Question: No Import Option? #564

Open
RobBiddle opened this issue Dec 6, 2024 · 5 comments
Labels
question Further information is requested

Comments

@RobBiddle

I've deployed this stack using AWS Organizations and it deployed successfully.
When I log in to the CloudFront site that it created and go to /accounts there are no accounts listed and there is no "Import" option anywhere.
What have I done wrong?

@svozza
Contributor

svozza commented Dec 9, 2024

You haven't done anything wrong. :) Account import is not done through the UI in AWS_ORGANIZATION mode, there's more detail about how it works in the implementation guide: https://docs.aws.amazon.com/solutions/latest/workload-discovery-on-aws/aws-organizations-account-discovery-mode.html.

I think the most likely thing that's happened here is that the discovery process is running out of memory.

You can verify by following these steps:

  1. Sign in to the Amazon Elastic Container Service console.
  2. Select the cluster named workload-discovery-cluster.
  3. Choose the Tasks tab.
  4. Select the Stopped option from the Filter desired status dropdown menu.
  5. In the Last Status column, check for the error message OutOfMemoryError: Container killed due to memory usage

The resolution is in step 3 in this part of the troubleshooting section of the docs here: https://docs.aws.amazon.com/solutions/latest/workload-discovery-on-aws/troubleshooting.html#resources-not-discovered-after-account-has-been-imported.
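
The console check in the steps above can also be scripted. This is an added example, not code from the project or from the commenter: `find_oom_tasks` scans ECS DescribeTasks output for the error text, and the sample tasks, container name and ARNs are constructed; the live lookup assumes boto3 and credentials for the deployment account.

```python
OOM_MARKER = "OutOfMemoryError"          # error text quoted in the steps above
CLUSTER = "workload-discovery-cluster"   # cluster name from the steps above

def find_oom_tasks(tasks):
    """Return (taskArn, containerName, reason) for each OOM-killed stopped task."""
    hits = []
    for task in tasks:
        if task.get("lastStatus") != "STOPPED":
            continue
        killed = [c for c in task.get("containers", [])
                  if OOM_MARKER in c.get("reason", "")]
        for c in killed:
            hits.append((task["taskArn"], c.get("name"), c["reason"]))
        # Fall back to the task-level reason when no container carries the marker.
        if not killed and OOM_MARKER in task.get("stoppedReason", ""):
            hits.append((task["taskArn"], None, task["stoppedReason"]))
    return hits

def fetch_stopped_tasks(cluster=CLUSTER):
    """Live lookup (assumes boto3 and credentials for the deployment account)."""
    import boto3
    ecs = boto3.client("ecs")
    tasks = []
    pages = ecs.get_paginator("list_tasks").paginate(
        cluster=cluster, desiredStatus="STOPPED")
    for page in pages:
        if page["taskArns"]:  # describe_tasks rejects an empty task list
            tasks += ecs.describe_tasks(
                cluster=cluster, tasks=page["taskArns"])["tasks"]
    return tasks

# Constructed sample in the shape of DescribeTasks output (not real data).
ARN = "arn:aws:ecs:us-east-1:111122223333:task/workload-discovery-cluster/"
OOM_TEXT = "OutOfMemoryError: Container killed due to memory usage"
SAMPLE_TASKS = [
    {"taskArn": ARN + "aaaa", "lastStatus": "STOPPED",
     "stoppedReason": "Essential container in task exited",
     "containers": [{"name": "discovery", "exitCode": 137, "reason": OOM_TEXT}]},
    {"taskArn": ARN + "bbbb", "lastStatus": "STOPPED",
     "stoppedReason": "Essential container in task exited",
     "containers": [{"name": "discovery", "exitCode": 0}]},
    {"taskArn": ARN + "cccc", "lastStatus": "STOPPED",
     "stoppedReason": OOM_TEXT, "containers": []},
]

if __name__ == "__main__":
    for arn, name, reason in find_oom_tasks(SAMPLE_TASKS):
        print(f"{arn} [{name}]: {reason}")
```

Against a live deployment, pass `fetch_stopped_tasks()` to `find_oom_tasks` instead of the sample list.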

@RobBiddle
Author

Thanks for the suggestions!

I ended up tearing the stack down and deploying it again in a different region and then the Import option showed up.
The instructions are a bit misleading. It makes it seem like you don't have to do anything else when using AWS Organizations, but it didn't start working until I deployed the Global and Regional templates from the Import page as StackSets.

@svozza
Contributor

svozza commented Dec 10, 2024

No, the import button should not be present in AWS Organization mode, the solution deploys the stacksets with the global template on your behalf when you choose that mode. You can see this with the condition in the CFN:

Condition: IsUsingOrganizations

The whole point of the AWS Organizations integration is so that customers do not have to deploy and manage the account import CFN templates themselves.

If it wasn't an out of memory issue then the other reason you may not have seen accounts in Organizations mode was that the account you deployed to did not have the correct permissions as described here: https://docs.aws.amazon.com/solutions/latest/workload-discovery-on-aws/choosing-the-deployment-account.html

If you are deploying Workload Discovery on AWS to an AWS Organization, the solution must be installed in a delegated admin account where StackSets and multi-Region AWS Config capabilities have been enabled.

The reason for this is that if the account is not a delegated admin then the discovery process is not able to call the ListAccounts API to get the list of accounts to discover from the org.

@shujacks added the question (Further information is requested) label Dec 11, 2024

@RobBiddle
Author

I definitely have a delegated admin account set up, and all the list-delegated-administrators commands came back looking correct before I deployed so I'm not sure why it wasn't able to work without the StackSet deployment. I'm not too worried about it since it's working now.

Is there some kind of built-in limit for items in the Diagrams? None of the diagrams seem to be complete.
For example, I was wanting to create a diagram of all VPCs and Peering Connections.
I have 26 accounts with VPCs, however even though I'm not filtering by account or region it seems like it only uses resources from a handful of random accounts when generating the diagram.

@svozza
Contributor

svozza commented Dec 12, 2024

Workload Discovery only supports the relationship types that we get from AWS Config and other custom relationships that we derive in code. We don't capture VPC peering relationships as we can't derive that information from the data sources we currently consume. You can see a list of many of the relationships we do support here:

https://aws-solutions.github.io/workload-discovery-on-aws/workload-discovery-on-aws/2.0/data_model.html

However, I think VPC peering relationships are something I would like us to capture so I will add that to our backlog as we can get that information by doing a call to the DescribeVpcPeeringConnections API.
