
AWS AOS installation and provisioning

NOTE: Use Terraform v1.2.9.

Prerequisites and points for awareness

You need to obtain the private token for the AWS container image published in ACR.

Security Context for AWS AOS provisioning

Ideally you have an AWS user with the AdministratorAccess managed policy attached, which allows you to create and deploy the needed AOS resources.

The setup stage deploys the roles with the full privileges needed. Afterwards, the Terraform role should be assumed in order to manage the AOS AWS resources; this means that, by default, no AWS user is allowed to manage the AOS AWS resources without assuming that role.

Get the AWS AOS prepackaged image

We pull and run the aos-aws-utilities Docker image, which bundles the package dependencies together with the pre-packaged code.

docker run -it --name aos-aws-utilities --mount source=aos-aws-utilities,target=/root <aosacr>/aws/aos-aws-utilities

Environment variables needed

export AWS_ACCESS_KEY_ID=<>
export AWS_DEFAULT_REGION=<>
export AWS_SECRET_ACCESS_KEY=<>
export AWS_SESSION_TOKEN=<>

Terraform backend setup

The backend setup will create the following resources:

  • Role to be assumed by terraform
  • Bucket to store the terraform backend
  • KMS key for terraform backend (encrypted files)
  • Secrets for terraform backend properties
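As an added illustration (not the project's own configuration), this is what a Terraform v1.2.9 backend block that consumes the resources listed above looks like: state encrypted with the KMS key, locking in the DynamoDB table, and access only through the assumed Terraform role. The bucket, table, key and role names are assumptions following the ${TF_VAR_project_name}-${TF_VAR_environment} naming used on this page; the account id and key id are placeholders.

```hcl
# Added example, not the project's own code. Backend blocks cannot reference
# variables, so the values below are literals for project "aos", environment "staging".
terraform {
  backend "s3" {
    bucket         = "aos-staging-tfstate"               # assumed bucket name
    key            = "infrastructure/terraform.tfstate"  # assumed state object key
    region         = "eu-west-1"                         # assumed region

    # Server-side encryption of every state file with the setup-stage KMS key.
    encrypt    = true
    kms_key_id = "arn:aws:kms:eu-west-1:123456789012:key/<kms-key-id>" # placeholder key id

    # State locking; matches the TF_VAR_remote_state_db_table naming on this page.
    dynamodb_table = "aos-staging-tf-dy"

    # Only principals allowed to assume this role can read or write the state.
    # The caller's own credentials need sts:AssumeRole on it and nothing else on the bucket.
    role_arn = "arn:aws:iam::123456789012:role/aos-staging-terraform" # placeholder account id
  }
}
```

Principals without permission to assume the role get an AccessDenied from `terraform init`, which is the expected behaviour of the restriction described in the security context section.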

Follow the instructions for AWS setup remote state:

Secrets needed (Support from AOS Cloud team)

This is the list of secrets needed before continuing to the next AOS installation steps.

export TF_VAR_aos_cloud_recaptcha_key=<key>
This is the reCAPTCHA key needed by the environment and the frontend; it can be generated in GCP.

export TF_VAR_smtp_mail_server_password=<pwd>
SMTP email password, needed for notifications and for sending keys/certs to new users.

export TF_VAR_smtp_mail_server_login=Auto_Reply@mydomain.com
SMTP email address used for notifications and for sending keys/certs to new users (currently compatible only with Outlook servers).

export TF_VAR_aos_registry_properties={password="***",server="***.azurecr.io",username="****"}
Ask the cloud team for this property; they will generate a temporary password and allow a firewall rule for your NAT IP address.

AOS Infra installation and deploy

  • AWS Infra Base resources - setup infrastructure for AOS
  • AWS AMI build - AMI build for the MQ VMs to be deployed
  • AWS AOS Monitoring (Optional) - AWS Monitoring tools and alerts for AOS Edge System
  • AWS AOS GitLab Runner for CI/CD (Optional) (Not recommended) - Runner for CI/CD if you plan to implement it in your environment (requires GitLab to be set up with the AOS projects).

For the above installation we recommend using the following env vars or a terraform.tfvars template:

# If you have your .envrc from setup step file handy
source .envrc_aos-staging
# If you are using env vars (not .envrc)
export TF_VAR_project_name=aos
export TF_VAR_environment=staging
export TF_VAR_remote_state_bucket=<bucketterraformstatename>
export TF_VAR_remote_state_db_table=${TF_VAR_project_name}-${TF_VAR_environment}-tf-dy

AOS EKS access

By default, EKS access is closed, so a VPN connection is mandatory at this point.

To get the VPN secret and convert it into a file usable as the OpenVPN configuration:

# Get the secret
aws secretsmanager get-secret-value --secret-id "${TF_VAR_project_name}-${TF_VAR_environment}-infrastructure/ovpnBase64Config" --query 'SecretString' --output text | base64 -d > ovpn-config-${TF_VAR_environment}.ovpn
# Connect to vpn
sudo openvpn --config ovpn-config-${TF_VAR_environment}.ovpn

Terraform Unit tests

go test -v $(go list ./... | grep "$TERRAFORM_TEMPLATE_PATH" | grep "unit")