Supportability on AWS Cloud Discovery for Shareable AWS resources


Details

Shareable AWS resources are AWS resources that are made available across AWS accounts through AWS RAM (Resource Access Manager).

In current releases (Orlando, Paris, Quebec), during AWS Cloud Discovery, a shareable AWS resource is discovered only in the datacenter / service account to which it belongs.

--------

Due to this limitation, shareable AWS resources can cause the warning "Uncompleted partial payloads persisted in Discovery flow" in the discovery log and an IRE error like the one below in the node log:

 identification_engine                    : MISSING_DEPENDENCY In payload no relations defined for dependent class [cmdb_ci_cloud_subnet] that matches any containment/hosting rules: [cmdb_ci_network <- Contains <- cmdb_ci_cloud_subnet]. 

--------

This happens because, after the CAPI to Pattern migration, some AWS patterns build partial payloads using a source_native_key composed of the service account, datacenter and object id.

IRE then uses the source_native_key to match and update the relevant CMDB record.

However, the source_native_key in a partial payload for a shareable AWS resource can be created with a service account other than the one the resource belongs to, so IRE cannot match it to any CMDB record.

For example, a VPC belongs to Service Account A in region ap-southeast-2, so its source_native_key should be A_ap-southeast-2_vpcObjectId.

Service Account B uses this VPC in region ap-southeast-2. When Service Account B is discovered, the pattern builds the source_native_key B_ap-southeast-2_vpcObjectId.

This payload does not match any CMDB record, which causes the "Uncompleted partial payloads persisted in Discovery flow" message and the IRE error.
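The mismatch described above can be reproduced outside the platform. The following is an added illustration, not ServiceNow pattern or IRE code: the key layout follows the VPC example, while the function names, object ids and CMDB contents are constructed assumptions. It separates a reference to a resource owned by another service account from one that is missing from the CMDB altogether.

```javascript
// Added illustration; not ServiceNow pattern or IRE code.
// Key layout <serviceAccount>_<datacenter>_<objectId> follows the VPC example above.
function buildSourceNativeKey(serviceAccount, datacenter, objectId) {
  return [serviceAccount, datacenter, objectId].join('_');
}

// Classify the key a pattern would build while discovering `discoveringAccount`.
// cmdbKeys: Set of source_native_key values already stored in the CMDB.
// knownAccounts: all service accounts covered by discovery.
function classifyPartialPayload(discoveringAccount, datacenter, objectId, cmdbKeys, knownAccounts) {
  const key = buildSourceNativeKey(discoveringAccount, datacenter, objectId);
  if (cmdbKeys.has(key)) {
    return { key, status: 'matched' };
  }
  // No exact match: look for the same datacenter and object id under another account.
  // A hit means the resource is shared and was keyed with the consumer's account.
  for (const account of knownAccounts) {
    if (account === discoveringAccount) continue;
    const ownerKey = buildSourceNativeKey(account, datacenter, objectId);
    if (cmdbKeys.has(ownerKey)) {
      return { key, status: 'shared-resource-mismatch', ownerKey };
    }
  }
  return { key, status: 'unmatched' };
}

// Constructed sample data: the shared VPC is recorded only under its owner, account A.
const sampleAccounts = ['A', 'B'];
const sampleCmdbKeys = new Set([
  buildSourceNativeKey('A', 'ap-southeast-2', 'vpc-0aaa1111'),
  buildSourceNativeKey('B', 'ap-southeast-2', 'vpc-0bbb2222'),
]);

// Discovering account B, which uses A's VPC, builds a key that is not in the CMDB.
const sharedCase = classifyPartialPayload(
  'B', 'ap-southeast-2', 'vpc-0aaa1111', sampleCmdbKeys, sampleAccounts);
console.log(sharedCase.status, sharedCase.key, '->', sharedCase.ownerKey);
```

A 'shared-resource-mismatch' result corresponds to the situation that produces the "Uncompleted partial payloads persisted in Discovery flow" warning, while 'unmatched' points to a resource that has not been discovered under any account.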

--------

Affected patterns include, but are not limited to:

Amazon AWS - Route Table (LP)
Amazon AWS - ACL (LP)
Amazon AWS - NIC (LP)
Amazon AWS - Security Group (LP)

Additional Information

Shareable AWS resources

CAPI to Pattern Migration