AWS GovCloud Account Configuration and Troubleshooting in CloudHealth

Article ID: 283553


Products

CloudHealth

Issue/Introduction

This documentation describes how to configure GovCloud accounts within CloudHealth and how to identify and diagnose issues that may affect GovCloud visibility in the platform.

Resolution

Configuring GovCloud Accounts

Before getting started, it's important to understand that GovCloud accounts are inherently different from normal accounts. A GovCloud account requires a second, "blank" standard account through which its billing information is reported. To view account activity and usage reports for the AWS GovCloud account, you must sign in to the standard AWS account (using that account's credentials). You cannot view usage and activity from the AWS Management Console for the AWS GovCloud Region, so CloudHealth uses the relationship between the two AWS accounts to populate cost and usage information within the platform.

STEP 1 - Configure Accounts in AWS

Two (2) accounts will need to be configured within AWS:

  1. A "Commercial" account that receives the Detailed Billing Record/Cost and Usage Report. This configuration is like any normal AWS account setup, but the account should ideally be left blank and not used for any purpose besides supporting the GovCloud "Assets" account. It acts as the parent account of the actual GovCloud "Assets" account.
  2. An "Assets" account that contains all of the infrastructure. This is the actual GovCloud account, which resides in one of the special GovCloud AWS regions. It holds all of the infrastructure, but reporting cannot be pulled directly from it (this is why the separate "Commercial" account is required).

Additional details on this can be found in the AWS documentation here: https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/usage-and-payment.html

NOTE: AWS states that it is a best practice to create a new AWS account that you will use only for AWS GovCloud (US) access (the "Commercial" account). This allows you to:

  • Transfer the AWS GovCloud (US) account to another party.
  • Ensure the root user of the standard AWS account, which is the parent account of the AWS GovCloud (US) account, is a U.S. citizen.
  • Fully close the AWS GovCloud (US) accounts without affecting your other AWS workloads.
  • Note also that software vendors who want to be listed in the AWS GovCloud (US) Region should sign up as a Direct Customer, whether they are resellers or not.


STEP 2 - Create a Read-Only IAM User in AWS

User-based (IAM user) authentication is required for GovCloud accounts. Instructions on how to configure this are in the link below.

Configure AWS GovCloud Account

NOTE: User-level authentication is only necessary for GovCloud accounts. Normal accounts are recommended to use role-based authentication.


STEP 3 - Configure Accounts in CloudHealth

Two (2) accounts will need to be configured within CloudHealth:

  1. A "Commercial" account that will be either Standalone or Consolidated. All billing and usage will appear as though it originated from this account (it corresponds to the "Commercial" GovCloud account in AWS). This should be set up in CloudHealth as a "Standard" account type.
  2. A blank account that will be Linked to the "Commercial" account. This is where the infrastructure lives, and it will be linked to the "Assets" AWS account. This should be set up in CloudHealth as a "GovCloud" account type.

NOTE: For channel customers, this configuration takes place within the customer tenant.



Commercial Account Example


  • Account Name should reflect the account that is to be used for reporting/billing
  • Account Type should be "Standard"
  • Authorization Type should be the recommended "Role" type, for the best security
  • Billing fields may be populated, but are usually left blank because this account is generally linked to a consolidated account


Assets Account Example


  • Account Name should reflect the GovCloud account that houses the assets and infrastructure
  • Account Type should be "GovCloud"
  • Authorization Type should be "User"
  • Billing fields should be left blank in all situations


Partner Considerations

STEP 4 (For Partners ONLY) - Link Accounts via API

Follow the instructions for "Connect GovCloud Commercial Account to GovCloud Asset Account" in the link below to ensure the linkage is communicated to the Partner tenant.

https://apidocs.cloudhealthtech.com/#partner_connect-govcloud-commercial-account-to-govcloud-asset-account

NOTE: This step must be completed from the main Partner tenant.

The GovCloud APIs available are the following:

  1. Connect GovCloud Commercial Account to GovCloud Asset Account
  2. List All GovCloud Linkages Owned by Current Customer
  3. Details of Single GovCloud Linkage
  4. Update Single GovCloud Linkage
  5. Understand Format of GovCloud Linkage Payload

GovCloud Commercial Accounts: All accounts that show the "Linked" Account Type and "Role Based" Authentication Type in CloudHealth. These column values may differ slightly, but you can be sure they are the Commercial accounts because the Billing Account field is populated as well.

GovCloud Asset Accounts: All accounts that show the "No Current Billing" Account Type and "User Based" Authentication Type in CloudHealth. Asset accounts always have these two Account and Authentication types, and the Billing Account field is blank.

NOTE: An AWS GovCloud "Asset" account is always associated with a single standard AWS "Commercial" account for billing and payment purposes.


Diagnosing and Resolving GovCloud Issues

For any issue surrounding a GovCloud account, it's important to run through a few checks to ensure the configuration is correct before trying to diagnose the issue further. The first few steps you should always take are the following:

  1. Check the account configuration in CloudHealth to ensure at least two accounts exist to support the GovCloud assets
    • If you cannot easily determine a "Commercial" account that is associated with the GovCloud "Asset" account, additional work will need to be conducted.
      • Confirm with the customer that two accounts were configured and exist within AWS
      • Configure the accounts appropriately within CloudHealth
    • If there are two accounts visible, move to step 2.
  2. Make sure the accounts are configured correctly within CloudHealth
    • Check that the following conditions are true and fix anything that is not correct:
      • The "Commercial" account should be set up as a normal AWS account and be linked to the consolidated bill.
      • The "Asset" account (this is the actual GovCloud account) should be configured as the "GovCloud" account type, should show "No Current Billing", and should use User-based authentication.
    • If the accounts appear to be configured correctly, follow up with the customer to confirm the AWS configuration.
      • If it's a direct customer and there are still issues, move to regular troubleshooting or create a JIRA to research further if needed.
      • If it's a channel customer managed by a partner, move to step 3.
  3. (PARTNERS) Confirm that the appropriate GovCloud APIs were used
    • A connection needs to be made from the partner tenant for CloudHealth to display the appropriate reporting and run partner billing accurately.
      • Ask the customer whether or not they have run "Connect GovCloud Commercial Account to GovCloud Asset Account", and to run it if they haven't.
      • Once the API has been run, move to step 4.
  4. (PARTNERS) Rerun bill processing
    • After everything above is confirmed to be complete, a billing rerun may be necessary.
      • If any of the above configuration was needed, submit a JIRA to rerun billing.
      • If all of this has been completed and there are still issues, move to regular troubleshooting or create a JIRA to research further if needed.
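The following is an added example, not CloudHealth's own code, that turns the column values described under "GovCloud Commercial Accounts" / "GovCloud Asset Accounts" and steps 1 through 3 of the checklist above into a single configuration check. The record shape (`CHAccount`), the `commercial_aws_id` field, the account rows, the 12-digit AWS account IDs and the partner linkage set are all constructed assumptions; the script reads nothing from the CloudHealth UI or API, so an engineer would populate the rows from an export of the AWS Accounts list before running it.

```python
"""Configuration check for AWS GovCloud account pairs in CloudHealth.

Added example (not CloudHealth's own code). It encodes the column values the
article describes for "Commercial" and "Asset" accounts, and steps 1-3 of the
diagnosis checklist, as a function that reports what needs fixing. Account
rows, AWS account IDs and partner linkages below are constructed sample data
in an assumed record shape; nothing here calls the CloudHealth UI or API.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass
class CHAccount:
    """One row of the CloudHealth AWS Accounts list (assumed field names)."""
    name: str
    aws_id: str
    account_type: str       # configured type: "Standard" or "GovCloud"
    auth_type: str          # "Role" or "User"
    billing_status: str     # list column: "Linked", "No Current Billing", "Standalone", "Consolidated"
    billing_account: str = ""      # populated on Commercial accounts, blank on Asset accounts
    commercial_aws_id: str = ""    # assumed field: the Commercial account an Asset account reports through


def classify(acct: CHAccount) -> str:
    """Classify a row as 'commercial', 'asset' or 'unknown' from the column values the article lists."""
    if acct.auth_type == "Role" and acct.billing_account:
        return "commercial"
    if (acct.auth_type == "User" and not acct.billing_account
            and acct.billing_status == "No Current Billing"):
        return "asset"
    return "unknown"


Finding = Tuple[int, str, str]   # (checklist step, account name, what to fix)


def check_govcloud_config(accounts: List[CHAccount], partner_tenant: bool = False,
                          linkages: FrozenSet[Tuple[str, str]] = frozenset()) -> List[Finding]:
    """Run steps 1-3 of the checklist. `linkages` holds (commercial, asset) AWS id
    pairs already connected from the partner tenant."""
    findings: List[Finding] = []
    by_id = {a.aws_id: a for a in accounts}
    for acct in accounts:
        is_asset = acct.account_type == "GovCloud" or classify(acct) == "asset"
        if not is_asset:
            # User-level authentication is only for GovCloud accounts (Step 2 note)
            if acct.auth_type == "User":
                findings.append((2, acct.name, "normal accounts should use Role-based authentication"))
            continue
        # Step 1: can a Commercial account be determined for this Asset account?
        commercial = by_id.get(acct.commercial_aws_id)
        if commercial is None:
            findings.append((1, acct.name, "no Commercial account found; confirm both AWS accounts exist and configure them in CloudHealth"))
            continue
        # Step 2: Asset account column values
        if acct.account_type != "GovCloud":
            findings.append((2, acct.name, "Asset account must be the GovCloud account type"))
        if acct.auth_type != "User":
            findings.append((2, acct.name, "Asset account must use User-based authentication"))
        if acct.billing_account or acct.billing_status != "No Current Billing":
            findings.append((2, acct.name, "Asset account must show No Current Billing with blank billing fields"))
        # Step 2: Commercial account column values
        if commercial.account_type != "Standard":
            findings.append((2, commercial.name, "Commercial account must be the Standard account type"))
        if commercial.auth_type != "Role":
            findings.append((2, commercial.name, "Commercial account should use Role-based authentication"))
        if not commercial.billing_account:
            findings.append((2, commercial.name, "Commercial account should be linked to the consolidated bill"))
        # Step 3 (partners only): the pair must be connected via the partner API
        if partner_tenant and (commercial.aws_id, acct.aws_id) not in linkages:
            findings.append((3, acct.name, "not linked from the partner tenant; run Connect GovCloud Commercial Account to GovCloud Asset Account"))
    return findings


# Constructed sample rows; the 12-digit ids are placeholders, not real AWS accounts.
SAMPLE_ACCOUNTS = [
    CHAccount("acme-govcloud-billing", "111111111111", "Standard", "Role", "Linked", billing_account="999999999999"),
    CHAccount("acme-govcloud-assets", "222222222222", "GovCloud", "User", "No Current Billing", commercial_aws_id="111111111111"),
    CHAccount("beta-govcloud-assets", "333333333333", "GovCloud", "User", "No Current Billing", commercial_aws_id="444444444444"),
    CHAccount("gamma-assets", "555555555555", "Standard", "User", "No Current Billing", commercial_aws_id="111111111111"),
]
SAMPLE_LINKAGES = frozenset({("111111111111", "222222222222")})  # only the acme pair was connected

if __name__ == "__main__":
    for step, name, what in check_govcloud_config(SAMPLE_ACCOUNTS, partner_tenant=True, linkages=SAMPLE_LINKAGES):
        print(f"step {step}: {name}: {what}")
```

Run against the sample rows with `partner_tenant=True`, the acme pair passes, `beta-govcloud-assets` stops at step 1 because its Commercial account is not in the list, and `gamma-assets` is flagged at step 2 (User authentication on a "Standard" type instead of "GovCloud") and again at step 3 because no linkage was made from the partner tenant. Findings carry the checklist step number so the remaining manual actions (confirming with the customer, submitting a JIRA for a bill rerun) can be picked up at the right point.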