This document describes how to deploy and operate a reference implementation of the Covid Shield web portal, along with the diagnosis key retrieval and submission services on AWS.
There should be an illustration of the Covid Shield infrastructure deployed on AWS right here
At a glance, health care professionals (on the left) interact with a web portal, and mobile app users (on the right) interact with the diagnosis key retrieval and submission services.
| Service | AWS product offering |
|---|---|
| Serverless compute | Fargate |
| Container registry | Elastic Container Registry |
| Domain name services | Route 53 |
| TLS certificates | Certificate Manager |
| Load balancing | Elastic Load Balancing |
| Content delivery network | CloudFront |
| Web application firewall | WAF |
While this infrastructure may be deployed in a number of different ways, this document demonstrates a deploy using a small series of command line operations to generate credentials, and a CI/CD pipeline using GitHub Actions, Docker, and Terraform.
-
A GitHub repository with Actions enabled
-
awsCommand Line Interface installed and available in your path -
terraform0.12.x installed and available in your path
Optional TODO: make a quick playbook doc to see if the containers are up or down? or pivot to the ui?
ecs-cliinstalled and available in your path
The credentials for the AWS Terraform provider are expected to be provided through the standard AWS credential environment variables.
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEY_ID
If it's not already done, and before applying. You will need to enable the new ARN format to propagate tags to containers.
aws ecs put-account-setting-default --name serviceLongArnFormat --value enabled
aws ecs put-account-setting-default --name taskLongArnFormat --value enabled
aws ecs put-account-setting-default --name containerInstanceLongArnFormat --value enabled
All Terraform variables are defined in config/terraform/aws/variables.tf & their values are set in config/terraform/aws/variables.auto.tfvars. There are seven secret variables that should be set through the following environment variables as to not commit plain text secrets to version control.
TF_VAR_ecs_task_key_retrieval_env_ecdsa_keyTF_VAR_ecs_task_key_retrieval_env_hmac_keyTF_VAR_ecs_task_key_submission_env_key_claim_tokenTF_VAR_rds_backend_db_passwordTF_VAR_cloudfront_custom_headerTF_VAR_environmentTF_VAR_new_key_claim_allow_list(use ["0.0.0.0/1", "128.0.0.0/1"] for any)
If you are using Terraform in Github actions the above can be set as Github secrets, and set as environment variables in your YAML file (see .github/workflows/terraform.yml).
There is an optional Terraform variable that can be set to control which container to deploy. It should match a container tag that both Key Retrieval & Key Submission share. By default Terraform will deploy the latest commit on the master branch.
TF_VAR_github_sha
To run manually:
- Go to the AWS Terraform directory -
cd config/terraform/aws - Run
TF_VAR_ecs_task_key_retrieval_env_ecdsa_key="" TF_VAR_ecs_task_key_retrieval_env_hmac_key="" TF_VAR_ecs_task_key_submission_env_key_claim_token="" TF_VAR_rds_backend_db_password="" AWS_ACCESS_KEY_ID="" AWS_SECRET_ACCESS_KEY="" terraform [init|plan|apply]
This section will demonstrate the following:
- Continuous container builds on new pull requests
- Releasing new containers on a successful merge to the master branch
- Integrating dependency management using Dependabot
According to GitHub, Actions makes it easy to automate all your software workflows, now with world-class CI/CD. Build, test, and deploy your code right from GitHub. Make code reviews, branch management, and issue triaging work the way you want.
We've chosen to configure a number of Actions to make the infrastructure go brrrr 🤖, here they are:
- [ci](to test a thing), for container vulnerability scanning
- [ci](to scan a thing), for __
- [ci](docker build), for __
- [ci](docker push), for __
- [cd](to ecs), for __
According to GitHub (because they own it), Dependabot creates pull requests to keep your dependencies secure and up-to-date.
Configuring Dependabot requires one or two things:
- Sign up and grant Dependabot access to your repositories
- You can configure the repository in the UI after signing up. Alternatively, you may specify a Dependabot config file in your repository at
.dependabot/config.yml
Here is the Dependabot configuration we chose for the Portal:
version: 1
update_configs:
- package_manager: "ruby:bundler"
directory: "/"
update_schedule: "weekly"
- package_manager: "javascript"
directory: "/"
update_schedule: "weekly"This configuration schedules the 🤖 to check for updates every week for both the Bundler and Yarn packages deployed with this application. Feel free to run this configurations through the configuration validator to attest that it is valid.