RHEDcloud for AWS Launch Accelerator and Knowledge Transfer Engagement (Provider Surge)

Provider: Surge (http://www.surgeforward.com)

Contacts: Abby Gordon (agordon@surgeforward.com), Marc Nuar (mnuar@surgeforward.com)


This engagement is designed to accelerate the launch of RHEDcloud for AWS by bringing in several RHEDcloud and DevOps experts to set up RHEDcloud for AWS and show your team how everything works as they go. After this engagement the implementation site should have four working environments of RHEDcloud for AWS that are integrated with the RHEDcloud project infrastructure and several of the site's own enterprise systems. The specific goals of the engagement are to:


  1. Set up an AWS administration account with all Beanstalk environments, RDS, Amazon MQ, account series master accounts, and other infrastructure (60 hours):

    1. The following are required:

      1. RHEDcloud AWS Account Service (Account Metadata Repository and Provisioning)

      2. RHEDcloud Console for AWS (Account, VPC, Service, Network, Provisioning, and Notification Management)

      3. RHEDcloud Landing Page for AWS (Launch page with links into the AWS Console, RHEDcloud Console, Service Request System, AWS Service Inventory and Risk Assessments, etc.)

      4. Security Risk Detection Service (Security Overwatch deployed with any or all of the existing detectors developed by the RHEDcloud project)

      5. E-mail Address Validation Service (E-mail Address Validation for Addresses used with Cloud Accounts)

      6. Temporary Key Issuance (TKI) Service (Accelerates and Simplifies User Access without Long-lived Credentials)

      7. IDM Service (Exposes Roles and Role Assignments/Memberships to the Other Services listed here---presently implemented for NetIQ, with implementations for Grouper and others in progress)

      8. Directory Service (Exposes an organization’s person search features to the other services listed here)

      9. Financial Account System Service (Exposes financial account system numbers to the rest of these applications and services for validation)

    2. The following are optional and require 20 more hours added to this engagement if the site chooses to deploy them (depending on what the site is doing and what network, firewall, and other infrastructure they have):

      1. Network Operations Service (Network Automation for Site-to-Site VPN and Static NAT)

      2. Cisco ASR Service (Router-level automation for Site-to-Site VPN and Static NAT---presently implemented for Cisco ASR routers using Netconf/Yang, but could be extended to other equipment and standards)

      3. Elastic IP Service (Orchestrates On-Prem Static NAT for the Cloud)

      4. Firewall Service (Exposes On-prem and Cloud-based Firewall rules for VPCs---presently implemented for Palo Alto firewalls, but could be extended to others)

  2. Implement deploy-only Bitbucket pipelines in the implementation site's own Bitbucket account so the site can deploy DEV and PROD environments that pull from the master RHEDcloud repositories, including SAML 2.0 SSO integration (40 hours)

    1. Required deploy-only repos and pipelines

      1. RHEDcloud AWS Account Service

      2. RHEDcloud Console for AWS

      3. RHEDcloud Landing Page for AWS

      4. RHEDcloud Security Risk Detection Service

      5. RHEDcloud Email Address Validation Service

      6. RHEDcloud TKI Service

      7. RHEDcloud TKI Client

      8. RHEDcloud IDM Service

      9. RHEDcloud Directory Service

      10. RHEDcloud Account CloudFormation Templates

      11. RHEDcloud Type 1 VPC Template

      12. RHEDcloud Standard Service Control Policies

      13. Financial Account Service

    2. Optional repos and pipelines (depending on what the site is doing and what network, firewall, and other infrastructure they have)

      1. RHEDcloud Network Operations Service

      2. RHEDcloud Cisco ASR Service

      3. RHEDcloud Firewall Service

      4. RHEDcloud Elastic IP Service

  3. Perform training and knowledge transfer on RHEDcloud account series, pipelines, and environment administration (80 hours)

    1. Demonstrate the purpose and function of all of the RHEDcloud for AWS middleware and serverless infrastructure

    2. Demonstrate the purpose and function of RHEDcloud AWS master accounts and account series

  4. Implement initial release of custom data providers for IDM, directory, and financial account number validation web services (approximately 140 hours, depends on directory, IDM, and financial system complexity)

    1. Unless the implementing site uses Grouper or NetIQ, a new data provider must be implemented to expose the site's roles and role assignments or role memberships to the rest of these services. Any IDM solution that has an API, database, or directory store can be plugged into this IDM web service.

    2. Almost every implementing site will have a directory, which needs to be exposed to these applications as a web service. In some cases sites will have multiple directories---like for Emory University and Emory Healthcare---that need to appear as one directory. The directory service web service sits on top of an LDAP or other directory mechanism and exposes person search to the rest of these components.

    3. An organization's financial system or general ledger is authoritative for the financial account numbers that can be associated with AWS Accounts. The Financial System Service exposes a service operation to validate whether the account number associated with an AWS Account is valid. A new data provider must be implemented at each site. The RHEDcloud project has already implemented one for PeopleSoft Financials, but because financial account number formats are site-specific, this validation query will likely need to be implemented anew at every site.

  5. Project management, coordination, and scheduling (20 hours)


Total hours: 340

Approximate Cost: $37,400


Additional optional services such as the Network Operations Service, Cisco ASR Service, and others can be deployed with training and knowledge transfer for approximately 20 hours per service. Note that the engagement does not cover comprehensive integration testing or production readiness, although other services are available for executing and training on the RHEDcloud automated test suite. The engagement also does not cover implementing the billing integration, but such a service is anticipated once RHEDcloud publishes detailed materials on its implementation.


The implementation site pays for cloud resources used during the engagement and provides its own technical staff to participate in knowledge transfer, as well as subject matter experts for IDM, directory, and financial system analysis.