AWS Control Tower

Last updated 1 year ago

Hava can be integrated with AWS Control Tower to automatically manage the Sources registered in Hava as AWS Accounts are added or removed using the account vending machine. This makes the process of managing AWS Sources in Hava fully automatic and hands-off.

Overview

The integration is based around a Lambda function that is executed on specific Control Tower events and also runs on a schedule. It connects to each account in the organisation using the Control Tower admin role, configures a read-only role for Hava, and then registers that role with Hava.

Hava then uses AWS Cross Account Role access to connect to the registered account and import metadata about the resources deployed in the account.

Deployment

The integration can be found in our GitHub organization here: https://github.com/teamhava/hava-integration-controltower

It contains the lambda, as well as a Terraform template to deploy all the required resources.

Requirements

  • Access to the base organization account

  • Terraform CLI

  • Hava Teams account with an API token

  • Hava API token stored in AWS Systems Manager Parameter Store

Deploying using Terraform

The recommended approach to deploying this integration is to use the provided Terraform template, as it deploys all the required resources and has been tested across multiple different organisations.

1. Clone the repository

Start by either downloading or cloning the repository to get a full copy of all the files on your local system, or where you will be deploying the template from.

2. Create a configuration file

There are a few configuration values that need to be set up for the template to deploy successfully. Create a terraform.tfvars file inside the terraform directory and add the following values.

hava_external_id = "<insert external id>"
hava_token_path = "/hava-integration/token" # update this if not the same as your path in Parameter Store
hava_dry_run = true

  • hava_external_id is the unique external id for your Hava account. It is used to make sure the AWS roles generated for Hava can only be assumed by Hava. This can be found on the "add source" modal in the Hava UI.

  • hava_token_path is the path to the API token in AWS Systems Manager Parameter store. This is a secure way to store the API token without having to pass this through insecure channels or store this in the Terraform state file.

  • hava_dry_run enables dry run mode, in which the integration writes the changes it would make to the logs but does not execute any changes against either the Hava or the AWS APIs. Leave this as true to begin with while testing.

3. Applying changes

Use the Terraform CLI to initialise and apply the changes to the AWS Organization root account from the terraform directory.

terraform init
terraform apply

4. Testing the deployment

Once the terraform apply is complete, open the AWS Console and locate the deployed Lambda. By default it will be called hava-integration.

Use the console to run a test with no input. This should execute the lambda in dry-run mode and allow you to verify that everything is running as expected by checking the logs.

5. Disable dry run mode

Once tests confirm everything is running as expected, update the terraform.tfvars file with hava_dry_run = false and apply the changes.

6. Manually trigger the integration

Now that everything is deployed, manually trigger the integration by running the test as in step 4. This will go through a full synchronization of all accounts in the organization and start building the diagrams for each in Hava.
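The deployment steps above rely on the integration keeping a clear split between working out what has changed and acting on it, which is what makes the dry-run stage in steps 2 to 5 useful. The following is an added example and not Hava's lambda code: a small reconciler in the shape the Overview describes (list organization accounts, decide which need a read-only role and a Hava source, which Hava sources belong to accounts that have gone, and which are ignored by the block list), with a dry_run switch that logs the plan instead of executing it. The OrgAccount record, the block-list arguments, the create_role / register_source / delete_source callables and the sample accounts are all assumptions constructed for this example.

```python
# Added example (not Hava's lambda code): a minimal reconciler showing how a
# Control Tower sync can separate planning from execution, and how a dry-run
# switch keeps the execution step from touching any API. Record types, API
# callables and sample data below are constructed for this example.
import logging
from dataclasses import dataclass, field

log = logging.getLogger("hava-integration-example")


@dataclass(frozen=True)
class OrgAccount:
    account_id: str
    ou: str
    status: str = "ACTIVE"


@dataclass
class SyncPlan:
    register: list = field(default_factory=list)  # need a read-only role and a Hava source
    remove: list = field(default_factory=list)    # Hava sources whose account is no longer active
    skipped: list = field(default_factory=list)   # ignored because of the block list


def plan_sync(org_accounts, hava_sources, blocked_ous=(), blocked_accounts=()):
    """Compute the changes a sync would make without calling any API.

    org_accounts: OrgAccount records listed from the organization.
    hava_sources: account ids that already have a Hava source registered.
    Block-listed accounts are ignored entirely (neither registered nor removed),
    so excluding an OU does not churn sources that were registered earlier.
    """
    plan = SyncPlan()
    blocked, active = set(), set()
    for acct in org_accounts:
        if acct.ou in blocked_ous or acct.account_id in blocked_accounts:
            blocked.add(acct.account_id)
            plan.skipped.append(acct.account_id)
            continue
        if acct.status != "ACTIVE":
            continue  # suspended or closing accounts are treated as gone
        active.add(acct.account_id)
        if acct.account_id not in hava_sources:
            plan.register.append(acct.account_id)
    for source in hava_sources:
        if source not in active and source not in blocked:
            plan.remove.append(source)
    for bucket in (plan.register, plan.remove, plan.skipped):
        bucket.sort()
    return plan


def apply_plan(plan, dry_run, create_role, register_source, delete_source):
    """Execute the plan, or only log it when dry_run is set.

    create_role(account_id) -> role_arn, register_source(account_id, role_arn)
    and delete_source(account_id) stand in for the AWS and Hava API calls.
    Returns the actions actually performed, which is empty in dry-run mode.
    """
    performed = []
    for account_id in plan.register:
        if dry_run:
            log.info("DRY RUN: would create read-only role in %s and register it", account_id)
            continue
        role_arn = create_role(account_id)
        register_source(account_id, role_arn)
        performed.append(("register", account_id))
    for account_id in plan.remove:
        if dry_run:
            log.info("DRY RUN: would remove Hava source for %s", account_id)
            continue
        delete_source(account_id)
        performed.append(("remove", account_id))
    return performed


# Constructed sample data: four org accounts and three existing Hava sources.
SAMPLE_ACCOUNTS = [
    OrgAccount("111111111111", "ou-prod"),
    OrgAccount("222222222222", "ou-prod"),
    OrgAccount("333333333333", "ou-sandbox"),
    OrgAccount("444444444444", "ou-prod", status="SUSPENDED"),
]
SAMPLE_SOURCES = {"111111111111", "444444444444", "555555555555"}


def run_example(dry_run=True):
    """Plan and (dry-)apply the sample; returns (plan, performed, recorded API calls)."""
    calls = []
    plan = plan_sync(SAMPLE_ACCOUNTS, SAMPLE_SOURCES, blocked_ous={"ou-sandbox"})
    performed = apply_plan(
        plan, dry_run,
        create_role=lambda a: calls.append(("role", a)) or f"arn:aws:iam::{a}:role/hava-readonly",
        register_source=lambda a, arn: calls.append(("register", a, arn)),
        delete_source=lambda a: calls.append(("delete", a)),
    )
    return plan, performed, calls


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    plan, performed, _ = run_example(dry_run=True)
    print("plan:", plan)
    print("performed:", performed)
```

Run as-is to see the dry-run log lines for the sample; call run_example(dry_run=False) to see the same plan executed through the stub callables. The point worth checking in a real deployment is the same one the test in step 4 covers: in dry-run mode the logs should list every intended change and no role or source should appear in either AWS or Hava.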

Configuration

More details on the configuration values can be found in the readme for the Terraform template: https://github.com/teamhava/hava-integration-controltower/blob/main/terraform/README.md

Block lists

To allow certain OUs or accounts to be ignored by the integration, there is a block list for OUs and account IDs. Details on how to configure this can be found in the GitHub repository (https://github.com/teamhava/hava-integration-controltower).

Security

This integration creates a role in each AWS Account in the organization with the AWS managed policy ReadOnlyAccess. Details on this role can be found in the lambda source.

The external id parameter is used together with the Hava AWS Account id to ensure that only Hava can access this role.
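The two controls named in the Security section live in the role's trust policy: the principal allowed to call sts:AssumeRole is Hava's AWS account, and the call must carry the external id. The following is an added example, not code from the integration: it builds such a trust policy and, more usefully for an operator, audits an existing trust policy for those two conditions so the roles the integration created (or roles added by hand) can be checked. HAVA_ACCOUNT_ID and EXTERNAL_ID are placeholders for the values shown in the Add Source modal, and the finding strings are this example's own; the ReadOnlyAccess ARN is the real AWS managed policy referenced above.

```python
# Added example (not part of Hava's integration): build the cross-account trust
# policy a read-only role needs, and audit an existing trust policy for the two
# controls the Security section names (principal is Hava's account, external id
# required). Account id and external id below are placeholders, not real values.
import json

HAVA_ACCOUNT_ID = "123456789012"     # placeholder: Hava's account id is shown in the Add Source modal
EXTERNAL_ID = "example-external-id"  # placeholder: your account's external id from the same modal
READ_ONLY_POLICY_ARN = "arn:aws:iam::aws:policy/ReadOnlyAccess"  # AWS managed policy the role gets


def build_trust_policy(hava_account_id, external_id):
    """Trust policy allowing only the given account to assume the role, and only with the external id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{hava_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_account(arn_or_id):
    """'arn:aws:iam::123456789012:root' or '123456789012' -> '123456789012'."""
    if arn_or_id.startswith("arn:aws:iam::"):
        return arn_or_id.split(":")[4]
    return arn_or_id


def trust_policy_findings(policy, expected_account_id, expected_external_id):
    """Return a list of problems with the role's trust policy; [] means it is scoped as intended.

    Only Allow statements granting sts:AssumeRole are examined. Each must name
    the expected account as its AWS principal (no wildcard, no other account)
    and require the expected sts:ExternalId via a StringEquals condition.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {idx}: wildcard principal")
            elif _principal_account(p) != expected_account_id:
                findings.append(f"statement {idx}: unexpected principal {p}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append(f"statement {idx}: no sts:ExternalId condition")
        elif external_id != expected_external_id:
            findings.append(f"statement {idx}: external id mismatch")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(HAVA_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy, HAVA_ACCOUNT_ID, EXTERNAL_ID))
```

To audit a deployed role, feed the AssumeRolePolicyDocument returned by the IAM get-role call (it is a JSON string, which the function accepts) together with the account id and external id from the Add Source modal; any non-empty result means the role can be assumed more widely than the integration intends.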