Install TEF into New VPC

In this guide, you will:

  • Use AWS Service Catalog to install Turbot Guardrails Enterprise Foundation (TEF). This guide demonstrates the installation process using the default Network Option A - Created in this Stack, where Turbot Guardrails manages the creation of the VPC and related networking resources.
  • Monitor and troubleshoot the TEF install process.

The Turbot Guardrails Enterprise Foundation (TEF) is an AWS Service Catalog product that provides automated configuration and management of the infrastructure needed to run the enterprise version of Turbot Guardrails in your AWS account.

The TEF CloudFormation stack creates and manages the networking and compute components that will be shared by all workspaces in a Turbot Guardrails Enterprise installation (Collective).

Prerequisites

Step 1: Access AWS Console

Open the AWS Console and navigate to the Service Catalog service in the region where you wish to install TEF.

Step 2: Navigate to Products

Select the Products section from the left navigation menu.

Step 3: Launch Product

Select Turbot Guardrails Enterprise Foundation from the products list, select Launch Product.

Step 4: Name Provisioned Product

Select a Name for the provisioned project. Typically, this will be tef.

Step 5: Find Version

Sort the Product versions section by Created time (descending) to see the latest available version.

Step 6: Select Version

Select the desired TEF version under Product Versions. Usually, you will want the latest version.

Step 7: Configure Installation

The required parameters for this installation option are as below

Installation Domain Name: This should be the base domain name for the installation (for example, turbot.mycompany.com). This should be unique per Guardrails installation. You cannot share an Installation Domain Name across multiple collectives. Workspaces will be set up as subdomains of this installation domain (for example, dev.turbot.mycompany.com). If you elect to create a public API gateway, it will also be a subdomain of the installation domain (for example, external.mycompany.turbot.com).

Important

Domain names CANNOT be shared across multiple TEF installs if the API Gateway is deployed. Attempting to do so will result in connection errors.

Turbot Certificate ARN: This is used for the Turbot Console (and gateway, if applicable) in this region. This must be the ARN of an ACM certificate in this region, and the certificate domain name must match the Installation Domain Name.

Important

A wildcard certificate is highly recommended. Without a wildcard cert, the certificate will need to be updated with the new workspaces as they are brought online. Wildcard certificates should include entries for both the base Installation Domain Name and a wildcard for workspaces (e.g., turbot.mycompany.com and *.turbot.mycompany.com). If wildcard certificates are not allowed, the certificate should cover the base Installation Domain Name, all workspace domain names, and any public API gateways.

Important

Manager DNS records in Route 53 It is highly recommended that you allow Turbot to manage DNS records in Route53. If you choose not to do so, you must manually update DNS records every time you install a new version in your workspaces.

Note

Each region must be given a different Region Code identifier, allowing the stacks to be automatically coordinated for peering etc. Select "alpha" as the Region Code for this first region.

Proceed to Logging section leaving the Turbot Guardrails License Key field blank.

Step 8: Configure Logging

Select the desired values for Turbot Handler Log Retention Days, Audit Trail Log Retention Days, Turbot Guardrails Process Log Objects Retention Days, and Turbot Guardrails Mod Installation Data Retention Days, or leave them all at their default values.

Step 9: Configure Network with New VPC - Created in this Stack

The Turbot Guardrails Enterprise Foundation setup can create the VPC to host Turbot Guardrails, when Network Option A is selected for the installation. Leave all fields in Network - This Region [Option B - Predefined] as blank as this option is used to install Guardrails into an existing VPC .

Important

Any subnet with an empty CIDR will NOT be created. For each subnet type, there are 3 possible subnets that corresponds to 3 different availability zones. If you wish to create a 2 AZ network, only enter CIDRs for subnets #1 and #2. Enter the desired NAT Gateway High Availability configuration.  For a production deployment, you should choose Multi-AZ.

Keep rest of the parameters for Load Balancer, Proxy, Security Groups at their default values and proceed to Advanced - ECS EC2 configuration section.

Step 10: Advanced - ECS EC2 Configuration

By default, support is provided for the Instance Type for EC2 ECS host and AMI type for EC2 ECS host for AWS Graviton (ARM64) instances.

Note

You can choose between Standard Instances (powered by Intel/AMD processors with the AMD64 architecture) or Graviton Instances (powered by AWS Graviton processors using the ARM64 architecture).

Caution

For Graviton Instances, ensure that your TE version is at least 5.47.x. Standard Instances are compatible with all TE versions.

You can modify the rest of the parameters as needed, or leave them at their default values.

Step 11: Launch Product

Select Launch product.

Step 12: Monitor Installation

You have initiated the installation of the new TEF version. This triggers an update of several nested CloudFormation stacks.

The TEF provisioned product should be in the Under Change status.

Step 13: Enable Termination Protection

Important

To ensure that the TEF stack is not accidentally deleted, it is strongly recommend that termination protection is enabled.

Select the TEF Provisioned Product, select Outputs tab, and use the CloudFormationStackARN Value link to navigate to the respective CloudFormation stack.

Select the TEF stack. The description of the correct stack should say Turbot Guardrails Enterprise Foundation <version>.

Select Edit termination protection from Stack actions dropdown menu.

Choose Termination protection as Activated and select Save.

Step 14: Review

  • The TEF CloudFormation stack status should change to CREATE_COMPLETE indicating the installation completed successfully.

  • The TE Provisioned product status should change to Succeeded.

Next Steps

Please see the following resources to learn more about Turbot Guardrails Enterprise:

Troubleshooting

IssueDescriptionGuide
Permission IssuesIf the current logged-in user lacks permission to modify, update, or create resources in the stack, or if IAM roles or SCPs have changed, preventing built-in roles from accessing needed configuration settings.Troubleshoot Permission Issues
Further AssistanceIf you continue to encounter issues, please open a ticket with us and attach the relevant information to assist you more efficiently.Open Support Ticket