Deployment steps
Deploy Unity Virtual Private Cloud to Amazon Web Services
Before deployment, check the prerequisites.
If all prerequisites are met, the deployment should take 30 to 60 minutes. This time doesn't include the subsequent administration tasks, such as setting up an identity provider for single sign-on (SSO).
Follow these steps to deploy Virtual Private Cloud to your AWS account.
1. Unpackage the archive file
The archive file contains the Terraform scripts and the Helm charts that are required for deployment.
- Before you download the required scripts and packaging, install the ORAS command line interface (CLI).
- Sign in to the private container registry using your provided credentials:
  $ oras login uccmpprivatecloud.azurecr.io
  Username:
  Token:
- To list the available releases, run this command:
  oras repo tags uccmpprivatecloud.azurecr.io/releases/aws-configuration
- To pull a specific release package, run the following command:
  oras pull uccmpprivatecloud.azurecr.io/releases/aws-configuration:2025.13.100
- Check that the following package is in your file system:
  unity-private-cloud-aws-2025.13.100.tar.gz
- To create the following directory, run this command:
  mkdir asset-solutions-private-cloud
- Run this command:
  tar -xvzf unity-private-cloud-aws-*.tar.gz -C asset-solutions-private-cloud
  This directory contains all scripts and configuration:
  ./asset-solutions-private-cloud
2. Set up a Terraform backend
Terraform stores its backend state in JSON format. Store state files in a safe, remote place with incremental backups. You can run Terraform locally, but this practice isn't recommended as a long-term solution. To manage Terraform state remotely, you might want to use an S3 backend where object versioning is enabled. There are a number of remote backends, including Terraform Cloud. If you need an S3 backend, complete these steps:
- To set up the Terraform backend, run this command:
  ./aws/scripts/setup-terraform-backend.sh
  When prompted, enter an AWS region (for example, us-east-1) and then press Enter. This script provisions a backend in your AWS account that uses S3 and DynamoDB to store state and state locks, respectively.
- The script creates the backend file and copies the backend variables to it. You don't need to perform these operations manually.
  The terraform backend has been successfully created and stored in 'aws/terraform/backends/us-east-1.tfvars'.
3. Provision resources with Terraform
Using Terraform, deploy and manage all required AWS resources.
3.1 Set the Terraform variables
- Set the following required variables. The recommended practice is to customize these variables for your own environment, in this file:
  aws/terraform/tfvars/us-east-1.tfvars
  Set these variables:
  region = "us-east-1"
  vpc_id = "vpc-<YOUR_VPC_ID>"
  private_subnet_ids = [
    "subnet-<YOUR_SUBNET_ID_1>",
    "subnet-<YOUR_SUBNET_ID_2>",
  ]
  asset_solutions_domain = "example.com"
  keycloak_mini_usf_clientsecret = "<YOUR_KEYCLOAK_CLIENT_SECRET>" # This should be unique
  uvcs_url = "https://plasticscm.example.com:7179"
  uvcs_authorization = "Bearer <YOUR_UVCS_AUTHORIZATION_TOKEN>"
  uvcs_repository_guid = "<YOUR_REPOSITORY_GUID>"
  allowed_ingress_cidrs = [
    "0.0.0.0/0",
  ]
- Customize the following command to your preferred region, and then run it:
  $ cd aws/terraform
  $ make init-us-east-1
  $ make apply-us-east-1
  Outputs:
  aws_secretsmanager_secret_config_name = "asset-solutions/configuration"
  enable_cluster_autoscaler = true
  enable_external_secrets = true
  enable_istio = false
  enable_metrics_server = true
  environment_name = "dev"
  TARGET_DIR is empty. Defaulting to ../argocd/us-east-1:
  Merging helm values files...
  Copying generated Helm charts and values to target directory: ../argocd/us-east-1
  ✅ Successfully generated Helm charts and values.
  Cleaning up temporary files...
- To view a list of all resources that have been created with Terraform, run this command:
  terraform state list
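Before running make apply-us-east-1, the variables file from step 3.1 is worth checking for template placeholders that were never replaced and for an allowed_ingress_cidrs list that still contains 0.0.0.0/0, which admits every IPv4 source address. The following check is an added example, not part of the Unity release package; the function name check_tfvars, the sample subnet ID, and the additional ::/0 test are assumptions made here.

```shell
#!/bin/sh
# Added example (not part of the vendor's scripts): pre-flight check for the
# variables file from step 3.1, run before `make apply-<region>`.

# check_tfvars FILE
# Prints one finding per line and returns 1 if any were found, 0 otherwise.
# Findings name only the placeholder, never the line's value, so real secrets
# in the file are not echoed to the terminal or a CI log.
check_tfvars() {
  awk '
    /^[ \t]*#/ { next }                                # skip comment-only lines
    match($0, /<YOUR_[A-Z0-9_]+>/) {                   # template value left in place
      printf "%s:%d: placeholder %s was not replaced\n",
             FILENAME, NR, substr($0, RSTART, RLENGTH)
      n++
    }
    /^[ \t]*allowed_ingress_cidrs[ \t]*=/ { in_list = 1 }
    in_list && /"(0\.0\.0\.0|::)\/0"/ {                # any-source IPv4 or IPv6 range
      printf "%s:%d: allowed_ingress_cidrs admits every source address\n",
             FILENAME, NR
      n++
    }
    in_list && /\]/ { in_list = 0 }                    # end of the CIDR list
    END { exit (n > 0) }
  ' "$1"
}

# Constructed sample: the page's template with only some values filled in.
sample=$(mktemp)
cat > "$sample" <<'EOF'
region = "us-east-1"
vpc_id = "vpc-<YOUR_VPC_ID>"
private_subnet_ids = [
  "subnet-0a1b2c3d",
  "subnet-<YOUR_SUBNET_ID_2>",
]
asset_solutions_domain = "example.com"
keycloak_mini_usf_clientsecret = "<YOUR_KEYCLOAK_CLIENT_SECRET>" # This should be unique
allowed_ingress_cidrs = [
  "0.0.0.0/0",
]
EOF

check_tfvars "$sample" || echo "Resolve the findings above before applying."
```

Against a real deployment, call it as check_tfvars aws/terraform/tfvars/us-east-1.tfvars and treat a non-zero return as a reason to stop before the apply step.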
4. Install the Helm charts
Many of the required services run on Kubernetes. To deploy these services, install the Helm charts on the cluster. You can use different methods. The following steps use the helm
- Run this command:
  cd aws/terraform
  make helm-upgrade-us-east-1
  This command installs all the necessary Helm charts on the Kubernetes cluster. The Helm charts are generated from the Terraform output and are stored by default in this directory: aws/argocd/us-east-1.
- To check the status of the deployments, run this command:
  kubectl get pods --all-namespaces --watch
- Ensure that all pods eventually move to the Running state.
- If a pod isn't running, describe it and check its logs to find the issue.
5. Configure the DNS and certificates
To make Asset Manager secure and accessible, you need DNS records and certificates. The configuration of DNS depends on the DNS provider and certificate authority. For example, you can configure DNS with Route 53 and issue certificates using AWS Certificate Manager.
- Register a fully qualified domain name (FQDN) for the frontend, for example, example.com. By default, the deployment of Traefik creates a Classic Load Balancer in AWS and uses the certificate that is defined in the traefik_certificate_secret_name Terraform variable.
- If you want to use AWS Certificate Manager to manage certificates, then, to reference an existing certificate, add this Terraform variable:
  traefik_service_annotations = {
    "service.beta.kubernetes.io/aws-load-balancer-ssl-cert" : "arn:aws:acm:us-east-1:555555555555:certificate/16fc5d31-55ad-41b8-86c4-d43bce6bd95a"
  }