Prerequisites
Gather deployment parameter details
Before deploying Workload Discovery on AWS, review your configuration details for the Amazon OpenSearch Service service-linked role and AWS Config.
Verify whether you have an AWSServiceRoleForAmazonOpenSearchService role
The deployment creates an Amazon OpenSearch Service cluster inside an Amazon Virtual Private Cloud (Amazon VPC). The template uses a service-linked role to create the OpenSearch Service cluster. However, if you already have the role created in your account, use the existing role.
To check if you already have this role:
- Sign in to the Identity and Access Management (IAM) console for the account you plan to deploy this solution to.
- In the Search box, enter AWSServiceRoleForAmazonOpenSearchService.
- If your search returns a role, select No for the CreateOpensearchServiceRole parameter when you launch the stack.
Verify AWS Config is set up
Workload Discovery on AWS uses AWS Config to gather the majority of resource configurations. When deploying the solution or importing a new Region, you must confirm whether AWS Config is already set up and working as expected. The AlreadyHaveConfigSetup CloudFormation parameter informs Workload Discovery on AWS of whether to set up AWS Config.
The following snippet is taken from the AWS CLI Command Reference.
Enter the following command:
aws configservice get-status
If you receive a response similar to the following output, then there is a Configuration Recorder and Delivery Channel running in that Region. Select Yes for the AlreadyHaveConfigSetup CloudFormation parameter.
Output:
Configuration Recorders:

name: default
recorder: ON
last status: SUCCESS

Delivery Channels:

name: default
last stream delivery status: SUCCESS
last history delivery status: SUCCESS
last snapshot delivery status: SUCCESS
If you are configuring AWS CloudFormation StackSets, then you must include this Region in the batch of Regions that already have AWS Config configured.
Verify your AWS Config details in your account
The deployment will attempt to set up AWS Config. If you already use AWS Config in the account that you plan to either deploy to or make discoverable by Workload Discovery on AWS, select the relevant parameters when you deploy this solution. Furthermore, for successful deployment, ensure that you haven’t restricted the resources that AWS Config scans.
To check your current AWS Config configuration:
- Sign in to the AWS Config console.
- Choose Settings and ensure the Record all resources supported in this Region and Include global resources boxes are selected.
Verify your VPC configuration
If deploying to an existing VPC, verify your private subnets can route requests to AWS services.
If you choose the option to deploy the solution in an existing VPC, you must ensure that the Workload Discovery on AWS Lambda functions and the Amazon ECS tasks running in the private subnets of your VPC can connect to other AWS services. The standard way to enable this is with NAT gateways. You can list the NAT gateways that your private subnets route to, as shown in the following code sample.
aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<private-subnet-id1>,<private-subnet-id2> --query 'RouteTables[].Routes[].NatGatewayId'
Output:
[
    "nat-1111111111111111",
    "nat-2222222222222222"
]
Note: If fewer than two results are returned, the subnets do not have the correct number of NAT gateways.
If your VPC doesn’t have NAT gateways, then you must either provision them or ensure that you have VPC endpoints for all the AWS services listed in the AWS APIs section.
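The three checks on this page can be scripted. The following is an added example, not code from the Workload Discovery on AWS project or its documentation: the pure functions derive the CreateOpensearchServiceRole and AlreadyHaveConfigSetup parameter values and the NAT gateway list from API responses passed in as dicts, so they also run offline against saved output, while check_region() fetches live data and assumes boto3 is installed and credentials for the target account are configured.

```python
# Added example, not part of the Workload Discovery on AWS documentation.
# check_region() assumes boto3 is installed and AWS credentials are configured.
try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:  # the decision functions below do not need boto3
    boto3 = None

OPENSEARCH_SLR = "AWSServiceRoleForAmazonOpenSearchService"
DELIVERY_KEYS = ("configStreamDeliveryInfo", "configHistoryDeliveryInfo",
                 "configSnapshotDeliveryInfo")

def _ok(status):
    return str(status).upper() == "SUCCESS"

def create_opensearch_role_param(existing_role_names):
    """CreateOpensearchServiceRole: 'No' when the service-linked role exists."""
    return "No" if OPENSEARCH_SLR in existing_role_names else "Yes"

def already_have_config_setup_param(recorder_status, channel_status):
    """AlreadyHaveConfigSetup: 'Yes' only with a recorder that is ON and healthy plus a
    delivery channel whose stream, history and snapshot deliveries last reported SUCCESS."""
    recorder_ok = any(r.get("recording") and _ok(r.get("lastStatus"))
                      for r in recorder_status.get("ConfigurationRecordersStatus", []))
    channel_ok = any(all(_ok(c.get(k, {}).get("lastStatus")) for k in DELIVERY_KEYS)
                     for c in channel_status.get("DeliveryChannelsStatus", []))
    return "Yes" if recorder_ok and channel_ok else "No"

def nat_gateway_ids(route_tables):
    """Same result as --query 'RouteTables[].Routes[].NatGatewayId'."""
    return [r["NatGatewayId"] for rt in route_tables.get("RouteTables", [])
            for r in rt.get("Routes", []) if r.get("NatGatewayId")]

def check_region(region, private_subnet_ids):
    """Live check; expects one NAT gateway route per private subnet."""
    s = boto3.Session(region_name=region)
    try:
        s.client("iam").get_role(RoleName=OPENSEARCH_SLR)
        roles = [OPENSEARCH_SLR]
    except ClientError:  # e.g. NoSuchEntity: the role has not been created yet
        roles = []
    cfg = s.client("config")
    rts = s.client("ec2").describe_route_tables(
        Filters=[{"Name": "association.subnet-id", "Values": private_subnet_ids}])
    nats = nat_gateway_ids(rts)
    return {"CreateOpensearchServiceRole": create_opensearch_role_param(roles),
            "AlreadyHaveConfigSetup": already_have_config_setup_param(
                cfg.describe_configuration_recorder_status(),
                cfg.describe_delivery_channel_status()),
            "NatGatewayIds": nats,
            "NatGatewaysOk": len(nats) >= len(private_subnet_ids)}
```

The recorder and delivery channel status dicts are the responses of the describe_configuration_recorder_status and describe_delivery_channel_status API calls, which is the data the get-status CLI command prints.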