Amazon Web Services (AWS)#

Our default region is us-east-1 (N. Virginia). For large data transfer operations (like backups), use the closest region: for example, us-west-2 (London) for Linode servers in the London datacenter.

Simple Email Service (SES)#

Reference: Setting up Email with Amazon SES

Verify a domain#

  1. Go to SES’ Domains:

    1. Click Verify a New Domain

    2. Enter the domain in Domain:

    3. Check the Generate DKIM Settings box

    4. Click Verify This Domain

  2. Go to GoDaddy’s DNS Management:

    1. Add the TXT and CNAME records. Add the MX record if none exists.

      Note

      SES’ DKIM Record Set is a scrollable table with three records.

      Note

      Omit .open-contracting.org from hostnames. GoDaddy appends it automatically.

    2. Add or update the SPF record

  3. Wait for the domain’s verification status to become “verified” on SES’ Domains

    Note

    AWS will notify you by email. Last time, it took a few minutes.

Reference: Verifying a Domain

Verify an email address#

  1. Check that the domain’s verification status is “verified” on SES’ Domains

  2. If an MX record didn’t exist, go to SES’ Rule Sets:

    1. Click Create a New Rule Set

    2. Click the rule set’s name

    3. Click Create Rule

    4. Click Next Step

    5. Select “S3” from the Add action dropdown

    6. Select “Create S3 bucket” from the S3 bucket dropdown

    7. Enter a bucket name in Bucket Name

    8. Click Create Bucket

    9. Click Next Step

    10. Enter a rule name in Rule Name

    11. Click Next Step

    12. Click Create Rule

    13. Go to SES’ Rule Sets

    14. Check the rule set’s box

    15. Click Set as Active Rule Set

  3. Go to SES’ Email Addresses:

    1. Click Verify a New Email Address

    2. Enter the email address in Email Address:

    3. Click Verify This Email Address

  4. If an MX record didn’t exist, go to S3 (otherwise, check your email):

    1. Click the bucket name

    2. Click the long alphanumeric string (if there is none, double-check the earlier steps)

    3. Click Download

    4. Copy the URL in the downloaded file

    5. Open the URL in a web browser

  5. Check that the email address’s verification status is “verified” on SES’ Email Addresses

  6. If an MX record didn’t exist, cleanup:

    1. Delete the bucket

    2. Disable and delete the rule set

    3. Remove the MX record

Reference: Verifying an Email Address

Create SMTP credentials#

Note

You only need to do this once per AWS region.

  1. Go to SES’ SMTP Settings:

    1. Click Create My SMTP Credentials

    2. Enter a user name in IAM User Name:

    3. Click Create

    4. Click Download Credentials

    5. Click Close

Reference: Getting Your SMTP Credentials

Move out of sandbox#

Note

You only need to do this once per AWS account.

Reference: Moving Out of the Amazon SES Sandbox

Set up MAIL FROM domain#

Note

This optional step improves email deliverability.

Reference: Setting up a custom MAIL FROM domain

Disable account-level suppression list#

Note

This optional step can negatively affect sender reputation.

Reference: Disabling the account-level suppression list

Set up notifications#

  1. Go to SNS’ Topics:

    1. Click Create topic

    2. Set Type to Standard

    3. Enter a hyphenated address in Name (data-open-contracting-org, for example)

    4. Click Create topic

  2. Click Create subscription:

    1. Select “Email” from the Protocol dropdown

    2. Enter an email address in Endpoint

    3. Click Create subscription

  3. Click the email address on SES’ Email Addresses:

    1. Expand Notifications

    2. Click Edit configuration

    3. Select the created topic from the Bounces: dropdown

    4. Check the Include original headers box

    5. Select the created topic from the Complaints: dropdown

    6. Check the Include original headers box

    7. Click Save Config

Reference: Configuring Amazon SNS notifications for Amazon SES

Check DMARC compliance#

Check DMARC compliance, sending the email using SES.

Note

SES adds two DKIM signatures (“The extra DKIM signature, which contains d=amazonses.com, is automatically added by Amazon SES. You can ignore it”). This signature’s domain is not aligned, but according to RFC 7489 (https://tools.ietf.org/html/rfc7489#page-10), “a single email can contain multiple DKIM signatures, and it is considered to be a DMARC ‘pass’ if any DKIM signature is aligned and verifies.”
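The alignment rule quoted above, as an added example (not part of the original page): given a message with both SES signatures, report which d= domains align with the RFC5322.From domain under relaxed or strict alignment. The sample message and selector names are constructed; cryptographic verification of each signature is assumed to happen separately (for example at the receiving MTA), so this checks alignment only.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample carrying the two DKIM-Signature headers the note describes;
# the bh= and b= values are placeholders, not real signatures.
SAMPLE_MESSAGE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=open-contracting.org; s=sel1;
 h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=amazonses.com; s=sel2;
 h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Notifications <noreply@data.open-contracting.org>
To: someone@example.com
Subject: Test

Hello
"""

def dkim_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature header into its tag=value pairs (RFC 6376)."""
    tags = {}
    for part in header_value.replace("\r\n", "").replace("\n", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels; fine for
    .org/.com, but ccTLDs such as .co.uk need a public-suffix list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(signing_domain: str, from_domain: str, strict: bool = False) -> bool:
    """RFC 7489 identifier alignment: strict needs an exact match, relaxed
    (the default) needs the same organizational domain."""
    if strict:
        return signing_domain.lower() == from_domain.lower()
    return organizational_domain(signing_domain) == organizational_domain(from_domain)

def dkim_alignment(raw_message: str, strict: bool = False) -> dict:
    """Sort each DKIM d= domain into aligned/unaligned relative to the From domain.
    DMARC passes on DKIM if at least one aligned signature also verifies."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    result = {"from_domain": from_domain, "aligned": [], "unaligned": []}
    for value in msg.get_all("DKIM-Signature", []):
        d = dkim_tags(value).get("d", "")
        result["aligned" if aligned(d, from_domain, strict) else "unaligned"].append(d)
    return result
```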

Debug delivery issues#

Bounces and complaints are sent to the subscribed address. The relevant properties of the notification message are:

Reference: DNS Blackhole List (DNSBL) FAQs

Relational Database Service (RDS)#

Note

This configuration is for data analysis, where it is acceptable for the data to be lost.

  1. Go to RDS’ Databases

  2. Click Create database

    1. Set Engine type to “PostgreSQL”

    2. Set Version to the latest version

    3. Set Templates to “Free tier”

    4. Check Auto generate a password

    5. Set DB instance class to “db.t3.micro”

    6. Uncheck Enable storage autoscaling

    7. Set Public access to “Yes”

    8. Add “postgresql-anywhere” to “Existing VPC security groups”

    9. Remove “default” from “Existing VPC security groups”

    10. Expand Additional configuration

    11. Uncheck Enable automated backups

    12. Uncheck Enable encryption

    13. Uncheck Turn on Performance Insights

    14. Click Create database

  3. Wait for the database to be created

  4. Click View connection details

Aurora Serverless#

Warning

“You can’t give an Aurora Serverless DB cluster a public IP address.” Instead, you need to use an EC2 instance as a bastion host.

Create a VPC#

  1. Set IPv4 CIDR block to “10.0.0.0/16”

  2. Click Create

Reference: Create a DB instance in the VPC

Create subnets#

  1. Set VPC to the created VPC

  2. Set Availability Zone to any zone

  3. Set IPv4 CIDR block to “10.0.1.0/24”

  4. Click Create

Then:

  1. Set VPC to the created VPC

  2. Set Availability Zone to another zone

  3. Set IPv4 CIDR block to “10.0.2.0/24”

  4. Click Create

Create security group#

  1. Set Security group name to “postgresql-anywhere”

  2. Set Description to “Allows PostgreSQL connections from anywhere”

  3. Click Add rule under Inbound rules

  4. Set Type to “PostgreSQL”

  5. Set Source to “Anywhere”

  6. Click Create security group
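An added example, not from the original page or the project, for auditing the settings chosen in the RDS and security group steps above (public access, unencrypted storage, no automated backups, PostgreSQL open to anywhere) so that any instance configured this way can be confirmed to hold only disposable analysis data. The records are constructed in the shape that boto3's ec2.describe_security_groups and rds.describe_db_instances return; feeding real API output into the same functions is the intended use.

```python
# Sample records in the shape returned by boto3's ec2.describe_security_groups
# and rds.describe_db_instances; all values below are constructed.
POSTGRES_PORT = 5432
ANYWHERE = {"0.0.0.0/0", "::/0"}

SAMPLE_SECURITY_GROUPS = [
    {"GroupName": "postgresql-anywhere", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupName": "postgresql-office", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "analysis", "PubliclyAccessible": True,
     "StorageEncrypted": False, "BackupRetentionPeriod": 0},
    {"DBInstanceIdentifier": "production", "PubliclyAccessible": False,
     "StorageEncrypted": True, "BackupRetentionPeriod": 7},
]

def open_to_world(permission: dict, port: int) -> bool:
    """True if one inbound rule admits `port` from any IPv4 or IPv6 address."""
    if permission.get("IpProtocol") not in ("tcp", "-1"):  # "-1" means all traffic
        return False
    if not permission.get("FromPort", 0) <= port <= permission.get("ToPort", 65535):
        return False
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    return any(cidr in ANYWHERE for cidr in cidrs)

def audit_security_groups(groups: list) -> list:
    """Names of groups that expose PostgreSQL to the whole internet."""
    return [g["GroupName"] for g in groups
            if any(open_to_world(p, POSTGRES_PORT) for p in g.get("IpPermissions", []))]

def audit_db_instances(instances: list) -> dict:
    """Map each instance to the runbook settings that trade durability or
    confidentiality for cost, so they can be checked against what the data needs."""
    findings = {}
    for db in instances:
        issues = []
        if db.get("PubliclyAccessible"):
            issues.append("publicly accessible")
        if not db.get("StorageEncrypted"):
            issues.append("storage not encrypted")
        if db.get("BackupRetentionPeriod", 0) == 0:
            issues.append("automated backups disabled")
        if issues:
            findings[db["DBInstanceIdentifier"]] = issues
    return findings
```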

Create database#

  1. Choose a database creation method: (no changes)

  2. Engine options

    1. Engine type: Amazon Aurora

    2. Edition: Amazon Aurora with PostgreSQL compatibility

    3. Version: Aurora PostgreSQL (compatible with PostgreSQL 10.7)

  3. Database features: Serverless

  4. Settings: (no changes)

  5. Capacity settings

    1. Minimum Aurora capacity unit: 2

    2. Maximum Aurora capacity unit: 2

    3. Expand Additional scaling configuration

    4. Check Pause compute capacity after consecutive minutes of inactivity

    5. Set to 1 hours 0 minutes 0 seconds

  6. Connectivity

    1. Virtual private cloud (VPC): Select the created VPC

    2. Expand Additional connectivity configuration

    3. VPC security group:

      1. Select the created group

      2. Remove the default group

    4. Check Data API

  7. Additional configuration

    1. Initial database name: common

    2. Backup retention period: 1 day

  8. Click Create database

Amazon S3#

Create backup bucket#

  1. Go to Amazon S3 Buckets (https://s3.console.aws.amazon.com/s3/buckets)

  2. Click Create bucket

    1. Enter a Bucket name (ocp-redmine-backup, for example)

    2. Set AWS Region to the nearest region to the server

    3. Click Create bucket

  3. Click the created bucket

  4. Click Management

  5. Click Create lifecycle rule

    1. Lifecycle rule name: delete-after-30-days

    2. Choose a rule scope: Apply to all objects in the bucket

    3. Check I acknowledge that this rule will apply to all objects in the bucket.

    4. Check Expire current versions of objects

    5. Check Delete expired object delete markers or incomplete multipart uploads

    6. Days after object creation: 30

    7. Check Delete incomplete multipart uploads

    8. Number of days: 7

  6. Click Create rule

Identity and Access Management (IAM)#

Create a new IAM backup user and policy#

  1. Go to IAM Policies (https://us-east-1.console.aws.amazon.com/iamv2/home#/policies)

  2. Click Create policy

    1. Click the JSON tab and paste the content below, replacing BUCKET_NAME:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:ListBucket"
                  ],
                  "Resource": [
                      "arn:aws:s3:::BUCKET_NAME"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:PutObject",
                      "s3:GetObject",
                      "s3:DeleteObject"
                  ],
                  "Resource": [
                      "arn:aws:s3:::BUCKET_NAME/*"
                  ]
              }
          ]
      }
      
    2. Click Next: Tags

    3. Click Next: Review

    4. Enter a Name (ocp-redmine-backup, for example)

    5. Click Create policy

  3. Go to IAM Users (https://us-east-1.console.aws.amazon.com/iamv2/home#/users)

  4. Click Add Users

    1. Enter a User name (ocp-redmine-backup, for example)

    2. Check Access key - Programmatic access

    3. Click Next: Permissions

    4. Click Attach existing policies directly

      Note

      Alternatively, create a group, attach the policy to the group, and add the user to the group.

    5. Search for and check the policy above

    6. Click Next: Tags

    7. Click Next: Review

    8. Click Create user

    9. Add the Access key ID and Secret access key to the service’s Pillar file (../develop/update/awscli)
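An added example, not from the original page or the project, that checks what the backup policy above actually grants: it substitutes BUCKET_NAME and runs a minimal IAM-style evaluation (explicit Deny wins, then any matching Allow, else implicit deny; conditions and principals are not modelled). It shows why s3:ListBucket must target the bucket ARN while the object actions target BUCKET_NAME/*, and that nothing is granted on other buckets. The bucket name ocp-redmine-backup is the page's example; the object keys are constructed.

```python
import fnmatch
import json

# The runbook's policy, with BUCKET_NAME still to be substituted.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::BUCKET_NAME"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::BUCKET_NAME/*"]}
  ]
}"""

def load_policy(template: str, bucket_name: str) -> dict:
    """Fill in the bucket name and parse the policy document."""
    return json.loads(template.replace("BUCKET_NAME", bucket_name))

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _matches(patterns, candidate: str) -> bool:
    # IAM treats '*' and '?' as wildcards; fnmatchcase keeps ARN matching case-sensitive.
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal evaluation: explicit Deny wins, then any matching Allow,
    otherwise implicit deny. Action names compare case-insensitively."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(_as_list(stmt.get("Resource", [])), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```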