How to configure Amazon Web Services (AWS) for BCD

The provisioning part of BCD is now deprecated and will be removed ! We do not recommend using it.

This tutorial describes how to configure Amazon Web Services (AWS) for BCD.
These configuration steps are required to allow BCD to programmatically manage your AWS instances and to be able to connect to your Bonita stack.

Sign Up for AWS

If you do not have an Amazon Web Services account yet, first sign up as described in this AWS user guide: Sign Up for AWS.

AWS Setup for BCD

In order to use Amazon EC2 instances, some configuration steps need to be performed as a prerequisite. The following steps are the basic requirements to set up AWS credentials for Ansible automation.
Further configuration instructions for AWS single sign-on can be found on this page.

  1. Create an IAM Policy to grant full access to Amazon EC2 on a specific region (eg. us-west-2)

    • Policy name: EC2FullAccess_us-west-2

    • Policy document:

       {
  "Version": "2012-10-17",
  "Statement": [
      {
          "Action": "ec2:*",
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
              "StringEquals": {
                  "ec2:Region": "us-west-2"
              }
          }
      }
  ]
 }

  2. Create an IAM Policy to give PassRole permission in order to be able to associate a specific role with the EC2 instances of a cluster.

    • Policy name: IAMPassRole

    • Policy document:

       {
  "Version": "2012-10-17",
  "Statement": [
      {
          "Action": "iam:PassRole",
          "Effect": "Allow",
          "Resource": "*"
      }
  ]
 }

  3. Create an IAM Group

    • Group name: bonita-provisioning

    • Select the IAM Policies created previously

    For some usage you may be interested to create a role and attach to it the corresponding policies, see Configure AWS single sign-on or Assume IAM role within AWS Organizations.

  4. Create an IAM Policy to allow ec2 instances of a cluster to autodiscover themselves on a specific region (eg. us-west-2).

    • Policy name: ClusterBCD_us-west-2

    • Policy document:

       {
  "Version": "2012-10-17",
  "Statement": [
      {
          "Action": [
              "ec2:DescribeInstances"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
              "StringEquals": {
                  "ec2:Region": "us-west-2"
              }
          }
      }
  ]
 }
      Pay attention that for security reasons, pushing AWS user credentials to EC2 instances (as done with BCD 1.0.x) is no longer supported.

  5. Create an IAM Role for an AWS service

    • Select EC2 to "Allows EC2 instances to call AWS services on your behalf."

    • Select the IAM Policy created previously (ClusterBCD_us-west-2)

    • Role name: ClusterBCD

  6. Create an IAM User

    • Access type: Programmatic access

    • Add user to the IAM group created previously

    • Download as .csv (or copy) Access key information (Access key ID and Secret access key) for later use

  7. Now let’s assume you are using an EC2 region which supports the EC2-VPC platform. Therefore a default VPC and default subnets should already be available.

  8. Create an EC2 Security Group

    • Security group name: sg_bonita-provisioning

    • Add an Inbound rule to allow communication between Bonita stack components

      • Type: All Traffic, Source: <security_group_id_of_sg_bonita-provisioning>

    • Add an Inbound rule to allow Ansible to connect via SSH

      • Type: SSH, Source: My IP

    • Add an Inbound rule to allow remote connection to Bonita Tomcat via HTTP

      • Type: Custom TCP Rule, Port Range: 8081, Source: My IP

    • Add an Inbound rule to allow remote connection to Bonita databases

      • Type: Custom TCP Rule, Source: My IP

        • with bonita_db_vendor: postgres - Port Range: 5432

        • with bonita_db_vendor: mysql - Port Range: 3306

        • with bonita_db_vendor: oracle - Port Range: 1521

  9. Create an EC2 Key Pair

    • Note: A key pair is linked to an AWS region

    • Download the .pem private key file

    • Ensure private key file permissions: $ chmod 400 <keyfile_basename>.pem

BCD is compatible with official Ubuntu cloud images as EC2 AMI (Amazon Machine Images).
Use the Amazon EC2 AMI Locator tools to identify IDs of such images.

Dynamic EC2 inventory configuration

When deploying to AWS, BCD uses dynamic Amazon EC2 inventory with a ec2_wrapper.sh script.

This ec2_wrapper.sh script can be further configured with the ec2.ini.j2 template.

For instance, if you are running the BCD controller from outside EC2, the vpc_destination_variable parameter should be set to ip_address. If you are running the BCD controller from within EC2, the vpc_destination_variable parameter should be set to private_ip_address.
This parameter is managed by the ec2_vpc_destination_variable BCD variable.

More information on dynamic EC2 inventory management can be found in this blog post.