Step 7: Configuring a migration automation server - Cloud Migration Factory on AWS

Step 7: Configuring a migration automation server

The migration automation server is used to run migration automation.

Build a Windows Server 2019 or later server

We recommend creating the server in your AWS account, but it can also be created in your on-premises environment. If built in an AWS account, it must be in the same AWS account and Region as Cloud Migration Factory. To review the server requirements, refer to Migration automation server.

Wherever you deploy the Windows instance, it should be deployed as a standard Windows 2019 or later installation that meets your security and operational requirements.

Installing required software to support the automations

  1. Download Python v3.12.1.

  2. Log in as administrator, run the Python v3.12.1 installer, and choose Customize installation.

  3. Choose Next, and select Install for all users and Add Python to environment variables. Choose Install.

  4. Verify that you have administrator privileges, open cmd.exe, and run the following commands to install the Python packages one at a time:

    python -m pip install requests
    python -m pip install paramiko
    python -m pip install boto3

    If any of these commands fail, upgrade pip by running the following command:

    python -m pip install --upgrade pip
  5. Install AWS CLI (Command Line Interface).

  6. Install the PowerShell for AWS module, ensuring that the -Scope AllUsers parameter is included in the command.

    Install-Module -Name AWSPowerShell -Scope AllUsers
  7. Enable PowerShell script execution: open the PowerShell CLI as Administrator and run the following command:

    Set-ExecutionPolicy RemoteSigned
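
A preflight check for steps 1 through 7, added here as an example and not part of the Cloud Migration Factory solution. It assumes the commands are named python and aws on the PATH, and the $check variable is illustrative.

```powershell
# Added example, not part of the solution: preflight check for steps 1-7.
# Run in an elevated PowerShell session on the migration automation server.
$check = [ordered]@{}

# Steps 1-3: "Add Python to environment variables" should put python.exe on the PATH.
$py = Get-Command python -CommandType Application -ErrorAction SilentlyContinue |
    Select-Object -First 1
$check['python path'] = if ($py) { $py.Source } else { 'not found' }
if ($py) {
    $check['python version'] = "$(& $py.Source --version)"   # the page specifies 3.12.1
    # Step 4: every package must import in that interpreter.
    foreach ($pkg in 'requests', 'paramiko', 'boto3') {
        & $py.Source -c "import $pkg" 2>$null
        $check["import $pkg"] = ($LASTEXITCODE -eq 0)
    }
}

# Step 5: AWS CLI reachable from a new shell.
$check['aws cli on PATH'] = [bool](Get-Command aws -CommandType Application -ErrorAction SilentlyContinue)

# Step 6: -Scope AllUsers installs under Program Files; a module found only under a
# user profile is invisible to other accounts that run automation on this server.
$mod = Get-Module -ListAvailable -Name AWSPowerShell | Select-Object -First 1
$check['AWSPowerShell installed'] = [bool]$mod
if ($mod) {
    $check['AWSPowerShell all-users'] = $mod.ModuleBase.StartsWith(
        $env:ProgramFiles, [System.StringComparison]::OrdinalIgnoreCase)
}

# Step 7: Set-ExecutionPolicy writes the LocalMachine scope by default. Group Policy,
# Process and CurrentUser scopes take precedence, so report the effective value too.
$check['policy (LocalMachine)'] = Get-ExecutionPolicy -Scope LocalMachine
$check['policy (effective)']    = Get-ExecutionPolicy

$check.GetEnumerator() | Format-Table -AutoSize
```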

Configure AWS permissions for the migration automation server and install AWS Systems Manager Agent (SSM Agent)

Depending on where you deploy the migration execution server, choose one of the options below to configure AWS permissions for the migration automation server. The IAM role or policy provides the permission to the automation server and the access to AWS Secrets Manager to get agent installation keys and factory service account credentials. You can deploy the migration automation server either to AWS as an EC2 instance or on-premises.

Option 1: Use the following procedure to configure the permissions for the migration automation server in Amazon EC2 and in the same AWS account and Region as the factory.

  1. Navigate to the AWS CloudFormation console and select the solution’s stack.

  2. Select the Outputs tab, under the Key column, locate AutomationServerIAMRole and record the Value to use later in the deployment.

  3. Navigate to the Amazon Elastic Compute Cloud console.

  4. From the left navigation pane, select Instances.

  5. On the Instances page, use the Filter Instances field and enter the name of the migration execution server to find the instance.

  6. Select the instance and select Actions on the menu.

  7. Select Security from the drop-down list, and then select Modify IAM role.

  8. From the list of IAM roles, locate and select the IAM role containing the value for AutomationServerIAMRole that you recorded in Step 2, and choose Save.

  9. Use Remote Desktop Protocol (RDP) to log in to the migration automation server.

  10. Download and install SSM Agent on the migration automation server.

    Note

    By default, AWS Systems Manager Agent (SSM Agent) is preinstalled on Windows Server 2016 Amazon Machine Images. Perform this step only if the SSM Agent is not installed.

  11. Add the following tag to the migration automation server EC2 instance: Key = role and Value = mf_automation.

  12. Open the AWS Systems Manager console and choose Fleet Manager. Check the automation server status, and make sure the SSM Agent ping status is online.

Option 2: Use the following procedure to configure the permissions for the migration automation server on-premises.

  1. Navigate to the AWS CloudFormation console and select the solution’s stack.

  2. Select the Outputs tab, under the Key column, locate AutomationServerIAMPolicy and record the value to use later in the deployment.

  3. Navigate to the Identity and Access Management console.

  4. From the left navigation pane, select Users, then choose Add users.

  5. In the User name field, create a new user.

  6. Choose Next.

  7. On the Set permissions page, under Permissions options, select Attach policies directly. A list of policies displays.

  8. From the list of policies, locate and select the policy containing the value for AutomationServerIAMPolicy that you recorded in Step 2.

  9. Choose Next, then verify that the correct policy is selected.

  10. Choose Create user.

  11. After you're redirected to the Users page, choose the user you created in the previous step, and then choose the Security credentials tab.

  12. In the Access keys section, choose Create access key.

    Note

    Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. If you don't have access keys, you can create them from the AWS Management Console. As a best practice, do not use the root user access keys for any task where it's not required. Instead, create a new administrator IAM user with access keys for yourself.

    The only time that you can view or download the secret access key is when you create the keys. You cannot recover them later. However, you can create new access keys at any time. You must also have permissions to perform the required IAM actions. For more information, see Permissions required to access IAM resources in the IAM User Guide.

  13. To view the new access key pair, choose Show. You will not have access to the secret access key again after this dialog box closes. Your credentials will look something like this:

    • Access key ID: AKIAIOSFODNN7EXAMPLE

    • Secret access key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

  14. To download the key pair, choose Download .csv file. Store the keys in a secure location. You will not have access to the secret access key again after this dialog box closes.

    Important

    Keep the keys confidential to protect your AWS account and never email them. Do not share them outside your organization, even if an inquiry appears to come from AWS or Amazon.com. No one who legitimately represents Amazon will ever ask you for your secret key.

  15. After you download the .csv file, choose Close. When you create an access key, the key pair is active by default, and you can use the pair right away.

  16. Use Remote Desktop Protocol (RDP) to log in to the migration execution server.

  17. Signed in as an administrator, open a command prompt (CMD.exe).

  18. Run the following command to configure the AWS credentials on the server. Replace <your_access_key_id>, <your_secret_access key>, and <your_region> with your values:

    SETX /m AWS_ACCESS_KEY_ID <your_access_key_id>
    SETX /m AWS_SECRET_ACCESS_KEY <your_secret_access key>
    SETX /m AWS_DEFAULT_REGION <your_region>
  19. Reboot the automation server.

  20. Install the AWS Systems Manager agent using Hybrid mode (on-prem servers).

    1. Create a hybrid activation; see Create an activation (console) in the AWS Systems Manager User Guide. During this process, when asked to provide an IAM Role, select an existing IAM role and choose the role with the suffix -automation-server which was automatically created when the Cloud Migration Factory stack was deployed.

    2. Log in to the migration automation server as administrator.

    3. Install AWS Systems Manager Agent (SSM Agent); see Install SSM Agent for a hybrid and multicloud environment in the AWS Systems Manager User Guide. Use the hybrid activation created in substep 1 of step 20.

    4. Once the agent is successfully installed, in the AWS Systems Manager console, choose Fleet Manager. Identify the node ID with the mi- prefix and Online status.

    5. Select the Node ID and make sure the IAM role is the one you selected with the -automation-server suffix.

    6. Add the following tag for this Hybrid node: Key = role and Value = mf_automation. All lower case.
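
An end-state check covering both Option 1 and Option 2, added here as an example and not part of the Cloud Migration Factory solution. The $NodeId parameter and the Invoke-AwsJson helper are hypothetical names; the SSM and tag lookups assume the credentials in use are allowed to call them, otherwise run those parts from an administrator workstation.

```powershell
# Added example, not part of the solution. Run elevated on the migration automation server.
# $NodeId is a placeholder: the i-... instance ID (Option 1) or the mi-... node ID (Option 2).
param([Parameter(Mandatory)][string]$NodeId)

function Invoke-AwsJson([string[]]$CliArgs) {
    # Hypothetical helper: run an AWS CLI command, parse its JSON, return $null on failure.
    $out = & aws @CliArgs --output json 2>$null
    if ($LASTEXITCODE -eq 0 -and $out) { $out | Out-String | ConvertFrom-Json }
}
$report = [ordered]@{}

# 1. Which principal do the server's credentials resolve to? (needs no IAM permission)
$arn = [string](Invoke-AwsJson 'sts', 'get-caller-identity').Arn
$report['Caller ARN'] = $arn
$report['Credential source'] = switch -Regex ($arn) {
    ':assumed-role/' { 'IAM role (Option 1)'; break }
    ':user/'         { 'IAM user access key (Option 2)'; break }
    ':root$'         { 'ROOT access key: the page advises against this'; break }
    default          { 'could not resolve credentials' }
}

# 2. Option 2 stores the key machine-wide (SETX /m). Report presence only, never the value.
#    On EC2 the two key variables take precedence over the instance role, so with
#    Option 1 they should be absent.
foreach ($n in 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_DEFAULT_REGION') {
    $report["Machine env $n"] = [bool][Environment]::GetEnvironmentVariable($n, 'Machine')
}

# 3. Local agent service, then the node as Systems Manager sees it.
$svc = Get-Service -Name AmazonSSMAgent -ErrorAction SilentlyContinue
$report['SSM Agent service'] = if ($svc) { "$($svc.Status)" } else { 'not installed' }
$node = (Invoke-AwsJson 'ssm', 'describe-instance-information',
    '--filters', "Key=InstanceIds,Values=$NodeId").InstanceInformationList | Select-Object -First 1
$report['SSM ping status']   = $node.PingStatus   # expect Online
$report['SSM node IAM role'] = $node.IamRole      # hybrid node: the -automation-server role

# 4. Tag must be exactly role = mf_automation, all lower case (-ceq is case-sensitive).
$tags = if ($NodeId -like 'mi-*') {
    (Invoke-AwsJson 'ssm', 'list-tags-for-resource', '--resource-type', 'ManagedInstance',
        '--resource-id', $NodeId).TagList
} else {
    (Invoke-AwsJson 'ec2', 'describe-tags', '--filters', "Name=resource-id,Values=$NodeId").Tags
}
$report['Tag role=mf_automation'] =
    [bool]($tags | Where-Object { $_.Key -ceq 'role' -and $_.Value -ceq 'mf_automation' })

$report.GetEnumerator() | Format-Table -AutoSize
```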
