Amazon EC2 Providers
Permissions for Amazon EC2 Providers
Restricting API access further can limit Automate capabilities, because Automate scripts access the AWS SDK directly to build new application functionality.
The AWS services primarily accessed by the ManageIQ API include:
- Elastic Compute Cloud (EC2)
- CloudFormation
- CloudWatch
- Elastic Load Balancing
- Simple Notification Service (SNS)
- Simple Queue Service (SQS)
Manually Creating an Amazon EC2 Role
To eliminate the need to assign Admin group privileges to the Amazon EC2 provider, create an IAM role following the procedure described in Creating a Role for an AWS Service (Console) in the Amazon Web Services documentation.
Use the following parameters:
- Select EC2 as the service the role will use.
- Attach the following permissions:
  - AmazonEC2FullAccess
  - AmazonS3FullAccess
  - AmazonSQSFullAccess
- Enter smartstate for the Role name.
Once the IAM role is created, assign the provider Power User privileges as described in Permissions for Amazon EC2 Providers.
Adding Amazon EC2 Providers
Complete the following procedure to add an Amazon EC2 cloud provider in ManageIQ.
- Browse to menu: Compute > Clouds > Providers.
- Click Configuration, then click (Add a New Cloud Provider).
- Enter a Name for the provider.
- From the Type list, select Amazon EC2.
- Select a Region.
- Select the appropriate Zone if you have more than one available.
- Under Endpoints, click the Default tab.
- Enter the Endpoint URL.
  Note: AWS allows users to set a custom endpoint URL when connecting to certain services, which you can add in the ManageIQ user interface per Amazon EC2 provider. See Interface VPC Endpoints (AWS PrivateLink) for more information.
- Generate an Access Key in the Security Credentials of your Amazon AWS account. The Access Key ID acts as your User ID, and your Secret Access Key acts as your Password.
- Click Validate to validate the credentials.
- Click the SmartState Docker tab.
- Enter the SmartState Docker User Name and SmartState Docker Password.
- Click Add.
Enabling Public AMIs from Amazon EC2
By default, public AMIs from an Amazon EC2 provider are not viewable in ManageIQ. To make these images viewable, you must edit the main configuration file for the appliance.
Note:
Syncing all public images may require additional memory resources. Also, bear in mind that syncing happens in each configured Amazon EC2 provider, which will require a similar amount of total memory resources.
- Browse to the settings menu, then menu: Configuration > Zone > Advanced.
- Select the configuration file to edit from the File list. If not already automatically selected, select EVM Server Main Configuration.
- Set the get_public_images parameter:
  - Set the parameter to get_public_images: true to make public images viewable.
  - Set the parameter to get_public_images: false to make public images not viewable.
- Optionally, configure an array of filters in public_images_filters to restrict which images are synced. See http://docs.aws.amazon.com/sdkforruby/api/Aws/EC2/Client.html#describe_images-instance_method for more details.
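Before enabling get_public_images on a provider, it is worth dry-running the filter set against a handful of image records to see how much of the public catalogue it would actually admit (syncing everything is the memory cost the note above warns about, and restricting to a trusted publisher's account also keeps untrusted AMIs out of the inventory). The following is an added example, not ManageIQ code: it applies EC2 DescribeImages-style filters locally to constructed AMI records. It assumes that public_images_filters takes the same name/values pairs that describe_images accepts, which the page's link to that method suggests but does not spell out; the account id, image ids and names are made up.

```python
"""Dry-run of EC2 DescribeImages-style filters against constructed AMI records.
Added example, not ManageIQ code. Semantics follow the DescribeImages API:
every filter must match (AND), a single filter matches when any of its values
matches (OR), and values may use the * and ? wildcards."""
from fnmatch import fnmatchcase

# Constructed records, shaped after a few fields of a DescribeImages response.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0a1b2c3d4e5f60001", "OwnerId": "123456789012", "State": "available",
     "ImageType": "machine", "Public": True, "Name": "acme-base-2023.09"},
    {"ImageId": "ami-0a1b2c3d4e5f60002", "OwnerId": "123456789012", "State": "pending",
     "ImageType": "machine", "Public": True, "Name": "acme-base-2023.10"},
    {"ImageId": "ami-0a1b2c3d4e5f60003", "OwnerId": "999999999999", "State": "available",
     "ImageType": "machine", "Public": True, "Name": "acme-base-2023.09"},
    {"ImageId": "ami-0a1b2c3d4e5f60004", "OwnerId": "123456789012", "State": "available",
     "ImageType": "kernel", "Public": True, "Name": "acme-kernel"},
]

# DescribeImages filter names mapped onto the response field each one tests.
FILTER_FIELDS = {
    "owner-id": "OwnerId",
    "state": "State",
    "image-type": "ImageType",
    "is-public": "Public",
    "name": "Name",
}


def _as_string(value):
    """The API compares string values; booleans are written 'true'/'false'."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def filter_matches(image, flt):
    """One filter matches when the field equals any listed value (wildcards allowed)."""
    field = FILTER_FIELDS.get(flt["Name"])
    if field is None:
        raise ValueError(f"unsupported filter name: {flt['Name']!r}")
    actual = _as_string(image.get(field, ""))
    return any(fnmatchcase(actual, _as_string(v)) for v in flt["Values"])


def select_images(images, filters):
    """All filters must match; returns the image ids that survive the filter set."""
    return [img["ImageId"] for img in images
            if all(filter_matches(img, f) for f in filters)]


# Only finished machine images published by one trusted account (constructed id).
TRUSTED_PUBLISHER_FILTERS = [
    {"Name": "owner-id", "Values": ["123456789012"]},
    {"Name": "state", "Values": ["available"]},
    {"Name": "image-type", "Values": ["machine"]},
    {"Name": "name", "Values": ["acme-base-*"]},
]

if __name__ == "__main__":
    print("no filters     :", select_images(SAMPLE_IMAGES, []))
    print("trusted filters:", select_images(SAMPLE_IMAGES, TRUSTED_PUBLISHER_FILTERS))
```

With no filters every public image is admitted; the trusted-publisher set keeps only the one image that is available, of type machine, owned by the trusted account and named like a base image. An owner-id filter is the one most worth having, since name and state are chosen by whoever publishes the AMI.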
Enabling AWS Config Notifications
Amazon’s AWS Config notifies subscribers of changes in a region through its Simple Notification Service (SNS). ManageIQ subscribes to the SNS service for AWS Config deltas and converts the deltas into ManageIQ events.
- Enable the AWS Config service in the AWS Management Console. See the AWS Config Developer Guide for more information.
- Create a new Amazon SNS topic named AWSConfig_topic. ManageIQ automatically connects to this topic.
- (Optional) Configure the frequency of delta creation in the AWS Management Console.
You can assign ManageIQ policies to the AWS events listed below. The appliance performs a provider refresh on all these events except for AWS_EC2_Instance_UPDATE.

Event | Policies | Refresh
---|---|---
AWS_EC2_Instance_CREATE | src_vm vm_create | ems
AWS_EC2_Instance_UPDATE | N/A | ems
AWS_EC2_Instance_running | src_vm vm_start | ems
AWS_EC2_Instance_stopped | src_vm vm_power_off | ems
AWS_EC2_Instance_shutting-down | src_vm vm_power_off | ems
Enabling Amazon EC2 Events
After adding an Amazon EC2 provider and configuring an SNS topic in Enabling AWS Config Notifications, create a CloudTrail, then configure CloudWatch rules on your EC2 provider to automatically get events in ManageIQ for monitoring the provider.
Note:
The following procedures are accurate at time of publishing. See the Amazon AWS documentation for further details on these steps.
Creating a CloudTrail
In the CloudTrail area of the AWS Management Console, create a trail and an S3 bucket:
- Create a Trail with a custom name.
- (Optional) If you want to apply the trail to all of your ManageIQ regions, select Yes for Apply trail to all regions.
- For Management Events, select Read/Write events: All.
- Create a new S3 bucket.
Creating CloudWatch Rules Based on Event Patterns
In the CloudWatch area of the AWS Management Console, create three rules: one rule each for EC2, volumes, and snapshots.
To create a CloudWatch rule for EC2:
- Browse to menu: Events > Rules and click Create rule.
- Select the Event Pattern radio button to specify the event source.
- Edit the Event Pattern Preview box, and paste and save the following code to create a rule based on a custom event pattern:
  ```json
  {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
      "eventSource": ["ec2.amazonaws.com"]
    }
  }
  ```
- Click Add target and specify the following attributes:
  - Type: SNS Topic
  - Topic: AWSConfig_topic
  - Input: Matched event
- Click Configure Details to save these details.
- Configure a name and description for the rule if desired. Ensure the Enabled checkbox is selected for State.
- Click Create rule to save the CloudWatch rule.
Repeat the same procedure to create a CloudWatch rule for EC2 Instance State-changes:
- Browse to menu: Events > Rules and click Create rule.
- Select the Event Pattern radio button to specify the event source.
- Edit the Event Pattern Preview box, and paste and save the following code to create a rule based on a custom event pattern:
  ```json
  {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"]
  }
  ```
- Click Add target and specify the following attributes:
  - Type: SNS Topic
  - Topic: AWSConfig_topic
  - Input: Matched event
- Click Configure Details to save these details.
- Configure a name and description for the rule if desired. Ensure the Enabled checkbox is selected for State.
- Click Create rule to save the CloudWatch rule.
Repeat the same procedure to create a CloudWatch rule for volumes, pasting the code snippet below into the Event Pattern Preview box:
- Browse to menu: Events > Rules and click Create rule.
- Select the Event Pattern radio button to specify the event source.
- Edit the Event Pattern Preview box, and paste and save the following code to create a rule based on a custom event pattern:
  ```json
  {
    "source": ["aws.ec2"],
    "detail-type": ["EBS Volume Notification"]
  }
  ```
- Click Add target and specify the following attributes:
  - Type: SNS Topic
  - Topic: AWSConfig_topic
  - Input: Matched event
- Click Configure Details to save these details.
- Configure a name and description for the rule if desired. Ensure the Enabled checkbox is selected for State.
- Click Create rule to save the CloudWatch rule.
Repeat the same procedure to create a CloudWatch rule for snapshots, pasting the code snippet below into the Event Pattern Preview box:
- Browse to menu: Events > Rules and click Create rule.
- Select the Event Pattern radio button to specify the event source.
- Edit the Event Pattern Preview box, and paste and save the following code to create a rule based on a custom event pattern:
  ```json
  {
    "source": ["aws.ec2"],
    "detail-type": ["EBS Snapshot Notification"]
  }
  ```
- Click Add target and specify the following attributes:
  - Type: SNS Topic
  - Topic: AWSConfig_topic
  - Input: Matched event
- Click Configure Details to save these details.
- Configure a name and description for the rule if desired. Ensure the Enabled checkbox is selected for State.
- Click Create rule to save the CloudWatch rule.
EC2 can now automatically refresh events in ManageIQ.
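A rule whose pattern is too narrow silently drops the events ManageIQ is supposed to react to, and one that is too broad floods the SNS topic, so it pays to check the four patterns above against representative events before relying on them. The following is an added example, not ManageIQ or AWS code: it implements the exact-match subset of the CloudWatch/EventBridge pattern language (lists of allowed string values and nested objects), which is all these four patterns use, and runs the page's patterns over constructed sample events. The rule names and the sample event contents are made up for illustration; the patterns themselves are copied from the procedures above.

```python
"""Check which of this page's four CloudWatch event patterns a given event
would trigger. Added example, not ManageIQ or AWS code. Only the exact-match
subset of the pattern language is implemented (no prefix, numeric or
anything-but operators), which is sufficient for the patterns on this page."""

# The four event patterns from the page, keyed by constructed rule names.
RULE_PATTERNS = {
    "ec2-api-calls": {
        "source": ["aws.ec2"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": ["ec2.amazonaws.com"]},
    },
    "ec2-state-change": {
        "source": ["aws.ec2"],
        "detail-type": ["EC2 Instance State-change Notification"],
    },
    "ebs-volume": {
        "source": ["aws.ec2"],
        "detail-type": ["EBS Volume Notification"],
    },
    "ebs-snapshot": {
        "source": ["aws.ec2"],
        "detail-type": ["EBS Snapshot Notification"],
    },
}


def pattern_matches(pattern, event):
    """A pattern matches when every key it names exists in the event and the
    event's value is acceptable: a list in the pattern is the set of allowed
    exact values, a nested dict is matched recursively. Keys the pattern does
    not mention are unconstrained."""
    if not isinstance(event, dict):
        return False
    for key, allowed in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(allowed, dict):
            if not pattern_matches(allowed, actual):
                return False
        elif isinstance(allowed, list):
            # An event field may itself be a list; one element in the allowed set suffices.
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(c in allowed for c in candidates):
                return False
        else:
            raise ValueError(f"unsupported pattern value under {key!r}: {allowed!r}")
    return True


def triggered_rules(event):
    """Sorted names of the rules whose pattern matches `event`."""
    return sorted(name for name, pat in RULE_PATTERNS.items() if pattern_matches(pat, event))


# Constructed sample events shaped after the CloudWatch event envelope;
# only the fields the patterns inspect (plus a hint of detail) are filled in.
SAMPLE_EVENTS = {
    "run_instances": {
        "source": "aws.ec2",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
    },
    "instance_running": {
        "source": "aws.ec2",
        "detail-type": "EC2 Instance State-change Notification",
        "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"},
    },
    "volume_created": {
        "source": "aws.ec2",
        "detail-type": "EBS Volume Notification",
        "detail": {"event": "createVolume", "result": "available"},
    },
    "snapshot_created": {
        "source": "aws.ec2",
        "detail-type": "EBS Snapshot Notification",
        "detail": {"event": "createSnapshot", "result": "succeeded"},
    },
    # Same envelope but for an S3 API call: none of the four rules should fire.
    "s3_put_object": {
        "source": "aws.s3",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    },
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:18} -> {triggered_rules(event) or 'no rule'}")
```

Each sample event triggers exactly one of the four rules, and the S3 call triggers none, which is the behaviour the procedures above are designed to produce. The same function can be pointed at real events pulled from the CloudTrail bucket to confirm that a pattern change does not start dropping the EC2 API calls ManageIQ refreshes on.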
Adding Amazon Cloud Regions
ManageIQ allows administrators to add Amazon cloud regions on the appliance server. You can use this capability to add new regions that have been set up since ManageIQ was released. Once the region is added, it is available when creating a new Amazon EC2 provider.
- Click Settings > Application Settings.
- Click on the Settings accordion, then click ManageIQ: Region at the top. Optionally, a server can be selected (within Zones) to limit the additional region to that server only.
- Click on the Advanced tab.
- Search for :ems_amazon:, and enter the regions you want to add under :additional_regions:.
  Example. To add hypothetical `lunar-base-1` and `lunar-base-2` regions:
  ```yaml
  :ems_amazon:
    :additional_regions:
      :lunar-base-1:
        :name: Lunar Base 1
        :hostname: ec2.lunar-base-1.amazonaws.com
        :description: Lunar Base 1
      :lunar-base-2:
        :name: Lunar Base 2
        :hostname: ec2.lunar-base-2.amazonaws.com
        :description: Lunar Base 2
  ```
- Click Save.
Disabling Amazon Cloud Regions
ManageIQ allows administrators to disable Amazon cloud regions on the appliance server. Use this capability to disable certain classified regions like AWS GovCloud. Once disabled, the region will not be available when adding an Amazon EC2 provider.
- Click Settings > Application Settings.
- Click on the Settings accordion, then click ManageIQ: Region at the top. Optionally, a server can be selected (within Zones) to limit the change to that server only.
- Click on the Advanced tab.
- Search for :ems_amazon:, and enter the regions you want to disable under :disabled_regions:.
  Example. To disable the `ap-northeast-1` region:
  ```yaml
  :ems_amazon:
    :disabled_regions:
    - us-gov-west-1
    - ap-northeast-1
  ```
- Click Save.