AWS setup
This document provides instructions for setting up an AWS environment for the Thinkwise Platform.
The Intelligent Application Manager (IAM) database and, optionally, the Software Factory (SF) database are installed in an Amazon Relational Database Service (RDS), whereas the Universal GUI and the Indicium service tier are installed on AWS Elastic Beanstalk.
Prerequisites
Prerequisites for deploying the Software Factory and IAM on AWS RDS are:
- An AWS account. You can create one for free here.
AWS infrastructure
It is your own organization's responsibility to take adequate security measures for protecting your cloud environment. Thinkwise products have been tested thoroughly, including pen testing, to ensure their security.
- Use AWS RDS for hosting the Software Factory, IAM and the developed application database.
- Use AWS Elastic Beanstalk for hosting Indicium and the Universal GUI, Web GUI and/or Mobile GUI.
Example: AWS
Creating an AWS RDS environment
To create an AWS RDS environment for the SF and IAM databases:
In the AWS Management Console, search for the "RDS" service and click on it to create a new service:
Select Create database to create a new database
Select Standard create and the Microsoft SQL Server engine type.
Select the required SQL Server edition, for example SQL Server Express Edition, and the latest available version.
Fill in the DB instance identifier and the Master username and Master password.
Select the required DB instance size.
Select Storage type and fill in the Allocated storage and Autoscaling options.
Select Create database to create the database. This may take some time.
The RDS environment is now ready.
Deploying the Thinkwise IAM database
To deploy the Thinkwise IAM database for end products:
Download the Thinkwise Installation package from the Thinkwise Community Portal https://tcp.thinkwise.app/web.
Unzip the downloaded Thinkwise package.
Start the Deployer GUI
twdeployerGUI.exe.
Select Install on the IAM product page.
Fill in the server connection options. The hostname can be found under Connectivity & security - Endpoint in the AWS console. Use the credentials provided upon creating the RDS environment.
Click Check.
Fill in the name of the IAM database to create and click Next.
Click Confirm
The IAM database will now be created in the RDS environment.
Deploying the Thinkwise SF database (optional)
The Thinkwise Software Factory development environment can also be installed on AWS, if desired.
As the Software Factory also needs an IAM database, first deploy an additional IAM database by following the steps from
the previous chapter, and name this database IAM_SF.
Next, deploy the Software Factory database:
Select Install on the SF (Software Factory) product page.
Fill in the server connection options and click Connect. The hostname can be found under Connectivity & security - Endpoint in the AWS console. Use the credentials provided upon creating the RDS environment.
Select the previously installed IAM database and click Next.
Use the same host and RDS credentials for the SF database and click Connect.
Click Check.
Fill in the Software Factory database name and click Next.
Click Confirm.
The SF database will now be created in the RDS environment.
Creating an AWS Elastic Beanstalk environment
To create an AWS Elastic Beanstalk environment to host the Thinkwise Universal GUI and Indicium service tier:
In the AWS Management Console, search for the "Elastic Beanstalk" service and click on it to create a new service:
Click Create a new environment.
Select Web server environment and click Select.
Fill in the Application name.
Configure the platform using the following settings:
Select Sample application and click Create environment.
The Elastic Beanstalk environment is created. This may take some time.
When the environment is created, go to the newly made environment and click the URL displayed below the name.
This will open a new browser tab:
The Elastic Beanstalk environment is now ready.
Deploying the Thinkwise Universal GUI and Indicium service tier
For security reasons (to avoid having to enable Cross-Origin Resource Sharing), the Universal GUI and Indicium service tier will be installed in the same environment.
When using Indicium on AWS, encryption keys must be saved in the AWS Secrets Manager. For more information, see: Store encryption keys on AWS.
To install the Thinkwise Universal GUI and Indicium service tier:
Download both the Thinkwise Universal GUI and the Indicium (Universal) service tier from the Thinkwise Community Portal https://tcp.thinkwise.app/web.
Copy the downloaded zip files to a new folder, for example ThinkwiseElasticBeanstalk.
Open
Indicium.zipand edit theappsettings.jsonfile.- Fill in the
Server,Database(IAM),PoolUserName, andPoolPasswordproperties with the information from the RDS environment.
{
"Logging": {
"ApplicationInsights": {
"LogLevel": {
"Default": "Information",
"System": "Information",
"Microsoft": "Warning",
"Indicium": "Debug"
}
},
"IncludeScopes": false,
"LogLevel": {
"Default": "Information",
"System": "Information",
"Microsoft": "Warning",
"Indicium": "Debug"
}
},
"MetaSourceConnection": {
"Server": "thinkwisesql.chkw7dln.eu-central-1.rds.amazonaws.com",
"Database": "IAM_SF",
"PoolUserName": "admin",
"PoolPassword": "password"
}
}- Fill in the
Open
Universal.zipand edit theconfig.jsonfile. Fill in theserviceUrlwith the information from the Elastic Beanstalk environment and save the file.{
"defaultApplication": "",
"defaultPlatform": 3,
"loginOptionsDisabled": false,
"serviceUrl": "https://ThinkwiseElasticBeanstalk-env.ebaadxmu.eu-central-1.elasticbeanstalk.com/indicium/iam/iam"
}Add a deployment manifest file to the ThinkwiseElasticBeanstalk folder by creating a new text file named:
aws-windows-deployment-manifest.jsonAdd the following text to the file:
{
"manifestVersion": 1,
"deployments": {
"aspNetCoreWeb": [
{
"name": "indicium",
"parameters": {
"appBundle": "indicium.zip",
"iisPath": "/indicium"
}
},
{
"name": "universal",
"parameters": {
"appBundle": "universal.zip",
"iisPath": "/"
},
"scripts": {
"postInstall": {
"file": "SetupScripts/PostInstallSetup.ps1"
}
}
}
]
}
}Option - If you're planning to run multiple instances of Indicium or if you want a separate application pool for your Indicium, then add the
iisConfigwith theappPoolsarray to theaws-windows-deployment-manifest.jsonfile. After that, add the name of theappPoolto the application:
{
"manifestVersion": 1,
"iisConfig": {
"appPools": [
{
"name": "INDICIUM"
}
]
},
"deployments": {
"aspNetCoreWeb": [
{
"name": "indicium",
"parameters": {
"appBundle": "indicium.zip",
"iisPath": "/indicium",
"appPool": "INDICIUM"
}
},
{
"name": "universal",
"parameters": {
"appBundle": "universal.zip",
"iisPath": "/"
},
"scripts": {
"postInstall": {
"file": "SetupScripts/PostInstallSetup.ps1"
}
}
}
]
}
}
Create a new folder in the root with the name:
SetupScripts
In this folder, create a new file named
PostInstallSetup.ps1with the following content:$IisPath = "indicium"
$ApplicationPoolName = "DefaultAppPool"
$sharepath = "C:\inetpub\AspNetCoreWebApps\$IisPath"
$Acl = Get-ACL $SharePath
$AccessRule= New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\$ApplicationPoolName","full","ContainerInherit,Objectinherit","none","Allow")
$Acl.AddAccessRule($AccessRule)
$Acl | Set-Acl $SharePathIf you have specified multiple instances of Indicium in step 8, copy the JSON and paste it into the same file, as in the example below. This will set all the read and write rights for Indicium.
$IisPath = "indicium"
$ApplicationPoolName = "INDICIUM"
$sharepath = "C:\inetpub\AspNetCoreWebApps\$IisPath"
$Acl = Get-ACL $SharePath
$AccessRule= New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\$ApplicationPoolName","full","ContainerInherit,Objectinherit","none","Allow")
$Acl.AddAccessRule($AccessRule)
$Acl | Set-Acl $SharePath
$IisPath = "Second_Indicium"
$ApplicationPoolName = "SECOND_INDICIUM"
$sharepath = "C:\inetpub\AspNetCoreWebApps\$IisPath"
$Acl = Get-ACL $SharePath
$AccessRule= New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\$ApplicationPoolName","full","ContainerInherit,Objectinherit","none","Allow")
$Acl.AddAccessRule($AccessRule)
$Acl | Set-Acl $SharePath
Create a new folder in the root with the name:
.ebextensions
In this folder, create a new file named
webserver.configwith the following content:commands:
ApplicationPool_CreatePool:
cwd: "C:\\windows\\system32\\inetsrv"
command: "appcmd add apppool /name:DefaultAppPool /managedRuntimeVersion:\"v4.0\" /managedPipelineMode:Integrated"
ApplicationPool_SetIdleTimeoutToZero:
cwd: "C:\\windows\\system32\\inetsrv"
command: "appcmd set apppool /apppool.name:DefaultAppPool /.processModel.idleTimeout:0.00:00:00"
ApplicationPool_SetLoadUserProfileToTrue:
cwd: "C:\\windows\\system32\\inetsrv"
command: "appcmd set apppool /apppool.name:DefaultAppPool /.processModel.loadUserProfile:true"
ApplicationPool_RemoveOldPeriodicRestartSchedules:
cwd: "C:\\windows\\system32\\inetsrv"
command: "appcmd set apppool /apppool.name:DefaultAppPool /-recycling.periodicRestart.schedule"
ApplicationPool_SetRestartSchedule:
cwd: "C:\\windows\\system32\\inetsrv"
command: "appcmd set config -section:system.applicationHost/applicationPools /+\"[name='DefaultAppPool'].recycling.periodicRestart.schedule.[value='03:00:00']\" /commit:apphost"
ApplicationPool_SetStartModeAlwaysRunning:
cwd: "C:\\windows\\system32\\inetsrv"
command: "appcmd set apppool /apppool.name:DefaultAppPool /.startMode:AlwaysRunning"If you have specified a different application pool in step 8, then replace
DefaultAppPoolwith the name of your application pool. If you have specified multiple application pools, copy all the commands and replace theDefaultAppPoolwith the name of the added application pool to make them run with the correct application pool name.
Create a zip file of the contents of the ThinkwiseElasticBeanstalk folder to deploy to Elastic Beanstalk. (Select all files and select Send to > Compressed (zipped) folder from the context menu.)
From the AWS Elastic Beanstalk environment, select Upload and deploy
Click Choose file and select the created zip file:
Click Deploy and wait for the deployment to finish:
The Thinkwise Universal GUI and Indicium service tier are now up and running.
Logging to AWS CloudWatch
IndiciumWhen running Indicium on AWS, you can log to AWS CloudWatch. This AWS functionality makes it easier to monitor the behavior and performance of your Indicium instance. For example, you can show the logs on your AWS dashboard or create an alarm based on a log pattern.
To enable AWS CloudWatch, add the following code to the appsettings.json configuration file, under the "Logging" section:
"AWSCloudWatch": {
"LogGroup": "indicium-tst"
}
To get access to AWS CloudWatch, your EC2 instance needs to have the following policy attached to it:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "logs:DescribeLogGroups",
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:<aws-region>:<account-number>:log-group:indicium-tst:*"
}
]
}
In this code fragment, replace indicium-tst with the name of your log group in appsettings.json and specify your account-number and aws-region.
To add the logs to your AWS CloudWatch Dashboard:
Open the AWS console.
Open the AWS CloudWatch dashboard.
Click Add widget.
Select Logs table.
In Logs Insights, select Log group. This is the name of the log group in
appsettings.json.Add the following query to the log to show, for example, the last 20 items:
fields @timestamp, @message
| sort @timestamp desc
| limit 20Click Create widget to show your logs on the dashboard.
Use an Amazon S3 bucket as file cache
To use an Amazon Simple Storage Service (Amazon S3) bucket as a file cache for Indicium to store files, you must perform the following actions:
- Create an Amazon S3 bucket
- Block public access
- Disable bucket versioning
- Create an ElastiCache Redis cache
Create an Amazon S3 bucket
To create an Amazon S3 bucket:
- Open the AWS console.
- Search for 'S3', and select the resulting S3 page.
- On this page, click Create bucket.
- In the setup page, enter a Name and a Region where the data will be stored.
Block public access
It is strongly recommended to select the Block all public access setting for safety purposes. When creating a bucket, public access is blocked by default, so you can leave this setting as it is:
Block all public access setting
Disable bucket versioning
To ensure the deletion of files will work as expected, you must disable Bucket Versioning in the creation screen of the S3 bucket. Bucket versioning is disabled by default, so you can leave this setting as it is:
Bucket versioning settings from the creation tab
Clear the file cache periodically
To clear the file cache periodically, follow these steps.
We recommend clearing files every seven days to keep the cache clean and the costs low.
Use an S3 bucket as a file cache
To use an S3 bucket as a file cache for Indicium, you first need to create a user with programmatic access. If such a user exists, you can skip this part and continue with Create an ElastiCache Redis cache.
Create a user with programmatic access
To create a user with programmatic access:
In the AWS Management Console, select IAM.
In the menu on the left-hand side, select Users.
Click Add users on the right-hand side. The Add user screen opens.
In this screen, select AWS credential type: Access key - Programmatic access.
If password access is necessary, select Password - AWS Management Console Access.
Click Next.
Add userOn the next page, select Create group. A popup dialog opens.
Enter a Group name.
Click Create policy (a new browser tab will open).
Copy the following policy to the JSON tab.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectAttributes",
"s3:ListBucket",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<bucket_name>",
"arn:aws:s3:::<bucket_name>/*"
]
}
]
}Replace both occurrences of
<bucket_name>with the name of the S3 bucket.Click Next: Tags and Next: Review.
Provide a policy name.
Click Create policy.
Close the browser tab and return to the Create group browser tab.
Click Refresh.
Select the policy you just created.
Click Create group.
Create groupSelect the newly created user group.
Click Next.
Optionally, you can add tags.
Click Next.
Click Create User.
This screen displays the Access key ID and Secret Access Key. Add the corresponding values to the
appsettings.jsonconfiguration file:
"FileCache": {
"Type": "AWSS3",
"AWSRegion": "<Bucket region>",
"AWSAccessKeyID": "<Access key ID>",
"AWSSecretAccessKey": "<Secret Access Key>",
"AWSBucketName": "<Bucket name>"
}
Now, the S3 bucket is added as a file cache to Indicium.