
AWS Deployment

This document provides instructions for installing the Thinkwise Platform on AWS.

The Intelligent Application Manager (IAM) database and, optionally, the Software Factory (SF) database are installed in an Amazon Relational Database Service (RDS), whereas the Universal GUI and the Indicium service tier are installed on AWS Elastic Beanstalk.

Prerequisites

Prerequisites for deploying the SF and IAM on AWS RDS are:

  • An AWS account. You can create one for free here.

Creating an AWS RDS environment

To create an AWS RDS environment for the SF and IAM databases:

  1. In the AWS Management Console, search for the "RDS" service and click on it to create a new service.

  2. Select Create database to create a new database.

  3. Select Standard create and the Microsoft SQL Server engine type.

  4. Select the required SQL Server edition, for example SQL Server Express Edition, and the latest available version.

  5. Fill in the DB instance identifier and the Master username and Master password.

  6. Select the required DB instance size.

  7. Select Storage type and fill in the Allocated storage and Autoscaling options.

  8. Select Create database to create the database. This may take some time.

The RDS environment is now ready.

Deploying the Thinkwise IAM database

To deploy the Thinkwise IAM database for end products:

  1. Download the Thinkwise Installation package from the Thinkwise Community Portal https://tcp.thinkwise.app/web.

  2. Unzip the downloaded Thinkwise package.

  3. Start the Deployer GUI twdeployerGUI.exe.

  4. Select Install on the IAM product page.

  5. Fill in the server connection options. The hostname can be found under Connectivity & security - Endpoint in the AWS console. Use the credentials provided upon creating the RDS environment.

  6. Click Check.

  7. Fill in the name of the IAM database to create and click Next.

  8. Click Confirm.

The IAM database will now be created in the RDS environment.

Deploying the Thinkwise SF database (optional)

The Thinkwise Software Factory development environment can also be installed on AWS, if desired.

As the Software Factory also needs an IAM database, first deploy an additional IAM database by following the steps from the previous chapter, and name this database IAM_SF.

Next, deploy the Software Factory database:

  1. Select Install on the SF (Software Factory) product page.

  2. Fill in the server connection options and click Connect. The hostname can be found under Connectivity & security - Endpoint in the AWS console. Use the credentials provided upon creating the RDS environment.

  3. Select the previously installed IAM database and click Next.

  4. Use the same host and RDS credentials for the SF database and click Connect.

  5. Click Check.

  6. Fill in the Software Factory database name and click Next.

  7. Click Confirm.

The SF database will now be created in the RDS environment.

Creating an AWS Elastic Beanstalk environment

To create an AWS Elastic Beanstalk environment to host the Thinkwise Universal GUI and Indicium service tier:

  1. In the AWS Management Console, search for the "Elastic Beanstalk" service and click on it to create a new service.

  2. Click Create a new environment.

  3. Select Web server environment and click Select.

  4. Fill in the Application name.

  5. Configure the platform using the following settings:

  6. Select Sample application and click Create environment.

  7. The Elastic Beanstalk environment is created. This may take some time.

  8. When the environment is created, go to the newly made environment and click the URL displayed below the name.

  9. This will open a new browser tab.

The Elastic Beanstalk environment is now ready.

Deploying the Thinkwise Universal GUI and Indicium service tier

For security reasons (to avoid having to enable Cross-Origin Resource Sharing), the Universal GUI and Indicium service tier will be installed in the same environment.

To install the Thinkwise Universal GUI and Indicium service tier:

  1. Download both the Thinkwise Universal GUI and the Indicium (Universal) service tier from the Thinkwise Community Portal https://tcp.thinkwise.app/web.

  2. Copy the downloaded zip files to a new folder, for example ThinkwiseElasticBeanstalk.

  3. Open Indicium.zip and edit the appsettings.json file.

    • Fill in the Server, Database (IAM), PoolUserName, and PoolPassword properties with the information from the RDS environment.
    • Platform and AWSSettings are necessary for storing the key with which the cookies are encrypted (DataProtection key). The key is stored in the Systems Manager in AWS. Set the value for Platform to "AWS". In the AWSSettings, enter the ApplicationName you prefer. Save the file.

    {
      "Logging": {
        "ApplicationInsights": {
          "LogLevel": {
            "Default": "Information",
            "System": "Information",
            "Microsoft": "Warning",
            "Indicium": "Debug"
          }
        },
        "IncludeScopes": false,
        "LogLevel": {
          "Default": "Information",
          "System": "Information",
          "Microsoft": "Warning",
          "Indicium": "Debug"
        }
      },
      "MetaSourceConnection": {
        "Server": "thinkwisesql.chkw7dln.eu-central-1.rds.amazonaws.com",
        "Database": "IAM_SF",
        "PoolUserName": "admin",
        "PoolPassword": "password"
      },
      "Platform": "AWS",
      "AWSSettings": {
        "DataProtection": {
          "ApplicationName": "Indicium"
        }
      }
    }

  1. Since the DataProtection key is stored in the AWS Systems Manager, the Elastic Beanstalk EC2 role needs extra rights to add it there. Open the Configuration tab in the Elastic Beanstalk screen and go to Security. On that page, the IAM Instance Profile field shows the name of the role used for the virtual machine on which Elastic Beanstalk runs. Remember that name or write it down.

caution

The text below is about the IAM that is part of AWS, not Thinkwise's Intelligent Application Manager.

  1. Go to IAM > Roles. Select the Add permissions button. A drop-down list opens. In this list, select Create inline policy. The Permissions policies screen opens.

  1. Go to the JSON tab and replace the provided JSON with this JSON:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Rule_SSM_read_write",
          "Effect": "Allow",
          "Action": [
            "ssm:PutParameter",
            "ssm:GetParametersByPath"
          ],
          "Resource": "*"
        }
      ]
    }

The Resource property can be used to restrict the resources to which this policy applies. It is advised to tighten the security for this policy. To make it more restrictive, change the Resource property to: arn:aws:ssm:{region}:{Elastic Beanstalk account id}:parameter/{dataprotection application name}/IndiciumDataProtection.

  • The {region} placeholder has to be replaced with the region code in which the Elastic Beanstalk is hosted. The region codes can be found here: https://docs.aws.amazon.com/general/latest/gr/elasticbeanstalk.html#elasticbeanstalk_region

  • The {Elastic Beanstalk account id} placeholder has to be replaced with the account ID of the Elastic Beanstalk instance. This ID can be found on the Elastic Beanstalk configuration page. On the right side, the Security category shows the Service role information. The Service Role will start with arn:aws:iam: followed by a twelve-digit code. Use that twelve-digit code in the placeholder.

  • The {dataprotection application name} placeholder has to be replaced with the value of AWSSettings > DataProtection > ApplicationName that is added to the appsettings.json in step 3.

After correcting the Resource property, select Review policy. On this page, enter a name for the policy. Select Create policy.
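
The narrowing described above, as an added example (not part of the Thinkwise documentation or product): it fills the page's ARN template into the page's policy and reports any Allow statement that still has a bare "*" resource. The account ID is a constructed placeholder, and the input validation patterns are assumptions of this example.

```python
import json
import re

# Resource ARN template exactly as given on this page.
ARN_TEMPLATE = "arn:aws:ssm:{region}:{account_id}:parameter/{app_name}/IndiciumDataProtection"

# The inline policy from the page, with its wildcard Resource (the "before").
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Rule_SSM_read_write",
        "Effect": "Allow",
        "Action": ["ssm:PutParameter", "ssm:GetParametersByPath"],
        "Resource": "*",
    }],
}


def scoped_ssm_policy(region, account_id, app_name):
    """Return the page's policy with Resource narrowed to the DataProtection path."""
    if not re.fullmatch(r"[a-z]{2}(-[a-z]+)+-\d", region):
        raise ValueError(f"not a region code: {region!r}")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be the twelve-digit code")
    # Reject '*', '/' and whitespace so the ARN cannot silently widen again.
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", app_name):
        raise ValueError(f"unexpected application name: {app_name!r}")
    policy = json.loads(json.dumps(WILDCARD_POLICY))  # deep copy
    policy["Statement"][0]["Resource"] = ARN_TEMPLATE.format(
        region=region, account_id=account_id, app_name=app_name)
    return policy


def wildcard_statements(policy):
    """Sids of Allow statements whose Resource is a bare '*'."""
    flagged = []
    for stmt in policy["Statement"]:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if stmt.get("Effect") == "Allow" and "*" in resources:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    # Constructed values: placeholder account id, ApplicationName from appsettings.json.
    scoped = scoped_ssm_policy("eu-central-1", "123456789012", "Indicium")
    print(json.dumps(scoped, indent=2), wildcard_statements(scoped))
```

The same `wildcard_statements` check can be run over any other policy attached to the instance role before it is saved.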

  1. Open Universal.zip and edit the config.json file. Fill in the serviceUrl with the information from the Elastic Beanstalk environment and save the file.

    {
      "defaultApplication": "",
      "defaultPlatform": 3,
      "loginOptionsDisabled": false,
      "serviceUrl": "https://ThinkwiseElasticBeanstalk-env.ebaadxmu.eu-central-1.elasticbeanstalk.com/indicium/iam/iam"
    }

  2. Add a deployment manifest file to the ThinkwiseElasticBeanstalk folder by creating a new text file named: aws-windows-deployment-manifest.json

  3. Add the following text to the file:

    {
      "manifestVersion": 1,
      "deployments": {
        "aspNetCoreWeb": [
          {
            "name": "indicium",
            "parameters": {
              "appBundle": "indicium.zip",
              "iisPath": "/indicium"
            }
          },
          {
            "name": "universal",
            "parameters": {
              "appBundle": "universal.zip",
              "iisPath": "/"
            },
            "scripts": {
              "postInstall": {
                "file": "SetupScripts/PostInstallSetup.ps1"
              }
            }
          }
        ]
      }
    }

  4. Optional: if you are planning to run multiple instances of Indicium, or if you want a separate application pool for your Indicium, add iisConfig with the appPools array to the aws-windows-deployment-manifest.json file. Then add the name of the appPool to the application:

    {
      "manifestVersion": 1,
      "iisConfig": {
        "appPools": [
          {
            "name": "INDICIUM"
          }
        ]
      },
      "deployments": {
        "aspNetCoreWeb": [
          {
            "name": "indicium",
            "parameters": {
              "appBundle": "indicium.zip",
              "iisPath": "/indicium",
              "appPool": "INDICIUM"
            }
          },
          {
            "name": "universal",
            "parameters": {
              "appBundle": "universal.zip",
              "iisPath": "/"
            },
            "scripts": {
              "postInstall": {
                "file": "SetupScripts/PostInstallSetup.ps1"
              }
            }
          }
        ]
      }
    }

  1. Create a new folder in the root with the name: SetupScripts

  2. In this folder, create a new file named PostInstallSetup.ps1 with the following content:

    $IisPath = "indicium"
    $ApplicationPoolName = "DefaultAppPool"

    $sharepath = "C:\inetpub\AspNetCoreWebApps\$IisPath"
    $Acl = Get-ACL $SharePath
    $AccessRule= New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\$ApplicationPoolName","full","ContainerInherit,Objectinherit","none","Allow")
    $Acl.AddAccessRule($AccessRule)
    $Acl | Set-Acl $SharePath

  3. If you have specified multiple instances of Indicium in step 8, copy the script and paste it into the same file, as in the example below. This will set all the read and write rights for Indicium.

    $IisPath = "indicium"
    $ApplicationPoolName = "INDICIUM"

    $sharepath = "C:\inetpub\AspNetCoreWebApps\$IisPath"
    $Acl = Get-ACL $SharePath
    $AccessRule= New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\$ApplicationPoolName","full","ContainerInherit,Objectinherit","none","Allow")
    $Acl.AddAccessRule($AccessRule)
    $Acl | Set-Acl $SharePath

    $IisPath = "Second_Indicium"
    $ApplicationPoolName = "SECOND_INDICIUM"

    $sharepath = "C:\inetpub\AspNetCoreWebApps\$IisPath"
    $Acl = Get-ACL $SharePath
    $AccessRule= New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\$ApplicationPoolName","full","ContainerInherit,Objectinherit","none","Allow")
    $Acl.AddAccessRule($AccessRule)
    $Acl | Set-Acl $SharePath

  1. Create a new folder in the root with the name: .ebextensions

  2. In this folder, create a new file named webserver.config with the following content:

    commands:
      ApplicationPool_CreatePool:
        cwd: "C:\\windows\\system32\\inetsrv"
        command: "appcmd add apppool /name:DefaultAppPool /managedRuntimeVersion:\"v4.0\" /managedPipelineMode:Integrated"
      ApplicationPool_SetIdleTimeoutToZero:
        cwd: "C:\\windows\\system32\\inetsrv"
        command: "appcmd set apppool /apppool.name:DefaultAppPool /.processModel.idleTimeout:0.00:00:00"
      ApplicationPool_SetLoadUserProfileToTrue:
        cwd: "C:\\windows\\system32\\inetsrv"
        command: "appcmd set apppool /apppool.name:DefaultAppPool /.processModel.loadUserProfile:true"
      ApplicationPool_RemoveOldPeriodicRestartSchedules:
        cwd: "C:\\windows\\system32\\inetsrv"
        command: "appcmd set apppool /apppool.name:DefaultAppPool /-recycling.periodicRestart.schedule"
      ApplicationPool_SetRestartSchedule:
        cwd: "C:\\windows\\system32\\inetsrv"
        command: "appcmd set config -section:system.applicationHost/applicationPools /+\"[name='DefaultAppPool'].recycling.periodicRestart.schedule.[value='03:00:00']\" /commit:apphost"
      ApplicationPool_SetStartModeAlwaysRunning:
        cwd: "C:\\windows\\system32\\inetsrv"
        command: "appcmd set apppool /apppool.name:DefaultAppPool /.startMode:AlwaysRunning"

    If you have specified a different application pool in step 8, then replace DefaultAppPool with the name of your application pool. If you have specified multiple application pools, copy all the commands and replace the DefaultAppPool with the name of the added application pool to make them run with the correct application pool name.

  1. Create a zip file of the contents of the ThinkwiseElasticBeanstalk folder to deploy to Elastic Beanstalk. (Select all files and select Send to > Compressed (zipped) folder from the context menu.)

  2. From the AWS Elastic Beanstalk environment, select Upload and deploy.

  3. Click Choose file and select the created zip file.

  4. Click Deploy and wait for the deployment to finish.

The Thinkwise Universal GUI and Indicium service tier are now up and running.
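
A pre-upload check of the bundle assembled in the steps above, as an added example (not part of the Thinkwise documentation or tooling): it reads aws-windows-deployment-manifest.json from the zip and confirms that every appBundle, appPool and postInstall script it references is actually present, along with .ebextensions/webserver.config. The function names and the in-memory sample bundle are constructed for this example; treating DefaultAppPool as always present is an assumption.

```python
import io
import json
import zipfile

MANIFEST = "aws-windows-deployment-manifest.json"


def check_bundle(zip_bytes):
    """Return the problems found in an Elastic Beanstalk bundle (empty list = OK)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as bundle:
        # Windows paths are case-insensitive, so compare lower-cased entry names.
        names = {n.replace("\\", "/").lower(): n for n in bundle.namelist()}
        if MANIFEST not in names:
            # Typical cause: the folder itself was zipped instead of its contents.
            return [f"{MANIFEST} is not at the root of the zip"]
        manifest = json.loads(bundle.read(names[MANIFEST]))
    problems = []
    declared = manifest.get("iisConfig", {}).get("appPools", [])
    pools = {"DefaultAppPool"} | {p["name"] for p in declared}  # assumed built-in pool
    for app in manifest["deployments"]["aspNetCoreWeb"]:
        params = app["parameters"]
        if params["appBundle"].lower() not in names:
            problems.append(f"{app['name']}: appBundle {params['appBundle']} not in zip")
        pool = params.get("appPool")
        if pool and pool not in pools:
            problems.append(f"{app['name']}: appPool {pool} not declared in iisConfig")
        script = app.get("scripts", {}).get("postInstall", {}).get("file")
        if script and script.lower() not in names:
            problems.append(f"{app['name']}: postInstall script {script} not in zip")
    if ".ebextensions/webserver.config" not in names:
        problems.append(".ebextensions/webserver.config not in zip")
    return problems


def sample_bundle(files):
    """Build a constructed in-memory zip from {path: content} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, content in files.items():
            z.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed bundle: appPool is referenced but iisConfig is missing.
    app = {"name": "indicium", "parameters": {"appBundle": "indicium.zip", "appPool": "INDICIUM"}}
    manifest = {"manifestVersion": 1, "deployments": {"aspNetCoreWeb": [app]}}
    files = {MANIFEST: json.dumps(manifest), "Indicium.zip": b"",
             ".ebextensions/webserver.config": "commands: {}"}
    print(check_bundle(sample_bundle(files)))
```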

Logging to AWS CloudWatch

Indicium

When running Indicium on AWS, you can log to AWS CloudWatch. This AWS functionality makes it easier to monitor the behavior and performance of your Indicium instance. For example, you can show the logs on your AWS dashboard or create an alarm based on a log pattern.

To enable AWS CloudWatch, add the following code to the appsettings.json configuration file, under the "Logging" section:

    "AWSCloudWatch": {
      "LogGroup": "indicium-tst"
    }

To get access to AWS CloudWatch, your EC2 instance needs to have the following policy attached to it:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "logs:DescribeLogGroups",
          "Resource": "*"
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogStream",
            "logs:CreateLogGroup",
            "logs:PutLogEvents"
          ],
          "Resource": "arn:aws:logs:<aws-region>:<account-number>:log-group:indicium-tst:*"
        }
      ]
    }

In this code fragment, replace indicium-tst with the name of your log group in appsettings.json and specify your account-number and aws-region.

To add the logs to your AWS CloudWatch Dashboard:

  1. Open the AWS console.

  2. Open the AWS CloudWatch dashboard.

  3. Click Add widget.

  4. Select Logs table.

  5. In Logs Insights, select Log group. This is the name of the log group in appsettings.json.

  6. Add the following query to the log to show, for example, the last 20 items:

    fields @timestamp, @message
    | sort @timestamp desc
    | limit 20
  7. Click Create widget to show your logs on the dashboard.