connecting to AWS </h1> <p>Now, let's connect your Terragrunt/Terraform setup with AWS. This process involves managing AWS credentials securely and ensuring your Terraform configurations can access these credentials. This section will include detailed steps and code snippets to guide you through this process, emphasizing security and best practices.</p> <h2> Terrateam configuration </h2> <blockquote> <p><strong><em>NOTE:</em></strong> More information about Terrateam's configuration <a href="https://terrateam.io/docs/cloud-provider-setup/aws/#configure-terrateam-for-oidc" rel="noopener noreferrer">here</a>.</p> </blockquote> <p><code>.terrateam/config.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>hooks: all: pre: - type: oidc provider: aws role_arn: "${TERRAFORM_GITHUB_OIDC_ROLE_ARN}" session_name: "terrateam" duration: 14400 audience: "sts.amazonaws.com" </code></pre> </div> <p><code>TERRAFORM_GITHUB_OIDC_ROLE_ARN</code> is defined in my Github Secrets and it has the following value: <code>arn:aws:iam::{shared-services_account_id}:role/github-oidc-role</code></p> <p>A simple Terragrunt repository structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>. ├── environments │ └── test │ ├── ap-southeast-2 │ │ ├── vpc │ │ │ └── terragrunt.hcl └── terragrunt.hcl </code></pre> </div> <blockquote> <p><strong><em>NOTE:</em></strong> More information about the <code>terragrunt.hcl</code> file can be found in <a href="https://github.com/gruntwork-io/terragrunt-infrastructure-live-example" rel="noopener noreferrer">this example repository</a>.</p> </blockquote> <p>My <code>terragrunt.hcl</code> file will have the backend and provider's configuration defined:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Automatically load region-level variables</span> <span class="nx">region_vars</span> <span class="p">=</span> <span class="nx">read_terragrunt_config</span><span class="p">(</span><span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"region.hcl"</span><span class="p">))</span> <span class="c1"># Automatically load environment-level variables`</span> <span class="nx">environment_vars</span> <span class="p">=</span> <span class="nx">read_terragrunt_config</span><span class="p">(</span><span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"env.hcl"</span><span class="p">))</span> <span class="c1"># Extract the variables we need for easy access</span> <span class="nx">account_name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">account_name</span> <span class="nx">account_id</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">environment_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">aws_account_id</span> <span class="nx">aws_region</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">region_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">aws_region</span> <span class="c1"># This is the S3 bucket where the Terraform State Files will be stored</span> <span class="nx">remote_state_bucket</span> <span class="p">=</span> <span class="s2">"devops-bucket"</span> <span class="c1"># This is the DynamoDB table where Terraform will add the locking status</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"terraform-state-lock"</span> <span class="c1"># IAM Role for Terraform backend to assume</span> <span class="nx">terraform_backend_role</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::{shared-services_account_id}:role/terraform-backend-role"</span> <span class="nx">environment_path</span> <span class="p">=</span> <span class="nx">replace</span><span class="p">(</span><span class="nx">path_relative_to_include</span><span class="p">(),</span> <span class="s2">"environments/"</span><span class="p">,</span> <span class="s2">""</span><span class="p">)</span> <span class="c1"># https://github.com/hashicorp/terraform/releases</span> <span class="nx">terraform_version</span> <span class="p">=</span> <span class="s2">"latest"</span> <span class="c1"># https://github.com/gruntwork-io/terragrunt/releases</span> <span class="nx">terragrunt_version</span> <span class="p">=</span> <span class="s2">"latest"</span> <span class="p">}</span> <span class="c1"># Generate an AWS provider block</span> <span class="nx">generate</span> <span class="s2">"provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"provider.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="nx">contents</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> provider "aws" { region = "${local.aws_region}" # Only these AWS Account IDs may be operated on by this template allowed_account_ids = ["${local.account_id}"] # Assume role information assume_role { role_arn = "arn:aws:iam::${local.account_id}:role/terraform-execution-role" session_name = "terragrunt-${local.account_id}-${local.aws_region}" } } </span><span class="no">EOF </span><span class="p">}</span> <span class="c1"># Configure Terragrunt to automatically store tfstate files in an S3 bucket</span> <span class="nx">remote_state</span> <span class="p">{</span> <span class="nx">backend</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">remote_state_bucket</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"tfstate/${path_relative_to_include()}/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"ap-southeast-2"</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">dynamodb_table</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">terraform_backend_role</span> <span class="p">}</span> <span class="nx">generate</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"backend.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>An example of how the state files will be stored:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx5wfjb49pxscqzyfbvad.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx5wfjb49pxscqzyfbvad.png" alt="tf-state" width="800" height="473"></a></p> <p>With that, you should be able to create the VPC resources in the Test account. :)</p> <h1> Conclusion </h1> <p>To wrap up, we'll summarize the key points covered and discuss the importance of integrating Terragrunt and Terraform with AWS for efficient cloud infrastructure management. Our goal is to equip you with the knowledge to enhance your infrastructure management practices.</p> <h2> Call to Action </h2> <p>We encourage you to share your thoughts, experiences, or questions in the comments below. And if you found this post helpful, don’t forget to follow our blog for more insightful content on cloud infrastructure and DevOps.</p> aws terraform infrastructureascode cicd Smooth Sailing from AWS EC2 to ECS: A Comprehensive Migration Guide Lucas Mon, 04 Dec 2023 09:54:29 +0000 https://forem.com/lpossamai/smooth-sailing-from-aws-ec2-to-ecs-a-comprehensive-migration-guide-2dci https://forem.com/lpossamai/smooth-sailing-from-aws-ec2-to-ecs-a-comprehensive-migration-guide-2dci <h2> Introduction </h2> <p>Having an application running behind a Load Balancer with Auto Scaling policies is already a good choice.</p> <p>With the <a href="https://dev.to/lpossamai/from-bare-metal-to-aws-cloud-in-90-minutes-2b2b">migration from Bare metal to AWS EC2</a> and the <a href="https://dev.to/lpossamai/postgresql-live-migration-from-92-to-14-with-bucardo-32n9">upgrade of our main database from PostgreSQL 9.2 to PostgreSQL 14</a>, we were ready to the next challenge.</p> <h3> Current architecture </h3> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4h6904ddh6rnrv3uultq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4h6904ddh6rnrv3uultq.png" alt="current aws architecture" width="800" height="960"></a></p> <h2> Why Migrate to ECS? </h2> <p>ECS brings many benefits. Better integration with other AWS services, simplified container management and improved scalability and resource optimization are some of them.</p> <p>In our case, we were using <a href="https://www.atlassian.com/software/bamboo" rel="noopener noreferrer">Bamboo</a> as our CI solution to deploy application changes to our AWS environments. Each build would take around 50 minutes to complete. Imagine you're a developer and we wanted to test a change in the Test environment. You'd have to wait for ~50 minutes to see if your change succeeded or not. No, there was no local development solution in place either.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwahu21w1o093kb21gyvd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwahu21w1o093kb21gyvd.png" alt="bamboo build" width="800" height="408"></a></p> <h2> Choose your weapons! </h2> <h3> Infrastructure as Code </h3> <p>There are many IaC (Infrastructure as Code) solutions out there. We decided to go with <a href="https://www.terraform.io/" rel="noopener noreferrer">Terraform</a>, as it's easier to manage and to find engineers who have work experience with it.</p> <p>💡 <strong>Tip:</strong> Using Terraform community modules such as <a href="https://github.com/terraform-aws-modules" rel="noopener noreferrer">terraform-aws-modules</a> and <a href="https://github.com/cloudposse" rel="noopener noreferrer">cloudposse</a> may help you speed up the creation of those resources.</p> <p>Github Actions will connect to our AWS Accounts using an <a href="https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services" rel="noopener noreferrer">OIDC connection</a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo6h9br32jdgwg94kex9s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fo6h9br32jdgwg94kex9s.png" alt="github actions with terraform" width="800" height="559"></a></p> <h4> Terraform state file </h4> <p>Managing the state of your IaC can be tricky if you have other team members creating, updating and deleting resources at the same time as you are.</p> <p>Terraform has a feature that allows you to <a href="https://spacelift.io/blog/terraform-state" rel="noopener noreferrer">manage the state of your infrastructure using an AWS S3 bucket and DynamoDB tables</a>. This is a huge improvement for us given the fact we had resources in CloudFormation. </p> <h3> CI/CD </h3> <p>Terraform alone is of no help. You must have a good CI solution to deploy your infrastructure changes.</p> <p>We've opted to go with <a href="https://github.com/features/actions" rel="noopener noreferrer">Github Actions</a>, as the business was already using Github for other repositories.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffkxeh0quii4tfd09kd9z.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffkxeh0quii4tfd09kd9z.png" alt="github actions workflow" width="800" height="207"></a></p> <h2> Conclusion </h2> <p>Our cluster has been handling the traffic really well.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqnc47a3sclngf65wmwwo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqnc47a3sclngf65wmwwo.png" alt="ecs metrics last 7 days" width="800" height="189"></a></p> <h3> Improved response time just by moving platform </h3> <h4> Before ECS migration </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmo759wu39jif80g212x3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmo759wu39jif80g212x3.png" alt="ecs new relic before migration" width="800" height="327"></a></p> <h4> After ECS migration </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F319npv45hyow83axwqxv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F319npv45hyow83axwqxv.png" alt="ecs new relic after migration" width="800" height="331"></a></p> <h4> Our new AWS architecture </h4> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3s6okpkevlxgr8w2x5q2.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3s6okpkevlxgr8w2x5q2.png" alt="aws new architecture" width="761" height="721"></a></p> aws ecs docker migration PostgreSQL Live Migration from 9.2 to 14 with Bucardo Lucas Mon, 04 Dec 2023 08:43:29 +0000 https://forem.com/lpossamai/postgresql-live-migration-from-92-to-14-with-bucardo-32n9 https://forem.com/lpossamai/postgresql-live-migration-from-92-to-14-with-bucardo-32n9 <p>We all hear about technical debt at some point in I.T, and often, fixing that problem is not easy. Mainly because it involves Production environments that need to be live 24/7, or simply for not having enough (human) resources.</p> <p>The challenge I face is having a Production Database (1.3TB) running PostgreSQL 9.2 and Ubuntu 16.04, on EC2 instances in AWS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>version ------------------------------------------------------------------------------------------------------------------ PostgreSQL 9.2.21 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609, 64-bit (1 row) </code></pre> </div> <p>It brings not only performance issues, but also the lack of security patches across all these years.</p> <p>PostgreSQL 9.2 was released on <a href="https://www.postgresql.org/docs/9.2/release-9-2.html" rel="noopener noreferrer">2012–09–10</a>, that's almost 10 years ago. Many performance improvements have been implemented specially after PG 10, which we were not taking advantage of.</p> <p>In this article, I'll talk about the challenges of migrating a live database from PostgreSQL 9.2 to 14, and improvements we've seen and where we wanna go next. :)</p> <h2> Database Stack </h2> <p>Our <a href="https://dev.to/lpossamai/from-bare-metal-to-aws-cloud-in-90-minutes-2b2b">AWS Architecture</a> is quite simple, deployed in two or more Availability Zones. Our database cluster had 5 instances in total, where the Master would handle all write traffic and the slaves, all the read traffic using <a href="https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values-weighted.html" rel="noopener noreferrer">Route53 Weighted records</a>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flrmk8krmf52heqbiz7vy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flrmk8krmf52heqbiz7vy.png" alt=" " width="800" height="960"></a></p> <ul> <li>pgsql-aws-05 = Master DB running PG 9.2–100% of the write traffic</li> <li>pgsql-aws-10 = Slave (Streaming Replication) DB running PG 9.2–0% of the read traffic (Mainly used for EBS Snapshots)</li> <li>pgsql-aws-11 = Slave (Streaming Replication) DB running PG 9.2–25% of the read traffic</li> <li>pgsql-aws-12 = Slave (Streaming Replication) DB running PG 9.2–25% of the read traffic</li> <li>pgsql-aws-13 = Slave (Streaming Replication) DB running PG 9.2–25% of the read traffic</li> <li>pgsql-aws-14 = Slave (Streaming Replication) DB running PG 9.2–25% of the read traffic</li> </ul> <p>These instances were deployed on r4. instance types and had Ubuntu 16.04 as the OS.</p> <h2> The issue(s) </h2> <p>New Relic would constantly complain about high response times and high CPU Utilization, specially for the Master Database. We would love to be able to benefit from the <a href="https://www.postgresql.org/about/featurematrix/detail/281/" rel="noopener noreferrer">Parallel query</a> feature from PG 14, but we weren't there yet.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqe8lc9hs3zrzjtg9u7f4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqe8lc9hs3zrzjtg9u7f4.png" alt=" " width="800" height="438"></a></p> <p>However, our biggest problem was with the Replication Lag. It would go up to 2 minutes at some cases, and that was causing several different issues to our customers, providing a bad user experience.</p> <p>Maybe because <a href="https://www.postgresql.org/docs/release/9.1.0/" rel="noopener noreferrer">Streaming Replication was introduced on PG 9.1</a>, so it meant that we were using a very early version of it, without all the improvements among the years.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftqkprh9vrc1wn4eahsz1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftqkprh9vrc1wn4eahsz1.png" alt=" " width="800" height="433"></a></p> <p>I did post some questions about this in the PostgreSQL General Mail list, but was unable to find a solution other than upgrading the DB version.</p> <ul> <li><a href="https://www.postgresql.org/message-id/Z14WgPUs_T-sranXV8i1KakN-eGRgP7fFcKUR8wHJDmjR-V8tHXkIIVWPxEEUd69GBeQCCKD0BeFn4f9AKItYa22mk_DzQP0yKuhRoyXZCc=@sud0.nz" rel="noopener noreferrer">https://www.postgresql.org/message-id/Z14WgPUs_T-sranXV8i1KakN-eGRgP7fFcKUR8wHJDmjR-V8tHXkIIVWPxEEUd69GBeQCCKD0BeFn4f9AKItYa22mk_DzQP0yKuhRoyXZCc=@sud0.nz</a></li> <li><a href="https://www.postgresql.org/message-id/4fd63109744f5ef6eee098fc92c4fa87%40sud0.nz" rel="noopener noreferrer">https://www.postgresql.org/message-id/4fd63109744f5ef6eee098fc92c4fa87%40sud0.nz</a></li> </ul> <h2> Setting up Bucardo </h2> <p>Setting up <a href="https://bucardo.org/Bucardo/" rel="noopener noreferrer">Bucardo</a> was a challenge, as I did not have any experience with it before. Its documentation is sometimes confusing, and there isn't much information there as well.</p> <p>The idea was to launch a new EC2 Instance with Bucardo in it, and make it replicate from PG 9.2 to PG 14.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkoa4t4dg0soamz9txm3q.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkoa4t4dg0soamz9txm3q.png" alt=" " width="800" height="656"></a></p> <p>Basically, the steps I did to set it up were (After following <a href="https://bucardo.org/Bucardo/installation/" rel="noopener noreferrer">these steps</a>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Create the Bucardo Role `CREATE ROLE bucardo WITH LOGIN SUPERUSER PASSWORD 'password';` 2. Modify the `pg_hba.conf` file to allow connection from the Bucardo role. `host replication bucardo 10.0.0.0/16 md5` 3. Export PG roles and schema (from 9.2): ``` pg_dump --schema-only --schema=public foo &gt; /data-bucardo/foo_schemas.sql pg_dumpall --roles-only --database=foo &gt; /data/foo_roles.sql ``` 4. Import the roles and the schema into the new PG 14 DB: ``` psql foo -f /data-bucardo/foo_roles.sql psql foo -f /data-bucardo/foo_schemas.sql ``` 5. Create all the extensions needed in PG 14 6. Disable Triggers and FKs: ``` create table if not exists foo_triggers ( seq bigserial primary key, sql text ); -- disable triggers do $$ declare t record; begin for t in select trigger_schema || '.' || event_object_table as table_name, trigger_name from information_schema.triggers where trigger_catalog = 'foo' and trigger_schema in ('public') loop insert into foo_triggers (sql) values ( format('alter table %s disable trigger %s', t.table_name, t.trigger_name)); execute format('alter table %s disable trigger %s', t.table_name, t.trigger_name); end loop; end $$; create table if not exists dropped_foreign_keys_public ( seq bigserial primary key, sql text ); -- public schema do $$ declare t record; begin for t in select conrelid::regclass::varchar table_name, conname constraint_name, pg_catalog.pg_get_constraintdef(r.oid, true) constraint_definition from pg_catalog.pg_constraint r where r.contype = 'f' -- current schema only: and r.connamespace = (select n.oid from pg_namespace n where n.nspname = 'public') loop insert into dropped_foreign_keys_public (sql) values ( format('alter table %s add constraint %s %s', quote_ident(t.table_name), quote_ident(t.constraint_name), t.constraint_definition)); execute format('alter table %s drop constraint %s', quote_ident(t.table_name), quote_ident(t.constraint_name)); end loop; end $$; ``` 7. Add tables and sequences to Bucardo: ``` sudo bucardo add db source_db dbname=foo host=pgsql-aws-05 user=bucardouser pass='password' sudo bucardo add db target_db dbname=foo host=pgsql-aws-pg14 user=bucardo pass='password' sudo bucardo add table public.* db=source_db relgroup=foo_db_group sudo bucardo add sequence public.* db=source_db relgroup=foo_db_group sudo bucardo add dbgroup foo_db_group source_db:source target_db:target sudo bucardo add sync foo_sync relgroup=foo_db_group dbs=foo_db_group autokick=0 sudo bucardo validate foo_sync ``` 7. Export the data from PG 9.2: `pg_dump -Fc --data-only --disable-triggers --verbose foo &gt; /data/foo_database_data.sql` 8. Import the data into PG 14: `pg_restore -d foo /data/foo_database_data.sql --disable-triggers --exit-on-error -v --jobs=15` 9. Re-enable Triggers and FKs: ``` -- enable FKs do $$ declare t record; begin -- order by seq for easier troubleshooting when data does not satisfy FKs for t in select * from dropped_foreign_keys_public order by seq loop execute t.sql; end loop; end $$; -- enable triggers do $$ declare t record; begin for t in select trigger_schema || '.' || event_object_table as table_name, trigger_name from information_schema.triggers where trigger_catalog = 'foo' and trigger_schema in ('public') loop execute format('alter table %s enable trigger %s', t.table_name, t.trigger_name); end loop; end $$; ``` 10. Start Bucardo Replication: `sudo bucardo update sync foo_sync autokick=1` `sudo bucardo start` </code></pre> </div> <p>From there, with the Bucardo replication working, we could create EBS Snapshots from the PostgreSQL 14 Master Database Instance at any time, and create slaves from those snapshots. We have been using this for the past few years and it works really good for us!</p> <p>Ultimately, before moving forward with the upgrade, we want to have the same amount of Slaves as the old stack had, <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-initialize.html" rel="noopener noreferrer">warm up the EBS volumes</a>, and only after that they'll be ready to receive read-only traffic.</p> <h2> Failover to the new DB version </h2> <p>We had around 4 (four) hours of scheduled downtime to perform the failover to the new database stack.</p> <p>The idea was to setup the new DB stack in a brand-new AWS LZ (Landing Zone) account managed by Control Tower. The steps we took were:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Launch an Application Load Balancer 2. Redirect all customers to the new ALB 3. From the ALB, redirect all customers to a maintenance page using `aws_lb_listener_rule` 4. Whitelist some of our IP addresses to access the application (This is for allowing few members of our team to actually access the application for testing purposes) ``` resource "aws_lb_listener_rule" "https_whitelist_ip_addresses_to_app" { count = terraform.workspace == "prod" ? 1 : 0 listener_arn = aws_alb_listener.old_alb_listener_https_prod[count.index].arn action { target_group_arn = "arn:aws:elasticloadbalancing:ap-southeast-2:2____________0:targetgroup/bau-prod-elb/6_____e" type = "forward" } condition { host_header { values = ["*.foo.com", "foo.com"] } } condition { source_ip { values = [ "100.100.100.101/32", # Staff 1 "100.100.100.102/32", # Staff 2 "100.100.100.103/32", # Staff 3 "100.100.100.104/32", # Staff 4 ] } }} ``` 5. Stop Bucardo 6. Modify Route53 records and point those records to the new DB cluster (Our application connects to the database using a specific endpoint) 7. Testing, testing and more testing! 8. Modify the ALB and remove the redirect rules to allow customers to access the application </code></pre> </div> <p>The tests mentioned on Step 7 were the following:</p> <ul> <li><a href="http://pgdiff.sourceforge.net" rel="noopener noreferrer">pgdiff</a></li> <li>[k6.io](<a href="https://www.k6.io" rel="noopener noreferrer">https://www.k6.io</a>] for stress and load tests</li> <li>Manual tests using the API, Console and Mobile APPs</li> </ul> <h2> The new AWS Infrastructure </h2> <p>In the beginning of this article, I mentioned we had the database stack running on Ubuntu 16.04, which is not good. They were all deployed using CloudFormation and Bamboo, which brings us another problem. Having to manage the Bamboo on an EC2 Instance is something that we should avoid, as we would have to apply security patches, take care of backups and SSH keys rotation and more!</p> <p>For that reason, when we deployed the new DB stack, we decided to go with Terraform and Bitbucket Pipelines (mainly because the company was already using Bitbucket as source of control).</p> <p>The new <code>r5.</code> instances were all deployed using Terraform and Bitbucket Pipelines, with encrypted EBS volumes and infrastructure <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html" rel="noopener noreferrer">CIS compliant</a>.</p> <p>The <code>gp3</code> EBS volumes were deployed with 10000 IOPS and 600 Mbps of throughput, as those were the numbers we thought we needed to support the traffic.</p> <p>In the diagram below, you can check the current architecture, which is all managed by Terraform and Bitbucket Pipelines.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgjq6np02jmr3rjahvpjv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgjq6np02jmr3rjahvpjv.png" alt=" " width="800" height="422"></a></p> <h2> Did we solve anything at all with the upgrade? </h2> <p>Yes! Performance gain was amazing! Our response times dropped from <code>~300ms - 350ms</code> to <code>~100ms - 120ms</code>, and all this just by upgrading the DB version… no code changes and no changes to the architecture.</p> <p>The new Response Time from New Relic looks (so) good - and that was taken during peak time, where we were processing more than 10,000 requests per minute.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5dghd3l5h4cx5lecbi36.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5dghd3l5h4cx5lecbi36.png" alt=" " width="657" height="386"></a></p> <p>The replication lag is gone, and it's now around 1 second or less:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxy5655gaayjyjru03ytq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxy5655gaayjyjru03ytq.png" alt=" " width="424" height="406"></a></p> <p>System load (24 hours window) goes up to 10 during peak hours, but our <code>r5.4xlarge</code> master DB handles it well:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flfaa73mh63h6zvv6k95h.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flfaa73mh63h6zvv6k95h.png" alt=" " width="800" height="129"></a></p> <h2> Conclusion </h2> <p>Overall I'm very happy with the result. Having only 4 hours of scheduled downtime for a big project like this is definitely a win, and we did not encounter any data loss or any other major problem in the following days after the upgrade.</p> <p>Our EC2 cluster is performing really well, even though there are a lot to be worked on still, like slow queries improvements and changing some table designs for better performance.</p> <p>I'm also very confident that we can now decrease the amount of IOPS and/or Throughput originally deployed, and potentially even move more traffic to the slaves and retire one of the slaves to save some money (at the moment each slave is getting 25% of the read traffic).</p> aws ec2 postgres database From bare metal to AWS Cloud in 90 minutes. Lucas Mon, 04 Dec 2023 08:26:52 +0000 https://forem.com/lpossamai/from-bare-metal-to-aws-cloud-in-90-minutes-2b2b https://forem.com/lpossamai/from-bare-metal-to-aws-cloud-in-90-minutes-2b2b <h2> Introduction </h2> <p>The job management platform ran a collection of bare metal servers in a leased data center. Over the last seven years, the application requirements had outgrown the capacity of the hosting platform. The company decided to migrate the application to Amazon Web Services (AWS) rather than invest in additional bare metal hardware.</p> <h2> The legacy environment </h2> <p>The job management platform ran on a collection of bare metal servers in a leased data center. Over the last seven years, the application requirements had outgrown the capacity of the hosting platform. The company decided to migrate the application to Amazon Web Services (AWS) rather than invest in additional bare metal hardware. The staff who originally set up the environment were no longer working for the company. A full-time team of three developers, as well as a sysadmin and DBA, were maintaining the legacy platform.</p> <p>While the PHP code was git repository controlled, the actual sysadmin configuration was hand edited over several years; items such as Apache configuration, log file management and shared libraries. For the web and API tiers, there was a server running NGINX acting as a load balancer, distributing traffic on a round robin basis to two back-end web servers, each of which was attached to an NFS mounted disk on which the PHP code was installed.</p> <p>PostgreSQL 9.2 was the database tier along with Redis for credential storage. PostgreSQL was 4TB and growing. Disk I/O was 100% on a normal day. The original designers had chosen to store media files such as images and video in the database and had created a virtual file system mapped in relational database tables within PostgreSQL. The database tier simply would not scale.</p> <h2> The challenges: </h2> <ol> <li>With over 60,000 active international users (and growing) the system was in use around the clock and the migration required minimal downtime.</li> <li>Perhaps the largest problem was the old version of PostgreSQL and its +4TB of active data and growing. AWS Database Migration Service was a clear choice. It is a web service you can use to migrate data from your database that is on-premises, onto an Amazon Relational Database Service (Amazon RDS) DB instance in real time. This was not available to us, as it requires a PostgreSQL database that is version 9.3.x or later. We opted to use native PostgreSQL tools to create a live streaming replica from the legacy data center to PostgreSQL on EC2. We leveraged the flexibility of EC2 to create three tiers of cascading PostgreSQL slave databases such that when we performed the actual cut-over we promoted the primary replica to become the master and the two tiers of remaining slaves became the read replica and the fail-over databases. Using AWS snapshots and CloudFormation we can continue to build chains of cascading slaves in the event of a failure in any node, giving us an HA database solution in AWS. Due to the legacy 100% I/O issues, we provisioned the PostgreSQL EBS volumes using 10,000 IOPS and r4.4xlarge EBS–optimized instances.</li> <li>The API and web tiers depended on an NFS mounted volume to share PHP code and sessions. We re-factored the code across 6 git repositories on a migration branch. The new code stored sessions in Redis and managed file uploads via S3 using an AWS SDK. Using immutable infrastructure, we were able to deploy a built AWS AMI to an auto-scaling group of m4.xlarge application servers, fronted with an AWS classic Load Balancer. We chose CloudFormation wrapped in a parameter driven script framework to build new AMIs reflecting the git commit being deployed. Part of this infrastructure as code delivered a new sysadmin environment using Ubuntu Xenial and Apache HTTP Server 2.4. This resolved the issue of the legacy sysadmin environment being unknown and hand-coded over many years.</li> <li>For Orchestration, we chose Bamboo, which is a continuous integration and deployment server from Atlassian, the makers of JIRA and Confluence which were already in use by the company. We used Bamboo as a task runner/task logger to execute our parameter driven script framework which we installed on a deployment server, also built via the same CloudFormation framework.</li> <li>The company had an existing skilled team with no cloud experience. AWS provided training credits and the AWS consulting partner provided skills transfer to ensure that the existing team were able to manage the migrated solution to deploy to development, UAT and production environments for each application tier.</li> </ol> <h2> Project results: </h2> <p>The main migration was completed with 90 minutes of downtime which had been communicated to the users well in advance. The migration window was over the low traffic Christmas / New Year period.</p> <p>From the beginning, the job management platform ran well on AWS. For the first week or so the team was able to tune various AWS settings to achieve optimal performance.</p> <p>There were problems. It was impossible to test the production workload in spite of having a full copy of the production database for extensive per-migration testing. As issues surfaced in the first hours and days, the developers and DBA were able to make and test changes quickly and deploy those changes using the Bamboo driven pipeline. We encountered no sysadmin specific issues.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0vuet4dswjalj41rr4go.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0vuet4dswjalj41rr4go.png" alt=" " width="800" height="960"></a></p> <h4> Factors Critical to Project Success </h4> <p>The critical success factors were obvious in hindsight and key learning for any company attempting a migration project of this size. A deficit in any of the following may well have lead to an orphan project.</p> <h4> Senior Company Executive Backing &amp; Strong CTO Leadership </h4> <p>The company CTO directed the project and provided strong leadership to ensure each participant was aligned with the same goals. He was able to communicate effectively to the board as well as dive into the detail by asking the right questions and offering the right advice at each step. He also played a vital role in communicating the company vision to AWS to achieve maximum vendor support.</p> <h4> Strong AWS Consulting Partner Support </h4> <p>The AWS Consulting Partner leads the project, using a technology stack which has undergone the test of time; there were no surprises.</p> <h4> Skilled and Dedicated Developers and DBA </h4> <p>The company employees were skilled and professional and they knew their application code well. With zero previous AWS experience, they received a one-day AWS Essentials training course and in-project training by the AWS Consulting Partner. They learned quickly and were motivated put in their best efforts. Post-migration they are successfully managing the AWS environments.</p> <h4> Significant Support from AWS </h4> <p>AWS was engaged from the beginning to help the customer directly and in partnership with the AWS Consulting Partner. The first AWS leadership principle is customer obsession. They start with the customer and work backwards. They work vigorously to earn and keep customer trust.</p> aws cloud migration linux