© 2025 open governance Inc.


Deploy to AWS


Last updated 3 months ago

Step 1. Build Infrastructure (15 mins)

We have tested automation that provisions the required infrastructure.

Deploy Infrastructure (Terraform)

git clone https://github.com/opengovern/automation.git
cd automation/terraform/eks
terraform init
terraform plan
terraform apply -auto-approve

Connect to the Kubernetes cluster. After the infrastructure is provisioned, you will see output similar to this:

Outputs:

configure_kubectl = "aws eks --region us-east-2 update-kubeconfig --name opencomply-abc123"
eks_cluster_name = "opencomply"

Run the command shown in the configure_kubectl output to connect to the Kubernetes cluster.

Deploy Infrastructure (OpenTofu)

git clone https://github.com/opengovern/automation.git
cd automation/product-install/aws/eks
tofu init
tofu plan
tofu apply -auto-approve

Connect to the Kubernetes cluster. After the infrastructure is provisioned, you will see output similar to this:

configure_kubectl = "aws eks --region us-east-2 update-kubeconfig --name opencomply-abc123"
eks_cluster_name = "opencomply-abc123"
vpc_id = "vpc-0abc123def456ghi7"

Run the command shown in the configure_kubectl output to connect to the Kubernetes cluster.

Step 2. Install App

helm repo add opencomply https://charts.opencomply.io
helm repo update
helm install -n opencomply opencomply opencomply/opencomply --create-namespace

Step 3. Configure HTTPS Certificate with ACM

If you already have an ACM certificate for your domain in the same region as the Kubernetes cluster (the ALB can only attach a certificate issued in its own region), simply export the ARN of the existing certificate:

export CERTIFICATE_ARN=arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-5678-90ef-ghij-1234567890a

  a. Using the AWS CLI:

  1. To request a new ACM certificate for the domain using DNS validation (request it in the same region as your EKS cluster):

    export DOMAIN_NAME="demo.opengovernance.io"   # use your own domain
    aws acm request-certificate \
      --region us-east-1 \
      --domain-name $DOMAIN_NAME \
      --validation-method DNS \
      --idempotency-token deploy-2024
  2. Retrieve the Certificate ARN and DNS Validation Records:

    export CERTIFICATE_ARN=$(aws acm list-certificates --region us-east-1 --query "CertificateSummaryList[?DomainName=='$DOMAIN_NAME'].CertificateArn" --output text)
    echo "Certificate ARN: $CERTIFICATE_ARN"

    VALIDATION_RECORDS=$(aws acm describe-certificate --certificate-arn $CERTIFICATE_ARN --region us-east-1 --query "Certificate.DomainValidationOptions[].ResourceRecord" --output json)
    echo "Validation Records: $VALIDATION_RECORDS"
    # Add the returned CNAME records at your DNS provider; ACM issues the certificate once they resolve.
  b. Using the AWS Console:

  1. Access AWS Certificate Manager:

    Navigate to the AWS Certificate Manager console.

  2. Request a Public Certificate:

    • Click Request a certificate -> Choose Request a public certificate -> Request a certificate.

  3. Add Domain Names:

    • Enter your domain name. In this guide we use demo.opengovernance.io; substitute your own.

    • Click Next.

  4. Select Validation Method:

    • Choose DNS validation.

    • Click Next.

    • Click Confirm and request.

  5. Validate Domain Ownership:

    • ACM provides CNAME records for DNS validation.

    • Add these CNAME records to your DNS provider.

  6. Wait for Validation:

    • ACM will validate the domain once the DNS records propagate.

  7. Record the Certificate ARN:

    • After validation, note down the Certificate ARN from the ACM console.

  8. Set Environment Variables:

    export DOMAIN_NAME="demo.opengovernance.io"
    export CERTIFICATE_ARN="arn:aws:acm:us-east-1:account-id:certificate/certificate-id"
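An added pre-flight check for this step (example code, not part of the opencomply docs or tooling): before creating the ingress, confirm that the certificate is issued, covers DOMAIN_NAME, and lives in the same region as the EKS cluster, because the ALB can only attach a certificate from its own region. The inputs are constructed samples shaped like the configure_kubectl line from step 1 and an `aws acm describe-certificate` result; the helper names are this example's own.

```python
import json
import re

# Constructed sample inputs shaped like this guide's command outputs (not real AWS responses)
CONFIGURE_KUBECTL = "aws eks --region us-east-2 update-kubeconfig --name opencomply-abc123"
DOMAIN_NAME = "demo.opengovernance.io"
CERT_DESCRIBE = json.loads("""{"Certificate": {
  "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
  "DomainName": "demo.opengovernance.io", "Status": "ISSUED",
  "SubjectAlternativeNames": ["demo.opengovernance.io"],
  "DomainValidationOptions": [{"ResourceRecord": {"Name": "_abc.demo.opengovernance.io.",
    "Type": "CNAME", "Value": "_xyz.acm-validations.aws."}}]}}""")
ARN_RE = re.compile(r"^arn:aws:acm:([a-z0-9-]+):(\d{12}):certificate/[0-9a-f-]+$")

def cluster_region(configure_kubectl):
    # Region of the EKS cluster, from the --region flag in the configure_kubectl output
    m = re.search(r"--region\s+(\S+)", configure_kubectl)
    return m.group(1) if m else None

def cert_region(arn):
    # ACM certificates are regional; the region is the fourth field of the ARN
    m = ARN_RE.match(arn)
    return m.group(1) if m else None

def host_matches(host, names):
    # A wildcard covers exactly one label, so *.example.io does not cover a.b.example.io
    for n in names:
        if n.startswith("*."):
            if host.endswith(n[1:]) and host.count(".") == n.count("."):
                return True
        elif n == host:
            return True
    return False

def check_certificate(describe, domain, configure_kubectl):
    """Problems that would make the ALB ingress fail to create or serve the wrong certificate."""
    cert = describe["Certificate"]
    problems = []
    if cert.get("Status") != "ISSUED":
        problems.append("status=%s (DNS validation not complete?)" % cert.get("Status"))
    creg, kreg = cert_region(cert["CertificateArn"]), cluster_region(configure_kubectl)
    if creg != kreg:
        problems.append("certificate region %s != cluster region %s" % (creg, kreg))
    if not host_matches(domain, cert.get("SubjectAlternativeNames", [cert["DomainName"]])):
        problems.append("certificate does not cover %s" % domain)
    return problems
```

With the sample data the check reports the region mismatch (certificate in us-east-1, cluster in us-east-2), which is exactly the case where the ingress would never get a load balancer hostname.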

Step 4. Deploy Load Balancer

a. Create Ingress

Use a heredoc to define and apply the Ingress YAML, injecting environment variables for DOMAIN_NAME and CERTIFICATE_ARN.

kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: opencomply
  name: opencomply-ingress
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/backend-protocol: HTTP
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'  # both listeners are opened; port 80 serves plain HTTP without a redirect
    alb.ingress.kubernetes.io/certificate-arn: "$CERTIFICATE_ARN"
    kubernetes.io/ingress.class: alb
spec:
  ingressClassName: alb
  rules:
    - host: "$DOMAIN_NAME"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-proxy  # Replace with actual service name if different
                port:
                  number: 80
EOF

b. Retrieve the Load Balancer DNS Name:

LB_DNS=$(kubectl get ingress opencomply-ingress -n opencomply -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
echo "Load Balancer DNS: $LB_DNS"

c. Create DNS Records

  • Host/Name: demo.example.io (use your own domain)

  • Type: CNAME

  • Value/Points to: the load balancer DNS name held in $LB_DNS

Step 5. Restart App

a. Update App Config

helm upgrade opencomply opencomply/opencomply -n opencomply -f <(cat <<EOF
global:
  domain: ${DOMAIN_NAME}
dex:
  config:
    issuer: https://${DOMAIN_NAME}/dex
EOF
)

b. Restart Services (the pods are deleted so they come back with the new domain and issuer configuration)

kubectl delete pods -l app=nginx-proxy -n opencomply && kubectl delete pods -l app.kubernetes.io/name=dex -n opencomply

The app is now accessible at https://<your-domain-name>
