Deploying Ops Manager on AWS Using Terraform

Page last updated:

This guide describes the preparation steps required to deploy Ops Manager on Amazon Web Services (AWS) using Terraform templates.

The Terraform template for Ops Manager on AWS describes a set of AWS resources and properties. For more information about how Terraform creates resources in AWS, see AWS Provider in the Terraform documentation.

If you are deploying VMware Tanzu Application Service for VMs (TAS for VMs), review different deployment options in AWS Reference Architecture.

Prerequisites

Before you deploy Ops Manager on AWS:

In addition to reviewing the prerequisites for your runtime, ensure you have:

  • The Terraform CLI

  • In your AWS account, ensure you have an IAM user with the following permissions:

    • IAM policies:
      • AmazonEC2FullAccess
      • AmazonRDSFullAccess
      • AmazonRoute53FullAccess
      • AmazonS3FullAccess
      • AmazonVPCFullAccess
      • IAMFullAccess
      • AWSKeyManagementServicePowerUser
    • Key policies:
      • kms:UpdateKeyDescription action allowed

Step 1: Download Templates and Edit Variables File

Before you can run Terraform commands to provision infrastructure resources, you must download the AWS Terraform templates and create a Terraform template variables file. To download the templates and create a template variables file:

  1. On VMware Tanzu Network, navigate to the VMware Tanzu Application Service for VMs release.

  2. Download the AWS Terraform templates ZIP file.

  3. Extract the contents of the ZIP file.

  4. Move the extracted folder to the workspace directory on your local machine.

  5. On the command line, navigate to the extracted folder. For example:

    cd ~/workspace/pivotal-cf-terraforming-aws
    
  6. Navigate to the terraforming-pas or terraforming-pks directory that contains the Terraform files for your runtime.

  7. In the runtime directory, create a text file named terraform.tfvars.

  8. Open the terraform.tfvars file and add:

    env_name           = "YOUR-ENVIRONMENT-NAME"
    access_key         = "YOUR-ACCESS-KEY"
    secret_key         = "YOUR-SECRET-KEY"
    region             = "YOUR-AWS-REGION"
    availability_zones = ["YOUR-AZ-1", "YOUR-AZ-2", "YOUR-AZ-3"]
    ops_manager_ami    = "YOUR-OPS-MAN-IMAGE-AMI"
    dns_suffix         = "YOUR-DNS-SUFFIX"
    
    ssl_cert = <<SSL_CERT
    -----BEGIN CERTIFICATE-----
    YOUR-CERTIFICATE
    -----END CERTIFICATE-----
    SSL_CERT
    
    ssl_private_key = <<SSL_KEY
    -----BEGIN EXAMPLE RSA PRIVATE KEY-----
    YOUR-PRIVATE-KEY
    -----END EXAMPLE RSA PRIVATE KEY-----
    SSL_KEY
    
  9. Edit the values in the file according to the table below:

    Value to replace Guidance
    YOUR-ENVIRONMENT-NAME Enter a name to use to identify resources in AWS. Terraform prepends the names of the resources it creates with this environment name.

    Note: You can only enter lowercase alphanumeric characters and hyphens. Examples include pcf, pas, and pks.

    YOUR-ACCESS-KEY Enter your AWS Access Key ID of the AWS account in which you want Terraform to create resources.
    YOUR-SECRET-KEY Enter your AWS Secret Access Key of the AWS account in which you want Terraform to create resources.
    YOUR-AWS-REGION Enter the name of the AWS region in which you want Terraform to create resources. For example, us-central1.
    YOUR-AZ-1
    YOUR-AZ-2
    YOUR-AZ-3
    Enter three availability zones from your region. For example, us-central-1a, us-central-1b, us-central-1c.
    YOUR-OPS-MAN-IMAGE-AMI Enter the source code for the Ops Manager Amazon Machine Image (AMI) you want to boot. You can find this code in the PDF included with the Ops Manager release on VMware Tanzu Network.

    If you want to encrypt your Ops Manager VM, create an encrypted AMI copy from the AWS EC2 dashboard and enter the source code for the copied Ops Manager image instead. For more information about copying an AMI, see the Launch an Ops Manager AMI section of the Deploying Ops Manager on AWS Manually topic.

    To prevent the creation of an Ops Manager VM, set this value to an empty string (""). When using Platform Automation, you must disable the creation of the Ops Manager VM from Terraform. For more information, see Platform Automation.
    YOUR-DNS-SUFFIX Enter a domain name to use as part of the system domain for your deployment. Terraform creates DNS records in AWS using YOUR-ENVIRONMENT-NAME and YOUR-DNS-SUFFIX. For example, if you enter example.com for your DNS suffix and have pcf as your environment name, Terraform creates DNS records at pcf.example.com.
    YOUR-CERTIFICATE Enter a certificate to use for HTTP load balancing. For production environments, use a certificate from a Certificate Authority (CA). For test environments, you can use a self-signed certificate.

    Your certificate must specify your system domain as the common name. Your system domain is YOUR-ENVIRONMENT-NAME.YOUR-DNS-SUFFIX.

    It also must include the following subdomains: *.sys.YOUR-SYSTEM-DOMAIN, *.login.sys.YOUR-SYSTEM-DOMAIN, *.uaa.sys.YOUR-SYSTEM-DOMAIN, *.apps.YOUR-SYSTEM-DOMAIN.

    YOUR-PRIVATE-KEY Enter a private key for the certificate you entered.

Step 2: Add Optional Variables

Complete this step if you want to:

  • Use an AWS Relational Database Service (RDS) for your TAS for VMs deployment. For more information, see Getting started with Amazon RDS in the AWS documentation.

  • Deploy the Isolation Segment tile.

In your terraform.tfvars file, specify the appropriate variables from the sections below.

Note: You can see the configurable options by opening the variables.tf file and looking for variables with default values.

Isolation Segments

If you plan to deploy the Isolation Segment tile, add the variables below to your terraform.tfvars file, replacing YOUR-CERTIFICATE and YOUR-PRIVATE-KEY with a certificate and private key.

create_isoseg_resources = 1

iso_seg_ssl_cert = <<ISO_SEG_SSL_CERT
-----BEGIN CERTIFICATE-----
YOUR-CERTIFICATE
-----END CERTIFICATE-----
ISO_SEG_SSL_CERT

iso_seg_ssl_cert_private_key = <<ISO_SEG_SSL_KEY
-----BEGIN EXAMPLE RSA PRIVATE KEY-----
YOUR-PRIVATE-KEY
-----END EXAMPLE RSA PRIVATE KEY-----
ISO_SEG_SSL_KEY

Where:

  • YOUR-CERTIFICATE is your certificate.
  • YOUR-PRIVATE-KEY is your private key.

This causes Terraform to create an additional HTTP load balancer across three availability zones to use for the Isolation Segment tile.

RDS

To use an AWS RDS for your deployment:

  1. Add the following to your terraform.tfvars file:

    rds_instance_count = 1
    
  2. To specify a username for RDS authentication, add the following variable to your terraform.tfvars file:

    rds_db_username = "YOUR-DATABASE-NAME"
    

    Where YOUR-DATABASE-NAME is the name of your RDS.

Step 3: Create AWS Resources with Terraform

To use the Terraform CLI to create resources on AWS:

  1. From the directory that contains the Terraform files, initialize the directory based on the information you specified in the terraform.tfvars file by running:

    terraform init
    

    Note: If you see the error heredoc not terminated, then open the terraform.tfvars file and delete any trailing spaces that follow heredoc terminators such as EOF. Then, run the terraform init command again.

  2. To create the execution plan for Terraform, run:

    terraform plan -out=plan
    
  3. To execute the plan from the previous step, run:

    terraform apply plan
    

    It may take several minutes for Terraform to create all the resources in AWS.

Step 4: Create DNS Record

To create a DNS record for your deployment:

  1. In a browser, navigate to the DNS provider for the DNS suffix you entered in your terraform.tfvars file.

  2. Create a new NS record for your system domain. Your system domain is YOUR-ENVIRONMENT-NAME.YOUR-DNS-SUFFIX.

  3. In this record, enter the name servers included in env_dns_zone_name_servers from your Terraform output.

Note: Terraform creates a Route53 recordset for the domain prefixed with the environment name. If your base domain is registered with AWS, ensure that the NS record from the terraform-created recordset is copied in the domain recordset before proceeding.

Next Steps

Proceed to the next step in the deployment, Configuring BOSH Director on AWS Using Terraform.