Cloud Accounts

Enable Cloud Account Support (Optional)

CloudCasa can allow users to register their AWS, Azure, or GCP accounts to provide enhanced backup, restore, and migration/replication features for cloud Kubernetes engines and database services. This feature is disabled by default, and requires additional steps for each cloud provider that will be enabled.

AWS

To enable AWS cloud account support, the following AWS resources will need to be deployed:

  • S3 Bucket: This bucket will be used to store the CloudFormation stack template which users will use to register their own AWS accounts.

  • SNS Topics: Once the user registers their AWS account, a message is sent to an SNS topic in the same region the CloudFormation stack was created. Since CloudFormation is a regional service, an SNS topic must be created in each AWS region that will be supported.

  • SQS Queue: After the user registration message is sent to the SNS topic, the message is then placed in an SQS queue where it waits to be processed.

  • Lambda Function: The lambda function gets the registration message from the SQS queue and returns relevant information back to the CloudCasa server through a specified callback URL.

These resources can be deployed using Terraform. Run the following command to download and unzip the tar file containing all of the Terraform template files:

curl -s -L https://github.com/catalogicsoftware/cloudcasa-artifacts/raw/master/aws/cloudcasa-aws_0.1.9.tgz \
| tar -xvzf -

The Terraform template files have been provided in the cloudcasa-aws directory. In order to deploy these AWS resources and enable the AWS cloud account feature, follow these steps:

  • Create a new IAM user for CloudCasa. This IAM user will be used to assume the cross-account role for every AWS cloud account registered through CloudCasa, and must have administrator access.

  • Ensure that the AWS credentials for your IAM user are set using either environment variables or your AWS credentials file. See Terraform AWS authentication for details.

  • Once the CloudCasa server has been installed (after running both Helm install and upgrade commands), navigate to the cloudcasa-aws directory and run the set_regions.sh script. This script is used to control which AWS regions are supported for AWS cloud account registration. By default, all enabled regions will be used:

    cd ./cloudcasa-aws
    
    # ./set_regions.sh us-east-1,us-east-2,us-west-1,us-west-2
    ./set_regions.sh
    
  • Initialize the Terraform configuration and create a workspace:

    terraform init
    terraform workspace new cloudcasa-aws-registration
    
  • Deploy resources using Terraform:

    terraform apply --auto-approve \
        --var cc-server-ip="<callback_url_for_lambda>" \
        --var cc_cf_template_s3_bucket_name="<new_s3_bucket_name>" \
        --var ssl_verify=true
    
  • Parameters:

    • var.cc-server-ip: This should be set to https://<CLOUDCASA-ENVOY-EXTERNAL-IP>. This is the callback URL the Lambda function will use during AWS account registration.

    • var.cc_cf_template_s3_bucket_name: The name of the new S3 bucket to be used to store the CloudFormation stack template. This can be anything globally unique.

    • var.ssl_verify: Enable/disable SSL verification for callback URL. Optional. Default is set to true.

  • Terraform will then deploy all of the AWS resources required for the CloudCasa AWS cloud account registration feature.

  • Finally, run the helm upgrade command to enable the AWS cloud account feature and set the bucket name and credentials for the IAM user with administrator access:

    helm upgrade cloudcasa-server cloudcasa/cloudcasa-server --wait --create-namespace \
        --namespace cloudcasa-server --reuse-values \
        --set cloudaccounts.aws.enabled=true \
        --set cloudaccounts.aws.cfTemplateS3Bucket=<cc_cf_template_s3_bucket_name> \
        --set cloudaccounts.aws.accessKeyId=<AWS_ACCESS_KEY_ID> \
        --set cloudaccounts.aws.secretAccessKey=<AWS_SECRET_ACCESS_KEY>
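
Pre-flight checks for the deployment above, added here as an example (it is not part of the CloudCasa artifacts or documentation): the script validates the S3 bucket name against S3 naming rules, requires an https callback URL to go with ssl_verify=true, and checks the region list before it runs the same terraform and helm commands as the procedure. It reads the IAM user's keys from the standard AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables instead of its own arguments. The names CC_CALLBACK_URL, CC_BUCKET, CC_REGIONS and the CC_APPLY guard are assumptions of this example, and it always passes an explicit region list to set_regions.sh.

```shell
#!/bin/sh
# Added example: pre-flight checks for the CloudCasa AWS registration deployment.
# Not part of the CloudCasa artifacts. CC_CALLBACK_URL, CC_BUCKET, CC_REGIONS and
# CC_APPLY are names assumed by this example; the terraform and helm invocations
# are the ones from the procedure.
set -u

# S3 bucket names are global: a name outside the naming rules fails the apply
# half-way, after the SNS topics and the queue already exist.
validate_bucket_name() {
  name=$1
  [ "${#name}" -ge 3 ] && [ "${#name}" -le 63 ] || return 1
  printf '%s\n' "$name" | grep -Eq '^[a-z0-9][a-z0-9.-]*[a-z0-9]$' || return 1
  # No adjacent dots, no punycode prefix, no IPv4 look-alike.
  printf '%s\n' "$name" | grep -Eq '\.\.|^xn--|^([0-9]+\.){3}[0-9]+$' && return 1
  return 0
}

# The Lambda posts registration results to this URL; with ssl_verify=true it has
# to be an https endpoint, so an http:// or bare-host value is rejected here.
validate_callback_url() {
  printf '%s\n' "$1" | grep -Eq '^https://[A-Za-z0-9.:-]+(/[A-Za-z0-9./_-]*)?$'
}

# set_regions.sh takes a comma-separated list; reject anything not shaped like
# an AWS region code so no SNS topic ends up in a mistyped region.
validate_regions() {
  list=$1
  [ -n "$list" ] || return 1
  old_ifs=$IFS
  IFS=,
  for region in $list; do
    if ! printf '%s\n' "$region" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]+$'; then
      IFS=$old_ifs
      return 1
    fi
  done
  IFS=$old_ifs
  return 0
}

# Credentials come from the environment so they never appear in this script's
# argument list or in shell history.
preflight() {
  validate_bucket_name "$CC_BUCKET" || { echo "bad S3 bucket name: $CC_BUCKET" >&2; return 1; }
  validate_callback_url "$CC_CALLBACK_URL" || { echo "callback URL must be https://<host>: $CC_CALLBACK_URL" >&2; return 1; }
  validate_regions "$CC_REGIONS" || { echo "bad region list: $CC_REGIONS" >&2; return 1; }
  [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] || { echo "AWS credentials not set" >&2; return 1; }
  return 0
}

# The real deployment only runs when CC_APPLY=1; sourcing the script leaves AWS untouched.
if [ "${CC_APPLY:-0}" = "1" ]; then
  preflight || exit 1
  cd ./cloudcasa-aws || exit 1
  ./set_regions.sh "$CC_REGIONS"
  terraform init
  terraform workspace select cloudcasa-aws-registration 2>/dev/null \
    || terraform workspace new cloudcasa-aws-registration
  terraform apply --auto-approve \
    --var cc-server-ip="$CC_CALLBACK_URL" \
    --var cc_cf_template_s3_bucket_name="$CC_BUCKET" \
    --var ssl_verify=true
  helm upgrade cloudcasa-server cloudcasa/cloudcasa-server --wait --create-namespace \
    --namespace cloudcasa-server --reuse-values \
    --set cloudaccounts.aws.enabled=true \
    --set cloudaccounts.aws.cfTemplateS3Bucket="$CC_BUCKET" \
    --set cloudaccounts.aws.accessKeyId="$AWS_ACCESS_KEY_ID" \
    --set cloudaccounts.aws.secretAccessKey="$AWS_SECRET_ACCESS_KEY"
fi
```

Run it as `CC_APPLY=1 CC_BUCKET=... CC_CALLBACK_URL=https://... CC_REGIONS=us-east-1,us-west-2 sh deploy.sh`. Note that helm --set still places the IAM user's keys on the helm command line, where other users on the admin host can read them from the process list while the upgrade runs, and that Helm 3 stores all release values in a Secret in the cloudcasa-server namespace; since this IAM user has administrator access, read access to that namespace is equivalent to holding those credentials.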
    

Azure

To enable Azure cloud account support, follow these steps to configure your Azure account:

  1. Go to the Azure Portal and create an App Registration of type “Single tenant”.

  2. Generate a client ID and client secret for the created app.

  3. Go to the “Access control (IAM)” section in the subscription details, and create a custom role with the “Microsoft.Authorization/roleAssignments/write” permission.

  4. Assign the newly created role at the subscription level to the service principal assigned to the created app. Make sure to select “Allow user to assign all roles” in the “Conditions” tab.

Once the setup on Azure account is done, run the helm upgrade command to enable the Azure cloud account feature:

helm upgrade cloudcasa-server <TGZ-FILE> \
    --wait \
    --create-namespace \
    --namespace cloudcasa-server \
    --reuse-values \
    --set cloudaccounts.azure.enabled=true \
    --set cloudaccounts.azure.clientID=<AZURE_APP_CLIENT_ID> \
    --set cloudaccounts.azure.clientSecret=<AZURE_APP_SECRET> \
    --set cloudaccounts.azure.subscriptionID=<AZURE_SUBSCRIPTION_ID> \
    --set cloudaccounts.azure.tenantID=<AZURE_TENANT_ID> \
    --set cloudaccounts.azure.servicePrincipalID=<AZURE_SERVICE_PRINCIPAL_ID>

Note

For the Azure cloud account feature, subscriptions located in the tenant where the app registration was created cannot be added as cloud accounts in CloudCasa. This limitation comes from the Azure Lighthouse service.

Note

Please make sure to use certificates signed by a trusted Certificate Authority. Otherwise, ARM template deployment might fail with the “InvalidContentLink” error.
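
The same four Azure steps driven from the Azure CLI, added here as an example rather than taken from CloudCasa's documentation: the role definition JSON limits the custom role to the single permission named in step 3 and includes a check that it has not drifted to a wildcard, and the az invocations are an approximation of the portal steps that should be verified against your az version. CC_APP_NAME, CC_ROLE_NAME and CC_AZURE_APPLY are names chosen for this example.

```shell
#!/bin/sh
# Added example: Azure CLI rendering of the portal steps, not CloudCasa's own
# tooling. CC_APP_NAME, CC_ROLE_NAME and CC_AZURE_APPLY are assumed names; the az
# commands are an approximation of the portal flow and should be checked against
# your az version.
set -u

# Custom role carrying only the permission the procedure asks for. A definition
# that also carried "*" or Microsoft.Authorization/* would let the service
# principal grant itself far more than CloudCasa needs.
role_definition_json() {
  subscription_id=$1
  role_name=$2
  cat <<EOF
{
  "Name": "$role_name",
  "IsCustom": true,
  "Description": "Lets CloudCasa create role assignments in registered subscriptions",
  "Actions": [ "Microsoft.Authorization/roleAssignments/write" ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$subscription_id" ]
}
EOF
}

# Returns 0 only when the Actions list is exactly the single permission and the
# definition contains no wildcard anywhere.
role_definition_is_minimal() {
  printf '%s\n' "$1" | grep -qF '"Actions": [ "Microsoft.Authorization/roleAssignments/write" ]' || return 1
  printf '%s\n' "$1" | grep -qF '*' && return 1
  return 0
}

if [ "${CC_AZURE_APPLY:-0}" = "1" ]; then
  sub_id=$(az account show --query id -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)

  # Step 1: single-tenant app registration.
  app_id=$(az ad app create --display-name "${CC_APP_NAME:?}" \
    --sign-in-audience AzureADMyOrg --query appId -o tsv)

  # Step 2: client secret. It is shown once; hand it to your secret manager,
  # do not write it to disk.
  client_secret=$(az ad app credential reset --id "$app_id" --query password -o tsv)

  # The service principal's object id is what the role assignment targets.
  sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)

  # Step 3: custom role at subscription scope, refused if it is not minimal.
  role_json=$(role_definition_json "$sub_id" "${CC_ROLE_NAME:?}")
  role_definition_is_minimal "$role_json" || exit 1
  printf '%s\n' "$role_json" > role.json
  az role definition create --role-definition @role.json

  # Step 4: assign the role to the service principal. Creating the assignment
  # without --condition is assumed to match "Allow user to assign all roles"
  # in the portal's Conditions tab; verify this in your tenant.
  az role assignment create --assignee-object-id "$sp_id" \
    --assignee-principal-type ServicePrincipal \
    --role "$CC_ROLE_NAME" --scope "/subscriptions/$sub_id"

  echo "clientID=$app_id tenantID=$tenant_id subscriptionID=$sub_id servicePrincipalID=$sp_id"
  echo "client secret is in the client_secret variable; pass it as cloudaccounts.azure.clientSecret"
fi
```

The printed ids map directly onto the helm --set values above (clientID, tenantID, subscriptionID, servicePrincipalID).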

Google Cloud

To enable GCP cloud account support, follow these steps to configure your GCP project:

  1. Create a new Service Account.

  2. Generate a new JSON key for the service account and convert it to one line.

Once the setup in your Google Cloud project is done, run the Helm upgrade command to enable the GCP cloud account feature:

helm upgrade cloudcasa-server <TGZ-FILE> \
    --wait \
    --create-namespace \
    --namespace cloudcasa-server \
    --reuse-values \
    --set cloudaccounts.gcp.enabled=true \
    --set cloudaccounts.gcp.serviceAccountKey='<GCP_SERVICE_ACCOUNT_JSON_KEY>'

Note

Please remember that the “cloudaccounts.gcp.serviceAccountKey” value must be a one-line JSON object in string format.
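
Converting the downloaded key to the one-line form described above, added here as an example that is not part of CloudCasa: the script strips indentation and line breaks from the key file (the private_key field holds literal \n escapes, so this is lossless), checks that the result is a single-line service-account object before it reaches the cluster, refuses a key file that other users can read, and hands the value to helm through --set-file, which reads the file verbatim. SAMPLE_KEY is a constructed placeholder with no real key material; GCP_KEY_FILE and TGZ_FILE are names assumed by this example.

```shell
#!/bin/sh
# Added example: GCP service-account key to one-line string for
# cloudaccounts.gcp.serviceAccountKey. Not part of CloudCasa. SAMPLE_KEY is a
# constructed placeholder; GCP_KEY_FILE and TGZ_FILE are assumed variable names.
set -u

# Constructed sample in the pretty-printed layout the console downloads. The
# private_key value carries literal backslash-n escapes, not real newlines, so
# removing line breaks from the file cannot damage it.
SAMPLE_KEY='{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "PLACEHOLDER_KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "cloudcasa@example-project.iam.gserviceaccount.com",
  "token_uri": "https://oauth2.googleapis.com/token"
}'

# stdin: pretty-printed key; stdout: the same JSON on one line. Only leading
# indentation and line breaks go, so spaces inside string values survive.
key_to_oneline() {
  sed 's/^[[:space:]]*//' | tr -d '\n\r'
}

# Returns 0 when the string is one line, is a JSON object and carries the fields
# a service-account credential needs. Catches a pasted OAuth client file or a
# half-copied key before the helm upgrade.
check_oneline() {
  key=$1
  [ "$(printf '%s' "$key" | wc -l | tr -d ' ')" -eq 0 ] || return 1
  case $key in
    '{'*'}') ;;
    *) return 1 ;;
  esac
  for field in '"type": "service_account"' '"project_id":' \
               '"private_key": "-----BEGIN PRIVATE KEY-----' '"client_email":'; do
    case $key in
      *"$field"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# The key file must not be readable by group or others on the admin host.
key_file_is_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

if [ -n "${GCP_KEY_FILE:-}" ]; then
  key_file_is_private "$GCP_KEY_FILE" || { echo "refusing: $GCP_KEY_FILE is group/world readable (chmod 600 it)" >&2; exit 1; }
  oneline=$(key_to_oneline < "$GCP_KEY_FILE")
  check_oneline "$oneline" || { echo "$GCP_KEY_FILE does not look like a service-account key" >&2; exit 1; }
  # Commas and braces have special meaning in helm's --set syntax, so the
  # one-line JSON goes into a private temp file and is read verbatim with --set-file.
  umask 077
  tmp=$(mktemp)
  printf '%s' "$oneline" > "$tmp"
  helm upgrade cloudcasa-server "${TGZ_FILE:?}" --wait --create-namespace \
    --namespace cloudcasa-server --reuse-values \
    --set cloudaccounts.gcp.enabled=true \
    --set-file cloudaccounts.gcp.serviceAccountKey="$tmp"
  rm -f "$tmp"
fi
```

Run it as `GCP_KEY_FILE=./key.json TGZ_FILE=<TGZ-FILE> sh gcp-key.sh`. The value still ends up in the Helm release Secret in the cloudcasa-server namespace, so that namespace holds a credential for the Google Cloud project and should be protected accordingly.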