Account Invite Initial Deployment Guide

Tags: account, aws

Process Description

This app generates, distributes, and manages invitations to join the PLNU single sign-on portal, OneLogin. It is written in Python and deployed to AWS with the AWS CDK (Cloud Development Kit).

This guide covers the initial deployment and the manual configuration that must be done immediately after the first deployment. Until those values are set, the app will not function correctly.

Process Steps

CI/CD with Bitbucket Pipelines

This project uses Bitbucket Pipelines for Continuous Integration and Deployment (CI/CD). The pipeline synthesizes the CDK app, uploads the static web pages and other S3 bucket content, packages the Lambda functions, and deploys to both the development and production environments. Edit the bitbucket-pipelines.yml file in the repository root to change the pipeline's behavior.

To make updates or fix issues, make sure your CDK project and local environment are set up, make the changes, and commit them to the remote repository. The push triggers the pipeline, which synthesizes and deploys the change to the development environment. From there the change is reviewed and then manually promoted to the production environment; production is not deployed automatically.

Bitbucket Pipelines with OIDC

The pipeline uses OpenID Connect (OIDC) to authenticate to AWS: a deployment step marked oidc: true in bitbucket-pipelines.yml receives a short-lived identity token from Bitbucket (BITBUCKET_STEP_OIDC_TOKEN) and exchanges it for temporary AWS credentials with sts:AssumeRoleWithWebIdentity. No long-lived AWS access keys are stored as repository variables. To set up OIDC in your AWS environment, follow the steps outlined in this Atlassian article.

On the AWS side this means an IAM OIDC identity provider for the Bitbucket workspace and an IAM role whose trust policy allows AssumeRoleWithWebIdentity from that provider. Scope the trust policy's conditions to the workspace audience (aud) and to this repository's UUID in the subject claim (sub); without the sub condition, any pipeline in the workspace could assume the deployment role. Grant the role only the permissions the CDK deployment needs.
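As an added example (not the project's code, and not from the Atlassian article), the following Python audits an IAM role trust policy for the conditions that make the Bitbucket OIDC setup safe: the Federated principal is the Bitbucket provider, an exact aud condition pins the workspace, and a sub condition pins the repository. The workspace name, account ID, workspace UUID and repository UUID are placeholders (assumptions), and so is the subject-claim layout `{repository-uuid}:{environment-uuid}:{step-uuid}`; compare them against the token your pipeline actually receives. The two policies at the bottom are constructed: one with no Condition block and one tightened.

```python
"""Audit an IAM role trust policy used with Bitbucket Pipelines OIDC.

Added example; not the project's code. Every identifier below is a placeholder.
"""
import json

# Placeholders (assumptions): substitute the real workspace, account and UUIDs.
WORKSPACE = "example-workspace"
ACCOUNT_ID = "123456789012"
PROVIDER_HOST = f"api.bitbucket.org/2.0/workspaces/{WORKSPACE}/pipelines-config/identity/oidc"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PROVIDER_HOST}"
AUDIENCE = "ari:cloud:bitbucket::workspace/00000000-0000-0000-0000-000000000000"
REPO_UUID = "{11111111-1111-1111-1111-111111111111}"


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, provider_arn=PROVIDER_ARN, audience=AUDIENCE,
                       repo_uuid=REPO_UUID):
    """Return a list of findings; an empty list means the policy is scoped as expected."""
    host = provider_arn.split("oidc-provider/", 1)[1]  # condition keys are <host>:aud / <host>:sub
    findings = []
    web_identity_statements = 0
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        web_identity_statements += 1
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if federated != provider_arn:
            findings.append(f"statement {i}: Federated principal {federated!r} is not the Bitbucket OIDC provider")
        cond = stmt.get("Condition", {})
        # aud pins the token to this workspace; it must be an exact match.
        aud = _as_list(cond.get("StringEquals", {}).get(f"{host}:aud"))
        if aud != [audience]:
            findings.append(f"statement {i}: no exact aud condition for the workspace")
        # sub pins the token to this repository (and optionally environment/step).
        subs = (_as_list(cond.get("StringLike", {}).get(f"{host}:sub"))
                + _as_list(cond.get("StringEquals", {}).get(f"{host}:sub")))
        if not subs:
            findings.append(f"statement {i}: no sub condition, so any step in the workspace could assume the role")
        for sub in subs:
            if not sub.startswith(repo_uuid + ":"):
                findings.append(f"statement {i}: sub pattern {sub!r} is not pinned to the repository")
    if web_identity_statements == 0:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return findings


# Constructed sample policies (not copied from any real account).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{PROVIDER_HOST}:aud": AUDIENCE},
            "StringLike": {f"{PROVIDER_HOST}:sub": f"{REPO_UUID}:*"},
        },
    }],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(audit_trust_policy(policy), indent=2))
```

To check a live role, fetch its trust policy with `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` and pass the parsed JSON to `audit_trust_policy`. Tightening the sub pattern further to `{repo-uuid}:{environment-uuid}:*` restricts the role to one Bitbucket deployment environment, which is the right scope for the production role.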

Manual Configuration

Pushing code to the remote repository will handle the majority of the required configurations, but a few specific values need to be manually set:

DynamoDB
Table Name : ExpiryNotice


  Value : {"userType": {"S": "student_applicant"}, "last": {"N": "0"}, "recipients": {"L": [{"S" : "<interested_party@domain>"}]}}

- This item drives the expiry check that removes inactive users from the `InviteTable` table, and its `recipients` list holds the staff addresses that receive expired-invite notifications. Replace the placeholder `<interested_party@domain>` with a real address; the current production address is `onboard-expiry-notice-student-applicants@pointloma.edu`.

  In the AWS Console, open DynamoDB, find and select the ExpiryNotice table, click 'Explore items', then 'Create item'. Switch to 'JSON view', paste the value above into the editor, and save. The value is DynamoDB JSON (type descriptors S, N and L), so keep those wrappers exactly as shown.


Secrets Manager
Secret Name : OneLoginAPICredentials

  Value : client_id and client_secret

- These are the OneLogin API credentials the app uses to call OneLogin. The deployment creates the secret but not its real value; never commit the real credentials to the repository or to cdk.json.

   In AWS Secrets Manager, find the secret (named OneLoginAPICredentials above and ol_api_credentials in the original step; confirm which name the deployed stack created) and update it with the real value. The production API credentials are in Passwordstate.


Simple Email Service
Verified Identity : interested_party@pointloma.edu

- This is the address that receives invite emails while testing in the dev environment. The account is in the SES sandbox, where mail is delivered only to verified identities, so the recipient address must be verified (the sending identity must be verified as well) before any invite email is delivered.

  This step is necessary to ensure delivery of invite emails during development.

  The address is set in the project's cdk.json under to_email for the appropriate environment. After changing it, verify the new address in SES as well, or dev sends to it will be rejected.
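As an added example (not the project's code), the following Python checks the three manual values above against a deployed account: that the ExpiryNotice item exists with a numeric `last` and real recipient addresses, that the OneLogin secret holds non-placeholder `client_id` and `client_secret` values, and that the SES identity is verified. The checks only call the boto3 method names `get_item`, `get_secret_value` and `get_identity_verification_attributes`, so the `FakeAws` class constructed at the bottom lets the script run offline; with real boto3 clients it inspects the account. Assumptions: the secret is stored as a JSON object with `client_id` and `client_secret` keys, the secret name is OneLoginAPICredentials, and the placeholder markers and sample data are invented.

```python
"""Verify the manual post-deployment values (added example, not project code)."""
import json
import re

TABLE_NAME = "ExpiryNotice"
SECRET_NAME = "OneLoginAPICredentials"  # the page also refers to it as ol_api_credentials
EMAIL_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")
PLACEHOLDER_MARKERS = ("<", "changeme", "placeholder", "todo")  # assumption


def _is_placeholder(value):
    """True for missing, blank, or obviously unset values such as '<set me>'."""
    if not isinstance(value, str) or not value.strip():
        return True
    return value.strip().lower().startswith(PLACEHOLDER_MARKERS)


def check_expiry_notice(ddb, user_type="student_applicant"):
    """ExpiryNotice must hold a numeric 'last' and at least one real recipient."""
    item = ddb.get_item(TableName=TABLE_NAME, Key={"userType": {"S": user_type}}).get("Item")
    if not item:
        return [f"no {TABLE_NAME} item for userType={user_type}"]
    findings = []
    if "N" not in item.get("last", {}):
        findings.append("'last' is missing or not a number (N) attribute")
    recipients = [r.get("S", "") for r in item.get("recipients", {}).get("L", [])]
    if not recipients:
        findings.append("'recipients' is empty: nobody receives expiry notices")
    for addr in recipients:
        if _is_placeholder(addr) or not EMAIL_RE.match(addr):
            findings.append(f"recipient {addr!r} is a placeholder or not an email address")
    return findings


def check_onelogin_secret(sm):
    """The secret must be JSON with non-placeholder client_id and client_secret (assumed layout)."""
    raw = sm.get_secret_value(SecretId=SECRET_NAME).get("SecretString", "")
    try:
        body = json.loads(raw)
    except ValueError:
        body = None
    if not isinstance(body, dict):
        return [f"{SECRET_NAME} is not a JSON object"]
    return [f"{key} is missing or still a placeholder"
            for key in ("client_id", "client_secret") if _is_placeholder(body.get(key))]


def check_ses_identity(ses, identity):
    """In the SES sandbox the recipient identity must be verified ('Success')."""
    attrs = ses.get_identity_verification_attributes(Identities=[identity])
    status = attrs.get("VerificationAttributes", {}).get(identity, {}).get("VerificationStatus")
    return [] if status == "Success" else [f"{identity}: VerificationStatus is {status!r}, not 'Success'"]


def run_checks(ddb, sm, ses, identity):
    """Return check name -> findings; all lists empty means the manual setup is complete."""
    return {
        "dynamodb": check_expiry_notice(ddb),
        "secrets_manager": check_onelogin_secret(sm),
        "ses": check_ses_identity(ses, identity),
    }


class FakeAws:
    """Stand-in for the three boto3 clients; constructed data, not from any real account."""

    def __init__(self, item, secret_string, verified):
        self.item, self.secret_string, self.verified = item, secret_string, verified

    def get_item(self, TableName, Key):
        wanted = bool(self.item) and Key == {"userType": self.item["userType"]}
        return {"Item": self.item} if TableName == TABLE_NAME and wanted else {}

    def get_secret_value(self, SecretId):
        return {"SecretString": self.secret_string}

    def get_identity_verification_attributes(self, Identities):
        return {"VerificationAttributes": {
            i: {"VerificationStatus": "Success" if i in self.verified else "Pending"} for i in Identities}}


# Constructed states: a fresh deployment before the manual steps, and one after them.
FRESH = FakeAws(item=None, secret_string='{"client_id": "<set me>", "client_secret": "<set me>"}',
                verified=set())
CONFIGURED = FakeAws(
    item={"userType": {"S": "student_applicant"}, "last": {"N": "0"},
          "recipients": {"L": [{"S": "onboard-expiry-notice-student-applicants@pointloma.edu"}]}},
    secret_string='{"client_id": "abc123", "client_secret": "s3cr3t"}',
    verified={"interested_party@pointloma.edu"},
)

if __name__ == "__main__":
    try:
        import boto3  # with boto3 and AWS credentials present, check the real account
        clients = (boto3.client("dynamodb"), boto3.client("secretsmanager"), boto3.client("ses"))
    except ImportError:
        clients = (CONFIGURED, CONFIGURED, CONFIGURED)
    print(json.dumps(run_checks(*clients, identity="interested_party@pointloma.edu"), indent=2))
```

Run it once after the first pipeline deployment and again after each of the three manual steps; an empty findings list for every check is the signal that the dev environment is ready for an end-to-end invite test.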


Related articles

A more comprehensive overview of the Account Invitation Management System can be found here.

Details

Article ID: 153847
Created: Wed 8/23/23 4:10 PM
Modified: Thu 3/7/24 9:15 AM