AWS API calls are notoriously hard to read, understand and use. Our goal is to help users connect individual API calls as nodes in Fylamynt workflows.
The integration between Fylamynt and AWS lets you:
Use AWS services (e.g. EC2) through a drop-down list
Navigate to Settings > Cloud Services > Set Up AWS Target Account
Click "Add AWS Account" to configure Fylamynt integration with your AWS account.
There are two steps needed to integrate Fylamynt with your AWS account.
In your AWS account, create an IAM role that allows Fylamynt to assume a role.
In Fylamynt, provide the ARN to that IAM role and give it a name.
We will cover three possible ways to create an AWS IAM role with assume role permissions. Fylamynt provides two scripts, one for Terraform and one for Python, to create the role. It's also possible to use the AWS console directly to create the role. You only need to use one of these options, or, if you're comfortable with some other tool (the AWS CLI, for example), feel free to use that.
Both the Terraform template and the Python script require you to have an AWS access key and AWS access secret for your AWS account.
If you are already using Terraform to provision your AWS account, this convenience script will help create a role with the correct permissions to allow Fylamynt to invoke AWS actions inside your account on your behalf.
The Python script assumes you have a working AWS account and have set up an access key.
Install Boto3. The boto3 Python package provides programmatic access to the AWS API. https://boto3.amazonaws.com/v1/documentation/api/latest/index.html
In a shell, use pip to install boto3:
# pip3 install boto3
Download the Fylamynt python script zip file.
Extract the zip file.
Change into the extracted directory
Edit a policy document.
There are two policy JSON documents provided in the zip file. "custom_policy.json" provides full access to several services in your AWS account, and "read_only_policy.json" gives read-only access to a set of services. Feel free to edit those as you see fit.
Execute the script
You will need:
Fylamynt Account ID (from the right side of the setup page).
Fylamynt External ID (from the right side of the setup page).
AWS Account Key (from your AWS account)
AWS Account Secret (from your AWS account)
The policy JSON file you'd like to use.
python3 ./fylamynt_iam_role.py --accid FYLAMYNT_ACCOUNT_ID --extid FYLAMYNT_EXTERNAL_ID --accesskey AWS_ACCOUNT_KEY --secretkey AWS_ACCOUNT_SECRET --policyjson POLICY_JSON
If it ran correctly, execution should look like this:
[14:29:36] INFO [utils.<module>:209] Creating IAM Role: Fylamynt_AWSIntegrationRole
[14:29:37] INFO [utils.<module>:216] Fylamynt IAM Policy has been created
[14:29:37] INFO [utils.<module>:220] Creating IAM Role: Fylamynt_AWSIntegrationRole
[14:29:37] INFO [utils.<module>:227] Fylamynt IAM Role has been created
[14:29:37] INFO [utils.attach_policy_to_role:191] Attached IAM Policy 'Fylamynt_AWSIntegrationPolicy' to IAM Role 'Fylamynt_AWSIntegrationRole' successfully
[14:29:37] INFO [utils.<module>:231] Fylamynt IAM Role, Policy has been created
Add IAM role ARN to Fylamynt 'get-started' page to complete AWS integration: arn:aws:iam::XXXXXXXXXXX:role/Fylamynt_AWSIntegrationRole
Manually Create AWS AssumeRole
Go to the IAM console for your AWS target account.
Select Create role
Select Another AWS account for the Role Type.
For Account ID, copy-paste Your Fylamynt Account ID from the right panel. This is the AWS account ID that hosts the Fylamynt application, and you are granting that account access to your AWS target account.
Check off Require external ID and copy-paste the “External ID” from the right panel. Make sure you leave Require MFA disabled. For more information about the External ID, check out this document in the IAM User Guide.
Click Next: Permissions.
If you already have a policy, select it. Otherwise, the Fylamynt team can help you create a policy that suits your needs. For non-critical test accounts, you can choose the PowerUserAccess managed policy. This will unlock the full functionality of the Fylamynt platform.
Attach Permission Policies
Select the appropriate tags and proceed.
Name the role and add a description that denotes that this role is for Fylamynt access. Click Create Role. Copy-paste the ARN for the created role from the AWS IAM console into the AssumeRole ARN field in the right panel on this Fylamynt page.
Enter a friendly name, or alias, for this AWS target account into the Account Alias field in the right panel on this page. The alias may contain letters and dashes. You select the target environment that your Fylamynt workflow runs against by picking one of your target accounts as runtime input.
Enter the name of the AWS region that your Fylamynt workflows will run against.
Click Add Target Account. You are now able to use Fylamynt with this account!
The AWS Execution Action allows you to call any AWS API endpoint supported by the boto3 library. See boto3 documentation here: https://boto3.amazonaws.com/v1/documentation/api/latest/index.html
The AWS Service you want to call.
The API call you want to make to the above service.
After you select a service (e.g. EC2, S3, IAM) and an operation (e.g. 'DescribeInstances', 'CreateBucket'), a further list of parameters for that call will appear on the right sidebar. These will be specific to the call you're making.
Specific output of the AWS Execution Action depends on the Service and Operation selected above.
The 'output' tab on the right panel will show a preview of the JSON output of the given operation.
Suppose we have a blue-green deployment environment, where we have a set of EC2 instances tagged "Deployment":"blue" and another set tagged "Deployment":"green". Green is currently in production, and we want to get a list of the instance IDs of the blue instances so we can do some other operation on them later.
We are going to use the AWS Action to get a list of the blue EC2 instances and then use a second AWS Action to send a 'stop_instances' call to them.
Starting from a new workflow, drag an "AWS" action node onto the canvas from the left-hand "Add" sidebar.
For that input, set the service to "Ec2" and the operation to "DescribeInstances".
Now we'll set up a filter so we only get the blue instances we're interested in. This is an implementation of AWS filters, which can get quite complex. More information here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html
Click "Add Filters".
For the "Name" field, enter "tag:Description".
Click "Add Value"
For the value, enter "blue".
Click Save in the "value" dialog.
Click Save again to save the whole filter.
The filters section should look like this:
Now we have a node that will find our 'blue' deployment EC2 instances.
Now drag a second AWS Action from the left sidebar, then drag a line from the bottom of the first AWS node to the top of the second. Then click on the second node to select it.
Select "Ec2" for the service and "StopInstances" for the operation.
A new field will appear under the Service/Operation area, and the first 'Required Input' will be "InstanceIds".
Click the gear to the left of the "InstanceIds" label.
Select "Set value from previous step"
Click on "Choose a step".
Click on "Choose an output from the step"
Choose "output" from the dropdown.
Now we'll pick just the Instance ID field from the previous step.
Click on "Configure" under "$.output".
You will see a listing of the JSON output of the previous describe instances step. We want the Instance ID for each instance in the Instances list in that document. Find "Instances" and scroll down to "InstanceID". Click on that.
You will see a dialog that looks like this:
Click "Save Output".
The right sidebar should look like this:
Now we're ready to stop the blue instances. If we added other AWS Action steps further down, they could also use the Instance ID list provided above.
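The two nodes of this workflow correspond to two boto3-style calls. The following is an added example, not Fylamynt's code: it filters on the "Deployment" tag from the scenario above, flattens the Reservations/Instances nesting of the DescribeInstances output into a list of instance IDs, follows NextToken pagination, and skips StopInstances when nothing matched. FakeEC2 and the instance IDs are constructed so the block runs offline; against a real account, pass boto3.client("ec2") instead.

```python
def blue_instance_ids(ec2, tag_key="Deployment", tag_value="blue"):
    """First node: DescribeInstances filtered on a tag, flattened to instance IDs."""
    kwargs = {"Filters": [{"Name": f"tag:{tag_key}", "Values": [tag_value]}]}
    ids = []
    while True:
        page = ec2.describe_instances(**kwargs)
        # Instances sit one level down, inside each reservation.
        for reservation in page.get("Reservations", []):
            ids += [i["InstanceId"] for i in reservation.get("Instances", [])]
        if not page.get("NextToken"):
            return ids
        kwargs["NextToken"] = page["NextToken"]

def stop_blue_instances(ec2):
    """Second node: StopInstances on the IDs taken from the first node's output."""
    ids = blue_instance_ids(ec2)
    if ids:  # StopInstances needs at least one instance ID
        ec2.stop_instances(InstanceIds=ids)
    return ids

class FakeEC2:
    """Constructed stand-in for boto3.client("ec2") so the example runs offline."""
    def __init__(self, instances):
        self.instances = instances  # {instance_id: {tag_key: tag_value}}
        self.stopped = []

    def describe_instances(self, Filters, NextToken=None):
        key = Filters[0]["Name"].split(":", 1)[1]
        hits = [{"InstanceId": i} for i, tags in sorted(self.instances.items())
                if tags.get(key) in Filters[0]["Values"]]
        start = int(NextToken or 0)  # one instance per page to exercise paging
        page = {"Reservations": [{"Instances": hits[start:start + 1]}]}
        if start + 1 < len(hits):
            page["NextToken"] = str(start + 1)
        return page

    def stop_instances(self, InstanceIds):
        self.stopped += InstanceIds

# Constructed inventory: two blue instances and one green.
FLEET = {"i-0aaa": {"Deployment": "blue"}, "i-0bbb": {"Deployment": "green"},
         "i-0ccc": {"Deployment": "blue"}}

if __name__ == "__main__":
    print(stop_blue_instances(FakeEC2(FLEET)))
```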