forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
cloudform-template.html.md.erb
163 lines (113 loc) · 10.2 KB
/
cloudform-template.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
---
title: Deploying the CloudFormation Template for PCF on AWS
owner: Ops Manager
---
<strong><%= modified_date %></strong>
This topic describes how to deploy the CloudFormation template for [Pivotal Cloud Foundry](https://network.pivotal.io/products/pivotal-cf) (PCF) on Amazon Web Services (AWS).
An AWS CloudFormation template describes a set of AWS resources and properties. The template used in this topic is designed to output the resources necessary for three availability zones (AZ), with an Ops Manager, Pivotal Application Service (PAS), and services subnet in each AZ. The Elastic Load Balancer will be attached to the public subnet the AZs to balance traffic.
## <a id='prereq'></a> Prerequisites
The procedure in this topic requires the following:
* **An AWS Region with at least 3 availability zones**: Before following the procedure below, confirm that you have selected the correct region within your AWS account. All of the AWS resources for your deployment must exist within a single region. See the <a href='http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions-availability-zones'>Amazon documentation on regions and availability zones</a> for help selecting the correct region for your deployment.
<p class="note"><strong>Note</strong>: To deploy PCF to AWS GovCloud (US), select the <code>us-gov-west-1</code> region.</p>
* **An AWS SSH keypair**: You must provide an AWS SSH keypair name as a parameter for the CloudFormation template. If you do not have a pre-existing key pair, create one in [AWS](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair). Save the resulting private key file in a secure location.
* **A registered wildcard domain**: You must enter a wildcard domain as the `Common name` when creating your SSL certificate.
## <a id='upload-cert'></a>Step 1: Upload an SSL Certificate to AWS ##
You can add an SSL Certificate using two methods:
* The [AWS CLI](#aws-cli)
* The [AWS Certificate Manager](#aws-certificate-manager)
### <a id="aws-cli"></a>(Option) Create SSL Certificate using the AWS CLI
The [AWS CLI](https://aws.amazon.com/cli/) must be installed on your machine and configured to a user account with admin access privileges on your AWS account.
1. Obtain or create an SSL server certificate. For more information, see the [AWS documentation on SSL certificates](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html). When you create a certificate signing request (CSR) in the "Create a Server Certificate" instructions, you must use your wildcard domain as the Common Name input.
1. Add the following additional domains and wildcards using the OpenSSL SAN (subjectAltName) extension:
* `*.sys.example.com`
* `*.login.sys.example.com`
* `*.uaa.sys.example.com`
* `*.apps.example.com`
<p class='note'><strong>Note</strong>: If you use a self-signed certificate or select the "Generate Self-Signed RSA Certificate" option during the <a href="./../customizing/cloudform-er-config.html#security-config">Deploying PAS on AWS</a> installation process, you can ignore the step above. However, make sure you upload the self-signed certificate to AWS and attach the certificate to the listeners on the AWS Elastic Load Balancer. Pivotal recommends only using a self-signed certificate for testing and development.</p>
1. Upload your SSL certificate to AWS. For more information, see the [AWS documentation s on uploading SSL certificate using the CLI](http://docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html).
<pre class='terminal'>
$ aws iam upload-server-certificate \
--server-certificate-name YOUR-CERTIFICATE \
--certificate-body file://YOUR-PUBLIC-KEY-CERT-FILE.pem \
--private-key file://YOUR-PRIVATE-KEY-FILE.pem \
</pre>
For example:
<pre class='terminal'>
$ aws iam upload-server-certificate \
--server-certificate-name myServerCertificate \
--certificate-body file://my-certificate.pem \
--private-key file://my-private-key.pem
</pre><p class='note'><strong>Note</strong>: If you receive an upload error (MalformedCertificate), run the following command to convert your server certificate to the PEM format as required by the AWS Identity and Management (IAM) service:
<code>$ openssl x509 -inform PEM -in my-certificate.pem</code><br/>Then try your upload again.</p>
1. After successfully uploading the certificate to your AWS account, you will see output metadata for your certificate. For example:
<pre class="highlight json">
{
"ServerCertificateMetadata": {
"ServerCertificateId": "ASCAI3HRFYUTD55KNAF64",
"ServerCertificateName": "myServerCertificate",
"Expiration": "2016-10-18T18:41:59Z",
"Path": "/",
"Arn": "arn:aws:iam::9240874958318:server-certificate/myServerCertificate",
"UploadDate": "2015-10-19T19:10:57.404Z"
}
}
</pre>
1. Record the value of the SSL Certificate <code>ARN</code> (Amazon Resource Name) to use when [configuring](#create-stack) your AWS resource stack. Alternatively, if you know the name of the certificate, you can run the following command to retrieve certificate metadata later: <pre class='terminal'>$ aws iam get-server-certificate --server-certificate-name YOUR-CERT-NAME</pre> For example: <pre class='terminal'>$ aws iam get-server-certificate --server-certificate-name myServerCertificate</pre>
### <a id="aws-certificate-manager"></a>(Option) Create SSL Certificate using the AWS Certificate Manager
1. Log into your AWS management console and navigate to **Certificate Manager**. If your Certificate Manager has no certificates, click **Get Started**.
1. Under **Add domain names**, enter the following wildcard subdomains to the certificate, based on your domain (example: example.com). Click **Add another name to this certificate** until you have entered them all:
* `*.example.com`
* `*.sys.example.com`
* `*.login.sys.example.com`
* `*.uaa.sys.example.com`
* `*.apps.example.com`
1. Click **Review and Request** to review, and **Confirm and Request** to confirm.
1. Check the email account registered for the domain owner. Open the certificate approval email message sent from Amazon Certificates, and click the email link to the approval page for the SSL certificate.
1. From the approval page, click **I Approve**.
1. Record the SSL Certificate Amazon Resource Name (ARN) shown on the confirmation page to use when [configuring](#create-stack) your AWS resource stack. Alternatively, you can retrieve certificate metadata later by selecting the certificate listing in Certificate Manager and recording values in the **Details** pane that appears underneath.
## <a id='download-template'></a>Step 2: Download the PCF CloudFormation Template ##
1. Sign in to [Pivotal Network](https://network.pivotal.io/).
1. Select PAS. From the <b>Releases</b> drop-down menu, select the release that you wish to install.
1. Download the **PCF CloudFormation for AWS Setup**.
1. Save the file as `pcf-cloudformation.json`.
## <a id='create-stack'></a>Step 3: Create a Resource Stack Using the CloudFormation Template ##
1. Log in to the [AWS Console](https://console.aws.amazon.com/).
<p class="note"><strong>Note</strong>: Log in to the <a href="https://console.amazonaws-us-gov.com/">AWS GovCloud (US) console</a> to deploy PCF on AWS GovCloud.</p>
1. In the second column, under **Management Tools**, click **CloudFormation**.
<%= image_tag("cloudform/cloudformation.png") %>
1. Click **Create New Stack**.
<%= image_tag("cloudform/newstack.png") %>
1. Select **Upload a template to Amazon S3**.
<%= image_tag("cloudform/uploadtemplate.png") %>
1. Click **Browse**. Browse to and select the `pcf-cloudformation.json`, the **Pivotal Cloud Foundry CloudFormation script for AWS** file that you downloaded. Click **Next**.
1. On the next screen, name the stack `pcf-stack`.
1. <a id='parameters'></a>In the **Specify Parameters** page, complete the
following fields:
* **AvailabilityZone1**: Enter the first availability zone in your region.
* **AvailabilityZone2**: Enter the second availability zone in your region.
* **AvailabilityZone3**: Enter the third availability zone in your region.
* **EnvironmentID**: Enter a prefix by which you can identify the resources for this PCF deployment.
* **ERTCertificateARN**: Enter your uploaded SSL Certificate ARN to use for PAS.
* **IsoCertificateARN**: Enter your uploaded SSL Certificate ARN to use for PCF Isolation Segment.
* **OpsManAMI**: Enter the **AMI ID** for your region. You can find this in the `Pivotal Cloud Foundry Ops Manager for AWS` PDF file available with the Ops Manager release on [Pivotal Network](https://network.pivotal.io).
* **OpsManIngressCidr**: If you want to limit which range of IP addresses can reach Ops Manager, enter a CIDR range in this field. Otherwise, leave this as `0.0.0.0/0`.
* **OpsManSSHKeyPairName**: Use the drop-down menu to select the name of your pre-existing AWS key pair.
* If you want to use Amazon RDS for the PAS databases, complete the following fields:
* **RDSDBName**: Do not change this value.
* **RDSPassword**: Enter a password for the RDS database.
* **RDSUsername**: Enter a username for the RDS database.
1. Click **Next**.
1. On the **Options** page, leave the fields blank and click **Next**.
<%= image_tag("cloudform/options.png") %>
1. On the **Review** page, select the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources** checkbox and click **Create**.
<%= image_tag("cloudform/acknowledge.png") %>
AWS runs the CloudFormation script and creates the infrastructure that you need to deploy PCF to AWS. This may take a few moments. You can click on the **Events** tab to view the progress of the setup.
When the installation process successfully completes, AWS displays **CREATE_COMPLETE** as the status of the stack.
<%= image_tag "cloudform/aws-cloudform-stacks.png" %>
After completing this procedure, complete all of the steps in the following
topics:
* [Configure DNS for PCF on AWS](./cloudform-dns-config.html)
* [Configuring Ops Manager Director for AWS](./cloudform-om-config.html)
* [Deploying PAS on AWS](./cloudform-er-config.html)
---
Return to [Installing Pivotal Cloud Foundry Using AWS CloudFormation](./cloudform-install.html).