Skip to main content
Version: 0.9

Connect AWS

Terraform Templates for AWS Account Configuration

If your organization uses Terraform to manage AWS resources, we recommend you leverage this sample terraform setup repository in place of manually entering these values. The instructions below may still be a valuable reference when adapting the template to your needs.

At the end of these steps, you will have created:

  1. A S3 Bucket where Tecton will write feature data.
  2. The cross-account role for your Tecton Account to manage DynamoDB and S3, e.g. tecton-{DEPLOYMENT_NAME}-cross-account-role and tecton-{DEPLOYMENT_NAME}-cross-account-policy.

Create a Tecton S3 Bucket​

Tecton will use a single S3 bucket to store all of your offline materialized feature data.

To set this up, create an S3 bucket called tecton-[DEPLOYMENT_NAME] (e.g. tecton-mycompany-production).

  1. Ensure the bucket's region is the same as the region in which you'd like to deploy Tecton (e.g. us-west-2)

  2. Enable default encryption using the Amazon S3 key (SSE-S3)

  3. Add a Policy to the S3 bucket tecton-{DEPLOYMENT_NAME} to allow Tecton to read/write to it.

    1. Navigate to S3 -> tecton-{DEPLOYMENT_NAME} S3 Bucket -> Permissions. There, add the following policy, replacing {TECTON_ACCOUNT_ARN} with the ARN of your Tecton Account. Ask your Tecton Account Manager if you do not have this ARN.

      {
      "Version": "2012-10-17",
      "Statement": [
      {
      "Sid": "TectonS3",
      "Effect": "Allow",
      "Principal": {
      "AWS": "{TECTON_ACCOUNT_ARN}"
      },
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::tecton-{DEPLOYMENT_NAME}/*"
      },
      {
      "Sid": "TectonS3List",
      "Effect": "Allow",
      "Principal": {
      "AWS": "{TECTON_ACCOUNT_ARN}"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::tecton-{DEPLOYMENT_NAME}"
      }
      ]
      }
    2. Make sure the Object Ownership Setting for the tecton-{DEPLOYMENT_NAME} S3 Bucket is set to ACLs Disabled (Bucket Owner Enforced). This allows the AWS account with the S3 bucket to automatically own and have full control over objects written by Rift.

Create a cross-account role for the Tecton Control Plane​

Next, you'll need to create an access policy and an IAM role which the Tecton control plane will use to orchestrate AWS resources in your account.

  1. In the AWS Console of the account you want to deploy Tecton into, go to the IAM service.

  2. Click the Policies tab in the sidebar.

  3. Click Create Policy.

    1. Paste in the following JSON policy, replacing ${REGION} with the AWS region you selected for your deployment, ${ACCOUNT} with the account ID of your AWS account, ${DEPLOYMENT_NAME} with your Tecton deployment name.

      templates/rift_ca_policy.json
      loading...
    2. Click Next: Tags

    3. Add the following tag to the policy

      key: tecton-accessible:DEPLOYMENT_NAME
      value: true
    4. Click Next: Review

    5. Give the policy an easy to remember name starting with tecton-, like tecton-{DEPLOYMENT_NAME}-cross-account-policy

    6. Click Create Policy

  4. Click the Roles tab in the sidebar.

  5. Click Create role.

    1. Under Select type of trusted entity, click the Another AWS account tile.

      Create Role Image

    2. Specify Tecton's Account ID. Please contact your Account Manager to get the appropriate ID.

    3. Enable the option "Require external ID."

    4. Enter a random External ID of your choice (for example, a UUID works well). Make sure to note down the external ID that you choose -- you'll need to provide this to Tecton to complete the installation.

    5. Click the Next: Permissions button

    6. Search for the policy you just created (e.g. tecton-{DEPLOYMENT_NAME}-cross-account-policy), and click the check box next to that policy to attach the policy to the new role.

    7. Click the Next: Tags button.

    8. Click the Next: Review button.

    9. In the Role name field, enter a role name starting with tecton-, such as tecton-{DEPLOYMENT_NAME}-cross-account-role.

    10. Click Create role. You will see a list of roles displayed.

Notify the Tecton team​

Once you've completed the above setup, notify Tecton that you are ready to connect to AWS resources in your account.

Please include the following information: the ARN and External ID of the role you created for the Tecton control plane.

Was this page helpful?