DevOps Console
Cloud Resources Management Console and Other DevOps services toolkit

For Admin

Auth Groups and Their Access Levels

- devops-console-users: Console_Read (view access to all required models)
- devops-console-reviewers: Console_Read + create/update access to the Action and Task models
- codecommit-admins: Console_Read + create/update/delete access to the CodeCommit-related models
- codecommit-managers: Console_Read + create/update access to the CodeCommit-related models on which the user has a manager membership; can also create a Repository
- codebuild-admins: Console_Read + create/update/delete access to the CodeBuild-related models
- codebuild-managers: Console_Read + create/update access to the CodeBuild-related models on which the user has a manager membership; can also create a Project
- environment-setup-admins: Console_Read + create/update/delete access to the Environment Setup models
- environment-setup-managers: Console_Read + create/update access to the Environment Setup-related models
- s3-managers: Console_Read + create/update access to the S3-related models
Create Reviewers

Reviewers are the users who approve the actions in the DevOps Console. To create a reviewer, follow the steps below.

Create Auth User
- Create the user in the USERS & GROUPS -> Users model.
- Add staff status for the user (tick the checkbox).
- Add the user to the devops-console-reviewers group.

Create Reviewer
- Create a reviewer in the REVIEWER -> Reviewers model.
- Choose the Associated Login User (the user created in the step above) and the Associated IAM User.
- Choose Accounts allowed (the accounts for which the user is a reviewer).
- Choose all models in Allowed Models to Approve.
- Set the Auth code: the reviewer uses this code to approve actions.

Allocate Credentials
We can allocate credentials for a reviewer in AWS ACCOUNT -> AWS Credentials:
- Select the Credentials object associated with the Console Admin.
- Choose the Allocation of creds to Selected Reviewer action and click Go.
- Choose the reviewer object to allocate the credentials to.
- Enter the Admin Auth Code.
- Approve the action.
The above steps generate the credentials the reviewer needs to approve actions (for a specific AWS account).

Reset/Update Reviewer Auth Code
- A reviewer can update their auth code by selecting the Reviewer object in REVIEWER -> Reviewers and choosing the Update Auth Code action.
- Only the Admin can reset a reviewer's auth code, by selecting the Reviewer object in REVIEWER -> Reviewers and choosing the Reset Auth Code action.
AWS Account Config

Every AWS account object has an account-level configuration specified in the config field, with the following keys:

- developer_group_name: A common IAM group with the minimum required permissions for all developers. (Default: developer-1)
- code_build_trigger_lambda_func_arn: Lambda function for the CodeBuild trigger. When you configure a CodeBuild project for a specific branch of a repo, this function is triggered on changes to that branch.
- code_artifact_domain_name: Domain name of the CodeArtifact domain from which pip or npm packages are installed. Read-access permission for this domain is added to the developers' group, so that users can install packages with their credentials.
- code_artifact_pypi_packages_repo_name: Repo name for PyPI packages (default: pypi); used while generating the common developer perms and the CodeBuild project perms.
- code_artifact_npm_packages_repo_name: Repo name for npm packages (default: npm); used while generating the common developer perms and the CodeBuild project perms.
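The following is an added example (not the console's own code) of how the config field above can be loaded with the documented defaults applied, unknown keys rejected, and the trigger ARN sanity-checked, and of the CodeArtifact domain and repository ARNs a read-only policy for the developer group would be scoped to. The sample config, the region, the account id and the function name are constructed placeholders; the console's real loader is not shown on this page.

```python
"""Load a per-account config with the documented defaults (added example)."""
import re

# Defaults exactly as documented for the config field.
CONFIG_DEFAULTS = {
    "developer_group_name": "developer-1",
    "code_artifact_pypi_packages_repo_name": "pypi",
    "code_artifact_npm_packages_repo_name": "npm",
}
KNOWN_KEYS = set(CONFIG_DEFAULTS) | {
    "code_build_trigger_lambda_func_arn",
    "code_artifact_domain_name",
}
# Shape of a Lambda function ARN; a typo here would silently disable the trigger.
LAMBDA_ARN_RE = re.compile(
    r"^arn:aws:lambda:[a-z0-9-]+:\d{12}:function:[A-Za-z0-9_-]+$"
)


def load_account_config(raw):
    """Return the config with defaults applied.

    Unknown keys are rejected rather than ignored, and a malformed
    trigger ARN is rejected up front instead of failing at first use.
    """
    unknown = set(raw) - KNOWN_KEYS
    if unknown:
        raise ValueError(f"unknown config keys: {sorted(unknown)}")
    cfg = {**CONFIG_DEFAULTS, **raw}
    arn = cfg.get("code_build_trigger_lambda_func_arn")
    if arn is not None and not LAMBDA_ARN_RE.match(arn):
        raise ValueError(f"not a Lambda function ARN: {arn}")
    return cfg


def codeartifact_read_resources(cfg, region, account_id):
    """ARNs (standard CodeArtifact ARN format) that a read-only policy for
    the developer group would name: the domain plus the pypi and npm repos.
    Returns an empty list when no domain is configured."""
    domain = cfg.get("code_artifact_domain_name")
    if not domain:
        return []
    base = f"arn:aws:codeartifact:{region}:{account_id}"
    return [
        f"{base}:domain/{domain}",
        f"{base}:repository/{domain}/{cfg['code_artifact_pypi_packages_repo_name']}",
        f"{base}:repository/{domain}/{cfg['code_artifact_npm_packages_repo_name']}",
    ]


# Constructed sample config; the ARN, account id and domain are placeholders.
SAMPLE_CONFIG = {
    "code_build_trigger_lambda_func_arn":
        "arn:aws:lambda:us-east-1:123456789012:function:codebuild-trigger",
    "code_artifact_domain_name": "example-domain",
}

if __name__ == "__main__":
    cfg = load_account_config(SAMPLE_CONFIG)
    print(cfg)
    print(codeartifact_read_resources(cfg, "us-east-1", "123456789012"))
```

Rejecting unknown keys is the main defensive choice here: a misspelled key such as `developer_group_nme` would otherwise fall back to the default group without anyone noticing.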
Scripts to Sync Updates in AWS -> DB

Model: OTHERS > Scripts

To keep the resources in sync, the scripts below check for changes in AWS and apply them to the DB: a resource is created if it does not exist in the DB, updated if it already exists, and marked DELETED_IN_AWS if it was deleted in AWS.

- SYNC_IAM_USERS_TO_DB
- SYNC_CODECOMMIT_REPOS_TO_DB
- SYNC_S3_BUCKETS_TO_DB
- SYNC_CODEBUILD_PROJECTS_TO_DB
- SYNC_CF_DISTRIBUTIONS_TO_DB
- SYNC_SSM_PARAMETERS_TO_DB
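As an added example (not the console's own scripts), the reconciliation rule stated above, create if missing, update if present, flag DELETED_IN_AWS if gone, written as one function over an in-memory table. The `DbRecord` class, the `ACTIVE` status name and the repository listings are constructed stand-ins for the console's models and the AWS list calls; that a flagged resource which reappears in AWS is set back to active is an assumption, since the page does not say how that case is handled.

```python
"""Reconcile an AWS resource listing into a DB table (added example)."""
from dataclasses import dataclass, field

DELETED_IN_AWS = "DELETED_IN_AWS"
ACTIVE = "ACTIVE"  # assumed status name for a resource that still exists


@dataclass
class DbRecord:
    name: str
    attrs: dict
    status: str = ACTIVE


@dataclass
class SyncReport:
    created: list = field(default_factory=list)
    updated: list = field(default_factory=list)
    deleted_in_aws: list = field(default_factory=list)


def sync_to_db(aws_resources, db):
    """Apply the AWS view onto `db` (a dict keyed by resource name).

    aws_resources: {name: attrs} as listed from AWS.
    Rows are never physically deleted: a resource gone from AWS keeps its
    row and is flagged DELETED_IN_AWS, so memberships and history stay
    auditable and a stale row cannot be mistaken for a live resource.
    """
    report = SyncReport()
    for name, attrs in aws_resources.items():
        rec = db.get(name)
        if rec is None:
            db[name] = DbRecord(name, dict(attrs))
            report.created.append(name)
        elif rec.attrs != attrs or rec.status != ACTIVE:
            # Changed in AWS, or previously flagged and now back (assumption).
            rec.attrs = dict(attrs)
            rec.status = ACTIVE
            report.updated.append(name)
    for name, rec in db.items():
        if name not in aws_resources and rec.status != DELETED_IN_AWS:
            rec.status = DELETED_IN_AWS
            report.deleted_in_aws.append(name)
    return report


# Constructed sample: what "list repositories" returned vs. what the DB holds.
AWS_REPOS = {
    "api-service": {"default_branch": "main"},
    "web-frontend": {"default_branch": "develop"},
}
DB_REPOS = {
    "api-service": DbRecord("api-service", {"default_branch": "master"}),
    "legacy-worker": DbRecord("legacy-worker", {"default_branch": "main"}),
}

if __name__ == "__main__":
    table = {k: DbRecord(v.name, dict(v.attrs), v.status) for k, v in DB_REPOS.items()}
    print(sync_to_db(AWS_REPOS, table))
    print({k: v.status for k, v in table.items()})
```

The second loop is what makes the scripts safe to run repeatedly: a row already flagged DELETED_IN_AWS is not reported again, so a scheduled run produces an empty report when nothing changed.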
For Users

AWS Console

The AWS Console section covers the commonly used AWS services.

CodeCommit

This section holds everything related to CodeCommit repos. With it you can:
- Create/update a repo
- Add/remove contributors
- Restrict users to making changes on specific branches only
- Restrict users to making changes to a repo from specific IP addresses only
Memberships

Model: CodeCommit Repo Memberships

A membership grants a user access to a repo. The access levels that can be assigned are listed below (in ascending order):

- READ: Read access to the specified repo.
- WRITE: Read and write access to the specified repo, for all branches except those listed in GlobalRestrictedBranches, RepoSpecificRestrictedBranches and RepoUserRestrictedBranches. To let the user make changes in a branch regardless of the *-RestrictedBranches entries, create a RepoUserWhitelistedBranches entry for the user.
- CO_MANAGER_WITH_IP_RESTRICTIONS: Full access to the specified repo, but only from the allowed IP addresses. The allowed IP addresses can be customized in GlobalIPAddressWhitelist, RepoSpecificIPAddressWhitelist and RepoUserIPAddressWhitelist.
- CO_MANAGER: Full access to the specified repo. (Unlike MAINTAINER, co-manager perms are managed in AWS IAM policies.)
- MAINTAINER: Full access to the specified repo. (Perms are managed in CodeCommit resource tags.)

IP Address/Branch Restrictions

The restrictions below apply only if the user has a membership in the repo.

- GlobalIPAddressWhitelist: IP addresses from which CodeCommit resources can be accessed by any developer.
- GlobalRestrictedBranches: Branches to which access is restricted by default on all repos.
- RepoSpecificIPAddressWhitelist: Additional IP addresses allowed at the repo level.
- RepoSpecificRestrictedBranches: Additional restricted branches at the repo level.
- RepoUserRestrictedBranches: Additional restricted branches at the repo level for a specific user.
- RepoUserWhitelistedBranches: Whitelisted branches at the repo level for specific users.
- RepoUserIPAddressWhitelist: Whitelisted IP addresses at the repo level for specific users.

Actions Approval:
The user must have a MAINTAINER, CO_MANAGER or CO_MANAGER_WITH_IP_RESTRICTIONS membership in the respective repo.

Note: A user can only approve memberships with an access_level less than or equal to their own (the levels above are in ascending order); for example, CO_MANAGER can't approve a MAINTAINER access-level membership.
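To make the interaction of the restriction tables concrete, here is an added example (not the console's own code) that computes a user's effective restricted branches and allowed networks from the seven tables above, decides whether a push is allowed, and applies the approval rule from the Note. The tables are constructed dicts standing in for the console's models, keyed by repo or by (repo, user). One assumption is stated in the code: the IP check is applied only to CO_MANAGER_WITH_IP_RESTRICTIONS, the level the page ties to the whitelists; whether WRITE is also IP-bound is not stated on the page.

```python
"""Effective CodeCommit branch/IP restrictions and the approval rule (added example)."""
import ipaddress

# Ascending order, as the Note above states; list index is the rank.
ACCESS_LEVELS = ["READ", "WRITE", "CO_MANAGER_WITH_IP_RESTRICTIONS", "CO_MANAGER", "MAINTAINER"]
RANK = {level: i for i, level in enumerate(ACCESS_LEVELS)}
APPROVER_LEVELS = {"MAINTAINER", "CO_MANAGER", "CO_MANAGER_WITH_IP_RESTRICTIONS"}


def restricted_branches(tables, repo, user):
    """Global + repo-specific + repo-user restricted branches, minus the
    user's repo-level whitelist (which overrides every *-RestrictedBranches)."""
    restricted = set(tables["GlobalRestrictedBranches"])
    restricted |= set(tables["RepoSpecificRestrictedBranches"].get(repo, []))
    restricted |= set(tables["RepoUserRestrictedBranches"].get((repo, user), []))
    restricted -= set(tables["RepoUserWhitelistedBranches"].get((repo, user), []))
    return restricted


def allowed_networks(tables, repo, user):
    """Union of the global, repo-level and repo-user IP whitelists."""
    cidrs = list(tables["GlobalIPAddressWhitelist"])
    cidrs += tables["RepoSpecificIPAddressWhitelist"].get(repo, [])
    cidrs += tables["RepoUserIPAddressWhitelist"].get((repo, user), [])
    # strict=False lets a bare host address be given without "/32".
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def can_push(tables, membership, repo, user, branch, source_ip):
    """Whether a push to `branch` from `source_ip` is allowed.
    `membership` is the user's access level for the repo, or None."""
    if membership is None or RANK[membership] < RANK["WRITE"]:
        return False
    if membership == "CO_MANAGER_WITH_IP_RESTRICTIONS":
        # Assumption: only this level is IP-bound; it has no branch restriction.
        ip = ipaddress.ip_address(source_ip)
        return any(ip in net for net in allowed_networks(tables, repo, user))
    if membership == "WRITE":
        return branch not in restricted_branches(tables, repo, user)
    return True  # CO_MANAGER / MAINTAINER: full access


def can_approve_membership(approver_level, requested_level):
    """The approver needs one of the manager levels and may only approve
    a level no higher than their own."""
    if approver_level not in APPROVER_LEVELS:
        return False
    return RANK[requested_level] <= RANK[approver_level]


# Constructed sample tables (documentation IP ranges, invented branch names).
TABLES = {
    "GlobalRestrictedBranches": ["main", "release"],
    "RepoSpecificRestrictedBranches": {"api-service": ["hotfix"]},
    "RepoUserRestrictedBranches": {("api-service", "alice"): ["develop"]},
    "RepoUserWhitelistedBranches": {("api-service", "alice"): ["release"]},
    "GlobalIPAddressWhitelist": ["203.0.113.0/24"],
    "RepoSpecificIPAddressWhitelist": {"api-service": ["198.51.100.10/32"]},
    "RepoUserIPAddressWhitelist": {("api-service", "bob"): ["192.0.2.5"]},
}

if __name__ == "__main__":
    print(sorted(restricted_branches(TABLES, "api-service", "alice")))
    print(can_push(TABLES, "WRITE", "api-service", "alice", "release", "203.0.113.9"))
    print(can_approve_membership("CO_MANAGER", "MAINTAINER"))
```

Note the order of operations in `restricted_branches`: the whitelist is subtracted after all three restriction sets are merged, which is what lets a per-user whitelist entry win over a global restriction, as the WRITE description above says it should.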
S3

This section holds everything related to S3 buckets. With it you can:
- Create/update an S3 bucket
- Create/update S3 memberships

Memberships

You can create S3 memberships for a specific object path with the access levels below (you can select multiple):
- Full access: Full access to the S3 bucket objects (read, write and delete objects)
- List access: List access to the S3 bucket objects
- Read access: Read access to the S3 bucket objects
- Write access: Write access to the S3 bucket objects
- Delete access: Delete access to the S3 bucket objects

Actions Approval:
Any member of s3-managers can approve the actions.
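The following added example (not the console's own policy generator) shows how an S3 membership for one object path can be turned into a least-privilege IAM policy confined to that path. The mapping of the five access levels to S3 actions is an assumption made for the example; the page does not state which actions the console grants. The bucket name and path are constructed.

```python
"""Translate an S3 path membership into a path-scoped IAM policy (added example)."""

# Assumed level -> action mapping; the console's actual mapping is not on the page.
LEVEL_ACTIONS = {
    "List access": ["s3:ListBucket"],
    "Read access": ["s3:GetObject"],
    "Write access": ["s3:PutObject"],
    "Delete access": ["s3:DeleteObject"],
}
# "Full access" is read + write + delete, following the page's wording;
# listing is a separately selectable level and is not implied.
LEVEL_ACTIONS["Full access"] = (
    LEVEL_ACTIONS["Read access"] + LEVEL_ACTIONS["Write access"] + LEVEL_ACTIONS["Delete access"]
)


def membership_policy(bucket, object_path, levels):
    """Build a policy document granting `levels` on `object_path` only.

    Object actions are scoped to arn:aws:s3:::bucket/path/*. ListBucket is a
    bucket-level action, so it is granted on the bucket ARN with an s3:prefix
    condition that confines listings to the same path.
    """
    path = object_path.strip("/")
    prefix = f"{path}/" if path else ""
    object_actions, statements = set(), []
    for level in levels:
        if level not in LEVEL_ACTIONS:
            raise ValueError(f"unknown access level: {level}")
        for action in LEVEL_ACTIONS[level]:
            if action == "s3:ListBucket":
                statements.append({
                    "Effect": "Allow",
                    "Action": "s3:ListBucket",
                    "Resource": f"arn:aws:s3:::{bucket}",
                    "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
                })
            else:
                object_actions.add(action)
    if object_actions:
        statements.append({
            "Effect": "Allow",
            "Action": sorted(object_actions),
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    import json
    # Constructed membership: list + read on reports/2024 in example-bucket.
    print(json.dumps(membership_policy("example-bucket", "/reports/2024/", ["List access", "Read access"]), indent=2))
```

Without the `s3:prefix` condition, a "List access" membership on one path would let the user enumerate every key in the bucket, which is the usual way a path-scoped grant quietly becomes a bucket-wide one.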
AWS IAM Users

This section holds everything related to IAM. With it you can:
- Create/update a user

Developers
While creating or updating a user, check the Is developer field if the user is a developer, so that the required permissions are attached to the user.

Regenerate CodeCommit policy
You can regenerate CodeCommit policies by navigating to IAM Users -> select the user -> choose Regenerate Codecommit perms.

Reset Password
You can reset an IAM user's password by navigating to IAM Users -> select the user -> choose Reset User password.
CodeBuild

This section holds everything related to CodeBuild projects. With it you can:
- Create/update a project
- Start builds
- Create/update memberships

Memberships
- BUILD_STATUS: Can view the build status of the specified build.
- BUILD_LOGS: Can view the build status and build logs of the specified build.
- MANAGE: Full access to the specified project except for the Delete Project action.

Actions Approval:
The user must have a MANAGE membership in the CodeBuild project.

Other CodeBuild features

Custom Docker Image:
If you're using a custom base image for your CodeBuild project, check the custom_docker_image field on the CodeBuild project, so that the permissions the project needs are attached to the project service role.
Environment Variables:
You can provide environment variables in two ways: as plaintext values or as Parameter Store values.

For plaintext values, the variable name and its value are given directly.

For Parameter Store values, you can provide either a Parameter Store object path or a value, but not both.

Providing name and value:
If you provide a value, a Parameter Store object is created with the path /Codebuild/<PROJECT_NAME>/CUSTOM_AWS_SECRET_ACCESS_KEY and the given value.

Providing name and path:
If you provide a path, the environment variable is set directly with the given name, and its value is read from the given path.
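As an added example (not the console's own code), the three variable forms above resolved into the entries CodeBuild accepts in `environment.environmentVariables` (types PLAINTEXT and PARAMETER_STORE are real CodeBuild values) plus the list of parameters that would have to be written to Parameter Store first. Two assumptions are made and marked in the code: the path /Codebuild/<PROJECT_NAME>/CUSTOM_AWS_SECRET_ACCESS_KEY quoted above generalizes to /Codebuild/<PROJECT_NAME>/<VAR_NAME>, and the created parameter is a SecureString. The project name, variable names and values are constructed placeholders.

```python
"""Resolve console env-var specs into CodeBuild entries and Parameter Store writes (added example)."""


def param_store_path(project_name, var_name):
    # Assumption: the documented path generalizes to /Codebuild/<PROJECT>/<VAR_NAME>.
    return f"/Codebuild/{project_name}/{var_name}"


def resolve_env_vars(project_name, specs):
    """specs: list of dicts with keys name, kind ("plaintext" | "parameter_store"),
    and value and/or path. Returns (env_vars, parameters_to_create).

    Rejects a Parameter Store spec that carries both a path and a value, as
    the page requires, and rejects duplicate names so a later entry cannot
    silently shadow an earlier one.
    """
    env_vars, to_create, seen = [], [], set()
    for spec in specs:
        name = spec["name"]
        if name in seen:
            raise ValueError(f"duplicate environment variable: {name}")
        seen.add(name)
        kind = spec.get("kind", "plaintext")
        value, path = spec.get("value"), spec.get("path")
        if kind == "plaintext":
            if value is None or path is not None:
                raise ValueError(f"{name}: plaintext variables take a value only")
            env_vars.append({"name": name, "value": value, "type": "PLAINTEXT"})
        elif kind == "parameter_store":
            if (value is None) == (path is None):
                raise ValueError(f"{name}: give a Parameter Store path or a value, not both")
            if value is not None:
                # Value given: create the parameter, then point the variable at it.
                path = param_store_path(project_name, name)
                # Assumption: stored as SecureString; the page does not say.
                to_create.append({"Name": path, "Value": value, "Type": "SecureString"})
            env_vars.append({"name": name, "value": path, "type": "PARAMETER_STORE"})
        else:
            raise ValueError(f"{name}: unknown kind {kind!r}")
    return env_vars, to_create


# Constructed sample specs; the secret value is a placeholder.
SAMPLE_SPECS = [
    {"name": "NODE_ENV", "kind": "plaintext", "value": "production"},
    {"name": "CUSTOM_AWS_SECRET_ACCESS_KEY", "kind": "parameter_store", "value": "<placeholder-secret>"},
    {"name": "DB_PASSWORD", "kind": "parameter_store", "path": "/shared/db/password"},
]

if __name__ == "__main__":
    env, create = resolve_env_vars("api-service", SAMPLE_SPECS)
    print(env)
    print(create)
```

The point of the PARAMETER_STORE type is that the secret value never appears in the project definition itself, only the parameter path does; the plaintext form should be kept for genuinely non-sensitive settings such as `NODE_ENV`.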
Publishing Packages
If you're publishing a package using the CodeBuild project, fill in the Code Artifact Packages section so that the required permissions are generated for the CodeBuild project service role.
- Codeartifact domain: Domain on which you will be publishing the package (for the nxtwave account, the domain is nxtwave).
- Codeartifact repo: CodeArtifact repo to which you will be publishing your package; generally the repo is npm for Node packages and pypi for Python packages.
- Codeartifact package: Your package name, without the namespace if it has one; if your package name is @nw/api-constants, fill in api-constants.

Reset Service Role
You can reset/regenerate the CodeBuild project service role: select the CodeBuild project and choose the Reset project default Role Policy action.
CloudFront

This section holds everything related to CloudFront. With it you can:
- Invalidate a CloudFront distribution's cache

CloudWatch

This section holds everything related to CloudWatch. With it you can:
- Create/update CloudWatch log memberships

Memberships
- READ: Can view, search and filter logs of the specified log group.

RDS

This section holds everything related to RDS. With it you can:
- Create a database in an RDS instance (VPC configured).

Steps:
- Create a VPC object, whose config contains lambda_function_for_rds_operations: the Lambda function deployed in the VPC that is used for RDS operations.
- Create an RDS Instance object with the respective identifier, host_endpoint, port, etc.
- Create RDS Credentials for the instance added above (the password is encrypted with the user's auth_code before saving).
- Then create an RDS Database object by selecting the appropriate VPC, RDS Instance and Credentials to use.

Environment Setup

This section holds everything related to Environment Setup. With it you can:
- Create an S3WebFrontend

S3WebFrontend
With this, the following things can be done:
- Create an S3 bucket
- Make the bucket a static website
- Create a CloudFront distribution for this website
- Create a Route 53 record with the CloudFront distribution endpoint
- Create a web deploy user
Miscellaneous

Actions
In the DevOps Console an action is created for every operation, and it must be approved by an authorized reviewer before the change is applied.
You have two choices here:
- Approve Action: Approve the action by entering the auth code.
- Reject Action: Reject the action (an action can't be undone once rejected).

Tasks
For every approved action one task is created; you can check the status of the action in this task.
If a task fails for any reason, you can retry it by clicking the Retry button on the task page, or by selecting the task and choosing the Retry Task action.
Issues

Scripts to Sync Updates in AWS -> DB
- SYNC_CODECOMMIT_REPOS_TO_DB: While syncing the changes in AWS to the DB, we might get a throttling error while fetching the current maintainer of the CodeCommit repo. In this case the maintainer check is skipped and a log entry is added instead.