Merge pull request #1093 from segmentio/dl-manual-setup

moving this from a google doc into an actual doc

Author: markzegarelli

src/connections/storage/catalog/data-lakes/index.md

@@ -20,7 +20,7 @@ Before you set up Segment Data Lakes, you need the following resources:
 
 You can use the [open source Terraform module](https://github.com/segmentio/terraform-aws-data-lake) to automate much of the set up work to get Data Lakes up and running. If you’re familiar with Terraform, you can modify the module to meet your organization’s needs, however Segment guarantees support only for the template as provided. The Data Lakes set up uses Terraform v0.11+. To support more versions of Terraform, the aws provider must use v2, which is included in our example main.tf.
 
-You can also use our [manual set up instructions](https://docs.google.com/document/d/1GlWzS5KO4QaiVZx9pwfpgF-N-Xy2e_QQcdYSX-nLMDU/view) to configure these AWS resources if you prefer.
+You can also use our [manual set up instructions](/docs/connections/storage/data-lakes/data-lakes-manual-setup) to configure these AWS resources if you prefer.
 
 The Terraform module and manual set up instructions both provide a base level of permissions to Segment (for example, the correct IAM role to allow Segment to create Glue databases on your behalf). If you want stricter permissions, or other custom configurations, you can customize these manually.
 
@@ -57,12 +57,12 @@ Once the Data Lakes destination is enabled, the first sync will begin approximat
 
 ## Step 3 - Verify Data is Synced to S3 and Glue
 
-You will see event data and [sync reports](https://segment.com/docs/connections/storage/data-lakes/sync-reports) populated in S3 and Glue after the first sync successfully completes. However if an [insufficient permission](https://segment.com/docs/connections/storage/data-lakes/sync-reports/#insufficient-permissions) or [invalid setting](https://segment.com/docs/connections/storage/data-lakes/sync-reports/#invalid-settings) is provided during set up, the first data lake sync will fail.
+You will see event data and [sync reports](/docs/connections/storage/data-lakes/sync-reports) populated in S3 and Glue after the first sync successfully completes. However if an [insufficient permission](/docs/connections/storage/data-lakes/sync-reports/#insufficient-permissions) or [invalid setting](/docs/connections/storage/data-lakes/sync-reports/#invalid-settings) is provided during set up, the first data lake sync will fail.
 
 To be alerted of sync failures via email, subscribe to the `Storage Destination Sync Failed` activity email notification within the App Settings > User Preferences > [Notification Settings](https://app.segment.com/goto-my-workspace/settings/notifications).
 ![](images/dl_activity_notifications2.png)
 
-`Sync Failed` emails are sent on the 1st, 5th and 20th sync failure. Learn more about the types of errors which can cause sync failures [here](https://segment.com/docs/connections/storage/data-lakes/sync-reports/#sync-errors).
+`Sync Failed` emails are sent on the 1st, 5th and 20th sync failure. Learn more about the types of errors which can cause sync failures [here](/docs/connections/storage/data-lakes/sync-reports/#sync-errors).
 
 
 ## (Optional) Step 4 - Replay Historical Data

src/connections/storage/data-lakes/data-lakes-manual-setup.md

@@ -0,0 +1,192 @@
+---
+hidden: true
+title: Configure the Data Lakes AWS Environment
+---
+
+The instructions below will guide you through the process required to configure the environment required to begin loading data into your Segment Data Lake. For a more automated process, see [Step 1 - Configure AWS Resources](#step-1---configure-aws-resources) above.
+
+
+## Step 1 - Create an S3 Bucket
+
+In this step, you'll create the S3 bucket that will store both the intermediate and final data.
+
+> info ""
+> Take note of the S3 bucket name you set in this step, as the rest of the set up flow requires it. In these instructions, `segment-data-lake` is used.
+
+During the set up process, create a Lifecycle rule and set it to expire staging data after **14 days**. For more information, see Amazon's documentation, [How do I create a lifecycle?](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-lifecycle.html).
+
+![Create a Lifecycle rule to expire staging data after 14 days](images/01_14-day-lifecycle.png)
+
+## Step 2 - Configure an EMR cluster
+
+Segment requires access to an EMR cluster to perform necessary data processing. We recommend starting with a small cluster, with the option to add more compute as required.
+
+### Configure the hardware and networking configuration
+
+1. Locate and select EMR from the AWS console.
+2. Click **Create Cluster**, and open the **Advanced Options**.
+3. In the Advanced Options, on Step 1: Software and Steps, ensure the following options are selected, along with the defaults:
+   - `Use for Hive table metadata`
+   - `Use for Spark table metadata` ![Select to use for both Have and Spark table metadata](images/02_hive-spark-table.png)
+4. In the Networking setup section, select to create the cluster in either a public or private subnet. Creating the cluster in a private subnet is more secure, but requires some additional configuration. Creating a cluster in a public subnet is accessible from the internet. However, you can configure strict security groups to prevent inbound access to the cluster. See Amazon's document, [Amazon VPC Options - Amazon EMR](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-clusters-in-a-vpc.html) for more information. As a best practice, Segment recommends that you consult with your network and security before you configure your EMR cluster.
+5. In the Hardware Configuration section, create a cluster with the nodes listed below. This configuration uses the default **On demand** purchasing option for the instances.
+   - **1** master node
+   - **2** core nodes
+   - **2** task nodes ![Configure the number of nodes](images/03_hardware-node-instances.png)
+ 
+For more information about configuring the cluster hardware and networking, see Amazon's document, [Configure Cluster Hardware and Networking](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-instances.html).
+
+### Enable EMR managed scaling for the Core and Task nodes
+
+On the **Cluster Scaling** settings, select **Use EMR-managed scaling**, and select the following number of task units:
+- Minimum: **2**
+- Maximum: **8**
+- On-demand limit: **8**
+- Maximum Core Node: **2**
+
+![Configure the Cluster scaling options](images/04_cluster-scaling.png)
+
+### Configure logging
+
+On the General Options step, configure logging to use the same S3 bucket you configured as the destination for the final data (`segment-data-lakes` in this case). Once configured, logs will be written to a new prefix, and separated from the final processed data.
+
+Set value of the **vendor** tag to `segment`.
+
+![Configure logging](images/05_logging.png)
+
+### Secure the cluster
+
+On the Security step, ensure that the following steps have been completed:
+1. Create or select an **EC2 key pair**.
+2. Choose the appropriate roles in the **EC2 instance profile**.
+3. Select the appropriate security groups for the Master and Core & Task types.
+
+![Secure the cluster](images/06_secure-cluster.png)
+
+## Step 3 - Create an Access Management role and policy
+
+The following steps provide examples of the IAM Role and IAM Policy.
+
+### IAM Role
+
+Create a `segment-data-lake-role` role for Segment to assume. Attach the following trust relationship document to the role:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "arn:aws:iam::294048959147:role/customer-datalakes-prod-admin",
+          "arn:aws:iam::294048959147:role/datalakes-aws-worker",
+          "arn:aws:iam::294048959147:role/datalakes-customer-service"
+        ]
+      },
+      "Action": "sts:AssumeRole",
+      "Condition": {
+        "StringEquals": {
+          "sts:ExternalId": [
+            "SOURCE_1",
+            "SOURCE_N"
+          ]
+        }
+      }
+    }
+  ]
+}
+```
+
+> note ""
+> **NOTE:** Replace the `ExternalID` list with the Segment `SourceId` values that are synced to the Data Lake.
+
+### IAM Policy
+
+Add a policy to the role created above to give Segment access to the relevant Glue databases and tables, EMR cluster, and S3
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "elasticmapreduce:TerminateJobFlows",
+                "elasticmapreduce:RunJobFlow",
+                "elasticmapreduce:DescribeStep",
+                "elasticmapreduce:DescribeCluster",
+                "elasticmapreduce:CancelSteps",
+                "elasticmapreduce:AddJobFlowSteps"
+            ],
+            "Effect": "Allow",
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "elasticmapreduce:ResourceTag/vendor": "segment"
+                }
+            }
+        },
+                {
+            "Sid": "",
+            "Effect": "Allow",
+            "Action": [
+                "glue:UpdateTable",
+                "glue:UpdatePartition",
+                "glue:GetTables",
+                "glue:GetTableVersions",
+                "glue:GetTableVersion",
+                "glue:GetTable",
+                "glue:GetPartitions",
+                "glue:GetPartition",
+                "glue:DeleteTableVersion",
+                "glue:DeleteTable",
+                "glue:DeletePartition",
+                "glue:CreateTable",
+                "glue:CreatePartition",
+                "glue:CreateDatabase",
+                "glue:BatchGetPartition",
+                "glue:BatchDeleteTableVersion",
+                "glue:BatchDeleteTable",
+                "glue:BatchDeletePartition",
+                "glue:BatchCreatePartition"
+            ],
+            "Resource": [
+                "arn:aws:glue:$REGION:$YOUR_ACCOUNT:table/*",
+                "arn:aws:glue:$REGION:$YOUR_ACCOUNT:database/default",
+                "arn:aws:glue:$REGION:$YOUR_ACCOUNT:database/*",
+                "arn:aws:glue:$REGION:$YOUR_ACCOUNT:catalog"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": "*",
+            "Resource": [
+                "arn:aws:s3:::$BUCKET_NAME/*", 
+                "arn:aws:s3:::$BUCKET_NAME"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "athena:*"
+            ],
+            "Resource": [
+                "*"
+            ]
+        }
+    ]
+}
+```
+
+> note ""
+> **NOTE:** The policy above grants full access to Athena, but the individual Glue and S3 policies decide which table can be queried. Segment queries only for debugging purposes, and will notify you be for running any queries.
+
+## Debugging
+
+Segment requires access to the data and schema for debugging data quality issues. The modes available for debugging are:
+- Access the individual objects stored in S3 and the associated schema in order to understand data discrepancies
+- Run an Athena query on the underlying data stored in S3
+  - Ensure Athena uses Glue as the data catalog. Older accounts may not have this configuration, and may require some additional steps to complete the upgrade. The Glue console typically displays a warning and provides a link to instructions on how to complete the upgrade.
+  - An easier alternative is to create a new account that has Athena backed by Glue as the default. 
+