Oparin

Amazon EC2 Providers

Permissions for Amazon EC2 Providers

Restricting API access further can limit Automate capabilities, because Automate scripts call the AWS SDK directly to implement new application functionality.

The AWS services primarily accessed by the ManageIQ API include:

  • Elastic Compute Cloud (EC2)

  • CloudFormation

  • CloudWatch

  • Elastic Load Balancing

  • Simple Notification Service (SNS)

  • Simple Queue Service (SQS)

Manually Creating an Amazon EC2 Role

To eliminate the need to assign Admin group privileges to the Amazon EC2 provider, create an IAM role following the procedure described in Creating a Role for an AWS Service (Console) in the Amazon Web Services documentation.

Use the following parameters:

  1. Select EC2 as the service the role will use.

  2. Attach the following permissions:

    1. AmazonEC2FullAccess

    2. AmazonS3FullAccess

    3. AmazonSQSFullAccess

  3. Enter smartstate for the Role name.

Once the IAM role is created, assign the provider Power User privileges as described in Permissions for Amazon EC2 Providers.
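The same role, built with the AWS SDK for Ruby instead of the console, as an added example that is not part of the original ManageIQ documentation. It assumes the aws-sdk-iam gem for a real run; the `RecordingIamClient` stand-in is invented here so the code executes without an AWS account.

```ruby
require 'json'

ROLE_NAME = "smartstate".freeze

# AWS-managed policies the procedure attaches to the role.
MANAGED_POLICY_ARNS = %w[
  arn:aws:iam::aws:policy/AmazonEC2FullAccess
  arn:aws:iam::aws:policy/AmazonS3FullAccess
  arn:aws:iam::aws:policy/AmazonSQSFullAccess
].freeze

# "Select EC2 as the service the role will use" in the console produces this
# trust policy: only the EC2 service principal may assume the role.
def smartstate_trust_policy
  {
    "Version" => "2012-10-17",
    "Statement" => [{
      "Effect" => "Allow",
      "Principal" => { "Service" => "ec2.amazonaws.com" },
      "Action" => "sts:AssumeRole"
    }]
  }
end

# Creates the role and attaches the three policies through any object that
# responds to create_role and attach_role_policy with the keyword arguments of
# Aws::IAM::Client (aws-sdk-iam gem). Returns the ARNs that were attached.
def create_smartstate_role(iam)
  iam.create_role(role_name: ROLE_NAME,
                  assume_role_policy_document: JSON.generate(smartstate_trust_policy),
                  description: "ManageIQ SmartState analysis role")
  MANAGED_POLICY_ARNS.each { |arn| iam.attach_role_policy(role_name: ROLE_NAME, policy_arn: arn) }
  MANAGED_POLICY_ARNS
end

# Hypothetical stand-in for Aws::IAM::Client: records each call's keyword
# arguments so the example can run offline.
class RecordingIamClient
  attr_reader :calls
  def initialize
    @calls = []
  end
  def create_role(**args)
    @calls << [:create_role, args]
  end
  def attach_role_policy(**args)
    @calls << [:attach_role_policy, args]
  end
end

iam = RecordingIamClient.new
create_smartstate_role(iam)
iam.calls.each { |name, args| puts "#{name} #{args[:role_name]} #{args[:policy_arn]}" }
```

With a real client, replace `RecordingIamClient.new` by `Aws::IAM::Client.new(region: "us-east-1")` after `require 'aws-sdk-iam'`.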

Adding Amazon EC2 Providers

Complete the following procedure to add an Amazon EC2 cloud provider in ManageIQ.

  1. Browse to menu: Compute > Clouds > Providers.

  2. Click Configuration, then click Add a New Cloud Provider.

  3. Enter a Name for the provider.

  4. From the Type list, select Amazon EC2.

  5. Select a Region.

  6. Select the appropriate Zone if you have more than one available.

  7. Under Endpoints, click the Default tab.

    1. Enter the Endpoint URL.

      Note:

      AWS allows users to set a custom endpoint URL when connecting to certain services, which you can add in the ManageIQ user interface per Amazon EC2 provider. See Interface VPC Endpoints (AWS PrivateLink) for more information.

    2. Generate an Access Key in the Security Credentials of your Amazon AWS account. The Access Key ID acts as your User ID, and your Secret Access Key acts as your Password.

    3. Click Validate to validate the credentials.

  8. Click the SmartState Docker tab.

    1. Enter the SmartState Docker User Name and SmartState Docker Password.

  9. Click Add.

Enabling Public AMIs from Amazon EC2

By default, public AMIs from an Amazon EC2 provider are not viewable in ManageIQ. To make these images viewable, you must edit the main configuration file for the appliance.

Note:

Syncing all public images may require additional memory resources. Also, bear in mind that syncing happens in each configured Amazon EC2 provider, which will require a similar amount of total memory resources.

  1. Browse to the settings menu, then menu: Configuration > Zone > Advanced.

  2. Select the configuration file to edit from the File list. If not already automatically selected, select EVM Server Main Configuration.

  3. Set the get_public_images parameter:

    1. Set the parameter to get_public_images: true to make public images viewable.

    2. Set the parameter to get_public_images: false to make public images not viewable.

  4. Optionally, configure an array of filters in public_images_filters to restrict which images are synced. See http://docs.aws.amazon.com/sdkforruby/api/Aws/EC2/Client.html#describe_images-instance_method for more details.

Enabling AWS Config Notifications

Amazon’s AWS Config notifies subscribers of changes in a region through its Simple Notification Service (SNS). ManageIQ subscribes to the SNS service for AWS Config deltas and converts the deltas into ManageIQ events.

  1. Enable the AWS Config service in the AWS Management Console. See the AWS Config Developer Guide for more information.

  2. Create a new Amazon SNS topic named AWSConfig_topic. ManageIQ automatically connects to this topic.

  3. (Optional) Configure the frequency of delta creation in the AWS Management Console.

You can assign ManageIQ policies to the AWS events listed below. The appliance performs a provider refresh on all these events except for AWS_EC2_Instance_UPDATE.

  Event                            Policies                Refresh
  AWS_EC2_Instance_CREATE          src_vm, vm_create       ems
  AWS_EC2_Instance_UPDATE          N/A                     ems
  AWS_EC2_Instance_running         src_vm, vm_start        ems
  AWS_EC2_Instance_stopped         src_vm, vm_power_off    ems
  AWS_EC2_Instance_shutting-down   src_vm, vm_power_off    ems

Enabling Amazon EC2 Events

After adding an Amazon EC2 provider and configuring an SNS topic in Enabling AWS Config Notifications, create a CloudTrail, then configure CloudWatch rules on your EC2 provider to automatically get events in ManageIQ for monitoring the provider.

Note:

The following procedures are accurate at time of publishing. See the Amazon AWS documentation for further details on these steps.

Creating a CloudTrail

In the CloudTrail area of the AWS Management Console, create a trail and an S3 bucket:

  1. Create a Trail with a custom name.

  2. (Optional) If you want to apply the trail to all of your ManageIQ regions, select Yes for Apply trail to all regions.

  3. For Management Events, select Read/Write events: All.

  4. Create a new S3 bucket.

Creating CloudWatch Rules Based on Event Patterns

In the CloudWatch area of the AWS Management Console, create the following rules: one each for EC2 API calls, EC2 instance state changes, volumes, and snapshots.

When an SNS topic is deleted and recreated (manually or by ManageIQ), the CloudWatch rules must be recreated as well. Although the recreated topic still appears as the target of the existing rules, the rules do not deliver events to it until they are recreated too.

To create a CloudWatch rule for EC2:

  1. Browse to menu: Events > Rules and click Create rule.

  2. Select the Event Pattern radio button to specify the event source.

  3. Edit the Event Pattern Preview box, and paste and save the following code to create a rule based on a custom event pattern:

    {
      "source": [
        "aws.ec2"
      ],
      "detail-type": [
        "AWS API Call via CloudTrail"
      ],
      "detail": {
        "eventSource": [
          "ec2.amazonaws.com"
        ]
      }
    }
    
  4. Click Add target and specify the following attributes:

    • Type: SNS Topic

    • Topic: AWSConfig_topic

    • Input: Matched event

  5. Click Configure Details to save these details.

  6. Configure a name and description for the rule if desired. Ensure the Enabled checkbox is selected for State.

  7. Click Create rule to save the CloudWatch rule.

Repeat the same procedure to create a CloudWatch rule for EC2 Instance State-changes:

  1. Browse to menu: Events > Rules and click Create rule.

  2. Select the Event Pattern radio button to specify the event source.

  3. Edit the Event Pattern Preview box, and paste and save the following code to create a rule based on a custom event pattern:

    {
      "source": [
        "aws.ec2"
      ],
      "detail-type": [
        "EC2 Instance State-change Notification"
      ]
    }
    
  4. Click Add target and specify the following attributes:

    • Type: SNS Topic

    • Topic: AWSConfig_topic

    • Input: Matched event

  5. Click Configure Details to save these details.

  6. Configure a name and description for the rule if desired. Ensure the Enabled checkbox is selected for State.

  7. Click Create rule to save the CloudWatch rule.

Repeat the same procedure to create a CloudWatch rule for volumes, pasting the code snippet below to the Event Pattern Preview box:

  1. Browse to menu: Events > Rules and click Create rule.

  2. Select the Event Pattern radio button to specify the event source.

  3. Edit the Event Pattern Preview box, and paste and save the following code to create a rule based on a custom event pattern:

    {
      "source": [
        "aws.ec2"
      ],
      "detail-type": [
        "EBS Volume Notification"
      ]
    }
    
  4. Click Add target and specify the following attributes:

    • Type: SNS Topic

    • Topic: AWSConfig_topic

    • Input: Matched event

  5. Click Configure Details to save these details.

  6. Configure a name and description for the rule if desired. Ensure the Enabled checkbox is selected for State.

  7. Click Create rule to save the CloudWatch rule.

Repeat the same procedure to create a CloudWatch rule for snapshots, pasting the code snippet below to the Event Pattern Preview box:

  1. Browse to menu: Events > Rules and click Create rule.

  2. Select the Event Pattern radio button to specify the event source.

  3. Edit the Event Pattern Preview box, and paste and save the following code to create a rule based on a custom event pattern:

    {
      "source": [
        "aws.ec2"
      ],
      "detail-type": [
        "EBS Snapshot Notification"
      ]
    }
    
  4. Click Add target and specify the following attributes:

    • Type: SNS Topic

    • Topic: AWSConfig_topic

    • Input: Matched event

  5. Click Configure Details to save these details.

  6. Configure a name and description for the rule if desired. Ensure the Enabled checkbox is selected for State.

  7. Click Create rule to save the CloudWatch rule.

EC2 can now automatically refresh events in ManageIQ.
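To see which of the four rules above forwards a given event to AWSConfig_topic, the following added example (not part of the ManageIQ documentation or product) evaluates the exact-match subset of the CloudWatch Events pattern language against constructed sample events; the sample events and rule labels are invented here.

```ruby
# Patterns of the four CloudWatch rules created in the procedure above.
RULE_PATTERNS = {
  "ec2-api-calls"    => { "source" => ["aws.ec2"], "detail-type" => ["AWS API Call via CloudTrail"],
                          "detail" => { "eventSource" => ["ec2.amazonaws.com"] } },
  "ec2-state-change" => { "source" => ["aws.ec2"], "detail-type" => ["EC2 Instance State-change Notification"] },
  "ebs-volume"       => { "source" => ["aws.ec2"], "detail-type" => ["EBS Volume Notification"] },
  "ebs-snapshot"     => { "source" => ["aws.ec2"], "detail-type" => ["EBS Snapshot Notification"] }
}.freeze

# Exact-match subset of the CloudWatch Events rule semantics: every key in the
# pattern must exist in the event; a list of scalars matches when the event
# value (or any element of an event array) equals one of them; a nested hash is
# matched recursively. Content filters such as prefix or numeric are not covered.
def pattern_match?(pattern, event)
  return false unless event.is_a?(Hash)
  pattern.all? do |key, expected|
    next false unless event.key?(key)
    if expected.is_a?(Hash)
      pattern_match?(expected, event[key])
    else
      Array(event[key]).any? { |v| expected.include?(v) }
    end
  end
end

# Labels of the rules that would forward the event to AWSConfig_topic.
def matching_rules(event)
  RULE_PATTERNS.select { |_, pattern| pattern_match?(pattern, event) }.keys
end

# Constructed sample events in the CloudWatch Events envelope (not captured from
# a real account); only the fields the patterns inspect are filled in.
SAMPLE_EVENTS = {
  # CloudTrail record of an API call: only the API-call rule sees it, although the call concerns a volume.
  create_volume_call: { "source" => "aws.ec2", "detail-type" => "AWS API Call via CloudTrail",
                        "detail" => { "eventSource" => "ec2.amazonaws.com", "eventName" => "CreateVolume" } },
  # The completion notice for that volume arrives under another detail-type, hence the separate volume rule.
  volume_created:     { "source" => "aws.ec2", "detail-type" => "EBS Volume Notification",
                        "detail" => { "event" => "createVolume", "result" => "available" } },
  # State changes carry no eventSource, so the API-call rule never matches them.
  instance_running:   { "source" => "aws.ec2", "detail-type" => "EC2 Instance State-change Notification",
                        "detail" => { "state" => "running" } },
  # An S3 API call has the wrong source and reaches none of the four rules.
  s3_put_object:      { "source" => "aws.s3", "detail-type" => "AWS API Call via CloudTrail",
                        "detail" => { "eventSource" => "s3.amazonaws.com" } }
}.freeze

SAMPLE_EVENTS.each { |name, ev| puts "#{name}: #{matching_rules(ev).inspect}" }
```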

Adding Amazon Cloud Regions

ManageIQ allows administrators to add Amazon cloud regions on the appliance server. You can use this capability to add new regions that have been set up since ManageIQ was released. Once the region is added, it is available when creating a new Amazon EC2 provider.

  1. Click config gear (Configuration).

  2. Click on the Settings accordion, then click ManageIQ Region at the top.

  3. Click on the Advanced tab.

  4. Search for :ems_amazon:, and enter the regions you want to add under :additional_regions:.

    Example. To add the hypothetical `lunar-base-1` and `lunar-base-2` regions:
    
    :ems_amazon:
      :additional_regions:
        :lunar-base-1:
          :name: Lunar Base 1
          :hostname: ec2.lunar-base-1.amazonaws.com
          :description: Lunar Base 1
        :lunar-base-2:
          :name: Lunar Base 2
          :hostname: ec2.lunar-base-2.amazonaws.com
          :description: Lunar Base 2
    
  5. Click Save.

Disabling Amazon Cloud Regions

ManageIQ allows administrators to disable Amazon cloud regions on the appliance server. Use this capability to disable certain classified regions like AWS GovCloud. Once disabled, the region will not be available when adding an Amazon EC2 provider.

  1. Click config gear (Configuration).

  2. Click on the Settings accordion, then click Zones.

  3. Click the zone where the ManageIQ server is located, then click on the EVM server.

  4. Click on the Advanced tab.

  5. Search for :ems_amazon:, and enter the regions you want to disable under :disabled_regions:.

    Example. To disable the `us-gov-west-1` and `ap-northeast-1` regions:
    
    :ems_amazon:
      :disabled_regions:
      - us-gov-west-1
      - ap-northeast-1
    
  6. Click Save.