Systems Project Prerequisites
The following is a checklist of items that a Systems team lead will need to start most (if not all) Systems projects. Be sure to plan for these in your estimates and to discuss these items with your Product Owner or Account Manager so they may coordinate addressing these important needs with the client.
- An SSL certificate, usually a wildcard cert for `*.domain.com`
- Access to edit the client's DNS Zone File, preferring to use Route53 for both domain registration and DNS management whenever possible
- An email address we can use to sign up for services on the client's behalf, such as `developer@domain.com`
- Contact and/or billing information to sign up for services on the client's behalf
- An AWS account
  - In addition to the root account, set up IAM users with passwords for:
    - Yourself
    - Other engineers on your project
    - Director of Systems Engineering
  - Configure multi-factor authentication (MFA) for each user
  - Set up IAM roles to obtain AWS keys for server configuration and service access
- A New Relic account for app monitoring
- A Loggly account to aggregate logs
Notes
You may have clients that are tech-savvy enough to manage signing up for and controlling the various services we use, but that tends to be the exception and not the rule. If a client seems uneasy about giving us the requisite control to act on their behalf, remind them that it helps avoid delays (blockers) during development and lets us address issues as quickly as possible should problems arise during or after deployment.
We can (and generally prefer to) acquire an SSL cert on behalf of the client via OpenSRS. Be sure to discuss with a Senior Engineer or Director for further instructions.
You can edit a domain's zone file with access to the client's domain registrar account, but it's not difficult to transfer existing records to Route53. It's much easier to maintain once transferred, and several AWS services will automatically update zone records for you if managed through Route53. Even better: if the client hasn't already registered a domain elsewhere, it can be done right through Route53 itself.
Any sensitive billing info, such as credit card numbers or private addresses, should be communicated via a secure channel, preferably in person. This excludes email: we cannot guarantee end-to-end encryption, so email is only slightly less dangerous than publicly posting such information online.
As a general rule, do not hand out the access and secret keys of IAM users that can log in to the AWS console. Instead, use only the access and secret keys obtained through the IAM roles you create for this purpose, and assign that role only the permissions needed to fulfill whatever functions are necessary. There's essentially no reason to use an individual's API access keys: those generally carry power-user access, and using them breaks the entire security model of separating IAM users from roles.
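As an added example (not part of the original checklist or any project's own code), the following Python builds the policy documents behind the two rules above: an instance-profile trust policy so servers obtain keys through a role rather than a person's access keys, a permissions policy scoped to a single bucket, and a policy that denies console users everything but MFA setup until they have authenticated with MFA. It also includes a small pre-commit style check that flags `Allow` statements carrying a bare `*` action or resource, which is exactly the shape a power-user key's policy has. The bucket name and the minimal `NotAction` list are constructed placeholders, not client values; `aws:MultiFactorAuthPresent`, `sts:AssumeRole` and `ec2.amazonaws.com` are standard IAM identifiers.

```python
"""Least-privilege IAM policy documents plus a sanity check.

Added example, not code from the original page. All names below are
constructed placeholders (assumptions), not real client values.
"""
import json

CLIENT_BUCKET = "example-client-assets"  # constructed placeholder

# Trust policy: lets EC2 instances assume the role via an instance profile,
# so servers get temporary credentials without anyone's long-lived keys.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: read-only access to exactly one bucket.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{CLIENT_BUCKET}/*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{CLIENT_BUCKET}"]},
    ],
}

# Contrast: what a "power user" access key effectively carries.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Deny everything except MFA self-management when the session lacks MFA.
# BoolIfExists makes the Deny fire when the key is absent (no MFA) or false.
# The NotAction list is a deliberately minimal variant of the common pattern.
REQUIRE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptMfaSetupWhenNoMfa",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
            "iam:ListMFADevices", "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice", "sts:GetSessionToken",
        ],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy):
    """Indices of Allow statements granting every action or every resource."""
    flagged = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions or "*" in resources:
            flagged.append(i)
    return flagged


def is_least_privilege(policy):
    """True when no Allow statement uses a bare wildcard."""
    return not overly_broad_statements(policy)


def requires_mfa(policy):
    """True if a Deny statement is conditioned on MFA not being present."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        for op in ("Bool", "BoolIfExists"):
            value = cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")
            if str(value).lower() == "false":
                return True
    return False


if __name__ == "__main__":
    for name, pol in (("least_privilege", LEAST_PRIVILEGE_POLICY),
                      ("overly_broad", OVERLY_BROAD_POLICY)):
        print(name, "flagged statements:", overly_broad_statements(pol))
    print("MFA enforced:", requires_mfa(REQUIRE_MFA_POLICY))
    print(json.dumps(EC2_TRUST_POLICY, indent=2))
```

Run `overly_broad_statements` against every permissions policy before attaching it to a role; an empty result is the bar the checklist's "only the permissions needed" rule sets. Attach `REQUIRE_MFA_POLICY` to the IAM users (or their group) so the MFA item above is enforced rather than merely requested.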
New Relic provides a lot of insight into slow API endpoints or database queries. It also provides excellent error reporting. The free account stores data for 24 hours, which is usually enough to handle issues during development. However, you'll want to have the client upgrade to a paid account before deploying to production.