Amazon Web Services (AWS) Integration through CloudFormation

This integration will provision IAM role(s) to provide Compute Software access to your AWS account(s).

AWS IAM Access Roles

The access IAM roles can be created using your organization's preferred method for managing AWS resources. This varies by organization, so we will provide some example scenarios.

AWS Console

The manual steps use the AWS CloudFormation console to provision the IAM roles in your AWS account.

1. Navigate to the Compute Software platform AWS Integration page and click "Add New Integration."

2. In the modal, enter a Name for your integration, e.g., My AWS Account.

3. Click the link for "Launch Stack in CloudFormation." This will open the CloudFormation console in a new browser tab with all the necessary parameters prefilled.

4. Ensure you are logged into the AWS account you wish to provision the Compute Software IAM roles in.

5. Ensure "I acknowledge that AWS CloudFormation might create IAM resources with custom names." is checked. Click "Create stack".

6. After the stack status shows CREATE_COMPLETE, navigate to the Outputs tab and locate the row for PlatformRoleARN. This value will be used to create the integration in the Compute Software application.

Infrastructure as Code (Terraform, CDK, Pulumi, etc.)

In more complex cases with numerous AWS accounts, organizations may choose to manage resources with IaC or custom tooling. Compute Software supports this by providing a CloudFormation template and a Terraform module to provision the access roles. If you use CDK, Pulumi, or custom tooling, we recommend the CloudFormation template. If you use Terraform, we recommend the Terraform module.

CloudFormation (CDK, Pulumi, etc.)

1. Navigate to the Compute Software AWS Integrations page and click "Add New Integration".

2. In the modal, locate the table row for "External ID", and save the value for use as a CloudFormation template parameter.

3. For each AWS account in your organization, create a CloudFormation Stack with the URL https://computesoftware-public-cf.s3.us-west-2.amazonaws.com/templates/aws-iam-20220211.json and parameter PlatformRoleExternalId set to the value located in the previous step.

For example, to create the stack using the AWS CLI, issue the following command.

aws cloudformation create-stack \
	--template-url "https://computesoftware-public-cf.s3.us-west-2.amazonaws.com/templates/aws-iam-20220211.json" \
	--stack-name computesoftware-platform-roles \
	--parameters "ParameterKey=PlatformRoleExternalId,ParameterValue=${EXTERNAL_ID}" \
	--capabilities CAPABILITY_NAMED_IAM

Terraform Module

1. Navigate to the Compute Software AWS Integrations page and click "Add New Integration".

2. In the modal, locate the table row for "External ID", and save the value for use as a Terraform module variable.

3. For each AWS account in your organization, provision the Terraform module with the platform_role_external_id parameter set to the value located in the previous step.


module "computesoftware-roles" {
  source  = "ComputeSoftware/computesoftware-roles/aws"
  version = "1.0.4"
  platform_role_external_id = "<< paste external ID here >>"
}
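
A check that applies after either provisioning path above (the CloudFormation stack or the Terraform module): confirm that the platform role's trust policy only admits callers that present your External ID. This is an added example, not Compute Software's code. It assumes the External ID is enforced as an sts:ExternalId condition and that you pass in the AssumeRolePolicyDocument returned by `aws iam get-role`; the account ID, external ID and helper names are constructed.

```python
# Added example. Account ID and external ID below are constructed placeholders.
EXPECTED_ID = "example-external-id"

def as_list(value):
    """IAM JSON lets most fields be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_external_id):
    """Return findings for a role trust policy; an empty list means it is pinned."""
    findings, grants = [], 0
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not (
                {"sts:assumerole", "sts:*", "*"} & actions):
            continue
        grants += 1
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in as_list(aws):
            findings.append(f"statement {i}: wildcard principal")
        # Only StringEquals pins the value; StringLike would admit patterns.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        equals = {k.lower(): as_list(v) for k, v in equals.items()}
        ext = equals.get("sts:externalid", [])
        if not ext:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ext != [expected_external_id]:
            findings.append(f"statement {i}: unexpected sts:ExternalId value")
    if grants == 0:
        findings.append("no statement allows sts:AssumeRole")
    return findings

def sample_policy(condition=None, principal="arn:aws:iam::111122223333:root"):
    """Build a constructed trust policy of the shape `aws iam get-role` returns."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": principal}}
    if condition is not None:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

PINNED = sample_policy({"StringEquals": {"sts:ExternalId": EXPECTED_ID}})
MISSING = sample_policy()
WRONG = sample_policy({"StringEquals": {"sts:ExternalId": "some-other-id"}})
OPEN = sample_policy(principal="*")

if __name__ == "__main__":
    for name, doc in [("pinned", PINNED), ("missing", MISSING),
                      ("wrong", WRONG), ("open", OPEN)]:
        print(name, audit_trust_policy(doc, EXPECTED_ID) or "ok")
```

Run it per account against the role named in the stack or module output; any non-empty result means the role can be assumed without your External ID or with a different one.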

Platform Integration

After provisioning the IAM access roles in your AWS accounts, a Compute Software platform integration must be created. There are two options for integration creation:

1. Automatic Discovery via AWS Organizations (recommended)

2. Manual

Choose Automatic Discovery via AWS Organizations if your AWS accounts are part of an AWS Organization and you would like the platform to automatically discover newly created accounts. Organizations that have many AWS accounts, dynamically create AWS accounts, or prefer automation tend to choose this option.

Choose Manual if you want full control over which AWS accounts are integrated into the platform.

Automatic Discovery via AWS Organizations

To automatically discover AWS accounts in your AWS Organization, you must first manually add a management account. Afterwards, the platform will automatically discover all member AWS accounts and create a platform integration.

1. To find a management account, log into the AWS Organizations console and locate the account with the "management account" tag. This is the account that you run the CloudFormation template in.

2. Ensure the IAM access roles have been created in this account. Locate the platform IAM role ARN created in this account (by default it will be named "compute-software-platform-role"). If you used CloudFormation, this will be the PlatformRoleARN Output value. If you used Terraform, this will be the platform_role_arn Output.

3. Navigate to the Compute Software platform AWS Integration page and click "Add New Integration."

4. In the modal, enter a Name for your integration, e.g., AWS Root.

5. Paste the platform role ARN into the Role ARN input.

6. Click "Add Integration".

7. After the integration is added, you should see a Status of "Healthy" and "Management account?" set as "Yes".

8. Click the toggle for "Auto Discover New Accounts". Integrations for new Organization member accounts will be automatically created within 12 hours.

Manual

1. Navigate to the Compute Software platform AWS Integration page and click "Add New Integration."

2. In the modal, enter a Name for your integration, e.g., AWS Root.

3. Provision the AWS access IAM roles and locate the platform role ARN for the account you would like to add.

4. Paste the platform role ARN into the Role ARN input.

5. Click "Add Integration".