
Configuring Multiple AWS Linked Accounts with CloudFormation for ASG

Using CloudFormation, you can automatically onboard and configure multiple linked AWS accounts to nOps.

Creating a StackSet in your AWS management (master payer) account deploys stack instances into all child accounts automatically. This saves time by configuring many accounts at once, using the service-managed permissions model.

More information on service-managed permissions

With service-managed permissions, you can deploy stack instances to accounts managed by AWS Organizations. Using this permissions model, you don’t have to create the necessary IAM roles; StackSets creates the IAM roles on your behalf. With this model, you can also turn on automatic deployments to accounts that you add to your organization in the future.

How to configure via StackSet

Prerequisites

  • You must have an admin role in your AWS management (master payer) account.
  • In AWS Organizations > Services > CloudFormation StackSets, enable trusted access for CloudFormation StackSets.

Step-by-step guide

Step 1: API key generation

  • Log in to your nOps dashboard.
  • Navigate to Organization Settings > API key > Generate New API Key.
  • Name the API key as desired, for example "compute-co-pilot-asg".
  • Save the key; it is needed as the Token parameter in Step 3. Treat it as a secret.

Step 2: Deploying StackSet

  • Log in to your AWS management (master payer) account with admin permissions.
  • In the AWS Console, go to CloudFormation > StackSets and click Create StackSet.
  • In the Specify template section, choose Amazon S3 URL.

Add the following S3 URL: https://nops-prd-asg-lambda-us-east-1.s3.us-east-1.amazonaws.com/v0.7.5/cloudformation/lambda-v0.7.5.yaml

Step 3: Specify StackSet details, parameters, and deployment

  • Enter a unique StackSet name.
  • (Optional) Include a StackSet description.
  • Parameters: pass the following parameters to the CloudFormation template.

  • AdditionalPolicy (value: true): We highly recommend not modifying this. It creates an additional policy for the Lambda function role that grants KMS access, which is required to attach encrypted EBS volumes when encryption is configured in the Launch Configuration or Launch Template.
  • AutoUpdate (value: true): We highly recommend not modifying this. AutoUpdate keeps the latest version of the Lambda in your account without manual updates. Note that with AutoUpdate set to true the template also creates nOpsCrossAccountRole, a role with a trust relationship to the nOps account (see Resource Description below).
  • ClusterAutoScaler (value: false): Set this to true only if you are configuring for Cluster Autoscaler.
  • Environment (value: prd): Do not modify; this environment has been thoroughly tested for stability.
  • ExcludeRegions (value: empty, or a comma-separated list of AWS region codes): Regions to exclude from deployment, for example eu-west-2,eu-west-3 (no spaces). If you do not have organization-wide region-based SCPs, leave it empty. If no value is provided during stack creation, it defaults to empty and all active regions are included.
  • MemorySize (value: 1024): Total memory for the Lambda function in MB. We recommend 1024 MB for stable performance.
  • ProjectID (value: 0): Not modifiable.
  • Timeout (value: 240): Lambda function timeout in seconds. It must be between 120 and 900 seconds.
  • Token (value: generated via the nOps dashboard): The API key generated in Step 1. Not modifiable.

  • Click Next.
  • In Configure StackSet options, add tags if needed.
  • Leave Execution configuration as Inactive.
  • Click Next.
  • In Set deployment options, select Deploy new stacks.
  • Under Deploy targets there are two options:
  1. Deploy to Organization
  2. Deploy to Organizational Units (OUs)

Step 4a: If deploying to Organization

Select this option to deploy the stack into all child accounts of the organization. Upon completion, you will see a stack in every child account except the management (master payer) account itself.

  • Once you select Deploy to Organization, do not modify the Auto-deployment options.
  • Under Specify regions, select either us-east-1 (N. Virginia) or us-west-2 (Oregon).
  • Change the Deployment options to the following:
  1. Maximum concurrent accounts (optional): Percentage, 100
  2. Failure tolerance (optional): Percentage, 20
  3. Region concurrency: Parallel

  • Acknowledge the IAM capabilities and submit.
  • Log in to any of the child accounts to verify the deployment.
  • StackSet creation is successful.

Step 4b: If deploying to Organizational Units

Select this option to deploy the stack into a specific Organizational Unit of the organization. Upon completion, you will see CloudFormation stacks in all accounts that belong to that OU.

  • Choose Deploy to Organizational Units (OUs) and add the OU ID. Note: Organizational Unit IDs are located in AWS Console > AWS Organizations.
  • Optionally, narrow the target set with Account filter type and add the account IDs you want to configure, separated by commas. Note: account IDs are located in AWS Console > AWS Organizations.
  • Under Specify regions, select either us-east-1 (N. Virginia) or us-west-2 (Oregon).
  • Change the Deployment options to the following:
  1. Maximum concurrent accounts (optional): Percentage, 100
  2. Failure tolerance (optional): Percentage, 20
  3. Region concurrency: Parallel

  • Acknowledge the IAM capabilities and submit.
  • Log in to any of the child accounts to verify the deployment.
  • StackSet creation is successful.

Step 5: Verifying connection status on the nOps Dashboard

How to configure more accounts

Note: this guide applies only if you chose Deploy to Organizational Units in the previous guide.

If you have additional AWS accounts in your Organization that you want to onboard, you do not need to create a new StackSet. You only need to add more stack instances to the existing one, which is easier and faster than starting from scratch.

Prerequisites

  • StackSet configured
  • Deployed to Organizational Units

Step-by-step guide

  • Log in to your management (master payer) AWS Console with admin permissions.
  • In the AWS Console, go to CloudFormation > StackSets and click the StackSet you created.
  • Click Actions > Add stacks to StackSet.
  • Choose Deploy to Organizational Units (OUs) and add the OU ID. Note: Organizational Unit IDs are in AWS Console > AWS Organizations.
  • Choose Intersection as the Account filter type and add the account IDs (separated by commas) that you want to configure. Note: account IDs are in AWS Console > AWS Organizations.
  • Under Specify regions, select either us-east-1 (N. Virginia) or us-west-2 (Oregon).
  • Change the Deployment options to the following:
  a. Maximum concurrent accounts (optional): Percentage, 100
  b. Failure tolerance (optional): Percentage, 20
  c. Region concurrency: Parallel
  • Click Next.
  • Click Submit.
  • After some time you will see new SUCCEEDED stack instances for all newly targeted accounts, which means all required resources were created.
  • The newly targeted accounts will show a Connected status in the nOps dashboard.
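The following script is an added example (not nOps-provided code) showing the AWS CLI equivalent of the console procedure above: it validates the template parameters (Timeout range, ExcludeRegions format, Lambda region), writes them to a 0600 parameters file so the nOps token never appears on a command line, and emits the create-stack-set and create-stack-instances commands for both the initial deployment (Steps 2 to 4) and the "add more accounts" OU + Intersection case. Assumptions not stated on the page: the template needs CAPABILITY_NAMED_IAM (it creates IAM roles), the auto-deployment flags mirror the console defaults, and all OU, root, account IDs and the token are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not nOps code: CLI equivalent of the console StackSet
# procedure, run from the management (master payer) account.
# Assumptions: CAPABILITY_NAMED_IAM is required (template creates IAM roles);
# auto-deployment flags match the console defaults; IDs/token are placeholders.
set -eu

TEMPLATE_URL="https://nops-prd-asg-lambda-us-east-1.s3.us-east-1.amazonaws.com/v0.7.5/cloudformation/lambda-v0.7.5.yaml"

# The Lambda main region must be us-east-1 or us-west-2.
valid_region() {
  case "$1" in us-east-1|us-west-2) return 0 ;; *) return 1 ;; esac
}

# Timeout is an integer between 120 and 900 seconds.
valid_timeout() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 120 ] && [ "$1" -le 900 ]
}

# ExcludeRegions is empty or a comma-separated list of region codes, no spaces.
valid_exclude_regions() {
  [ -z "$1" ] && return 0
  printf '%s' "$1" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]+(,[a-z]{2}(-[a-z]+)+-[0-9]+)*$'
}

# Write the parameter list as JSON to $1 with mode 0600, so the token is not
# exposed in process listings or shell history.
# $2 Token  $3 ExcludeRegions  $4 Timeout  $5 MemorySize  $6 ClusterAutoScaler
write_parameters_file() {
  valid_timeout "$4" || { echo "Timeout must be 120..900 seconds" >&2; return 1; }
  valid_exclude_regions "$3" || { echo "bad ExcludeRegions: '$3'" >&2; return 1; }
  case "$6" in true|false) ;; *) echo "ClusterAutoScaler must be true|false" >&2; return 1 ;; esac
  (
    umask 077
    cat > "$1" <<EOF
[
  {"ParameterKey": "AdditionalPolicy", "ParameterValue": "true"},
  {"ParameterKey": "AutoUpdate", "ParameterValue": "true"},
  {"ParameterKey": "ClusterAutoScaler", "ParameterValue": "$6"},
  {"ParameterKey": "Environment", "ParameterValue": "prd"},
  {"ParameterKey": "ExcludeRegions", "ParameterValue": "$3"},
  {"ParameterKey": "MemorySize", "ParameterValue": "$5"},
  {"ParameterKey": "ProjectID", "ParameterValue": "0"},
  {"ParameterKey": "Timeout", "ParameterValue": "$4"},
  {"ParameterKey": "Token", "ParameterValue": "$2"}
]
EOF
  )
}

# Steps 2-3: create the StackSet with service-managed permissions and
# auto-deployment to accounts added to the organization later.
create_stackset_cmd() {  # $1 StackSet name  $2 parameters file
  printf 'aws cloudformation create-stack-set --stack-set-name %s --template-url %s --parameters file://%s --permission-model SERVICE_MANAGED --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false --capabilities CAPABILITY_NAMED_IAM\n' \
    "$1" "$TEMPLATE_URL" "$2"
}

# Step 4 and "How to configure more accounts": deploy stack instances.
# $3 is the org root ID (r-...) for Deploy to Organization, or OU IDs for
# Deploy to OUs; an optional $4 (account IDs) applies the Intersection filter.
deploy_instances_cmd() {  # $1 StackSet name  $2 region  $3 OU/root IDs  [$4 account IDs]
  valid_region "$2" || { echo "region must be us-east-1 or us-west-2" >&2; return 1; }
  targets="OrganizationalUnitIds=$3"
  if [ -n "${4:-}" ]; then
    targets="$targets,Accounts=$4,AccountFilterType=INTERSECTION"
  fi
  printf 'aws cloudformation create-stack-instances --stack-set-name %s --regions %s --deployment-targets %s --operation-preferences MaxConcurrentPercentage=100,FailureTolerancePercentage=20,RegionConcurrencyType=PARALLEL\n' \
    "$1" "$2" "$targets"
}

# Dry run: NOPS_TOKEN=... OU_IDS=ou-xxxx-xxxxxxxx sh onboard.sh prints both
# commands (optionally ACCOUNT_IDS=..., EXCLUDE_REGIONS=..., LAMBDA_REGION=...);
# pipe the output to sh to execute them.
if [ -n "${NOPS_TOKEN:-}" ] && [ -n "${OU_IDS:-}" ]; then
  PARAMS_FILE=$(mktemp)
  write_parameters_file "$PARAMS_FILE" "$NOPS_TOKEN" "${EXCLUDE_REGIONS:-}" 240 1024 false
  create_stackset_cmd nops-compute-copilot-asg "$PARAMS_FILE"
  deploy_instances_cmd nops-compute-copilot-asg "${LAMBDA_REGION:-us-east-1}" "$OU_IDS" "${ACCOUNT_IDS:-}"
fi
```

The parameters file rather than inline ParameterKey=...,ParameterValue=... shorthand is deliberate: ExcludeRegions contains commas that break the shorthand parser, and the Token is the nOps API key, which should not be visible in shell history or `ps`. Delete the temporary file once the StackSet exists.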

Resource Description

  • NASGEventBus (EventBus): An event bus that receives events.
  • NASGEventRuleEC2InstanceStateChange (Events Rule): An event rule that monitors EC2 instance state changes (triggered on a new ASG instance launch).
  • NASGEventRuleEC2InstanceStateChangePermission (Lambda Permission): Grants events.amazonaws.com permission to invoke the NASGFunction Lambda function from the NASGEventRuleEC2InstanceStateChange rule.
  • NASGEventRuleScheduledCheck (Events Rule): An event rule that triggers the NASGFunction Lambda function every 30 minutes to analyze configured ASGs.
  • NASGEventRuleScheduledCheckPermission (Lambda Permission): Grants events.amazonaws.com permission to invoke the NASGFunction Lambda function from the NASGEventRuleScheduledCheck rule.
  • NASGFunction (Lambda Function): Handles events from NASGEventBus and does all the work related to ASG instance replacement.
  • NASGFunctionRole (IAM Role): The IAM role for the NASGFunction and NASGLambdaSelfTestFunction Lambda functions, with the actions they need on Auto Scaling and EC2.
  • NASGLambdaSelfTestFunction (Lambda Function): Verifies the NASGFunction Lambda function on stack deployment and reports its status to nOps.
  • NASGEventBridgeForwarderMultiRegion (StackSet): An EventBridge forwarder created via stack instances of this StackSet in all SCP-allowed regions of the same AWS account, so that events from all configured regions are forwarded to the Lambda main region (us-east-1 or us-west-2).
  • NASGRoleCheckerRole (IAM Role): The IAM role for the NASGRoleCheckerFunction Lambda function, with a policy allowing it to read, create, or modify IAM roles.
  • NASGRoleCheckerFunction (Lambda Function): Verifies that the IAM roles required to create a StackSet within the same account exist; that StackSet deploys the EventBridge forwarder in all SCP-allowed regions.
  • RoleChecker (CloudFormation CustomResource): Sends a request to NASGRoleCheckerFunction and waits for a response before the stack operation proceeds.
  • PrimerInvoke (CloudFormation CustomResource): Sends a request to NASGFunction and waits for a response before the stack operation proceeds.
  • nOpsCrossAccountRole (IAM Role): A cross-account role with a trust relationship to the nOps account, which the AutoUpdate feature assumes. It has nOpsCrossAccountPolicy attached and is created only if the AutoUpdate parameter is true.
  • nOpsCrossAccountPolicy (IAM Policy): The policy attached to nOpsCrossAccountRole. It grants read-only and update permissions scoped to the stack and its resources.
Tags: copilot