Reference: Setting up a multi-account AWS target

Starting with version 8.14.4, you can configure a single AWS target to access multiple accounts (either all accounts or a subset of accounts). This feature is also referred to as 'multi-account target' and is intended to eliminate the need to configure several targets to access the same accounts.

  1. (Recommended) If you have existing AWS targets and you added them before version 8.14.4 to discover individual accounts, you can consolidate them starting with version 8.14.4 for efficiency.

    Note:

    Skip this step if your existing targets are for AWS accounts that are not included in the multi-account target that you are setting up in the next step.

    To consolidate existing AWS targets, it is recommended that you delete them before adding a multi-account target. Otherwise, you will see a notification about duplicate targets when you view the details for the multi-account target.

    Navigate to Settings > Target configuration and then delete the targets individually.

    To ensure a seamless transition to a multi-account target, Turbonomic persists data for the deleted targets, as long as the data is not scheduled for deletion based on your data retention settings. To prevent any potential data loss, it is recommended that you set up a multi-account target immediately after deleting your existing targets.

  2. Set up a multi-account target.

    1. In AWS, set up an IAM user or IAM role for the management account that manages member accounts.

      After you set up the IAM identity, record the following information. You need this information when you add the multi-account target in the Turbonomic user interface.

      • For an IAM role, record the ARN.

      • For an IAM user, record the access key ID and secret access key.

    2. In AWS, set up a cross-account IAM role for the member accounts. The multi-account target in Turbonomic uses this role to discover the member accounts.

      After you set up the role, record the IAM role name (not the ARN). You need this information when you add the multi-account target. The default name is Turbonomic_Org_Access.

    3. In the Turbonomic user interface, navigate to Settings > Target configuration and then click Add target.

    4. Select AWS and then click Connect Target.

    5. In the Connection overview page, specify the display name and select Multiple accounts.

    6. In the Management account access page, click the IAM Role or IAM User tab, depending on the IAM identity that you set up for the management account.

      • For an IAM role, specify the ARN that you recorded in a previous step.

      • For an IAM user, specify the access key ID and secret access key that you recorded in a previous step.

    7. In the Member account access page, specify the cross-account IAM role name that you recorded in a previous step.

    8. Complete the target addition steps and click Add target.

    9. In the Target configuration page, find the multi-account target that you just added and then click View.

      • The Current state tab shows the status of the multi-account target. The status shows a warning if there are issues discovering the accounts that you configured for the target.


        If you did not delete individual targets as described at the beginning of this topic, the Current state tab also shows a notification that informs you of duplicate targets. It is recommended that you delete these individual targets since the AWS accounts they manage are now discovered as part of the multi-account target that you just set up. The notification stops displaying after the targets are deleted.

        Note:

        It is possible to configure a multi-account target along with a single-account target. For example, you can configure a multi-account target to access the management account and all but one member account, and a single-account target to access the member account that is not included in the multi-account target. When you configure multiple targets, be sure that no account exists in more than one target. Otherwise, the same notification about duplicate targets displays because multiple targets are reporting the same account. You will need to either update or delete targets until only one of them is accessing that account.

      • The Related targets tab shows the number of accounts that the multi-account target manages and a warning icon if there are issues with any of the accounts. Click the tab to review the details for the accounts.

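The following is an added example, not part of the Turbonomic documentation: a check that the trust policy on a member account's cross-account role (step 2.2) trusts only the management-account identity recorded in step 2.1. It assumes the management identity reaches the member role through `sts:AssumeRole`; the ARNs, account IDs, and function names are constructed for illustration.

```python
import json

# Constructed sample value: hypothetical management-account role ARN (step 2.1).
MGMT_ROLE_ARN = "arn:aws:iam::111111111111:role/ExampleMgmtRole"
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}

def as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_json, trusted_arn):
    """Return findings for a role trust policy; an empty list means it passes."""
    findings, trusted_seen = [], False
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        actions = set(as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not ASSUME_ACTIONS & actions:
            continue  # only statements that grant role assumption matter here
        if "NotPrincipal" in stmt:
            findings.append("NotPrincipal with Allow trusts everyone not listed")
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal: any AWS identity can assume the role")
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                if kind == "AWS" and value == trusted_arn:
                    trusted_seen = True
                elif value == "*":
                    findings.append(f"wildcard {kind} principal")
                else:
                    findings.append(f"unexpected {kind} principal: {value}")
    if not trusted_seen:
        findings.append(f"management identity not trusted: {trusted_arn}")
    return findings

def trust(principal):
    """Build a constructed one-statement trust policy for the samples below."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]})

# Constructed sample policies for the Turbonomic_Org_Access role in a member account.
GOOD = trust({"AWS": MGMT_ROLE_ARN})
TOO_BROAD = trust({"AWS": [MGMT_ROLE_ARN, "arn:aws:iam::222222222222:root"]})
OPEN = trust({"AWS": "*"})

if __name__ == "__main__":
    for name, doc in [("GOOD", GOOD), ("TOO_BROAD", TOO_BROAD), ("OPEN", OPEN)]:
        print(name, audit_trust_policy(doc, MGMT_ROLE_ARN) or "ok")
```

In practice the input is the `AssumeRolePolicyDocument` that `aws iam get-role` returns for the role in each member account.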