Skip to content

Privacera Setup for AWS

Note

Please ensure you have completed the prerequisites before proceeding with the setup.

This section provides the steps to setup Privacera on AWS. The setup includes the following steps:

  1. Update the configuration file aws_pm_config_env.sh with the required details.
  2. Install Privacera Manager
  3. Deploy Privacera in Kubernetes
  4. Configure AWS ALB for Privacera (Optional)
  5. Post-Install Configuration

Download Scripts

The base installation is done using the Privacera Manager bootstrapping scripts. Go to the server where you want to install Privacera Manager and download the following files.

Bash
1
2
3
4
curl -s https://raw.githubusercontent.com/privacera/privacera-installation-scripts/refs/heads/main/based-install/self-managed/aws/aws_pm_config_env.sh -o aws_pm_config_env.sh
curl -s https://raw.githubusercontent.com/privacera/privacera-installation-scripts/refs/heads/main/based-install/self-managed/aws/aws_install_pm.sh -o aws_install_pm.sh
curl -s https://raw.githubusercontent.com/privacera/privacera-installation-scripts/refs/heads/main/based-install/self-managed/aws/aws_bootstrap_privacera.sh  -o aws_bootstrap_privacera.sh
chmod a+x *.sh

For your reference, the files are in the public GitHub repository.

Update the Privacera bootstrapping configuration file

The configuration file aws_pm_config_env.sh contains the variables required for bootstrapping Privacera Manager and deploying Privacera in Kubernetes. Update them with the values specific to your deployment.

Tip

This is a one-time activity. After the initial bootstrapping, this configuration should be securely stored and deleted from the instance.

Configuration Variables Table

Variable Name Description Sample Value
DEPLOYMENT_ENV_NAME Deployment environment name, typically the name of the deployment or project. "privacera-prod" or "privacera-dev"
PRIV_MGR_IMAGE Docker image for Privacera Manager, including the repository URL and image tag. "hub2.privacera.com/privacera-manager:rel_9.0.0.3"
PRIV_MGR_PACKAGE URL for the Privacera Manager package, usually hosted on an S3 bucket or similar repository. "https://privacera-host/path/privacera-manager.tar.gz"
PRIVACERA_HUB_USER Username for accessing Privacera Hub, the central repository for Privacera images. "hub_user"
PRIVACERA_HUB_PASSWORD Password for accessing Privacera Hub. This should be securely stored. "hub_password"
ANSIBLE_VAULT_PASSWORD Password for Ansible Vault, used to encrypt and decrypt sensitive Ansible variables in the EC2 instance. "YourStrongPassword"
GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD Password for the global secrets keystore. Used to encrypt sensitive information in the Pod. "YourStrongPassword"
AWS_REGION AWS region where the deployment will occur. "us-east-1"
EFS_FSID Elastic File System (EFS) File System ID for shared storage in AWS. "fs-1234567890abcdef"
SSL_DEFAULT_PASSWORD Default password for SSL certificate management. Should be a strong password to secure SSL certificates generated by Privacera Manager. "YourStrongSSLPassword"
DB Database type used. Uncomment the appropriate line for your database: MySQL or PostgreSQL. MYSQL or POSTGRESQL or NATIVE
EXTERNAL_DB_HOST Hostname or IP address of the external database. "database.example.com" or "192.168.1.100"
EXTERNAL_DB_PORT (Optional) Port of the external database if different then default port. "3306"
EXTERNAL_DB_NAME Name of the external database. "privacera_db"
EXTERNAL_DB_USER Username for accessing the external database. "db_admin"
EXTERNAL_DB_PASSWORD Password for the external database user. This should be stored securely. "YourSecureDBPassword"
AWS_ROUTE_53_DOMAIN_NAME Domain name for AWS Route 53. If Privacera will create Route 53 entries, the service name will be prefixed with this domain. "privacera.yourdomain.com"
CERTIFICATE_ARN ARN of the AWS Certificate Manager (ACM) certificate to use with the ALB "arn:aws:acm:us-east-1:1223444:certificate/622eb4db-ea45b48"
SUBNETS Subnets in which the ALB will be deployed. Comma-separated list of subnet IDs. "subnet-1234abcd,subnet-5678efgh"
AWS_ALB_GROUP Group name for the ALB. Used for grouping ALBs within a cluster. "privacera-group"
PRIVACERA_AWS_ZONE_ID AWS Zone ID for the Route 53 hosted zone. "Z3M3LMPEXAMPLE"
AWS_NLB_RANGER_INTERNAL Set to true if the Network Load Balancer (NLB) for the Ranger plugin should be internal. "true" or "false"
SECURITY_GROUPS (Optional) Security groups to associate with the ALB. Comma-separated list of security group IDs. "sg-0123456789abcdef,sg-9876543210fedcba"

Notes

  • Optional Fields: SECURITY_GROUPS is optional and should be included only if needed.
  • Database Configuration: Uncomment the appropriate database type (MYSQL or POSTGRESQL) that applies to your setup. For PoCs, you can set to NATIVE to deploy MariaDB in the same Kubernetes cluster.

Install Privacera Manager

On the EC2 instance, after updating the configuration file, run the aws_pm_install.sh script to install Privacera Manager.

Bash
bash aws_install_pm.sh aws_pm_config_env.sh
After the installation is complete, you will see files and directories created in the ~/privacera/privacera-manager/ directory.

Bash
ls ~/privacera/privacera-manager/

Configure Privacera for base installation

Run the aws_bootstrap_privacera.sh script to configure Privacera for the base installation.

Bash
bash aws_bootstrap_privacera.sh aws_pm_config_env.sh

The script will create the necessary configuration files and directories for Privacera Manager. You can verify the configuration files and directories created in the ~/privacera/privacera-manager/config/custom-vars/ directory.

Just make sure the .yml files are created in the directory.

Bash
ls ~/privacera/privacera-manager/config/custom-vars/

Tip

This script sets all the common configurations required for Privacera. If you need to customize the configurations, you can update the .yml files in the ~/privacera/privacera-manager/config/custom-vars/ directory. Please note once you update the configuration files, you shouldn't run the aws_bootstrap_privacera.sh script again, otherwise it will overwrite the changes.

Generate Kubernetes Deployment Files and Helm Charts

Run the following command to generate the Kubernetes deployment files and Helm charts for Privacera.

Note

The setup command will ask you to enter vault password. This is the same that you entered in the configuration file for ANSIBLE_VAULT_PASSWORD variable.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup

Apply the Privacera Helm Charts

Run the following command to apply the Privacera Helm charts.

Bash
cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade

The above command will deploy Privacera in the Kubernetes cluster. You can verify the deployment by checking the pods.

Bash
source ~/aws_pm_config_env.sh; kubectl get pods -n $DEPLOYMENT_ENV_NAME

If any of the pods are showing up, then you can go to the next step to configure the AWS ALB for Privacera.

Configure AWS ALB for Privacera (Optional)

Run the following command to get the AWS ALB external URL.

Bash
1
2
3
source ~/aws_pm_config_env.sh; kubectl -n $DEPLOYMENT_ENV_NAME get ingress \
privacera-ingress-resource \
-o jsonpath='{.status.loadBalancer.ingress[0].hostname}'; echo ""; echo "Above is your AWS_ALB_EXTERNAL_URL"
The above command will display the AWS ALB external URL. You can need to update the below file with the AWS ALB external URL.

Tip

You could create another terminal to run the below step or you can save the AWS ALB external URL in a text file and then update the below file

Bash
cd ~/privacera/privacera-manager
vi config/custom-vars/vars.aws.alb.ingress.yml

Update the AWS_ALB_EXTERNAL_URL variable with the AWS ALB external URL you got from the previous command.

YAML
AWS_ALB_EXTERNAL_URL: "<PLEASE_CHANGE>"

Post-Install Configuration

Some of the Post Install tasks are: - Route 53 Entries - Generate the plugin tarball

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

Verify the Privacera Installation

Check the Pod Status

You can run the following command to use k9s to check the pod status

Bash
source ~/aws_pm_config_env.sh; kubectl get pods -n $DEPLOYMENT_ENV_NAME

You can also use k9s to check the pod status.

Bash
cd ~/privacera/privacera-manager
source ~/aws_pm_config_env.sh; ./privacera-manager.sh k9s -n $DEPLOYMENT_ENV_NAME

Tip

To exit k9s, you can press ctrl+c and then q or ':q' to exit.

URLs for Privacera Components

If the installation is successful, you can get the URLs for the Privacera components using the following command.

Bash
cat ~/privacera/privacera-manager/output/service-urls.txt

Common URLs for Privacera components are:

Privacera Portal: https://portal-<$DEPLOYMENT_ENV_NAME>.<AWS_ALB_EXTERNAL_URL>

Privacera Diagnostic Tool

You can run the Privacera Diagnostic Tool to check the health of the Privacera components. The URL path for the diagnostic tool can be found from the service-urls.txt file. It will be in the format:

https://diagnostics-server-<$DEPLOYMENT_ENV_NAME>.<AWS_ALB_EXTERNAL_URL>

Privacera Health Monitoring

You can run the Privacera Health Monitoring tool to check the health of the Privacera components. The URL path for the health monitoring tool can be found from the service-urls.txt file. It will be in the format:

https://grafana-<$DEPLOYMENT_ENV_NAME>.<AWS_ALB_EXTERNAL_URL>

Delete the Configuration Files

Once the base installation is complete, you could the configuration files securely. For security reasons, you should delete the configuration files from the EC2 instance.

Bash
rm ~/aws_pm_config_env.sh

Comments