Move AWS Resources to another Account

amazon ec2amazon-web-services

We are running various AWS resources currently in an account namely but not limited to :

EC2 (we can copy AMIs), RDS,VPC,IAM, S3, SNS, CloudWatch, CloudFront,Auto Scaling

we now want to move everything to another AWS Account. How Do I move all?

I need to get the S3 Buckets synced and so does CloudFront.

I was trying to get hold off CloudFormation and generated a CloudFormer Template. Then I imported the template to new AWS Account and Launched a new Stack out of this Template.

What's next ??

I can't see EC2 Servers created, nor S3, security group, EBS, nothing is there on the new account.

How do I move all the resources in one go ?

Thank you.
Sandeep

Best Answer

If you build your entire infrastructure with CloudFormation you could more easily replicate it, even in another account.

You still need to deal with data migration, which will be different depending on your deployment setup.

If you use configuration management most if not all of your OS can be replicated in your other account too.

While AWS does have a method of reverse engineering a CloudFormation template based on your current environment I've never tried it, sounds like you should give it a go.

The aws cli has commands to move s3 data "aws s3 sync s3://from s3://to". You may need to export or otherwise share other data like RDS and SNS.

Related Solutions

How to specify VPC and subnet in AWS CloudFormation template

If you want to continue using default VPC you deleted you will have to contact AWS support to create it again. AWS resources from the template you are using depnd on it.

Otherwise you have to customize it a bit so it can be used with your non-default VPCs. There are suggested changes:

0) Pass your VPC ID and your subnet IDs as CloudFormation parameters:

    "myVPC": {
        "Description" : "Id of my VPC",
        "Type"        : "String",
        "Default"     : "vpc-XXXXXXXX"
    },

    "MySubnet": {
        "Description" : "My subnet from my VPC",
        "Type": "String",
        "Default": "subnet-YYYYYYYY"
    },      

    "RDSSubnets": {
        "Description" : "RDS subnets from my VPC",
        "Type": "CommaDelimitedList",
        "Default": "subnet-YYYYYYY1,subnet-YYYYYY2"
    },

1) Security groups have to be created within your new VPC identified by VPC ID:

"DBSecurityGroup": {
  "Type": "AWS::RDS::DBSecurityGroup",
  "Properties": {
===>>> "EC2VpcId" : { "Ref" : "myVPC" }, <<<====
       "DBSecurityGroupIngress": { "EC2SecurityGroupName": { "Ref": "WebServerSecurityGroup"} },
       "GroupDescription"      : "Frontend Access"
  }
},

"WebServerSecurityGroup" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
===>>> "VpcId" : {"Ref" : "myVPC"}, <<<====
       "GroupDescription" : "Enable HTTP access via port 80 and SSH access",
       "SecurityGroupIngress" : [
         {"IpProtocol" : "tcp", "FromPort" : "80", "ToPort" : "80", "CidrIp" : "0.0.0.0/0"},
         {"IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : { "Ref" : "SSHLocation"}}
       ]
  }
}

2) change your EC2 instance to use your VPC subnet1:

"WebServer": {
  "Type": "AWS::EC2::Instance",
  ...
  "Properties": {
     "SubnetId": { "Ref": "MySubnet1" },
  ...

3) Create RDS DB subnet group with your VPC subnets dedicated for RDS (you need to create a subnet in the VPC in at least two of the Availability Zones of the region where the VPC exists):

"MyDBSubnetGroup" : {
  "Type" : "AWS::RDS::DBSubnetGroup",
  "Properties" : {
    "DBSubnetGroupDescription" : "Subnets available for the RDS DB Instance",
    "SubnetIds" : { "Ref" : "RDSSubnets" },
  }
},

4) change your RDS instance to use your VPC subnet and security group (replace DBSecurityGroups parameter with VPCSecurityGroups):

"DBInstance" : {
  "Type": "AWS::RDS::DBInstance",
  "Properties": {
      "DBSubnetGroupName" : { "Ref" : "MyDBSubnetGroup" },
      "VPCSecurityGroups" : [ { "Ref" : "DBSecurityGroup" } ],
      ...

You can find more details about used parameters in AWS documentation:

Way to create AWS autoscaling lifecycle hooks with CloudFormation without a race condition

It's not an ideal solution, but would a two-pass stack creation be a valid workaround?

Set DesiredCapacity property in the AutoScalingGroup resource to 0 on initial stack creation. This allows the LaunchConfiguration, AutoScalingGroup, and LifecycleHook resources to be created without actually launching any instances.
Set DesiredCapacity to your desired count (> 0) on a subsequent stack update. This should launch your desired instances after the LifecycleHook has been created.

Best Answer

Related Solutions

How to specify VPC and subnet in AWS CloudFormation template

Way to create AWS autoscaling lifecycle hooks with CloudFormation without a race condition

Related Topic