aws-er-config-terraform.html.md.erb

---
title: Deploying PAS on AWS Using Terraform
owner: Ops Manager
iaas: AWS
install_type: terraform
---
<strong><%= modified_date %></strong>

This topic describes how to install and configure Pivotal Application Service (PAS) on Amazon Web Services (AWS).

Before beginning this procedure, ensure that you have successfully completed the [Configuring BOSH Director on AWS Using Terraform](../om/aws/config-terraform.html) topic.

<p class="note"><strong>Note:</strong> If you plan to <a href="http://docs.pivotal.io/addon-ipsec/installing.html">install the PCF IPsec add-on</a>, you must do so before installing any other tiles. Pivotal recommends installing IPsec immediately after Ops Manager, and before installing the PAS tile.</p>


## <a id='add-er'></a> Step 1: Add PAS to Ops Manager

1. If you have not already downloaded PAS, log in to [Pivotal Network](https://network.pivotal.io/products/pivotal-cf) and click PAS.

1. From the **Releases** dropdown, select the release to install and choose one of the following:
  - Click PAS to download the PAS `.pivotal` file
  - Click **PCF Small Footprint Runtime** to download the Small Footprint Runtime `.pivotal` file. For more information, see [Getting Started with Small Footprint Runtime](./small-footprint.html).

1. Navigate to the Pivotal Cloud Foundry Operations Manager Installation Dashboard.

1. Click **Import a Product** to add your tile to Ops Manager. For more information, refer to the [Adding and Deleting Products](./add-delete.html) topic.

1. Click the PAS tile in the Installation Dashboard.

    <%= image_tag("images/pas-tile.png") %>


## <a id='assign-az'></a> Step 2: Assign Availability Zones and Networks

1. Select **Assign AZ and Networks**.

1. Select an Availability Zone under **Place singleton jobs**. Ops Manager runs any job with a single instance in this Availability Zone.

1. Select all three Availability Zones under **Balance other jobs**. Ops Manager balances instances of jobs with more than one instance across the Availability Zones that you specify.

1. From the **Network** dropdown, choose the `pcf-pas-network` you created when configuring the BOSH Director tile.
	<%= image_tag("er-az.png") %>

1. Click **Save**.
  <p class="note"><strong>Note:</strong> When you save this form, a verification error displays because the PCF security group blocks ICMP. You can ignore this error.</p>
    <%= image_tag("pcfaws/er-network-error.png") %>


## <a id='er-domain-config'></a> Step 3: Configure Domains

1. Select **Domains**.

    <%= image_tag("domains.png") %>

1. Enter the system and application domains.
    * For **System Domain**, enter the value of `sys_domain` from the Terraform output. This defines your target when you push apps to PAS.
    * For **Apps Domain**, enter the value of `apps_domain` from the Terraform output. This defines where PAS should serve your apps.
    <p class="note"><strong>Note:</strong> You configured a wildcard DNS record for these domains in an earlier step.</p>

1. Click **Save**.


## <a id="networking"></a> Step 4: Configure Networking

<%= partial 'networking-cloudform' %>

## <a id='application-containers-config'></a> Step 5: Configure Application Containers

<%= partial 'application_container_config' %>

## <a id='er-appdevctrl-config'></a> Step 6: Configure Application Developer Controls

<%= partial 'application_developer_controls' %>

## <a id='app-security'></a> Step 7: Review Application Security Groups

<%= partial 'application_security_group' %>

## <a id='uaa'></a> Step 8: Configure UAA

<%= partial 'uaa-cloudform' %>

## <a id='credhub'></a> Step 9: Configure CredHub

<%= partial '_credhub' %>

## <a id='er-auth-config'></a> Step 10: Configure Authentication and Enterprise SSO

<%= partial 'authsso_config' %>

## <a id='sys-db'></a> Step 11: Configure System Databases

You can configure PAS to use an internal MySQL database provided with PCF, or you can configure an external database provider for the databases required by PAS.

<p class="note"><strong>Note:</strong> If you are performing an upgrade, do not modify your existing internal database configuration or you may lose data. You must migrate your existing data first before changing the configuration. See <a href="upgrading-pcf.html">Upgrading Pivotal Cloud Foundry</a> for additional upgrade information.
</p>

### <a id='internal-db'></a> Internal Database Configuration

<%= partial 'ert_database_internal' %>

Then proceed to [Step 13: (Optional) Configure Internal MySQL](#internal-mysql) to configure high availability for your internal MySQL databases.

### <a id='create-dbs'></a> Create External System Databases

If you want to use an external database provider for your PAS databases, you must first create the databases on the RDS instance provided by the Terraform templates.

To create the required databases on an AWS RDS instance, perform the following steps.

1. Add the AWS-provided key pair to your SSH profile so that you can access the Ops Manager VM. This is the value of the `ops_manager_ssh_private_key` from the Terraform output.

    <pre class='terminal'>ssh-add aws-keypair.pem</pre>

1. SSH in to your Ops Manager using the Ops Manager FQDN and the username `ubuntu`:

    <pre class='terminal'>ssh ubuntu@OPS_MANAGER_FQDN</pre>

1. Run the following terminal command to log in to your RDS instance through the MySQL client, using values from the terraform output to fill in the following keys:

     <pre class='terminal'>mysql --host=rds\_address --user=rds\_username --password=rds\_password</pre>

1. Run the following MySQL commands to create databases for the seven PAS components that require a relational database:
  <pre class="terminal">
  CREATE database ccdb;
  CREATE database notifications;
  CREATE database autoscale;
  CREATE database app\_usage\_service;
  CREATE database routing;
  CREATE database diego;
  CREATE database account;
  CREATE database nfsvolume;
  CREATE database networkpolicyserver;
  CREATE database silk;
  CREATE database locket;
  CREATE database credhub;
  </pre>
 </p>

1. Type `exit` to quit the MySQL client, and `exit` again to close your connection to the Ops Manager VM.

1. Reboot the RDS instance in the AWS console.

1. In PAS, select **Databases**.

1. Select the **External Databases** option.

    <%= image_tag("system-db-ext.png") %>

1. For the **Hostname** and **TCP Port** fields, complete the following fields:
  <table border="1" class="nice" >
    <tr>
      <th><strong>PAS Field</strong></th>
      <th><strong>terraform output</strong></th>
    </tr>
    <tr>
      <td><str>Hostname</str></td>
      <td><str>`rds_address`</str></td>
    </tr>
    <tr>
      <td><str>TCP Port</str></td>
      <td><str>`rds_port`</str></td>
    </tr>
  </table>

1. For each **database username** and **database password** field, complete the following fields:
  <table border="1" class="nice" >
    <tr>
      <th><strong>PAS Field</strong></th>
      <th><strong>terraform output</strong></th>
    </tr>
    <tr>
      <td><str>DATABASE-NAME database username</str></td>
      <td><str>`rds_username`</str></td>
    </tr>
    <tr>
      <td><str>DATABASE-NAME database password</str></td>
      <td><str>`rds_password`</str></td>
    </tr>
  </table>

<p class='note'><strong>Note:</strong> Ensure that the networkpolicyserver database user has the <code>ALL PRIVILEGES</code> permission.</p>

1. Click **Save**.


## <a id='internal-mysql'></a> Step 13: (Optional) Configure Internal MySQL

<%= partial 'mysql_proxy_config' %>

## <a id='filestore'></a> Step 14: Configure File Storage

<%= partial 'max_droplets_packages_config' %>

### <a id='cc-filesystem'></a> Select File Storage Location

<%= partial 'filestore_config' %>

For production-level PCF deployments on AWS, Pivotal recommends selecting the  **External S3-Compatible File Store**. For more information about production-level PCF deployments on AWS, see the [Reference Architecture for Pivotal Cloud Foundry on AWS](../refarch/aws/aws_ref_arch.html).

For additional factors to consider when selecting file storage, see the [Considerations for Selecting File Storage in Pivotal Cloud Foundry](../opsguide/storage_considerations.html) topic.

#### <a id='internal_filestore'></a> Internal Filestore

<%= partial 'filestore_internal' %>

#### <a id='external_s3'></a> External S3 or Ceph Filestore

<%= partial 'filestore_s3_config' %>

#### <a id='other'></a> Other IaaS Storage Options

[Google Cloud Storage](./gcp-er-config.html#external_gcp) and [Azure Storage](./azure-er-config.html#external_azure) are also available as file storage options, but are not recommended for typical PCF on AWS installations.


## <a id='sys-logging'></a> Step 15: (Optional) Configure System Logging

<%= partial '_system_logging' %>

## <a id='customize-apps-man'></a> Step 16: (Optional) Customize Apps

<%= partial 'custombranding' %>

## <a id='smtp'></a> Step 17: (Optional) Configure Email Notifications

PAS uses SMTP to send invitations and confirmations to Apps Manager users. You must complete the **Email Notifications** page if you want to enable end-user self-registration.

1. Select **Email Notifications**.

    <%= image_tag("cloudform/smtp.png") %>

1. Enter your reply-to and SMTP email information.

1. For **SMTP Authentication Mechanism**, select `none`.

1. Click **Save**.

<p class='note'><strong>Note:</strong> If you do not configure the SMTP settings using this form, the administrator must create orgs and users using the cf CLI tool. See <a href="../adminguide/cli-user-management.html">Creating and Managing Users with the cf CLI</a> for more information.</p>


## <a id='config-autoscaler'></a> Step 18: (Optional) Configure App Autoscaler

<%= partial 'app-autoscaler' %>

## <a id='config-cc'></a> Step 19: Configure Cloud Controller

<%= partial 'cloud-controller' %>

## <a id='config-smoke-test'></a> Step 20: Configure Smoke Tests

<%= partial '_smoketests' %>

## <a id='advanced-features'></a> Step 21: (Optional) Enable Advanced Features

<%= partial '_advanced-features' %>

## <a id='errands'></a> Step 22: Configure Errands

<%= partial 'errands' %>

## <a id='config-elb'></a> Step 23: Configure Router (or HAProxy) to Elastic Load Balancer

1. In the PAS tile, click **Resource Config**.
  <%= image_tag("images/resource_config.png") %>

1. Enter the name of your SSH load balancer depending on which release you are using. You can specify multiple load balancers by entering the names separated by commas.
  * **Pivotal Application Service (PAS)**: In the **ELB Name** field of the **Diego Brain** row, enter the value of `ssh_elb_name` from the Terraform output.
  * **Small Footprint Runtime**: In the **ELB Name** field of the **Control** row, enter the value of `ssh_elb_name` from the Terraform output.

1. In the **ELB Name** field of the **Router** row, enter the value of `web_elb_name` from the Terraform output.
    <p class="note"><strong>Note:</strong> If you are using HAProxy in your deployment, then put the name of the load balancers in the **ELB Name** field of the **HAProxy** row instead of the **Router** row. For a high availability configuration, scale up the HAProxy job to more than one instance.</p>

1. In the **ELB Name** field of the **TCP Router** row, enter the value of `tcp_elb_name` from the Terraform output.

1. Click **Save**.

## <a id='disable-resources'></a> Step 24: (Optional) Scale Down and Disable Resources

<%= partial 'disable_resources' %>

## <a id='stemcell'></a> Step 25: Download Stemcell

<%= partial "download-stemcell" %>

## <a id='complete'></a> Step 26: Complete the PAS Installation

1. Click the **Installation Dashboard** link to return to the Installation Dashboard.

1. Click **Review Pending Changes**, then **Apply Changes**. If the following ICMP error message appears, click **Ignore errors and start the install**.

    <%= image_tag("cloudform/install-error.png") %>

    The install process generally requires a minimum of 90 minutes to complete. The image shows the Changes Applied window that displays when the installation process successfully completes.

    <%= image_tag("cloudform/ops-manager-complete.png") %>