Deployment Notes

Ankush Dharkar edited this page May 22, 2022 · 9 revisions

How is the Identity Service currently deployed?

Currently, the production identity service is deployed from the main branch under a single AWS user.

How should we deploy it?

  1. Create a user named IdentityService with the following permissions:
       • AWSCloudFormationFullAccess
       • IAMFullAccess
       • AWSLambda_FullAccess
       • AmazonAPIGatewayAdministrator
       • AmazonS3FullAccess
       • AmazonEC2ContainerRegistryFullAccess
       • AmazonSSMFullAccess
  2. Create the profile for the IdentityService user in the AWS CLI.
  3. Using the above profile, run sam pipeline init --bootstrap.
  4. During the process you will be asked to create two stages, but we don't want to create both stages (development/prod) using a single user, so create all the roles for stage 1 (development) and skip stage 2.
  5. Save all the necessary role names, stack names, and region names somewhere.
  6. Re-run steps 3, 4 and 5 for production, but set the production region to a different one from development. Parameter Store is a central place for storing data in a region for all the users, and we store our Firestore key there under the name firestoreCred. Because that name is the same for all the users in a region, we separate the development and production users by region. This also increases the security between development and production: they are in different regions, so if one is compromised the other is fine.
  • Create two environments in GitHub secrets (main and develop).
  • Set all the below keys in the main and develop environments from the production and development stages respectively.
  • Merge this PullRequest.
  • Set the AmazonSSMReadOnlyAccess permission on the roles of the profile and verify Lambda functions for development and production.
  • Add the development and production Firestore credentials to Systems Manager Parameter Store under the name firestoreCred, each in its respective region.
  • Remove the unnecessary key from "Secrets Manager" for all regions of deployments. This key will otherwise incur continuous costs.
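
The AWS CLI side of steps 1 and 6 and of the Parameter Store step, as an added example that is not part of the original wiki or the project's own scripts. It defaults to a dry run that only prints the commands; the SecureString parameter type, the credential file arguments and the reuse of the IdentityService profile name for both stages are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki): the AWS CLI side of the steps above.
# DRY_RUN=1 (default) prints each command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"
DEPLOY_USER="IdentityService"
POLICIES="AWSCloudFormationFullAccess IAMFullAccess AWSLambda_FullAccess
AmazonAPIGatewayAdministrator AmazonS3FullAccess
AmazonEC2ContainerRegistryFullAccess AmazonSSMFullAccess"

run() {  # print the command in dry-run mode, execute it otherwise
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Step 6: both stages use the parameter name firestoreCred, so development
# and production must be given different, non-empty regions.
check_regions() {  # usage: check_regions <dev-region> <prod-region>
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Step 1: create the deploy user and attach the seven managed policies.
create_deploy_user() {
  run aws iam create-user --user-name "$DEPLOY_USER" || return 1
  for p in $POLICIES; do
    run aws iam attach-user-policy --user-name "$DEPLOY_USER" \
      --policy-arn "arn:aws:iam::aws:policy/$p" || return 1
  done
}

# Store one stage's Firestore credential in that stage's region.
# Assumptions: SecureString type, credential read from a local JSON file.
put_firestore_cred() {  # usage: put_firestore_cred <profile> <region> <file>
  run aws ssm put-parameter --name firestoreCred --type SecureString \
    --value "file://$3" --region "$2" --profile "$1"
}

# usage: deploy.sh <dev-region> <prod-region> <dev-cred.json> <prod-cred.json>
if [ "$#" -eq 4 ]; then
  check_regions "$1" "$2" || { echo "regions must differ" >&2; exit 1; }
  create_deploy_user
  # Steps 2-5 are interactive and are run by hand once per stage:
  echo "# aws configure --profile $DEPLOY_USER"
  echo "# AWS_PROFILE=$DEPLOY_USER sam pipeline init --bootstrap"
  put_firestore_cred "$DEPLOY_USER" "$1" "$3"
  put_firestore_cred "$DEPLOY_USER" "$2" "$4"
fi
```

Run it with DRY_RUN=0 only from credentials that are allowed to create IAM users; the printed plan can be reviewed first.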