Prerequisites and requirements
IAM Policy for AWS AOS provisioning
Ideally you have an AWS user with Administrator Access managed policy attached, which will allow to create and deploy needed AOS resources.
Setup stage will deploy the roles with fully privileges needed, afterwards the terraform role should be assumed to be able to manage AOS AWS resources, this restricts to all AWS users to not be allowed by default to be able to manage the AOS AWS resources.
Setup stage will setup role with following policy:
{
"Version": "2012-10-17",
"Id": "key-terraform",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"${ADMIN_ARNS}"
]
},
"Action": "${RESOURCE}:*",
"Resource": "*"
},
{
"Sid": "Enable IAM Assumed Roles",
"Effect": "Allow",
"Principal": "*",
"Action": "${RESOURCE}:*",
"Resource": "*",
"Condition": {
"StringLike": {
"aws:PrincipalArn": "${ASSUMED_TF_ROLE}"
}
}
},
{
"Sid": "Enable IAM Users Ids Like",
"Effect": "Allow",
"Principal": "*",
"Action": "${RESOURCE}:*",
"Resource": "*",
"Condition": {
"StringLike": {
"aws:userid": ["${TERRAFORM_USERS_IDS}"]
}
}
}
]
}
Technical prerequisites and requirements
Supported OS
We can use any OS which has installed docker on top of it, we had created a Dockerfile definition with all the utilities needed for deploy/debug/troubleshoot, we strongly recommend to build and use the aos-aws docker image for convenience of packages dependencies.
pushd devops/container-images/docker-aws
docker build -t aos-aws-utilities .
popd
docker run -it --name aos-aws-utilities_demo --mount source=aos-aws-utilities_demo,target=/root -v /var/run/docker.sock:/var/run/docker.sock aos-aws-utilities
Skills and specialized knowledge required
- Containers/kubernetes/eks
- docker-cli to use the pre-packaged installation container
- kubectl
- aws sts
- AWS cli
- IAM AWS with assumed roles
- Terraform
- Manage state.
- Create/destroy/upgrade resources.
- (Optional) golang
Environment configuration
Environment variables needed
Export your OWN AWS credentials into env variables and apply terraform s3 aftewards. More info here
export AWS_ACCESS_KEY_ID=<>
export AWS_DEFAULT_REGION=<>
export AWS_SECRET_ACCESS_KEY=<>
export AWS_SESSION_TOKEN=<>
Terraform backend setup
We provide source code to setup the terraform backend in the aws S3, however you can choose whichever backend you're using. AOS Edge cloud team recommends to use the AWS S3 backend as default.
The backend setup will create the following resources:
- Role to be assumed by terraform
- Bucket to store the terraform backend
- KMS key for terraform backend (encrypted files)
- Secrets for terraform backend properties
Customer needed settings
This is the list of secrets needed for before continuing to the next aos installation steps.
- export TF_VAR_domain_name=<test.aoscloud.io>
- This is required to setup by administrator, NLB hostname can be used, however, cert-manager has some constraints about long hostname for NLB.
- export TF_VAR_aos_cloud_recaptcha_key=<key>
- This is the recaptcha key that it is needed for the environment and frontend, can be generated from GCP cloud.
- export TF_VAR_smtp_mail_server_password=<pwd>
- SMTP Email password which is needed for notifications and send keys/certs to new users.
- export TF_VAR_smtp_mail_server_login=Auto_Reply@mydomain.com
- SMTP Email which is used for notifications and send keys/certs to new users (Compatible as for now only with outlook servers).
- export TF_VAR_aos_registry_properties={password="***",server="***.azurecr.io",username="****"}
- Need to ask to cloud team support about this property to generate temporary password and allow firewall rule from your nat ip address.