# Deploying on AWS

### 1. Create a new AWS sub-account

We highly recommend using AWS Organizations to create a sub-account whose resources are isolated from your other accounts but which is still owned by the original billing account.

Instructions on how to create a sub-account in your AWS Organization can be found [here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html).

### 2. Create an IAM user

The new IAM user that we will create is used to install and manage all of the infrastructure needed to run the vendor service. Before creating the user, create the IAM policy it will use.

Create a new policy from the following JSON content and give it a name you will remember, like "MetamanagementInstallation". (See [this tutorial](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_managed-policies.html) as a reference.)

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeSSLPolicies",
                "rds:*",
                "s3:*",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "autoscaling:*",
                "iam:*",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "ec2:*",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeListenerCertificates",
                "eks:ListClusters",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticache:*",
                "eks:CreateCluster"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "eks:*",
            "Resource": [
                "arn:aws:eks:*:*:cluster/*",
                "arn:aws:eks:*:*:nodegroup/*/*/*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Deny",
            "Action": [
                "rds:AuthorizeDBSecurityGroupIngress",
                "ec2:ModifyVpcEndpointServicePermissions",
                "ec2:DeleteNetworkInterfacePermission",
                "ec2:ModifySnapshotAttribute",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:ResetSnapshotAttribute"
            ],
            "Resource": "*"
        }
    ]
}
```
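As an added check (not part of this page or the vendor's tooling), the following Python transcribes the policy above into data and evaluates it the way IAM resolves a single identity policy (an explicit Deny beats any Allow; no matching Allow is an implicit deny), then lists the services where the installer user receives `<service>:*` on every resource. It assumes no Condition keys, SCPs or resource-based policies are in play, so it is a pre-creation sanity check, not a replacement for IAM's policy simulator.

```python
import fnmatch

# Policy from this page, transcribed to Python data (statements and actions unchanged).
ELB_DESCRIBE = ["elasticloadbalancing:Describe" + s for s in (
    "SSLPolicies", "Tags", "LoadBalancerPolicyTypes", "LoadBalancerAttributes",
    "LoadBalancers", "TargetGroupAttributes", "Listeners", "AccountLimits",
    "TargetHealth", "LoadBalancerPolicies", "TargetGroups", "ListenerCertificates",
    "Rules", "InstanceHealth")]
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
     "Action": ["rds:*", "s3:*", "autoscaling:*", "iam:*", "ec2:*", "elasticache:*",
                "eks:ListClusters", "eks:CreateCluster",
                "elasticloadbalancing:DeleteLoadBalancer"] + ELB_DESCRIBE},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "eks:*",
     "Resource": ["arn:aws:eks:*:*:cluster/*", "arn:aws:eks:*:*:nodegroup/*/*/*"]},
    {"Sid": "VisualEditor2", "Effect": "Deny", "Resource": "*",
     "Action": ["rds:AuthorizeDBSecurityGroupIngress", "ec2:ModifyVpcEndpointServicePermissions",
                "ec2:DeleteNetworkInterfacePermission", "ec2:ModifySnapshotAttribute",
                "ec2:CreateNetworkInterfacePermission", "ec2:ResetSnapshotAttribute"]},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one; matching is case-insensitive.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Simplified evaluation of one identity policy (no Condition keys): an explicit Deny
    wins over every Allow, and with no matching Allow the result is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def service_wildcards(policy):
    """Services granted '<service>:*' on Resource '*' by an Allow statement, i.e. where the
    installer user holds full control of that service inside the sub-account."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and "*" in _as_list(stmt["Resource"]):
            found.update(a.split(":")[0] for a in _as_list(stmt["Action"]) if a.endswith(":*"))
    return sorted(found)
```

The wildcard list is the reason the sub-account from step 1 matters: `iam:*` and `ec2:*` on `*` are full control of that account, and the Deny statement only carves out six specific actions.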

Once the IAM policy is created, create a new IAM user and attach that policy to it. Make sure that "Programmatic access" is enabled for the new user.

We then need to create a Metamanagement-specific AWS credentials file, holding only this new user's keys, in the following format:

```ini
[default]
aws_access_key_id = <access key id>
aws_secret_access_key = <secret access key>
```

### 3. Accept the vendor invitation

You should have received an email invitation from your vendor indicating that they have invited you to install their service. Open the email and follow the instructions, filling in all of the required fields and following any secondary instructions the vendor may have given you.

After all of the information is submitted, it will take up to 30 minutes to spin up your new project. You will receive an email when this is done.

### 4. Set up DNS

The Metamanagement console will give you the IP address at which the cluster is being made available. Add DNS A records mapping the domain name you provided to that IP address. Instructions for a few common providers are linked below:

* [Google Domains](https://support.google.com/domains/answer/9211383?hl=en)
* [GoDaddy](https://www.godaddy.com/help/add-an-a-record-19238)
* [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html)

Note that after setting up DNS, it may take another ~5 minutes for the relevant SSL certs to be generated and for your app to become fully available.

### 5. Accessing the new service

If you created your service in a completely new project and it must be accessible by other services running in your infrastructure, you must make the new VPC reachable from those other VPCs.

The first way to do this is with VPC peering. This is useful if you want unrestricted two-way access between the newly installed service and your main infrastructure. More information on VPC peering can be found [here](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html).

The second way to do this is with AWS PrivateLink. Rather than joining the VPCs, AWS PrivateLink gives you a way to allow explicit connections only to a particular service. More information on how to set this up can be found [here](https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html).

