forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcloudform-template.html.md.erb
146 lines (101 loc) · 9.36 KB
/
cloudform-template.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
---
title: Deploying the CloudFormation Template for Pivotal Cloud Foundry® on AWS
owner: Ops Manager
---
<strong><%= modified_date %></strong>
This topic describes how to deploy the CloudFormation template for [Pivotal Cloud Foundry®](https://network.pivotal.io/products/pivotal-cf) (PCF) on Amazon Web Services (AWS).
An AWS CloudFormation template describes a set of AWS resources and properties.
Follow the instructions below to use a CloudFormation template to create the
infrastructure that you need to deploy PCF to AWS.
The template is designed to ouput the resources necessary for two availability zones (AZ), with a private and public subnet designated for each az. The Elastic Load Balancer will be attached to the public subnet of both AZs to balance traffic across both environments.
<p class="note"><strong>Note</strong>: The CloudFormation template for Elastic Runtime includes a reference to another CloudFormation template for Ops Manager. For more information on how IaaS user roles are configured for each template, refer to the <a href="iaas-user-roles.html">Pivotal Cloud Foundry® IaaS User Role Guidelines</a> topic.</p>
<p class='note'><strong>Note</strong>: Before following the procedure below, confirm that you have selected the correct region within your AWS account. All of the AWS resources for your deployment must exist within a single region. See the <a href='http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions-availability-zones'>Amazon documentation on regions and availability zones</a> for help selecting the correct region for your deployment.</p>
## <a id='download-template'></a>Step 1: Download the PCF CloudFormation Template ##
1. Sign in to [Pivotal Network](https://network.pivotal.io/).
1. Select <b>Elastic Runtime</b>. From the <b>Releases</b> drop-down menu, select the release that you wish to install.
1. Download the **PCF 1.7 Cloudformation script for AWS**.
1. Save the file as `pcf.json`.
## <a id='upload-cert'></a>Step 2: Upload an SSL Certificate to AWS ##
You can add an SSL Certificate using two methods:
* The [AWS CLI](#aws-cli)
* The [AWS Certificate Manager](#aws-certificate-manager)
### <a id="aws-cli"></a>(Option) Create SSL Certificate using the AWS CLI
The [AWS CLI](https://aws.amazon.com/cli/) must be installed on your machine and configured to a user account with admin access privileges on your AWS account.
1. Obtain or create an SSL server certificate. See the [AWS docs on SSL certificates](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html). When you create a certificate signing request (CSR) in the “Create a Server Certificate” instructions, you must use your system wildcard domain (example: `*.my-pcf-apps-domain.com`) as the Common Name input.
1. Add the following additional domains and wildcards using OpenSSL’s SAN (subjectAltName) extension: `*.system.yourdomain.com`, `*.login.system.yourdomain.com`, `*.uaa.system.yourdomain.com`, and `*.apps.yourdomain.com`.
<p class='note'><strong>Note</strong>: If you are using a self-signed cert or selected the "Generate Self-Signed RSA Certificate" option during the <a href="./../customizing/cloudform-er-config.html#security-config">Deploying Elastic Runtime on AWS</a> installation process, you can ignore the step above. However, make sure you upload the self-signed cert to AWS and attach the cert to the listeners on the AWS Elastic Load Balancer. Pivotal recommends only using a self-signed cert for testing and development.</p>
1. Upload your SSL certificate to AWS. For more information, see the [AWS docs on uploading SSL certificate using the CLI](http://docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html).
<pre class='terminal'>
$ aws iam upload-server-certificate \
--server-certificate-name YOUR-CERTIFICATE \
--certificate-body file://YOUR-PUBLIC-KEY-CERT-FILE.pem \
--private-key file://YOUR-PRIVATE-KEY-FILE.pem \
</pre>
For example:
<pre class='terminal'>
$ aws iam upload-server-certificate \
--server-certificate-name myServerCertificate \
--certificate-body file://my-certificate.pem \
--private-key file://my-private-key.pem
</pre><p class='note'><strong>Note</strong>: If you receive an upload error (MalformedCertificate), run the following command to convert your server certificate to the PEM format as required by the AWS Identity and Management (IAM) service:
<code>$ openssl x509 -inform PEM -in my-certificate.pem</code><br/>Then try your upload again.</p>
1. After successfully uploading the certificate to your AWS account, you will see output metadata for your certificate. For example:
<pre class="highlight json">
{
"ServerCertificateMetadata": {
"ServerCertificateId": "ASCAI3HRFYUTD55KNAF64",
"ServerCertificateName": "myServerCertificate",
"Expiration": "2016-10-18T18:41:59Z",
"Path": "/",
"Arn": "arn:aws:iam::9240874958318:server-certificate/myServerCertificate",
"UploadDate": "2015-10-19T19:10:57.404Z"
}
}
</pre>
1. Record the value of the <code>Arn</code> key to use when configuring your AWS resource stack. Alternatively, if you know the name of the certificate, you can run the following command to retrieve certificate metadata at a later point: <pre class='terminal'>$ aws iam get-server-certificate --server-certificate-name YOUR-CERT-NAME</pre> For example: <pre class='terminal'>$ aws iam get-server-certificate --server-certificate-name myServerCertificate</pre>
### <a id="aws-certificate-manager"></a> (Option) Create SSL Certificate using the AWS Certificate Manager
Refer to the [Amazon Certificate Manager](https://aws.amazon.com/certificate-manager/) documentation to use the AWS Certificate Manager to manage your SSL certificates and generate a certificate ARN. You will need the ARN in the next step.
## <a id='create-stack'></a>Step 3: Create a Resource Stack Using the CloudFormation Template ##
1. Log in to the [AWS Console](https://console.aws.amazon.com/).
1. In the second column, under **Management Tools**, click **CloudFormation**.
<%= image_tag("cloudform/cloudformation.png") %>
1. Click **Create New Stack**.
<%= image_tag("cloudform/newstack.png") %>
1. Select **Upload a template to Amazon S3**.
<%= image_tag("cloudform/uploadtemplate.png") %>
1. Click **Browse**. Browse to and select the `pcf.json`, the **Pivotal Cloud Foundry® Cloudformation script for AWS** file that you downloaded. Click **Next**.
1. On the next screen, name the stack `pcf-stack`.
1. <a id='parameters'></a>In the **Specify Parameters** page, complete the
following fields:
<%= image_tag("cloudform/new_stack_params.png") %>
* **01NATKeyPair**: Use the drop-down menu to select the name of your pre-existing AWS key pair. If you do not have a pre-existing key pair, create one in [AWS](http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-create-keypair.html) and return to this step.
* **02NATInstanceType**: Do not change this value.
* **03OpsManagerIngress**: Do not change this value.
<p class="note"><strong>Note</strong>: The first parameter name begins with `03`.</p>
* **04RdsDBName**: Do not change this value.
* **05RdsUserName**: Enter a username for the RDS database.
<p class='note'><strong>Note</strong>: Do not enter the username
<code>rdsadmin</code>. AWS reserves the <code>rdsadmin</code> user
account for internal database instance management.
</p>
<p class="note"><strong>Note</strong>: Your username must include only numbers, letters or the `_` character or your deployment will fail without a useful error.</p>
* **06RdsPassword**: Enter a password for the RDS database.
* **07SSLCertificateARN**: Enter your SSL Certificate ARN.
* **08OpsManagerTemplate**: The default template link provided here works. Otherwise you can enter your own S3 bucket location of the Ops Manager CloudFormation script.
* **09ElbPrefix**: Prefix for the generated names of the ELBs. Any string you specify in this field will be prefixed to `-pcf-elb` to form the name of your ELBs. Leave empty to use the default prefix of <code>AWS::StackName</code>.
* **10AllowHttpOnElb**: Set this to `true` to listen for HTTP traffic on port 80. This is the default. Set it to `false` to only listen for traffic on ports 443 and 4443.
1. Click **Next**.
1. On the **Options** page, leave the fields blank and click **Next**.
<%= image_tag("cloudform/options.png") %>
1. On the **Review** page, select the **I acknowledge that this template might cause AWS CloudFormation to create IAM resources** checkbox and click **Create**.
<%= image_tag("cloudform/acknowledge.png") %>
AWS runs the CloudFormation script and creates the infrastructure that you need to deploy PCF to AWS. This may take a few moments. You can click on the **Events** tab to view the progress of the setup.
When the installation process successfully completes, AWS displays **CREATE_COMPLETE** as the status of the stack.
<%= image_tag "cloudform/aws-cloudform-stacks.png" %>
After completing this procedure, complete all of the steps in the following
topics:
* [Launching an Ops Manager Director Instance on AWS](./cloudform-om-deploy.html)
* [Configuring Ops Manager Director for AWS](./cloudform-om-config.html)
* [Deploying Elastic Runtime on AWS](./cloudform-er-config.html)
---
Return to [Installing Pivotal Cloud Foundry® Using AWS CloudFormation](./cloudform.html).