Merge pull request #2 from troy-ameigh/main

Initial move of code from aws-quickstart repo

.gitignore

@@ -0,0 +1,11 @@
+*.js
+!jest.config.js
+*.d.ts
+node_modules
+
+# CDK asset staging directory
+.cdk.staging
+cdk.out
+.DS_Store
+.editorconfig
+.pre-commit-config.yaml

.gitmodules

@@ -0,0 +1,4 @@
+
+[submodule "docs/boilerplate"]
+	path = docs/boilerplate
+	url = https://github.com/aws-ia/aws-ia-documentation-base-common.git

CODEOWNERS

@@ -1 +1 @@
-* @aws-ia/aws-ia
+* @aws-ia/aws-ia

NOTICE.txt

@@ -1,4 +1,4 @@
-Copyright 2016-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+Copyright 2022-2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
 

README.md

@@ -0,0 +1,7 @@
+## Data Fabric Security on AWS—Solution
+
+For architectural details, step-by-step instructions, and customization options, see the [deployment guide](https://fwd.aws/P5YgK?").
+
+To post feedback, submit feature ideas, or report bugs, use the **Issues** section of this GitHub repo.
+
+To submit code for this Solution, see the [AWS Quick Start Contributor's Guide](https://fwd.aws/NwqYA?).

bin/cdk-solution.ts

@@ -0,0 +1,27 @@
+import * as cdk from 'aws-cdk-lib';
+import { AwsSolutionsChecks } from 'cdk-nag';
+
+import { MainStack } from '../lib/main';
+import { Config } from '../lib/core/config';
+
+const app = new cdk.App();
+cdk.Aspects.of(app).add(new AwsSolutionsChecks({ 
+  verbose: true,
+  reports: true
+}));
+
+async function Main() {
+  new Config().Load(`./config/dev.yaml`).then(_f => {
+
+    new MainStack(app, "DataFabricStack", {
+      env: {
+        account: Config.Current.AWSAccountID,
+        region: Config.Current.AWSRegion
+      },
+      description: '(qs-1u67sa7bo)'
+    });
+  });
+
+}
+
+Main();

cdk.context.json

@@ -0,0 +1,2 @@
+{
+}

cdk.json

@@ -0,0 +1,9 @@
+{
+  "app": "npx ts-node bin/cdk-solution.ts",
+  "context": {
+    "solution_id": "%%SOLUTION_ID%%",
+    "solution_name": "data-fabric-security",
+    "solution_version": "%%VERSION%%",
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false
+  }
+}

config/dev.yaml

@@ -0,0 +1,43 @@
+AWSAccountID: "123456789012"
+AWSRegion: "us-east-1"
+
+Domain: "company.com"
+
+Networking:
+  VpcId: "vpc-123456789abcdefgh"
+  SubnetA: "subnet-123456789abcdefgh"
+  SubnetB: "subnet-abcdefgh123456789"
+  MaxAZs: 2                                     # Default: 2 (Valid inputs are 2 or 3)
+
+EKS:
+  ClusterName: "data-fabric-security-eks-cluster"
+  EKSAdminRole: "arn:aws-us-gov:iam::123456789012:role/aws-service-role/eks.amazonaws.com/EKSAdminRole"
+  EKSEndpointAccess: "PRIVATE"      # Default: "" (Valid inputs are "PUBLIC", "PRIVATE", or "" for both)
+  InstanceType: "m5.large"                 # Default: "m5.large"
+  ClusterSize: 3
+
+Immuta:
+  Deploy: true
+  ChartVersion: "4.13.2"
+  ImmutaVersion: "2023.4.0"
+  ImageTag: "2023.4.0"
+  Instance:
+    Username: "USERNAME"
+    Password: "PASSWORD"
+  Database:
+    ImmutaDBPassword: "SECRET"
+    ImmutaDBSuperUserPassword: "SECRET"
+    ImmutaDBReplicationPassword: "SECRET"
+    ImmutaDBPatroniApiPassword: "SECRET"
+  Query:
+    ImmutaQEPassword: "SECRET"
+    ImmutaQESuperUserPassword: "SECRET"
+    ImmutaQEReplicationPassword: "SECRET"
+    ImmutaQEPatroniApiPassword: "SECRET"
+
+RadiantLogic:
+  Deploy: true
+  ZkImageTag: "3.5.8"
+  FidImageTag: "8.0.0"
+  License: "\\{rlib\\}xXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+  RootPassword: "Password1!"

dfs-solution-install.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+echo "Deploying Data Fabric Security Solution"
+cdk deploy DataFabricStack --require-approval never --no-rollback
+cdk deploy DataFabricStack/data-fabric-security-eks-cluster --require-approval never --no-rollback
+echo "Data Fabric Security Solution deployment completed"

dfs-solution-uninstall.sh

@@ -0,0 +1,6 @@
+echo "Uninstalling Data Fabric Security Solution"
+cdk destroy DataFabricStack/data-fabric-security-eks-cluster --force
+cdk destroy DataFabricStack --force
+echo "Cleaning up packages"
+rm resources/immuta/install.zip resources/immuta/uninstall.zip resources/radiantlogic/install.zip resources/radiantlogic/uninstall.zip
+echo "Uninstall completed"

docs/_deployment_guide.adoc

@@ -0,0 +1 @@
+:type: cdk

docs/deployment_guide/partner_editable/_settings.adoc

@@ -0,0 +1,15 @@
+:partner-solution-project-name: cdk-ps-aws-data-fabric-security
+:partner-solution-github-org: aws-ia
+:partner-product-name: Data Fabric Security
+:partner-product-short-name: DFS
+:partner-company-name: Immuta and Radiant Logic
+:doc-month: May
+:doc-year: 2023
+//:partner-contributors: John Smith, {partner-company-name}
+// :other-contributors: Akua Mansa, Trek10
+:aws-contributors: Jenifer Wang, Solution Acceleration team (DoD)
+:aws-ia-contributors: Troy Ameigh, AWS Integration & Automation team
+:deployment_time: 30 minutes
+//:default_deployment_region: us-east-1
+// :private_repo:
+

docs/deployment_guide/partner_editable/architecture.adoc

@@ -0,0 +1,26 @@
+:xrefstyle: short
+
+Deploying this Partner Solution with default parameters builds the following {partner-product-name} environment in the
+AWS Cloud.
+
+// Replace this example diagram with your own. Follow our wiki guidelines: https://w.amazon.com/bin/view/AWS_Quick_Starts/Process_for_PSAs/#HPrepareyourarchitecturediagram. Upload your source PowerPoint file to the GitHub {deployment name}/docs/images/ directory in its repository.
+
+[#architecture1]
+.Partner Solution architecture for {partner-product-name} on AWS
+image::../docs/deployment_guide/images/data-fabric-security-on-aws-architecture-diagram.png[Architecture]
+
+As shown in <<architecture1>>, this Partner Solution sets up the following:
+
+* An architecture that spans two Availability Zones.*
+* A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
+* In the public subnets, NAT gateways to allow outbound internet access for resources in the private subnets.*
+* Two Classic Load Balancers, one each for the Immuta and RadiantOne services in the private subnets.
+* In the private subnets:
+** Three-node Amazon EKS clusters containing highly-available deployments of Immuta and RadiantOne.
+** Amazon EKS to provide the Kubernetes control plane for the clusters.
+** Endpoints for other AWS services to access the Amazon EKS Kubernetes API server.
+* Amazon CloudWatch to collect, store, access, and monitor logs.
+* Amazon Route 53 for a private hosted zone and resolvers.
+* AWS Lambda to install Immuta and RadiantOne.
+
+[.small]#* You can choose to use an existing VPC during deployment. The existing VPC must include two private subnets in separate Availability Zones.#

docs/deployment_guide/partner_editable/licenses.adoc

@@ -0,0 +1,3 @@
+// Include details about any licenses and how to sign up. Provide links as appropriate.
+
+This deployment requires licenses for Immuta and RadiantOne. For more information, refer to the https://www.immuta.com/[Immuta^] and https://www.radiantlogic.com/[Radiant Logic^] websites, respectively. There is no cost to use this Partner Solution, but you will be billed for any AWS services or resources that this Partner Solution deploys. For more information, refer to the https://fwd.aws/rA69w?[AWS Partner Solution General Information Guide^].

docs/deployment_guide/partner_editable/overview.adoc

@@ -0,0 +1,3 @@
+This guide covers the information you need to deploy the {partner-product-name} Partner Solution in the AWS Cloud.
+
+// For information about using this Partner Solution for migrations, refer to the https://{partner-solution-github-org}.github.io/{partner-solution-project-name}/migration/index.html[Migration Guide^].

docs/deployment_guide/partner_editable/post_deployment.adoc

@@ -0,0 +1,89 @@
+// Include any postdeployment steps here, such as steps necessary to test that the deployment was successful. If there are no postdeployment steps, leave this file empty.
+
+== Postdeployment steps
+
+=== Sign in to RadiantOne
+
+You must connect to RadiantOne from inside the environment (bastion host) or by configuring your local DNS to point the RadiantOne hostname to the RadiantOne load balancer.
+
+. Navigate to one of the following URLs.
++
+* `\http://radiantlogic.example.com:7070`
++
+* `\https://radiantlogic.example.com:7171`
+
+. On the RadiantOne main control panel, enter username `cn=directory manager`.
+. For the password, enter the value of the `RootPassword` parameter in `dev.yaml`. Refer to link:#_deployment_configuration[Deployment configuration], earlier in this guide.
+. Choose *Login*.
+
+
+=== Sign in to Immuta
+. Connect to `\https://immuta.<example.com>`. Replace `<example.com>` with the domain name entered for the `Domain` parameter in `dev.yaml`. Refer to link:#_deployment_configuration[Deployment configuration], earlier in this guide.
+. Enter an email address and password to create a new administrator account.
+. On the *License* page, choose *Add license key*.
+. Enter the Immuta license provided by Immuta.
+. Choose *Save*.
+
+=== Immuta AWS GovCloud region support
+
+Immuta comes with support for standard AWS Regions. Complete the following steps to configure AWS GovCloud support in Immuta.
+
+. In Immuta, choose *App Settings*.
+. Choose *Advanced Settings*.
+. Choose *Advanced Configuration*.
+. Enter the following in the *Advanced Configuration* text box.
++
+[,bash]
+----
+client:
+  awsRegions:
+    - us-gov-east-1
+    - us-gov-west-1
+----
++
+. Choose *Save*
+
+=== Uninstall the Partner Solution
+To uninstall the Partner Solution, complete the following steps.
+
+==== Step 1: Run the Lambda *uninstall* functions for Immuta and RadiantOne
+
+. Sign in to the AWS Management Console and open the https://console.aws.amazon.com/lambda/[AWS Lambda console^].
+. On the *Functions* page, choose the *data-fabric-security-immuta-uninstall* function.
+. On the *Code* tab, choose *Test*.
+. On the *Configure test event* window, enter an event name.
+. Choose *Save*.
+. Choose the *Test* button to run the test.
+. Navigate to the *Functions* page.
+. Choose the *data-fabric-security-radiantlogic-uninstall* function.
+. Repeat steps 3–6.
+
+==== Step 2: Uninstall the deployment stacks
+
+To uninstall the deployment stacks, run the following command.
+[,bash]
+----
+./dfs-solution-uninstall.sh
+----
+
+== Additional resources
+
+=== RadiantOne
+* https://support.radiantlogic.com/hc/en-us[Radiant Logic Help Center^]
+* https://developer.radiantlogic.com/v7.4/architect-guide/getting-started-with-radiantone/[Getting started^]
+* https://developer.radiantlogic.com/global-identity-builder-guide/introduction/[Global identities^]
+* https://developer.radiantlogic.com/global-identity-builder-guide/create-projects/create-project/[Create a global identity project^]
+* https://developer.radiantlogic.com/global-identity-builder-guide/create-projects/create-project/[Add an identity source to a project^]
+* https://developer.radiantlogic.com/global-identity-builder-guide/create-projects/upload/[Upload and sync data sources^]
+* https://developer.radiantlogic.com/global-identity-builder-guide/concepts/#global-identity-viewer[View global identities^]
+
+=== Immuta
+
+* https://documentation.immuta.com/2023.1/[Immuta documentation^]
+* https://documentation.immuta.com/2023.1/2-configure-integration/additional-config/config-builder-guide/#use-existing-identity-access-manager[Configure Identity Manager^]
+* https://documentation.immuta.com/2023.1/4-connecting-data/creating-data-sources/storage-technologies/general/query-backed-tutorial/[Add a data source^]
+* https://documentation.immuta.com/2023.1/3-writing-global-policies-for-compliance/policies-explained/#global-policies-in-immuta[Global policies in Immuta]
+* https://documentation.immuta.com/2023.1/3-writing-global-policies-for-compliance/global-policy-builder/subscription-policy-tutorial/#write-a-global-subscription-policy[Create a global subscription policy^]
+* https://documentation.immuta.com/2023.1/3-writing-global-policies-for-compliance/global-policy-builder/data-policy-tutorial/#write-a-global-data-policy[Create a global data policy]
+* https://documentation.immuta.com/2023.1/4-connecting-data/managing-data-sources/local-policy-builder/#write-a-local-policy[Create a local policy^]
+