This Terraform module automates the process of integrating your AWS account with nOps, a cloud management and optimization platform. It streamlines the setup of necessary AWS resources and permissions, enhancing the onboarding experience for nOps users.
- Automatic detection of existing nOps projects for the AWS account
- Creation of new nOps projects if none exist
- Handling of master and member AWS accounts
- Automatic setup of IAM roles and policies for nOps integration
- S3 bucket creation and configuration for master accounts
- Integration with nOps API for secure token exchange
- Terraform v1.0+
- AWS CLI configured with appropriate permissions
- nOps API key
The example below shows how to onboard the management (root) AWS account:
- While authenticated on the payer (management) account of the AWS organization, add the following configuration:
```hcl
terraform {
  required_providers {
    nops = {
      source = "nops-io/nops"
    }
  }
}

provider "nops" {
  # nOps API key used to authenticate with the nOps platform when onboarding the account.
  # Do not commit this value to VCS; supply it through a tfvars file that is not committed to any repository.
  # It can also be provided through the NOPS_API_KEY environment variable.
  nops_api_key = "XXXXXXX"
}

provider "aws" {
  alias = "root"
}

module "tf_onboarding" {
  providers = {
    aws = aws.root
  }
  source = "nops-io/nops-integration/aws"
}
```
- Initialize Terraform:
```sh
terraform init
```
- Plan and apply the Terraform configuration:
```sh
terraform plan -out=plan
terraform apply plan
```
Child (member) accounts are onboarded with the same module; it already contains the logic to detect that it is being applied on an account that is not the root account and to act accordingly:
```hcl
terraform {
  required_providers {
    nops = {
      source = "nops-io/nops"
    }
  }
}

provider "nops" {
  # nOps API key used to authenticate with the nOps platform when onboarding the account.
  # Do not commit this value to VCS; supply it through a tfvars file that is not committed to any repository.
  # It can also be provided through the NOPS_API_KEY environment variable.
  nops_api_key = "XXXXXXX"
}

provider "aws" {
  alias  = "child"
  region = "us-east-1"
}

module "tf_onboarding" {
  providers = {
    aws = aws.child
  }
  source = "nops-io/nops-integration/aws"
}
```
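Two mistakes are easy to make with the root and child configurations above: applying the "root" configuration with member-account credentials (or the reverse), and leaving a literal `nops_api_key` in a committed `.tf` file. The pre-flight script below is an added example and is not part of the nOps module or provider. It assumes the AWS CLI v2 and `terraform` are on `PATH`, that the API key is carried by the `NOPS_API_KEY` environment variable rather than a file literal, and that the organization's management (payer) account is the one identified by `MasterAccountId` in `aws organizations describe-organization`.

```sh
#!/bin/sh
# Added pre-flight checks; not part of the nops-io/nops-integration/aws module.
# Assumes: AWS CLI v2 and terraform on PATH, GNU or BSD grep, and the API key
# supplied via the NOPS_API_KEY environment variable.
set -eu

# The "root" configuration must be applied with credentials for the
# organization's management (payer) account, i.e. the caller's account ID
# equals the organization's MasterAccountId. Returns 0 when that holds.
is_management_account() {
  [ "$1" = "$2" ]
}

# Scan *.tf files under a directory for a quoted API key literal such as
# nops_api_key = "XXXXXXX". A reference like var.nops_api_key is not quoted
# and therefore not flagged. Prints the offending lines and returns 1 when a
# literal is found, returns 0 when the tree is clean.
find_hardcoded_api_key() {
  if grep -rEn --include='*.tf' \
       'nops_api_key[[:space:]]*=[[:space:]]*"[^"]+"' "$1"; then
    return 1
  fi
  return 0
}

# Classify the live credentials as root or child, refuse to continue when
# that does not match what the caller expects, and reject a configuration
# that embeds the key. Usage: preflight root|child [config-dir]
preflight() {
  expected="$1"
  dir="${2:-.}"
  caller_id=$(aws sts get-caller-identity --query Account --output text)
  management_id=$(aws organizations describe-organization \
    --query Organization.MasterAccountId --output text)
  if is_management_account "$caller_id" "$management_id"; then
    actual=root
  else
    actual=child
  fi
  if [ "$actual" != "$expected" ]; then
    echo "refusing to apply: credentials belong to the $actual account ($caller_id), expected $expected" >&2
    return 1
  fi
  if ! find_hardcoded_api_key "$dir"; then
    echo "refusing to apply: nops_api_key literal found in .tf files under $dir; use NOPS_API_KEY or an uncommitted tfvars file" >&2
    return 1
  fi
  if [ -z "${NOPS_API_KEY:-}" ]; then
    echo "NOPS_API_KEY is not set" >&2
    return 1
  fi
  echo "ok: $actual account $caller_id, no key literals under $dir"
}

# Only act when invoked with arguments, e.g.: ./preflight.sh root
if [ "$#" -gt 0 ]; then
  preflight "$@"
  terraform init
  terraform plan -out=plan
fi
```

Run it as `./preflight.sh root` from the payer account's working directory, or `./preflight.sh child` in a member account; the plan is only produced when both the account check and the key-literal scan pass.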
The nOps Terraform provider supports importing existing projects into the Terraform state, so that customers who are already onboarded can manage their projects as IaC. To import a project, follow these steps:
- First, get the project ID from nOps: in the AWS accounts dashboard, each account shows its ID below its name.
- Then, from the directory containing your Terraform configuration, run:
```sh
terraform import module.tf_onboarding.nops_project.project XXXXX
```
You should see output like the following:
```text
module.tf_onboarding.nops_project.project: Importing from ID "XXXX"...
module.tf_onboarding.nops_project.project: Import prepared!
  Prepared nops_project for import
module.tf_onboarding.nops_project.project: Refreshing state...

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.
```
- After that, import the integration with the AWS account by running the following, replacing the placeholder with your AWS account ID:
```sh
terraform import module.tf_onboarding.nops_integration.integration XXXXXX
```
You should see output like the following, with your AWS account ID being imported into the state:
```text
module.tf_onboarding.nops_integration.integration: Importing from ID "XXXXXX"...
module.tf_onboarding.nops_integration.integration: Import prepared!
  Prepared nops_integration for import
module.tf_onboarding.nops_integration.integration: Refreshing state...

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.
```
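The two imports above are order-dependent and `terraform import` refuses to overwrite an address that is already in state, so a second run after a partial failure stops halfway. The helper below is an added example, not part of the nOps module or provider. It assumes the module instance is named `tf_onboarding` as in this README (override with the `MODULE` environment variable), that `terraform` is on `PATH` and initialised in the current directory, and that nOps project IDs contain only letters, digits, `_` and `-` (an assumption; the README only shows them as placeholders).

```sh
#!/bin/sh
# Added import helper; not part of the nops-io/nops-integration/aws module.
# Assumes terraform is initialised in the current directory and the module
# instance is called tf_onboarding (override with MODULE=...).
set -eu

MODULE="${MODULE:-tf_onboarding}"

# Assumption: a nOps project ID is a single token of letters, digits, "_" or "-".
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# AWS account IDs are exactly 12 digits; pasted IDs with spaces or a dropped
# leading zero are the usual mistake and would import the wrong integration.
valid_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# True when the exact resource address is already tracked in the state.
in_state() {
  terraform state list 2>/dev/null | grep -qxF "$1"
}

# Import a resource unless it is already managed, so a re-run after a
# partial failure picks up where the previous one stopped.
import_if_missing() {
  addr="$1"
  id="$2"
  if in_state "$addr"; then
    echo "skip: $addr is already in state"
  else
    terraform import "$addr" "$id"
  fi
}

# Usage: import_nops_onboarding <nops-project-id> <aws-account-id>
import_nops_onboarding() {
  project_id="$1"
  account_id="$2"
  valid_project_id "$project_id" || { echo "invalid nOps project ID: '$project_id'" >&2; return 1; }
  valid_account_id "$account_id" || { echo "invalid AWS account ID: '$account_id'" >&2; return 1; }
  import_if_missing "module.${MODULE}.nops_project.project" "$project_id"
  import_if_missing "module.${MODULE}.nops_integration.integration" "$account_id"
  # Exit code 0 means the imported state already matches the configuration;
  # 2 means the plan would change something and should be reviewed first.
  if terraform plan -detailed-exitcode >/dev/null; then
    echo "ok: imported resources match the configuration"
  else
    echo "warning: plan shows changes or errors after import; review before applying" >&2
    return 1
  fi
}

if [ "$#" -eq 2 ]; then
  import_nops_onboarding "$1" "$2"
fi
```

Invoke it as `./import.sh <project-id> <aws-account-id>`; a non-zero exit after the imports means the plan is not clean and the configuration (for example `cloud_account_name` or `min_required_permissions`) does not yet match what is recorded in nOps.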
A variable named `min_required_permissions` is declared in the nOps Terraform module so that customers who prefer a more restricted setup can still use the platform. To enable this restricted mode, set the variable to `true` in the module call. Take into account that with this setup nOps will not be able to retrieve the full metadata for AWS resources, so some platform features will not be available.
To review the permissions granted in each mode, refer to the policies page or to the Terraform module itself for the most recent updates.
If you see an error like the following:
```text
Error: Error getting remote project data

  with module.tf_onboarding.data.nops_projects.current,
  on .terraform/modules/tf_onboarding/data.tf line 9, in data "nops_projects" "current":
   9: data "nops_projects" "current" {}
```
check that the API key value being provided is valid and exists in your account. Your current API keys can be reviewed in your nOps account.
nOps only supports onboarding each AWS account once per client; onboarding the same AWS account multiple times for one client isn't allowed. So if you see an error like the following:
```text
Error: Error: a project already exists for this AWS account "XXXXXX" with ID YYYY, please review or import.

  with module.tf_onboarding_should_fail.nops_project.project,
  on .terraform/modules/tf_onboarding_should_fail/main.tf line 1, in resource "nops_project" "project":
   1: resource "nops_project" "project" {}

Project found for AWS account "XXXX"
```
check that the credentials used to deploy are the ones you intended. If they are, the existing project can be imported into the Terraform state; refer to the import section above.
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 4.0 |
http | ~> 3.0 |
nops | >= 0.0.6 |
null | 3.2.3 |
time | ~> 0.7 |
Name | Version |
---|---|
aws | >= 4.0 |
nops | >= 0.0.6 |
time | ~> 0.7 |
No modules.
Name | Type |
---|---|
aws_iam_role.nops_integration_role | resource |
aws_iam_role_policy.nops_compute_copilot_policy | resource |
aws_iam_role_policy.nops_essentials_policy | resource |
aws_iam_role_policy.nops_integration_minimum_policy | resource |
aws_iam_role_policy.nops_integration_policy | resource |
aws_iam_role_policy.nops_system_bucket_policy | resource |
aws_iam_role_policy.nops_wafr_policy | resource |
aws_iam_role_policy_attachment.nops_integration_readonly_policy_attachment | resource |
aws_s3_bucket.nops_system_bucket | resource |
aws_s3_bucket_policy.nops_bucket_policy | resource |
aws_s3_bucket_public_access_block.nops_bucket_block_public_access | resource |
aws_s3_bucket_server_side_encryption_configuration.nops_bucket_encryption | resource |
nops_integration.integration | resource |
nops_project.project | resource |
time_sleep.wait_for_resources | resource |
aws_caller_identity.current | data source |
aws_iam_policy.iam_readonly_access | data source |
aws_organizations_organization.current | data source |
nops_projects.current | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
api_key | [DEPRECATED] The nOps API key, can be supplied as an env var NOPS_API_KEY or in the provider call in your configuration. | string | "" | no |
cloud_account_name | Name with which the AWS account will appear on the nOps platform, leave empty for a name with format: AWS Account XXXXXX. | string | "" | no |
min_required_permissions | If true, IAM policies with the min base permissions for nOps to get cost and usage data will be created. Some platform features will not be available. | bool | false | no |
reconfigure | [DEPRECATED] If true, allows overriding existing project settings. If false, stops execution if project already exists. | bool | false | no |
system_bucket_name | [DEPRECATED] The name of the system bucket for nOps integration. | string | "na" | no |
Name | Description |
---|---|
current_client_id | The client ID of the current account in nOps |
is_master_account | Whether the current account is the master account |
master_account_id | The account ID of the AWS Organization's master account |
project_aws_list | List of projects in nOps |
role_arn | The ARN of the IAM role |
system_bucket_name | The name of the S3 bucket (if created) |