Setup for AWS
This page outlines the steps that the ForgeOps Team took when setting up AWS before deploying the CDM.
Perform these steps before you deploy the CDM:
- Create and configure an IAM group:
  - Create a group with the name cdm-users.
  - Attach the following AWS preconfigured policies to the cdm-users group:
    - IAMUserChangePassword
    - IAMReadOnlyAccess
    - AmazonEC2FullAccess
    - AmazonEC2ContainerRegistryFullAccess
    - AWSCloudFormationFullAccess
- Create two policies in the IAM service of your AWS account:
  - Create the EksAllAccess policy using the eks-all-access.json file in the /path/to/forgeops/etc/aws-example-iam-policies directory.
  - Create the IamLimitedAccess policy using the iam-limited-access.json file in the /path/to/forgeops/etc/aws-example-iam-policies directory.
- Attach the policies you created to the cdm-users group.
  Remember, the CDM is a reference implementation and is not for production use. The policies you attach in this procedure are suitable for the CDM, but they are deliberately broad (full access to EC2, ECR, and CloudFormation). When you create a project plan, you'll need to determine how to configure AWS permissions.
- Assign one or more AWS users who will set up the CDM to the cdm-users group.
- If you haven't already done so, set up your aws command-line interface environment using the aws configure command.
- Verify that your AWS user is a member of the cdm-users group:

    $ aws iam list-groups-for-user --user-name my-user-name --output json
    {
        "Groups": [
            {
                "Path": "/",
                "GroupName": "cdm-users",
                "GroupId": "ABCDEFGHIJKLMNOPQRST",
                "Arn": "arn:aws:iam::048497731163:group/cdm-users",
                "CreateDate": "2020-03-11T21:03:17+00:00"
            }
        ]
    }

- Verify that you are using the correct user profile:

    $ aws iam get-user
    {
        "User": {
            "Path": "/",
            "UserName": "my-user-name",
            "UserId": "...",
            "Arn": "arn:aws:iam::01...3:user/my-user-name",
            "CreateDate": "2020-09-17T16:01:46+00:00",
            "PasswordLastUsed": "2021-05-10T17:07:53+00:00"
        }
    }
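The two manual checks above can be combined into one preflight script that also confirms every policy listed on this page is attached to the group. The following is an added example, not code from forgeops or its documentation. It assumes the AWS CLI is configured with aws configure, that the caller is an IAM user (as on this page), and it parses the same JSON shapes shown above plus the output of aws iam list-attached-group-policies. The SAMPLE_* responses in the block are constructed for offline use.

```python
#!/usr/bin/env python3
"""Preflight check for the cdm-users setup (added example; not part of forgeops).

Refuses to continue unless the current IAM user is in cdm-users and every
policy this page lists is attached to the group.
"""
import json
import subprocess
import sys

GROUP = "cdm-users"
REQUIRED_POLICIES = {
    # AWS-managed policies attached in the first step
    "IAMUserChangePassword",
    "IAMReadOnlyAccess",
    "AmazonEC2FullAccess",
    "AmazonEC2ContainerRegistryFullAccess",
    "AWSCloudFormationFullAccess",
    # Customer-managed policies created from the forgeops example JSON files
    "EksAllAccess",
    "IamLimitedAccess",
}

# Constructed sample responses; the shape matches the CLI output shown on this page.
SAMPLE_GROUPS = {"Groups": [{"Path": "/", "GroupName": GROUP,
                             "GroupId": "ABCDEFGHIJKLMNOPQRST",
                             "Arn": "arn:aws:iam::123456789012:group/cdm-users"}]}
SAMPLE_ATTACHED = {"AttachedPolicies": [
    {"PolicyName": n} for n in (
        "IAMUserChangePassword", "IAMReadOnlyAccess", "AmazonEC2FullAccess",
        "AmazonEC2ContainerRegistryFullAccess", "AWSCloudFormationFullAccess",
        "EksAllAccess")]}  # IamLimitedAccess deliberately left out


def aws(*args):
    """Run one AWS CLI command and parse its JSON output."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))


def group_names(list_groups_json):
    """Group names from `aws iam list-groups-for-user` output."""
    return {g["GroupName"] for g in list_groups_json.get("Groups", [])}


def attached_names(attached_json):
    """Policy names from `aws iam list-attached-group-policies` output."""
    return {p["PolicyName"] for p in attached_json.get("AttachedPolicies", [])}


def missing_policies(attached_json, required=REQUIRED_POLICIES):
    """Documented policies that are not attached to the group, sorted."""
    return sorted(set(required) - attached_names(attached_json))


def extra_policies(attached_json, required=REQUIRED_POLICIES):
    """Policies attached beyond the documented set. The documented set is already
    broad, so anything beyond it deserves a second look."""
    return sorted(attached_names(attached_json) - set(required))


def main():
    user = aws("iam", "get-user")["User"]["UserName"]
    groups = group_names(aws("iam", "list-groups-for-user", "--user-name", user))
    if GROUP not in groups:
        sys.exit(f"{user} is not in {GROUP} (groups: {sorted(groups)})")
    attached = aws("iam", "list-attached-group-policies", "--group-name", GROUP)
    missing = missing_policies(attached)
    if missing:
        sys.exit(f"{GROUP} is missing policies: {missing}")
    extra = extra_policies(attached)
    if extra:
        print(f"note: {GROUP} also has policies not listed on this page: {extra}")
    print(f"ok: {user} is in {GROUP} with all documented policies attached")


if __name__ == "__main__":
    main()
```

Run it after aws configure and before the Terraform steps; a non-zero exit means the group or its policies still need work.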
- Copy the file that contains default Terraform variables to a new file:
  - Change to the /path/to/forgeops-extras/terraform directory.
  - Copy the terraform.tfvars file to override.auto.tfvars [1].
    Editing the copy leaves the original terraform.tfvars unchanged. Terraform loads any file named *.auto.tfvars automatically, and values set there override the defaults in terraform.tfvars.
- Determine the cluster size: small, medium, or large.
- Define your cluster's configuration:
  - Open the override.auto.tfvars file.
  - Locate the section of the override.auto.tfvars file that holds the configuration for your cluster size:

    Cluster size   Section containing the cluster configuration
    Small          cluster.tf_cluster_eks_small
    Medium         cluster.tf_cluster_eks_medium
    Large          cluster.tf_cluster_eks_large

  - Modify your cluster's configuration by setting values in the section listed in the table:
    - Set the value of the enabled variable to true.
    - Set the value of the meta.cluster_name variable to the name of the Amazon EKS cluster you'll create.
    - Set the values of the location.region and location.zones variables to the region and zones where you'll deploy the CDM. Before continuing:
      - Go to the Amazon Elastic Kubernetes Service endpoints and quotas page and verify that the region you're specifying supports Amazon EKS.
      - Run the aws ec2 describe-availability-zones --region region-name command to identify three availability zones in your AWS region.
  - Save and close the override.auto.tfvars file.
- Ensure your region has an adequate CPU quota for the CDM.
  Locate these two variables in your cluster's configuration in the override.auto.tfvars file:
  - node_pool.type: the machine type to be used in your cluster
  - node_pool.max_count: the maximum number of machines to be used in your cluster
  Your quotas must be large enough to let you allocate the maximum number of machines in your region. EC2 on-demand instance quotas are counted in vCPUs rather than machines, so multiply the vCPUs of node_pool.type by node_pool.max_count to get the figure you need. If your quotas are too low, request and wait for a quota increase from Amazon Web Services before attempting to create your CDM cluster.
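The region, zone, and quota checks in the last two steps can be scripted against the values you put in override.auto.tfvars. The following is an added example, not code from forgeops or its documentation. It assumes the AWS CLI is configured and uses aws ec2 describe-availability-zones, aws ec2 describe-instance-types, and aws service-quotas get-service-quota with quota code L-1216C47A (the EC2 "Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances" quota, measured in vCPUs); if node_pool.type belongs to another family, substitute that family's quota code. The SAMPLE_* responses and the preflight.py file name are constructed for illustration.

```python
#!/usr/bin/env python3
"""Region, zone, and vCPU-quota preflight for the override.auto.tfvars cluster
settings (added example; not part of forgeops).
"""
import json
import subprocess
import sys

# "Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances", counted in vCPUs.
STANDARD_ONDEMAND_QUOTA = "L-1216C47A"

# Constructed sample responses in the shape the CLI returns.
SAMPLE_ZONES = {"AvailabilityZones": [
    {"ZoneName": "us-east-1a", "State": "available", "ZoneType": "availability-zone"},
    {"ZoneName": "us-east-1b", "State": "available", "ZoneType": "availability-zone"},
    {"ZoneName": "us-east-1-bos-1a", "State": "available", "ZoneType": "local-zone"},
    {"ZoneName": "us-east-1c", "State": "available", "ZoneType": "availability-zone"},
    {"ZoneName": "us-east-1d", "State": "available", "ZoneType": "availability-zone"},
]}
SAMPLE_TYPES = {"InstanceTypes": [{"InstanceType": "m5.xlarge",
                                   "VCpuInfo": {"DefaultVCpus": 4}}]}
SAMPLE_QUOTA = {"Quota": {"QuotaCode": STANDARD_ONDEMAND_QUOTA, "Value": 16.0}}


def aws(*args):
    """Run one AWS CLI command and parse its JSON output."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))


def pick_zones(zones_json, count=3):
    """Up to `count` regular availability zones in state 'available'.
    Local Zones and Wavelength Zones are skipped: EKS worker nodes belong in
    regular zones, which is what location.zones expects."""
    names = [z["ZoneName"] for z in zones_json.get("AvailabilityZones", [])
             if z.get("State") == "available"
             and z.get("ZoneType", "availability-zone") == "availability-zone"]
    return names[:count]


def required_vcpus(types_json, max_count):
    """vCPUs needed to run node_pool.max_count instances of node_pool.type."""
    per_instance = types_json["InstanceTypes"][0]["VCpuInfo"]["DefaultVCpus"]
    return per_instance * max_count


def quota_shortfall(quota_json, needed_vcpus):
    """vCPUs by which the quota falls short; 0 when it is adequate. The quota is
    shared with instances already running in the region, so 0 here is necessary
    but not sufficient."""
    return max(0, needed_vcpus - int(quota_json["Quota"]["Value"]))


def main(region, instance_type, max_count):
    zones = pick_zones(aws("ec2", "describe-availability-zones", "--region", region))
    if len(zones) < 3:
        sys.exit(f"{region} has only {len(zones)} usable zones: {zones}")
    needed = required_vcpus(
        aws("ec2", "describe-instance-types", "--instance-types", instance_type),
        max_count)
    quota = aws("service-quotas", "get-service-quota", "--region", region,
                "--service-code", "ec2", "--quota-code", STANDARD_ONDEMAND_QUOTA)
    short = quota_shortfall(quota, needed)
    if short:
        sys.exit(f"quota too low: {max_count} x {instance_type} needs {needed} vCPUs; "
                 f"request an increase of at least {short} vCPUs")
    print(f"ok: zones {zones}; {needed} vCPUs needed, "
          f"quota {int(quota['Quota']['Value'])}")


if __name__ == "__main__":
    # Usage (file name is illustrative): python3 preflight.py us-east-1 m5.xlarge 6
    main(sys.argv[1], sys.argv[2], int(sys.argv[3]))
```

Pass the region from location.region and the node_pool.type and node_pool.max_count values from the cluster section you edited; the three zone names it prints are suitable values for location.zones.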
Next step

[1] The terraform.tfvars file also contains a section named forgerock that adds labels required for clusters created by ForgeRock employees. If you're a ForgeRock employee creating a cluster, set values for these variables.