Enable AWS Resource Explorer at the Organizational Level — Automate Across All Accounts
How to Enable AWS Resource Explorer at the Organizational Level and Automatically Enable It for All New Accounts?
Learn how to enable AWS Resource Explorer at the organizational level using Terraform and CloudFormation StackSets. Automate Resource Explorer across all accounts, ensuring new accounts are automatically configured.

Introduction
AWS Resource Explorer is a powerful service designed to simplify the management and exploration of your AWS resources. With this service, you can search for resources across regions and accounts, making it an essential tool for large organizations. This guide will show you how to enable AWS Resource Explorer at the organizational level and ensure it is automatically deployed to any new AWS accounts created within your organization.
Because no Terraform resource is available for this at the moment, we use CloudFormation to deploy the resources.
Why Enable Resource Explorer at the Organizational Level?
Managing resources in a large-scale AWS environment often involves dealing with multiple accounts, regions, and services. By enabling AWS Resource Explorer across the entire organization, you can centralize your resource search capabilities. This simplifies the administration and improves visibility across AWS environments, enabling your team to respond faster and more effectively to operational requirements.
Once implemented, this setup ensures that Resource Explorer is automatically configured in all newly added accounts. You won’t need to repeat manual steps every time a new account is added to your organization.
This blog post covers how to:
- Set up a delegated administrator for AWS Resource Explorer at the organizational level.
- Automatically deploy CloudFormation stacks for creating an aggregator index and local indexes across all accounts.
- Automate this process to ensure AWS Resource Explorer is enabled for new accounts automatically.
Terraform Code Overview
The following Terraform code does exactly that — enables Resource Explorer at the organizational level with automatic deployment in new accounts. Here’s a breakdown of the code.
Step-by-Step Configuration
Note: All the stacks are deployed in the master account.
1. Delegated Administrator for AWS Resource Explorer
First, designate a specific account as the delegated administrator for AWS Resource Explorer. This allows the account to manage the service on behalf of the entire AWS Organization. In the code snippet below, local.audit_account_id represents the account ID that will act as the delegated administrator.
```hcl
resource "aws_organizations_delegated_administrator" "admin_aws_resource_explorer" {
  account_id        = local.audit_account_id # Audit account ID
  service_principal = "resource-explorer-2.amazonaws.com"
}
```
2. Configuring CloudFormation Stack Templates
AWS Resource Explorer indexes resources, allowing for centralized search across all accounts and regions. To automate the setup, we will use CloudFormation stacks to deploy the following:
- An Aggregator Index that consolidates resource information across accounts and regions.
- Local Indexes in individual accounts to organize resources within a specific region; here we use us-east-1.
Aggregator CloudFormation Template
This CloudFormation template creates an aggregator index and a default view for Resource Explorer. The index type is set to AGGREGATOR, ensuring that it collects resource data across the organization.
```hcl
data "template_file" "aggregator" {
  template = jsonencode({
    "Description" : "CFN Stack setting up ResourceExplorer with an Aggregator Index, and a new Default View.",
    "Resources" : {
      "Index" : {
        "Type" : "AWS::ResourceExplorer2::Index",
        "Properties" : {
          "Type" : "AGGREGATOR",
          "Tags" : {
            "Purpose" : "ResourceExplorer CFN Stack"
          }
        }
      },
      "View" : {
        "Type" : "AWS::ResourceExplorer2::View",
        "Properties" : {
          "ViewName" : "DefaultView",
          "IncludedProperties" : [{
            "Name" : "tags"
          }],
          "Tags" : {
            "Purpose" : "ResourceExplorer CFN Stack"
          }
        },
        "DependsOn" : "Index"
      },
      "DefaultViewAssociation" : {
        "Type" : "AWS::ResourceExplorer2::DefaultViewAssociation",
        "Properties" : {
          "ViewArn" : {
            "Ref" : "View"
          }
        }
      }
    }
  })
}
```
Local CloudFormation Template
This CloudFormation template creates a local index and default view for Resource Explorer within a single region of an individual account.
```hcl
data "template_file" "local" {
  template = jsonencode({
    "Description" : "CFN Stack setting up ResourceExplorer with a Local Index, and a new Default View.",
    "Resources" : {
      "Index" : {
        # Resource type and Properties wrapper, matching the aggregator template
        "Type" : "AWS::ResourceExplorer2::Index",
        "Properties" : {
          "Type" : "LOCAL",
          "Tags" : {
            "Purpose" : "ResourceExplorer CFN Stack"
          }
        }
      },
      "View" : {
        "Type" : "AWS::ResourceExplorer2::View",
        "Properties" : {
          "ViewName" : "DefaultView",
          "IncludedProperties" : [{
            "Name" : "tags"
          }],
          "Tags" : {
            "Purpose" : "ResourceExplorer CFN Stack"
          }
        },
        "DependsOn" : "Index"
      },
      "DefaultViewAssociation" : {
        "Type" : "AWS::ResourceExplorer2::DefaultViewAssociation",
        "Properties" : {
          "ViewArn" : {
            "Ref" : "View"
          }
        }
      }
    }
  })
}
```
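A pre-deployment structural check for the two rendered template bodies above, as an added example that is not part of the original post. The function name `check_template` and both sample templates are constructed for illustration; the check flags an Index entry that lacks its CloudFormation resource type before the template reaches every account through a StackSet.

```python
import json

INDEX = "AWS::ResourceExplorer2::Index"
VIEW = "AWS::ResourceExplorer2::View"
ASSOC = "AWS::ResourceExplorer2::DefaultViewAssociation"

def check_template(body: str) -> list[str]:
    """Return structural problems found in a rendered template body (JSON)."""
    resources = json.loads(body).get("Resources", {})
    problems, by_type = [], {}
    for name, res in resources.items():
        rtype = str(res.get("Type", "")) if isinstance(res, dict) else ""
        if not rtype.startswith("AWS::"):
            problems.append(f"{name}: missing or invalid CloudFormation resource Type")
        by_type.setdefault(rtype, []).append(name)
    indexes = by_type.get(INDEX, [])
    if len(indexes) != 1:
        problems.append(f"expected exactly one {INDEX}, found {len(indexes)}")
    for name in indexes:
        kind = resources[name].get("Properties", {}).get("Type")
        if kind not in ("AGGREGATOR", "LOCAL"):
            problems.append(f"{name}: index Type must be AGGREGATOR or LOCAL")
    views = by_type.get(VIEW, [])
    for name in views:
        # The page's templates order the view after the index via DependsOn.
        dep = resources[name].get("DependsOn", [])
        deps = [dep] if isinstance(dep, str) else dep
        if not set(deps) & set(indexes):
            problems.append(f"{name}: view does not depend on the index")
    for name in by_type.get(ASSOC, []):
        ref = resources[name].get("Properties", {}).get("ViewArn", {})
        if not isinstance(ref, dict) or ref.get("Ref") not in views:
            problems.append(f"{name}: ViewArn does not reference a view")
    return problems

# Constructed samples: a well-formed local-index template, and one whose
# Index entry lacks the resource Type and the Properties wrapper.
_VIEW = {"Type": VIEW, "Properties": {"ViewName": "DefaultView"}, "DependsOn": "Index"}
_ASSOC = {"Type": ASSOC, "Properties": {"ViewArn": {"Ref": "View"}}}
GOOD = json.dumps({"Resources": {"Index": {"Type": INDEX, "Properties": {"Type": "LOCAL"}},
                                 "View": _VIEW, "DefaultViewAssociation": _ASSOC}})
BROKEN = json.dumps({"Resources": {"Index": {"Type": "LOCAL"},
                                   "View": _VIEW, "DefaultViewAssociation": _ASSOC}})

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("broken", BROKEN)):
        print(label, check_template(body))
```
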
3. Deploying the Aggregator Stack
Now, deploy the aggregator index in the designated master account. The aws_cloudformation_stack resource provisions the CloudFormation stack that creates the aggregator index and default view.
```hcl
resource "aws_cloudformation_stack" "resource_explorer_aggregator_master" {
  name          = "resource-explorer-aggregator-master"
  template_body = data.template_file.aggregator.rendered
}
```
4. Deploying the Local Index Stack
Similar to the aggregator stack, deploy a local index stack for managing resources within a region. In this case, the template is deployed using the aws_cloudformation_stack resource.
```hcl
# Define a provider for another region
provider "aws" {
  region              = "us-east-1"
  alias               = "master_us"
  profile             = "profile_name"
  allowed_account_ids = ["account_id"] # list of account IDs this provider may act on
}

resource "aws_cloudformation_stack" "resource_explorer_local_master" {
  name          = "resource-explorer-local-master"
  provider      = aws.master_us
  template_body = data.template_file.local.rendered
}
```
5. Automating Deployment with StackSets
AWS CloudFormation StackSets allow you to deploy CloudFormation stacks across multiple AWS accounts and regions. By configuring the stack sets for both the aggregator and local indexes, you ensure that Resource Explorer is automatically enabled for all new accounts.
Before enabling AWS Resource Explorer for all member accounts within your AWS Organization, you must first enable it in the master account (also known as the management account).
Aggregator StackSet
This StackSet deploys the aggregator index across all organizational accounts, automatically deploying stacks in new accounts as they are created.
```hcl
resource "aws_cloudformation_stack_set" "resource_explorer_aggregator_stackset" {
  name             = "Resource-Explorer-Aggregator"
  template_body    = data.template_file.aggregator.rendered
  permission_model = "SERVICE_MANAGED"

  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }
}
```
Local StackSet
The local index StackSet deploys a local Resource Explorer index in each new account and region.
```hcl
resource "aws_cloudformation_stack_set" "resource_explorer_local_stackset" {
  name             = "Resource-Explorer-Local"
  template_body    = data.template_file.local.rendered
  permission_model = "SERVICE_MANAGED"

  auto_deployment {
    enabled                          = true
    retain_stacks_on_account_removal = false
  }
}
```
6. Deploying StackSet Instances
Finally, deploy the instances of the stack sets in the specified organizational units. This ensures that Resource Explorer is set up in all regions of your organization.
```hcl
data "aws_organizations_organization" "org" {}

resource "aws_cloudformation_stack_set_instance" "resource_explorer_aggregator_stackset" {
  deployment_targets {
    organizational_unit_ids = [data.aws_organizations_organization.org.roots[0].id]
  }
  region         = local.region
  stack_set_name = aws_cloudformation_stack_set.resource_explorer_aggregator_stackset.name
}

resource "aws_cloudformation_stack_set_instance" "resource_explorer_local_stackset" {
  deployment_targets {
    organizational_unit_ids = [data.aws_organizations_organization.org.roots[0].id]
  }
  region         = "us-east-1"
  stack_set_name = aws_cloudformation_stack_set.resource_explorer_local_stackset.name
}
```
7. Create an Org-Level View in AWS Resource Explorer
To create a view that allows you to search and explore resources using AWS Resource Explorer, you need to set up a custom view in Resource Explorer. A view in AWS Resource Explorer is essentially a filtered, structured way to display your resources based on specific criteria, such as tags or properties.


Conclusion
By using AWS Organizations and CloudFormation StackSets, you can automate the process of enabling AWS Resource Explorer across your entire organization. With this setup, any new AWS account that is added to your organization will automatically have Resource Explorer enabled, allowing for centralized resource discovery and management across all regions and services.
This solution greatly simplifies managing resources at scale, ensuring that all your accounts can take advantage of AWS Resource Explorer without manual configuration.