
System Architecture

Explore the key components of ASSIST’s system architecture and how critical technical considerations were incorporated into it.

ASSIST Architecture (As Is)

The System Architecture section of this IT Playbook provides a detailed description of ASSIST's current hosting and operational setup. ASSIST is hosted in an AWS cloud environment, adhering to a three-tiered architectural model that includes the AWS Elastic Kubernetes Service (EKS), the AWS Aurora Serverless Database, and an intricate network of multiple external interfaces. 

This architecture overview highlights the strategic use of cloud technologies and provides a solid foundation for understanding the system's operations, its architectural choices, and the manner in which it interacts with external systems. The following diagrams show the high-level technical architecture being used for ASSIST.

The following is a visual representation of ASSIST’s current system architecture. ASSIST is a large software system designed to streamline and consolidate the data produced during assisted acquisitions. At its current stage, ASSIST is structured as a Java Enterprise Edition (JEE) application. This version is hosted in the FAS Cloud Services and operates on the MCaaS platform. Key components of the current ASSIST system comprise an interactive user interface, a suite of data management tools, and a foundational Aurora Serverless V2 Postgres database that underpins its operations.

The following diagram represents the current ASSIST architecture.

system architecture

The sections below describe the principal elements of the ASSIST architectural framework.

Access to the ASSIST user interface is granted to users upon successful authentication, through internal mechanisms for Client, Contractor, or Support users and via GSAuth for GSA users. Authentication directs users to the appropriate module landing page (be it CPRM or ASSIST). This methodology is a prevalent approach for the deployment of Angular and ReactJS single page applications.

Application traffic undergoes a process of routing through the application load balancer, where certification validation occurs. Subsequently, the traffic is directed to the network load balancer, which in turn dispatches the request to the corresponding EKS containers.

The core components of the ASSIST business system are architected within a Multi-tenant Container-as-a-Service (MCaaS) environment, an infrastructural service accessed through our collaborative engagements with the Federal Acquisition Services' Cloud Services (FCS). The technical underpinnings of MCaaS rely on the capabilities offered by Amazon Web Services' (AWS) Elastic Kubernetes Service (EKS).

Our system environments, namely, Development (DEV), Testing (TEST), Staging (STAGE), and Production (PROD), each operate within their respective EKS Clusters. This framework endows each environment with a distinct operational sphere, facilitating effective lifecycle management of each module from development to production.

The ASSIST data storage is composed of several distinct components, each operating in concert within the AWS environment to facilitate various functionalities:

  1. Database: ASSIST utilizes AWS Aurora Serverless V2 as its primary database. This setup is bifurcated into 'writer' and 'reader' instances. The division allows us to direct read-only traffic to the reader instances. Applications that primarily request data, like BIRT reports and external interfaces such as Tableau and Business Objects Reports, engage with these reader instances.
  2. File Storage: For long-term and reliable storage of files, ASSIST incorporates AWS Elastic File Service (EFS). This is particularly instrumental for interaction with the FSS-19 system.
  3. Document Storage and Processing: ASSIST employs AWS S3 buckets for the storage and processing of documents and files. To ensure system security and integrity, these files undergo Clam AntiVirus scanning. This procedure aids in the early detection and mitigation of potential malware and viruses.

The Current System Architecture section, along with several other sections, illustrates how ASSIST leverages a suite of common components provided by Multi-tenant Container-as-a-Service (MCaaS):

  1. AWS S3: ASSIST utilizes AWS S3 for reliable storage and retrieval. Specifically, an S3 bucket is allocated for storing ASSIST invoicing files, ensuring these files are safely kept and readily accessible.
  2. ClamAV File Scanning Service: To maintain the integrity and safety of our stored files, ASSIST integrates the ClamAV file scanning service. This component scrutinizes files and categorizes them as clean, infected, or encrypted. In the event a file is detected to harbor a virus, access to the file is promptly inhibited, and the infected file can be permanently removed if necessary. The scanning process is initiated when a file is placed into a specified S3 bucket, triggered by an AWS Lambda function. Metadata about the scan result and timestamp are stored within the object's TagSet. This metadata is utilized by ASSIST to update our database and reflect the status of the uploaded file.
  3. Flux CD: As part of ASSIST's CI/CD pipeline, Flux CD is incorporated. This tool serves as a Continuous Delivery solution, aimed at keeping Kubernetes clusters in sync with their configuration source, Git repositories. It also automates the process of implementing configuration updates when they become available.
  4. Datadog: Continuous monitoring and logging of ASSIST's services are facilitated through the integration of Datadog. All constituent elements of the ASSIST ecosystem, including its databases, incorporate logging and monitoring features via this integration. Datadog is a robust cloud-scale monitoring service that allows for comprehensive observability of infrastructure and applications. Custom agents configured within the environments actively gather data from various sources such as pods, databases, and load balancers to maintain a constant stream of health check indicators. This data is relayed to Datadog, where it is processed, analyzed, and made readily available for operational and performance insights.
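
A fail-closed reading of the scan tags described in item 2, as an added example (not ASSIST or MCaaS code). The tag keys `scan-status` and `scan-timestamp`, the ISO 8601 timestamp format, and the choice to withhold `encrypted` files are assumptions; the sample TagSets are constructed.

```python
from datetime import datetime, timezone

# Assumed tag keys and ISO 8601 timestamp format; the page states only that
# the scan result and timestamp are stored in the object's TagSet.
STATUS_KEY = "scan-status"
TIME_KEY = "scan-timestamp"
VERDICTS = {"clean", "infected", "encrypted"}


def tagset_to_dict(tagging):
    """Flatten the {"TagSet": [{"Key": ..., "Value": ...}]} shape returned by
    S3 GetObjectTagging into a plain dict."""
    return {t["Key"]: t["Value"] for t in tagging.get("TagSet", [])}


def parse_utc(text):
    """Parse an ISO 8601 timestamp; a value without an offset is taken as UTC."""
    ts = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def download_decision(tagging, last_modified):
    """Return (allow, reason) for one object. last_modified must be
    timezone-aware. Only a current 'clean' verdict allows access."""
    tags = tagset_to_dict(tagging)
    status = tags.get(STATUS_KEY)
    if status is None:
        return False, "pending"          # scanner has not tagged the object yet
    if status not in VERDICTS:
        return False, "unrecognized"     # never trust a value we do not know
    try:
        scanned_at = parse_utc(tags[TIME_KEY])
    except (KeyError, ValueError):
        return False, "no-timestamp"
    if scanned_at < last_modified:
        return False, "stale"            # verdict predates the stored bytes
    if status == "clean":
        return True, "clean"
    # infected: access is inhibited, as the page describes.
    # encrypted: withheld here as an assumption, since it could not be inspected.
    return False, status


def make_tagging(status=None, when=None):
    """Build a constructed GetObjectTagging-style response for the demo."""
    pairs = [(STATUS_KEY, status), (TIME_KEY, when)]
    return {"TagSet": [{"Key": k, "Value": v} for k, v in pairs if v is not None]}


# Constructed sample data (not real ASSIST objects).
UPLOADED = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLES = {
    "invoice-a.pdf": make_tagging("clean", "2024-05-01T12:00:07Z"),
    "invoice-b.pdf": make_tagging("infected", "2024-05-01T12:00:09Z"),
    "invoice-c.zip": make_tagging("encrypted", "2024-05-01T12:00:11Z"),
    "invoice-d.pdf": make_tagging(),                        # not scanned yet
    "invoice-e.pdf": make_tagging("clean", "2024-05-01T11:58:00Z"),  # old verdict
    "invoice-f.pdf": make_tagging("clean"),                 # verdict, no timestamp
}

if __name__ == "__main__":
    for key, tagging in SAMPLES.items():
        print(key, download_decision(tagging, UPLOADED))
```

Because the tag is the trust signal here, write access to it (`s3:PutObjectTagging`) is worth restricting to the scanner's role.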

As described above, ASSIST is split into multiple applications that are deployed in the MCaaS environment. Each of these applications is deployed in a separate container running in the managed MCaaS environment. These applications provide one or more services in use by ASSIST. The breakdown of each of the applications and the services deployed in each are detailed in the diagram below.

Application | Service | Description
AM | ForgeRock AM | COTS product that includes ASSIST modifications to provide authentication services to the rest of ASSIST.
Accrual |  | Agreement, Billing and Accrual Transactions functionality include search capability for agreement, billing, and accrual transactions.
Agreement |  | Agreement, Billing and Accrual Transactions functionality include search capability for agreement, billing, and accrual transactions.
ASSIST 1 | Registration | The centralized registration platform for the ASSIST applications facilitates users having a single user account with the means to request access to all ASSIST applications and services at the same time.
ASSIST 2 | Acquisition Service | The Acquisition Service allows users to initiate the acquisition workflow. This enables AAS user communities to use one unified platform to conduct acquisition planning and collect a common set of acquisition data.
ASSIST 2 | Authentication Service | This service is in place to provide answers to authorization queries related to the current logged in user from other services.
ASSIST 2 | Award Admin Service | The Award Admin Service enables the users to follow the Award Administration workflow from creation of an award to signature and to allow for Award Modifications. The Award Administration includes the PDF forms that are generated when an award is signed as well as Attachment enhancements. In addition, the Award Admin Service Award Line Items accommodate all the various modification types including Administrative, Amount Change, Vendor Change, Final Deobligation, and combinations thereof. The Award also facilitates the Invoice. The FPDS feature is also available for signed Awards via the FPDS Summary form.
ASSIST 2 | Help Documentation Services | The Help Document Service provides access to ASSIST Help Documentation.
ASSIST 2 | IA Service | The Interagency Agreement describes the terms and conditions that govern the provision of acquisition assistance between the Requesting Agency and Servicing Agency, GSA/FAS/AAS. This component implements a common platform for conducting Interagency Agreements and collecting a common set of interagency agreements data. In addition, the IA component houses the Service Charge functionality which allows the users to create the following Service Charge Types: On-Demand, Fixed Fee, Labor, Labor Tracking, Travel, and Travel Tracking.
ASSIST 2 | Solicitation Service | Solicitation records are created and nested under Acquisitions as child records; GSA users can view and perform workflow actions consistent with workflow states within ASSIST interfaces. Solicitation records created also act as parent records for Awards, under which migrated Award records will be nested.
ASSIST 2 | Funding Service | The Funding Service provides methods to manage funds management for new and existing funding packages using amendments, adjustments, and lines of accounting. The Funding Service will leverage the existing ASSIST Agreement Service to transmit the financial agreement data to the GSA financial system of record, Pegasys, to enable the Federal Service Desk (FSD) to manage funds throughout the life of the funding package.
ASSIST 2 | Financial Services | The Financial Service allows GSA Finance users to conduct transactional corrections outside of the normal workflow. In ASSIST, the user has the ability to: (1) rebill after labor hours are moved from one-line item to another, (2) credit service charges/surcharges that have already been billed, and (3) delete an invoice that was already accepted. The Financial Service component encompasses the Financial Transmission Service enabling GSA Finance users to manage the transmission of data to the GSA Finance system of record, Pegasys. The service consumes incoming transmission data from integrated upstream ASSIST applications, allows users to manage transmission actions for data consumed by the service, and facilitates the outgoing transmission of data to Pegasys intermediary interfaces, Visual Invoice Tracking and Payment (VITAP) and Financial Management Enterprise Service Bus (FMESB).
ASSIST 2 | PIID Service | The ASSIST PIID Generator service provides a unique PIID to a requesting system that calls the service and provides a valid AAC and Instrument Code as inputs. The PIID is a unique number that can be assigned to a procurement artifact, such as an award document or solicitation document. The PIID Supplement number is an extension to the PIID number which denotes an updated version of the original, such as an award modification or a solicitation amendment. In addition to the ASSIST PIID Generator service, the PIID Management webpage can be used to search for PIIDs. Upon accessing the PIID Management page, the user can search for existing PIIDs, view the PIID Hierarchy and generate a new supplement for an existing PIID.
ASSIST 2 | Misc Services | There are a number of common services used throughout the modern ASSIST applications (e.g. Collaboration Service, Search Service, etc).
ASSIST 2 Web | Mirrors ASSIST 2 | Angular UI deployed to support ASSIST 2 application. UI services and structure mirror the services described for the ASSIST 2 application.
Billing | Billing Service | Billing transactions functionality including search capability for billing transactions.
CM Static Content | N/A | A static repository of CM content such as Slider Tutorials used during training and assets for email content.
CPRM | GWAC and Oasis Services | The Contract Payment Reporting Module (CPRM) began originally as two separate modules: Governmentwide Acquisition Contracts (GWAC) Management Module (GMM) and the One Acquisition Solution for Integrated Services (OASIS) Management Module (OMM). GWAC was designed to provide reporting services to stakeholders such as OMB and customers. It also provides Contract Access Fee (CAF) payment reconciliation and track payment status.
Document Management | Document Management Services | The document management component provides the backend capability to serve content to the help document repository which provides user training documentation, system release notes, and frequently asked questions. Similarly, the components across ASSIST also integrate this capability for uploading and managing attachments.
Dojo | N/A | Static content supporting legacy ASSIST UIs.
DS | ForgeRock DS | COTS Directory Services application required to support ForgeRock AM. Stores AM configuration information.
External File Transfer | File Transfer Service | A custom service developed to provide SFTP transmittal capabilities for the ASSIST database instance via an S3 bucket.
FPDS Integration | N/A | Provides FPDS integration services. Also maintains a UI for Support Users to manage FPDS accounts for ASSIST users.
GSA Pay Gov | N/A | Provides FPDS integration services. Also maintains a UI for Support Users to manage FPDS accounts for ASSIST users.
GSA Pay Gov | N/A | Provides GSA Pay.gov integration services for the CPRM application.
Portal | Login Service | Provides login and MFA capabilities.
Portal | Announcements Service | Management of system announcements.
Portal | User Preference Service | Provides support for user-controlled preference management.
Portal | CPRM Service | Provides services to the CPRM application specific to authorization and action items.
Portal Web | Mirrors Portal | Angular UI deployed to support Portal application. UI services and structure mirror the services described for the Portal application.
Reports | N/A | Custom GSA Reports utilizing the Eclipse BIRT report engine. BIRT is an Eclipse-based open-source reporting system for web applications, especially those based on Java and Java EE. BIRT has two main components: a report designer based on Eclipse, and a runtime component that you can add to your app server. BIRT also offers a charting engine that lets you add charts to your own application.
Support Tools | Support Tools Services | Services to support the ASSIST support tiers including data update creation, approval, and execution.
Support Tools Web | Mirrors Support Tools | Angular UI deployed to manage Support Tools application. UI services and structure mirror the services described for the Support Tools application.
Timekeeping | Timekeeping Services | The converged ASSIST Timekeeping service allows GSA users to log, certify, review/approve and Bill Labor Charges within the System. This service enables GSA Employees to track time spent on billable client work.
Timekeeping Web | Mirrors Timekeeping | Angular UI deployed to support Timekeeping application. UI services and structure mirror the services described for the Timekeeping application.

The following diagram displays the high-level dependencies between ASSIST applications. The arrows indicate the dependency direction. This diagram displays dependencies at the application level between the user interface and the back-end applications. It also depicts dependencies at the service level. This diagram does not display any dependencies between ASSIST and its external interfaces. Each relationship is described in the provided Key. The Key numbers correspond to the numbers displayed on the association lines in the diagram. 

system architecture
Figure 2. ASSIST High-level Dependencies

The ASSIST platform is characteristically designed to facilitate various external integrations with a range of disparate systems. These systems function in dual capacities—they either receive or provide information to/from the ASSIST platform. Communication processes between ASSIST and these systems utilize dedicated ports and protocols, all of which operate under the purview of formalized Interconnection Security Agreements (ISAs) that have been uniquely crafted for each system interface.

The succeeding diagram provides a visualization of this complex architecture. The box on the left encapsulates all communication channels directed towards ASSIST, including both application-level and database-level interactions.

ASSIST External Integrations
For a walkthrough or questions about this image please contact assist.servicedesk@gsa.gov

Note: In addition to the information provided below, check out the ASSIST GFE Process whitepaper to learn about how ASSIST migrated the development process from contractor laptops to GSA Government Furnished Equipment (GFE) laptops to better leverage the FCS CI/CD pipeline.

The ASSIST CI/CD Pipeline is central to all development activities for the ASSIST program. All deployed applications within the ASSIST boundary are built using the MCaaS CI/CD Pipeline. The ASSIST Team manages multiple simultaneous release trains depending on technical and business priorities and timelines. ASSIST has established a CM process to manage the release trains starting with release naming as described below.

The CM process defines merge strategies to keep releases in sync; release strategies; and details how code is promoted through the ASSIST dev, test, stage, and production environments:

Release Type | Naming Convention | Example
Program | ASSIST_X.x.x.x | ASSIST_4.0.0.0_DME
Major | ASSIST_x.X.x.x | ASSIST_4.1.0.0_DME
Minor/Maintenance | ASSIST_x.x.X.x | ASSIST_4.0.1.0_MR
Out-of-cycle | ASSIST_x.x.x.X | ASSIST_4.0.0.1_OOC

Upon beginning work on a story or defect, the ASSIST Team develops code within a feature branch specific to the functionality using a specific naming convention (feature/<issue ID>_<description>). Once a feature or defect is complete, tested, and committed, it is ready to be reviewed. A PR is created to merge from the feature branch to the appropriate release branch. Upon PR creation, Jenkins executes a preliminary build to ensure all unit tests and code quality gates pass in addition to ensuring the application and docker image successfully build. The PR is allowed to be merged only upon success of the PR build and two peer reviews and approvals. The merge in turn kicks off a release build for the application, performing the same checks as the PR build with an added Stackrox scan against the built image to detect any newly created security vulnerabilities.

A successful build against the release branch will yield a deployable application image, which the Jenkins build environment then tags and pushes to MCaaS ECR. The configuration of all deployments within the clusters is governed via Infrastructure-as-Code using Flux, controlled using GitOps practices. Changes to the Flux configuration follow the same process as the application repositories: all configuration and image tag changes to the clusters require a pull request to the assist-flux-config repository with two peer reviews and approvals. With the image policy mechanism provided by Flux v2, the DevOps team will ensure the latest image tags for a given release are automatically deployed to the designated Dev and Test environments the moment they become available.

A release is deployed to Staging via manual promotion of the release image tags for each application. Deployment to Production follows a similar procedure, with the addition of a separate git repository, assist-prod-flux-config, for production Flux configurations.

system architecture

ASSIST Architecture (To Be)

The diagram below shows the future to-be state of ASSIST’s architecture. This includes the eventual use of data analytics and the leveraging of microservices as the system becomes more mature. ASSIST Optimization is the next evolution of this transactional system. With a projected development commencement date in 2024, ASSIST Optimization boasts an array of advanced features to elevate its capabilities. One significant change will be its micro-frontend applications which are geared to deliver a modular and adaptable user interface. This interface will be supported by a consolidated API, which, in turn, reveals a host of back-end micro-services. These services, in line with the contemporary micro-services paradigm, will likewise be hosted on the MCaaS platform. 

Data management will experience a paradigm shift in ASSIST Optimization. In keeping with the microservices pattern, data will reside in distributed databases, ensuring that each microservice has autonomy over its data. One of the most noteworthy introductions in ASSIST Optimization is the local data analytics (LDA) engine. This engine is optimized for customer experience and business intelligence, positioning it as a game-changer in the realm of data-driven decision-making. LDA's capacity to generate datasets will provide invaluable insights, facilitating decisions via detailed reports, event triggers, and timely notifications. These features will seamlessly integrate with standard FAS shared services.

Furthermore, ASSIST Optimization will maintain its connections to the same external data sources and dependencies as its predecessor. A significant objective with the design of ASSIST Optimization is the emphasis on system reusability. This ensures that similar systems can capitalize on the advancements of ASSIST Optimization, making it a trailblazer in transactional data systems.

system architecture

ASSIST's Optimization journey is continuous and the next critical phase of this journey will begin in FY23 Q4 with primary focus on following: