The Policy Engine allows users who have been assigned the Super Admin role to automate certain actions for newly discovered EC2 instances and current instances based on matching keywords. The maximum number of permitted policies or policy limit is 500.
Policies may be set up to attach a specific schedule to discovered resources or to assign them to a certain team. Depending on how the policy is set up, users may be prohibited from detaching or attaching schedules, allowed to only snooze resources, and so on.
The policy engine also supports Continuous Policy Enforcement. If enabled on the main Policy Screen of the ParkMyCloud console, this feature will re-apply your policies every time your resources are discovered (typically every 5-10 minutes).
This ensures your system always matches your intended configuration, even if you change the name of a resource or its tags. Formerly, the system only applied policies when a resource was first discovered, or when the Admin selected the Reapply All command (which is also still available).
Policies may only be created, modified, and removed by users who have been assigned the Super Admin Role. Team Leads are only permitted to view policies in ParkMyCloud.
How Policies Work in ParkMyCloud
Created policies are stored in a single ruleset for each organization. Access has been restricted to the Super Admin role because these policies are held at an organizational level. Only users with the Super Admin role are able to create, edit, or remove policies in ParkMyCloud.
By default, policies only affect newly discovered resources and not resources that are already in the system. They are also executed in the order they are displayed. This means that subsequent policies only act on resources not affected by earlier policies. Once all resources have been acted upon, no more policies will be executed, even if additional ones have been created.
If the first policy's scope impacts all discovered resources in ParkMyCloud, then no other policies would be executed during that specific discovery pass. The order of policies can be changed by using the provided icon (see Changing the Policy Execution Order).
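The ordering rule described above, modelled as an added example (this is not ParkMyCloud code, and it calls no ParkMyCloud API). It shows how a broad policy placed early can claim a resource before a later restriction policy reaches it. The matching rule (case-insensitive substring match on the resource name), the policy names and the resource names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    keywords: tuple  # an empty tuple is treated as "matches everything" (assumption)
    action: str      # free-text label; the model does not execute anything

def in_scope(policy, resource):
    # Assumed rule: case-insensitive substring match on the resource name.
    return not policy.keywords or any(k.lower() in resource.lower() for k in policy.keywords)

def discovery_pass(policies, resources):
    """Return ({resource: policy name}, [unmatched]); first matching policy wins."""
    assigned, remaining = {}, list(resources)
    for policy in policies:
        if not remaining:
            break  # everything has been acted upon, so later policies never run
        for r in [r for r in remaining if in_scope(policy, r)]:
            assigned[r] = policy.name
            remaining.remove(r)
    return assigned, remaining

def overridden(policies, resources):
    """Resources that a later policy also matches but an earlier one claimed."""
    assigned, _ = discovery_pass(policies, resources)
    findings = []
    for r, winner in assigned.items():
        losers = [p.name for p in policies if p.name != winner and in_scope(p, r)]
        if losers:
            findings.append((r, winner, losers))
    return findings

def shadowed(policies, resources):
    """Policies that match at least one resource yet end up applied to none."""
    winners = set(discovery_pass(policies, resources)[0].values())
    return [p.name for p in policies
            if p.name not in winners and any(in_scope(p, r) for r in resources)]

# Constructed sample data, not taken from any real account.
RESOURCES = ["prod-web-01", "prod-db-01", "dev-web-01", "test-batch-07"]
POLICIES = [
    Policy("Park web tier", ("web",), "attach parking schedule"),
    Policy("Protect production", ("prod",), "restriction: never park"),
    Policy("Protect databases", ("db",), "restriction: never park"),
]

if __name__ == "__main__":
    print(discovery_pass(POLICIES, RESOURCES))
    print(overridden(POLICIES, RESOURCES))
    print(shadowed(POLICIES, RESOURCES))
```

With the sample order, prod-web-01 receives the parking schedule rather than the Never Park restriction; moving the restriction policies to the top of the list changes that outcome.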
After resources have been discovered and acted upon, users may make changes to the resources based on the permissions given by their assigned role and within the bounds of any restrictions included as part of the policies.
Let's say a resource has been assigned a parking schedule and assigned to a team. A team member is able to detach the schedule, attach a different one, or move the resource to a different team, as long as the Never Park or Snooze Only restrictions have not been applied.
If the Never Park restriction has been applied, then the user will not be able to perform any actions on the resource including attaching/detaching schedules, toggling states, or snoozing the schedule.
If the Snooze Only restriction has been applied, then the user will only be able to place a snooze on the schedule and will then be able to toggle the state while the snooze is in effect. The actions users are allowed to perform will depend on their assigned role and what restrictions have been chosen in the policy configuration.
The Policy Engine can be accessed by clicking on Policies in the left navigational menu. Policy information will appear on the right side of the screen after clicking on this option. Only users with the Super Admin Role are able to create, remove, or change policies.
After clicking on Policies, all existing policies along with options for creating, reordering, editing, removing, and re-applying policies to your resources will be shown on the right side of the screen. When no policies have been set up, the screen will appear as shown below:
The screen will appear differently once a few policies have been created in ParkMyCloud. You will see the current execution order of policies along with any assigned schedules, teams, and actions. The Right Dive > Icon indicates that additional information may be viewed for each policy. Click on any policy within the list and the screen will dive right to display this additional information.
Only users with the Super Admin Role are allowed to create and edit policies in ParkMyCloud. If you are a Super Admin, the Edit Screen will appear as shown below:
If you are a Team Lead, you will be able to click on Policies in the left navigational menu and view the policy details, but will not be permitted to make changes. The Edit Screen will appear as shown below for Team Leads. It will not contain options for saving changes or removing the policy. The user will also not be able to alter the displayed configuration.
Users who have been assigned the Team Member or Purchasing roles are not allowed to view the policy information and will not see this option in the left navigational menu when logged in.
When a policy is created, the dialog box may be used to provide a policy name, enter a set of keywords to define the policy's scope, and choose common actions to take for any resources matching the policy. More than one of these actions may be chosen and configured for a given policy in ParkMyCloud.
- Schedule - Automatically attach a parking schedule or detach (remove) a parking schedule.
- Assign to Team - Choose a team for new resources to be automatically assigned to during discovery.
- Restrictions - Restrict or un-restrict resources falling within the policy scope (snooze only, never park, no restrictions).
- ASG Parking Method - Changes how AWS Autoscale Groups behave when parked.
  - Terminate Instances: This is the default mode of operation, where ParkMyCloud will park an ASG by reducing its desired size, and AWS will terminate ASG instances as needed to reach the intended size. If this is the desired method, you do not need to select this action unless you are using it to modify an existing deployment. By default, the system will set the parked size of an ASG to zero instances. If something other than zero is desired, then you will need to go to the ASG details within the ParkMyCloud console and modify the desired minimum manually.
  - Stop Instances: This advanced action will set the parking method for this ASG to use the ASG Stop Instances mode. In this mode, ParkMyCloud will suspend the internal AWS ASG processes that would normally automatically launch a new instance, and then will STOP the instances. When unparking, the instances will be restarted, and the appropriate AWS ASG processes restored. If this action is taken, the system will configure a default set of suspended processes for the ASG. If something other than these defaults is desired, then you will need to go to the ASG details within the ParkMyCloud console and modify the desired suspended processes manually.
- Accept Pending SmartParking Recommendation - This option can be used to select a pending SmartParking recommendation metric threshold (Conservative, Balanced, or Aggressive) for the policy.
Once the scope has been defined, the policy may be tested to see what resources fall within the defined scope. This allows you to evaluate the scope and make any needed changes before saving and/or applying the policy to resources.
After policies have been created, you will be able to change their order in the policy engine and apply them based on the defined order. This order may be changed at any time and will be followed for each new discovery. Changes to a policy (order, restrictions, etc.) will take effect on the next discovery for new resources only unless you have used the re-apply all policies option.
When a policy needs to be applied to a current resource, this will involve using the Reapply All Now option, which will apply current policies to any resources already in the system that fall within the defined scope.
Important: Be careful when using this option and be aware of which policies will be applied, as not doing so could result in potential harm to hundreds or thousands of resources.
You can also elect to have your policies applied on an ongoing basis via the Always Apply option. This is especially helpful when managing a large organization which exclusively uses policies to manage schedules, teams, and so on.
When many policies exist in ParkMyCloud, you can use the Filter Field to find one or multiple policies. This is helpful when changes must be made to a policy or one needs to be removed. The filter field may also be used to locate a policy and change its execution order.
For example, if you type in the name of a policy such as Test Server 1 and then hit Enter on your keyboard, then only policies matching that name appear in the list. Use the X to remove the filter and view all policies again.
The drop-down arrow on the right-end of the filter field may be used to enter more specific search criteria including: policy name, schedule, team, or action. This information corresponds to each displayed column. Enter a value for one or more filters and then click on Search to filter the results based on the value(s).
The results will appear as shown below and can be cleared by clicking on the X to the right of "Filtered".