aws-actions » prerequisites

Increase AWS Quotas

There are a few AWS default quotas that will need to be adjusted.

  1. EC2 instance quota - In the AWS portal, visit the Support Center and create a case. Choose the region, primary instance type, and set the limit to >= 25 in your request.
  2. Elastic IP Addresses - In the AWS portal, visit the Support Center and create a case. Choose the region and set the limit to >= 30 in your request.

Note: The above quotas will be enough to deploy the infrastructure needed for installing TAP. Individual mileage may vary depending on existing resources.

(Optional) Set up an AWS service principal

First, configure AWS authentication.

Do this only if you plan to run the Terraform scripts locally with an IAM user (i.e., you are not using temporary credentials from the AWS Security Token Service).

aws configure

Or set the necessary environment variables. These are the bootstrapping credentials used only to create the service account below; once it exists, Terraform should use the service account's keys instead.

export AWS_ACCESS_KEY_ID=<your_root_access_key_id>
export AWS_SECRET_ACCESS_KEY=<your_root_secret_access_key>
export AWS_REGION=<region_cloud_resources_will_be_provisioned_and_accessed>

Next, set the following environment variables for your service account.

export AWS_SERVICE_ACCOUNT_NAME=<your_service_account_name>
export AWS_SERVICE_ACCOUNT_PASSWORD=<your_service_account_password>

Then, clone the clicktruck/scripts repository and run the create-aws-service-account.sh script found there.

cd /tmp
gh repo clone clicktruck/scripts
./scripts/aws/create-aws-service-account.sh

Record the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY of the new service account; these are the credentials to use from now on with the Terraform modules.

(Optional) Set up a GitHub SSH key pair

You will need to create a new public/private SSH key pair in order to work with (i.e., pull from and push to) private git repositories (e.g., GitHub, GitLab, Azure DevOps).

Here's how to set up such a key pair for the named repository providers:

Also see Git Authentication.

Set up a personal access token in GitHub

A PAT is required so that workflows can add secrets to the repository for use in downstream jobs. Documentation can be found here.

We use this personal access token to create the secrets for Terraform's AWS backend.

Configure GitHub secrets

Set up GitHub secrets holding the service principal credentials. Documentation can be found here. You might also consider using the gh secret set command to set these individually. Or, after exporting all of the environment variables below, execute gh-secrets-setup.sh at the command line, passing aws as an argument.

# The access key identifier associated with role-based temporary security credentials vended from AWS Security Token Service
export AWS_ACCESS_KEY_ID=
# The access key's secret associated with role-based temporary security credentials vended from AWS Security Token Service
export AWS_SECRET_ACCESS_KEY=
# An expiring session token associated with role-based temporary security credentials vended from AWS Security Token Service
export AWS_SESSION_TOKEN=

Setting up an AWS_SESSION_TOKEN secret is optional. However, if you have to obtain an AWS Security Token Service token (via a provider like CloudGate) to authenticate to an AWS account, you will need to update the AWS_* secret values periodically, since such tokens expire.

You'll also want to create another secret whose value is the fine-grained personal access token you created in the prior step.

export PA_TOKEN=
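Putting the exports above together, here is an added example script (not the project's gh-secrets-setup.sh) that uploads the exported variables with gh secret set, treats AWS_SESSION_TOKEN as optional, and refuses to upload anything if a required value is missing. OWNER/REPO is a placeholder for the repository the workflows run in.

```shell
#!/usr/bin/env bash
# Added example, not the project's gh-secrets-setup.sh: upload the credentials
# exported in the current shell to GitHub Actions secrets with `gh secret set`,
# refusing to run when a required value is missing. AWS_SESSION_TOKEN is
# optional, as the page notes, and only applies to STS temporary credentials.
set -eu

# Secret names the workflows read; PA_TOKEN is the fine-grained PAT from the previous step.
REQUIRED_SECRETS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY PA_TOKEN"
OPTIONAL_SECRETS="AWS_SESSION_TOKEN"

# Read a variable by name without bash-only indirection (names come only from
# the constant lists above, so the eval is safe).
value_of() { eval "printf '%s' \"\${$1:-}\""; }

# Print, one per line, the names of exported non-empty variables to upload.
# Returns 1 if any required variable is unset or empty, so the repository is
# never left half-configured.
secrets_to_set() {
  missing=0
  for name in $REQUIRED_SECRETS; do
    if [ -z "$(value_of "$name")" ]; then
      echo "missing required variable: $name" >&2
      missing=1
    else
      echo "$name"
    fi
  done
  for name in $OPTIONAL_SECRETS; do
    if [ -n "$(value_of "$name")" ]; then echo "$name"; fi
  done
  return $missing
}

# Upload each secret to the repository. Values go to gh on stdin, never as a
# command-line argument, so they stay out of shell history and process listings.
push_secrets() {
  repo="$1"
  names=$(secrets_to_set) || return 1
  for name in $names; do
    value_of "$name" | gh secret set "$name" --repo "$repo"
    echo "set secret $name in $repo"
  done
}

# Usage (OWNER/REPO is a placeholder for the repository the workflows run in):
# push_secrets "OWNER/REPO"
```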