Connector Deployment Cloudformation
Author:
Fluent Commerce
Changed on:
31 Jan 2024
Overview
Attached to this page is the “connectors.yaml” template, which is used to create a CloudFormation stack for the Connectors API. The resulting stack deploys ECS Fargate containers that run the API and expose a public endpoint. That endpoint is served over HTTPS with a TLS certificate attached to the Application Load Balancer.
Key points
- Disclaimer
- Prerequisites
- Manual Deployments
- Stack Provisioned
Disclaimer
The template provided here is a sample and may not work as is for every AWS account. Review it against your company's requirements and adapt it as necessary. It is not a production-ready template.
Prerequisites
To deploy the stack successfully, the following prerequisites must be in place:
- A registered domain name
- A public DNS zone for the domain
- At least 1 private Subnet in the VPC
- At least 1 public Subnet in the VPC
- Permission to pull the required Docker image from a container registry (the ECS task execution role needs pull access to it)
Manual Deployments
When deploying the template manually through the CloudFormation console, you need to provide several parameters applicable to your environment.
Note: A few parameters have default values. Environment-specific values are shown in angle brackets; replace them with the values for your environment.
After the stack has deployed successfully, you can find the public endpoint on the stack's “Outputs” tab, listed under the output key “ConnectorsPublicURL”.
Stack Provisioned
- Secrets Manager - Used for credential storage.
- SQS Queues - Receive events from commercetools and the connector's internal messages.
- S3 - Log file storage.
- CloudWatch - Streams container logs and collects metrics from the running containers.
- ECS - Runs the commercetools connector containers.
- EventBridge - Holds the configuration and triggers execution of batch operations for the connector.
- ELB (Application Load Balancer) / API endpoints - Exposes the connector to the web; explained in more detail below.
There are 3 key endpoints provided as part of the commercetools Connector:
- Fluent Webhook (/api/v1/fluent-connect/webhook): This must be publicly reachable, and no network- or load-balancer-level authentication can be placed in front of it, because Fluent OMS calls it directly. It is not unauthenticated, though: each webhook request carries a signature that the connector validates to confirm the request is authentic and was sent by Fluent OMS.
- Scheduler Endpoint (/api/v1/fluent-connect/scheduler/add/*): This should not be publicly reachable. EventBridge is its only consumer, so it can stay private within the VPC.
- Spring Actuators (/actuator/**): Provide the container's health status. Although they are configured to expose minimal information, keep them private.
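The page does not reproduce the connector's actuator configuration, so the following application.yaml fragment is an added example, not the connector's own settings. It uses standard Spring Boot management properties and shows the permissive setting beside the minimal one the page describes:

```yaml
# Added example, not the connector's own configuration.
# Standard Spring Boot management properties.
management:
  endpoints:
    web:
      exposure:
        # Only the health endpoint is served over HTTP. The permissive form,
        #   include: "*"
        # would also expose env, beans, mappings and similar endpoints that
        # leak configuration, class paths and property values.
        include: health
  endpoint:
    health:
      # Report only UP/DOWN, never per-component details
      # (database type, disk paths, free space).
      show-details: never
      # Keep the liveness/readiness groups available for the
      # container health check.
      probes:
        enabled: true
```

Even with this configuration, /actuator/** should still be excluded from any public load balancer rule; the setting above limits what the endpoint says, not who can reach it.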
Because the connector runs a web server, an instance that is not secured or kept private will answer any HTTP request; for a path it does not know, it returns an empty body with HTTP status 404. A framework-level security layer such as Spring Security is not required for the endpoints above: restricting which paths the load balancer forwards, through the CloudFormation listener rules, is sufficient, provided that the scheduler and actuator paths are never matched by a public rule.
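The following CloudFormation fragment is an added example, not the connectors.yaml attached to this page, showing how listener rules can restrict the public surface to the webhook path. It assumes the stack already defines a load balancer (ConnectorsLoadBalancer), the Fargate service's target group (ConnectorsTargetGroup) and a parameter holding the ACM certificate ARN (ConnectorsCertificateArn); those names are illustrative:

```yaml
# Added example, not the template attached to this page. Assumes the stack
# already defines ConnectorsLoadBalancer (AWS::ElasticLoadBalancingV2::LoadBalancer),
# ConnectorsTargetGroup (the Fargate service's target group) and a
# ConnectorsCertificateArn parameter holding the ACM certificate ARN.
Resources:
  # Plain HTTP is never forwarded to the containers; it only redirects to HTTPS.
  ConnectorsHttpListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ConnectorsLoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            StatusCode: HTTP_301

  # The HTTPS listener's default action is a fixed 404, so any path that is
  # not explicitly allowed by a rule below never reaches the connector.
  ConnectorsHttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ConnectorsLoadBalancer
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref ConnectorsCertificateArn
      DefaultActions:
        - Type: fixed-response
          FixedResponseConfig:
            StatusCode: "404"
            ContentType: text/plain

  # The only public path: the Fluent webhook. Its caller is authenticated by
  # the signature the connector validates, not by the load balancer.
  ConnectorsWebhookRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref ConnectorsHttpsListener
      Priority: 10
      Conditions:
        - Field: path-pattern
          PathPatternConfig:
            Values:
              - /api/v1/fluent-connect/webhook
      Actions:
        - Type: forward
          TargetGroupArn: !Ref ConnectorsTargetGroup
```

With this layout, /api/v1/fluent-connect/scheduler/add/* and /actuator/** have no listener rule, so the load balancer answers them with 404 before the request reaches a container. The target group's own health check still reaches /actuator directly on the task, since it does not pass through the listener. EventBridge must then reach the scheduler endpoint by a private route rather than through this public listener; how the template wires that is not covered on this page. After deployment, confirm the rules with `aws elbv2 describe-rules --listener-arn <https-listener-arn>` and check from outside the VPC that the scheduler and actuator paths return 404.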
If custom endpoints are added to the connector, reconsider whether a security layer is needed.