
Platform Deployment on AWS

Adam Tumialis edited this page Mar 14, 2016 · 17 revisions


Prerequisites

Service limits

  • Minimal deployment requires 2 ElasticIPs (for load balancer and bastion host).
  • Minimal deployment requires the EC2 instance limit raised to 33 (23 instances for the platform plus 10 instances used as workers only during the deployment procedure).

SMTP server

As Trusted Analytics Platform does not provide its own SMTP service, you may want to use your own SMTP server for sending e-mails such as platform invitations or password reset requests. SMTP server configuration takes place in one of the following steps. For an AWS deployment you may want to use AWS Simple Email Service (SES). Make sure that you have set up SES according to the AWS SES documentation and that you have verified both your domain (see "Verifying Domains in Amazon SES") and your sender e-mail address (see "Verifying Email Addresses in Amazon SES").

AWS Configuration

  • Create an AWS account if one hasn't been created previously. The account/user needs to be capable of manipulating AWS EC2/S3/Route 53 resources.
  • Request an EC2 instance limit increase for your region via AWS support (the default is 20; the required number is given in the Pricing Matrix for AWS Deployments, plus 10 more needed during the deployment process).
  • Check for the number of free VPC EIPs and if necessary, request EC2-VPC Elastic IPs limit increase via AWS support.
  • If you intend to use AWS SES as your SMTP service, request an appropriate SES sending rate limit via AWS support.

Get your AWS keys

If you already have your AWS credentials (access_key_id and secret_access_key, which are not the same as your AWS login and password), you can skip this step.

Start by logging on to AWS: https://console.aws.amazon.com

Click on “Instances” in the left pane and select your deployment region:

From the menu next to your login name, select “Security Credentials”:

Select “Create New Access Key”. If access keys have already been created, consult someone in your organization to obtain the access_key_id and secret_access_key. There is a limit of two sets of Access Keys that can be assigned to an organization.

You will be prompted to download the security file as a CSV file. Make sure you download and save the CSV file as you won't be able to retrieve the AWS secret key once the screen is closed.

Record the access_key_id and secret_access_key and store them in a safe, secure place within your organization. Anyone holding these two values can consume AWS resources at your expense.

This example deployment uses the following keys:

    AWS_Access_Key_ID: AKIAJ354GOFUDGEYRMTT
    AWS_Secret_Access_Key: c9/flkkasITUmdlQdzbnIu4ff+UgIOQuB/xb

Create an SSH Key

If you already have a key pair, you can skip creating a new one as described below. You will still need to place a copy of the pem file as shown below.

Make sure that your deployment region is selected as the AWS Region. Click on “Key Pairs” in the left menu and then click on “Create Key Pair”.

Name your key pair “bosh” and click on “Yes”:

After you click “Yes”, a file will be downloaded to your computer and named “bosh.pem”. Save it into your ~/.ssh folder on your computer. For example, on OS X you can save and rename the file from the terminal using the following commands:

    $ mkdir -p ~/.ssh
    $ mv ~/Downloads/bosh.pem.txt ~/.ssh/bosh.pem

Change the permissions for the bosh.pem file. For example, on OS X you can change the permissions from the terminal as follows:

    $ chmod 400 ~/.ssh/bosh.pem

Local configuration

For first time deployment, please follow the instructions provided at:

https://github.com/trustedanalytics/platform-wiki/wiki/Platform-Deployment-Procedure-local-setup

Deployment configuration

After receiving your AWS keys, you can supply these values to Terraform to deploy Cloud Foundry.

Clone the Repo

Obtain Terraform configuration data from the latest release tag by executing the following:

    $ git clone https://github.com/trustedanalytics/terraform-aws-intel.git
    $ cd terraform-aws-intel
    $ cp terraform.tfvars.example terraform.tfvars

Edit variable file

Generate a secure password for the CF admin account and write it down. Using a text editor (the examples use vi), edit the terraform.tfvars file. Fill in aws_access_key, aws_secret_key, aws_key_path and aws_key_name (the downloaded AWS private SSH key; specify the full path to your key) and aws_region (the AWS deployment region). Also set your future CF admin password cf_admin_pass, the CF client (UAAC) password cf_client_pass, and the appropriate deployment_size. Note that cf_admin_pass cannot contain special characters due to a CloudFoundry limitation, so use only characters from [0-9A-Za-z].

Please note that an XIP domain should never be used for a production deployment.

    $ vi terraform.tfvars

After editing, your file should look like this:

    # Change needed

    # AWS IAM credentials
    aws_access_key = "YOUR-AWS-KEY"
    aws_secret_key = "YOUR-AWS-SECRET"

    # CloudFoundry and UAAC passwords
    cf_admin_pass = "PUT-YOUR-PASSWORD-HERE"
    cf_client_pass = "PUT-YOUR-CF-PASSWORD-HERE"

    # Default values, may be changed if needed

    aws_key_path = "/home/username/.ssh/bosh.pem"
    aws_key_name = "bosh"
    aws_region = "us-west-1"
    network = "10.10"
    cf_size = "tiny"
    hadoop_worker_count = "3"
    hadoop_instance_type = "m3.xlarge"
    env_name = "trustedanalytics"
    quay_username = ""
    quay_pass = ""

    # tag values, key order: Project,IAP,Environment
    aws_tags = "Foo Bar,00000,Development"
    # Use "XIP" for an xip.io based domain, or provide your own domain here
    # NOTE: xip.io should never be used for production deployment
    cf_domain="XIP"

    # Prevent Host Header spoofing from hitting internal APIs:
    private_cf_domains="xip.internal"

    # Control the cloudfoundry deployment size
    # Values are 'small', 'med', 'med-ha', and 'big-ha'
    # See https://github.com/cloudfoundry-community/terraform-aws-cf-install/blob/master/variables.tf for how
    # those sizes inform instance counts

    deployment_size="small"
    install_docker_services="true"
    install_logsearch="false"

    # Should we use offline buildpack for java?
    #offline_java_buildpack="true"

    # Expert only! Do not change if unsure

    # Control the version of CF to be deployed
    cf_release_version="212"
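A mistake in terraform.tfvars is only discovered an hour into make apply, so it is worth checking the file before you start. The script below is an added example and is not part of terraform-aws-intel; it encodes the constraints stated on this page (template placeholders replaced, cf_admin_pass restricted to [0-9A-Za-z], the private key readable only by its owner as set by chmod 400, a known deployment_size, and a warning when cf_domain is still "XIP"). The 16-character password minimum and the two sample files it builds are this example's own choices, not platform requirements.

```shell
#!/bin/sh
# Pre-flight check for terraform.tfvars, to run before `make plan`.
# Added example, not a script shipped with terraform-aws-intel.

# Print the quoted string value of KEY ($2) from the tfvars file ($1); first match wins.
tfvar() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Print the group/other permission bits of a file, e.g. "------" for mode 0400 or 0600.
group_other_perms() {
    ls -ld "$1" | cut -c5-10
}

errors=0
fail() {
    echo "ERROR: $*"
    errors=$((errors + 1))
}

# Validate a tfvars file; prints one line per finding, returns 0 only if no error was found.
check_tfvars() {
    file=$1
    errors=0

    # Credentials and passwords must be present and must not be the template placeholders.
    for pair in aws_access_key:YOUR-AWS-KEY aws_secret_key:YOUR-AWS-SECRET \
                cf_admin_pass:PUT-YOUR-PASSWORD-HERE cf_client_pass:PUT-YOUR-CF-PASSWORD-HERE; do
        key=${pair%%:*}
        placeholder=${pair#*:}
        val=$(tfvar "$file" "$key")
        [ -n "$val" ] || fail "$key is empty"
        [ "$val" != "$placeholder" ] || fail "$key still holds the template placeholder"
    done

    # Cloud Foundry limitation from the page: only [0-9A-Za-z] in cf_admin_pass.
    # The 16-character minimum is this example's own choice.
    pass=$(tfvar "$file" cf_admin_pass)
    if printf '%s' "$pass" | grep -q '[^0-9A-Za-z]'; then
        fail "cf_admin_pass contains characters outside [0-9A-Za-z]"
    fi
    [ "${#pass}" -ge 16 ] || fail "cf_admin_pass is shorter than 16 characters"

    # The private key must exist and must not be readable by group or other.
    key_path=$(tfvar "$file" aws_key_path)
    if [ ! -r "$key_path" ]; then
        fail "aws_key_path '$key_path' does not exist or is not readable"
    elif [ "$(group_other_perms "$key_path")" != "------" ]; then
        fail "aws_key_path '$key_path' is readable by group/other; run chmod 400 on it"
    fi

    case "$(tfvar "$file" deployment_size)" in
        small|med|med-ha|big-ha) ;;
        *) fail "deployment_size must be one of small, med, med-ha, big-ha" ;;
    esac

    if [ "$(tfvar "$file" cf_domain)" = "XIP" ]; then
        echo "WARNING: cf_domain is XIP; xip.io must never be used for a production deployment"
    fi

    [ "$errors" -eq 0 ]
}

# Constructed sample inputs (not from a real deployment) so the script runs offline.
WORK=$(mktemp -d)
touch "$WORK/bosh.pem" && chmod 400 "$WORK/bosh.pem"
GOOD_TFVARS=$WORK/good.tfvars
BAD_TFVARS=$WORK/bad.tfvars
cat > "$GOOD_TFVARS" <<EOF
aws_access_key = "EXAMPLE-ACCESS-KEY-ID"
aws_secret_key = "EXAMPLE-SECRET-KEY"
cf_admin_pass = "Abcdefgh12345678"
cf_client_pass = "ClientSecret0001"
aws_key_path = "$WORK/bosh.pem"
aws_key_name = "bosh"
aws_region = "us-west-1"
cf_domain="tap.example.com"
deployment_size="small"
EOF
cat > "$BAD_TFVARS" <<EOF
aws_access_key = "YOUR-AWS-KEY"
aws_secret_key = "EXAMPLE-SECRET-KEY"
cf_admin_pass = "p@ss"
cf_client_pass = "PUT-YOUR-CF-PASSWORD-HERE"
aws_key_path = "$WORK/missing.pem"
cf_domain="XIP"
deployment_size="huge"
EOF

check_tfvars "$GOOD_TFVARS" && echo "good.tfvars: OK"
check_tfvars "$BAD_TFVARS" || echo "bad.tfvars: rejected"
```

To use it on your real file, call check_tfvars terraform.tfvars and only continue to make plan when it exits with status 0; the permission check reads the group/other bits from ls -l rather than stat, so it behaves the same on OS X and Linux.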

The Deployment

Deploy AWS resources

⚠️ Make sure your local computer's system time is set correctly or the process will fail.

ℹ️ Use screen or tmux for the task to prevent process from failing in case of communications errors.

You are now ready to deploy. Run the following commands:

    $ make update
    $ make plan
    $ make apply
    $ make provision

It takes about an hour to deploy to AWS. If an error occurs during make apply or make provision, run the command again, as the error may be due to AWS resources not being available when requested.

When the installation has completed, you will get several values as output. Example:

    module.cloudera.aws_instance.cdh-manager.private_ip = 10.10.10.41
    module.cloudera.aws_instance.cloudera-launcher.public_ip = 52.19.63.97
    Outputs.bastion_ip = 52.19.62.177
    Outputs.cf_api_ip = 52.19.82.149

The obtained values let you connect to Cloud Foundry and the bastion server. If you use your own domain, create at this step a wildcard A record for your domain that points to the cf_api_ip address.
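The wildcard record can be built directly from the deployment output instead of being typed by hand. The script below is an added example, not part of terraform-aws-intel: it extracts cf_api_ip from output lines in the format shown above (the sample lines are the ones from this page), rejects anything that is not a valid IPv4 address, and writes the change batch that aws route53 change-resource-record-sets expects for an UPSERT of *.yourdomain. The domain tap.example.com and the hosted zone id are placeholders to replace with your own values.

```shell
#!/bin/sh
# From the end-of-deployment output to a Route 53 wildcard A record.
# Added example, not a script shipped with terraform-aws-intel.

# Print the value of an "Outputs.<name> = <value>" line read from stdin ($1 = name).
output_value() {
    sed -n "s/^Outputs\.$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the change batch JSON accepted by `aws route53 change-resource-record-sets`:
# an UPSERT of *.<domain> as an A record pointing at the Cloud Foundry API address.
route53_wildcard_batch() {
    printf '{"Comment":"TAP wildcard for %s","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"*.%s.","Type":"A","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}\n' "$1" "$1" "$2"
}

# Output of a finished deployment as shown on this page (constructed sample input).
SAMPLE_OUTPUT='module.cloudera.aws_instance.cdh-manager.private_ip = 10.10.10.41
module.cloudera.aws_instance.cloudera-launcher.public_ip = 52.19.63.97
Outputs.bastion_ip = 52.19.62.177
Outputs.cf_api_ip = 52.19.82.149'

DOMAIN=${CF_DOMAIN:-tap.example.com}                      # the cf_domain from terraform.tfvars (placeholder)
HOSTED_ZONE_ID=${HOSTED_ZONE_ID:-YOUR-HOSTED-ZONE-ID}     # Route 53 zone for that domain (placeholder)

CF_API_IP=$(printf '%s\n' "$SAMPLE_OUTPUT" | output_value cf_api_ip)
if is_ipv4 "$CF_API_IP"; then
    BATCH_FILE=$(mktemp)
    route53_wildcard_batch "$DOMAIN" "$CF_API_IP" > "$BATCH_FILE"
    echo "Change batch written to $BATCH_FILE; apply it with:"
    echo "  aws route53 change-resource-record-sets --hosted-zone-id $HOSTED_ZONE_ID --change-batch file://$BATCH_FILE"
else
    echo "cf_api_ip '$CF_API_IP' is not a valid IPv4 address; check the deployment output" >&2
fi
```

Pipe the real output into output_value instead of the sample, set CF_DOMAIN and HOSTED_ZONE_ID, and run the printed aws command; UPSERT makes the step safe to repeat after a re-run of make apply hands out a new address.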

Install CDH

Run the generate_inv.sh script, which will log you into cloudera-launcher, then run ansible.

ℹ️ Use screen or tmux for the task, as it takes considerable amount of time to complete.

    $ bash cdh/generate_inv.sh
    $ cd ansible-cdh
    $ bash run_ansible.sh

This script asks you to accept the Oracle JDK license terms and for the vault password, which must be supplied by the vault owner.

⚠️ This step takes about 1 hour. After it finishes, check the final output PLAY RECAP **** section. If it contains any errors, i.e. rows with a failed value other than zero, re-run bash run_ansible.sh.

ℹ️ In order to connect to CDH manager WebUI, you will need to set up port forwarding.

Every time you need to access the WebUI, follow the steps below on your local computer (it needs a web browser installed). This forwards the CDH manager WebUI port to http://localhost:7180/ for as long as the SSH session stays connected.

    $ bash cdh/generate_inv.sh

Set up bosh deployment

Follow the instructions from this document:

https://github.com/trustedanalytics/platform-wiki/wiki/Platform-Deployment-Procedure:-bosh-deployment
