Part 1 - Step 17 redundant
Part 1 - Step 22 Screenshot update as code lines are incorrect
Step 22 GUID not matching up to real tenant id

Is it possible to deploy this locally on docker instead of on the cloud? Would be nice if we can get the steps to do so

I do some changes in the code but i can not deploy this changes.
Change the login and rest api login.

New tenant/user registration fails with saas-bootcamp-user-svc-task-role is not authorized to perform: cognito-idp:TagResource on resource: *

Hello guys,

How did you go through the CORS issue on the tenant registration step ? I can't register I keep having CORS issue between my CloudFront and my API .../reg....

How come I'm the only one with this issue?

When running the workshop.yml CF template the Baseline nested stack fails standing up the workshop. The error I receive is below:

Embedded stack arn:aws:cloudformation:us-east-1:479698460486:stack/B2-Baseline-M3JRIU7AZ012/5affd0f0-34bd-11eb-b506-0a68381145d1 was not successfully created: The following resource(s) failed to create: [WebClient, AuthService, UserService, OrderService, ProductService, TenantService, RegistrationService].

After this is hit it rolls back the deployment and the logs are removed.

To fix the Cloud9 issues with the event engine, we hard coded an IAM role in saas-bootcamp-cloud9.template. This prevents the stacks from properly deploying in a normal AWS account. We need a Lambda function that will check for the existence of that role and set a CloudFormation condition respectively.

Lab2 Part2 - Failed because existing stack name

Hi, I know this repository just got created, but I was wondering if there is a planned session that will be covering items in this repository or if there is something that's already available? Looks very interesting & thanks for publishing this!

EDIT: Sorry, just read about SaaS Factory program at AWS.

Include a Master and Linked Account Implementation

It's complicated to reference specific parts of the PDF, and impossible to create pull requests. Suggest moving them to some format that would allow easier contributions.

lab3part2 step 4-6 is a lot of tiny steps.. might be worth adding some screenshots. I had to do it twice because I missed something

We intend to have the same user in multiple tenant accounts. This means the same username/email will be mapped to multiple Cognito pool ids in user management service. How can we decide which pool to authenticate the user against when we do not want to have the users select the tenant.

The various build.sh and [servicename].sh scripts designed to be run from within the Cloud9 environment have the AWS region hard coded to us-east-1. This breaks if the baseline CloudFormation template was deployed in any other region.

For brand-new account is ok.
But if the account has even one cloudformation stack, some scripts don't work.

The architecture consists of a lot of nested stack and detect root stack name as BASELINE_STACK by referencing to the oldest stack based on CreationTime.

I suggest using other logic not depending on specific account environment.

Index.html > index.html should fix

CURL needs to be more intuitive

The documentation for lab 1 indicates that the IDE is already provisioned. How would one proceed with the lab if the IDE isn't already there?

Thanks,
-Derek

Product Table is created by CFN when it shouldnt be

Hi,

Note: This is not an issue. Just want to confirm one additional aspect. Please do let me know if I need to raise such requests in any other forum.

I have started using this bootcamp implementation, by making few changes to authentication as per our needs.

Changes:
Instead of /auth endpoint validating UN/PWD and return tokens; my endpoint just validates UN, identifies which Tenant user belongs to, and returns Pool details (Userpool Id, AppClientId. IdPool Id). Client receives these details and uses Amplify to configure the Auth, and starts UN/PWD flow.

Reason for this change is, we can have either of (not both at the same time) the following situations:

1. User email exists in two Tenants, so this implementation would help me to display a UI to choose which Tenant user wants to login to, and accordingly initiate authentication based on the Tenant selected.
2. If Federation Authentication is configured to a Tenant, then this implementation would help me to not to enforce PWD, and redirect to respective IdP from client.

Query:

1. Auth endpoint is unauthenticated and revealing the details (Userpool Id, AppClientId. IdPool Id). Is it OK to reveal such details?
2. Is there any other way that I can achieve similar requirements (1 & 2 above)?

Thanks in advance for any help.
Sai Koya

Deleting the bootcamp CloudFormation stacks does not remove the CloudWatch log groups created

Document Update - Recommended update to have Context when its not an executionary step.

While loading workshop.yml into Cloudformation, there is the next error:

The following resource types are not supported for resource import: AWS::SSM::Parameter,Custom::CustomResource,Custom::CustomResource,Custom::CustomResource,Custom::CustomResource,Custom::CustomResource

Running with all privileged account.

Thanks

Lab3/Part5/scripts/productmanager-v7.sh does not exist.

Lab2 Part 1 Step 10 error with http should be https

1. Timeout to short for federation - Should be duration of bootcamp
2. Having to signout when in another account, when isengard works
3. Caching issues and not loading when changes made

Part 2 / Step 5: product id -> productId

Dynamodb update documentation fix for leading keys

The web-client-build.template nested template fails to delete due to the S3 artifact bucket not being empty.
Resource: applicationui-webclient-random-artifactbucket-random

I'm looking for advice on how to get past the below in Lab 1 Part 2 - Deploy the user Management Microservice.

17:21:55 UTC-0500 | CREATE_FAILED | AWS::CloudFormation::Stack | DevEnvironment | Embedded stack arn:aws:cloudformation:us-east-2:915842112807:stack/UserManagerService-DevEnvironment-1T0U35TGL2RVK/1a359160-99c7-11e8-9afa-060ae44bf6ec was not successfully created: No export named module-saas-bootcamp-base-PUBLICSUBNET1 found
-- | -- | -- | -- | --

I did start Part 2 a day after finishing Part 1 if that help anything. The Cloud Formation Manager still have green status of the services running.

Thanks

product table should not be named 'product' in screenshot should be 'ProductBootcamp'

I am looking for the codebase for lab1 that will onboard and authenticate tenants and their users. This involves provisioning userpool/identity pool/ custom claims. All of that is pretty important information that is missing here. Where can I find it?

Part 2 / Step 1:

Lab2/Part2 /app/source/product-manager/ -> Lab2/Part2 /app/source/product-manager/src/

Reset Password and Resent Notification in Console and API

Lab1/Part6/templates/client/web-client-build.template

Code build fails while installing Ruby gem compass due to upgraded Ruby runtime requirements not being available in the default CodeBuild Linux apt-get repo.

Building native extensions. This could take a while... ERROR: Error installing compass: rb-inotify requires Ruby version >= 2.2.

Should combine part 7 and 8 into part 7. Part 6 labeling is repeated. 5, 6, 6, 7 should be 5, 6, 7 (combine 7 & 8).

START RequestId: ae5af682-8ebd-11e8-9b24-a3456f67235f Version: $LATEST
2018-07-23T21:16:40.073Z ae5af682-8ebd-11e8-9b24-a3456f67235f REQUEST RECEIVED:
{
"RequestType": "Create",
"ServiceToken": "arn:aws:lambda:us-east-1:058192547359:function:ApplicationUI-Update-10Z0AEVMJ253-CFNConfiguration-44FKZT5QXZ37",
"ResponseURL": "https://cloudformation-custom-resource-response-useast1.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A058192547359%3Astack/ApplicationUI-Update-10Z0AEVMJ253O-AuthUpdate-1W2LS9CX7B6GA-UpdateService-L9UX6OMVOGDQ/a1e6c9e0-8ebd-11e8-b61a-500c20ff1436%7CCFNInvoke%7C14fa9832-c5ee-4d3a-ac21-e3d233f13cdf?AWSAccessKeyId=AKIAIYSQHCFBJXX7KRIA&Expires=1532387795&Signature=onPFWHD6004VrFbcerc17j4ZL%2FE%3D",
"StackId": "arn:aws:cloudformation:us-east-1:058192547359:stack/ApplicationUI-Update-10Z0AEVMJ253O-AuthUpdate-1W2LS9CX7B6GA-UpdateService-L9UX6OMVOGDQ/a1e6c9e0-8ebd-11e8-b61a-500c20ff1436",
"RequestId": "14fa9832-c5ee-4d3a-ac21-e3d233f13cdf",
"LogicalResourceId": "CFNInvoke",
"ResourceType": "Custom::ConfigFile",
"ResourceProperties": {
"ServiceToken": "arn:aws:lambda:us-east-1:058192547359:function:ApplicationUI-Update-10Z0AEVMJ253-CFNConfiguration-44FKZT5QXZ37",
"TaskDefinition": "arn:aws:ecs:us-east-1:058192547359:task-definition/auth-manager:3",
"Service": "auth-manager",
"Cluster": "module-saas-bootcamp-base-Base-1R9PVNF22IB45-BaselineStack-9T1B4TG4IXCU",
"StackName": "ApplicationUI-Update-10Z0AEVMJ253O-AuthUpdate-1W2LS9CX7B6GA-UpdateService-L9UX6OMVOGDQ"
}
}

2018-07-23T21:16:40.111Z ae5af682-8ebd-11e8-9b24-a3456f67235f STACK CREATE
2018-07-23T21:16:45.633Z ae5af682-8ebd-11e8-9b24-a3456f67235f { ServiceNotFoundException: null
at Request.extractError (/var/task/node_modules/aws-sdk/lib/protocol/json.js:48:27)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request. (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
at Request. (/var/task/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
message: null,
code: 'ServiceNotFoundException',
time: 2018-07-23T21:16:45.631Z,
requestId: 'b3fdfccc-8ebd-11e8-80d2-3f1362e8405d',
statusCode: 400,
retryable: false,
retryDelay: 68.71166916807712 } 'ServiceNotFoundException: null\n at Request.extractError (/var/task/node_modules/aws-sdk/lib/protocol/json.js:48:27)\n at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:105:20)\n at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:77:10)\n at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:683:14)\n at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)\n at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)\n at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10\n at Request. (/var/task/node_modules/aws-sdk/lib/request.js:38:9)\n at Request. (/var/task/node_modules/aws-sdk/lib/request.js:685:12)\n at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:115:18)'
2018-07-23T21:16:45.730Z ae5af682-8ebd-11e8-9b24-a3456f67235f Response body:
{
"Status": "FAILED",
"Reason": "See the details in CloudWatch Log Stream: 2018/07/23/[$LATEST]1fb9ff364c874bff8225b2196bbf26be",
"PhysicalResourceId": "2018/07/23/[$LATEST]1fb9ff364c874bff8225b2196bbf26be",
"StackId": "arn:aws:cloudformation:us-east-1:058192547359:stack/ApplicationUI-Update-10Z0AEVMJ253O-AuthUpdate-1W2LS9CX7B6GA-UpdateService-L9UX6OMVOGDQ/a1e6c9e0-8ebd-11e8-b61a-500c20ff1436",
"RequestId": "14fa9832-c5ee-4d3a-ac21-e3d233f13cdf",
"LogicalResourceId": "CFNInvoke"
}

2018-07-23T21:16:45.946Z ae5af682-8ebd-11e8-9b24-a3456f67235f Status code: 200
2018-07-23T21:16:45.946Z ae5af682-8ebd-11e8-9b24-a3456f67235f Status message: OK
END RequestId: ae5af682-8ebd-11e8-9b24-a3456f67235f
REPORT RequestId: ae5af682-8ebd-11e8-9b24-a3456f67235f Duration: 5921.41 ms Billed Duration: 6000 ms Memory Size: 128 MB Max Memory Used: 33 MB
START RequestId: dacc37ef-8ebd-11e8-8858-15744465283b Version: $LATEST

doesnt tell user what policy to edit. They should edit TenantAdmin

The saas-bootcamp-docker-bucket-repository nested template fails to delete because the ECR repository isn't empty.

Ensure that Email is specified, and notate that the customer must not put [email protected] but a valid email

Streaming Data Error should be more intuitive

Delete stack fails in the nested admin-access-policy.template because of a JavaScript error

TypeError: Cannot read property 'logStreamName' of undefined

DynamoDB table: product is never being used. Documentation should not ask user to create the table manually.

Deleting the CloudFormation stacks for the bootcamp does not remove the IAM user BootcampUser which causes failure if you rerun the stacks.

Hi,
Page 24 of PDF files "SaaS Identity and Isolation with Amazon Cognito" says "6. Tenant registration provisions policies for each tenant role." Also Figure13 in the same page shows like that.

But I couldn't find the code related code in app/source/tenant-registration/src/server.js
does the code locate in the User Management Service, not Tenant Registration Service?
I would like to know where it is in.

Lab 1 Part 6 Overview states S3 bucket above when bucket was not created

The step starts off with "Now that have a clearer view" does not read well.

Add logging to cloudwatch. This needed to be removed to fix a bug but this should come back post 23rd

The image for the "Do You want to add custom attributes?" is at the top of the page. However, there is a sentence that states "Your screen should appear as follows:" with nothing below it. It appears the image at the top of the page should be below that last sentence.