IBM Cloud Docs
Configuration Aggregator

Configuration Aggregator

Configuration Aggregator can be used to facilitate a Cloud Governance SME with up-to-date configuration data of IBM Cloud resources in one place so that comprehensive information is available for goverance and compliance initiatives. All the plans of the App Configuration service will have the Configuration Aggregator feature available. As an app owner, the user has to explicitly enable the Configuration Aggregator. It can be done on the App Configuration instance either via API, SDK or Dashboard. The App Configuration service will start the resource collection and periodically to keep the metadata current via reconciliation. User can use the query API to get the updated metadata of the service instances in the account.

Configuration Aggregator feature can be configured on an App Configuration instance at Enterprise account level to collect resource metadata from all the sub-accounts of the enterprise. A trusted profile template should be created providing access to App Configuration service instance to all the IAM enabled services. The trusted profile template should then be assigned to the required accounts in the Enterprise, which in turn creates the trusted profile in the respective sub-accounts providing access to App Configuration service instance to collect resource metadata.

By default, recording is always set to be OFF.

Default Configuration Aggregator
Default Configuration Aggregator

Enable Configuration aggregator - Single Account

To enable configuration aggregator, complete these steps:

  1. In the App Configuration console, click Configuration aggregator.

  2. Click on Define an aggregation. The side panel opens with fields for setting up recording details.

    Enable Configuration Aggregator - Set up recording
    Set up recording - Single Account

  3. Select either all regions or specific regions from the region list. Click on Save to complete. This will create a Trusted Profile on App Configuration instance having reader access for reading the configurations of the resources.

  4. Click on toggle button to enable recording. It will ask for confirmation. Click on Turn on button.

    Enable Configuration Aggregator - Enable recording
    Enable Recording - Single Account

Enable Configuration aggregator - Enterprise Account

In order to enable configuration aggregator feature for enterprise account, user must complete following Pre-requisities:

  1. Create an App Configuration instance at the top-level of the enterprise i.e enterprise account.

  2. Create a Trusted Profile Template providing access for the App Configuration service instance to the IAM enabled services and Account Management services. Refer here

    Enable Configuration Aggregator - Trusted Profile Template
    Trusted Profile Template - Enterprise Account

The trusted profile template cannot be assigned to the enterprise account i.e the top level account of the enterprise. If you choose to collect metadata of resources in the enterprise account, you should create a separate trusted profile that should be applied at the top level account additionally.

  1. Assign the Trusted profile template to the required accounts and account groups in the Enterprise.

The Enterprise IAM should be enabled in the sub-accounts of an Enterprise to be managed via Enterprise. For more details, refer here

To enable configuration aggregator for an enterprise account, complete the pre-requisites and following steps:

  1. In the App Configuration console, click Configuration aggregator.

  2. Click on Define an aggregation. The side panel opens with fields for setting up recording details.

    Enable Configuration Aggregator - Set up recording - Enterprise Account
    Set up recording - Enterprise Account

  3. Provide the Set up record details:

    • Region - regions from which user wants to collect configuration data.
    • Enterprise ID - enterprise account id.
    • Trusted template ID - trusted profile template id created as pre-requisite.
    • Trusted profile ID - trusted profile id created as pre-requisite.
  4. Click Save.

  5. Click on toggle button to enable recording. It will ask for confirmation. Click on Turn on button.

    Enable Configuration Aggregator - Enable Recording - Enterprise Account
    Enable Recording - Enterprise Account

Retrieve Resource Metadata

We can query for the configurations of IBM Cloud resources using list API. It will provide with the detailed metadata of the resources when Configuration Aggregator is enabled for an App Configuration instance. For more details, refer here.

List of Services Supported by Configuration Aggregator

Configuration Aggregator supports the following services:

List of services supported by Configuration Aggregator
Name of service
Cloud Object Storage
Kubernetes Service
Red Hat OpenShift
Virtual server for VPC
Virtual Private Cloud
Block storage volume for VPC
Block storage snapshots for VPC
Secrets Manager
Databases for PostgreSQL
Databases for Redis
Databases for ElasticSearch
Databases for EnterpriseDB
Databases for ETCD
Databases for MongoDB
Databases for MySQL
Identity and Access Management
Key Protect
Container Registry
Load Balancer for VPC
Security Group for VPC
SSH Keys for VPC
Subnet for VPC
Virtual Private Endpoint (VPE) for VPC
Auto Scale (Instance Group) for VPC
Bare Metal servers for VPC
Client VPN for VPC
Dedicated Host for VPC
Floating IP for VPC
Flow Logs - VPC
Custom image for VPC
Placement Groups for VPC
Code Engine
Network ACL - VPC
DNS Service - VPC
VPN for VPC
IBM Cloud Backup - VPC
Public Gateway
Event Streams (messagehub)
IBM Cloud Direct Link
Transit Gateway
Toolchain
IBM Cloudant CLI
IBM Cloud Internet Services (CIS)
Schematics
Cloud Monitoring
Security and Compliance Center (SCC)
Hyper Protect Crypto Services (HPCS)
App ID
App Configuration
Catalog Management
Event Notifications
Messages for RabbitMQ
IBM Cloud Projects
IBM Cloud Activity Tracker
IBM Cloud Activity Tracker Event Routing
watsonx.ai Runtime
IBM Power Virtual Server