Deploy in AWS GovCloud with FIPS
This document outlines the process for deploying a Qrvey Platform instance in AWS GovCloud with FIPS enabled.
As of this writing, AWS offers two GovCloud regions (us-gov-east-1 and us-gov-west-1), and only us-gov-west-1 provides the majority of the services the Qrvey Platform deployment requires. AWS GovCloud (us-gov-west-1) also does not offer CloudFront, which is needed to serve the UI. To work around this, deploy the Widgets component in a non-GovCloud AWS account and link it so that it can read certain files from the S3 bucket in the GovCloud account. This is currently the only supported way to deploy an instance.
Prerequisites
- Non-GovCloud AWS Account: Used for deploying Widgets (static HTML/CSS) and the CloudFront distribution. Select a region for deploying the CloudFormation template.
- GovCloud AWS Account: Qrvey supports deployment in the us-gov-west-1 region only.
- Globally Unique Prefix: This prefix will be used for naming S3 buckets and must be unique. A minimum 5-character random string is recommended.
- AWS Account IDs: Provide the two AWS Account IDs to Qrvey Support for whitelisting.
Steps for Non-GovCloud Account
Determine the unique prefix for this instance.
Log in to the non-GovCloud AWS account and select the appropriate region (e.g., us-west-2).
Create a new location CloudFormation stack using the following URL:
https://qrvey-autodeployapp.s3.amazonaws.com/common/qrvey-aws-location-Template.json
- Copy the IdentityPoolId from the Outputs tab (e.g., us-west-2:xxxxxxxxx).
Deploy the AutoDeployApp/Installer CloudFormation template.
- Obtain the template URL from Qrvey Support for the appropriate version (e.g., 8.5.2).
- Create a new stack using the URL, selecting public subnets within the appropriate VPC.
- Once the stack is ready, copy and save the URL from the Outputs tab.
- Initialize the installer by calling the INIT API. Replace placeholder values as needed.
curl --location '<AutoDeployAppURL>/api/v1/init'
Deploy the Widgets Module using the following API. Replace placeholder values accordingly.
curl --location '<AutoDeployAppURL>/api/v1/deploy/pipeline/widgets/deployment' \
--header 'Content-Type: application/json' \
--data-raw '{
"email": "<name@email.com>",
"useDeployID": "<prefix>",
"UseFipsEndpoint": "true",
"Referer": "<Referer>",
"LocationIdentityPoolID": "<us-west-2:xxxxxxxxx>",
"GovCloudRegion": "us-gov-west-1",
"GovCloudAccount": "<GovCloudAWSAccountID>"
}'
Monitor progress by opening the AutoDeployAppURL in a browser or by calling the GET /api/v1/status API. Upon completion, proceed with the following steps:
Retrieve the Widgets deployment JSON by calling the following API. You will need it for the GovCloud deployment.
curl --location '<AutoDeployAppURL>/api/v1/deploy/pipeline/widgets/results'
In the S3 service, locate and delete the following buckets. These will be recreated in the GovCloud account, so ensure they are deleted before starting the GovCloud deployment:
- <AccountID><Prefix>qrveyuserfiles
- qrvey-<prefix>-config
- qrveyversion-<prefix>
You can now delete the AutoDeployApp/Installer CloudFormation stack.
Steps for GovCloud Account
Select the us-gov-west-1 region.
Deploy the AutoDeployApp/Installer CloudFormation template.
- Obtain the template URL from Qrvey Support for the appropriate version (e.g., 8.5.2).
- Create a new stack using the URL, selecting public subnets within the appropriate VPC.
- Once the stack is ready, copy and save the URL from the Outputs tab.
- Initialize the installer by calling the INIT API, using the URL saved from the GovCloud stack's Outputs tab.
Begin deployment by calling the following API. Replace placeholder values as needed; useDeployID and Referer must match the values used in the Widgets deployment call in the Non-GovCloud account, and LocationIdentityPoolID is the IdentityPoolId from the location stack.
curl --location '<AutoDeployAppURL>/api/v1/deployment' \
--header 'Content-Type: application/json' \
--data-raw '{
"company": "CompanyName",
"email": "name@email.com",
"firstname": "FirstName",
"lastname": "LastName",
"useDeployID": "<prefix (same value used for the Widgets deployment in the Non-GovCloud account)>",
"UseFipsEndpoint": "true",
"Referer": "<Referer (same value used for the Widgets deployment in the Non-GovCloud account)>",
"skipWidgetPipeline": true,
"widgetConfig": {
<WidgetConfigJSON returned by the widgets/results call in the Non-GovCloud deployment>
},
"useExistingAWSLocation": true,
"LocationIdentityPoolID": "<us-west-2:xxxxxxxxx (IdentityPoolId from the location stack)>",
"elasticSearchConfig": {
"EBSOptions": {
"EBSEnabled": true,
"VolumeSize": 100,
"VolumeType": "gp2"
},
"ElasticsearchClusterConfig": {
"InstanceCount": 2,
"InstanceType": "r6g.large.elasticsearch"
},
"ElasticsearchVersion": "7.10"
}
}'
Monitor deployment progress using the AutoDeployApp UI or the GET /api/v1/status API.
Upon completion, open AWS DynamoDB.
Locate the qrveyDeploymentApp_Config table and select "Explore table items." Copy and save the following values:
- MicroserviceCodePipeline: appResourceValues.composerELBDNSName. Set this as the CloudFront origin (in the Non-GovCloud account) for Qrvey<prefix>ComposerALB.
- AdminCodePipeline: appResourceValues.adminSecurityHttpApiEndpoint. Set this as the CloudFront origin (in the Non-GovCloud account) for Qrvey<prefix>SecurityApiGateway.
After deployment, you will receive an email with the relevant details.
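The two installer calls above must agree on useDeployID, Referer and the identity pool, and the three buckets listed earlier must be gone before the GovCloud run starts. The following helper is an added example, not Qrvey's code: it builds both request bodies from one set of inputs, embeds the widgets/results JSON as widgetConfig, lists the buckets to delete, and reports any field that drifted between the two calls. Function names, the sample values and the assumption that widgets/results returns exactly the object to embed as widgetConfig are hypothetical; only the __main__ block talks to the network.

```python
"""Added example (not Qrvey's code): builds and cross-checks the AutoDeployApp
request bodies used in the two-account procedure on this page.

Assumptions (hypothetical, not from the page): the helper names, the sample
values, and that /widgets/results returns the exact object to embed as
"widgetConfig". Network calls happen only in the __main__ block.
"""
import json
import re
import urllib.request

GOVCLOUD_REGION = "us-gov-west-1"  # the only GovCloud region Qrvey supports

# Default search-cluster sizing, copied from the deployment body on this page.
DEFAULT_ES_CONFIG = {
    "EBSOptions": {"EBSEnabled": True, "VolumeSize": 100, "VolumeType": "gp2"},
    "ElasticsearchClusterConfig": {"InstanceCount": 2,
                                   "InstanceType": "r6g.large.elasticsearch"},
    "ElasticsearchVersion": "7.10",
}


def validate_prefix(prefix: str) -> str:
    """The prefix is embedded in S3 bucket names, so restrict it to lowercase
    letters and digits (S3 rejects uppercase) and require at least 5 chars."""
    if not re.fullmatch(r"[a-z0-9]{5,}", prefix):
        raise ValueError(f"prefix {prefix!r}: need >= 5 lowercase letters/digits")
    return prefix


def widgets_request(email, prefix, referer, identity_pool_id, govcloud_account):
    """Body for POST /api/v1/deploy/pipeline/widgets/deployment (non-GovCloud)."""
    return {
        "email": email,
        "useDeployID": validate_prefix(prefix),
        "UseFipsEndpoint": "true",
        "Referer": referer,
        "LocationIdentityPoolID": identity_pool_id,
        "GovCloudRegion": GOVCLOUD_REGION,
        "GovCloudAccount": govcloud_account,
    }


def buckets_to_delete(non_gov_account_id, prefix):
    """The three buckets the widgets run leaves behind in the non-GovCloud account."""
    return [
        f"{non_gov_account_id}{prefix}qrveyuserfiles",
        f"qrvey-{prefix}-config",
        f"qrveyversion-{prefix}",
    ]


def govcloud_request(widgets_req, widgets_results, company, firstname, lastname,
                     es_config=None):
    """Body for POST /api/v1/deployment in GovCloud. Prefix, Referer and identity
    pool are copied from the widgets request, not retyped, so they cannot drift."""
    if widgets_req["UseFipsEndpoint"] != "true":
        raise ValueError("widgets deployment was not run with FIPS endpoints")
    return {
        "company": company,
        "email": widgets_req["email"],
        "firstname": firstname,
        "lastname": lastname,
        "useDeployID": widgets_req["useDeployID"],
        "UseFipsEndpoint": "true",
        "Referer": widgets_req["Referer"],
        "skipWidgetPipeline": True,
        "widgetConfig": widgets_results,
        "useExistingAWSLocation": True,
        "LocationIdentityPoolID": widgets_req["LocationIdentityPoolID"],
        "elasticSearchConfig": es_config or DEFAULT_ES_CONFIG,
    }


def mismatches(widgets_req, gov_req):
    """Fields that must agree across the two calls; an empty list means consistent."""
    keys = ["useDeployID", "Referer", "LocationIdentityPoolID", "UseFipsEndpoint"]
    return [k for k in keys if widgets_req[k] != gov_req[k]]


def call(base_url, path, body=None):
    """Stand-in for the curl calls: POST JSON when a body is given, else GET."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    # Constructed sample values; replace with the real installer URL and IDs.
    w = widgets_request("name@email.com", "abc12", "abc12.qrveyapp.com",
                        "us-west-2:xxxxxxxxx", "123456789012")
    print(json.dumps(w, indent=2))
    print("delete before the GovCloud run:", buckets_to_delete("210987654321", "abc12"))
    # Live sequence against a real <AutoDeployAppURL>:
    # call(url, "/api/v1/init")
    # call(url, "/api/v1/deploy/pipeline/widgets/deployment", w)
    # results = call(url, "/api/v1/deploy/pipeline/widgets/results")
    # g = govcloud_request(w, results, "CompanyName", "FirstName", "LastName")
```

Run mismatches() on the two bodies before posting the GovCloud one; a non-empty list means the widgets files and the GovCloud stack would be provisioned under different prefixes or referers.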
Post-Deployment Tasks
Log in to the Non-GovCloud account.
In AWS CloudFront, find the distribution created from the Widgets stack. It will have an alternate domain name matching the composer URL (<prefix>.qrveyapp.com).
Open the distribution and select the "Origins" tab.
- Update the origin domain for Qrvey<prefix>ComposerALB with the composer ELB DNS name copied from DynamoDB in the previous section.
- Update the origin domain for Qrvey<prefix>SecurityApiGateway with the admin security HTTP API endpoint copied from DynamoDB in the previous section. CloudFront origin domains are bare hostnames, so drop any https:// scheme from the endpoint value.
- Ensure the origin path is set to /prod.
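Editing the two origins in the console works, but scripting it avoids a typo in the ELB hostname and shows the ETag handshake CloudFront requires for configuration updates. The following is an added example, not Qrvey's code: it takes a DistributionConfig as returned by boto3, rewrites the two named origins, and returns a modified copy. The origin Ids (Qrvey<prefix>ComposerALB and Qrvey<prefix>SecurityApiGateway), the sample config and the choice to apply /prod only to the security API origin are assumptions; the live get/update calls sit under __main__ and need boto3 with non-GovCloud credentials.

```python
"""Added example (not Qrvey's code): repoints the two widgets-distribution
origins at the GovCloud endpoints copied from DynamoDB, using the
get-config / update-with-ETag sequence CloudFront requires.

Assumptions (hypothetical): the origin Ids are exactly Qrvey<prefix>ComposerALB
and Qrvey<prefix>SecurityApiGateway, and /prod is the stage path of the
security HTTP API only. SAMPLE_CONFIG is constructed, not captured.
"""
import copy
from urllib.parse import urlparse


def hostname_only(endpoint: str) -> str:
    """CloudFront origin domains are bare hostnames: strip scheme and path if the
    DynamoDB value is a full URL such as https://id.execute-api.<region>.amazonaws.com/."""
    if "://" in endpoint:
        return urlparse(endpoint).hostname
    return endpoint.split("/", 1)[0]


def repoint_origins(dist_config: dict, prefix: str, composer_dns: str,
                    admin_endpoint: str) -> dict:
    """Return a modified copy of a CloudFront DistributionConfig with both
    Qrvey origins pointed at the GovCloud side. Raises if an origin is missing,
    so a wrong prefix cannot silently leave the distribution untouched."""
    wanted = {
        f"Qrvey{prefix}ComposerALB": (hostname_only(composer_dns), None),
        f"Qrvey{prefix}SecurityApiGateway": (hostname_only(admin_endpoint), "/prod"),
    }
    cfg = copy.deepcopy(dist_config)
    seen = set()
    for origin in cfg["Origins"]["Items"]:
        if origin["Id"] in wanted:
            domain, path = wanted[origin["Id"]]
            origin["DomainName"] = domain
            if path is not None:
                origin["OriginPath"] = path
            seen.add(origin["Id"])
    missing = set(wanted) - seen
    if missing:
        raise KeyError(f"origins not found in distribution: {sorted(missing)}")
    return cfg


# Constructed sample mirroring the shape boto3 returns for DistributionConfig.
SAMPLE_CONFIG = {
    "Aliases": {"Quantity": 1, "Items": ["abc12.qrveyapp.com"]},
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "Qrveyabc12ComposerALB",
         "DomainName": "placeholder.example", "OriginPath": ""},
        {"Id": "Qrveyabc12SecurityApiGateway",
         "DomainName": "placeholder.example", "OriginPath": ""},
    ]},
}


if __name__ == "__main__":
    import boto3  # only needed for the live update

    cf = boto3.client("cloudfront")  # non-GovCloud account credentials
    dist_id = "EXXXXXXXXXXXXX"       # the widgets distribution (placeholder)
    current = cf.get_distribution_config(Id=dist_id)
    new_cfg = repoint_origins(
        current["DistributionConfig"], "abc12",
        "qrvey-abc12-composer-123.us-gov-west-1.elb.amazonaws.com",  # constructed
        "https://abcdef1234.execute-api.us-gov-west-1.amazonaws.com",  # constructed
    )
    # CloudFront rejects the update unless IfMatch carries the ETag just read.
    cf.update_distribution(Id=dist_id, IfMatch=current["ETag"],
                           DistributionConfig=new_cfg)
```

The update is rejected with a PreconditionFailed error if the distribution changed between the read and the write, which is the behaviour you want when two operators touch the same distribution.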
Call the following API to generate the default system roles, using the composer URL and API key from the email received at the end of the previous section.
curl --location --request POST 'https://<ComposerURL>/admin/api/v5/group/system/generate' \
--header 'x-api-key: <ApiKey>' \
--data ''