loanpal-cf-resources

1.0.0 • Public • Published

# WIP
Attempting to create a completely automated environment-setup CI/CD pipeline with Seed.

This repo replaces infra-setup as the method of preparing a non-production environment for deployment of cf services.

In the process, a number of resources that were not named to be stage-specific are being renamed to be stage-specific, to allow deployment of multiple non-prod stages to the same account.

## Overview of steps:
1. Create an AWS member account (organization)
2. Create a deployment user (within the new member account)
3. Create stage-specific IoT Thing
4. Configure your stage in Seed

## Step details:
1. Create an AWS member account in the Master Organization
2. Create a deployment user (in the new Member account)
   a. No console access (don't create a password)
   b. Grant required permissions - simply the AdministratorAccess policy for now.
   c. Create Access/Secret Keys
      NOTE: record the AccessKey/SecretKey; they will be entered into the stage config in Seed.
   d. Add a profile entry in your local ~/.aws/config file to allow CLI functions.
      Note: this is only needed for step 3 or for dev & troubleshooting.

   ```ini
   [profile new-env-profile]
   region=us-west-2
   output=json
   aws_access_key_id=AccessKey
   aws_secret_access_key=SecretKey
   ```

3. Create stage-specific IoT Signing Certificate - sadly still a manual step
   *AWS only allows creating the CSR via the Console or CLI, not via CFn. :(*
   a. Create an IoT certificate and capture certificateArn from the output:

   ```sh
   aws iot create-keys-and-certificate --set-as-active --profile new-env-profile
   ```

   b. Store the certificateArn in env:IOT_CERTIFICATE_ARN

4. Verify the donotreply@loanpal.com account with SES
   a. An email will be sent to donotreply@loanpal.com containing a link that must be clicked to verify.
   b. After the email is verified, click the email address in SES | Email Addresses and copy the Identity ARN. Store this for later.

5. Configure your stage in Seed
   a. Details out of scope - see: https://seed.run/docs/
   b. Enter your Access/Secret Keys in Seed | Settings | AWS IAM INFO
   c. Enter your ENV Variables in Seed | Settings | ENV VARIABLES:
      1. IOT_CERTIFICATE_ARN: the certificateArn from 3b above
      2. PROD_ES_HOST: the URL of the production ES endpoint - `https://search-prod-shc4elk4uavimdwjeutycjk37i.us-west-2.es.amazonaws.com` (include the https://)
      3. LAUNCH_DARKLY_SDK_KEY: create a new Launch Darkly key for the environment and store it in the Seed env variables.

## Limitations:
* Stage Name:
  As long as the Aurora database name is based on the stage, the stage name must:
  - begin with a letter
  - contain only alphanumeric characters
  Examples:
  - Stage01 = Valid
  - Stage-1 = Invalid
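As an added example (not code from the loanpal-cf-resources repo), the shell helpers below enforce the stage-name rule above and wrap step 3: one `aws iot create-keys-and-certificate` call, its JSON response kept in an owner-only file so the returned private key never lands on the terminal, and only the certificateArn printed for Seed's IOT_CERTIFICATE_ARN. The AWS CLI, the `new-env-profile` profile from step 2d and the output directory are assumptions.

```sh
#!/bin/sh
# Added example, not part of loanpal-cf-resources. Assumes the AWS CLI and the
# new-env-profile profile from step 2d; the output directory is our own choice.
set -eu

# The Aurora database name is derived from the stage, so enforce the README's
# rule: first character a letter, every character alphanumeric. Returns 0 if valid.
validate_stage_name() {
    case "$1" in
        [A-Za-z]) return 0 ;;                 # a single letter is valid
        [A-Za-z]*[!A-Za-z0-9]*) return 1 ;;   # a non-alphanumeric character later on
        [A-Za-z]*) return 0 ;;
        *) return 1 ;;                        # empty, or starts with a non-letter
    esac
}

# Pull certificateArn out of the JSON the CLI wrote (step 3a) without needing jq.
# The rest of that file (certificatePem, keyPair.PrivateKey) stays on disk only.
extract_certificate_arn() {
    sed -n 's/.*"certificateArn": *"\([^"]*\)".*/\1/p' "$1"
}

# Step 3: a single CLI call, response saved with mode 0600, ARN printed for Seed.
# Usage: create_iot_certificate Stage01 new-env-profile [out_dir]
create_iot_certificate() {
    stage="$1"; profile="$2"; out_dir="${3:-$HOME/.iot-certs/$stage}"
    validate_stage_name "$stage" || { echo "invalid stage name: $stage" >&2; return 1; }
    mkdir -p "$out_dir"
    # Subshell keeps the restrictive umask from leaking into the caller's shell;
    # the private key in the response is written straight to the file, never echoed.
    ( umask 077
      aws iot create-keys-and-certificate --set-as-active \
          --profile "$profile" --output json > "$out_dir/certificate.json" )
    extract_certificate_arn "$out_dir/certificate.json"
}

# Run the real step only when invoked as: sh this.sh run <stage> [profile]
if [ "${1:-}" = "run" ]; then
    create_iot_certificate "$2" "${3:-new-env-profile}"
fi
```

Export the printed value as IOT_CERTIFICATE_ARN (step 3b) and enter it in Seed under ENV VARIABLES (step 5c).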

## Implementation alterations:
* Due to the Account/Region limit of 5 VPCs, Aurora resources are being deployed into the Lambda VPC instead of creating a separate Aurora VPC.
  This allows the creation of up to 4 stages in a single Account/Region.
  => If we need more than that, for example to support ephemeral stages for PR and/or branch deploys, we can request a service limit increase
  or create a single VPC per Account/Region and share it between ALL deployments for that Account/Region.

## TODO:
* Things to ease maintenance:
  * Add "deployment" SNS topic?


## CHANGES:
* migrated common packages to /package.json
* migrated shared code to /libs
* added serverless-bundle to handle building with shared /libs/*
* migrated the `custom` section of serverless.yml to /serverless.common.yml to ensure all services have consistent configuration
* migrated a number of step-functions to lambda-backed CFn custom resources

Install: `npm i loanpal-cf-resources`
Weekly Downloads: 3
Version: 1.0.0
License: ISC
Unpacked Size: 450 kB
Total Files: 232
Last publish:
Collaborators: andreicgoodleap