Subscribing to our service
Use the AWS Marketplace to subscribe to our service. Through AWS Marketplace, our service is invoiced to you as part of your monthly AWS bill, and no separate contracts or payment methods need to be established.
Note
If you have multiple AWS accounts, we recommend that you subscribe to our service only once from one account. You can use our service against multiple accounts with a single subscription.
Provisioning our access
In order for cloudnap.io to be able to schedule your resources, we need an access role provisioned in each of your AWS accounts that you want to use our service with.
This access role provides us with limited access to your AWS resources. We access this role using cross-account role assumption, which is an AWS security best practice. We also use an external ID to further enhance security when assuming the role.
Note
The access policies in our role are designed according to the principle of least privilege. The permissions you grant us allow us to perform only the functions required by our service, and nothing more.
Specifically, the policies grant us no access to your instances, your data or databases, or access into your networks.
You have multiple options to choose from on how to provision our access role:
- You can install the provided CloudFormation template on the account(s)
- You can use CDK to deploy the provided CDK stack on your account(s)
- Or you can use any of the tools you already use, such as Terraform, to deploy the required role
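As an added example (not cloudnap.io's own code or template): a Python check you could run against the trust policy of the access role after provisioning it, confirming that only the vendor account can assume the role and that the external ID is required. The account ID, external ID and function names are constructed placeholders.

```python
# Constructed placeholders, not values published by cloudnap.io.
VENDOR_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, vendor_account_id, external_id):
    """Return findings for a role trust policy; an empty list means it passes."""
    findings = []
    prefix = f"arn:aws:iam::{vendor_account_id}:"
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            # Covers "*", Service and Federated principals, and a missing Principal.
            findings.append(f"statement {i}: principal is not limited to an AWS account")
        else:
            for p in _as_list(principal["AWS"]):
                if p != vendor_account_id and not p.startswith(prefix):
                    findings.append(f"statement {i}: unexpected principal {p}")
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: action is not exactly sts:AssumeRole")
        # Only an exact StringEquals match on the single expected value is accepted.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(equals.get("sts:ExternalId", [])) != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId condition missing or wrong")
    return findings

def make_policy(principal, condition=None):
    """Build a constructed single-statement trust policy for the demo."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition is not None:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

VENDOR_ROOT = {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"}
REQUIRE_ID = {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}
GOOD = make_policy(VENDOR_ROOT, REQUIRE_ID)
NO_EXTERNAL_ID = make_policy(VENDOR_ROOT)       # confused-deputy risk
WILDCARD = make_policy({"AWS": "*"}, REQUIRE_ID)  # any account may try to assume

if __name__ == "__main__":
    for name, pol in [("good", GOOD), ("no external id", NO_EXTERNAL_ID),
                      ("wildcard", WILDCARD)]:
        print(name, "->", audit_trust_policy(pol, VENDOR_ACCOUNT_ID, EXTERNAL_ID) or "OK")
```

To check a deployed role, pass the role's trust policy document (as parsed JSON) to audit_trust_policy in place of the constructed samples.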
Deployment
A deployment is the highest level concept defining a collection of resources across one or more AWS accounts in one or more AWS regions.
A deployment can be in Enabled or Disabled state. When Disabled, no off hours activities are performed.
Accounts and regions are independent
Resources in each AWS account and region are brought down and back up independently of each other.
AWS Account and Region
For simplicity, resources in a single AWS Account and Region are recommended to be attached to a single deployment only.
Take care if attaching to multiple deployments
If resources in an Account and Region are connected to multiple deployments, take care in crafting the related Filters in such a way that no single resource is connected to multiple deployments.
Filter
Filters can optionally be connected to a deployment. Filters operate on either an opt-in or an opt-out basis (configurable per filter). If multiple filters are applied, the resulting collection of AWS resources is the combination (AND logic) of all the filters. If no filters are provided, then all resources in all the AWS accounts and Regions connected to the Deployment are in scope.
Two filters are supported at this time:
- Service filter
- Tag filter
Both filters can be used to opt in or opt out, either of AWS service categories or of individual resources based on tag key values.
A filter can be connected to multiple Deployments. In that case, an update to the filter is applied to all the connected Deployments.
Schedule
Schedules define when off hours begin and end. A single Schedule can be attached to a Deployment at any time. If no schedule is attached, the Deployment is effectively in a disabled state.
A schedule can be connected to multiple Deployments. In that case, an update to the Schedule is applied to all the connected Deployments.
Work in progress
Detailed documentation for the format of the schedule is not available yet
ChatOps
To be easily accessible, cloudnap.io integrates with both Slack and Teams based chat tools.
You can invite the cloudnap bot into your chat channels. The bot will broadcast messages when environments are about to be brought down for off hours, as well as when they are resumed.
From these messages, channel members can directly postpone or cancel the off hours action if their work is not yet complete for the day.
Work in progress
Detailed documentation for the Chat integrations is not available yet
API
All aspects of the configuration of cloudnap.io can be managed using our REST API.
Work in progress
Detailed documentation for the API is not available yet