# AWSCloudSpec.md

## Compute

### Amazon Elastic Compute Cloud

#### EC2 Instance

| AMI Name | Platform | Description | Mandatory |
| --- | --- | --- | --- |
| amazon-eks-node | Linux/UNIX | Default node pool instances (auto-scaled). | Yes |
| amazon-eks-node | Linux/UNIX | Execution node pool instances (auto-scaled). The default instance type for the execution node pool is t3.medium. Running a large number of simulations in parallel may exceed the vCPU limit of the EC2 service quota "Running On-Demand All Standard (A, C, D, H, I, M, R, T, Z) instances"; request a quota increase before scaling the pool out. | No |
| amzn2-ami-hvm-2.0.20210813.1-x86_64-gp2 | Amazon Linux | dSPACE license server. | No |

#### Elastic IP address

| Description |
| --- |
| Elastic IP address for the NAT Gateway. |

#### Launch template

| Name | Mandatory |
| --- | --- |
| Launch template for default node pool. | Yes |
| Launch template for execution node pool. | No |

### Amazon EC2 Auto Scaling

#### Auto Scaling Group

| Name | Mandatory |
| --- | --- |
| Auto scaling group for default node pool. | Yes |
| Auto scaling group for execution node pool. | No |

## Containers

### Amazon Elastic Kubernetes Service

#### Cluster

| Name | Description | Mandatory |
| --- | --- | --- |
| <tenant>-<environment>-<zone>-eks | Kubernetes cluster for SIMPHERA. | Yes |

#### Node group

| Description | Mandatory |
| --- | --- |
| Node group for SIMPHERA services and auxiliary third-party services such as Keycloak, nginx, etc. | Yes |
| Node group for the executors that perform the testing of the system under test. | No |

## Database

### Amazon Relational Database Service

#### PostgreSQL instance

| Name | Description | Mandatory |
| --- | --- | --- |
| <tenant>-<environment>-<zone>-simphera | Stores data records for items such as projects, test suites, etc. | Yes |
| <tenant>-<environment>-<zone>-keycloak | Keycloak stores SIMPHERA users in a separate Amazon RDS PostgreSQL instance. | Yes |

## Management & Governance

### Amazon CloudWatch

#### Log groups

| Name | Description |
| --- | --- |
| /aws/eks/<tenant>-<environment>-<zone>-eks/cluster | Kubernetes control plane logs written by EKS control plane logging (API server, audit, authenticator, controller manager, scheduler). The audit stream is the one to retain for incident response. |
| /<tenant>-<environment>-<zone>-eks/worker-fluentbit-logs | EKS container logs shipped from the worker nodes by Fluent Bit. |

## Networking & Content Delivery

### Amazon Virtual Private Cloud

#### Internet gateway

| Description |
| --- |
| Internet Gateway for the SIMPHERA Virtual Private Cloud. |

#### NAT gateway

| Description |
| --- |
| NAT Gateway for the SIMPHERA Virtual Private Cloud. |

#### Security group

| Group name | Group description | Direction | Protocol | Port range | Rule description |
| --- | --- | --- | --- | --- | --- |
| eks-cluster-sg-<tenant>-<environment>-<zone>-eks | EKS-created security group applied to the ENIs attached to the EKS control plane, as well as any managed workloads. | inbound | tcp | 30128 | kubernetes.io/rule/nlb/health |
| | | inbound | All | All | |
| | | inbound | tcp | 30804 | kubernetes.io/rule/nlb/health |
| | | inbound | icmp | 3 - 4 (type 3, code 4: fragmentation needed, used for path MTU discovery) | kubernetes.io/rule/nlb/mtu |
| | | outbound | All | All | |
| default | Default VPC security group. | inbound | All | All | |
| | | outbound | All | All | |
| <tenant>-<environment>-<zone>-db-sg | PostgreSQL security group. | inbound | tcp | 5432 | PostgreSQL access from within the VPC. |
| <tenant>-<environment>-<zone>-eks-eks_worker_sg | Security group for all nodes in the cluster. | inbound | All | All | Allow nodes to communicate with each other. |
| | | inbound | tcp | 1025 - 65535 | Allow worker pods to receive communication from the cluster control plane. |
| | | inbound | tcp | 443 | Allow pods running extension API servers on port 443 to receive communication from the cluster control plane. |
| | | outbound | All | All | Allow nodes all egress to the Internet. |
| <tenant>-<environment>-<zone>-eks-eks_cluster_sg | EKS cluster security group. | inbound | tcp | 443 | Allow pods to communicate with the EKS cluster API. |
| | | outbound | All | All | Allow cluster egress access to the Internet. |

This table does not list rule sources. When reviewing a deployment, confirm that the All/All inbound rules reference the group itself or the paired cluster/worker group rather than a CIDR, and that port 5432 on the database group is reachable only from within the VPC.
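The following is an added example, not part of this spec or of the SIMPHERA deployment: a small audit over `aws ec2 describe-security-groups` JSON (the same shape boto3 returns) that separates the rule shapes the table above intends, such as All/All from the worker group itself or port 1025-65535 from the cluster group, from the ones it must never contain, such as any port open to 0.0.0.0/0 or All/All from a CIDR. The group IDs `sg-worker`, `sg-cluster`, `sg-db` and `sg-bad`, the VPC CIDR 10.0.0.0/16 and the deliberately misconfigured group are constructed for this example.

```python
"""Audit EC2 security-group inbound rules for over-wide sources.

Added example, not part of the SIMPHERA spec. Group IDs, the VPC CIDR and
the misconfigured group below are constructed; the audit itself works on
real `describe-security-groups` output (the "SecurityGroups" list).
"""
from ipaddress import ip_network

ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def describe_ports(perm):
    """Human-readable protocol/port span for one IpPermissions entry."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all/all"
    fp, tp = perm.get("FromPort"), perm.get("ToPort")
    if fp is None or tp is None or (fp, tp) == (-1, -1):
        return f"{proto}/all"
    return f"{proto}/{fp}" if fp == tp else f"{proto}/{fp}-{tp}"


def audit_security_group(sg):
    """Return (severity, group_id, message) findings for inbound rules.

    HIGH:   all protocols / all ports reachable from 0.0.0.0/0 or ::/0
    MEDIUM: a specific port or range reachable from 0.0.0.0/0 or ::/0,
            or all protocols reachable from any CIDR
    Rules whose only sources are security groups (a group referencing
    itself for node-to-node traffic, or the cluster group for control plane
    traffic) produce no finding: that is what the table above describes.
    """
    findings = []
    gid = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        span = describe_ports(perm)
        all_traffic = perm.get("IpProtocol", "-1") == "-1"
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            ip_network(cidr, strict=False)  # raises ValueError on malformed input
            if cidr in ANY_SOURCE:
                sev = "HIGH" if all_traffic else "MEDIUM"
                findings.append((sev, gid, f"{span} inbound from {cidr}"))
            elif all_traffic:
                findings.append(("MEDIUM", gid, f"{span} inbound from CIDR {cidr}"))
    return findings


def audit_all(groups):
    """Flatten findings over a list of security groups."""
    return [f for sg in groups for f in audit_security_group(sg)]


# Constructed sample: the worker and database groups from the table above
# (with hypothetical IDs and a hypothetical VPC CIDR) plus one bad group.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-worker",  # stands in for <tenant>-<environment>-<zone>-eks-eks_worker_sg
        "IpPermissions": [
            {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-worker"}]},
            {"IpProtocol": "tcp", "FromPort": 1025, "ToPort": 65535,
             "UserIdGroupPairs": [{"GroupId": "sg-cluster"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "UserIdGroupPairs": [{"GroupId": "sg-cluster"}]},
        ],
    },
    {
        "GroupId": "sg-db",  # stands in for <tenant>-<environment>-<zone>-db-sg
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},  # hypothetical VPC CIDR
        ],
    },
    {
        "GroupId": "sg-bad",  # deliberately misconfigured; not from the spec
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]

if __name__ == "__main__":
    for sev, gid, msg in audit_all(SAMPLE_GROUPS):
        print(f"{sev:6} {gid}: {msg}")
```

To run it against a real account, feed `json.load(...)["SecurityGroups"]` from `aws ec2 describe-security-groups --filters Name=vpc-id,Values=<vpc-id>` into `audit_all` in place of `SAMPLE_GROUPS`.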

#### Subnet

| Name |
| --- |
| Public subnet in region 1 zone a |
| Public subnet in region 1 zone b |
| Public subnet in region 1 zone c |
| Private subnet in region 1 zone a |
| Private subnet in region 1 zone b |
| Private subnet in region 1 zone c |
| Database subnet in region 1 zone a |
| Database subnet in region 1 zone b |
| Database subnet in region 1 zone c |

#### Virtual Private Cloud

| Name | Mandatory |
| --- | --- |
| Virtual network for SIMPHERA. | Yes |

### Elastic Load Balancing

#### Network Load Balancer

| Description | Mandatory |
| --- | --- |
| Network Load Balancer for EKS, created by the ingress-nginx controller. | Yes |

## Storage

### Amazon Simple Storage Service

#### Bucket

| Name | Description | ACL | Mandatory |
| --- | --- | --- | --- |
| <tenant>-<environment>-<zone> | Stores binary data such as zipped files containing simulation models, test results, vehicle models, etc. | private | Yes |
| <tenant>-<environment>-<zone>-license-server | Used during the initial setup of the license server to transfer license files securely between an administration PC and the license server. | private | No |

### Amazon Elastic Block Store

#### Volume

| Description | Mandatory |
| --- | --- |
| Volume attached to the license server EC2 instance. | No |
| Kubernetes persistent volumes for CouchDB nodes (deprecated). | No |

## Security, Identity, & Compliance

### AWS Key Management Service

#### Customer managed keys

| Description | Mandatory |
| --- | --- |
| EKS cluster secret encryption key (envelope encryption of Kubernetes Secrets stored in etcd). | No |
| EKS Workers FluentBit CloudWatch Log group KMS Key. | No |

Both keys are optional, but without the first one Kubernetes Secrets rely solely on EKS's default at-rest encryption of the etcd volumes rather than on a key the tenant controls.

### AWS Identity and Access Management

#### Role

| Role name | Description | Policies |
| --- | --- | --- |
| <tenant>-<environment>-<zone>-eks-aws-for-fluent-bit-sa-irsa | AWS IAM role for the Kubernetes service account aws-for-fluent-bit-sa (IRSA). | |
| <tenant>-<environment>-<zone>-eks-aws-node-irsa | AWS IAM role for the Kubernetes service account aws-node (IRSA). | |
| <tenant>-<environment>-<zone>-eks-cluster-autoscaler-sa-irsa | AWS IAM role for the Kubernetes service account cluster-autoscaler-sa (IRSA). | |
| <tenant>-<environment>-<zone>-eks-cluster-role | | |
| <tenant>-<environment>-<zone>-eks-default | | |
| <tenant>-<environment>-<zone>-eks-execnodes | | |
| <tenant>-<environment>-<zone>-eks-ingress-nginx-sa-irsa | AWS IAM role for the Kubernetes service account ingress-nginx-sa (IRSA). | |
| <tenant>-<environment>-<zone>-eks20220328155518107300000008 | | |
| <tenant>-<environment>-<zone>-s3-role | IAM role for the MinIO service account. | |
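Four of the roles above are IRSA roles (IAM Roles for Service Accounts): a pod assumes them with `sts:AssumeRoleWithWebIdentity` using a token issued by the cluster's OIDC provider, and the trust policy's `StringEquals` conditions on `<provider>:sub` and `<provider>:aud` are what confine each role to one service account. As an added example (not code from this spec or from the SIMPHERA project), the check below reads a trust policy and reports when the `sub` is missing, matched with a `StringLike` wildcard, or bound to a different service account, or when the `aud` is not `sts.amazonaws.com`. The account ID, OIDC provider ID, the `logging` namespace and both policy documents are constructed for the example; the service account name `aws-for-fluent-bit-sa` is taken from the table.

```python
"""Verify that an IRSA role trusts exactly one Kubernetes service account.

Added example, not part of the SIMPHERA deployment. The account ID, OIDC
provider ID, namespace and both policy documents are constructed; the check
applies to any IAM role assumed via sts:AssumeRoleWithWebIdentity.
"""
import json

STS_AUDIENCE = "sts.amazonaws.com"
ASSUME_ACTION = "sts:AssumeRoleWithWebIdentity"


def _as_list(value):
    """IAM allows a scalar or a list in Action and Condition values."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def check_irsa_trust(policy, provider_arn, namespace, service_account):
    """Return a list of problems; empty means the trust policy is pinned to
    system:serviceaccount:<namespace>:<service_account> and the STS audience,
    so no other pod in the cluster can assume the role."""
    provider_host = provider_arn.split("oidc-provider/", 1)[1]
    want_sub = f"system:serviceaccount:{namespace}:{service_account}"
    problems = []
    matched = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or ASSUME_ACTION not in _as_list(stmt.get("Action")):
            continue
        matched = True
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or principal.get("Federated") != provider_arn:
            problems.append("principal is not the cluster's OIDC provider")
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        subs = _as_list(equals.get(f"{provider_host}:sub"))
        auds = _as_list(equals.get(f"{provider_host}:aud"))
        likes = _as_list(cond.get("StringLike", {}).get(f"{provider_host}:sub"))
        if subs != [want_sub]:
            if likes:
                problems.append(f"sub matched with StringLike {likes}; wildcards admit other service accounts")
            else:
                problems.append(f"sub condition {subs} != [{want_sub!r}]")
        if auds != [STS_AUDIENCE]:
            problems.append(f"aud condition {auds} != [{STS_AUDIENCE!r}]")
    if not matched:
        problems.append(f"no Allow statement for {ASSUME_ACTION}")
    return problems


def load_trust_policy(get_role_output):
    """Extract the trust policy from `aws iam get-role` JSON output."""
    return json.loads(get_role_output)["Role"]["AssumeRolePolicyDocument"]


# Constructed: hypothetical account ID and OIDC provider ID.
PROVIDER_ARN = ("arn:aws:iam::123456789012:oidc-provider/"
                "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF")
PROVIDER_HOST = PROVIDER_ARN.split("oidc-provider/", 1)[1]

# Constructed: a correctly pinned trust policy ("logging" namespace is hypothetical).
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": ASSUME_ACTION,
        "Condition": {"StringEquals": {
            f"{PROVIDER_HOST}:sub": "system:serviceaccount:logging:aws-for-fluent-bit-sa",
            f"{PROVIDER_HOST}:aud": STS_AUDIENCE,
        }},
    }],
}

# Constructed: wildcard sub and no aud, so any pod with a projected token qualifies.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": [ASSUME_ACTION],
        "Condition": {"StringLike": {f"{PROVIDER_HOST}:sub": "system:serviceaccount:*:*"}},
    }],
}

# Constructed stand-in for `aws iam get-role` output.
GET_ROLE_OUTPUT = json.dumps({"Role": {"RoleName": "example-irsa",
                                       "AssumeRolePolicyDocument": BAD_POLICY}})

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", load_trust_policy(GET_ROLE_OUTPUT))):
        print(name, check_irsa_trust(pol, PROVIDER_ARN, "logging", "aws-for-fluent-bit-sa") or "OK")
```

Run it per IRSA role with the output of `aws iam get-role --role-name <role>` and the cluster's provider ARN from `aws eks describe-cluster --query cluster.identity.oidc.issuer`; the namespace and service account come from the ServiceAccount object that carries the `eks.amazonaws.com/role-arn` annotation.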

#### Policy

| Policy name | Description | Managed By |
| --- | --- | --- |
| <tenant>-<environment>-<zone>-eks-fluentbit | IAM policy for AWS for Fluent Bit. | Customer |
| AmazonEKS_CNI_Policy | This policy provides the Amazon VPC CNI Plugin (amazon-vpc-cni-k8s) the permissions it requires to modify the IP address configuration on your EKS worker nodes. This permission set allows the CNI to list, describe, and modify Elastic Network Interfaces on your behalf. More information on the AWS VPC CNI Plugin is available here: https://github.com/aws/amazon-vpc-cni-k8s | AWS |
| <tenant>-<environment>-<zone>-eks-cluster-autoscaler-irsa | Cluster Autoscaler IAM policy. | Customer |
| AmazonEKSClusterPolicy | This policy provides Kubernetes the permissions it requires to manage resources on your behalf. Kubernetes requires ec2:CreateTags permissions to place identifying information on EC2 resources including but not limited to Instances, Security Groups, and Elastic Network Interfaces. | AWS |
| AmazonEKSServicePolicy | This policy allows Amazon Elastic Container Service for Kubernetes to create and manage the necessary resources to operate EKS Clusters. | AWS |
| <tenant>-<environment>-<zone>-eks-elb-sl-role-creation20220328154446563700000001 | Permissions for EKS to create the AWSServiceRoleForElasticLoadBalancing service-linked role. | Customer |
| AmazonEKSVPCResourceController | Policy used by the VPC Resource Controller to manage ENIs and IPs for worker nodes. | AWS |
| AmazonEKSWorkerNodePolicy | This policy allows Amazon EKS worker nodes to connect to Amazon EKS Clusters. | AWS |
| AmazonEC2ContainerRegistryReadOnly | Provides read-only access to Amazon EC2 Container Registry repositories. | AWS |
| AmazonSSMManagedInstanceCore | The policy for an Amazon EC2 role to enable AWS Systems Manager service core functionality. | AWS |
| <tenant>-<environment>-<zone>-eks-ingress-nginx-sa-policy | A generic AWS IAM policy for the ingress-nginx IRSA role. | Customer |
| <tenant>-<environment>-<zone>-s3-policy | Allows access to the S3 bucket. | Customer |