Manage the Deployment
To facilitate the installation and update process using the Cloud Development Kit, the platform uses the AWS CodePipeline continuous delivery service. CodePipeline makes deployment and future updates easier by automating many of the deployment steps. For example, a Privitar AWS update involves simply uploading the zip file to a defined S3 location, which then triggers CodePipeline to redeploy the application.
It is also possible to use CodePipeline to roll back a deployment if an error occurs during the deployment. This section describes how to manage the deployment.
CodePipeline Deployment Stages
The following table describes the sequential deployment steps that are executed by CodePipeline. If any of the steps fails to complete, the update halts and rolls back any infrastructure changes. However, any database changes made by applications as part of the update are not rolled back automatically.
Note
When deploying for the first time, a deployment should typically take between 60 and 90 minutes.
| Stage | Description |
|---|---|
1. Source | Triggers the Pipeline when a new platform infrastructure zip file is uploaded to the appropriate S3 bucket location. |
2. Build | Synthesizes the Cloud Development Kit (CDK) application to CloudFormation. This generates several CloudFormation templates, one for each stack that makes up the deployment, including several nested stacks. |
3. UpdatePipeline | If the CodePipeline itself has changed between releases, then the template and its resources (the pipeline) are updated. The primary purpose of this is to add or change CloudFormation parameters or to update the CDK version being used. |
4. Assets | Uploads the CloudFormation templates generated during the Build stage and uploads any binaries (such as the Privitar Glue integration). |
| 5. Pre-deployment | The images that are required for deployment are copied from the platform repository to your repository (CopyEcrimage). If the deployment is an update for Privitar AWS, then a snapshot (CreateDBSnapshot) of the Privitar Policy Manager configuration database is taken. This snapshot is required if the deployment fails and a rollback is needed. An SSO SAML key pair (CreateSSoSamlDefaultKeyPair) is created if you enable it as a stack parameter. |
6. Review | The CodePipeline will pause at the Review section and wait for your input to proceed. Click Review under ManualApproval. Should you wish to inspect the changes that are about to be applied, click the link to the AWS CloudFormation change set. Do not apply the change set or execute the AWS CloudFormation outside of the CodePipeline view. Instead, return to the CodePipeline view. Click Approve when you wish to proceed with the deployment. |
7. Deployment-stack | The CodePipeline executes the CloudFormation change set. This stage rolls out the update to the Examples of changes include: modify existing IAM policies, roll out updated ECR images of platform applications to ECS. |
Rolling Back a Deployment
A manual rollback is required if the deployment has failed to complete during any of the stages outlined in the previous section.
To perform a manual rollback
If CodePipeline reports that the Privitar AWS CloudFormation stack is in one of the following states:
ROLLBACK_FAILED
UPDATE_ROLLBACK_FAILED
To recover from either of these states, upload the Privitar AWS zip file for the version that you want to roll back to and use CodePipeline to roll back to that version. If this also fails, contact Privitar, as manual changes may be needed.
If the CodePipeline reports that the stack is in one of these following states:
ROLLBACK_COMPLETE
UPDATE_COMPLETE
This means that the infrastructure and ECS image versions have already been rolled back automatically, so no further action is required.
To roll back the configuration database to the snapshot created during the Pre-deployment, CreateDBSnapshot stage of the CodePipeline run that is being rolled back, see Restoring from a DB snapshot.
Note that when working through this information:
The RDS instance will be called:
${DeploymentID}-db
The snapshot will be called:
${DeploymentID}-db-pre-update-${date-time}
For example:
privitar-db-pre-update-2021-02-11-11-34
Restart the Privitar Policy Manager and Event Broker ECS containers: stopping the running tasks causes ECS to start them again automatically, and the applications recover.
This can be done from ECS, by selecting Stop All from the ECS Task tab.
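The following script is an added example, not part of the Privitar documentation or tooling. It encodes the rollback decision from the stack states above and the RDS and snapshot naming convention from this note, then (read-only) queries the stack status and checks that the pre-update snapshot exists. STACK_NAME, DEPLOYMENT_ID and SNAPSHOT_TIMESTAMP are assumed placeholders you supply, and the AWS CLI calls run only when PRIVITAR_CHECK_RUN=1 is set; the helper functions can be sourced and used on their own.

```shell
#!/bin/sh
# Added example (not Privitar's own code). Decides the rollback action from the
# CloudFormation stack status and locates the Pre-deployment RDS snapshot.
# Assumed placeholders: STACK_NAME, DEPLOYMENT_ID, SNAPSHOT_TIMESTAMP.
# The aws CLI calls only run when PRIVITAR_CHECK_RUN=1.

# Map a CloudFormation stack status to the action this page prescribes.
rollback_action() {
    case "$1" in
        ROLLBACK_FAILED|UPDATE_ROLLBACK_FAILED)
            # Automatic rollback did not finish: upload the previous version's
            # zip so CodePipeline redeploys it; contact Privitar if that fails too.
            echo "reupload-previous-version" ;;
        ROLLBACK_COMPLETE|UPDATE_COMPLETE)
            # Infrastructure and ECS images are already back; only the
            # configuration database may still need a snapshot restore.
            echo "no-infrastructure-action" ;;
        *_IN_PROGRESS)
            # CloudFormation is still working; do not intervene yet.
            echo "wait" ;;
        *)
            echo "unknown" ;;
    esac
}

# RDS instance name for a deployment: ${DeploymentID}-db
db_instance_name() { printf '%s-db\n' "$1"; }

# Snapshot name created by CreateDBSnapshot:
# ${DeploymentID}-db-pre-update-${date-time}
snapshot_name() { printf '%s-db-pre-update-%s\n' "$1" "$2"; }

# Split a snapshot name back into "deployment-id date-time".
# Returns 1 if the name does not follow the convention.
parse_snapshot_name() {
    case "$1" in
        *-db-pre-update-*)
            dep_id=${1%%-db-pre-update-*}
            dt=${1##*-db-pre-update-}
            printf '%s %s\n' "$dep_id" "$dt" ;;
        *) return 1 ;;
    esac
}

# Read-only check against the account: stack status, then snapshot presence.
main() {
    stack=${STACK_NAME:?set STACK_NAME to the Privitar AWS CloudFormation stack}
    dep=${DEPLOYMENT_ID:?set DEPLOYMENT_ID (the DeploymentID stack parameter)}
    ts=${SNAPSHOT_TIMESTAMP:?set SNAPSHOT_TIMESTAMP, e.g. 2021-02-11-11-34}

    status=$(aws cloudformation describe-stacks --stack-name "$stack" \
        --query 'Stacks[0].StackStatus' --output text)
    echo "stack $stack is $status -> $(rollback_action "$status")"

    snap=$(snapshot_name "$dep" "$ts")
    if aws rds describe-db-snapshots --db-snapshot-identifier "$snap" >/dev/null 2>&1; then
        echo "snapshot $snap exists: restore it per 'Restoring from a DB snapshot',"
        echo "then stop the Policy Manager and Event Broker tasks so ECS restarts them"
    else
        echo "snapshot $snap not found; list candidates with:"
        echo "  aws rds describe-db-snapshots --db-instance-identifier $(db_instance_name "$dep")"
    fi
}

if [ "${PRIVITAR_CHECK_RUN:-0}" = "1" ]; then
    main
fi
```

Run it as `STACK_NAME=... DEPLOYMENT_ID=privitar SNAPSHOT_TIMESTAMP=2021-02-11-11-34 PRIVITAR_CHECK_RUN=1 sh check_rollback.sh`. It never executes a change set, deletes anything or restores a database; it only tells you which branch of the procedure above applies and whether the snapshot you would restore from is actually there.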