Merge pull request #101 from aws-samples/updates/docs
Merge release 2.3 notes, doc updates for delegated admin, exclude account ids +
andrewcr7 authored Nov 11, 2024
2 parents ad8fcb8 + 7580059 commit ce79010
Showing 2 changed files with 46 additions and 40 deletions.
2 changes: 2 additions & 0 deletions ExcludeAccountIDs(sample).csv
@@ -0,0 +1,2 @@
000000000000
111111111111
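Review bot: The two placeholder IDs (all zeros, all ones) are obviously non-real, which is the right choice for a sample file. The README bullet added in this PR explains the format (one ID per line, no trailing commas), but CSV has no comment syntax, so the sample cannot explain itself; consider stating in that README bullet that the file must contain no header row, so a spreadsheet export with an "AccountId" header line is not silently treated as an invalid ID.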
84 changes: 44 additions & 40 deletions README.md
Expand Up @@ -17,24 +17,25 @@
- [Configuring an Email](#configuring-an-email)
- [Creating a Amazon EventBridge Ingestion ARN](#creating-a-amazon-eventbridge-ingestion-arn)
- [Deployment Options](#deployment-options)
- [Using AWS Health Delegated Administrator with AHA](#using-aws-health-delegated-administrator-with-aha)
- [CloudFormation](#cloudformation)
- [AHA Without AWS Organizations using CloudFormation](#aha-without-aws-organizations-using-cloudformation)
- [Prerequisites](#prerequisites)
- [Deployment](#deployment)
- [AHA With AWS Organizations on Management Account using CloudFormation](#aha-with-aws-organizations-on-management-account-using-cloudformation)
- [Prerequisites](#prerequisites-1)
- [Deployment](#deployment-1)
- [AHA With AWS Organizations on Member Account using CloudFormation](#aha-with-aws-organizations-on-member-account-using-cloudformation)
- [Prerequisites](#prerequisites-2)
- [Deployment](#deployment-2)
- [AHA Without AWS Organizations using CloudFormation](#aha-without-aws-organizations-using-cloudformation)
- [Prerequisites](#prerequisites)
- [Deployment](#deployment)
- [AHA With AWS Organizations on Management Account using CloudFormation](#aha-with-aws-organizations-on-management-or-delegated-administrator-account-using-cloudformation)
- [Prerequisites](#prerequisites-1)
- [Deployment](#deployment-1)
- [AHA With AWS Organizations on Member Account using CloudFormation](#aha-with-aws-organizations-on-member-account-using-cloudformation)
- [Prerequisites](#prerequisites-2)
- [Deployment](#deployment-2)
- [Terraform](#terraform)
- [AHA Without AWS Organizations using Terraform](#aha-without-aws-organizations-using-terraform)
- [Prerequisites](#prerequisites-3)
- [Deployment - Terraform](#deployment---terraform)
- [AHA WITH AWS Organizations on Management Account using Terraform](#aha-with-aws-organizations-on-management-account-using-terraform)
- [Deployment - Terraform](#deployment---terraform-1)
- [AHA WITH AWS Organizations on Member Account using Terraform](#aha-with-aws-organizations-on-member-account-using-terraform)
- [Deployment - Terraform](#deployment---terraform-2)
- [AHA Without AWS Organizations using Terraform](#aha-without-aws-organizations-using-terraform)
- [Prerequisites](#prerequisites-3)
- [Deployment - Terraform](#deployment---terraform)
- [AHA WITH AWS Organizations on Management Account using Terraform](#aha-with-aws-organizations-on-management-or-delegated-administrator-account-using-terraform)
- [Deployment - Terraform](#deployment---terraform-1)
- [AHA WITH AWS Organizations on Member Account using Terraform](#aha-with-aws-organizations-on-member-account-using-terraform)
- [Deployment - Terraform](#deployment---terraform-2)
- [Updating using CloudFormation](#updating-using-cloudformation)
- [Updating using Terraform](#updating-using-terraform)
- [New Features](#new-features)
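Review bot: The link text of the renamed TOC entries still reads "AHA With AWS Organizations on Management Account using CloudFormation" and "AHA WITH AWS Organizations on Management Account using Terraform" while their anchors now point at the "...-management-or-delegated-administrator-account-..." headings; update the visible text to match the new section titles so the TOC itself tells readers the delegated administrator path exists. Also, the Terraform management-account entry has no "Prerequisites" sub-entry although its CloudFormation counterpart does.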
Expand All @@ -45,8 +46,7 @@ AWS Health Aware (AHA) is an automated notification tool for sending well-format

# What's New

Release 2.2 introduces an updated schema for Health events delivered to an EventBridge bus. This allows simplified matching of events which you can then consume with other AWS services or SaaS solutions.
Read more about the [new feature and how to filter events using EventBridge](https://github.com/aws-samples/aws-health-aware/blob/main/new_aha_event_schema.md).
Release 2.3 introduces runtime performance improvements, terraform updates, allows use of Slack Workflow 2.0 webhooks (triggers), general fixes and documentation updates.

# Architecture

Expand Down Expand Up @@ -142,29 +142,29 @@ AHA can send to multiple endpoints (webhook URLs, Email or EventBridge). To use
4. Give your Event bus a name and **click** *Create*.
5. For the deployment we will need the *Name* of the Event bus **(not the ARN, e.g. aha-eb01)**.

# Deployment Options

## Using AWS Health Delegated Administrator with AHA

On 2023-07-27, AWS Health released the Delegated Admin feature. Using this feature, you can deploy AHA in a Member Account without added permissions in the Org Management account.
>NOTE: For users with company restrictions of use/deployment of resources in the organization management account.
>
>On 2023-07-27, AWS Health released the [Delegated Administrator feature](https://docs.aws.amazon.com/health/latest/ug/delegated-administrator-organizational-view.html). By enabling an account as a delegated administrator, you can use AHA in Organization Mode without the need to create and assume the management account IAM role.
To enable this feature:
1. Know the AWS Account ID of the Member Account you want to enable as a delegated administrator for AWS Health (e.g. 123456789012)
1. Know the AWS Account ID of your AWS account you want to enable as a delegated administrator for AWS Health (e.g. 123456789012)
1. In the Org Management Account, run the command `aws organizations register-delegated-administrator --account-id ACCOUNT_ID --service-principal health.amazonaws.com` replacing ACCOUNT_ID with the ID of your Member Account
1. Deploy AHA in the Member Account using the steps for
2. [AHA for users who ARE using AWS Organizations (CloudFormation)](#aha-with-aws-organizations-on-management-account-using-cloudformation)
2. [AHA for users who ARE using AWS Organizations (Terraform)](#aha-with-aws-organizations-using-terraform)


Read more: https://docs.aws.amazon.com/health/latest/ug/delegated-administrator-organizational-view.html
1. Deploy AHA in your deletegated administrator account using the steps for:

# Deployment Options
1. [AHA for users who ARE using AWS Organizations (CloudFormation)](#aha-with-aws-organizations-on-management-or-delegated-administrator-account-using-cloudformation)
1. [AHA for users who ARE using AWS Organizations (Terraform)](#aha-with-aws-organizations-on-management-or-delegated-administrator-account-using-terraform)

## CloudFormation
There are 3 available ways to deploy AHA, all are done via the same CloudFormation template to make deployment as easy as possible.

The 3 deployment methods for AHA are:

1. [**AHA for users WITHOUT AWS Organizations**](#aha-without-aws-organizations-using-cloudformation): Users NOT using AWS Organizations.
2. [**AHA for users WITH AWS Organizations (Management Account)**](#aha-with-aws-organizations-on-management-account-using-cloudformation): Users who ARE using AWS Organizations and deploying in the top-level management account.
2. [**AHA for users WITH AWS Organizations (Management Account)**](#aha-with-aws-organizations-on-management-or-delegated-administrator-account-using-cloudformation): Users who ARE using AWS Organizations and deploying in the top-level management account.
3. [**AHA for users WITH AWS Organizations (Member Account)**](#aha-with-aws-organizations-on-member-account-using-cloudformation): Users who ARE using AWS Organizations and deploying in a member account in the organization to assume a role in the top-level management account.

## AHA Without AWS Organizations using CloudFormation
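Review bot: The NOTE blockquote ending "...management account IAM role." is immediately followed by "To enable this feature:" with no blank line, so CommonMark lazy continuation pulls that sentence into the quote; add a blank line after the quote. In the new step "Deploy AHA in your deletegated administrator account" fix the typo ("delegated"), and indent the two "1." link items that follow so they render as a sub-list instead of restarting the numbered list. Step 2 still says "replacing ACCOUNT_ID with the ID of your Member Account" while step 1 was reworded to "your AWS account"; keep the terminology consistent. It is also worth stating here that, per the note, the delegated administrator account can read Health events for the whole organization without assuming the management account role, so who can deploy into and administer that account deserves the same scrutiny as the management account.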
Expand All @@ -188,7 +188,7 @@ The 3 deployment methods for AHA are:
5. In the *CloudFormation* console **click** *Create stack > With new resources (standard)*.
6. Under *Template Source* **click** *Upload a template file* and **click** *Choose file* and select `CFN_DEPLOY_AHA.yml` **Click** *Next*.
- In *Stack name* type a stack name (i.e. AHA-Deployment).
- In *AWSOrganizationsEnabled* leave it set to default which is `No`. If you do have AWS Organizations enabled and you want to aggregate across all your accounts, you should be following the steps for [AHA for users who ARE using AWS Organizations (Management Account)](#aha-with-aws-organizations-on-management-account-using-cloudformation) or [AHA for users WITH AWS Organizations (Member Account)](#aha-with-aws-organizations-on-member-account-using-cloudformation)
- In *AWSOrganizationsEnabled* leave it set to default which is `No`. If you do have AWS Organizations enabled and you want to aggregate across all your accounts, you should be following the steps for [AHA for users who ARE using AWS Organizations (Management Account)](#aha-with-aws-organizations-on-management-or-delegated-administrator-account-using-cloudformation) or [AHA for users WITH AWS Organizations (Member Account)](#aha-with-aws-organizations-on-member-account-using-cloudformation)
- In *AWSHealthEventType* select whether you want to receive *all* event types or *only* issues.
- In *S3Bucket* type ***just*** the bucket name of the S3 bucket used in step 3 (e.g. my-aha-bucket).
- In *S3Key* type ***just*** the name of the .zip file you created in Step 2 (e.g. aha-v1.8.zip).
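Review bot: The updated AWSOrganizationsEnabled bullet keeps the link text "AHA for users who ARE using AWS Organizations (Management Account)" while its anchor now targets the "Management or Delegated Administrator Account" section; align the text with the heading. The surrounding context still gives "aha-v1.8.zip" as the example S3Key, which is misleading next to the Release 2.3 note this PR adds; a version-neutral placeholder such as "aha-vX.Y.zip" would not go stale again.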
Expand All @@ -203,11 +203,11 @@ The 3 deployment methods for AHA are:
9. Scroll to the bottom and **click** the *checkbox* and **click** *Create stack*.
10. Wait until *Status* changes to *CREATE_COMPLETE* (roughly 2-4 minutes or if deploying in a secondary region, it can take up to 30 minutes).

## AHA With AWS Organizations on Management Account using CloudFormation
## AHA With AWS Organizations on Management or Delegated Administrator Account using CloudFormation

### Prerequisites

1. [Enable Health Organizational View](https://docs.aws.amazon.com/health/latest/ug/enable-organizational-view-in-health-console.html) from the console, so that you can aggregate all Personal Health Dashboard (PHD) events for all accounts in your AWS Organization.
1. [Enable Health Organizational View](https://docs.aws.amazon.com/health/latest/ug/enable-organizational-view.html) from the console or CLI, so that you can aggregate Health events for all accounts in your AWS Organization.
2. Have at least 1 [endpoint](#configuring-an-endpoint) configured (you can have multiple)
3. Have access to deploy Cloudformation Templates with the following resources: AWS IAM policies, Amazon DynamoDB Tables, AWS Lambda, Amazon EventBridge and AWS Secrets Manager in the **AWS Organizations Master Account**.
4. If using Multi-Region, you must deploy the following 2 CloudFormation templates to allow the Stackset deployment to deploy resources **even if you have full administrator privileges, you still need to follow these steps**.
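Review bot: The heading now covers the delegated administrator account, but prerequisite 3 in the same list still requires deploying "in the **AWS Organizations Master Account**"; change it to "in the management account or the Health delegated administrator account", and prefer "management account" over the retired "master account" term. The organizational-view link is changed to enable-organizational-view.html in four places in this PR; please confirm the new target resolves, since the old page name was specific to the console flow and the new text promises a CLI path as well.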
Expand Down Expand Up @@ -247,7 +247,7 @@ See: [Using AWS Health Delegated Administrator with AHA](#using-aws-health-deleg

### Prerequisites

1. [Enable Health Organizational View](https://docs.aws.amazon.com/health/latest/ug/enable-organizational-view-in-health-console.html) from the console, so that you can aggregate all Personal Health Dashboard (PHD) events for all accounts in your AWS Organization.
1. [Enable Health Organizational View](https://docs.aws.amazon.com/health/latest/ug/enable-organizational-view.html) from the console or CLI, so that you can aggregate Health events for all accounts in your AWS Organization.
2. Have at least 1 [endpoint](#configuring-an-endpoint) configured (you can have multiple)
3. Have access to deploy Cloudformation Templates with the following resource: AWS IAM policies in the **AWS Organizations Master Account**.
4. If using Multi-Region, you must deploy the following 2 CloudFormation templates in the **Member Account** to allow the Stackset deployment to deploy resources **even if you have full administrator privileges, you still need to follow these steps**.
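Review bot: This prerequisite list is now word-for-word the same as the one in the management-account section above (same link, same endpoint line, nearly the same IAM line); consider linking to that list or keeping a single shared prerequisites block so the next link update does not have to be applied in four places. Item 2 lacks a terminal period, as it does in the other copies.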
Expand Down Expand Up @@ -299,7 +299,7 @@ There are 3 available ways to deploy AHA, all are done via the same Terraform te
The 3 deployment methods for AHA are:

1. [**AHA for users NOT using AWS Organizations using Terraform**](#aha-without-aws-organizations-using-terraform): Users NOT using AWS Organizations.
2. [**AHA for users WITH AWS Organizations using Terraform (Management Account)**](#aha-with-aws-organizations-on-management-account-using-terraform): Users who ARE using AWS Organizations and deploying in the top-level management account.
2. [**AHA for users WITH AWS Organizations using Terraform (Management Account)**](#aha-with-aws-organizations-on-management-or-delegated-administrator-account-using-terraform): Users who ARE using AWS Organizations and deploying in the top-level management account.
3. [**AHA for users WITH AWS Organizations using Terraform (Member Account)**](#aha-with-aws-organizations-on-member-account-using-terraform): Users who ARE using AWS Organizations and deploying in a member account in the organization to assume a role in the top-level management account.

## AHA Without AWS Organizations using Terraform
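Review bot: The description after the updated link still says "deploying in the top-level management account"; since the anchor now leads to the "Management or Delegated Administrator Account" section, say "deploying in the management account or the Health delegated administrator account" so this three-option summary matches both the CloudFormation summary and the section it points at.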
Expand All @@ -321,7 +321,7 @@ $ cd aws-health-aware/terraform/Terraform_DEPLOY_AHA
2. Update parameters file **terraform.tfvars** as below
- *aha_primary_region* - change to region where you want to deploy AHA solution
- *aha_secondary_region* - Required if needed to deploy in AHA solution in multiple regions, change to another region (Secondary) where you want to deploy AHA solution, Otherwise leave to default empty value.
- *AWSOrganizationsEnabled* - Leave it to default which is `No`. If you do have AWS Organizations enabled and you want to aggregate across all your accounts, you should be following the steps for [AHA for users who ARE using AWS Organizations (Management Account)](#aha-with-aws-organizations-on-management-account-using-terraform)] or [AHA for users WITH AWS Organizations (Member Account)](#aha-with-aws-organizations-on-member-account-using-terraform)
- *AWSOrganizationsEnabled* - Leave it to default which is `No`. If you do have AWS Organizations enabled and you want to aggregate across all your accounts, you should be following the steps for [AHA for users who ARE using AWS Organizations (Management Account)](#aha-with-aws-organizations-on-management-or-delegated-administrator-account-using-terraform)] or [AHA for users WITH AWS Organizations (Member Account)](#aha-with-aws-organizations-on-member-account-using-terraform)
- *AWSHealthEventType* - select whether you want to receive *all* event types or *only* issues.
- *Communications Channels* section - enter the URLs, Emails and/or ARN of the endpoints you configured previously.
- *Email Setup* section - enter the From and To Email addresses as well as the Email subject. If you aren't configuring email, just leave it as is.
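Review bot: The stray "]" after the first link was carried over from the old line: "...using-terraform)]" should be "...using-terraform)"; as written, a literal "]" appears in the rendered text right after the link. Also, "Leave it to default" reads better as "Leave it at the default".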
Expand All @@ -337,9 +337,9 @@ $ terraform plan
$ terraform apply
```

## AHA WITH AWS Organizations on Management Account using Terraform
## AHA with AWS Organizations on Management or Delegated Administrator Account using Terraform

1. [Enable Health Organizational View](https://docs.aws.amazon.com/health/latest/ug/enable-organizational-view-in-health-console.html) from the console, so that you can aggregate all Personal Health Dashboard (PHD) events for all accounts in your AWS Organization.
1. [Enable Health Organizational View](https://docs.aws.amazon.com/health/latest/ug/enable-organizational-view.html) from the console or CLI, so that you can aggregate Health events for all accounts in your AWS Organization.
2. Have at least 1 [endpoint](#configuring-an-endpoint) configured (you can have multiple)

**NOTE: ** For Multi region deployment, DynamoDB table will be created with PAY_PER_REQUEST billing mode insted of PROVISIONED due to limitation with terraform.
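Review bot: The renamed heading uses "with" while the TOC entry and the member-account heading keep "WITH"; pick one (the anchor is case-insensitive, but the visible text should be consistent). In the unchanged NOTE line below, "**NOTE: **" does not render as bold because the closing "**" is preceded by a space; write "**NOTE:**". On the same line, "insted" should be "instead" and "terraform" should be "Terraform".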
Expand Down Expand Up @@ -376,7 +376,7 @@ $ terraform apply
> Note: On 2023-07-27, AWS Health released the Delegated Admin feature which enables AHA deployments in member accounts without the extra steps below.
See: [Using AWS Health Delegated Administrator with AHA](#using-aws-health-delegated-administrator-with-aha)

1. [Enable Health Organizational View](https://docs.aws.amazon.com/health/latest/ug/enable-organizational-view-in-health-console.html) from the console, so that you can aggregate all Personal Health Dashboard (PHD) events for all accounts in your AWS Organization.
1. [Enable Health Organizational View](https://docs.aws.amazon.com/health/latest/ug/enable-organizational-view.html) from the console or CLI, so that you can aggregate Health events for all accounts in your AWS Organization.
2. Have at least 1 [endpoint](#configuring-an-endpoint) configured (you can have multiple)

**NOTE: ** For Multi region deployment, DynamoDB table will be created with PAY_PER_REQUEST billing mode insted of PROVISIONED due to limitation with terraform.
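Review bot: The "See: [Using AWS Health Delegated Administrator with AHA]" line directly follows the "> Note:" quote without a blank line, so lazy continuation absorbs it into the quote; if that is intended, prefix it with ">" explicitly, otherwise add a blank line between them. The "**NOTE: **" spacing and the "insted" typo from the management-account section are repeated here and should be fixed together.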
Expand Down Expand Up @@ -446,6 +446,8 @@ $ terraform apply
**If for some reason, you still have issues after updating, you can easily just delete the stack and redeploy. The infrastructure can be destroyed and rebuilt within minutes through Terraform.**

# New Features
*Release 2.2*

We are happy to announce the launch of new enhancements to AHA. Please try them out and keep sending us your feedback!
1. A revised schema for AHA events sent to EventBridge which enables new filtering and routing options. See the [new AHA event schema readme](new_aha_event_schema.md) for more detail.
2. Multi-region deployment option
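Review bot: Adding the "*Release 2.2*" label under New Features while "What's New" now only describes Release 2.3 leaves 2.3 without a feature list; add a "*Release 2.3*" entry above it (performance improvements, Terraform updates, Slack Workflow 2.0 webhook support, as listed in "What's New") or have "What's New" point here, so readers of either section get both releases. There is a blank line between the label and "We are happy to announce" but none between the heading and the label; consistent spacing would help.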
Expand All @@ -461,6 +463,8 @@ We are happy to announce the launch of new enhancements to AHA. Please try them
* If for whatever reason you need to update the Webhook URL; just update the CloudFormation or terraform Template with the new Webhook URL.
* If you are expecting an event and it did not show up it may be an oddly formed event. Take a look at *CloudWatch > Log groups* and search for the name of your Lambda function. See what the error is and reach out to us [email](mailto:[email protected]) for help.
* If for any errors related to duplicate secrets during deployment, try deleting manually and redeploy the solution. Example command to delete SlackChannelID secret in us-east-1 region.
```
$ aws secretsmanager delete-secret --secret-id SlackChannelID --force-delete-without-recovery --region us-east-1
```
```
$ aws secretsmanager delete-secret --secret-id SlackChannelID --force-delete-without-recovery --region us-east-1
```
* If you want to Exclude certain accounts from notifications, confirm your exlcusions file matches the format of the [sample ExcludeAccountIDs.csv file](ExcludeAccountIDs(sample).csv) with one account ID per line with no trailing commas (trailing commas indicate a null cell).
* If your accounts listed in the CSV file are not excluded, check the CloudWatch log group for the AHA Lambda function for the message "Key filename is not a .csv file" as an indicator of any issues with your file.
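Review bot: Typo in the new exclusions bullet: "exlcusions" should be "exclusions". Since this file suppresses Health notifications for every account ID it lists, add one sentence saying where AHA reads it from (the log message "Key filename is not a .csv file" suggests an object key, but the bullet never says which bucket or path) and that edits to it should be reviewed like any other configuration change. The re-added secretsmanager fenced block looks identical to the removed one; if only indentation or trailing whitespace changed, say so in the commit so reviewers do not hunt for a content change.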
