Installing and Configuring AWS Service Broker for VMware Tanzu

This topic describes how to install and configure AWS Service Broker for VMware Tanzu.

Prerequisites

Before you install AWS Service Broker for VMware Tanzu, you must:

  • Setup a DynamoDB Table.
  • Setup Identity and Access Management.

DynamoDB Table

Automated Setup

Prerequisites are setup using a CloudFormation template available at Github. Stack outputs provide the needed resource names for broker configuration.

Manual setup

Create the table with the following aws cli command:

aws dynamodb create-table --attribute-definitions \
AttributeName=id,AttributeType=S AttributeName=userid,AttributeType=S \
AttributeName=type,AttributeType=S --key-schema AttributeName=id,KeyType=HASH \
AttributeName=userid,KeyType=RANGE --global-secondary-indexes \
'IndexName=type-userid-index,KeySchema=[{AttributeName=type,KeyType=HASH},{AttributeName=userid,KeyType=RANGE}],Projection={ProjectionType=INCLUDE,NonKeyAttributes=[id,userid,type,locked]},ProvisionedThroughput={ReadCapacityUnits=5,WriteCapacityUnits=5}' \
--provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \
--region us-east-1 --table-name awssb

You can customize the table name as needed and pass in your table name using –tableName

Identity and Access Management

By default the broker uses the same credentials for provisioning ServiceInstances and for broker operations like fetching the catalog and reading/writing metadata to DynamoDB.

The user or role that the broker runs as requires the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
         "s3:GetObject",
         "s3:ListBucket"
      ],
      "Resource": [
         "arn:aws:s3:::awsservicebroker/templates/*",
         "arn:aws:s3:::awsservicebroker"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:GetItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:<REGION>:<ACCOUNT_ID>:table/<TABLE_NAME>",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters"
      ],
      "Resource": [
          "arn:aws:ssm:<REGION>:<ACCOUNT_ID>:parameter/asb-*",
          "arn:aws:ssm:<REGION>:<ACCOUNT_ID>:parameter/Asb*"
      ],
      "Effect": "Allow"
    }
  ]
}

Note: replace the <REGION>, <ACCOUNT_ID> and <TABLE_NAME> placeholders in the above json before creating the policy.

The role/user used for provisioning requires additional permissions for provisioning, binding and deprovisioning ServiceInstances. By default, this is the same user/role as the broker role, so add to that, or apply to a separate role, see Managing Resources Via Assumed Role.

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "SsmForSecretBindings",
        "Action": "ssm:PutParameter",
        "Resource": "arn:aws:ssm:<REGION>:<ACCOUNT_ID>:parameter/asb-*",
        "Effect": "Allow"
      },
      {
        "Sid": "AllowCfnToGetTemplates",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::awsservicebroker/templates/*",
        "Effect": "Allow"
      },
      {
         "Sid": "CloudFormation",
         "Action": [
            "cloudformation:CreateStack",
            "cloudformation:DeleteStack",
            "cloudformation:DescribeStacks",
            "cloudformation:DescribeStackEvents",
            "cloudformation:UpdateStack",
            "cloudformation:CancelUpdateStack"
         ],
         "Resource": [
            "arn:aws:cloudformation:<REGION>:<ACCOUNT_ID>:stack/aws-service-broker-*/*"
         ],
         "Effect": "Allow"
      },
     {
        "Sid": "ServiceClassPermissions",
        "Action": [
           "athena:*",
           "dynamodb:*",
           "kms:*",
           "elasticache:*",
           "elasticmapreduce:*",
           "kinesis:*",
           "rds:*",
           "redshift:*",
           "route53:*",
           "s3:*",
           "sns:*",
           "sqs:*",
           "ec2:*",
           "iam:*",
           "lambda:*"
        ],
        "Resource": [
           "*"
        ],
        "Effect": "Allow"
     }
   ]
}

Note: replace the <REGION>, <ACCOUNT_ID> placeholders in the above json before creating the policy.

If a custom catalog is published, this policy might need to be adapted.

Installation and Configuration

  1. Download the latest tile from the Tanzu Network
  2. Log in to Ops Manager and import the tile
  3. Complete configuration in the AWS Service Broker Configuration section. Take note of the following fields:
    • Broker ID - An ID to use for partitioning broker data in DynamoDb. if multiple brokers are used in the same AWS account, this value must be unique per broker. This is a customer selected string.
    • AWS Access Key ID and AWS Secret Access (REQUIRED) - Specify the credentials for the user created in the prerequisites section of this guide. If you are using an ec2 instance role attached to the broker hosts, leave these fields blank.
    • Target AWS Account ID and Target IAM Role Name - if you need to provision into a different account, or use a different role for provisioning, populate these with the account and role details. The role specified must allow the broker user/role to assume it
    • AWS Region - this is the default region for the broker to deploy services into, and must match the region that the DynamoDB table created in the prerequisisites section of this guide was created in (this will be decoupled in an upcoming update).
    • Amazon S3 Bucket - specify awsservicebroker
    • Amazon S3 Key Prefix - specify templates/latest/
    • Amazon S3 Region - specify us-east-1
    • Amazon S3 Key Suffix - specify -main.yaml
    • Amazon DynamoDB table name - specify the name of the table created in the prerequisites section of this guide, default is awssb