Armory Enterprise on the AWS Cloud

Quick Start Reference Deployment

QS

July 2021
Thomas A. McGonagle, Peter Blinstrubas, Armory
Andrew Gargan, AWS Quick Start team

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by Armory in collaboration with Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

This guide provides instructions for deploying the Armory Quick Start reference architecture on the AWS Cloud. This Quick Start provides a nearly continuous deployment foundation for AWS Cloud infrastructures. It deploys the Armory platform, a developer-based view of software delivery, according to AWS best practices and guidelines. It is target agnostic, so teams can deploy their code at scale to any and all clouds using a single path to production. For more information, see Armory Docs.

Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.

Armory Enterprise on AWS

Armory provides a scalable and flexible platform for automating software delivery. To help companies deploy software into multiple clouds, the core of Armory’s platform is powered by Operator, an open-source, continuous-delivery platform developed by Netflix and Google. Continuous delivery is a process that builds production software on a consistent basis.

Armory Operator acts as a workflow engine by combining build, provision, and deploy steps into an automated pipeline. It deploys your workloads, such as containers, packages, and Amazon Machine Images (AMIs) to your AWS environment. This includes Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Kubernetes Service (Amazon EKS), Amazon Elastic Container Service (Amazon ECS), and AWS Lambda.

With Armory’s integrations, you can automate your code from commit to production, where users can then monitor applications, scale up, scale down, roll back, or roll forward. You can use Armory to view and automate all of these actions.

AWS costs

You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

Software licenses

The Armory Quick Start is free to try but requires an Armory license for production environments. To obtain a license, contact Armory.

Architecture

Deploying this Quick Start for a new virtual private cloud (VPC) with default parameters builds the following Amazon EKS environment in the AWS Cloud.

Architecture
Figure 1. Quick Start architecture for Armory Enterprise on AWS

The Quick Start sets up the following:

  • A highly available architecture that spans three Availability Zones.

  • A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.

  • In the public subnets:

    • A Linux bastion host, configured for Kubernetes, in an Auto Scaling group to allow inbound Secure Shell (SSH) access to Amazon Elastic Compute Cloud (Amazon EC2) instances in the private subnets.

    • A managed network address translation (NAT) gateway to allow outbound internet access for resources in the private subnets.

  • In the private subnets:

    • A group of Kubernetes nodes.

    • ElastiCache Redis for caching storage for Orca and Clouddriver.

    • Amazon Aurora for persistent storage of Orca and Clouddriver assets.

  • Amazon EKS for the underlying Kubernetes infrastructure and platform.

  • Amazon Simple Storage Service (Amazon S3) for persistent storage of Armory objects.

  • An Armory Operator installation in an Amazon EKS cluster, which creates the Kubernetes control plane.

Planning the deployment

Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This Quick Start assumes familiarity with the following products and resources:

  • Kubectl

  • SSH

  • AWS CLI

  • Armory Enterprise

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.

Resource quotas

If necessary, request service quota increases for the following resources. You might need to request increases if your existing deployment currently uses these resources and if this Quick Start deployment could result in exceeding the default quotas. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.

Resource This deployment uses

VPCs

1

Elastic IP addresses

1

Security groups

4

AWS Identity and Access Management (IAM) roles

10

Auto Scaling groups

2

Application Load Balancers

1

Network Load Balancers

1

t3.xlarge

3

IAM permissions

Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Prepare your AWS account

To start the workshop, you must have an AWS account. If you do not have an account, sign up for one at https://aws.amazon.com/free/. Generate a key for the AWS Region you work in and download and configure the following resources:

  • Kubectl

  • AWS CLI

Deployment options

This Quick Start provides one deployment option:

  • Deploy Armory Enterprise into a new VPC (end-to-end deployment). This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security groups, bastion hosts, and other infrastructure components. It then deploys Armory Enterprise into an Amazon EKS cluster in this new VPC.

This Quick Start lets you configure Classless Inter-Domain Routing (CIDR) blocks, instance types, and Amazon EKS settings, as discussed later in this guide.

Deployment steps

Sign in to your AWS account

  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. For more information, see Planning the deployment, earlier in this guide.

  2. Ensure that your AWS account is configured correctly, as discussed in the Technical requirements section.

  3. Use the Region selector in the navigation bar to choose the AWS Region where you want to deploy Amazon EKS.

  4. Choose the key pair that you created earlier. In the navigation pane of the Amazon EC2 console, choose Key Pairs, and then choose your key pair from the list.

Launch the Quick Start

  1. Optionally, if you want to configure advanced parameters, launch the advanced configuration template.

  2. Choose one of the following options to launch the AWS CloudFormation template into your AWS account. For help with choosing an option, see Deployment options, earlier in this guide.

Deploy Armory Enterprise into a new VPC

Deployment takes 15–90 minutes to complete, depending on the parameter values you choose.

  1. Check the Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This is where the network infrastructure for Amazon EKS is built. The template launches in the US East (Ohio) Region by default.

    Some services are not supported in all AWS Regions. For a current list of supported Regions, see Amazon Elastic Kubernetes Service endpoints and quotas.
  2. On the Select template page, keep the default setting for the template URL, and then choose Next.

  3. On the Specify stack details page, change the stack name if needed. Review the parameters for the template, and provide values for any parameters that require input. For all other parameters, review the default settings, and customize them as necessary.

    If Amazon EKS is already deployed in your account, ensure that the Per account shared resources parameter is set to No. If you deploy a new Amazon EKS instance in the same Region as a previously deployed instance, set Per region shared resources to No.
    If you created and intend to use an advanced configuration stack, ensure that you set the value for Config set name to match the value you used when you launched the advanced configuration stack.
    Unless you are customizing this Quick Start’s templates for your own deployment projects, we recommend that you keep the default settings for the parameters labeled Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these parameter settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.
  4. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re finished, choose Next.

  5. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  6. Choose Create stack to deploy the stack.

  7. Monitor the status of the stack. When the status is CREATE_COMPLETE, the Armory Enterprise deployment is ready.

  8. To view the created resources, see the values displayed in the Outputs tab for the stack.

Test the deployment

These steps must run from a network that has access to the Kubernetes API, as configured by the EKS public access endpoint and Kubernetes API public access CIDR parameters. For more information, see Installing Kubectl. If you enabled the optional bastion host, connect to it by using SSH. Use the key pair that you specified during deployment and the IP address from the Outputs tab of the AWS CloudFormation stack. The bastion host already has Kubectl installed and configured so that it connects to the cluster. To test the CLI, connect to the cluster, and run the following command:
$ kubectl version
  1. Confirm that the output includes the server version, which indicates a successful connection to the Kubernetes control plane.

Client Version: version.Info\{Major:"1", Minor:"11", GitVersion:"<version number>", GitCommit:"<commit ID>", GitTreeState:"clean", BuildDate:"2018-12-06T01:33:57Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}

Server Version: version.Info\{Major:"1", Minor:"11+", GitVersion:" <version number>", GitCommit:" <commit ID>", GitTreeState:"clean", BuildDate:"2018-12-06T23:13:14Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
  1. Check for a successful connection between the nodes and cluster by running the get nodes command.

$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
ip-10-0-25-239.us-west-2.compute.internal Ready <none> 10m <version number>
ip-10-0-27-244.us-west-2.compute.internal Ready <none> 10m <version number>
ip-10-0-35-29.us-west-2.compute.internal Ready <none> 10m <version number>

Best practices for using Amazon EKS

Use AWS CloudFormation for ongoing management

We recommend using AWS CloudFormation for managing updates and resources that are created by this Quick Start. Using the Amazon EC2 console, CLI, or API to change or delete resources can cause future AWS CloudFormation operations on the stack to behave unexpectedly.

Monitor additional resource usage

Users of the Amazon EKS cluster can create elastic load balancers and Amazon EBS volumes as part of their Kubernetes applications. Because these carry additional costs, grant users of the EKS cluster the minimum permissions required by Kubernetes Role Based Access Control (RBAC), and monitor resource usage through the Kubernetes CLI or API for persistent volume claims (PVC) and LoadBalancer resources across all namespaces. To disable this functionality, update the ControlPlaneRole IAM role in the child stack to restrict access to the Kubernetes control plane for specific AWS API operations, such as ec2:CreateVolume and elb:CreateLoadBalancer.

Security

Amazon EKS uses AWS IAM to authenticate your Kubernetes cluster, but it still relies on native Kubernetes RBAC. This means that IAM is used only for valid entities. All permissions for interacting with your Amazon EKS cluster’s Kubernetes API are managed by the native Kubernetes RBAC system. We recommend that you grant least-privilege access via Kubernetes RBAC.

Adding Kubernetes users

This Quick Start creates an IAM role that creates the Kubernetes control plane. The AWS CloudFormation custom resources and Linux bastion host use the IAM role to access the Kubernetes API. Additional IAM users and roles can be added as Kubernetes administrators (system:master Kubernetes cluster role) by entering an ARN into the Additional EKS admin ARN parameter when you launch this Quick Start. To add users after the stack launches, see Managing users or IAM roles for your cluster.

Use AWS CloudFormation to manage Kubernetes resources

This Quick Start includes AWS CloudFormation registry types that allow authoring, creating, and managing Kubernetes-based applications. For an example, see the example-workload template.

Optional add-ins

This Quick Start contains optional configurations and add-ins for Kubernetes that enhance the functionality and reduce post-deployment configuration tasks for customers.

Cluster autoscaler

Cluster autoscaler automatically adjusts the size of the Kubernetes cluster when there are insufficient resources or nodes.

Managed node group

With Amazon EKS–managed node groups, provisioning and lifecycle management of the nodes is automated. All nodes are provisioned as part of an Auto Scaling group, which means you cannot use the Cluster autoscaler option. Nodes are created using the latest Amazon EKS–optimized Amazon Linux 2 AMI.

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the template with Rollback on failure set to Disabled. (This setting is under Advanced in the AWS CloudFormation console, Options page.) With this setting, the stack’s state is retained, and instances remain running so you can troubleshoot the issue.

When you set Rollback on failure to Disabled, you continue to incur AWS charges for the stack. Ensure that you delete the stack when you finish troubleshooting.

For more information, see Troubleshooting AWS CloudFormation.

Q. A resource type starting with AWSQS:: failed on stack create, update, or deletion.

A. These resources are AWS CloudFormation registry resource types created by the Quick Start. Logs for it are stored in Amazon CloudWatch Logs with a group prefix of /cloudformation/registry/awsqs-.

Q. I encountered a size limitation error when I deployed the AWS CloudFormation templates.

A. Launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer, or from a location other than Amazon S3, you might encounter template size limitations when you create the stack. For more information, see AWS CloudFormation quotas.

Customer responsibility

After you successfully deploy this Quick Start, confirm that your resources and services are updated and configured — including any required patches — to meet your security and other needs. For more information, see the AWS Shared Responsibility Model.

Parameter reference

Unless you are customizing the Quick Start templates for your own deployment projects, keep the default settings for the parameters labeled Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these parameter settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.

Parameters for deploying into a new VPC

Table 1. Network configuration
Parameter label (name) Default value Description

Availability Zones (AvailabilityZones)

Requires input

Availability Zones to use for the subnets in the VPC. This deployment uses two Availability Zones.

VPC CIDR (VPCCIDR)

10.0.0.0/16

CIDR block for the VPC.

Number of Availability Zones (NumberOfAZs)

2

Number of Availability Zones to use in the VPC. This must match the parameter for the list of Availability Zones.

Private subnet 1 CIDR (PrivateSubnet1CIDR)

10.0.0.0/19

CIDR block for private subnet 1, located in Availability Zone 1.

Private subnet 2 CIDR (PrivateSubnet2CIDR)

10.0.32.0/19

CIDR block for private subnet 2, located in Availability Zone 2.

Private subnet 3 CIDR (PrivateSubnet3CIDR)

10.0.64.0/19

CIDR block for private subnet 3, located in Availability Zone 3.

Public subnet 1 CIDR (PublicSubnet1CIDR)

10.0.128.0/20

CIDR block for public subnet 1, located in Availability Zone 1.

Public subnet 2 CIDR (PublicSubnet2CIDR)

10.0.144.0/20

CIDR block for public subnet 2, located in Availability Zone 2.

Public subnet 3 CIDR (PublicSubnet3CIDR)

10.0.160.0/20

CIDR block for the public (DMZ) subnet 3, located in Availability Zone 3.

Table 2. Linux bastion configuration
Parameter label (name) Default value Description

Provision bastion host (ProvisionBastionHost)

Enabled

Skip creating a bastion host by choosing "Disabled."

Key pair name (KeyPairName)

Requires input

Name of an existing key pair for connecting to your Amazon EC2 instance. A key pair consists of a private key and public key.

Permitted IP range (RemoteAccessCIDR)

Requires input

Allowed CIDR block for external SSH access.

Table 3. Database configuration
Parameter label (name) Default value Description

Database name (DBName)

AuroraMySQLDB

Name of the Amazon Aurora database.

Database administrator (DBMasterUsername)

msadmin

Administrator name for the database account.

Database administrator password (DBMasterUserPassword)

Requires input

Administrator password for the database account. This value must include 1 uppercase letter, 1 lowercase letter, 1 number, and 1 symbol (excluding quotes and the following symbols: / @).

Database automatic minor version upgrades (DBAutoMinorVersionUpgrade)

false

To enable automatic minor version upgrades, choose "true."

Database backup retention period (DBBackupRetentionPeriod)

35

Number of days (1–35) to retain automatic database snapshots.

Database engine version (DBEngineVersion)

Aurora-MySQL5.6.10a

Version of the database engine. Currently, multi-master clusters are available only for Aurora-MySQL5.6.10a. Serverless is available only for Aurora-MySQL5.6.10a and Aurora-MySQL5.7-2.07.1. For more information, see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.AuroraFeaturesRegionsDBEngines.grids.html.

Database instance class (DBInstanceClass)

db.r5.large

Name of the compute and memory-capacity class of the database instance. The db.t3 instance class does not support Amazon RDS performance insights.

Database encryption enabled (DBAllocatedStorageEncrypted)

true

To disable database encryption, choose "false."

Table 4. Quick Start configuration
Parameter label (name) Default value Description

Quick Start S3 bucket name (QSS3BucketName)

aws-quickstart

Name of the S3 bucket for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens. It cannot start or end with a hyphen (-). For more information, see https://aws-quickstart.github.io/option1.html.

Quick Start S3 bucket Region (QSS3BucketRegion)

us-east-2

AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. For more information, see https://aws-quickstart.github.io/option1.html.

Quick Start S3 key prefix (QSS3KeyPrefix)

quickstart-armory-enterprise/

Amazon S3 key prefix used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). It must end with a forward slash. For more information, see https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMetadata.html and https://aws-quickstart.github.io/option1.html.

Table 5. Amazon EKS cluster configuration
Parameter label (name) Default value Description

Amazon EKS public access endpoint (EKSPublicAccessEndpoint)

Disabled

Configure access to the Kubernetes API server endpoint from outside of your VPC.

Additional EKS administrator ARN (IAM user) (AdditionalEKSAdminUserArn)

Blank string

(Optional) IAM user Amazon Resource Name (ARN) to be granted administrative access to the Amazon EKS cluster.

Additional EKS administrator ARN (IAM role) (AdditionalEKSAdminRoleArn)

Blank string

(Optional) IAM role Amazon Resource Name (ARN) to be granted administrative access to the Amazon EKS cluster.

Instance type (NodeInstanceType)

t3.xlarge

Amazon EC2 instance type.

Node volume capacity (NodeVolumeSize)

100

Capacity of Amazon EBS volume, in gigabytes, used by Amazon EKS node instances.

Number of nodes (NumberOfNodes)

3

Number of Amazon EKS node instances. The default is one for each Availability Zone.

Maximum number of nodes (MaxNumberOfNodes)

6

Maximum number of Amazon EKS node instances. The default is three.

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.

Quick Start reference deployments

GitHub repository

Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.


Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.