DevOps Console

Cloud Resources Management Console and Other DevOps services toolkit

For Admin

Auth Groups and Their Access Levels

  • devops-console-users: Console_Read (view access to all required models)

  • devops-console-reviewers: Console_Read + create/update access to the Action and Task models

  • codecommit-admins: Console_Read + create/update/delete access to the CodeCommit-related models

  • codecommit-managers: Console_Read + create/update access to the CodeCommit-related models of repos in which the user holds a manager membership, plus the ability to create a Repository

  • codebuild-admins: Console_Read + create/update/delete access to the CodeBuild-related models

  • codebuild-managers: Console_Read + create/update access to the CodeBuild-related models of projects in which the user holds a manager membership, plus the ability to create a Project

  • environment-setup-admins: Console_Read + create/update/delete access to the Environment Setup models

  • environment-setup-managers: Console_Read + create/update access to the Environment Setup related models

  • s3-managers: Console_Read + create/update access to the S3-related models

Create Reviewers

Reviewers are the users who approve actions in the DevOps Console. To create a reviewer, follow the steps below.

Create Auth User

  • Create user in USERS & GROUPS -> Users Model

  • Add staff status for the user (tick checkbox)

  • Add user to the devops-console-reviewers group

Create Reviewer

  • Create a reviewer in REVIEWER -> Reviewers Model

  • Choose the Associated Login User (the user created in the step above) and the Associated IAM User

  • Choose Accounts allowed (the accounts for which the user is a reviewer)

  • Choose All models in Allowed Models to Approve

  • Set the Auth code: the reviewer enters this code to approve actions

Allocate Credentials

  • Credentials are allocated to a reviewer in AWS ACCOUNT -> AWS Credentials

  • Select the Credentials object associated with the Console Admin

  • Choose the Allocation of creds to Selected Reviewer action and click Go

  • Choose the reviewer object to allocate the credentials to

  • Enter the Admin Auth Code

  • Approve the action. These steps generate the credentials the reviewer needs to approve actions for that specific AWS account.

Reset/Update Reviewer Auth Code

  • A reviewer can update their own auth code by selecting their Reviewer object in REVIEWER -> Reviewers and choosing the Update Auth Code action

  • Only an Admin can reset a reviewer's auth code, by selecting the Reviewer object in REVIEWER -> Reviewers and choosing the Reset Auth Code action

AWS Account Config

Every AWS account object has an account-level configuration in its config field, similar to the below:

{
    "developer_group_name": "developer-1",
    "code_build_trigger_lambda_func_arn": "arn:aws:lambda:ap-south-1:1234567890:function:codebuild-trigger-prod",
    "code_artifact_domain_name": "nxtwave",
    "code_artifact_pypi_packages_repo_name": "pypi",
    "code_artifact_npm_packages_repo_name": "npm"
}
  • developer_group_name: A common IAM group with the minimum permissions required by all developers (default: developer-1)

  • code_build_trigger_lambda_func_arn: The Lambda function that triggers CodeBuild. When a CodeBuild project is configured for a specific branch of a repo, this function is invoked on changes to that branch.

  • code_artifact_domain_name: The CodeArtifact domain from which pip and npm packages are installed. Read permission for this domain is added to the developers' group so that users can install packages with their own credentials.

  • code_artifact_pypi_packages_repo_name: Repository name for PyPI packages (default: pypi); used when generating the common developer permissions and the CodeBuild project permissions

  • code_artifact_npm_packages_repo_name: Repository name for npm packages (default: npm); used when generating the common developer permissions and the CodeBuild project permissions

Scripts to Sync Updates in AWS -> DB

Model: OTHERS > Scripts

To keep the DB in sync with AWS, the scripts below check for changes in AWS and apply them to the DB: a resource is created if it does not exist in the DB, updated if it already exists, and marked DELETED_IN_AWS if it has been deleted in AWS.

  • SYNC_IAM_USERS_TO_DB

  • SYNC_CODECOMMIT_REPOS_TO_DB

  • SYNC_S3_BUCKETS_TO_DB

  • SYNC_CODEBUILD_PROJECTS_TO_DB

  • SYNC_CF_DISTRIBUTIONS_TO_DB

  • SYNC_SSM_PARAMETERS_TO_DB
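The reconciliation rule the sync scripts follow (create if missing, update if changed, mark DELETED_IN_AWS if gone), including the throttling behaviour described in the Issues section at the end of this page, as an added example written for this page; it is not one of the console's own scripts. Row, reconcile(), ThrottlingError, the ACTIVE status value and the sample data are assumptions; a real run would fill aws_resources from boto3 list calls instead of the constructed dict.

```python
"""Reconcile what AWS currently reports against the rows the console stores.

Added example for this page, not the DevOps Console's own code. Row, reconcile(),
ThrottlingError, the ACTIVE status value and all sample data are assumptions;
only the DELETED_IN_AWS status value comes from the page.
"""
from dataclasses import dataclass, field


class ThrottlingError(Exception):
    """Stands in for the AWS Throttling error mentioned in the Issues section."""


@dataclass
class Row:
    name: str
    attrs: dict = field(default_factory=dict)
    status: str = "ACTIVE"


def reconcile(aws_resources, db_rows, enrich=None, log=None):
    """Return (rows_after, summary) without mutating the inputs.

    aws_resources: {name: attrs} as returned by the AWS list call.
    db_rows:       {name: Row} currently stored in the DB.
    enrich:        optional per-resource lookup (for example the repo maintainer)
                   that may raise ThrottlingError; the sync then skips it and logs.
    """
    log = [] if log is None else log
    summary = {"created": [], "updated": [], "unchanged": [], "deleted_in_aws": []}
    rows_after = {}

    for name, listed in aws_resources.items():
        attrs = dict(listed)
        stored = db_rows.get(name)
        if enrich is not None:
            try:
                attrs.update(enrich(name))
            except ThrottlingError:
                # Same behaviour the page describes: skip the extra check, keep the
                # stored values for fields we could not refresh, and record it.
                log.append(f"{name}: throttled while fetching details, keeping stored values")
                if stored is not None:
                    for key, value in stored.attrs.items():
                        attrs.setdefault(key, value)
        if stored is None:
            rows_after[name] = Row(name, attrs)
            summary["created"].append(name)
        elif stored.attrs != attrs or stored.status != "ACTIVE":
            # Covers real changes and a resource re-created in AWS after it had
            # been marked DELETED_IN_AWS.
            rows_after[name] = Row(name, attrs, "ACTIVE")
            summary["updated"].append(name)
        else:
            rows_after[name] = Row(name, dict(stored.attrs), stored.status)
            summary["unchanged"].append(name)

    for name, stored in db_rows.items():
        if name in aws_resources:
            continue
        if stored.status != "DELETED_IN_AWS":
            summary["deleted_in_aws"].append(name)
        rows_after[name] = Row(name, dict(stored.attrs), "DELETED_IN_AWS")

    return rows_after, summary


if __name__ == "__main__":
    # Constructed sample data, not taken from any real account.
    aws = {"repo-a": {"arn": "arn:a", "default_branch": "main"},
           "repo-b": {"arn": "arn:b", "default_branch": "main"}}
    db = {"repo-a": Row("repo-a", {"arn": "arn:a", "default_branch": "master", "maintainer": "alice"}),
          "repo-c": Row("repo-c", {"arn": "arn:c"})}

    def maintainer(name):
        if name == "repo-b":
            raise ThrottlingError()
        return {"maintainer": "alice"}

    rows, summary = reconcile(aws, db, enrich=maintainer)
    print(summary)
```

Marking rows DELETED_IN_AWS instead of deleting them keeps the audit trail (memberships, actions and tasks that referenced the resource) intact, and a resource that reappears in AWS is picked up by the update branch rather than silently re-created.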

For Users

AWS Console

The AWS Console section covers the commonly used AWS services.

Code Commit

This section contains everything related to CodeCommit repos. With it you can:

  • Create/Update a repo

  • Add/Remove contributors

  • Restrict users to making changes on specific branches only

  • Restrict users to making changes to the repo from specific IP addresses only

Memberships

Model: CodeCommit Repo Memberships

A membership grants a user access to a repo at one of the access levels below:

  • READ: Read access to the specified repo.

  • WRITE: Read and write access to the specified repo, for all branches except those listed in GlobalRestrictedBranches, RepoSpecificRestrictedBranches and RepoUserRestrictedBranches. To let a user change a branch regardless of the *-RestrictedBranches entries, create a RepoUserWhitelistedBranches entry for that user.

  • CO_MANAGER_WITH_IP_RESTRICTIONS:

    • Full access to the specified repo, but only from allowed IP addresses. Allowed addresses are configured in GlobalIPAddressWhitelist, RepoSpecificIPAddressWhitelist and RepoUserIPAddressWhitelist.

  • CO_MANAGER:

    • Full access to the specified repo. Unlike MAINTAINER, co-manager permissions are managed through AWS IAM policies.

  • MAINTAINER:

    • Full access to the specified repo. Permissions are managed through CodeCommit resource tags.

IPAddress/Branch Restrictions

The restrictions below apply only to users who hold a membership in the repo.

  • GlobalIPAddressWhitelist: IP addresses from which CodeCommit resources can be accessed by any developer.

  • GlobalRestrictedBranches: Branches to which access is restricted by default on all repos.

  • RepoSpecificIPAddressWhitelist: Additional IP addresses allowed at repo level.

  • RepoSpecificRestrictedBranches: Additional restricted branches at repo level.

  • RepoUserRestrictedBranches: Additional restricted branches at repo level for a specific user.

  • RepoUserWhitelistedBranches: Whitelisted branches at repo level for a specific user.

  • RepoUserIPAddressWhitelist: Whitelisted IP addresses at repo level for a specific user.

Actions Approval:

The approver must hold a MAINTAINER, CO_MANAGER or CO_MANAGER_WITH_IP_RESTRICTIONS membership in the respective repo.

Note: a user can only approve memberships whose access level is less than or equal to their own (the levels above are listed in ascending order); for example, a CO_MANAGER cannot approve a MAINTAINER membership.
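How the branch and IP restrictions above combine for one user on one repo, rendered as the kind of IAM policy the WRITE and CO_MANAGER_WITH_IP_RESTRICTIONS levels imply, together with the approval rule from the note, as an added example written for this page; it is not the DevOps Console's own policy generator. The dict "tables", the sample rows, build_policy(), can_approve() and the sample ARN are assumptions; the IAM actions and the codecommit:References and aws:SourceIp condition keys are real.

```python
"""Resolve a user's CodeCommit restrictions for one repo and render an IAM policy.

Added example for this page, not the DevOps Console's own code. The dict tables,
sample rows, ARN and function names are assumptions; the IAM actions and the
codecommit:References / aws:SourceIp condition keys are real IAM features.
"""
import json

# Access levels in ascending order, as the page lists them.
ACCESS_LEVELS = ["READ", "WRITE", "CO_MANAGER_WITH_IP_RESTRICTIONS", "CO_MANAGER", "MAINTAINER"]
MANAGER_LEVELS = ACCESS_LEVELS[2:]

# Constructed sample rows standing in for the models named on the page
# (RFC 5737 documentation addresses, not real networks).
GLOBAL_RESTRICTED_BRANCHES = {"main", "release"}
GLOBAL_IP_WHITELIST = {"203.0.113.0/24"}
REPO_RESTRICTED_BRANCHES = {"api": {"staging"}}
REPO_IP_WHITELIST = {"api": {"198.51.100.10/32"}}
REPO_USER_RESTRICTED_BRANCHES = {("api", "alice"): {"hotfix"}}
REPO_USER_WHITELISTED_BRANCHES = {("api", "alice"): {"staging"}}
REPO_USER_IP_WHITELIST = {("api", "alice"): {"192.0.2.5/32"}}

READ_ACTIONS = ["codecommit:GitPull", "codecommit:Get*", "codecommit:BatchGet*",
                "codecommit:List*", "codecommit:Describe*"]
WRITE_ACTIONS = READ_ACTIONS + ["codecommit:GitPush", "codecommit:PutFile",
                                "codecommit:CreateBranch", "codecommit:DeleteBranch",
                                "codecommit:CreatePullRequest", "codecommit:Merge*"]
# Actions that carry a branch reference and can therefore be denied per branch.
BRANCH_MUTATING_ACTIONS = ["codecommit:GitPush", "codecommit:PutFile", "codecommit:DeleteBranch",
                           "codecommit:MergeBranchesByFastForward", "codecommit:MergeBranchesBySquash",
                           "codecommit:MergeBranchesByThreeWay", "codecommit:MergePullRequestByFastForward",
                           "codecommit:MergePullRequestBySquash", "codecommit:MergePullRequestByThreeWay"]


def effective_restricted_branches(repo, user):
    """Global, repo and repo-user restrictions add up; the user's whitelist wins."""
    restricted = (GLOBAL_RESTRICTED_BRANCHES
                  | REPO_RESTRICTED_BRANCHES.get(repo, set())
                  | REPO_USER_RESTRICTED_BRANCHES.get((repo, user), set()))
    return restricted - REPO_USER_WHITELISTED_BRANCHES.get((repo, user), set())


def effective_allowed_ips(repo, user):
    """Global, repo and repo-user IP whitelists are additive."""
    return (GLOBAL_IP_WHITELIST
            | REPO_IP_WHITELIST.get(repo, set())
            | REPO_USER_IP_WHITELIST.get((repo, user), set()))


def build_policy(repo, user, level, repo_arn):
    """IAM policy for one membership; explicit Deny statements enforce the restrictions."""
    if level not in ACCESS_LEVELS:
        raise ValueError(f"unknown access level {level!r}")
    allow = {"READ": READ_ACTIONS, "WRITE": WRITE_ACTIONS}.get(level, ["codecommit:*"])
    statements = [{"Sid": "RepoAccess", "Effect": "Allow", "Action": allow, "Resource": repo_arn}]
    if level == "WRITE":
        refs = sorted(f"refs/heads/{b}" for b in effective_restricted_branches(repo, user))
        if refs:
            statements.append({
                "Sid": "DenyRestrictedBranches", "Effect": "Deny",
                "Action": BRANCH_MUTATING_ACTIONS, "Resource": repo_arn,
                # Only requests that carry a reference are matched; the Null check
                # leaves requests without one (such as a fetch) unaffected.
                "Condition": {"StringEqualsIfExists": {"codecommit:References": refs},
                              "Null": {"codecommit:References": "false"}},
            })
    if level == "CO_MANAGER_WITH_IP_RESTRICTIONS":
        statements.append({
            "Sid": "DenyOutsideWhitelistedIps", "Effect": "Deny",
            "Action": "codecommit:*", "Resource": repo_arn,
            "Condition": {"NotIpAddress": {"aws:SourceIp": sorted(effective_allowed_ips(repo, user))}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def can_approve(approver_level, requested_level):
    """Only managers approve, and only memberships at or below their own level."""
    if approver_level not in MANAGER_LEVELS or requested_level not in ACCESS_LEVELS:
        return False
    return ACCESS_LEVELS.index(requested_level) <= ACCESS_LEVELS.index(approver_level)


if __name__ == "__main__":
    arn = "arn:aws:codecommit:ap-south-1:123456789012:api"  # sample ARN, not a real account
    print(json.dumps(build_policy("api", "alice", "WRITE", arn), indent=2))
```

Restrictions are expressed as explicit Deny statements rather than by narrowing the Allow, so they hold even if the user picks up a broader Allow from another policy; the whitelist is subtracted last so a RepoUserWhitelistedBranches entry overrides every restriction source, matching the WRITE description above.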

S3

This section contains everything related to S3 buckets. With it you can:

  • Create/Update S3 Bucket

  • Create/Update S3 Memberships

Memberships

You can create S3 memberships for a specific object path with the access levels below (more than one can be selected).

  • Full access: Full Access to the S3 Bucket Objects (Read, write, and delete objects)

  • List access: List Access to the S3 Bucket Objects

  • Read access: Read Access to the S3 Bucket Objects

  • Write access: Write Access to the S3 Bucket Objects

  • Delete access: Delete Access to the S3 Bucket Objects

Actions Approval:

Any member of s3-managers can approve these actions.

AWS IAM Users

This section contains everything related to IAM. With it you can:

  • Create/Update User

Developers

When creating or updating a user, tick the Is developer field if the user is a developer, so that the required permissions are attached to the user.

Regenerate Codecommit policy

You can regenerate the CodeCommit policies by navigating to IAM Users -> select the user -> choose Regenerate Codecommit perms

Reset Password

You can reset an IAM user's password by navigating to IAM Users -> select the user -> choose Reset User password

Code Build

This section contains everything related to CodeBuild projects. With it you can:

  • Create/Update Project

  • Start Builds

  • Create/Update Memberships

Memberships

  • BUILD_STATUS: Can View the Build status of the specified Build.

  • BUILD_LOGS: Can View Build status, and Build logs of the specified Build.

  • MANAGE: Full access to the specified project except the Delete Project action.

Actions Approval:

The approver must hold a MANAGE membership in the CodeBuild project.

Other Codebuild features

  • Custom Docker Image:

If your CodeBuild project uses a custom base image, tick the custom_docker_image field on the CodeBuild project so that the permissions the project needs are attached to the project's service role.

  • Environment Variables:

Environment variables can be provided in two ways: as plaintext values or as Parameter Store values. Use Parameter Store for anything secret: a plaintext value is stored in the project definition and visible to anyone who can view the project, whereas a Parameter Store reference is only resolved at build time.

For plaintext values the syntax is:

{
    "name": "MY_ENV",
    "value": "my_value",
    "type": "PLAIN_TEXT"
}

For Parameter Store values, provide either a Parameter Store path or a value, but not both

  • Providing name and value

{
    "name": "CUSTOM_AWS_SECRET_ACCESS_KEY",
    "value": "my_s3cr3t_value",
    "type": "PARAMETER_STORE"
}

If you provide a value like the above, a Parameter Store object is created at the path /Codebuild/<PROJECT_NAME>/CUSTOM_AWS_SECRET_ACCESS_KEY with the given value, and the environment variable references that path

  • Providing the name and path

{
    "name": "CUSTOM_AWS_SECRET_ACCESS_KEY",
    "type": "PARAMETER_STORE",
    "path": "/CodeBuild/devops-console-alpha/CUSTOM_AWS_SECRET_ACCESS_KEY"
}

If you provide a path like the above, the environment variable is set directly with the given name and its value is read from the given path
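The three environment-variable shapes above, resolved into the form the CodeBuild project API takes (type PLAINTEXT or PARAMETER_STORE, with the value of a PARAMETER_STORE entry being the parameter name), as an added example written for this page; it is not the console's own code. FakeParameterStore is a constructed stand-in for a boto3 SSM client that accepts the same put_parameter keyword arguments, so the example runs offline; resolve_env_vars() and the SecureString/Overwrite choices are assumptions, while the /Codebuild/<PROJECT_NAME>/<NAME> convention comes from the page.

```python
"""Turn the page's environment-variable entries into CodeBuild environmentVariables.

Added example for this page, not the DevOps Console's own code. FakeParameterStore
is a constructed stand-in for boto3's SSM client; resolve_env_vars() and the
SecureString/Overwrite choices are assumptions.
"""


class FakeParameterStore:
    """Minimal stand-in for boto3 SSM: same put_parameter keyword arguments, in memory."""

    def __init__(self):
        self.params = {}

    def put_parameter(self, Name, Value, Type, Overwrite=False):
        if Name in self.params and not Overwrite:
            raise ValueError(f"parameter {Name} already exists")
        self.params[Name] = {"Value": Value, "Type": Type}
        return {"Version": 1}


def resolve_env_vars(project_name, entries, ssm):
    """Return CodeBuild environmentVariables entries.

    PLAIN_TEXT entries pass through as type PLAINTEXT. PARAMETER_STORE entries
    with an inline value are first written to /Codebuild/<project>/<NAME> as a
    SecureString; entries with a path reference that path directly. Giving both
    value and path, or neither, is rejected.
    """
    out = []
    seen = set()
    for entry in entries:
        name, kind = entry["name"], entry["type"]
        if name in seen:
            raise ValueError(f"duplicate environment variable {name}")
        seen.add(name)
        if kind == "PLAIN_TEXT":
            if "path" in entry:
                raise ValueError(f"{name}: PLAIN_TEXT entries take a value, not a path")
            out.append({"name": name, "value": entry["value"], "type": "PLAINTEXT"})
        elif kind == "PARAMETER_STORE":
            has_value, has_path = "value" in entry, "path" in entry
            if has_value == has_path:
                raise ValueError(f"{name}: provide exactly one of value or path")
            if has_value:
                path = f"/Codebuild/{project_name}/{name}"
                # SecureString keeps the inline secret encrypted at rest in SSM;
                # Overwrite lets a re-approved action refresh the value.
                ssm.put_parameter(Name=path, Value=entry["value"], Type="SecureString", Overwrite=True)
            else:
                path = entry["path"]
            # For PARAMETER_STORE the CodeBuild "value" is the parameter name, never the secret.
            out.append({"name": name, "value": path, "type": "PARAMETER_STORE"})
        else:
            raise ValueError(f"{name}: unknown type {kind!r}")
    return out


if __name__ == "__main__":
    # Constructed sample entries, mirroring the three shapes on the page.
    store = FakeParameterStore()
    sample = [
        {"name": "MY_ENV", "value": "my_value", "type": "PLAIN_TEXT"},
        {"name": "CUSTOM_AWS_SECRET_ACCESS_KEY", "value": "my_s3cr3t_value", "type": "PARAMETER_STORE"},
        {"name": "DB_PASSWORD", "type": "PARAMETER_STORE",
         "path": "/CodeBuild/devops-console-alpha/DB_PASSWORD"},
    ]
    for var in resolve_env_vars("devops-console-alpha", sample, store):
        print(var)
    print(sorted(store.params))
```

Whatever the console sends to CodeBuild, the secret itself should only ever live in Parameter Store: in the resolved list the PARAMETER_STORE entries carry the parameter name, so a BatchGetProjects call or a console screenshot does not expose the value.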

Publishing Packages

If you publish a package from a CodeBuild project, fill in the Code Artifact Packages section so that the required permissions are generated for the CodeBuild project's service role.

  • Codeartifact domain: The domain to which you publish the package (for the nxtwave account, the domain is nxtwave)

  • Codeartifact repo: The CodeArtifact repo to which you publish the package; generally the repo is npm for node packages and pypi for python packages

  • Codeartifact package: Your package name without its namespace; if the package name is @nw/api-constants, fill in api-constants

Reset Service Role

To reset or regenerate the CodeBuild project's service role, select the CodeBuild project and choose the Reset project default Role Policy action.

CloudFront

This section contains everything related to CloudFront. With it you can:

  • Invalidate Cloudfront distribution cache

CloudWatch

This section contains everything related to CloudWatch. With it you can:

  • Create/Update Cloudwatch Log Memberships

Memberships

  • READ: Can view, search, and filter logs of the specified log group.

RDS

This section contains everything related to RDS. With it you can:

Create a Database in an RDS Instance (VPC configured).

  • Create a VPC object whose config looks like the below:

    • lambda_function_for_rds_operations is the Lambda function deployed in the VPC that is used for RDS operations.

    {
        "rds_config": {
            "lambda_function_for_rds_operations": "devops-console-rds-proxy-vpc1"
        }
    }
  • Create an RDS Instance object with its identifier, host_endpoint, port, etc.

  • Create RDS Credentials for the instance added above (the password is encrypted with the user's auth_code before saving)

  • Then create an RDS Database object, selecting the appropriate VPC, RDS Instance and Credentials to use.

Environment Setup

This section contains everything related to Environment Setup. With it you can:

  • Create S3WebFrontend

S3WebFrontend

With this, the following things can be done:

  • Create S3 Bucket

  • Make Bucket Static website

  • Create Cloudfront Distribution for this Website

  • Create route53 record with Cloudfront distribution endpoint

  • Create Web Deploy User

Miscellaneous

Actions

In the DevOps Console an Action is created for every operation; it must be approved by an authorized reviewer before the change is applied.

You have two choices here:

  • Approve Action: approve the action by entering your auth code

  • Reject Action: reject the action (a rejection cannot be undone)

Tasks

For every approved action a Task is created; you can check the status of the action in this task.

If a task fails for any reason, you can retry it by clicking the Retry button on the task page, or by selecting the task and choosing the Retry Task action.

Issues

  • Scripts to Sync Updates in AWS -> DB

    • SYNC_CODECOMMIT_REPOS_TO_DB:

      • While syncing changes from AWS to the DB, fetching the current maintainer of a CodeCommit repo may fail with a Throttling error; in that case the maintainer check is skipped and a log entry is written instead.
