Manually configuring SQS, SNS, and EventBridge rules - Adaptive Applications - BlueCat Gateway - 21.3.1

If your AWS user account has write permissions to SQS, SNS, and EventBridge, the Enable Visibility after Discovery option attempts to create the queue and rule if they do not exist in AWS. If your AWS user account does not have the correct write permissions, you must manually configure the SQS, SNS, and EventBridge rules. The following section outlines how to create the required rules for your account in AWS to enable visibility.

Cloud Discovery & Visibility creates a hash which is appended to the names of EventBridge, SNS Topic, and SQS Queue strings. The hash is produced from a string that is a combination of the ARN username, Address Manager URL, the Address Manager username, the AWS region name, the AWS account, and the configuration name, separated by underscores. In the following example, the string consists of the following information:

• ARN username—dduong
• Address Manager URL—192.168.56.93
• Address Manager username —dduong
• AWS region name—us-west-1
• AWS account—938684065067
• Configuration name—us-west-1
  Note: If the BLUECAT CONFIGURATION field is empty, the configuration name is the AWS region name. In this example, us-west-1.

You can manually generate the hash of the string using the following command:

echo -n <string> | md5sum

If this fails due to the account having insufficient write permissions to those services, contact an AWS administrator to grant you temporary write access or have them configure the AWS SQS Standard queue, SNS, and EventBridge Rule as follows:

• Create a Standard SNS topic in your region with the name BC-CDV-SNS-EC2-TOPIC-<hash string>. In the following example, the topic created is BC-CDV-SNS-EC2-TOPIC-30d431e82a945cd7819fb3cce23c61a8:
  
  
  
  
  When configuring the Standard SNS topic, use the following values for each associated key:

  Key	Value
  Type	Standard
  Name	BC-CDV-SNS-EC2-TOPIC-<hash string> In this example, BC-CDV-SNS-EC2-TOPIC-30d431e82a945cd7819fb3cce23c61a8
  Encryption - optional	Disabled
  Access policy - optional	Method: Basic Define who can publish messages to the topic: Only the topic owner Define who can subscribe to this topic: Only the topic owner
  Delivery retry policy (HTTP/S) - optional	Use the default delivery retry policy { "http": { "defaultHealthyRetryPolicy": { "numRetries": 3, "numNoDelayRetries": 0, "minDelayTarget": 20, "maxDelayTarget": 20, "numMinDelayRetries": 0, "numMaxDelayRetries": 0, "backoffFunction": "linear" }, "disableSubscriptionOverrides": false } }
  Delivery status logging - optional	Default

• Create a Standard SQS queue in your region with a name in the following format: BC-CDV-<hash string>. In the following example, the queue created is BC-CDV-30d431e82a945cd7819fb3cce23c61a8:
  
  
  
  
  When configuring the Standard SQS queue, use the following values for each associated key:

  Key	Value
  Type	Standard
  Env	Prod
  Queue name	BC-CDV-<hash string> In this example, BC-CDV-30d431e82a945cd7819fb3cce23c61a8

  Configuration
  Visibility timeout	30 seconds
  Message retention period	4 days
  Delivery delay	0 seconds
  Maximum message size	256 KB
  Receive message wait time	0 seconds

  Access policy - Define who can access your queue
  Method	Basic
  Define who can send messages to the queue	Only the queue owner
  Define who can receive messages from the queue	Only the queue owner

  Optional Configuration
  Dead-letter queue	Disable
  Delivery status logging - optional	Default

• Create a EventBridge Rule for AWS VPC, EC2 with a name in the following format: BC-CDV-EC2-CW-<hash string>. Configure the following policy with the target configured as the name of the EventBridge Rule for AWS VPC, EC2:
  
  
  
  
  When configuring the EventBridge Rule, use the following values for each associated key:

  Key	Value
  Event Pattern	{ "source": [ "aws.ec2", "aws.elasticloadbalancing" ], "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventSource": [ "ec2.amazonaws.com", "elasticloadbalancing.amazonaws.com" ] } }
  Targets	BC-CDV-SNS-EC2-TOPIC-<hash string> In this example, BC-CDV-SNS-EC2-TOPIC-30d431e82a945cd7819fb3cce23c61a8
  Name	BC-CDV-EC2-CW-<hash string> In this example, BC-CDV-EC2-CW-30d431e82a945cd7819fb3cce23c61a8
  State	Enabled

• Create a subscription with the previously configured topic, the protocol set as Amazon SQS, and the endpoint set to the ARN of the previously configured SQS.
  
  
  
  
  When configuring the subscription, use the following values for each associated key:

  Key	Value
  Topic ARN	The topic ARN of topic name BC-CDV-SNS-EC2-TOPIC-<hash string> In this example, arn:aws:sns:us-west-1:<aws-account-id>:BC-CDV-SNS-EC2-TOPIC-30d431e82a945cd7819fb3cce23c61a8
  Protocol	Amazon SQS
  Endpoint	The SQS ARN of queue name BC-CDV-<hash string> In this example, arn:aws:sqs:us-west-1:<aws-account-id>:BC-CDV-30d431e82a945cd7819fb3cce23c61a8
  Enable raw message delivery	Unchecked
  Subscription filter policy - optional	None
  Redrive policy (dead-letter queue) - optional	Disabled

• If you are configuring visibility for AWS Route 53, create a Standard SNS topic in the us-east-1 region with a name in the following format: BC-CDV-SNS-R53-TOPIC-<hash string>. In the following example, the topic created is BC-CDV-SNS-R53-TOPIC-30d431e82a945cd7819fb3cce23c61a8:
  
  
  
  
  When configuring the Standard topic for AWS Route 53, use the following values for each associated key:

  Key	Value
  Type	Standard
  Name	BC-CDV-SNS-R53-TOPIC-<hash string> In this example, BC-CDV-SNS-R53-TOPIC-30d431e82a945cd7819fb3cce23c61a8
  Encryption - optional	Disabled
  Access policy - optional	Method: Basic Define who can publish messages to the topic: Only the topic owner Define who can subscribe to this topic: Only the topic owner
  Delivery retry policy (HTTP/S) - optional	Use the default delivery retry policy { "http": { "defaultHealthyRetryPolicy": { "numRetries": 3, "numNoDelayRetries": 0, "minDelayTarget": 20, "maxDelayTarget": 20, "numMinDelayRetries": 0, "numMaxDelayRetries": 0, "backoffFunction": "linear" }, "disableSubscriptionOverrides": false } }
  Delivery status logging - optional	Default

• Create a EventBridge Rule for AWS Route53 with a name in the following format: BC-DV-R53-CW-<hash string>. Configure the following policy with the target configured as the name of the EventBridge Rule for AWS Route53:
  
  
  
  
  When configuring the AWS Route 53 EventBridge Rule, use the following values for each associated key:

  Key	Value
  Event Pattern	{ "source": [ "aws.route53" ], "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "eventSource": [ "route53.amazonaws.com" ] } }
  Targets	BC-CDV-SNS-R53-TOPIC-<hash string> In this example, BC-CDV-SNS-R53-TOPIC-30d431e82a945cd7819fb3cce23c61a8
  Name	BC-CDV-CW-R53-RULE-<hash string> In this example, BC-CDV-CW-R53-RULE-30d431e82a945cd7819fb3cce23c61a8
  State	Enabled

• Create a subscription with the previously configured topic, the protocol set as Amazon SQS, and the endpoint set to the ARN of the previously configured SQS.
  
  
  
  
  When configuring the Amazon Route 53 subscription, use the following values for each associated key:

  Key	Value
  Topic ARN	The topic ARN of topic name BC-CDV-SNS-R53-TOPIC-<hash string> In this example, arn:aws:sns:us-west-1:<aws-account-id>:BC-CDV-SNS-R53-TOPIC-30d431e82a945cd7819fb3cce23c61a8
  Protocol	Amazon SQS
  Endpoint	The SQS ARN of queue name BC-CDV-<hash string> In this example, arn:aws:sqs:us-west-1:<aws-account-id>:BC-CDV-30d431e82a945cd7819fb3cce23c61a8
  Enable raw message delivery	Unchecked
  Subscription filter policy - optional	None
  Redrive policy (dead-letter queue) - optional	Disabled