AWS Cloud Operations Blog
Centrally track Oracle database licenses in AWS Organizations using AWS License Manager and AWS Systems Manager
As you continue to run business-critical workloads in hybrid environments, you will most likely face license-management challenges for products from vendors such as Microsoft, SAP, Oracle, and IBM, because visibility and governance are limited. The usual outcome is one of two: you over-provision licenses to avoid disputes with third-party license providers, or you under-provision them and face steep penalties at the next audit.
AWS License Manager makes it simpler to track your licensing usage for licenses from different vendors. Here are the two main use cases:
- AWS license included – using AWS license included instances allows you access to fully-compliant licenses, where AWS handles the tracking and management for you.
- Bring Your Own License (BYOL) – License Manager makes it easy for you to set rules to manage, discover, and report software (BYOL) license usage.
License Manager uses the AWS Systems Manager agent to discover applications and database editions. However, some cases, such as discovering the Oracle database edition, require a user with access to and permissions on the Oracle database itself. Because License Manager on its own has limited insight into Oracle editions and management packs, license compliance becomes hard to manage. In this post, I'll show you how to build a solution using Systems Manager and License Manager that centrally discovers and tracks your BYOL Oracle database editions and management packs across the AWS accounts and Regions of an AWS Organizations organization.
Note:
- This solution can discover and track Oracle Database version 11.2 and later running on Linux-based Amazon Elastic Compute Cloud (Amazon EC2) instances.
- Information derived from this solution is to be used for informational purposes only and does not represent any license entitlement or requirement.
Prerequisites
To deploy this solution across multiple regions and/or accounts in an organization, complete the following steps.
- Database Options/Packs Usage Reporting. To identify which features and license options a database uses, you need the Oracle-provided options_packs_usage_statistics.sql script, available on My Oracle Support (MOS) in Database Options/Management Packs Usage Reporting for Oracle Databases 11.2 and later (Doc ID 1317265.1). See MOS Doc ID 1309070.1 for more on DBA_FEATURE_USAGE_STATISTICS, the view that is the main source of information for that script.
- Enable trusted access with Organizations for CloudFormation. This solution leverages AWS CloudFormation and StackSets to provision all of the required components. Because StackSets perform stack operations across multiple accounts and Regions, before you can create your first stack set you need the necessary permissions defined in your AWS accounts. Complete the following tasks as described in Enable trusted access with AWS Organizations:
- Enable all of the features in Organizations. Enabling all of the features allows the solution to create StackSets with service-managed permissions and sharing license configurations with member accounts.
- Enable trusted access with Organizations. Enabling trusted access allows StackSets to create the necessary AWS Identity and Access Management (IAM) roles in the organization’s management account and member accounts when the solution creates stack sets with service-managed permissions.
- Use a delegated administrator. This solution uses the management account within AWS Organizations, but you can also designate an account (delegated administrator) to manage this on behalf of the organization. If you intend to use a delegated account then you will need to register it as delegated administrator for CloudFormation stack set operations as described in Register a delegated administrator.
- Distribute license configurations with member accounts in all target Regions. To distribute self-managed licenses within your organization, open the License Manager console in the organization's management account, choose Settings, and then select Link AWS Organizations accounts. When you select this option, License Manager adds a service-linked role to the management and member accounts. These settings are Regional, so repeat this step in every target Region. If you intend to use a delegated administrator account, then from the License Manager console of the management account choose Settings, and under Delegated administrator choose Delegate administrator. Enter the ID of the AWS account you want to assign, and then choose Delegate. You can't use the ID of the management account; it must be a member account.
Once completed, under the Settings section you should see a link to the new Resource Share ARN (AWS Resource Access Manager (AWS RAM)), as shown in the following figure.
Figure 1: License Manager Settings with resource share ARN
- Create license configurations. In License Manager, create license configurations for these Oracle database editions in each AWS Region where Oracle databases are deployed:
- OracleDbEELicenseConfiguration for Enterprise Edition
- OracleDbSE2LicenseConfiguration for Standard Edition 2
- OracleDbPELicenseConfiguration for Personal Edition
- OracleDbXELicenseConfiguration for Express Edition
A license configuration represents the licensing terms in your agreement with the software vendor. The names above are case-sensitive and must be created exactly as written. Using AWS CloudShell, run the AWS CLI command that creates these license configurations once for each target Region, replacing REGION with the Region name.
For instructions to create these license configurations using the console, see Create a license configuration in the License Manager User Guide.
- Share license configurations. After defining your license configurations, use Organizations or AWS RAM to share those license configurations with your member accounts. For instructions to share license configurations, see the Tracking software usage across multiple AWS accounts using AWS License Manager post.
After you share your principals (AWS account/Organization/Organizational unit) and resources (license configurations), you should see them in the AWS RAM console:
Figure 2: Shared principals and resources in the AWS RAM console
- Manage instances using Systems Manager. A managed instance is an Amazon EC2 instance that is configured for use with Systems Manager. Managed instances can use Systems Manager services such as Run Command, Patch Manager, and Session Manager. You must make sure that all instances targeted for this solution meet the prerequisites to become a managed instance including configuring instance permissions for Systems Manager as described in Setting up Systems Manager for EC2 instances.
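As an added example (it is not the CloudShell command from the original post, which is not reproduced above), the following shell script creates the four license configurations in every Region passed on the command line using the AWS CLI, skipping any that already exist in that Region. The counting type (vCPU) and the descriptions are my assumptions, not values from the post; pick the counting unit that matches your Oracle agreement.

```shell
#!/bin/sh
# Added example, not the original post's command: create the four Oracle
# license configurations in each target Region with the AWS CLI.
# Assumptions (not from the post): vCPU counting and no hard limit, so that
# over-use is reported rather than blocked; descriptions are placeholders.
set -eu

EDITIONS="OracleDbEELicenseConfiguration:Oracle Database Enterprise Edition
OracleDbSE2LicenseConfiguration:Oracle Database Standard Edition 2
OracleDbPELicenseConfiguration:Oracle Database Personal Edition
OracleDbXELicenseConfiguration:Oracle Database Express Edition"

# Print the create command for one configuration. Keeping it a function lets
# the caller review the commands (DRY_RUN=1) before anything is created.
create_cmd() {  # $1 name, $2 description, $3 Region
  printf 'aws license-manager create-license-configuration --region %s --name %s --description "%s" --license-counting-type vCPU\n' "$3" "$1" "$2"
}

# True if a configuration with this exact (case-sensitive) name already exists
# in the Region, so a re-run does not create duplicates.
exists() {  # $1 name, $2 Region
  [ -n "$(aws license-manager list-license-configurations --region "$2" \
        --query "LicenseConfigurations[?Name=='$1'].Name" --output text)" ]
}

create_all() {  # $@ Regions; set DRY_RUN=1 to print the commands only
  for region in "$@"; do
    echo "$EDITIONS" | while IFS=: read -r name desc; do
      cmd=$(create_cmd "$name" "$desc" "$region")
      if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; continue; fi
      if exists "$name" "$region"; then echo "skip: $name already exists in $region"; continue; fi
      eval "$cmd"
    done
  done
}

# Usage: DRY_RUN=1 sh create-oracle-license-configs.sh us-east-1 eu-west-1
if [ $# -gt 0 ]; then create_all "$@"; fi
```

Run it once with DRY_RUN=1 to check the names against the list above before creating anything; the Automation associates instances by these exact names, so a typo here surfaces later as instances that never get a license configuration.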
Solution overview
The following figure shows the solution architecture. In addition to License Manager, the solution uses the following Systems Manager features:
- Automation to orchestrate the discovery workflow.
- State Manager to invoke the Automation document on a user-defined frequency.
- Inventory to maintain the information collected about the instances, the Oracle database editions and management packs running on them.
Steps 1–8 discover the Oracle editions and packs. Steps 9–11 query and visualize the discovered data using Amazon Athena and Amazon QuickSight. This post focuses on discovering and tracking Oracle database editions and management packs; to learn more about visualization, see Query and visualize Microsoft SQL Server license utilization using Amazon Athena and Amazon QuickSight.
Figure 3: Solution architecture
1. Invoke the OracleDbLTS-Orchestrate Automation: State Manager invokes the OracleDbLTS-Orchestrate Automation and passes the parameters from which the solution determines the target organizational unit IDs or AWS accounts and the Regions where your Oracle database instances are deployed.
2. Remove old custom Inventory data: The Orchestrate Automation first invokes the OracleDbLTS-DeleteInventory Automation in each target member account to remove the old custom Inventory schema from Systems Manager Inventory, so that the Inventory data reflects only the current run. The Inventory data comprises the Oracle database editions and all packs installed and/or used.
3. Invoke the OracleDbLTS-ManageLicenceUtilization Automation: Once the deletion has completed, the OracleDbLTS-Orchestrate Automation invokes the OracleDbLTS-ManageLicenceUtilization Automation to discover the Oracle databases in the account and track their utilization for license management.
4. Remove old License Manager data: The Automation first disassociates the target instance from any existing license configuration, so that License Manager reflects the latest discovery even when the instance has changed since the previous run (for example, someone removed Oracle Database or installed a different edition).
5. Download license tracking solution scripts: The three scripts needed to query the database instance for its edition and for the management packs installed and in use are downloaded from the artifacts bucket.
6. Discovery: The Automation then targets instances according to the State Manager association definition, determines which type of Oracle database is running, and stores the result in the artifacts bucket under ssm-output. Instances can be targeted using the keys ParameterValues, ResourceGroup, tag: (the default), AWS::EC2::Instance, or InstanceIds; see the Target data type in the Systems Manager API Reference for details.
7. Update Inventory: The discovered data is used to update Systems Manager Inventory. In this step the Automation creates two custom schemas, with their metadata, to store the Oracle edition details and the management packs.
8. Update License Manager: Finally, the Automation updates License Manager with the license utilization data and associates the target instance with the matching license configuration defined in License Manager. The discovered data under ssm-output is cleared for the next run.
Note that steps 1–8 use Systems Manager Automation to discover and track Oracle database editions and packs. Steps 9–11 are only needed if you want to aggregate, query, and visualize the discovered data.
9. Aggregate Inventory data using resource data sync: You can use Systems Manager resource data sync to send the Inventory data collected from all of your managed instances across the member accounts to a single Amazon Simple Storage Service (Amazon S3) bucket. Resource data sync then updates the centralized data automatically whenever new Inventory data is collected. For more details, see Walkthrough: Use resource data sync to aggregate inventory data.
10. Query the centralized Inventory data: Amazon Athena is an interactive query service that lets you analyze the Inventory data in Amazon S3 using standard SQL.
11. Visualize Inventory data: With Amazon QuickSight you can create and publish interactive BI dashboards with insights powered by machine learning (ML).
Walkthrough
To deploy the solution, download this CloudFormation template and deploy it in the management or delegated administrator account of your organization.
This template deploys the following resources required for this solution:
- Systems Manager documents
  - OracleDbLTS-Orchestrate includes the logic to run steps 1 and 3 of the solution overview.
  - OracleDbLTS-DeleteInventory includes the logic to run step 2 of the solution overview.
  - OracleDbLTS-ManageLicenceUtilization includes the logic to run steps 4–8 of the solution overview.
- IAM roles and policy
  - OracleDbLTS-SystemsManagerAutomationAdministrationRole, for the administration of the Automation documents.
  - OracleDbLTS-SystemsManagerAutomationExecutionRole, deployed using StackSets across all target accounts and Regions, for the execution of the Automation documents.
  - OracleDbLTS-SSMS3BucketPolicy, a managed policy attached to the IAM role(s) of all targeted managed instances, which allows Systems Manager to read from and write to the artifacts bucket.
  - OracleDbLTSUtilityFunctionRole, required by the Lambda function OracleDbLTS-UtilityFunction.
- S3 bucket
  - An artifacts bucket that stores the required tracking scripts and the (transient) output from Systems Manager.
- OracleDbLTS-UtilityFunction
  - A Lambda utility function that:
    - creates the State Manager associations, one association per 50 child OUs under the specified TargetOUs parameter. This works around two Automation limits: (1) at most 50 organizational units/accounts per TargetLocation, and (2) no recursion through nested OUs when running automations in multiple AWS Regions and accounts.
    - sets up the S3 bucket, including copying the two scripts that the solution itself provides.
Once the template has been deployed, use AWS CloudShell to upload the options_packs_usage_statistics.sql script to the s3://ARTIFACT-BUCKET-TARGET/scripts/ prefix of the artifacts bucket. The Lambda function copies the other two scripts for you; this Oracle-provided script is the one you obtained from MOS in the prerequisites.
Invoking the solution using a State Manager association
The association(s) created by OracleDbLTS-UtilityFunction invoke the solution once upon creation, and then on the user-defined cron schedule. By default, the associations are scheduled to run on the last Tuesday of every month at midnight UTC.
Validating that the execution ran successfully
After the association has triggered the Automation, open the Systems Manager console in the management account, and from the left navigation pane choose Automation. In Automation executions, you should see the status of OracleDbLTS-Orchestrate along with OracleDbLTS-DeleteInventory and OracleDbLTS-ManageLicenceUtilization, as shown in the following figure.
Figure 4: Automation executions (management account)
For more details on the status of individual instances, you can click on the Step ID of OracleDbLTS-ManageLicenceUtilization and navigate to the instance of interest, as shown in the figure below.
Figure 5: Automation execution detail (management account)
To confirm that the license utilization data has been updated in License Manager, open the License Manager console in the management account and the selected Region. Depending on the licenses consumed, the Customer managed licenses list will look something like the following figure:
Figure 6: Customer managed licenses (management account)
All information regarding the Oracle database, including edition and management pack utilization, is aggregated in Systems Manager Inventory in the member account. You can view it in the Inventory console (aggregated view) or in Fleet Manager (per-instance view). The following two figures show the details of an Oracle database edition and the management packs in use, as displayed in Fleet Manager.
Figure 7: Oracle database edition in Fleet Manager (member account)
Figure 8: Oracle database feature/management packs usage details in Fleet Manager (member account)
If you want to aggregate, query, and visualize the discovered data, you can refer to steps 9 – 11 in the Solution overview.
Note that SSM Agent runs on Amazon EC2 instances with root permissions (Linux) or SYSTEM permissions (Windows Server). The solution relies on this to switch to the Oracle OS user, which has the permissions to query the views and tables needed to track license utilization. The flip side is that any principal allowed to run Automation or Run Command against these instances can run commands as root on them, so keep the IAM permissions of the Automation roles, and of anyone who can invoke Systems Manager against these instances, scoped to what this solution needs. For details on restricting the permissions of SSM Agent, see Restricting access to root-level commands through SSM Agent.
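To make steps 4 and 6–8 of the solution overview and the root-to-oracle hand-off just described concrete, here is an added shell example of the per-instance work; it is not one of the solution's own tracking scripts. It assumes, and none of this is stated in the post, that the database owner is the OS user oracle, whose login profile sets ORACLE_HOME and ORACLE_SID and who can connect / as sysdba through OS authentication; that the AWS CLI is installed on the instance; and that the instance role holds ssm:PutInventory and the License Manager permissions used below (the post's Automation performs these calls from its execution role instead). The custom Inventory type name Custom:OracleDbEdition and its attributes are placeholders, not the solution's real schema.

```shell
#!/bin/sh
# Added example, not one of the solution's own tracking scripts: the per-instance
# part of steps 4 and 6-8 (drop the old association, discover the edition, write
# custom Inventory, attach the matching license configuration).
# Assumptions (not stated in the post): OS user "oracle" owns the database, its
# login profile sets ORACLE_HOME/ORACLE_SID, it can connect "/ as sysdba" via OS
# authentication, and the AWS CLI plus the needed IAM permissions are present.
set -eu

# SSM Agent runs this as root; runuser -l drops to the oracle account and loads
# its profile, so the query never runs with root's environment or privileges.
oracle_query() {  # $1 SQL text
  runuser -l oracle -c 'sqlplus -S "/ as sysdba"' <<EOF | sed 's/[[:space:]]*$//'
SET HEADING OFF FEEDBACK OFF PAGESIZE 0 LINESIZE 200 TRIMOUT ON
$1
EXIT
EOF
}

# Map the V$VERSION banner to one of the license configuration names from the
# prerequisites. Unknown banners fail rather than guess: pre-12.1.0.2 Standard
# Edition banners carry no edition text, and the post defines no SE/SE1 name.
edition_from_banner() {  # $1 banner
  case "$1" in
    *"Enterprise Edition"*) echo OracleDbEELicenseConfiguration ;;
    *"Standard Edition 2"*) echo OracleDbSE2LicenseConfiguration ;;
    *"Personal Edition"*)   echo OracleDbPELicenseConfiguration ;;
    *"Express Edition"*)    echo OracleDbXELicenseConfiguration ;;
    *) echo "unrecognised Oracle edition banner: $1" >&2; return 1 ;;
  esac
}

# JSON for `aws ssm put-inventory --items`. Custom type names must start with
# "Custom:"; CaptureTime must be yyyy-MM-ddTHH:mm:ssZ. The type name and the
# attribute names here are placeholders, not the solution's real schema.
inventory_payload() {  # $1 banner, $2 license configuration name, $3 capture time
  printf '[{"TypeName":"Custom:OracleDbEdition","SchemaVersion":"1.0","CaptureTime":"%s","Content":[{"Banner":"%s","LicenseConfiguration":"%s"}]}]' "$3" "$1" "$2"
}

# License configuration ARNs carry an opaque lic-... id, so resolve by name.
license_config_arn() {  # $1 name, $2 Region
  aws license-manager list-license-configurations --region "$2" \
    --query "LicenseConfigurations[?Name=='$1'].LicenseConfigurationArn" --output text
}

track_instance() {  # $1 instance id, $2 Region, $3 account id
  resource="arn:aws:ec2:$2:$3:instance/$1"

  # Step 4: clear any previous association before discovering, so a changed
  # edition is never left attached to a stale license configuration.
  for arn in $(aws license-manager list-license-specifications-for-resource \
      --region "$2" --resource-arn "$resource" \
      --query 'LicenseSpecifications[].LicenseConfigurationArn' --output text); do
    aws license-manager update-license-specifications-for-resource --region "$2" \
      --resource-arn "$resource" --remove-license-specifications "LicenseConfigurationArn=$arn"
  done

  # Step 6: discover. With set -e an unknown banner aborts here, leaving the
  # instance unassociated rather than associated with the wrong edition.
  banner=$(oracle_query "SELECT banner FROM v\$version WHERE banner LIKE 'Oracle Database%';")
  lc=$(edition_from_banner "$banner")

  # Step 7: record the finding in custom Inventory.
  aws ssm put-inventory --region "$2" --instance-id "$1" \
    --items "$(inventory_payload "$banner" "$lc" "$(date -u +%Y-%m-%dT%H:%M:%SZ)")"

  # Step 8: attach the matching license configuration.
  aws license-manager update-license-specifications-for-resource --region "$2" \
    --resource-arn "$resource" \
    --add-license-specifications "LicenseConfigurationArn=$(license_config_arn "$lc" "$2")"
}

# Usage: track_oracle.sh i-0123456789abcdef0 us-east-1 123456789012
if [ $# -eq 3 ]; then track_instance "$@"; fi
```

Two points carry over to any variant of this script: run the SQL as the database owner rather than as root, and refuse to associate a license configuration when the edition cannot be determined, since a wrong association is worse for an audit than a missing one that shows up as an unassociated instance.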
Adding new accounts and Regions
If you add new OUs outside the currently targeted OUs, or new Regions, you must update the parameters of the CloudFormation stack. If you only add accounts to OUs that are already targeted, the solution picks them up automatically.
CloudFormation:
- In the CloudFormation console, choose the original template that you deployed, and then choose Update.
- Leave the Use the current template option selected.
- Under Automation Documents, update the TargetRegions and/or TargetOUs parameters with the new values.
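The same update from the AWS CLI, as an added example that is not part of the original post. The stack name and OU IDs are placeholders, and CAPABILITY_NAMED_IAM is assumed because the template creates IAM roles with fixed names; the list of other parameters to carry forward depends on your template and is not known from the post.

```shell
#!/bin/sh
# Added example, not from the original post: the CLI form of the console update
# above. Stack name and OU IDs are placeholders; CAPABILITY_NAMED_IAM is assumed
# because the template creates IAM roles with fixed names.
set -eu

# CLI shorthand splits ParameterValue on commas, so a list-typed value such as
# "us-east-1,eu-west-1" must have each comma escaped as "\," or the update fails.
escape_list() { printf '%s' "$1" | sed 's/,/\\,/g'; }

# Every other template parameter must be carried forward explicitly with
# UsePreviousValue=true; an update-stack call that omits one is rejected.
keep_previous() {  # $@ parameter keys to keep unchanged
  for k in ${1+"$@"}; do printf ' ParameterKey=%s,UsePreviousValue=true' "$k"; done
}

update_stack_cmd() {  # $1 stack, $2 Regions (comma list), $3 OU IDs (comma list), rest: keys to keep
  stack=$1; regions=$2; ous=$3; shift 3
  printf 'aws cloudformation update-stack --stack-name %s --use-previous-template --capabilities CAPABILITY_NAMED_IAM --parameters ParameterKey=TargetRegions,ParameterValue=%s ParameterKey=TargetOUs,ParameterValue=%s%s\n' \
    "$stack" "$(escape_list "$regions")" "$(escape_list "$ous")" "$(keep_previous ${1+"$@"})"
}

# Print the command first, then pipe it to sh once it looks right:
#   update_stack_cmd OracleDbLTS us-east-1,eu-west-1 ou-abcd-11111111,ou-abcd-22222222 | sh
```

The `\,` escaping is the part that trips people up: without it the CLI reads `us-east-1,eu-west-1` as two shorthand fields and rejects the parameter, so the update never reaches the Automation documents.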
Clean up
If you want to remove the resources and solution after testing, then you can clean up the resources deployed by the CloudFormation template using the CloudFormation console or AWS CLI to delete the main CloudFormation stack. When you delete the CloudFormation stack, all of the solution components will be deleted.
Conclusion
In this post, I showed you how to use License Manager, Systems Manager, and Organizations to automate the tracking of your Oracle database licenses, including management packs running on Amazon EC2 instances across multiple accounts and Regions. This solution can be extended to govern other software licenses consumed not only in AWS, but also across your hybrid environments, throughout your organization to avoid any surprises during your next audit.
About the author: