Automated deployment - Ops Automator

Automated deployment

Before you launch this solution, review the considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy Ops Automator into your account.

Time to deploy: Approximately 15 minutes

Deployment overview

The procedure for deploying this architecture on AWS consists of the following steps. For detailed instructions, follow the links for each step.

Step 1. Launch the Ops Automator stack in the primary account

  • Launch the AWS CloudFormation template into your primary AWS account.

  • Enter values for required parameters: Stack Name.

  • Review the other template parameters, and adjust if necessary.

  • (Optional) Create an Amazon Elastic Container Service (Amazon ECS) image.

Step 2. Launch a Task Template in the Primary Account

  • Launch the applicable task-configuration AWS CloudFormation template into the primary account.

  • Review the template parameters, and adjust if necessary.

Step 3. (Optional) Launch a role template in the secondary account(s)

  • Launch the applicable role AWS CloudFormation template into the secondary account with applicable resources.

  • Enter values for required parameters: Stack Name.

  • Review the other template parameters, and adjust if necessary.

Step 4. (Optional) Launch the event forwarder template in secondary account(s)

  • Launch the applicable event forwarder AWS CloudFormation template into the secondary account with applicable resources.

  • Enter values for required parameters: Stack Name.

  • Review the other template parameters, and adjust if necessary.

Step 5. Tag Your Resources

  • Apply the custom tag to applicable resources.

Step 1. Launch the Ops Automator stack in the primary account

You must deploy this AWS CloudFormation template in your primary account. Launch this template using an AWS Identity and Access Management (IAM) role specifically created for this purpose. For more information, refer to the Security section.

Note

You are responsible for the cost of the AWS services used while running this solution. Refer to the Cost section for more details. For full details, refer to the pricing webpage for each AWS service you will be using in this solution.

  1. Sign in to the AWS Management Console and use the button below to launch the ops-automator AWS CloudFormation template.

    
    [Ops Automator launch button]

    Optionally, you can download the template as a starting point for your own implementation.

  2. The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the console navigation bar.

    Note

    Ops Automator is not available in the AWS GovCloud (US) Regions at this time.

  3. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box and choose Next.

  4. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and STS quotas in the AWS Identity and Access Management User Guide.

  5. Under Parameters, review the parameters for the template, and modify them as necessary. This solution uses the following default values.

    | Parameter | Default | Description |
    |---|---|---|
    | Task Scheduler Tag Name | OpsAutomatorTaskList | The tag key (name) that identifies applicable resources. The tag value will contain the list of tasks to be performed on tagged resources. Refer to Step 5 for detailed information. |
    | Enable CloudWatch Metrics | Yes | Choose whether to collect CloudWatch Metrics data for Ops Automator. You can configure detailed metrics for individual tasks at the task level. |
    | Schedule active? | Yes | Choose whether to activate the scheduling task feature. |
    | Clean up task tracking table? | Yes | Choose whether to clean the task tracking table. |
    | Export Task Tracking Table to Amazon S3 | No | Choose whether to export the task tracking table to Amazon S3. |
    | Hours to keep tasks? | 168 | The number of hours to keep a task before it is automatically deleted from the tracking table. |
    | Keep failed tasks? | Yes | Choose whether to store failed tasks in the Amazon DynamoDB table. |
    | Log Retention Days | 30 | The number of days to keep logs before they are automatically deleted from the tracking table. |
    | Days to keep configuration backups | 7 | The number of days to keep a configuration backup file before it is automatically deleted. |
    | ECS/Fargate | No | Choose whether Ops Automator should use Fargate to run tasks. |
    | Cluster VPC | <blank> | Optional - Existing VPC Id to use for Fargate. |
    | Cluster Subnets | <blank> | Optional - Comma-separated list of two existing VPC Subnet Ids where ECS instances will run. Required if setting VPC. |
    | Cluster Availability Zones | <blank> | Optional - Comma-delimited list of VPC availability zones in which to create subnets. Required if setting VPC. |

  6. Choose Next.

  7. On the Options page, choose Next.

  8. On the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  9. Choose Create to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a status of CREATE_COMPLETE in approximately 15 minutes.

(Optional) Create an Amazon ECS image

If you chose the Amazon ECS/AWS Fargate option in Step 1.5 (modifying the parameters), you must create a Docker image and upload it to the ECS repository, ops-automator. This process assumes that you are familiar with Docker and have the Docker software installed locally. Refer to Appendix J for detailed instructions.

Step 2. Launch a Task Template in the Primary Account

Before you configure a task, review the information in Appendix A for the applicable action.

Note

If you used the ActionsConfiguration.html file to launch the task, continue to Step 2.7. For more information on the file, refer to Role and Task Templates.

  1. In the primary account’s Amazon Simple Storage Service (Amazon S3) console, navigate to the bucket for the Ops Automator solution stack.

    Note

    You can find the name of the S3 bucket in the AWS CloudFormation stack Outputs tab. The bucket name is the value of the ConfigurationBucketName key.

  2. In the TaskConfiguration folder, select the applicable template.

  3. Copy the Link value.

  4. In the AWS CloudFormation console, select Create Stack.

  5. Select Specify an Amazon S3 template URL.

  6. Paste the template link into the text box and select Next.

  7. Enter a Stack name.

  8. Under Parameters, review the parameters for the template and modify them as necessary. For more information, refer to Appendix A.

  9. Select Next.

  10. Select Next. Then, on the Review page, review and confirm the settings. Be sure to check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  11. Choose Create to deploy the stack.

Note

If you delete the Ops Automator stack, all task stacks and configurations will be deleted.

Step 3. (Optional) Launch a role template in the secondary account(s)

Use this procedure to create a role to perform tasks on resources in secondary accounts.

Note

This role template is generated by the primary Ops Automator stack. The template will only set up a trust relationship between a secondary account and the primary account for which this template was generated. If you run multiple Ops Automator stacks in a single account, verify that you select the template from the Ops Automator stack you want to give the secondary account access to.

  1. In the primary account’s Amazon S3 console, navigate to the bucket for the Ops Automator solution stack.

    Note

    You can find the name of the Amazon S3 bucket in the AWS CloudFormation stack Outputs tab. The bucket name is the value of the ConfigurationBucketName key.

  2. In the AccountsConfiguration folder, select the AccountRoleConfiguration template.

  3. Select Download and note the location of the downloaded template.

  4. In the secondary account’s AWS CloudFormation console, select Create Stack.

    Important

    You must deploy the AccountRoleConfiguration template in the primary account if you want to perform tasks on resources in the primary account. You must also use the same value for the Custom Rolename parameter across all stacks. For more information, refer to Role configuration.

  5. Select Upload a template to Amazon S3.

  6. Select Choose File.

  7. Navigate to the downloaded template and select Choose. Then, select Next.

  8. Enter a Stack name and select Next.

  9. To give the Ops Automator Lambda function in the primary account access to actions in the secondary account, set the applicable parameters to Yes. For example, to allow the solution to create backups in Amazon DynamoDB in the secondary account, set the DynamoDB Create backup parameter to Yes.

  10. Optional: Enter a Custom Rolename. For more information, refer to Role Configuration.

  11. Select Next. Then, on the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  12. Choose Create to deploy the stack.

  13. After the stack deploys, navigate to the stack Outputs tab and copy the Value of the CrossAccountRoleArn key.
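
The note at the start of this step says the role template sets up trust only between the secondary account and the primary account it was generated for. The following added example (not part of the Ops Automator solution or the original guide) checks a role's trust policy against that expectation. The account IDs, role name and both policy documents are constructed placeholders, and the policy the template actually generates may be shaped differently.

```python
import re

# Placeholder account IDs and role name; both policies below are constructed samples.
PRIMARY_ACCOUNT = "111111111111"
EXPECTED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/ExampleOpsAutomatorRole"}}]}
DRIFTED = {"Version": "2012-10-17", "Statement": [
    EXPECTED["Statement"][0],
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "*"]}}]}


def principal_account(principal):
    """Return the 12-digit account ID named by an IAM AWS principal, or None."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    match = re.fullmatch(r"arn:aws[\w-]*:(?:iam|sts)::(\d{12}):.+", principal)
    return match.group(1) if match else None


def audit_trust_policy(policy, primary_account=PRIMARY_ACCOUNT):
    """Return findings for Allow statements that trust anyone but the primary account."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in stmt:
            findings.append(f"statement {index}: NotPrincipal in an Allow statement")
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for value in [values] if isinstance(values, str) else values:
                if kind != "AWS":
                    findings.append(f"statement {index}: {kind} principal {value}")
                elif principal_account(value) != primary_account:
                    findings.append(f"statement {index}: untrusted principal {value}")
    return findings
```

To run it against a deployed role, pass in the AssumeRolePolicyDocument that `aws iam get-role` returns for the role named in the CrossAccountRoleArn output.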

Step 4. (Optional) Launch the event forwarder template in secondary account(s)

Use this procedure to forward events from secondary accounts to the primary account. Launch this template in each applicable account and each applicable Region.

Important

To use actions triggered by events across accounts and Regions, you must deploy the event forwarder AWS CloudFormation template (AccountForwardEvents) in each applicable account and Region, and you must deploy the account role configuration template (AccountRoleConfiguration) in each account.

  1. In the primary account’s Amazon S3 console, navigate to the bucket for the Ops Automator solution stack.

    Note

    You can find the name of the Amazon S3 bucket in the AWS CloudFormation stack Outputs tab. The bucket name is the value of the ConfigurationBucketName key.

  2. In the AccountsConfiguration folder, select the AccountForwardEvents AWS CloudFormation template.

  3. Copy the Link value.

  4. In the secondary account, navigate to the AWS CloudFormation console and under StackSets, select View stacksets.

  5. On the StackSets page, select Create StackSet.

  6. Select Specify an Amazon S3 template URL.

  7. Paste the template link into the text box and select Next.

  8. Enter a StackSet name.

  9. To forward events from this account to the primary account, set the applicable parameters to Yes. For example, to allow the solution to forward tag-change events for Amazon EC2, set the EC2 Tag Change events parameter to Yes.

  10. Select Next.

  11. Select Next. Then, on the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  12. Choose Create to deploy the stack.

Step 5. Tag Your Resources

When you deployed the AWS CloudFormation template, you defined the tag key for the solution’s custom tag. For Ops Automator to recognize a resource, the tag key on that resource must match the custom tag name stored in the solution’s Amazon DynamoDB table. Therefore, it is important that you apply tags consistently and correctly to all applicable resources. You can continue to use existing tagging strategies for your resources while using this solution.

On the AWS Management Console, use the Tag Editor to apply or modify tags for multiple resources. You can also apply and modify tags manually in the console.

Setting the Tag Value

As you apply a tag to a resource, use the tag key you defined during initial configuration and set the tag value to the name of an Ops Automator task stack to perform that task on the resource. For example, a user might define OpsAutomatorTaskList as the tag key. Then, the user creates a stack called CopyResource. To identify the resources to be copied, the user assigns the OpsAutomatorTaskList tag key with a value of CopyResource to each resource.

To perform multiple tasks on a single resource, use a comma-separated list of those tasks as the tag value. Continuing from the previous example, a user can assign the OpsAutomatorTaskList tag key with the value CopyResource,DeleteResource to identify resources to be copied, then deleted.
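
Because the tag value decides which tasks run on a resource, it is worth auditing tag data before the automation acts on it. The following added example (not part of the Ops Automator solution or the original guide) parses the comma-separated tag value described above and flags near-miss tag keys, stray whitespace and task names that match no task stack. The resource IDs and inventory are constructed, and the set of known task stacks is assumed to be the two names from the guide's example.

```python
# Tag key and task stack names are from the guide's example; SAMPLE is constructed.
TAG_KEY = "OpsAutomatorTaskList"
KNOWN_TASKS = {"CopyResource", "DeleteResource"}
SAMPLE = {
    "vol-0001": {"OpsAutomatorTaskList": "CopyResource,DeleteResource"},
    "vol-0002": {"opsautomatortasklist": "CopyResource"},          # wrong key case
    "vol-0003": {"OpsAutomatorTaskList": "CopyResource, DeletResource"},  # typo
    "vol-0004": {"Name": "scratch"},                               # not managed
}


def parse_task_list(value):
    """Split a tag value into task names and report malformed entries."""
    tasks, problems = [], []
    for raw in value.split(","):
        name = raw.strip()
        if not name:
            problems.append("empty entry in task list")
            continue
        if name != raw:
            problems.append(f"whitespace around {name!r}")
        tasks.append(name)
    return tasks, problems


def audit_resource(resource_id, tags, tag_key=TAG_KEY, known=KNOWN_TASKS):
    """Return (tasks, findings) for one resource's tag dictionary."""
    findings = []
    # AWS tag keys are case-sensitive, so a near-miss key will not match.
    for key in tags:
        if key != tag_key and key.strip().lower() == tag_key.lower():
            findings.append(f"{resource_id}: key {key!r} does not match {tag_key!r}")
    if tag_key not in tags:
        return [], findings
    tasks, problems = parse_task_list(tags[tag_key])
    findings += [f"{resource_id}: {p}" for p in problems]
    findings += [f"{resource_id}: unknown task {t!r}" for t in tasks if t not in known]
    return tasks, findings


def audit_inventory(inventory):
    """Audit every resource; return ({resource_id: tasks}, findings)."""
    plan, findings = {}, []
    for resource_id, tags in inventory.items():
        tasks, found = audit_resource(resource_id, tags)
        if tasks:
            plan[resource_id] = tasks
        findings += found
    return plan, findings
```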