Tamr's AWS resources need to be launched into an existing Virtual Private Cloud (VPC) that meets certain requirements. The reference network architecture described here is designed to support the Tamr AWS scale-out deployment while following security best practices.
The Tamr VPC spans two Availability Zones (AZs) and includes the following resources by default:
- Load balancing subnets (2): host the Application Load Balancer.
- Application subnet (1): hosts the EC2 instance where the Tamr application is deployed (also known as the Tamr VM).
- Compute subnet (1): hosts the Amazon EMR clusters and is launched in the same AZ as the Application subnet.
- Data subnets (2): used for deploying a Multi-AZ PostgreSQL Relational Database Service (RDS) instance and a Multi-AZ Amazon ElasticSearch (ES) Service domain.
- S3 Gateway VPC Endpoint: provides a secure, reliable connection to Amazon S3 without requiring an Internet gateway or NAT device.
- Network ACLs: grant each subnet access only to the resources it needs and act as another layer of security for the VPC.
Includes the most basic VPC that can support a Tamr deployment.
Includes a VPC with all the variables configured.
Includes the following resources:
- Application load_balancer
- load_balancing subnets (2)
- NAT gateway
- HTTPS
- The Tamr-VM with a sample website for validation.
Name | Version |
---|---|
terraform | >= 0.13 |
aws | >= 3.36, !=4.0.0, !=4.1.0, !=4.2.0, !=4.3.0, !=4.4.0, !=4.5.0, !=4.6.0, !=4.7.0, !=4.8.0 |

Name | Version |
---|---|
aws | >= 3.36, !=4.0.0, !=4.1.0, !=4.2.0, !=4.3.0, !=4.4.0, !=4.5.0, !=4.6.0, !=4.7.0, !=4.8.0 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
application_subnet_cidr_block | The application subnet's CIDR range | string | n/a | yes |
availability_zones | The list of availability zones where we should deploy resources | list(string) | n/a | yes |
compute_subnet_cidr_block | The data subnet CIDR range | string | n/a | yes |
data_subnet_cidr_blocks | The data subnet's CIDR range | list(string) | n/a | yes |
interface_endpoint_ingress_sg | Application Security group ID to associate with the interface endpoint as allowed ingress traffic. | string | n/a | yes |
name_prefix | A prefix to add to the names of all created resources. | string | n/a | yes |
vpc_cidr_block | The CIDR range for the VPC | string | n/a | yes |
create_load_balancing_subnets | Enable the creation of load balancing subnets for deploying a load balancer | bool | true | no |
create_public_subnets | Enable the creation of public subnets for internet facing resources | bool | false | no |
enable_nat_gateway | Enable the creation of a NAT gateway | bool | false | no |
ingress_cidr_blocks | The CIDR range that will be accessing the Tamr VM. | list(string) | [ | no |
load_balancing_subnets_cidr_blocks | The load_balancing subnets' CIDR range | list(string) | [ | no |
public_subnets_cidr_blocks | The public subnets' CIDR range | list(string) | [ | no |
tags | A map of tags to add to all resources. | map(string) | {} | no |
tamr_unify_port | Identifies the default access HTTP port | string | "9100" | no |
Name | Description |
---|---|
application_subnet_cidr_block | The CIDR block of the Application Subnet. |
application_subnet_id | ID of the subnet where mainly the Tamr VM and the CloudWatch VPC Endpoint will be created. If abac_valid_tags key values are set, this subnet is required to have a valid key value tag as well. |
compute_subnet_id | ID of the subnet where mainly the EMR cluster will be created. If abac_valid_tags key values are set, this subnet is required to have a valid key value tag as well. |
data_subnet_ids | IDs of the subnets where mainly the RDS will be created. If abac_valid_tags key values are set, these subnets are required to have a valid key value tag as well. |
load_balancing_subnet_ids | IDs of the Application Load Balancer subnets. |
public_subnet_ids | IDs of the public subnets created in the VPC. |
tamr_ec2_availability_zone | The list of availability zones where we should deploy resources. |
vpc_cidr_block | The CIDR block of the VPC. |
vpc_id | VPC ID of the network. |
vpce_logs_endpoint_dnsname | CloudWatch VPC Interface Endpoint DNS name which will be provided to the script that installs and configures the CloudWatch agent. |
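As an added example (not part of the module's own documentation), the following root configuration calls the module with the inputs and outputs listed above, keeping the internet-facing options off and restricting ingress to one range. The module `source` path, the AZ names, the security group resource and every CIDR value are assumptions constructed for this example.

```hcl
# Added example: minimal call of the VPC module with constructed values.
# The "source" path, AZ names and all CIDR ranges are assumptions.
module "tamr_vpc" {
  source = "./modules/vpc" # assumed path to this module

  name_prefix        = "tamr-prod"
  availability_zones = ["us-east-1a", "us-east-1b"] # the VPC spans two AZs
  vpc_cidr_block     = "10.20.0.0/16"

  # One application subnet and one compute subnet; the module places the
  # compute subnet in the same AZ as the application subnet.
  application_subnet_cidr_block = "10.20.1.0/24"
  compute_subnet_cidr_block     = "10.20.2.0/24"

  # Two data subnets, one per AZ, for the Multi-AZ RDS instance and ES domain.
  data_subnet_cidr_blocks = ["10.20.10.0/24", "10.20.11.0/24"]

  # Two load-balancing subnets, one per AZ, for the Application Load Balancer.
  create_load_balancing_subnets      = true
  load_balancing_subnets_cidr_blocks = ["10.20.20.0/24", "10.20.21.0/24"]

  # No public subnets and no NAT gateway: S3 is reached via the gateway endpoint.
  create_public_subnets = false
  enable_nat_gateway    = false

  # Only this (constructed) corporate range may reach the Tamr VM on port 9100.
  ingress_cidr_blocks = ["192.0.2.0/24"]
  tamr_unify_port     = "9100"

  # Security group allowed to reach the CloudWatch interface endpoint (defined below).
  interface_endpoint_ingress_sg = aws_security_group.tamr_app.id

  tags = { environment = "prod" }
}

# Assumed application security group, created in the VPC the module returns.
# Terraform builds its dependency graph per resource, so passing this ID back
# into the module only cycles if the module's VPC itself depended on the group.
resource "aws_security_group" "tamr_app" {
  name_prefix = "tamr-app-"
  vpc_id      = module.tamr_vpc.vpc_id
  tags        = { environment = "prod" }
}

output "tamr_vpc_id" {
  value = module.tamr_vpc.vpc_id
}
```

The security group is created with no ingress rules, so nothing can reach the endpoint until rules are added deliberately.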
Run `make terraform/docs` to generate the section of docs around terraform inputs, outputs and requirements.
Run `make lint`; this will run terraform fmt, in addition to a few other checks to detect whitespace issues.
NOTE: this requires having docker working on the machine running the test.
- Update the version contained in `VERSION`
- Document changes in `CHANGELOG.md`
- Create a tag in github for the commit associated with the version
Apache 2 Licensed. See LICENSE for full details.