/
Key decisions (for Cloud Automation)

Key decisions (for Cloud Automation)

This is an evolving initiative. This document holds our rough notes on principles and preferences on Cloud Automation strategy. Contact @Nouman Memon for details. Or ping us on Slack.

Infra As Code

Recomendation: Terraform āœ… Qualities: šŸ”˜ Provisioning (Docker is taking care of configuration management already) šŸ”˜ Cloud Agnostic / support šŸ”˜ Immutable infrastructure šŸ”˜ Declarative language šŸ”˜ Client-only architecture (Masterless, Agentless) šŸ”˜ Large communitiy support šŸ”° Options ā†’ Terraform āœ… ā†’ CloudFormation ā†’ Ansible

Identity Provider

Recomendation: Keycloak āœ… Qualities: šŸ”˜ Multi-tenancy support šŸ”˜ Cost šŸ”˜ Flexible šŸ”° Options (starting with AWS) ā†’ Keycloak āœ… + Better Multi tenant support as compared to Cognito + Cloud Agnostic + Better MFA + Flexible + OpenSource + Community capibilities - Complex setup (we could still use it as AWS service) ā†’ AWS Cognito + Free 50K identity + Better integration with STS, Lambdas for events etc + Fully managed - Not much Flexible - Limitation on 1000 user pool per AWS account (hard for SaaS model) - LImitation in MFA (supports SMS) - AWS only - Cant scale for Multi-tenant ā†’ Ory (Hydra + Kratos) + Open source + Mature documenation and easy to setup - Setting up IDP integrated (OAuth + Identity) is difficult and limited - Have SaaS option (beta + bit pricy)

Container Management

Recomendation: EKS (EC2) āœ… Qualities: šŸ”˜ Portability šŸ”˜ Simple šŸ”˜ Flexible šŸ”˜ Future proof šŸ”˜ Cost šŸ”° Options (starting with AWS) ā†’ EKS (EC2) āœ… - with minikube for dev + Portable: Cloud agnostic platform investment (almost) + Flexibility + Future proof + High Abstraction: better expererience for development - Complex (needs experience) - Need configuration for integrating with AWS services (not complex though) - Might be a bit expensive (need to validate) e.g. control plane is not free (API server and etcd) ā†’ ECS (FARGATE) + Initial setup is very simple + Free control plane + Built in integration with AWS services - AWS only - Limiting for complex SaaS setup - Abstraction: Coupling with AWS services due to its out-of-box integration

Docker Registry

  • Create BahmniIndia account on dockerhub

  • Keep bahmni space on dockerhub for global

AWS Services

Qualities šŸ”˜ Cost and ability to optimise šŸ”˜ OpenSoruce (Community support and contributions) šŸ”˜ Cloud provider agnostic šŸ”˜ Flexibility Services options ā­•ļø RDS (managed) vs self managed on EC2 via EKS ā­•ļø CloudWatch (managed) vs EFK stack (same or seperate EKS cluster) for centralise logging ā­•ļø FARGATE vs EC2 for EKS

Ā 

Helm Charts

Qualities šŸ”˜ reduces the complexity of deploying microservices šŸ”˜ simplifies deployment scripts and files (all defined in YAML) šŸ”˜ improves the productivity of the deployments and rollback šŸ”˜ provides a way of versioning the Kubernetes resources as a single unit. šŸ”° Options: - Can use configmaps

Ā 

Kubernetes Packaging Structure

šŸ”° Options: ā­•ļø Helm with Umbrella Charts Directory Structure: --- bahmni (openmrs-module-bahmniapps repo) - package - docker - Dockerfile - .... - helm -- Chart.yaml --> holds the chart definition -- values.yaml --> default values, secret ref - templates -- deployment -- service --- openmrs (openmrs-module-bahmni-distro repo) - package - docker - Dockerfile - ... - helm -- Chart.yaml --> holds the chart definition -- values.yaml --> default values, secret ref - templates -- deployment -- service --- package (bahmni-k8s repo) - Chart.yaml - clinic - dev.yaml - qa.yaml - demo.yaml - prod.yaml - hospital - dev.yaml - qa.yaml - demo.yaml - prod.yaml

CI/CD tools

tfsec: tfsec uses static analysis of your terraform code to spot potential misconfigurations. Its is an ADOPT in TW tech Radar. https://www.thoughtworks.com/en-gb/radar/tools/tfsec šŸ”˜ tfsec uses static analysis of your terraform code to spot potential misconfigurations. šŸ”˜ Checks for misconfigurations across all major (and some minor) cloud providers šŸ”˜ Hundreds of built-in rules šŸ”˜ Scans modules (local and remote) šŸ”˜ Evaluates HCL expressions as well as literal values šŸ”˜ Evaluates Terraform functions e.g. concat() šŸ”˜ Evaluates relationships between Terraform resources šŸ”˜ Compatible with the Terraform CDK šŸ”˜ Applies (and embellishes) user-defined Rego policies šŸ”˜ Supports multiple output formats: CLI, JSON, SARIF, CSV, CheckStyle, and JUnit. šŸ”˜ Configurable (via CLI flags and/or config file) šŸ”˜ Very fast, capable of quickly scanning huge repositories šŸ”˜ Plugins for popular IDEs available (JetBrains, VSCode and Vim) šŸ”˜ Community-driven Since, it is a recommended tool from TW and also widely used in projects we will be going ahead with tfsec. šŸ”° Options ā†’ tfsec āœ… ā†’ checkov

Ā 

Monitoring and Alerting

Recommendation: Prometheus & Grafana āœ… šŸ”° Options šŸ”˜ Prometheus & Grafana āœ… - Portable: Cloud agnostic tools Can run on cloud(k8s), also with docker-compose - Most widely used tool for monitoring & alerting ā­•ļø Setup Methods: ā†’ In the same cluster under a separate namespace āœ… Pros: - Low cost and simple setup - Lesser configuration definitions needed Cons: - Monitoring would be unreachable if the node/cluster goes down ā†’ In a different cluster Pros: - Monitoring will always be available for the application cluster since hosted in a separate cluster. Cons: - Increased cost and management overhead - Cluster intercommunication needs to be setup ā­•ļø Pipeline Setup: - A separate workflow for deploying monitoring stack. ā­•ļø User Management for Grafana: - Use Github Oauth Integration and restrict access to members of Bahmni / BahmniIndiaDistro Oraganisation ā­•ļø Metrics: - To be discussed ā­•ļø Alerts: - To be discussed šŸ”˜ Cloudwatch - Specific to AWS - Could not support local installations

Topics to be discussed

  • Secrets manager

  • Monitoring and Alerting (Prometheus-Grafana)

Ā 

The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)