{"id":31641510,"url":"https://github.com/dspace-group/artexa-reference-architecture-aws","last_synced_at":"2026-02-15T13:37:10.628Z","repository":{"id":316433961,"uuid":"997334456","full_name":"dspace-group/artexa-reference-architecture-aws","owner":"dspace-group","description":"ARTEXA is the dSPACE software solution for simulation artifact management. This repository contains a AWS reference architecture written in Terraform. Use these Terraform files to create all the AWS resources that are necessary to operate ARTEXA in your own AWS account.","archived":false,"fork":false,"pushed_at":"2025-11-11T07:38:22.000Z","size":39,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-11-11T09:16:18.424Z","etag":null,"topics":["artifacts","model-identity-card","simulation-model"],"latest_commit_sha":null,"homepage":"https://www.dspace.com/en/pub/home/products/sw/datenmanagement/artexa.cfm","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dspace-group.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-06-06T10:56:52.000Z","updated_at":"2025-09-24T14:17:20.000Z","dependencies_parsed_at":"2025-09-24T16:27:47.386Z","dependency_job_id":"ef5c77a8-f514-4cfe-a848-116bde84d1ee","html_url":"https://github.com/dspace-group/artexa-reference-architecture-aws","commit_stats":null,"previous_names":["dspace-group/artexa-reference-architecture-aws"],"tags_
count":1,"template":false,"template_full_name":null,"purl":"pkg:github/dspace-group/artexa-reference-architecture-aws","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dspace-group%2Fartexa-reference-architecture-aws","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dspace-group%2Fartexa-reference-architecture-aws/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dspace-group%2Fartexa-reference-architecture-aws/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dspace-group%2Fartexa-reference-architecture-aws/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dspace-group","download_url":"https://codeload.github.com/dspace-group/artexa-reference-architecture-aws/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dspace-group%2Fartexa-reference-architecture-aws/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29480251,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-15T11:35:25.641Z","status":"ssl_error","status_checked_at":"2026-02-15T11:34:57.128Z","response_time":118,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["artifacts","model-identity-card","simulation-model"],"created_at":"2025-10-07T03:01:51.207Z","updated_at":"2026-02-15T13:37:10.621Z","avatar_url":"https://github.com/dspace-group.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# How to deploy AWS Infrastructure for ARTEXA\n\nThe AWS infrastructure for ARTEXA is defined in Terraform.\nTerraform is an infrastructure-as-code (IaC) tool.\nIaC codifies cloud APIs (e.g. the AWS API) into declarative configuration files.\n\nCloud resources like the Kubernetes cluster are defined in `*.tf` files.\nThe Terraform declarations can be customized using variables.\nVariables are defined in `*.tfvars` files.\nTerraform reads the `*.tf` files, creates an execution plan that determines which AWS resources to create, and applies the changes.\nThe goal of the execution plan is to create the AWS infrastructure described in Terraform.\nWhen the plan is applied, the AWS resources that Terraform has created are recorded in the Terraform state.\nThe Terraform state is a file that maps the virtual resources declared in `*.tf` to real AWS resources.\nWhen you make changes to the Terraform declaration and apply them, Terraform compares the target state with the actual state and creates a new execution plan that only contains the changes needed to get from the current state to the target state.\n\nTerraform is executed on an administration machine and connects to the AWS APIs to create the AWS resources.\n\nHere are the steps to create 
the AWS infrastructure. The individual steps are explained in the sections below.\n\n1.  Create and configure AWS access\n1.  Setup Administration Machine\n    1.  Create an AWS Bastion Host (optional)\n    1.  Installation of Tools\n    1.  Configure AWS CLI\n1.  Setup Terraform\n    1.  Create Terraform State Bucket\n    1.  Create Secrets Manager Secrets\n    1.  Adjust Terraform Variables\n    1.  Apply Terraform Configuration\n\n## Create and configure AWS access\n\n-   **If you use AWS Security Credentials**\n    -   Create an IAM User, e.g., `terraform-bastion`, with sufficient permissions to create, update and delete all AWS resources that are created by Terraform.\n    -   Create security credentials (access key, secret key) for this IAM User. Make sure you store the secret key in a safe location, as it can be viewed only once.\n-   **If you use AWS SSO**, make sure the SSO role has sufficient permissions.\n\n## Setup Administration Machine\n\nOn your administration machine, you need to install the following tools to deploy ARTEXA:\n\n1. aws CLI (https://docs.aws.amazon.com/de_de/cli/latest/userguide/getting-started-install.html)\n1. terraform\n1. kubectl\n1. helm\n\ndSPACE recommends executing Terraform from a [Linux Bastion Host](https://docs.aws.amazon.com/mwaa/latest/userguide/tutorials-private-network-bastion.html).\nThe setup of an AWS Bastion Host is described in the remainder.\n\n### Create an AWS Bastion Host\n\n-   Create an IAM Role, e.g., `terraform-bastion`, for the Bastion Host and attach the policy `AmazonSSMManagedInstanceCore` to it.\n-   Create an EC2 instance that will become the Bastion Host.\n\n    -   It is recommended to use Amazon Linux as Amazon Machine Image (AMI).\n    -   It is recommended to use an instance type with 4 vCPUs, 8 GB RAM (e.g. t3.xlarge).\n    -   100 GB of storage is recommended.\n    -   As IAM instance profile, select the IAM Role that you have created before. This will allow you to connect to the Linux Bastion Host using [Secure Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html).\n\n-   Optional: If you plan to use a private EKS cluster endpoint, keep in mind that the Bastion and the EKS cluster need to be in the same VPC.\n-   Optional: If you plan to connect to the Bastion via SSH, you need to create a Key pair for login and check the options **Auto-assign public IP** and **Allow SSH traffic**. Make sure that you store the .pem file in a safe location. You must ensure that your Amazon EKS control plane security group contains rules to allow ingress traffic on port 443 from your bastion host. Also, you must ensure that the security group of your Bastion host allows incoming traffic on port 22.\n\nHere is an example of how to create a Bastion host using the AWS CLI.\n\n```powershell\n# Parameters of the Bastion host (replace the IDs with the values of your account)\n$imageid=\"ami-0592c673f0b1e7665\"\n$instancetype=\"t3.xlarge\"\n$keyname=\"terraform-bastion\"\n$subnetid=\"subnet-0589e800f6405d984\"\n$iaminstanceprofile=\"Arn=arn:aws:iam::123456789012:instance-profile/terraform-bastion\"\n$profile=\"123456789012_AdministratorAccess\"\n# Root volume: 100 GiB gp3 on /dev/xvda (the root device name of Amazon Linux AMIs); VolumeSize is an integer in GiB\n$blockdevicemappings=\"DeviceName=/dev/xvda,Ebs={DeleteOnTermination=true,VolumeSize=100,VolumeType=gp3}\"\n$tags=\"ResourceType=instance,Tags=[{Key=Name,Value=terraform-bastion}]\"\n$securitygroupids=\"sg-0ba1d8a64599759db\"\n\n# --dry-run only validates the request and your permissions; remove it to launch the instance\naws ec2 run-instances `\n--image-id $imageid `\n--instance-type $instancetype `\n--key-name $keyname `\n--subnet-id $subnetid `\n--iam-instance-profile $iaminstanceprofile `\n--block-device-mappings $blockdevicemappings `\n--associate-public-ip-address `\n--profile $profile `\n--tag-specifications $tags `\n--security-group-ids $securitygroupids `\n--dry-run\n```\n\nTo transfer the Terraform files and the instance configuration to the Bastion host, you can stage them in an S3 bucket (here `artexa-filetransfer`) from your administration machine; remove `--dryrun` to actually copy the files:\n\n```powershell\n$profile=\"123456789012_AdministratorAccess\"\ncd Deploy\n# Secrets and the local .terraform directory are excluded from the upload\naws s3 sync ./instances/aws-qa s3://artexa-filetransfer/instances/aws-qa --exclude \"secrets/*\" --exclude \"terraform/.terraform/*\" --profile $profile --dryrun\naws s3 sync ./terraform s3://artexa-filetransfer/terraform --exclude \".terraform/*\" --profile $profile --dryrun\n```\n\nYou can connect to the bastion host from your administration machine using the AWS Session Manager. In this case you need to follow the instructions to [install the Session Manager plugin for the AWS CLI](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html). After installing it, you can create a session like this:\n\n```powershell\naws ssm start-session --target \"i-0ff045872de825c89\" --profile \"123456789012_AdministratorAccess\"\n```\n\nAs an alternative to Session Manager, you can use an SSH session.\nBefore establishing an SSH connection to your AWS Bastion, make sure that the security group of your Bastion host allows incoming traffic on port 22.\n\nTo open an interactive SSH terminal, run the following command, providing your keyfile `terraform-bastion.pem` and the public DNS name of the EC2 machine:\n\n```powershell\nssh -i terraform-bastion.pem ec2-user@ec2-54-93-121-20.eu-central-1.compute.amazonaws.com\n```\n\nIf you only want to forward the kubectl access from your local administration machine to the Bastion host using a [SOCKS5 proxy](https://kubernetes.io/docs/tasks/extend-kubernetes/socks5-proxy-access-api/#using-ssh-to-create-a-socks5-proxy), run the following command:\n\n```powershell\nssh -i terraform-bastion.pem -D 1080 -q -N ec2-user@ec2-54-93-121-20.eu-central-1.compute.amazonaws.com\n```\n\nYou also need to add the proxy URL to the kubeconfig on your administration machine:\n\n```diff\napiVersion: v1\nclusters:\n  - cluster:\n      server: https://333063836D6E889C17193BF63BE0D2C5.gr7.eu-central-1.eks.amazonaws.com\n+     proxy-url: socks5://localhost:1080\n```\n\nOn the Bastion host, download the staged files from the S3 bucket (remove `--dryrun` to actually copy them):\n\n```bash\nprofile=\"123456789012_AdministratorAccess\"\naws s3 sync s3://artexa-filetransfer/terraform ~/terraform --profile $profile --dryrun\naws s3 sync s3://artexa-filetransfer/instances ~/instances --profile $profile --dryrun\n```\n\n### 
Installation of Tools (Amazon Linux Bastion Host)\n\n-   AWS CLI is pre-installed on Amazon Linux, so you can skip this step.\n-   To install Terraform on Amazon Linux, run the following commands (see [https://developer.hashicorp.com/terraform/install#linux](https://developer.hashicorp.com/terraform/install#linux)):\n\n```bash\nsudo yum install -y yum-utils shadow-utils\nsudo yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo\nsudo yum -y install terraform-1.4.7\n```\n\n-   To install kubectl on Amazon Linux, run the following commands (see [https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#install-kubectl-binary-with-curl-on-linux)):\n\n```bash\nsudo curl -LO \"https://dl.k8s.io/release/$(sudo curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl\"\nsudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl\n```\n\n-   To install helm on Amazon Linux, run the following commands (see [https://helm.sh/docs/intro/install/#from-script](https://helm.sh/docs/intro/install/#from-script)):\n\n```bash\nsudo curl -sLO https://get.helm.sh/helm-v3.15.2-linux-amd64.tar.gz\nsudo tar -zxvf helm-v3.15.2-linux-amd64.tar.gz\nsudo mv linux-amd64/helm /usr/local/bin/helm\n```\n\n-   Verify the tool installations:\n\n```bash\naws --version\nterraform --version\nkubectl version\nhelm version\n```\n\n### Configure AWS CLI\n\n-   You need to configure an AWS profile for your AWS account.\n-   **If you use AWS Security Credentials**\n    -   Run the command `aws configure` and enter the access and secret keys of your IAM user.\n-   **If you use AWS SSO**\n    -   Open the AWS access portal for your company (e.g., https://xxxx.awsapps.com/start), select the AWS account where you want to deploy ARTEXA into, click on `access keys`, and note the following values: sso_region, sso_account_id, sso_role_name.\n    -   If it does not exist, create the file `~/.aws/config` on your administration machine, where `~` is the home directory of your current user. Then add the profile configuration to `~/.aws/config`. On Linux, you can use the following command, which appends the profile to the file (creating the file if it does not exist):\n\n```bash\ncat \u003e\u003e ~/.aws/config \u003c\u003c EOF\n[profile 123456789012_AdministratorAccess]\nregion = eu-central-1\noutput = json\nsso_start_url = https://ssocontroltower.awsapps.com/start\nsso_region = eu-central-1\nsso_account_id = 123456789012\nsso_role_name = AdministratorAccess\nEOF\n```\n\nRemark: Please do **not** use the command `aws configure sso` because it uses SSO sessions that are not supported by Terraform.\n\n## Setup Terraform\n\n### Create Terraform State Bucket\n\nBy default, the Terraform state is stored in a file `*.tfstate` on your local hard drive.\nIt is recommended to store the Terraform state in a remote S3 bucket.\n\nTo store the Terraform state in an S3 bucket, you have to manually create the bucket first.\nThe bucket name needs to be globally unique, e.g. `artexa-terraform-state`.\n\nAfter you have created the bucket, you need to link it with Terraform.\nTo do so, please make a copy of the file `backend.config.template`, name it `backend.config` and open the file in a text editor. 
The values have to point to the existing S3 bucket that is used to store the Terraform state:\n\n```hcl\nbucket  = \"artexa-terraform-state\"\nkey     = \"development.tfstate\"\nregion  = \"eu-central-1\"\nprofile = \"123456789012_AdministratorAccess\"\n```\n\nRun the following command to download any Terraform dependencies and apply the backend configuration:\n\n```pwsh\nterraform init -backend-config=\"./backend.config\"\n```\n\n### Create Secrets Manager Secrets\n\nUsername and password for the PostgreSQL databases are stored in AWS Secrets Manager.\nBefore you let Terraform create AWS resources, you need to manually create a Secrets Manager secret that stores the username and password.\nIt is recommended to create individual secrets per ARTEXA instance (e.g. production and staging instance).\nTo create the secret, open the Secrets Manager console and click the button `Store a new secret`.\nAs secret type choose `Other type of secret`.\nThe password must contain from 8 to 128 characters and must not contain any of the following: / (slash), ' (single quote), \" (double quote) and @ (at sign).\nOpen the Plaintext tab, paste the following JSON object and enter your password:\n\n```json\n{\n    \"postgresql_password\": \"\u003cyour password\u003e\"\n}\n```\n\nAlternatively, you can create the secret with the following PowerShell script:\n\n```powershell\n$region = Read-Host \"Enter AWS region\"\n$secretname = Read-Host \"Enter secret name\"\n$password = Read-Host \"Enter PostgreSQL password\"\n$profile = Read-Host \"Enter AWS profile name\"\n# Build the secret JSON and normalize it to a single compact line\n$postgresqlCredentials = @\"\n{\n    \"postgresql_password\" : \"$password\"\n}\n\"@ | ConvertFrom-Json | ConvertTo-Json -Compress\n# Escape the double quotes (and double any backslashes in front of them) so the JSON survives argument passing to the AWS CLI\n$postgresqlCredentials = $postgresqlCredentials -replace '([\\\\]*)\"', '$1$1\\\"'\naws secretsmanager create-secret --name $secretname --secret-string $postgresqlCredentials --region $region --profile $profile\n```\n\n### Adjust Terraform Variables\n\nFor your configuration, please rename 
the template file `terraform.tfvars` to `my-terraform.tfvars` and open it in a text editor.\nThis file contains all configurable variables, including documentation for each variable. Please adapt the values before you deploy the resources.\n\n```diff\nartexa_instances = {\n  \"production\" = {\n+    secretname = \"\u003csecret name\u003e\"\n  }\n}\n```\n\nAlso rename the file `providers.tf.template` to `main.tf` and fill in the name of the AWS profile you have created before.\n\n```diff\nprovider \"aws\" {\n+  profile = \"\u003cprofile-name\u003e\"\n}\n```\n\n-   **If you use AWS SSO**, add the ARN of your SSO IAM role to the `.tfvars` file:\n\n```hcl\nmap_roles = [{\n  groups   = [\"system:masters\"]\n  rolearn  = \"arn:aws:iam::123456789012:role/AWSReservedSSO_AdministratorAccess_dda893720a26446d\"\n  username = \"admin\"\n}]\n```\n\n-   **If you use AWS Security Credentials**, add the ARN of your IAM user to the `.tfvars` file:\n\n```hcl\nmap_users = [{\n  groups   = [\"system:masters\"]\n  userarn  = \"arn:aws:iam::123456789012:user/terraform\"\n  username = \"terraform\"\n}]\n```\n\n-   **If you use a preconfigured VPC**, provide the IDs of the VPC and its respective subnets:\n\n```hcl\nvpcId = \"vpc-08a57d82585de2bb8\"\npublic_subnet_filter  = [{ name = \"subnet-id\", values = [\"subnet-0589e800f6405d984\", \"subnet-0fa0c652281451c1f\"] }]\nprivate_subnet_filter = [{ name = \"subnet-id\", values = [\"subnet-04a9d20fc26e8b9df\", \"subnet-0011bbfe23da556cd\"] }]\n```\n\nMake sure that your preconfigured subnets fulfill the [subnet requirements for nodes](https://docs.aws.amazon.com/eks/latest/userguide/network-reqs.html#node-subnet-reqs), i.e.,\nall subnets need the tag `kubernetes.io/cluster/\u003cinfrastructurename\u003e=shared`,\nprivate subnets need the tag `kubernetes.io/role/internal-elb=1`, and\npublic subnets need the tag `kubernetes.io/role/elb=1`.\n\n### Apply Terraform Configuration\n\n-   _If you use AWS SSO_, start a new SSO session:\n\n```pwsh\naws 
sso login --profile 123456789012_AdministratorAccess\n```\n\n-   Apply the Terraform configuration with your variables:\n\n```pwsh\nterraform apply --var-file=\"./my-terraform.tfvars\"\n```\n\nInspect the Terraform execution plan and apply it with `yes`.\n\n## Backup and Restore\n\nARTEXA stores data in the PostgreSQL database and in S3 buckets that need to be backed up.\nAWS supports continuous backups for Amazon RDS for PostgreSQL and S3 that allow point-in-time recovery.\n[Point-in-time recovery](https://docs.aws.amazon.com/aws-backup/latest/devguide/point-in-time-recovery.html) lets you restore your data to any point in time within a defined retention period.\n\nThe ARTEXA reference architecture creates an AWS backup plan that makes continuous backups of the PostgreSQL database and S3 buckets.\nThe backups are stored in an AWS backup vault per ARTEXA instance.\nAn IAM role with the permissions required to create backups is also created automatically.\nTo enable backups for your ARTEXA instance, make sure you have the flag `enable_backup_service` set to `true` in your `.tfvars` file:\n\n```hcl\nartexa_instances = {\n  \"production\" = {\n    enable_backup_service = true\n  }\n}\n```\n\n### Amazon RDS for PostgreSQL\n\nCreate a new target RDS instance (backup server) that is a copy of a source RDS instance (production server) at a specific point in time.\nThe command [`restore-db-instance-to-point-in-time`](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/restore-db-instance-to-point-in-time.html) creates the target database.\nMost of the configuration settings are copied from the source database.\nThe easiest way to be able to connect to the target instance is to explicitly set the same security group and subnet group as used for the source instance.\n\nRestoring an RDS instance can be done with the AWS CLI as described in the remainder:\n\n```bash\naws rds restore-db-instance-to-point-in-time --source-db-instance-identifier 
artexa-production-artexa --target-db-instance-identifier artexa-production-artexa-backup --vpc-security-group-ids sg-0b954a0e25cd11b6d --db-subnet-group-name artexa-reference-vpc --restore-time 2022-06-16T23:45:00.000Z --tags Key=timestamp,Value=2022-06-16T23:45:00.000Z\n```\n\nAdjust the namespace and the path to the kubeconfig file in the following command.\nThe command creates a pgdump pod using the standard postgres image and opens a Bash shell in it:\n\n```bash\nkubectl run pgdump -ti -n your-namespace --image postgres --kubeconfig ./path/to/your/kube.config -- bash\n```\n\nIn the pod's Bash shell, use the pg_dump and pg_restore commands to stream the data from the backup server to the production server:\n\n```bash\n# Streams a custom-format dump of the backup server straight into the production database;\n# --clean --if-exists drops the existing objects in the production database before recreating them\npg_dump -h artexa-production-artexa-backup.cexy8brfkmxk.eu-central-1.rds.amazonaws.com -p 5432 -U dbuser -Fc artexa | pg_restore --clean --if-exists -h artexa-production-artexa.cexy8brfkmxk.eu-central-1.rds.amazonaws.com -p 5432 -U dbuser -d artexa\n```\n\nAlternatively, you can [restore the RDS instance via the AWS console](https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-rds.html).\n\n### S3\n\nThe ARTEXA reference architecture creates an S3 bucket for artifacts and enables versioning of the S3 bucket, which is a requirement for point-in-time recovery.\n\nTo restore the S3 buckets to an older version, you need to create an IAM role that has the proper permissions:\n\n```powershell\n$rolename = \"restore-role\"\n# Trust policy: only the AWS Backup service may assume this role (Effect is case-sensitive and must be \"Allow\")\n$trustrelation = @\"\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Action\": [\"sts:AssumeRole\"],\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Service\": [\"backup.amazonaws.com\"]\n      }\n    }\n  ]\n}\n\"@\necho $trustrelation \u003e trust.json\naws iam create-role --role-name $rolename --assume-role-policy-document file://trust.json --description \"Role to restore\"\naws iam attach-role-policy --role-name $rolename --policy-arn=\"arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore\"\naws iam 
attach-role-policy --role-name $rolename --policy-arn=\"arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores\"\n# --output text returns the bare ARN without surrounding JSON quotes, so it can be passed on as a parameter\n$rolearn = aws iam get-role --role-name $rolename --query 'Role.Arn' --output text\n```\n\nRestoring an S3 bucket can be done via PowerShell as described in the remainder.\nYou can restore the S3 data in place, into another existing bucket, or into a new bucket.\n\n```powershell\n$uuid = New-Guid\n$metadata = @\"\n{\n  \"DestinationBucketName\": \"artexa-production-pkg-backup\",\n  \"NewBucket\": \"true\",\n  \"RestoreTime\": \"2022-06-20T23:45:00.000Z\",\n  \"Encrypted\": \"false\",\n  \"CreationToken\": \"$uuid\"\n}\n\"@\n# Escape the double quotes so the JSON survives argument passing to the AWS CLI\n$metadata = $metadata -replace '([\\\\]*)\"', '$1$1\\\"'\naws backup start-restore-job `\n--recovery-point-arn \"arn:aws:backup:eu-central-1:012345678901:recovery-point:continuous:artexa-production-pkg-0f51c39b\" `\n--iam-role-arn $rolearn `\n--metadata $metadata\n```\n\nAlternatively, you can [restore the S3 data via the AWS console](https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-s3.html).\n\n\u003c!-- prettier-ignore-start --\u003e\n\u003c!-- BEGIN_TF_DOCS --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.1.7 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | 5.70.0 |\n| \u003ca name=\"requirement_helm\"\u003e\u003c/a\u003e [helm](#requirement\\_helm) | 2.15.0 |\n| \u003ca name=\"requirement_kubernetes\"\u003e\u003c/a\u003e [kubernetes](#requirement\\_kubernetes) | 2.32.0 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | 5.60.0 |\n\n## Modules\n\n| Name | Source | Version |\n|------|--------|---------|\n| \u003ca name=\"module_artexa_instance\"\u003e\u003c/a\u003e [artexa\\_instance](#module\\_artexa\\_instance) | ./modules/artexa-aws-instance | n/a |\n| \u003ca 
name=\"module_eks\"\u003e\u003c/a\u003e [eks](#module\\_eks) | git::https://github.com/aws-ia/terraform-aws-eks-blueprints.git | v4.32.1 |\n| \u003ca name=\"module_eks-addons\"\u003e\u003c/a\u003e [eks-addons](#module\\_eks-addons) | git::https://github.com/aws-ia/terraform-aws-eks-blueprints.git//modules/kubernetes-addons | v4.32.1 |\n| \u003ca name=\"module_security_group\"\u003e\u003c/a\u003e [security\\_group](#module\\_security\\_group) | terraform-aws-modules/security-group/aws | 5.1.1 |\n| \u003ca name=\"module_vpc\"\u003e\u003c/a\u003e [vpc](#module\\_vpc) | terraform-aws-modules/vpc/aws | 5.5.3 |\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_iam_instance_profile.license_server_profile](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/iam_instance_profile) | resource |\n| [aws_iam_policy.license_server_policy](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/iam_policy) | resource |\n| [aws_iam_role.license_server_role](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/iam_role) | resource |\n| [aws_iam_role_policy_attachment.license_server_ssm](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_iam_role_policy_attachment.s3_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/iam_role_policy_attachment) | resource |\n| [aws_instance.license_server](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/instance) | resource |\n| [aws_lb.application-loadbalancer](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/lb) | resource |\n| [aws_lb_listener.httplistener](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/lb_listener) | resource |\n| [aws_lb_listener.httpslistener](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/lb_listener) | resource |\n| 
[aws_lb_target_group.targetgroup](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/lb_target_group) | resource |\n| [aws_s3_bucket.license_server_bucket](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/s3_bucket) | resource |\n| [aws_s3_bucket_policy.ssl_only_policy](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/s3_bucket_policy) | resource |\n| [aws_security_group.alb-sg](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/security_group) | resource |\n| [aws_security_group.allow_codemeter](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/security_group) | resource |\n| [aws_ssm_maintenance_window.install](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/ssm_maintenance_window) | resource |\n| [aws_ssm_maintenance_window.scan](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/ssm_maintenance_window) | resource |\n| [aws_ssm_maintenance_window_target.install](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/ssm_maintenance_window_target) | resource |\n| [aws_ssm_maintenance_window_target.scan](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/ssm_maintenance_window_target) | resource |\n| [aws_ssm_maintenance_window_target.scan_eks_nodes](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/ssm_maintenance_window_target) | resource |\n| [aws_ssm_maintenance_window_task.install](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/ssm_maintenance_window_task) | resource |\n| [aws_ssm_maintenance_window_task.scan](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/ssm_maintenance_window_task) | resource |\n| [aws_ssm_patch_baseline.production](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/ssm_patch_baseline) | resource |\n| 
[aws_ssm_patch_group.patch_group](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/resources/ssm_patch_group) | resource |\n| [aws_ami.amazon_linux_kernel5](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/data-sources/ami) | data source |\n| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/data-sources/availability_zones) | data source |\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/data-sources/caller_identity) | data source |\n| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/data-sources/region) | data source |\n| [aws_subnet.private_subnet](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/data-sources/subnet) | data source |\n| [aws_subnet.public_subnet](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/data-sources/subnet) | data source |\n| [aws_subnets.private_subnets](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/data-sources/subnets) | data source |\n| [aws_subnets.public_subnets](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/data-sources/subnets) | data source |\n| [aws_vpc.preconfigured](https://registry.terraform.io/providers/hashicorp/aws/5.70.0/docs/data-sources/vpc) | data source |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_application_loadbalancer\"\u003e\u003c/a\u003e [application\\_loadbalancer](#input\\_application\\_loadbalancer) | Deploy an AWS Application Loadbalancer | `bool` | `false` | no |\n| \u003ca name=\"input_artexa_instances\"\u003e\u003c/a\u003e [artexa\\_instances](#input\\_artexa\\_instances) | A list containing the individual ARTEXA instances, such as 'staging' and 'production'. 
| \u003cpre\u003emap(object({\u003cbr\u003e    name                         = string\u003cbr\u003e    postgresqlVersion            = string\u003cbr\u003e    postgresqlStorage            = number\u003cbr\u003e    postgresqlMaxStorage         = number\u003cbr\u003e    db_instance_type_artexa      = string\u003cbr\u003e    postgresqlStorageKeycloak    = number\u003cbr\u003e    postgresqlMaxStorageKeycloak = number\u003cbr\u003e    db_instance_type_keycloak    = string\u003cbr\u003e    secretname                   = string\u003cbr\u003e    enable_deletion_protection   = bool\u003cbr\u003e    enable_backup_service        = bool\u003cbr\u003e    enable_irsa                  = bool\u003cbr\u003e    backup_retention             = number\u003cbr\u003e    enable_keycloak              = bool\u003cbr\u003e    k8s_namespace                = string\u003cbr\u003e\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e{\u003cbr\u003e  \"production\": {\u003cbr\u003e    \"backup_retention\": 7,\u003cbr\u003e    \"db_instance_type_artexa\": \"db.t3.large\",\u003cbr\u003e    \"db_instance_type_keycloak\": \"db.t3.large\",\u003cbr\u003e    \"enable_backup_service\": true,\u003cbr\u003e    \"enable_deletion_protection\": true,\u003cbr\u003e    \"enable_irsa\": true,\u003cbr\u003e    \"enable_keycloak\": true,\u003cbr\u003e    \"k8s_namespace\": \"artexa\",\u003cbr\u003e    \"name\": \"production\",\u003cbr\u003e    \"postgresqlMaxStorage\": 100,\u003cbr\u003e    \"postgresqlMaxStorageKeycloak\": 100,\u003cbr\u003e    \"postgresqlStorage\": 20,\u003cbr\u003e    \"postgresqlStorageKeycloak\": 20,\u003cbr\u003e    \"postgresqlVersion\": \"16\",\u003cbr\u003e    \"secretname\": \"aws-artexa-dev-production\"\u003cbr\u003e  }\u003cbr\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_certificate_arn\"\u003e\u003c/a\u003e [certificate\\_arn](#input\\_certificate\\_arn) | TLS certificate ARN. Only required when application\\_loadbalancer is true. 
| `string` | `\"\"` | no |\n| \u003ca name=\"input_cluster_endpoint_private_access\"\u003e\u003c/a\u003e [cluster\\_endpoint\\_private\\_access](#input\\_cluster\\_endpoint\\_private\\_access) | Indicates whether or not the EKS private API server endpoint is enabled. Defaults to the EKS resource default, which is false. | `bool` | `false` | no |\n| \u003ca name=\"input_cluster_endpoint_public_access\"\u003e\u003c/a\u003e [cluster\\_endpoint\\_public\\_access](#input\\_cluster\\_endpoint\\_public\\_access) | Indicates whether or not the EKS public API server endpoint is enabled. Defaults to the EKS resource default, which is true. | `bool` | `true` | no |\n| \u003ca name=\"input_cluster_endpoint_public_access_cidrs\"\u003e\u003c/a\u003e [cluster\\_endpoint\\_public\\_access\\_cidrs](#input\\_cluster\\_endpoint\\_public\\_access\\_cidrs) | List of CIDR blocks which can access the Amazon EKS public API server endpoint | `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"0.0.0.0/0\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_codemeter\"\u003e\u003c/a\u003e [codemeter](#input\\_codemeter) | Download link for the CodeMeter rpm package. | `string` | `\"https://www.wibu.com/support/user/user-software/file/download/13346.html?tx_wibudownloads_downloadlist%5BdirectDownload%5D=directDownload\u0026tx_wibudownloads_downloadlist%5BuseAwsS3%5D=0\u0026cHash=8dba7ab094dec6267346f04fce2a2bcd\"` | no |\n| \u003ca name=\"input_enable_patching\"\u003e\u003c/a\u003e [enable\\_patching](#input\\_enable\\_patching) | Scans the license server EC2 instance and the EKS nodes for updates. Installs patches on the license server automatically. EKS nodes need to be updated manually. | `bool` | `false` | no |\n| \u003ca name=\"input_infrastructurename\"\u003e\u003c/a\u003e [infrastructurename](#input\\_infrastructurename) | The name of the infrastructure. 
| `string` | `\"artexa\"` | no |\n| \u003ca name=\"input_install_schedule\"\u003e\u003c/a\u003e [install\\_schedule](#input\\_install\\_schedule) | 6-field Cron expression describing the install maintenance schedule. Must not overlap with variable scan\\_schedule. | `string` | `\"cron(0 3 * * ? *)\"` | no |\n| \u003ca name=\"input_kubernetesVersion\"\u003e\u003c/a\u003e [kubernetesVersion](#input\\_kubernetesVersion) | The version of the EKS cluster. | `string` | `\"1.29\"` | no |\n| \u003ca name=\"input_license_server\"\u003e\u003c/a\u003e [license\\_server](#input\\_license\\_server) | Specifies whether a license server VM will be created. | `bool` | `false` | no |\n| \u003ca name=\"input_license_server_type\"\u003e\u003c/a\u003e [license\\_server\\_type](#input\\_license\\_server\\_type) | EC2 Instance type of the license server. | `string` | `\"t3a.medium\"` | no |\n| \u003ca name=\"input_linuxNodeCountMax\"\u003e\u003c/a\u003e [linuxNodeCountMax](#input\\_linuxNodeCountMax) | The maximum number of Linux nodes for the regular services | `number` | `12` | no |\n| \u003ca name=\"input_linuxNodeCountMin\"\u003e\u003c/a\u003e [linuxNodeCountMin](#input\\_linuxNodeCountMin) | The minimum number of Linux nodes for the regular services | `number` | `1` | no |\n| \u003ca name=\"input_linuxNodeSize\"\u003e\u003c/a\u003e [linuxNodeSize](#input\\_linuxNodeSize) | The machine size of the Linux nodes for the regular services | `list(string)` | \u003cpre\u003e[\u003cbr\u003e  \"m5a.4xlarge\",\u003cbr\u003e  \"m5a.8xlarge\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_maintainance_duration\"\u003e\u003c/a\u003e [maintainance\\_duration](#input\\_maintainance\\_duration) | How long in hours for the maintenance window. 
| `number` | `3` | no |\n| \u003ca name=\"input_map_accounts\"\u003e\u003c/a\u003e [map\\_accounts](#input\\_map\\_accounts) | Additional AWS account numbers to add to the aws-auth ConfigMap | `list(string)` | `[]` | no |\n| \u003ca name=\"input_map_roles\"\u003e\u003c/a\u003e [map\\_roles](#input\\_map\\_roles) | Additional IAM roles to add to the aws-auth ConfigMap | \u003cpre\u003elist(object({\u003cbr\u003e    rolearn  = string\u003cbr\u003e    username = string\u003cbr\u003e    groups   = list(string)\u003cbr\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_map_users\"\u003e\u003c/a\u003e [map\\_users](#input\\_map\\_users) | Additional IAM users to add to the aws-auth ConfigMap | \u003cpre\u003elist(object({\u003cbr\u003e    userarn  = string\u003cbr\u003e    username = string\u003cbr\u003e    groups   = list(string)\u003cbr\u003e  }))\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_private_subnet_filter\"\u003e\u003c/a\u003e [private\\_subnet\\_filter](#input\\_private\\_subnet\\_filter) | Tag filter | \u003cpre\u003elist(object({\u003cbr\u003e    name   = string\u003cbr\u003e    values = list(string)\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e[\u003cbr\u003e  {\u003cbr\u003e    \"name\": \"subnet-id\",\u003cbr\u003e    \"values\": [\u003cbr\u003e      \"subnet-0490ffe38d62c4c4c\"\u003cbr\u003e    ]\u003cbr\u003e  }\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_public_subnet_filter\"\u003e\u003c/a\u003e [public\\_subnet\\_filter](#input\\_public\\_subnet\\_filter) | Tag filter | \u003cpre\u003elist(object({\u003cbr\u003e    name   = string\u003cbr\u003e    values = list(string)\u003cbr\u003e  }))\u003c/pre\u003e | \u003cpre\u003e[\u003cbr\u003e  {\u003cbr\u003e    \"name\": \"subnet-id\",\u003cbr\u003e    \"values\": [\u003cbr\u003e      \"subnet-0490ffe38d62c4c4c\"\u003cbr\u003e    ]\u003cbr\u003e  }\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_region\"\u003e\u003c/a\u003e 
[region](#input\\_region) | The AWS region to be used. | `string` | `\"eu-central-1\"` | no |\n| \u003ca name=\"input_scan_schedule\"\u003e\u003c/a\u003e [scan\\_schedule](#input\\_scan\\_schedule) | 6-field Cron expression describing the scan maintenance schedule. Must not overlap with variable install\\_schedule. | `string` | `\"cron(0 0 * * ? *)\"` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | The tags to be added to all resources. | `map(any)` | `{}` | no |\n| \u003ca name=\"input_vpcCidr\"\u003e\u003c/a\u003e [vpcCidr](#input\\_vpcCidr) | The CIDR for the virtual private cluster. | `string` | `\"10.1.0.0/18\"` | no |\n| \u003ca name=\"input_vpcId\"\u003e\u003c/a\u003e [vpcId](#input\\_vpcId) | The ID of preconfigured VPC. Empty string will create a new VPC. Check the subnet requirements for nodes https://docs.aws.amazon.com/eks/latest/userguide/network-reqs.html#node-subnet-reqs. | `string` | `\"\"` | no |\n| \u003ca name=\"input_vpcPrivateSubnets\"\u003e\u003c/a\u003e [vpcPrivateSubnets](#input\\_vpcPrivateSubnets) | List of CIDRs for the private subnets. | `list(any)` | \u003cpre\u003e[\u003cbr\u003e  \"10.1.0.0/22\",\u003cbr\u003e  \"10.1.4.0/22\",\u003cbr\u003e  \"10.1.8.0/22\"\u003cbr\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_vpcPublicSubnets\"\u003e\u003c/a\u003e [vpcPublicSubnets](#input\\_vpcPublicSubnets) | List of CIDRs for the public subnets. 
| `list(any)` | \u003cpre\u003e[\u003cbr\u003e  \"10.1.12.0/22\",\u003cbr\u003e  \"10.1.16.0/22\",\u003cbr\u003e  \"10.1.20.0/22\"\u003cbr\u003e]\u003c/pre\u003e | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_application_loadbalancer\"\u003e\u003c/a\u003e [application\\_loadbalancer](#output\\_application\\_loadbalancer) | DNS name of the Application Loadbalancer |\n| \u003ca name=\"output_artexa_instances\"\u003e\u003c/a\u003e [artexa\\_instances](#output\\_artexa\\_instances) | n/a |\n| \u003ca name=\"output_eks_cluster_id\"\u003e\u003c/a\u003e [eks\\_cluster\\_id](#output\\_eks\\_cluster\\_id) | Amazon EKS Cluster Name |\n| \u003ca name=\"output_license_server\"\u003e\u003c/a\u003e [license\\_server](#output\\_license\\_server) | Private DNS name of the license server |\n\u003c!-- END_TF_DOCS --\u003e\n\u003c!-- prettier-ignore-end --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdspace-group%2Fartexa-reference-architecture-aws","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdspace-group%2Fartexa-reference-architecture-aws","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdspace-group%2Fartexa-reference-architecture-aws/lists"}