Solution Components - Ops Automator

Included Actions

Ops Automator features an extensive suite of actions that you can use to configure automated tasks. An action consists of metadata that specifies which resources and properties to select from AWS services, the aggregation level of the selected resources, the permissions required to access and modify those resources, and the code that implements the action logic. An action can be used in multiple tasks with different parameters or resource selection criteria.

To use an action, launch its task template. This creates a new task that defines the time interval or resource event that triggers the action, the action parameters that control how the task is performed, the tags that select the resources the action is applied to, and the accounts and Regions in which those resources are located. For more information about the task-configuration templates included with this solution, refer to Appendix A.

For a complete list of Ops Automator actions, refer to Appendix B.

Combining Actions

With Ops Automator, you can combine multiple task stacks to build end-to-end scenarios that handle complex tasks. Ops Automator actions can dynamically tag the resources they create or affect so that follow-up actions can select them. For example, you can configure one task to create snapshots of Amazon Elastic Block Store (Amazon EBS) volumes and tag those snapshots, and another task to select those snapshots by tag and delete them automatically based on a retention count or a number of retention days. For a sample configuration, see Appendix G.
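The retention logic of the follow-up task described above, as an added example written for this page (it is not the solution's own action code): snapshots are selected by the tag the first task set, then either the newest N per volume are kept or anything older than D days is expired. The tag key, the task name and the snapshot records are constructed assumptions, and the function returns a deletion plan instead of calling DeleteSnapshot so the result can be reviewed before anything destructive runs.

```python
"""Illustrative retention selection for a follow-up "delete snapshots" task.

Added example, not code from the Ops Automator solution. It models the
scenario in the text: one task created EBS snapshots and tagged them, and a
second task selects snapshots carrying that tag and deletes all but the most
recent N (retention count) or those older than D days (retention days).
The tag key "OpsAutomator:Task" and the task name "ebs-daily-snapshot" are
assumptions; the snapshot records are constructed for the example.
"""
from datetime import datetime, timedelta, timezone

TASK_TAG = "OpsAutomator:Task"     # assumed tag key set by the creating task
TASK_NAME = "ebs-daily-snapshot"   # assumed tag value identifying that task

NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed clock for reproducibility

# Constructed sample: what DescribeSnapshots might return, reduced to the fields
# the selection needs. snap-0004 belongs to another task and must never be
# selected; snap-0006 carries no tags at all.
SNAPSHOTS = [
    {"SnapshotId": "snap-0001", "VolumeId": "vol-a", "StartTime": NOW - timedelta(days=1),
     "Tags": {TASK_TAG: TASK_NAME}},
    {"SnapshotId": "snap-0002", "VolumeId": "vol-a", "StartTime": NOW - timedelta(days=3),
     "Tags": {TASK_TAG: TASK_NAME}},
    {"SnapshotId": "snap-0003", "VolumeId": "vol-a", "StartTime": NOW - timedelta(days=9),
     "Tags": {TASK_TAG: TASK_NAME}},
    {"SnapshotId": "snap-0004", "VolumeId": "vol-a", "StartTime": NOW - timedelta(days=30),
     "Tags": {TASK_TAG: "other-task"}},
    {"SnapshotId": "snap-0005", "VolumeId": "vol-b", "StartTime": NOW - timedelta(days=12),
     "Tags": {TASK_TAG: TASK_NAME}},
    {"SnapshotId": "snap-0006", "VolumeId": "vol-b", "StartTime": NOW - timedelta(days=40),
     "Tags": {}},
]


def select_tagged(snapshots, tag_key=TASK_TAG, tag_value=TASK_NAME):
    """Resource selection step: only snapshots carrying the creating task's tag."""
    return [s for s in snapshots if s["Tags"].get(tag_key) == tag_value]


def expired_by_count(snapshots, retention_count):
    """Keep the newest `retention_count` snapshots per volume; return the rest."""
    by_volume = {}
    for s in snapshots:
        by_volume.setdefault(s["VolumeId"], []).append(s)
    expired = []
    for vol_snaps in by_volume.values():
        vol_snaps.sort(key=lambda s: s["StartTime"], reverse=True)
        expired.extend(vol_snaps[retention_count:])
    return sorted(s["SnapshotId"] for s in expired)


def expired_by_days(snapshots, retention_days, now=NOW):
    """Return snapshots whose StartTime is older than `retention_days`."""
    cutoff = now - timedelta(days=retention_days)
    return sorted(s["SnapshotId"] for s in snapshots if s["StartTime"] < cutoff)


def plan_deletion(snapshots, retention_count=None, retention_days=None):
    """Combine tag selection with exactly one retention rule.

    Returns the list of snapshot IDs that would be deleted. Raising when both
    or neither rule is given avoids silently deleting everything.
    """
    if (retention_count is None) == (retention_days is None):
        raise ValueError("specify exactly one of retention_count or retention_days")
    candidates = select_tagged(snapshots)
    if retention_count is not None:
        return expired_by_count(candidates, retention_count)
    return expired_by_days(candidates, retention_days)


if __name__ == "__main__":
    print("by count (keep 2 per volume):", plan_deletion(SNAPSHOTS, retention_count=2))
    print("by age (older than 7 days):  ", plan_deletion(SNAPSHOTS, retention_days=7))
```

Note that snap-0004 is never selected even though it is the oldest snapshot on vol-a: the second task only ever sees resources carrying the first task's tag, which is what makes chaining tasks by tag safe to run unattended.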

You can set actions to be triggered by resource-specific or tag-modification events, enabling you to construct event-driven workflows.

The solution includes an example template you can use to combine and deploy multiple tasks as custom resources from a single AWS CloudFormation template. You can find the template in the solution’s Amazon Simple Storage Service (Amazon S3) bucket in the TaskConfigurations/ScenarioTemplates folder. For more information, refer to Appendix H.

Role and Task Templates

When you deploy Ops Automator, the solution automatically creates an Amazon S3 bucket in the primary account that contains folders with configuration templates and scripts for creating tasks.

One folder (AccountsConfiguration) contains the templates required to create the AWS Identity and Access Management (IAM) role necessary to perform tasks in secondary accounts, and to forward events from these secondary accounts to the primary account.

Another folder (TaskConfiguration) contains templates to create tasks based on parameters you define.

The bucket also contains an HTML file (ActionsConfiguration.html) that lists all available actions. When you download this file and open it in a web browser, you can use the links in it to open the AWS Management Console and create a task for the selected action.

If you delete the Ops Automator stack in the primary account, all task stacks and configurations are deleted.

Task Execution Across Accounts

Role Configuration

To perform tasks on resources in secondary accounts, you must launch the role configuration template (AccountRoleConfiguration.template) in each secondary account. The role configuration stack creates an IAM role in the secondary account whose trust relationship allows the IAM role in the Ops Automator primary stack to assume it, which is what lets the solution's Lambda function make the required API calls across accounts.

The role configuration template includes AWS CloudFormation parameters for every available Ops Automator action grouped by AWS service. To give the Lambda function permission to perform a specific action in the secondary account, set the applicable parameter to Yes. For example, to allow the solution to create backups in Amazon DynamoDB in the secondary account, set the DynamoDB Create backup parameter to Yes.

The template includes a parameter (Custom Rolename) that allows you to specify a custom role name that you can use for task execution in secondary accounts. A custom role name allows you to split Ops Automator permissions into smaller subsets for groups of tasks, or to specify a name that complies with company naming standards.

Important

If you want to perform tasks on resources in the primary account, you must also deploy the AccountRoleConfiguration template in the primary account. Use the same value for the Custom Rolename parameter in every stack. For example, if you deploy the Ops Automator stack in account A and want to run the Amazon EC2 Create Snapshot task in accounts A and B, you must deploy the template in both account A and account B, with the same Custom Rolename in each.

The solution is configured to use the default role name (<ops-automator-stackname>-OpsAutomatorActionsRole). If you want to use a custom role name, you must specify the custom name in the Cross-Account Role name parameter in the applicable task template. The solution uses this role to run the task in all applicable secondary accounts.

Important

We recommend using AWS CloudFormation StackSets to deploy these stacks in an easy and consistent way.

Event Forwarding

Ops Automator tasks can be triggered by events. For example, a task that starts an Amazon Elastic Compute Cloud (Amazon EC2) instance can be triggered when tags are set on an instance. To enable the solution to trigger these event-based tasks across accounts and Regions, the events from those accounts and Regions must be forwarded to the primary account. Use the event forwarder template (AccountForwardEvents) to forward events from secondary accounts and Regions to the primary account. You must deploy this template in each applicable secondary account and Region to forward events.

When the event forwarder stack is launched, it creates Amazon CloudWatch Events rules for the selected events and uses an AWS Lambda function to forward those events to the primary Ops Automator Lambda function through an Amazon Simple Notification Service (Amazon SNS) topic. The applicable accounts are automatically granted permission to publish events to the SNS topic.

The event forwarder template includes AWS CloudFormation parameters for every available event. To give the Lambda function permission to forward a specific event to the primary account, set the applicable parameter to Yes. For example, to allow the solution to forward tag-change events for Amazon EC2, set the EC2 Tag Change events parameter to Yes.
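Both cross-account grants on this page, the trust relationship created by AccountRoleConfiguration (Role Configuration, above) and the publish permission on the event-forwarding SNS topic (Event Forwarding), are worth auditing after deployment. The check below is an added example written for this page, not part of the solution: it runs offline over policy documents you would fetch with `aws iam get-role` (the AssumeRolePolicyDocument) and `aws sns get-topic-attributes` (the Policy attribute), and reports any trust that is wider than the single primary-account role, or any publish grant from an account you did not expect. The account IDs, the role name, the topic ARN and the four policy documents are constructed placeholders, not copied from the solution's templates.

```python
"""Offline audit of the two cross-account grants Ops Automator relies on.

Added example, not part of the Ops Automator solution. It checks that:
  1. the role created in a secondary account trusts only the Ops Automator
     role in the primary account (not the whole account, not "*"), and
  2. the SNS topic receiving forwarded events allows sns:Publish only from
     the expected secondary account IDs.
Account IDs, role name and topic ARN are placeholders; the policy documents
are constructed for the example, not copied from the solution's templates.
"""
import json

PRIMARY_ACCOUNT = "111111111111"                         # placeholder
SECONDARY_ACCOUNTS = {"222222222222", "333333333333"}    # placeholder
# Assumed name of the role in the primary stack that assumes the cross-account role.
PRIMARY_ROLE_ARN = f"arn:aws:iam::{PRIMARY_ACCOUNT}:role/ops-automator-OpsAutomatorLambdaRole"
TOPIC_ARN = f"arn:aws:sns:us-east-1:{PRIMARY_ACCOUNT}:ops-automator-events"  # placeholder

# Constructed policy documents, as they look after JSON decoding.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": PRIMARY_ROLE_ARN}, "Action": "sts:AssumeRole"}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [   # trusts every principal in the account
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{PRIMARY_ACCOUNT}:root"},
     "Action": "sts:AssumeRole"}]}
GOOD_TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": sorted(SECONDARY_ACCOUNTS)},
     "Action": "sns:Publish", "Resource": TOPIC_ARN}]}
BAD_TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [   # anyone may publish
    {"Effect": "Allow", "Principal": "*", "Action": "sns:Publish", "Resource": TOPIC_ARN}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principals(stmt):
    """Flatten the Principal element to a set of AWS principal strings.

    Service principals are ignored on purpose: the forwarder Lambda publishes
    with IAM credentials, so only the "AWS" key matters for this check.
    """
    p = stmt.get("Principal", {})
    if p == "*":
        return {"*"}
    return set(_as_list(p.get("AWS", [])))


def _account_of(principal):
    """Account ID from an ARN or a bare 12-digit ID; "*" stays "*"."""
    if principal == "*":
        return "*"
    if principal.startswith("arn:"):
        return principal.split(":")[4]
    return principal


def trust_policy_findings(trust_doc, expected_role_arn):
    """Problems with a cross-account role's trust policy; [] means tightly scoped."""
    if isinstance(trust_doc, str):
        trust_doc = json.loads(trust_doc)
    findings = []
    for stmt in trust_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        for p in _principals(stmt):
            if p == "*":
                findings.append("trust policy allows any principal ('*')")
            elif p.endswith(":root"):
                findings.append(f"trust policy allows the whole account {_account_of(p)}")
            elif p != expected_role_arn:
                findings.append(f"unexpected principal {p}")
    return findings


def topic_policy_findings(policy_doc, allowed_accounts):
    """Publish grants on the forwarding topic must come only from listed accounts."""
    if isinstance(policy_doc, str):      # SNS returns the Policy attribute as a string
        policy_doc = json.loads(policy_doc)
    findings = []
    for stmt in policy_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not ({"sns:publish", "sns:*", "*"} & actions):
            continue
        for p in _principals(stmt):
            acct = _account_of(p)
            if acct == "*":
                findings.append("topic allows publish from any principal ('*')")
            elif acct not in allowed_accounts:
                findings.append(f"topic allows publish from unexpected account {acct}")
    return findings


if __name__ == "__main__":
    print(trust_policy_findings(GOOD_TRUST, PRIMARY_ROLE_ARN))            # []
    print(trust_policy_findings(BAD_TRUST, PRIMARY_ROLE_ARN))
    print(topic_policy_findings(GOOD_TOPIC_POLICY, SECONDARY_ACCOUNTS))   # []
    print(topic_policy_findings(BAD_TOPIC_POLICY, SECONDARY_ACCOUNTS))
```

Run it against the real documents after each StackSet deployment: a role trusting the primary account's root principal would let any principal in that account, not only the solution's Lambda role, act in every secondary account, and a topic that accepts publishes from unexpected accounts would let those accounts inject events that trigger tasks.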

Important

We recommend using AWS CloudFormation StackSets to deploy these stacks in an easy and consistent way.

Placeholders

Ops Automator features several placeholders you can use in parameters such as names, prefixes, descriptions, and tag names and values set by Ops Automator actions. Placeholders have the format {name}. When tasks are run, placeholders are replaced with dynamic values. This allows the solution to give created resources dynamic names and descriptions, and to set dynamic tag names and values on created or affected resources. For more information, refer to Appendix E.

Performance

Ops Automator is designed to accommodate task processing for a large number of resources. By default, this solution enables on-demand provisioning for its Amazon DynamoDB tables to provide sufficient read and write capacity to store tracking and configuration data for each resource it manages. Some actions include parameters that enable you to select larger Lambda functions to run specific steps of a task.

Daily Backups

Ops Automator creates a daily backup of the Amazon DynamoDB configuration table. Configuration backup files are stored in the Backups folder in the solution’s Amazon S3 bucket. The solution’s primary template includes a parameter where you define the retention period for these backup files.

Logging and Notifications

Ops Automator uses Amazon CloudWatch Logs for logging. The solution logs which AWS Lambda function handled each event; when each task was run; which tasks were run; the state of implemented tasks; whether each task completed; which resources were selected for each task; the execution time of the next task; and debugging, warning, and error messages. For more information, refer to Appendix F.

Warning and error messages are also published to a solution-created Amazon Simple Notification Service (Amazon SNS) topic. You can find the name of the Amazon SNS topic in the Outputs tab of the primary solution stack. The topic name is the value of the IssueSNSTopic key.

You can also configure tasks to send notifications for every started or completed task using the TaskNotifications parameter in the task template. If you set this parameter, a notification is sent to the Amazon SNS topic when the task execution starts and completes. You can find the name of the Amazon SNS topic in the Outputs tab of the primary solution stack. The topic name is the value of the NotificationSNSTopic key.

Amazon S3 Buckets

This solution creates two Amazon S3 buckets. One bucket (<ops-automator-stackname>-task-resources-suffix) is used to store resource information for resources that are larger than 16 MB. The other bucket (<ops-automator-stackname>-reporting-suffix) is used to store reports generated by tasks. The folder structure of this bucket is /actionname/taskname/reportname.