Skip to main content

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Share your experience with the FAS IT-Playbook by taking this brief survey

Technical Approach

In the technical approach, the PPMS modernization used microservices that leverage many different AWS services. Other tools are used in conjunction with AWS services to implement DevSecOps, CI/CD, and GitOps principles.

High-Level Approach

A high-level breakdown of the microservices used in the technical approach along with the standard design pattern for each microservice is shown below.

Following the Single Responsibility principle and Domain Driven Design, the PPMS application is broken down into multiple microservices. This microservices design enables faster deployment of new features and reduces time spent on O&M for the application. Each microservice has its own Database which is managed as multiple schemas in one RDS in lower environments and each with its own RDS in Production environment. Microservices implemented for PPMS are shown in the list below.

Figure 1: PPMS Microservices

All the Microservices follow the common pattern of having Controllers, Service and Repository classes. Communications between microservices are through REST API calls. The sequence diagram below illustrates the common pattern of how each API call in a microservice behaves.

Figure 2: Sequence flow for API call pattern within a microservice.

AWS Services

In order to implement the microservices-focused approach outlined above, PPMS leverages many different AWS Services. The AWS Services used for PPMS are listed below, organized by use case. You can also find more information about AWS here.

  • AWS VPC (Security Group, Subnets, NACLs, VPC Flow logs, VPC Peering association): Uses SQL to analyze structured and semi-structured data across data warehouses, operational databases, and data lakes, using AWS-designed hardware and machine learning to deliver the best price performance at any scale.
  • AWS EKS: In the cloud, Amazon EKS automatically manages the availability and scalability of the Kubernetes control plane nodes responsible for scheduling containers, managing application availability, storing cluster data, and other key tasks. With Amazon EKS, you can take advantage of all the performance, scale, reliability, and availability of AWS infrastructure, as well as integrations with AWS networking and security services. On-premises, EKS provides a consistent, fully-supported Kubernetes solution with integrated tooling and simple deployment to AWS Outposts, virtual machines, or bare metal servers.
  • AWS S3: Store and protect any amount of data for virtually any use case, such as data lakes, cloud-native applications, and mobile apps.
  • AWS CloudTrail: Monitors and records account activity across your AWS infrastructure, giving you control over storage, analysis, and remediation actions.
  • AWS DynamoDB: A fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. DynamoDB offers built-in security, continuous backups, automated multi-Region replication, in-memory caching, and data import and export tools.
  • AWS Glue (Database Catalog, Crawler, Jobs, Connections for data migration): A serverless data integration service that makes it easier to discover, prepare, move, and integrate data from multiple sources for analytics, machine learning (ML), and application development.
  • AWS ElasticSearch: A serverless data integration service that makes it easier to discover, prepare, move, and integrate data from multiple sources for analytics, machine learning (ML), and application development.
  • AWS RDS (MySQL, PostgreSQL): A collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.
  • AWS Redshift: Uses SQL to analyze structured and semi-structured data across data warehouses, operational databases, and data lakes, using AWS-designed hardware and machine learning to deliver the best price performance at any scale.
  • AWS ElastiCache (REDIS): An in-memory data store that provides sub-millisecond latency to power internet-scale real-time applications.
  • AWS CloudFront: A content delivery network (CDN) service built for high performance, security, and developer convenience.

  • AWS IAM: Specifies who or what can access services and resources in AWS, centrally manage fine-grained permissions, and analyze access to refine permissions across AWS.
  • AWS KMS: Allows you to create, manage, and control cryptographic keys across your applications and more than 100 AWS services.
  • AWS GuardDuty: A threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
  • AWS Secret Manager: Helps you manage, retrieve, and rotate database credentials, API keys, and other secrets throughout their lifecycles.

  • AWS WAF Shield (v2): A web application firewall that lets you monitor the HTTP(S) requests that are forwarded to your protected web application resources.
  • AWS Certificate Manager: A service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.
  • AWS Transfer Family (SFTP): Securely scales your recurring business-to-business file transfers to AWS Storage services using SFTP protocol.
  • AWS PrivateLink: Provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet.

  • AWS EKS: In the cloud, Amazon EKS automatically manages the availability and scalability of the Kubernetes control plane nodes responsible for scheduling containers, managing application availability, storing cluster data, and other key tasks. With Amazon EKS, you can take advantage of all the performance, scale, reliability, and availability of AWS infrastructure, as well as integrations with AWS networking and security services. On-premises, EKS provides a consistent, fully-supported Kubernetes solution with integrated tooling and simple deployment to AWS Outposts, virtual machines, or bare metal servers.
  • AWS CloudWatch: A monitoring and observability service built for DevOps engineers, developers, site reliability engineers (SREs), IT managers, and product owners that provides data and actionable insights to monitor your applications, respond to system-wide performance changes, and optimize resource utilization.

Tools

A variety of tools are used as part of the PPMS project to implement DevSecOps, CI/CD, and GitOps principles. For more information about the functionality of the tools referenced in the descriptions below, please visit the Tools Used on PPMS Modernization list.

  • Infrastructure Automation: The entire PPMS AWS services are automated using Terraform. Building the AMIs are also automated using Ansible/Packer. Currently we are also using Terraform to run our maintenance on the infrastructure.
  • Container Orchestration: The PPMS is using AWS EKS to orchestrate all these tools "containers" which are automated/managed by Terraform/ArgoCD/Helm/Kustomize as well. The worker nodes of the EKS are hardened and pulled from the GSA ISE Team using Terraform.
  • Static Code Analysis (SAST Testing): SonarQube tool that is automated and managed by ArgoCD
  • Container Vulnerability Scanning/Security Scanning and Testing: GSA Tools (Anchore/Stackrox) which are also automated and managed by ArgoCD
  • Registry/Artifactory: JFrog Artifactory used for Artifact repository/Container Registry that is automated and managed by ArgoCD
  • Distributed Tracing: ZipKin helps gather timing data needed to troubleshoot latency problems in service architectures (SOA). It is automated and managed by ArgoCD
  • Application Performance Monitoring (APM)/Application Logging: Grafana is a data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki. We are using Loki to aggregate and pull all the application logs across the multi-tenant AWS Account (Dev, Test, Mgmt, Prod). We are also using Prometheus to pull all the containers/applications performance metrics across the multi-tenant AWS Account (Dev, Test, Mgmt, Prod). All these tools are automated and managed by ArgoCD
  • End-to-End Encryption (E2EE): We are using Load Balancer with valid Certificate to serve the application with SSL (HTTPS) but that is not everything, we are also using Linkerd2 for securing internal communication (mTLS) between the micro-services and Cert-Manager to rotate the micro-services' external links as extra security measurement. Beside that, we are also attaching AWS Security Group to Kubernetes Pods to control the rules that allow inbound and outbound network traffic to and from pods.
  • Secrets and Encryption Management System: We are using AWS Secret Management to store all our private/sensitive information and we are deploying External-Secret-Operator (ESO) as plugin for Kubernete clusters (AWS EKS) to pull all the secrets rather than having them stored/hardcoded anywhere else.
  • Fault-Tolerance and High Availability: We are using Cluster-Autoscaler tool across all our multi-tenant Kubernetes Clusters that is a standalone program to adjusts automatically the size of a Kubernetes cluster to meet the current needs/load of the entire system. This tools is also automated and managed by ArgoCD.

  • Continuous Integration: Jenkins managed by ArgoCD which is also automated in our IaC github repository.
  • Continuous Deployment: We are using ArgoCD that is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD is implemented as a kubernetes controller which continuously monitors running applications and compares the current, live state against the desired target state (as specified in the Git repo)