How to set up an AWS Commercial to GovCloud CI/CD pipeline
If you’ve worked with services in AWS GovCloud, you know about the unique challenges that come with it. Not every AWS service is authorized in GovCloud, which reduces your development tool set. AWS and InfusionPoints recommend using the principle of least privilege. In many cases, this means your developers will be working out of a reduced-access Commercial AWS account, commonly referred to as a Developer, Test, or Staging account. The demarcation between Commercial and GovCloud does increase security, but deployment can become a challenge.
Because of the aforementioned least-privilege rule, your development team may not have access to production or even UAT environments. Your developers likely rely upon cloud admins to deploy update packages. A Continuous Integration / Continuous Delivery (CI/CD) pipeline is a series of steps intended to simplify the handoff between the two teams and make the transition as seamless as possible.
When you need to move a deployment package from Commercial to GovCloud, you’ll find that GovCloud services can’t be given cross-account access to their respective Commercial counterparts, which throws a wrench into most CI/CD pipeline walkthroughs.
However, this does not mean that setting up a CI/CD pipeline from Commercial to GovCloud is impossible, or even that much harder. It just requires a different approach.
The following basic framework is the basis for a Commercial to GovCloud CI/CD pipeline. It should be sufficient for most deployment packages.
- Set up an S3 bucket in the Commercial account that your developers have access to.
- Upload your deployment package (archived Terraform files / CodeBuild project / Dockerfile) to that bucket.
- Create an S3 bucket in your GovCloud account.
- Create a Lambda function in your GovCloud account that copies files from a pre-signed URL to your GovCloud S3 bucket.
- Create a CodeBuild project / Lambda function / other data transformation utility that will extract your deployment package and place it in the desired location. This could be a Lambda that loads CodeBuild data, or a CodeBuild project that extracts and pushes a Docker image.
- Finally, create a Step Function that runs your data copy Lambda and your data transformation utility sequentially.
Once the infrastructure is in place, the process of deploying from dev machine to GovCloud production is as follows:
- Dev uploads the Docker image TAR to the Commercial S3 bucket.
- Dev generates a presigned URL for the TAR file and provides it to the cloud admin team.
- Cloud admin feeds the presigned URL to the Step Function and runs it.
There is further nuance to the process depending on your specific requirements. You may need to track checksums, or deploy more than one type of component with each package.
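As an added example (not InfusionPoints' code), here is what the GovCloud-side copy Lambda from the framework above can look like, including the checksum tracking just mentioned: it accepts only an unexpired presigned URL for the known Commercial bucket, spools the package to /tmp, verifies its SHA-256, and only then writes it to the GovCloud bucket. The bucket names, the Step Function input shape, and the injectable `fetch`/`put` hooks (so the checks run offline) are assumptions.

```python
import hashlib
import tempfile
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Assumed name of the Commercial-side bucket: the Lambda fetches from this host only.
SOURCE_HOST = "example-commercial-bucket.s3.us-east-1.amazonaws.com"
REQUIRED_PARAMS = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
                   "X-Amz-Expires", "X-Amz-Signature")


def validate_presigned_url(url, now=None):
    """Accept only an https SigV4 presigned URL for the known source bucket that has not expired."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname != SOURCE_HOST:
        return False
    query = parse_qs(parts.query)
    if any(p not in query for p in REQUIRED_PARAMS):
        return False
    signed_at = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    expires_at = signed_at.replace(tzinfo=timezone.utc) + timedelta(seconds=int(query["X-Amz-Expires"][0]))
    return (now or datetime.now(timezone.utc)) < expires_at


def copy_package(url, expected_sha256, bucket, key, fetch=urllib.request.urlopen, put=None):
    """Spool the package to /tmp, verify its SHA-256, and only then upload it to the GovCloud
    bucket. Returns the verified digest. fetch/put are injectable so the logic runs offline."""
    if not validate_presigned_url(url):
        raise ValueError("refusing to fetch: not a valid, unexpired presigned URL for the source bucket")
    digest = hashlib.sha256()
    with tempfile.NamedTemporaryFile() as spool, fetch(url) as src:
        for chunk in iter(lambda: src.read(1 << 20), b""):  # 1 MiB chunks; /tmp must fit the package
            digest.update(chunk)
            spool.write(chunk)
        spool.flush()
        if digest.hexdigest() != expected_sha256.lower():
            raise ValueError("checksum mismatch: package was not written to the GovCloud bucket")
        if put is None:
            import boto3  # available in the Lambda runtime; imported here so the checks run without it
            put = boto3.client("s3").upload_file
        put(spool.name, bucket, key)
    return digest.hexdigest()


def lambda_handler(event, context):
    """Step Function input, assumed shape: {"presigned_url": ..., "sha256": ..., "key": ...}."""
    bucket = event.get("bucket", "example-govcloud-deploy-bucket")  # assumed GovCloud bucket name
    return {"bucket": bucket, "key": event["key"],
            "sha256": copy_package(event["presigned_url"], event["sha256"], bucket, event["key"])}
```

The Step Function passes the presigned URL and the expected digest the developer recorded alongside it; a mismatch raises before anything lands in the GovCloud bucket, so the state machine fails closed.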
If the finer details of transitioning data from AWS Commercial to AWS GovCloud have been a stumbling block for your team, InfusionPoints can assist you with the process, from initial setup to a functioning, repeatable CI/CD pipeline.