We have the pleasure of working with a research group staffed with hundreds of brilliant researchers tasked with developing innovative new materials and technologies. This talented team of scientists is eager to test their ideas. Yet, the group had inherited infrastructure that got in the way of continuous innovation.
The challenge before us was to help turn the group into a tech-generating machine by removing infrastructure-related roadblocks from the process -- while ensuring security and operational best practices -- allowing them to quickly test and prove their ideas. One of the AWS DevOps best practices that our AWS Consulting group brought to the table was self-service IT with automatic AWS account creation. Today we’ll share with you the process we went through to create this self-serve architecture.
The goal here was to create a self-service portal that would enable end user researchers to create new AWS accounts through AWS Organizations with a single click. (AWS Organizations allow you to create groups of accounts, automate account creation, and apply and manage policies for those groups.) In doing so, the researchers are able to spin up for themselves the accounts they need to test an idea, without submitting a ticket or waiting in an IT queue for approval.
AWS Account Creation
On the front end, the architecture consists of a ReactJS user interface where users input their email address, business unit, and environment. Once they hit the "Create AWS Account" button, the request hits a reverse proxy which forwards the request to a private API Gateway endpoint.
Once the API Gateway endpoint receives the request, it triggers a Lambda function which performs parameter validation on the inputs received and in turn triggers an AWS Step Function. (AWS Step Functions allow you to build -- and coordinate the components of -- distributed applications with visual workflows.)
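One way to write the validating Lambda function that sits behind the private API Gateway endpoint, as an added example that is not the project's own code: the three inputs (email, business unit, environment) are checked against allow-lists and a strict address pattern before anything is handed to the Step Function, so an unexpected value never reaches the account-creation call or the Slack message. The business units, the environments, the `example.com` corporate domain and the API Gateway proxy-integration event shape are assumptions; the real `start_execution` call is injected so the module runs offline.

```python
import json
import re

# Constructed allow-lists for this example; the real portal's business units
# and environments are not given on the page.
ALLOWED_BUSINESS_UNITS = {"materials", "photonics", "bio"}
ALLOWED_ENVIRONMENTS = {"sandbox", "dev", "test"}
# Only addresses in the organisation's own domain may own an account;
# "example.com" is an assumed placeholder for that domain.
EMAIL_RE = re.compile(r"^[a-z0-9._%+-]{1,64}@example\.com$")


class ValidationError(ValueError):
    """Raised when the request body fails validation."""


def validate_request(body) -> dict:
    """Return a normalised copy of the three inputs or raise ValidationError.

    Every value is matched against an allow-list or a strict pattern so that
    only known-good strings reach the Step Function and the later steps.
    """
    if not isinstance(body, dict):
        raise ValidationError("request body must be a JSON object")
    unexpected = set(body) - {"email", "business_unit", "environment"}
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    try:
        email = str(body["email"]).strip().lower()
        unit = str(body["business_unit"]).strip().lower()
        env = str(body["environment"]).strip().lower()
    except KeyError as missing:
        raise ValidationError(f"missing field: {missing.args[0]}") from None
    if not EMAIL_RE.fullmatch(email):
        raise ValidationError("email must be a corporate address")
    if unit not in ALLOWED_BUSINESS_UNITS:
        raise ValidationError("unknown business unit")
    if env not in ALLOWED_ENVIRONMENTS:
        raise ValidationError("unknown environment")
    return {"email": email, "business_unit": unit, "environment": env}


def lambda_handler(event: dict, context=None, start_execution=None) -> dict:
    """Entry point for an API Gateway proxy integration (assumed event shape).

    `start_execution` is injected so the module runs offline; in the deployed
    function it would be the boto3 Step Functions client's start_execution,
    called with the validated input serialised as JSON.
    """
    try:
        params = validate_request(json.loads(event.get("body") or "{}"))
    except json.JSONDecodeError:
        return {"statusCode": 400,
                "body": json.dumps({"error": "body is not valid JSON"})}
    except ValidationError as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    if start_execution is not None:
        start_execution(json.dumps(params))
    # 202: the request is accepted, the account does not exist yet.
    return {"statusCode": 202, "body": json.dumps({"accepted": params})}


if __name__ == "__main__":
    sample = {"body": '{"email": "Ada@Example.com", '
                      '"business_unit": "Photonics", "environment": "sandbox"}'}
    print(lambda_handler(sample, None, lambda payload: print("start:", payload)))
```

Rejecting unknown fields outright is deliberate: the portal only ever sends three values, so anything else is a malformed or hand-crafted request and should fail closed with a 400 rather than be silently passed along.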
The AWS Step Function then triggers a Lambda function that sends a notification to a Slack channel to request manager approval for the new account. A second API Gateway, this one a public endpoint, receives the manager's approve or deny response.
As you can see here, once the AWS Step Function receives the response from the API Gateway, it moves to the next step which is another Lambda function that actually creates the account. After the account is created, another Lambda function is triggered which puts the inputs in the correct order for the next steps.
At this point, a parameter file with the new account number and other information that will be used for account hardening in a later step is created and checked into GitHub. After the parameter file is created we employ a sleep state for a few minutes to ensure that the account is properly initialized. Once the sleep state is over, yet another Lambda function is used to trigger a Jenkins job to perform account hardening on the new account. In this way every new account is hardened before it is handed over, and IT Operations policy is followed.
Following account hardening, another Lambda function is triggered. It sends a notification to the user's Slack via direct message and also to the approval channel. This notification includes the new AWS account number. If any errors are encountered in the process, a notification is sent to Slack to let the user and manager know that there was an error and what the specific error was.
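The approval, create, sleep, harden and notify workflow described above, as an added example that is not the project's own state machine: a Python module that emits the Amazon States Language definition and checks the invariants a reviewer would want before deploying it (every task routes its failures to the error notifier, the approval callback has a timeout so an undecided request cannot hang forever, and no state is unreachable). The Lambda ARNs, the state names, the five-minute wait, the `decision` field returned by the approval callback, and the use of the `waitForTaskToken` callback pattern to model the Slack approval are assumptions.

```python
import json

# Assumed Lambda ARNs; the page names the steps but not the functions.
FN = {
    "approval": "arn:aws:lambda:us-east-1:111122223333:function:request-approval",
    "create": "arn:aws:lambda:us-east-1:111122223333:function:create-account",
    "prepare": "arn:aws:lambda:us-east-1:111122223333:function:prepare-inputs",
    "commit": "arn:aws:lambda:us-east-1:111122223333:function:commit-parameter-file",
    "harden": "arn:aws:lambda:us-east-1:111122223333:function:trigger-jenkins-hardening",
    "notify": "arn:aws:lambda:us-east-1:111122223333:function:notify-slack",
}
ERROR_STATE = "NotifyError"


def lambda_task(arn: str, next_state: str = None, result_path: str = None) -> dict:
    """A Task state invoking one Lambda, with retries for transient Lambda errors."""
    state = {
        "Type": "Task",
        "Resource": arn,
        "Retry": [{"ErrorEquals": ["Lambda.ServiceException",
                                   "Lambda.TooManyRequestsException"],
                   "IntervalSeconds": 2, "MaxAttempts": 3, "BackoffRate": 2.0}],
    }
    if result_path:
        state["ResultPath"] = result_path
    if next_state:
        state["Next"] = next_state
    else:
        state["End"] = True
    return state


def build_definition() -> dict:
    """Build the account-creation state machine as a Python dict."""
    states = {
        # The approval Lambda posts to Slack and carries the task token; the
        # public approve/deny endpoint later resumes the execution with it.
        "RequestApproval": {
            "Type": "Task",
            "Resource": "arn:aws:states:::lambda:invoke.waitForTaskToken",
            "Parameters": {"FunctionName": FN["approval"],
                           "Payload": {"request.$": "$", "taskToken.$": "$$.Task.Token"}},
            "ResultPath": "$.approval",
            "TimeoutSeconds": 86400,  # an undecided request fails after one day
            "Next": "IsApproved",
        },
        "IsApproved": {
            "Type": "Choice",
            "Choices": [{"Variable": "$.approval.decision",
                         "StringEquals": "approve", "Next": "CreateAccount"}],
            "Default": "NotifyDenied",
        },
        "CreateAccount": lambda_task(FN["create"], "PrepareInputs", "$.account"),
        "PrepareInputs": lambda_task(FN["prepare"], "CommitParameterFile"),
        "CommitParameterFile": lambda_task(FN["commit"], "WaitForAccountInit"),
        # Assumed five-minute sleep so the new account finishes initialising.
        "WaitForAccountInit": {"Type": "Wait", "Seconds": 300, "Next": "TriggerHardening"},
        "TriggerHardening": lambda_task(FN["harden"], "NotifySuccess"),
        "NotifySuccess": lambda_task(FN["notify"]),
        "NotifyDenied": lambda_task(FN["notify"]),
        ERROR_STATE: lambda_task(FN["notify"]),
    }
    # Every task except the error notifier itself hands failures to NotifyError,
    # which tells the user and manager what went wrong.
    for name, state in states.items():
        if state["Type"] == "Task" and name != ERROR_STATE:
            state["Catch"] = [{"ErrorEquals": ["States.ALL"],
                               "ResultPath": "$.error", "Next": ERROR_STATE}]
    return {"Comment": "Self-service AWS account creation (example)",
            "StartAt": "RequestApproval", "States": states}


def _targets(state: dict) -> list:
    """All state names a state can transition to (Next, Choice, Default, Catch)."""
    out = [state["Next"]] if "Next" in state else []
    out += [c["Next"] for c in state.get("Choices", [])]
    out += [state["Default"]] if "Default" in state else []
    out += [c["Next"] for c in state.get("Catch", [])]
    return out


def check_definition(definition: dict) -> list:
    """Return a list of problems; an empty list means the invariants hold."""
    states, problems = definition["States"], []
    for name, state in states.items():
        for target in _targets(state):
            if target not in states:
                problems.append(f"{name}: transition to unknown state {target}")
        if state["Type"] != "Task":
            continue
        routed = any("States.ALL" in c["ErrorEquals"] and c["Next"] == ERROR_STATE
                     for c in state.get("Catch", []))
        if name != ERROR_STATE and not routed:
            problems.append(f"{name}: no Catch routing failures to {ERROR_STATE}")
        if ".waitForTaskToken" in state["Resource"] and "TimeoutSeconds" not in state:
            problems.append(f"{name}: callback task without TimeoutSeconds")
    seen, stack = set(), [definition["StartAt"]]
    while stack:  # reachability from StartAt
        current = stack.pop()
        if current in seen or current not in states:
            continue
        seen.add(current)
        stack.extend(_targets(states[current]))
    problems += [f"{name}: unreachable" for name in states if name not in seen]
    return problems


if __name__ == "__main__":
    definition = build_definition()
    print(json.dumps(definition, indent=2))
    print("problems:", check_definition(definition))
```

Generating the definition from code rather than hand-editing JSON is what makes the checker worthwhile: the Catch blocks are attached in one loop, so a new step cannot be added without error routing, and a pipeline can run `check_definition` before the definition is deployed.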
From IT Queue to One Click AWS Sandbox
What was taking this research group hours, if not days, to set up can now be done with the click of a button. As a result, they are able to get the most out of their top talent as nothing is standing in the way of their getting the infrastructure they need, when they need it, in order to test their ideas and ensure that innovation continues to flow at the speed of business.
For more reading:
- AWS Best Practice: Sandbox Accounts Provide Secure Middle Ground
- Service Catalog: Your Very Own IT Vending Machine
- AWS Best Practices White Paper: Driving Agility through IT Process Automation