RHEDcloud for AWS Launch Accelerator and Knowledge Transfer Engagement (Provider Surge)
Provider: Surge (http://www.surgeforward.com)
Contacts: Abby Gordon (agordon@surgeforward.com), Marc Nuar (mnuar@surgeforward.com)
This engagement is designed to accelerate the RHEDcloud for AWS launch by bringing in several RHEDcloud and DevOps experts to set up RHEDcloud for AWS and show your team how everything works as they go. After this engagement the implementation site should have four working environments of RHEDcloud for AWS that are integrated with the RHEDcloud project infrastructure and with several of the site’s own enterprise systems. The specific goals of the engagement are to:
Set up an AWS administration account with all Elastic Beanstalk environments, RDS, Amazon MQ, account series master accounts, and other infrastructure (60 hours):
The following are required:
RHEDcloud AWS Account Service (Account Metadata Repository and Provisioning)
RHEDcloud Console for AWS (Account, VPC, Service, Network, Provisioning, and Notification Management)
RHEDcloud Landing Page for AWS (Launch page with links into the AWS Console, RHEDcloud Console, Service Request System, AWS Service Inventory and Risk Assessments, etc.)
Security Risk Detection Service (Security Overwatch deployed with any or all of the existing detectors developed by the RHEDcloud project)
E-mail Address Validation Service (E-mail Address Validation for Addresses used with Cloud Accounts)
Temporary Key Issuance (TKI) Service (Accelerates and Simplifies User Access without Long-lived Credentials)
IDM Service (Exposes Roles and Role Assignments/Memberships to the Other Services listed here---presently implemented for NetIQ, with implementations for Grouper and others in progress)
Directory Service (Exposes an organization’s person search features to the other services listed here)
Financial Account System Service (Exposes financial account system numbers to the rest of these applications and services for validation)
The following are optional; if the site chooses to deploy them, 20 more hours are added to this engagement (depending on what the site is doing and what network, firewall, and other infrastructure it has):
Network Operations Service (Network Automation for Site-to-Site VPN and Static NAT)
Cisco ASR Service (Router-level automation for Site-to-Site VPN and Static NAT---presently implemented for Cisco ASR routers using Netconf/Yang, but could be extended to other equipment and standards)
Elastic IP Service (Orchestrates On-Prem Static NAT for the Cloud)
Firewall Service (Exposes On-prem and Cloud-based Firewall rules for VPCs---presently implemented for Palo Alto firewalls, but could be extended to others)
Implement deploy-only Bitbucket pipelines, in the implementation site’s own Bitbucket account, that pull from the master RHEDcloud repositories to deploy the site’s DEV and PROD environments, including SAML 2.0 SSO integration (40 hours)
Required deploy-only repos and pipelines
RHEDcloud AWS Account Service
RHEDcloud Console for AWS
RHEDcloud Landing Page for AWS
RHEDcloud Security Risk Detection Service
RHEDcloud Email Address Validation Service
RHEDcloud TKI Service
RHEDcloud TKI Client
RHEDcloud IDM Service
RHEDcloud Directory Service
RHEDcloud Account CloudFormation Templates
RHEDcloud Type 1 VPC Template
RHEDcloud Standard Service Control Policies
Financial Account Service
Optional repos and pipelines (depending on what the site is doing and what network, firewall, and other infrastructure they have)
RHEDcloud Network Operations Service
RHEDcloud Cisco ASR Service
RHEDcloud Firewall Service
RHEDcloud Elastic IP Service
Perform training and knowledge transfer on RHEDcloud account series, pipelines, and environment administration (80 hours)
Demonstrate the purpose and function of all of the RHEDcloud for AWS middleware and serverless infrastructure
Demonstrate the purpose and function of RHEDcloud AWS master accounts and account series
Implement the initial release of custom data providers for the IDM, directory, and financial account number validation web services (approximately 140 hours; depends on the complexity of the site’s directory, IDM, and financial systems)
Unless the implementing site uses Grouper or NetIQ, a new data provider must be implemented to expose the site’s roles and role assignments or role memberships to the rest of these services. Any IDM solution that has an API, database, or directory store can be plugged into this IDM web service.
Almost every implementing site will have a directory that needs to be exposed to these applications as a web service. In some cases a site has multiple directories---as Emory University and Emory Healthcare do---that need to appear as one directory. The Directory Service web service sits on top of LDAP or another directory mechanism and exposes person search to the rest of these components.
An organization’s financial system or general ledger is authoritative for the financial account numbers that can be associated with AWS accounts. The Financial Account System Service exposes a service operation that validates whether the account number associated with an AWS account is valid. A new data provider must be implemented at each site: the RHEDcloud project has already implemented one for PeopleSoft Financials, but financial system account numbers are site-specific, so this validation query will need site-specific implementation almost everywhere.
Project management, coordination, and scheduling (20 hours)
Total hours: 340
Approximate Cost: $37,400
Additional optional services such as the Network Operations Service, Cisco ASR Service, and others can be deployed with training and knowledge transfer for approximately 20 hours per service. Note that the engagement does not cover comprehensive integration testing or production readiness, although other services are available for executing and training on the RHEDcloud automated test suite. The engagement also does not cover implementing the billing integration, but such a service is anticipated once RHEDcloud publishes detailed materials on its implementation.
The implementation site pays for cloud resources used during the engagement, provides its own technical staff to participate in knowledge transfer, and provides subject matter experts for IDM, directory, and financial system analysis.