Microsoft Workloads on AWS
Automatically create self-managed licenses in multiple accounts using tags
In this blog post, we will demonstrate how you can set up self-managed licenses to be tracked automatically through tagging. Managing licenses for software running on Amazon Elastic Compute Cloud (Amazon EC2) is critical for compliance and auditing purposes. Amazon Web Services (AWS) provides a free tool, AWS License Manager, to help you manage your licenses. However, license tracking and visibility can become challenging in multi-account and multi-Region environments.
By deploying the AWS CloudFormation template provided, you can automatically find resources that are using self-managed licenses (for example, in a Bring Your Own License solution) based on their tags: an AWS Lambda function discovers the tagged resources and associates them with the matching license. Through License Manager's Delegated Administrator feature, those licenses are then visible in License Manager from one designated delegated account.
Solution overview
This solution uses the following AWS services:
- AWS Organizations
- AWS License Manager
- AWS Lambda
- Amazon EventBridge
- AWS Resource Tags
- AWS CloudFormation
- AWS CloudFormation StackSets
- AWS Resource Access Manager
As part of the solution, you will deploy two Lambda functions from the provided template. The first checks for existing tags on resources within the Regions the StackSet is deployed in and adds those resources to the self-managed license whose tags match. The second removes resources from a license when they no longer carry the matching tags. You control the frequency of both checks with cron expressions supplied when deploying the StackSet.
The Lambda function in the CloudFormation template only searches for the tag key provided during deployment. For example, if you select "PO" as the TagKey during deployment, the self-managed license in License Manager needs to carry the tag key "PO" with the tag value "1234", as shown in Table 1. Any Amazon EC2 instance tagged with key "PO" and value "1234" will then be automatically added to that self-managed license.
If you want to automatically populate another self-managed license, you could use tag key “PO” with a different value; for example, the tag value “5678”. All Amazon EC2 instances with the tag key “PO” and tag value “5678” will be added to that second self-managed license and captured by the same CloudFormation deployment.
If you want to use a different tag key (for example, "PurchaseOrder"), you will need to deploy the CloudFormation template again and specify that TagKey during deployment.
| Resource | tagKey/tagValue | Result | CloudFormation deployment |
|---|---|---|---|
| Amazon EC2 | PO/1234 | Match | Same stack (same tagKey) |
| Self-managed license | PO/1234 | | |
| Amazon EC2 | PO/5678 | Match | Same stack (same tagKey) |
| Self-managed license | PO/5678 | | |
| Amazon EC2 | PurchaseOrder/0987 | Match | New stack (different tagKey) |
| Self-managed license | PurchaseOrder/0987 | | |
Table 1: The relation between CloudFormation stack and tag key
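The matching rule described above and the add/remove behaviour of the two Lambda functions, as an added example that is not the template from this post. The planning functions are pure and run on constructed sample data (the license ARNs, account IDs and instance IDs are made up); lambda_handler shows how the same plan would be fetched and applied with boto3 in a member account, and assumes the function's role can list the licensing account's license configurations (how the post's template arranges that, via its AWSAccountId parameter and AWS RAM, is not shown here). "Self-managed licenses" in the console are license configurations in the License Manager API.

```python
"""Tag-driven matching of EC2 instances to License Manager self-managed licenses
(added example; 'self-managed licenses' are license configurations in the API)."""

TAG_KEY = "PO"  # the TagKey parameter chosen when deploying the StackSet
REGION, ACCOUNT_ID = "us-east-1", "222222222222"  # constructed: member account the Lambda runs in
LIC = "arn:aws:license-manager:us-east-1:111111111111:license-configuration:"  # constructed: licensing account

def instance_arn(region, account_id, instance_id):
    return f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"

def tag_value(tags, key):
    """Value of tag `key`, or None. Tag keys are case-sensitive: 'po' does not match 'PO'."""
    return next((t["Value"] for t in tags or [] if t["Key"] == key), None)

def licenses_by_tag_value(licenses, tag_key):
    """Map tag value -> license ARN. A value carried by two licenses is ambiguous and is
    reported separately rather than counting one instance against both licenses."""
    seen = {}
    for lic in licenses:
        value = tag_value(lic.get("Tags"), tag_key)
        if value is not None:
            seen.setdefault(value, []).append(lic["LicenseConfigurationArn"])
    return ({v: a[0] for v, a in seen.items() if len(a) == 1},
            {v: a for v, a in seen.items() if len(a) > 1})

def expected_associations(licenses, instances, tag_key, region, account_id):
    """Instance ARN -> license ARN it should be on, given its current tags."""
    lookup, _ = licenses_by_tag_value(licenses, tag_key)
    return {instance_arn(region, account_id, i["InstanceId"]): lookup[tag_value(i.get("Tags"), tag_key)]
            for i in instances if tag_value(i.get("Tags"), tag_key) in lookup}

def plan_additions(licenses, instances, associations, tag_key, region, account_id):
    """The 'add' Lambda: license ARN -> tagged instance ARNs not yet associated with it."""
    plan = {}
    for arn, lic_arn in expected_associations(licenses, instances, tag_key, region, account_id).items():
        if arn not in associations.get(lic_arn, []):
            plan.setdefault(lic_arn, []).append(arn)
    return plan

def plan_removals(licenses, instances, associations, tag_key, region, account_id):
    """The 'remove' Lambda: license ARN -> associated instances from this account/Region whose tag
    no longer matches or that no longer exist. Other accounts' instances are not ours to touch."""
    expected = expected_associations(licenses, instances, tag_key, region, account_id)
    own = instance_arn(region, account_id, "")
    stale = {lic: [a for a in arns if a.startswith(own) and expected.get(a) != lic]
             for lic, arns in associations.items()}
    return {lic: arns for lic, arns in stale.items() if arns}

# Constructed sample data in the shape of the boto3 response fields the automation reads.
SAMPLE_LICENSES = [
    {"LicenseConfigurationArn": LIC + "lic-sql", "Tags": [{"Key": "PO", "Value": "1234"}]},
    {"LicenseConfigurationArn": LIC + "lic-win", "Tags": [{"Key": "PO", "Value": "5678"}]},
    {"LicenseConfigurationArn": LIC + "lic-dup", "Tags": [{"Key": "PO", "Value": "5678"}]},  # same value as lic-win
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "Tags": [{"Key": "PO", "Value": "1234"}]},  # already associated
    {"InstanceId": "i-0bbb", "Tags": [{"Key": "PO", "Value": "1234"}, {"Key": "Name", "Value": "sql-02"}]},
    {"InstanceId": "i-0ccc", "Tags": [{"Key": "PO", "Value": "5678"}]},  # ambiguous value: skipped
    {"InstanceId": "i-0ddd", "Tags": [{"Key": "po", "Value": "1234"}]},  # wrong key case: no match
    {"InstanceId": "i-0fff", "Tags": []},                                 # tag removed since last run
]
SAMPLE_ASSOCIATIONS = {LIC + "lic-sql": [  # as list_associations_for_license_configuration reports them
    instance_arn(REGION, ACCOUNT_ID, "i-0aaa"),
    instance_arn(REGION, ACCOUNT_ID, "i-0fff"),
    instance_arn(REGION, ACCOUNT_ID, "i-0zzz"),      # terminated since last run
    instance_arn(REGION, "333333333333", "i-0abc"),  # another account's instance
]}

def lambda_handler(event, context):
    """Real entry point: fetch the three inputs with boto3 and apply both plans (not run offline)."""
    import boto3  # imported here so the planning functions stay importable without boto3
    region, account_id = context.invoked_function_arn.split(":")[3:5]
    lm, ec2 = boto3.client("license-manager"), boto3.client("ec2")

    def pages(call, key, **kwargs):  # NextToken pagination shared by the List/Describe calls
        token = None
        while True:
            page = call(**kwargs, **({"NextToken": token} if token else {}))
            yield from page[key]
            token = page.get("NextToken")
            if not token:
                return
    licenses = [{**lic, "Tags": lm.list_tags_for_resource(ResourceArn=lic["LicenseConfigurationArn"])["Tags"]}
                for lic in pages(lm.list_license_configurations, "LicenseConfigurations")]
    live = [{"Name": "instance-state-name", "Values": ["pending", "running", "stopping", "stopped"]}]
    instances = [i for r in pages(ec2.describe_instances, "Reservations", Filters=live) for i in r["Instances"]]
    associations = {lic["LicenseConfigurationArn"]: [a["ResourceArn"] for a in pages(
        lm.list_associations_for_license_configuration, "LicenseConfigurationAssociations",
        LicenseConfigurationArn=lic["LicenseConfigurationArn"])] for lic in licenses}
    args = (licenses, instances, associations, TAG_KEY, region, account_id)
    for lic_arn, arns in plan_additions(*args).items():
        for arn in arns:
            lm.update_license_specifications_for_resource(
                ResourceArn=arn, AddLicenseSpecifications=[{"LicenseConfigurationArn": lic_arn}])
    for lic_arn, arns in plan_removals(*args).items():
        for arn in arns:
            lm.update_license_specifications_for_resource(
                ResourceArn=arn, RemoveLicenseSpecifications=[{"LicenseConfigurationArn": lic_arn}])
```

Two details are worth carrying into any version of this automation: tag keys are compared case-sensitively, so an instance tagged "po" is silently ignored, and a tag value carried by more than one self-managed license is skipped rather than having one instance counted against both licenses. The post splits the add and remove passes into two Lambda functions on two schedules; this handler runs both in one pass, and the describe_instances filter excludes terminated instances, which otherwise still appear for a while after termination.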
Prerequisites
- License Manager needs to be onboarded in the account.
- For the multi-account method, you will need AWS Organizations and a License Manager delegated administrator account.
- The self-managed license and every Amazon EC2 instance you want tracked must carry the matching tag key and value.
Walkthrough
There are two deployment options provided, depending on your use case. The first method is focused on gathering license information for a single account and all of its enabled Regions. The second method is for customers looking for organizational visibility into their license usage, as shown in Figure 1.
Method 1 – Single account
In this scenario, the assumption is that you are only running a single account with AWS. In this single account, you will manage the licenses within the same account your Amazon EC2 instances are deployed in.
- Sign up for License Manager and create your self-managed license. There is no additional cost for License Manager; however, you do have to onboard the account.
- Go to the License Manager console and click on Start using AWS License Manager, as shown in Figure 2.
- You will be prompted to grant License Manager IAM permissions. Figure 3 shows where you select the box to grant the permissions and click on Grant Permissions.
- Once you are in the License Manager console, select Self-managed licenses, then Create self-managed license, as shown in Figure 4.
- In Configuration details, provide a name and the license type (for instance, if your license is counted per vCPU, select vCPU). You can also select Enforce license limit, which prevents additional resources from consuming the license once the configured count is exceeded.
- Expand Tags (optional in the console, but required for this solution) and provide the tag key and value you will use on the Amazon EC2 instances you wish to add to this license, as shown in Figure 5. The tag key must match the TagKey value you provide when deploying the CloudFormation template.
- Select Submit.
- Deploy the automation for License Manager detection.
- Download the CloudFormation template (AutodiscoverLicensesBasedOnTag.yml).
- If you want to deploy the StackSet across multiple Regions, first grant self-managed permissions by creating the StackSet administration and execution IAM roles (AWSCloudFormationStackSetAdministrationRole and AWSCloudFormationStackSetExecutionRole).
- Go to the CloudFormation console, select StackSets on the left, and click on Create StackSet on the right, as shown in Figure 6.
- If you are deploying into multiple Regions, provide the administration IAM role you created in the previous step. If you are only deploying into the Region you are currently using, you can skip this step.
- For Prepare Template, as shown in Figure 7, select Template is ready. For Specify template, select Upload a template file. Click on Choose file and browse to the path you downloaded the AutodiscoverLicensesBasedOnTag.yml file to. Click on Next.
- Provide a StackSet name.
- Figure 8 shows EventBridgeRuleScheduleToAdd, a cron expression that controls how frequently the automation runs to find tagged resources to add to License Manager. By default, it runs every Sunday at 12:00 AM (EventBridge schedules are evaluated in UTC).
- EventBridgeRuleScheduleToRemove is a cron expression that controls how frequently the automation runs to find resources whose tags have been removed; those resources are removed from the license. By default, it runs every Sunday at 1:00 AM UTC.
- TagKey is used by the solution to link the Amazon EC2 instance with the self-managed license. You can use PO as an example. Refer to Table 1 for more examples. Click on Next.
- Leave Configure StackSet options as default. If your organization requires modifications to these options, they should not affect the functionality of the solution. Select Next.
- For Set deployment options, provide the account you are deploying this StackSet into. Since this is a single-account deployment, you can copy the account ID from the account menu in the upper right of the console.
- As shown in Figure 9, you will also need to specify the Regions you are deploying the StackSet into. If you are deploying into a Region other than the one you are currently in, make sure you granted self-managed permissions as described above for multi-Region deployments. You can use the defaults for Deployment options.
- Finally, review the stack details. If satisfied with the options, check the box for I acknowledge that AWS CloudFormation might create IAM resources with custom names. Select Submit.
Method 2 – AWS Organizations with multiple accounts
In this scenario, there will be multiple accounts. Account A will be the management account in AWS Organizations. A management account is the account you use to create an organization, invite other existing accounts to the organization, designate delegated administrator accounts, apply policies, and more.
The second account, Account B, will be our License Manager account. This account will be the delegated account to manage licenses in all accounts that are part of the organization.
The additional accounts will be where your tagged Amazon EC2 instances and application workloads are deployed that you want to track with License Manager.
To quickly recap, we are using the three following accounts for this example:
- Account A: Management account
- Account B: License Manager delegated account
- Additional accounts (any other account in the organization)
It should be noted that while you will be using a multi-account setup with this method, the licensing solution can be deployed in a single account setup. If you want to use a single account, follow the steps in method 1.
There are three main steps for this multi-account method: set up AWS Organizations, set up the License Manager delegated administrator, and deploy and test the automation. If you already have Organizations set up, you can skip to Step 2 (License Manager delegation).
- Set up AWS Organizations. Click on AWS Organizations to access the Organizations console, as shown in Figure 10.
- Click on Create an Organization.
- Click on Add an AWS Account.
- Here you can either create new accounts to be part of the Organization you just created or add existing accounts. For this scenario, you will be adding existing accounts. To add existing accounts, you will choose Invite an existing AWS Account.
- You must verify the management account’s email address before you can invite AWS accounts to join your organization. You can click on Send verification email, as shown in Figure 11.
- Check the email address configured with Account A. You should receive an email titled “AWS Organizations email verification request.” Click on the Verify your email address button.
- As shown in Figure 12, you can now add the additional accounts you want to be part of the Organization; in this case, Account B and any other account you want to manage as part of your multi-account solution. To do this, select Add an AWS Account. In the next window, select Invite an existing AWS account. You can then choose to use the email address or account ID of the AWS accounts to invite. To invite multiple accounts, select Add another Account to provide multiple emails/account IDs. You can optionally add a message to include in the invitation and set tags. Once you’ve finished, select Send Invitation.
- To accept the invitation, you can check the email address associated with the account(s) you invited. You will see an email titled “Your AWS account has been invited to join an AWS organization.” In this email, you can select Accept invitation. Optionally, you can log into the accounts you have invited, go to the Organizations console, and click on invitations to accept the invite.
- Once all of the invites have been accepted, you should be able to log into the management account (Account A) and see all of the accounts you have added under Organization, as shown in Figure 12.
- Set up the License Manager delegated administrator. If you already have License Manager delegation set up, you can skip to Step 3 (Deploy and test the automation).
- From the management account, you need to enable License Manager. To do this, go to the AWS License Manager console page and select Start Using AWS License Manager, as shown in Figure 13. You will then be prompted to grant License Manager the required IAM permissions to manage licenses.
- From the AWS License Manager console, you can configure the account delegation. Select Settings. Select the Delegated administration tab. From here, you can set the account to delegate license administration. In this scenario, we are using the licensing Account B, as shown in Figure 14.
- From the account you set as the delegated administrator (in this case, Account B), log into License Manager, as shown in Figure 15. Select Settings. On the Managed licenses tab, select Turn on for Cross-account resource discovery. You only need to perform this step from the account you will be managing licenses from.
- Link AWS Organizations accounts from the management account (Account A).
- Do the same for the licensing account (Account B).
- Lastly, you will want to make sure that AWS Resource Access Manager (AWS RAM) is enabled as a trusted service at the organization level. Log into the Management account and go to the AWS Organizations console. Select Services and then select AWS RAM in the list of services. From here, you should be able to enable trusted access. An example of RAM being enabled in AWS Organizations is shown in Figure 16.
- Deploy and test the License Management CloudFormation template.
- Navigate to the CloudFormation console in the management account, as shown in Figure 17.
- Select StackSets.
- If you haven’t used StackSets before, complete the CloudFormation StackSets prerequisites. In this example, we are using service-managed permissions. You can use self-managed permissions as well if required.
- Choose Create StackSet.
- In the Specify template area, choose Upload a template file. Choose Choose file and select the AutodiscoverLicensesBasedOnTag.yml template you downloaded. Choose Next.
- For StackSet name, enter a name.
- In the Parameters area, set the following fields, as shown in Figure 18:
- For AWSAccountId, enter the account ID of the licensing account (Account B).
- EventBridgeRuleScheduleToAdd is a cron expression that controls how frequently the automation runs to find tagged resources to add to License Manager. By default, it runs every Sunday at 12:00 AM UTC.
- EventBridgeRuleScheduleToRemove is a cron expression that controls how frequently the automation runs to find resources whose tags have been removed; those resources are removed from the license. By default, it runs every Sunday at 1:00 AM UTC.
- TagKey is used to specify the key on tags the automation will search for to add to your self-managed license. You can use PO as an example. Refer to Table 1 for more examples. Click on Next.
- In the Target Account(s) area, select the OU, Region, and/or additional Regions. Choose Next.
- In the Configure stack options page, choose Next.
- Select I acknowledge that AWS CloudFormation might create IAM resources with custom names, then choose Submit.
- The StackSet can take a few minutes to deploy. Once completed, the automation will run on the schedules you specified (by default, every Sunday at 12:00 AM UTC for additions and 1:00 AM UTC for removals).
- To test that the Lambda function is picking up the Amazon EC2 instances, open the Lambda console in one of the target accounts and look for the function named "license-LicenseManagerLambdaFunction-xxxx". Select the Test tab, provide any name for Event name, and then click Test in the upper right corner.
- Once you’ve tested the function or allowed it to run at its scheduled time, you should be able to log into the Licensing account and go to the License Manager console. Select Self-managed licenses and you should see the resources in the application account(s) listed, as shown in Figure 19.
Cleanup
Deploying this solution will provision AWS resources and may incur costs. Once you have completed testing and no longer need the license discovery automation in place, you can remove the provisioned resources by deleting the StackSet you created as part of this example. Navigate to the CloudFormation console, select StackSets, select the StackSet you created, and first delete its stack instances from every target account and Region (Actions, Delete stacks from StackSet). Once those deletions have completed, delete the StackSet itself. This removes the Lambda functions, EventBridge rules, and all other resources created by the template. Note that resources already associated with your self-managed licenses stay associated in License Manager; deleting the stack only removes the automation.
Conclusion
AWS License Manager has allowed customers more visibility and tracking into their licenses being utilized on AWS infrastructure. By using the template provided in this blog post, you can automatically track license usage across multiple accounts using custom tags and ensure you have an accurate number of resources being used at any one time.