Upload Code to Aws Govcloud for Deployment
Note: S3 Buckets created are PUBLICLY EXPOSED. Please stay within your company's security posture.
Amazon Web Services (AWS) has multiple Identity partitions: AWS, AWS GovCloud (US), and AWS China. You can see these represented in their ARNs (arn:aws, arn:aws-us-gov, arn:aws-cn). For security, services like Amazon Simple Storage Service (Amazon S3) do not have access to credentials beyond their boundaries, which can make it difficult to transfer data from within one Identity boundary to another.
There is a new tool, though, that reduces time and complexity for customers migrating their workloads into AWS GovCloud (US): gov-cloud-import.
With gov-cloud-import, you have a web-based UI that allows you to import an AMI or Snapshot from AWS to AWS GovCloud (US) (up to 100GiB). Within the same tool, you can input an S3 bucket and an AWS GovCloud (US) Destination Bucket and perform one-way synchronizations (up to 1TiB).
Install the Script
To get started, you must first run the installation shell script. The installation script deploys two CloudFormation Templates, one in AWS and one in AWS GovCloud (US).
In AWS GovCloud (US), we deploy an S3 Bucket (for importing images only) and IAM resources to make the necessary API calls for importing. In AWS, we deploy Step Functions, EC2, Lambda, SSM, S3, and SNS. Step Functions controls the workflow as well as showing progress. The EC2 Worker is used for the actual transfer of images or synchronization of buckets. AWS Lambda is used for calling all other functions in the workflow. SSM Parameter Store securely keeps sensitive keys and other parameters necessary to the overall application. S3 houses the user interface to gov-cloud-import. SNS is used for notification at the end of an import.
Prior to install, remove the vmimport role from AWS GovCloud (US) if it exists. The script should be able to install with any Bash shell (tested on macOS and Amazon Linux) and the AWS CLI. You'll need API keys with admin privileges for AWS and AWS GovCloud (US). Installation takes a few minutes and will share the progress during that time. When finished, it will give you a URL to access the Web UI. See the sample install below. Please note the errors: these are from checking whether the gov-cloud-import CloudFormation stack exists. If it doesn't exist, the AWS CLI directs errors to stdout.
git clone https://github.com/awslabs/aws-gov-cloud-import.git
cd aws-gov-cloud-import
chmod +x gov-cloud-import-install.sh
./gov-cloud-import-install.sh
Using gov-cloud-import-image
Browse to the URL output by the installation script. You need keys that allow for lambda-invoke, lambda-list, and ec2-describeRegions. Browse to the API Key page, enter the keys, and click validate. Then click notifications if you would like to add your email or phone (SMS) alerts.
For importing images, input an AMI or Snapshot ID. The AMI or Snapshot must be owned by the account and contain a single volume. While the input field checks the format of the string, it does not check permissions. Select the OS and Source/Destination Regions. Verify your input with a dialog box and import. You'll receive a State Machine Execution ARN for the import job. Click to open it in a new tab and watch the progress.
Using gov-cloud-import-s3
For importing S3 buckets, you must give gov-cloud-import permissions to the source and destination buckets. Download the sample policy and change it to fit your needs. Then click the link for permissions and install your policy inline to the us-goc-import-ec2role. Click on the second link for permissions and install your second inline policy for the user gov-cloud-import-user.
Once permissions are set, proceed to the Import S3 page. From the first drop-down menu, select your source. From the second drop-down menu, select your destination. Verify your input and submit.
After submitting, a link to the S3 Sync logs will appear, which keeps a text log of time, source, and destination for each file synchronized.
Using gov-cloud-import via AWS SDK
If you want to build gov-cloud-import into your application, here are sample calls in JavaScript that can be used with the AWS SDK to start an import. Be sure to find the correct FunctionName, as CloudFormation suffixes randomize characters. These can be sent to us-west-2 or us-east-2 depending on which AWS GovCloud (US) Region (and adjacent AWS Region) you have installed and will use to import images.
For Importing Images:
// initStepFunction holds the Lambda FunctionName from the CloudFormation stack
// (the suffix is randomized, so look it up after install); lambda is an AWS.Lambda client
function initImportImage(lambda){
  return new Promise((resolve, reject) => {
    let image = 'ami-1234abcd'; /*AMI or Snapshot ID*/
    let os = 'Windows'; /*Windows or Linux*/
    let region = 'us-east-1'; /*Source AWS Region*/
    //Params for Lambda invoke
    let params = {
      FunctionName : initStepFunction,
      InvocationType : 'RequestResponse',
      LogType : 'Tail',
      Payload : JSON.stringify({"image": image, "region": region, "os": os})
    };
    // Call the Lambda function
    lambda.invoke(params, function(err, data) {
      if (err) { reject(err); } else { resolve(data); }
    });
  });
}
For Importing from S3:
// initS3Sync holds the Lambda FunctionName from the CloudFormation stack (randomized suffix)
function initS3Import(lambda){
  return new Promise((resolve, reject) => {
    let comBucket = 'my-aws-bucket'; /*Source AWS Bucket*/
    let govBucket = 'my-govcloud-bucket'; /*Destination AWS GovCloud (US) Bucket*/
    //Params for Lambda invoke
    let params = {
      FunctionName : initS3Sync,
      InvocationType : 'RequestResponse',
      LogType : 'Tail',
      Payload : JSON.stringify({"source": comBucket, "dest": govBucket})
    };
    // Call the Lambda function
    lambda.invoke(params, function(err, data) {
      if (err) { reject(err); } else { resolve(data); }
    });
  });
}
For HTTPS Success/Failed Callbacks:
// snsSubscribe holds the Lambda FunctionName from the CloudFormation stack (randomized suffix)
function initSNSSubscribe(lambda){
  return new Promise((resolve, reject) => {
    let snsProtocol = 'https';
    let snsTopic = '<gov-cloud-import-image or gov-cloud-import-s3>';
    let snsRegion = '<us-west-2 or us-east-2>';
    let snsEndpoint = 'https://my.application.com/some/ping/back';
    //Params for Lambda invoke
    let params = {
      FunctionName : snsSubscribe,
      InvocationType : 'RequestResponse',
      LogType : 'Tail',
      Payload : JSON.stringify({
        "protocol": snsProtocol,
        "topic": snsTopic,
        "endpoint": snsEndpoint,
        "region": snsRegion
      })
    };
    // Call the Lambda function
    lambda.invoke(params, function(err, data) {
      if (err) { reject(err); } else { resolve(data); }
    });
  });
}
Success notification:
{ "sourceRegion": "us-west-2", "source": "ami-0123abdc", "destRegion": "us-gov-west-1", "dest": "ami-wxyz9876" }
Failure notification:
{ "sourceRegion": "us-west-2", "source": "ami-0123abdc", "destRegion": "us-gov-west-1", "dest": "failed" }
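As an added example (not code from the blog post or the gov-cloud-import project), the following promise-based wrapper around the calls above looks up the randomized Lambda name by its stable prefix instead of hard-coding it, rejects when Lambda reports a FunctionError (which arrives with a 200 status, not in err), and classifies the success/failure notification by the "dest": "failed" convention shown above. It assumes the callback-style AWS SDK for JavaScript v2 client interface; the function-name prefix, account ID and the fake client are constructed for offline use.

```javascript
// Added example, not from the blog post or the gov-cloud-import project. Assumes the
// callback-style `lambda.invoke` / `lambda.listFunctions` interface of the AWS SDK for
// JavaScript v2; the function-name prefix and the fake client are constructed.

// CloudFormation appends a random suffix to Lambda names, so resolve the full name from
// its prefix at runtime. Pages through listFunctions; rejects on zero or several matches.
function resolveFunctionName(lambda, prefix) {
  return new Promise((resolve, reject) => {
    const matches = [];
    const page = (marker) => {
      lambda.listFunctions({ Marker: marker }, (err, data) => {
        if (err) return reject(err);
        for (const fn of data.Functions) {
          if (fn.FunctionName.startsWith(prefix)) matches.push(fn.FunctionName);
        }
        if (data.NextMarker) return page(data.NextMarker);
        if (matches.length !== 1) {
          return reject(new Error(`expected one function with prefix ${prefix}, found ${matches.length}`));
        }
        resolve(matches[0]);
      });
    };
    page(undefined);
  });
}

// Invoke a gov-cloud-import entry point. A handled exception inside the function is
// reported through data.FunctionError with StatusCode 200, so check it explicitly.
function invokeImport(lambda, functionName, payload) {
  return new Promise((resolve, reject) => {
    const params = {
      FunctionName: functionName,
      InvocationType: 'RequestResponse',
      LogType: 'Tail',
      Payload: JSON.stringify(payload),
    };
    lambda.invoke(params, (err, data) => {
      if (err) return reject(err);
      if (data.FunctionError) return reject(new Error(`Lambda error: ${data.Payload}`));
      resolve(JSON.parse(data.Payload));
    });
  });
}

// Classify the SNS success/failure payload: the tool signals failure by setting
// "dest" to the literal string "failed" rather than to a destination AMI ID.
function classifyNotification(notification) {
  const n = typeof notification === 'string' ? JSON.parse(notification) : notification;
  const failed = n.dest === 'failed';
  return {
    ok: !failed,
    source: `${n.sourceRegion}/${n.source}`,
    dest: failed ? null : `${n.destRegion}/${n.dest}`,
  };
}

// Constructed fake standing in for `new AWS.Lambda({ region: 'us-west-2' })`.
function fakeLambdaClient() {
  const pages = [
    { Functions: [{ FunctionName: 'gov-cloud-import-initStepFunction-AB12CD' }], NextMarker: 'p2' },
    { Functions: [{ FunctionName: 'gov-cloud-import-initS3Sync-EF34GH' }], NextMarker: undefined },
  ];
  return {
    listFunctions(params, cb) { cb(null, params.Marker === 'p2' ? pages[1] : pages[0]); },
    invoke(params, cb) {
      // Echo a constructed execution ARN, as the real function would for the started job.
      const body = JSON.parse(params.Payload);
      cb(null, { StatusCode: 200, Payload: JSON.stringify({
        executionArn: 'arn:aws:states:us-west-2:123456789012:execution:fake:' + (body.image || body.source) }) });
    },
  };
}

async function demo() {
  const lambda = fakeLambdaClient();
  const name = await resolveFunctionName(lambda, 'gov-cloud-import-initStepFunction'); // assumed prefix
  const result = await invokeImport(lambda, name, { image: 'ami-1234abcd', region: 'us-east-1', os: 'Linux' });
  const status = classifyNotification(
    '{"sourceRegion":"us-west-2","source":"ami-0123abdc","destRegion":"us-gov-west-1","dest":"failed"}');
  return { name, result, status };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

When the callback arrives over HTTPS, the JSON above is carried inside the SNS envelope's Message field, and the endpoint first receives a SubscriptionConfirmation it must confirm; verify the SNS message signature before acting on a notification, since the endpoint is reachable by anyone who can reach your application.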
Troubleshooting
First, look at the errors and logs directly in the State Machine. Lambda functions should give a high-level error in the exception console near the top. To look further into the logs, click on the last Lambda Function executed in the State Machine. Under Step Details (near the top right), there should be a link to the Lambda Function, as well as one to the logs for the function. These logs contain more detail to explain any error that might have occurred.
For the EC2 Worker, if there are problems copying to AWS GovCloud (US), you may stop it and start a new instance. Application logs are kept in CloudWatch.
Scheduling S3 Synchronization
With the use of scheduled CloudWatch Events rules, you can trigger the initS3Sync Lambda Function on any schedule you need. Take note: be sure your schedule interval is greater than the time it takes to synchronize the bucket. While it can run in parallel, doing so will decrease performance or may produce failures. Remember to have your bucket permissions set first. See an example input below.
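The scheduling setup, as an added example that is not from the blog post or the gov-cloud-import project: it builds the CloudWatch Events rule, the Lambda target carrying the {"source", "dest"} sync payload as constant input, and the resource-based permission scoped to that rule's ARN, and it refuses a rate() schedule that is not longer than the expected sync time. It assumes the callback-style AWS SDK for JavaScript v2 clients AWS.CloudWatchEvents and AWS.Lambda; the rule name, function ARN, account ID and the fake clients are constructed.

```javascript
// Added example, not from the blog post or the gov-cloud-import project. Assumes the
// callback-style AWS SDK for JavaScript v2 clients (AWS.CloudWatchEvents, AWS.Lambda);
// every name, ARN and the fake clients below are constructed for offline use.

// Parse a CloudWatch Events rate() expression into minutes. cron() expressions are
// not interpreted here: return null so the caller can decide how to treat them.
function intervalMinutes(expr) {
  const m = /^rate\((\d+)\s+(minute|minutes|hour|hours|day|days)\)$/.exec(expr.trim());
  if (!m) return null;
  const unit = m[2].replace(/s$/, '');
  return Number(m[1]) * { minute: 1, hour: 60, day: 1440 }[unit];
}

// Build the three API calls that make up the schedule. The permission carries a
// SourceArn so only this rule, not any Events rule in the account, may invoke initS3Sync.
function buildSyncSchedule(opts) {
  const { ruleName, scheduleExpression, functionArn, source, dest,
          accountId, region, expectedSyncMinutes } = opts;
  const interval = intervalMinutes(scheduleExpression);
  if (interval !== null && interval <= expectedSyncMinutes) {
    throw new Error(`${scheduleExpression} is not longer than the expected ${expectedSyncMinutes} min sync`);
  }
  const ruleArn = `arn:aws:events:${region}:${accountId}:rule/${ruleName}`;
  return {
    rule: { Name: ruleName, ScheduleExpression: scheduleExpression, State: 'ENABLED',
            Description: `gov-cloud-import sync ${source} -> ${dest}` },
    targets: { Rule: ruleName,
               Targets: [{ Id: 'initS3Sync', Arn: functionArn, Input: JSON.stringify({ source, dest }) }] },
    permission: { FunctionName: functionArn, StatementId: `${ruleName}-events-invoke`,
                  Action: 'lambda:InvokeFunction', Principal: 'events.amazonaws.com', SourceArn: ruleArn },
  };
}

// Promisify one callback-style SDK call.
const call = (client, method, params) =>
  new Promise((resolve, reject) => client[method](params, (err, data) => (err ? reject(err) : resolve(data))));

// Apply the plan in dependency order; returns the rule ARN reported by putRule.
async function applySyncSchedule(events, lambda, plan) {
  const { RuleArn } = await call(events, 'putRule', plan.rule);
  const { FailedEntryCount } = await call(events, 'putTargets', plan.targets);
  if (FailedEntryCount) throw new Error(`${FailedEntryCount} target(s) failed to attach`);
  await call(lambda, 'addPermission', plan.permission);
  return RuleArn;
}

// Constructed fake clients that record the calls made against them.
function fakeClients() {
  const calls = [];
  const events = {
    putRule(p, cb) { calls.push('putRule'); cb(null, { RuleArn: `arn:aws:events:us-west-2:123456789012:rule/${p.Name}` }); },
    putTargets(p, cb) { calls.push('putTargets'); cb(null, { FailedEntryCount: 0, FailedEntries: [] }); },
  };
  const lambda = {
    addPermission(p, cb) { calls.push('addPermission'); cb(null, { Statement: JSON.stringify(p) }); },
  };
  return { events, lambda, calls };
}

const examplePlan = () => buildSyncSchedule({
  ruleName: 'gov-cloud-import-nightly-sync',                  // hypothetical rule name
  scheduleExpression: 'rate(1 day)',
  functionArn: 'arn:aws:lambda:us-west-2:123456789012:function:gov-cloud-import-initS3Sync-EF34GH', // constructed
  source: 'my-aws-bucket', dest: 'my-govcloud-bucket',
  accountId: '123456789012', region: 'us-west-2',
  expectedSyncMinutes: 180,                                   // e.g. measured from a manual run
});

async function demo() {
  const { events, lambda, calls } = fakeClients();
  const ruleArn = await applySyncSchedule(events, lambda, examplePlan());
  return { ruleArn, steps: calls };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Measure a manual synchronization first and feed that duration in as expectedSyncMinutes; the guard only catches a schedule you can prove is too short, so a bucket that grows over time still needs the interval revisited.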
Caveats
- AMIs may only have 1 (root) volume. The application ignores other volumes.
- AMI or Snapshot must be < 100GiB.
- S3 Buckets must be < 1TiB.
- Windows imports lose .pem password decryption (Linux works). Set the admin credentials prior to import.
By using gov-cloud-import for the importation of AMIs, Snapshots, and S3 Buckets, you can bring your workloads and applications to AWS GovCloud (US).
Learn more about AWS GovCloud (US) and contact us with questions.
Subscribe to the AWS Public Sector Blog newsletter to get the latest in AWS tools, solutions, and innovations from the public sector delivered to your inbox.
Source: https://aws.amazon.com/blogs/publicsector/gov-cloud-import-tool-how-to-transfer-information-between-identity-boundaries/