
Deploying on AWS

This page describes how to deploy onto AWS.


Last updated 4 years ago

1. Create a new AWS sub-account

We highly recommend using AWS Organizations to create a sub-account whose resources are isolated but which is still owned by the original billing account.

Instructions on how to create a sub-account in your AWS Organization can be found here.

2. Create an IAM user

The new IAM user that we will create is used to install and manage all of the infrastructure needed to run the vendor service. Before creating the user, it is important to create its IAM policy.

Create a new policy from the following JSON content and give it a name you will remember, like "MetamanagementInstallation". (See this tutorial as a reference.)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeSSLPolicies",
                "rds:*",
                "s3:*",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "autoscaling:*",
                "iam:*",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "ec2:*",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeListenerCertificates",
                "eks:ListClusters",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticache:*",
                "eks:CreateCluster"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "eks:*",
            "Resource": [
                "arn:aws:eks:*:*:cluster/*",
                "arn:aws:eks:*:*:nodegroup/*/*/*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Deny",
            "Action": [
                "rds:AuthorizeDBSecurityGroupIngress",
                "ec2:ModifyVpcEndpointServicePermissions",
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:ModifySnapshotAttribute",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:ResetSnapshotAttribute"
            ],
            "Resource": "*"
        }
    ]
}

Once the IAM policy is created, create a new IAM user and attach that policy to it. Make sure that "Programmatic access" is enabled for the new user.
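
Before attaching the policy, it helps to list what it grants without any resource scoping. The script below is an added example, not part of the original documentation; the embedded policy is an abbreviated copy of the one above, and the function names are hypothetical.

```python
import json

# Abbreviated copy of the policy above (constructed excerpt: most
# elasticloadbalancing:Describe* actions and some Deny entries are omitted).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["elasticloadbalancing:DescribeTags", "rds:*", "s3:*",
                "autoscaling:*", "iam:*", "ec2:*", "elasticache:*",
                "eks:ListClusters", "eks:CreateCluster"],
     "Resource": "*"},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "eks:*",
     "Resource": ["arn:aws:eks:*:*:cluster/*",
                  "arn:aws:eks:*:*:nodegroup/*/*/*"]},
    {"Sid": "VisualEditor2", "Effect": "Deny",
     "Action": ["rds:AuthorizeDBSecurityGroupIngress",
                "ec2:ModifySnapshotAttribute"],
     "Resource": "*"}
  ]
}
""")

def _as_list(value):
    """IAM accepts either a single value or a list for these fields."""
    return value if isinstance(value, list) else [value]

def full_service_grants(policy):
    """Services allowed as '<service>:*' on Resource '*' (unscoped)."""
    found = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if name == "*" or action == "*":
                found.add(service)
    return sorted(found)

def explicit_denies(policy):
    """Actions blocked outright; an explicit Deny overrides any Allow."""
    return sorted(a for s in _as_list(policy["Statement"])
                  if s.get("Effect") == "Deny" for a in _as_list(s.get("Action", [])))

if __name__ == "__main__":
    print("Full-service access on all resources:", full_service_grants(POLICY))
    print("Explicitly denied:", explicit_denies(POLICY))
```

Because `iam:*` is among the unscoped grants, these credentials can change IAM itself, so the account is the effective boundary; this is what the dedicated sub-account from step 1 provides.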

We then need to create a Metamanagement-specific AWS credentials file that is in the following format:

[default]
aws_access_key_id = <access key id>
aws_secret_access_key = <secret access key>
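
Since this file holds long-lived keys for a user with the policy above, it is worth checking it before upload or storage. The following check is an added example, not part of the original documentation; the function name and the command-line usage are assumptions.

```python
import configparser
import os
import stat
import sys

REQUIRED_KEYS = ("aws_access_key_id", "aws_secret_access_key")

def check_credentials_file(path):
    """Return a list of problems with the credentials file; empty means OK."""
    problems = []
    # The file contains a secret key, so only its owner should have access.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:o} lets group/other access the file; use 600")
    # interpolation=None so a '%' in a value is never treated as a reference.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read(path)
    except configparser.Error as exc:
        return problems + [f"not valid INI: {exc}"]
    if not parser.has_section("default"):
        return problems + ["missing [default] section"]
    for key in REQUIRED_KEYS:
        value = parser.get("default", key, fallback="").strip()
        # Catch the template being saved with its <...> placeholders intact.
        if not value or value.startswith("<"):
            problems.append(f"{key} is empty or still a placeholder")
    return problems

if __name__ == "__main__" and len(sys.argv) == 2:
    issues = check_credentials_file(sys.argv[1])
    print("\n".join(issues) if issues else "credentials file looks OK")
    sys.exit(1 if issues else 0)
```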

3. Accept the vendor invitation

You should have received an email invitation from your vendor indicating that they have invited you to install their service. Open the email and follow the instructions, filling out all of the required fields and following any secondary instructions the vendor may have given you.

After all of the information is submitted, it will take up to 30 minutes to spin up your new project. You will receive an email when this is done.

4. Set up DNS

The Metamanagement console will give you the IP address at which the cluster is being made available. You should add DNS A records mapping from the domain name you provided to that IP address. Instructions for a few common providers are linked below:

  • Google Domains
  • GoDaddy
  • Amazon Route 53

Note that after setting up DNS, it may take another ~5 minutes for the relevant SSL certs to be generated and for your app to become fully available.

5. Accessing the new service

If you created your service in a completely new project and it must be accessible by other services running in your infrastructure, you must somehow make the new VPC accessible from other VPCs.

The first way to do this is with VPC peering. This is useful if you want unrestricted two-way access between the newly installed service and your main infrastructure. More information on VPC peering can be found here.

The second way to do this is with AWS PrivateLink. Rather than joining the VPCs, AWS PrivateLink gives you a way to allow explicit connections only to a particular service. More information on how to set this up can be found here.
