Welcome to ezyFlo

This guide will help you set up ezyFlo on AWS step-by-step. Whether you're new to AWS or an experienced user, we'll walk you through everything you need to get started. Expect this process to take about 30-60 minutes.

What you'll need: An AWS account, a web browser, a local terminal (Windows PowerShell or macOS shell), and a little patience. Let's get your ezyFlo environment up and running!

Before You Begin

Make sure you have the following ready to ensure a smooth setup:

  • An AWS account with Root or Administrator access is required.
    If you do not have an account, sign up here.
  • For non-administrator users, contact your FortunaClouds Sales Executive to obtain the list of required IAM policies and permissions.
  • A command-line interface (CLI) such as PowerShell, macOS Terminal, or any AWS CLI-enabled environment for accessing the EC2 instance.
  • Custom Domain Setup (via AWS Route 53):
    1. Go to the AWS Route 53 Console and create a hosted zone for your custom domain, such as acme.com.
    2. If your domain is managed outside AWS (e.g., Namecheap, GoDaddy), update your registrar's DNS settings with the nameservers provided by Route 53. If your domain is in AWS, no extra configuration is required.
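  • Quota Check: Ensure your AWS account has at least 100 vCPUs available in the target region. Connect using AWS CloudShell, then run these commands to verify:
    # Spot quota: All Standard (A, C, D, H, I, M, R, T, Z) Spot Instance Requests
    aws service-quotas get-service-quota --service-code ec2 --quota-code L-34B43A08
    # On-Demand quota: Running On-Demand Standard (A, C, D, H, I, M, R, T, Z) instances
    aws service-quotas get-service-quota --service-code ec2 --quota-code L-1216C47A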

    If your quota is below 100, request an increase in the AWS Service Quotas Console.

  • SMTP Configuration

    To enable email delivery of the One-Time Password (OTP) used for Multi-Factor Authentication (MFA), configure an SMTP service:

    • Choose a supported SMTP provider (e.g., Office365, Amazon SES, Gmail SMTP, Mailgun, SendGrid, etc.).
    • If using AWS SES, verify your sending domain or email address in the SES Console.
    • Collect the following SMTP credentials:
      • SMTP server endpoint
      • SMTP port (usually 587 or 465)
      • SMTP username
      • SMTP password or API key

The following AWS regions are supported for the ezyFlo platform:

Region Name                 Region Code      Availability Zones (Compute)
US East (Ohio)              us-east-2        3
US East (N. Virginia)       us-east-1        6
US West (Oregon)            us-west-2        4
Africa (Cape Town)          af-south-1       3
South America (São Paulo)   sa-east-1        3
Asia Pacific (Hong Kong)    ap-east-1        3
Asia Pacific (Hyderabad)    ap-south-2       3
Asia Pacific (Mumbai)       ap-south-1       3
Asia Pacific (Seoul)        ap-northeast-2   4
Asia Pacific (Singapore)    ap-southeast-1   3
Asia Pacific (Sydney)       ap-southeast-2   3
Asia Pacific (Tokyo)        ap-northeast-1   3
Canada (Central)            ca-central-1     3
China (Beijing)             cn-north-1       3
China (Ningxia)             cn-northwest-1   3
Europe (Frankfurt)          eu-central-1     3
Europe (Ireland)            eu-west-1        3
Europe (London)             eu-west-2        3
Europe (Milan)              eu-south-1       3
Europe (Paris)              eu-west-3        3
Europe (Spain)              eu-south-2       3
Europe (Stockholm)          eu-north-1       3
Middle East (UAE)           me-central-1     3
AWS GovCloud (US-West)      us-gov-west-1    3
AWS GovCloud (US-East)      us-gov-east-1    3

  • Set Up Credentials in AWS Secrets Manager

    Create secure credentials for ezyFlo using AWS Secrets Manager. Use a working email address for admin_email, as it will be used for Multi-Factor Authentication (MFA). You will need to enter a security code sent to this email to complete the setup.

Warning: Ensure the secret name infra-creds doesn't already exist in Secrets Manager. Check in the AWS Console first.

Requirements:

  • Usernames: 12 lowercase letters (e.g., fcadmin, airflowadmin).
  • Passwords: 32 characters, mix of lowercase, uppercase, and numbers.
  • Email: A valid, accessible email address for MFA verification.
                    
# Create a new secret in AWS Secrets Manager named 'infra-creds'.
# Every value below is a sample: replace each one before running, following the
# requirements above, and do not reuse one password across services.
aws secretsmanager create-secret \
--name infra-creds \
--description "Credentials for services" \
--secret-string '{
     "grafana_username": "admin",
     "grafana_password": "ouopOgSFbyADuXLGHPUm",
     "airflow_username": "airflowadmin",
     "airflow_password": "RvlidZcecpenFjlHYaFJ",
     "docdb_username": "fcdocdb",
     "docdb_password": "RvlidZcecpenFjlHYaFJ",
     "airflow_psqldb_username": "fcpsqlairflow",
     "airflow_psqldb_password": "RvlidZcecpenFjlHYaFJ",
     "openfga_psqldb_username": "fcpsqlopenfga",
     "openfga_psqldb_password": "RvlidZcecpenFjlHYaFJ",
     "admin_email": "example@email.com",
     "smtp_server": "smtp.example.com",
     "sender_email": "user@example.com",
     "sender_password": "sample-password"
   }'

                  

What it does:

  • aws secretsmanager create-secret: Creates a new secret in AWS Secrets Manager.
  • --name infra-creds: Names the secret infra-creds.
  • --description: Describes the secret's purpose.
  • --secret-string: Stores usernames, passwords, and other settings for ezyFlo services.
Tip: After running this, note the secret's ARN. You'll need it in the setup steps.
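
The password requirements and the create-secret call above, as an added example that is not part of ezyFlo's own tooling: it generates a separate 32-character password per service, writes the JSON to a 0600 file, and passes it with file:// so the passwords never appear on the command line or in shell history. The function names, the infra-creds.json file name and the ADMIN_EMAIL, SMTP_SERVER, SENDER_EMAIL and SENDER_PASSWORD environment variables are assumptions of this example; keys and usernames are those of the sample above.

```bash
# Added example, not ezyFlo tooling. Keys and usernames follow the sample above.
# True only for 32 characters from a-z, A-Z, 0-9 with all three classes present.
valid_password() {
  [ "${#1}" -eq 32 ] || return 1
  if printf '%s' "$1" | LC_ALL=C grep -q '[^A-Za-z0-9]'; then return 1; fi
  printf '%s' "$1" | LC_ALL=C grep -q '[a-z]' || return 1
  printf '%s' "$1" | LC_ALL=C grep -q '[A-Z]' || return 1
  printf '%s' "$1" | LC_ALL=C grep -q '[0-9]'
}

# Prints a password drawn from /dev/urandom, retrying until it is valid.
gen_password() {
  while :; do
    pw=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32)
    if valid_password "$pw"; then printf '%s\n' "$pw"; return 0; fi
  done
}

# Writes the secret JSON to file $1 (mode 0600), one fresh password per service.
# ADMIN_EMAIL, SMTP_SERVER, SENDER_EMAIL, SENDER_PASSWORD: hypothetical env names.
write_creds_file() {
  for v in "$ADMIN_EMAIL" "$SMTP_SERVER" "$SENDER_EMAIL" "$SENDER_PASSWORD"; do
    case $v in ''|*\"*|*\\*) echo "empty or needs JSON escaping" >&2; return 1 ;; esac
  done
  rm -f -- "$1"
  ( umask 077; cat > "$1" <<EOF
{
  "grafana_username": "admin",
  "grafana_password": "$(gen_password)",
  "airflow_username": "airflowadmin",
  "airflow_password": "$(gen_password)",
  "docdb_username": "fcdocdb",
  "docdb_password": "$(gen_password)",
  "airflow_psqldb_username": "fcpsqlairflow",
  "airflow_psqldb_password": "$(gen_password)",
  "openfga_psqldb_username": "fcpsqlopenfga",
  "openfga_psqldb_password": "$(gen_password)",
  "admin_email": "$ADMIN_EMAIL",
  "smtp_server": "$SMTP_SERVER",
  "sender_email": "$SENDER_EMAIL",
  "sender_password": "$SENDER_PASSWORD"
}
EOF
  )
}

# Aborts if infra-creds already exists; otherwise creates it and prints its ARN.
create_infra_creds() {
  if aws secretsmanager describe-secret --secret-id infra-creds >/dev/null 2>&1; then echo "infra-creds already exists" >&2; return 1; fi
  write_creds_file infra-creds.json || return 1
  aws secretsmanager create-secret --name infra-creds --description "Credentials for services" \
    --secret-string file://infra-creds.json --query ARN --output text
  rc=$?; rm -f infra-creds.json; return "$rc"
}
```
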

Setup Steps

Follow these steps to deploy ezyFlo on AWS. Steps 1-5 can be performed in the AWS Console, CloudShell, or a local terminal with AWS CLI configured. Step 6 must be executed on the EC2 instance via SSH. Each step includes a command to run, an explanation, and tips to help you succeed.

1. Subscribe to ezyFlo

Add ezyFlo to your AWS account via the AWS Marketplace.

  1. Visit the ezyFlo Marketplace page.
  2. Click Subscribe to add ezyFlo to your account.
  3. Wait for confirmation that ezyFlo is ready to deploy (this may take a few minutes).
Tip: Check your AWS Marketplace dashboard to confirm the subscription.

2. Select AWS Region and Terminal

Select the AWS region where you want to deploy ezyFlo (e.g., us-east-2). The region determines the geographic location of your infrastructure (EC2 instances, S3 buckets, etc.). Then, choose whether to use AWS CloudShell or a local terminal for running setup scripts.

Obtain AWS Credentials: Contact your IT team to obtain your AWS Access Key ID and Secret Access Key. These credentials are required to configure the AWS CLI for authentication.

If using the AWS Console (e.g., CloudShell): You can choose the region from the region selector in the top-right corner of the AWS Console. Then, open CloudShell by searching for it in the top search bar. A terminal window will appear in your browser.

If using a local terminal with AWS CLI: Ensure that awscli v2 is installed. Follow these steps to install and configure the AWS CLI:

  1. Install AWS CLI v2: Download and install the AWS CLI v2 for your operating system from the AWS CLI installation guide.
  2. Configure AWS CLI: Run the following command in your terminal to configure the AWS CLI with your credentials:
    aws configure

    You will be prompted to enter:

    • AWS Access Key ID: Provided by your IT team.
    • AWS Secret Access Key: Provided by your IT team.
    • Default region name: Enter your chosen region (e.g., us-east-2).
    • Default output format: Recommended to set as json.
Tip: Choose a region close to your primary users for better performance. Ensure consistency across your setup by using the same region for all resources. CloudShell may take a moment to load the first time. Store your AWS credentials securely and never share them.

3. Configure Environment Variables

Before running the prechecks script, export the required environment variables. These values are used by the scripts to deploy and validate the ezyFlo setup.

Important Note: If you are using a non-administrative IAM user, ensure that the value of CUSTOMER_ABBREVIATION matches the prefix used in IAM roles pre-defined in your management-monitoring-policy.json (e.g., demo in demo-eks-s3-access-role).

If you are not sure of the correct abbreviation, please contact your IAM or IT team to confirm the naming convention used when provisioning role/user for your environment.

# Configure your AWS environment variables for seamless deployment
# Replace the values below with your specific AWS and project details

export AWS_ACCOUNT_NUMBER="123456789012"      # Your 12-digit AWS account ID, found in the AWS Management Console
export DOMAIN_NAME="acme.com"                 # Your registered domain name (e.g., acme.com)
export DOMAIN_PREFIX="automation"             # Subdomain prefix for your application (e.g., automation, app, staging, prod)
export AWS_REGION="us-east-1"                 # AWS region for resource deployment (e.g., us-east-1, eu-west-2)
export AZS="us-east-1a,us-east-1b,us-east-1c" # Comma-separated Availability Zones in your region for high availability
export CUSTOMER_ABBREVIATION="demo"           # Short code for your project in 4 letters. (e.g., demo, abcd)
export IDENTITY_ARN="arn:aws:iam::123456789012:user/deployment-user"  # ARN of the IAM user or role for deployment
export CREDS_ARN="arn:aws:secretsmanager:us-east-1:123456789012:secret:prod-creds-abc123"  # ARN of Secrets Manager secret
export USE_ADMIN_POLICY="false"               # Set to "true" for admin access, "false" for least privilege (recommended)
                
Note: You must run these commands in the same terminal session (CloudShell or local) where you will run the prechecks script.

4. Run Automated Prechecks

This script validates your AWS environment to ensure compatibility and permissions before continuing. You can run it in either AWS CloudShell or a local terminal with AWS CLI v2 installed and configured.

curl -s https://ezyflo.fortunaclouds.com/scripts/prechecks.sh -o prechecks.sh && bash prechecks.sh

What this script does:

  • Verifies that the AWS CLI is properly installed and configured.
  • Checks if the provided domain is available.
  • Validates the IAM permissions of the current AWS user.
  • Ensures sufficient vCPU quotas for both on-demand and spot EC2 instances.
Note: This script may take a few minutes. Do not close your terminal or CloudShell while it's running.
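
The `curl -s ... && bash ...` pattern used in this and the later steps runs whatever was saved: without `--fail`, curl exits 0 on an HTTP error and the error page is handed to bash. As an added example (not ezyFlo's code), the functions below download over HTTPS only, reject bodies that are not shell scripts, and return success only when the content matches a hash recorded at a previous review. The function names and the `.sha256` pin files are assumptions of this example; the guide publishes no checksums.

```bash
# Added example, not ezyFlo tooling. The *.sha256 pin files are a convention
# made up for this example.

# Downloads URL $1 to file $2 over HTTPS only. --fail turns an HTTP error
# (404, 500) into a non-zero exit instead of saving the error page for bash.
fetch_script() {
  curl --fail --silent --show-error --location \
       --proto '=https' --proto-redir '=https' --tlsv1.2 \
       --output "$2" "$1"
}

# Prints the SHA-256 of a file (sha256sum on Linux/CloudShell, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Rejects empty files, HTML/XML bodies (proxy or portal pages), and anything
# bash cannot parse. bash -n reads the file without executing it.
plausible_script() {
  [ -s "$1" ] || return 1
  if head -c 512 "$1" | LC_ALL=C grep -qiE '<(!doctype|html|\?xml)'; then return 1; fi
  bash -n "$1" 2>/dev/null
}

# Compares file $1 with the hash recorded in $2 at its last review.
# Returns 0 on match, 1 on mismatch, 2 when nothing has been recorded yet.
check_pin() {
  [ -f "$2" ] || return 2
  [ "$(sha256_of "$1")" = "$(cat "$2")" ]
}

# Returns 0 only when the downloaded content was already reviewed and approved;
# otherwise prints the hash and how to approve it, and returns 3.
fetch_for_review() {
  fetch_script "$1" "$2" || return 1
  plausible_script "$2" || { echo "$2: not a shell script" >&2; return 1; }
  if check_pin "$2" "$2.sha256"; then return 0; fi
  echo "$2 is new or changed, sha256 $(sha256_of "$2")" >&2
  echo "read it, then approve with: sha256_of $2 > $2.sha256" >&2
  return 3
}

# Usage (URL from step 4 of this guide):
#   fetch_for_review https://ezyflo.fortunaclouds.com/scripts/prechecks.sh prechecks.sh \
#     && bash prechecks.sh
```

The same call works for aws-setup.sh, helper.sh, onboard.sh and aws-cleanup.sh; a changed hash on a later run (for example when helper.sh is fetched again during cleanup) means the script must be read again before it is run.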

5. Run the Initial Setup Script

Run the setup script to provision the foundational AWS resources required by ezyFlo, such as IAM roles, S3 buckets, and an EC2 instance. You can run this script using either AWS CloudShell or a local terminal with AWS CLI configured.

curl -s https://ezyflo.fortunaclouds.com/scripts/aws-setup.sh -o aws-setup.sh && bash aws-setup.sh

What it does:

  • curl -s: Downloads the setup script from ezyFlo's server.
  • bash aws-setup.sh: Executes the script to provision required infrastructure components.
Note: This script can be run from AWS CloudShell or a local terminal. Just ensure your AWS CLI is correctly configured with the required credentials and region.

After the script completes:

5.1. Follow the Setup Instructions (CloudShell Only): If you’re running from AWS CloudShell, use the script below to display the SSH command and PEM setup instructions for accessing your EC2 instance.

curl -s https://ezyflo.fortunaclouds.com/scripts/helper.sh -o helper.sh && bash helper.sh
Important Note: Only run helper.sh inside AWS CloudShell. It depends on CloudShell-specific paths and permissions and is not intended for local environments.

This script will output the SSH command (e.g., ssh -i ./keys/fc_admin_us-east-2_20250510123045_abcd1234_key.pem ubuntu@3.141.59.26) along with instructions for creating the keys folder, saving your PEM file, and connecting to the EC2 instance.

5.2. Perform all subsequent steps on the EC2 instance (CloudShell Only):

  • After connecting via SSH using the command from step 5.1, you'll be logged into the EC2 instance as the ubuntu user.
  • All commands from Step 6 onward must be executed in the EC2 SSH session—not from CloudShell or your local terminal.

5.3. Alternative: Retrieve PEM file from AWS Secrets Manager (CloudShell Only):

  • If you can't access the PEM file from CloudShell, retrieve it manually from AWS Secrets Manager:
  • Go to the Secrets Manager section in the AWS Console.
  • Look for the secret named ec2-ssh-key/fc_admin_${REGION}_<suffix>_key (replace ${REGION} with your region, e.g., us-east-2, and <suffix> with the suffix shown in the script output).
  • Click Retrieve secret value, copy the secret string (PEM key), and save it locally in a keys directory with proper file permissions.
Tip: Always store the PEM file and SSH command securely. Keep your session active during Terraform deployment to avoid corrupting the Terraform state.

6. Execute ezyFlo Onboarding

Run the onboarding script in the SSH session on the EC2 instance (see step 5.2), not in CloudShell or on your own machine. This script combines the entire setup process into a single step, including infrastructure setup, Helm chart download, and deployment configuration using Terraform.

curl -s https://ezyflo.fortunaclouds.com/scripts/onboard.sh -o onboard.sh && bash onboard.sh

What it does:

  • Prepares the ezyFlo infrastructure directory structure and backend files.
  • Downloads and extracts the ezyFlo Terraform and Helm configuration.
  • Authenticates with AWS ECR and pulls required container images.
  • Executes Terraform to deploy the complete ezyFlo environment.
Tip: The onboarding process may take 30–45 minutes to complete. Keep your SSH session active during the process to avoid interrupting resource provisioning.

Common Issues & Fixes

  • Error: Secret already exists: If infra-creds already exists when you create the secret in the Before You Begin section, delete it in AWS Secrets Manager or choose a different name.
  • Quota exceeded: If Step 6 fails due to insufficient CPU quotas, request an increase in the AWS Service Quotas dashboard.
  • Permission denied (AWS CLI): Ensure the EC2 instance's IAM role has sufficient permissions (set up in Step 5).

If you encounter other issues, contact support@fortunaclouds.com.

Next Steps

Congratulations! Your ezyFlo environment should now be running. Here's what to do next:

  • Access ezyFlo: Access ezyFlo at the domain configured in Step 3 (e.g., automation.acme.com).
  • Log in: Reach out to the FortunaClouds support team for login credentials.
  • Get support: Join the ezyFlo community forum or email support@fortunaclouds.com for help.

EzyFlo Infrastructure Cleanup Guide

Follow these steps to clean up your ezyFlo infrastructure on AWS. You can perform the cleanup using either AWS CloudShell or AWS CLI on your local machine.

1. Choose Your Terminal Environment

You can use one of the following to connect and destroy your infrastructure:

  • AWS CloudShell: A browser-based terminal within the AWS Console. Ensure you're in the same region where ezyFlo was deployed (e.g., us-east-2).
  • AWS CLI on Local Machine: Ensure you’ve configured the CLI using aws configure with credentials and the correct region.

2. Retrieve EC2 SSH Access

If you used AWS CloudShell during onboarding, you can re-run the helper script to retrieve the SSH command and PEM file setup instructions:

curl -s https://ezyflo.fortunaclouds.com/scripts/helper.sh -o helper.sh && bash helper.sh

This will display the SSH command to connect to the EC2 instance (e.g., ssh -i ./keys/your_key.pem ubuntu@<EC2_PUBLIC_IP>).

Note: The helper.sh script is only supported in CloudShell. If you're using a local terminal, ensure you already have the PEM file downloaded during onboarding.

After connecting to the EC2 instance, you can proceed with the cleanup commands from within the SSH session.

3. Run Cleanup Commands on the EC2 Instance

Once connected to the EC2 instance via SSH, run the following commands to initiate the cleanup process:

  • Disable active infrastructure by commenting out all resources in the fc.tf file.
  • Enable the destruction logic by setting the default value of the flag in destroy.tf to true.
  • Trigger the Terraform destroy workflow using the existing configuration file.

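# Comment out every line of fc.tf to disable the active infrastructure
sed -i 's/^/#/' /home/ubuntu/ezyFlo-infra/terraform/fc.tf
# Change the flag's default in destroy.tf from false to true
sed -i 's/^\(\s*default\s*=\s*\)false/\1true/' /home/ubuntu/ezyFlo-infra/terraform/destroy.tf
# Run the Terraform destroy workflow with the existing variables file
cd /home/ubuntu/ezyFlo-infra/terraform
bash ./fc.sh -t /home/ubuntu/ezyFlo-infra/terraform.tfvars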
            
Note: These commands must be run from the ubuntu user inside the EC2 instance created during onboarding.

4. Monitor Spot Instance Termination on the EC2 Instance

Allow approximately 10 minutes for all Spot Instances to terminate gracefully. During this period, you can monitor the status of your cluster nodes using the following command:

kubectl get nodes
Note: You should see exactly 2 nodes running after the Spot Instances have terminated.

5. Destroy Infrastructure from the EC2 Instance

After the Spot Instances have terminated, initiate the infrastructure teardown process from within the EC2 instance.

Use the following nohup command to run the destroy script in the background. This allows you to safely disconnect from the EC2 session while the process continues running:

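# The log path is absolute so the file is written to the terraform directory whatever the current directory is
nohup bash -c "cd /home/ubuntu/ezyFlo-infra/terraform && terraform plan -out=qainfra.out --destroy -var-file='/home/ubuntu/ezyFlo-infra/terraform.tfvars' && terraform apply 'qainfra.out'" > /home/ubuntu/ezyFlo-infra/terraform/destroy-output.log 2>&1 &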
                
Note: The destroy process typically takes around 30–40 minutes to complete. You can check progress by reviewing the destroy-output.log file:
cd /home/ubuntu/ezyFlo-infra/terraform
tail -f destroy-output.log
                  

6. Final Cleanup from CloudShell or Local AWS CLI

After you exit the EC2 instance, perform the final resource cleanup using either AWS CloudShell or AWS CLI on your local machine.

Run the following command to delete residual resources (e.g., IAM roles, S3 buckets, etc.):

curl -s https://ezyflo.fortunaclouds.com/scripts/aws-cleanup.sh -o aws-cleanup.sh && bash aws-cleanup.sh

During execution, you will be prompted to confirm certain actions (typically twice). Follow the prompts to continue.

Note: This script is compatible with both CloudShell and AWS CLI on your local machine. Make sure your terminal session is configured with the correct AWS credentials and region.

If you encounter errors related to S3 bucket deletion, follow these manual steps:

  • Identify the bucket: Go to the AWS S3 Console and search for buckets with names containing your project prefix (e.g., fc_admin).
  • Empty the bucket: Select the bucket, click "Empty", and confirm deletion of all objects and versions (if versioning is enabled).
  • Delete the bucket: After emptying, return to the bucket list, click "Delete", and confirm the deletion.

Once the S3 bucket has been deleted manually, please run the cleanup script again to ensure all resources are fully removed:

bash aws-cleanup.sh

© 2025 ezyFlo. All rights reserved.