Cloudformation
In order to get started with nOps, the first step is to subscribe to nOps on the AWS marketplace. Next, you'll create an nOps login and set up your AWS payer account. We've made the setup process as easy as possible for you while complying with AWS security best practices.
In this setup, nOps takes care of creating the S3 bucket, Cost and Usage Report (CUR), and IAM policies through a CloudFormation stack.
Prerequisites
To successfully set up the AWS account(s), the AWS user must possess:
- An accepted AWS Marketplace offer.
Important: Contact sales@nops.io if you do not have an MPPO.
- Administrator access to the Payer account.
This Admin access must include permissions to:
- Deploy AWS CloudFormation stacks
- Create IAM roles
- Create Lambda functions
- Create S3 buckets
- Configure and access the AWS Cost and Usage Report (CUR)
- CURs enabled in the organization.
- Ensure that your AWS account has not exceeded the limit of 10 free Cost and Usage Reports (CURs) per month, as this can block the creation of a new report during setup. If you are at the limit, manage or delete existing CUR reports.
Getting Started
In this section, you need to select the account setup method. In the scope of this article, we will deal with the Cloudformation Setup.
To learn more about IaC Setup, see Onboarding with Terraform.
Onboarding the AWS Payer Account
As soon as you access a newly created nOps account, a popup will appear.
To onboard using Cloudformation, choose Onboard with Cloudformation in the popup or click the Cloudformation Setup button on the landing page.
The following screen will be shown afterwards.
At this step, we have generated an API key for your future use. Please copy and store it somewhere secure. It will be used to securely connect with the nOps platform.
You will be redirected to your AWS Cloudformation Create Stack page. Make sure all parameters are provided, including the API key that was generated for you. Click on the checkbox for "I acknowledge that AWS CloudFormation might create IAM resources". nOps needs this permission to automate the creation of the IAM role.
The default deployment region for the Cloudformation stack is us-west-2. You can easily change the region of the CF stack from the CloudFormation screen once you launch it from nOps. Make sure you deploy from a supported region.
After you click the checkbox, click on the Create button to create the infrastructure and notify nOps that data ingestion can begin.
In the AWS console, under CloudFormation > Stacks > Stack Detail:
- If you have all the required permissions, as mentioned in the prerequisites section, the setup will start creating the stack with the status "CREATE_IN_PROGRESS". Once the stack is created the "Status" will change to "CREATE_COMPLETE". You can click the browser refresh button to check progress. Normally it takes 1 to 2 minutes to complete the process.
- If you don't have proper permissions then you will see errors as shown in the screenshot below, and the stack will not be created. You can assign the necessary permissions to the AWS user or ask other teammates to rerun the setup.
- Once the stack creation is successful, return to the nOps Dashboard.
nOps will check the account connectivity with AWS and check the CloudFormation stack permissions. If everything is correct, you will see a message confirming that your account has been linked successfully, and a list of child accounts will appear.
If you have any questions, please contact us at help@nops.io
On initial ingestion, nOps will pull the data from AWS accounts based on the following durations:
- Cost data: starting from the month of onboarding.
- Default data retention period: up to the previous 1 year (after backfilling the nOps CUR).
- Rules: Current date.
To take a look at the nOps CloudFormation template, see the nOps YAML Template.
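Before ticking the IAM acknowledgement, it helps to see which roles a template creates, who can assume them, and whether any policy is broader than expected. The following is an added example, not nOps code: it assumes the template has been converted to JSON and parsed into a dictionary, and the sample template, role names and account ID are constructed for illustration and are not taken from the nOps template.

```python
import json

def as_list(v):  # IAM policy fields may hold a single value or a list
    return [] if v is None else v if isinstance(v, list) else [v]

def audit_iam_roles(template):
    """List review findings for each AWS::IAM::Role in a parsed template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        # Trust policy: who may assume the role, and is an ExternalId required?
        for stmt in as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement")):
            principal = stmt.get("Principal", {})
            aws = principal.get("AWS") if isinstance(principal, dict) else principal
            has_ext_id = "sts:externalid" in json.dumps(stmt.get("Condition", {})).lower()
            for p in as_list(aws):
                if p == "*":
                    findings.append((name, "trust", "any AWS principal may assume the role"))
                elif not has_ext_id:
                    findings.append((name, "trust", f"{p} trusted without sts:ExternalId"))
        # Managed policies that grant full administrator rights
        findings += [(name, "managed", a) for a in as_list(props.get("ManagedPolicyArns"))
                     if str(a).endswith("/AdministratorAccess")]
        # Inline policies that allow wildcard actions
        for pol in as_list(props.get("Policies")):
            for stmt in as_list(pol.get("PolicyDocument", {}).get("Statement")):
                wild = [a for a in as_list(stmt.get("Action"))
                        if isinstance(a, str) and (a == "*" or a.endswith(":*"))]
                if stmt.get("Effect") == "Allow" and wild:
                    findings.append((name, "inline", f"{pol.get('PolicyName')}: {', '.join(wild)}"))
    return findings

# Constructed sample, NOT the nOps template; 111122223333 is a placeholder account ID.
TRUST = {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}
SAMPLE_TEMPLATE = {"Resources": {
    "IntegrationRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [
            {**TRUST, "Condition": {"StringEquals": {"sts:ExternalId": {"Ref": "ExternalId"}}}}]},
        "Policies": [{"PolicyName": "cur-bucket", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}}]}},
    "LooseRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [TRUST]}}},
    "ReportBucket": {"Type": "AWS::S3::Bucket"}}}

if __name__ == "__main__":
    print(*audit_iam_roles(SAMPLE_TEMPLATE), sep="\n")
```

A finding is a prompt for review rather than proof of a problem: a wildcard action may still be scoped by its `Resource` element, which this check does not evaluate.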
How to Onboard Child Accounts?
Adding Multiple Child AWS Accounts with CloudFormation
Prerequisites
- You must have Admin role permissions in AWS before you can add multiple AWS accounts to nOps using CloudFormation.
- You have configured your Payer account.
- StackSets must be enabled in AWS Organizations and AWS CloudFormation within AWS.
- StackSets Trusted Access must be enabled.
Once you've taken care of the prerequisites, the next steps are simple and straightforward.
If you don't have StackSets or Trusted Access enabled, follow the steps below. nOps uses StackSets to deploy the integration resources to all accounts under your root organization ID, which makes it easy to onboard every account to the nOps platform.
Enable Stacksets
To enable CloudFormation StackSets in AWS Organizations, go to AWS Organizations / Services. If you see Access disabled for CloudFormation StackSets, you will need to enable it.
Once enabled, you should see Access enabled:
Enable Trusted Access
When you navigate to CloudFormation / StackSets, you can tell whether Trusted Access is enabled. If it is not, a blue banner states that Trusted Access is not enabled. Click to enable Trusted Access. You may choose to disable it after configuration if you wish to do so.
To create and deploy a StackSet for the linked accounts, make sure that you are logged into your AWS Management Account with Admin rights. To create the StackSet that cascades down to all of your linked accounts, nOps uses a CloudFormation stack to configure the StackSet.
Within the nOps Platform
To get started, you will need to be logged in as an admin in the nOps platform.
- To the top right, navigate to your login / Organization Settings.
- Click the Cloudformation Setup button.
- Confirm you are logged into your AWS Management account with admin rights, then click Run Cloudformation Stackset.
In the new tab that opens, everything is pre-filled for you. This new CloudFormation stack will deploy a StackSet to each account belonging to your organization, which integrates all your accounts with nOps at once.
- Confirm the account you are logged into is the management account the Stack is deploying in.
- Scroll down to the bottom and click Create Stack.
This process can take several minutes to complete.
Once the process is completed, return to nOps platform. You will see linked accounts configured on nOps platform.
It can take up to 24 hours before you start seeing the different nOps dashboards and compliance views populated with data from your workloads.
If you have any questions, please contact us at help@nops.io.
Onboard a single child account
Onboarding a single child AWS account is performed by following the same process as onboarding the Payer account, but the PayerAccount parameter will be changed to false when deploying the stack.
- Make sure that you are logged into the AWS child account you want to onboard.
- Click on Cloudformation Setup in the child AWS account you want to onboard and proceed.
- Click on Proceed from the pop up.
You will be redirected to your AWS Cloudformation Create Stack page in your single account. Click on the checkbox for "I acknowledge that AWS CloudFormation might create IAM resources". nOps needs this permission to automate the creation of the IAM role.
After you click the checkbox, click on the Create button to create the infrastructure and notify nOps that data ingestion can begin.