With the arrival of the vRealize Automation Cloud May 2022 release, the foundation for a new governance capability known as Cloud Guardrails (currently in tech preview) has been introduced in Cloud Assembly.
Tech Preview means that not all functionality and capabilities are currently available, but we are releasing incremental capabilities to gather your feedback. You’ll see this feature suite grow in capabilities over the next several releases.
You can learn the basics about this new functionality at this Cloud Guardrails blog, but today I would like to show you more about Cloud Guardrails with a use case, the AWS Landing Zone Use Case.
So, what is an AWS Landing Zone?
AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. The following diagram shows a basic organization that consists of five accounts that are organized into four organizational units (OUs) under the root. The organization also has several policies that are attached to some of the OUs or directly to accounts. For a description of each of these items, refer to the AWS Organizations documentation.
Cloud Guardrails can help you to define and enforce complex AWS Organizations , in fact Cloud Guardrails Library includes, out-of-the-box, the “Create AWS Landing Zone” Idem SLS templates that you can import into an existing Cloud Assembly Project.
If we inspected the content of the “Create AWS Landing Zone” Idem SLS template, you would find that it will help us to create a Root Organization and enable Service Control Policies for it (if they were both not there already), a set o nested organizational units (OUs), a series of SCP Policies, such as: preventing EC2 Access to Root, disabling CloudWatch, etc. Create an AWS member account and finally, attach all those policies to the AWS member account and organizational units (OUs)
Great, but how we can execute, or better yet, enforce, this “Create AWS Landing Zone” Idem SLS template, including the appropriate input for my personal environment? BTW, this is known as the “Desired State“
From this inspecting view you can “Create Desired State“, note that, you can also go to the “Desired States” menu option and select “New Desired State“, either way, you need to make sure to give it a name, select the template (if it is not done already) and provide a valid Cloud Assembly’s Cloud Account (this will tell Cloud Guardrails which credentials to use) when creating he “Desired State“, then just hit Create
Now, here you can provide, update, validate and save your input, you can clearly see which resources have been properly validated and have the necessary input but also which ones are missing for you to complete,
Once you have successfully validated your input, the Run Desired State option will be enabled for you, and ready to run or better said, enforce your “Desired State“.
As mentioned at the introductory Cloud Guardrails blog, under the enforcements option, you can track your Desired State status and re-enforce them at the any point, say for addressing configuration drafting (things that Cloud Guardrails will do for you in upcoming releases)
And if you look at AWS Organizations UI, you will discover our new organizational units (OUs), Member Accounts
And policies with their corresponding policy attachments
You can see it in action here:
Conclusion:
vRealize Automation has made it a priority to expand its capabilities deeper in the public cloud space. One of the identified areas is in the provisioning, policy application, and continuous management of public cloud environments with an everything-as-code approach. This initial Cloud Guardrails Initial functionality release represents a first step toward that vision.
