CloudForms in AWS part 2

This part of the CloudForms in AWS blog series walks you through the AWS-side and CloudForms-side configuration needed to get event collection and SmartState analysis working, so that CloudForms reaches its full potential in AWS.

IMPORTANT: If you want SmartState analysis to work you need to register your AWS account with the Red Hat Cloud Access program. Use the link below to enable Cloud Access:

https://engage.redhat.com/forms/cloud-access-registration

Once you have registered and received confirmation, you will see the RHEL-Atomic_7.4_HVM_GA-20180104-x86_64-1-Access2-GP2 AMI under the “Private images” tab. CloudForms needs this AMI to launch the SmartState agent instance.

Before we configure CloudForms we need to go to the AWS console and create the SNS topic that AWS Config will publish to, so that CloudForms can subscribe to its messages. SNS stands for Simple Notification Service. It lets CloudForms subscribe to a topic that carries notifications about configuration changes of AWS resources.

Once created you should see the following:

Next, create an S3 bucket to store the AWS Config history and the CloudTrail (API) logs.

Enable AWS Config and make sure to select the S3 bucket and the SNS topic we created above.

To get events via CloudWatch and CloudTrail we need to configure a new trail in CloudTrail. In CloudTrail, create a new trail with the following information. As you can see, we can reuse the previously created S3 bucket to store the logs.

The last step to get events delivered through SNS is to create a new CloudWatch Events rule that sends the events to the SNS topic.

If you have done everything correctly, CloudForms will automatically create a new SQS queue named manageiq-awsconfig-queue that is subscribed to the SNS topic AWSConfig_topic:

You can also test incoming events by stopping and starting an instance. This should be caught by the event catcher.
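The checks above are easy to get subtly wrong (a subscription left in PendingConfirmation, a recorder that was created but never started). The following script is an added example and is not part of the original post: it verifies each link of the event path from the CLI and can stop/start an instance to generate a test event. The topic and queue names are the ones the post shows (AWSConfig_topic, manageiq-awsconfig-queue); TRAIL_NAME and RULE_NAME are assumptions, set them to the names you gave your trail and CloudWatch rule.

```shell
#!/bin/sh
# Added example, not from the original post: verify the AWS-side event path
# CloudForms depends on. Topic and queue names are the ones the post shows
# (AWSConfig_topic, manageiq-awsconfig-queue); TRAIL_NAME and RULE_NAME are
# assumptions, set them to the names you gave your trail and CloudWatch rule.
TOPIC_NAME="${TOPIC_NAME:-AWSConfig_topic}"
QUEUE_NAME="${QUEUE_NAME:-manageiq-awsconfig-queue}"
TRAIL_NAME="${TRAIL_NAME:-cloudforms}"
RULE_NAME="${RULE_NAME:-cloudforms-events}"

# Offline check on the JSON that `aws sns list-subscriptions-by-topic` returns:
# succeed only if there is a confirmed subscription whose endpoint is the SQS
# queue named in $2. The JSON is flattened to one subscription record per line
# so the check does not depend on the order of the keys.
has_sqs_subscription() {
  printf '%s' "$1" | tr -d '\n' | tr '}' '\n' \
    | grep -E "\"Endpoint\": *\"arn:aws:sqs:[^\"]*:$2\"" \
    | grep -vq 'PendingConfirmation'
}

# contains <haystack> <needle>: plain substring test, used for the rule target.
contains() {
  case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# report <message> <command...>: run the check, print ok/FAIL with the message.
report() {
  msg="$1"; shift
  if "$@"; then echo "ok:   $msg"; else echo "FAIL: $msg"; fi
}

# Online checks against the account CloudForms is monitoring.
check_event_path() {
  account=$(aws sts get-caller-identity --query Account --output text)
  region=$(aws configure get region)
  topic_arn="arn:aws:sns:$region:$account:$TOPIC_NAME"

  subs=$(aws sns list-subscriptions-by-topic --topic-arn "$topic_arn" --output json)
  report "$QUEUE_NAME has a confirmed subscription to $TOPIC_NAME" \
    has_sqs_subscription "$subs" "$QUEUE_NAME"

  recording=$(aws configservice describe-configuration-recorder-status \
    --query 'ConfigurationRecordersStatus[0].recording' --output text)
  report "AWS Config recorder is running" [ "$recording" = "True" ]

  logging=$(aws cloudtrail get-trail-status --name "$TRAIL_NAME" \
    --query IsLogging --output text)
  report "CloudTrail trail $TRAIL_NAME is logging" [ "$logging" = "True" ]

  targets=$(aws events list-targets-by-rule --rule "$RULE_NAME" \
    --query 'Targets[].Arn' --output text)
  report "CloudWatch rule $RULE_NAME targets $TOPIC_NAME" contains "$targets" "$topic_arn"
}

# Generate a test event the way the post suggests: stop and start an instance
# and watch the event catcher pick it up in CloudForms.
trigger_test_event() {
  aws ec2 stop-instances --instance-ids "$1" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$1"
  aws ec2 start-instances --instance-ids "$1" >/dev/null
}

case "${1:-}" in
  check)   check_event_path ;;
  trigger) trigger_test_event "$2" ;;
esac
```

Run it as `sh check-events.sh check` with AWS CLI credentials for the monitored account, or `sh check-events.sh trigger <instance-id>` to produce the stop/start event. A FAIL on the first line usually means the SQS queue was created before the topic policy allowed it to subscribe, or the subscription is still pending.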

The next step is optional if you assigned CloudForms an admin role. If CloudForms runs under the PowerUser policy you have to perform these actions yourself, because PowerUser does not have access to IAM! The new SmartState analysis in CloudForms is supposed to create the correct roles, policies and instance profiles for you. I prefer to create the policy myself for two main reasons:

  1. I know exactly what is happening
  2. When letting CloudForms create the policies you might run into a race condition, and CloudForms will complain about “No agent is set up to process requests: Value (smartstate) for parameter iamInstanceProfile.name is invalid. Invalid IAM Instance Profile name”

Create a trust policy for the role smartstate and save it in a file named ec2trustpolicy.json.

Go ahead and create the role smartstate with that trust policy.

Now create a custom policy that we will attach to the smartstate role.

Attach the policy to the role smartstate.

The next step is to create the instance profile. This is what lets the smartstate instance perform actions against S3, SQS and EC2 with the role's permissions.
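Here is the role, policy and instance-profile setup done from the AWS CLI in the same order as the steps above. This is an added example and not the post's own files: the trust policy is the standard EC2 trust policy (what ec2trustpolicy.json has to contain), while the permissions policy is an assumption. The post only says the agent needs EC2, SQS and S3, so the actions and the manageiq-* resource names are a starting point to scope down once CloudTrail shows what the agent actually calls.

```shell
#!/bin/sh
# Added example, not from the original post: create the smartstate role,
# policy and instance profile with the AWS CLI instead of clicking through IAM.
# The trust policy is the standard EC2 one (the post's ec2trustpolicy.json).
# The permissions policy is an assumption: the post only says the agent needs
# EC2, SQS and S3, so the actions and the "manageiq-*" resource names below are
# a starting point to scope down after CloudTrail shows what the agent calls.
ROLE_NAME="${ROLE_NAME:-smartstate}"
POLICY_NAME="${POLICY_NAME:-smartstate}"
PROFILE_NAME="${PROFILE_NAME:-smartstate}"

# Trust policy: only the EC2 service may assume the role.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Permissions policy (assumed, see header): EC2 snapshot and describe calls,
# and SQS/S3 limited to the agent's own queues and buckets, not "*".
smartstate_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "ec2:Describe*", "ec2:CreateSnapshot", "ec2:DeleteSnapshot",
                  "ec2:CreateTags", "ec2:DeleteTags" ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sqs:*",
      "Resource": "arn:aws:sqs:*:*:manageiq-*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [ "arn:aws:s3:::manageiq-*", "arn:aws:s3:::manageiq-*/*" ]
    }
  ]
}
EOF
}

# Offline sanity check: both documents parse as JSON, and the trust policy
# names the EC2 service principal and no account or user ("AWS") principal.
validate_policies() {
  ec2_trust_policy | python3 -m json.tool >/dev/null || return 1
  smartstate_policy | python3 -m json.tool >/dev/null || return 1
  ec2_trust_policy | grep -q '"Service": "ec2.amazonaws.com"' || return 1
  if ec2_trust_policy | grep -q '"AWS"'; then return 1; fi
  return 0
}

# Role -> policy -> attach -> instance profile, the same order as the post.
create_smartstate_iam() {
  validate_policies || { echo "policy documents are not valid" >&2; return 1; }
  ec2_trust_policy > ec2trustpolicy.json
  smartstate_policy > smartstatepolicy.json
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document file://ec2trustpolicy.json
  policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document file://smartstatepolicy.json \
    --query Policy.Arn --output text)
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
  aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME"
  aws iam add-role-to-instance-profile --instance-profile-name "$PROFILE_NAME" \
    --role-name "$ROLE_NAME"
}

case "${1:-}" in apply) create_smartstate_iam ;; esac
```

Run `sh smartstate-iam.sh apply` with credentials that are allowed to use IAM (an admin, not the PowerUser credentials CloudForms itself uses). One AWS-level caveat worth knowing: launching an instance with an instance profile requires iam:PassRole on the role, and PowerUserAccess does not grant it, so if the agent instance fails to launch that is the first thing to check for the credentials CloudForms launches with.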

Now log in to CloudForms.

In the top right corner, click Configure:

Under Roles, turn on the SmartProxy role. It is required for SmartState analysis.

Next, click the Advanced tab on the right. This is SUPER important: the OOTB configuration will not work. Search for agent_ami_login_user and change the value from ec2-user to cloud-user. It should look like this:

This is the user CloudForms will log in as when it initiates a SmartState analysis; cloud-user is the default login user of the RHEL Atomic AMI, which is why ec2-user fails.

Finally, add the AWS provider. You should be familiar with which access key and secret key to use. Important: CloudForms needs at least PowerUser access, so use a dedicated IAM user with that policy and its own keys rather than your account's root credentials.

Next hit Validate, then Save. Don't bother filling out the “SmartState Docker” tab yet; filling it in at the same time has no effect.

Once saved, edit the provider again and go to the SmartState Docker tab. I wonder who named these fields and wrote the comment below; it would have been clearer to say “Use registry.access.redhat.com credentials or RHN credentials required to perform ….“. What you need are your RHN credentials. They are needed so that the SmartState image can be pulled from the Red Hat container registry.

Hit Save and you're done.

You have now configured everything to perform a smartstate analysis in AWS.

Go to your AWS provider and click on an instance. Under the instance's Configuration tab click

You can then go to the top right corner and click Configuration -> Tasks. You should see something like this:

When everything has finished you will see:

The next post is for the geeks among us: it will explain what goes on under the hood when a SmartState analysis runs.
