Deploying Ops Manager on AWS Using Terraform
Page last updated:
Warning: Pivotal Operations Manager v2.4 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.
This guide describes the preparation steps required to deploy Ops Manager on Amazon Web Services (AWS) using Terraform templates.
The Terraform template for Ops Manager on AWS describes a set of AWS resources and properties. For more information about how Terraform creates resources in AWS, see the AWS Provider topic on the Terraform site.
If you are deploying Pivotal Application Service (PAS), you may also find it helpful to review different deployment options in the Reference Architecture for Pivotal Cloud Foundry on AWS.
Prerequisites
Before you deploy Ops Manager on AWS, review the following:
- If you intend to install PAS, see PCF on AWS Requirements.
- If you intend to install Enterprise Pivotal Container Service (Enterprise PKS), see AWS Prerequisites and Resource Requirements.
In addition to reviewing the prerequisites for your runtime, ensure you have the following:
- The Terraform CLI
- In your AWS account, ensure you have an IAM user with the following permissions:
- AmazonEC2FullAccess
- AmazonRDSFullAccess
- AmazonRoute53FullAccess
- AmazonS3FullAccess
- AmazonVPCFullAccess
- IAMFullAccess
- AWSKeyManagementServicePowerUser
Step 1: Download Templates and Edit Variables File
Before you can run Terraform commands to provision infrastructure resources, you must download the AWS Terraform templates and create a Terraform template variables file as described below:
On Pivotal Network, navigate to the Pivotal Application Service (formerly Elastic Runtime) release.
Download the AWS Terraform templates ZIP file.
Extract the contents of the ZIP file.
Move the extracted folder to the
workspace
directory on your local machine.On the command line, navigate to the directory. For example:
$ cd ~/workspace/pivotal-cf-terraforming-aws
Navigate to the
terraforming-pas
orterraforming-pks
directory that contains the Terraform files for your runtime.In the runtime directory, create a text file named
terraform.tfvars
.Open the
terraform.tfvars
file and add the following:env_name = "YOUR-ENVIRONMENT-NAME" access_key = "YOUR-ACCESS-KEY" secret_key = "YOUR-SECRET-KEY" region = "YOUR-AWS-REGION" availability_zones = ["YOUR-AZ-1", "YOUR-AZ-2", "YOUR-AZ-3"] ops_manager_ami = "YOUR-OPS-MAN-IMAGE-AMI" dns_suffix = "YOUR-DNS-SUFFIX" ssl_cert = <<SSL_CERT -----BEGIN CERTIFICATE----- YOUR-CERTIFICATE -----END CERTIFICATE----- SSL_CERT ssl_private_key = <<SSL_KEY -----BEGIN EXAMPLE RSA PRIVATE KEY----- YOUR-PRIVATE-KEY -----END EXAMPLE RSA PRIVATE KEY----- SSL_KEY
Edit the values in the file according to the table below.
Value to replace Guidance YOUR-ENVIRONMENT-NAME
Enter a name to use to identify resources in AWS. Terraform prepends the names of the resources it creates with this environment name. Note: You can only enter lowercase alphanumeric characters and hyphens. Examples include
pcf
,pas
, andpks
.YOUR-ACCESS-KEY
Enter your AWS Access Key ID of the AWS account in which you want Terraform to create resources. YOUR-SECRET-KEY
Enter your AWS Secret Access Key of the AWS account in which you want Terraform to create resources. YOUR-AWS-REGION
Enter the name of the AWS region in which you want Terraform to create resources. Example: us-central1
.YOUR-AZ-1
YOUR-AZ-2
YOUR-AZ-3Enter three availability zones from your region. Example: us-central-1a
,us-central-1b
,us-central-1c
.YOUR-OPS-MAN-IMAGE-AMI
Enter the source code for the Ops Manager Amazon Machine Image (AMI) you want to boot. You can find this code in the PDF included with the Ops Manager release on Pivotal Network.
If you want to encrypt your Ops Manager VM, create an encrypted AMI copy from the AWS EC2 dashboard and enter the source code for the copied Ops Manager image instead. For more information about copying an AMI, use Launch an Ops Manager AMI in the manual AWS configuration topic.
To prevent the creation of an Ops Manager VM, set this value to an empty string (""
). When using Platform Automation, you must disable the creation of the Ops Manager VM from Terraform. For more information, see Platform Automation.YOUR-DNS-SUFFIX
Enter a domain name to use as part of the system domain for your deployment. Terraform creates DNS records in AWS using YOUR-ENVIRONMENT-NAME
andYOUR-DNS-SUFFIX
. For example, if you enterexample.com
for your DNS suffix and havepcf
as your environment name, Terraform will create DNS records atpcf.example.com
.YOUR-CERTIFICATE
Enter a certificate to use for HTTP load balancing. For production environments, use a certificate from a Certificate Authority (CA). For test environments, you can use a self-signed certificate. Your certificate must specify your system domain as the common name. Your system domain is
YOUR-ENVIRONMENT-NAME.YOUR-DNS-SUFFIX
.It also must include the following subdomains:
*.sys.YOUR-SYSTEM-DOMAIN
,*.login.sys.YOUR-SYSTEM-DOMAIN
,*.uaa.sys.YOUR-SYSTEM-DOMAIN
,*.apps.YOUR-SYSTEM-DOMAIN
.YOUR-PRIVATE-KEY
Enter a private key for the certificate you entered.
Step 2: Add Optional Variables
Complete this step if you want to do any of the following in PAS:
- Use an AWS Relational Database Service (RDS) for your deployment. For more information, see Getting started with Amazon RDS in Amazon RDS resources.
- Deploy the PCF Isolation Segment tile.
In your terraform.tfvars
file, specify the appropriate variables from the sections below.
Note: You can see the configurable options by opening the variables.tf
file and looking for variables with default values.
Isolation Segments
If you plan to deploy the PCF Isolation Segment tile, add the following variables to your terraform.tfvars
file,
replacing YOUR-CERTIFICATE
and YOUR-PRIVATE-KEY
with a certificate and private key.
This causes terraform to create an additional HTTP load balancer across three availability zones to use for the PCF Isolation Segment tile.
create_isoseg_resources = 1
iso_seg_ssl_cert = <<ISO_SEG_SSL_CERT
-----BEGIN CERTIFICATE-----
YOUR-CERTIFICATE
-----END CERTIFICATE-----
ISO_SEG_SSL_CERT
iso_seg_ssl_cert_private_key = <<ISO_SEG_SSL_KEY
-----BEGIN EXAMPLE RSA PRIVATE KEY-----
YOUR-PRIVATE-KEY
-----END EXAMPLE RSA PRIVATE KEY-----
ISO_SEG_SSL_KEY
RDS
If you want to use an RDS for Ops Manager and PAS, add the following to your
terraform.tfvars
file:rds_instance_count = 1
If you want to specify a username for RDS authentication, add the following variable to your
terraform.tfvars
file.rds_db_username = "your-database-name"
Step 3: Create AWS Resources with Terraform
Follow these steps to use the Terraform CLI to create resources on AWS:
From the directory that contains the Terraform files, run
terraform init
to initialize the directory based on the information you specified in theterraform.tfvars
file.terraform init
Run
terraform plan -out=plan
to create the execution plan for Terraform.terraform plan -out=plan
Run
terraform apply plan
to execute the plan from the previous step. It may take several minutes for Terraform to create all the resources in AWS.terraform apply plan
Step 4: Create DNS Record
In a browser, navigate to the DNS provider for the DNS suffix you entered in your
terraform.tfvars
file.Create a new NS record for your system domain. Your system domain is
YOUR-ENVIRONMENT-NAME.YOUR-DNS-SUFFIX
.In this record, enter the name servers included in
env_dns_zone_name_servers
from your Terraform output.
Note: Terraform creates a Route53
recordset for the domain prefixed with the environment name. If your base domain is registered with AWS, ensure that the NS record from the terraform-created recordset is copied in the domain recordset before proceeding.
What to Do Next
Proceed to the next step in the deployment, Configuring BOSH Director on AWS Using Terraform.