AWS Ops Automator

Automated Deployment

Before you launch the automated deployment, please review the considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy an AWS Ops Automator into your account.

Time to deploy: Approximately 15 minutes

What We'll Cover

The procedure for deploying this architecture on AWS consists of the following steps. For detailed instructions, follow the links for each step.

Step 1. Launch the AWS Ops Automator Stack in the Primary Account

  • Launch the AWS CloudFormation template into your primary AWS account.

  • Enter values for required parameters: Stack Name.

  • Review the other template parameters, and adjust if necessary.

Step 2. Launch a Task Template in the Primary Account

  • Launch the applicable task-configuration AWS CloudFormation template into the primary account.

  • Review the template parameters, and adjust if necessary.

Step 3. Launch a Role Template in the Secondary Account(s) (Optional)

  • Launch the applicable role AWS CloudFormation template into the secondary account with applicable resources.

  • Enter values for required parameters: Stack Name.

  • Review the other template parameters, and adjust if necessary.

Step 4. Launch the Event Forwarder Template in Secondary Account(s) (Optional)

  • Launch the applicable event forwarder AWS CloudFormation template into the secondary account with applicable resources.

  • Enter values for required parameters: Stack Name.

  • Review the other template parameters, and adjust if necessary.

Step 5. Tag Your Resources

  • Apply the custom tag to applicable resources.

Step 1. Launch the AWS Ops Automator Stack in the Primary Account

This automated AWS CloudFormation template deploys the AWS Ops Automator in your primary account. Launch this template using an AWS Identity and Access Management (IAM) role specifically created for this purpose. For more information, see the Security section.

Note

You are responsible for the cost of the AWS services used while running this solution. See the Cost section for more details. For full details, see the pricing webpage for each AWS service you will be using in this solution.

  1. Sign in to the AWS Management Console and click the button below to launch the ops-automator AWS CloudFormation template.

    
    [AWS Ops Automator launch button]

    You can also download the template as a starting point for your own implementation.

  2. The template is launched in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the region selector in the console navigation bar.

    Note

    The AWS Ops Automator is not available in the AWS GovCloud (US) Regions at this time.

  3. On the Select Template page, keep the default setting for Choose a Template and select Next.

  4. On the Specify Details page, assign a name to your solution stack.

  5. Under Parameters, review the parameters for the template, and modify them as necessary. This solution uses the following default values.

    Parameter | Default | Description
    Task Scheduler Tag Name | OpsAutomatorTaskList | The tag key (name) that identifies applicable resources. The tag value will contain the list of tasks to be performed on tagged resources. See Step 5 for detailed information.
    Enable CloudWatch Metrics | Yes | Choose whether to collect CloudWatch Metrics data for Ops Automator. You can configure detailed metrics for individual tasks at the task level.
    Schedule active? | Yes | Choose whether to activate the scheduling task feature.
    Clean up task tracking table? | Yes | Choose whether to clean the task tracking table.
    Export Task Tracking Table to Amazon S3 | No | Choose whether to export the task tracking table to Amazon S3.
    Hours to keep tasks? | 168 | The number of hours to keep a task before it is automatically deleted from the tracking table.
    Keep failed tasks? | Yes | Choose whether to store failed tasks in the Amazon DynamoDB table.
    Log Retention Days | 30 | The number of days to keep logs before they are automatically deleted from the tracking table.
    Days to keep configuration backups | 7 | The number of days to keep a configuration backup file before it is automatically deleted.

  6. Choose Next.

  7. On the Options page, choose Next.

  8. On the Review page, review and confirm the settings. Be sure to check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  9. Choose Create to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation console in the Status column. You should see a status of CREATE_COMPLETE in approximately 15 minutes.

Step 2. Launch a Task Template in the Primary Account

Before you configure a task, review the information in Appendix A for the applicable action.

Note

If you used the ActionsConfiguration.html file to launch the task, continue to step 7. For more information on the file, see Role and Task Templates.

  1. In the primary account’s Amazon S3 console, navigate to the bucket for the AWS Ops Automator solution stack.

    Note

    You can find the name of the S3 bucket in the AWS CloudFormation stack Outputs tab. The bucket name is the value of the ConfigurationBucketName key.

  2. In the TaskConfiguration folder, select the applicable template.

  3. Copy the Link value.

  4. In the AWS CloudFormation console, select Create Stack.

  5. Select Specify an Amazon S3 template URL.

  6. Paste the template link into the text box and select Next.

  7. Enter a Stack name.

  8. Under Parameters, review the parameters for the template and modify them as necessary. For more information, see Appendix A.

  9. Select Next.

  10. Select Next. Then, on the Review page, review and confirm the settings. Be sure to check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  11. Choose Create to deploy the stack.

Note

If you delete the AWS Ops Automator stack, all task stacks and configurations will be deleted.

Step 3. Launch a Role Template in the Secondary Account(s) (Optional)

Use this procedure to create a role to perform tasks on resources in secondary accounts.

Note

This role template is generated by the primary Ops Automator stack. The template will only set up a trust relationship between a secondary account and the primary account for which this template was generated. If you run multiple Ops Automator stacks in a single account, verify that you select the template from the Ops Automator stack you want to give the secondary account access to.

  1. In the primary account’s Amazon S3 console, navigate to the bucket for the AWS Ops Automator solution stack.

    Note

    You can find the name of the Amazon S3 bucket in the AWS CloudFormation stack Outputs tab. The bucket name is the value of the ConfigurationBucketName key.

  2. In the AccountsConfiguration folder, select the AccountRoleConfiguration template.

  3. Select Download and note the location of the downloaded template.

  4. In the secondary account’s AWS CloudFormation console, select Create Stack.

    Important

    You must deploy the AccountRoleConfiguration template in the main account if you want to perform tasks on resources in the main account. You must also use the same value for the Custom Rolename parameter across all stacks. For more information, see Role Configuration.

  5. Select Upload a template to Amazon S3.

  6. Select Choose File.

  7. Navigate to the downloaded template and select Choose. Then, select Next.

  8. Enter a Stack name and select Next.

  9. To give the Ops Automator Lambda function in the primary account access to actions in this account, set the applicable parameters to Yes. For example, to allow the solution to create backups in Amazon DynamoDB in this account, set the DynamoDB Create backup parameter to Yes.

  10. Optional: Enter a Custom Rolename. For more information, see Role Configuration.

  11. Select Next. Then, on the Review page, review and confirm the settings. Be sure to check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  12. Choose Create to deploy the stack.

  13. After the stack deploys, navigate to the stack Outputs tab and copy the Value of the CrossAccountRoleArn key.
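After the role stack deploys, it is worth confirming that the role's trust policy names only the primary account you intended. The following is an added example, not code from this solution: the sample policy, the account IDs and the role name are constructed, and the check compares account IDs only, so it does not tell two Ops Automator stacks in the same primary account apart.

```python
import re

# Matches IAM/STS principal ARNs and captures the 12-digit account ID.
ACCOUNT_ARN = re.compile(r"^arn:aws[a-z-]*:(?:iam|sts)::(\d{12}):")

def principal_account(principal):
    """Return the account ID a principal string belongs to, or None (e.g. for "*")."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    match = ACCOUNT_ARN.match(principal)
    return match.group(1) if match else None

def unexpected_principals(trust_policy, primary_account_id):
    """List principals that may assume the role but are outside the primary account."""
    findings = []
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                  # anyone may assume the role
            findings.append("*")
            continue
        for kind, values in principal.items():
            values = [values] if isinstance(values, str) else values
            for value in values:
                # Anything that is not an AWS principal in the primary account is reported.
                if kind != "AWS" or principal_account(value) != primary_account_id:
                    findings.append(f"{kind}:{value}")
    return findings

# Constructed sample; NOT the policy the AccountRoleConfiguration template creates.
PRIMARY = "111111111111"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/ExampleOpsAutomatorRole"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["222222222222", "*"]}},
    ],
}

if __name__ == "__main__":
    for finding in unexpected_principals(SAMPLE_POLICY, PRIMARY):
        print("unexpected principal:", finding)
```
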

Step 4. Launch the Event Forwarder Template in Secondary Account(s) (Optional)

Use this procedure to forward events from secondary accounts to the primary account. Launch this template in each applicable account and each applicable region.

Important

To use actions triggered by events across accounts and regions, you must deploy the event forwarder AWS CloudFormation template (AccountForwardEvents) in each applicable account and region, and you must deploy the account role configuration template (AccountRoleConfiguration) in each account.

  1. In the primary account’s Amazon S3 console, navigate to the bucket for the AWS Ops Automator solution stack.

    Note

    You can find the name of the Amazon S3 bucket in the AWS CloudFormation stack Outputs tab. The bucket name is the value of the ConfigurationBucketName key.

  2. In the AccountsConfiguration folder, select the AccountForwardEvents AWS CloudFormation template.

  3. Copy the Link value.

  4. Select Download and note the location of the downloaded template.

  5. In the secondary account’s AWS CloudFormation StackSets console, select Create StackSet.

  6. Select Specify an Amazon S3 template URL.

  7. Paste the template link into the text box and select Next.

  8. Enter a StackSet name.

  9. To forward events from this account to the primary account, set the applicable parameters to Yes. For example, to allow the solution to forward tag-change events for Amazon EC2, set the EC2 Tag Change events parameter to Yes.

  10. Select Next.

  11. Select Next. Then, on the Review page, review and confirm the settings. Be sure to check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  12. Choose Create to deploy the stack.

Step 5. Tag Your Resources

When you deployed the AWS CloudFormation template, you defined the tag key for the solution’s custom tag. For the AWS Ops Automator to recognize a resource, the tag key on that resource must match the custom tag name stored in the solution’s Amazon DynamoDB table. Therefore, it is important that you apply tags consistently and correctly to all applicable resources. You can continue to use existing tagging strategies for your resources while using this solution.

On the AWS Management Console, use the Tag Editor to apply or modify tags for multiple resources at a time. You can also apply and modify tags manually in the console.

Setting the Tag Value

As you apply a tag to a resource, use the tag key you defined during initial configuration and set the tag value to the name of an AWS Ops Automator task stack to perform that task on the resource. For example, a user might define OpsAutomatorTaskList as the tag key. Then, the user creates a stack called CopyResource. To identify the resources to be copied, the user assigns the OpsAutomatorTaskList tag key with a value of CopyResource to each resource.

To perform multiple tasks on a single resource, use a comma-separated list of those tasks as the tag value. Continuing from the previous example, a user can assign the OpsAutomatorTaskList tag key with the value CopyResource,DeleteResource to identify resources to be copied, then deleted.
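Because the tag value decides which tasks run against a resource, a periodic audit of tagged resources against the task stacks you actually deployed catches typos and stale entries. The following is an added example, not part of the solution: the resource IDs and tags are constructed, and the task names are the ones used in the example above.

```python
TAG_KEY = "OpsAutomatorTaskList"                     # default tag key from Step 1
DEPLOYED_TASKS = {"CopyResource", "DeleteResource"}  # task stack names from the example above

# Constructed inventory: resource IDs and tag values are made up for this example.
RESOURCES = {
    "i-0aaa": {"OpsAutomatorTaskList": "CopyResource,DeleteResource"},
    "i-0bbb": {"OpsAutomatorTaskList": "CopyResource, deleteresource"},
    "vol-0ccc": {"opsautomatortasklist": "CopyResource"},
    "vol-0ddd": {"OpsAutomatorTaskList": "CopyResource,ArchiveResource,CopyResource"},
}

def audit_task_tags(resources, tag_key, deployed_tasks):
    """Return (resource_id, item, problem) tuples for tags that need review."""
    by_folded = {name.lower(): name for name in deployed_tasks}
    findings = []
    for resource_id, tags in resources.items():
        if tag_key not in tags:
            # AWS tag keys are case-sensitive, so a near-miss key is a different tag.
            for key in tags:
                if key.lower() == tag_key.lower():
                    findings.append((resource_id, key, f"tag key differs from {tag_key}"))
            continue
        seen = set()
        # Split on commas only; entries are compared exactly as written.
        for entry in tags[tag_key].split(","):
            folded = entry.strip().lower()
            if entry in seen:
                findings.append((resource_id, entry, "duplicate entry"))
            elif entry in deployed_tasks:
                pass                                   # exact match with a deployed task stack
            elif folded in by_folded:
                findings.append((resource_id, entry,
                                 f"not an exact match for {by_folded[folded]}"))
            else:
                findings.append((resource_id, entry, "no task stack with this name"))
            seen.add(entry)
    return findings

if __name__ == "__main__":
    for resource_id, item, problem in audit_task_tags(RESOURCES, TAG_KEY, DEPLOYED_TASKS):
        print(f"{resource_id}: {item!r}: {problem}")
```
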