Amazon Web Services (AWS) Installation

myriAD is installed into an AWS account using the Cloud Formation template(s) and source code zip files located on GitHub.

Download the latest Zephyr.Directory.Aws.v#.#####.#.zip release, expand it and copy the contents into an S3 bucket on the AWS account (in the same region) where you want myriAD to run. The cloud formation templates are located in the cf-templates directory.

Cloud Formation Core Template

The cloud formation template "cft-myriad-core.yaml" creates all the necessary resources required to run MyriAD in your AWS account. It assumes you are running the template with a policy that has the permissions to create the resources necessary (listed below). The policy document can be found in the "policies" directory.

Minimum Required Permissions

Prerequisites For Running Core Template

The core cloud formation template expects a few items to have been created before calling it. All of the items below can be created by running the cft-myriad-init.yaml template, or can be created from the AWS console.

Template Variables

Below is the list of variables needed to run the core cloud formation template, and a brief explanation of each:

Lambda Function Variables

Variable Name | Required | Description
MyriadCodeBucketName | Yes | The name of the S3 Bucket which contains the Lambda DotNet Core code (the Zephyr.Directory.Aws.zip file)
MyriadCodeBucketKey | Yes | The key of the S3 Lambda DotNet Core code object (ex: code/Zephyr.Directory.Aws.zip)
MyriadCoreFunctionName | Yes | The name of the lambda function.
LambdaCoreRoleArn | Yes | The ARN (Amazon Resource Name) for the IAM role to be used by the lambda functions. See the prerequisites for details.
MyriadVpcSubnetIds | No (1) | A comma separated list of VPC Subnets where the lambda functions should be deployed
MyriadVpcSecurityGroupIds | No (1) | A comma separated list of security groups to apply to the lambda function.

LDAP Configuration

Variable Name | Required | Description
MyriadEnvDefaultConfig | No (2) | JSON string representing the default configuration to connect to the LDAP server. Used when connection details are not provided in the request and for queries by object type. (see LDAP Config for example)
MyriadEnvDomainMapping | No (3) | JSON string representing a mapping of full domains and/or short domain names to environment variables that provide connection details to that domain. (see LDAP Domain Mappings for example)
MyriadEnvReturnTypes | No | JSON string representing attributes that should be returned as a type other than string. (see Attribute Mapping for example)

API Gateway Variables

Variable Name | Required | Description
ApiGatewayId | Yes | The API Gateway Id where the Resources, Methods, API Keys and Cost Plans will be deployed.
RootResourceId | Yes | The Root Resource Id for your API Gateway. The template will create /search and /{type} resources off the main root resource.
ApiGatewayStageName | Yes | The name of the stage where the API Gateway will be deployed.
DeployToStage | Yes | Boolean value indicating whether or not the API Gateway should be deployed after creation.
SecureWithApiKey | Yes | Boolean value indicating whether or not the API Gateway methods should be secured with an API Key.
ApiDefaultKeyName | No (4) | Name of the default API Key created for MyriAD (Leave blank if not secured with an API Key or you already have an API Key associated with this API Gateway)
ApiDefaultUsagePlanName | No (4) | Name of the default Usage Plan created for MyriAD (Leave blank if not secured with an API Key or you already have a Usage Plan associated with this API Gateway)

JSON Configuration Objects

The following JSON Objects are used in the LDAP Configuration variable section above.

LDAP Config

Saves in DEFAULT_CONFIG environment variable

{
    "server": "my.ldapserver.company.com",
    "ssl": true,
    "username": "MyUserName",
    "password": "MyEncryptedOrPlainTextPassword",
    "maxResults": 1000,
    "maxRetries": 2
}

LDAP Domain Mappings

ALL CAPS ONLY - Saves in DOMAIN_MAPPINGS environment variable

{
    "SB1":"DEFAULT_CONFIG",
    "SANDBOX.MYCOMPANY.COM":"DEFAULT_CONFIG",
    "SB2":"SB2_CONFIG",
    "SANDBOX2.MYCOMPANY.COM":"SB2_CONFIG",
    "SB3":"SB3_CONFIG",
    "SANDBOX3.BP.COM":"SB3_CONFIG"
}

Attribute Mapping

Saves in RETURN_TYPES environment variable.
Valid values are (String, StringArray, Bytes, BytesArray, Guid or Sid)

{
    "comment":"Bytes",
    "mS-DS-ConsistencyGuid":"Guid",
    "msExchArchiveGUID":"Guid",
    "msExchMailboxGuid":"Guid",
    "thumbnailPhoto":"Bytes",
    "directReports":"StringArray",
    "showInAddressBook":"StringArray",
    "msRTCSIP-UserPolicies":"BytesArray"
}
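The three objects above are only checked when the Lambda actually runs, so a bad value surfaces as a failed lookup rather than a failed deployment. The following validator is an added example (not code from the myriAD project) that applies the rules this section states to the DEFAULT_CONFIG, DOMAIN_MAPPINGS and RETURN_TYPES strings before they are pasted into the MyriadEnv* parameters; the sample environment at the bottom is constructed, and the "ssl must be true" check is this example's recommendation, not a rule the page states.

```python
import json

# Valid RETURN_TYPES values listed in the Attribute Mapping section above.
VALID_RETURN_TYPES = {"String", "StringArray", "Bytes", "BytesArray", "Guid", "Sid"}
# Connection keys shown in the LDAP Config example above.
REQUIRED_CONFIG_KEYS = ("server", "username", "password")


def _load(name, raw):
    """Parse one environment variable's JSON string; return (object, problems)."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        return None, [f"{name} is not valid JSON: {exc}"]
    return (obj, []) if isinstance(obj, dict) else (None, [f"{name} must be a JSON object"])


def validate_default_config(raw):
    """Problems in a DEFAULT_CONFIG-style object (also usable for *_CONFIG variables)."""
    cfg, problems = _load("DEFAULT_CONFIG", raw)
    if cfg is None:
        return problems
    problems += [f"missing key '{k}'" for k in REQUIRED_CONFIG_KEYS if k not in cfg]
    if cfg.get("ssl") is not True:  # example's recommendation: bind over TLS only
        problems.append("'ssl' is not true: the bind would not be TLS-protected")
    for key in ("maxResults", "maxRetries"):
        if key in cfg and not (isinstance(cfg[key], int) and cfg[key] >= 0):
            problems.append(f"'{key}' must be a non-negative integer")
    return problems


def validate_domain_mappings(raw, env):
    """Problems in DOMAIN_MAPPINGS: keys ALL CAPS, values naming a variable in env."""
    mapping, problems = _load("DOMAIN_MAPPINGS", raw)
    for domain, var in (mapping or {}).items():
        if domain != domain.upper():
            problems.append(f"domain key '{domain}' is not ALL CAPS")
        if var not in env:
            problems.append(f"'{domain}' maps to undefined variable '{var}'")
    return problems


def validate_return_types(raw):
    """Problems in RETURN_TYPES: every value must be one of the valid type names."""
    types, problems = _load("RETURN_TYPES", raw)
    return problems + [f"attribute '{a}' has invalid return type '{t}'"
                       for a, t in (types or {}).items() if t not in VALID_RETURN_TYPES]


if __name__ == "__main__":
    env = {  # constructed sample environment; hostnames and values are placeholders
        "DEFAULT_CONFIG": '{"server":"ldap.example.com","ssl":true,"username":"svc","password":"***"}',
        "DOMAIN_MAPPINGS": '{"SB1":"DEFAULT_CONFIG","sandbox2.example.com":"SB2_CONFIG"}',
        "RETURN_TYPES": '{"thumbnailPhoto":"Bytes","comment":"Blob"}'}
    for p in (validate_default_config(env["DEFAULT_CONFIG"]) +
              validate_domain_mappings(env["DOMAIN_MAPPINGS"], env) +
              validate_return_types(env["RETURN_TYPES"])):
        print("problem:", p)
```

Run it against the same strings you intend to put in the template parameters; an empty list from each function means the values parse and satisfy the rules above.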

Cloud Formation Init Template

The cloud formation template "cft-myriad-init.yaml" creates one or more of the prerequisite cloud resources needed by the core cloud formation template. There is absolutely no requirement that you use this template to create these resources, as you can use any or all resources that have already been created in another manner. The only requirement is that the resources meet the prerequisites.

The init template can create the following objects for you:

Lambda Execution IAM Role

The core template requires the Amazon Resource Name (ARN) of an IAM Role under which to execute the core lambda functions. Here are the template variables for creating the IAM Role:

Variable Name | Required | Description
MyriadCoreRoleName | No | The name of the role you wish to create (Leave blank to skip creating a role.)
PolicyPermissionBoundry | No | The ARN for the boundary policy to be added to the created role (if one is required or desired.)

Rest Api Gateway

The core template requires a Rest Api Gateway where the required methods and resources will be deployed. This section will create an empty API Gateway for use in the core template. Here are the template variables for creating an API Gateway:

Variable Name | Required | Description
RestApiName | No | The name of the API Gateway you wish to create (Leave blank to skip creating an API Gateway.)

EC2 Security Group

Finally, if you will be deploying your core lambda functions into a VPC, the core template will require an EC2 Security Group to apply to the lambda function within that VPC. Here are the template variables for creating an EC2 Security Group for use by a lambda function running inside of a VPC:

Variable Name | Required | Description
DefaultSecurityGroupName | No | The name of the security group to create. (Leave blank to skip creating a security group.)
DefaultSecurityGroupVpcId | No | The VPC into which the security group should be created.

Template Outputs

The outputs from the init template will be needed as inputs into the core template. Below is a description of each potential output from the init template (assuming the object was created by the template, of course) that is used as input into the core template.

Variable Name | Export Name | Core Template Input Variable
ApiGateway | (STACK NAME)-MyriadApiGateway | ApiGatewayId
RootResourceId | (STACK NAME)-RootResourceId | RootResourceId
DefaultVPCSecurityGroupId | (STACK NAME)-MyriadDefaultVpcSG | MyriadVpcSecurityGroupIds
LambdaRoleArn | (STACK NAME)-MyriadCoreRoleArn | LambdaCoreRoleArn