This Terraform module automates the process of integrating your AWS account with nOps, a cloud management and optimization platform. It streamlines the setup of necessary AWS resources and permissions, enhancing the onboarding experience for nOps users.
Features:

- Automatic detection of existing nOps projects for the AWS account
- Creation of a new nOps project if none exists
- Handling of both the management (master) account and member accounts of an AWS Organization
- Automatic setup of the IAM role and policies that nOps needs
- S3 bucket creation and configuration (management account only)
- Integration with the nOps API for secure token exchange
Requirements:

- Terraform v1.0+
- AWS credentials (for example an AWS CLI profile) that can create IAM roles, IAM policies and S3 buckets in the target account
- nOps API key
The example below onboards the management (payer/root) account of the AWS Organization:

- While authenticated to the payer account of the AWS Organization, add the following configuration:
```hcl
provider "aws" {
  alias  = "root"
  region = "us-east-1"

  assume_role {
    role_arn = "arn:aws:iam::123456789012:role/admin-role"
  }
}

module "tf_onboarding" {
  providers = {
    aws = aws.root
  }

  source = "nops-io/nops-integration/aws"

  # The module creates this bucket with the name given here; S3 bucket names are global, so make sure it is unique.
  system_bucket_name = "example"

  # nOps API key used to authenticate to the nOps platform when onboarding the account.
  # Do not commit a real key: feed it through a variable (TF_VAR_api_key or a var-file) instead of a literal.
  api_key = "nops_api_key"
}
```
- Initialize Terraform:
```shell
terraform init
```
- Plan and apply the Terraform configuration:
```shell
terraform apply
```
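The snippet above hardcodes the API key and gives no way to toggle `reconfigure` from the command line. The following root-module wrapper is an added example, not code from the nOps module or its README: it uses the module inputs documented in the Inputs table (`api_key`, `system_bucket_name`, `reconfigure`), while the variable names, the `validation` rule, the output name, the role ARN and the bucket name are assumptions/placeholders of this example.

```hcl
# Added example: root-module wrapper around nops-io/nops-integration/aws.
# Not part of the module itself; the role ARN and names below are placeholders.

terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

# Never hardcode the nOps API key. Supply it with TF_VAR_api_key or a var-file,
# and mark it sensitive so Terraform redacts it from plan/apply output.
variable "api_key" {
  description = "nOps API key used to onboard this account"
  type        = string
  sensitive   = true
}

variable "system_bucket_name" {
  description = "Globally unique name for the S3 bucket the module creates"
  type        = string

  # Reject obvious S3 naming violations before the apply fails halfway through.
  # Global uniqueness still has to be checked against S3 itself.
  validation {
    condition     = can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", var.system_bucket_name))
    error_message = "system_bucket_name must be 3-63 characters of lowercase letters, digits, dots and hyphens."
  }
}

# Declared at the root so that `terraform apply -var="reconfigure=true"` reaches the module.
variable "reconfigure" {
  description = "Set to true to overwrite the settings of an existing nOps project"
  type        = bool
  default     = false
}

provider "aws" {
  alias  = "root"
  region = "us-east-1"

  assume_role {
    role_arn = "arn:aws:iam::123456789012:role/admin-role" # placeholder ARN
  }
}

module "tf_onboarding" {
  source = "nops-io/nops-integration/aws"

  providers = {
    aws = aws.root
  }

  system_bucket_name = var.system_bucket_name
  api_key            = var.api_key
  reconfigure        = var.reconfigure
}

# Expose the created role ARN so it can be cross-checked against the nOps console
# and audited later (it is the principal nOps assumes into this account).
output "nops_role_arn" {
  value = module.tf_onboarding.role_arn
}
```

Run it with `export TF_VAR_api_key=...`, then `terraform init` and `terraform apply -var="system_bucket_name=<unique-name>"`. Note that `sensitive = true` only redacts CLI output: the value is still recorded in any saved plan file, and the module's `http` data sources store the nOps API responses in state, so keep the state in a remote backend that is encrypted and restricted to the people who may onboard accounts.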
If a nOps project already exists for the account and you want to overwrite its settings, set `reconfigure` to true. The `-var` form only works when your root module declares a `reconfigure` variable and passes it through to the module:

```shell
terraform apply -var="reconfigure=true"
```

Otherwise set it directly in the module block:
```hcl
module "tf_onboarding" {
  providers = {
    aws = aws.root
  }

  source = "nops-io/nops-integration/aws"

  system_bucket_name = "example"
  api_key            = "nops_api_key"
  reconfigure        = true
}
```

Troubleshooting:
If you reinstall the stack (for example after the Terraform state was lost or destroyed while the AWS resources remained), the apply may fail with an error like:

```text
│ Error: creating IAM Role (NopsIntegrationRole-xxxxx): EntityAlreadyExists: Role with name NopsIntegrationRole-xxxxx already exists.
```

Before adopting the leftover role, check that its trust policy still trusts only the expected nOps principal (`aws iam get-role --role-name NopsIntegrationRole-xxxxx`). Then import it into the Terraform state. Because the role is created inside the `tf_onboarding` module, the resource address needs the `module.` prefix:

```shell
terraform import module.tf_onboarding.aws_iam_role.nops_integration_role NopsIntegrationRole-xxxxx
```
Member (child) accounts are onboarded with the same module. It detects that it is being applied to an account other than the Organization's management account and adjusts its behaviour accordingly (for example, the S3 bucket is only created for the management account):
```hcl
provider "aws" {
  alias  = "child"
  region = "us-east-1"

  assume_role {
    role_arn = "arn:aws:iam::xxxxxxxx:role/admin-role"
  }
}

module "tf_onboarding" {
  providers = {
    aws = aws.child
  }

  source = "nops-io/nops-integration/aws"

  # The module creates this bucket with the name given here; S3 bucket names are global, so make sure it is unique.
  system_bucket_name = "example"

  # nOps API key used to authenticate to the nOps platform when onboarding the account.
  api_key = "nops_api_key"
}
```

Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | ~> 4.0 |
| http | ~> 3.0 |
| null | 3.2.3 |
| time | ~> 0.7 |
Providers:

| Name | Version |
|---|---|
| aws | ~> 4.0 |
| http | ~> 3.0 |
| null | 3.2.3 |
| time | ~> 0.7 |
Modules:

No modules.

Resources:
| Name | Type |
|---|---|
| aws_iam_role.nops_integration_role | resource |
| aws_iam_role_policy.nops_eventbridge_integration_policy | resource |
| aws_iam_role_policy.nops_integration_policy | resource |
| aws_iam_role_policy.nops_system_bucket_policy | resource |
| aws_s3_bucket.nops_system_bucket | resource |
| aws_s3_bucket_server_side_encryption_configuration.nops_bucket_encryption | resource |
| null_resource.check_api_errors | resource |
| null_resource.check_existing_project | resource |
| null_resource.force_new_role | resource |
| null_resource.project_check | resource |
| null_resource.reconfigure_trigger | resource |
| time_sleep.wait_for_iam_role | resource |
| aws_caller_identity.current | data source |
| aws_organizations_organization.current | data source |
| http_http.check_current_client | data source |
| http_http.check_project_aws | data source |
| http_http.create_nops_project | data source |
| http_http.notify_nops_integration_complete | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| api_key | The nOps API key | string | n/a | yes |
| nops_principal | The nOps principal account number | string | "202279780353" | no |
| nops_url | The nOps base URL | string | "https://app.nops.io/" | no |
| reconfigure | If true, allows overriding existing project settings. If false, stops execution if the project already exists. | bool | false | no |
| system_bucket_name | The name of the system bucket for the nOps integration | string | n/a | yes |
Outputs:

| Name | Description |
|---|---|
| current_client_id | The client ID of the current account in nOps |
| is_master_account | Whether the current account is the master account |
| is_master_account_out | Indicates if the account is the master account |
| master_account_id | The account ID of the AWS Organization's master account |
| nops_integration_status | Indicates if the nOps integration notification was sent |
| notify_nops_integration_complete_status | Status of the nOps integration notification |
| project_aws_list | List of projects in nOps |
| project_status | Status of the nOps project for this account |
| role_arn | The ARN of the IAM role |
| system_bucket_name | The name of the S3 bucket (if created) |