Skip to main content

What’s New

Qrvey 8.8
Qrvey Version 8.8 (LTS) is now available to customers! This version supports FIPS for GovCloud and includes tons of bug fixes and performance improvements.
Learn More
Qrvey 8.7
Version 8.7 of the Qrvey platform is now available to customers! This version includes new features including area charts, the ability to pivot and export data, as well as numerous bug fixes and performance improvements.
Learn More
Qrvey 8.6
Version 8.6 of the Qrvey platform is now available to customers. This version includes several new feature enhancements and performance improvements.
Learn More
Required Update for 8.5.1
Attention 8.5.1 customers: for any 8.5.1 instance deployed prior to 08/05/2024, an update is required to ensure you are running the latest images.
Learn More
Qrvey 8.5
Version 8.5 (LTS) of the Qrvey platform is now available to customers. This version includes several new features and performance improvements.
Learn More
End-of-life Schedule
We've added a new article that lists the features and endpoints that have been scheduled for deprecation. All features and endpoints will be supported for (1) year after the release date of the LTS version that contains the alternative.
Learn More
Version: 8.8

Deploy in AWS GovCloud with FIPS

This document outlines the process for deploying a Qrvey Platform instance in AWS GovCloud with FIPS enabled.

As of this writing, AWS offers two GovCloud regions (us-gov-east-1 and us-gov-west-1), with only us-gov-west-1 supporting the majority of services required for Qrvey Platform deployment. Note that AWS GovCloud (us-gov-west-1) does not support CloudFront, which is necessary for rendering the UI. To work around this limitation, deploy the Widgets component in a non-GovCloud AWS account and link it to access certain files in the S3 bucket of the GovCloud AWS account. This is currently the only method to deploy an instance.

ECS only FIPS-compliant in GovCloud. Snowflake & Oracle not available in FIPS.

Prerequisites

  • Non-GovCloud AWS Account: Used for deploying Widgets (static HTML/CSS) and the CloudFront distribution. Select a region for deploying the CloudFormation template.
  • GovCloud AWS Account: Qrvey supports deployment in the us-gov-west-1 region only.
  • Globally Unique Prefix: This prefix will be used for naming S3 buckets and must be unique. A minimum 5-character random string is recommended.
  • AWS Account IDs: Provide the two AWS Account IDs to Qrvey Support for whitelisting.

Steps for Non-GovCloud Account

  1. Determine the unique prefix for this instance.

  2. Log in to the non-GovCloud AWS account and select the appropriate region (e.g., us-west-2).

  3. Create a new location CloudFormation stack using the following URL: https://qrvey-autodeployapp.s3.amazonaws.com/common/qrvey-aws-location-Template.json.

    • Copy the IdentityPoolId from the Outputs tab (e.g., us-west-2:xxxxxxxxx).

  4. Deploy the AutoDeployApp/Installer CloudFormation template.

    • Obtain the template URL from Qrvey Support for the appropriate version (e.g., 8.5.2).
    • Create a new stack using the URL, selecting public subnets within the appropriate VPC.
    • Once the stack is ready, copy and save the URL from the Outputs tab.
    • Initialize the installer by calling the INIT API. Replace placeholder values as needed.
    curl --location '<AutoDeployAppURL>/api/v1/init'

  5. Deploy the Widgets Module using the following API. Replace placeholder values accordingly.

    curl --location '<AutoDeployAppURL>/api/v1/deploy/pipeline/widgets/deployment' \
    --header 'Content-Type: application/json' \
    --data-raw '{
        "email": "<name@email.com>",
        "useDeployID": "<prefix>",
        "UseFipsEndpoint": "true",
        "Referer": "<Referer>",
        "LocationIdentityPoolID": "<us-west-2:xxxxxxxxx>",
        "GovCloudRegion": "us-gov-west-1",
        "GovCloudAccount": "<GovCloudAWSAccountID>"
    }'

  6. Monitor progress by accessing the AutoDeployAppURL in a browser or using the GET /api/v1/status API. Upon completion, proceed with the following steps:

  7. Retrieve the Widgets deployment JSON by calling the following API. This will be used for GovCloud deployment.

    curl --location '<AutoDeployAppURL>/api/v1/deploy/pipeline/widgets/results'

  8. In the S3 service, locate and delete the following buckets. These will be recreated in the GovCloud account, so ensure they are deleted before starting the GovCloud deployment:

    • <AccountID><Prefix>qrveyuserfiles
    • qrvey-<prefix>-config
    • qrveyversion-<prefix>

  9. You can now delete the AutoDeployApp/Installer CloudFormation stack.

Steps for GovCloud Account

  1. Select the us-gov-west-1 region.

  2. Deploy the AutoDeployApp/Installer CloudFormation template.

    • Obtain the template URL from Qrvey Support for the appropriate version (e.g., 8.5.2).
    • Create a new stack using the URL, selecting public subnets within the appropriate VPC.
    • Once the stack is ready, copy and save the URL from the Outputs tab.
    • Initialize the installer by calling the INIT API. Replace placeholder values with those from step 5 in the prerequisites section above.

  3. Begin deployment by calling the following API. Replace placeholder values as needed, ensuring the data matches Step 5 of the Non-GovCloud deployment.

    curl --location '<AutoDeployAppURL>/api/v1/deployment' \
    --header 'Content-Type: application/json' \
    --data-raw '{
        "company": "CompanyName",
        "email": "name@email.com",
        "firstname": "FirstName",
        "lastname": "LastName",
        "useDeployID": "<prefix (matching from Step 5 in Non-GovCloud)>",
        "UseFipsEndpoint": "true",
        "Referer": "<Referer (matching from Step 5 in Non-GovCloud)>",
        "skipWidgetPipeline": true,
        "widgetConfig": {
            <WidgetConfigJSON from Step 7 in Non-GovCloud deployment>
        },
        "useExistingAWSLocation": true,
        "LocationIdentityPoolID": "us-west-2:85b694c3-4269-43e8-9ea4-5f52939f1e5a",
        "elasticSearchConfig": {
            "EBSOptions": {
                "EBSEnabled": true,
                "VolumeSize": 100,
                "VolumeType": "gp2"
            },
            "ElasticsearchClusterConfig": {
                "InstanceCount": 2,
                "InstanceType": "r6g.large.elasticsearch"
            },
            "ElasticsearchVersion": "7.10"
        }
    }'

  4. Monitor deployment progress using the AutoDeployApp UI or the GET /api/v1/status API.

  5. Upon completion, access AWS DynamoDB.

  6. Locate the qrveyDeploymentApp_Config table and select "Explore table items."

  7. Copy and save the following values:

    • MicroserviceCodePipeline: appResourceValues.composerELBDNSName. Set this in the CloudFront origin (in the Non-GovCloud account) for Qrvey<prefix>ComposerALB.
    • AdminCodePipeline: appResourceValues.adminSecurityHttpApiEndpoint. Set this in the CloudFront origin (in the Non-GovCloud account) for Qrvey<prefix>SecurityApiGateway.

  8. After deployment, you will receive an email with the relevant details.

Post-Deployment Tasks

  1. Log in to the Non-GovCloud account.

  2. In AWS CloudFront, find the distribution created from the Widgets stack. It will have an alternate domain name matching the composer URL (<prefix>.qrveyapp.com).

  3. Open the distribution and select the "Origins" tab.

    • Update the origin path for Qrvey<prefix>ComposerALB with the composer ELB DNS name from Step 7 in the previous section.
    • Update the origin path for Qrvey<prefix>SecurityApiGateway with the admin security HTTP endpoint from Step 7 in the previous section.
      • Ensure the origin path is set to /prod.

  4. Call the following API to generate the default system roles using the values from the email received in Step 8 of the previous section.

    curl --location --request POST 'https://<ComposerURL>/admin/api/v5/group/system/generate' \
    --header 'x-api-key: <ApiKey>' \
    --data ''