As a Cloud Operations administrator, you can continuously discover your existing cloud accounts and onboard them to Tanzu Hub. You can also provision new accounts, apply governance to them, and investigate the findings for the CIS benchmarks that get applied to the accounts when you provision them.

Onboard an existing account

When you onboard an existing account, Tanzu Hub discovers your cloud account and creates an inventory of the resources in your account. You can create a desired state template from the current state of the account. Then, you can use that desired state template to continuously enforce the desired state of the account.

Before you onboard an account, follow these prerequisites.

  • For Amazon AWS accounts and Microsoft Azure accounts:
    • Verify that you are an administrator or a member in a project in Tanzu Hub.
    • Verify that you have a cloud account in Tanzu Hub for the discovered member account in Amazon AWS or the discovered subscription in Microsoft Azure. For details, go to Setting up connection accounts in VMware Tanzu Hub.
    • When you onboard an existing cloud account, you must configure elevated credentials on the account so that you can enforce governance on it. For details, refer to the appropriate topic for your cloud provider in Setting up connection accounts in VMware Tanzu Hub.
  • Only for Amazon AWS:
  • Only for Microsoft Azure: Verify that you have a subscription in your Azure account.

To have Tanzu Hub discover and onboard your account, and continuously apply governance on the desired state of the account, follow these steps.

This example demonstrates how to onboard an existing Amazon AWS account. The steps are similar for Microsoft Azure.

  1. Log in to Tanzu Hub.
  2. Connect the account to Tanzu Hub so that it can begin collecting data from it. Go to the relevant topic for your provider in: Setting up connection accounts in VMware Tanzu Hub.
  3. In Tanzu Hub, click Guardrails > Summary
  4. Click the link to the account that has the most open findings.
  5. Create a governance desired state template from the current state of the account.
    1. Click Account Actions.
    2. Click Templatize Account and review the information populated in the dialog box.
    3. Select a single region, and click Create Template. When you select the region, a desired state template gets created that includes the resources in the region, including global resources.
    4. In the status pop-up message, click the link to the desired state template list. The status of the policy creation displays that it is in progress. When the policy creation finishes, the status changes to Ready. You can then use the policy to enforce governance on your account.
  6. Expand the policy that got created, and review the code in the policy.
  7. If needed, you can download the policy and make any changes to it.
  8. When you are ready to apply the policy to your account, click Apply Policy.
  9. Provide the information for governance of the onboarded account.
    1. For the general section, select Onboarded accounts, select the account you are onboarding, and select the region.
    2. For the desired state section, provide the input parameters for the desired state template to run, and click Validate Inputs.
    3. For the monitor or enforce section, select an option. To enforce the policy, you must have elevated credentials on the account. For details, go to Setting up connection accounts in VMware Tanzu Hub.
    4. Click Apply Desired State Templates.

When the policy runs, Tanzu Hub discovers all the resources for your accounts. For more information about the resource states that you can use in your desired state templates, go to Supported Idem states in VMware Tanzu Guardrails desired state templates.

Provision a new account

When you provision a new AWS account or a new Azure subscription, the provisioning process onboards the root account or root subscription that you created, and creates the new account or subscription under the root account or subscription.

Before you provision a new account or subscription, follow these prerequisites.

Prerequisites for provisioning all accounts and subscriptions:
  • You must have the roles of Tanzu Hub admin and Tanzu Guardrails admin.
  • Be aware that the following desired states get created, by default, on the new account or subscription that you provision under the root account or subscription. These desired states monitor the CIS benchmark rules for AWS and Azure that VMware Aria Automation for Secure Clouds enables.
    • VMware Aria Automation for Secure Clouds - CIS AWS foundation Benchmark 1.5.0
    • VMware Aria Automation for Secure Clouds - CIS AZURE foundation Benchmark 1.5.0
Prerequisites for provisioning new AWS accounts:
  • Be aware that the provisioning of a new AWS account occurs in the context of an AWS root account that you create and onboard in Tanzu Hub.
  • Create an AWS root account that has access to all the AWS services and resources in the account.
    • You can create the root account in your AWS instance, or you can create it in Tanzu Hub by clicking Set Up and Configure > Accounts > New Account, and providing the information.
  • Onboard the AWS root account in Tanzu Hub. Then, verify that the root account has both elevated privileges and read-only privileges. For details, go to Setting up connection accounts in VMware Tanzu Hub.
  • Verify that organization trails are enabled on the root account. Organization trails allow for auditing and monitoring the root account and any child accounts.
  • If you are enabling an account for a cost recommendation, you must add the read-only permission ce:GetRightsizingRecommendation. For more information about AWS permissions, refer to Access permissions for Amazon AWS desired state templates in VMware Tanzu Guardrails.
Prerequisites for provisioning new Azure subscriptions:
  • Be aware that the provisioning of a new Azure subscription occurs in the context of an Azure root subscription that you create and onboard in Tanzu Hub.
  • Create an Azure root subscription that has access to all the Azure services and resources in the subscription.
    • You can create the root subscription in your Azure instance, or you can create it in Tanzu Hub by clicking Set Up and Configure > Accounts > New Account, and providing the information.
    • You will select the root subscription when you provision a new Azure subscription in Tanzu Hub.
  • Onboard the Azure root subscription in Tanzu Hub. Then, verify that the root account has both elevated privileges and read-only privileges. For details, go to Setting up connection accounts in VMware Tanzu Hub.
  • In your Microsoft Azure instance, you must provide extra permissions that enable Tanzu Hub to automate the provisioning of new Azure subscriptions. You will manually assign the following permissions to Tanzu Hub:
    • Subscription Creator permission
    • API permissions

    To assign these permissions, follow these steps.

    1. Invoke the API that you must run for the put command.
      1. To use the put command, go to Enrollment Account Role Assignments - Put command.
      2. To follow the correct use for the request body and parameters, go to Assign roles to Azure Enterprise.
      3. Provide the following input parameters:
        Parameter Description
        Billing Account Name The ID that uniquely identifies a billing account, <BILLING_ACCOUNT_ID>.
        Enrollment Account Name The ID that uniquely identifies an enrollment account, <ENROLLMENT_ACCOUNT_ID>.
        billingRoleAssignmentName The ID that uniquely identifies a role assignment.
        api-version The version of the API to be used with the client request. The current version is 2019-10-01-preview.
        Subscription Creator role Definition ID The location of the role definition ID.

        /providers/Microsoft.Billing/billingAccounts/<BILLING_ACCOUNT_ID>/enrollmentAccounts/<ENROLLMENT_ACCOUNT_ID>/billingRoleDefinitions/a0bcee42-bf30-4d1b-926a-48d21664ef71
    2. Locate the principal ID.
      1. Search for the Azure active directory.
      2. Click Enterprise Applications.
      3. Apply the filter of Application Type == All Applications.
      4. Search for the name of the subscription that you created.
      5. Copy the object ID and pass it as a principal ID.
    3. Obtain the principal tenant ID: principalTenantID.
      1. Navigate to App Registrations.
      2. Search for the elevated application in your subscription. The principal tenant ID, also called the Director (tenant) ID, appears in the overview area.
    4. Enable the API permissions for Tanzu Hub.
      1. Navigate to App Registrations.
      2. Search for the elevated application in your subscription.
      3. Click API permissions, and click Add a permission.
      4. For the Delegated permission, add Application.ReadWriteAll.
      5. For the Application permission, add ApplicationReadWrite.All.
      6. For the Application permission, add Application.ReadWrite.OwnedBy

After you complete the prerequisites, you can provision your new account or subscription.

For more information about Azure permissions, refer to Access permissions for Microsoft Azure desired state templates in VMware Tanzu Guardrails.

To provision a new AWS account or a Microsoft Azure subscription:

After you complete the prerequisites, you can provision a new AWS root account or a new Azure subscription.

  • New AWS accounts get provisioned under the AWS root account.
  • New Azure subscriptions get provisioned under the Azure root subscription.

To provision a new account or subscription, follow these steps.

  1. Log in to Tanzu Hub.
  2. Click Guardrails > Summary.
  3. Click Provision new accounts, and click the relevant cloud provider card.
    • For AWS: Select the root account, OU, account information, and any cloud tags.
    • For Azure: Select the root subscription, billing and enrollment information, account information, and any cloud tags.
    • For AWS and Azure: To be able to enforce desired states on the account or subscription, keep the project scope to None (Organization scope)
  4. Click Create Account.
    • The onboarding, provisioning, and event stream configuration begins.
    • If the provisioning process times out, click the Retry button.

    The new account or subscription appears in Tanzu Hub in the list of accounts.

  5. View the new account or subscription.
    1. Click Configure > Accounts.
    2. When the status of the account or subscription displays OK, you can begin to apply desired state templates to it.

Apply a desired state template to your new account

You can apply a desired state template to your newly provisioned account to create a desired state for the account.

To locate the desired state templates:

  1. Click Guardrails > Policies.
  2. On the Templates card, click View.
  3. Filter the desired state templates as needed.
  4. Click a desired state template, and click Apply Policy.
  5. Enter the general selections, and select the type of accounts on which to apply the desired state template.
    • Onboarded Accounts: Manually onboarded accounts and accounts that Tanzu Hub provisions and onboards.
    • All Provisioned Accounts: Existing accounts and any accounts that you will provision in Tanzu Hub.
    • All Accounts: All onboarded accounts. As accounts get added or removed, the desired state in the desired state template gets applied to those accounts.
  6. Select the desired state templates you need.
  7. Define the desired states and validate the inputs.
  8. Click Monitor or Enforce. If you choose to enforce desired states, you must have elevated credentials. For details, go to Setting up connection accounts in VMware Tanzu Hub.
  9. Click Apply Desired State Templates, and review the findings.

When the desired state template runs, it creates a desired state for your account. Any drift from the desired state of the account appears as a finding in Tanzu Hub.

Monitor your account for drifts from the desired state

Review the findings for your account, and investigate the drift findings that have the highest attention score.

  1. Click Guardrails > Findings.
  2. Filter the results to display the drift findings.
  3. Resolve any drifts from the desired state that the desired state template defined.

For more information, go to Investigate VMware Tanzu Guardrails findings.