Cloudformation
In order to get started with nOps, the first step is to subscribe to nOps on the AWS marketplace. Next, you'll create an nOps login and set up your AWS payer account. We've made the setup process as easy as possible for you while complying with AWS security best practices.
In this setup, nOps takes care of creating the S3 bucket, Cost and Usage Report (CUR), and IAM policies through a CloudFormation stack.
Prerequisites
To successfully set up the AWS account(s), the AWS user must possess:
- An accepted AWS Marketplace offer.
Important: Contact sales@nops.io if you do not have an MPPO.
- Access to the Payer account, if you are using AWS Organizations.
- Permission to create and run an AWS CloudFormation stack.
- Permission to create AWS Identity and Access Management (IAM) roles in your account.
- CURs enabled in the organization.
If you add an AWS child account instead of a Payer Account, nOps will only see the cost details of the specific child account instead of the cost details of the entire organization.
Getting Started
In this section, you need to select the account setup method. In the scope of this article, we will deal with the Cloudformation Setup.
To learn more about IaC Setup, see Onboarding with Terraform.
Onboarding the AWS Payer Account
In order to follow the next steps, create an nOps API key that will be used to securely connect with the platform from Cloudformation.
As soon as you access a newly created nOps account, a popup will appear. To onboard using Cloudformation, choose the Cloudformation Setup button or click on the Cloudformation Setup button on the landing page. The following screen will be shown afterwards.
When you click Run Cloudformation Stack, you will be redirected to your AWS Cloudformation Create Stack page. Make sure to fill the API key field with the one created as a prerequisite. Click on the checkbox for “I acknowledge that AWS CloudFormation might create IAM resources”. nOps needs this permission to automate the creation of the IAM role.
The default deployment region for the Cloudformation stack is us-west-2. You can easily change the region of the CF stack from the CloudFormation screen once you launch it from nOps. Make sure you deploy from a supported region.
After you click the checkbox, click on the Create button to create the infrastructure and notify nOps that data ingestion can begin.
On the AWS console CloudFormation > Stacks > Stack Detail:
- If you have all the required permissions, as mentioned in the prerequisites section, the setup will start creating the stack with the status “CREATE_IN_PROGRESS”. Once the stack is created the “Status” will change to “CREATE_COMPLETE”. You can click the browser refresh button to check progress. Normally it takes 1 to 2 minutes to complete the process.
- If you don’t have proper permissions then you will see errors as shown in the screenshot below, and the stack will not be created. You can assign the necessary permissions to the AWS user or ask other teammates to rerun the setup.
- Once the stack creation is successful, log in to the nOps Dashboard.
Once the stack is created, come back to nOps. nOps will check the account connectivity with AWS and check the CloudFormation stack permissions.
If you have any questions, please contact us at help@nops.io
On initial ingestion, nOps will pull the data from AWS accounts based on the following durations:
- Cost data: 6 months look back + current month.
- Rules: Current date.
- CloudTrail Events: 14 days look back.
To take a look at the nOps CloudFormation template, see the nOps YAML Template.
Adding Multiple Child AWS Accounts with CloudFormation
Prerequisites
- You must have Admin role permissions in AWS before you can add multiple AWS accounts to nOps using CloudFormation.
- You have configured your Payer account.
- StackSets are enabled in AWS Organizations and AWS CloudFormation within AWS.
- StackSet Trusted Access must be enabled.
- An nOps API key has been created; you can use the same one from onboarding the Payer account.
Once you’ve taken care of the prerequisites, the next steps are simple and straightforward.
If you don't have StackSets enabled, or Trusted Access enabled, follow the steps below. nOps uses StackSets to deploy the integration resources to all accounts under the root organization ID, which makes it easy to onboard all accounts to the nOps platform.
Enable Stacksets
To enable CloudFormation StackSets in AWS Organizations, go to AWS Organizations / Services. If you see Access disabled for CloudFormation StackSets, you will need to enable it.
Once enabled, you should see Access enabled:
Enable Trusted Access
When navigating to CloudFormation / StackSets, you will be able to tell if Trusted Access is enabled. If it's not, there will be a blue banner stating Trusted Access is not enabled. Click to enable Trusted Access. You may choose to disable it after configuration if you wish to do so.
To create and deploy a StackSet for the linked accounts, make sure that you are logged into your AWS Management Account with Admin rights. To cascade the StackSet down to all of your linked accounts, nOps uses a CloudFormation stack to configure the StackSet.
Within the nOps Platform
To get started, you will need to be logged in as an admin in the nOps platform.
- To the top right, navigate to your login / Organization Settings.
- Click the Cloudformation Setup button.
- Confirm you are logged into your AWS Management account with admin rights, then click Run Cloudformation Stack.
In the new tab that opens, everything in the CloudFormation stack is pre-filled for you except the API key; fill in that value. This new CloudFormation stack will deploy a StackSet in each account belonging to your organization, integrating all your accounts with nOps at once.
- Confirm the account you are logged into is the management account the Stack is deploying in.
- Scroll down to the bottom and click Create Stack.
This process can take several minutes to complete.
It can take up to 24 hours before you start seeing the different nOps dashboards and compliance views populated with data from your workloads.
If you have any questions, please contact us at help@nops.io.
Onboard a single account
Onboarding a single AWS account is performed by following the same process as onboarding the Payer account, but change the PayerAccount parameter to false when deploying the stack.
- Make sure that you are logged into your AWS Account.
- Create an nOps API key, see this page for more details on how to create a key.
- Click on Cloudformation Setup in the child AWS account you want to onboard.
- Click on Run Cloudformation Stack from the pop up.
You will be redirected to the AWS CloudFormation Create Stack page in your single account. Make sure to fill the API key field with the one created as a prerequisite. Click on the checkbox for “I acknowledge that AWS CloudFormation might create IAM resources”. nOps needs this permission to automate the creation of the IAM role.
After you click the checkbox, click on the Create button to create the infrastructure and notify nOps that data ingestion can begin.
IAM and CloudFormation
The IAM policy used by nOps is scoped to the necessary read and write permissions only. Customers can also opt out of the write permissions in favor of read-only, least-privilege IAM policies, although some features of the nOps platform might not be available in this case. Reference the following policy for more information about the IAM role and least-privilege policies for the nOps integration.
A Lambda function automates the creation of the nOps project and the API communication; it is necessary for the nOps integration to work.
The code for the Lambda function is available for your review. Click the link to get the YAML file.
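Before launching any vendor-supplied stack, it is worth checking the template for the properties this section describes: the API key parameter must not be echoed back by CloudFormation, a role trusted by an outside account should require an external ID, and no policy should grant Allow * on *. The checker below is an added example, not nOps's template or code; it assumes the template has already been loaded into a dict (json.load or yaml.safe_load), and the sample template and the vendor account number 111111111111 are constructed placeholders.

```python
# Added example: static review of a CloudFormation template dict for the
# least-privilege properties discussed above. The sample is constructed.

SAMPLE_TEMPLATE = {
    "Parameters": {
        "ApiKey": {"Type": "String"},  # secret without NoEcho: finding
        "PayerAccount": {"Type": "String", "Default": "true"},
    },
    "Resources": {
        "NopsRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Statement": [{
                    "Effect": "Allow",
                    # placeholder vendor account, not a real nOps account id
                    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                    "Action": "sts:AssumeRole",
                }]},
                "ManagedPolicyArns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
                "Policies": [{"PolicyName": "write", "PolicyDocument": {"Statement": [
                    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
            },
        },
    },
}


def _as_list(value):
    """IAM documents allow a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def check_template(tpl):
    """Return a list of human-readable findings; empty means no issues found."""
    findings = []
    for name, param in tpl.get("Parameters", {}).items():
        if "key" in name.lower() and not param.get("NoEcho"):
            findings.append(f"Parameter {name}: secret without NoEcho")
    for name, res in tpl.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        for st in _as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement", [])):
            principal = st.get("Principal", {})
            if isinstance(principal, dict) and "AWS" in principal:
                if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
                    findings.append(f"Role {name}: cross-account trust without sts:ExternalId")
        for pol in props.get("Policies", []):
            for st in _as_list(pol.get("PolicyDocument", {}).get("Statement", [])):
                if (st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action", []))
                        and "*" in _as_list(st.get("Resource", []))):
                    findings.append(f"Role {name}/{pol['PolicyName']}: Allow * on *")
    return findings
```

Run check_template on the real template after loading it; every finding is a question to settle before clicking Create Stack.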
Troubleshooting Tips
- Do you have a pop-up blocker on your browser? A pop-up blocker on your browser will stop nOps from redirecting you to an AWS account to create a stack.
- There may have been a disconnect when creating the S3 stack, causing the stack to end in the ROLLBACK_ERROR state. In this case, re-run the automatic setup, then delete the first stack.
- Is it pulling in incorrect data? Make sure that you are logging into the correct account. When you have access to multiple AWS accounts, the wrong data can be imported. Ensure that you’re logged in to the correct account prior to starting the integration process.
- If you belong to an Organization (multiple accounts linked to a Master Account), ensure that you are logged into the Master account before running the wizard (so the billing data is populated), or have the organizational billing data files exported to one of your buckets.