Prerequisites - Workload Discovery on AWS

Prerequisites

Gather deployment parameter details

Before deploying Workload Discovery on AWS, review your configuration details for the Amazon OpenSearch Service service-linked role and AWS Config.

Verify whether you have an AWSServiceRoleForAmazonOpenSearchService role

The deployment creates an Amazon OpenSearch Service cluster inside an Amazon Virtual Private Cloud (Amazon VPC). The template uses a service-linked role to create the OpenSearch Service cluster. However, if you already have the role created in your account, use the existing role.

To check if you already have this role:

  1. Sign in to the Identity and Access Management (IAM) console for the account you plan to deploy this solution to.

  2. In the Search box, enter AWSServiceRoleForAmazonOpenSearchService.

  3. If your search returns a role, select No for the CreateOpensearchServiceRole parameter when you launch the stack.

Verify AWS Config is set up

Workload Discovery on AWS uses AWS Config to gather the majority of resource configurations. When deploying the solution or importing a new Region, you must confirm whether AWS Config is already set up and working as expected. The AlreadyHaveConfigSetup CloudFormation parameter informs Workload Discovery on AWS of whether to set up AWS Config.

The following snippet is taken from the AWS CLI Command Reference. Run the command in the Region you intend to deploy Workload Discovery on AWS or import into Workload Discovery on AWS.

Enter the following command:

aws configservice get-status

If you receive a response similar to the following output, then there is a Configuration Recorder and Delivery Channel running in that Region. Select Yes for the AlreadyHaveConfigSetup CloudFormation parameter.

Output:

Configuration Recorders:

name: default
recorder: ON
last status: SUCCESS

Delivery Channels:

name: default
last stream delivery status: SUCCESS
last history delivery status: SUCCESS
last snapshot delivery status: SUCCESS

If you are configuring AWS CloudFormation StackSets, then you must include this Region in the batch of Regions that already have AWS Config configured.
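The following POSIX shell script is an added example; it is not part of the Workload Discovery on AWS documentation or solution. It turns the manual check above into a pre-flight decision: it parses the text that aws configservice get-status prints (in the layout shown above) and answers Yes or No for the AlreadyHaveConfigSetup parameter. The function names, the LIVE environment variable and the three sample outputs are assumptions constructed for this example; only the LIVE=1 path calls the AWS CLI and needs credentials for the target Region.

```shell
#!/bin/sh
# Added example, not solution code: derive AlreadyHaveConfigSetup from
# `aws configservice get-status` output. Sample outputs below are constructed.

# Constructed sample: recorder on, last status SUCCESS, one delivery channel.
SAMPLE_RUNNING='Configuration Recorders:

name: default
recorder: ON
last status: SUCCESS

Delivery Channels:

name: default
last stream delivery status: SUCCESS
last history delivery status: SUCCESS
last snapshot delivery status: SUCCESS'

# Constructed sample: a recorder exists but is switched off.
SAMPLE_OFF='Configuration Recorders:

name: default
recorder: OFF
last status: SUCCESS

Delivery Channels:

name: default
last stream delivery status: SUCCESS'

# Constructed sample: AWS Config has never been set up in this Region.
SAMPLE_EMPTY='Configuration Recorders:

Delivery Channels:
'

# config_ready <status-text>
# Returns 0 when the recorder section shows "recorder: ON" with a SUCCESS
# last status and the delivery channel section names at least one channel.
config_ready() {
  status="$1"
  recorders=$(printf '%s\n' "$status" | sed -n '/^Configuration Recorders:/,/^Delivery Channels:/p')
  channels=$(printf '%s\n' "$status" | sed -n '/^Delivery Channels:/,$p')
  printf '%s\n' "$recorders" | grep -q '^recorder: ON$' || return 1
  printf '%s\n' "$recorders" | grep -q '^last status: SUCCESS$' || return 1
  printf '%s\n' "$channels" | grep -q '^name: ' || return 1
  return 0
}

# already_have_config_setup <status-text>
# Prints the value to give the AlreadyHaveConfigSetup CloudFormation parameter.
already_have_config_setup() {
  if config_ready "$1"; then echo Yes; else echo No; fi
}

if [ "${LIVE:-0}" = 1 ]; then
  # Live path: query the Region the CLI is configured for (needs credentials).
  printf 'AlreadyHaveConfigSetup=%s\n' "$(already_have_config_setup "$(aws configservice get-status)")"
else
  # Offline demonstration on the constructed samples.
  printf 'recorder running   -> %s\n' "$(already_have_config_setup "$SAMPLE_RUNNING")"
  printf 'recorder off       -> %s\n' "$(already_have_config_setup "$SAMPLE_OFF")"
  printf 'nothing configured -> %s\n' "$(already_have_config_setup "$SAMPLE_EMPTY")"
fi
```

Run it with LIVE=1 in each Region you plan to deploy to or import, with the CLI pointed at that Region; a recorder that exists but is OFF, or whose last status is not SUCCESS, yields No, which matches the page's requirement that AWS Config be "set up and working as expected" rather than merely present.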

Verify your AWS Config details in your account

The deployment will attempt to set up AWS Config. If you already use AWS Config in the account that you plan to either deploy to or make discoverable by Workload Discovery on AWS, select the relevant parameters when you deploy this solution. Furthermore, for successful deployment, ensure that you haven’t restricted the resources that AWS Config scans.

To check your current AWS Config configuration:

  1. Sign in to the AWS Config console.

  2. Choose Settings and ensure the Record all resources supported in this Region and Include global resources boxes are selected.

Verify your VPC configuration

If deploying to an existing VPC, verify your private subnets can route requests to AWS services.

If you choose the option to deploy the solution in an existing VPC, you must ensure that the Workload Discovery on AWS Lambda functions and the Amazon ECS tasks running in the private subnets of your VPC can connect to other AWS services. The standard way to enable this is with NAT gateways. You can list the NAT gateway routes of your private subnets as shown in the following code sample.

aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<private-subnet-id1>,<private-subnet-id2> --query 'RouteTables[].Routes[].NatGatewayId'

Output:

[
    "nat-1111111111111111",
    "nat-2222222222222222"
]

Note

If fewer than two results are returned, the subnets do not have the correct number of NAT gateways.

If your VPC doesn’t have NAT gateways, then you must either provision them or ensure that you have VPC endpoints for all the AWS services listed in the AWS APIs section.
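The following POSIX shell script is an added example, not part of the Workload Discovery on AWS documentation or solution. It applies the two-result rule from the note above to the JSON that the describe-route-tables query prints, so the check can run as a script instead of by eye. The function names, the LIVE environment variable, the sample outputs and the subnet IDs are assumptions constructed for this example; only the LIVE=1 path calls the AWS CLI and needs credentials.

```shell
#!/bin/sh
# Added example, not solution code: count NAT gateway routes returned by
#   aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=... \
#     --query 'RouteTables[].Routes[].NatGatewayId'
# and decide whether the private subnets meet the two-route requirement.

# Constructed sample: two private subnets, each routed through its own NAT gateway.
SAMPLE_TWO='[
    "nat-1111111111111111",
    "nat-2222222222222222"
]'

# Constructed sample: only one NAT gateway route (a null shows what a
# route without NatGatewayId would look like if the query did not drop it).
SAMPLE_ONE='[
    null,
    "nat-1111111111111111"
]'

# Constructed sample: no NAT gateway routes at all.
SAMPLE_NONE='[]'

# nat_route_count <json-text>
# Prints the number of NAT gateway IDs in the query output (one per route).
nat_route_count() {
  printf '%s\n' "$1" | grep -o '"nat-[0-9a-f]*"' | wc -l | tr -d '[:space:]'
}

# subnets_have_nat <json-text> [required]
# Returns 0 when at least <required> NAT routes are present (default 2,
# the threshold given in the note above).
subnets_have_nat() {
  required="${2:-2}"
  count=$(nat_route_count "$1")
  [ "$count" -ge "$required" ]
}

# nat_advice <json-text>
# Prints the next step implied by the page for the given query output.
nat_advice() {
  if subnets_have_nat "$1"; then
    echo "OK: private subnets route through NAT gateways"
  else
    echo "ACTION: provision NAT gateways or add VPC endpoints for every service in the AWS APIs section"
  fi
}

if [ "${LIVE:-0}" = 1 ]; then
  # Live path: pass your private subnet IDs as arguments, e.g.
  #   LIVE=1 sh check-nat.sh subnet-aaaa subnet-bbbb   (IDs are placeholders)
  [ $# -ge 1 ] || { echo "usage: LIVE=1 $0 <private-subnet-id>..." >&2; exit 2; }
  ids=$(IFS=,; echo "$*")
  out=$(aws ec2 describe-route-tables \
          --filters "Name=association.subnet-id,Values=$ids" \
          --query 'RouteTables[].Routes[].NatGatewayId')
  printf 'NAT routes: %s\n' "$(nat_route_count "$out")"
  nat_advice "$out"
else
  # Offline demonstration on the constructed samples.
  for s in "$SAMPLE_TWO" "$SAMPLE_ONE" "$SAMPLE_NONE"; do
    printf '%s route(s): %s\n' "$(nat_route_count "$s")" "$(nat_advice "$s")"
  done
fi
```

The count is per route, not per unique gateway, which follows the page's rule that fewer than two results means the subnets are not correctly configured; if your subnets share one route table and one NAT gateway, the query returns a single result and the script reports an action item, so review the route table before deploying.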