Introduction

This topic is a comprehensive guide for using Tanzu Cloud Service Broker for AWS if you have service instances that belong to deactivated plans. It will:

• Help you identify and manage instances that have become orphaned due to plan deactivation, ensuring that these instances remain secure and functional.
• Raise awareness of the importance of maintaining security standards and minimizing the attack surface for orphaned service instances.
• Give you practical strategies for handling these instances, including migration and transitioning to user-defined instances, in light of changes in service plan support and available features.
• Discuss the implications of plan deactivation on your service instances and the necessary steps to prevent potential service disruptions or security vulnerabilities.
• Guide you through checking for orphaned service instances by using specific command-line tools.

Commands for Orphaned Instance Management

This section provides a concise summary of the commands and steps required for detecting orphaned service instances in the Tanzu Cloud Service Broker for AWS (CSB) and Cloud Foundry environments.

Detecting Orphaned Service Instances

1. Install the upgrade-all-services CLI plug-in by running:

   cf install-plugin -r CF-Community "UpgradeAllServices"
   

2. Check for orphaned instances by using the plug-in. Run this command to identify instances linked to deactivated plans:

   cf upgrade-all-services <broker_name> -check-deactivated-plans
   

3. Review logs: Review output of the plug-in to identify any instances that require attention.

If there are any service instances belonging to deactivated plans, it is essential to resolve these before attempting any further upgrades of the Cloud Service Broker for AWS. For more information, see strategies for handling orphaned instances.

Section 1: Overview of Orphaned Service Instances

In the context of the CSB for AWS and Cloud Foundry environments, it’s essential to understand what constitutes orphaned service instances, why they occur, and the best practices for managing them.

What Is an Orphaned Service Instance?

• Definition: An orphaned service instance refers to a service instance that Cloud Foundry recognizes as part of the CSB, but the CSB lacks the necessary information to manage it effectively.
• Implications: Having orphaned instances in your Cloud Foundry environment can lead to challenges in manageability, upgradeability, agility, and security:
  • Manageability: These instances cannot have their configurations changed when required.
  • Upgradeability: These instances cannot be upgraded when required.
  • Agility: Management of these instances can become critical at inopportune moments.
  • Security: Inability to manage these instances can pose significant security risks, especially in situations requiring immediate response.

Why Do Orphaned Instances Exist?

• Service removal: Instances can become orphaned when the service to which they belong is removed, either for strategic reasons or other considerations.
• Plan removal: Instances can become orphaned due to the removal of plans, either for strategic reasons or other considerations.
• Custom plan changes: Upgrades in the CSB can lead to the removal of old custom plans, which can also cause orphaned instances.
• Plan ID changes: Altering the plan ID in the service catalog can lead to the treatment of existing resources as different, resulting in orphaned instances. This is because the CSB views the modified plan ID as a new resource, disconnected from its original configuration and management context.

Recommended Actions for Orphaned Instances

When the Cloud Service Broker for AWS is upgraded or configuration changes are made to plans, check for orphaned service instances. For more information, see detecting orphaned service instances.

Section 2: Identifying and Managing Orphaned Service Instances

This section provides guidance on identifying service instances that have become orphaned in the CSB for AWS and Cloud Foundry environments. Addressing these instances is crucial for maintaining security, manageability, upgradeability, and agility.

Identifying Orphaned Service Instances

• Using CLI tools: Utilize Cloud Foundry CLI tools to identify orphaned instances.

  • CLI Cloud Foundry upgrade-all-services plug-in - Flag -check-deactivated-plans: You can use this flag to check for instances linked to deactivated plans.
  • For more information, see the following documentation:
    • Cloud Foundry CLI Reference Guide - Install CLI Plugin.
    • Cloud Foundry Documentation - Using a Cloud Foundry CLI Plugin.
    • Cloud Foundry Community - Cloud Foundry CLI UpgradeAllServices Plugin.
    • UpgradeAllServices CLI Plugin on GitHub - Flags.

  • Plug-in Installation: To further clarify the installation of the plug-in, here is a code example:

    # Example code to demonstrate plugin installation
    cf install-plugin -r CF-Community "UpgradeAllServices"
    

  • Example of execution: To further clarify the use of the plug-in, here is a code example:

    # Example code to demonstrate plugin usage
    cf upgrade-all-services <broker_name> -check-deactivated-plans
    

  • Example of log: To further clarify the use of the plug-in, here is an execution example:

    ✓ cf upgrade-all-services csb-broker-dev -check-deactivated-plans                                              
    2024-01-16T14:34:43Z: discovering service instances for broker: csb-broker-dev
    2024-01-16T14:34:43Z: skipping instance: "s3-dev" guid: "1fe84e95-21c0-4acd-9bd9-6f2796971e46" Deactivated Plan: "default" Offering: "csb-aws-s3-bucket" Offering guid: "837f5ff6-5765-44a0-8b78-d7e3ebc8d428" Upgrade Available: false Last Operation Type: "create" State: "succeeded"
    upgrade-all-services plugin failed: discovered deactivated plans associated with instances. Review the log to collect information and restore the deactivated plans or create user provided services
    

Section 3: Strategies for Handling Orphaned Instances

Section 3 outlines the steps and strategies necessary for managing and resolving issues related to orphaned service instances in CSB for AWS and Cloud Foundry environments.

Options for Addressing Newly Orphaned Instances

If an orphaned service instance was created with the current version of the Cloud Service Broker for AWS, it can be resolved by doing one of the following:

1. Move to a new plan: when a service instance belongs to a deactivated plan, you can update the service instance to be associated with a valid plan. First, identify a valid plan for the service instance, then issue a command to update the plan. Changing a plan might update the service instance properties to match the default properties of the new plan.

   cf update-service SERVICE-INSTANCE-NAME -p NEW-PLAN-NAME
   

   Where: - SERVICE-INSTANCE-NAME is the name of the service instance. - NEW-PLAN-NAME is the name of the valid plan that you have chosen.

2. Restore removed plans: you may choose to restore a plan that was removed. To do this, update the plan configuration in the tile. The plan must have the same name, ID, and properties as before. For more information, see Configure services with Cloud Service Broker for AWS.

Options for Addressing Historic Orphaned Instances

If an orphaned service instance was created with a previous version of the Cloud Service Broker for AWS, it is not possible to resume management of the service instance with a later version of the Cloud Service Broker for AWS. In such cases, your options include:

1. Transitioning to a user-provided service instance: You can keep the service instance in AWS, but it will no longer be managed by the Cloud Service Broker for AWS, instead it becomes a user-provided service instance.

   • Obtain the credentials of the service instance from CredHub.
   • Use the cf create-user-provided-service command to create a new service instance with the credentials.
   • Bind apps to the new user-provided service instance.
   • Restart the apps.
   • Purge the orphaned service instance by using the cf purge-service-instance command.

2. Remove the service instance: You can remove the service instance. To do this:

   • Back up any data that you want to retain from the service instance. You can import this data into a newly created service instance if desired.
   • Remove the service instance via the AWS console or CLI.
   • Purge the service instance from CloudFoundry by using the cf purge-service-instance command.
   • Log into the Cloud Service Broker for AWS app with cf ssh <app name> and then run the command app/cloud-service-broker purge <service instance id>. This removes data about the service instance and all binding from the Cloud Service Broker for AWS database.

Implications of Ignoring Orphaned Instances

• Neglecting orphaned instances during CSB updates can lead to an unhealthy environment.
• Upgrade instructions for custom plans related to orphaned instances can become ineffective, necessitating manual migration.

Summary

We have addressed the crucial aspects of managing orphaned service instances within the Tanzu Cloud Service Broker for AWS and Cloud Foundry environments. The key takeaways include:

The Significance of Orphaned Service Instances

• Orphaned instances defined: Disconnected service instances are those recognized by Cloud Foundry but they cannot be managed by the CSB due to missing information.
• Risks and challenges: These instances pose significant risks in terms of manageability, upgradeability, agility, and security. Their presence can hinder system updates, configuration changes, and timely response to security threats.

Proactive Steps and Best Practices

• Identifying instances: Regularly use Cloud Foundry CLI tools to check for orphaned instances, especially use the UpgradeAllServices plug-in with the -check-deactivated-plans flag.
• Root causes: Instances become orphaned primarily due to plan removals, changes in custom plans, or by altering plan IDs.
• Effective management: Involves regular checks, database purge if necessary, and avoiding outdated methods like recreating plans to rejoin instances to the broker.

Resolution Strategies

• User-provided instances: Emphasize moving to user-provided instances or migrating data to new instances within the broker.
• Avoid complications: If you ignore orphaned instances, especially during CSB updates, it can lead to an unhealthy environment and complicated upgrade processes.

Final Thoughts

Managing orphaned service instances is an essential aspect of maintaining a secure, agile, and manageable cloud environment. By following these strategies and guidelines, you can ensure that your Cloud Foundry environments remain robust and responsive to changing needs and potential security risks.