Although it’s fairly limited, you can add AWS as an endpoint for vRealize Automation 7 and consume EC2 AMIs as part of a blueprint. You can even add the deployed instances to an existing Elastic Load Balancer at deploy time. In this post I’ll run through the basics to get up and running and deploy your first highly available (multiple Availability Zone, load balanced) blueprint.
There are some obvious pre-requisites for attaching an AWS endpoint - for example, you need to have a VPC configured. There are plenty of resources out there for creating a VPC, so I won’t extend this post by replicating them. This is what I’m using:
AWS endpoints are not configured using a user name and password. Instead, you need to create a user within AWS’s Identity & Access Management console. You can find it on your AWS console under Security and Identity:
AWS best practice is to assign permissions at a group level, rather than at the user level, so let’s create a group for vRA. Select the Groups page and then “Create new Group”. I’ve called my group “DefinIT-Lab”. Then click Next Step.
If you look at the AWS User Roles and Credentials Required in the vRA7 documentation, you’ll see that we need to assign the Power User role to our user. To do this we can filter the list of policies and attach the PowerUserAccess policy to the new group.
Review the group name and attached policies, then click Create Group.
Select the Users page and then “Create New Users”. You can bulk add users, but for my purposes I need just the one for my vRA instance. I’m creating a user called DefinIT-vRA. Ensure the “Generate an access key for each user” option is ticked.
Once successfully created, the user’s credentials are also available - and before you try and access my AWS account, the user in this post has been deleted 🙂 Be sure to make a note of the credentials - once you finish the create wizard you won’t see the Secret Access Key again. You can also download the credentials as a CSV file if needed.
At this point the user has no permissions, so we need to assign a group and some permissions. Fortunately, we created a group for that purpose just now! Select the newly created user and click “Add User to Groups” under the Groups tab.
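The IAM steps above can also be scripted with the AWS CLI, which makes them repeatable and keeps the secret key off the screen. This is an added example, not part of the original post: the group, user and policy names are the post's, while the `DRY_RUN` switch, the `KEY_FILE` path and the function names are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example: AWS CLI equivalent of the console steps above.
# GROUP, USER_NAME and the policy are the post's; DRY_RUN, KEY_FILE and the
# function names are assumptions of this example.
set -euo pipefail

GROUP="DefinIT-Lab"
USER_NAME="DefinIT-vRA"
POLICY_ARN="arn:aws:iam::aws:policy/PowerUserAccess"
KEY_FILE="${KEY_FILE:-./definit-vra-access-key.json}"

# Run an aws command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'aws %s\n' "$*"
  else
    aws "$@"
  fi
}

create_vra_iam_user() {
  # Permissions are attached to the group, not the user.
  run iam create-group --group-name "$GROUP"
  run iam attach-group-policy --group-name "$GROUP" --policy-arn "$POLICY_ARN"
  run iam create-user --user-name "$USER_NAME"
  run iam add-user-to-group --group-name "$GROUP" --user-name "$USER_NAME"
  # The Secret Access Key is returned only once: write it straight to a
  # newly created file that only the current user can read.
  ( umask 077
    run iam create-access-key --user-name "$USER_NAME" --output json > "$KEY_FILE" )
}

verify_vra_iam_user() {
  # Show the group's policies, the user's groups and the user's access keys
  # so the result can be reviewed before the key is handed to vRA.
  run iam list-attached-group-policies --group-name "$GROUP"
  run iam list-groups-for-user --user-name "$USER_NAME"
  run iam list-access-keys --user-name "$USER_NAME"
}

# Usage: ./vra-iam.sh apply   (DRY_RUN=1 ./vra-iam.sh apply prints the commands)
if [ "${1:-}" = "apply" ]; then
  create_vra_iam_user
  verify_vra_iam_user
fi
```

The `AccessKeyId` and `SecretAccessKey` fields in the key file are the values vRA asks for as User Name and password when the credential is created.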
Firstly, let’s set up some credentials based on the user we created earlier. Log into vRA with a user that has Infrastructure Admin permissions, select Infrastructure > Endpoints > Credentials. Click “New” to create a new credential, then enter a Name and Description that suits you. Enter the Access Key ID generated for your user as the User Name, and the Secret Access Key as the password.
Next select Endpoints and click New > Cloud > Amazon EC2
Add a Name, Description and select the Credentials we just created.
vRA will now kick off a data collection against AWS using your credentials. To check on its progress you can select Data Collection from the contextual menu.
Next, create a new fabric group for the AWS regions. You need to be logged in with a user that has Fabric Administrator rights. Select Infrastructure > Endpoints > Fabric Groups > New and enter a Name, Description and select the Fabric Administrators. I want to make use of the EU regions, so I called mine “AWS Free Tier EU”, and I used my existing AD group “vRA Fabric Admins”. Next select the regions you want to be able to deploy to - bearing in mind you will need a VPC in each to be able to deploy to them.
Select Infrastructure > Reservations > Reservations > New > Amazon to begin configuring the AWS reservation.
The General tab is configured as you would any other Reservation in vRA. Create a Name, assign to a Tenant, Business Group and Reservation Policy (optional), and assign a Priority.
On the Resources tab it gets a little more in depth. I have a VPC configured in eu-west-1, so I’m going to create a reservation there - I select the AWS Free Tier-eu-west-1 compute resource. I’m going to set the Machine Quota to 10, for my own peace of mind. Next specify how you’d like to handle the key pairs for the deployed VMs - you can select:
They’re pretty self-explanatory, but I’m going to set it to use my existing key-pair.
Setting up an #AWS endpoint in #vRA7 shouldn't be this difficult. Add IAM keys to credentials and boom…Unauthorised! Any hints welcome!
— Steven Viljoen (@StevenViljoen) July 27, 2016