Enable AWS Resource Explorer in AWS Organizations using CloudFormation
June 18, 2024
Architecture
You must create the stack sets in the organization's management account. AWS CloudFormation is a Regional service, so you can view and manage the stack sets you create from only the Region you originally created them in.
This stack set will be created in the organization management account. It can be managed from the organization management account or from the CloudFormation StackSets delegated administrator account.
Creating the stack sets for Resource Explorer
To fully deploy Resource Explorer, you must deploy two stack sets.
- The first stack set creates the aggregator index and a default view that lets users search for resources across all of the Regions in the account. Deploy this stack set to only the single Region in which you want to create the aggregator index.
- The second stack set creates a local index and a default view. The local index replicates its content to the aggregator index. Deploy this stack set to every enabled Region in the account except the Region that contains the aggregator index. Don't choose any Regions that aren't enabled in the accounts to which you deploy the stack. If you do, the deployment fails.
After you deploy these stack sets to your organization, every account within the scope you selected, organization or organizational unit, has an aggregator index in the specified Region, and local indexes in every other Region.
$ aws organizations register-delegated-administrator \
--account-id 111122223333 \
--service-principal resource-explorer-2.amazonaws.com
Note: You do not need to create the IAM role "AWSServiceRoleForResourceExplorer" in the delegated administrator account yourself; it is created automatically when the following CloudFormation stack set is deployed.
Sample AWS CloudFormation templates
The following sample template creates the account's aggregator index and a default view that can search for resources across all Regions in the account where you deploy the index. This template is for the delegated administrator account for Resource Explorer, deployed in the Region chosen for the aggregator index.
Description: >-
  CFN Stack setting up ResourceExplorer with an Aggregator Index in the
  us-west-2 Region, and a new Default Organization-wide View.
Resources:
  Index:
    Type: 'AWS::ResourceExplorer2::Index'
    Properties:
      Type: AGGREGATOR
      Tags:
        Purpose: ResourceExplorer CFN Stack
  View:
    Type: 'AWS::ResourceExplorer2::View'
    Properties:
      ViewName: Resource-Explorer-Org-View
      IncludedProperties:
        - Name: tags
      Scope: arn:aws:organizations::111122223333:organization/o-o3******l9
      Tags:
        Purpose: ResourceExplorer CFN Stack
    DependsOn: Index
  DefaultViewAssociation:
    Type: 'AWS::ResourceExplorer2::DefaultViewAssociation'
    Properties:
      ViewArn: !Ref View

Create the stack set with Service-managed permissions.
StackSet Name: resource-explorer-delegated-administrator-aggregator-index
StackSet Description: Deploy Resource Explorer in the delegated administrator account in the aggregator index Region
Managed execution: Active
Automatic deployment: Deactivated
Account filter type: Intersection - Deploys to the specified individual accounts from the provided OUs.
Deployment targets: r-xxxx
Account numbers: delegated administrator account
Regions: choose the Region for Aggregator Index
The following template is for deploying the Resource Explorer resources for the member AWS accounts.
Description: >-
  CFN Stack setting up ResourceExplorer with an Aggregator Index in the
  us-west-2 Region, and a new Default View.
Resources:
  Index:
    Type: 'AWS::ResourceExplorer2::Index'
    Properties:
      Type: AGGREGATOR
      Tags:
        Purpose: ResourceExplorer CFN Stack
  View:
    Type: 'AWS::ResourceExplorer2::View'
    Properties:
      ViewName: Resource-Explorer-View
      IncludedProperties:
        - Name: tags
      Tags:
        Purpose: ResourceExplorer CFN Stack
    DependsOn: Index
  DefaultViewAssociation:
    Type: 'AWS::ResourceExplorer2::DefaultViewAssociation'
    Properties:
      ViewArn: !Ref View

Create this stack set with Service-managed permissions.
StackSet Name: resource-explorer-member-account-aggregator-index
StackSet Description: Deploy Resource Explorer in the member accounts in the aggregator index Region
Managed execution: Active
Automatic deployment: Activated
Account removal behavior: Delete stacks
Account filter type: Difference - Excludes the specified individual accounts from the provided OUs.
Deployment targets: r-xxxx
Account numbers: delegated administrator account
Regions: choose the Region for Aggregator Index
Maximum concurrent accounts: 30 (Number)
Failure tolerance: 100 (Percentage)
Region concurrency: SEQUENTIAL
Concurrency mode: STRICT_FAILURE_TOLERANCE
Repeat the step above to create another stack set, changing the following settings:
StackSet Name: resource-explorer-member-account-aggregator-index-org-mgmt-account
StackSet Description: Deploy Resource Explorer in the organization management account in the aggregator index Region
Deployment targets: the OU ID of the empty OU
Because the create operation does not allow the UNION account filter, leave the "Account filter type" field empty when creating the stack set.
After the stack set is created, edit the stack set.
Deploy to accounts
Account numbers: organization management account
aws cloudformation create-stack-set \
--stack-set-name resource-explorer-member-account-aggregator-index-org-mgmt-account \
--description "Deploy Resource Explorer in the organization management account in the aggregator index Region" \
--template-url https://cf-templates-2o****m5-us-west-2.s3.us-west-2.amazonaws.com/resource_explorer_member_account_uswest2.yaml \
--managed-execution Active=true
Output:
{ "StackSetId": "resource-explorer-member-account-aggregator-index-org-mgmt-account:72200e58-****-****-****-10e657ab5d7b" }
aws cloudformation create-stack-instances \
--stack-set-name resource-explorer-member-account-aggregator-index-org-mgmt-account:72200e58-****-****-****-10e657ab5d7b \
--accounts 123456789012 \
--regions us-west-2
Output:
{ "OperationId": "cb69b92b-****-****-****-e75107d6c3e6" }
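As an added post-deployment check (not part of the original post), the script below verifies the end state described under Architecture: every in-scope account has exactly one aggregator index in the chosen Region and a local index in every other Region the second stack set was deployed to. It assumes the input is the JSON returned by `aws resource-explorer-2 list-indexes-for-members` run from the delegated administrator account, with the record fields AccountId, Region and Type (field names as I recall them, an assumption); the sample output, Region list and account IDs are constructed.

```python
import json
from collections import defaultdict

AGGREGATOR_REGION = "us-west-2"                              # Region chosen for the aggregator index
ENABLED_REGIONS = {"us-west-2", "us-east-1", "eu-west-1"}     # aggregator Region plus the local-index Regions
EXPECTED_ACCOUNTS = {"111111111111", "222222222222", "333333333333"}  # constructed account IDs

# Constructed sample standing in for `aws resource-explorer-2 list-indexes-for-members`
# output (field names assumed): account ...1 is healthy, ...2 has its aggregator in the
# wrong Region and no index in eu-west-1, ...3 has two aggregator indexes.
SAMPLE_OUTPUT = json.dumps({"Indexes": [
    {"AccountId": "111111111111", "Region": "us-west-2", "Type": "AGGREGATOR"},
    {"AccountId": "111111111111", "Region": "us-east-1", "Type": "LOCAL"},
    {"AccountId": "111111111111", "Region": "eu-west-1", "Type": "LOCAL"},
    {"AccountId": "222222222222", "Region": "us-east-1", "Type": "AGGREGATOR"},
    {"AccountId": "222222222222", "Region": "us-west-2", "Type": "LOCAL"},
    {"AccountId": "333333333333", "Region": "us-west-2", "Type": "AGGREGATOR"},
    {"AccountId": "333333333333", "Region": "us-east-1", "Type": "AGGREGATOR"},
    {"AccountId": "333333333333", "Region": "eu-west-1", "Type": "LOCAL"},
]})

def check_indexes(raw_json, expected_accounts, aggregator_region, enabled_regions):
    """Return {account_id: [problem, ...]}; an empty dict means the deployment matches."""
    by_account = defaultdict(dict)          # account -> {Region: index Type}
    for idx in json.loads(raw_json)["Indexes"]:
        by_account[idx["AccountId"]][idx["Region"]] = idx["Type"]
    problems = {}
    for account in sorted(expected_accounts):
        found = by_account.get(account, {})
        issues = []
        # Exactly one aggregator index, and only in the Region the first stack set targets.
        aggregators = [r for r, t in found.items() if t == "AGGREGATOR"]
        if aggregators != [aggregator_region]:
            issues.append(f"aggregator index in {aggregators or 'no Region'}, expected {aggregator_region}")
        # A local index in every other Region the second stack set was deployed to.
        for region in sorted(enabled_regions - {aggregator_region}):
            if found.get(region) != "LOCAL":
                issues.append(f"missing LOCAL index in {region}")
        # Any index in a Region outside the deployment is drift worth investigating.
        for region in sorted(set(found) - enabled_regions):
            issues.append(f"unexpected index in non-deployed Region {region}")
        if issues:
            problems[account] = issues
    return problems

if __name__ == "__main__":
    for account, issues in check_indexes(SAMPLE_OUTPUT, EXPECTED_ACCOUNTS,
                                         AGGREGATOR_REGION, ENABLED_REGIONS).items():
        print(f"{account}: " + "; ".join(issues))
```

In a real run, replace SAMPLE_OUTPUT with the CLI output and EXPECTED_ACCOUNTS with the account IDs in the OU or root you deployed to.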
References
AWS CLI create-stack-set
AWS CLI create-stack-instances