Configuration Aggregator

Configuration Aggregator can be used to facilitate a Cloud Governance SME with up-to-date configuration data of IBM Cloud resources in one place so that comprehensive information is available for goverance and compliance initiatives. All the plans of the App Configuration service will have the Configuration Aggregator feature available. As an app owner, the user has to explicitly enable the Configuration Aggregator. It can be done on the App Configuration instance either via API, SDK or Dashboard. The App Configuration service will start the resource collection and periodically to keep the metadata current via reconciliation. User can use the query API to get the updated metadata of the service instances in the account.

Configuration Aggregator feature can be configured on an App Configuration instance at Enterprise account level to collect resource metadata from all the sub-accounts of the enterprise. A trusted profile template should be created providing access to App Configuration service instance to all the IAM enabled services. The trusted profile template should then be assigned to the required accounts in the Enterprise, which in turn creates the trusted profile in the respective sub-accounts providing access to App Configuration service instance to collect resource metadata.

By default, recording is always set to be OFF.

Enable Configuration aggregator - Single Account

To enable configuration aggregator, complete these steps:

In the App Configuration console, click Configuration aggregator.
Click on Define an aggregation. The side panel opens with fields for setting up recording details.

Set up recording - Single Account
Select either all regions or specific regions from the region list. Click on Save to complete. This will create a Trusted Profile on App Configuration instance having reader access for reading the configurations of the resources.
Click on toggle button to enable recording. It will ask for confirmation. Click on Turn on button.

Enable Recording - Single Account

Enable Configuration aggregator - Enterprise Account

In order to enable configuration aggregator feature for enterprise account, user must complete following Pre-requisities:

Create an App Configuration instance at the top-level of the enterprise i.e enterprise account.
Create a Trusted Profile Template providing access for the App Configuration service instance to the IAM enabled services and Account Management services. Refer here

Trusted Profile Template - Enterprise Account

The trusted profile template cannot be assigned to the enterprise account i.e the top level account of the enterprise. If you choose to collect metadata of resources in the enterprise account, you should create a separate trusted profile that should be applied at the top level account additionally.

Assign the Trusted profile template to the required accounts and account groups in the Enterprise.

The Enterprise IAM should be enabled in the sub-accounts of an Enterprise to be managed via Enterprise. For more details, refer here

To enable configuration aggregator for an enterprise account, complete above pre-requisites and following steps:

In the App Configuration console, click Configuration aggregator.
Click on Define an aggregation. The side panel opens with fields for setting up recording details.

Set up recording - Enterprise Account
Provide the Set up record details:
- Region - regions from which user wants to collect configuration data.
- Enterprise ID - enterprise account id.
- Trusted template ID - trusted profile template id created as pre-requisite.
- Trusted profile ID - trusted profile id created as pre-requisite.
Click Save.
Click on toggle button to enable recording. It will ask for confirmation. Click on Turn on button.

Enable Recording - Enterprise Account

Retrieve Resource Metadata

We can query for the configurations of IBM Cloud resources using list API. It will provide with the detailed metadata of the resources when Configuration Aggregator is enabled for an App Configuration instance. For more details, refer here.