AWS Cloud Operations Blog

How to create a change template using AWS Systems Manager Change Manager

AWS Systems Manager Change Manager, a capability of AWS Systems Manager, is an enterprise change management framework for requesting, approving, implementing, and reporting on operational changes to your application configuration and infrastructure. With Change Manager, you can use preapproved change templates to help automate change processes for your resources and help avoid unintentional results when making operational changes.

Change templates can be helpful during audits to show how standard changes are made. Here are some use cases:

  • To stop a non-production environment for a workload over the weekend.
  • To replace production EC2 instances from an updated AMI that is at required patch levels, making production instances secure and compliant.
  • To release new software version by using deployment methods like blue/green.

In this blog post, we’ll show how you can create a preapproved change template to stop an Amazon Elastic Compute Cloud (Amazon EC2) instance.

Before you begin

Quick Setup helps you configure frequently used AWS services and features across your organization. You can use Quick Setup to set up Change Manager.

Create a change template to stop an EC2 instance

1. Sign in to the AWS Management Console and open the Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the left navigation pane, expand Change Management, and then choose Change Manager.
3. On the Change Manager page, choose Settings, and then choose Edit.

Change Manager page displays Overview, Requests, Approvals, Templates, and Settings tabs.

Figure 1: Settings tab

4. In Best practices, under Change templates, the Require template review and approval before use option is enabled by default. Under Change requests, choose Create an Amazon SNS topic. For more information, see Creating Amazon SNS Topic in the Amazon Simple Notification Service developer guide.

In Best practices, there are Change requests and Change templates sections. In this example, ChangeTemplateBlogSNS is entered in the Notification topic field. The Require template review and approval before use checkbox is selected.

Figure 2: Best practices

5. In Template reviewers, choose Add.
6. In Select IAM approvers, choose an IAM user or group, and then choose Add approvers. Scroll to the bottom of the Settings page, and then choose Save.

Select IAM approvers includes Users and Groups tabs. In this example, there are three users in the Users list.

Figure 3: Select IAM approvers

7. On the Change Manager page, choose Create template.
8. On the Create change template page, enter a name for your template (for example, TemplateCreationBlog).

In the Create change template page, under Template name, TemplateCreationBlog is entered.

Figure 4: Create change template

9. In Change template details, do the following:

  • For Description, enter a brief explanation of how the change template you are creating is to be used (in this example, To create a template for stopping EC2 instances.)
  • For Change template type, choose Standard change template. The other option, an emergency change template, is used for situations when a change must be made even if changes are otherwise blocked by an event in the calendar used by Change Calendar.
  • The Runbook options section is used to specify the runbooks that users can choose from when they’re creating a change request. In this example, choose Select a single runbook.
  • For Runbook, choose the names and versions of the runbooks that users can choose from for their change requests. In this example, choose AWS-StopEC2Instance.

Change template details displays fields and options completed as described in the blog post.

Figure 5: Change template details

10. In Template information, provide details related to this change template, and then choose Show preview. Figure 6 shows some sample questions to help you complete this section.

Template information page displays these questions: What is the purpose of this change? Are there any manual steps that need to be run as part of this change? What is the expected end state of the system after this change? What could happen if everything goes wrong with this change and how is the risk mitigated?

Figure 6: Template information

11. In Change request approvals, under First-level approvals, click Add approver, and then choose Template specified approvers. On Select IAM approvers, choose the Users tab or the Groups tab, and then choose Add approvers.

You can use the Change request approvals page to specify up to five levels of approvers for change requests created from the change template. From the Add approver dropdown, the Template specified approvers and Request specified approvers options are displayed.

Figure 7: Change request approvals

12. The options under Amazon SNS topic for approval notifications allow you to specify the SNS topic to use to notify approvers that a change request is ready for their review. In this example, choose Select an existing SNS topic.
13. To add an additional level of approvers, in Change request approvals, choose Add approval level and repeat step 11. In this post, we are using first-level approvals only. (See Figure 8.)

Amazon SNS topic for approval notifications provides the following options: Enter an SNS ARN, Create an Amazon SNS topic, Select an existing Amazon SNS topic, and Allow requesters to specify an Amazon SNS topic.

Figure 8: Amazon SNS topic and Add approval level

14. You can use the Monitoring section to enter a CloudWatch alarm to monitor the progress of runbook workflows that are based on this template. In this blog post, we’re not using monitoring.
15. In Notifications, choose the SNS topic that will be used to notify the template reviewer. In this example, choose Select an existing SNS topic.

In Notifications, under SNS topics for updates to requests made from this template, there are the following options: Enter an SNS ARN, Create an Amazon SNS topic, and Select an existing Amazon SNS topic.

Figure 9: Notifications

16. (Optional) In Tags, enter one or more tag key-value pairs to the change template, and then choose Add tag. In this example, for the first tag, for Key, enter environment. For Value, enter production. For the second tag, for Key, enter Weekend shutdown. For Value, enter true.

The Tags section is completed as described in the post.

Figure 10: Tags

17. Choose Save and Preview, and then choose Submit for review.

18. Choose the Templates tab to view your change template request. You’ll see in Figure 11 that it has a status of Pending review.

On the Templates tab, the TemplateCreationBlog template has a status of Pending review.

Figure 11: TemplateCreationBlog with Pending review status

19. This pending request is now in the reviewers’ account waiting for their approval. Sign in as a reviewer. On the Templates tab, choose the change template request.
20. Verify that the change template request is correct, and then choose Approve. If the change template needs any modification, you can choose Reject.

The details for the TemplateCreationBlog template include the Automation runbook (AWS-StopEC2Instance), description (To create a template for stopping EC2 instances), owner, author, and status (Pending review).

Figure 12: Approve TemplateCreationBlog

21. In Approve change template, enter approval comments, and then choose Approve.

In Approve change template, you can enter optional comments. In this example, Approved is entered into the Comments field.

Figure 13: Approve change template

22. On the Templates tab, you can now see the TemplateCreationBlog template has a status of Approved.

On the Templates tab, TemplateCreationBlog has a status of Approved.

Figure 14: Approved change template

Conclusion

In this blog post, we showed you how to create and approve a change template request. You can use the approved templates to create change requests. For more information, see Creating change requests in the AWS Systems Manager User Guide.

About the authors:

Snehal Nahar

Snehal Nahar is a Senior Technical Account Manager based in Charlotte, North Carolina. She is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games, and watching TV.

Yagya Vir Singh

Yagya Vir Singh is a Senior Technical Account Manager based in Nashville, Tennessee. He is passionate about AWS technologies and loves to help customers achieve their goals. Outside of the office, he loves to be with his friends and family and spend time outdoors.