Import from AWS
Description
Brainboard allows you to import your cloud infrastructure from AWS, and will generate the architecture diagram, the Terraform code and the tfstate for you.
{% hint style="info" %} This is considered a migration to Brainboard and not intended to be used a remediation to the drift.
Please check driftsection to understand how it works and how you can setup a remediation. {% endhint %}
Import from AWS provider prerequisites
When importing resources from AWS provider, Brainboard will scan your cloud account resources using the following AWS services:
- AWS Resource Groups Tagging: this service will list any resource which has been tagged at least once
- AWS resource explorer: this service will list all resources matching Resource Explorer view index.
Brainboard will scan your cloud account using the best effort method: it will try to find as many resources as possible, using AWS resource explorer in priority if possible.
Create indexes
In order for AWS Resource Explorer to list your existing resources, AWS needs to frequently update its search index.
The index is based per region, so we recommend creating indexes for all your regions and then selecting your main region as an aggregator index. An aggregator index will aggregate results from all other regions indexes.
If you haven't already created indexes, here are the steps to take:
- Open the AWS Resource Explorer console
- Navigate to the
Settingsmenu in the left panel:
- Click on
Create Indexes:
- Select all regions and click on
Create Indexes:
- Go back to the
Settingsmenu, select your aggregator region and click onChange Index Type:
- In the modal window, select
Aggregator Indexand click onSave changes:
Create a default view
When using Resource Explorer service, Brainboard will look for a default view in one of the regions you select during the import steps.
Here are the steps to create a default view in AWS Resource Explorer:
- Open the AWS Resource Explorer console
- Navigate to the
Viewsmenu in the left panel:
- Click on
Create View:
- In the view creation form, set a name for your view and make sure you select the region containing the aggregator index you created in the previous step:
- Once the view has been created, select the view and click on Actions button to set this view as default view:
Import cloud resources
Once your account is correctly configured to list cloud resources, you can import them into a new Brainboard architecture.
- Click on new architecture button in the top left corner
- Select the
import from your infrastructureoption:
.png)
- Select the
From you Cloud providersoption:
- Select AWS
- Select the credentials / the account that you want to import from
- The next pages explain the mechanism to use to import your infrastructure. Please read them to know which way is best for you and click Next
.png)
- Select the region(s) of your infrastructure
- Brainboard scans your region(s) and list all the resources for you that you can filter exactly those you want to import
- Give a name to your architecture and click on
Start import
{% hint style="info" %} Importing resources from your cloud account can take a long time, depending on the number of resources Brainboard will find in your account. You can either keep the import window open or wait for an email notification once the import is complete.
You will also be notified in the app when the import is done. {% endhint %}
This window will also display the remaining import credits in your Brainboard account.
Every time you select a resource to import, the number of credits that will be deducted from your account displayed at the bottom of the window is refreshed.
Limitations
When you import your cloud infrastructure, here is what you need to know about what is imported and how:
- The import uses AWS resource explorer or the tagging, so all the resources available through through these mechanisms are supported
- Information that are not disclosed by AWS are not available, for e.g:
- Virtual machine passwords
- Database passwords
- Sensitive information
{% hint style="info" %} So we replace these sensitive information in the code with a placeholder string "ignored-as-imported" {% endhint %}
- The goal is to run the plan without having any errors, but sometimes you may have some:
- When only one parameter is needed out of 2 possible. When we do the import, the default values are imported from AWS. So even if we are continuously improving the process to fix this mutually exclusive parameters, in some situations we keep it as it is for the user to decide what is correct.
Exclusions and optimization
It is very important when you are importing resources to filter out those you will not maintain in Terraform (as it doesn't make sense) or ephemeral resources. You can use this list as a starting point:
| AWS resource type | Comment |
|---|---|
| acm:certificate | We don't recommend importing sensitive information |
| appstream:image-builder | |
| athena:datacatalog | |
| athena:workgroup | |
| backup:recovery-point | |
| cloudformation:stack | |
| cloudformation:stackset | |
| cloudtrail:trail | |
| cloudwatch:alarm | |
| codebuild:project | |
| config:config-rule | |
| ec2:default-security-group | |
| ec2:image | |
| ec2:network-insights-path | |
| ecs:task | |
| elasticloadbalancing:targetgroup | |
| iam:mfa | |
| iam:saml-provider | |
| kms:key | |
| lambda:event-source-mapping | |
| logs:log-group | |
| memorydb:acl | |
| memorydb:parametergroup | |
| networkmanager:global-network | |
| redshift:parametergroup | |
| secretsmanager:secret | We don't recommend importing sensitive information |
| ssm:session |
Best practices
- Do smaller imports: The golden rule is to import only resources that are supposed to be managed in the same lifecycle:
- To reduce the blast radius
- Have a light tfstate for future operations
- Better diagram and code navigation
- If you have different environments like dev, staging and prod, don't import them all in one import. Separate the environments and do different imports for different purposes.
- Don't import sensitive information in clear text. Surprisingly, when you do the import, if the credentials are allowed to read the key vault secrets it will be able to list them for import. Better to not import them and just reference them using the
data objectsinstead. - After the first import, create a version in Brainboard called for e.g,
Initial import. This is an immutable snapshot that you can revert to if needed later.