Preparing to Deploy PCF on AWS Using Terraform

Prerequisites
Step 1: Download and Edit the Terraform Variables File
Step 2: Add Optional Variables
- Isolation Segments
- RDS
Step 3: Create AWS Resources with Terraform
Step 4: Create DNS Record
What to Do Next

Page last updated:

This guide describes the preparation steps required to install Pivotal Cloud Foundry (PCF) on Amazon Web Services (AWS) using Terraform templates.

The Terraform template for PCF on AWS describes a set of AWS resources and properties. For more information about how Terraform creates resources in AWS, see the AWS Provider topic on the Terraform site.

You may also find it helpful to review different deployment options in the Reference Architecture for Pivotal Cloud Foundry on AWS.

Prerequisites

In addition to fulfilling the prerequisites listed in the Installing Pivotal Cloud Foundry on AWS topic, ensure you have the following:

The Terraform CLI
In your AWS project, ensure you have an IAM user with the following permissions:
- AmazonEC2FullAccess
- AmazonRDSFullAccess
- AmazonRoute53FullAccess
- AmazonS3FullAccess
- AmazonVPCFullAccess
- IAMFullAccess
- AWSKeyManagementServicePowerUser

Step 1: Download and Edit the Terraform Variables File

Before you can run Terraform commands to create infrastructure resources, you must fill out a template variables file.

In a browser, navigate to Pivotal Network and log in.
Select Pivotal Application Service
Download the AWS Terraform Templates zip file.
Extract the contents of the zip file. Move the folder for your runtime, terraforming-pas or terraforming-pks, to the workspace directory on your local machine.
On the command line, navigate to the folder. For example:
```
$ cd ~/workspace/pivotal-cf-terraforming-aws
```
Create a new file named terraform.tfvars with the following command:
```
touch terraform.tfvars
```

Open the terraform.tfvars file and copy in the following contents:

env_name           = "YOUR-ENVIRONMENT-NAME"
access_key         = "YOUR-ACCESS-KEY"
secret_key         = "YOUR-SECRET-KEY"
region             = "YOUR-AWS-REGION"
availability_zones = ["YOUR-AZ-1", "YOUR-AZ-2", "YOUR-AZ-3"]
ops_manager_ami    = "YOUR-OPS-MAN-IMAGE-AMI"
dns_suffix         = "YOUR-DNS-SUFFIX"

ssl_cert = <<SSL_CERT
-----BEGIN CERTIFICATE-----
YOUR-CERTIFICATE
-----END CERTIFICATE-----
SSL_CERT

ssl_private_key = <<SSL_KEY
-----BEGIN EXAMPLE RSA PRIVATE KEY-----
YOUR-PRIVATE-KEY
-----END EXAMPLE RSA PRIVATE KEY-----
SSL_KEY

Edit the values in the file according to the table below:

Value to replace	Guidance
`YOUR-ENVIRONMENT-NAME`	Enter a name to use to identify resources in AWS. Terraform prepends the names of the resources it creates with this environment name. Example: `pcf`.
`YOUR-ACCESS-KEY`	Enter your AWS Access Key ID of the AWS project in which you want Terraform to create resources.
`YOUR-SECRET-KEY`	Enter your AWS Secret Access Key of the AWS project in which you want Terraform to create resources.
`YOUR-AWS-REGION`	Enter the name of the AWS region in which you want Terraform to create resources. Example: `us-central1`.
`YOUR-AZ-1 YOUR-AZ-2 YOUR-AZ-3`	Enter three availability zones from your region. Example: `us-central-1a`, `us-central-1b`, `us-central-1c`.
`YOUR-OPS-MAN-IMAGE-AMI`	Enter the source code for the Ops Manager Amazon Machine Image (AMI) you want to boot. You can find this code in the PDF included with the Ops Manager release on Pivotal Network. If you want to encrypt your Ops Manager VM, create an encrypted AMI copy from the AWS EC2 dashboard and enter the source code for the coped Ops Manager image instead. For more information about copying an AMI, see step 9 of Launch an Ops Manager AMI in the manual AWS configuration topic.
`YOUR-DNS-SUFFIX`	Enter a domain name to use as part of the system domain for your PCF deployment. Terraform creates DNS records in AWS using `YOUR-ENVIRONMENT-NAME` and `YOUR-DNS-SUFFIX`. For example, if you enter `example.com` for your DNS suffix and have `pcf` as your environment name, Terraform will create DNS records at `pcf.example.com`.
`YOUR-CERTIFICATE`	Enter a certificate to use for HTTP load balancing. For production environments, use a certificate from a Certificate Authority (CA). For test environments, you can use a self-signed certificate. Your certificate must specify your system domain as the common name. Your system domain is `YOUR-ENVIRONMENT-NAME.YOUR-DNS-SUFFIX`. It also must include the following subdomains: `.sys.YOUR-SYSTEM-DOMAIN`, `.login.sys.YOUR-SYSTEM-DOMAIN`, `.uaa.sys.YOUR-SYSTEM-DOMAIN`, `.apps.YOUR-SYSTEM-DOMAIN`.
`YOUR-PRIVATE-KEY`	Enter a private key for the certificate you entered.

Step 2: Add Optional Variables

Complete this step if you want to do any of the following in Pivotal Application Service (PAS):

Use an RDS for your deployment
Deploy the Isolation Segment tile

In your terraform.tfvars file, specify the appropriate variables from the sections below.

Note: You can see the configurable options by opening the variables.tf file and looking for variables with default values.

Isolation Segments

If you plan to deploy the Isolation Segment tile, add the following variables to your terraform.tfvars file, replacing YOUR-CERTIFICATE and YOUR-PRIVATE-KEY with a certificate and private key. This causes terraform to create an additional HTTP load balancer across three availability zones to use for the Isolation Segment tile.

create_isoseg_resources = 1

iso_seg_ssl_cert = <<ISO_SEG_SSL_CERT
-----BEGIN CERTIFICATE-----
YOUR-CERTIFICATE
-----END CERTIFICATE-----
ISO_SEG_SSL_CERT

iso_seg_ssl_cert_private_key = <<ISO_SEG_SSL_KEY
-----BEGIN EXAMPLE RSA PRIVATE KEY-----
YOUR-PRIVATE-KEY
-----END EXAMPLE RSA PRIVATE KEY-----
ISO_SEG_SSL_KEY

RDS

If you want to use an RDS for Ops Manager and PAS, add the following to your terraform.tfvars file:
```
rds_instance_count = 1
```
If you want to specify a username for RDS authentication, add the following variable to your terraform.tfvars file.
```
rds_db_username = username
```

Step 3: Create AWS Resources with Terraform

Follow these steps to use the Terraform CLI to create resources on AWS:

From the directory that contains the Terraform files, run terraform init to initialize the directory based on the information you specified in the terraform.tfvars file.

  terraform init

Run terraform plan -out=plan to create the execution plan for Terraform.

  terraform plan -out=plan

Run terraform apply plan to execute the plan from the previous step. It may take several minutes for Terraform to create all the resources in AWS.

  terraform apply plan

Step 4: Create DNS Record

In a browser, navigate to the DNS provider for the DNS suffix you entered in your terraform.tfvars file.
Create a new NS record for your PCF system domain. Your system domain is YOUR-ENVIRONMENT-NAME.YOUR-DNS-SUFFIX.
In this record, enter the name servers included in env_dns_zone_name_servers from your Terraform output.

What to Do Next

Proceed to the next step in the deployment, Configuring BOSH Director on AWS Using Terraform.

Create a pull request or raise an issue on the source for this page in GitHub