Federated Tenant Product Bootstrap
At this stage we presume that the Before you begin is covered and all required resources exist. We highly recommend using Multi-Tenant Product Setup (Preferred) if the application doesn't have an existing Federated Account/Cloud Spoke/CE.
1. Request an AWS Account
To start, you should request an AWS federated account using the Cloud Control portal in ServiceNow.
- For the account type, select Standard.
- For the environment type, select either non-production or production (if this is a new platform, start with non-production).
- Select any Region that is suitable for your workload.
- Select Yes for "Do you require a VPC?"
- If you are going to expose your workloads to the internet, select Yes for internet facing.
- For connectivity, select Connected to BP.
- In the Access and Permissions section, you should add yourself (or whoever is completing the onboarding) to the DEVOPS and IAM-ADM roles.
Using an existing AWS account? Make sure you have the right access roles using the "Grant/Revoke User Access" section of the Cloud Control portal.
New to BP AWS? You can read more about the types of AWS accounts and pre-configured IAM roles here
2. Bootstrap the AWS account
Before bootstrapping, ensure you have local AWS credentials (generated through
awsconnect) for the account you are onboarding. Then, run the
yalla bootstrap command:
~ yalla bootstrap -h
Bootstrap a new Yalla project
Usage:
yalla bootstrap [flags]
Flags:
-a, --account string AWS account to use (e.g. WS-00AY)
-c, --credentials string Path to cloud credentials file
-d, --description string Project description
-e, --environment string Project environment (e.g. dev)
-h, --help help for bootstrap
-n, --name string Project name
-r, --region string AWS region to use (e.g. eu-west-1)
-s, --snow-ref string SNOW application package ID (e.g. SPKG1234)
Provided your output looks similar to the example above, your account should now be ready to create your first Yalla workloads.
What does bootstrap do? The bootstrap process provisions an AWS IAM role that Yalla can assume from its "management account" to provision EKS clusters and other core components. There are also steps to add local VPC subnets and tag external/internal subnets for the AWS load balancer controller.
3. Create your platform.yaml
If your bootstrap command is successful, you should have a generated platform.yaml
file in the output. This file is used to define the platform metadata, EKS clusters, and
ingresses for your platform.
You should clone the Yalla repository:
git clone https://dev.azure.com/DevOps-SRE/_git/yalla
cd yalla
git switch -c <product_named_branch>
Copy the output into a file located in platforms/<platform name>/platform.yaml
in the Yalla repository where <platform name> matches the --name
that you specified when the CLI was run to bootstrap the account.
Check the contents of the file and make sure it looks correct:
platform:
name: test-proj
description: test
deployment_flow:
- phase: 1
env_name: dev
clusters:
- env_name: dev
useGoComposition: true
snow_spkg: SPKG1234
grafana:
create: true
aws:
account: "226441949578"
spoke_id: WS-019Y
region: eu-west-1
vpc_id: vpc-02d725b3c4e0022fe
subnet_ids:
- subnet-0a23a883973115708
- subnet-032abda208c2cf6e1
eks:
admin_role: WS-019Y-role-yalla-onboarding
ingresses:
internal:
domains:
- internal.test-proj-dev.bpaws.com
Next, commit your changes and push them to yalla remote. Then, create a pull request to merge
your changes into main.
Protecting your platform from external modifications
All changes to the Yalla repository require at least one peer review as a best practice. Additionally, you can setup access management in your
platform.yamlto protect your platform from edits outside of your team.
Want to understand more about platform.yaml and the hierarchy of files in the Yalla repo?
Read this document. There are also plenty of existing examples in the repo, such as Accelerate.
At this point, Yalla will begin setting up your clusters and onboarding to tools like Grafana.