Help Center/ Config/ User Guide/ Resource Recorder/ Batch Configuring the Resource Recorder

Updated on 2024-11-12 GMT+08:00

View PDF

Batch Configuring the Resource Recorder

Scenario

To get full functionality of Config, you need to enable the resource recorder. If the resource recorder is disabled, you may have problems using other features of Config.

If you are an organization administrator, you can batch enable and configure the resource recorder for organization members using Terraform templates and RFS stacks. This effectively improves configuration efficiency by eliminating the need to confiture the resource recorder for each member account.

This section describes how to batch enable and configure the resource recorder across an organization.

Procedure Overview

Step	Description
Enabling RFS as a Trusted Service	Enabling Resource Formulation Stack Set Service (RF) as a trusted service using the service Organizations
Configuring an OBS Bucket Policy	Configuring a bucket policy allowing organization members to dump their resource data into the specified OBS bucket
Configure an SMN Topic Policy	Configuring an access policy allowing organization members to send notifications with the specified SMN topic
Creating an RFS Resource Stack Set	Creating an RFS stack set with a Terraform template and deploying stack instances to organization members

Restrictions and Limitations

Currently, an RFS stack set can be used to enable the resource recorders for up to 100 organization members.
Only an organization administrator is allowed to created RFS stack sets.
The resource stack set deploys resource stacks to organization members, but not the organization administrator.
If an organization member has already enabled and configured the resource recorder, the configurations delivered through the stack set will not overwrite the current configurations of the resource recorder in the member account.

Enabling RFS as a Trusted Service

The following procedure shows how to enable RFS as a trusted service:

Log in to the management console as an organization administrator and go to the Organizations console.
In the navigation pane on the left, choose Services.
In the row that contains Resource Formation Stack Set service (RF), click Enable Access in the Operation column.
In the displayed dialog box, click OK.

Figure 1 Enabling RFS as a trusted service

Configuring an OBS Bucket Policy

If you use a Public Read and Write bucket policy, any user can read, write, and delete objects in the OBS bucket, and you can skip this step.

To store resource change notifications and resource snapshots in an OBS bucket, you need to configure one when configuring the resource recorder. If no OBS bucket is available, create one first.

In this scenario, you need to set a bucket policy allowing organization members to dump their resource data into the specified OBS bucket. The following procedure shows how to configure such a bucket policy:

Log in to the management console with the authorizing account and go to the OBS console.

The authorizing account is the account to which the OBS bucket belongs.
Grant member accounts related OBS permissions based on Creating a Custom Bucket Policy (JSON View).

An example bucket policy is provided here to show how to allow member accounts to store data into a specific object or folder in an OBS bucket. You need to configure the following parameters in a bucket policy:
- ${account_id}: member account IDs (domain_id). Use commas (,) to separate multiple domain IDs.
- ${agency_name}: the name of the custom IAM agency For details about how to create an IAM agency, see Cloud Service Agency. Set the authorization object to Config in the agency.
- ${bucket_name}: the name of an OBS bucket
- ${folder_name}: the name of a folder in the OBS bucket If you do not need to specify a folder or object in an OBS bucket, you do not need to configure this parameter.
```
{
  "Statement": [
    {
      "Sid": "org-bucket-policy",
      "Effect": "Allow",
      "Principal": {
        "ID": [
          "domain/${account_id}:agency/${agency_name}"
        ]
      },
      "Action": [
        "PutObject"
      ],
      "Resource": [
        "${bucket_name}/${folder_name}/RMSLogs/*/Snapshot/*",
        "${bucket_name}/${folder_name}/RMSLogs/*/Notification/*"
      ]
    }
  ]
}
```
If you need to store resource change notifications and snapshots in an OBS bucket encrypted with KMS, you need to set permissions for the KMS key to be used across member accounts. For details, see Storing Resource Change Notifications and Resource Snapshots to an Encrypted OBS Bucket. Specify IDs of member accounts as the pending authorization accounts

Configure an SMN Topic Policy

To send resource change notifications, you need to configure an SMN topic when configuring the resource recorder. If no SMN topic is available, create one first. After you create a topic, you must add subscriptions and request subscription confirmation.

In this scenario, you need to set a topic access policy allowing organization members to send notifications using this topic.

Log in to the management console with the authorizing account and go to the SMN console.

The authorizing account is the account to which the SMN topic belongs.
Grant member accounts topic permissions based on Configuring Topic Policies.

Select Specific user accounts for Users who can publish messages to this topic and enter member account IDs.

If an organization member is not granted the required permissions, they cannot receive resource change notifications sent by Config.

Creating an RFS Resource Stack Set

Log in to the management console as an organization administrator.
Click in the upper left corner of the page, select Resource Management under Management & Governance in the displayed service list.
In the navigation pane on the left, choose Stack Sets.
In the upper right corner, click Create Stack Set.

Figure 2 Creating a stack set
On the Select Template page, configure required parameters and click Next.
- Select SERVICE_MANAGED for Permission Mode.
- Select Enable or Disable for Enable Parallel Operation. You are advised to enable parallel operations for faster stack running.
- Select a template source as needed. For details about template content, see Example Terraform Template
Figure 3 Select Template
On the Configure Parameters page, configure required parameters based on the following picture and click Next.

Figure 4 Configure Parameters
- Stack Set Name: You can use a default or custom stack set name. Stack set names must be unique.
- Configure Parameters
  - AllSupported: whether to record all resource types supported by Config. Possible values are true or false. This parameter is mandatory.
  - ResourceTypes: list of resource types. This parameter is optional. If AllSupported is set to false, you need to specify specific resource types, for example, vpc.vpcs and rds.instances.
  - BucketName: the name of the specified OBS bucket. This parameter is mandatory. The value must be of string type.
  - BucketRegion: the region where the specified OBS bucket is deployed. This parameter is mandatory. The value must be of string type.
  - AccountRegion: the subsidiary website of Huawei Cloud where member accounts are registered. Possible values include cn-north-4 (Chinese mainland website) and ap-southeast-1 (international website).
  - TopicUrn: SMN topic URN. This parameter is mandatory. The value must be of string type.
  - TopicRegion: the region where the specified SMN topic is deployed. This parameter is mandatory. The value must be of string type.
  - ConfigAgencyName: IAM agency name. This parameter is mandatory. The value must be of string type. The agency must contain permissions for the resource recorder to call SMN to send notifications and write data into an OBS bucket.
On the Deployment Setup page, configure required parameters based on the following picture and click Next.

Figure 5 Deployment Setup
- Deployment Setup
  - Organizational Unit IDs: organization unit IDs. If the root unit ID is specified, the stack set is deployed in the entire organization.
  - Domain Id Filter Type: criterion for filtering accounts
  - Deployment Regions: The region where the resource stack set is deployed.
- Operation Preferences
  - Max Concurrent: You are advised to select Number and set the value to 5.
  - Fault Tolerance: You are advised to select Percentage and set the value to 100.
  - Region Concurrency Type and Failure Tolerance Mode: Configure them as prompted.
On the Confirm Configurations page, confirm the configurations and click Deploy.
In the displayed dialog box, click Yes.

The stack set will deploy a stack instance to each specified member account, and the resource recorder in each member account will be enabled and configured based on the Terraform template.

Figure 6 Deploying a resource stack set

Organization members can disable and modify their resource recorders at any time. An organization administrator can also modify or delete a resource stack set at any time. After a stack set is deleted, the resource recorder in the deployed member account will be disabled.

Example Terraform Template

You can create a private RFS template based on the following example or save this example template as a local .tf file and update this file to create a resource stack set as needed.

terraform {
  required_providers {
    huaweicloud = {
      source  = "huawei.com/provider/huaweicloud"
      version = ">=1.49.0"
    }
  }
}

provider "huaweicloud" {
}

variable "AllSupported" {
  description = "Specifies whether to select all supported resources."
  type        = bool
  default     = true

  validation {
    condition     = can(regex("^(true|false)$", var.AllSupported))
    error_message = "Must be true or false."
  }
}

variable "ResourceTypes" {
  description = "Specifies the resource type list. "
  type        = list(string)
  default     = []
}

variable "BucketName" {
  description = "Specifies the OBS bucket name used for data dumping."
  type        = string
}

variable "BucketRegion" {
  description = "Specifies the region where this bucket is located."
  type        = string
}

variable "TopicRegion" {
  description = "Specifies the region where the smn topic is located."
  type        = string
}

variable "AccountRegion" {
  description = "Specifies the region where the account is located."
  type        = string
}


variable "TopicUrn" {
  description = "Specifies the SMN topic URN used to send notifications."
  type        = string
}

variable "ConfigAgencyName" {
  description = "Specifies the IAM agency name which must include permissions for sending notifications through SMN and for writing data into OBS."
  type        = string
}

data "huaweicloud_identity_projects" "CurrentAccountProject" {
  name = var.AccountRegion
}

resource "huaweicloud_identity_agency" "identity_agency" {
  name                   = var.ConfigAgencyName
  delegated_service_name = "op_svc_eps"
  all_resources_roles = ["SMN Administrator", "OBS Administrator", "KMS Administrator"]
}

resource "huaweicloud_rms_resource_recorder" "ConfigRecorder" {
  agency_name = var.ConfigAgencyName

  selector {
    all_supported  = var.AllSupported
    resource_types = var.ResourceTypes
  }

  obs_channel {
    bucket = var.BucketName
    region = var.BucketRegion
  }

  smn_channel {
    region = var.TopicRegion
    topic_urn = var.TopicUrn
    project_id = data.huaweicloud_identity_projects.CurrentAccountProject.projects[0].id
  }
  depends_on = [huaweicloud_identity_agency.identity_agency]
}

Parent topic: Resource Recorder

Previous topic: Configuring the Resource Recorder

Next topic: Notifications