License

Usage Engine Private Edition requires a license in order to be installed.

If you do not have a license, then follow the instructions in the self service portal on how to retrieve a license.

ECR Access Keys

The Usage Engine Private Edition container images are hosted in the DigitalRoute AWS ECR registry, and in order to get access to them, DigitalRoute have provided you with the required access keys. If you, for one reason or another, have not received these access keys, then please contact the DigitalRoute technical support.

General Purpose Tools

The following general purpose tools are required to be installed locally:

helm: To be able to install the required software in the Kubernetes cluster.
Installation instructions: https://helm.sh/docs/intro/install/
kubectl: To interact with the Kubernetes cluster.
Installation instructions: https://kubernetes.io/docs/tasks/tools/#kubectl
terraform: This is used to configure the Kubernetes cluster.
Installation instructions: https://developer.hashicorp.com/terraform/install

Domain DNS Setup

This reference installation of Usage Engine Private Edition involves making it publicly available on the internet. For this to work, a public hosted zone is required to be set up prior the installation. This is your parent domain that will be used for subdomain creation later to allow Usage Engine Private Edition access through hostname.

If you do not want to make Usage Engine Private Edition publicly available on the internet, this is not a requirement.

Be aware that, in this case, URL(s) used to explain how to access certain resources later on in this installation guide, such as Desktop Online, may not work.

AWS Specific Tools

The following AWS specific tools are required to be installed locally:

AWS CLI: The AWS command line interface.
Installation instructions: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
eksctl: The Amazon EKS command line interface.
Installation instructions: https://eksctl.io/installation/

For details on compatible versions, please refer to the https://infozone.atlassian.net/wiki/x/owDKCg .

Minimum IAM Policy

To use the installation guide, you need to ensure the user who performs the installation was granted with minimum permission in order to be able to provision AWS resources.

You do not need to setup the following if the user that performs the installation has the AdministratorAccess policy.

For best practice it is preferably to set up a minimum IAM policy for the user to perform the installation.

For IAM user creation, please refer to AWS documentation for guidance https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html.

The following table contains the policies required by the application.

Application

IAM Policies

eksctl

Refer to https://eksctl.io/usage/minimum-iam-policies/

Terraform

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"sts:GetCallerIdentity",
				"ec2:DescribeVpcAttribute",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeInternetGateways",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeVpcs",
				"ec2:DescribeAccountAttributes",
				"ec2:DescribeSubnets",
				"rds:AddTagsToResource",
				"rds:ListTagsForResource",
				"rds:CreateDBInstance",
				"rds:CreateDBSubnetGroup",
				"rds:DeleteDBSubnetGroup",
				"rds:DeleteDBInstance",
				"rds:ModifyDBInstance",
				"ec2:Describe*",
				"rds:Describe*",
				"rds:CreateDBParameterGroup",
				"rds:ModifyDBParameterGroup",
				"rds:DeleteDBParameterGroup",
				"rds:CreateOptionGroup",
				"rds:ModifyOptionGroup",
				"rds:DeleteOptionGroup"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"route53:GetHostedZone",
				"route53:CreateHostedZone",
				"route53:ListHostedZones",
				"route53:ChangeTagsForResource",
				"route53:ChangeResourceRecordSets",
				"route53:ListResourceRecordSets",
				"route53:GetChange",
				"route53:ListTagsForResource",
				"route53:GetDNSSEC",
				"route53:DeleteHostedZone"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"acm:*"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"kms:*"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"elasticfilesystem:Describe*",
				"elasticfilesystem:DeleteAccessPoint",
				"elasticfilesystem:CreateMountTarget",
				"elasticfilesystem:CreateFileSystem",
				"elasticfilesystem:ListTagsForResource",
				"elasticfilesystem:DeleteMountTarget",
				"elasticfilesystem:CreateAccessPoint",
				"elasticfilesystem:DeleteFileSystem",
				"elasticfilesystem:TagResource",
				"elasticfilesystem:UpdateFileSystem"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"ssm:Describe*",
				"ssm:GetParameter*",
				"ssm:ListTagsForResource",
				"ssm:PutParameter",
				"ssm:DeleteParameter*",
				"ssm:AddTagsToResource"
			],
			"Resource": "*"
		},
		{
			"Action": "iam:CreateServiceLinkedRole",
			"Effect": "Allow",
			"Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
			"Condition": {
				"StringLike": {
					"iam:AWSServiceName": "rds.amazonaws.com"
				}
			}
		}
	]
}

Pre-requisites - AWS (4.1)