This Terraform module deploys the Judge platform infrastructure on AWS for customers who have subscribed through the AWS Marketplace. It provisions all necessary AWS resources including EKS, RDS, S3, KMS, and IAM roles required to run the Judge platform.
- Prerequisites
- Quick Start
- Architecture Overview
- Module Features
- Configuration
- Deployment Steps
- Post-Deployment
- Helm Installation
- Customization Options
- Troubleshooting
- Security Considerations
- Cost Optimization
- Support
Before deploying this module, ensure you have:
- AWS Marketplace Subscription: Active subscription to Judge platform on AWS Marketplace
- AWS CLI: Version 2.x or later, configured with appropriate credentials
- Terraform: Version 1.5.0 or later
- kubectl: Version 1.29 or compatible with your EKS version
- Helm: Version 3.x or later
- IAM Permissions: Sufficient permissions to create EKS, RDS, S3, KMS, and IAM resources
Your AWS IAM user/role needs permissions to create and manage:
- EKS clusters and node groups
- RDS PostgreSQL instances
- S3 buckets
- KMS keys
- IAM roles and policies
- VPC and networking resources
- Secrets Manager secrets
- CloudWatch logs
# Clone or download this Terraform module
git clone <repository-url>
cd terraform
# Copy and customize the example configuration
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your specific values
# IMPORTANT: Add your AWS Marketplace ECR details
vim terraform.tfvars
# Initialize Terraform
terraform init
# Review the deployment plan
terraform plan
# Deploy the infrastructure
terraform apply
# Configure kubectl to connect to your new EKS cluster
aws eks update-kubeconfig --region $(terraform output -raw cluster_region) --name $(terraform output -raw cluster_name)
# Save the Helm values to a file
terraform output -raw helm_values > values.yaml
# Install Judge using Helm
helm install judge oci://$(terraform output -raw marketplace_ecr_registry)/judge \
--namespace judge \
--create-namespace \
--values values.yamlThe Judge platform deployment consists of:
- EKS Cluster: Kubernetes 1.29+ cluster with managed node groups
- RDS PostgreSQL: Multi-AZ database for persistent storage
- S3 Buckets: Three buckets for different platform services:
- Archivista: Attestation storage
- Judge: Platform data
- Release: Deployment artifacts
- KMS Key: For signing operations and encryption
- IAM Roles: Service account roles with IRSA for secure AWS service access
- VPC: Isolated network with public and private subnets
- ALB: Application Load Balancer for ingress
- Security Groups: Restrictive security groups for RDS and EKS
- GPU Nodes: For AI workload acceleration
- Route53: DNS zone management
- CloudWatch: Monitoring and logging
- Existing EKS Cluster: Deploy to your existing EKS cluster
- Existing VPC: Use your existing VPC and subnets
- Custom S3 Buckets: Specify existing bucket names
- Multi-AZ RDS deployment option
- Auto-scaling node groups
- Cross-AZ subnet deployment
- KMS encryption for data at rest
- IRSA for pod-level AWS permissions
- Private RDS instances
- Secrets Manager integration
- Security group isolation
| Variable | Description | Required | Default |
|---|---|---|---|
marketplace_ecr_registry |
AWS Marketplace ECR registry URL | Yes | - |
marketplace_account_id |
AWS Marketplace account ID | Yes | - |
aws_region |
AWS region for deployment | No | us-east-1 |
environment |
Environment name | No | prod |
domain_name |
Your domain for the platform | Recommended | - |
# Create new cluster
create_eks_cluster = true
kubernetes_version = "1.29"
# Or use existing cluster
create_eks_cluster = false
existing_cluster_name = "my-cluster"create_rds = true
rds_instance_class = "db.t3.medium" # For production: db.r6i.large or larger
rds_allocated_storage = 100
rds_max_allocated_storage = 1000
rds_multi_az = true # Recommended for production# Auto-generate bucket names (recommended)
archivista_bucket_name = ""
judge_bucket_name = ""
release_bucket_name = ""
# Or specify custom names
archivista_bucket_name = "my-company-judge-archivista"Create your terraform.tfvars file:
# Required AWS Marketplace values (get from your subscription)
marketplace_ecr_registry = "709825985650.dkr.ecr.us-east-1.amazonaws.com"
marketplace_account_id = "709825985650"
# Your configuration
aws_region = "us-east-1"
environment = "production"
domain_name = "judge.mycompany.com"
# Infrastructure sizing
node_group_desired_size = 3
rds_instance_class = "db.r6i.large"
rds_multi_az = true# Initialize Terraform providers and modules
terraform init
# Validate configuration
terraform validate
# Review deployment plan
terraform plan -out=tfplan
# Apply the configuration
terraform apply tfplan# Check EKS cluster
aws eks describe-cluster --name $(terraform output -raw cluster_name)
# Verify node groups are ready
kubectl get nodes
# Check RDS status
aws rds describe-db-instances --db-instance-identifier $(terraform output -raw rds_instance_id)
# Verify S3 buckets
aws s3 ls | grep judgePoint your domain to the ALB created by the ingress controller:
# Get the ALB DNS name after Helm installation
kubectl get ingress -n judge
# Create CNAME records for:
# - gateway.yourdomain.com
# - web.yourdomain.com
# - login.yourdomain.com
# - kratos.yourdomain.com- Create OAuth applications in GitHub/GitLab
- Update the secrets in AWS Secrets Manager:
aws secretsmanager update-secret \
--secret-id judge-marketplace-prod-github-oauth \
--secret-string '{"client_id":"xxx","client_secret":"yyy"}'The databases will be automatically initialized on first run. If manual setup is needed:
# Connect to RDS (requires proper security group access)
psql -h $(terraform output -raw rds_endpoint) -U judgeadmin -d judge
# Create application databases if needed
CREATE DATABASE archivista;
CREATE DATABASE judgeapi;After infrastructure is deployed, install Judge using Helm:
# Add namespace
kubectl create namespace judge
# Get Helm values from Terraform
terraform output -raw helm_values > values.yaml
# Install Judge
helm install judge oci://${MARKETPLACE_ECR_REGISTRY}/judge \
--namespace judge \
--values values.yaml \
--wait \
--timeout 10mFor GitOps deployment with ArgoCD:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: judge
namespace: argocd
spec:
project: default
source:
repoURL: ${MARKETPLACE_ECR_REGISTRY}
targetRevision: 1.0.0
chart: judge
helm:
valueFiles:
- values.yaml
destination:
server: https://kubernetes.default.svc
namespace: judge
syncPolicy:
automated:
prune: true
selfHeal: truecreate_eks_cluster = false
existing_cluster_name = "my-production-cluster"create_vpc = false
existing_vpc_id = "vpc-xxxxxxxxx"
existing_private_subnet_ids = ["subnet-xxx", "subnet-yyy", "subnet-zzz"]
existing_public_subnet_ids = ["subnet-aaa", "subnet-bbb", "subnet-ccc"]enable_gpu_nodes = true
gpu_instance_types = ["g4dn.xlarge"] # NVIDIA T4 GPU
gpu_node_group_min_size = 1
gpu_node_group_max_size = 3create_kms_key = false
# Provide existing KMS key ARN in module configuration# Verify marketplace subscription is active
aws marketplace-catalog describe-entity \
--catalog "AWSMarketplace" \
--entity-id "your-subscription-id"
# Check IAM policy attachment
terraform state show module.iam.aws_iam_policy.ecr_marketplace_pull# Check security groups
aws ec2 describe-security-groups \
--group-ids $(terraform output -raw rds_security_group_id)
# Verify RDS endpoint
aws rds describe-db-instances \
--db-instance-identifier $(terraform output -raw rds_instance_id) \
--query 'DBInstances[0].Endpoint'# Verify IRSA configuration
kubectl describe serviceaccount judge-api -n judge
# Check IAM role trust policy
aws iam get-role --role-name $(terraform output -raw judge_api_role_name)# Check Terraform state
terraform state list
terraform state show <resource>
# EKS cluster logs
aws eks describe-cluster --name $(terraform output -raw cluster_name)
# Pod logs
kubectl logs -n judge deployment/judge-api
kubectl logs -n judge deployment/archivista
# S3 bucket access
aws s3 ls s3://$(terraform output -raw archivista_bucket_name)/-
Network Security
- Keep RDS in private subnets
- Use security groups with minimal required access
- Enable VPC flow logs for audit
-
Data Encryption
- Enable encryption at rest for RDS
- Use KMS keys for S3 encryption
- Rotate secrets regularly
-
Access Control
- Use IRSA for pod-level permissions
- Implement least-privilege IAM policies
- Enable MFA for AWS console access
-
Monitoring
- Enable CloudWatch logging
- Set up CloudWatch alarms
- Use AWS GuardDuty for threat detection
- All data is encrypted at rest
- Network traffic is encrypted in transit
- Audit logs are maintained in CloudWatch
- Supports multi-region deployment for data residency
-
Right-sizing
- Start with smaller instances and scale up
- Use auto-scaling for node groups
- Consider Spot instances for non-critical workloads
-
Storage Optimization
- Enable S3 lifecycle policies
- Use S3 Intelligent-Tiering
- Set appropriate RDS backup retention
-
Reserved Instances
- Purchase RDS Reserved Instances for production
- Consider Savings Plans for EC2 (node groups)
| Component | Instance Type | Estimated Monthly Cost |
|---|---|---|
| EKS Control Plane | - | $73 |
| Node Groups (3x) | t3.large | $150 |
| RDS PostgreSQL | db.t3.medium | $100 |
| S3 Storage | 100GB | $3 |
| KMS | 10,000 requests | $1 |
| Total | ~$327 |
Note: Costs vary by region and usage patterns
- Documentation: Judge Platform Docs
- AWS Marketplace: Judge Listing
- GitHub Issues: Report Issues
- Check the troubleshooting section above
- Review CloudWatch logs for errors
- Contact AWS Marketplace support
- Reach out to TestifySec support team
To update to a new version:
# Update Helm chart
helm upgrade judge oci://${MARKETPLACE_ECR_REGISTRY}/judge \
--namespace judge \
--values values.yaml \
--version <new-version>This Terraform module is provided as part of your Judge platform subscription through AWS Marketplace. Usage is governed by the AWS Marketplace terms and conditions.
Version: 1.0.0
Last Updated: 2024
Maintained By: TestifySec