Version: 2023

AWS Deployment

This document provides instructions for installing the Thinkwise Platform on AWS.

The Intelligent Application Manager (IAM) database and, optionally, the Software Factory (SF) database are installed in an Amazon Relational Database Service (RDS), whereas the Universal GUI and the Indicium service tier are installed on AWS Elastic Beanstalk.

Prerequisites

Prerequisites for deploying the SF and IAM on AWS RDS are:

  • An AWS account. You can create one for free here.

Creating an AWS RDS environment

To create an AWS RDS environment for the SF and IAM databases:

  1. In the AWS Management Console, search for the "RDS" service and click on it to create a new service:

  2. Select Create database to create a new database.

  3. Select Standard create and the Microsoft SQL Server engine type.

  4. Select the required SQL Server edition, for example SQL Server Express Edition, and the latest available version.

  5. Fill in the DB instance identifier and the Master username and Master password.

  6. Select the required DB instance size.

  7. Select Storage type and fill in the Allocated storage and Autoscaling options.

  8. Select Create database to create the database. This may take some time.

The RDS environment is now ready.

Deploying the Thinkwise IAM database

To deploy the Thinkwise IAM database for end products:

  1. Download the Thinkwise Installation package from the Thinkwise Community Portal https://tcp.thinkwise.app/web.

  2. Unzip the downloaded Thinkwise package.

  3. Start the Deployer GUI twdeployerGUI.exe.

  4. Select Install on the IAM product page.

  5. Fill in the server connection options. The hostname can be found under Connectivity & security - Endpoint in the AWS console. Use the credentials provided upon creating the RDS environment.

  6. Click Check.

  7. Fill in the name of the IAM database to create and click Next.

  8. Click Confirm.

The IAM database will now be created in the RDS environment.

Deploying the Thinkwise SF database (optional)

The Thinkwise Software Factory development environment can also be installed on AWS, if desired.

As the Software Factory also needs an IAM database, first deploy an additional IAM database by following the steps from the previous chapter, and name this database IAM_SF.

Next, deploy the Software Factory database:

  1. Select Install on the SF (Software Factory) product page.

  2. Fill in the server connection options and click Connect. The hostname can be found under Connectivity & security - Endpoint in the AWS console. Use the credentials provided upon creating the RDS environment.

  3. Select the previously installed IAM database and click Next.

  4. Use the same host and RDS credentials for the SF database and click Connect.

  5. Click Check.

  6. Fill in the Software Factory database name and click Next.

  7. Click Confirm.

The SF database will now be created in the RDS environment.

Creating an AWS Elastic Beanstalk environment

To create an AWS Elastic Beanstalk environment to host the Thinkwise Universal GUI and Indicium service tier:

  1. In the AWS Management Console, search for the "Elastic Beanstalk" service and click on it to create a new service:

  2. Click Create a new environment.

  3. Select Web server environment and click Select.

  4. Fill in the Application name.

  5. Configure the platform using the following settings:

  6. Select Sample application and click Create environment.

  7. The Elastic Beanstalk environment is created. This may take some time.

  8. When the environment is created, go to the newly made environment and click the URL displayed below the name.

  9. This will open a new browser tab:

The Elastic Beanstalk environment is now ready.

Deploying the Thinkwise Universal GUI and Indicium service tier

For security reasons (to avoid having to enable Cross-Origin Resource Sharing), the Universal GUI and Indicium service tier will be installed in the same environment.

Note: When using Indicium on AWS, encryption keys must be saved in the AWS Secrets Manager. For more information, see: Store encryption keys on AWS.

To install the Thinkwise Universal GUI and Indicium service tier:

  1. Download both the Thinkwise Universal GUI and the Indicium (Universal) service tier from the Thinkwise Community Portal https://tcp.thinkwise.app/web.

  2. Copy the downloaded zip files to a new folder, for example ThinkwiseElasticBeanstalk.

  3. Open Indicium.zip and edit the appsettings.json file.

    • Fill in the Server, Database (IAM), PoolUserName, and PoolPassword properties with the information from the RDS environment.
    {
      "Logging": {
        "ApplicationInsights": {
          "LogLevel": {
            "Default": "Information",
            "System": "Information",
            "Microsoft": "Warning",
            "Indicium": "Debug"
          }
        },
        "IncludeScopes": false,
        "LogLevel": {
          "Default": "Information",
          "System": "Information",
          "Microsoft": "Warning",
          "Indicium": "Debug"
        }
      },
      "MetaSourceConnection": {
        "Server": "thinkwisesql.chkw7dln.eu-central-1.rds.amazonaws.com",
        "Database": "IAM_SF",
        "PoolUserName": "admin",
        "PoolPassword": "password"
      }
    }

  4. Open Universal.zip and edit the config.json file. Fill in the serviceUrl with the information from the Elastic Beanstalk environment and save the file.

    {
      "defaultApplication": "",
      "defaultPlatform": 3,
      "loginOptionsDisabled": false,
      "serviceUrl": "https://ThinkwiseElasticBeanstalk-env.ebaadxmu.eu-central-1.elasticbeanstalk.com/indicium/iam/iam"
    }

  5. Add a deployment manifest file to the ThinkwiseElasticBeanstalk folder by creating a new text file named: aws-windows-deployment-manifest.json

  6. Add the following text to the file:

    {
      "manifestVersion": 1,
      "deployments": {
        "aspNetCoreWeb": [
          {
            "name": "indicium",
            "parameters": {
              "appBundle": "indicium.zip",
              "iisPath": "/indicium"
            }
          },
          {
            "name": "universal",
            "parameters": {
              "appBundle": "universal.zip",
              "iisPath": "/"
            },
            "scripts": {
              "postInstall": {
                "file": "SetupScripts/PostInstallSetup.ps1"
              }
            }
          }
        ]
      }
    }

  7. Optional: if you plan to run multiple instances of Indicium, or if you want a separate application pool for Indicium, add the iisConfig section with the appPools array to the aws-windows-deployment-manifest.json file. After that, add the name of the application pool to the application as appPool:

    {
      "manifestVersion": 1,
      "iisConfig": {
        "appPools": [
          {
            "name": "INDICIUM"
          }
        ]
      },
      "deployments": {
        "aspNetCoreWeb": [
          {
            "name": "indicium",
            "parameters": {
              "appBundle": "indicium.zip",
              "iisPath": "/indicium",
              "appPool": "INDICIUM"
            }
          },
          {
            "name": "universal",
            "parameters": {
              "appBundle": "universal.zip",
              "iisPath": "/"
            },
            "scripts": {
              "postInstall": {
                "file": "SetupScripts/PostInstallSetup.ps1"
              }
            }
          }
        ]
      }
    }

  1. Create a new folder in the root with the name: SetupScripts

  2. In this folder, create a new file named PostInstallSetup.ps1 with the following content:

    # Grant the application pool identity full control over the Indicium folder.
    $IisPath = "indicium"
    $ApplicationPoolName = "DefaultAppPool"

    $SharePath = "C:\inetpub\AspNetCoreWebApps\$IisPath"
    $Acl = Get-Acl $SharePath
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\$ApplicationPoolName", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
    $Acl.AddAccessRule($AccessRule)
    $Acl | Set-Acl $SharePath

  3. If you have specified multiple instances of Indicium in step 8, copy the script and paste it into the same file once per instance, as in the example below. This will set all the read and write rights for Indicium.

    # First Indicium instance and its application pool.
    $IisPath = "indicium"
    $ApplicationPoolName = "INDICIUM"

    $SharePath = "C:\inetpub\AspNetCoreWebApps\$IisPath"
    $Acl = Get-Acl $SharePath
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\$ApplicationPoolName", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
    $Acl.AddAccessRule($AccessRule)
    $Acl | Set-Acl $SharePath

    # Second Indicium instance and its application pool.
    $IisPath = "Second_Indicium"
    $ApplicationPoolName = "SECOND_INDICIUM"

    $SharePath = "C:\inetpub\AspNetCoreWebApps\$IisPath"
    $Acl = Get-Acl $SharePath
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\$ApplicationPoolName", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
    $Acl.AddAccessRule($AccessRule)
    $Acl | Set-Acl $SharePath

  1. Create a new folder in the root with the name: .ebextensions

  2. In this folder, create a new file named webserver.config with the following content:

    commands:
      ApplicationPool_CreatePool:
        cwd: "C:\\windows\\system32\\inetsrv"
        command: "appcmd add apppool /name:DefaultAppPool /managedRuntimeVersion:\"v4.0\" /managedPipelineMode:Integrated"
      ApplicationPool_SetIdleTimeoutToZero:
        cwd: "C:\\windows\\system32\\inetsrv"
        command: "appcmd set apppool /apppool.name:DefaultAppPool /.processModel.idleTimeout:0.00:00:00"
      ApplicationPool_SetLoadUserProfileToTrue:
        cwd: "C:\\windows\\system32\\inetsrv"
        command: "appcmd set apppool /apppool.name:DefaultAppPool /.processModel.loadUserProfile:true"
      ApplicationPool_RemoveOldPeriodicRestartSchedules:
        cwd: "C:\\windows\\system32\\inetsrv"
        command: "appcmd set apppool /apppool.name:DefaultAppPool /-recycling.periodicRestart.schedule"
      ApplicationPool_SetRestartSchedule:
        cwd: "C:\\windows\\system32\\inetsrv"
        command: "appcmd set config -section:system.applicationHost/applicationPools /+\"[name='DefaultAppPool'].recycling.periodicRestart.schedule.[value='03:00:00']\" /commit:apphost"
      ApplicationPool_SetStartModeAlwaysRunning:
        cwd: "C:\\windows\\system32\\inetsrv"
        command: "appcmd set apppool /apppool.name:DefaultAppPool /.startMode:AlwaysRunning"

    If you have specified a different application pool in step 8, then replace DefaultAppPool with the name of your application pool. If you have specified multiple application pools, copy all the commands and replace the DefaultAppPool with the name of the added application pool to make them run with the correct application pool name.

  1. Create a zip file of the contents of the ThinkwiseElasticBeanstalk folder to deploy to Elastic Beanstalk. (Select all files and select Send to > Compressed (zipped) folder from the context menu.)

  2. From the AWS Elastic Beanstalk environment, select Upload and deploy.

  3. Click Choose file and select the created zip file:

  4. Click Deploy and wait for the deployment to finish:

The Thinkwise Universal GUI and Indicium service tier are now up and running.
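
For the multiple-application-pool case of webserver.config described above, copying the command block verbatim repeats the same six keys, while YAML mapping keys must be unique. The following Python script is an added example, not part of the Thinkwise documentation: it renders one command set per pool and suffixes each key with the pool name, which keeps every create command ahead of the set commands in the alphabetical order in which Elastic Beanstalk runs commands. The suffix convention and the pool-name check are assumptions of this example.

```python
import re

CWD = r"C:\windows\system32\inetsrv"
# Command keys and appcmd arguments from the webserver.config on this page;
# {pool} stands where DefaultAppPool appeared.
COMMANDS = [
    ("ApplicationPool_CreatePool",
     'appcmd add apppool /name:{pool} /managedRuntimeVersion:"v4.0" '
     "/managedPipelineMode:Integrated"),
    ("ApplicationPool_SetIdleTimeoutToZero",
     "appcmd set apppool /apppool.name:{pool} /.processModel.idleTimeout:0.00:00:00"),
    ("ApplicationPool_SetLoadUserProfileToTrue",
     "appcmd set apppool /apppool.name:{pool} /.processModel.loadUserProfile:true"),
    ("ApplicationPool_RemoveOldPeriodicRestartSchedules",
     "appcmd set apppool /apppool.name:{pool} /-recycling.periodicRestart.schedule"),
    ("ApplicationPool_SetRestartSchedule",
     "appcmd set config -section:system.applicationHost/applicationPools "
     "/+\"[name='{pool}'].recycling.periodicRestart.schedule.[value='03:00:00']\" "
     "/commit:apphost"),
    ("ApplicationPool_SetStartModeAlwaysRunning",
     "appcmd set apppool /apppool.name:{pool} /.startMode:AlwaysRunning"),
]
SAFE_POOL_NAME = re.compile(r"[A-Za-z0-9_]+")  # assumption: plain names only


def yaml_quote(text):
    """Double-quoted YAML scalar: escape backslashes first, then quotes."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_webserver_config(pools):
    """Render one command set per pool under unique, pool-suffixed keys."""
    if len({pool.lower() for pool in pools}) != len(pools):
        raise ValueError("duplicate application pool name")
    lines = ["commands:"]
    for pool in pools:
        # The name is pasted into a command line, so accept plain names only.
        if not SAFE_POOL_NAME.fullmatch(pool):
            raise ValueError(f"unsupported application pool name: {pool!r}")
        for key, template in COMMANDS:
            lines += [f"  {key}_{pool}:",
                      f"    cwd: {yaml_quote(CWD)}",
                      f"    command: {yaml_quote(template.format(pool=pool))}"]
    return "\n".join(lines) + "\n"


def command_keys(config_text):
    """Keys of the commands mapping, in file order."""
    return re.findall(r"^  (\w+):$", config_text, flags=re.MULTILINE)


if __name__ == "__main__":
    print(render_webserver_config(["INDICIUM", "SECOND_INDICIUM"]))
```
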

Logging to AWS CloudWatch

Indicium

When running Indicium on AWS, you can log to AWS CloudWatch. This AWS functionality makes it easier to monitor the behavior and performance of your Indicium instance. For example, you can show the logs on your AWS dashboard or create an alarm based on a log pattern.

To enable AWS CloudWatch, add the following code to the appsettings.json configuration file, under the "Logging" section:

    "AWSCloudWatch": {
      "LogGroup": "indicium-tst"
    }

To get access to AWS CloudWatch, your EC2 instance needs to have the following policy attached to it:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "logs:DescribeLogGroups",
          "Resource": "*"
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogStream",
            "logs:CreateLogGroup",
            "logs:PutLogEvents"
          ],
          "Resource": "arn:aws:logs:<aws-region>:<account-number>:log-group:indicium-tst:*"
        }
      ]
    }

In this code fragment, replace indicium-tst with the name of your log group in appsettings.json and specify your account-number and aws-region.

To add the logs to your AWS CloudWatch Dashboard:

  1. Open the AWS console.

  2. Open the AWS CloudWatch dashboard.

  3. Click Add widget.

  4. Select Logs table.

  5. In Logs Insights, select Log group. This is the name of the log group in appsettings.json.

  6. Add the following query to the log to show, for example, the last 20 items:

    fields @timestamp, @message
    | sort @timestamp desc
    | limit 20
  7. Click Create widget to show your logs on the dashboard.

Use an Amazon S3 bucket as file cache

To use an Amazon Simple Storage Service (Amazon S3) bucket as a file cache for Indicium to store files, you must perform the following actions:

Create an Amazon S3 bucket

To create an Amazon S3 bucket:

  1. Open the AWS console.
  2. Search for 'S3', and select the resulting S3 page.
  3. On this page, click Create bucket.
  4. In the setup page, enter a Name and a Region where the data will be stored.

Block public access

It is strongly recommended to select the Block all public access setting for safety purposes. When creating a bucket, public access is blocked by default, so you can leave this setting as it is:

[Figure: Block all public access setting]

Disable bucket versioning

To ensure the deletion of files will work as expected, you must disable Bucket Versioning in the creation screen of the S3 bucket. Bucket versioning is disabled by default, so you can leave this setting as it is:

[Figure: Bucket versioning settings from the creation tab]

Clear the file cache periodically

To clear the file cache periodically, follow these steps.

We recommend clearing files every seven days to keep the cache clean and the costs low.

Use an S3 bucket as a file cache

To use an S3 bucket as a file cache for Indicium, you first need to create a user with programmatic access. If such a user exists, you can skip this part and continue with Create an ElastiCache Redis cache.

Create a user with programmatic access

To create a user with programmatic access:

  1. In the AWS Management Console, select IAM.

  2. In the menu on the left-hand side, select Users.

  3. Click Add users on the right-hand side. The Add user screen opens.

  4. In this screen, select AWS credential type: Access key - Programmatic access.

  5. If password access is necessary, select Password - AWS Management Console Access.

  6. Click Next.


  7. On the next page, select Create group. A popup dialog opens.

  8. Enter a Group name.

  9. Click Create policy (a new browser tab will open).

  10. Copy the following policy to the JSON tab.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectAttributes",
            "s3:ListBucket",
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::<bucket_name>",
            "arn:aws:s3:::<bucket_name>/*"
          ]
        }
      ]
    }

  11. Replace both occurrences of <bucket_name> with the name of the S3 bucket.

  12. Click Next: Tags and Next: Review.

  13. Provide a policy name.

  14. Click Create policy.

  15. Close the browser tab and return to the Create group browser tab.

  16. Click Refresh.

  17. Select the policy you just created.

  18. Click Create group.


  19. Select the newly created user group.

  20. Click Next.

  21. Optionally, you can add tags.

  22. Click Next.

  23. Click Create User.

  24. This screen displays the Access key ID and Secret Access Key. Add the corresponding values to the appsettings.json configuration file:

    "FileCache": {
      "Type": "AWSS3",
      "AWSRegion": "<Bucket region>",
      "AWSAccessKeyID": "<Access key ID>",
      "AWSSecretAccessKey": "<Secret Access Key>",
      "AWSBucketName": "<Bucket name>"
    }

Now, the S3 bucket is added as a file cache to Indicium.
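
The file-cache policy in step 10 only works, and only stays scoped to one bucket, when both <bucket_name> occurrences are replaced as step 11 says. The following Python check is an added example, not part of the Thinkwise documentation: it audits a filled-in copy of that policy before it is pasted into the console. The function names and the sample bucket name are constructed for this example.

```python
import json
import re

# File-cache policy as given on this page, placeholders included.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectAttributes",
               "s3:ListBucket", "s3:DeleteObject"],
    "Resource": ["arn:aws:s3:::<bucket_name>", "arn:aws:s3:::<bucket_name>/*"]
  }]
}"""
PLACEHOLDER = re.compile(r"<[^<>]+>")


def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_file_cache_policy(policy_json, bucket):
    """Return findings; an empty list means every grant is scoped to `bucket`."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = bucket_arn + "/*"
    findings = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "(no Sid)")
        actions = as_list(stmt["Action"])
        resources = as_list(stmt["Resource"])
        for res in resources:
            if PLACEHOLDER.search(res):
                findings.append(f"{sid}: unreplaced placeholder in {res}")
            elif res not in (bucket_arn, object_arn):
                findings.append(f"{sid}: grant reaches outside the bucket: {res}")
        if any("*" in action for action in actions):
            findings.append(f"{sid}: wildcard action")
        # s3:ListBucket is evaluated against the bucket ARN,
        # the object actions against the <bucket>/* ARN.
        if "s3:ListBucket" in actions and bucket_arn not in resources:
            findings.append(f"{sid}: s3:ListBucket needs {bucket_arn}")
        if set(actions) - {"s3:ListBucket"} and object_arn not in resources:
            findings.append(f"{sid}: object actions need {object_arn}")
    return findings


if __name__ == "__main__":
    bucket = "indicium-filecache-example"  # constructed sample name
    for count in (-1, 1):  # replace every occurrence, then only the first
        filled = POLICY_TEMPLATE.replace("<bucket_name>", bucket, count)
        print(audit_file_cache_policy(filled, bucket))
```
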

Create an ElastiCache Redis cache

To enable proper horizontal scaling, you must create a Redis cache. AWS has its own ElastiCache Redis cache.

  1. In the AWS console, search for 'ElastiCache', and select the resulting page.

  2. Click the Get started button.

  3. Click Create Cluster, and then Create Redis Cluster.

  4. In the next screen, in the Choose a cluster creation method area, click Configure and create new cluster.

  5. In the Cluster mode field, select Disabled.

  6. Enter a name and a description for Cluster info.

  7. In the Location part, in the Location field, select AWS Cloud, and enable Multi-AZ.

  8. In the Cluster settings part, leave the Engine version, Port, and Parameter group values as they are.

  9. In the Node type field, select a size and network speed that works for your usage. You can change these values later.

    To see the difference in pricing, see this page. For Number of replicas, we recommend two for production environments.

  10. In the Subnet group settings page, create a new subnet group and provide a name, optionally a description.

  11. Select the VPC you want to use.

  12. Leave the settings in the Availability Zone placements page as they are.

  13. Click Next. It is not necessary to enable Encryption.

  14. On the Security groups tab, add a security group that will be used by Elastic Beanstalk. If you do not have an Elastic Beanstalk at this time, you can add the security group later.

  15. In the Backup tab, disable the backup. This is not necessary because the data is short-lived.

  16. In the Maintenance tab, select the settings that work for your application. We recommend enabling Auto update minor versions.

  17. Leave the other settings as they are, and click Next.

  18. In this overview screen, check if all settings are correct. If not, change them as required.

  19. Click Create.

The Redis cache is now created.

To use the newly created Redis cache, add the following section to the appsettings.json configuration file, and specify the Primary endpoint.

    "RedisSettings": {
      "ConnectionString": "<Primary endpoint>"
    },
    ...

Now, you can deploy this to EC2 or Elastic Beanstalk.