Closed mogul closed 4 years ago
Ran into trouble deploying the broker due to differences in how cloud.gov provides DB credentials, but got excellent support from the team upstream in both GitHub and the CF Slack within one business hour.
Also filed a request upstream with the cloud.gov team on their broker. https://github.com/cloud-gov/aws-broker/issues/87
Manual deployment with a hacky workaround for the issue encountered above is working.
(And yes, I already sent the upstream team a PR fixing the ElastiCache typo.)
Noting for later: This is how to work with the csb binary from the command line.
(cd app && docker run --rm -it --volume `pwd`:/broker ubuntu:bionic bash)
Demo time!!
% cf marketplace
Getting services from marketplace in org gsa-datagov / space development as bret.mogilefsky@gsa.gov...
OK
| service | plans | description | broker |
|---|---|---|---|
| aws-rds | shared-psql, medium-psql, medium-psql-redundant, large-psql, large-psql-redundant, shared-mysql, medium-mysql, medium-mysql-redundant, large-mysql, large-mysql-redundant, xlarge-psql, xlarge-psql-redundant, xlarge-mysql, xlarge-mysql-redundant, medium-oracle-se2, micro-psql | Persistent, relational databases using Amazon RDS | aws-broker |
| redis28 | standard | An open source in-memory data structure store. | kubernetes-broker |
| cloud-gov-service-account | space-deployer, space-auditor | Manage cloud.gov service accounts with access to your organization | uaa-credentials-broker |
| elasticsearch24 | 1x, 3x, 6x, 12x, medium-ha | Elasticsearch 2.4 RESTful search and analytics engine | kubernetes-broker |
| s3 | basic, basic-public, basic-public-sandbox, basic-sandbox | Amazon S3 provides developers with secure, durable, highly-scalable object storage | s3-broker |
| cloud-gov-identity-provider | oauth-client | Manage client credentials for authenticating cloud.gov users in your app | uaa-credentials-broker |
| redis32 | standard-ha, standard, micro | An open source in-memory database. | kubernetes-broker |
| elasticsearch56 | medium, medium-ha | Elasticsearch 5.6 RESTful search and analytics engine | kubernetes-broker |
| external-domain | domain, domain-with-cdn | Assign a custom domain to your application with TLS and an optional CDN. | external-domain-broker |
| csb-aws-mysql | small, medium, large | Amazon RDS for MySQL | ssb-gsa-datagov-development |
| csb-aws-postgresql | small, medium, large | Amazon RDS for PostgreSQL | ssb-gsa-datagov-development |
| csb-aws-redis-basic | small, medium, large | Amazon ElstiCache for Redis - single node | ssb-gsa-datagov-development |
| csb-aws-redis-ha | small, medium, large | Amazon ElstiCache for Redis - multinode with automatic failover | ssb-gsa-datagov-development |
| csb-aws-s3-bucket | private, public-read | AWS S3 Bucket | ssb-gsa-datagov-development |
| csb-google-bigquery | standard | A fast, economical and fully managed data warehouse for large-scale data analytics. | ssb-gsa-datagov-development |
| csb-google-dataproc | standard, ha | Dataproc is a fully-managed service for running Apache Spark and Apache Hadoop clusters in a simpler, more cost-efficient way. | ssb-gsa-datagov-development |
| csb-google-mysql | small, medium, large | Mysql is a fully managed service for the Google Cloud Platform. | ssb-gsa-datagov-development |
| csb-google-postgres | small, medium, large | PostgreSQL is a fully managed service for the Google Cloud Platform. | ssb-gsa-datagov-development |
| csb-google-redis | basic, ha | Cloud Memorystore for Redis is a fully managed Redis service for the Google Cloud Platform. | ssb-gsa-datagov-development |
| csb-google-spanner | small, medium, large | Fully managed, scalable, relational database service for regional and global application data. | ssb-gsa-datagov-development |
| csb-google-stackdriver-trace | default | Distributed tracing service | ssb-gsa-datagov-development |
| csb-google-storage-bucket | private, public-read | Google Cloud Storage that uses the Terraform back-end and grants service accounts IAM permissions directly on the bucket. | ssb-gsa-datagov-development |
TIP: Use 'cf marketplace -s SERVICE' to view descriptions of individual plans of a given service.
% cf create-service csb-aws-s3-bucket private mybucket
Creating service instance mybucket in org gsa-datagov / space development as bret.mogilefsky@gsa.gov...
OK
Create in progress. Use 'cf services' or 'cf service mybucket' to check operation status.
% cf service mybucket
Showing info of service mybucket in org gsa-datagov / space development as bret.mogilefsky@gsa.gov...
name: mybucket
service: csb-aws-s3-bucket
tags:
plan: private
description: AWS S3 Bucket
documentation: https://aws.amazon.com/s3/
dashboard:
service broker: ssb-gsa-datagov-development
Showing status of last operation from service mybucket...
status: create in progress
message:
started: 2020-07-23T05:20:05Z
updated: 2020-07-23T05:20:07Z
There are no bound apps for this service.
Upgrades are not supported by this broker.
% cf create-service-key mybucket mykey
Creating service key mykey for service instance mybucket as bret.mogilefsky@gsa.gov...
OK
% cf service-key mybucket mykey
Getting key mykey for service instance mybucket as bret.mogilefsky@gsa.gov...
{
"access_key_id": "[redacted]",
"arn": "arn:aws:s3:::csb-c52b2d7b-f87d-43e1-8611-4d54db7164eb",
"bucket_domain_name": "csb-c52b2d7b-f87d-43e1-8611-4d54db7164eb.s3.amazonaws.com",
"bucket_name": "csb-c52b2d7b-f87d-43e1-8611-4d54db7164eb",
"region": "us-west-2",
"secret_access_key": "[redacted]"
}
% cf delete-service-key mybucket mykey
Really delete the service key mykey?> yes
Deleting key mykey for service instance mybucket as bret.mogilefsky@gsa.gov...
OK
% cf delete-service mybucket
Really delete the service mybucket?> yes
Deleting service mybucket in org gsa-datagov / space development as bret.mogilefsky@gsa.gov...
OK
Delete in progress. Use 'cf services' or 'cf service mybucket' to check operation status.
User Story
In order to prove the feasibility of brokering Terraform-managed services in our cloud.gov environments, the data.gov team wants to see the cloud-service-broker available and brokering a simple AWS service via Terraform in data.gov spaces.
Acceptance Criteria
- GIVEN I run `cf login -a api.fr.cloud.gov --sso` and authenticate
- AND I run `cf target -o gsa-datagov -s <development|staging|production>`
- WHEN I run `cf marketplace`
- THEN I see the SSB's offered services and plans listed

- GIVEN I run `cf login -a api.fr.cloud.gov --sso` and authenticate
- AND I run `cf target -o gsa-datagov -s <development|staging|production>`
- WHEN I run `cf create-service csb-aws-s3-bucket private <instance-name>`
- THEN I see the instance is running
- AND I can `cf bind-service <app-name> <instance-name>`
- AND I can see credentials for the S3 instance in `cf env <app-name>`
- AND I can see a response when I use those credentials with `aws s3`
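The second scenario, run end to end, is the same sequence the demo comment on this page walks through by hand: create the instance, wait for the asynchronous provision to finish, mint a service key, use the key with the aws CLI, and delete the key again. The script below is an added example, not code from this repository or from the cloud-service-broker project. It assumes the `cf` and `aws` binaries are on PATH and that `cf login` and `cf target` have already been run; the function names, the `SAMPLE_*` strings (constructed to mirror the output shapes shown above, with placeholder values) and the hypothetical `smoke_test` entry point are this example's own. The parsing and polling helpers take injectable `runner` and `clock` arguments so they can be exercised offline.

```python
"""Drive the S3 acceptance scenario with the cf CLI and the aws CLI (added example)."""
import json
import os
import subprocess
import time

# Constructed sample output in the shape `cf service` prints (placeholder values).
SAMPLE_SERVICE_OUTPUT = """Showing info of service mybucket in org gsa-datagov / space development as user@example.gov...

name:            mybucket
service:         csb-aws-s3-bucket
plan:            private
documentation:   https://aws.amazon.com/s3/
service broker:  ssb-gsa-datagov-development

Showing status of last operation from service mybucket...

status:    create in progress
message:
started:   2020-07-23T05:20:05Z
updated:   2020-07-23T05:20:07Z
"""

# Constructed sample output in the shape `cf service-key` prints (placeholder values).
SAMPLE_SERVICE_KEY_OUTPUT = """Getting key mykey for service instance mybucket as user@example.gov...

{
 "access_key_id": "AKIAEXAMPLEPLACEHOLDER",
 "arn": "arn:aws:s3:::csb-00000000-0000-0000-0000-000000000000",
 "bucket_domain_name": "csb-00000000-0000-0000-0000-000000000000.s3.amazonaws.com",
 "bucket_name": "csb-00000000-0000-0000-0000-000000000000",
 "region": "us-west-2",
 "secret_access_key": "placeholder-secret"
}
"""


def run(*args):
    """Run a CLI command and return its stdout, raising on a non-zero exit."""
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout


def parse_last_operation_status(cf_service_output):
    """Return the 'status:' value from `cf service <instance>` output."""
    for line in cf_service_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "status":
            return value.strip()
    raise ValueError("no 'status:' line in cf service output")


def wait_for_operation(instance, runner=run, poll_seconds=10, timeout_seconds=900, clock=time):
    """Poll `cf service` until the last operation is no longer 'in progress'.

    Returns the final status string, e.g. 'create succeeded' or 'create failed'.
    """
    deadline = clock.monotonic() + timeout_seconds
    while True:
        status = parse_last_operation_status(runner("cf", "service", instance))
        if not status.endswith("in progress"):
            return status
        if clock.monotonic() > deadline:
            raise TimeoutError(f"{instance}: still '{status}' after {timeout_seconds}s")
        clock.sleep(poll_seconds)


def parse_service_key(cf_service_key_output):
    """Extract the credential JSON that follows the 'Getting key ...' banner."""
    start = cf_service_key_output.find("{")
    if start < 0:
        raise ValueError("no JSON object in cf service-key output")
    creds = json.loads(cf_service_key_output[start:])
    missing = {"access_key_id", "secret_access_key", "bucket_name", "region"} - creds.keys()
    if missing:
        raise ValueError(f"service key lacks fields: {sorted(missing)}")
    return creds


def aws_env_from_creds(creds, base_env=None):
    """Build the environment the aws CLI reads its credentials from.

    Keys are passed only through the child's environment, never on a command
    line or in a file, so they stay out of shell history and `ps` output.
    """
    env = dict(base_env if base_env is not None else os.environ)
    env["AWS_ACCESS_KEY_ID"] = creds["access_key_id"]
    env["AWS_SECRET_ACCESS_KEY"] = creds["secret_access_key"]
    env["AWS_DEFAULT_REGION"] = creds["region"]
    env.pop("AWS_SESSION_TOKEN", None)  # service keys are static IAM keys, not STS sessions
    env.pop("AWS_PROFILE", None)        # do not mix a local profile into this check
    return env


def smoke_test(instance="mybucket", key="mykey"):
    """Hypothetical entry point: provision, list the bucket, and revoke the key."""
    run("cf", "create-service", "csb-aws-s3-bucket", "private", instance)
    status = wait_for_operation(instance)
    if status != "create succeeded":
        raise RuntimeError(f"create-service ended with: {status}")
    run("cf", "create-service-key", instance, key)
    try:
        creds = parse_service_key(run("cf", "service-key", instance, key))
        cmd = ["aws", "s3", "ls", f"s3://{creds['bucket_name']}"]
        return subprocess.run(cmd, check=True, capture_output=True, text=True,
                              env=aws_env_from_creds(creds)).stdout
    finally:
        # The key is a long-lived IAM credential; revoke it as soon as the check is done.
        run("cf", "delete-service-key", "-f", instance, key)


if __name__ == "__main__":
    print(smoke_test())
```

`smoke_test` leaves the instance in place (the demo deletes it separately with `cf delete-service`), but always removes the service key, even when the aws call fails, so a failed run does not leave a live access key behind.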
Background
The goal here is to demonstrate an operational broker based on Terraform
Security Considerations (required)
This story is a spike to relax the need to follow our usual CM plan in order to Get It Done as a prototype. A follow-up story includes full CM plan compliance.
Sketch