This topic describes how to install and configure Tanzu Cloud Service Broker for AWS (Cloud Service Broker for AWS).

Prerequisites for Installing Cloud Service Broker for AWS

Before you install Cloud Service Broker for AWS, you must have:

  • A small MySQL database:

    This database is used as the state database. The broker requires this database to store its state.

  • AWS account credentials:

    The broker needs the following credentials to manage resources within an account:

    - Access Key ID
    - Secret Access Key
    

    If the AWS account where the instances are created differs from the one the platform runs in, the user is responsible for setting up the necessary networking.

  • IAM Policies:

    The AWS account needs the following IAM policies:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                "dynamodb:CreateTable",
                "dynamodb:CreateTableReplica",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeBackup",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:DescribeTable",
                "dynamodb:DescribeTimeToLive",
                "dynamodb:ListTables",
                "dynamodb:ListTagsOfResource",
                "dynamodb:TagResource",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "elasticache:CreateCacheSubnetGroup",
                "elasticache:CreateReplicationGroup",
                "elasticache:DeleteCacheSubnetGroup",
                "elasticache:DeleteReplicationGroup",
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeCacheSubnetGroups",
                "elasticache:DescribeReplicationGroups",
                "elasticache:ListTagsForResource",
                "elasticache:ModifyReplicationGroup",
                "elasticache:ModifyReplicationGroupShardConfiguration",
                "iam:CreateAccessKey",
                "iam:CreateUser",
                "iam:DeleteAccessKey",
                "iam:DeleteUser",
                "iam:DeleteUserPolicy",
                "iam:GetAccountAuthorizationDetails",
                "iam:GetPolicy",
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAccessKeys",
                "iam:ListAttachedUserPolicies",
                "iam:ListGroupsForUser",
                "iam:ListPolicies",
                "iam:ListUserPolicies",
                "iam:PutUserPolicy",
                "rds:AddTagsToResource",
                "rds:CreateDBCluster",
                "rds:CreateDBInstance",
                "rds:CreateDBParameterGroup",
                "rds:CreateDBSubnetGroup",
                "rds:DeleteDBCluster",
                "rds:DeleteDBInstance",
                "rds:DeleteDBParameterGroup",
                "rds:DeleteDBSnapshot",
                "rds:DeleteDBSubnetGroup",
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBSubnetGroups",
                "rds:ListTagsForResource",
                "rds:ModifyDBInstance",
                "rds:ModifyDBParameterGroup",
                "s3:CreateBucket",
                "s3:DeleteAccessPointPolicy",
                "s3:DeleteBucket",
                "s3:DeleteBucketPolicy",
                "s3:DeleteObject",
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLogging",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketPolicy",
                "s3:GetBucketRequestPayment",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetEncryptionConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetObject",
                "s3:GetReplicationConfiguration",
                "s3:ListBucket",
                "s3:PutAccessPointPolicy",
                "s3:PutAccountPublicAccessBlock",
                "s3:PutBucketAcl",
                "s3:PutBucketPolicy",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketRequestPayment",
                "s3:PutBucketTagging",
                "s3:PutBucketVersioning",
                "s3:PutEncryptionConfiguration",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "sqs:CreateQueue",
                "sqs:DeleteQueue"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }
    

Install Cloud Service Broker for AWS

To install the Cloud Service Broker for AWS using Ops Manager Installation Dashboard:

  1. Download the product file from VMware Tanzu Network.

  2. Navigate to the Ops Manager Installation Dashboard and click Import a Product to upload the product file.

  3. Under Import a Product, click + next to the version number of Cloud Service Broker for AWS in the left sidebar. This adds the tile to your staging area.

  4. Click the newly added Cloud Service Broker for AWS tile.

Configure the Cloud Service Broker for AWS

The following procedures describe configuring the panes on the Cloud Service Broker for AWS tile.

Configure AZs and Networks

This section describes how to choose an AZ to run the service broker for Cloud Service Broker for AWS. It also describes how to select networks for Cloud Service Broker for AWS.

To configure AZs and networks:

  1. Click Assign AZs and Networks.

  2. Configure the fields as follows:

    Field Instructions
    Place singleton jobs in Select the AZ in which the broker VM for Cloud Service Broker for AWS runs. The broker runs as a singleton job.
    Balance other jobs in Select the AZs in which other jobs can run.
    Network Select a subnet for the Cloud Service Broker for AWS broker. This is typically the same subnet that includes the component VMs for VMware Tanzu Application Service for VMs (TAS for VMs).
  3. Click Save.

Configure AWS Credentials

This section describes how to configure the AWS credentials that Cloud Service Broker for AWS requires to manage service instances.

To configure AWS credentials:

  1. Click AWS Config.

  2. Configure the fields as follows:

    Field Instructions
    AWS Access Key Enter the AWS Access Key
    AWS Secret Access Key Enter the AWS Secret Access Key
    Region Enter the Region where your VPC is located
  3. Click Save.

Configure a State Database

This section describes how to associate Cloud Service Broker for AWS with a MySQL database, the state database.

About Encrypting the State Database

In production environments, VMware recommends that you enable encryption. This encrypts certain sensitive information in the state database, such as IaaS credentials. The encryption password that you enter on the Service Broker Config pane is used to generate an encryption key.

Applying changes takes longer than normal when you first enable encryption and when you change the encryption password.

Note: VMware recommends enabling backup and restore capabilities in the MySQL database before attempting encryption. This is because if something goes wrong, and your database is only partially encrypted, it is safest to revert to the most recent database backup.

Prerequisite

You must have a small MySQL database to use as the state database.

Procedure: Configure a State Database

To configure Cloud Service Broker for AWS with a database:

  1. Click Service Broker Config.

    Fields for configuring the service broker.
See the following steps for detailed descriptions of the configurable fields.

  2. Configure the fields as follows:

    Field Instructions
    Database host Enter the host name of the prerequisite state database.
    Database username and Database password Enter the credentials for the state database. The example shown in the screenshot in the previous step refers to setting the username for a MySQL tile provisioned database. If you are configuring a database provisioned by another service, refer to the documentation for that service for the correct username format. For RDS MySQL, see the AWS documentation.
    Database port Enter the port number for connection to the state database. Defaults to 3306.
    Database name Enter the name of an existing database to use as the state database.
    TLS Enforcement Select the type of TLS enforcement you want. If you select Custom, enter your CA certificate, client certificate, and key.
    Enable encryption of the Cloud Service Broker database If you want the sensitive data to be encrypted, select this checkbox and the Add button. If you do not want to encrypt the data, leave the checkbox unselected and do not fill in the Database Encryption Passwords fields.
    Label Enter a unique password label. You cannot change this label after you save.
    Password Enter a secure password that is at least 20 characters long. You cannot change this password after you save.
    Primary Select this checkbox if this is the password that you want to use to encrypt the data. You must mark one and only one password as primary.
  3. Click Save.

  4. Return to the Ops Manager Installation Dashboard.

  5. Click Review Pending Changes.

  6. Click Apply changes to install the Cloud Service Broker for AWS tile.

If you later want to change the password on the state database, see Rotate the Encryption Password on the State Database below.
If you later want to turn off encryption, see Remove Encryption from the State Database below.

Configure Services with Cloud Service Broker for AWS

This section describes how to configure services and service plans offered by the Cloud Service Broker for AWS within the Cloud Foundry Marketplace on your instance of Cloud Foundry.

Cloud Service Broker for AWS specifies new service plans through JSON. An example is provided, using the smallest possible size, within each service.

To configure services and service plans:

  1. Click the already-installed Cloud Service Broker for AWS tile in your Ops Manager tile Dashboard.

  2. Find the service you want to make available in the left hand navigation under the Settings tab.

  3. Enter additional plans as additional JSON objects within the provided field. For details about properties for each service configuration, see Service Plan Reference.

    Note: When developers create or update a service instance, they cannot override any plan-level properties that you set in this field.

  4. (Optional) To use different credentials to the ones specified in the AWS Config tab, supply the credentials as properties to a plan instance in the additional plans box:

    [
      {
        "name" : "PLAN-NAME",
        "id" : "UUID",
        "description" : "PLAN-DESCRIPTION",
        "aws_access_key_id" : "AWS_ACCESS_KEY_ID",
        "aws_secret_access_key" : "AWS_SECRET_ACCESS_KEY",
        ...
      }
    ]
    
  5. Click Save.

  6. Return to the Ops Manager Installation Dashboard and click Review Pending Changes.

  7. Click Apply changes.

  8. Review your Cloud Foundry Marketplace to see the new plan sizes.

Rotate the Encryption Password on the State Database

If you have already set an encryption password and want to change it, follow the instructions below:

To rotate the password on the state database:

  1. Click Service Broker Config.

  2. Clear the Primary checkbox.

  3. Click Add.

  4. Enter a new Label and Password for the new password, and select Primary.

    You cannot change the label or password after you save.

  5. Click Save.

  6. Return to the Ops Manager Installation Dashboard.

  7. Click Review Pending Changes.

  8. Click Apply changes to install the Cloud Service Broker for AWS tile.

  9. (Recommended) After the apply changes process completes, delete the non-primary label and password pair and apply changes again.

Remove Encryption from the State Database

If the data in the state database was previously encrypted and you want to disable encryption, follow the instructions below.

To remove encryption from the state database:

  1. Click Service Broker Config.

  2. Clear the Enable encryption of the Cloud Service Broker database checkbox.

  3. Clear the Primary checkbox, but do not change the Label or Password fields.

  4. Click Save.

  5. Return to the Ops Manager Installation Dashboard.

  6. Click Review Pending Changes.

  7. Click Apply changes to install the Cloud Service Broker for AWS tile.

  8. (Recommended) After the apply changes process completes, delete all label and password pairs and apply changes again.

check-circle-line exclamation-circle-line close-line
Scroll to top icon