
Flexera Automation CloudFormation Template

Overview

Template to create a CloudFormation Stack with IAM Role and Permission Policy resources required by Flexera Automation.

Three supported versions are provided as options:

  • FlexeraAutomationPolicies.template: Current production version of the template. Recommended for most use cases.
  • FlexeraAutomationPoliciesReadOnly.template: Identical to the above but with only read-only permissions. Recommended when there are concerns over the template having options for more than just read-only access.
  • FlexeraAutomationPoliciesSimple.template: Template that simply attaches the built-in arn:aws:iam::aws:policy/ReadOnlyAccess AWS policy by default with the option to add other policies by name manually via parameter. Recommended when custom inline policies are not desired. Note that this grants more access than simply applying FlexeraAutomationPolicies.template with the default options, since this provides read-only access to everything in the AWS account rather than just to the resources needed for Flexera automation.

Amazon S3 Template URL

https://flexera-cloudformation-public.s3.us-east-2.amazonaws.com/FlexeraAutomationPolicies_latest.template

Usage

The CloudFormation Template can be deployed to multiple accounts (as a CloudFormation StackSet) or to a single account (as a CloudFormation Stack).


Create StackSet (Multiple Accounts)

AWS CloudFormation StackSets extends the capability of stacks by enabling you to create, update, or delete stacks across multiple accounts with a single operation.

See AWS Docs > CloudFormation > Working with StackSets for more information.

Recommended: Create CloudFormation StackSet with AWS Console

Instructions: Create CloudFormation StackSet with AWS Console

Note: The following steps are very closely aligned with AWS Official Docs here:

AWS Docs > CloudFormation > Create a stack set with service-managed permissions using the AWS CloudFormation console

As you follow the official docs, you can use the recommended configurations below.

  • Under Permissions, choose Service-managed permissions

    If trusted access with AWS Organizations is disabled, a banner displays. Trusted access is required to create or update a stack set with service-managed permissions. Only an administrator in the organization's management account has permissions to manage trusted access.

  • Under Prepare template, choose Template is ready.

  • Under Specify template, provide the template S3 URL:

    https://flexera-cloudformation-public.s3.us-east-2.amazonaws.com/FlexeraAutomationPolicies_latest.template

    It's recommended to use an official release for Production use-cases (i.e. a pinned vX.Y.Z version rather than _latest). All official releases can be found under the releases/ folder and are published to https://flexera-cloudformation-public.s3.us-east-2.amazonaws.com/FlexeraAutomationPolicies_vX.Y.Z.template. An example of a release template S3 URL:

    https://flexera-cloudformation-public.s3.us-east-2.amazonaws.com/FlexeraAutomationPolicies_vX.Y.Z.template

  • On the Specify StackSet details page, provide a name for the stack set, specify Flexera Organization ID and any other parameters, and then choose Next.

    Using the same value for the StackSet name as for the IAM Role Name parameter is recommended.

    For example, if IAM Role Name parameter is FlexeraAutomationPolicies-Org12345, then the recommended StackSet name is FlexeraAutomationPolicies-Org12345.

  • On the Configure StackSet options page, under Tags, specify any tags to apply to resources in your stack. This is optional. The resources created by the template do not have any cost associated and so the need for tags may only apply for certain use-cases.

  • For Execution configuration, choose Active so that StackSets performs non-conflicting operations concurrently and queues conflicting operations.

  • On the Set deployment options page, under Deployment targets, we recommend choosing Deploy to organization to deploy to all accounts in your organization.

  • On the Auto-deployment options page, under Automatic deployment, Enabled is recommended to automatically deploy to new accounts added to the organization or target OUs in the future.

  • If you enabled automatic deployment, under Account removal behavior, Delete stacks is recommended so that access is removed when an account is removed from the organization or target OUs in the future.

  • Under Specify regions, choose only 1 region to deploy the StackSet to.

    We recommend using the same region in which the CloudFormation StackSet itself is being created.

    This template creates IAM Role and IAM Policy resources, which are "Global" resources. If this CloudFormation Template is deployed to more than 1 region using the same "IAM Role Name" and "IAM Role Path" parameter value, there will be a conflict trying to create IAM Roles that have the same name.

  • On the Deployment options page:

    • Under Maximum concurrent accounts, choose Percent and set field value to 100.

      Using 100% maximum concurrent accounts is recommended to increase deployment speed of the Stack instances.

    • Under Failure tolerance, choose Percent and set field value to 100.

      Using 100% failure tolerance is recommended to allow all account Stack instances to attempt even if one Stack instance fails.

    • Under Region Concurrency, choose Sequential.

      This ultimately has no effect, as the CloudFormation StackSet should be deployed to only 1 region.

  • Click Next, and review the summary of the StackSet before continuing.

  • At the bottom, under Capabilities, check the box next to I acknowledge that AWS CloudFormation might create IAM resources with custom names and click the Submit button to create the StackSet.

    This acknowledgment is required because AWS CloudFormation will create an IAM Role and an IAM Policy (as expected).

  • Allow Stack instances to deploy and get to "Current" Status. If any fail, you can review the details of the failed Stack instances and take action as needed.

  • Construct IAM Role ARN for AWS STS Credential Setup in Flexera Automation

    The IAM Role ARN is the ARN of the IAM Role created by the CloudFormation Template and is needed when creating the AWS STS Credential in Flexera Automation. You only need to create 1 AWS STS Credential in Flexera Automation for each StackSet that is created because all IAM Roles created by the StackSet will have the same name and can leverage AWS STS Multi-Account Credential Usage.

    The CloudFormation Template Outputs are not visible at the StackSet level, and instead we recommend constructing the IAM Role ARN using the following:

    arn:aws:iam::<AWS Account ID>:role/<IAM Role Name>

    • <AWS Account ID> is the AWS Account ID of the account the CloudFormation Stack instance has been deployed to.
    • <IAM Role Name> is the value of the IAM Role Name parameter provided to the CloudFormation StackSet.

    For example, if the Stack instance was deployed to AWS Account 123456789012 and the IAM Role Name parameter was FlexeraAutomationPolicies-Org12345, then the IAM Role ARN to input in Flexera Platform would be arn:aws:iam::123456789012:role/FlexeraAutomationPolicies-Org12345.

    See Flexera Docs > Automation > AWS STS Multi-Account Credential Usage for more information.
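Because StackSet-level Outputs are not visible, the ARN has to be assembled per account. The following Python script is an added example (not part of this repository) that applies the arn:aws:iam::<AWS Account ID>:role/<IAM Role Name> rule above to the Stack instance list a StackSet reports, skips instances that have not reached "Current" status, and flags any account that has instances in more than one region (the IAM Role name conflict described under Specify regions). The input is a constructed sample shaped like the output of `aws cloudformation list-stack-instances`; account IDs, regions and statuses are made up, and the IAM Role Path is assumed to be the default "/".

```python
import json
import re

# Constructed sample modelled on the shape of
# `aws cloudformation list-stack-instances --stack-set-name <name>` output.
# Account IDs, regions and statuses are invented for illustration.
SAMPLE_STACK_INSTANCES = json.dumps({
    "Summaries": [
        {"Account": "123456789012", "Region": "us-east-2", "Status": "CURRENT",
         "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
        {"Account": "210987654321", "Region": "us-east-2", "Status": "OUTDATED",
         "StackInstanceStatus": {"DetailedStatus": "FAILED"}},
        {"Account": "111122223333", "Region": "us-east-2", "Status": "CURRENT",
         "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
        # Second region for the same account: the global IAM Role already exists,
        # so this instance failed (the name conflict described in the README).
        {"Account": "111122223333", "Region": "us-west-2", "Status": "OUTDATED",
         "StackInstanceStatus": {"DetailedStatus": "FAILED"}},
    ]
})

# IAM role names: 1-64 characters from this character set (AWS IAM limits).
ROLE_NAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_role_arn(account_id: str, role_name: str, role_path: str = "/") -> str:
    """Construct arn:aws:iam::<AWS Account ID>:role<IAM Role Path><IAM Role Name>.

    role_path defaults to "/" (assumed to be the template's default IAM Role Path),
    which yields the arn:aws:iam::<account>:role/<name> form used in the README.
    Inputs are validated so a typo produces an error rather than a malformed ARN.
    """
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"invalid AWS account id: {account_id!r}")
    if not ROLE_NAME_RE.match(role_name):
        raise ValueError(f"invalid IAM role name: {role_name!r}")
    if not (role_path.startswith("/") and role_path.endswith("/")):
        raise ValueError(f"IAM role path must start and end with '/': {role_path!r}")
    return f"arn:aws:iam::{account_id}:role{role_path}{role_name}"


def role_arns_for_stackset(list_output_json: str, role_name: str,
                           role_path: str = "/") -> dict:
    """Derive one IAM Role ARN per account whose Stack instance is CURRENT.

    Returns a dict with:
      arns         - sorted, de-duplicated role ARNs ready for the STS credential
      not_current  - (account, region, status) for instances needing attention
      multi_region - accounts deployed in more than one region (role name conflict)
    """
    summaries = json.loads(list_output_json)["Summaries"]

    regions_by_account: dict = {}
    for s in summaries:
        regions_by_account.setdefault(s["Account"], set()).add(s["Region"])
    multi_region = sorted(a for a, r in regions_by_account.items() if len(r) > 1)

    arns, not_current = [], []
    for s in summaries:
        if s["Status"] != "CURRENT":
            not_current.append((s["Account"], s["Region"], s["Status"]))
            continue
        arns.append(build_role_arn(s["Account"], role_name, role_path))

    # IAM is global: one role per account regardless of how many regions reported it.
    return {"arns": sorted(set(arns)), "not_current": not_current,
            "multi_region": multi_region}


if __name__ == "__main__":
    result = role_arns_for_stackset(SAMPLE_STACK_INSTANCES,
                                    "FlexeraAutomationPolicies-Org12345")
    for arn in result["arns"]:
        print("ready:", arn)
    for account, region, status in result["not_current"]:
        print(f"check: account {account} in {region} is {status}")
    for account in result["multi_region"]:
        print(f"warning: account {account} has Stack instances in multiple regions")
```

With real data, replace SAMPLE_STACK_INSTANCES with the JSON returned by `aws cloudformation list-stack-instances --stack-set-name <StackSet name>` and pass the IAM Role Name parameter you used for the StackSet. Only the ARNs under "ready" should be trusted; anything reported as not current should be investigated in the console before the credential is relied upon.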


Create Stack (Single Account)

If you do not have an AWS Organization set up, or you prefer to deploy to a single account, then you can use the CloudFormation Template to create a CloudFormation Stack.

Recommended: Create CloudFormation Stack with AWS Console using "Quick-create" link

Alternatives for creating the CloudFormation Stack:

Instructions: Create CloudFormation Stack with AWS CLI

    # Create the Stack using the CloudFormation Template's parameter default values,
    # overriding only the Flexera Organization ID
    aws cloudformation create-stack \
      --template-url https://flexera-cloudformation-public.s3.us-east-2.amazonaws.com/FlexeraAutomationPolicies_latest.template \
      --stack-name FlexeraAutomationAccessRole \
      --capabilities CAPABILITY_NAMED_IAM \
      --parameters ParameterKey=paramFlexeraOrgId,ParameterValue=12345

Instructions: Create CloudFormation Stack with Terraform

    resource "aws_cloudformation_stack" "FlexeraAutomationAccessRole" {
      name         = "FlexeraAutomationAccessRole"
      template_url = "https://flexera-cloudformation-public.s3.us-east-2.amazonaws.com/FlexeraAutomationPolicies_latest.template"

      parameters = {
        paramFlexeraOrgId = "12345"
      }

      capabilities = [
        "CAPABILITY_NAMED_IAM", # Required because the template creates an IAM Role with a custom name
      ]
    }

For Maintainers

New versions of tools/cloudformation-template/FlexeraAutomationPolicies.template and tools/cloudformation-template/FlexeraAutomationPoliciesReadOnly.template are created automatically by the tools/cloudformation-template/aws_cft_generator.rb script. This script runs automatically via GitHub Actions whenever a change is made to the master branch. This script uses the permissions file data/policy_permissions_list/master_policy_permissions_list.json to obtain the information needed to generate the CloudFormation Template. This file, in turn, is sourced through its own automation that scrapes policy template README files.

New releases are created automatically by the tools/cloudformation-template/aws_cft_new_release.rb script. This script runs daily and checks whether the most recent version of tools/cloudformation-template/FlexeraAutomationPolicies.template has any changes compared to the latest release. If changes are present, a new minor version is created and stored in the tools/cloudformation-template/releases directory.