Install Turbot Guardrails Enterprise Database (TED)

In this guide, you will:

  • Use AWS Service Catalog to install Turbot Guardrails Enterprise Database (TED).
  • Monitor and troubleshoot the TED install process.

Turbot Guardrails Enterprise Database (TED) is an AWS Service Catalog product that provides automated configuration and management of the infrastructure needed to run the enterprise version of Turbot Guardrails in your AWS account.

TED is the database layer of a Turbot Guardrails Enterprise deployment. It creates and manages the Guardrails database infrastructure, called a Hive, which defines the physical database and caching resources shared by multiple workspaces.

Prerequisites

  • Access to the Guardrails AWS account with Administrator Privileges.
  • Familiarity with AWS Console, Service Catalog, and CloudFormation services.
  • Available Domain name(s) and Valid ACM Certificate(s).

Step 1: Access AWS Console

Open the AWS Console and navigate to the Service Catalog service in the region where you wish to install TED.

Step 2: Navigate to Products

Select the Products section from the left navigation menu.

Step 3: Launch Product

Select Turbot Guardrails Enterprise Database from the products list, then select Launch Product.

Step 4: Name Provisioned Product

Enter a Name for the provisioned product. Typically, this will be "ted".

Step 5: Find Version

Sort the Product versions section by Created time (descending) to see the latest available version.

Step 6: Select Version

Select the desired TED version under Product Versions. Usually, you will want the latest version.

Step 7: Hive and Database Configuration

Enter the Database Hive Name.

Select the Primary Region. This is the region where the primary database resides. If left empty, Turbot Guardrails uses the Alpha region set by TEF as the database's primary region.

Choose an Instance Type for DB. The correct RDS instance type depends on many factors, including the number of resources and controls, the required performance, and cost considerations. db.m5.2xlarge is a common starting point.

Leave the Primary endpoint blank because this is the first region being installed. This field is only needed when adding a replica in an additional region.

Step 8: Configure Database - Advanced - High Availability

Select the Multi-AZ Failover Enabled setting. If true, and this region includes the primary instance, a failover instance is created in a different Availability Zone from the primary instance. In production, a failover instance is recommended.

Select Enable Read Replica for this region. If true, create a read replica for the hive in this region. In production, it's recommended to have a read replica instance in each region where Turbot Guardrails is running (including the region where the primary instance resides).

Step 9: Configure Database - Advanced - Engine

Select DB Engine as Postgres and DB Engine Parameter Group Family as postgres15. Then choose the supported DB Engine Version and Read Replica DB Engine Version from the dropdown list, and decide whether to enable Allow major version upgrade for RDS. The parameter group family must match the major version of the engine version you select (postgres15 for a 15.x engine); RDS rejects a mismatch when the instance is created.

Step 10: Configure Database - Advanced - Storage

Select the desired Storage Type based on your requirements. If unsure, GP3 is a reliable starting option. If you choose IO1, you must also specify the Provisioned IOPS (only applicable to the IO1 type); see the Amazon RDS documentation for valid IOPS values and IOPS-to-storage ratios.

Step 11: Configure Database - Advanced - Encryption

In the Use AWS KMS DB Encryption field, select either aws/rds to use the predefined AWS KMS key for RDS, or Hive CMK to create a customer-managed key specific to the hive (which gives you control over the key policy and rotation and is the recommended choice). Similarly, select the Encryption method for Redis. Decide this before the first launch: the KMS key of an existing encrypted RDS instance cannot be swapped in place, so changing it later means a snapshot copy and restore.

Step 12: Configure Database - Advanced - Authentication

The Master User Name for DB defaults to "master". Leave the MasterPassword field blank when running TED for the first time; if you later need a custom password, set it directly on the database and then update the TED stack with the same value. Alternatively, select Use AWS IAM for DB Access, which is recommended because it removes the need to store or rotate a database secret.

Step 13: Configure Database - Advanced - Backup & Snapshots

Set Deletion Protection to true to protect the database resources from accidental deletion. You may also set the Backup Retention Period to specify how many days automated backups are retained, and choose whether to Delete Automated Backups when the primary instance is deleted (the recommended value is false, so backups outlive the instance).

Step 14: Configure Database - Advanced - Logging

Select the Type of Statements to be Logged and set the Minimum Duration for Logging in ms, the execution time above which statements are logged. Then set Delete logs older than N minutes to control how long database logs are retained.

Enable or Disable Performance Insights for your database instances and set the Maximum Concurrent Connections along with the Alarm and Critical Alarm Threshold for maximum number of concurrent connections.
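
Once the stack is up, the settings chosen in Steps 8, 11, 12, 13 and 14 can be verified on the live RDS instances instead of trusted from the form. The following script is an added example written for this guide, not code from Turbot or the TED product. It assumes boto3 credentials for the Guardrails account, that the hive's instance identifiers start with the Resource Name Prefix (TED does not document its naming here, so adjust the filter), and a seven-day backup retention floor, which the guide does not specify.

```python
"""Post-install check of TED RDS instances against this guide's recommended
settings. Added example; not part of the TED product."""
from __future__ import annotations

# Recommended values from Steps 8, 11, 12 and 13. The retention floor is an
# assumption; the guide names no number.
EXPECTED = {
    "multi_az_on_primary": True,
    "deletion_protection": True,
    "delete_automated_backups": False,
    "iam_auth": True,
    "min_backup_retention_days": 7,
}


def audit_db_instance(inst: dict, key_managers: dict[str, str] | None = None,
                      expected: dict = EXPECTED) -> list[str]:
    """Compare one item of rds.describe_db_instances() with the expected posture.

    key_managers maps a KMS key ARN to the KeyManager value from
    kms.describe_key: "AWS" for the predefined aws/rds key, "CUSTOMER" for a
    hive CMK. Returns human-readable findings; empty means compliant.
    """
    key_managers = key_managers or {}
    name = inst.get("DBInstanceIdentifier", "<unknown>")
    is_replica = inst.get("ReadReplicaSourceDBInstanceIdentifier") is not None
    findings: list[str] = []

    # Step 11: encryption at rest, preferably with a hive CMK.
    if not inst.get("StorageEncrypted"):
        findings.append(f"{name}: storage is not encrypted")
    elif key_managers.get(inst.get("KmsKeyId", "")) == "AWS":
        findings.append(f"{name}: encrypted with the AWS-managed aws/rds key, not a hive CMK")

    # Step 8: Multi-AZ failover is a property of the primary, not of read replicas.
    if expected["multi_az_on_primary"] and not is_replica and not inst.get("MultiAZ"):
        findings.append(f"{name}: Multi-AZ failover is disabled on the primary")

    # Step 12: IAM authentication instead of a stored master password.
    if expected["iam_auth"] and not inst.get("IAMDatabaseAuthenticationEnabled"):
        findings.append(f"{name}: IAM database authentication is disabled")

    # Step 13: deletion protection and backups (backups are taken on the primary).
    if expected["deletion_protection"] and not inst.get("DeletionProtection"):
        findings.append(f"{name}: deletion protection is off")
    if not is_replica:
        retention = inst.get("BackupRetentionPeriod", 0)
        if retention < expected["min_backup_retention_days"]:
            findings.append(f"{name}: backup retention is only {retention} days")
        if inst.get("DeleteAutomatedBackups", True) != expected["delete_automated_backups"]:
            findings.append(f"{name}: automated backups would be deleted with the instance")

    # Step 14: Performance Insights is what you size the connection alarms from.
    if not inst.get("PerformanceInsightsEnabled"):
        findings.append(f"{name}: Performance Insights is disabled")
    return findings


def audit_region(region: str, prefix: str = "turbot") -> list[str]:
    """Audit every RDS instance in a region whose identifier starts with the
    TED Resource Name Prefix (assumed naming; adjust the filter if needed)."""
    import boto3  # imported here so audit_db_instance() runs without boto3
    rds = boto3.client("rds", region_name=region)
    kms = boto3.client("kms", region_name=region)
    key_managers: dict[str, str] = {}
    findings: list[str] = []
    for page in rds.get_paginator("describe_db_instances").paginate():
        for inst in page["DBInstances"]:
            if not inst["DBInstanceIdentifier"].startswith(prefix):
                continue
            key = inst.get("KmsKeyId")
            if key and key not in key_managers:
                key_managers[key] = kms.describe_key(KeyId=key)["KeyMetadata"]["KeyManager"]
            findings.extend(audit_db_instance(inst, key_managers))
    return findings


if __name__ == "__main__":
    import sys
    for line in audit_region(sys.argv[1] if len(sys.argv) > 1 else "us-east-1"):
        print(line)
```

Run it once per region where the hive has an instance; an empty result means the instances match the recommendations above, and each finding names the step whose setting to revisit.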

Step 15: Configure Cache

Choose to Use Elasticache and select the desired values for ElastiCache Version, Cache Node Type and the Cache Number Of Nodes.

Step 16: Configure Advanced - Foundation Parameters and Overrides

The Foundation Parameters allow the TED stack to use SSM parameters defined in the TEF stack. You should only change these values if you did not use the default Resource Name Prefix (turbot) in the TEF stack.

The Foundation Overrides allow you to override values defined in the TEF stack. You will likely want to leave these blank.

Step 17: Advanced - Infrastructure

Select a Resource Name Prefix which will be added to all Turbot Guardrails resources. Because this prefix will be used across many resource types and different resource types have different name restrictions, you should avoid special characters and uppercase letters. This prefix should match the name prefix you used in the TEF stack.

Note

It is HIGHLY RECOMMENDED that you use the default prefix! The TEF stack exports the parameters you selected to SSM parameters that use this prefix. Using the default greatly simplifies TE deployments and upgrades.

Step 18: Launch Product

Select Launch product.

Step 19: Monitor Installation

You have initiated the installation of TED. This creates several nested CloudFormation stacks.

The TED stack should be in the CREATE_IN_PROGRESS status.

Step 20: Review

  • The TED CloudFormation stack status should change to CREATE_COMPLETE, indicating the installation completed successfully.

  • The TED Provisioned product status should change to Available.
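
Because the install is a tree of nested stacks, a failure shows up at the top as ROLLBACK_COMPLETE with only "The following resource(s) failed to create" as the reason, and the actual cause sits in a child stack's events. The following script polls the TED stack, walks its nested stacks on failure, and picks out the first event with a real reason; it is an added example for this guide, not part of the TED product. It assumes boto3 credentials in the Guardrails account, that you pass the TED stack name as it appears in the CloudFormation console, and that the cascade phrases it filters match CloudFormation's current wording. The sample events at the bottom are constructed, not captured from a real run.

```python
"""Monitor a TED launch and find the root-cause failure across its nested
CloudFormation stacks. Added example; not part of the TED product."""
from __future__ import annotations
import time

TERMINAL_OK = {"CREATE_COMPLETE", "UPDATE_COMPLETE"}
TERMINAL_FAIL = {"CREATE_FAILED", "ROLLBACK_COMPLETE", "ROLLBACK_FAILED",
                 "UPDATE_FAILED", "UPDATE_ROLLBACK_COMPLETE", "UPDATE_ROLLBACK_FAILED"}
PRODUCT_OK = {"AVAILABLE"}
PRODUCT_FAIL = {"ERROR", "TAINTED"}

# Cascade wording CloudFormation puts on parent resources; it says where a
# failure propagated, not why the leaf resource failed (assumed wording).
CASCADE_MARKERS = ("Resource creation cancelled", "Resource update cancelled",
                   "The following resource(s) failed", "Embedded stack")


def classify_stack(status: str) -> str:
    """Map a CloudFormation StackStatus onto complete / failed / in_progress."""
    if status in TERMINAL_OK:
        return "complete"
    if status in TERMINAL_FAIL:
        return "failed"
    return "in_progress"


def classify_product(status: str) -> str:
    """Same mapping for a Service Catalog provisioned product status."""
    if status in PRODUCT_OK:
        return "complete"
    if status in PRODUCT_FAIL:
        return "failed"
    return "in_progress"


def root_cause(events: list[dict]) -> dict | None:
    """Return the stack event worth reading first: the oldest *_FAILED event
    whose reason is not a cascade message. Accepts events merged from several
    stacks in any order, each carrying Timestamp, ResourceStatus and, for
    failures, ResourceStatusReason as describe_stack_events returns them."""
    failed = [e for e in sorted(events, key=lambda e: e["Timestamp"])
              if e.get("ResourceStatus", "").endswith("_FAILED")]
    for event in failed:
        reason = event.get("ResourceStatusReason", "")
        if not any(marker in reason for marker in CASCADE_MARKERS):
            return event
    return failed[0] if failed else None


def collect_events(cfn, stack_id: str) -> list[dict]:
    """Events of stack_id and, recursively, of every nested stack it owns."""
    events: list[dict] = []
    for page in cfn.get_paginator("describe_stack_events").paginate(StackName=stack_id):
        events.extend({**e, "SourceStack": stack_id} for e in page["StackEvents"])
    for page in cfn.get_paginator("list_stack_resources").paginate(StackName=stack_id):
        for res in page["StackResourceSummaries"]:
            if res["ResourceType"] == "AWS::CloudFormation::Stack" and res.get("PhysicalResourceId"):
                events.extend(collect_events(cfn, res["PhysicalResourceId"]))
    return events


def wait_for_install(stack_name: str, product_name: str, region: str,
                     poll_seconds: int = 30) -> str:
    """Poll the TED stack until it settles; on failure print the root cause,
    on success confirm the provisioned product is Available."""
    import boto3  # imported here so the pure helpers above run without it
    cfn = boto3.client("cloudformation", region_name=region)
    sc = boto3.client("servicecatalog", region_name=region)
    while True:
        status = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]["StackStatus"]
        print(f"{stack_name}: {status}")
        state = classify_stack(status)
        if state != "in_progress":
            break
        time.sleep(poll_seconds)
    if state == "failed":
        cause = root_cause(collect_events(cfn, stack_name))
        if cause:
            print(f"root cause in {cause['SourceStack']}: {cause['LogicalResourceId']} "
                  f"{cause['ResourceStatus']} {cause.get('ResourceStatusReason', '')}")
        return state
    detail = sc.describe_provisioned_product(Name=product_name)["ProvisionedProductDetail"]
    print(f"provisioned product {product_name}: {detail['Status']}")
    return classify_product(detail["Status"])


# Constructed sample events (not real AWS output), newest first as the API returns them.
SAMPLE_EVENTS = [
    {"Timestamp": 5, "LogicalResourceId": "ted", "ResourceStatus": "ROLLBACK_COMPLETE"},
    {"Timestamp": 4, "LogicalResourceId": "ted", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "The following resource(s) failed to create: [DatabaseStack]."},
    {"Timestamp": 3, "LogicalResourceId": "DatabaseStack", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Embedded stack was not successfully created: "
                             "The following resource(s) failed to create: [Primary]."},
    {"Timestamp": 2, "LogicalResourceId": "CacheSubnetGroup", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Resource creation cancelled"},
    {"Timestamp": 1, "LogicalResourceId": "Primary", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "User is not authorized to perform: rds:CreateDBInstance"},
]

if __name__ == "__main__":
    cause = root_cause(SAMPLE_EVENTS)
    print(f"{cause['LogicalResourceId']}: {cause['ResourceStatusReason']}")
```

Run with a real stack via wait_for_install("<ted stack name>", "ted", "<region>"); the sample at the bottom shows the filtering on its own, where the only useful line out of five failures is the one on the Primary resource, which is the kind of permission error the Troubleshooting table below covers.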

Next Steps

Please see the following resources to learn more about Turbot Guardrails Enterprise:

Troubleshooting

Issue: Permission Issues
Description: The currently logged-in user lacks permission to modify, update, or create resources in the stack, or IAM roles or SCPs have changed, preventing built-in roles from accessing needed configuration settings.
Guide: Troubleshoot Permission Issues

Issue: Further Assistance
Description: If you continue to encounter issues, please open a ticket with us and attach the relevant information so we can assist you more efficiently.
Guide: Open Support Ticket