AWS GovCloud
Overview
The Sublime GovCloud stack uses Docker images to run AWS Lambda functions, which power the message screenshot detections.
In CloudFormation stacks in regular AWS regions, we publish these Docker images to AWS Elastic Container Registry (ECR) in an AWS account we own, and AWS Lambda pulls these images from there (the same pattern is used for other Sublime services).
In GovCloud, Lambda does not yet support using docker images from another AWS account. We have confirmed this disparity with AWS and are waiting on the expansion of the feature to GovCloud.
To work around this limitation, a few manual steps are required before deploying Sublime in GovCloud.
Deployment failures
GovCloud CloudFormation deployments require the steps listed below to be completed before moving forward with your AWS deployment. If these steps are not completed, the stack will fail to deploy!
Requirements
- AWS credentials for your destination GovCloud AWS account. Permissions for ECR login, creating a repository, and pulling from and pushing to the repository are necessary.
- A terminal with the AWS CLI and docker installed
Steps to Create the Registry
In these steps, we'll assume your credentials for your GovCloud AWS account are in an AWS profile named gov_cloud. These steps could also be done in the AWS console, but we'll do this via the CLI since we'll need these credentials later anyway.
- Confirm credentials
    AWS_PROFILE=gov_cloud aws sts get-caller-identity
  Confirm that the "Arn" in the response includes "aws-us-gov" and your expected account ID. Take note of the account ID for later steps.
- Create both required repositories
    AWS_PROFILE=gov_cloud aws ecr create-repository --repository-name url-defense --region us-gov-west-1
    AWS_PROFILE=gov_cloud aws ecr create-repository --repository-name render-email-html-lambda --region us-gov-west-1
Set Repository Contents
- Log in to both ECR registries (YOUR_GOV_CLOUD_ACCOUNT_ID must be replaced on the first line; the second line logs in to the Sublime managed registry)
    AWS_PROFILE=gov_cloud aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin YOUR_GOV_CLOUD_ACCOUNT_ID.dkr.ecr.us-gov-west-1.amazonaws.com
    AWS_PROFILE=gov_cloud aws ecr get-login-password --region us-gov-west-1 | docker login --username AWS --password-stdin 106524781139.dkr.ecr.us-gov-west-1.amazonaws.com
- Pull the Sublime published Docker images from ECR
  Note: 106524781139 is a Sublime managed account that contains the latest versions of the Docker images. It should not be replaced.
    docker pull 106524781139.dkr.ecr.us-gov-west-1.amazonaws.com/url-defense:latest
    docker pull 106524781139.dkr.ecr.us-gov-west-1.amazonaws.com/render-email-html-lambda:latest
- Retag the images for your ECR repositories (YOUR_GOV_CLOUD_ACCOUNT_ID must be replaced on each line)
    docker tag 106524781139.dkr.ecr.us-gov-west-1.amazonaws.com/url-defense:latest YOUR_GOV_CLOUD_ACCOUNT_ID.dkr.ecr.us-gov-west-1.amazonaws.com/url-defense:latest
    docker tag 106524781139.dkr.ecr.us-gov-west-1.amazonaws.com/render-email-html-lambda:latest YOUR_GOV_CLOUD_ACCOUNT_ID.dkr.ecr.us-gov-west-1.amazonaws.com/render-email-html-lambda:latest
- Push the Docker images to your account (YOUR_GOV_CLOUD_ACCOUNT_ID must be replaced on each line)
    docker push YOUR_GOV_CLOUD_ACCOUNT_ID.dkr.ecr.us-gov-west-1.amazonaws.com/url-defense:latest
    docker push YOUR_GOV_CLOUD_ACCOUNT_ID.dkr.ecr.us-gov-west-1.amazonaws.com/render-email-html-lambda:latest
Note: We may ask you to repeat the "Set Repository Contents" step in the future in order to update these services.
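The registry steps above as a single rerunnable script, added here as an example rather than Sublime's own tooling. It assumes the gov_cloud profile, the us-gov-west-1 region and the two image names from the steps above; it refuses to push unless the caller identity is in the aws-us-gov partition (and, if you set the hypothetical EXPECTED_ACCOUNT_ID variable, matches the account you expect), and it tolerates repositories that already exist so the same script can be rerun when we ask you to refresh the images.

```shell
#!/bin/sh
# Added example (not Sublime's tooling): mirror the two Lambda images from
# Sublime's registry into your GovCloud ECR. Assumes profile gov_cloud, region
# us-gov-west-1 and the image names from the steps above.
set -eu
REGION="us-gov-west-1"
PROFILE="${AWS_PROFILE:-gov_cloud}"
SUBLIME_ACCOUNT="106524781139"   # Sublime-managed source account; do not replace
IMAGES="url-defense render-email-html-lambda"
# Print the account ID from a caller-identity ARN, but only when the ARN is in
# the aws-us-gov partition (the confirmation step above); return 1 otherwise.
gov_account_from_arn() {
  case "$1" in
    arn:aws-us-gov:*) ;;
    *) echo "not a GovCloud ARN: $1" >&2; return 1 ;;
  esac
  id=$(printf '%s' "$1" | cut -d: -f5)   # arn:partition:service:region:account:resource
  case "$id" in ''|*[!0-9]*) echo "bad account id in: $1" >&2; return 1 ;; esac
  [ "${#id}" -eq 12 ] || { echo "bad account id in: $1" >&2; return 1; }
  printf '%s\n' "$id"
}
# ECR registry hostname for an account in the GovCloud region.
ecr_registry() { printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$REGION"; }
# Log in to one registry; ECR tokens are short-lived, so do this on every run.
ecr_login() {
  aws --profile "$PROFILE" ecr get-login-password --region "$REGION" |
    docker login --username AWS --password-stdin "$1"
}
main() {
  arn=$(aws --profile "$PROFILE" sts get-caller-identity --query Arn --output text)
  dest=$(gov_account_from_arn "$arn")
  if [ -n "${EXPECTED_ACCOUNT_ID:-}" ] && [ "$dest" != "$EXPECTED_ACCOUNT_ID" ]; then
    echo "credentials belong to $dest, expected $EXPECTED_ACCOUNT_ID" >&2; exit 1
  fi
  src_reg=$(ecr_registry "$SUBLIME_ACCOUNT"); dest_reg=$(ecr_registry "$dest")
  ecr_login "$src_reg"; ecr_login "$dest_reg"
  for img in $IMAGES; do
    # Create the destination repo only if missing, so reruns for updates succeed.
    aws --profile "$PROFILE" ecr describe-repositories --region "$REGION" \
      --repository-names "$img" >/dev/null 2>&1 ||
      aws --profile "$PROFILE" ecr create-repository --region "$REGION" \
        --repository-name "$img" >/dev/null
    docker pull "$src_reg/$img:latest"
    docker tag "$src_reg/$img:latest" "$dest_reg/$img:latest"
    docker push "$dest_reg/$img:latest"
  done
}
# Mirror only when run as `sh mirror.sh run`; sourcing just loads the helpers.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh mirror.sh run` from a terminal that has the AWS CLI and docker installed; the helper functions alone can be loaded with `. ./mirror.sh` for checking an ARN without touching any registry.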
Once you've completed these steps, you can kick off the AWS CloudFormation setup steps described here! Note that you must complete the above steps before moving forward with your AWS CloudFormation deployment in order to avoid errors and failures.
Updated about 2 months ago