
Setup the Ahana Compute Plane

This page will walk you through the details of creating your Ahana Compute Plane in your AWS account. It’s easy to get going. Let’s start with granting Ahana cross-account access via a new AWS IAM role using the Ahana account ID and custom external ID.

Step 1: Create a new AWS IAM Role#

The Ahana Compute Plane requires several AWS services. To provision resources such as Amazon Elastic Kubernetes Service (EKS), S3 and others, the role that Ahana Cloud assumes needs a policy whose permissions allow Ahana to orchestrate and deploy the needed resources in your account.

You need to choose a method for setting up the necessary AWS role. CloudFormation is recommended.

AWS IAM Role Creation

Automatic using CloudFormation#

  1. Click the Open CloudFormation button.

AWS IAM Role Creation

  2. Log in to the AWS console.

CloudFormation Quick Create

  3. On the CloudFormation page, tick the checkbox and click Create Stack.

CloudFormation Quick Create

  4. After a couple of minutes, the IAM Role with the necessary permissions will be created.

Manually#

To create a new IAM Role and Policy manually, see the Appendix section Create a new IAM Policy manually.

Step 2: Provide Ahana with the AWS IAM Role ARN#

  1. Go to the Outputs section of the CloudFormation Stack and copy the ARN value.

Find the Role ARN in the CloudFormation output

  2. Paste the ARN value into the Role ARN text field of the Ahana SaaS Console.

Enter the Role ARN in Ahana

Step 3: Finish the Compute Plane Setup#

1. Select a region for the Compute plane deployment#

Select a region where you want the Ahana Compute plane to be deployed.

tip

It is recommended that you select a region where your data sources are located so that the compute and storage are co-located.

Finish Ahana Compute Plane Setup

2. Select availability zones#

You must pick 2 or 3 availability zones. This is because the compute plane uses Amazon EKS (Kubernetes), and EKS is by default created across multiple AZs for high availability.

3. Enter a Tenant name#

Enter a Tenant name; it will be used in the endpoints of the various clusters.

important

Once the compute plane is created, the tenant name cannot be changed. Choose the tenant name carefully.

4. Confirm setup#

Now you are ready to create the Ahana Compute Plane. Go ahead and click on the "Complete Setup" button. It will ask you to confirm the setup.

Confirm setup

It takes anywhere between 20 and 40 minutes to create the compute plane, depending on the region. Once it is completed, you will receive an email notification about the successful provisioning. Refreshing the Ahana Console will take you to the Ahana Home Console.

Compute Plane confirmation email

Ahana SaaS Console Home

Appendix#

Create a new IAM Policy manually#

1. Copy the Ahana provided AWS policy#

Copy the Ahana-provided IAM Policy

2. Update permissions in a new policy#

Create a new AWS IAM policy using the Ahana AWS Policy provided.

Go to the JSON Editor tab as shown below.

Create a new IAM Policy

Next, delete the existing JSON and paste the Ahana Policy you copied into the JSON editor. Click on Review.

Paste policy in the JSON Editor

3. Create the new policy#

Next, give the policy a name and description as shown below.

Name the policy

Next, review the policy and create it as shown below.

Complete policy creation

For your reference, here is the JSON policy used.

note

The required Ahana AWS IAM policy is tag-scoped so that the control plane can only delete resources that are tagged as Ahana-owned. Remember: the more conditions and limitations a policy carries, the stronger the policy!

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:CreateVpc",
        "ec2:CreateSubnet",
        "ec2:CreateRouteTable",
        "ec2:CreateRoute",
        "ec2:CreateInternetGateway",
        "ec2:ModifyVpcAttribute",
        "ec2:ModifySubnetAttribute",
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:CreateSecurityGroup",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:CreateLaunchTemplate",
        "ec2:ModifyLaunchTemplate",
        "ec2:DeleteLaunchTemplate",
        "ec2:CreateNetworkInterface",
        "ec2:AttachNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:RunInstances",
        "ec2:CreateVolume",
        "ec2:AttachVolume",
        "ec2:CreateTags",
        "ec2:AllocateAddress",
        "ec2:CreateNatGateway",
        "ec2:CreateVpcEndpoint",
        "ec2:DeleteVpcEndpoints"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:DeleteSecurityGroup"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/aws:eks:cluster-name": "ahana-eks-cluster"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Delete*",
        "ec2:Detach*",
        "ec2:Disassociate*",
        "ec2:TerminateInstances",
        "ec2:ReleaseAddress"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ahana:saasowner": "Ahana"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
        "iam:ListInstanceProfiles",
        "iam:CreateServiceLinkedRole",
        "iam:GetRole",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies",
        "iam:GetRolePolicy",
        "iam:GetPolicy",
        "iam:GetPolicyVersion"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:*"],
      "Resource": [
        "arn:aws:iam::*:role/AHANA-*",
        "arn:aws:iam::*:instance-profile/AHANA-*",
        "arn:aws:iam::*:policy/ahana-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["eks:ListClusters", "eks:ListUpdates"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["eks:*"],
      "Resource": [
        "arn:aws:eks:*:*:cluster/ahana-eks-cluster",
        "arn:aws:eks:*:*:nodegroup/ahana-eks-cluster/*/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["cloudformation:DescribeStacks"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["cloudformation:*"],
      "Resource": "arn:aws:cloudformation:*:*:stack/AHANA-*"
    },
    {
      "Effect": "Allow",
      "Action": ["elasticloadbalancing:DescribeLoadBalancers"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ACM:RequestCertificate",
        "ACM:DescribeCertificate",
        "ACM:ListCertificates",
        "ACM:AddTagsToCertificate"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ACM:DeleteCertificate"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ahana:saasowner": "Ahana"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketTagging",
        "s3:DeleteBucket",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::ahana-*"
    },
    {
      "Effect": "Allow",
      "Action": ["autoscaling:UpdateAutoScalingGroup"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/eks:cluster-name": "ahana-eks-cluster"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["autoscaling:DescribeAutoScalingGroups"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["lambda:*"],
      "Resource": [
        "arn:aws:lambda:*:*:layer:ahana-*",
        "arn:aws:lambda:*:*:function:ahana-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": "arn:aws:s3:::*ahana-cloudformation-lambda-*"
    }
  ]
}
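To see what the tag conditions in the policy above actually buy you, here is an added example (not Ahana's code) with a small, simplified IAM evaluator run over a three-statement subset of that policy: it matches actions case-insensitively, matches resource ARNs against the statement patterns, and only honours StringEquals conditions on aws:ResourceTag/<key>. The instance ARN and tags in the test are constructed.

```python
import fnmatch

# Subset of the Ahana policy above, kept short: an unconditional
# describe/create statement, the tag-conditioned delete statement and the
# bucket-scoped S3 statement.
POLICY_SUBSET = {
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:CreateTags"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Delete*", "ec2:TerminateInstances"],
         "Condition": {"StringEquals": {"aws:ResourceTag/ahana:saasowner": "Ahana"}}},
        {"Effect": "Allow", "Resource": "arn:aws:s3:::ahana-*",
         "Action": ["s3:DeleteBucket", "s3:GetObject"]},
    ]
}


def _matches(value, patterns, fold_case):
    # IAM action names are case-insensitive; resource ARNs are not.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, tags):
    # Only StringEquals on aws:ResourceTag/<key> is modelled, the one operator
    # the Ahana policy uses. A missing tag never satisfies the condition.
    prefix = "aws:ResourceTag/"
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith(prefix) or tags.get(key[len(prefix):]) != expected:
            return False
    return True


def is_allowed(policy, action, resource, tags=None):
    """Simplified IAM evaluation: True if any Allow statement matches the
    action, the resource ARN and its Condition against the resource's tags.
    Deny statements and other condition operators are not modelled."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and _matches(action, stmt["Action"], fold_case=True)
                and _matches(resource, stmt["Resource"], fold_case=False)
                and _condition_holds(stmt.get("Condition", {}), tags or {})):
            return True
    return False
```

The evaluator shows that ec2:TerminateInstances succeeds only against an instance carrying ahana:saasowner=Ahana, while the same call against an untagged instance, or s3:DeleteBucket against a bucket outside the ahana-* prefix, is denied.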

Create a new AWS IAM Role#

1. Copy the Ahana Account ID#

To create cross-account access, you will first need to copy the Ahana SaaS Console Account ID.

Copy the Ahana Account ID

2. Setup the new role#

Start creating a new AWS IAM Role. Select the "Another AWS account" box as shown below.

Create a new role

Paste the Ahana account ID into the "Account ID" text box.

Select the "Require external ID" checkbox. This is an AWS best practice that Ahana follows. Next, go back to the Ahana SaaS Console, copy the "External ID" shown there and paste it into the "External ID" textbox. Then go to the next step by clicking the "Next: Permissions" button.

Setup role with Ahana account

3. Attach the IAM Policy to the new role#

Attach the newly created policy. In our example, we name the policy "Ahana-Cloud-Policy" and we'll attach that as seen below. Then click on the "Next: Tags" button.

Attach policy to the role

4. Finish role creation#

You can skip the "Add tags" step. Click on the "Next: Review" button to move forward.

Skip the tags step

Next, give the new role a name and description and click the "Create Role" button.

Finish role creation
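The role wizard above produces a trust policy. As an added example (not Ahana's code), the block below builds the equivalent trust policy document for the "Another AWS account" plus "Require external ID" choices and checks that a role's trust policy really does pin sts:ExternalId before the role ARN is handed over in Step 2. The account ID and external ID are constructed placeholders; use the values shown in the Ahana SaaS Console.

```python
import fnmatch

# Constructed placeholders: substitute the Account ID and External ID shown
# in the Ahana SaaS Console.
AHANA_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "replace-with-console-external-id"


def build_trust_policy(account_id, external_id):
    """Trust policy equivalent to the console wizard choices in step 2:
    "Another AWS account" plus "Require external ID"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def requires_external_id(trust_policy):
    """True only if every Allow statement that lets an AWS account (or "*")
    call sts:AssumeRole also pins sts:ExternalId with StringEquals.

    Run this against a role's trust policy before handing its ARN to a third
    party: a statement without the condition leaves the role open to the
    confused-deputy problem the "Require external ID" checkbox prevents."""
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        assumes = any(fnmatch.fnmatchcase("sts:assumerole", a.lower()) for a in actions)
        principal = stmt.get("Principal", {})
        account_principal = principal == "*" or (
            isinstance(principal, dict) and "AWS" in principal)
        if stmt.get("Effect") != "Allow" or not assumes or not account_principal:
            continue  # deny statements and service principals need no external ID
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            return False
    return True
```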