Add details on requirements for regions (#1175)
### Feature or Bugfix
- Bugfix

### Detail
- Add more details about requirement of tooling account region =
deployment accounts regions

### Relates
- #1086 

### Security
Please answer the questions below briefly where applicable, or write
`N/A`. Based on
[OWASP 10](https://owasp.org/Top10/en/). `N/A`

- Does this PR introduce or modify any input fields or queries - this
includes
fetching data from storage outside the application (e.g. a database, an
S3 bucket)?
  - Is the input sanitized?
- What precautions are you taking before deserializing the data you
consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires
authorization?
- How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use standard, proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
dlpzx authored Apr 15, 2024
1 parent 452ee6b commit 27461c5
Showing 1 changed file with 10 additions and 5 deletions.
15 changes: 10 additions & 5 deletions pages/deploy/deploy_aws.md
Expand Up @@ -52,7 +52,10 @@ data.all to multiple environments on the same or multiple AWS accounts (e.g dev,
with `internet_facing` set to true, `us-east-1` is required for the deployment of some frontend components.
Backend resources can be hosted in any region given that the AWS services used are available.

**Note**: If you are not deploying data.all in production mode, you could use the same AWS account as the Tooling
**Important**: the selected region for the tooling account and for the backend resources (deployment account) MUST be
the same one.

If you are not deploying data.all in production mode, you could use the same AWS account as the Tooling
and the Deployment account.

Make sure that the AWS services used in data.all are available in the Regions you choose for tooling and deployment.
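Review bot: the new **Important** note sits two lines under the sentence saying `us-east-1` is required for some frontend components, and a reader can take the two as contradicting each other; phrase it as the selected (primary) deployment region and say that the `us-east-1` requirement for frontend components is separate and unchanged. It would also help to state in one sentence what fails when the two regions differ, or at least to point to #1086, so someone who hits that failure can connect it to this requirement.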
Expand Down Expand Up @@ -120,6 +123,8 @@ It needs to be bootstrapped with CDK in 2 regions, your selected region and us-e
The **Deployment** account(s) is where the data.all application infrastructure will be deployed.
Each of the deployment account(s) needs to be bootstrapped with CDK in 2 regions, your selected region and us-east-1.

Remember that the selected region for the tooling account and for the backend resources (deployment account) MUST be
the same one.

Run the commands below with the AWS credentials of the tooling account:

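Review bot: this repeats the note from the first hunk almost verbatim but under a different label ("Remember that" instead of "**Important**"); use the same bold label in both places so the requirement is findable by search. Since the preceding sentence talks about multiple deployment accounts, make the scope explicit, for example "the selected region of every deployment account MUST be the same as the tooling account region", because as written a reader could think only one deployment account is constrained.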
Expand Down Expand Up @@ -235,7 +240,7 @@ and find 2 examples of cdk.json files.
| ---------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| envname | REQUIRED | The name of the deployment environment (e.g dev, qa, prod,...). It must be in lower case without any special character. |
| account | REQUIRED | The AWS deployment account (deployment account N) |
| region | REQUIRED | The AWS deployment region |
| region | REQUIRED | The AWS deployment region - Must be the same as the `tooling_region` |
| with_approval | Optional | If set to **true** an additional step on AWS CodePipeline to require user approval before proceeding with the deployment. (default: false) |
| vpc_id | Optional | The VPC ID for the deployment account. If not provided, **a new VPC** will be created. |
| vpc_endpoints_sg | Optional | The VPC endpoints security groups to be use by AWS services to connect to VPC endpoints. If not assigned, NAT outbound rule is used. |
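Review bot: the edited row references `tooling_region`, which is not one of the rows visible in this table (envname, account, region, with_approval, ...); name or link the place where `tooling_region` is documented so the reader knows it is a separate setting and where it is set. The edited row also no longer pads to the table's column widths, which renders fine but is inconsistent with the surrounding rows.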
Expand Down Expand Up @@ -301,7 +306,7 @@ deploy to 2 deployments accounts.
{
"envname": "dev",
"account": "000000000000",
"region": "eu-west-1",
"region": "eu-west-2",
"with_approval": false,
"internet_facing": true,
"prod_sizing": false,
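Review bot: changing the example's `region` from `eu-west-1` to `eu-west-2` only makes the example consistent with the new rule if the same file's `tooling_region` is also `eu-west-2`, and that line is outside this hunk; please confirm it was updated (or include it in the diff), otherwise the example contradicts the rule it is meant to illustrate.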
Expand All @@ -312,7 +317,7 @@ deploy to 2 deployments accounts.
{
"envname": "prod",
"account": "111111111111",
"region": "eu-west-1",
"region": "eu-west-2",
"with_approval": true,
"internet_facing": false,
"vpc_id": "vpc-0987654321EXAMPLE",
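Review bot: with both the `dev` (account 000000000000) and `prod` (account 111111111111) environments now on `eu-west-2`, this example is the clearest illustration of the requirement that every deployment environment shares the tooling region; a one-line remark next to the example saying so would make the point land, since the rule is currently stated only in the prose sections further up.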
Expand Down Expand Up @@ -360,7 +365,7 @@ deploy to 2 deployments accounts.
{
"envname": "dev",
"account": "000000000000",
"region": "eu-west-1",
"region": "eu-west-2",
"with_approval": false,
"internet_facing": true,
"prod_sizing": false,
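Review bot: same check as for the first example file: the `tooling_region` of this second cdk.json example is not in the hunk, so confirm it is `eu-west-2` as well; and if this second example defines more environments than the `dev` block shown here, their `region` values also need to match.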

0 comments on commit 27461c5