---
title: Setup for AWS
description: This page outlines the steps that the ForgeOps Team took when setting up AWS before deploying the CDM.
component: forgeops
version: 7.4
page_id: forgeops::cdm/eks/setup/aws-env
canonical_url: https://docs.pingidentity.com/forgeops/7.4/cdm/eks/setup/aws-env.html
keywords: ["CDM", "AWS", "Terraform"]
section_ids:
  next_step: Next step
---

# Setup for AWS

This page outlines the steps that the ForgeOps Team took when setting up AWS before deploying the CDM.

Perform these steps before you deploy the CDM:

1. Create and configure an IAM group:

   1. Create a group with the name `cdm-users`.

   2. Attach the following AWS preconfigured policies to the `cdm-users` group:

      * `IAMUserChangePassword`

      * `IAMReadOnlyAccess`

      * `AmazonEC2FullAccess`

      * `AmazonEC2ContainerRegistryFullAccess`

      * `AWSCloudFormationFullAccess`

   3. Create two policies in the IAM service of your AWS account:

      1. Create the `EksAllAccess` policy using the `eks-all-access.json` file in the /path/to/forgeops/etc/aws-example-iam-policies directory.

      2. Create the `IamLimitedAccess` policy using the `iam-limited-access.json` file in the /path/to/forgeops/etc/aws-example-iam-policies directory.

   4. Attach the policies you created to the `cdm-users` group.

      Remember, the CDM is a reference implementation and [is not for production use](../../../start/start-here.html#cdm-sandbox). The policies you create in this procedure are suitable for the CDM. When you [create a project plan](../../../start/start-here.html#planning), you'll need to determine how to configure AWS permissions.

   5. Assign one or more AWS users who will set up CDM to the `cdm-users` group.

2. If you haven't already done so, set up your AWS command-line interface environment using the `aws configure` command.

3. Verify that your AWS user is a member of the `cdm-users` group:

   ```
   $ aws iam list-groups-for-user --user-name my-user-name --output json
   {
       "Groups": [
           {
               "Path": "/",
               "GroupName": "cdm-users",
               "GroupId": "ABCDEFGHIJKLMNOPQRST",
               "Arn": "arn:aws:iam::048497731163:group/cdm-users",
               "CreateDate": "2020-03-11T21:03:17+00:00"
           }
       ]
   }
   ```

4. Verify that you are using the correct user profile:

   ```
   $ aws iam get-user
   {
       "User": {
           "Path": "/",
           "UserName": "my-user-name",
           "UserId": "...",
           "Arn": "arn:aws:iam::01...3:user/my-user-name",
           "CreateDate": "2020-09-17T16:01:46+00:00",
           "PasswordLastUsed": "2021-05-10T17:07:53+00:00"
       }
   }
   ```

5. Copy the file that contains default Terraform variables to a new file:

   1. Change to the /path/to/forgeops-extras/terraform directory.

   2. Copy the terraform.tfvars file to override.auto.tfvars \[[1](#_footnotedef_1 "View footnote.")].

   Copying the terraform.tfvars file to a new file keeps the original defaults unchanged, so you can refer back to them later.

6. Determine the cluster size: [small, medium, or large](../../architecture.html#cluster-sizes).

7. Define your cluster's configuration:

   1. Open the override.auto.tfvars file.

   2. Determine the location of your cluster's configuration in the override.auto.tfvars file:

      | Cluster size | Section containing the cluster configuration |
      | ------------ | -------------------------------------------- |
      | Small        | `cluster.tf_cluster_eks_small`               |
      | Medium       | `cluster.tf_cluster_eks_medium`              |
      | Large        | `cluster.tf_cluster_eks_large`               |

   3. Modify your cluster's configuration by setting values in the section listed in the table:

      1. Set the value of the `enabled` variable to `true`.

      2. Set the value of the `meta.cluster_name` variable to the name of the Amazon EKS cluster you'll create.

      3. Set the values of the `location.region` and `location.zones` variables to the region and zones where you'll deploy the CDM.

         Before continuing:

         * Go to the [Amazon Elastic Kubernetes Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/eks.html) page and verify the region you're specifying supports Amazon EKS.

         * Run the `aws ec2 describe-availability-zones --region region-name` command to identify three availability zones in your AWS region.

   4. Save and close the override.auto.tfvars file.

8. Ensure your region has an adequate CPU quota for the CDM.

   Locate these two variables in your cluster's configuration in the override.auto.tfvars file:

   * `node_pool.type`: the machine type to be used in your cluster

   * `node_pool.max_count`: the maximum number of machines to be used in your cluster

   Your quotas must be large enough to let you allocate the maximum number of machines in your region. If your quotas are too low, request and wait for a quota increase from Amazon Web Services before attempting to create your CDM cluster.
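
The steps above leave you reading JSON by eye: confirming in steps 3 and 4 that the active profile is a member of `cdm-users`, and in step 8 that the region's quota covers `node_pool.max_count` nodes of `node_pool.type`. As an added example (not part of the ForgeOps documentation or of the forgeops and forgeops-extras repositories), the following Python script turns those checks, plus a check that the group really carries all seven policies from step 1, into functions over the JSON that the named `aws` commands print. The sample output embedded at the bottom is constructed for this example (fictitious account ID and IDs, `IamLimitedAccess` deliberately missing, a 32-vCPU quota); the quota code `L-1216C473` is assumed to be the "Running On-Demand Standard instances" quota that applies to the instance family you chose, and the `m5.2xlarge` / `max_count = 6` values stand in for whatever you set in override.auto.tfvars.

```python
"""Preflight checks for the AWS setup above: (1) the active IAM user is in
cdm-users and the group carries every policy the procedure attaches, and
(2) the region's EC2 vCPU quota covers node_pool.max_count nodes of
node_pool.type. Each check is a pure function over the JSON that the named
`aws` command prints, so it runs offline on the embedded samples (constructed
for this example) or on live CLI output you paste in."""
import json
from typing import List, Set

GROUP = "cdm-users"
# Five AWS-managed policies plus the two customer-managed ones from the page.
REQUIRED_POLICIES: Set[str] = {
    "IAMUserChangePassword", "IAMReadOnlyAccess", "AmazonEC2FullAccess",
    "AmazonEC2ContainerRegistryFullAccess", "AWSCloudFormationFullAccess",
    "EksAllAccess", "IamLimitedAccess",
}


def active_user(get_user_json: str) -> str:
    """UserName from `aws iam get-user`, i.e. the profile actually in use."""
    return json.loads(get_user_json)["User"]["UserName"]


def user_in_group(list_groups_json: str, group: str = GROUP) -> bool:
    """True if `aws iam list-groups-for-user --user-name ...` lists `group`."""
    return any(g.get("GroupName") == group
               for g in json.loads(list_groups_json).get("Groups", []))


def missing_policies(attached_json: str, required: Set[str] = REQUIRED_POLICIES) -> List[str]:
    """Required policies absent from `aws iam list-attached-group-policies --group-name cdm-users`."""
    attached = {p["PolicyName"] for p in json.loads(attached_json).get("AttachedPolicies", [])}
    return sorted(required - attached)


def vcpus_per_node(describe_types_json: str, instance_type: str) -> int:
    """DefaultVCpus for instance_type from `aws ec2 describe-instance-types --instance-types ...`."""
    for it in json.loads(describe_types_json)["InstanceTypes"]:
        if it["InstanceType"] == instance_type:
            return int(it["VCpuInfo"]["DefaultVCpus"])
    raise ValueError(f"{instance_type} not in describe-instance-types output")


def vcpu_shortfall(describe_types_json: str, instance_type: str, max_count: int,
                   quota_json: str, in_use_vcpus: int = 0) -> int:
    """vCPUs by which the region's On-Demand Standard quota (from
    `aws service-quotas get-service-quota --service-code ec2 --quota-code L-1216C473`;
    quota code assumed) falls short of max_count nodes; 0 means it suffices.
    On-Demand quotas are per region and counted in vCPUs, so instances already
    running in the region (in_use_vcpus) consume the same budget."""
    required = vcpus_per_node(describe_types_json, instance_type) * max_count
    quota = int(json.loads(quota_json)["Quota"]["Value"])
    return max(0, required + in_use_vcpus - quota)


# --- constructed sample CLI output (fictitious account and IDs) ---
SAMPLE_USER = ('{"User": {"Path": "/", "UserName": "my-user-name", "UserId": "AIDAEXAMPLE", '
               '"Arn": "arn:aws:iam::123456789012:user/my-user-name"}}')
SAMPLE_GROUPS = ('{"Groups": [{"Path": "/", "GroupName": "cdm-users", "GroupId": "AGPAEXAMPLE", '
                 '"Arn": "arn:aws:iam::123456789012:group/cdm-users"}]}')
# IamLimitedAccess deliberately left off so the policy check has something to report.
SAMPLE_ATTACHED = json.dumps({"AttachedPolicies": [
    {"PolicyName": n, "PolicyArn": f"arn:aws:iam::aws:policy/{n}"}
    for n in ("IAMUserChangePassword", "IAMReadOnlyAccess", "AmazonEC2FullAccess",
              "AmazonEC2ContainerRegistryFullAccess", "AWSCloudFormationFullAccess")
] + [{"PolicyName": "EksAllAccess", "PolicyArn": "arn:aws:iam::123456789012:policy/EksAllAccess"}]})
SAMPLE_TYPES = '{"InstanceTypes": [{"InstanceType": "m5.2xlarge", "VCpuInfo": {"DefaultVCpus": 8}}]}'
SAMPLE_QUOTA = '{"Quota": {"ServiceCode": "ec2", "QuotaCode": "L-1216C473", "Value": 32.0}}'


def main() -> None:
    print("profile user:", active_user(SAMPLE_USER))
    print("in cdm-users:", user_in_group(SAMPLE_GROUPS))
    print("missing policies:", missing_policies(SAMPLE_ATTACHED))  # ['IamLimitedAccess']
    # node_pool.type = m5.2xlarge and node_pool.max_count = 6 are assumed tfvars values.
    print("vCPU shortfall:", vcpu_shortfall(SAMPLE_TYPES, "m5.2xlarge", 6, SAMPLE_QUOTA))  # 16


if __name__ == "__main__":
    main()
```

To run it against your own account, replace each `SAMPLE_*` string with the output of the command named in that function's docstring. A non-empty `missing_policies` list means step 1 is incomplete; a non-zero `vcpu_shortfall` is the amount to ask for in the quota increase before creating the cluster, and passing the vCPUs of instances you already run in the region as `in_use_vcpus` keeps that number honest.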

## Next step

* [x] [Understand CDM architecture on EKS](architecture.html)

* [x] [Install third-party software](sw.html)

* [x] [Get the forgeops and forgeops-extras repositories](forgeops.html)

* [x] [Set up your AWS environment](#)

* [ ] *[Create a Kubernetes cluster](cluster.html)*

***

[1](#_footnoteref_1). The Terraform configuration contains a set of variables under `forgerock` that adds labels required for clusters created by ForgeRock employees. If you're a ForgeRock employee creating a cluster, set values for these variables.
