project-onboarding-procedure.md

File metadata and controls

107 lines (85 loc) · 6.88 KB
---
description: >-
  New users (projects) of MDPS need to have their AWS account set up, their users set up, and both linked to the MDPS shared-services account. This procedure outlines the steps needed to accomplish this.
---

# Project Onboarding Procedure

{% hint style="info" %} PREREQUISITE: The Shared Services account must be set up before following the procedure below. {% endhint %}

## Venue Account Onboarding Procedure

1. Project obtains their own AWS account (Bring Your Own Account).

2. Project agrees to the EC2 conditions (EULA / FIPS) on their new account.

3. Project notifies the MDPS Team that they want to onboard to MDPS by sending an email to [email protected]. The email should include the following information:

    - Project Name (e.g. Sounder SIPS)
    - Project Identifier short string (e.g. ssips)
    - Project Description
    - Venue Name (e.g. Sounder SIPS Development Venue)
    - Venue Identifier (e.g. DEV, TEST, UAT, PROD, etc.)
    - Venue Purpose
    - Existing AWS Account ID
    - NASA ID (Agency User ID) of the initial MDPS user
    - Email address of the initial MDPS user
    - Set of other users, if known (NASA AUID and email address for each)

4. Project waits for notification from the MDPS Team that everything is set up and ready to use (see step 14 below).

5. Per the information (email address and AUID) in the email sent in step 3, the MDPS Team sets up the initial set of users in the Shared Services AWS account Cognito user pool:

    - Each user should be assigned these Groups at a minimum:
        - Unity_Viewer
    - The Cognito user naming convention is available at Cognito User Standards.
    - After the user is created in the Cognito user pool, the Project User receives a temporary password by email with instructions to change the password.

6. [NOTE: THIS STEP IS OPTIONAL FOR NOW, AND CAN BE SKIPPED]
   In the Shared Services account, the MDPS Team needs to create a set of Cognito project/venue-specific user groups (roles):

    - `Unity-<PROJECT>-<VENUE>-ManagementConsole-ReadOnly`
    - `Unity-<PROJECT>-<VENUE>-ManagementConsole-Admin`
    - `Unity-<PROJECT>-<VENUE>-viewer`
    - NOTE: The Cognito user group naming conventions can be viewed in Cognito User Group Standards.
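As an added example (not code from the Unity/MDPS project), the following POSIX shell helpers cover steps 5 and 6 with the AWS CLI: they check the identifiers from the step 3 request, create a Cognito user whose temporary password is generated and emailed by Cognito rather than typed on a command line, add the user to `Unity_Viewer`, and create the three project/venue groups. The user pool id, the usernames and the group description text are placeholders; the real username convention is the one in the Cognito User Standards page, which is not reproduced here.

```shell
#!/bin/sh
# Added example, not part of the Unity/MDPS repositories. Helpers for steps
# 5 and 6: check the identifiers from the step 3 onboarding request, then
# create the Cognito users and the project/venue groups with the AWS CLI.
# Assumes the AWS CLI is configured for the Shared Services account; the
# pool id, usernames and description text are placeholders chosen here.

# Identifiers from the step 3 request. The project identifier is a short
# lowercase token (e.g. ssips) and the venue identifier one of the listed
# environments, because both end up embedded in group names.
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9]{1,15}$'
}

valid_venue_id() {
  case "$1" in
    DEV|TEST|UAT|PROD) return 0 ;;
    *) return 1 ;;
  esac
}

valid_aws_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

valid_email() {
  printf '%s' "$1" | grep -Eq '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$'
}

# The three group names from step 6, one per line.
venue_group_names() {
  printf 'Unity-%s-%s-ManagementConsole-ReadOnly\n' "$1" "$2"
  printf 'Unity-%s-%s-ManagementConsole-Admin\n' "$1" "$2"
  printf 'Unity-%s-%s-viewer\n' "$1" "$2"
}

# Step 5: create one user and give it the minimum group. No temporary
# password is passed on the command line: Cognito generates one and mails
# it to the user (as the procedure describes), so the secret never reaches
# shell history or process listings.
create_cognito_user() {
  pool="$1"; username="$2"; email="$3"
  valid_email "$email" || { echo "invalid email: $email" >&2; return 1; }
  aws cognito-idp admin-create-user \
    --user-pool-id "$pool" \
    --username "$username" \
    --user-attributes "Name=email,Value=$email" "Name=email_verified,Value=true" \
    --desired-delivery-mediums EMAIL >/dev/null
  aws cognito-idp admin-add-user-to-group \
    --user-pool-id "$pool" --username "$username" --group-name Unity_Viewer
}

# Step 6: create the project/venue groups. Malformed identifiers are
# refused so a typo cannot create an oddly named group that nothing matches.
create_venue_groups() {
  pool="$1"; project="$2"; venue="$3"
  valid_project_id "$project" || { echo "invalid project id: $project" >&2; return 1; }
  valid_venue_id "$venue" || { echo "invalid venue id: $venue" >&2; return 1; }
  for g in $(venue_group_names "$project" "$venue"); do
    aws cognito-idp create-group --user-pool-id "$pool" --group-name "$g" \
      --description "MDPS $project $venue" >/dev/null
  done
}

# Usage, from a shell holding Shared Services credentials (placeholders):
#   create_venue_groups "$USER_POOL_ID" ssips DEV
#   create_cognito_user "$USER_POOL_ID" "$USERNAME" "$USER_EMAIL"
```

The validators are deliberately strict: the project and venue identifiers are reused verbatim in group names and later in `./run.sh --project-name ... --venue-name ...`, so catching a stray space or wrong case at intake is cheaper than renaming Cognito groups afterwards.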

7. MDPS Team adds the project AWS account to the shared services Resource Access Manager (RAM) to enable sharing of SSM parameters. See shared-services-deployment.md for more instructions.

8. MDPS Team requests a wildcard certificate in the Project Venue account.

    - The CNAME record name/value must be added to the SHARED SERVICES DNS to approve its creation. See instructions here.
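Added example for step 8, not taken from the project's own documentation: request the wildcard certificate in the venue account with DNS validation, read back the CNAME that ACM wants, and publish it in the Shared Services Route 53 zone with the AWS CLI. The `venue` and `shared` profile names, the venue domain and the hosted zone id are assumptions chosen here; the helper also refuses to write any record that is not under the venue's own domain, since the shared zone serves other venues too.

```shell
#!/bin/sh
# Added example, not part of the Unity/MDPS repositories. Step 8: request a
# wildcard ACM certificate in the Project Venue account with DNS validation
# and publish the validation CNAME in the Shared Services hosted zone.
# Assumes the AWS CLI is configured with two named profiles, "venue" and
# "shared" (placeholder names chosen here); the venue domain and the
# Route 53 hosted zone id are passed in by the operator.

# Request "*.<domain>" and return the certificate ARN.
request_wildcard_cert() {
  domain="$1"; profile="$2"
  aws acm request-certificate --profile "$profile" \
    --domain-name "*.$domain" \
    --validation-method DNS \
    --query CertificateArn --output text
}

# Return the CNAME ACM wants as "<name><tab><value>". ACM fills this in a
# few seconds after the request, so poll instead of failing on the first try.
validation_record() {
  arn="$1"; profile="$2"; attempt=0
  while [ "$attempt" -lt 10 ]; do
    rec=$(aws acm describe-certificate --profile "$profile" \
      --certificate-arn "$arn" \
      --query 'Certificate.DomainValidationOptions[0].ResourceRecord.[Name,Value]' \
      --output text)
    case "$rec" in
      ""|None*) attempt=$((attempt + 1)); sleep 3 ;;
      *) printf '%s\n' "$rec"; return 0 ;;
    esac
  done
  echo "validation record for $arn not available yet" >&2
  return 1
}

# The shared zone serves more than this venue: only write names that sit
# under the venue's own domain, so a swapped argument cannot alter an
# unrelated record.
record_in_domain() {
  case "$1" in
    *".$2"|*".$2.") return 0 ;;
    *) return 1 ;;
  esac
}

# Route 53 change batch. UPSERT keeps a rerun of the procedure idempotent.
change_batch_json() {
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}' "$1" "$2"
}

publish_validation_cname() {
  zone_id="$1"; name="$2"; value="$3"; profile="$4"
  aws route53 change-resource-record-sets --profile "$profile" \
    --hosted-zone-id "$zone_id" \
    --change-batch "$(change_batch_json "$name" "$value")" >/dev/null
}

# End to end: request, fetch the record, publish it in the shared zone,
# wait until ACM reports ISSUED, and print the ARN for the venue config.
onboard_wildcard_cert() {
  domain="$1"; zone_id="$2"
  arn=$(request_wildcard_cert "$domain" venue) || return 1
  rec=$(validation_record "$arn" venue) || return 1
  set -- $rec   # split on the tab between record name and value
  record_in_domain "$1" "$domain" || { echo "refusing to write $1 outside $domain" >&2; return 1; }
  publish_validation_cname "$zone_id" "$1" "$2" shared || return 1
  aws acm wait certificate-validated --profile venue --certificate-arn "$arn" || return 1
  printf '%s\n' "$arn"
}

# Usage (placeholders): onboard_wildcard_cert dev.example.com Z0000000EXAMPLE
```

The two profiles make the account boundary explicit: the certificate lives in the venue account, the DNS record in the Shared Services account, and nothing in the helper needs credentials that span both.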
9. MDPS Team sets up roles on the account.

10. MDPS Team sets up the venue bastion host.

    - Follow the instructions here to create a bastion host, if one does not already exist.

11. MDPS Team deploys the Venue Infrastructure (Networking stack, Management Console, and more):

    - Connect to the instance via an AWS SSM connection.
    - `sudo su - ubuntu`
    - `cd unity-cs-infra/nightly_tests ; git pull`
    - `./run.sh --destroy false --run-tests false --project-name PROJECT --venue-name VENUE`
    - NOTE: If this is the first time deploying to this AWS account, you may have to manually enter a few SSM parameters such as:
        - `/unity/cs/github/username`
        - `/unity/cs/github/useremail`
        - `/unity/cs/githubtoken`
        - `/unity/ci/slack-web-hook-url`
        - PLEASE CONSULT THE MDPS U-CS Team to determine what values to use, if you are unsure.
    - Make sure to copy the URL of the Management Console that is printed to the console as part of running the above command. If any issues or errors are encountered, see the "Debugging Issues with the Management Console" section below.
    - OPTIONAL STEPS IF YOU NEED TO DESTROY the Venue Infrastructure:
        - Run the following on the bastion host:
        - `./destroy.sh --project-name <PROJECT> --venue-name <VENUE>`
        - NOTE: the S3 bucket holding the Terraform state files is not deleted by the destroy.sh script. It remains available for re-use next time, if you deploy using the same `<PROJECT>` and `<VENUE>`.
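Added example for the first-deployment SSM parameters in step 11 (not from unity-cs-infra): a shell helper that reports which of the four parameters are still missing and sets them, reading each value from stdin and storing the GitHub token and the Slack webhook URL as `SecureString`. The parameter names are the ones listed above; treating the webhook URL as a secret, the stdin convention and the no-silent-overwrite rule are this example's choices, and the values themselves come from the MDPS U-CS Team.

```shell
#!/bin/sh
# Added example, not part of the unity-cs-infra repository. Step 11, first
# deployment to a venue account: seed the SSM parameters run.sh expects.
# Assumes the AWS CLI is configured for the venue account and that the
# values come from the MDPS U-CS Team. Treating the Slack webhook URL as a
# secret is a choice made here, not something the procedure states.

GITHUB_USERNAME_PARAM=/unity/cs/github/username
GITHUB_EMAIL_PARAM=/unity/cs/github/useremail
GITHUB_TOKEN_PARAM=/unity/cs/githubtoken
SLACK_WEBHOOK_PARAM=/unity/ci/slack-web-hook-url

# Anything that grants access (token, webhook) is stored encrypted.
param_type() {
  case "$1" in
    "$GITHUB_TOKEN_PARAM"|"$SLACK_WEBHOOK_PARAM") echo SecureString ;;
    *) echo String ;;
  esac
}

param_exists() {
  aws ssm get-parameter --name "$1" --query Parameter.Name --output text >/dev/null 2>&1
}

# Lists which of the four parameters are still missing, one per line:
# the check to run before a first ./run.sh.
missing_params() {
  for p in "$GITHUB_USERNAME_PARAM" "$GITHUB_EMAIL_PARAM" \
           "$GITHUB_TOKEN_PARAM" "$SLACK_WEBHOOK_PARAM"; do
    param_exists "$p" || printf '%s\n' "$p"
  done
}

# put_param NAME [yes]: the value is read from stdin, so a token is never
# typed into a command line that ends up in shell history. An existing
# parameter is left alone unless "yes" is passed, so a rerun cannot clobber
# a value another operator set.
put_param() {
  name="$1"; overwrite="${2:-no}"
  value=$(cat)
  [ -n "$value" ] || { echo "empty value for $name" >&2; return 1; }
  if [ "$overwrite" != yes ] && param_exists "$name"; then
    echo "$name already exists; pass yes as the second argument to overwrite" >&2
    return 1
  fi
  if [ "$overwrite" = yes ]; then
    aws ssm put-parameter --name "$name" --type "$(param_type "$name")" --value "$value" --overwrite
  else
    aws ssm put-parameter --name "$name" --type "$(param_type "$name")" --value "$value"
  fi
}

# Usage (values are placeholders, obtained from the MDPS U-CS Team):
#   missing_params
#   printf '%s' "$GITHUB_TOKEN" | put_param "$GITHUB_TOKEN_PARAM"
```

Running `missing_params` first turns the "you may have to manually enter a few SSM parameters" note into a concrete list for this account, and `SecureString` means the token is encrypted at rest with the account's SSM KMS key rather than stored as plain text beside the username.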
12. MDPS Team runs the Core Setup actions in the Management Console.

13. MDPS Team reaches out to the Project to notify them that their account is ready for use.

    - URL(s) and instructions to log into services are provided to the Project Team.

14. Project Users log into MDPS using the URLs provided, and do work. For example:

    - Project Algorithm Developer logs into JupyterHub and creates/tests algorithms
    - Project Administrator logs into the Management Console and installs/updates MDPS services
    - Project Workflow Engineer logs into SPS/Airflow and edits DAG code
    - etc.

## Debugging Issues with the Management Console

1) SSH into the Management Console EC2 instance

2) `cd /var/log/`

3) `cat managementconsole.log`