Create and connect new AWS EKS cluster

The following document shows how to create an AWS EKS cluster using the OCLI.

Prerequisites

  1. Install git if not already present.
  2. Install the AWS CLI (version 2.x) and create an AWS profile locally with admin access to the AWS account in which you want to create the new cluster.

📘 Suggestion

We highly recommend that you go through the AWS Infrastructure requirements carefully.

Installing OCLI

  1. Download the binary for your platform using the matching command below.
    macOS (Apple Silicon, darwin_arm64):
    curl -H 'Cache-Control: max-age=0' -s "https://releases.ocli.truefoundry.tech/binaries/ocli_$(curl -H 'Cache-Control: max-age=0' -s https://releases.ocli.truefoundry.tech/stable.txt)_darwin_arm64" -o ocli
    
    macOS (Intel, darwin_amd64):
    curl -H 'Cache-Control: max-age=0' -s "https://releases.ocli.truefoundry.tech/binaries/ocli_$(curl -H 'Cache-Control: max-age=0' -s https://releases.ocli.truefoundry.tech/stable.txt)_darwin_amd64" -o ocli
    
    Linux (arm64):
    curl -H 'Cache-Control: max-age=0' -s "https://releases.ocli.truefoundry.tech/binaries/ocli_$(curl -H 'Cache-Control: max-age=0' -s https://releases.ocli.truefoundry.tech/stable.txt)_linux_arm64" -o ocli
    
    Linux (amd64):
    curl -H 'Cache-Control: max-age=0' -s "https://releases.ocli.truefoundry.tech/binaries/ocli_$(curl -H 'Cache-Control: max-age=0' -s https://releases.ocli.truefoundry.tech/stable.txt)_linux_amd64" -o ocli
    
  2. Make the binary executable and move it to a directory on your $PATH
    sudo chmod +x ./ocli
    sudo mv ocli /usr/local/bin
    
  3. Confirm the installation by running the command
    ocli --version
    

Configuring Input Config file

  1. To create a new cluster, you will need your AWS account ID, region, and the name of an AWS profile.
  2. Run the following command to fill in the inputs interactively:
    ocli infra-init
    
  3. For networking, there are two possible configurations:
    1. New VPC (Recommended) - This creates a new VPC for your new cluster.
    2. Existing VPC - You can enter your existing VPC and subnet IDs.
  4. Once all the inputs are filled in, a config file named tfy-config.yaml is generated in your current directory. We strongly recommend reviewing the generated file and checking it against your inputs; you can also customize the inputs by editing the file directly. Sample files for both networking options are shown below.

Existing VPC:

aws:
  account:
    id: "xxxxxxxxxxxxxxxxx"
  cluster:
    name: "coolml"
    public_access:
      cidrs:
      - 0.0.0.0/0
      enabled: true
    version: "1.30"
  iam_role:
    assume_role_arns:
    - arn:aws:iam::416964291864:role/tfy-ctl-euwe1-production-truefoundry-deps
    cluster_integration:
      enabled: true
    ecr:
      enabled: true
    enabled: true
    role_enable_override: false
    role_override_name: ""
    s3:
      bucket_enable_override: false
      bucket_override_name: ""
      enabled: true
    ssm:
      enabled: true
  network:
    existing: true
    private_subnets_cidrs: []
    private_subnets_ids:
    - subnet-xxxxxxxxxxxxxxxxx
    - subnet-xxxxxxxxxxxxxxxxx
    - subnet-xxxxxxxxxxxxxxxxx
    public_subnets_cidrs: []
    public_subnets_ids:
    - subnet-xxxxxxxxxxxxxxxxx
    - subnet-xxxxxxxxxxxxxxxxx
    - subnet-xxxxxxxxxxxxxxxxx
    vpc_cidr: ""
    vpc_id: vpc-xxxxxxxxxxxxxxxxx
  profile:
    name: administrator-xxxxxxxxxxxxxxxxx
  region:
    availability_zones:
    - us-east-1a
    - us-east-1b
    - us-east-1c
    name: us-east-1
  tags: {}
  tfy_control_plane:
    enabled: false
azure: null
binaries:
  terraform:
    binary_path: null
  terragrunt:
    binary_path: null
gcp: null
provider: aws

New VPC:

aws:
  account:
    id: "xxxxxxxxxxxxxxxxx"
  cluster:
    name: coolml
    public_access:
      cidrs:
      - 0.0.0.0/0
      enabled: true
    version: "1.30"
  iam_role:
    assume_role_arns:
      - arn:aws:iam::416964291864:role/tfy-ctl-euwe1-production-truefoundry-deps
    cluster_integration:
      enabled: true
    ecr:
      enabled: true
    enabled: true
    role_enable_override: false
    role_override_name: ""
    s3:
      bucket_enable_override: false
      bucket_override_name: ""
      enabled: true
    ssm:
      enabled: true
  network:
    existing: false
    private_subnets_cidrs:
    - 10.222.0.0/20
    - 10.222.16.0/20
    - 10.222.32.0/20
    private_subnets_ids: []
    public_subnets_cidrs:
    - 10.222.176.0/20
    - 10.222.192.0/20
    - 10.222.208.0/20
    public_subnets_ids: []
    vpc_cidr: 10.222.0.0/16
    vpc_id: ""
  profile:
    name: administrator-xxxxxxxxxxxxxxxxx
  region:
    availability_zones:
    - us-east-2a
    - us-east-2b
    - us-east-2c
    name: us-east-2
  tags: {}
  tfy_control_plane:
    enabled: false
azure: null
binaries:
  terraform:
    binary_path: null
  terragrunt:
    binary_path: null
gcp: null
provider: aws
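Before running the create step, it is worth checking the generated file mechanically rather than by eye alone. The following Python helper is an added example and not part of OCLI: given a tfy-config.yaml already parsed into a dict (for instance with PyYAML's yaml.safe_load), it flags a public_access CIDR of 0.0.0.0/0 on the cluster API endpoint, availability zones that do not belong to the configured region, missing IDs when an existing VPC is selected, and subnet CIDRs that fall outside vpc_cidr or overlap when a new VPC is created. The embedded sample is constructed from the New VPC config above, abridged to two zones.

```python
import ipaddress

def check_config(cfg: dict) -> list[str]:
    """Return findings for a parsed tfy-config.yaml; an empty list means it passed."""
    findings = []
    aws = cfg.get("aws", {})
    # The generated sample opens the cluster API endpoint to every IP; flag it so
    # the operator can narrow public_access.cidrs to known ranges before creating.
    pub = aws.get("cluster", {}).get("public_access", {})
    if pub.get("enabled") and "0.0.0.0/0" in pub.get("cidrs", []):
        findings.append("public_access.cidrs allows the API endpoint from 0.0.0.0/0")
    region = aws.get("region", {})
    for az in region.get("availability_zones", []):
        if not az.startswith(region.get("name", "")):
            findings.append(f"availability zone {az} is not in region {region.get('name')}")
    net = aws.get("network", {})
    if net.get("existing"):
        # Existing VPC: the ID fields must be filled in; the CIDR fields are ignored.
        if not str(net.get("vpc_id", "")).startswith("vpc-"):
            findings.append("network.existing is true but vpc_id is not set")
        for key in ("private_subnets_ids", "public_subnets_ids"):
            if len(net.get(key, [])) < 2:
                findings.append(f"{key} lists fewer than two subnets")
        return findings
    # New VPC: every subnet CIDR must sit inside vpc_cidr and none may overlap.
    try:
        vpc = ipaddress.ip_network(net.get("vpc_cidr", ""))
    except ValueError:
        findings.append("network.existing is false but vpc_cidr is not a valid CIDR")
        return findings
    seen = []
    for key in ("private_subnets_cidrs", "public_subnets_cidrs"):
        for cidr in net.get(key, []):
            sub = ipaddress.ip_network(cidr)
            if not sub.subnet_of(vpc):
                findings.append(f"{cidr} is outside vpc_cidr {vpc}")
            if any(sub.overlaps(s) for s in seen):
                findings.append(f"{cidr} overlaps another subnet")
            seen.append(sub)
    return findings

# Constructed sample mirroring the "New VPC" config above (account id, profile and
# one zone omitted); for a real file use yaml.safe_load(open("tfy-config.yaml")).
SAMPLE_NEW_VPC = {"provider": "aws", "aws": {
    "cluster": {"public_access": {"enabled": True, "cidrs": ["0.0.0.0/0"]}},
    "region": {"name": "us-east-2", "availability_zones": ["us-east-2a", "us-east-2b"]},
    "network": {"existing": False, "vpc_cidr": "10.222.0.0/16", "vpc_id": "",
                "private_subnets_cidrs": ["10.222.0.0/20", "10.222.16.0/20"],
                "public_subnets_cidrs": ["10.222.176.0/20", "10.222.192.0/20"]}}}
```

Run `check_config` on the loaded file and treat any finding as a reason to edit tfy-config.yaml before `ocli infra-create`; the 0.0.0.0/0 finding in particular is the one to act on by restricting public_access.cidrs to your own egress ranges.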

Create the cluster

Run the following command to create the EKS cluster along with the IAM roles it requires. The command runs several Terraform modules in turn and asks for confirmation before generating the plan for each module; answer yes to continue. You can pass --auto-approve to approve every module automatically.

ocli infra-create --file tfy-config.yaml

This command may take around 30-45 minutes to complete.

📘

Saving the ocli generated code

It is critical to save the code generated by ocli, including tfy-config.yaml, to a git repo. This will help with upgrades and with maintaining your infrastructure as code.

Connecting the cluster

  1. Head over to the TrueFoundry platform and log in. If you haven't signed up yet, you can sign up here.
  2. Once you have logged in, navigate to the Settings tab in the left panel and create a new API key. Copy the API key; it is used in the next set of commands.
  3. Run the following command to create the cluster in the portal. The control plane URL is the URL where you are logged in:

    ocli compute-plane-connect -f tfy-config.yaml --api-key API_KEY --control-plane-url CONTROL_PLANE_URL
    
  4. This generates a token and a values.yaml file with the token and the IAM role ARNs filled in:

    ## @section Global Parameters
    ## @param tenantName Parameters for tenantName
    ## Tenant Name - This is same as the name of the organization used to sign up 
    ## on Truefoundry
    ##
    tenantName: "TENANT"
    
    ## @param controlPlaneURL Parameters for controlPlaneURL
    ## URL of the control plane - Same as the URL of the Truefoundry dashboard
    ##
    controlPlaneURL: "CONTROL_PLANE_URL"
    
    ## @param clusterName Name of the cluster
    ## Name of the cluster that you have created on AWS/GCP/Azure
    ##
    clusterName: "CLUSTER_NAME"
    
    ## @section Parameters for AWS
    ## Parameters for AWS
    ##
    aws:
      ## @subsection Parameters for awsLoadBalancerController
      ## @param aws.awsLoadBalancerController.enabled Flag to enable AWS Load Balancer Controller
      awsLoadBalancerController:
        enabled: true
        ## @param aws.awsLoadBalancerController.roleArn Role ARN for AWS Load Balancer Controller
        ##
        roleArn: "AWS_LOAD_BALANCER_CONTROLLER_ROLE_ARN"
    
      ## @subsection Parameters for karpenter
      ## @param aws.karpenter.enabled Flag to enable Karpenter
      ##
      karpenter:
        enabled: true
        ## @param aws.karpenter.clusterEndpoint Cluster endpoint for Karpenter
        ##
        clusterEndpoint: "CLUSTER_ENDPOINT"
        ## @param aws.karpenter.roleArn Role ARN for Karpenter
        ##
        roleArn: "KARPENTER_ROLE_ARN"
        ## @param aws.karpenter.instanceProfile Instance profile for Karpenter
        ##
        instanceProfile: "INSTANCE_PROFILE"
        ## @param aws.karpenter.defaultZones Default zones for Karpenter
        ##
        defaultZones: []
    
        ## @param aws.karpenter.interruptionQueue Interruption queue name for Karpenter
        ##
        interruptionQueue: "KARPENTER_INTERRUPTION_QUEUE"
    
      ## @subsection Parameters for awsEbsCsiDriver
      ## @param aws.awsEbsCsiDriver.enabled Flag to enable AWS EBS CSI Driver
      ##
      awsEbsCsiDriver:
        enabled: true
        ## @param aws.awsEbsCsiDriver.roleArn Role ARN for AWS EBS CSI Driver
        ##
        roleArn: "AWS_EBS_CSI_DRIVER_ROLE_ARN"
    
      ## @subsection Parameters for awsEfsCsiDriver
      ## @param aws.awsEfsCsiDriver.enabled Flag to enable AWS EFS CSI Driver
      ##
      awsEfsCsiDriver:
        enabled: true
        ## @param aws.awsEfsCsiDriver.fileSystemId File system ID for AWS EFS CSI Driver
        ##
        fileSystemId: "AWS_EFS_CSI_DRIVER_FILE_SYSTEM_ID"
        ## @param aws.awsEfsCsiDriver.region Region for AWS EFS CSI Driver
        ##
        region: "AWS_REGION"
        ## @param aws.awsEfsCsiDriver.roleArn Role ARN for AWS EFS CSI Driver
        ##
        roleArn: "AWS_EFS_CSI_DRIVER_ROLE_ARN"
    
    ## @section Parameters for istio
    ## @param istio.enabled Flag to enable Istio
    ##
    istio:
      enabled: true
    
    ## @section Parameters for tfyAgent
    ## @param tfyAgent.enabled Flag to enable Tfy Agent
    ##
    tfyAgent:
      enabled: true
      ## @param tfyAgent.clusterToken Parameters for clusterToken
      ## Token for cluster authentication
      ##
      clusterToken: "CLUSTER_TOKEN"
    
    
  5. Execute the command:

    ocli compute-plane-install -f values.yaml --cluster-type aws-eks
    

Saving the output file (Optional)

Once the above command finishes, save the output using the command below:

ocli output --file tfy-config.yaml > output.txt