diff --git a/articles/deploying-fleet-on-aws-with-terraform.md b/articles/deploying-fleet-on-aws-with-terraform.md index e7d1673737..44116da7c9 100644 --- a/articles/deploying-fleet-on-aws-with-terraform.md +++ b/articles/deploying-fleet-on-aws-with-terraform.md @@ -6,20 +6,20 @@ Deploying on AWS with Fleet’s reference architecture will get you a fully func ## Prerequisites: -- AWS CLI installed +- AWS CLI installed and configured. - Terraform installed (version 1.04 or greater) - AWS Account and IAM user capable of creating resources - Clone [Fleet](https://github.com/fleetdm/fleet) or copy the [Terraform files](https://github.com/fleetdm/fleet/tree/main/infrastructure/dogfood/terraform/aws) ## Bootstrapping -To bootstrap our [remote state](https://www.terraform.io/docs/language/state/remote.html) resources, we’ll create a S3 bucket and DynamoDB table using the values defined in `remote-state/main.tf`. Override the `prefix` terraform variable to get unique resources and the `region` variable to use you preferred AWS region. +To bootstrap our [remote state](https://www.terraform.io/docs/language/state/remote.html) resources, we’ll create a S3 bucket and DynamoDB table using the values defined in `remote-state/main.tf`. We'll override the `prefix` terraform variable to get unique resources and the `region` variable to use the same region set in the AWS CLI (you can run `aws configure get region` to see what region is set). From the `/remote-state` directory, run: -2. `terraform init` -3. `terraform workspace new prod` -4. `terraform apply -var prefix="" -var region=""` +1. `terraform init` +2. `terraform workspace new -fleet-remote-state` +3. `terraform apply -var prefix="-fleet" -var region=""` You should be able to see all the resources that Terraform will create — the **S3 bucket** and the **dynamodb** table: @@ -31,11 +31,12 @@ From the `/remote-state` directory, run: Terraform will perform the actions described above. Only 'yes' will be accepted to approve. - Enter a value: ``` - After typing `yes` you should have a new S3 bucket named `-terraform-remote-state` And the table `-terraform-state-lock`. Keep these handy because we’ll need them in the following steps. + After typing `yes` you should have a new S3 bucket named `-fleet-terraform-remote-state` And the table `-fleet-terraform-state-lock`. Keep these handy because we’ll need them in the following steps. + + You may see a warning during this process. It is safe to ignore. Now that the remote state is configured, we can move on to setting up the infrastructure for Fleet. @@ -49,10 +50,10 @@ Next, we’ll update the terraform setup in the `/aws` directory's [main.tf](htt terraform { // bootstrapped in ./remote-state backend "s3" { - bucket = "-terraform-remote-state" + bucket = "-fleet-terraform-remote-state" region = "" - key = "fleet" - dynamodb_table = "-terraform-state-lock" + key = "-fleet" + dynamodb_table = "-fleet-terraform-state-lock" } required_providers { aws = { @@ -63,27 +64,29 @@ terraform { } ``` -We’ll also need a `tfvars` file to make some environment-specific variable overrides. Create a file in the `/aws` directory named `prod.tfvars`, and copy/paste the variables below (note the bucket names will have to be unique for your environment): +We’ll also need a `tfvars` file to make some environment-specific variable overrides. Create a file in the `/aws` directory named `prod.tfvars`, and copy/paste the variables below: ``` +prefix = "-fleet-prod" fleet_backend_cpu = 1024 fleet_backend_mem = 4096 //software inventory requires 4GB redis_instance = "cache.t3.micro" -fleet_min_capacity = 1 -fleet_max_capacity = 5 -domain_fleetdm = //YOUR FLEET DOMAIN +fleet_min_capacity = 0 +fleet_max_capacity = 0 +domain_fleetdm = "" software_inventory = "1" vulnerabilities_path = "/fleet/vuln" -osquery_results_s3_bucket = "-osquery-results-archive-dev" -osquery_status_s3_bucket = "-osquery-status-archive-dev" +osquery_results_s3_bucket = "-fleet-prod-osquery-results-archive" +osquery_status_s3_bucket = "-fleet-prod-osquery-status-archive" ``` +Feel free to use whatever values you would like for the `osquery_results_s3_bucket` and `osquery_status_s3_bucket`. Just keep in mind that they need to be unique across AWS. We're setting the initial capacity for `fleet` to `0` to prevent the fleet service from attempting to start until setup is complete. Now we’re ready to apply the terraform. From the `/aws` directory, Run: 1. `terraform init` -2. `terraform workspace new prod` -3. `terraform apply -var-file=prod.tfvars` +2. `terraform workspace new -fleet-prod` +3. `terraform apply --var-file=prod.tfvars` You should see the planned output, and you will need to confirm the creation. Review this output, and type `yes` when you are ready. @@ -129,23 +132,55 @@ redis_cluster_members = toset([ target_group_arn_suffix = "targetgroup/fleetdm/0f3bec83c8b02f58" ``` -We can use the output here to create an AWS ECS Task that will migrate the database and prepare it for use. +We'll need some of these values in the next step. + +## Prepare the database + +Now all we need to do is prepare the database for use. We'll run an AWS ECS Task that will migrate the database and prepare it for use. ``` -aws ecs run-task --cluster fleet-backend --task-definition fleet-migrate: --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=[],securityGroups=[]}" +aws ecs run-task --cluster fleet-backend --task-definition fleet-migrate: --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=[],securityGroups=[]}" ``` -Where `` is one of the private subnets, and `` is the security group from the output for example: +Where `` is `fleet-migration-task-revision`, `` is one of the private subnets, and `` is the security group from the previous output. + +For the example output from `terraform apply` in the previous step, the command would look like this: ``` aws ecs run-task --cluster fleet-backend --task-definition fleet-migrate:4 --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=[subnet-03a54736c942cd1e4],securityGroups=[sg-00c9fa9632d7e03ca]}" ``` -Running this command should kick off the migration task, and Fleet should be ready to go. +Running this command will kick off the migration task, and Fleet will be ready to go. ![AWS Console ECS Clusters](../website/assets/images/articles/deploying-fleet-on-aws-with-terraform-2-640x313@2x.png) -Navigating to `https://fleet.queryops.com` we should be greeted with the Setup page. +At this point, you can go to your Fleet domain and start [using Fleet](https://fleetdm.com/docs/using-fleet). + +## Start the Fleet service + +Now that Fleet has everything it needs, we're ready to start the service. + +First, we'll need to edit our production variables to increase Fleet's capacity and allow the service to start. In the `prod.tvars` file, update `fleet_min_capacity` and `fleet_max_capacity`: + +``` +prefix = "-fleet-prod" +fleet_backend_cpu = 1024 +fleet_backend_mem = 4096 //software inventory requires 4GB +redis_instance = "cache.t3.micro" +fleet_min_capacity = 1 +fleet_max_capacity = 5 +domain_fleetdm = "" +software_inventory = "1" +vulnerabilities_path = "/fleet/vuln" +osquery_results_s3_bucket = "-fleet-prod-osquery-results-archive" +osquery_status_s3_bucket = "-fleet-prod-osquery-status-archive" +``` + +Then apply the updates: + +`terraform apply --var-file=prod.tfvars` + +Once the process completes, your Fleet instance is ready to use! Check out the documentation for more details on [using Fleet](https://fleetdm.com/docs/using-fleet). ## Conclusion