Provider Handover Checklist

Cobalt Chemical Symbol

Provider Handover Checklist#

This checklist covers every external service and credential that must be transferred or re-provisioned when handing Cobalt over to a new support provider. Work through each section in order — AWS must be done first because most other services depend on it.

Warning

Do not revoke old credentials until the new provider has verified that the replacement credentials are working in all environments (production, UAT, and test). Revoking too early will cause outages.

1. AWS Account#

Cobalt runs entirely on AWS: the application server (Elastic Beanstalk), database (RDS), email (SES), notifications (SNS), file storage (EFS/S3), DNS (Route 53), and load balancer.

Steps#

  1. Create an IAM user (or transfer ownership of the root account) for the new provider in the ABF AWS account.

  2. Attach the existing IAM policies used for Cobalt deployments (check the existing IAM user to see which policies are attached).

  3. Generate a new Access Key ID and Secret Access Key for the new IAM user.

  4. Update the following Elastic Beanstalk environment properties in every environment (Production, UAT, Test) via the AWS Console → Elastic Beanstalk → Configuration → Software:

    • AWS_ACCESS_KEY_ID

    • AWS_SECRET_ACCESS_KEY

    • AWS_REGION_NAME

  5. Update the AWS CLI and EB CLI credentials on the new provider’s local machines.

  6. Verify access by running eb status from the cobalt directory.

  7. Revoke the old IAM user’s access key once verified.

Key resources#

  • Elastic Beanstalk application: cobalt (region: ap-southeast-2)

  • RDS instance: check AWS Console → RDS

  • Route 53 hosted zone: myabf.com.au

  • SES configuration sets: cobalt-prod, cobalt-uat, cobalt-test

2. AWS RDS (Database)#

The PostgreSQL database runs on AWS RDS. The new provider needs the connection credentials to manage the database directly (migrations, backups, support queries).

Steps#

  1. In the AWS Console → RDS → Databases, select the Cobalt instance.

  2. Modify the master user password to a new value (requires a maintenance window or an immediate apply).

  3. Update the following Elastic Beanstalk environment properties in every environment:

    • RDS_DB_NAME

    • RDS_USERNAME

    • RDS_PASSWORD

    • RDS_HOSTNAME

    • RDS_PORT

  4. Restart the Elastic Beanstalk environment to pick up the new credentials.

  5. Verify the application connects successfully by checking the Cobalt home page and the Django admin.

3. AWS SES (Email)#

All transactional email is sent through AWS Simple Email Service. The verified sending domain (myabf.com.au) and configuration sets must remain active.

Steps#

  1. Confirm the new AWS IAM user (from step 1) has ses:SendEmail and ses:SendRawEmail permissions.

  2. Verify the myabf.com.au domain is still verified in SES (AWS Console → SES → Verified identities). If domain ownership is transferring, the new provider will need to add the SES DKIM DNS records to Route 53.

  3. Check each environment’s configuration set (AWS Console → SES → Configuration sets) and confirm the SNS topic subscription for event webhooks is active and pointing to the correct Cobalt URL: https://<env>.myabf.com.au/notifications/ses/event-webhook/

  4. Update AWS_SES_CONFIGURATION_SET, AWS_SES_REGION_NAME, and AWS_SES_REGION_ENDPOINT in the Elastic Beanstalk environment properties if they have changed.

  5. Send a test email from the application and confirm the SES webhook callback is received (visible in the Django admin under Notifications).

4. Stripe (Payments)#

Stripe processes all Bridge Credits top-ups and event entry payments.

Steps#

  1. The ABF Stripe account owner must add the new provider as an Administrator in the Stripe Dashboard → Settings → Team.

  2. If new API keys are needed, go to Stripe Dashboard → Developers → API keys → Create restricted key (or roll the existing secret key).

  3. Update the following Elastic Beanstalk environment properties in every environment:

    • STRIPE_SECRET_KEY

    • STRIPE_PUBLISHABLE_KEY

  4. For each environment’s webhook endpoint (Stripe Dashboard → Developers → Webhooks), verify the endpoint URL is correct: https://<env>.myabf.com.au/payments/stripe-webhook The endpoint must handle payment_method.attached and charge.succeeded events.

  5. Reveal the Signing secret for each webhook endpoint and update STRIPE_WEBHOOK_SECRET in the corresponding environment.

  6. Test a payment in the UAT environment using a Stripe test card.

5. Xero (Accounting)#

The Xero integration raises invoices and records payments for club settlements. See Setting Up the Xero Integration for the full setup guide.

Steps#

  1. The ABF Xero account admin must invite the new provider to the Xero organisation (Xero → Settings → Users → Invite a User).

  2. In the Xero Developer Portal, transfer ownership of the Cobalt Custom Connection app to the new provider’s Xero account, or create a new app and update credentials.

  3. Update the following Elastic Beanstalk environment properties in production (and create equivalent apps for UAT/test):

    • XERO_CLIENT_ID

    • XERO_CLIENT_SECRET

  4. Navigate to /xero/ in Cobalt as an ABF staff user and click Connect to verify the new credentials work.

  5. Update the Xero webhook signing key: Xero Developer Portal → app → Webhooks → copy the webhook key → set XERO_WEBHOOK_KEY in the environment properties.

  6. Confirm the webhook URL is registered: https://www.myabf.com.au/xero/webhook

6. Google Firebase Cloud Messaging (FCM)#

FCM delivers push notifications to the Cobalt mobile app (Android and iOS).

Steps#

  1. In the Firebase Console, go to Project Settings → Users and Permissions and add the new provider as an Owner.

  2. Generate a new service account key: Project Settings → Service Accounts → Generate new private key. This downloads a JSON credentials file.

  3. Upload the JSON file to a secure location on the Elastic Beanstalk EC2 instance (or store it in AWS Secrets Manager and update the retrieval method).

  4. Update the GOOGLE_APPLICATION_CREDENTIALS environment variable in every Elastic Beanstalk environment to point to the new file path.

  5. Restart the application and send a test push notification from the Django admin to verify FCM is working.

  6. Remove the old provider’s Firebase access once verified.

7. Google reCAPTCHA#

reCAPTCHA v2 protects the logged-out contact form from spam submissions.

Steps#

  1. Go to the Google reCAPTCHA Admin Console and transfer ownership of the Cobalt site to the new provider’s Google account, or create a new reCAPTCHA v2 site for myabf.com.au.

  2. Copy the new Site key and Secret key.

  3. Update the following Elastic Beanstalk environment properties in every environment:

    • RECAPTCHA_SITE_KEY

    • RECAPTCHA_SECRET_KEY

  4. Visit the public contact form and submit a test message to confirm reCAPTCHA loads and validates correctly.

8. Google Maps#

An embedded Google Maps iframe shows venue locations on congress pages. The Maps API key is currently hardcoded in the event templates.

Steps#

  1. In the Google Cloud Console, locate the project that owns the Maps Embed API key (search for the existing key value in APIs & Services → Credentials).

  2. Add the new provider as an Owner of the Google Cloud project, or create a new Maps Embed API key restricted to *.myabf.com.au.

  3. If issuing a new key, update all three template files that embed the Maps iframe:

    • events/templates/events/players/congress.html

    • events/templates/events/players/congress_logged_out.html

    • events/templates/events/congress_builder/congress_wizard_3.html

    Replace the key= parameter in the Maps embed URL in each file.

  4. Deploy the updated templates and verify that a congress venue map displays correctly.

Note

Ideally the Maps API key should be moved to an environment variable to avoid needing a code change when rotating it.

9. New Relic (Monitoring)#

New Relic provides application performance monitoring and alerting.

Steps#

  1. Log in to New Relic and go to Administration → User Management. Add the new provider as an Admin and remove the old provider once verified.

  2. Confirm the NEW_RELIC_APP_ID values for each environment are set correctly in the Elastic Beanstalk environment properties.

  3. Verify that the New Relic agent is reporting data for each environment (New Relic → APM → cobalt-* applications should all show green).

  4. Review and transfer ownership of any alert policies and notification channels to the new provider’s contact details.

10. Domain and DNS (Route 53)#

The myabf.com.au domain and its DNS records are managed in AWS Route 53. If the domain is registered elsewhere (e.g. a registrar separate from AWS), that registrar account must also be transferred.

Steps#

  1. Confirm who holds the domain registrar account for myabf.com.au and transfer access (or the registration itself) to the new provider.

  2. In AWS Route 53 → Hosted zones → myabf.com.au, verify the new provider’s IAM user (from step 1) has access to manage DNS records.

  3. Document all existing DNS records before making any changes.

  4. If the domain registrar is separate from AWS, ensure the nameservers in the registrar still point to the Route 53 hosted zone.

11. Mobile Application (Google Play & Apple App Store)#

The Cobalt mobile app is published on both stores under the ABF’s accounts.

Steps#

  1. Google Play: Go to the Google Play Console → Users and permissions and add the new provider with Admin access. Remove the old provider.

  2. Apple App Store: In App Store Connect → Users and Access, invite the new provider as an Admin. Remove the old provider once accepted.

  3. Transfer any signing certificates and provisioning profiles stored outside of the stores (e.g. on a developer machine). The iOS distribution certificate and Android keystore must not be lost.

  4. Confirm the new provider can successfully build and submit a test build to both stores using the transferred credentials.

Post-Handover Verification Checklist#

After completing all sections above, verify end-to-end functionality in the UAT environment before declaring the handover complete:

Test

Service verified

Log in to Cobalt and view the dashboard

AWS EB, RDS

Submit the logged-out contact form (with reCAPTCHA)

Google reCAPTCHA, AWS SES

Top up Bridge Credits with a Stripe test card

Stripe, AWS SES

Create a congress with a venue address and confirm map displays

Google Maps

Send a push notification to a test device via Django admin

Firebase FCM

Check New Relic shows live APM data for the UAT environment

New Relic

Confirm a Xero invoice can be created from /xero/

Xero

Confirm email delivery and SES webhook callback appears in admin

AWS SES, SNS
Contents