Provision CelerData Cloud BYOC on AWS
Deploy a CelerData Cloud BYOC cluster on AWS step by step:
Read this article before you start a Terraform configuration for your cluster deployment on AWS.
Preparations
Before using the CelerData Cloud BYOC provider to create infrastructure at the AWS account level for the first time, you must complete the following preparations:
AWS prerequisites
- Have an AWS account with administrative privileges.
- Have an AWS S3 bucket.
- Have an IAM user, to which the following policy is attached, and create an access key pair for the IAM user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:PutRolePolicy",
        "iam:GetRole",
        "iam:ListRolePolicies",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:DeleteRolePolicy",
        "iam:DeleteRole",
        "iam:CreateInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:PassRole"
      ],
      "Resource": "*"
    }
  ]
}
CelerData prerequisites
Obtain the credentials with which you can authenticate into the CelerData Cloud BYOC platform. For details, see Authentication.
Terraform prerequisites
- Install Terraform in your terminal.
- Have a Terraform project. In your terminal, create an empty directory (for example, terraform) and then switch to it. (Each separate set of Terraform configuration files must be in its own directory, which is called a Terraform project.)
Configure providers
This section assumes that you have completed the preparations.
Create a .tf file (for example, main.tf) in your Terraform project. Then, add the following code snippet to the .tf file:
terraform {
  required_providers {
    celerdatabyoc = {
      source  = "CelerData/celerdatabyoc"
      version = "<provider_version>"
    }
    aws = {
      source  = "hashicorp/aws"
      version = "4.26.0"
    }
  }
}

provider "celerdatabyoc" {
  client_id     = "<client_id>"
  client_secret = "<client_secret>"
}

provider "aws" {
  region     = "<region_name>"
  access_key = "<your_access_key>"
  secret_key = "<your_secret_key>"
}

locals {
  s3_bucket = "<bucket_name>"
}
The parameters you need to specify are as follows:
- provider_version: Enter the CelerData provider version of your choice. We recommend that you select the latest provider version, for example version = "1.0.2". You can view the provider versions offered by CelerData Cloud BYOC from the CelerData Cloud BYOC provider page.
- client_id and client_secret: Enter the Client ID and Secret of your application key. See "For CelerData."
- region_name: Enter the ID of the AWS region in which you want your CelerData cluster to run. See Supported cloud platforms and regions.
- access_key and secret_key: Enter the access key ID ("access key" for short) and secret access key ("secret key" for short) of your access key pair. See "For AWS." For security purposes, you can set the access key and secret key as environment variables.
- s3_bucket: Enter the name of your S3 bucket. This way, the bucket element is set as a local value, and you can then directly set the argument for the bucket element in your Terraform configuration to local.s3_bucket to save time. See Local Values.
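The note above on keeping the AWS key pair in environment variables can be applied to every secret in the provider setup. The following configuration is an added example, not CelerData's own code; the variable names celerdata_client_id, celerdata_client_secret and sql_admin_password are assumptions, and the angle-bracket placeholders are the ones used on this page.

```hcl
terraform {
  required_providers {
    celerdatabyoc = {
      source  = "CelerData/celerdatabyoc"
      version = "<provider_version>"
    }
    aws = {
      source  = "hashicorp/aws"
      version = "4.26.0"
    }
  }
}

# Hypothetical variable names. Supply the values from the shell session
# instead of a committed file; Terraform maps TF_VAR_<name> to var.<name>:
#   export TF_VAR_celerdata_client_id=...
#   export TF_VAR_celerdata_client_secret=...
#   export TF_VAR_sql_admin_password=...
variable "celerdata_client_id" {
  type = string
}

variable "celerdata_client_secret" {
  type      = string
  sensitive = true # redacted in plan/apply output; still written to state
}

# Reference this as default_admin_password = var.sql_admin_password.
variable "sql_admin_password" {
  type      = string
  sensitive = true
}

provider "celerdatabyoc" {
  client_id     = var.celerdata_client_id
  client_secret = var.celerdata_client_secret
}

# No access_key/secret_key arguments: the AWS provider reads
# AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the environment.
provider "aws" {
  region = "<region_name>"
}

locals {
  s3_bucket = "<bucket_name>"
}
```

Values marked sensitive are hidden in command output but remain in the Terraform state file in plain text, so restrict access to the state and keep it out of version control.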
Describe infrastructure
This section provides a sample infrastructure configuration that automates the deployment of a classic CelerData cluster on AWS to help you understand how you can work with the CelerData Cloud BYOC provider. It assumes that you have completed the preparations and have configured the providers.
To create a classic CelerData cluster, you need to declare the following resources, which represent the infrastructure to be built, in the .tf file (for example, main.tf) in which you have configured the providers.
Data credential-related resources
data "celerdatabyoc_aws_data_credential_assume_policy" "assume_role" {}

resource "celerdatabyoc_aws_data_credential_policy" "role_policy" {
  bucket = local.s3_bucket
}

resource "aws_iam_role" "celerdata_data_cred_role" {
  name               = "<celerdata_data_credential_role_name>"
  assume_role_policy = data.celerdatabyoc_aws_data_credential_assume_policy.assume_role.json
  description        = "<celerdata_data_credential_role_description>"
  inline_policy {
    name   = "<celerdata_data_credential_role_policy_name>"
    policy = celerdatabyoc_aws_data_credential_policy.role_policy.json
  }
}

resource "celerdatabyoc_aws_data_credential" "data_credential" {
  name                 = "<celerdata_data_credential_name>"
  role_arn             = aws_iam_role.celerdata_data_cred_role.arn
  instance_profile_arn = aws_iam_instance_profile.celerdata_data_cred_profile.arn
  bucket_name          = local.s3_bucket
  policy_version       = celerdatabyoc_aws_data_credential_policy.role_policy.version
}
celerdatabyoc_aws_data_credential_policy
This resource contains only the following required argument:
- bucket: (Forces new resource) The name of the AWS S3 bucket for which to generate the JSON policy document and that stores query profiles. Set this argument to local.s3_bucket, as we recommend that you set the bucket element as a local value s3_bucket in your Terraform configuration. See Local Values.
aws_iam_role (celerdata_data_cred_role)
This resource contains the following required arguments and optional arguments:
Required:
- assume_role_policy: The policy that grants an entity permission to assume the IAM role referenced in the data credential. Set the value to data.celerdatabyoc_aws_data_credential_assume_policy.assume_role.json.
Optional:
- name: (Forces new resource) The name of the IAM role referenced in the data credential. Enter a unique name. If omitted, Terraform will assign a random, unique name. See IAM Identifiers for more information.
- description: The description of the IAM role.
- inline_policy: The configuration block that defines an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Terraform will not manage any inline policies in this resource. Configuring one empty block (namely, inline_policy {}) will cause Terraform to remove all inline policies added out of band on apply.
  - name: The name of the IAM policy that will be attached to the IAM role referenced in the data credential.
  - policy: The IAM policy that will be attached to the IAM role. Set the value to celerdatabyoc_aws_data_credential_policy.role_policy.json.
celerdatabyoc_aws_data_credential
This resource contains the following required arguments and optional arguments:
Required:
- role_arn: (Forces new resource) The ARN of the IAM role referenced in the data credential. Set the value to aws_iam_role.celerdata_data_cred_role.arn.
- instance_profile_arn: (Forces new resource) The instance profile ARN of the IAM role referenced in the data credential. Set the value to aws_iam_instance_profile.celerdata_data_cred_profile.arn.
- bucket_name: (Forces new resource) The name of the AWS S3 bucket for which to generate the policy document and that stores query profiles. Set this argument to local.s3_bucket, as we recommend that you set the bucket element as a local value s3_bucket in your Terraform configuration. See Local Values.
- policy_version: (Forces new resource) The version of the policy. Set the value to celerdatabyoc_aws_data_credential_policy.role_policy.version.
Optional:
- name: (Forces new resource) The name of the data credential. Enter a unique name.
Deployment credential-related resources
resource "aws_iam_instance_profile" "celerdata_data_cred_profile" {
  name = "<celerdata_data_credential_profile_name>"
  role = aws_iam_role.celerdata_data_cred_role.name
}

resource "celerdatabyoc_aws_deployment_credential_policy" "role_policy" {
  bucket        = local.s3_bucket
  data_role_arn = aws_iam_role.celerdata_data_cred_role.arn
}

resource "celerdatabyoc_aws_deployment_credential_assume_policy" "role_policy" {}

resource "aws_iam_role" "deploy_cred_role" {
  name               = "<celerdata_deployment_credential_role_name>"
  assume_role_policy = celerdatabyoc_aws_deployment_credential_assume_policy.role_policy.json
  description        = "<celerdata_deployment_credential_role_description>"
  inline_policy {
    name   = "<celerdata_deployment_credential_role_policy_name>"
    policy = celerdatabyoc_aws_deployment_credential_policy.role_policy.json
  }
}

resource "celerdatabyoc_aws_deployment_role_credential" "deployment_role_credential" {
  name           = "<celerdata_deployment_credential_name>"
  role_arn       = aws_iam_role.deploy_cred_role.arn
  external_id    = celerdatabyoc_aws_deployment_credential_assume_policy.role_policy.external_id
  policy_version = celerdatabyoc_aws_deployment_credential_policy.role_policy.version
}
aws_iam_instance_profile
This resource contains only the following optional arguments:
- name: (Forces new resource) The name of the instance profile. Enter a unique name. If omitted, Terraform will assign a random, unique name. This argument conflicts with name_prefix. The value of this argument can be a string of characters consisting of upper and lowercase alphanumeric characters and these special characters: _, +, =, ,, ., @, -. Spaces are not allowed.
- role: The name of the IAM role to add to the instance profile. Set the value to aws_iam_role.celerdata_data_cred_role.name.
celerdatabyoc_aws_deployment_credential_policy
This resource contains only the following required arguments:
- bucket: The name of the AWS S3 bucket. Set this argument to local.s3_bucket, as we recommend that you set the bucket element as a local value s3_bucket in your Terraform configuration. See Local Values.
- data_role_arn: (Forces new resource) The ARN of the IAM role referenced in the deployment credential. Set the value to aws_iam_role.celerdata_data_cred_role.arn.
aws_iam_role (deploy_cred_role)
This resource contains the following required arguments and optional arguments:
Required:
- assume_role_policy: The policy that grants an entity permission to assume the IAM role referenced in the deployment credential. Set the value to celerdatabyoc_aws_deployment_credential_assume_policy.role_policy.json.
Optional:
- name: (Forces new resource) The name of the IAM role referenced in the deployment credential. Enter a unique name. If omitted, Terraform will assign a random, unique name. See IAM Identifiers for more information.
- description: The description of the IAM role.
- inline_policy: The configuration block that defines an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Terraform will not manage any inline policies in this resource. Configuring one empty block (namely, inline_policy {}) will cause Terraform to remove all inline policies added out of band on apply.
  - name: The name of the IAM policy that will be attached to the IAM role.
  - policy: The IAM policy that will be attached to the IAM role referenced in the deployment credential. Set the value to celerdatabyoc_aws_deployment_credential_policy.role_policy.json.
celerdatabyoc_aws_deployment_role_credential
This resource contains the following required arguments and optional arguments:
Required:
- role_arn: (Forces new resource) The ARN of the cross-account IAM role referenced in the deployment credential. Set the value to aws_iam_role.deploy_cred_role.arn.
- external_id: (Forces new resource) The external ID that is used to create the cross-account IAM role referenced in the deployment credential. Set the value to celerdatabyoc_aws_deployment_credential_assume_policy.role_policy.external_id.
- policy_version: (Forces new resource) The version of the policy. Set the value to celerdatabyoc_aws_deployment_credential_policy.role_policy.version.
Optional:
- name: (Forces new resource) The name of the deployment credential. Enter a unique name.
Network configuration-related resources
resource "celerdatabyoc_aws_network" "network" {
  name                     = "<VPC_name>"
  subnet_id                = "<subnet_id>"
  security_group_id        = "<security_group_id>"
  region                   = "<AWS_VPC_region>"
  deployment_credential_id = celerdatabyoc_aws_deployment_role_credential.deployment_role_credential.id
  vpc_endpoint_id          = "<vpc_endpoint_id>"
}
The celerdatabyoc_aws_network resource contains the following required arguments and optional arguments:
Required:
- name: (Forces new resource) The name of the AWS VPC hosting the cluster. Enter a unique name.
- subnet_id: (Forces new resource) The ID of the subnet within the AWS VPC.
- security_group_id: (Forces new resource) The ID of the security group within the AWS VPC.
- region: (Forces new resource) The ID of the AWS region to which the AWS VPC belongs. See Supported cloud platforms and regions.
- deployment_credential_id: (Forces new resource) The ID of the deployment credential. Set the value to celerdatabyoc_aws_deployment_role_credential.deployment_role_credential.id.
Optional:
- vpc_endpoint_id: (Optional) The ID of your endpoint within your VPC. Set this argument if you need to achieve a more stringent network communication method.
CelerData cluster-related resources
resource "celerdatabyoc_classic_cluster" "demo_cluster" {
  deployment_credential_id = celerdatabyoc_aws_deployment_role_credential.deployment_role_credential.id
  data_credential_id       = celerdatabyoc_aws_data_credential.data_credential.id
  network_id               = celerdatabyoc_aws_network.network.id

  cluster_name     = "<cluster_name>"
  fe_instance_type = "<fe_node_instance_type>"
  fe_node_count    = 1
  be_instance_type = "<be_node_instance_type>"
  be_node_count    = 1
  // optional
  be_volume_config {
    vol_number = <vol_number>
    vol_size   = <vol_size>
    iops       = <iops>
    throughput = <throughput>
  }

  default_admin_password = "<SQL_user_initial_password>"
  expected_cluster_state = "Running"
  resource_tags = {
    celerdata = "<tag_name>"
  }
  csp    = "aws"
  region = "<AWS_VPC_region>"
}
Apply configurations
After you finish configuring the providers and describing the infrastructure objects in your Terraform configuration, follow these steps to apply the configuration in your Terraform project:
- Initialize and install the providers defined in the Terraform configuration:
    terraform init
- Verify that your Terraform project has been properly configured:
    terraform plan
  If there are any errors, edit the Terraform configuration and re-run the preceding command.
- Apply the Terraform configuration:
    terraform apply
  When the system returns an "Apply complete!" message, the Terraform configuration has been successfully applied.
After you change the provider versions in the Terraform configuration, you must run terraform init -upgrade to initialize the providers and then run terraform apply again to apply the Terraform configuration.
Delete configurations
You can delete your Terraform configuration if you no longer need it.
Deleting a Terraform configuration means destroying all resources created by the CelerData Cloud BYOC provider.
To delete a Terraform configuration, run the following command in your Terraform project:
terraform destroy
When the system returns a "Destroy complete!" message, the Terraform configuration has been successfully deleted and the cluster created by the Terraform configuration is also released.