Deploying on AWS

1. Create a new AWS sub-account

We highly recommend using AWS Organizations to create a sub-account whose resources are isolated but is still owned by the original billing account.

Instructions on how to create a sub-account in your AWS Organization can be found here.

2. Create an IAM user

The new IAM user that we will create is used to install and manage all of the infrastructure needed to run the vendor service. Before creating the user, it is important to create its IAM policy.

Create a new policy from the following JSON content and give it a name you will remember, like "MetamanagementInstallation". (See this tutorial as a reference.)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeSSLPolicies",
                "rds:*",
                "s3:*",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "autoscaling:*",
                "iam:*",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "ec2:*",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeListenerCertificates",
                "eks:ListClusters",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticache:*",
                "eks:CreateCluster"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "eks:*",
            "Resource": [
                "arn:aws:eks:*:*:cluster/*",
                "arn:aws:eks:*:*:nodegroup/*/*/*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Deny",
            "Action": [
                "rds:AuthorizeDBSecurityGroupIngress",
                "ec2:ModifyVpcEndpointServicePermissions",
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:ModifySnapshotAttribute",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:ResetSnapshotAttribute"
            ],
            "Resource": "*"
        }
    ]
}

Once the IAM policy is created, create a new IAM user and attach that policy to it. Make sure that "Programmatic access" is enabled for the new user.

We then need to create a Metamanagement-specific AWS credentials file that is in the following format:

3. Accept the vendor invitation

You should have received an invitation in your email from your vendor indicating that they have invited you to install their service. Click the email and follow the instructions, filling out all of the required fields and following any secondary instructions the vendor may have given you.

After all of the information is submitted, it will take up to 30 minutes to spin up your new project. You will receive an email when this is done.

4. Set up DNS

The Metamanagement console will give you the IP address at which the cluster is being made available. You should add DNS A records mapping from the domain name you provided to that IP address. Instructions for a few common providers are linked below:

• Google Domains

• GoDaddy

• Amazon Route 53

Note that after setting up DNS, it may take another ~5 minutes for the relevant SSL certs to be generated and for your app to become fully available.

5. Accessing the new service

If you created your service in a completely new project and it must be accessible by other services running in your infrastructure, you must somehow make the new VPC accessible from other VPCs.

The first way to do this is with VPC peering. This is useful if you want unrestricted two-way access between the newly installed service and your main infrastructure. More information on VPC peering can be found here.

The second way to do this is with AWS PrivateLink. Rather than joining the VPCs, AWS PrivateLink gives you a way to allow explicit connections only to a particular service. More information on how to set this up can be found here.