
Onboarding your Autoscaling Groups to nOps Compute Copilot via Stackset

Configuring Multiple AWS Linked Accounts with CloudFormation for ASG

Using CloudFormation, it’s easy to automatically onboard and configure multiple linked AWS accounts to nOps. 

Creating a StackSet in your AWS Management (Master) Account will deploy Stack Instances in all child accounts automatically. It allows you to save time by configuring many accounts simultaneously (following the service-managed permissions model). 

More information on service-managed permissions

With service-managed permissions, you can deploy stack instances to accounts managed by AWS Organizations. Using this permissions model, you don't have to create the necessary IAM roles; StackSets creates the IAM roles on your behalf. With this model, you can also turn on automatic deployments to accounts that you add to your organization in the future.

How to configure via StackSet

Prerequisites

  • You must have an Admin role in your AWS Master Account.

  • Navigate to AWS Organizations > Services > CloudFormation StackSets and enable trusted access for CloudFormation StackSets.

Step-by-step guide

Step 1: API Key Generation

  • Log in to your nOps dashboard.

  • Navigate to Organization Settings > API key > Generate New API Key.

  • Name the API key as desired. For example, “compute-co-pilot-asg”.

  • Save the key, as we will use it shortly.

Step 2: Deploying StackSet

Step 3: Specify StackSet details, parameters, and deployment

  • Enter a unique StackSet name.

  • (Optional) Include a StackSet description.

  • Parameters: the following parameters must be passed to the CloudFormation template.

    Parameter key | Parameter value | Modifiable?
    AdditionalPolicy | true | We highly recommend not modifying. This creates an additional policy for the Lambda function role granting access to KMS, so that the function can attach EBS volumes when encryption is enabled in the Launch Configuration or Launch Template.
    AutoUpdate | true | We highly recommend not modifying. AutoUpdate ensures you always have the latest version of the Lambda function in your account without manual updating.
    ClusterAutoScaler | false | Set to 'true' only if you are configuring for Cluster Autoscaler.
    Environment | prd | Should not be modified; this environment has been rigorously and thoroughly tested for stability.
    ExcludeRegions | comma-separated list of AWS region codes | Leave empty unless you have region-based SCPs organization-wide. ExcludeRegions specifies the regions to exclude from deployment, listed and separated by commas. The value may be blank or a comma-separated list of AWS region codes, for example 'eu-west-2,eu-west-3'. If no value is provided during stack creation, it defaults to empty, which includes all active regions.
    MemorySize | 1024 | The total memory for the Lambda function. We recommend 1024 MB for stable performance.
    ProjectID | 0 | No
    Timeout | 240 | The Lambda function timeout in seconds. The timeout must be between 120 and 900 seconds.
    Token | Generated via nOps Dashboard | The token generated from the nOps Dashboard in Step 1. It is not modifiable.

  • Click Next.

  • Under Configure StackSet options, add Tags if needed.

  • Leave the Execution configuration as Inactive.

  • Click Next. Under Set deployment options, select Deploy new stacks.

  • In Deploy Targets there will be two options:

    1. Deploy to Organization
    2. Deploy to Organizational Units (OUs)

Step 4: (If deploying to Organization):

Select this option if you want to deploy the stack into all the child accounts of the organization. Upon completion, you will see a stack in all of the child accounts except the management (master-payer) account.

  • Once you select Deploy to Organization, do not modify the Auto-deployment options.

  • Under Specify regions, select either us-east-1 (N. Virginia) or us-west-2 (Oregon).

  • Change the Deployment options to the following:

    1. Maximum concurrent accounts (Optional): change to Percentage > 100

    2. Failure tolerance (Optional): change to Percentage > 20

    3. Region concurrency > Parallel

  • Acknowledge and submit.

  • Log in to any of the child accounts to verify the deployments.

  • StackSet creation successful.

Step 4: (If deploying to Organizational Units):

Select this option to deploy the stack into a specific Organizational Unit of the Organization. Upon completion, you will see CloudFormation stacks in all the accounts that belong to that specific OU.

  • Choose Deploy to Organizational Units (OUs) and add the OU ID. Note: Organizational Unit IDs are located in AWS Console > AWS Organizations.

  • Optionally, use the Account filter type to restrict the deployment to particular accounts within the OU, adding the account IDs you want to configure separated by commas. Note: Account IDs are located in the AWS Console > AWS Organizations.

  • Under Specify regions, select either us-east-1 (N. Virginia) or us-west-2 (Oregon).

  • Change the Deployment options to the following:

    1. Maximum concurrent accounts (Optional): change to Percentage > 100

    2. Failure tolerance (Optional): change to Percentage > 20

    3. Region concurrency > Parallel

  • Acknowledge and submit.

  • Log in to any of the child accounts to verify the deployments.

  • StackSet creation successful.
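The parameter table in Step 3 and the deployment options in Step 4 map directly onto two AWS CLI calls. The script below is an added example (not nOps' own code or template): it validates the parameter values against the constraints stated in the table (Timeout range, ExcludeRegions format, ClusterAutoScaler flag, the two permitted regions) and prints the `aws cloudformation create-stack-set` and `create-stack-instances` commands that correspond to the console steps. It does not call AWS. `TEMPLATE_URL`, the OU id and the `NOPS_TOKEN` environment variable are assumptions and placeholders; take the real template URL from nOps and the token from Step 1.

```shell
#!/bin/sh
# Added example, not nOps' own code: validate the StackSet parameters from the
# table above and print the AWS CLI calls equivalent to the console steps
# (StackSet creation, then stack instances for an OU or the organization root).
# Nothing here calls AWS. TEMPLATE_URL is a placeholder; use the template URL
# that nOps provides. The OU id and token in the demo call are placeholders too.

TEMPLATE_URL="https://example.invalid/nops-compute-copilot-asg.yaml"   # placeholder

# validate_params TIMEOUT MEMORY_SIZE EXCLUDE_REGIONS CLUSTER_AUTOSCALER
# Returns 0 when the values satisfy the constraints in the parameter table.
validate_params() {
  timeout="$1"; memory="$2"; exclude="$3"; cas="$4"
  # Timeout: an integer between 120 and 900 seconds
  echo "$timeout" | grep -Eq '^[0-9]+$' || return 1
  [ "$timeout" -ge 120 ] && [ "$timeout" -le 900 ] || return 1
  # MemorySize: a positive integer (1024 MB recommended)
  echo "$memory" | grep -Eq '^[1-9][0-9]*$' || return 1
  # ExcludeRegions: blank, or comma-separated region codes such as eu-west-2
  if [ -n "$exclude" ]; then
    echo "$exclude" | grep -Eq '^[a-z]{2}(-gov)?-[a-z]+-[0-9]+(,[a-z]{2}(-gov)?-[a-z]+-[0-9]+)*$' || return 1
  fi
  # ClusterAutoScaler: the literal strings true or false
  [ "$cas" = "true" ] || [ "$cas" = "false" ] || return 1
}

# stackset_commands NAME TARGET_ID REGION TOKEN [EXCLUDE_REGIONS]
# TARGET_ID is an OU id (ou-...) for "Deploy to Organizational Units", or the
# organization root id (r-...) for "Deploy to Organization".
stackset_commands() {
  name="$1"; target="$2"; region="$3"; token="$4"; exclude="${5:-}"
  # The guide allows only the two Lambda main regions
  case "$region" in
    us-east-1|us-west-2) ;;
    *) echo "region must be us-east-1 or us-west-2" >&2; return 1 ;;
  esac
  validate_params 240 1024 "$exclude" false || { echo "invalid parameters" >&2; return 1; }
  cat <<EOF
# Step 3: create the StackSet (service-managed permissions, auto-deployment left on).
# CAPABILITY_NAMED_IAM is the CLI form of the IAM acknowledgement in the console.
aws cloudformation create-stack-set \\
  --stack-set-name "$name" \\
  --template-url "$TEMPLATE_URL" \\
  --permission-model SERVICE_MANAGED \\
  --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false \\
  --capabilities CAPABILITY_NAMED_IAM \\
  --parameters \\
    ParameterKey=AdditionalPolicy,ParameterValue=true \\
    ParameterKey=AutoUpdate,ParameterValue=true \\
    ParameterKey=ClusterAutoScaler,ParameterValue=false \\
    ParameterKey=Environment,ParameterValue=prd \\
    ParameterKey=ExcludeRegions,ParameterValue="$exclude" \\
    ParameterKey=MemorySize,ParameterValue=1024 \\
    ParameterKey=ProjectID,ParameterValue=0 \\
    ParameterKey=Timeout,ParameterValue=240 \\
    ParameterKey=Token,ParameterValue="$token"

# Step 4: deploy stack instances with the deployment options from the guide
# (100% concurrent accounts, 20% failure tolerance, parallel regions).
aws cloudformation create-stack-instances \\
  --stack-set-name "$name" \\
  --deployment-targets OrganizationalUnitIds="$target" \\
  --regions "$region" \\
  --operation-preferences RegionConcurrencyType=PARALLEL,MaxConcurrentPercentage=100,FailureTolerancePercentage=20
EOF
}

# Demo: print the commands for a placeholder OU. The token is read from the
# NOPS_TOKEN environment variable (an assumption of this example) so that the
# API key is not typed on the command line.
stackset_commands "compute-co-pilot-asg" "ou-xxxx-placeholder" "us-east-1" \
  "${NOPS_TOKEN:-<token from nOps dashboard>}" "eu-west-2,eu-west-3"
```

The token is an nOps API key, so keep it out of shell history and process listings: export it from a secrets manager or a protected file rather than pasting it into the command, and rotate it from Organization Settings > API key if it is ever exposed.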

Step 5: Verifying connection status on the nOps Dashboard

How to configure more accounts

Note: this guide applies only if you chose Deploy to Organizational Units (OUs) in the previous guide.

Suppose you have created additional AWS accounts in your Organization and want to onboard them as well. In this case you don’t need to create a new StackSet; you only need to add more stacks to the existing one. This is easier and faster than creating one from scratch.

Prerequisites

  • StackSet configured
  • Deployed to Organizational Units

Step-by-step guide

  • Log in to your Master Payer AWS Console with admin permissions.

  • From within the AWS Console > CloudFormation > StackSets page, click on the StackSet you created.

  • Click Actions > Add stacks to StackSet.

  • Choose Deploy to Organizational Units (OUs) and add the OU ID. Note: you can find Organizational Unit IDs in AWS Console > AWS Organizations.

  • Choose Intersection in Account filter type and add the Account IDs (separated by commas) that you would like to configure. Note: you can find Account IDs in AWS Console > AWS Organizations.

  • Under Specify regions, select either us-east-1 (N. Virginia) or us-west-2 (Oregon).

  • Change the Deployment options to the following:

    1. Maximum concurrent accounts (Optional): change to Percentage > 100

    2. Failure tolerance (Optional): change to Percentage > 20

    3. Region concurrency > Parallel

  • Click Next.

  • Click Submit.

  • After some time you will see the list of new SUCCEEDED Stack Instances for all newly affected accounts. This means that all required resources have been created.

  • Newly affected accounts will have a Connected status.
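The Intersection filter means "only the listed accounts, and only if they are in the given OU", and the SUCCEEDED check is what tells you the resources exist before you look for the Connected status in nOps. The script below is an added example, not nOps' own code: it prints the `create-stack-instances` call that corresponds to the steps above (using the JSON form of `--deployment-targets` to carry the account filter) and checks a list of stack-instance rows for the requested accounts. It does not call AWS; the rows are in the shape that the `list-stack-instances` query shown in the comment would print, and the sample rows at the bottom are constructed placeholder data.

```shell
#!/bin/sh
# Added example, not nOps' own code: add stack instances for particular accounts
# inside an OU (the "Intersection" account filter) and check that every requested
# account reached SUCCEEDED. Nothing here calls AWS: check_instances reads rows
# in the shape `aws cloudformation list-stack-instances` prints with the query
# shown below, and the sample rows at the bottom are constructed, not real output.

# add_accounts_cmd STACKSET OU_ID REGION ACCOUNT_IDS
# ACCOUNT_IDS is a comma-separated list of 12-digit account ids.
add_accounts_cmd() {
  name="$1"; ou="$2"; region="$3"; accounts="$4"
  echo "$accounts" | grep -Eq '^[0-9]{12}(,[0-9]{12})*$' || { echo "bad account id list" >&2; return 1; }
  acct_json=$(printf '%s' "$accounts" | sed 's/,/","/g')   # 1,2 -> "1","2"
  cat <<EOF
aws cloudformation create-stack-instances \\
  --stack-set-name "$name" \\
  --deployment-targets '{"OrganizationalUnitIds":["$ou"],"AccountFilterType":"INTERSECTION","Accounts":["$acct_json"]}' \\
  --regions "$region" \\
  --operation-preferences RegionConcurrencyType=PARALLEL,MaxConcurrentPercentage=100,FailureTolerancePercentage=20
EOF
}

# check_instances ACCOUNT_IDS < rows
# Each row is "<account>TAB<region>TAB<detailed status>", as produced by:
#   aws cloudformation list-stack-instances --stack-set-name "$name" \
#     --query 'Summaries[].[Account,Region,StackInstanceStatus.DetailedStatus]' --output text
# Returns 0 when every requested account has a SUCCEEDED instance; otherwise
# prints the accounts that are missing or in another state and returns 1.
check_instances() {
  awk -F '\t' -v want="$1" '
    BEGIN { n = split(want, ids, ","); for (i = 1; i <= n; i++) state[ids[i]] = "MISSING" }
    ($1 in state) { state[$1] = $3 }
    END {
      bad = 0
      for (id in state) if (state[id] != "SUCCEEDED") { print id ": " state[id]; bad = 1 }
      exit bad
    }'
}

# Constructed sample rows (placeholder account ids): two instances succeeded,
# one failed, and one requested account has no instance yet.
sample_rows() {
  printf '111111111111\tus-east-1\tSUCCEEDED\n'
  printf '222222222222\tus-east-1\tSUCCEEDED\n'
  printf '333333333333\tus-east-1\tFAILED\n'
}

add_accounts_cmd "compute-co-pilot-asg" "ou-xxxx-placeholder" "us-east-1" \
  "111111111111,222222222222,333333333333,444444444444"
sample_rows | check_instances "111111111111,222222222222,333333333333,444444444444" \
  || echo "not all accounts are connected yet"
```

A FAILED row usually means the target account is not in the OU you named, an SCP blocks the region, or the StackSet trusted access from the Prerequisites is missing; the stack instance's status reason in the console gives the specific cause.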

Resource Description

Resource name | Resource type | Description
NASGEventBus | EventBus | An event bus that receives events.
NASGEventRuleEC2InstanceStateChange | Events Rule | An event rule that monitors changes in the state of EC2 instances (triggered on a new ASG instance launch).
NASGEventRuleEC2InstanceStateChangePermission | Lambda Permission | Grants events.amazonaws.com permission to invoke the NASGFunction Lambda function based on the NASGEventRuleEC2InstanceStateChange Events Rule.
NASGEventRuleScheduledCheck | Events Rule | An event rule that triggers the NASGFunction Lambda function every 30 minutes to analyze configured ASGs.
NASGEventRuleScheduledCheckPermission | Lambda Permission | Grants events.amazonaws.com permission to invoke the NASGFunction Lambda function based on the NASGEventRuleScheduledCheck Events Rule.
NASGFunction | Lambda Function | A Lambda function that handles events from NASGEventBus. This Lambda does all the work related to ASG instance replacement.
NASGFunctionRole | IAM Role | An IAM role required by the Lambda functions “NASGFunction” and “NASGLambdaSelfTestFunction”, with all the necessary actions related to Auto Scaling and EC2.
NASGLambdaSelfTestFunction | Lambda Function | A Lambda function that verifies the NASGFunction Lambda function on stack deployment and reports its status to nOps.
NASGEventBridgeForwarderMultiRegion | StackSet | An EventBridge forwarder created via stack instances of the StackSet in all SCP-allowed regions of the same AWS account, so that events from all configured regions are forwarded to the Lambda main region (us-east-1 or us-west-2).
NASGRoleCheckerRole | IAM Role | An IAM role used by the Lambda function “NASGRoleCheckerFunction”, with a policy to read, create or modify IAM roles.
NASGRoleCheckerFunction | Lambda Function | A Lambda function that verifies the existence of IAM roles in the AWS account. These roles enable creating a StackSet in the same account, which deploys an EventBridge forwarder in all SCP-enabled regions.
RoleChecker | CloudFormation CustomResource | A custom resource that sends a request to NASGRoleCheckerFunction and waits for a response before proceeding with the stack operation.
PrimerInvoke | CloudFormation CustomResource | A custom resource that sends a request to NASGFunction and waits for a response before proceeding with the stack operation.
nOpsCrossAccountRole | IAM Role | A cross-account role with a trust relationship to the nOps account, which the AutoUpdate feature assumes. It has the “nOpsCrossAccountPolicy” attached. It is created only if you set the AutoUpdate parameter to true.
nOpsCrossAccountPolicy | IAM Policy | The policy attached to “nOpsCrossAccountRole”; it has permissions only for the stack and stack resources. These are read-only and update permissions.