Upload Code to Aws Govcloud for Deployment
Note: S3 buckets created are PUBLICLY EXPOSED. Please stay within your company's security posture.
Amazon Web Services (AWS) has multiple identity partitions: AWS, AWS GovCloud (US), and AWS China. You can see these represented in their ARNs (arn:aws, arn:aws-us-gov, arn:aws-cn). For security, services like Amazon Simple Storage Service (Amazon S3) do not have access to credentials beyond their partition boundary, which can make it difficult to transfer data from one identity boundary to another.
There is a new tool, though, that reduces the time and complexity for customers migrating their workloads into AWS GovCloud (US): gov-cloud-import.
With gov-cloud-import, you have a web-based UI that allows you to import an AMI or Snapshot from AWS to AWS GovCloud (US) (up to 100GiB). Within the same tool, you can input an S3 bucket and an AWS GovCloud (US) destination bucket and perform one-way synchronizations (up to 1TiB).
Install the Script
To get started, you must first run the installation shell script. The installation script deploys two CloudFormation templates, one in AWS and one in AWS GovCloud (US).
In AWS GovCloud (US), we deploy an S3 bucket (for importing images only) and IAM resources to make the necessary API calls for importing. In AWS, we deploy Step Functions, EC2, Lambda, SSM, S3, and SNS. Step Functions controls the workflow and shows progress. The EC2 worker performs the actual transfer of images or synchronization of buckets. AWS Lambda is used to call all other functions in the workflow. SSM Parameter Store securely keeps sensitive keys and other parameters the overall application needs. S3 houses the user interface to gov-cloud-import. SNS is used for notification at the end of an import.
Prior to install, remove the vmimport role from AWS GovCloud (US) if it exists. The script should install with any BASH shell (tested on macOS and Amazon Linux) and the AWS CLI. You'll need API keys with admin privileges for AWS and AWS GovCloud (US). Installation takes a few minutes and reports progress during that time. When finished, it gives you a URL to access the Web UI. See the sample install below. Please note the errors: these come from checking whether the gov-cloud-import CloudFormation stack exists. If it doesn't exist, the AWS CLI directs the errors to stdout.
git clone https://github.com/awslabs/aws-gov-cloud-import.git
cd aws-gov-cloud-import
chmod +x gov-cloud-import-install.sh
./gov-cloud-import-install.sh
Using gov-cloud-import-image
Browse to the URL output by the installation script. You need keys that allow for lambda-invoke, lambda-list, and ec2-describeRegions. Browse to the API Key page, enter the keys, and click validate. Then click notifications if you would like to add email or phone (SMS) alerts.
For importing images, input an AMI or Snapshot ID. The AMI or Snapshot must be owned by the account and contain a single volume. While the input field checks the format of the string, it does not check permissions. Select the OS and the source/destination Regions. Verify your input in the dialog box and import. You'll receive a State Machine execution ARN for the import job. Click it to open in a new tab and watch the progress.
Using gov-cloud-import-s3
For importing S3 buckets, you must give gov-cloud-import permissions to the source and destination buckets. Download the sample policy and modify it to fit your needs. Then click the link for permissions and install your policy inline on the us-goc-import-ec2role. Click the second link for permissions and install your second inline policy for the user gov-cloud-import-user.
Once permissions are set, go to the Import S3 page. From the first drop-down menu, select your source. From the second drop-down menu, select your destination. Verify your input and submit.
After submitting, a link to the S3 Sync logs will appear; the log keeps a text record of time, source, and destination for each file synchronized.
Using gov-cloud-import via AWS SDK
If you want to build gov-cloud-import into your application, here are sample calls in JavaScript that can be used with the AWS SDK to start an import. Be sure to find the right FunctionName, as CloudFormation appends a random suffix to resource names. These calls can be sent to us-west-2 or us-east-2, depending on which AWS GovCloud (US) Region (and adjacent AWS Region) you have installed and will use to import images.
For Importing Images:
function initImportImage(lambda) {
  return new Promise((resolve, reject) => {
    let image = 'ami-1234abcd';  /* AMI or Snapshot ID */
    let os = 'Windows';          /* Windows or Linux */
    let region = 'us-east-1';    /* Source AWS Region */
    // Params for Lambda invoke; initStepFunction holds the deployed function's
    // full name (look it up, since CloudFormation appends a random suffix)
    let params = {
      FunctionName: initStepFunction,
      InvocationType: 'RequestResponse',
      LogType: 'Tail',
      Payload: JSON.stringify({ "image": image, "region": region, "os": os })
    };
    // Call the Lambda function
    lambda.invoke(params, function (err, data) {
      if (err) {
        reject(err);
      } else {
        resolve(data);
      }
    });
  });
}
For Importing from S3:
function initS3Import(lambda) {
  return new Promise((resolve, reject) => {
    let comBucket = 'my-aws-bucket';      /* Source AWS bucket */
    let govBucket = 'my-govcloud-bucket'; /* Destination AWS GovCloud (US) bucket */
    // Params for Lambda invoke; initS3Sync holds the deployed function's full name
    let params = {
      FunctionName: initS3Sync,
      InvocationType: 'RequestResponse',
      LogType: 'Tail',
      Payload: JSON.stringify({ "source": comBucket, "dest": govBucket })
    };
    // Call the Lambda function
    lambda.invoke(params, function (err, data) {
      if (err) {
        reject(err);
      } else {
        resolve(data);
      }
    });
  });
}
For HTTPS Success/Failed Callbacks:
function initSNSSubscribe(lambda) {
  return new Promise((resolve, reject) => {
    let snsProtocol = 'https';
    let snsTopic = '<gov-cloud-import-image or gov-cloud-import-s3>';
    let snsRegion = '<us-west-2 or us-east-2>';
    let snsEndpoint = 'https://my.application.com/some/ping/back';
    // Params for Lambda invoke; snsSubscribe holds the deployed function's full name
    let params = {
      FunctionName: snsSubscribe,
      InvocationType: 'RequestResponse',
      LogType: 'Tail',
      Payload: JSON.stringify({
        "protocol": snsProtocol,
        "topic": snsTopic,
        "endpoint": snsEndpoint,
        "region": snsRegion
      })
    };
    // Call the Lambda function
    lambda.invoke(params, function (err, data) {
      if (err) {
        reject(err);
      } else {
        resolve(data);
      }
    });
  });
}
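The three calls above all depend on knowing the deployed FunctionName and on sending a well-formed payload. As an added example, not code from the original post or from the gov-cloud-import project, the helpers below resolve a function name from a list by prefix (refusing to guess when more than one matches) and validate an image-import request before anything is invoked. The prefix pattern (stack name, logical ID, random suffix), the sample function list, the region list and the stub Lambda client are all assumptions made for this example.

```javascript
// Added example, not code from the AWS blog post or the gov-cloud-import project.
// resolveFunctionName() picks the deployed Lambda whose name starts with a known
// prefix, since CloudFormation appends random characters to resource names.
// buildImageImportParams() validates the import request before it is invoked.
// The prefixes, the sample function list and the region list are assumptions.

const SUPPORTED_OS = new Set(['Windows', 'Linux']);
// Assumed set of commercial source Regions accepted by this example.
const SOURCE_REGIONS = new Set(['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']);
// AMI and snapshot IDs: "ami-" or "snap-" followed by 8 or 17 lowercase hex characters.
const IMAGE_ID = /^(ami|snap)-[0-9a-f]{8}([0-9a-f]{9})?$/;

function resolveFunctionName(functionNames, prefix) {
  const matches = functionNames.filter((n) => n.startsWith(prefix));
  if (matches.length === 0) {
    throw new Error(`no Lambda function starts with "${prefix}"`);
  }
  if (matches.length > 1) {
    // Refuse to guess: invoking another stack's function fails silently at best.
    throw new Error(`ambiguous prefix "${prefix}": ${matches.join(', ')}`);
  }
  return matches[0];
}

function buildImageImportParams(functionName, { image, os, region }) {
  if (typeof image !== 'string' || !IMAGE_ID.test(image)) {
    throw new Error(`invalid AMI or snapshot ID: ${image}`);
  }
  if (!SUPPORTED_OS.has(os)) {
    throw new Error(`unsupported OS "${os}" (expected Windows or Linux)`);
  }
  if (!SOURCE_REGIONS.has(region)) {
    throw new Error(`unsupported source Region "${region}"`);
  }
  // Same shape as the lambda.invoke() params used in the post's samples.
  return {
    FunctionName: functionName,
    InvocationType: 'RequestResponse',
    LogType: 'Tail',
    Payload: JSON.stringify({ image, region, os }),
  };
}

// Constructed sample of what a stack's function names look like. In a real
// deployment this list would come from lambda.listFunctions() (paginated).
const SAMPLE_FUNCTION_NAMES = [
  'gov-cloud-import-initStepFunction-1ABC2DEF3GHI',
  'gov-cloud-import-initS3Sync-4JKL5MNO6PQR',
  'gov-cloud-import-snsSubscribe-7STU8VWX9YZA',
];

function initImportImage(lambda, request, functionNames = SAMPLE_FUNCTION_NAMES) {
  const fn = resolveFunctionName(functionNames, 'gov-cloud-import-initStepFunction-');
  const params = buildImageImportParams(fn, request);
  return new Promise((resolve, reject) => {
    lambda.invoke(params, (err, data) => (err ? reject(err) : resolve(data)));
  });
}

// Stand-alone demo against a stub client (assumption: no AWS call is made here).
const stubLambda = {
  invoke: (params, cb) => cb(null, { StatusCode: 200, Payload: params.Payload }),
};
initImportImage(stubLambda, { image: 'ami-0123abcd', os: 'Linux', region: 'us-west-2' })
  .then((data) => console.log('invoked with payload:', data.Payload))
  .catch((err) => console.error('rejected:', err.message));
```

The validation mirrors what the Web UI already does for the ID format; the extra value is that a malformed request never reaches Lambda, and that an ambiguous prefix (two stacks in one account, or a stale stack left behind) surfaces as an error instead of a silent import into the wrong place.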
Success notification:
{
  "sourceRegion": "us-west-2",
  "source": "ami-0123abdc",
  "destRegion": "us-gov-west-1",
  "dest": "ami-wxyz9876"
}
Failure notification:
{
  "sourceRegion": "us-west-2",
  "source": "ami-0123abdc",
  "destRegion": "us-gov-west-1",
  "dest": "failed"
}
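The two notifications above differ only in the "dest" field, so an HTTPS callback endpoint has to tell them apart reliably. As an added example, not code from the original post or from the gov-cloud-import project, the handler below takes an SNS delivery, ignores the subscription-confirmation types that carry no import result, checks that the message came from the expected topic, and normalizes the success and failure shapes into one result. The expected topic ARN, the sample envelopes and the requirement that the destination be a us-gov Region are assumptions made for this example.

```javascript
// Added example, not code from the AWS blog post or the gov-cloud-import project.
// classifyImportNotification() turns the success/failure messages shown above into
// one normalized result and rejects anything that does not match that shape.
// handleSnsDelivery() shows where it sits in an HTTPS callback: SNS wraps the
// message as a JSON string in the "Message" field of its delivery envelope.
// The expected topic ARN and the sample envelopes are constructed for this example.

const EXPECTED_TOPIC_ARN = 'arn:aws:sns:us-west-2:123456789012:gov-cloud-import-image'; // assumed

const REQUIRED_FIELDS = ['sourceRegion', 'source', 'destRegion', 'dest'];

function classifyImportNotification(message) {
  for (const field of REQUIRED_FIELDS) {
    if (typeof message[field] !== 'string' || message[field].length === 0) {
      throw new Error(`notification missing field "${field}"`);
    }
  }
  // The whole point of the import is a GovCloud destination; anything else is suspect.
  if (!message.destRegion.startsWith('us-gov-')) {
    throw new Error(`unexpected destination Region ${message.destRegion}`);
  }
  const failed = message.dest === 'failed';
  return {
    status: failed ? 'failed' : 'success',
    source: `${message.sourceRegion}/${message.source}`,
    // The GovCloud resource ID only exists on success.
    dest: failed ? null : `${message.destRegion}/${message.dest}`,
  };
}

function handleSnsDelivery(envelope) {
  if (envelope.Type !== 'Notification') {
    // SubscriptionConfirmation / UnsubscribeConfirmation carry no import result.
    return { status: 'ignored', type: envelope.Type };
  }
  if (envelope.TopicArn !== EXPECTED_TOPIC_ARN) {
    throw new Error(`notification from unexpected topic ${envelope.TopicArn}`);
  }
  return classifyImportNotification(JSON.parse(envelope.Message));
}

// Constructed sample envelopes, trimmed to the fields the handler reads.
const SAMPLE_SUCCESS = {
  Type: 'Notification',
  TopicArn: EXPECTED_TOPIC_ARN,
  Message: JSON.stringify({
    sourceRegion: 'us-west-2', source: 'ami-0123abdc',
    destRegion: 'us-gov-west-1', dest: 'ami-wxyz9876',
  }),
};
const SAMPLE_FAILURE = {
  Type: 'Notification',
  TopicArn: EXPECTED_TOPIC_ARN,
  Message: JSON.stringify({
    sourceRegion: 'us-west-2', source: 'ami-0123abdc',
    destRegion: 'us-gov-west-1', dest: 'failed',
  }),
};

// Stand-alone demo.
console.log(handleSnsDelivery(SAMPLE_SUCCESS));
console.log(handleSnsDelivery(SAMPLE_FAILURE));
console.log(handleSnsDelivery({ Type: 'SubscriptionConfirmation', TopicArn: EXPECTED_TOPIC_ARN }));
```

Before any of this runs on a real endpoint, the SNS envelope's signature should be verified, since the callback URL is reachable by anyone who can discover it; the topic check here only filters messages that SNS itself delivered from another topic, it does not authenticate the sender.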
Troubleshooting
First, look at the errors and logs directly in the State Machine. Lambda functions should give a high-level error in the exception panel near the top. To look further into the logs, click on the last Lambda function executed in the State Machine. Under Step Details (near the top right), there should be a link to the Lambda function, as well as one to the logs for the function. These logs contain more detail to explain any error that might have occurred.
For the EC2 worker, if there are issues copying to AWS GovCloud (US), you may terminate it and start a new instance. Application logs are kept in CloudWatch.
Scheduling S3 Synchronization
With scheduled CloudWatch Events rules, you can trigger the initS3Sync Lambda function on whatever schedule you need. Take note: be sure your schedule interval is greater than the time it takes to synchronize the bucket. While it can run in parallel, that will decrease performance or may produce failures. Remember to have your bucket permissions set first. See an example input below.
Caveats
- AMIs may only have one (root) volume. The application ignores other volumes.
- AMI or Snapshot must be < 100GiB.
- S3 Buckets must be < 1TiB.
- Windows imports lose .pem password decryption (Linux works). Set the admin credentials prior to import.
By using gov-cloud-import for the importation of AMIs, Snapshots, and S3 buckets, you can bring your workloads and applications to AWS GovCloud (US).
Learn more about AWS GovCloud (US) and contact us with questions.
Source: https://aws.amazon.com/blogs/publicsector/gov-cloud-import-tool-how-to-transfer-information-between-identity-boundaries/