Solution Architecture - Secure Service Delivery Platform - AWS
This solution is broken into three sections:
- Infrastructure
- Platform
- Services
You will need to choose one of the following options:
- Build with Terraform
- Use existing Infrastructure
The `sa-ssdp-aws/infrastructure/` directory of this repository contains Terraform infrastructure definitions that build out the AWS resources for hosting the Secure Service Delivery Platform deployment. Once you have completed the REQUIREMENTS section below, you are ready to execute `terraform apply` within the `infrastructure/` directory.
The `terraform apply` takes approximately 13 minutes to deploy.
If you have an existing environment, or wish to build your own VPCs and EKS clusters, you may skip the Terraform infrastructure build. You will require certain inputs to deploy the platform services in `./platform/`. The commands to extract this information from AWS can be found below in XXXX.
NOTE: Following best practices, our Vault cluster will not be available externally over the internet. Hence, you will need a bastion host that can access the Vault and Consul ASGs and the EKS kubectl API, as is done in the Terraform infrastructure (Option 1).
```
.
├── README.md
├── docs
│   ├── INFRASTRUCTURE.md
│   ├── PLATFORM.md
│   └── SERVICES.md
├── infrastructure
├── inputs
├── platform
│   ├── consul-ent-aws
│   ├── consul-ent-gateways-aws
│   └── vault-ent-aws
└── services
    ├── hashicups-ec2-payments
    └── hashicups-k8s
```
Requirements:
- git
- aws cli v2
- session-manager-plugin v1.2 (https://formulae.brew.sh/cask/session-manager-plugin)
- terraform v1.3, locally installed

NOTE: The AWS `session-manager-plugin` is used to remote shell into the Vault and Consul AWS Auto Scaling Group (ASG) instances.
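As an added example of the bastion workflow described in the note above (this script is not part of the sa-ssdp-aws repository), the following helper runs on a host that can reach the AWS APIs, looks up an InService node of a Vault or Consul Auto Scaling Group, and opens a Session Manager shell on it with the aws cli and session-manager-plugin. The ASG name you pass in and the script file name are assumptions; the instance ids shown in the usage line are constructed.

```shell
#!/bin/sh
# Added helper, not from the sa-ssdp-aws repository: open a Session Manager shell on an
# InService instance of a named Auto Scaling Group (e.g. the Vault or Consul ASG).
# Usage: sh ssm-shell.sh <asg-name> [n]   -> shell on the n-th InService instance (default 1)
# Assumptions: aws cli v2 and session-manager-plugin are installed, AWS credentials are
# exported, and the instances run the SSM agent with an instance profile that allows SSM.

# asg_inservice_ids: read "InstanceId<TAB>LifecycleState" rows on stdin, print InService ids only.
asg_inservice_ids() {
  awk '$2 == "InService" { print $1 }'
}

# asg_instance_rows ASG_NAME: those rows straight from the AWS CLI
# (--output text yields one tab-separated row per instance).
asg_instance_rows() {
  aws autoscaling describe-auto-scaling-groups \
    --auto-scaling-group-names "$1" \
    --query 'AutoScalingGroups[0].Instances[].[InstanceId,LifecycleState]' \
    --output text
}

# pick_target ASG_NAME [N]: instance id of the N-th InService node, empty if there is none.
pick_target() {
  asg_instance_rows "$1" | asg_inservice_ids | sed -n "${2:-1}p"
}

# ssm_shell ASG_NAME [N]: open the interactive shell. Session Manager needs no inbound SSH
# port on the instance, which is why the ASG nodes can stay unreachable from the internet.
ssm_shell() {
  target=$(pick_target "$1" "${2:-1}")
  if [ -z "$target" ]; then
    echo "no InService instance in ASG '$1'" >&2
    return 1
  fi
  echo "opening Session Manager shell on $target (ASG $1)" >&2
  aws ssm start-session --target "$target"
}

if [ $# -gt 0 ]; then ssm_shell "$@"; fi
```

Run it from the bastion as `sh ssm-shell.sh <vault-asg-name>`; the only network path it needs is outbound from the instance to the SSM endpoints, so no security-group rule for SSH has to be opened.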
Clone this repo:
```
git clone https://github.com/hashicorp/sa-ssdp-aws.git
```
Just like the AWS CLI tool, the Terraform provider for AWS requires both `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. Export these values, e.g.:
```
export AWS_ACCESS_KEY_ID=<aws_access_key_id>
export AWS_SECRET_ACCESS_KEY=<aws_secret_access_key>
```
You require Enterprise licenses for both Vault and Consul. Save them somewhere locally, e.g.:
```
ls -l1 ./sa-ssdp-aws/inputs
README.md
consul.hclic
vault.hclic
```
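Before running `terraform apply`, it helps to confirm every item in the requirements above in one go. The following pre-flight script is an added example and is not part of the sa-ssdp-aws repository: it checks the tool versions listed above, that both AWS credential variables are exported, and that both license files are present in the inputs directory. The script name, the `./inputs` default path and the minimum version for git (none is stated above) are assumptions.

```shell
#!/bin/sh
# Added pre-flight check for the requirements above; not part of the sa-ssdp-aws repository.
# Usage: sh preflight.sh ./inputs      (script name and inputs path are assumptions)

# version_ge HAVE WANT: succeed when dotted version HAVE is >= WANT (missing parts count as 0).
version_ge() {
  have=$1; want=$2
  while [ -n "$have" ] || [ -n "$want" ]; do
    h=$(printf '%s' "${have%%.*}" | tr -cd '0-9'); h=${h:-0}
    w=$(printf '%s' "${want%%.*}" | tr -cd '0-9'); w=${w:-0}
    [ "$h" -gt "$w" ] && return 0
    [ "$h" -lt "$w" ] && return 1
    case $have in *.*) have=${have#*.} ;; *) have= ;; esac
    case $want in *.*) want=${want#*.} ;; *) want= ;; esac
  done
  return 0
}

# extract_version TEXT: first dotted number in a version banner, e.g. "aws-cli/2.13.25 ..." -> 2.13.25
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1
}

# check_tool NAME MIN_VERSION COMMAND [ARGS...]: report the tool; fail if missing or too old.
check_tool() {
  name=$1; want=$2; shift 2
  if ! command -v "$1" >/dev/null 2>&1; then
    echo "MISSING  $name is not on PATH"; return 1
  fi
  have=$(extract_version "$("$@" 2>&1)")
  if [ -z "$have" ]; then
    echo "UNKNOWN  $name: could not parse a version from '$*'"; return 1
  elif version_ge "$have" "$want"; then
    echo "OK       $name $have (>= $want)"
  else
    echo "TOO OLD  $name $have (need >= $want)"; return 1
  fi
}

# check_aws_credentials: both variables the AWS provider needs must be exported and non-empty.
check_aws_credentials() {
  rc=0
  for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
    eval "val=\${$v:-}"
    if [ -n "$val" ]; then echo "OK       $v is exported"; else echo "MISSING  $v is not exported"; rc=1; fi
  done
  return $rc
}

# check_license_files DIR: consul.hclic and vault.hclic must exist in DIR and be non-empty.
check_license_files() {
  rc=0
  for f in consul.hclic vault.hclic; do
    if [ -s "$1/$f" ]; then echo "OK       $1/$f"; else echo "MISSING  $1/$f (absent or empty)"; rc=1; fi
  done
  return $rc
}

# preflight INPUTS_DIR: run every check; exit status 0 only when all of them pass.
preflight() {
  rc=0
  check_tool git 0 git --version || rc=1                    # git: any version (assumption)
  check_tool "aws cli" 2 aws --version || rc=1
  check_tool session-manager-plugin 1.2 session-manager-plugin --version || rc=1
  check_tool terraform 1.3 terraform version || rc=1
  check_aws_credentials || rc=1
  check_license_files "${1:-./inputs}" || rc=1
  if [ "$rc" -eq 0 ]; then
    echo "All checks passed: cd infrastructure && terraform apply (about 13 minutes)"
  else
    echo "Fix the items marked MISSING / TOO OLD / UNKNOWN before running terraform apply"
  fi
  return $rc
}

if [ $# -gt 0 ]; then preflight "$1"; fi
```

The exit status is non-zero whenever any check fails, so the script can gate a CI job or a wrapper around `terraform apply` as well as be run by hand.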
You can use Terraform to build the infrastructure, or use your own infrastructure. Choose one of the two options in this guide before commencing the PLATFORM build: ./docs/INFRASTRUCTURE.md
Having deployed the infrastructure using Terraform (above), or collected the appropriate information from existing infrastructure (also documented above), you may now commence deploying the PLATFORM services: ./docs/PLATFORM.md
NOTE: you may use an existing Vault deployment, or create a new Vault Enterprise cluster. Documentation for each method is available.
For demonstration purposes, instructions for deploying the HashiCups demo app are provided in ./docs/SERVICES.md