Appsuite On-Prem Installation Guide
First time deployment
1. Create AWS Account
Datasert Appsuite runs on AWS and uses the following AWS services. Most of the deployment is automated via IaC; however, there are a couple of manual steps related to the S3 bucket and Route 53, so a basic understanding of those services will help.
We're here to help. If you are unfamiliar with these services or have any questions, please reach out to us and we will be happy to assist with the installation.
2. Decide on the AWS Region
Datasert Appsuite can be deployed in any AWS region where the above services are available. Decide on the region based on where your other services are hosted, proximity to your business users, and the pricing structure.
Some services like AWS Certificate Manager (ACM) require certificates to be created in us-east-1 region irrespective
of where the rest of the solution is deployed.
2. Set up GitHub Repo
Create a private GitHub repo in the customer's org to store the Appsuite operation files, including the GitHub Actions scripts. You
can call it appsuite-ops; any other name is also fine.
Make sure the Datasert support team member can write to the repo, as we will need to modify various installation settings to be able to deploy via GitHub Actions.
Clone the https://github.com/datasert/appsuite-ops repo to a local machine and push all files into the newly created
customer's appsuite-ops repo.
Make sure you use the dev branch for all of these changes until the installation is complete.
3. Deploy appsuite-bootstrap stack
To start the installation, we need IAM Users and Policies to grant required access. We have a CloudFormation template
that creates all these resources. Create a stack named prd-appsuite-bootstrap using the template available in the
appsuite-ops repo.
4. Set up IAM Access Keys for appsuite-deploy-user
Go to the AWS console and create access keys for the user created in the previous step. Add these keys to the GitHub repo
secrets as DEPLOY_AWS_ACCESS_KEY_ID and DEPLOY_AWS_SECRET_ACCESS_KEY.
4. Set up IAM User for downloading packages
- Go to https://github.com/datasert/appsuite-ops and create a new branch.
- Add an IAM user ${EnvName}-appsuite-tenant-user-{CompanyName} and grant it access to read Delivery packages, similar to the other users.
- Deploy the package to prd.
- Create access keys for the prd-appsuite-tenant-user-{CompanyName} user and add these keys to the customer's appsuite-ops GitHub repo secrets as PACKAGE_AWS_ACCESS_KEY_ID and PACKAGE_AWS_SECRET_ACCESS_KEY.
5. Set up the Phase 1 Env Vars
Go to appsuite.env file and set the env vars under Phase 1 section. You can use the information from the Customer
Org.
- This expects that a VPC already exists in the account. If not, create a VPC with at least 2 private and 2 public subnets.
- For ApiDomainCfKeyNew and ApiDomainCfKeyOld, generate a random string of 32 characters for each and set them.
6. Deploy appsuite-core stack
- Go to the GitHub repo and create a PR from the dev branch to main/master.
- Add the label Deploy Core (if the label doesn't exist, create it; make sure the label name is exactly the same).
- The GitHub Action will run and deploy the appsuite-core stack.
6. Delegate the control of the subdomain
The appsuite-core stack creates a hosted zone of the form company.my.datasert.com. Now we need to delegate
control of that subdomain from the parent zone in Datasert's product Route 53.
- Go to https://github.com/datasert/aws-dns and add a delegation resource like the one below. Copy the name servers from the customer's Route 53 hosted zone and make sure you use the correct company name and domain name.
TenantDnsDelegationCompanyName:
  Type: AWS::Route53::RecordSet
  Condition: PrdOnly
  Properties:
    HostedZoneId: !Ref DatasertComHostedZone
    Name: company.my.datasert.com
    Type: NS
    TTL: !FindInMap [EnvMap, !Ref EnvName, dnsTtl]
    ResourceRecords:
      - '{NameServer1}'
      - '{NameServer2}'
      - '{NameServer3}'
      - '{NameServer4}'
- Go to the customer's Route 53 hosted zone and create a test CNAME record test.company.my.datasert.com pointing to www.datasert.com. After a few seconds, run nslookup test.company.my.datasert.com from the command line to verify that it resolves to www.datasert.com. If it resolves, the delegation is successful.
7. Set up the Phase 2 Env Vars
Go to appsuite.env file and set the env vars under Phase 2 section.
7. Deploy appsuite-infra stack
- Go to the GitHub repo and add the Deploy Infra label to the PR created in the previous step (if the label doesn't exist, create it; make sure the label name is exactly the same).
In this stack, we create certificates for the API and UI domains. We use DNS validation, and sometimes ACM validates
automatically using the hosted zone created in the appsuite-core stack. If that doesn't happen, you need to manually add
the CNAME validation records to the hosted zone.
Make sure you check ACM in the us-east-1 region for the API and UI domain certificates.
8. Create the Postgres RDS DB
- We need to create the Postgres RDS DB instance manually. Use the following settings when creating the database.
Create Mode: Standard
Engine type: PostgreSQL
Engine version: Latest Version
Availability and durability: Single AZ
DB Instance Identifier: prd-appsuite-appdb
Master Username: postgres
Credentials management: Self Managed
Master password: <Generate a strong password of 32 chars>
Instance Class: Select one that is appropriate for usage. db.t4g.medium is a good starting point.
Storage type: General Purpose (SSD) GP3
Allocated Storage: 50 GB
Storage autoscaling: Yes
Storage autoscaling Max: 500 GB
Compute resource: Don’t connect to an EC2 compute resource
Virtual private cloud: Select the VPC created for Appsuite
Availability Zone: Same AZ where other resources are created
Initial database name: appdb
- Once the DB is created, set the following secrets in the prd-appsuite-internal Secrets Manager secret.
dbHost
dbPort
dbName
dbSchema
dbAuthType
dbUsername
dbPassword
sfdcOauthClientId
sfdcOauthClientSecret
googleOauthClientId
googleOauthClientSecret
envSecret //Generate a random string of length 32 chars and set it.
cookieSecret //Generate a random string of length 32 chars and set it.
- Log in to the DB instance with any SQL client using the master username and password, and set up the application schema and user.
-- ============================================================================
-- 1. CREATE DATABASE
-- ============================================================================
-- Create the application database
CREATE DATABASE appsuite_appdb;
-- Connect to the new database before continuing (in psql: \c appsuite_appdb).
-- CREATE SCHEMA and the schema grants below apply to the database you are
-- currently connected to, not to the one just created.
-- ============================================================================
-- 2. CREATE SCHEMA
-- ============================================================================
-- Create the application schema
CREATE SCHEMA IF NOT EXISTS appsuite_app;
-- ============================================================================
-- 3. CREATE APPLICATION USER
-- ============================================================================
-- Create the application user with a secure password
-- NOTE: Change the password to a secure value before running this script
CREATE USER appsuite_appuser WITH
    PASSWORD 'CHANGE_THIS_PASSWORD_BEFORE_RUNNING'
    NOSUPERUSER
    NOCREATEDB
    NOCREATEROLE
    NOINHERIT
    LOGIN;
-- ============================================================================
-- 4. REVOKE DEFAULT PERMISSIONS (Security Hardening)
-- ============================================================================
-- Revoke all privileges on the public schema from the public role
REVOKE ALL ON SCHEMA public FROM PUBLIC;
-- Revoke all privileges on the public schema from the app user
REVOKE ALL ON SCHEMA public FROM appsuite_appuser;
-- Revoke the create privilege on the database from public
REVOKE CREATE ON DATABASE appsuite_appdb FROM PUBLIC;
-- ============================================================================
-- 5. GRANT DATABASE AND SCHEMA PERMISSIONS
-- ============================================================================
-- Allow the user to connect to the application database
GRANT CONNECT ON DATABASE appsuite_appdb TO appsuite_appuser;
-- Grant usage on the application schema (required to access the schema)
GRANT USAGE ON SCHEMA appsuite_app TO appsuite_appuser;
-- Grant the create privilege on the schema (allows creating tables, views, etc.)
GRANT CREATE ON SCHEMA appsuite_app TO appsuite_appuser;
-- ============================================================================
-- 6. GRANT PERMISSIONS ON EXISTING OBJECTS
-- ============================================================================
-- Grant all privileges on all existing tables in the schema
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA appsuite_app TO appsuite_appuser;
-- Grant all privileges on all existing sequences in the schema
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA appsuite_app TO appsuite_appuser;
-- Grant all privileges on all existing functions in the schema
GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA appsuite_app TO appsuite_appuser;
-- ============================================================================
-- 7. SET DEFAULT PRIVILEGES FOR FUTURE OBJECTS
-- ============================================================================
-- These defaults cover objects created later by the role running this script
-- (the master user); objects appsuite_appuser creates itself are already owned by it.
-- Grant privileges on future tables created in the schema
ALTER DEFAULT PRIVILEGES IN SCHEMA appsuite_app
    GRANT ALL PRIVILEGES ON TABLES TO appsuite_appuser;
-- Grant privileges on future sequences created in the schema
ALTER DEFAULT PRIVILEGES IN SCHEMA appsuite_app
    GRANT ALL PRIVILEGES ON SEQUENCES TO appsuite_appuser;
-- Grant privileges on future functions created in the schema
ALTER DEFAULT PRIVILEGES IN SCHEMA appsuite_app
    GRANT ALL PRIVILEGES ON FUNCTIONS TO appsuite_appuser;
-- ============================================================================
-- 8. SET DEFAULT SEARCH PATH FOR USER
-- ============================================================================
-- Set the default search path for the user to only include the app schema.
-- This ensures the user works within its designated schema and never resolves
-- unqualified names against the public schema.
ALTER ROLE appsuite_appuser SET search_path = appsuite_app;
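The guide asks for a random 32-character value in several places (ApiDomainCfKeyNew and ApiDomainCfKeyOld in appsuite.env, envSecret and cookieSecret in the prd-appsuite-internal secret) without saying how to produce one. The helper below is an added example, not part of the appsuite-ops repo: it draws the values from the kernel CSPRNG, checks them, and merges envSecret and cookieSecret into the existing Secrets Manager JSON so the db* and OAuth keys set earlier are preserved. It assumes AWS CLI v2 and jq are installed and the deploy credentials are in the environment; the function names and the --apply flag are mine.

```shell
#!/bin/sh
# Added example, not part of the appsuite-ops repo.
# Generates the 32-character random secrets this guide asks for and loads
# envSecret/cookieSecret into the prd-appsuite-internal Secrets Manager secret.

# Emit a random alphanumeric string of the requested length (default 32),
# drawn from the kernel CSPRNG. Output goes to stdout only; nothing is logged.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
}

# Return 0 when the value has exactly the expected length and contains only
# alphanumeric characters, 1 otherwise (catches truncated or pasted values).
check_secret() {
  val="$1"; len="${2:-32}"
  [ "${#val}" -eq "$len" ] || return 1
  case "$val" in *[!A-Za-z0-9]*) return 1 ;; esac
  return 0
}

# Merge fresh envSecret/cookieSecret values into the existing secret JSON so the
# db*, sfdc* and google* keys set earlier are preserved. Assumes AWS CLI v2 and
# jq; jq --arg inserts the values as correctly escaped JSON strings.
rotate_internal_secrets() {
  secret_id="${1:-prd-appsuite-internal}"
  env_secret="$(gen_secret 32)"
  cookie_secret="$(gen_secret 32)"
  check_secret "$env_secret" 32 && check_secret "$cookie_secret" 32 || return 1
  current="$(aws secretsmanager get-secret-value --secret-id "$secret_id" \
               --query SecretString --output text)"
  updated="$(printf '%s' "$current" | jq --arg e "$env_secret" --arg c "$cookie_secret" \
               '. + {envSecret: $e, cookieSecret: $c}')"
  aws secretsmanager put-secret-value --secret-id "$secret_id" \
      --secret-string "$updated" >/dev/null
  echo "updated envSecret and cookieSecret in $secret_id"
}

# Defining the functions has no side effects; only touch AWS when asked to.
# Usage: sh secrets.sh --apply [secret-id]; for appsuite.env values, call gen_secret 32.
if [ "${1:-}" = "--apply" ]; then
  rotate_internal_secrets "${2:-prd-appsuite-internal}"
fi
```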
9. Deploy appsuite-server stack
10. Enable Email Forwarding in appsuite-tenants
Go to appsuite-tenants and grant access to forward email from the customer tenant.
11. Init Tenant
Run the following command with the values substituted to initialize the tenant with an admin user. After that, the admin user can log in and invite other users.
# base64 -w 0 is the GNU form; on macOS use: base64 | tr -d '\n'
aws lambda invoke --region <region> --function-name prd-account-api-Service out \
  --log-type None --output text \
  --payload "$(echo '{"type": "initTenant", "request": {"tenantId": "<tenant id>", "tenantName": "<tenant name>", "firstName": "<admin firstName>", "lastName": "<admin lastName>", "email": "<admin email>"}}' | base64 -w 0)"
# The function's response is written to the file "out"; inspect it for errors.
cat out