Working with Configuration Aggregator as a support for Enterprise Accounts
This tutorial shows how the Configuration Aggregator feature can be configured on an App Configuration instance at the enterprise account level so that it collects resource metadata from all the sub-accounts of the enterprise.
Before you begin
Ensure that the following prerequisites are in place:
- Create an App Configuration instance at the top level of the enterprise, i.e., in the enterprise account.
- Create a Trusted Profile Template that grants the App Configuration service instance access to the IAM-enabled services and the Account Management services. See the following section on the steps to create the trusted profile template.
- Assign the trusted profile template to the required accounts and account groups in the enterprise. This creates the trusted profiles in all the selected accounts.
- App Configuration needs access to read the trusted profile templates. Create a trusted profile that grants it the Template Administrator, Assignment Administrator and Viewer roles on All IAM Account Management services.
Creating a trusted profile on IAM
Enterprise-managed IAM must be enabled in each sub-account of the enterprise so that the account can be managed from the enterprise. Check that this option is enabled; you can also set it with the following API call.
```sh
curl -s -L -X PATCH "https://accounts.test.cloud.ibm.com/v1/accounts/$ACCOUNT/traits" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d "{
    \"enterprise_iam_managed\": true
  }"
```
If the trusted profile template is assigned to an account group, any accounts and account groups added to that group in the future are assigned the trusted profile template automatically.
Create policy templates
Create policy templates so that they can be used in a Trusted Profile Template. For the Configuration Aggregator functionality, the policy needs access to All IAM enabled services with the Reader, Viewer and ConfigReader roles, and to All Account Management services with the Viewer and Config Reader roles.
The policy templates can be created using the API or the UI.
UI:
Navigate to the Access tab in your template and click Add -> Create. Define the name and description. Select the service you want to assign access to and choose the level of access.
![Creating Policy Templates Policy Templates](images/ac-creating-policy.png)
Once the policies have been created, select all the policies you want and click Add.
The policy templates created are the following:
![Reviewing Policy Templates Policy Templates](images/ac-review-policies.png)
Create Trusted Profile Template with IBM Cloud service instance as a trusted identity
To create a Trusted Profile Template with an IBM Cloud service instance as a trusted identity, you need to use the API. Make sure the identities use the type "crn". For more details, see https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-tp-template-create&interface=api#create-trusted-profile-template-api.
Payload for creating trusted profile template:
POST https://iam.cloud.ibm.com/v1/profile_templates
```json
{
  "account_id": "c1d20fee2fe24c42b8ef6583283d2dcf",
  "name": "Configuration Aggregator Template",
  "description": "Trusted profile template for Config Aggregator to collect resources from services",
  "profile": {
    "name": "Configuration Aggregator",
    "description": "Trusted Profile to collect resources via Config Aggregator",
    "identities": [
      {
        "type": "crn",
        "identifier": "crn:v1:bluemix:public:apprapp:us-south:c1d20fee2fe24c42b8ef6583283d2dcf:8abc9e31-5e7e-4154-b2d1-e963ee8a85a2::",
        "description": "App Configuration Dev instance in Enterprise account"
      }
    ]
  },
  "policy_template_references": [
    {
      "id": "policyTemplate-1362f690-8e7f-4a0a-bf72-bb8e5a0008c5",
      "version": "1"
    },
    {
      "id": "policyTemplate-2ba51f58-7b02-47ba-a707-1916d4650cbf",
      "version": "1"
    }
  ]
}
```
- identities.identifier refers to the CRN of the App Configuration instance that is being configured for the Configuration Aggregator.
- policy_template_references.id refers to the id of a policy template created in the previous step.
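The following script is an added example and is not part of the original tutorial or of the App Configuration service. It assembles the trusted profile template payload shown above, checks before submission that the only trusted identity is of type "crn" and names an App Configuration instance ("apprapp") in the template's own account, and then posts it to the profile_templates endpoint. The CRN parsing rules, the `check_identity` and `build_template` helpers, the acceptance of either a bare account id or the "a/<account id>" form in the CRN scope segment, and the IAM_TOKEN environment variable are this example's assumptions; the endpoint, field names and sample values are taken from the tutorial.

```python
"""Build, sanity-check and submit the trusted profile template payload.

Added example, not part of the original tutorial. Endpoint and payload shape
follow the tutorial; the CRN parsing, the identity check and the IAM_TOKEN
environment variable are this example's own assumptions.
"""
import json
import os
import urllib.request

IAM_PROFILE_TEMPLATES_URL = "https://iam.cloud.ibm.com/v1/profile_templates"

# Sample input: the values shown in the tutorial's payload.
TUTORIAL_ACCOUNT_ID = "c1d20fee2fe24c42b8ef6583283d2dcf"
TUTORIAL_INSTANCE_CRN = (
    "crn:v1:bluemix:public:apprapp:us-south:"
    "c1d20fee2fe24c42b8ef6583283d2dcf:"
    "8abc9e31-5e7e-4154-b2d1-e963ee8a85a2::"
)
TUTORIAL_POLICY_TEMPLATE_IDS = [
    "policyTemplate-1362f690-8e7f-4a0a-bf72-bb8e5a0008c5",
    "policyTemplate-2ba51f58-7b02-47ba-a707-1916d4650cbf",
]

# Segment names of a CRN: crn:v1:cname:ctype:service:location:scope:instance:resource-type:resource
CRN_SEGMENTS = ["prefix", "version", "cname", "ctype", "service", "location",
                "scope", "instance", "resource_type", "resource"]


def parse_crn(crn):
    """Split a CRN into its named segments; raise ValueError for anything else."""
    parts = crn.split(":")
    if len(parts) != len(CRN_SEGMENTS) or parts[0] != "crn":
        raise ValueError(f"not a well-formed CRN: {crn!r}")
    return dict(zip(CRN_SEGMENTS, parts))


def check_identity(identity, account_id):
    """True only if the identity is of type 'crn' and names an App Configuration
    instance (service name 'apprapp') in the given account.

    Assumption: the scope segment may be the bare account id (as in the
    tutorial's payload) or the usual 'a/<account id>' form."""
    if identity.get("type") != "crn":
        return False
    try:
        crn = parse_crn(identity["identifier"])
    except (KeyError, ValueError):
        return False
    return (crn["service"] == "apprapp"
            and crn["scope"] in (account_id, f"a/{account_id}")
            and bool(crn["instance"]))


def build_template(account_id, instance_crn, policy_template_ids,
                   name="Configuration Aggregator Template"):
    """Assemble the POST body, refusing any identity other than the App
    Configuration instance so the template never trusts a wider identity."""
    identity = {
        "type": "crn",
        "identifier": instance_crn,
        "description": "App Configuration instance in the enterprise account",
    }
    if not check_identity(identity, account_id):
        raise ValueError("identity must be the CRN of an App Configuration "
                         "instance in the template's account")
    if not policy_template_ids:
        raise ValueError("at least one policy template reference is required")
    return {
        "account_id": account_id,
        "name": name,
        "description": "Trusted profile template for Config Aggregator "
                       "to collect resources from services",
        "profile": {
            "name": "Configuration Aggregator",
            "description": "Trusted Profile to collect resources via Config Aggregator",
            "identities": [identity],
        },
        "policy_template_references": [
            {"id": template_id, "version": "1"} for template_id in policy_template_ids
        ],
    }


def submit_template(payload, token):
    """POST the template (it is created in draft state) and return the parsed
    response. This performs a network call and is not exercised offline."""
    request = urllib.request.Request(
        IAM_PROFILE_TEMPLATES_URL,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)


if __name__ == "__main__":
    payload = build_template(TUTORIAL_ACCOUNT_ID, TUTORIAL_INSTANCE_CRN,
                             TUTORIAL_POLICY_TEMPLATE_IDS)
    print(json.dumps(payload, indent=2))
    token = os.environ.get("IAM_TOKEN")
    if token:
        print(json.dumps(submit_template(payload, token), indent=2))
```

Run it without IAM_TOKEN set to print the validated payload only; with a token, it creates the draft template, which you then review and commit as described in the next section. Checking the identity before submission matters because a trusted profile created in every sub-account grants whatever identity it lists the policies attached to the template, so the identity should be exactly the one App Configuration instance.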
Once the template is created, it is in draft state.
Commit the template
Once all the details, such as the policies and identities, are in place, you can update the template, review it and mark it as committed.
![Reviewing Policies for the Template Policy Templates](images/ac-review-policy-for-template.png)
![Committing the policies Policy Templates](images/ac-commit-template.png)
Assign accounts to the templates
Once the template is committed, it can be used for assignments. You can use the UI or the API for this. Assignments are possible only for accounts that have enterprise_iam_managed enabled.
- API: https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-tp-template-create&interface=api#assign-trusted-profile-template-api
- UI: https://cloud.ibm.com/docs/secure-enterprise?topic=secure-enterprise-tp-template-create&interface=ui#assign-trusted-profile-template-api
![Selecting Accounts you want to assign Template assignment step 1](images/ac-template-assignments-1.png)
![Assigning the accounts Template assignment step 2](images/ac-template-assignments-2.png)
Once the assignment is complete, the trusted profile is created in all the assigned sub-accounts. You can validate this by checking that each account shows the trusted profile as enterprise-managed.
![Trusted Profile template visible in all accounts Template Assignment Trusted Profile](images/ac-trusted-profile.png)
Configure the Configuration Aggregator
Configure the Configuration Aggregator using the Settings API. See the API documentation for more details.