Batch Configuring the Resource Recorder
Scenario
To get full functionality of Config, you need to enable the resource recorder. If the resource recorder is disabled, you may have problems using other features of Config.
If you are an organization administrator, you can batch enable and configure the resource recorder for organization members using Terraform templates and RFS stacks. This effectively improves configuration efficiency by eliminating the need to confiture the resource recorder for each member account.
This section describes how to batch enable and configure the resource recorder across an organization.
Procedure Overview
Step |
Description |
---|---|
Enabling Resource Formulation Stack Set Service (RF) as a trusted service using the service Organizations |
|
Configuring a bucket policy allowing organization members to dump their resource data into the specified OBS bucket |
|
Configuring an access policy allowing organization members to send notifications with the specified SMN topic |
|
Creating an RFS stack set with a Terraform template and deploying stack instances to organization members |
Restrictions and Limitations
- Currently, an RFS stack set can be used to enable the resource recorders for up to 100 organization members.
- Only an organization administrator is allowed to created RFS stack sets.
- The resource stack set deploys resource stacks to organization members, but not the organization administrator.
- If an organization member has already enabled and configured the resource recorder, the configurations delivered through the stack set will not overwrite the current configurations of the resource recorder in the member account.
Enabling RFS as a Trusted Service
The following procedure shows how to enable RFS as a trusted service:
- Log in to the management console as an organization administrator and go to the Organizations console.
- In the navigation pane on the left, choose Services.
- In the row that contains Resource Formation Stack Set service (RF), click Enable Access in the Operation column.
- In the displayed dialog box, click OK.
Figure 1 Enabling RFS as a trusted service
Configuring an OBS Bucket Policy
If you use a Public Read and Write bucket policy, any user can read, write, and delete objects in the OBS bucket, and you can skip this step.
To store resource change notifications and resource snapshots in an OBS bucket, you need to configure one when configuring the resource recorder. If no OBS bucket is available, create one first.
In this scenario, you need to set a bucket policy allowing organization members to dump their resource data into the specified OBS bucket. The following procedure shows how to configure such a bucket policy:
- Log in to the management console with the authorizing account and go to the OBS console.
The authorizing account is the account to which the OBS bucket belongs.
- Grant member accounts related OBS permissions based on Creating a Custom Bucket Policy (JSON View).
An example bucket policy is provided here to show how to allow member accounts to store data into a specific object or folder in an OBS bucket. You need to configure the following parameters in a bucket policy:
- ${account_id}: member account IDs (domain_id). Use commas (,) to separate multiple domain IDs.
- ${agency_name}: the name of the custom IAM agency For details about how to create an IAM agency, see Cloud Service Agency. Set the authorization object to Config in the agency.
- ${bucket_name}: the name of an OBS bucket
- ${folder_name}: the name of a folder in the OBS bucket If you do not need to specify a folder or object in an OBS bucket, you do not need to configure this parameter.
{ "Statement": [ { "Sid": "org-bucket-policy", "Effect": "Allow", "Principal": { "ID": [ "domain/${account_id}:agency/${agency_name}" ] }, "Action": [ "PutObject" ], "Resource": [ "${bucket_name}/${folder_name}/RMSLogs/*/Snapshot/*", "${bucket_name}/${folder_name}/RMSLogs/*/Notification/*" ] } ] }
If you need to store resource change notifications and snapshots in an OBS bucket encrypted with KMS, you need to set permissions for the KMS key to be used across member accounts. For details, see Storing Resource Change Notifications and Resource Snapshots to an Encrypted OBS Bucket. Specify IDs of member accounts as the pending authorization accounts
Configure an SMN Topic Policy
To send resource change notifications, you need to configure an SMN topic when configuring the resource recorder. If no SMN topic is available, create one first. After you create a topic, you must add subscriptions and request subscription confirmation.
In this scenario, you need to set a topic access policy allowing organization members to send notifications using this topic.
- Log in to the management console with the authorizing account and go to the SMN console.
The authorizing account is the account to which the SMN topic belongs.
- Grant member accounts topic permissions based on Configuring Topic Policies.
Select Specific user accounts for Users who can publish messages to this topic and enter member account IDs.
If an organization member is not granted the required permissions, they cannot receive resource change notifications sent by Config.
Creating an RFS Resource Stack Set
- Log in to the management console as an organization administrator.
- Click in the upper left corner of the page, select Resource Management under Management & Governance in the displayed service list.
- In the navigation pane on the left, choose Stack Sets.
- In the upper right corner, click Create Stack Set.
Figure 2 Creating a stack set
- On the Select Template page, configure required parameters and click Next.
- Select SERVICE_MANAGED for Permission Mode.
- Select Enable or Disable for Enable Parallel Operation. You are advised to enable parallel operations for faster stack running.
- Select a template source as needed. For details about template content, see Example Terraform Template
Figure 3 Select Template
- On the Configure Parameters page, configure required parameters based on the following picture and click Next.
Figure 4 Configure Parameters
- Stack Set Name: You can use a default or custom stack set name. Stack set names must be unique.
- Configure Parameters
- AllSupported: whether to record all resource types supported by Config. Possible values are true or false. This parameter is mandatory.
- ResourceTypes: list of resource types. This parameter is optional. If AllSupported is set to false, you need to specify specific resource types, for example, vpc.vpcs and rds.instances.
- BucketName: the name of the specified OBS bucket. This parameter is mandatory. The value must be of string type.
- BucketRegion: the region where the specified OBS bucket is deployed. This parameter is mandatory. The value must be of string type.
- AccountRegion: the subsidiary website of Huawei Cloud where member accounts are registered. Possible values include cn-north-4 (Chinese mainland website) and ap-southeast-1 (international website).
- TopicUrn: SMN topic URN. This parameter is mandatory. The value must be of string type.
- TopicRegion: the region where the specified SMN topic is deployed. This parameter is mandatory. The value must be of string type.
- ConfigAgencyName: IAM agency name. This parameter is mandatory. The value must be of string type. The agency must contain permissions for the resource recorder to call SMN to send notifications and write data into an OBS bucket.
- On the Deployment Setup page, configure required parameters based on the following picture and click Next.
Figure 5 Deployment Setup
- Deployment Setup
- Organizational Unit IDs: organization unit IDs. If the root unit ID is specified, the stack set is deployed in the entire organization.
- Domain Id Filter Type: criterion for filtering accounts
- Deployment Regions: The region where the resource stack set is deployed.
- Operation Preferences
- Max Concurrent: You are advised to select Number and set the value to 5.
- Fault Tolerance: You are advised to select Percentage and set the value to 100.
- Region Concurrency Type and Failure Tolerance Mode: Configure them as prompted.
- Deployment Setup
- On the Confirm Configurations page, confirm the configurations and click Deploy.
- In the displayed dialog box, click Yes.
The stack set will deploy a stack instance to each specified member account, and the resource recorder in each member account will be enabled and configured based on the Terraform template.
Figure 6 Deploying a resource stack set
Example Terraform Template
You can create a private RFS template based on the following example or save this example template as a local .tf file and update this file to create a resource stack set as needed.
terraform { required_providers { huaweicloud = { source = "huawei.com/provider/huaweicloud" version = ">=1.49.0" } } } provider "huaweicloud" { } variable "AllSupported" { description = "Specifies whether to select all supported resources." type = bool default = true validation { condition = can(regex("^(true|false)$", var.AllSupported)) error_message = "Must be true or false." } } variable "ResourceTypes" { description = "Specifies the resource type list. " type = list(string) default = [] } variable "BucketName" { description = "Specifies the OBS bucket name used for data dumping." type = string } variable "BucketRegion" { description = "Specifies the region where this bucket is located." type = string } variable "TopicRegion" { description = "Specifies the region where the smn topic is located." type = string } variable "AccountRegion" { description = "Specifies the region where the account is located." type = string } variable "TopicUrn" { description = "Specifies the SMN topic URN used to send notifications." type = string } variable "ConfigAgencyName" { description = "Specifies the IAM agency name which must include permissions for sending notifications through SMN and for writing data into OBS." type = string } data "huaweicloud_identity_projects" "CurrentAccountProject" { name = var.AccountRegion } resource "huaweicloud_identity_agency" "identity_agency" { name = var.ConfigAgencyName delegated_service_name = "op_svc_eps" all_resources_roles = ["SMN Administrator", "OBS Administrator", "KMS Administrator"] } resource "huaweicloud_rms_resource_recorder" "ConfigRecorder" { agency_name = var.ConfigAgencyName selector { all_supported = var.AllSupported resource_types = var.ResourceTypes } obs_channel { bucket = var.BucketName region = var.BucketRegion } smn_channel { region = var.TopicRegion topic_urn = var.TopicUrn project_id = data.huaweicloud_identity_projects.CurrentAccountProject.projects[0].id } depends_on = [huaweicloud_identity_agency.identity_agency] }
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot