Configuring Multiple AWS Linked Accounts with CloudFormation for ASG
Using CloudFormation, it’s easy to automatically onboard and configure multiple linked AWS accounts to nOps.
Creating a StackSet in your AWS Management (Master) Account will deploy Stack Instances in all child accounts automatically. It allows you to save time by configuring many accounts simultaneously (following the service-managed permissions model).
More information on service-managed permissions
With service-managed permissions, you can deploy stack instances to accounts managed by AWS Organizations. Using this permissions model, you don’t have to create the necessary IAM roles; StackSets creates the IAM roles on your behalf. With this model, you can also turn on automatic deployments to accounts that you add to your organization in the future.
How to configure via StackSet
Prerequisites
- You must have an Admin role in your AWS Master Account.
- Navigate to AWS Organizations > Services > CloudFormation StackSets and enable access for CloudFormation StackSets
Step-by-step guide
Step1: API Key Generation
- Log in to your nOps dashboard.
- Navigate to Organization Settings > API key > Generate New API Key.
- Name the API key as desired. For example, “compute-co-pilot-asg”.
- Save the key as we will be using it shortly.
Step 2: Deploying StackSet
- Log in to your AWS Master Payer account with admin permissions.
- From within the AWS Console > CloudFormation > Stacksets page, click Create Stackset.
- In the Specify template section, choose Amazon S3 URL.
Add the following S3 URL: https://nops-prd-asg-lambda-us-east-1.s3.amazonaws.com/v0.5.2/cloudformation/lambda-v0.5.2.yaml\
Step 3: Specify StackSet details, parameters, and deployment
- Enter the StackSet name as nOps-ASG-Main (Note: This name must be entered exactly as defined for Auto Update to function.)
- (Optional) Include a StackSet description
- Parameters: The following parameters need to be passed to the CF template
| ParameterKey | ParameterValue | Modifiable? |
|---|---|---|
| AdditionalPolicy | true | We highly recommend not modifying.This will ensure to create an additional policy for the Lambda Function Role giving access to KMS to attach the EBS volumes if the encryption is present in the Launch Configuration or Launch Template. |
| AutoUpdate | true | We highly recommend not modifying. AutoUpdate will ensure you have the latest version of Lambda in your account at all times without the need for manual updating. |
| Environment | prd | This should not be modified, as this environment has been vigorously and thoroughly tested for stability. |
| MemorySize | 1024 | This is the total memory for the Lambda Function. We recommend that you have this at 1024 MB for stable performance. |
| ProjectID | 0 | NO |
| Timeout | 240 | This is the Lambda function timeout in seconds. The timeout must be between 120 and 900 seconds |
| Token | Generated via nOps Dashboard | This is the token generated from the nOps Dashboard in Step1. It is not modifiable. |
| ExcludeRegions | comma-separated list of AWS region codes | The parameter ‘ExcludeRegions’ enables users to specify regions to be excluded from deployment by listing them, separated by commas.The value for this parameter can be blank or a comma-separated list of AWS region codes, for example, ‘eu-west-2,eu-west-3’. If no value is provided during stack creation, it will default to an empty value, including all active regions by default.. |
- Click Next.
- In the Configure StackSet options add Tags if needed
- Leave the Execution configuration as Inactive
- Click Next In Set deployment options Select Deploy new Stacks
- In Deploy Targets there will be 2 options
- Deploy to Organization
- Deploy to Organizational Units (OUs)
Step 4: (If deploying to Organization):
Select this option if you want to deploy the stack into all the child accounts of the organization. Upon completion, you will see a stack in all of the child accounts except the management (master-payer) account.
- Once you select Deploy to Organization do not modify the Auto-deployment options
- Under the Specify regions select either us-east-1 (N.Virginia) or us-west-2 (Oregon)
- Change the Deployment options to the following:
- Maximum concurrent accounts (Optional): change to percentage > 100
- Failure tolerance (Optional): change to percentage > 20
- Region concurrency > Parallel
- Acknowledge and submit
- Log in to any of the child accounts to verify the deployments
- Stackset creation successful
Step 4: (If deploying to Organizational Units):
Select this option to deploy the stack into a specific Organizational Unit of the Organization. Upon completion, you will see CloudFormation stacks in all the accounts that belong to that specific OU.
- Choose Deploy to Organizational Units (OUs) and add the OU id.
Note: Organization Unit IDs are located in AWS Console > AWS Organizations. 2.2 You can choose different accounts based on the Account filter type and add the account ids that you want to configure, separated by commas. Note: Account IDs are located in the AWS Console > AWS Organizations.
- Under Specify regions select either us-east-1 (N.Virginia) or us-west-2 (Oregon)
- Change the Deployment options to the following:
- Maximum concurrent accounts (Optional): change to percentage > 100
- Failure tolerance (Optional): change to percentage > 20
- Region concurrency > Parallel
- Acknowledge and submit
- Log in to any of the child accounts to verify the deployments
- Stackset creation successful
Step 5: Verifying connection status on the nOps Dashboard
How to configure more accounts
Note: this guide will work only if you choose Deploy to Organization Units in the previous guide.
Let’s say you have already created AWS accounts in your Organization and want to onboard more AWS accounts. In this case, you don’t need to create a new StackSet. You just need to add more stacks to the existing one. This process is easier and faster than creating from scratch.
Prerequisites
- StackSet configured
- Deployed to Organizational Units
Step-by-step guide
- Log in to your Master Payer AWS Console with admin permissions.
- From within the AWS Console > CloudFormation > Stacksets page, click on the created StackSet.
- Click on Actions and Add stacks to Stackset.
- Choose Deploy to Organizational Units (OUs) and add OU id. Note: you can find Organization Unit IDs in AWS Console > AWS Organizations.
- Choose Intersection in Account filter type and add the Account Ids (separated by commas) that you would like to configure. Note: you can find Account IDs in AWS Console > AWS Organizations.
- Under Specify regions select either us-east-1 (N.Virginia) or us-west-2 (Oregon)
- Please change the Deployment options as following:
a. Maximum concurrent accounts (Optional): change to percentage >- 100
b. Failure tolerance (Optional): change to percentage > 20
c. Region concurrency > Parallel
- Click on Next.
- Click Submit.
- After some time you will see the list of new SUCCEEDED Stack Instances for all new affected accounts. It means that all needed resources are created.
- New affected accounts will have a Connected status.
Resource Description
| Resource Name | Resource Type | Description |
|---|---|---|
| NASGEventBus | EventBus | An event bus that receives events |
| NASGEventRuleEC2InstanceStateChange | Events Rule | An event rule that monitors the change in the state of EC2 Instances (triggered on a new ASG instance launch) |
| NASGEventRuleEC2InstanceStateChangePermission | Lambda Permission | Grants events.amazonaws.com permissions to invoke the NASGFunction lambda function based on the NASGEventRuleEC2InstanceStateChange Events Rule |
| NASGEventRuleScheduledCheck | Events Rule | An event rule that triggers the NASGFunction Lambda function every 30 minutes to analyze configured ASGs |
| NASGEventRuleScheduledCheck Permission | Lambda Permission | Grants events.amazonaws.com permissions to invoke the NASGFunction Lambda function based on the NASGEventRuleScheduledCheck Events Rule |
| NASGFunction | Lambda Function | A Lambda function to handle events from NASGEventBus. This lambda does all the work related to ASG instance replacement. |
| NASGFunctionRole | IAM Role | An IAM Role that’s necessary for the Lambda function “NASGFunction” and “NASGLambdaSelfTestFunction” with all the necessary actions related to autoscaling and EC2 |
| NASGLambdaSelfTestFunction | Lambda Function | A Lambda function that verifies the NASGFunction Lambda function on stack deployment and reports its status to nOps |
| NASGEventBridgeForwarderMultiRegion | Stackset | An EventBridge forwarder that gets created via stack instances of the stackset in all the SCP-allowed regions of the same AWS account. So the events from all configured regions are forwarded to the lambda main region (us-east-1 or us-west-2) |
| NASGRoleCheckerRole | IAM Role | An IAM Role used for the Lambda function “NASGRoleCheckerFunction” which has policy to read, create or modify IAM roles |
| NASGRoleCheckerFunction | Lambda Function | A Lambda function that verifies the existence of IAM Roles in the AWS account. These roles enable us to create a stackset in the same account which will deploy an EventBridge forwarder in all the SCP enabled regions. |
| RoleChecker | CloudFormation CustomResource | A Custom Resource sends a request to NASGRoleCheckerFunction and waits for a response before proceeding with the stack operation. |
| PrimerInvoke | CloudFormation CustomResource | A Custom Resource sends a request to NASGFunction and waits for a response before proceeding with the stack operation. |
| nOpsCrossAccountRole | IAM Role | A cross account role, which has a trust relationship with the nOps account for the Auto update feature to assume role into. It has the “nOpsCrossAccountPolicy” attached. It is going to be created only if you set AutoUpdate parameter to true. |
| nOpsCrossAccountPolicy | IAM Policy | The policy which is attached to “nOpsCrossAccountRole” and has permissions only for the stack & stack resources. These are read-only and update permissions. |