Installing the AWS Service Broker

AWS Service Broker building blocks:

  • Broker API : This is a run as a container workload within OpenShift. The api allows dev and ops teams to use OC commands to deploy services, the broker api interprets these and invokes AWS CloudFormation to deploy the services within the desired AWS account.

  • Templates : These are prescriptive AWS CloudFormation templates used by the broker to provision AWS services. Customers can use the templates as are or modify these to meet their specific business needs, or completely replace their with their own teamplates.

  • AWS S3 : AWS S3 is an object store, a bucket will store the templates. Customers can make use of an existing S3 bucket containing the existing service templates, or they can create their own S3 bucket to maintain their own custom product catalog. Customers deploying the AWS Service broker within AWS Govcloud will need to create their own custom catalog and S3 bucket.

  • AWS DynamoDb table : A nosql dynomoDB table which is deployed into a customer account is used for state tracking of the broker. Customers can deploy a table per broker or have multiple brokers use the same table.

  • AWS IAM role : Permissions are needed to inyteract with the S3 bucket containing the templates, the DynamoDB table containing the state tracking during install. Permissions for interacting with CloudFormation to provision and manage each service offered via the broker.The AWS Service Broker can make use of AWS access keys for a IAM user or make use of an IAM role. Making use of a role is strongly recommended.

High level

Deploy prerequisists Enable Kubernettes service catalog AWS Service Broker configuration Installing the broker

Enabling the Kubernettes Service catalog:

Step 1

Connect to the OpenShift cluster using the Cli tools.

This is convered on detail in the getting started section.
Step 2

Enabling Service catalog

This entails editing two files using the oc command.

oc edit servicecatalogapiservers
Under spec, set the managementState field to Managed:


spec:
  logLevel: Normal
  managementState: Managed


oc edit servicecatalogcontrollermanagers
Under spec, set the managementState field to Managed:


spec:
  logLevel: Normal
  managementState: Managed

The oc edit edit will open a vi exit editor. If you are not familair with vi press 'i' to enter insert mode, this will allow you to edit the doc then press 'esc' to edit edit mode then press ':wq' to pass the write and quit instruction to the editor.

The OpenShift operator will install and enable all the components

Deploying Prerequisites

If you are completing this as part of an instructor lead lab these prerequisises may have already been deployed and you can skip to installing and configuring the broker.

Step 1

Download Pre req CFN template

wget https://raw.githubusercontent.com/awslabs/aws-servicebroker/release-v1.0.1/setup/prerequisites.yaml
Step 2

launch the stack

aws cloudformation create-stack \
    --stack-name awssbprerequisites \
    --template-body file://prerequisites.yaml \
    --capabilities CAPABILITY_NAMED_IAM \

wait for the stack to complete building

until [[ `aws cloudformation describe-stacks \
  --stack-name "awssbprerequisites" \
  --query "Stacks[0].[StackStatus]" \
  --output text` == "CREATE_COMPLETE" ]]; \
  do  echo "The stack is NOT in a state of CREATE_COMPLETE at `date`"; \
  sleep 30; done && echo "The Stack is built at `date` - Please proceed"

Installing and configuring the Broker

Step 1

Download Broker files

wget https://raw.githubusercontent.com/awslabs/aws-servicebroker/release-v1.0.1/packaging/openshift/deploy.sh
wget https://raw.githubusercontent.com/awslabs/aws-servicebroker/release-v1.0.1/packaging/openshift/aws-servicebroker.yaml
wget https://raw.githubusercontent.com/awslabs/aws-servicebroker/release-v1.0.1/packaging/openshift/parameters.env
chmod +x deploy.sh

The Deploy.sh will create all the resources within OpenShift to deploy the AWS Service Broker

The aws-servicebroker.yaml defines all the OpenShift artifacts.

The Parameters.env defines configurations for the Broker.

  • TARGETACCOUNTID=

    • which AWS account resources will be deployed into.

  • TARGETROLENAME=

    • Name of the IAM role if used instead of AWS access keys, this is recommended and the role will be craeted as a pre req

  • VPCID=

    • VPC the AWS service will be deployed into, if this is left blank it would need to be provided as an input for Services when launched

  • REGION=us-east-1

    • This is the AWS region the broker, and resources provisioned by the broker are launched into. This is not the region the S3 bucket containing the template catalog exist in. VCPID and REGION need to match.

  • IMAGE=awsservicebroker/aws-servicebroker:beta

  • IMAGEPULLPOLICY=Always

  • S3BUCKET=awsservicebroker

    • Name of the AWS S3 bucket the templates are stored in, this default name is a bucket owned by AWS. For customers with a desire for a custom catalog or in AWS Gocloud, they would create their own S3 bucket and update the name here.

  • S3KEY=templates/latest

  • S3REGION=us-east-1

    • This is the region the template bucket exists in and does not need to match the REGION above. If using the AWS provided bucket this region will always be us-east-1. If creating your own bucket for a custom catalog, this will need to match the region in which the bucket exists.

  • TABLENAME=awssb

    • This is the name of the DynamoDB table used for state tracking, the table is deployed as a pre req

  • VERBOSITY=10

  • BROKERID=awsservicebroker

    • This is a ID to indetify each broker instance. Multiple brokers can be deployed and use the same dynamoDB table, in this case each broker needs to have a unique ID within the table.

  • PRESCRIBE_OVERRIDES=true

    Step 2

    Update the Parameter.env for your context

TARGETACCOUNTID= <you can get the account id from the workshop login page>
TARGETROLENAME=
VPCID=
....
REGION=
TABLENAME=
....
BROKERID=
...
Stpe 3

Run the deploy script.

./deploy.sh
or
./deploy.sh <AWS access key> <AWS access secret>
** If not using a role, access keys and secrets need to be provided
project
project
project