forked from pivotal-cf/docs-awslabs-service-broker
installing.html.md.erb
---
title: Installing and Configuring AWS Service Broker for VMware Tanzu
owner: Partners
---
<strong><%= modified_date %></strong>
This topic describes how to install and configure AWS Service Broker for VMware Tanzu.
## <a id="prereqs"></a> Prerequisites
Before you install AWS Service Broker for VMware Tanzu, you must have:
* Set up a DynamoDB table.
* Prerequisite. See [Link]().
### <a id="dynamodb-table"></a>DynamoDB Table
#### Automated Setup
Prerequisites are set up using a CloudFormation template available [on GitHub](https://github.com/awslabs/aws-servicebroker/blob/master/setup/prerequisites.yaml). The stack outputs provide the resource names needed for broker configuration.
#### Manual Setup
Create the table with the following AWS CLI command:
```bash
aws dynamodb create-table --attribute-definitions \
AttributeName=id,AttributeType=S AttributeName=userid,AttributeType=S \
AttributeName=type,AttributeType=S --key-schema AttributeName=id,KeyType=HASH \
AttributeName=userid,KeyType=RANGE --global-secondary-indexes \
'IndexName=type-userid-index,KeySchema=[{AttributeName=type,KeyType=HASH},{AttributeName=userid,KeyType=RANGE}],Projection={ProjectionType=INCLUDE,NonKeyAttributes=[id,userid,type,locked]},ProvisionedThroughput={ReadCapacityUnits=5,WriteCapacityUnits=5}' \
--provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
--region us-east-1 --table-name awssb
```
You can customize the table name as needed and pass your table name to the broker using `--tableName`.
### <a id="iam"></a> Identity and Access Management
By default, the broker uses the same credentials for provisioning ServiceInstances and for broker operations such as
fetching the catalog and reading and writing metadata in DynamoDB.
The user or role that the broker runs as requires the following policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::awsservicebroker/templates/*",
        "arn:aws:s3:::awsservicebroker"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:GetItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:<REGION>:<ACCOUNT_ID>:table/<TABLE_NAME>",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters"
      ],
      "Resource": [
        "arn:aws:ssm:<REGION>:<ACCOUNT_ID>:parameter/asb-*",
        "arn:aws:ssm:<REGION>:<ACCOUNT_ID>:parameter/Asb*"
      ],
      "Effect": "Allow"
    }
  ]
}
```
<p class="note"><strong>Note:</strong> Replace the <code>&lt;REGION&gt;</code>, <code>&lt;ACCOUNT_ID&gt;</code> and
<code>&lt;TABLE_NAME&gt;</code> placeholders in the above JSON before creating the policy.
</p>
The role or user used for provisioning requires additional permissions for provisioning, binding and
deprovisioning ServiceInstances.
By default this is the same user or role as the broker, so add these permissions to that role,
or apply them to a separate role;
see [Managing Resources Via Assumed Role](installing.html#managing-resources-via-assumed-role).
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SsmForSecretBindings",
      "Action": "ssm:PutParameter",
      "Resource": "arn:aws:ssm:<REGION>:<ACCOUNT_ID>:parameter/asb-*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowCfnToGetTemplates",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::awsservicebroker/templates/*",
      "Effect": "Allow"
    },
    {
      "Sid": "CloudFormation",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:UpdateStack",
        "cloudformation:CancelUpdateStack"
      ],
      "Resource": [
        "arn:aws:cloudformation:<REGION>:<ACCOUNT_ID>:stack/aws-service-broker-*/*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "ServiceClassPermissions",
      "Action": [
        "athena:*",
        "dynamodb:*",
        "kms:*",
        "elasticache:*",
        "elasticmapreduce:*",
        "kinesis:*",
        "rds:*",
        "redshift:*",
        "route53:*",
        "s3:*",
        "sns:*",
        "sqs:*",
        "ec2:*",
        "iam:*",
        "lambda:*"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
```
<p class="note"><strong>Note:</strong> Replace the <code>&lt;REGION&gt;</code> and <code>&lt;ACCOUNT_ID&gt;</code> placeholders
in the above JSON before creating the policy.
</p>
If a custom catalog is published, this policy might need to be adapted.
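To check the two policies above before attaching them, here is an added Python example (not code from this guide or from the aws-servicebroker project): it fills the `<REGION>`, `<ACCOUNT_ID>` and `<TABLE_NAME>` placeholders the notes say to replace, refuses to emit a policy that still carries one, and lists the statements that grant `service:*` on `Resource: "*"` (the `ServiceClassPermissions` statement above) so they get a least-privilege review. The embedded policy is a constructed, abbreviated copy of the provisioning policy, and the account ID used in the test is a placeholder value.

```python
"""Render the broker IAM policy templates and flag over-broad statements."""
import json
import re

# The placeholder names used in the policies on this page.
PLACEHOLDER = re.compile(r"<(REGION|ACCOUNT_ID|TABLE_NAME)>")

# Constructed, abbreviated copy of the provisioning policy shown above.
PROVISIONING_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "SsmForSecretBindings", "Action": "ssm:PutParameter",
     "Resource": "arn:aws:ssm:<REGION>:<ACCOUNT_ID>:parameter/asb-*",
     "Effect": "Allow"},
    {"Sid": "CloudFormation",
     "Action": ["cloudformation:CreateStack", "cloudformation:DeleteStack"],
     "Resource": ["arn:aws:cloudformation:<REGION>:<ACCOUNT_ID>:stack/aws-service-broker-*/*"],
     "Effect": "Allow"},
    {"Sid": "ServiceClassPermissions", "Action": ["rds:*", "s3:*", "iam:*"],
     "Resource": ["*"], "Effect": "Allow"}
  ]
}"""


def render_policy(template: str, **values: str) -> dict:
    """Substitute <NAME> placeholders; raise if any placeholder is left unfilled."""
    rendered = template
    for name, value in values.items():
        rendered = rendered.replace(f"<{name}>", value)
    leftover = sorted(set(PLACEHOLDER.findall(rendered)))
    if leftover:
        raise ValueError(f"unfilled placeholders: {leftover}")
    return json.loads(rendered)


def _as_list(value):
    # IAM allows Action/Resource as either a string or a list of strings.
    return value if isinstance(value, list) else [value]


def broad_statements(policy: dict) -> list:
    """Return Sids of Allow statements granting a wildcard action on Resource '*'."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"]))
        wild_resource = "*" in _as_list(stmt["Resource"])
        if wild_action and wild_resource:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found
```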
## <a id="installation"></a> Installation and Configuration
1. Download the latest tile from the Tanzu Network.
2. Log in to Ops Manager and import the tile.
3. Complete configuration in the `AWS Service Broker Configuration` section. Take note of the following fields:
* `Broker ID` - An ID used for partitioning broker data in DynamoDB. If multiple brokers are used in the same AWS account, this value must be unique per broker. This is a customer-selected string.
* `AWS Access Key ID` and `AWS Secret Access` (_**REQUIRED**_) - Specify the credentials for the user created in the prerequisites section of this guide. If you are using an EC2 instance role attached to the broker hosts, leave these fields blank.
* `Target AWS Account ID` and `Target IAM Role Name` - If you need to provision into a different account, or use a
different role for provisioning, populate these with the account and role details. The role specified must allow the
broker user/role to assume it.
* `AWS Region` - This is the default region into which the broker deploys services, and it must match the region in which the
DynamoDB table from the prerequisites section of this guide was created (this will be decoupled in an upcoming update).
* `Amazon S3 Bucket` - specify `awsservicebroker`
* `Amazon S3 Key Prefix` - specify `templates/latest/`
* `Amazon S3 Region` - specify `us-east-1`
* `Amazon S3 Key Suffix` - specify `-main.yaml`
* `Amazon DynamoDB table name` - specify the name of the table created in the prerequisites section of this guide; the default is `awssb`