Find out the optimal way to set up Hyperglance, when deploying via the AWS Marketplace
In this article, you'll learn:
Hyperglance needs access to the AWS API in order to collect data. By default, the AWS endpoints are public IPs. There are various methods of securing access to Hyperglance, you will be led by your security posture as to which one to use.
The order in terms of each option's complexity is as follows:
1. The Hyperglance instance has a Public IP, inbound access is limited using a security group.
2. The Hyperglance instance has a Public IP, inbound and outbound access is limited using a security group and a Network Access List (NACL).
3. The Hyperglance instance is placed behind a NAT Gateway or Load balancer.
4. The Hyperglance instance runs in a private subnet and has multiple Virtual Private Cloud Endpoints configured for access to the AWS API via private IPs.
You can find more information about these 4 AWS deployment options here
2. Choose the appropriate number of resources and then 'Continue to Subscribe'
3. Accept the terms
4. This will take us to a page describing the next steps, read and return to the launch page
5. Select 'Continue to Configuration'
6. It will take a few minutes before the subscription is ready. Once the subscription is live, choose the region you want the Hyperglance instance to be created in.
7. Select 'Continue to Launch'
8. Select ‘Launch CloudFormation’
9. Once you have selected 'Launch CloudFormation', select to 'Launch'
10. You'll be taken to CloudFormation in your AWS console. There is nothing to change here as the S3 template is already selected. Select 'Next'.
11. In the 'Specify stack details' page you have the option to name the CloudFormation stack, and decide on things like assigning a public IP.
Hyperglance needs access to the AWS API in order to pull down the information needed.
Be careful when choosing the VPC & Subnet you want Hyperglance to be deployed in. It's possible to mismatch the VPC & Subnet causing the stack creation to fail.
12. Once that’s set, select 'Next'
13. You’ll then get the option to tag tags. In the example below, we have added 'Hyperglance' as a 'Name' tag.
14. Scroll down to the bottom of the page, select 'Stack creation options' and select 'Disabled' for 'Rollback on Failure'. This will allow you to see which steps fail if the stack has issues.
After you've done that, select 'Next'.
15. On the review screen, scroll down to the bottom to accept the disclaimer and select 'Create stack. This enables CloudFormation to start creating the Hyperglance instance.
16. You’ll be taken to the CloudFormation stack console page. It'll take up to 10 minutes to finish the instance creation.
17. Once the stack has been created successfully, go to the 'Outputs' tab. This'll show you how you can connect to the Hyperglance Instance.
18. By default, Hyperglance’s password is the instance name, so copy that and then click on the link to go to Hyperglance.
Be careful when copying and pasting the instance name. Sometimes there is an extra space at the start/end of the string that will prevent you from authenticating successfully.
19. Proceed to the Hyperglance console page (acknowledging the browser warning)
20. You can now see, and log in to, the Hyperglance console. The default userid is ‘admin’ and the password is the Hyperglance instance-id.
Make sure you use HTTPS (port 443) to connect to Hyperglance
21. After logging in the first time, you'll be asked to select the regions that you'd like Hyperglance to monitor. By default, Hyperglance will pull in the inventory from the account you’ve used to create the instance.
To pull in the data from the account Hyperglance is running in, you don't need to add an ARN. Just add an Alias, select the regions you want to collect, then select 'Submit'.
22. If you want to add other accounts, then Hyperglance can use STS Assume-Role to access other AWS accounts if you provide a suitable Role ARN for Hyperglance to use. You can add as many accounts as you need via this administration page.
23. Leave 'Is Billing Only' option unchecked, so that Hyperglance will pull down inventory (as well as billing data, if available).
24. Hyperglance will automatically update to the latest version, assuming you are connected to the internet. If you weren't connected during your setup, make sure you use these instructions to update Hyperglance to the latest version. All user data is retained through an update, including authentication credentials, rules, and tag-view keys.
Deploy Hyperglance Rule Automations for AWS
Enable Hyperglance to automate, fix and optimize your cloud.
Our repository contains terraform configurations, that deploy an S3 Bucket and Lambda function that you connect with your Hyperglance EC2 Instance. Giving you the power to automate your cloud and fix configuration issues quickly & easily.
Before you can deploy automations you will need:
- Terraform CLI - Install instructions
- AWS CLI - Install instructions
- IAM permissions configured on the Hyperglance Instance - See below.
The IAM Policy on the Role associated with the Hyperglance EC2 Instance will need the following permissions added:
Follow the pre-requisite steps above.
Connect the AWS CLI to the AWS account that hosts Hyperglance by running: aws configure
Note: You will need an AWS IAM access and secret key.
$ aws configure
AWS Access Key ID [None]: ENTER_YOUR_ACCESS_KEY_HERE
AWS Secret Access Key [None]: ENTER_YOUR_SECRET_KEY_HERE
Default region name [None]: us-east-1
Default output format [None]: json
Clone our repo or download the zip
$ git clone https://github.com/hyperglance/aws-rule-automations.git
Deploy the stack:
Terraform will prompt for the region you wish to deploy to and for final confirmation.
$ cd aws-rule-automations/deployment/terraform/automations
$ terraform init
$ terraform apply
Once complete, the bucket name and lambda function ARN will be returned:
Apply complete! Resources: 8 added, 0 changed, 0 destroyed.
bucket_name = "hyperglance-automations-lucky-marmoset"
lambda_arn = "arn:aws:lambda:us-east-1:0123456789:function:hyperglance-automations-stinky-fish"
The lambda ARN is required to configure automations across accounts
Copy these into the Hyperglance UI: Settings ➔ Automations ➔ S3 Bucket Name or visit this URL: https://your-hyperglance-ip/#/admin/automations
Note: Leave the 'Role ARN' field blank. This is only needed if you deploy the stack to a different AWS account from the Hyperglance Instance.
That's it - Automations are now enabled!
- Within Hyperglance click on any rule or visit the Advanced Search page to start exploring automations features.
- If you need automations to run on resources from other AWS Accounts then continue on to follow our multi-account guide below.
Adding Hyperglance automation permissions to your accounts
To grant the automations Lambda access to resources in other AWS accounts you will need to create a special cross-account role in each of those accounts:
- Set the lambda_arn to the arn of the lambda function which was given as an output in the main account configuration.
Connect to an AWS Account where you wish to deploy the Role:
- Run: aws configure
- You will need AWS IAM access and secret keys for this account.
Deploy the Role:
$ cd aws-rule-automations/deployment/terraform/xaccount_role
$ terraform init
$ terraform apply
Easily add your own automations or modify existing ones!
Automations are written in Python3, each one is a self-contained Python (.py) file. Find them here: https://github.com/hyperglance/aws-rule-automations/tree/master/lambda/automations
To add a new automation:
- Add a new .py file
- Implement the hyperglance_automation() function with logic for your automation.
- Implement the info() function to inform the Hyperglance UI about your automation:
- Any UI inputs it needs from the user,
- A list of compatible resource types.
- Re-deploy the terraform stack with terraform apply
- Done: Your new automation will be immediately available and ready to use in the Hyperglance UI.