AWS setup

Introduction to AWS setup

This document provides instructions for setting up an AWS environment for the Thinkwise Platform.

The Intelligent Application Manager (IAM) database and, optionally, the Software Factory (SF) database are installed in an Amazon Relational Database Service (RDS), whereas the Universal GUI and the Indicium service tier are installed on AWS Elastic Beanstalk.

Prerequisites

Prerequisites for deploying the Software Factory and IAM on AWS RDS are:

• An AWS account. You can create one for free here.
• An AWS base environment that has .NET 8 installed.

AWS infrastructure

note

It is your own organization's responsibility to take adequate security measures for protecting your cloud environment. Thinkwise products have been tested thoroughly, including pen testing, to ensure their security.

• Use AWS RDS for hosting the Software Factory, IAM and the developed application database.
• Use AWS Elastic Beanstalk for hosting Indicium and the Universal GUI or Web GUI.

Example: AWS

Security settings for AWS

note

For general information about setting up security, see Security

Create an AWS RDS environment

To create an AWS RDS environment for the SF and IAM databases:

1. In the AWS Management Console, search for the "RDS" service and click on it to create a new service:

   screenshot: Find service

   

2. Select Create database to create a new database

   screenshot: Create database

   

3. Select Standard create and the Microsoft SQL Server engine type.

   screenshot: Standard create

   

4. Select the required SQL Server edition, for example SQL Server Express Edition, and the latest available version.

   screenshot: Select SQL Server edition

   

5. Fill in the DB instance identifier and the Master username and Master password.

   screenshot: Identifier, user name, password

   

6. Select the required DB instance size.

   screenshot: Instance size

   

7. Select Storage type and fill in the Allocated storage and Autoscaling options*.*

   screenshot: Storage

   

8. Select Create database to create the database. This may take some time.

   screenshots: Create database

   

   

The RDS environment is now ready.

Deploy the Thinkwise IAM database

To deploy the Thinkwise IAM database for end-applications:

1. Download the Thinkwise Installation package from the Thinkwise Community Portal. For more information, see Getting started in the Thinkwise Deployment Center guide.

2. Select Install on the IAM product page.

3. On the tab Deploy > Server Connections, enter the server connection options. You can find the hostname in the AWS console under Connectivity & security - Endpoint. Use the credentials provided when the RDS environment was created.

   screenshot: Credentials in AWS

   

   screenshot: Credentials in in the Thinkwise Deployment Center

   

4. On the tab Deploy > Dependency check, click the Check button.

   screenshot: Dependency check

   

5. On the tab Deploy > Database name, enter the name of the IAM database that you want to create and click Next.

   screenshot: Database name

   

6. On the tab IAM > Review and confirm, click Confirm.

   screenshot: Review and confirm

   

The IAM database will now be created in the RDS environment.

screenshot: Database created

Deploy the Thinkwise Software Factory database (optional)

It is possible to install the Thinkwise Software Factory development environment on AWS.

As the Software Factory also needs an IAM database, first deploy an additional IAM database by following the steps from the previous chapter, and name this database IAM_SF.

Next, deploy the Software Factory database:

1. Select Install on the Software Factory product page.

   screenshot: Install

   

2. On the tab IAM > Server connection, enter the server connection options and click Connect. You can find the hostname in the AWS console under Connectivity & security - Endpoint. Use the credentials provided when the RDS environment was created.

   screenshot: Server connection

   

3. On the tab IAM > Database Selection, select the previously installed IAM database and click Next.

   screenshot: Select a database

   

4. On the tab SF > Server connection, use the same host and RDS credentials as IAM for the Software Factory database and click Connect.

   screenshot: Software Factory credentials

   

5. On the tab SF > Dependency check, click Check.

   screenshot: Dependency check

   

6. On the tab SF > Database name, enter the Software Factory database name and click Next.

   screenshot: Database name

   

7. On the tab Deploy > Review and confirm, click Confirm.

   screenshot: Review and confirm

   

   The SF database will now be created in the RDS environment.

   screenshot: Installation deployed

   

Create an AWS Elastic Beanstalk environment

To create an AWS Elastic Beanstalk environment to host the Thinkwise Universal GUI and Indicium service tier:

1. In the AWS Management Console, search for the "Elastic Beanstalk" service and click on it to create a new service:

   screenshot: Search

   

2. Click Create a new environment.

   screenshot: Create a new environment

   

3. Select Web server environment and click Select.

   screenshot: Select Web server environment

   

4. Enter the Application name.

   screenshot: Application name

   

5. Configure the platform using the following settings:

   screenshot: Configure the platform

   

6. Select Sample application and click Create environment.

   screenshot: Create the environment

   

7. The Elastic Beanstalk environment is created. This may take some time.

   screenshot: Environment created

   

8. When the environment is created, go to the newly made environment and click the URL displayed below the name.

   screenshot: Environment URL

   

9. This will open a new browser tab:

   screenshot: Application running

   

The Elastic Beanstalk environment is now ready.

Deploy the Thinkwise Universal GUI and Indicium service tier

For security reasons (to avoid having to enable Cross-Origin Resource Sharing), the Universal GUI and Indicium service tier will be installed in the same environment.

note

When using Indicium on AWS, encryption keys must be saved in the AWS Secrets Manager. For more information, see: Store encryption keys on AWS.

To install the Thinkwise Universal GUI and Indicium service tier:

1. Download both the Thinkwise Universal GUI and the Indicium service tier from the Thinkwise Community Portal.

2. Copy the downloaded zip files to a new folder, for example ThinkwiseElasticBeanstalk.

   

3. Open Indicium.zip and edit the appsettings.json file. Fill in the Server, Database (IAM), PoolUserName, and PoolPassword properties with the information from the RDS environment.

   Indicium's appsettings.json file

   {
      "Logging": {
         "ApplicationInsights": {
            "LogLevel": {
               "Default": "Information",
               "System": "Information",
               "Microsoft": "Warning",
               "Indicium": "Debug"
            }
         },
         "IncludeScopes": false,
         "LogLevel": {
            "Default": "Information",
            "System": "Information",
            "Microsoft": "Warning",
            "Indicium": "Debug"
         }
      },
      "MetaSourceConnection": {
         "Server": "thinkwisesql.chkw7dln.eu-central-1.rds.amazonaws.com",
         "Database": "IAM_SF",
         "PoolUserName": "admin",
         "PoolPassword": "password"
      }
   }

4. Open Universal.zip and edit the config.json file. Fill in the serviceUrl with the information from the Elastic Beanstalk environment and save the file.

   Universal GUI's config.json file

      {
         "defaultApplication": "",
         "defaultPlatform": 3,
         "loginOptionsDisabled": false,
         "serviceUrl": "https://ThinkwiseElasticBeanstalk-env.ebaadxmu.eu-central-1.elasticbeanstalk.com/indicium/iam/iam"
      }

5. Add a deployment manifest file to the ThinkwiseElasticBeanstalk folder by creating a new text file named: aws-windows-deployment-manifest.json

6. Add the following code to the file:

   Deployment manifest

   {
   "manifestVersion":  1,
   "iisConfig": {
      "appPools": [
         {
         "name": "indicium",
         }
      ]
   },
   "deployments": {
      "aspNetCoreWeb": [
         {
         "name": "indicium",
         "parameters": {
            "appPool": "indicium",
            "appBundle": "indicium.zip",
            "iisPath": "/indicium"
            }
         },
         {
         "name": "universal",
         "parameters": {
            "appBundle": "universal.zip",
            "iisPath": "/"
         },
            "scripts": {
            "postInstall": {
            "file": "SetupScripts/PostInstallSetup.ps1"
            }
         }
         }
      ]
   }
   }

7. Option - If you want to run multiple instances of Indicium or if you want a separate application pool for your Indicium, add the iisConfig with the appPools array to the aws-windows-deployment-manifest.json file. Then, add the name of the appPool to the application:

   Deployment manifest with iisConfig

   {
      "manifestVersion":  1,
      "iisConfig": {
         "appPools": [
            {
               "name": "INDICIUM"
            }
         ]
      },
      "deployments": {
         "aspNetCoreWeb": [
            {
               "name": "indicium",
               "parameters": {
                  "appBundle": "indicium.zip",
                  "iisPath": "/indicium",
                  "appPool": "INDICIUM"
               }
            },
            {
               "name": "universal",
               "parameters": {
                  "appBundle": "universal.zip",
                  "iisPath": "/"
               },
               "scripts": {
                  "postInstall": {
                     "file": "SetupScripts/PostInstallSetup.ps1"
                  }
               }
            }
         ]
      }
   }

8. Create a new folder in the root with the name: SetupScripts

   

9. In this folder, create a new file named PostInstallSetup.ps1 with the following content:

   PostInstallSetup.ps1

   $IisPath = "indicium"
   $ApplicationPoolName = "Indicium"
   
   C:\windows\system32\inetsrv\appcmd.exe stop apppool /apppool.name:"$ApplicationPoolName"
   C:\windows\system32\inetsrv\appcmd.exe set config /section:applicationPools /-"[name='$ApplicationPoolName'].recycling.periodicRestart.schedule"
   c:\windows\system32\inetsrv\appcmd.exe set config /section:applicationPools "/[name='$ApplicationPoolName'].processModel.idleTimeout:0.00:00:00" 
   c:\windows\system32\inetsrv\appcmd.exe set config /section:applicationPools "/[name='$ApplicationPoolName'].processModel.loadUserProfile:True"
   c:\windows\system32\inetsrv\appcmd.exe set config /section:applicationPools "/[name='$ApplicationPoolName'].startMode:AlwaysRunning"
   c:\windows\system32\inetsrv\appcmd.exe set config /section:applicationPools /+"[name='$ApplicationPoolName'].recycling.periodicRestart.schedule.[value='03:00:00']" /commit:apphost
   
   $sharepath = "C:\inetpub\AspNetCoreWebApps\$IisPath"
   $Acl = Get-ACL $SharePath
   $AccessRule= New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\$ApplicationPoolName","full","ContainerInherit,Objectinherit","none","Allow")
   $Acl.AddAccessRule($AccessRule)
   $Acl | Set-Acl $SharePath

10. If you have specified multiple instances of Indicium in step 8, copy the JSON and paste it into the same file, as in the example below. This will set all the read and write rights for Indicium.

PostInstallSetup.ps1 with multiple instances

$IisPath = "indicium"
$ApplicationPoolName = "Indicium"

C:\windows\system32\inetsrv\appcmd.exe stop apppool /apppool.name:"$ApplicationPoolName"
C:\windows\system32\inetsrv\appcmd.exe set config /section:applicationPools /-"[name='$ApplicationPoolName'].recycling.periodicRestart.schedule"
c:\windows\system32\inetsrv\appcmd.exe set config /section:applicationPools "/[name='$ApplicationPoolName'].processModel.idleTimeout:0.00:00:00" 
c:\windows\system32\inetsrv\appcmd.exe set config /section:applicationPools "/[name='$ApplicationPoolName'].processModel.loadUserProfile:True"
c:\windows\system32\inetsrv\appcmd.exe set config /section:applicationPools "/[name='$ApplicationPoolName'].startMode:AlwaysRunning"
c:\windows\system32\inetsrv\appcmd.exe set config /section:applicationPools /+"[name='$ApplicationPoolName'].recycling.periodicRestart.schedule.[value='03:00:00']" /commit:apphost

$sharepath = "C:\inetpub\AspNetCoreWebApps\$IisPath"
$Acl = Get-ACL $SharePath
$AccessRule= New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\$ApplicationPoolName","full","ContainerInherit,Objectinherit","none","Allow")
$Acl.AddAccessRule($AccessRule)
$Acl | Set-Acl $SharePath

$IisPath = "Second_Indicium"
$ApplicationPoolName = "Second_Indicium"

C:\windows\system32\inetsrv\appcmd.exe stop apppool /apppool.name:"$ApplicationPoolName"
C:\windows\system32\inetsrv\appcmd.exe set config /section:applicationPools /-"[name='$ApplicationPoolName'].recycling.periodicRestart.schedule"
c:\windows\system32\inetsrv\appcmd.exe set config /section:applicationPools "/[name='$ApplicationPoolName'].processModel.idleTimeout:0.00:00:00" 
c:\windows\system32\inetsrv\appcmd.exe set config /section:applicationPools "/[name='$ApplicationPoolName'].processModel.loadUserProfile:True"
c:\windows\system32\inetsrv\appcmd.exe set config /section:applicationPools "/[name='$ApplicationPoolName'].startMode:AlwaysRunning"
c:\windows\system32\inetsrv\appcmd.exe set config /section:applicationPools /+"[name='$ApplicationPoolName'].recycling.periodicRestart.schedule.[value='03:00:00']" /commit:apphost

$sharepath = "C:\inetpub\AspNetCoreWebApps\$IisPath"
$Acl = Get-ACL $SharePath
$AccessRule= New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\$ApplicationPoolName","full","ContainerInherit,Objectinherit","none","Allow")
$Acl.AddAccessRule($AccessRule)
$Acl | Set-Acl $SharePath

11. Create a zip file from the contents of the ThinkwiseElasticBeanstalk folder to deploy to Elastic Beanstalk: select all files and select Send to > Compressed (zipped) folder from the context menu.

12. From the AWS Elastic Beanstalk environment, select Upload and deploy

screenshot: Upload and deploy

13. Click Choose file and select the created zip file:

screenshots: Choose file

14. Click Deploy and wait for the deployment to finish:

The Thinkwise Universal GUI and Indicium service tier are now up and running.

screenshot: Universal GUI and Indicium up and running

Log to AWS CloudWatch

Indicium

When running Indicium on AWS, you can log to AWS CloudWatch. This AWS functionality makes it easier to monitor the behavior and performance of your Indicium instance. For example, you can show the logs on your AWS dashboard or create an alarm based on a log pattern.

To enable AWS CloudWatch, add the following code to the appsettings.json configuration file, under the "Logging" section:

   "AWSCloudWatch": {
      "LogGroup": "indicium-tst"
   }

To get access to AWS CloudWatch, your EC2 instance needs to have the following policy attached to it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "logs:DescribeLogGroups",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:<aws-region>:<account-number>:log-group:indicium-tst:*"
        }
    ]
}

In this code fragment, replace indicium-tst with the name of your log group in appsettings.json and specify your account-number and aws-region.

To add the logs to your AWS CloudWatch Dashboard:

1. Open the AWS console.

2. Open the AWS CloudWatch dashboard.

3. Click Add widget.

4. Select Logs table.

5. In Logs Insights, select Log group. This is the name of the log group in appsettings.json.

6. Add the following query to the log to show, for example, the last 20 items:

   fields @timestamp, @message
   | sort @timestamp desc
   | limit 20

7. Click Create widget to show your logs on the dashboard.