Customizing the Cloud Foundry Deployment Manifest Stub for AWS
Page last updated: December 24, 2015
This topic describes how to customize the Cloud Foundry deployment manifest stub for AWS.

After you complete this task, use the scripts/generate_deployment_manifest script in the cf-release repository to generate your Cloud Foundry deployment manifest.

Save a copy of the manifest stub as a YAML file in your deployment directory. Follow the editing instructions to customize the manifest stub with information about your environment. Once it is filled in, the stub holds AWS credentials, database passwords, shared secrets and private keys: keep it out of version control and restrict who can read it.
Cloud Foundry Deployment Manifest Stub for AWS
```yaml
---
meta:
  environment: ENVIRONMENT

director_uuid: DIRECTOR_UUID

networks:
- name: cf1
  subnets:
  - range: 10.10.16.0/20
    reserved:
    - 10.10.16.2 - 10.10.16.9
    static:
    - 10.10.16.10 - 10.10.16.255
    gateway: 10.10.16.1
    dns:
    - 10.10.0.2
    cloud_properties:
      security_groups:
      - cf
      subnet: (( properties.template_only.aws.subnet_ids.cf1 ))
- name: cf2
  subnets:
  - range: 10.10.80.0/20
    reserved:
    - 10.10.80.2 - 10.10.80.9
    static:
    - 10.10.80.10 - 10.10.80.255
    gateway: 10.10.80.1
    dns:
    - 10.10.0.2
    cloud_properties:
      security_groups:
      - cf
      subnet: (( properties.template_only.aws.subnet_ids.cf2 ))

properties:
  template_only:
    aws:
      access_key_id: AWS_ACCESS_KEY
      secret_access_key: AWS_SECRET_ACCESS_KEY
      availability_zone: ZONE_1
      availability_zone2: ZONE_2
      subnet_ids:
        cf1: SUBNET_ID_1
        cf2: SUBNET_ID_2

  domain: DOMAIN
  system_domain: SYSTEM_DOMAIN
  system_domain_organization: SYSTEM_DOMAIN_ORGANIZATION
  app_domains:
  - APP_DOMAIN

  cc:
    droplets:
      droplet_directory_key: DROPLET_DIRECTORY_KEY
    buildpacks:
      buildpack_directory_key: BUILDPACK_DIRECTORY_KEY
    staging_upload_user: STAGING_UPLOAD_USER
    staging_upload_password: STAGING_UPLOAD_PASSWORD
    bulk_api_password: BULK_API_PASSWORD
    db_encryption_key: CCDB_ENCRYPTION_KEY

  ccdb:
    db_scheme: CCDB_SCHEME
    roles:
    - tag: CCDB_USER
      name: CCDB_USER_NAME
      password: CCDB_PASSWORD
    databases:
    - tag: cc
      name: ccdb
    address: CCDB_ADDRESS
    port: CCDB_PORT

  consul:
    encrypt_keys:
    - CONSUL_ENCRYPT_KEY
    ca_cert: CONSUL_CA_CERT
    server_cert: CONSUL_SERVER_CERT
    server_key: CONSUL_SERVER_KEY
    agent_cert: CONSUL_AGENT_CERT
    agent_key: CONSUL_AGENT_KEY

  loggregator_endpoint:
    shared_secret: LOGGREGATOR_ENDPOINT_SHARED_SECRET

  nats:
    user: NATS_USER
    password: NATS_PASSWORD

  router:
    status:
      user: ROUTER_USER
      password: ROUTER_PASSWORD

  uaa:
    admin:
      client_secret: ADMIN_SECRET
    cc:
      client_secret: CC_CLIENT_SECRET
    clients:
      cc_routing:
        secret: CC_ROUTING_SECRET
      cloud_controller_username_lookup:
        secret: CLOUD_CONTROLLER_USERNAME_LOOKUP_SECRET
      doppler:
        secret: DOPPLER_SECRET
      gorouter:
        secret: GOROUTER_SECRET
      login:
        secret: LOGIN_CLIENT_SECRET
      notifications:
        secret: NOTIFICATIONS_CLIENT_SECRET
    jwt:
      verification_key: JWT_VERIFICATION_KEY
      signing_key: JWT_SIGNING_KEY
      policy:
        keys:
          key_pair_1:
            verificationKey: |
              -----BEGIN CERTIFICATE-----
              MIIDBjCCAe4CCQCz3nn1SWrDdTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB
              VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
              cyBQdHkgTHRkMB4XDTE1MDMwMzE4NTMyNloXDTE2MDMwMjE4NTMyNlowRTELMAkG
              A1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0
              IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
              AKtTK9xq/ycRO3fWbk1abunYf9CY6sl0Wlqm9UPMkI4j0itY2OyGyn1YuCCiEdM3
              b8guGSWB0XSL5PBq33e7ioiaH98UEe+Ai+TBxnJsro5WQ/TMywzRDhZ4E7gxDBav
              88ZY+y7ts0HznfxqEIn0Gu/UK+s6ajYcIy7d9L988+hA3K1FSdes8MavXhrI4xA1
              fY21gESfFkD4SsqvrkISC012pa7oVw1f94slIVcAG+l9MMAkatBGxgWAQO6kxk5o
              oH1Z5q2m0afeQBfFqzu5lCITLfgTWCUZUmbF6UpRhmD850/LqNtryAPrLLqXxdig
              OHiWqvFpCusOu/4z1uGC5xECAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAV5RAFVQy
              8Krs5c9ebYRseXO6czL9/Rfrt/weiC1XLcDkE2i2yYsBXazMYr58o4hACJwe2hoC
              bihBZ9XnVpASEYHDLwDj3zxFP/bTuKs7tLhP7wz0lo8i6k5VSPAGBq2kjc/cO9a3
              TMmLPks/Xm42MCSWGDnCEX1854B3+JK3CNEGqSY7FYXU4W9pZtHPZ3gBoy0ymSpg
              mpleiY1Tbn5I2X7vviMW7jeviB5ivkZaXtObjyM3vtPLB+ILpa15ZhDSE5o71sjA
              jXqrE1n5o/GXHX+1M8v3aJc30Az7QAqWohW/tw5SoiSmVQZWd7gFht9vSzaH2WgO
              LwcpBC7+cUJEww==
              -----END CERTIFICATE-----
            signingKey: |
              -----BEGIN RSA PRIVATE KEY-----
              ...
              -----END RSA PRIVATE KEY-----
    scim:
      users:
      - admin|ADMIN_PASSWORD|scim.write,scim.read,openid,cloud_controller.admin,doppler.firehose

  uaadb:
    db_scheme: UAADB_SCHEME
    roles:
    - tag: UAADB_USER
      name: UAADB_USER_NAME
      password: UAADB_USER_PASSWORD
    databases:
    - tag: uaa
      name: uaadb
    address: UAADB_ADDRESS
    port: UAADB_PORT
```
Editing Instructions

Deployment Manifest Stub Contents | Editing Instructions
---|---
meta.environment | Replace ENVIRONMENT with an arbitrary name describing your environment, e.g. aws-prod.
director_uuid | Replace DIRECTOR_UUID with the BOSH Director UUID. Run bosh status --uuid to view it. The Director rejects a manifest whose UUID does not match its own, so this value also protects you from deploying to the wrong Director.
networks | This example assumes you have two subnets in your AWS VPC with CIDRs 10.10.16.0/20 and 10.10.80.0/20 respectively. Update the values for range, reserved, static, and gateway accordingly if the CIDRs for your subnets are different; the reserved block keeps BOSH from handing out the low addresses that AWS reserves at the start of each subnet, and the static block must stay inside the subnet's range. The dns entry 10.10.0.2 is the VPC-provided resolver for a 10.10.0.0/16 VPC; adjust it to your VPC CIDR. This also assumes that you have a security group named cf suitable for your Cloud Foundry VMs. Change this too if the name of your security group is different.
properties.template_only.aws | Replace AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY with AWS credentials that allow Cloud Controller to manage assets in the S3 buckets you have prepared for this deployment. Use a dedicated IAM user whose policy is limited to those buckets rather than account-wide keys: the credentials are stored in the manifest in clear text. Replace ZONE_1 and ZONE_2 with the two EC2 Availability Zones you want to distribute your deployment across. Replace SUBNET_ID_1 and SUBNET_ID_2 with the VPC subnet IDs corresponding to the subnets configured in the networks section above; each subnet must belong to the zone it is paired with.
properties.domain, system_domain, system_domain_organization, app_domains | Replace DOMAIN and SYSTEM_DOMAIN with the domain you have configured for accessing system components (e.g. the Cloud Controllers will be reachable at api.SYSTEM_DOMAIN). Pick any name you like for SYSTEM_DOMAIN_ORGANIZATION; this organization will be created and configured to own the SYSTEM_DOMAIN. Replace APP_DOMAIN with the default root domain you want associated with applications pushed to your Cloud Foundry installation.
properties.cc | Replace DROPLET_DIRECTORY_KEY with the directory (bucket) used to store droplets. Replace BUILDPACK_DIRECTORY_KEY with the directory (bucket) used to store buildpacks. Replace STAGING_UPLOAD_USER with the account user name used to upload files to the Cloud Controller, and STAGING_UPLOAD_PASSWORD with that account's password. Replace BULK_API_PASSWORD with the password used to access the bulk API. Replace CCDB_ENCRYPTION_KEY with a secure random key that you generate; Cloud Controller uses it to encrypt sensitive values in its database, so keep a copy somewhere safe, because values already encrypted cannot be read without it.
properties.ccdb | This assumes you are using an external MySQL or PostgreSQL database service like Amazon RDS for your Cloud Controller database, and have already provisioned it. Replace CCDB_SCHEME (mysql or postgres), CCDB_USER, CCDB_USER_NAME, CCDB_PASSWORD, CCDB_ADDRESS, and CCDB_PORT with the appropriate values.
properties.consul | See the instructions on security configuration for consul for generating CONSUL_ENCRYPT_KEY and the CA, server and agent certificates and keys.
properties.loggregator_endpoint | Replace LOGGREGATOR_ENDPOINT_SHARED_SECRET with any secure, randomly generated secret.
properties.nats | Replace NATS_USER and NATS_PASSWORD with a secure username and password. Cloud Foundry components use these credentials to communicate with each other over the NATS message bus, so anything that holds them can publish to every component.
properties.router.status | Replace ROUTER_USER and ROUTER_PASSWORD with a secure username and password. They protect the router's status endpoint.
properties.uaa.admin, uaa.cc, uaa.clients | Replace all the *_SECRET values with secure secrets. Generate a different one for each client; do not reuse a secret across clients.
properties.uaa.jwt | Replace JWT_SIGNING_KEY with an RSA private key, and JWT_VERIFICATION_KEY with the corresponding RSA public key in PEM form. The key pair under uaa.jwt.policy.keys.key_pair_1 is a sample shipped with the stub (its certificate carries OpenSSL's default "Internet Widgits Pty Ltd" subject): replace it with your own key pair as well. Never deploy the sample, because anyone holding the published private key can mint tokens that UAA will accept.
properties.uaa.scim.users | Replace ADMIN_PASSWORD with a secure password. This will be the password for the Admin user of your Cloud Foundry installation, which the stub places in scim.write, scim.read, openid, cloud_controller.admin and doppler.firehose.
properties.uaadb | This assumes you are using an external MySQL or PostgreSQL database service like Amazon RDS for your UAA database, and have already provisioned it. Replace UAADB_SCHEME (mysql or postgres), UAADB_USER, UAADB_USER_NAME, UAADB_USER_PASSWORD, UAADB_ADDRESS, and UAADB_PORT with the appropriate values.
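The instructions above ask for a generated value in many places (CCDB_ENCRYPTION_KEY, LOGGREGATOR_ENDPOINT_SHARED_SECRET, every *_SECRET and password, the JWT key pair) and for the sample key pair to be removed. The following helpers are an added example, not code from cf-release or from this page: gen_secret and gen_jwt_keypair produce values of the right shape, and check_manifest reports placeholders that are still at their ALL_CAPS stub value and refuses a manifest that still carries the stub's sample JWT certificate (recognised by the prefix of its base64 text shown above). It assumes a POSIX sh with /dev/urandom; gen_jwt_keypair additionally assumes openssl on PATH. The file written by write_sample_manifest is a constructed fragment for trying the checks offline.

```shell
#!/bin/sh
# Added example, not part of cf-release or of this page: helpers for filling
# the stub's placeholders and for checking the edited manifest before it is
# fed to scripts/generate_deployment_manifest. Assumes a POSIX sh with
# /dev/urandom; gen_jwt_keypair additionally assumes openssl on PATH.

# 32 random bytes as 64 hex characters. Call it once per *_SECRET,
# *_PASSWORD, LOGGREGATOR_ENDPOINT_SHARED_SECRET and CCDB_ENCRYPTION_KEY;
# never reuse one value for two placeholders. CONSUL_ENCRYPT_KEY has its own
# format and is covered by the consul security instructions instead.
gen_secret() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# RSA key pair for UAA token signing: "$1.key" holds the value for
# JWT_SIGNING_KEY, "$1.pub" the PEM public key for JWT_VERIFICATION_KEY.
gen_jwt_keypair() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl rsa -in "$1.key" -pubout -out "$1.pub" 2>/dev/null
}

# Placeholders are ALL_CAPS tokens of four or more characters. PEM blocks
# are dropped first so base64 key material is never scanned. Prints the
# tokens still present in "$1" (sorted, unique) and returns 1 if there are
# any. Values you chose in upper case (an environment named AWS-PROD, say)
# are reported too, so read the list rather than trusting the count.
check_placeholders() {
  left=$(sed '/-----BEGIN/,/-----END/d' "$1" \
    | LC_ALL=C tr -cs 'A-Za-z0-9_' '\n' \
    | LC_ALL=C grep -E '^[A-Z][A-Z0-9_]{3,}$' \
    | sort -u)
  if [ -n "$left" ]; then
    printf '%s\n' "$left"
    return 1
  fi
  return 0
}

# The stub ships a sample JWT key pair under uaa.jwt.policy.keys.key_pair_1;
# its certificate begins with this text. Anyone holding the matching
# published private key can mint tokens that a UAA configured with it will
# accept, so a manifest that still contains it must not be deployed.
SAMPLE_JWT_CERT_PREFIX='MIIDBjCCAe4CCQCz3nn1SWrDdT'
check_sample_jwt_key() {
  if grep -q "$SAMPLE_JWT_CERT_PREFIX" "$1"; then
    echo "$1 still contains the sample JWT key pair from the stub"
    return 1
  fi
  return 0
}

# Both checks; succeeds only when the manifest is clean.
check_manifest() {
  rc=0
  check_placeholders "$1" || rc=1
  check_sample_jwt_key "$1" || rc=1
  return $rc
}

# Constructed sample, not taken from the page: a fragment with two
# placeholders left in, the stub's sample certificate still present, and a
# filled-in lowercase value that must not be reported.
write_sample_manifest() {
  cat > "$1" <<'EOF'
properties:
  nats:
    user: nats
    password: NATS_PASSWORD
  ccdb:
    db_scheme: postgres
  uaa:
    jwt:
      verification_key: JWT_VERIFICATION_KEY
      policy:
        keys:
          key_pair_1:
            verificationKey: |
              -----BEGIN CERTIFICATE-----
              MIIDBjCCAe4CCQCz3nn1SWrDdTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB
              -----END CERTIFICATE-----
EOF
}

# Stand-alone use: sh check_manifest.sh cf-stub.yml
[ "$#" -eq 0 ] || check_manifest "$1"
```

Run check_manifest against the edited stub and only hand it to scripts/generate_deployment_manifest when it exits 0. The placeholder scan is deliberately crude (it tokenises the file rather than parsing YAML), which is what makes it safe to run on a file that is not valid YAML yet; the price is the occasional false positive on upper-case values you chose yourself.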