Deployment steps
Deploy Unity Virtual Private Cloud to Amazon Web Services
Before deployment, check the prerequisites.
If all prerequisites are met, the deployment should take 30 to 60 minutes. This time doesn't include the subsequent administration tasks, such as setting up an identity provider for single sign-on (SSO).
Follow these steps to deploy Virtual Private Cloud to your AWS account.
1. Unpackage the archive file
The archive file contains the Terraform scripts and the Helm charts that are required for deployment.
- Before you download the required scripts and packaging, install the ORAS command line interface (CLI).
- Sign in to the private container registry using your provided credentials:
$ oras login uccmpprivatecloud.azurecr.io
Username:
Token:
- To list the available releases, run this command:
oras repo tags uccmpprivatecloud.azurecr.io/releases/aws-configuration
- To pull a specific release package, run the following command:
oras pull uccmpprivatecloud.azurecr.io/releases/aws-configuration:2025.13.100
- Check that the following package is in your file system:
unity-private-cloud-aws-2025.13.100.tar.gz
- To create the following directory, run this command:
mkdir asset-solutions-private-cloud
- Run this command:
tar -xvzf unity-private-cloud-aws-*.tar.gz -C asset-solutions-private-cloud
This directory contains all scripts and configuration:
../asset-solutions-private-cloud
2. Set up a Terraform backend
Terraform stores its backend state in .json format. Store state files in a safe, remote place with incremental backups. You can run Terraform locally, but this practice isn't recommended as a long-term solution. To manage Terraform state remotely, you might want to use an S3 backend where object versioning is enabled. There are a number of remote backends including Terraform Cloud. If you need an S3 backend, complete these steps:
- To set up the Terraform backend, run this command:
$ ./aws/.scripts/setup-terraform-backend.sh
When prompted, enter an AWS region, for example us-east-1, and then press Enter. This script provisions a backend in your AWS account that uses both S3 and DynamoDB to store state and state locks respectively.
- Make a note of the backend output:
Use the following bucket name and region for the Terraform backend configuration (store this in 'aws/terraform/backends/us-east-1.tfvars').
bucket = "terraform-state-asset-solutions-633a7c"
dynamodb_table = "terraform-state-lock-633a7c"
key = "infra.tfstate"
region = "us-east-1"
- Create the backend file at the location that is specified in the output.
- Copy the variables from this output to the new backend file.
3. Provision resources with Terraform
Using Terraform, deploy and manage all required AWS resources.
3.1 Set the Terraform variables
- Set the following required variables. The recommended practice is to customize these variables for your own environment, in this directory:
aws/terraform/tfvars/us-east-1.tfvars
Set these variables:
region = "us-east-1"
vpc_id = "vpc-<YOUR_VPC_ID>"
private_subnet_ids = [
  "subnet-<YOUR_SUBNET_ID_1>",
  "subnet-<YOUR_SUBNET_ID_2>",
]
asset_solutions_domain = "example.com"
keycloak_mini_usf_clientsecret = "<YOUR_KEYCLOAK_CLIENT_SECRET>" # This should be unique
uvcs_url = "https://plasticscm.example.com:7179"
uvcs_authorization = "Bearer <YOUR_UVCS_AUTHORIZATION_TOKEN>"
uvcs_repository_guid = "<YOUR_REPOSITORY_GUID>"
allowed_ingress_cidrs = [
  "0.0.0.0/0",
]
- Customize the following command to your preferred region, and then run it:
$ cd aws/terraform
$ make init-us-east-1
$ make apply-us-east-1
Outputs:
aws_secretsmanager_secret_config_name = "asset-solutions/configuration"
enable_cluster_autoscaler = true
enable_external_secrets = true
enable_istio = false
enable_metrics_server = true
environment_name = "dev"
TARGET_DIR is empty. Defaulting to ../argocd/us-east-1:
Merging helm values files...
Copying generated Helm charts and values to target directory: ../argocd/us-east-1
✅ Successfully generated Helm charts and values.
Cleaning up temporary files...
- To view a list of all resources that have been created with Terraform, run this command:
terraform state list
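Before running make apply-us-east-1, the variables file from step 3.1 can be checked for unreplaced <YOUR_...> placeholders, an allowed_ingress_cidrs list that still contains 0.0.0.0/0, and file permissions that expose the client secret and authorization token it holds. This is an added example, not part of the Unity release package; the function name lint_tfvars and the sample file contents are constructed here.

```shell
#!/bin/sh
# Added example, not part of the release package. lint_tfvars is a
# hypothetical helper: it prints one finding per line for the step 3.1
# tfvars file and returns non-zero if there is any finding.
lint_tfvars() {
    f=$1
    rc=0
    # 1. Template placeholders such as <YOUR_VPC_ID> that were never replaced.
    for p in $(grep -o '<YOUR_[A-Z0-9_]*>' "$f" | sort -u); do
        echo "placeholder: $p"
        rc=1
    done
    # 2. allowed_ingress_cidrs open to every address. The list may sit on one
    #    line or span several, so scan until the closing bracket.
    if awk '/^[ \t]*allowed_ingress_cidrs[ \t]*=/ { on = 1 }
            on { if ($0 ~ /"0\.0\.0\.0\/0"/) hit = 1
                 if ($0 ~ /\]/) on = 0 }
            END { exit !hit }' "$f"; then
        echo "open-ingress: allowed_ingress_cidrs contains 0.0.0.0/0"
        rc=1
    fi
    # 3. The file carries keycloak_mini_usf_clientsecret and uvcs_authorization,
    #    so group and others should have no permission bits on it.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "permissions: $f is accessible to group or others"
        rc=1
    fi
    return $rc
}

# Constructed sample: the step 3.1 template with only the VPC ID filled in.
sample=$(mktemp)
cat > "$sample" <<'EOF'
region = "us-east-1"
vpc_id = "vpc-0123456789abcdef0"
private_subnet_ids = [
  "subnet-<YOUR_SUBNET_ID_1>",
  "subnet-<YOUR_SUBNET_ID_2>",
]
keycloak_mini_usf_clientsecret = "<YOUR_KEYCLOAK_CLIENT_SECRET>"
allowed_ingress_cidrs = [
  "0.0.0.0/0",
]
EOF
lint_tfvars "$sample" || echo "fix the findings before make apply-us-east-1"
```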
4. Install the Helm charts
Many of the required services run on Kubernetes. To deploy these services, install the Helm charts on the cluster. You can use different methods. The following steps use the helm
- Run this command:
cd aws/terraform
make helm-upgrade-us-east-1
This command installs all the necessary Helm charts on the Kubernetes cluster. The Helm charts are generated from the Terraform output and are stored by default in this directory:
aws/argocd/us-east-1
- To check the status of the deployments, run this command:
kubectl get pods --all-namespaces --watch
- Ensure that all pods eventually move to the Running state.
- If a pod isn't running, describe it and check its logs to find the issue.
5. Configure the DNS and certificates
To make Asset Manager secure and accessible, you need DNS records and certificates. The configuration of DNS depends on the DNS provider and certificate authority. For example, you can configure DNS with Route53 and issue certificates using AWS Certificate Manager.
- Register a fully qualified domain name (FQDN) for the frontend, for example, example.com. By default, the deployment of Traefik creates a Classic Load Balancer in AWS and uses the certificate that is defined in the traefik_certificate_secret_name Terraform variable.
- If you want to use AWS Certificate Manager to manage certificates, then, to reference an existing certificate, add this Terraform variable:
traefik_service_annotations = {
  "service.beta.kubernetes.io/aws-load-balancer-ssl-cert" : "arn:aws:acm:us-east-1:555555555555:certificate/16fc5d31-55ad-41b8-86c4-d43bce6bd95a"
}