Spike: Sort out plan for AWS Migration

[Dianadec]

Description:

This ticket it to sort out a plan and make all necessary tickets needed to implement the required AWS migration.

OCIO is upgrading landing zones in AWS, switching from AWS Secure Environment Accelerator (ASEA) product from the Government of Canada to the Landing Zone Accelerator (LZA) product from AWS.

The ASEA is the codebase currently used to configure and deploy our landing zone where your project-sets are hosted. The LZA is a new codebase that is the successor to the ASEA. It is built to align with AWS security best practices, conform with multiple global compliance frameworks and meet government requirements for security.

The ASEA codebase will be deprecated as of summer 2025 and will no longer receive updates or security fixes. The LZA codebase is officially supported by the AWS vendor who provides security patches, hot fixes, and new releases for the codebase. Switching to the LZA codebase for the AWS Landing zone will ensure that applications continue to run in a secure and compliant environment.

There is no migration path for the in-place upgrade of the ASEA landing zone to LZA. Therefore, OICO will build a separate LZA-based landing zone in parallel with the existing ASEA-based landing zone and we will be required to migrate our applications into the new landing zone.

It is recommended that to prepare, we:

• Test application disaster recovery mechanism (for example, data backup and recovery)
• Develop CI/CD for deploying application using an Infrastructure as Code (IaC) approach

OCIO is aiming to allow project migrations to start by the end of Q3 2024/25. More information available at #aws-tenant-requests in rocketchat or cloud.pathfinder@gov.bc.ca

Acceptance Criteria:

[Note: Use 'Given/When/Then' format if it makes sense to. Otherwise, a simple checklist that can be tested.]

• [ ] tickets for implementation of this migration are created
  • [ ] tickets and plan cover all Osprey products (A&R, DUP, DR, Backcountry)

Development Checklist:

• [ ] ...
• [ ] ...
• [ ] ...

Dependencies

• Blocked by
• Blocking

Relevant documentation as reference

Definition of Ready

• [ ] Acceptance criteria are included
• [ ] Wireframes are included (if applicable)
• [ ] Design / Solution is accepted by Product Owner (if applicable)
• [ ] Dependencies are identified (technical, business, regulatory/policy)
• [ ] Story has been estimated (under 13 pts)

Definition of Done

• In progress:
  • [ ] Acceptance criteria are tested (Functionality meets the acceptance criteria defined in the ticket)
  • [ ] UI meets accessibility requirements
  • [ ] Unit tests are written
  • [ ] Work is traceable in GitHub
  • [ ] PR linked to ticket number
  • [ ] If needed/required - Dev adds flag/label to highlight any migration steps necessary prior to PROD deployment
• Code review:
  • [ ] Code is peer reviewed and has passed CI/CD tests
• QA:
  • [ ] Acceptance criteria are tested (Functionality meets the acceptance criteria defined in the ticket)
  • [ ] Code is potentially shippable to the production environment
  • [ ] Functional features have been tested and passed by QA
  • [ ] UI components tested by designer
  • [ ] Code is deployed to PROD when moved to 'done' column (unless requested otherwise by PO)
• PO Review:
  • [ ] Acceptance criteria are tested (Functionality meets the acceptance criteria defined in the ticket)
  • [ ] Reviewed and approved by Product Owner

Notes:

[meyerdarcie]

Who is deprecating the ASEA?

• The ASEA is a piolet project headed by AWS. They are deprecating the project which means that they will no longer be releasing updates. We can still operate the ASEA after deprecation, however the new officially supported service is the LZA.

What is different between LZA and ASEA, is there open documentation available to consume/gain visibility into the infrastructure setup?

• The main difference is that LZA is an AWS service, while the ASEA is an AWS project. There will be much more support coming with the LZA but the LZA is designed based on the ASEA, so the infrastructure is largely the same. This is a chance for us to improve on our design in a few ways. I don’t think we have written documentation on the transition yet, but please attend the community updates as we’ll be updating there with more details as they come. To see the recording of our last community update please check out the ”CloudPathfinder Community Update” channel in teams.