workload-discovery-on-aws
workload-discovery-on-aws copied to clipboard
aws-solutions
Question: No Import Option?
I've deployed this stack using AWS Organizations and it deployed successfully.
When I login to the cloudfront site that it created and go to /accounts there are no accounts listed and there is no "Import" option anywhere.
What have I done wrong?
You haven't done anything wrong. :) Account import is not done through the UI in AWS_ORGANIZATION mode, there's more detail about how it works in the implementation guide: https://docs.aws.amazon.com/solutions/latest/workload-discovery-on-aws/aws-organizations-account-discovery-mode.html.
I think the most likely thing that's happened here is that the discovery process is running out of memory.
You can verify by following these steps:
- Sign in to the Amazon Elastic Container Service console.
- Select the cluster named
workload-discovery-cluster. - Choose the Tasks tab.
- Select the Stopped option from Filter desired status dropdown menu.
- In the Last Status column check for the error message OutOfMemoryError: Container killed due to memory usage
The resolution is in step 3 in this part of the troubleshooting section of the docs here: https://docs.aws.amazon.com/solutions/latest/workload-discovery-on-aws/troubleshooting.html#resources-not-discovered-after-account-has-been-imported.
Thanks for the suggestions!
I ended up tearing the stack down and deploying it again in a different region and then the Import option showed up. The instructions are a bit misleading. It makes it seem like you don't have to do anything else when using AWS Organizations, but it didn't start working until I deployed the Global and Regional templates from the Import page as StackSets.
No, the import button should not be present in AWS Organization mode, the solution deploys the stacksets with the global template on your behalf when you choose that mode. You can see this with the condition in the CFN:
https://github.com/aws-solutions/workload-discovery-on-aws/blob/2386c69fc61c8961d18ee423203a8b2ee66feab9/source/cfn/templates/main.template#L610
The whole point of the AWS Organizations integration is so that customers do not have to deploy and manage the account import CFN templates themselves.
If it wasn't an out of memory issue then the other reason you may not have seen accounts in Organizations mode was that the account you deployed to did not have the correct permissions as descibed here: https://docs.aws.amazon.com/solutions/latest/workload-discovery-on-aws/choosing-the-deployment-account.html
If you are deploying Workload Discovery on AWS to an AWS Organization, the solution must be installed in a delegated admin account where StackSets and multi-Region AWS Config capabilities have been enabled.
The reason for this is that if the account is not a delegated admin then the discovery process is not able to call the ListAccounts API to get the list of accounts to discover from the org.
I definitely have a delegated admin account setup, and all the list-delegated-administrators commands came back looking correct before I deployed so I'm not sure why it wasn't able to work without the StackSet deployment. I'm not too worried about it since it's working now.
Is there some kind of built in limit for items in the Diagrams? None of the diagrams seem to be complete. For example, I was wanting to create a diagram of all VPCs and Peering Connections. I have 26 accounts with VPCs, however even though I'm not filtering by account or region it seems like it only uses resources from a handful of random accounts when generating the diagram.
Workload Discovery only supports the relstionship types that we get from AWS Config and other custom relationships that we derive in code. We don't capture VPC peering relationships as we can't derive that information from the data sources we currently consume. You can see a list of many of the relationships we do support here:
https://aws-solutions.github.io/workload-discovery-on-aws/workload-discovery-on-aws/2.0/data_model.html
However, I think VPC peering relationships are something I would like us to capture so I will add that to our backlog as we can get that information by doing a call to the DescribeVpcPeeringConnections API.