From 85e743ef316a6e081b0044eff5d4c0bdb3cec478 Mon Sep 17 00:00:00 2001 From: dwara001 Date: Tue, 14 Apr 2026 08:58:41 -0400 Subject: [PATCH 01/10] change order of add to organization --- aws/documentation/account-setup/README.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/aws/documentation/account-setup/README.md b/aws/documentation/account-setup/README.md index 4a951be9..6a492608 100644 --- a/aws/documentation/account-setup/README.md +++ b/aws/documentation/account-setup/README.md @@ -63,16 +63,16 @@ before continuing. - PR 3. [Execute apply](#execute-terraform-code) in master payer to create both EW, GovCloud accounts - PR -4. With new EW account +4. Add Gov account to [organizations](add-to-org.md) (**NEW ORDER**) + - PR +5. Create [bootstrap](#create-bootstrap-access-keys) + 1. [EW](#bootstrap-ew-account) + 2. [GovCloud](#bootstrap-govcloud-account) +6. With new EW account 1. [Setup credentials entry and new password](#1-setup-credentials-entry-and-new-password) 2. [Reset password from shared mailbox](#2-reset-password-from-shared-mailbox) 3. [Create MFA for root account and record in location XXX](#4-create-mfa-for-root-account-and-record-in-location-xxx) - PR -5. Create [bootstrap](#create-bootstrap-access-keys) - 1. [EW](#bootstrap-ew-account) - 2. [GovCloud](#bootstrap-govcloud-account) -6. Add Gov account to [organizations](add-to-org.md) (**NEW ORDER**) - - PR 7. [Baseline EW account](https://github.e.it.census.gov/terraform/support/tree/master/docs/how-to/account-provisioning) - PR 8. [Baseline Gov account](https://github.e.it.census.gov/terraform/support/tree/master/docs/how-to/account-provisioning) @@ -572,3 +572,5 @@ Once you have created the GovCloud account, there are a couple more steps to add * 1.0.36 -- 2024-04-29 - add flowchart +* 1.0.37 -- 2026-04-14 + - change order of add to organization From 1fda2c479b67b0dd2fd58edb8190e1efbe3d8f07 Mon Sep 17 00:00:00 2001 
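Review bot: the `(**NEW ORDER**)` flag on the new line `+4. Add Gov account to [organizations](add-to-org.md) (**NEW ORDER**)` is a transient editorial marker that will read as part of the procedure once this lands; the changelog entry in the second hunk already records the reorder, so drop the marker from the step list. While renumbering, the unchanged sub-step `3. [Create MFA for root account and record in location XXX](#4-create-mfa-for-root-account-and-record-in-location-xxx)` still points at a `#4-` anchor and carries a `XXX` placeholder; the anchor should match the heading's generated slug and the location should be filled in or the placeholder called out as a TODO.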
From: dwara001 Date: Thu, 16 Apr 2026 07:54:54 -0400 Subject: [PATCH 02/10] change order of the new account creation steps --- aws/documentation/account-setup/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/aws/documentation/account-setup/README.md b/aws/documentation/account-setup/README.md index 6a492608..7c3a5616 100644 --- a/aws/documentation/account-setup/README.md +++ b/aws/documentation/account-setup/README.md @@ -63,11 +63,11 @@ before continuing. - PR 3. [Execute apply](#execute-terraform-code) in master payer to create both EW, GovCloud accounts - PR -4. Add Gov account to [organizations](add-to-org.md) (**NEW ORDER**) - - PR -5. Create [bootstrap](#create-bootstrap-access-keys) +4. Create [bootstrap](#create-bootstrap-access-keys) 1. [EW](#bootstrap-ew-account) - 2. [GovCloud](#bootstrap-govcloud-account) + 2. [GovCloud](#bootstrap-govcloud-account) +5. Add Gov account to [organizations](add-to-org.md) (**NEW ORDER**) + - PR 6. With new EW account 1. [Setup credentials entry and new password](#1-setup-credentials-entry-and-new-password) 2. [Reset password from shared mailbox](#2-reset-password-from-shared-mailbox) From 37823f0a855fad2b0d21bf2f988f4d4cae5b2e1a Mon Sep 17 00:00:00 2001 From: dwara001 Date: Thu, 16 Apr 2026 07:57:55 -0400 Subject: [PATCH 03/10] change order of the new account creation steps --- aws/documentation/account-setup/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/aws/documentation/account-setup/README.md b/aws/documentation/account-setup/README.md index 7c3a5616..525ad474 100644 --- a/aws/documentation/account-setup/README.md +++ b/aws/documentation/account-setup/README.md @@ -574,3 +574,5 @@ Once you have created the GovCloud account, there are a couple more steps to add - add flowchart * 1.0.37 -- 2026-04-14 - change order of add to organization +* 1.0.38 -- 2026-04-16 + - change order of Bootstrap and add to organization steps 
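Review bot: the pair `-    2. [GovCloud](#bootstrap-govcloud-account)` / `+    2. [GovCloud](#bootstrap-govcloud-account)` is a whitespace-only change (trailing whitespace is the usual cause); confirm it is intended or drop it so the hunk only shows the bootstrap/organizations swap. The `(**NEW ORDER**)` marker now travels with step 5 even though the order it flagged in 1.0.37 has been reversed again, so it no longer means anything to a reader; remove it and let the changelog carry the history.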
From 37425f5a17191dc2e09997001fe3c41aa456269d Mon Sep 17 00:00:00 2001 From: dwara001 Date: Thu, 16 Apr 2026 08:22:34 -0400 Subject: [PATCH 04/10] change order of the new account creation steps --- aws/documentation/account-setup/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/documentation/account-setup/README.md b/aws/documentation/account-setup/README.md index 525ad474..3522fc06 100644 --- a/aws/documentation/account-setup/README.md +++ b/aws/documentation/account-setup/README.md @@ -63,7 +63,7 @@ before continuing. - PR 3. [Execute apply](#execute-terraform-code) in master payer to create both EW, GovCloud accounts - PR -4. Create [bootstrap](#create-bootstrap-access-keys) +4. Create [bootstrap](#cross-account roles for bootstrapping) 1. [EW](#bootstrap-ew-account) 2. [GovCloud](#bootstrap-govcloud-account) 5. Add Gov account to [organizations](add-to-org.md) (**NEW ORDER**) From 04a466fc738405b166640a7bf84f275f6937fa26 Mon Sep 17 00:00:00 2001 From: dwara001 Date: Thu, 16 Apr 2026 08:40:32 -0400 Subject: [PATCH 05/10] change order of the new account creation steps --- aws/documentation/account-setup/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/documentation/account-setup/README.md b/aws/documentation/account-setup/README.md index 3522fc06..dd9d47b6 100644 --- a/aws/documentation/account-setup/README.md +++ b/aws/documentation/account-setup/README.md @@ -63,7 +63,7 @@ before continuing. - PR 3. [Execute apply](#execute-terraform-code) in master payer to create both EW, GovCloud accounts - PR -4. Create [bootstrap](#cross-account roles for bootstrapping) +4. Create [cross-account roles for bootstrapping] 1. [EW](#bootstrap-ew-account) 2. [GovCloud](#bootstrap-govcloud-account) 5. Add Gov account to [organizations](add-to-org.md) (**NEW ORDER**) From a68bd1f10161ddc4d3125eac9a4bcee36826c21f Mon Sep 17 00:00:00 2001 
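Review bot: the new link `+4. Create [bootstrap](#cross-account roles for bootstrapping)` is not a valid fragment because the target contains spaces; a heading named "Cross-account roles for bootstrapping" would get the generated slug `#cross-account-roles-for-bootstrapping`, and the link should only be changed if such a heading actually exists in the README, otherwise keep `#create-bootstrap-access-keys` from the removed line. The commit subject "change order of the new account creation steps" also does not describe this change, which is a link edit rather than a reorder.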
From: dwara001 Date: Thu, 16 Apr 2026 09:37:44 -0400 Subject: [PATCH 06/10] change order of the new account creation steps --- aws/documentation/account-setup/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/documentation/account-setup/README.md b/aws/documentation/account-setup/README.md index dd9d47b6..d88c49ed 100644 --- a/aws/documentation/account-setup/README.md +++ b/aws/documentation/account-setup/README.md @@ -63,7 +63,7 @@ before continuing. - PR 3. [Execute apply](#execute-terraform-code) in master payer to create both EW, GovCloud accounts - PR -4. Create [cross-account roles for bootstrapping] +4. Create [#cross-account roles for bootstrapping] 1. [EW](#bootstrap-ew-account) 2. [GovCloud](#bootstrap-govcloud-account) 5. Add Gov account to [organizations](add-to-org.md) (**NEW ORDER**) From 92550f4f50c481aad7c8cd68a90a748dbe4b6c9c Mon Sep 17 00:00:00 2001 From: dwara001 Date: Thu, 16 Apr 2026 09:41:06 -0400 Subject: [PATCH 07/10] change order of the new account creation steps --- aws/documentation/account-setup/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws/documentation/account-setup/README.md b/aws/documentation/account-setup/README.md index d88c49ed..e4b09e20 100644 --- a/aws/documentation/account-setup/README.md +++ b/aws/documentation/account-setup/README.md @@ -63,7 +63,7 @@ before continuing. - PR 3. [Execute apply](#execute-terraform-code) in master payer to create both EW, GovCloud accounts - PR -4. Create [#cross-account roles for bootstrapping] +4. Create [cross-account roles](#create-bootstrap-access-keys) for bootstrapping 1. [EW](#bootstrap-ew-account) 2. [GovCloud](#bootstrap-govcloud-account) 5. Add Gov account to [organizations](add-to-org.md) (**NEW ORDER**) From dfa30b3970f37bb0ee067781741e44748e92db11 Mon Sep 17 00:00:00 2001 
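Review bot: `+4. Create [cross-account roles](#create-bootstrap-access-keys) for bootstrapping` restores a working link, but it arrives after three commits (`#cross-account roles for bootstrapping`, `[cross-account roles for bootstrapping]` with no target, and `[#cross-account roles for bootstrapping]`) that each left the step as a dead or literal bracket; squash patches 04 through 07 into one commit with a subject that says the step 4 link text was reworded, and add a changelog entry since 1.0.38 only records the bootstrap/organizations swap. Also confirm that the `#create-bootstrap-access-keys` heading is the one that covers the cross-account roles, since the link text and target now name different things.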
From: dwara001 Date: Thu, 4 Jun 2026 07:55:33 -0400 Subject: [PATCH 08/10] update markdown for CHRIS application --- aws/projects/adsd-chris/README.md | 44 ++++++++++++++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/aws/projects/adsd-chris/README.md b/aws/projects/adsd-chris/README.md index 17190132..e9ea2941 100644 --- a/aws/projects/adsd-chris/README.md +++ b/aws/projects/adsd-chris/README.md @@ -1,6 +1,18 @@ # ADSD CHRIS This document lists some basic architecture and requirements of the ADSD CHRIS System +* CHRIS application is a .Net application that runs on windows servers with a MSSQL Server backend database. +* Application interfaces with other systems. Most of the interfaces are through windows shared file systems. +* It is tightly integrated with boc.ad.census.gov domain. It need access to boc.ad.census.gov on-prem file shares. +* Web and Application EC2 servers need to be joined to boc.ad.census.gov domain. +* Web and Application servers need common shared filesystem that can be mounted on both servers. FSx for windows AWS storage service is an ideal choice. + +# RDS MSSQL Server engine: +* CHRIS database need native SQL Server Auditing enabled. We use this feature to comply with security baseline, track user activity and data access. +* CHRIS database need native SQL Server backup and restore functionality. We use native backups to move/migrate CHRIS databases to Cloud-RDS. +* CHRIS application also uses SSIS - SQL Server Integration Services feature to process interface data files. +* The options group (SQLSERVER_AUDIT , SQL_Server_Backup_Restore , SSIS) require tight integration with S3 storage. +* SSIS options group require tight integration with boc.ad.census.gov customer managed domain controller. ## Challenges 
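Review bot: `+# RDS MSSQL Server engine:` introduces a second H1 in a file whose title is `# ADSD CHRIS` and whose other sections (`## Challenges`, `## RDS`) are H2, so use `## RDS MSSQL Server engine` without the trailing colon. Grammar in the new bullets: "It need access" and "CHRIS database need" should be "needs", "windows" should be "Windows", ".Net" should be ".NET", and "The options group (SQLSERVER_AUDIT , SQL_Server_Backup_Restore , SSIS) require" should use the option name as it appears later in the file (`SQLSERVER_BACKUP_RESTORE`) and read "requires". The bullets say the option group needs "tight integration with S3 storage" and SSIS needs the customer-managed domain controller, but not what access that means; a sentence naming the IAM role and bucket prefix the options use would let a reviewer check the permission boundary.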
@@ -19,12 +31,42 @@ to any future MSSQL setups. ## RDS * Security Group -* Paraameter Group + * Security groups and Parameter groups are common for all database engines. + * sg-adsd-chris-qa-mssql + * Port 1433 + * Port 445 +* Parameter Group + * census-sqlserver-se-15-0 + * census-sqlserver-se-16-0 * Option Group * list each desired setting name and value + * base-ms-sqlserver-ee-15-00 + * base-ms-sqlserver-se-15-00 + * base-ms-sqlserver-ee-16-00 + * base-ms-sqlserver-se-16-00 + * Settings + * SQLSERVER_AUDIT + * RETENTION_TIME + * 365 + * S3_BUCKET_ARN + * S3 bucket/mssql + * IAM_ROLE_ARN + * IAM Role + * SQLSERVER_BACKUP_RESTORE + * IAM_ROLE_ARN + * IAM Role + * SSIS + * IAM_ROLE_ARN + * IAM Role + * AD Integration + * TDE + * Audit + * SQLSERVER_AUDIT * Backup + * SQLSERVER_BACKUP_RESTORE * Integration with boc.ad.census.gov + * SSIS ## FSx Windows * Integration with boc.ad.census.gov From f0e5932efdf215a0a65a48b1b39442f733ad74ed Mon Sep 17 00:00:00 2001 From: dwara001 Date: Thu, 4 Jun 2026 08:13:15 -0400 Subject: [PATCH 09/10] update markdown for CHRIS application --- aws/projects/adsd-chris/README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/aws/projects/adsd-chris/README.md b/aws/projects/adsd-chris/README.md index e9ea2941..f954eb87 100644 --- a/aws/projects/adsd-chris/README.md +++ b/aws/projects/adsd-chris/README.md 
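Review bot: the security group rules `* Port 1433` and `* Port 445` under `sg-adsd-chris-qa-mssql` are listed by port only; add the direction and source (the web/app EC2 security groups or the on-prem file share CIDRs) for each rule so they are not read as open ingress, and note which integration needs 445 (SMB) since 1433 alone covers the database clients. The values `S3 bucket/mssql` under `S3_BUCKET_ARN` and `IAM Role` under each `IAM_ROLE_ARN` are placeholders, and `* TDE` has no setting at all; either fill them in using the naming formats documented later in this series or mark them as TODO. The unchanged line `* list each desired setting name and value` was the instruction this hunk fulfils and should be removed, and the first sub-bullet "Security groups and Parameter groups are common for all database engines" sits under `* Security Group` although it applies to both headings, so move it to the top of the `## RDS` section.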
@@ -68,5 +68,21 @@ to any future MSSQL setups. * Integration with boc.ad.census.gov * SSIS +## The OG module for the mssql db does the following + 1. creates the OG + 2. if enable_s3_backups set, checks for options_group_bucket_id and options_group_role_arn + 3. if enable_s3_audit set, checks for same as #2 + 4. if none of the things are set in #2, and create_resources is set + 1. create s3 bucket (need to have a lifecycle on it) + 2. with kms key + 3. create iam role + 5. uses same bucket, key, and role for both backups and audit + 6. need to decide on defaults +## Formats + 1. s3: v-s3-{blf}-mssql-{sqlinstance}-{account_id}-{regionshort} + 2. iam: r-{blf}-mssql-{sqlinstance} +## SSO Permission + if the sc-dba needs to read/write the bucket, we would grant assume role access to the iam role + ## FSx Windows * Integration with boc.ad.census.gov From da7694b3e62686214b9a1087edb35f822e3da4a3 Mon Sep 17 00:00:00 2001 From: dwara001 Date: Thu, 4 Jun 2026 09:16:00 -0400 Subject: [PATCH 10/10] update markdown for CHRIS application --- aws/projects/adsd-chris/README.md | 35 ++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/aws/projects/adsd-chris/README.md b/aws/projects/adsd-chris/README.md index f954eb87..9fbd8fda 100644 --- a/aws/projects/adsd-chris/README.md +++ b/aws/projects/adsd-chris/README.md 
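Review bot: step 4 `if none of the things are set in #2, and create_resources is set` does not say what happens when `enable_s3_backups` or `enable_s3_audit` is set, `options_group_bucket_id`/`options_group_role_arn` are empty, and `create_resources` is false; state the outcome explicitly (fail validation, or create nothing and leave the option disabled), since steps 2 and 3 only describe the check. Step 4.1 "need to have a lifecycle on it" and step 6 "need to decide on defaults" are open TODOs and should be labelled as such or resolved; the lifecycle rule in particular matters because the audit option in this file uses `RETENTION_TIME` 365, and the bucket policy should not expire audit objects sooner than that. Under `## SSO Permission`, "we would grant assume role access to the iam role" gives a human principal the same role RDS assumes and requires widening that role's trust policy beyond the RDS service; prefer a separate permission set scoped to the bucket prefix the DBA needs. Markdown: the new `## Formats` and `## SSO Permission` headings need a blank line before them, and the body under `## SSO Permission` is an indented sentence rather than a list item.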
@@ -83,6 +83,39 @@ to any future MSSQL setups. 2. iam: r-{blf}-mssql-{sqlinstance} ## SSO Permission if the sc-dba needs to read/write the bucket, we would grant assume role access to the iam role - +## Process + * is this write access a one time thing? + Not a one time thing. It will be needed until the CHRIS migration is completed. The CHRIS databases are currently on-prem and the backup files will need to be copied to the S3 Bucket so they can be restored to the AWS RDS DB instance. + * is it only from windows servers? + Yes, it will only be from windows servers + * do the windows servers have the aws cli and the ability to use sso and/or the aws sdk and assume roles? + Yes, the windows server I will be using has the aws cli and the ability to use sso. + * is there one bucket per mssql db and an associated role for it? + If you mean one bucket per environment (dev,test,stage,prod) then yes a S3 bucket is needed for each environment which I believe already exists. + would like to use the current S3 bucket "s3://v-s3-adsd-chris-dev-rds-dump-582222802695-uge1/mssql/" and create a new folder called "restore" or "restore fromonprem" for testing. The role which writes backups and audit, that has write access + * what folders are in use for the backups and for the audit? + This has nothing to do with the audit folders only backups and i would like to get a new folder created under the "mssql" folder (s3://v-s3-adsd-chris-de v-rds-dump-582222802695-uge1/mssql/) called "migration", "restore" or "restorefromonprem" and upload the on-prem backup files to that folder. The files will be deleted once the restore is completed. 
+ * Backups + s3://v-s3-adsd-chris-dev-rds-dump-582222802695-uge1/mssql/backup/chris-dev-db1/ + * diff/ + * full/ + * Audits + s3://v-s3-adsd-chris-dev-rds-dump-582222802695-uge1/mssql/chris-dev-db1/ + * ADSD_Audit/ + * Database_Audit/ + * Database_Schema_Object_Change_Audit/ + * DatabaseTables_Audit/ + * Login_Audit/ + * Login_Failed_Audit/ + * RoleMemberChange_Audit/ + * Schema_Object_Access_Audit/ + * would it be a different folder for the migration? + Yes, I would like to get a new folder created called "migration", "restore" or "restorefromonprem" + * once migrated is that write access still needed? + No + * Read will be needed to validate. + * for the backups it is run from within the SQL Server Instance via a schedule job using an AWS RDS provided stored procedure "EXEC msdb.dbo.rds_backup_dat abase" + * the folder(s) get created from the "msdb.dbo.rds_backup_database" stored procedure if they do not exist already. + ## FSx Windows * Integration with boc.ad.census.gov
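Review bot: the answers in this hunk establish that write access is only needed until the migration completes ("once migrated is that write access still needed? No") and only for a new folder under `mssql/`, so the permission should be a temporary grant scoped to that one prefix (for example `mssql/migration/`) with a recorded removal step, rather than letting the DBA assume "The role which writes backups and audit, that has write access", which also covers the `backup/` and audit prefixes that the restored instance keeps using; document the read-only access that remains for validation. Two values in the added text contain stray spaces that break them: `s3://v-s3-adsd-chris-de v-rds-dump-582222802695-uge1/mssql/` and `"EXEC msdb.dbo.rds_backup_dat abase"`, which the adjacent lines spell as `v-s3-adsd-chris-dev-rds-dump-582222802695-uge1` and `msdb.dbo.rds_backup_database`. The folder name is still undecided across three mentions ("migration", "restore" or "restorefromonprem"); pick one before merging so the IAM prefix condition and the doc agree. This section is a question-and-answer transcript; a short requirements list (source, destination prefix, duration, who runs the copy, cleanup) under `## Process` would be easier to maintain than the raw exchange.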