Setting up Configuration Aggregator for enterprise accounts

In this tutorial, you learn how to set up the Configuration Aggregator in App Configuration at the enterprise account level to collect resource metadata from all child accounts in your enterprise.

Objectives

In this tutorial, you complete the following tasks:

Create policy templates for Configuration Aggregator access.
Create a trusted profile template with your App Configuration instance as a trusted identity.
Commit the trusted profile template.
Assign the template to enterprise accounts.
Set up Configuration Aggregator to collect resource metadata from the enterprise.

Before you begin

Make sure you have the following prerequisites:

An IBM Cloud enterprise account. For more information about creating an enterprise, see What is an enterprise?
An App Configuration instance created at the enterprise account level. For more information, see Creating an App Configuration service instance.
Manager access to the App Configuration service.
Administrator access to IAM Account Management services in the enterprise account.
Enterprise IAM enabled in all child accounts that you want to manage. You can verify or enable this setting by using the following API call:
```
curl -s -L -X PATCH "https://accounts.cloud.ibm.com/v1/accounts/$ACCOUNT/traits"
-H "Content-Type: application/json"
-H "Authorization: Bearer $TOKEN"
-d "{
 \"enterprise_iam_managed\": true
}"
```
Replace $ACCOUNT with your account ID and $TOKEN with your IAM access token.

If you apply the trusted profile template to an account group, all accounts added to that group in the future automatically receive the trusted profile template assignment.

Create policy templates

Policy templates define the access permissions that Configuration Aggregator needs to collect resource metadata from your enterprise accounts. You need to create policy templates that grant the following access:

Reader, Viewer, and ConfigReader roles on All IAM-enabled services.
Viewer and ConfigReader roles on All Account Management services.

You can create policy templates by using the IBM Cloud console or API.

In the IBM Cloud console, go to Manage > Access (IAM) > Templates.
Click Create to create a new policy template.
In the Access tab, click Add > Create.
Enter a name and description for your policy template.
Select the service that you want to assign access to.
Assign the following access:
- Reader, Viewer, and ConfigReader roles on All IAM-enabled services.
- Viewer and ConfigReader roles on All Account Management services.
Click Add to save the policy.

The following image shows the policy creation interface where you define the name, description, and access levels:

Policy creation interface showing fields for name, description, service selection, and access level assignment — Creating policy templates

After you create all the required policies, select them and click Add to include them in your template.

The following image shows the completed policy templates ready for use:

List of policy templates showing IAM-enabled services and Account Management services with their assigned roles — Reviewing policy templates

Create a trusted profile template

A trusted profile template allows your App Configuration instance to access resources across your enterprise accounts. You must create this template by using the IAM API and specifying your App Configuration instance CRN as a trusted identity.

To create a trusted profile template, make a POST request to the IAM profile templates endpoint:

POST https://iam.cloud.ibm.com/v1/profile_templates

Use the following JSON payload as the request body:

{
  "account_id": "YOUR_ENTERPRISE_ACCOUNT_ID",
  "name": "Configuration Aggregator Template",
  "description": "Trusted profile template for configuration aggregator to collect resources from services",
  "profile": {
    "name": "Configuration Aggregator",
    "description": "Trusted profile to collect resources through configuration aggregator",
    "identities": [
      {
        "type": "crn",
        "identifier": "YOUR_APP_CONFIGURATION_INSTANCE_CRN",
        "description": "App Configuration instance in enterprise account"
      }
    ]
  },
  "policy_template_references": [
    {
      "id": "YOUR_POLICY_TEMPLATE_ID_1",
      "version": "1"
    },
    {
      "id": "YOUR_POLICY_TEMPLATE_ID_2",
      "version": "1"
    }
  ]
}

Replace the following values in the payload:

YOUR_ENTERPRISE_ACCOUNT_ID: Your enterprise account ID
YOUR_APP_CONFIGURATION_INSTANCE_CRN: The CRN of your App Configuration instance that you want to configure for Configuration Aggregator
YOUR_POLICY_TEMPLATE_ID_1 and YOUR_POLICY_TEMPLATE_ID_2: The IDs of the policy templates that you created in the previous step

When you use type: crn for identities, you specify a service instance as a trusted identity. For more information, see Creating a trusted profile template.

After you create the template, it appears in draft mode and is ready for review.

Commit the template

After you create the trusted profile template with all the required policies and identities, you need to review and commit it before you can assign it to accounts.

In the IBM Cloud console, go to Manage > Access (IAM) > Templates.
Locate your Configuration Aggregator template in the list.
Review the template details, including the policies and trusted identities.
Click Commit to finalize the template.

The following image shows the policy review interface where you can verify all policies attached to the template:

Reviewing policies for the template

The following image shows the commit interface where you finalize the template:

Committing the template

After you commit the template, it becomes available for assignment to enterprise accounts and account groups.

Assign the template to child accounts

After you commit the template, you can assign it to enterprise accounts or account groups. You can assign templates only to accounts that have enterprise-managed IAM enabled.

You can assign the template by using the IBM Cloud console or API

In the IBM Cloud console, go to Manage > Access (IAM) > Templates.
Locate your Configuration Aggregator template and click Assign.
Select the accounts or account groups that you want to assign the template to.
Review your selections and click Assign.

The following image shows the account selection interface where you choose which accounts receive the template:

Account selection interface displaying a list of enterprise accounts and account groups available for template assignment — Selecting accounts for template assignment

The following image shows the assignment confirmation interface:

Assignment confirmation interface showing the selected accounts and the assign button to complete the process — Confirming account assignments

After the template is assigned, the trusted profile is created in all the child accounts you selected. You can verify the assignment by checking each account to confirm that the trusted profile appears as enterprise-managed.

The following image shows how the trusted profile appears in child accounts after it's been assigned:

Trusted profile visible in assigned accounts

Enable configuration aggregator

After you assign the trusted profile template to your enterprise accounts, you can enable Configuration Aggregator in your App Configuration instance.

You can enable Configuration Aggregator by using the App Configuration Settings API.

You can also choose to use Terraform IBM Modules (TIM) for App Configuration that has built-in support for Configuration Aggregator, automatically provisioning the necessary Trusted Profiles, templates, and custom IAM roles which enables a fully-automated approach to configure and manage an App Configuration instance at Enterprise account level.