# ECS Variant-1: New Customers

This article outlines the end-to-end process for enabling AskEdgi components for newly onboarded SaaS customers on ECS-Variant-1. The implementation leverages AWS Control Tower automation to create and manage core AWS resources, while incorporating manual verification steps to ensure correct configuration and functionality.

AskEdgi components rely on a combination of AWS services such as ECS, RDS, EFS, S3, SQS, IAM, and Secrets Manager. These components are configured to interact seamlessly, enabling secure and scalable operations for the SaaS environment. This document provides a structured, step-by-step guide for setting up network security, IAM roles, ECS tasks, S3 buckets, SQS queues, event notifications, Bridge server and client setup, and feature validation for AskEdgi.

<figure><img src="/files/0qDt3BEVkMpfzWCjuF3U" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/hDpwRtOxhS84h93ejvUa" alt=""><figcaption></figcaption></figure>

## Purpose of the document

The purpose of this document is to provide a detailed, professional, and structured process for implementing AskEdgi components on ECS-Variant-1 for new SaaS customers. It ensures all AWS resources, ECS tasks, S3 buckets, SQS queues, IAM configurations, and application services are configured correctly. It also provides verification steps to validate operational readiness and integration of AskEdgi within the Ovaledge environment.

## Prerequisites

<table><thead><tr><th width="128.9166259765625">Component</th><th width="251.5">Requirement</th><th>Notes / Important</th></tr></thead><tbody><tr><td>ECS</td><td>ECS cluster and service access</td><td>Required for deploying Edgi Data and Insight services</td></tr><tr><td>SQS</td><td>Access to create and manage queues</td><td>Needed for data sync between services</td></tr><tr><td>IAM</td><td>Permissions to create roles, users, and attach policies</td><td>Ensure IAM policies include required permissions for ECS, SQS, and S3</td></tr><tr><td>RDS</td><td>Database instance</td><td>Used for storing Edgi data and metadata</td></tr><tr><td>EFS</td><td>File system access</td><td>Required for persistent storage for the Insight service</td></tr><tr><td>Secrets Manager</td><td>Create and manage secrets</td><td>Used to store database credentials and other sensitive keys</td></tr></tbody></table>

{% hint style="warning" %}

* Ensure AWS Control Tower automation is active and operational before starting.
* Manual verification is required for ECS task roles, IAM user credentials, S3 bucket permissions, and event notifications.
* All services should comply with corporate security policies regarding VPCs, subnets, and access controls.
  {% endhint %}

## Implementation Steps

### Step 1: Network Security

* Create two private subnets for the Edgi Insight Service.
* Create a Security Group for the Edgi ECS service with the following rules:

| Protocol | Port | Source/Destination                   |
| -------- | ---- | ------------------------------------ |
| TCP      | 8000 | Destination VPC range                |
| TCP      | 9200 | Private Elasticsearch Security Group |
| TCP      | 3306 | Private RDS Security Group           |
| All      | All  | Private EFS Security Group           |

{% hint style="info" %}

* Ensure that ports 8000, 9200, and 3306 are allowed only from specified sources.
* Security Group configuration ensures proper communication between Edgi ECS, RDS, EFS, and Elasticsearch.
  {% endhint %}

### Step 2: EFS Access Points

* Create an EFS Access Point for the AskEdgi Insight Service, and one common Access Point shared by the OvalEdge UI/Job, the data task definitions, and the Insight service.

| Access Point Path        | Notes         |
| ------------------------ | ------------- |
| /oe\_edgi\_assets\_store | Stores assets |

{% hint style="warning" %}
Assign correct mount permissions to ECS tasks to ensure persistent storage access.
{% endhint %}

### Step 3: S3 Bucket Creation

* Create a new S3 bucket for storing Edgi-related data.

  <figure><img src="/files/O4igbnzyeabAch49KPa8" alt=""><figcaption></figcaption></figure>
* Configure CORS permissions:

```json
[
  {
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["PUT"],
    "AllowedOrigins": ["*"],
    "ExposeHeaders": []
  }
]
```

<figure><img src="/files/grY3Sav9TyV1TIvoBU2u" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}

* The bucket will store all data uploaded via Edgi Data Service and processed by the Insight Service.
* Ensure correct permissions to allow S3 to send events to SQS.
  {% endhint %}

### Step 4: IAM User Configuration

#### IAM User for AskEdgi Python

* Create an IAM user (example: edgi\_user) and attach the following policies:
  * AmazonSQSFullAccess (AWS managed policy)
  * AskEdgi\_policy\_Saas, created from the AWS SaaS ECS policy JSON: <https://oe-saas-distributions-bridgeclient.s3.ap-south-1.amazonaws.com/Askedgi/AWS_SAAS_ECS_Policy.json>

    <figure><img src="/files/TvLSwnYJ27XLkIBh6nNV" alt=""><figcaption></figcaption></figure>

    <figure><img src="/files/sXf6ZcHKVtdPrOXJWNCC" alt=""><figcaption></figcaption></figure>
* Generate Access Key and Secret Key for CLI access.

  <figure><img src="/files/ImrxZgqxzZR69yuTjiZC" alt=""><figcaption></figcaption></figure>
* Use credentials in Ovaledge Task Definition environment variables:

| Environment Variable   | Value         |
| ---------------------- | ------------- |
| EDGI\_AWS\_ACCESS\_ID  | \<access key> |
| EDGI\_AWS\_SECRET\_KEY | \<secret key> |

#### IAM User for Bridge Server and Client

* Create another IAM user with S3 PutObject permissions only.

  <figure><img src="/files/nyAtv16Fs9qzGo68Jwfr" alt=""><figcaption></figcaption></figure>
* Use credentials in Ovaledge Task Definition environment variables:

| Environment Variable           | Value                    |
| ------------------------------ | ------------------------ |
| BRIDGE\_AWS\_USER\_ACCESS\_KEY | \<bridge IAM access key> |
| BRIDGE\_AWS\_USER\_SECRET\_KEY | \<bridge IAM secret key> |

{% hint style="info" %}

* Bridge user credentials are required for secure S3 uploads.
* Validate IAM policies before ECS task deployment.
  {% endhint %}

### Step 5: ECS Task Role Configuration

* Create IAM Role with ECS task execution permissions.
* Attach the custom policy: [AskEdgi ECS Policy JSON](https://oe-saas-distributions-bridgeclient.s3.ap-south-1.amazonaws.com/Askedgi/AWS_SAAS_ECS_Policy.json).

  <figure><img src="/files/t7Mr7L88OMwuROpK8G65" alt=""><figcaption></figcaption></figure>
* Modify the Trust Relationship for ECS.

  <figure><img src="/files/ezeBHRS0I1wJG9zcyaGN" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}

* This IAM role is shared across all ECS Task Definitions to ensure consistent and secure access.
* Automation scripts handle permission setup automatically, but verification is recommended.
  {% endhint %}

### Step 6: AWS SQS Configuration

Amazon SQS (Simple Queue Service) is a fully managed message queuing service provided by AWS. It allows decoupling of application components so that they can communicate and scale independently.

* Create SQS queue: data\_sync\_queue using naming convention \<prefix>\_data\_sync\_queue (example: askedgi\_data\_sync\_queue).

**Configure Access Policy – Send Message Permissions**

* Go to Advanced settings and note the Resource ARN.
* Modify the JSON below to include the AWS Account ID, Region, IAM Role Name, and S3 Bucket ARN.

  <figure><img src="/files/Ux4ckjwwE22F1gY8Z35g" alt=""><figcaption></figcaption></figure>

**Access Policy – Send Message Permissions:**

* Modify the JSON below according to the account ID, region, IAM role name, and S3 bucket ARN.
* aws:SourceArn: the ARN of the S3 bucket created in **Step 3**.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "__owner_statement_1",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${AWS_ACCOUNT_ID}:root"},
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:${AWS_REGION}:${AWS_ACCOUNT_ID}:${PREFIX}_data_sync_queue"
    },
    {
      "Sid": "__receiver_statement",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${IAM_ROLE_NAME}"},
      "Action": ["SQS:ChangeMessageVisibility", "SQS:DeleteMessage", "SQS:ReceiveMessage"],
      "Resource": "arn:aws:sqs:${AWS_REGION}:${AWS_ACCOUNT_ID}:${PREFIX}_data_sync_queue"
    },
    {
      "Sid": "__s3_sender_statement",
      "Effect": "Allow",
      "Principal": {"Service": "s3.amazonaws.com"},
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:${AWS_REGION}:${AWS_ACCOUNT_ID}:${PREFIX}_data_sync_queue",
      "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::${BUCKET_NAME}"}}
    }
  ]
}
```

<figure><img src="/files/jVMK0Z7IJWpGYlL5ZI1Z" alt=""><figcaption></figcaption></figure>

**Access Policy – Receive Message Permissions:**

* Principal: IAM role ARN
* Resource: the \<prefix>\_data\_sync\_queue ARN (example: edgi\_galaxy\_data\_sync\_queue)

<figure><img src="/files/uOn7ROCwdR14somaKoop" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}

* Ensure aws:SourceArn points to the correct S3 bucket.
* Verify SQS ARN for both send and receive permissions.
  {% endhint %}

### Step 7: S3 Event Notifications

Amazon S3 Event Notifications trigger actions automatically when certain events happen in an S3 bucket, such as an object being uploaded, deleted, or restored.

To enable automated processing of uploaded files, configure S3 Event Notifications to trigger the SQS queue:

* Navigate to the **S3 bucket** > **Properties** > **Event Notifications** and click **Create Event Notification**.
* Create Notification for CSV Files

  * Name: csv\_event\_to\_sqs (customizable)
  * File Suffix: .csv
  * Event Type: All object creation events
  * Destination: SQS
  * SQS ARN: the ARN of the {PREFIX}\_data\_sync\_queue created in Step 6

  <figure><img src="/files/SIlu4K5UF5e07Fxs8qoF" alt=""><figcaption></figcaption></figure>

  <figure><img src="/files/Y075OOPwlOHJOHFDxUSF" alt=""><figcaption></figcaption></figure>

  <figure><img src="/files/lOGbm1yPAGAiuKQDV4nC" alt=""><figcaption></figcaption></figure>

  <figure><img src="/files/DnyhiYqiy3X7oomhh3JZ" alt=""><figcaption></figcaption></figure>
* **Create Additional Notifications**\
  Repeat the above steps for the following file types, ensuring each notification points to the same SQS queue:

<table><thead><tr><th width="165.6666259765625">Notification Name</th><th width="134">File Suffix</th><th>Event Type</th><th>Destination</th></tr></thead><tbody><tr><td>avro_event</td><td>.avro</td><td>All object creation events</td><td>data_sync_queue</td></tr><tr><td>json_event</td><td>.json</td><td>All object creation events</td><td>data_sync_queue</td></tr><tr><td>parquet_event</td><td>.parquet</td><td>All object creation events</td><td>data_sync_queue</td></tr><tr><td>xlsx_event</td><td>.xlsx</td><td>All object creation events</td><td>data_sync_queue</td></tr></tbody></table>

<figure><img src="/files/GmTLXjMtyjZEDgdm5WI8" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}

* These notifications enable real-time processing of files uploaded to the S3 bucket.
* Verify that the correct SQS queue ARN is used for each notification.
  {% endhint %}
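The Step 6 queue policy and the Step 7 notifications are both parameterised on the same queue ARN. The following Python, an added example rather than OvalEdge's own code, renders the policy from the placeholders, builds the matching S3 notification configuration for the five documented suffixes, and checks that the S3 sender statement is pinned to the Step 3 bucket with aws:SourceArn and that the task role gets receive-only actions. The account ID, region, prefix, role name and bucket name are constructed stand-ins.

```python
# Constructed sample values standing in for the documentation's placeholders.
AWS_ACCOUNT_ID = "123456789012"
AWS_REGION = "ap-south-1"
PREFIX = "askedgi"
IAM_ROLE_NAME = "askedgi-ecs-task-role"   # assumed ECS task role name (Step 5)
BUCKET_NAME = "askedgi-customer-bucket"    # assumed bucket name (Step 3)

# Notification name -> file suffix, as listed in Step 7.
NOTIFICATION_SUFFIXES = {
    "csv_event_to_sqs": ".csv",
    "avro_event": ".avro",
    "json_event": ".json",
    "parquet_event": ".parquet",
    "xlsx_event": ".xlsx",
}


def queue_arn(region, account_id, prefix):
    """ARN of <prefix>_data_sync_queue, following the Step 6 naming convention."""
    return f"arn:aws:sqs:{region}:{account_id}:{prefix}_data_sync_queue"


def build_queue_policy(account_id, region, prefix, role_name, bucket_name):
    """Fill in the Step 6 template: owner, receiver (task role) and S3 sender statements."""
    arn = queue_arn(region, account_id, prefix)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "__owner_statement_1", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "SQS:*", "Resource": arn},
            {"Sid": "__receiver_statement", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role_name}"},
             "Action": ["SQS:ChangeMessageVisibility", "SQS:DeleteMessage", "SQS:ReceiveMessage"],
             "Resource": arn},
            {"Sid": "__s3_sender_statement", "Effect": "Allow",
             "Principal": {"Service": "s3.amazonaws.com"},
             "Action": "SQS:SendMessage", "Resource": arn,
             # Without this condition any bucket, in any account, could post to the queue.
             "Condition": {"ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket_name}"}}},
        ],
    }


def build_notification_config(target_queue_arn):
    """One QueueConfiguration per suffix, all routed to the same queue (Step 7)."""
    return {
        "QueueConfigurations": [
            {"Id": name, "QueueArn": target_queue_arn, "Events": ["s3:ObjectCreated:*"],
             "Filter": {"Key": {"FilterRules": [{"Name": "suffix", "Value": suffix}]}}}
            for name, suffix in NOTIFICATION_SUFFIXES.items()
        ]
    }


def check_policy(policy, expected_queue_arn, bucket_name):
    """Return findings for a rendered queue policy; an empty list means it matches Step 6."""
    findings = []
    by_sid = {s["Sid"]: s for s in policy["Statement"]}
    for sid in ("__owner_statement_1", "__receiver_statement", "__s3_sender_statement"):
        if sid not in by_sid:
            findings.append(f"missing statement {sid}")
        elif by_sid[sid]["Resource"] != expected_queue_arn:
            findings.append(f"{sid} resource does not match the queue ARN")
    sender = by_sid.get("__s3_sender_statement", {})
    source_arn = sender.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn")
    if sender and source_arn != f"arn:aws:s3:::{bucket_name}":
        findings.append("S3 sender statement lacks aws:SourceArn for the Step 3 bucket")
    actions = by_sid.get("__receiver_statement", {}).get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    if any(a.lower() == "sqs:*" for a in actions):
        findings.append("receiver statement grants SQS:* instead of receive-only actions")
    return findings


def check_notifications(config, expected_queue_arn):
    """Verify every Step 7 suffix has a notification and that all point at the queue."""
    findings, seen = [], set()
    for qc in config["QueueConfigurations"]:
        if qc["QueueArn"] != expected_queue_arn:
            findings.append(f"{qc['Id']} points at {qc['QueueArn']}")
        seen.update(r["Value"] for r in qc["Filter"]["Key"]["FilterRules"] if r["Name"] == "suffix")
    findings.extend(f"no notification for {s}" for s in NOTIFICATION_SUFFIXES.values() if s not in seen)
    return findings


if __name__ == "__main__":
    arn = queue_arn(AWS_REGION, AWS_ACCOUNT_ID, PREFIX)
    policy = build_queue_policy(AWS_ACCOUNT_ID, AWS_REGION, PREFIX, IAM_ROLE_NAME, BUCKET_NAME)
    print("policy findings:", check_policy(policy, arn, BUCKET_NAME))
    print("notification findings:", check_notifications(build_notification_config(arn), arn))
```

The two check functions can also be run against a policy or notification configuration pulled from an existing account (for example via the AWS CLI) to confirm it still matches the documented shape.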

### Step 8: ECS Task Definition – Data Service

Create an ECS Task Definition for the Edgi Data Service with the following configuration details.

| Configuration   | Value             |
| --------------- | ----------------- |
| CPU             | 0.5 vCPU          |
| Memory          | 2 GB              |
| Container Name  | edgi-data-service |
| Port            | 8000              |
| Storage         | 200 GB            |
| CloudWatch Logs | Enabled           |

#### Environment Variables

| Key               | Value                   |
| ----------------- | ----------------------- |
| AWS\_REGION       | \<Region>               |
| AWS\_SCTNAME      | \<Database secret name> |
| BUCKET\_NAME      | \<Bucket Name>          |
| CREDENTIAL\_TYPE  | container               |
| DEPLOYMENT\_TYPE  | ecs                     |
| ENV               | production              |
| EDGI\_ASSET\_PATH | /app/asset              |
| OVALEDGE\_URL     | \<OE\_Application\_URL> |
| LOG\_LEVEL        | debug                   |

<figure><img src="/files/YBsxpZCBAiAi4zjUhkTA" alt=""><figcaption></figcaption></figure>

* Enable CloudWatch Logs for the container to capture logs.
* Under Storage configuration, allocate a maximum of 200 GB.

<figure><img src="/files/GI0Rz29XL2A9TBBE0iSR" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
CloudWatch logging is essential for monitoring Data Service activity.
{% endhint %}

**Elastic File System Configuration**

* Add EFS mounts for the data task definition.

<figure><img src="/files/YQuKXQgSvL7XAY9gRwb6" alt=""><figcaption></figcaption></figure>

### Step 9: ECS Task Definition – Data Service Medium

Create an ECS Task Definition for the Edgi Data Service Medium with the following configuration details.

| Configuration   | Value             |
| --------------- | ----------------- |
| CPU             | 1 vCPU            |
| Memory          | 8 GB              |
| Container Name  | edgi-data-service |
| Port            | 8000              |
| Storage         | 200 GB            |
| CloudWatch Logs | Enabled           |

#### Environment Variables

| Key               | Value                   |
| ----------------- | ----------------------- |
| AWS\_REGION       | \<Region>               |
| AWS\_SCTNAME      | \<Database secret name> |
| BUCKET\_NAME      | \<Bucket Name>          |
| CREDENTIAL\_TYPE  | container               |
| DEPLOYMENT\_TYPE  | ecs                     |
| ENV               | production              |
| EDGI\_ASSET\_PATH | /app/asset              |
| OVALEDGE\_URL     | \<OE\_Application\_URL> |
| LOG\_LEVEL        | debug                   |

<figure><img src="/files/CB84JaZX8R3wnZ7j7t0h" alt=""><figcaption></figcaption></figure>

* Enable CloudWatch Logs for the container to capture logs.
* Under Storage configuration, allocate a maximum of 200 GB.

<figure><img src="/files/W2KkmA4d2vgSKjq4QKOR" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
CloudWatch logging is essential for monitoring Data Service activity.
{% endhint %}

**Elastic File System Configuration**

* Add EFS mounts for the data task definition.

<figure><img src="/files/6Y1NGyL20wMEqMwmnAxJ" alt=""><figcaption></figcaption></figure>

### Step 10: ECS Task Definition – Data Service-XL

Create an ECS Task Definition for the Edgi Data Service-XL with the following configuration details.

| Configuration   | Value             |
| --------------- | ----------------- |
| CPU             | 2 vCPU            |
| Memory          | 16 GB             |
| Container Name  | edgi-data-service |
| Port            | 8000              |
| Storage         | 200 GB            |
| CloudWatch Logs | Enabled           |

#### Environment Variables

| Key               | Value                   |
| ----------------- | ----------------------- |
| AWS\_REGION       | \<Region>               |
| AWS\_SCTNAME      | \<Database secret name> |
| BUCKET\_NAME      | \<Bucket Name>          |
| CREDENTIAL\_TYPE  | container               |
| DEPLOYMENT\_TYPE  | ecs                     |
| ENV               | production              |
| EDGI\_ASSET\_PATH | /app/asset              |
| OVALEDGE\_URL     | \<OE\_Application\_URL> |
| LOG\_LEVEL        | debug                   |

<figure><img src="/files/n95H62b7eGJIa7qZPlKz" alt=""><figcaption></figcaption></figure>

* Enable CloudWatch Logs for the container to capture logs.
* Under Storage configuration, allocate a maximum of 200 GB.

<figure><img src="/files/iIv3oh1CWTm4HXpmXAE3" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
CloudWatch logging is essential for monitoring Data Service activity.
{% endhint %}

**Elastic File System Configuration**

* Add EFS mounts for the data task definition.

<figure><img src="/files/BXH8nUFBLXaVzGIwxhnn" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Service Discovery endpoint is required in Ovaledge task definitions.
{% endhint %}

### Step 11: API Key set in the AWS Secret Manager

An API key entry is now required in AWS Secrets Manager.

Add a key with no value, named as below, to the Secrets Manager secret you already use for the DB details:

apiaccesskeyforedgi

<div align="left"><figure><img src="/files/z4v7u1CSJxUp3GCzDmOS" alt=""><figcaption></figcaption></figure></div>

Once the application starts, it writes the API key value into this secret, where it is stored encrypted.

**Permissions**: The IAM role must be granted update permission on this secret.

After the application is up and running, the API key appears in the secret.

<figure><img src="/files/8OaDHFnY2grogpSzjey4" alt=""><figcaption></figcaption></figure>

### Step 12: Update Ovaledge Task Definition and Job

To enable the AskEdgi feature in the Ovaledge environment, update the UI and Job ECS Task Definitions by adding the following environment variables.

#### Environment Variables for UI and Job Tasks

| Key                                  | Value                                          |
| ------------------------------------ | ---------------------------------------------- |
| BRIDGE\_AWS\_USER\_ACCESS\_KEY       | \<Bridge user access key>                      |
| BRIDGE\_AWS\_USER\_SECRET\_KEY       | \<Bridge user secret key>                      |
| EDGI\_AI\_FUNCTION\_QUEUE            | ai\_functions\_queue                           |
| EDGI\_AWS\_ACCESS\_ID                | \<edgi user access key>                        |
| EDGI\_AWS\_SECRET\_KEY               | \<edgi user secret key>                        |
| EDGI\_AWS\_REGION                    | \<region>                                      |
| EDGI\_BUCKET\_NAME                   | \<s3 bucket name>                              |
| EDGI\_CLIENT\_PREFIX                 | \<sqs prefix name>                             |
| EDGI\_CONSUMER\_CREDENTIAL\_TYPE     | static                                         |
| EDGI\_ENABLE                         | true                                           |
| EDGI\_INSIGHT\_SERVICE\_HOST         | \<insight service endpoint>                    |
| EDGI\_WORKSPACE\_DISCOVERY           | dynamic                                        |
| EDGI\_WORKSPACE\_HOST                | \<edgi data task definition family name>       |
| EDGI\_WORKSPACE\_NAMESPACE           | \<ECS cluster namespace>                       |
| EDGI\_ASSET\_PATH                    | /app/asset                                     |
| EDGI\_WORKSPACE\_NAMESPACE\_ID       | \<ECS cluster namespace ID>                    |
| EDGI\_CLUSTER\_NAME                  | \<ECS Cluster name>                            |
| EDGI\_SUBNETS                        | \<ECS private subnets az1,az2>                 |
| EDGI\_SECURITY\_GROUP                | \<security group>                              |
| EDGI\_STANDARD\_DATATASK\_FAMILYNAME | \<data-service task definition family name>    |
| EDGI\_MEDIUM\_DATATASK\_FAMILYNAME   | \<data-service-medium task definition family>  |
| EDGI\_LARGE\_DATATASK\_FAMILYNAME    | \<data-service-xl task definition family name> |

#### Optional OAUTH2 Configuration

| Key                          | Value                   |
| ---------------------------- | ----------------------- |
| OAUTH2\_BASE\_URL            | \<provided by dev team> |
| OAUTH2\_CLIENTID             | \<provided by dev team> |
| OAUTH2\_CLIENT\_REGISTRATION | auth0                   |
| OAUTH2\_ROLE\_ATTRIBUTE      | https\:///roles         |
| OAUTH2\_SECRET               | \<provided by dev team> |
| OVALEDGE\_SECURITY\_TYPE     | oauth2                  |

<figure><img src="/files/jhGpQZFZhL950Zccz6WM" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/FCkijaEVttR5OdVazX1w" alt=""><figcaption></figcaption></figure>

**Elastic File System Configuration**

* Add the asset EFS mounts for both the UI and Job services.

Both the UI and Job task definitions must be updated, and then new ECS services must be deployed using the latest task definition revisions.

### Step 13: AskEdgi Feature Checks

Once the OvalEdge application is up and running, follow these steps.

* Log in with the admin user.
* Navigate to System Settings\
  **Administration** > **System Settings** > **AI Tab**

Update the following settings:

* askedgi.edition = **Data Analytics**
* askedgiplus.enable = **true**
* askedgi.ovaledge.recipe.connection.id = **-1 (MySQL connector ID)**

<figure><img src="/files/UeFyhcayRfUYql1P7Xfw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/3Xd9JD9nJ5u19evXWp8c" alt=""><figcaption></figcaption></figure>

* Ai.config = (the developer will provide the KEY); the remaining settings are as shown below.

<figure><img src="/files/wKZKfbw9elFQ9SOyyXQ8" alt=""><figcaption></figcaption></figure>

* Ensure that all Marketplace details are correctly populated in the settings.

<figure><img src="/files/ktenyhDDvvF5KVF0JIJ2" alt=""><figcaption></figcaption></figure>

Once done, log out and log back in to the application for the changes to take effect.

* Navigate to the **AskEdgi** feature.

<figure><img src="/files/fB3jx29j7psoJsEZ8MiI" alt=""><figcaption></figcaption></figure>

* It will take a few seconds to create a workspace.

<figure><img src="/files/o7LYMOIsGCkXQ55LAGq4" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/uYnxQK30PASxaXyfCcSE" alt=""><figcaption></figcaption></figure>

* Try the Catalog and Files Upload options to add data to the workspace.

<figure><img src="/files/od6I6rCCea4qTAgNjBSN" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Kk6YZtseL2cK5RS6Y7VF" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Bm9W9khFLOazmM9Pi5tD" alt=""><figcaption></figcaption></figure>

Now, ask anything in the search option, and it should give an answer.

* Once it returns a result, the setup is complete.

**If Workspace is not created:**

* Check Insight Service logs.
* Validate IAM Role permissions.
* Verify user entry in the database:

```sql
-- Inspect the user's workspace stack entry first.
select * from edgi_data_service_stack edss;
-- Reset queries: run only after confirmation from the development team.
delete from edgi_data_service_stack;
delete from edgi_data_service_uptime_history;
```

{% hint style="warning" %}
Do not run delete queries unless confirmed by the development team.
{% endhint %}

**Remove User Entry from Service Discovery**

* Navigate to **AWS Cloud Map** > **Service Discovery Resource**.
* Locate and delete the user entry associated with the application.
* Log back into the application to verify that the changes have taken effect.
* Check if the files have been uploaded or not.

### Step 14: NiFi Bridge Server

#### AWS Access Key Secret Key for Bridge Server and Client

* These credentials (the Bridge IAM user created in Step **4**) have S3 PutObject permissions only, allowing secure uploads to the S3 bucket created in Step **3**.
* During Ovaledge application installation, AWS Credentials (Access Key & Secret Key) are securely stored in **/mnt/tmp** and also provided as environment variables in the **run.sh** file.
* During Bridge Client installation, the credentials, along with S3 bucket details (name and region), are packaged into the Bridge Client certificate ZIP file. This enables the Bridge Client to authenticate with S3 seamlessly.

**Bridge Server UI Changes**

* To configure S3 access through the UI, update the following parameters under **S3PutObject** > **View Configuration**:
  * S3 Bucket Name
  * AWS Region
  * AWS Access Key and Secret Key

{% hint style="info" %}

* Always verify that the credentials used have S3 PutObject permissions.
* Changes made via the UI should match the configuration in nifi.properties to prevent synchronization issues.
  {% endhint %}

<figure><img src="/files/wc26JsP4Yo9UWq5ANUFc" alt=""><figcaption></figcaption></figure>

**ECS Task Definition and Credential Management**

During installation, these values are passed into the ECS Task Definition.

* Credentials are temporarily stored in a file during installation.
* After installation, the credentials file remains in the EFS mount directory at /mnt/tmp.

{% hint style="warning" %}
Ensure that the EFS mount has proper access controls to prevent unauthorized access to AWS credentials.
{% endhint %}

#### S3 Bucket Configuration

* During Bridge Server installation, the **nifi.properties** file is updated with the following S3 details:
  * S3 Bucket Name
  * AWS Region
* These values are also passed as **environment variables** in the Bridge Server Docker **run.sh** file and defined in the ECS Task Definition. The **run.sh** script handles these updates.

  <figure><img src="/files/hQbGX1KyewdKpRXIPneu" alt=""><figcaption></figcaption></figure>

  <figure><img src="/files/1y9dJDkXgUTT74uRovG9" alt=""><figcaption></figcaption></figure>
* After installation, the script ensures that the **nifi.properties** file contains the correct S3 bucket name and region.

  <figure><img src="/files/qnU2LSlgsY9QJSWVpM42" alt=""><figcaption></figcaption></figure>

  <figure><img src="/files/vgr1SyjOk6RGVGsFMwgN" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/jOKphE9TxD0EmuljVqJR" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/TQCVOqHXGMst041fGsZE" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/HWgPh6531PYkgxmqsMcV" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/jecu3GvOAx38glqCYayV" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/HxS4CFKP8Os4ZZ65GaMa" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/XBQpw4tHguQz8tdq88Iw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/4nSmj2tGh1lMSBXT6UUf" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/tJJeXjZMWSBKNl0EpDGq" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/WRKOSV0RuglqGnpfmq1s" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/dxpxoEM6IcclIkagxEen" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/kb1lYfz3DBV6AVuoY5Af" alt=""><figcaption></figcaption></figure>

**Bridge Client Installation**

* During Bridge Client installation, the S3 bucket name and region are retrieved from the Bridge Server’s **nifi.properties** file.
* The script **generate\_bridge\_client.sh** is responsible for applying these changes.

  <figure><img src="/files/JlyE6LnO9qd4vHo9w1Et" alt=""><figcaption></figcaption></figure>

The Bridge Client’s **nifi.properties** file is updated with the same S3 configuration.

<figure><img src="/files/NvGqPmSAppUafbmjeWVI" alt=""><figcaption></figcaption></figure>

**Key Change Summary:**

* **Before**: Bridge Client certificate ZIP contained only certificates.
* **After**: Bridge Client certificate ZIP now includes:
  * AWS Credentials (Access Key & Secret Key)
  * S3 Bucket Name
  * AWS Region

This ensures the Bridge Client can directly connect to S3 using the provided credentials and configuration.

**Bridge Client UI Changes**

To configure S3 access through the UI, update the following parameters under **S3PutObject > View Configuration**:

* S3 Bucket Name
* AWS Region
* AWS Access Key and Secret Key

{% hint style="info" %}

* Ensure that the Bridge Client certificate ZIP file is stored securely.
* Do not share AWS credentials externally; they are sensitive and allow direct access to S3.
* Always confirm that the S3 bucket exists and the region is correct before starting the Bridge Client.
  {% endhint %}

***

Copyright © 2025, OvalEdge LLC, Peachtree Corners, GA, USA.

