-
Create API keys for sending
sinister-incorporated-aws-testsinister-incorporated-aws-prod
- Create environments
terraform-testterraform-prod
- Create environment secrets
CLOUDFLARE_API_TOKENEMAIL_FUNCTION_PARAMETERS[{"name":"...","value":"..."}]
- Create environment variables
API_SUBDOMAINIAM_ROLE
- Enable "Allow GitHub Actions to create and approve pull requests" in Settings/Actions/General/Workflow permissions
-
Create AWS accounts
sinister-incorporated-testsinister-incorporated-prod
-
Prepare AWS CLI
# ~/.aws/config # Sinister Incorporated [profile sinister-incorporated-test] sso_session = sinister-incorporated-sso sso_account_id = 220746603587 sso_role_name = AdministratorAccess [profile sinister-incorporated-prod] sso_session = sinister-incorporated-sso sso_account_id = sso_role_name = AdministratorAccess [sso-session sinister-incorporated-sso] sso_region = eu-central-1 sso_start_url = https://simonknittel.awsapps.com/start
-
Create and deploy setup stack with AWS CloudFormation
- Create and populate
test-parameters.jsonandprod-parameters.json AWS_PROFILE=sinister-incorporated-test aws sso loginAWS_PROFILE=sinister-incorporated-test aws --region eu-central-1 cloudformation deploy --template-file setup.yaml --stack-name setup --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM --tags ManagedBy=CloudFormation Repository=simonknittel/sinister-incorporated --parameter-override file://test-parameters.json
- Create and populate
-
Manually set up AWS User Notifications through the console
-
Notification hubs: eu-central-1
-
Create notification configuration for CloudWatch
- Name:
cloudwatch-alarms - AWS service name:
CloudWatch - Event type:
CloudWatch Alarm State Change - Regions: eu-central-1
- Advanced filter
{ "detail": { "previousState": { "value": ["OK", "INSUFFICIENT_DATA"] }, "state": { "value": ["ALARM"] } } }- Aggregation settings: Receive within 5 minutes
- Delivery channels: Email
- Name:
-
Create notification configuration for Health
-
- https://stackoverflow.com/questions/51273227/whats-the-most-efficient-way-to-determine-the-minimum-aws-permissions-necessary
- https://github.com/iann0036/iamlive
iamlive --mode proxy --force-wildcard-resource --output-file policy.json --sort-alphabeticalHTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE=~/.iamlive/ca.pem AWS_CSM_ENABLED=true AWS_PROFILE=sinister-incorporated-test terraform plan -var-file="test.tfvars"
mkdir certificates && cd certificates/- Create private certificate authority (CA):
openssl genrsa -out RootCA.key 4096 - Create private and public keys:
openssl req -new -x509 -days 3650 -key RootCA.key -out RootCA.pem- Country Name:
DE - State or Province Name:
Lower Saxony - Locality Name:
Delmenhorst - Organization Name:
Sinister Incorporated - Organizational Unit Name:
- - Common Name:
sinister-api.simonknittel.de - Email Address:
-
- Country Name:
- Create client certificate private key and certificate signing request (CSR). Leave A challenge password empty.
openssl req -newkey rsa:2048 -nodes -keyout localhost.key -out localhost.csropenssl req -newkey rsa:2048 -nodes -keyout vercel.key -out vercel.csr
- Sign client certificates with root CA
openssl x509 -req -in localhost.csr -CA RootCA.pem -CAkey RootCA.key -set_serial 01 -out localhost.pem -days 3650 -sha256openssl x509 -req -in vercel.csr -CA RootCA.pem -CAkey RootCA.key -set_serial 01 -out vercel.pem -days 3650 -sha256
- Create trust store:
cp RootCA.pem truststore.pem
-
Create and populate
test.s3.tfbackend,prod.s3.tfbackend,test.tfvarsandprod.tfvars -
Create Terraform resources
AWS_PROFILE=sinister-incorporated-test aws sso loginAWS_PROFILE=sinister-incorporated-test terraform init -backend-config=test.s3.tfbackendAWS_PROFILE=sinister-incorporated-test terraform apply -var-file="test.tfvars"
- Set
Ignored Build SteptoRun my Bash script: bash ../.vercel/ignore-step.sh
- Manually enable we monthly budget report on AWS
- Budget report name:
Total monthly costs - Select budgets:
Total monthly budget - Report frequency:
Monthly - Day of month:
1
- Budget report name: