# Deployment Guide

### Prerequisites

Before deploying the CloudFormation template, ensure you have:

* AWS account with permissions to create IAM roles and CloudFormation stacks
* AWS CLI installed and configured, or access to AWS Console
* The list of S3 bucket names that e6data needs to access (keep it to the buckets e6data actually needs)
* The e6data AWS Account ID, External ID and VPC Endpoint ID, which e6data provides

{% hint style="info" %}
**Note:** External ID, e6data AWS Account ID, and VPC Endpoint ID will be provided directly by e6data.
{% endhint %}

### Deployment Parameters

| Parameter           | Value                             | Description                                                       |
| ------------------- | --------------------------------- | ----------------------------------------------------------------- |
| **Stack name**      | `<your-chosen-stack-name>`        | e.g., `e6data-s3-access-prod`                                     |
| **BucketNames**     | `<comma-separated-bucket-names>`  | List your buckets, e.g., `bucket1,bucket2`. `*` grants every bucket in the account; prefer an explicit list |
| **E6dataAccountId** | <kbd>\<E6DATA\_ACCOUNT\_ID></kbd> | e6data AWS Account ID (pre-filled). Parameter keys are case-sensitive; this is the key the CLI examples use |
| **ExternalId**      | <kbd>\<EXTERNAL\_ID></kbd>        | External ID required by the role's trust policy; e6data must present it on `sts:AssumeRole`, which blocks the confused-deputy problem (pre-filled) |
| **VPCEndpointId**   | <kbd>\<VPC\_ENDPOINT\_ID></kbd>   | Your VPC Endpoint ID for S3 (pre-filled)                          |

### Deployment Options

#### Option 1: AWS Console (Recommended)

1. **Access CloudFormation Console**
   * Log in → CloudFormation → **Create stack → With new resources (standard)**
2. **Upload Template**
   * Select **Upload a template file** → Choose your CloudFormation YAML → Next
3. **Configure Parameters**
   * Stack name, BucketNames, E6dataAccountId, ExternalId, VPCEndpointId
   * Click **Next**
4. **Configure Options** (Optional)
   * Add tags if needed
   * Leave other settings default → Next
5. **Review & Create**
   * Acknowledge IAM resources creation
   * Click **Submit**
6. **Monitor Deployment**
   * Wait for **CREATE\_COMPLETE** status (2–5 minutes)

#### Option 2: AWS CLI

1. **Create Parameters File (`parameters.json`)**

```json
[
  { "ParameterKey": "BucketNames", "ParameterValue": "bucket1,bucket2,bucket3" },
  { "ParameterKey": "E6dataAccountId", "ParameterValue": "<E6DATA_ACCOUNT_ID>" },
  { "ParameterKey": "ExternalId", "ParameterValue": "<EXTERNAL_ID>" },
  { "ParameterKey": "VPCEndpointId", "ParameterValue": "<VPC_ENDPOINT_ID>" }
]
```

2. **Deploy Stack**

```bash
aws cloudformation create-stack \
  --stack-name <stack-name> \
  --template-body file://<template-file>.yaml \
  --parameters file://parameters.json \
  --capabilities CAPABILITY_NAMED_IAM \
  --region <your-region>
```

3. **Monitor Deployment**

```bash
aws cloudformation describe-stacks \
  --stack-name <stack-name> \
  --query 'Stacks[0].StackStatus'
```

Wait until the status is `CREATE_COMPLETE`. If it becomes `ROLLBACK_COMPLETE` instead, read the stack events (Events tab in the console, or `describe-stack-events` in the CLI) to find the resource that failed, then delete the stack before retrying; a rolled-back stack cannot be updated.
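The three CLI steps above take the e6data-supplied values verbatim, and a typo in `E6dataAccountId` or an unintended `*` in `BucketNames` becomes a cross-account grant. The script below is an added example, not part of the e6data template: it validates each value against the formats AWS accepts, refuses a wildcard bucket list unless the caller opts in, writes `parameters.json` in the layout of step 1, and prints the `create-stack` command from step 2 with the validated file. The file name `preflight.py` and the argument order are this example's own choices.

```python
"""Pre-flight validation for parameters.json before `create-stack`.

Added example, not part of the e6data template. The values are checked
here before the AWS CLI ever sees them; the script never calls AWS itself.
"""
import json
import re
import shlex
import sys

# General-purpose S3 bucket names: 3-63 chars of lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_ACCOUNT_RE = re.compile(r"^\d{12}$")
# VPC endpoint IDs: "vpce-" followed by hex characters.
_VPCE_RE = re.compile(r"^vpce-[0-9a-f]{8,17}$")
# Characters STS accepts in an external ID (2 to 1224 of them).
_EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]{2,1224}$")


def validate_bucket_name(name: str) -> bool:
    """True if `name` is a syntactically valid S3 bucket name."""
    if not _BUCKET_RE.match(name):
        return False
    if ".." in name or ".-" in name or "-." in name:   # no adjacent punctuation
        return False
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", name):   # must not look like an IPv4 address
        return False
    return True


def parse_bucket_list(value: str, allow_wildcard: bool = False) -> list:
    """Split the BucketNames value; reject bad names, duplicates and an unintended `*`."""
    value = value.strip()
    if value == "*":
        if not allow_wildcard:
            raise ValueError("BucketNames='*' grants every bucket in the account; "
                             "pass allow_wildcard=True only if that is intended")
        return ["*"]
    names = [n.strip() for n in value.split(",") if n.strip()]
    if not names:
        raise ValueError("BucketNames is empty")
    bad = [n for n in names if not validate_bucket_name(n)]
    if bad:
        raise ValueError(f"invalid bucket names: {bad}")
    if len(set(names)) != len(names):
        raise ValueError("duplicate bucket names in BucketNames")
    return names


def build_parameters(bucket_names: str, account_id: str, external_id: str,
                     vpc_endpoint_id: str, allow_wildcard: bool = False) -> list:
    """Return the parameter list that is written to parameters.json."""
    buckets = parse_bucket_list(bucket_names, allow_wildcard)
    if not _ACCOUNT_RE.match(account_id):
        raise ValueError("E6dataAccountId must be a 12-digit AWS account ID")
    if not _EXTERNAL_ID_RE.match(external_id):
        raise ValueError("ExternalId is empty, too long or contains characters STS rejects")
    if not _VPCE_RE.match(vpc_endpoint_id):
        raise ValueError("VPCEndpointId must look like vpce-0123456789abcdef0")
    return [
        {"ParameterKey": "BucketNames", "ParameterValue": ",".join(buckets)},
        {"ParameterKey": "E6dataAccountId", "ParameterValue": account_id},
        {"ParameterKey": "ExternalId", "ParameterValue": external_id},
        {"ParameterKey": "VPCEndpointId", "ParameterValue": vpc_endpoint_id},
    ]


def create_stack_argv(stack_name: str, template_path: str, region: str,
                      params_path: str = "parameters.json") -> list:
    """argv for the create-stack call from step 2; pass it to subprocess.run."""
    return ["aws", "cloudformation", "create-stack",
            "--stack-name", stack_name,
            "--template-body", f"file://{template_path}",
            "--parameters", f"file://{params_path}",
            "--capabilities", "CAPABILITY_NAMED_IAM",
            "--region", region]


if __name__ == "__main__":
    usage = ("usage: preflight.py <stack-name> <template.yaml> <region> "
             "<buckets> <account-id> <external-id> <vpce-id>")
    if len(sys.argv) != 8:
        sys.exit(usage)
    stack, template, region, buckets, account, ext_id, vpce = sys.argv[1:]
    try:
        params = build_parameters(buckets, account, ext_id, vpce)
    except ValueError as err:
        sys.exit(f"refusing to deploy: {err}")
    with open("parameters.json", "w") as fh:
        json.dump(params, fh, indent=2)
    print("wrote parameters.json; now run:")
    print(shlex.join(create_stack_argv(stack, template, region)))
```

The script deliberately stops short of running the command: after reviewing the printed `parameters.json` you run the `create-stack` line yourself, then continue with the monitoring step.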

### Post-Deployment: Outputs

* **RoleArn**: ARN of the IAM role e6data will assume (e.g., `arn:aws:iam::<account-id>:role/...`); this is the value to send to e6data
* **FailedBuckets**: Buckets where the Lambda could not apply the bucket policy. This should be empty; any bucket listed here is not accessible to e6data until the cause is fixed (see Troubleshooting)

#### Via CLI

```bash
aws cloudformation describe-stacks \
  --stack-name <stack-name> \
  --query 'Stacks[0].Outputs'
```

### Info to Send to e6data

* CloudFormation Stack Name
* IAM Role ARN
* AWS Region

**Email Template Example:**

```
Subject: e6data CloudFormation Stack Deployment Completed

Hi e6data Team,

We have successfully deployed the cross-account access CloudFormation stack.

Deployment Details:
- Stack Name: <your-stack-name>
- IAM Role ARN: <role-arn-from-outputs>
- AWS Region: <your-region>
- AWS Account ID: <your-account-id>

Please proceed with configuring access on your end.

Best regards,
[Your Name]
```

### Verification

1. **Verify IAM Role and its trust policy**

```bash
# Confirm the role exists; in the returned AssumeRolePolicyDocument, the Principal
# should be e6data's account and the Condition should require sts:ExternalId.
aws iam get-role --role-name e6data-cross-account-role-<stack-name>-<region>
```

2. **Verify Lambda Function**

```bash
aws lambda list-functions --query 'Functions[?contains(FunctionName, `ManageBucketPolicies`)]'
```

3. **Check CloudWatch Logs**

```bash
aws logs tail /aws/lambda/<lambda-function-name> --follow
```

4. **Verify S3 Bucket Policies**

```bash
aws s3api get-bucket-policy --bucket <bucket-name> --query Policy --output text | jq .
```
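Steps 1 and 4 print policy documents, and the security of the whole setup rests on what is in them: the trust policy must allow `sts:AssumeRole` only to e6data's account and only with the External ID, and each bucket policy must grant only the role the stack created. The script below is an added example, not code from e6data: it reads the JSON printed by `aws iam get-role` and `aws s3api get-bucket-policy` and lists every grant that goes beyond that. The embedded sample documents are constructed for illustration; the account IDs, the role ARN and the `aws:sourceVpce` condition in them are placeholders, not the template's actual policy layout.

```python
"""Post-deployment checks on the role trust policy and the bucket policies.

Added example, not code from e6data. Feed it the output of `aws iam get-role`
and `aws s3api get-bucket-policy`; the samples at the bottom are constructed.
"""
import json
import re
import sys
from urllib.parse import unquote

_ARN_ACCOUNT_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _principals(statement):
    """Flatten Principal into plain strings: '*', account IDs or ARNs."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():      # "AWS", "Service", "Federated", ...
        out.extend(_as_list(value))
    return out


def _account_of(principal):
    """Account ID of an AWS principal string, or None (services, '*', ...)."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = _ARN_ACCOUNT_RE.match(principal)
    return m.group(1) if m else None


def _label(index, statement):
    sid = statement.get("Sid")
    return f"statement {index}" + (f" ({sid})" if sid else "")


def _allow_statements(doc):
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") == "Allow":
            yield i, st


def check_trust_policy(role_json, e6data_account_id, external_id):
    """Findings for the trust policy: only e6data's account, and only with the External ID."""
    doc = role_json["Role"]["AssumeRolePolicyDocument"]
    if isinstance(doc, str):              # raw API responses URL-encode the document
        doc = json.loads(unquote(doc))
    findings = []
    for i, st in _allow_statements(doc):
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(st.get("Action"))):
            continue
        for p in _principals(st):
            if p == "*":
                findings.append(f"{_label(i, st)}: AssumeRole allowed for Principal '*'")
            elif _account_of(p) != e6data_account_id:
                findings.append(f"{_label(i, st)}: unexpected principal {p}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if _as_list(cond.get("sts:ExternalId")) != [external_id]:
            findings.append(f"{_label(i, st)}: missing or wrong sts:ExternalId condition")
    return findings


def _bucket_policy_doc(policy_json):
    policy = policy_json["Policy"]        # get-bucket-policy returns it as a JSON string
    return json.loads(policy) if isinstance(policy, str) else policy


def check_bucket_policy(policy_json, own_account_id, role_arn):
    """Findings: foreign principals, unconditional public grants, wildcard actions for the role."""
    findings = []
    for i, st in _allow_statements(_bucket_policy_doc(policy_json)):
        actions = _as_list(st.get("Action"))
        for p in _principals(st):
            if p == "*":
                if "Condition" not in st:
                    findings.append(f"{_label(i, st)}: unconditional grant to Principal '*'")
            elif p == role_arn:
                if any(a in ("s3:*", "*") for a in actions):
                    findings.append(f"{_label(i, st)}: e6data role granted wildcard actions")
            elif _account_of(p) != own_account_id:
                findings.append(f"{_label(i, st)}: grant to foreign principal {p}")
    return findings


def role_grants(policy_json, role_arn):
    """What the bucket policy gives the e6data role: actions, resources, condition keys."""
    grants = []
    for _, st in _allow_statements(_bucket_policy_doc(policy_json)):
        if role_arn in _principals(st):
            keys = sorted(k for block in st.get("Condition", {}).values() for k in block)
            grants.append({"actions": _as_list(st.get("Action")),
                           "resources": _as_list(st.get("Resource")),
                           "condition_keys": keys})
    return grants


# Constructed samples: placeholder account IDs, role ARN and condition key.
OWN_ACCOUNT, E6DATA_ACCOUNT = "111111111111", "222222222222"
ROLE_ARN = f"arn:aws:iam::{OWN_ACCOUNT}:role/e6data-cross-account-role-e6data-s3-access-prod-us-east-1"
ROLE_SAMPLE = {"Role": {"Arn": ROLE_ARN, "AssumeRolePolicyDocument": {
    "Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{E6DATA_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}}}
BUCKET_POLICY_SAMPLE = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "e6dataAccess", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket1/*"],
     "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "StrayGrant", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::bucket1/*"}]})}

if __name__ == "__main__":
    # aws iam get-role ... | python audit.py role <e6data-account-id> <external-id>
    # aws s3api get-bucket-policy ... | python audit.py bucket <own-account-id> <role-arn>
    # With no arguments the constructed samples are checked instead.
    if sys.argv[1:2] == ["role"]:
        out = check_trust_policy(json.load(sys.stdin), sys.argv[2], sys.argv[3])
    elif sys.argv[1:2] == ["bucket"]:
        data = json.load(sys.stdin)
        out = check_bucket_policy(data, sys.argv[2], sys.argv[3])
        out += [f"grant: {g}" for g in role_grants(data, sys.argv[3])]
    else:
        out = check_trust_policy(ROLE_SAMPLE, E6DATA_ACCOUNT, "example-external-id")
        out += check_bucket_policy(BUCKET_POLICY_SAMPLE, OWN_ACCOUNT, ROLE_ARN)
    print("\n".join(out) or "no findings")
```

Run the `bucket` mode once per bucket in `BucketNames`; `role_grants` shows which condition keys the stack actually attached, so if your template scopes the grant with a key such as `aws:sourceVpce`, add an assertion on it rather than trusting the sample's placeholder.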

### Troubleshooting

* **Insufficient permissions** → The deploying identity needs rights for CloudFormation, IAM (creating roles and policies), Lambda, and the S3 bucket-policy actions on the listed buckets; check the failing resource in the stack events
* **FailedBuckets not empty** → An existing bucket policy that conflicts with the new statements, the 20 KB bucket policy size limit, or buckets that live in another region or account; the Lambda's CloudWatch log names the bucket and the error
* **Lambda timeout** → Increase the function timeout, or split the bucket list across several stack updates
* **VPC Endpoint issues** → Verify that the endpoint exists in the expected VPC, is an S3 endpoint, and is in the `available` state

### Updating the Stack

* Via Console: CloudFormation → Select stack → Update → Use the existing template → Modify **BucketNames** → Submit
* Via CLI (the other parameters keep their previous values). After the update, re-check the policies of the buckets you removed from the list as well as the ones you added:

```bash
aws cloudformation update-stack \
  --stack-name <stack-name> \
  --use-previous-template \
  --parameters ParameterKey=BucketNames,ParameterValue="new-bucket1,new-bucket2" \
               ParameterKey=E6dataAccountId,UsePreviousValue=true \
               ParameterKey=ExternalId,UsePreviousValue=true \
               ParameterKey=VPCEndpointId,UsePreviousValue=true \
  --capabilities CAPABILITY_NAMED_IAM
```

### Deleting the Stack

* Removes the IAM role and its policies, the Lambda function, and the VPC endpoint policies the stack managed
* Does **not** delete your S3 buckets or data
* After deletion, confirm that the e6data statements are gone from each bucket's policy (`get-bucket-policy`) before treating access as revoked

Via Console: CloudFormation → Select stack → Delete\
Via CLI:

```bash
aws cloudformation delete-stack --stack-name <stack-name>
```

### Security Best Practices

1. Monitor role usage: alert on CloudTrail `AssumeRole` events for the role that come from any account other than e6data's, and on S3 data-access volume through the role that departs from its normal pattern
2. Audit bucket access regularly: review which buckets carry an e6data statement and remove buckets e6data no longer needs
3. Treat the External ID as sensitive. It is not a credential, but it is the confused-deputy guard in the trust policy. Rotating it means updating the stack's `ExternalId` parameter and having e6data switch to the new value at the same time, since `AssumeRole` fails until both sides agree
4. Grant access only to the buckets e6data needs; avoid `*` in `BucketNames`

### Support

* Template deployment → Check CloudFormation events & CloudWatch logs
* e6data platform → Contact support with Stack Name and Role ARN
* AWS services → Refer to AWS docs or AWS Support
