Containers
Managing ROSA subscriptions at scale
One aspect of operating applications at scale is managing software in a manner that provides control as well as caters for self service and agility. As the modernization of applications and overall business processes takes place, agility requirements drive the need for teams to have access to the tools they require.
How does a large-scale enterprise ensure that software subscriptions are provided to teams that require them, but at the same time, allow teams to deploy solutions such as Red Hat OpenShift Service on AWS (ROSA) when needed?
This post will cover common implementations within large customer environments. I will explore restrictions and means of control that are being put in place and discuss AWS services being used to provide control and management building blocks. I will then discuss new features available to AWS Marketplace, AWS Organizations, and AWS License Manager, and how Red Hat OpenShift Service on AWS (ROSA) makes use of these features.
Management and control
At scale, customers make use of multiple AWS accounts. These accounts can be provisioned using AWS Control Tower and associated with the overall payment scheme using AWS Organizations. As an example, a business unit wanting to deploy application workloads on ROSA may need to create a new AWS account for nonproduction and another for production. These accounts can be provided by a cloud center of excellence (CCOE) team, or application owners could have self-service access to Control Tower to deploy accounts on their own. This allows for a repeatable, agile process.
Though teams may be allowed to deploy services and structures in a self-service manner, it is not common for application owners and all business units within a company to be able to procure new software subscriptions. One such example is AWS Marketplace products; teams may not have permissions to subscribe to a Marketplace product.
How does this impact ROSA?
ROSA makes use of AWS Marketplace for billing in order to provide a unified billing experience. Before an application team can provision ROSA clusters, they first need to enable ROSA on the AWS account. Application teams deploying new accounts need to enable these new AWS accounts for ROSA. If these teams do not have permission to subscribe, they will not be able to enable ROSA.
Restricted teams may be presented with the following:
Subscription sharing
AWS License Manager allows customers to enable ROSA within one AWS account and then share to grant the use of that subscription to other AWS accounts within the same organization. This has been possible for some time however, the process has been rather manual. A customer has to share the subscription once per account. This is not ideal if you are a large customer with hundreds of AWS accounts.
Recently launched, managed entitlements is a new feature that allows subscriptions to be shared with an entire AWS organization instead of individual accounts. So for a customer with 200 accounts, this is now a process of sharing the subscription once instead of 200 times. This blog post touches on this new ability.
Sharing ROSA subscriptions
Step 1
Enable ROSA in an AWS account linked to an organization.
Go to ROSA in the AWS Management Console and choose the enable button. The person performing this task will need the ability to subscribe to AWS Marketplace subscriptions. Enabling the ROSA service in this account will not incur costs; billing for ROSA only starts if a cluster is provisioned using the ROSA CLI.
This AWS account, if not already part of an AWS organization, can be added to one. This document discusses the creation of an organization and how to invite AWS accounts to it.
Once ROSA is enabled, select the Enable service across your AWS Organization link to share this with other AWS accounts within the organization.
Following the link will achieve a few things. First, it will take you to the AWS License Manager console. It will also pre-create the service-linked roles needed for the account to share subscriptions with other accounts.
Step 2
Grant the subscription by either selecting AWS accounts on a per-account basis or to the greater AWS organization. Within License Manager, select granted licenses on the left:
Select the ROSA granted subscription. This will take you to the details page of that grant. Choose Create grant.
Step 3
A ROSA subscription can be shared with specific AWS accounts, such as enabling application teams’ nonproduction and production accounts. This grant process will need to be repeated multiple times (once per AWS account). As such, this is not ideal for a large number of AWS accounts. Instead, you can add the AWS account number to the grant.
For large-scale organizations, ROSA subscriptions can be shared with the entire AWS organization in a single action. In this case, provide the organization ID instead of an AWS account number.
In the case of ROSA, the service is enabled across the entire AWS account, so the selection of Region is not a critical factor.
Step 4
Activate the shared subscription. Other accounts within the AWS organization will need to accept or activate the grant. Once this is done, application owners can deploy ROSA clusters using the ROSA CLI. There are a few ways in which activation can be completed: activation of individual account grants, bulk activate, and individual self-service. In the context of enabling ROSA at scale, we will touch on bulk and self-service activation.
Bulk activate
To bulk activate all individual account licenses, do the following:
- Open AWS License Manager in the AWS Management Console and go to your organization’s parent grant page.
- Select Granted Licenses on the left.
- Select the License.
- Select the Grant.
- Select Activate.
Activation and deactivation of licenses for a specific organization ID triggers individual license activations at the AWS account level. In some cases, account-level licenses might not activate due to existing licenses already active in those accounts. To check account-level grant statuses, on the Granted licenses page, choose the name of the AWS Organizations grant to see the grant’s details page.
This process is ideal for enabling ROSA across the entire organization. Again, this will not incur any costs, and it will only allow teams in accounts linked to the AWS organization to launch ROSA clusters. Costs will only be incurred if and when clusters are deployed using the ROSA CLI.
Enable individual self-service activation
Accounts can individually activate their own licenses. You need not take any further action. To activate their own licenses, grant recipients can log in to AWS License Manager.
Step 5
Launching ROSA clusters in the granted account.
Conclusion
Now that ROSA integrates the AWS License Manager ability to share subscriptions with an entire AWS Organization and creates the required service-linked roles automatically for customers, large-scale ROSA customers will enjoy an easier, faster user experience. This is also a means of enabling teams to make use of ROSA without allowing access to a very large software portfolio.
Related resources: