EPAM Cloud Orchestrator. Maestro CLI Admin Utility · 2018. 3. 24. · EPAM Cloud Orchestrator Maestro CLI Admin Utility Admin Guide March 2018 Version 2.0.2. ... single enterprise

Legal Notice: This document contains privileged and/or confidential information and may not be disclosed, distributed or

reproduced without the prior written permission of EPAM®.

EPAM Cloud Orchestrator

Maestro CLI Admin Utility

Admin Guide

February 2021

Version 2.6

EPAM Cloud Orchestrator. Maestro CLI Admin Utility

EPAM PUBLIC 2

CONTENTS

Preface .................................................................................................................................... 8

About this Guide .............................................................................................................. 8

Audience .......................................................................................................................... 8

Structure of the Guide...................................................................................................... 8

Documentation References ............................................................................................. 9

1 Introduction .................................................................................................................... 10

2 General .......................................................................................................................... 11

2.1 Maestro CLI Admin Utility Purpose ........................................................................ 11

2.2 Connecting to Admin Utility .................................................................................... 11

2.3 File Upload ............................................................................................................. 12

3 Maestro CLI Use for Project Management .................................................................... 13

3.1 Refreshing Project Status ...................................................................................... 13

3.2 Migrating Instance to CSA ..................................................................................... 13

3.3 Setting Checkpoint Quota for Project .................................................................... 14

3.4 Setting Volume Quota for Project .......................................................................... 14

3.5 Setting Instance Quota for Project ......................................................................... 15

4 Using Admin Utility ......................................................................................................... 16

4.1 Basic Principles ...................................................................................................... 16

4.2 Maestro CLI Admin Utility Help .............................................................................. 16

4.3 Command Execution .............................................................................................. 18

4.4 Asynchronous Commands ..................................................................................... 19

4.5 Command Output ................................................................................................... 20

5 Command Groups ......................................................................................................... 21

5.1 General .................................................................................................................. 21

5.1.1 SHOW............................................................................................................. 21

5.1.2 SUBSCRIPTION ............................................................................................. 29

5.1.3 ACCOUNT ...................................................................................................... 31

5.1.4 SETTINGS ...................................................................................................... 33

5.1.5 ORCH ............................................................................................................. 44

5.1.6 INIT ................................................................................................................. 53


EPAM PUBLIC 3

5.1.7 INTEGRITY .................................................................................................... 55

5.1.8 CLI .................................................................................................................. 56

5.1.9 STATUS ......................................................................................................... 57

5.2 Security .................................................................................................................. 58

5.2.1 ADMIN ............................................................................................................ 58

5.2.2 PERMISSION ................................................................................................. 62

5.2.3 SECURITY ..................................................................................................... 68

5.2.4 USER .............................................................................................................. 70

5.2.5 LUMINATE ..................................................................................................... 72

5.2.6 QUALYS ......................................................................................................... 74

5.3 Infrastructure .......................................................................................................... 80

5.3.1 ZONE .............................................................................................................. 80

5.3.2 PROJECT ....................................................................................................... 81

5.3.3 INSTANCE ..................................................................................................... 95

5.3.4 VOLUMES ...................................................................................................... 96

5.3.5 IMAGE ............................................................................................................ 96

5.3.6 RESOURCES ................................................................................................. 96

5.3.7 RABBIT ........................................................................................................... 97

5.3.8 RADAR ........................................................................................................... 97

5.4 Billing ...................................................................................................................... 97

5.4.1 BILLING .......................................................................................................... 97

5.4.2 PRICING_POLICY ......................................................................................... 98

5.4.3 TIMELINE ....................................................................................................... 98

5.5 AWS ....................................................................................................................... 99

5.5.1 AWS................................................................................................................ 99

5.5.2 AWS_SECURITY ......................................................................................... 123

5.5.3 AWS_RI ........................................................................................................ 132

5.5.4 AWS_S3 ....................................................................................................... 134

5.5.5 AWS_WORKSPACE .................................................................................... 135

5.5.6 TEMPLATE ................................................................................................... 139

5.6 AZURE ................................................................................................................. 140


EPAM PUBLIC 4

5.6.1 AZURE.......................................................................................................... 140

5.7 GOOGLE .............................................................................................................. 160

5.7.1 GOOGLE ...................................................................................................... 160

5.8 CSA, HP OO, OpenStack (PRIVATE CLOUD) .................................................... 179

5.8.1 CSA .............................................................................................................. 179

5.8.2 HPOO ........................................................................................................... 179

5.8.3 OPEN_STACK ............................................................................................. 180

5.8.4 HARDWARE ................................................................................................. 210

5.8.5 ENTERPRISE ............................................................................................... 210

5.8.6 EXOSCALE .................................................................................................. 210

5.9 PaaS .................................................................................................................... 212

5.9.1 PAAS ............................................................................................................ 212

5.9.2 CHEF ............................................................................................................ 212

5.9.3 DOCKER ...................................................................................................... 212

5.10 TEMP ................................................................................................................... 213

6 Maestro CLI Admin Utility – Use Cases ...................................................................... 214

6.1 AWS – Administration Cases ............................................................................... 214

6.1.1 AWS Zone Creation ...................................................................................... 214

• Zone Creation ............................................................................................... 214

• Zone Virtual Profile Configuration ................................................................ 215

• Adding Machine Images to AWS Zone ........................................................ 216

• Setting Cost Center for AWS Zone .............................................................. 216

6.1.2 Project Activation in AWS ............................................................................. 216

• EC2 Instance Role Configuration ................................................................. 218

• SSO Configuration ........................................................................................ 218

• SSO Roles Configuration ............................................................................. 220

• AWS Policy Management ............................................................................. 220

• IAM Role Group Configuration ..................................................................... 222

• Security Groups Configuration ..................................................................... 223

• Security Groups Backup ............................................................................... 224


EPAM PUBLIC 5

• CloudTrail Service Activation ....................................................................... 225

6.1.3 Access to AWS ............................................................................................. 226

6.1.4 AWS Organizations ...................................................................................... 226

6.1.5 Reserved Instances ...................................................................................... 227

• Displaying Reserved Instances .................................................................... 227

• Modifying Reserved Instances ..................................................................... 227

• Displaying Reserved Instance Offerings ...................................................... 228

• Purchasing Reserved Instances ................................................................... 228

6.2 Microsoft Azure – Administration Cases .............................................................. 230

6.2.1 Azure Zone Creation .................................................................................... 230

• Azure Enrolment Setup ................................................................................ 230

• Zone Creation ............................................................................................... 230

• Setting Cost Center for Azure Zone ............................................................. 231

• Adding Machine Images to Azure Zone ....................................................... 232

6.2.2 Activating a Project in Microsoft Azure ......................................................... 232

• Project Activation .......................................................................................... 232

• Network Configuration .................................................................................. 233

• Configuration Check ..................................................................................... 234

6.3 CSA – Administration cases ................................................................................ 235

6.3.1 CSA Zone Creation ...................................................................................... 235

• CSA Zone Creation ...................................................................................... 235

• Orchestration Instance Assignment to CSA Zone ........................................ 236

• Setting Cost Center for CSA Zone ............................................................... 236

• Adding Shapes to CSA Zone ....................................................................... 237

6.3.1 Activating a Project in CSA .......................................................................... 237

6.3.2 Reimporting Instances to CSA ..................................................................... 238

• CSA Subscription Deletion ........................................................................... 238

• Instance Restoring to CSA ........................................................................... 239

• Subscription Synchronization ....................................................................... 239

6.4 Google Cloud Platform – Administration Cases .................................................. 240


EPAM PUBLIC 6

6.4.1 Google Account Configuration ..................................................................... 240

6.4.2 Google Account Entity in Orchestrator Database ........................................ 240

6.4.3 Adding Google Zones ................................................................................... 241

• Retrieving Google Zones .............................................................................. 242

• Adding Google Zones ................................................................................... 242

• Editing Google Zones ................................................................................... 242

6.4.4 Project Activation in Google Cloud ............................................................... 243

6.4.5 Adding Images in Google Cloud ................................................................... 244

• Retrieving Google Public Images ................................................................. 244

• Adding Google Images ................................................................................. 245

6.4.6 Custom Image Creation in Google Cloud..................................................... 245

6.4.7 Public and Static IPs ..................................................................................... 246

6.4.8 Volumes in Google Cloud ............................................................................. 247

6.4.9 Google IAM Users ........................................................................................ 247

• Temporary Users .......................................................................................... 247

• Ordinary IAM Users ...................................................................................... 248

• System IAM Users ........................................................................................ 249

6.4.10 Other ............................................................................................................. 249

• Init Scripts ..................................................................................................... 249

• Interactive Operations .................................................................................. 249

6.5 OpenStack – Administration Cases ..................................................................... 249

6.5.1 OpenStack Controller Hosts ......................................................................... 249

6.5.2 OpenStack Hosts and Host Aggregates ....................................................... 250

6.5.3 OpenStack Zone Management .................................................................... 250

• Zone Creation ............................................................................................... 250

• Zone Editing ................................................................................................. 252

• Retrieving the List of OpenStack Zones ....................................................... 252

• Orchestration Instance Assignment to OpenStack Zone ............................. 252

• Adding Shapes to OpenStack Zone ............................................................. 253

• Shape Management in OpenStack .............................................................. 254


EPAM PUBLIC 7

• Adding Machine Images to OpenStack Zone ............................................... 254

• Machine Image Management in OpenStack ................................................ 255

• Custom Image Management in OpenStack ................................................. 256

• Push Notifications Configuration .................................................................. 256

• Enabling Notifications ................................................................................... 258

• Pricing Policy Creation for OpenStack Zone ................................................ 258

• Setting Cost Center for OpenStack Zone ..................................................... 259

6.5.1 Project Activation in OpenStack ................................................................... 259

• Personal Projects in OpenStack ................................................................... 260

6.5.2 OpenStack Networking ................................................................................. 260

6.5.3 DNS Name Creation in OpenStack .............................................................. 260

6.5.4 OpenStack Metadata .................................................................................... 261

6.5.5 OpenStack Recycle Bin ................................................................................ 261

• Recycle Bin Creation .................................................................................... 262

• Recycle Bin Management ............................................................................ 262

• Management of Resources in Recycle Bin .................................................. 263

6.5.6 OpenStack Instance State ............................................................................ 263

6.5.7 Other ............................................................................................................. 264

• Volume Errors ............................................................................................... 264

• Shape Change on OpenStack ...................................................................... 264

6.6 Simple User Configuration ................................................................................... 264

6.6.1 User Creation ............................................................................................... 265

6.6.2 User Assignment to Project .......................................................................... 265

6.6.3 Permission Assignment ................................................................................ 266

6.6.4 Permission Update ....................................................................................... 266

Annex A – Admin CLI Commands Usage in Different Virtualization Platforms .................. 268

Annex B – Admin CLI Commands Requiring File Upload ................................................... 270

Annex C – Admin CLI Commands Sending Emails as the Result of Execution ................. 270

Annex D – AWS-Related Collections in Database .............................................................. 271

Table of Figures................................................................................................................... 273


EPAM PUBLIC 8

Version history ..................................................................................................................... 274

PREFACE

ABOUT THIS GUIDE

Maestro CLI Admin Utility Guide is the description of the Admin Utility console, the commands used by

Cloud administrators and their syntax and purpose.

AUDIENCE

This guide is intended for the support and maintenance personnel performing configuration and setup

tasks, maintenance works and assisting users with matters beyond the self-service scope.

STRUCTURE OF THE GUIDE

The guide consists of the following chapters:

Introduction – the brief description of EPAM Orchestrator and its basic concept

General – the description of Maestro CLI Admin Utility purpose and the instructions on connecting to the

Maestro CLI Admin Utility for Windows and Linux operating systems

Maestro CLI Use for Project Management – the description of admin commands existing in Maestro CLI

Using Admin Utility – the description of the basic principles of Maestro CLI Admin Utility usage, the

command string structure and the instructions on using the Maestro CLI Admin Utility help

Command Groups – the list of command groups available in Maestro CLI Admin Utility together with the

brief descriptions of commands within each group

Maestro CLI Admin Utility – Use Cases – the description of several common cases of Maestro CLI Admin

Utility usage with the command examples

Annex A – Admin CLI Commands Usage in Different Virtualization Platforms – the reference table of

commands used for project management in different virtualization platforms

Annex B – Admin CLI Commands Requiring File Upload – the list of commands referring to the content of

previously uploaded files and the description of the file content

Annex C – Admin CLI Commands Sending Emails as the Result of Execution – the list of commands

using email addresses as output for the data obtained as the result of the command execution

Annex D – AWS-Related Collections in Database – the list of collections serving AWS platform with their

descriptions


EPAM PUBLIC 9

DOCUMENTATION REFERENCES

EPAM Orchestration is described in details in a number of documents, focused on different aspects of

Orchestration usage, and on different types of users.

You can find these documents on our Documentation page.

The answers to the most frequently asked questions can be found on the FAQ page.

EPAM Cloud terms and conditions are described in our EPAM Cloud Terms and Conditions. Please take

a look at this document in order to avoid misunderstandings and conflicts that may arise during the

service usage.

The terminology of EPAM Cloud and the related products can be found on the Glossary page.

Please email your comments and feedback to EPAM Cloud Consulting at

[email protected] to help us provide you with documentation that is as clear,

correct and readable as possible.

https://cloud.epam.com/site/learn/documentation

https://cloud.epam.com/site/learn/f=a=q

https://cloud.epam.com/site/about/terms_and_agreements/epc_terms_and_conditions.pdf

https://cloud.epam.com/site/learn/glossary

mailto:[email protected]


EPAM PUBLIC 10

1 INTRODUCTION

Cloud computing is the computing model in which pooled resources and services are generally available

via the Internet and accessible via self-service portals by dynamic assignment to multiple tenants. Cloud

computing systems are characterized by high elasticity, that is, the ability to scale in or out according to

the customers’ demand. Resource usage is charged on the pay-as-you-go basis, for which purpose cloud

computing systems include monitoring, controlling and reporting functionality.

Cloud services made generally available form a public cloud. The same infrastructure deployed for a

single enterprise only comprises a private cloud. Private clouds operate totally within their own secure

environments. Cloud infrastructure having the features of both public and private cloud joined by a

proprietary or standardized technology is described as hybrid cloud.

EPAM Cloud Orchestrator can be characterized as a hybrid cloud, because, in addition to the private

cloud services, it supports integration with external cloud platforms.

According to Forrester’s Vendor Landscape: Private Cloud Software Solutions report, private cloud

solutions fall into three major categories defined by their implementation method and the administration

tools used: Cloud Platforms, combining physical and virtual resources into IaaS cloud environments,

Standalone Cloud Management Tools, managing virtual resources on the basis of public and private

cloud platforms, and Private Cloud Suites, combining the features of the two categories mentioned

above.

EPAM Cloud Orchestrator belongs to Standard Cloud Management Tools which can be based on one of

virtualization platforms (AWS, Microsoft Azure, HP OO, OpenStack or CSA) and performs cloud

management, monitoring, account billing, access management and support.

According to the Private Cloud Software Reference Architecture described in the above-mentioned

Forrester’s report, the Maestro CLI Admin Utility represents the Admin Portal implemented as a

command-line interface. Together with other cloud management components, the Admin Portal forms the

comprehensive Hybrid Cloud Management Solution.

https://www.forrester.com/report/Vendor+Landscape+Private+Cloud+Overview/-/E-RES104670


EPAM PUBLIC 11

2 GENERAL

For the purposes of project management in EPAM Cloud, a special tool, Maestro CLI Admin Utility, is

used. In addition, certain project management operations are performed using the commands of Maestro

CLI. This document describes options available both in the dedicated Admin Utility and in the Maestro

CLI.

2.1 MAESTRO CLI ADMIN UTILITY PURPOSE

The Admin Utility is a tool allowing to monitor and maintain the Cloud infrastructure and projects hosted

within, provide support and consulting on the Cloud projects operation and issues which may occur from

time to time.

2.2 CONNECTING TO ADMIN UTILITY

Connection to the Admin Utility is performed via SSH. To set up your connection, generate a keypair with

the or2addkey Maestro CLI Command or any other key generation tool. Once the keypair is generated,

add your domain login ([email protected]) at the end of the public part of the keypair

and send it to Level 3 Support Team, to register a personal account for you.

Connect to Admin Utility:

- Linux:

ssh -i /path/to/your/private.key -p 2001 [email protected]

- Windows:

1. Convert your Private Key:

• Start PuTTYgen

• Click Load. By default, PuTTYgen displays only files with the extension .ppk. To

locate your .pem file, select the option to display files of all types.

Figure 1 – Locating Private Key

• Select your .pem file from the keypair which you specified when launching your

instance then click Open. Click OK to dismiss the confirmation dialog box.

• Click Save private key to save the key in the format acceptable by PuTTY.

PuTTYgen displays a warning about saving the key without a passphrase. Click Yes.

• Specify the same name for the key that you used for the keypair (for example, my-

key-pair). PuTTY automatically adds the .ppk file extension.

2. Start PuTTY (use [email protected] and 2001 port). Add your private key in


https://winscp.net/eng/docs/ui_puttygen



EPAM PUBLIC 12

Connection>SSH>Auth.

2.3 FILE UPLOAD

Some commands use content of a file in their performance. In such cases, files have to be uploaded

before the command execution. The files are uploaded using SCP, Secure Copy Protocol. SCP uses

SSH in file transfer. To upload a file, use the following command:

scp -P port -i <path-to-keypair-pem-file> local_file_path host:filename

Files are to be uploaded outside the Maestro Admin Utility, that is, before logging in. When specifying

the local path to the file, make sure you are using the relative pathname and not the absolute

pathname, otherwise the file upload will fail.


EPAM PUBLIC 13

3 MAESTRO CLI USE FOR PROJECT MANAGEMENT

Maestro Command Line Interface (CLI) is a tool used to send basic Orchestrator commands via the

command line. Maestro CLI is widely used by the EPAM Cloud user community for virtual machine

management.

For information on setting up Maestro CLI and the required components, logging in and basic usage

guidelines, please refer to the Quick Start Guide.

Access to CLI commands is based on the system of permissions. The project management

(administration) commands are available only to users with the ALL_SYSTEM_OPERATIONS

permission and are hidden from all other users. Currently, the following Admin commands are available:

3.1 REFRESHING PROJECT STATUS

or2-refresh-projects (or2refp)

The command refreshes the status of the specified project or of all projects in the specified region.

CLI Parameters

Parameter name Description Required

--full Show full command output instead of default basic one No

-P, --plain-output Use plain output instead of default table output No

--json Show command output in json format No

-p, --project Project abbreviation in UPSA No

-r, --region Virtualization region Yes

--help Display command help No

Command example:

or2refp –p project –r region

3.2 MIGRATING INSTANCE TO CSA

or2-migrate-csa-instance (or2migcsains)

The command registers the specified instance in CSA.

CLI Parameters





-p, --project Project abbreviation in UPSA Yes


-m, --image Machine image Yes

-I, --instance-name Instance name Yes

-g, --migration-date Migration date in the yyyy-mm-dd’T’HH format Yes

-s, --shape Instance type Yes


https://cloud.epam.com/site/learn/quick_start/csug_01_quick_start.pdf


EPAM PUBLIC 14

Command example:

or2refp -p project -r region -s shape -i instance_name -m image –g

migration_date

3.3 SETTING CHECKPOINT QUOTA FOR PROJECT

or2-set-project-checkpoint-quota (or2setpchq)

The command defines the maximum number of checkpoints which can be created for the specified

project and region.

CLI Parameters







-m, --maxCount The number of checkpoints which can be created Yes


Command example:

or2setpchq -p project -r region -m checkpoint_count

3.4 SETTING VOLUME QUOTA FOR PROJECT

or2-set-project-volume-quota (or2setpvq)

The command defines the maximum number and size of additional volumes created in the specified

project and region within the specified time interval.

CLI Parameters







-c, --count The number of volumes which can be created within the

specified time interval Yes

-s, --maxSize Maximum volume size in GB Yes

-t, --time Volume creation interval in hours Yes


Command example:

or2setpvq -p project -r region –s max_size –c count –t time_interval


EPAM PUBLIC 15

3.5 SETTING INSTANCE QUOTA FOR PROJECT

or2-set-project-instance-quota (or2setpiq)

The command defines the maximum number of instances created in the specified project and region

within the specified time interval.

CLI Parameters







-c, --count The number of instances which can be created within the

specified time interval Yes

-t, --time Instance creation interval in hours Yes


Command example:

or2setpiq -p project -r region –c count –t time_interval


EPAM PUBLIC 16

4 USING ADMIN UTILITY

4.1 BASIC PRINCIPLES

Maestro CLI Admin Utility operates by executing commands sent via the command line. Each command

consists of the group name, the command name and the arguments.

The group name defines the general area of the command application (e.g. ‘aws’ – commands related to

AWS, ‘project’ – commands related to projects, etc.).

The command name is the actual command string defining the action to be performed (e.g.

‘delete_zone’, ‘grant_access’, etc.)

The arguments define the specific object of the command and/or the values to be set for it (e.g. -p –

project abbreviation in UPSA, -s – shape name, etc.).

For example:

permission add_user -e email

In this example ‘permission’ is the group name of all permission-related commands, ‘add_user’ is the

command name indicating that the command creates a new user and ‘-e email’ is the argument

containing the email of the user to be created.

Please note that in case a parameter is specified incorrectly, the command will not return an error. All

parameters specified before the incorrect one, will be applied. The incorrect parameter and others

following it, will be skipped. In case the applied parameters are enough for the command execution, the

command will be run.

4.2 MAESTRO CLI ADMIN UTILITY HELP

The correct format and the required arguments for each command can be found in the ‘Help’ topics. To

get the complete list of all command groups available in the Maestro CLI Admin Utility, type ‘help’ in the

command line:

Figure 2 – Command groups


EPAM PUBLIC 17

This command returns the alphabetical list of all command groups with their brief description.

To see the commands included in each group, type the group name:

Figure 3 – List of commands in a group

The response will contain the list of all commands in their correct format and the brief explanation of their

purpose and action. The ‘usage’ line shows the valid command syntax.

To get help for a particular command, type the complete command with the -h or --help parameter:

Figure 4 – Command help

The response will contain the list of all possible arguments which can be used in the command. The

mandatory arguments are marked with ‘*’.

Some commands require one of the optional parameters to be used in all cases. In this case, the

command will return an error message if no optional parameter is specified. The error message will

contain the prompt to use one of the optional parameters.

The ‘usage’ line shows the complete syntax of the command including the arguments. Some of the

arguments have a short and a full form which have the same effect.

If an invalid command is sent, the response may indicate the missing or invalid parameter:

Figure 5 – Error message indicating missing parameter

Boolean parameters with only ‘true’ or ‘false’ options are set to ‘false’ by default. To set them to ‘true’

only the argument without any value should be specified, otherwise the command will be rejected with

the ‘command not found’ error message. For example, the orch assign -z region -o OrchestratorID -a

command will be rejected if any value is sent for the -a parameter.


EPAM PUBLIC 18

4.3 COMMAND EXECUTION

Some commands in Maestro CLI Admin Utility require the user’s reconfirmation of their intent to execute

the command. When the user types the command string and presses ‘Enter’, the system responds with

the following message: ‘Are you sure you want to perform the operation…? Type “y” or “n”’. The user has

to confirm the operation by typing “y” or abort it by typing “n”.

Such reconfirmation is required, for example, for all ‘activate_project’ commands, the ‘billing lock’,

‘billing unlock’ commands, etc.

Certain other commands require the particular instance to be stopped before the command can be

executed. When the command string is entered, the following message is displayed: ‘The orchestrator

instance should be stopped for performing this operation. Do you want to continue?’ If the user confirms

the operation, the system checks whether the instance has been stopped and proceeds with the

command execution. If the instance has not been stopped, the command is rejected with an error

message.

Instance stopping is required, for example, for all ‘add_zone’ commands, the ‘zone delete’ command,

the commands related to the RabbitMQ server configuration.

If you run a command immediately after stopping the instance, the system may still return the message

prompting to stop it, as the instance status might not be updated yet. In this case allow up to 10 minutes

after the instance stopping to run the command again.

However, to accelerate the process, the reconfirmations can be disabled by switching the system to the

so-called ‘quiet’ mode. In the quiet mode the system does not require command reconfirmation before

execution but executes it immediately. The ‘quiet’ mode is controlled by the ‘quiet on’ and ‘quiet off’

commands:

• quiet on Switches the ‘quiet’ mode on

• quiet off Switches the ‘quiet’ mode off

By default, the ‘quiet’ mode in disabled.

Certain commands requiring password for their execution cannot be run in the ‘quiet’ mode. The

password is not specified as one of the mandatory parameters but is to be entered later, at the system

prompt. If a command is sent in the ‘quiet’ mode, the following error message is displayed: “This

command can’t be running in quiet mode!”. The following commands cannot be used with the ‘quiet’

mode enabled:

• azure add_subscript

• azure_custom add_subscript

• aws add_user

• csa add_zone

• hpoo configvs

• open_stack add_zone

• open_stack notific_config

• permission add_user

• rabbit shovel

• rabbit create_upstream

• settings set_upsa_config

• google add_temp_access_user


EPAM PUBLIC 19

• zone orch_settings

4.4 ASYNCHRONOUS COMMANDS

When a command is executed in Maestro CLI Admin Utility, the CLI is unavailable until the command

execution is complete. However, some commands requiring long time for execution (up to several hours)

are performed in the background while the CLI can be used for other purposes. Such commands are

called asynchronous commands.

When an asynchronous command is executed, its status can be retrieved by the ‘status get’ command. It

shows the command progress or completion together with the data generated during the command

execution. The command syntax is as follows:

status get –g command_group –n command_name

Each asynchronous command can be run only once simultaneously on the same Orchestrator node. If an

asynchronous command has been sent by one of the users, other users cannot send the same command

until the first command instance is completed.

Maestro CLI Admin Utility supports the following asynchronous commands:

• arm check_config Checks ARM configuration

• arm config_project Configures the project for using the ARM API

• arm set_def_groups Applies configuration of Azure security groups

• aws check_config Checks AWS configuration

• aws config_sso Configures AWS SSO

• aws create_account Creates an AWS account via the Organization API

• aws export_billing_data Sets up billing data export

• aws_security set_def_groups Applies configuration of AWS security groups

• billing close_month Closes the billing month.

• billing health_check Checks billing consistency.

• billing send_units_reports Sends business unit reports

• integrity check Checks data integrity.

• csa get_capacity Shows open, close, current values and blocked actions for all CSA regions

• project clean_up Marks instances and volumes as deleted, closes timelines and removes AWS instances usage profiles

• radar aggregate Aggregates Radar data for the specified month

• timeline check_resource Validates all timelines for a resource

• zone delete Marks the specified zone as inactive or deletes it together with all its references.


EPAM PUBLIC 20

• open_stack admin_sg Creates or updates, if exists, the configuration for admin project's security group for the specified security mode

• open_stack cross_region_access

Describes, enables or disables cross-region access for the project

4.5 COMMAND OUTPUT

Execution of some commands results in generation of certain data. Such data is delivered to the user

according to the command settings. The command output can be either the SSH console or the email of

the user which is currently logged in.

The command output is defined by the ‘--target' parameter value which has to be set to ‘ssh_console’ or

‘email’. The following commands support the target selection:

• chef get_nodes

• csa check_offerings

• integrity check

• pricing_policy get

• show all_zones

• show all_projects

• subscription show_default

• aws_security check_mfa

• aws_ri describe

At the same time, with certain commands the user can specify whether the generated data is to be

delivered in the plain text format or in the HTML format. To obtain the command output in the HTML

format, the ‘--html' parameter has to be sent in the command. The following commands support HTML

output:

• chef get_nodes

• integrity check

• instance refresh_missing

• volumes refresh_missing

• show all_zones

• show all_projects

• subscription show_default

If no target selection is offered, the HTML file is delivered to the SSH console.

The ‘aws_security get_backup’ and ‘billing health_check’ commands always deliver data to the user’s

email in the HTML format. No output selection is supported.


EPAM PUBLIC 21

5 COMMAND GROUPS

The commands implemented in Maestro CLI Admin Utility cover various scenarios and issues occurring

in the everyday work of the Cloud Support Team. However, they can be classified under several

categories according to their application and purpose.

5.1 GENERAL

The ‘General’ category of commands includes the commands related to the basic Orchestrator settings

and functions.

5.1.1 SHOW

The ‘show’ group includes the commands used to display the specified items or lists of items.

We recommend starting your introduction to Maestro CLI Admin Utility with this group of commands, as

they can give you the basic idea of how the Admin Utility works, how the command strings are built and

how the responses are organized. At the same time, these commands return a lot of useful data about

the objects and resources managed by EPAM Orchestrator, their parameters and value formats.

The ‘show’ group includes the following commands:

Command Description

show all_projects Shows brief info about all projects. The list of requested projects can be filtered by zone and region names

show all_regions Shows brief info about all regions

show all_zones Shows brief info about all zones. The list of requested zones can be filtered by regions, virtual type and zone status (active/inactive)

show project Shows configuration for the specific project

show zone Shows configuration for the specific zone

show settings Shows general settings for the whole orchestrator

show audit Retrieves admin audit. Provides info about invocation of the specified commands

show project_dls Shows project DL emails to be included in/excluded from ORG Cloud Users

To see the list of arguments used with the commands of the ‘show’ group, type show [command_name]

-h in the command line.

5.1.1.1 show all_projects

Invoke: show all_projects

Shows brief information about all projects. The list of requested projects can be filtered by zone and

region names.

Admin CLI Parameters


-h, --help Display command help No

-z, --zone Virtualization zone No

-r, --region Virtualization region No

--inactive Show only inactive projects No

--active Show only active projects No

--html Use to get output in HTML format No

--target Parameter to indicate where to display the result of the command. Must be one of [ssh_console, file, email]

No


EPAM PUBLIC 22

Response Elements

Name Description

Project name Project name

Project code Project code

Zone name Zone name

Region name Region name

Active States whether the project is active

Billable States whether the project is billable

Command Example

The command below retrieves the list of active projects in the specified zone.

show all_projects --active -z zone

Response example

Command Example

show all_projects --active -z zone --target email

You will receive the email with the command execution results.


EPAM PUBLIC 23

5.1.1.2 show all_regions

Invoke: show all_regions

Retrieves brief information about all regions.



[-h | --help] Display command help No

Response Elements

Name Description

Name Region name

Type Environment type

Zone count Number of virtual zones available in the region

DNS name prefix DNS prefix used for the zone

Command example

show all_regions

Response example

5.1.1.3 show all_zones

Invoke: show all_zones

Shows brief information about all zones. The list of requested zones can be filtered by regions, virtual

type and zone status (active/inactive).




-r, --region Virtualization region No

-v, --virt Filter by virtualization type No

--inactive Show only inactive zones No

--active Show only active zones No

--html Use to get output in HTML format No


No


EPAM PUBLIC 24

Response Elements

Name Description

Zone name Zone name


Virt type Virtual type

Active Show whether the zone is active

Status Show zone status

Node Node name

Command Example

show all_zones -r PROJECT NAME

Response example

Command Example

show all_zones -r PROJECT NAME -t email

You will receive an email with the command execution results.


EPAM PUBLIC 25

5.1.1.4 show project

Invoke: show project

Shows configuration for the specific project.




-p, --project Project abbreviation in EPAM Cloud Yes

-z, --zone Virtualization zone Yes

Response Elements

Name Description

Project name Project name

Active Show whether the project is active

Billable Show whether the project is billable

Zone name Zone name

Region Region name

Quotas Show details about quota

Allowed shape Show allowed shapes

Instance quota Show instance quota

Storage volume quota Show volume quota

Autoconfiguration IP whitelist Show autoconfiguration whitelist

Command Example

show project -p PROJECT_NAME -z ZONE_NAME

Response example


EPAM PUBLIC 26

5.1.1.5 show zone

Invoke: show zone Shows configuration for the specific zone.





Response Elements

Name Description

Zone name Zone name

Virt type Virtual type

Active Show whether the zone is active

Status Show zone status

Command example

show zone -z Zone Name

Response example


EPAM PUBLIC 27

5.1.1.6 show settings

Invoke: show settings

Shows general settings for the whole orchestrator.



[-h | --help] Display command help No

Response Elements

Name Description

Orchestration mode Orchestration mode

Current DB version Show current DB version

Users authorized for testing Show the list of persons authorized for testing

Command example

show settings

Response example

5.1.1.7 show audit

Invoke: show audit

Retrieves admin audit. Provides info about invocation of the specified commands. The command name

should be specified in quotation marks.




-p, --project Project abbreviation in EPAM Cloud No


-g, --group Command group (e.g. "aws") Yes

-c, --command Command name (e.g. "activate_project") Yes

-f, --from The date to describe from in yyyy-MM-dd'T'HH:mm format (UTC) No

-t, --to The date to describe to in yyyy-MM-dd'T'HH:mm format (UTC) No

-l, --limit Limit of audit events (10 by default) No


EPAM PUBLIC 28



No

Response Elements

Name Description

Date Date

User email User email

Command name Command name

Parameters Show the list of parameters of the command

Command example

show audit -g group_name -c "command_name"

Response example

5.1.1.8 show project_dls

Invoke: show project_dl

Shows project DL emails to be included in/excluded from ORG Cloud Users.



-h , --help Display command help No

-f , --file File with the list of ORG Cloud Users emails (copy from Outlook) Yes


EPAM PUBLIC 29

5.1.2 SUBSCRIPTION

The ‘subscription’ group includes the commands related to configuration of notification and report

subscriptions. The following commands are available:

Command Description

subscription show_templates Shows subscription templates

subscription show_default Shows default subscriptions

subscription update_default Updates default subscription

subscription update_template Updates subscription template

To see the list of arguments used with the commands of the ‘subscription’ group, type subscription

[command_name] -h in the command line.

5.1.2.1 subscription show_templates

Invoke: subscription show_templates

Shows subscription templates




-t, --template Template name No

Command example:

subscription show_templates

Response example:

5.1.2.2 subscription show_default

Invoke: subscription show_default

Shows default subscriptions




-t, --template Template name No

--html Use to get output in html format No

--target Parameter to indicate where display result of command. Must

be one of [ssh_console, file, email] No

Command example:

subscription show_default


EPAM PUBLIC 30

Response example:

5.1.2.3 subscription update_default

Invoke: subscription update_default

Updates default subscription




-t, --template Template name Yes

-c, --coordinator Send mail to Project Coordinator No

-p, --primary Send mail to Primary Contact No

-s, --secondary Send mail to Secondary Contact No

-u, --username Send mail to User No

-a, --allow Allow customization [true, false] No

Before you get the response, confirm that you want to perform the operation.

Command example:

subscription update_default -t <template_name>

Response example:

5.1.2.4 subscription update_template

Invoke: subscription update_template

Updates subscription template




-t, --template Template name Yes

-d, --description Template description No


EPAM PUBLIC 31


-e, --enabled Enabled in system [true, false] No

-v, --visible Visible to user [true, false] No


Command example:

subscription update_template -t <template_name>

Response example:

5.1.3 ACCOUNT

The ‘account’ group includes the commands related to EPAM Orchestrator accounts. The following

commands are available:

Command Description

account subscribe Subscribes emails to the given EO account

account unsubscribe Unsubscribes emails from the given EO account

account add_project_to_customer Adds project to the given customer EO account

To see the list of arguments used with the commands of the ‘account’ group, type account


5.1.3.1 account subscribe

Invoke: account subscribe

Subscribes emails to the given EO account




-e, --email Email to subscribe on EO Account. For several - just repeat Yes

-a, --account-id EO Account id Yes

Command example:

account subscribe -e <[email protected]> -a <account->id

Response example:


EPAM PUBLIC 32

5.1.3.2 account unsubscribe

Invoke: account unsubscribe

Unsubscribes emails from the given EO account




-e, --email Email to unsubscribe from EO Account. For several - just

repeat Yes

-a, --account-id EO Account id Yes

Command example:

account unsubscribe -e <[email protected]> -a <account-id>

Response example:

5.1.3.3 account add_project_to_customer

Invoke: account add_project_to_customer

Adds project to the given customer EO account




-i, --account-id EO account id No

-n, --account-name EO account name No


Command example:

account add_project_to_customer -p <project ID>

Response example:


EPAM PUBLIC 33

5.1.4 SETTINGS

The ‘settings’ group includes the commands related to the general system settings. The following


Command Description

settings configure_mail_processing Configures mail processing

settings describe Describes orchestration settings

settings describe_mail_processing Describes mail processing

settings describe_support_mails_receivers Describes support mails receivers

settings edit_test_emails Adds/removes user emails that have access to EO in testing mode

settings epam_metrics Enables or disables EPAM metrics integration

settings get_blacklist Describes blacklist emails

settings get_test_emails Describes emails authorized for testing

settings healthcheck_to Sets health check timeout

settings manage_blacklist Manages blacklist emails

settings manage_emails_authorized_for_m2reporting_testing Adds/removes/describes user emails that authorized for M2 reporting testing

settings manage_prefix_lists_state Enables or disables AWS prefix lists

settings manage_support_mail_receivers Adds and removes receivers for some support reports

settings report_cache Configurates Report Cache

settings set_upsa_config Sets UPSA client configuration

settings switch_m3_key_management Enables or disables M3 mail processing

settings switch_m3_mail_processing Enables or disables M3 mail processing

settings switch_ownership Enables or disables ownership service

settings terraform Enables or disables terraform service

settings upsa Enables or disables UPSA integration

settings zcloud_role Enables or disables UPSA zCloudRole integration

To see the list of arguments used with the commands of the ‘settings’ group, type settings


5.1.4.1 settings configure_mail_processing

Invoke: settings configure_mail_processing

Configures mail processing




-n, --notificationGroup Notification group. For several groups repeat the parameter: -n

GROUP1 -n GROUP2 Yes

-t, --processing-type Processing type [M2, M2_OVER_M3, M3, DISABLED] Yes


EPAM PUBLIC 34

Command example:

settings configure_mail_processing -n <notification group> -t

<processing-type>

Response example:

5.1.4.2 settings describe

Invoke: settings describe

Describes orchestration settings




Command example:

settings describe

Response example:

5.1.4.3 settings describe_mail_processing

Invoke: settings describe_mail_processing

Describes mail processing





EPAM PUBLIC 35

Command example:

settings describe_mail_processing

Response example:

5.1.4.4 settings describe_support_mails_receivers

Invoke: settings describe_support_mails_receivers

Describes support mails receivers




Command example:

settings describe_support_mails_receivers

Response example:

5.1.4.5 settings edit_test_emails

Invoke: settings edit_test_emails

Adds/removes user emails that have access to EO in testing mode




-e, --email A list of user emails to add Yes

-r, --remove Use this flag to remove something instead of adding it No



EPAM PUBLIC 36

Command example:

settings edit_test_emails -e [email protected]

Response example:

5.1.4.6 settings epam_metrics

Invoke: settings epam_metrics

Enables or disables EPAM metrics integrationaccount unsubscribe




-e, --enable Enable metrics integration No

-d, --disable Disable metrics integration No


Command example:

settings epam_metrics

Response example:

5.1.4.7 settings get_blacklist

Invoke: settings get_blacklist

Describes blacklist emails




Command example:

settings get_blacklist

Response example:


EPAM PUBLIC 37

5.1.4.8 settings get_test_emails

Invoke: settings get_test_emails

Describes emails authorized for testing




Command example:

settings get_test_emails

Response example:

5.1.4.9 settings healthcheck_to

Invoke: settings healthcheck_to

Sets health check timeout




-t, --timeout Health check timeout in seconds Yes


Command example:

settings healthcheck_to -t <timeout>

Response example:

5.1.4.10 settings manage_blacklist

Invoke: settings manage_blacklist

Manages blacklist emails




-e, --email A list of user emails to add Yes




EPAM PUBLIC 38

Command example:

settings manage_blacklist

Response example:

5.1.4.11 settings manage_emails_authorized_for_m2reporting_testing

Invoke: settings manage_emails_authorized_for_m2reporting_testing

Adds/removes/describes user emails that authorized for M2 reporting testing




-e, --email A list of user emails to add/remove No

-a, --action Action: add, remove, describe (default action: describe) No


Command example:

settings manage_emails_authorized_for_m2reporting_testing

Response example:

5.1.4.12 settings manage_prefix_lists_state

Invoke: settings manage_prefix_lists_state

Enables or disables AWS prefix lists




-e, --enable Enable AWS prefix lists No

-d, --disable Disable AWS prefix lists No


EPAM PUBLIC 39

Command example:

settings manage_prefix_lists_state

Response example:

5.1.4.13 settings manage_support_mail_receivers

Invoke: settings manage_support_mail_receivers

Adds and removes receivers for some support reportsaccount unsubscribe




-I, --title Title of the report: aws_images_healthcheck_report, instance_run_report Yes

-t, --to List of the receivers in 'to' for the report No

-c, --cc List of the 'cc' for the report No

-a, --add Option for adding specified receivers No

-r, --remove Option for removing specified receivers No


Command example:

settings manage_support_mail_receivers -t

Response example:

5.1.4.14 settings report_cache

Invoke: settings report_cache

Configurates Report Cache





EPAM PUBLIC 40


-e, --report-cache-enabled

Enable Report Cache boolean No

-d, --report-cache-disabled

Disabled Report Cache boolean No


Command example:

settings report_cache

Response example:

5.1.4.15 settings set_upsa_config

Invoke: settings set_upsa_config

Sets UPSA client configuration settings




-l, --upsa-login Upsa login Yes

--host Upsa host Yes


Command example:

settings set_upsa_config -l <upsa-login> --host <upsa host>

Response example:

5.1.4.16 settings switch_m3_key_management

Invoke: settings switch_m3_key_management

Enables or disables M3 mail processing




-e, --enable Enable M3 key management No


EPAM PUBLIC 41


-d, --disable Disable M3 key management No


Command example:

settings switch_m3_key_management

Response example:

5.1.4.17 settings switch_m3_mail_processing

Invoke: settings switch_m3_mail_processing

Enables or disables M3 mail processing




-e, --enable Enable M3 key management No

-d, --disable Disable M3 key management No

Command example:

settings switch_m3_mail_processing

Response example:

5.1.4.18 settings switch_ownership

Invoke: settings switch_ownership

Enables or disables ownership service




-e, --enable Enable ownership service No

-d, --disable Disable ownership service No



EPAM PUBLIC 42

Command example:

settings switch_ownership

Response example:

5.1.4.19 settings terraform

Invoke: settings terraform

Enables or disables terraform service




-e, --enable Enable terraform service No

-d, --disable Disable terraform service No


Command example:

settings terraform

Response example:

5.1.4.20 settings upsa

Invoke: settings upsa

Enables or disables UPSA integration





EPAM PUBLIC 43


-o, --use-off-storage-and-act-directory

Use offline storage and active directory instead of UPSA.

Allowed values: true, false. No

-d, --disable-synchronization

Disable synchronization for projects, users, accounts, etc. from

offline storage, AD or UPSA. Orchestrator will work only with

users from DB. or2acces will be unavailable. Allowed values:

true, false

No


Command example:

settings upsa

Response example:

5.1.4.21 settings zcloud_role

Invoke: settings zcloud_role

Enables or disables UPSA zCloudRole integration




-e, --enable Enable UPSA zCloudRole integration No

-d, --disable Disable UPSA zCloudRole integration No

Command example:

settings zcloud_role

Response example:


EPAM PUBLIC 44

5.1.5 ORCH

The ‘orch’ group includes the commands related to Orchestrator. The following commands are available:

Command Description

orch assign Assigns/unassigns an instance to/from zone

orch assign_cur Assigns/unassigns current instance to/from zone

orch config_healthch Updates healthCheckSettings for instance

orch config_zabbix Updates ZabbixGraphMode configuration for instance

orch dconfig Describes configuration settings from local configuration and database

orch dis_recovery Sets/unsets disaster recovery flag

orch get_instances Gets instances count per node and related zones

orch get_nodes Gets short information about orchestration nodes

orch get_version Get version of application artifacts

orch hardware_devices_integration Manages hardwareDevicesIntegrationSupported flag and hardwareDevicesZoneName

orch integr_service Manages integrationService flag

orch jenkins_service Manages jenkins service flag

orch mob_integr_service Manages mobileFarmIntegrationSupported flag and mobileFarmZoneName

orch switch_mode Switches orchestration modes between Maintenance, Running and Testing

orch set_profile Sets profile for node

Use this command with care, as the Orchestrator mode settings affect entire Orchestrator performance.

To see the list of arguments used with the commands of the ‘orch’ group, type orch [command_name] -

h in the command line.

5.1.5.1 orch assign

Invoke: orch assign

Assigns/unassigns an instance to/from zone




-o, --orch-id An Orchestrator instance ID Yes

-z, --zone The list of zones Yes

-u, --unassign Use this flag to unassign orch from zones No

-b, --billing Use this flag to make orch responsible for billing No

-a, --active Use this flag to make orch instance active No


Command example:

orch assign -o <instance_id> -z <zone>

Response example:


EPAM PUBLIC 45

5.1.5.2 orch assign_cur

Invoke: orch assign_cur

Assigns/unassigns current instance to/from zone




-z, --zone The list of zones Yes

-u, --unassign Use this flag to unassign orch from zones No

-b, --billing Use this flag to make orch responsible for billing No

-a, --active Use this flag to make orch instance active No


Command example:

orch assign_cur -z <zone>

Response example:

5.1.5.3 orch config_healthch

Invoke: orch config_healthch

Updates healthCheckSettings for instance





-t, --timeout Updates healthCheckSettings.reportHealthCheckTimeout

value (integer) No

-m, --mongo Updates healthCheckSettings.mongoLatencyThreshold value

(long millis) No

-r, --rabbit Updates healthCheckSettings.rabbitLatencyThreshold value

(long millis) No


EPAM PUBLIC 46


Command example:

orch config_healthch -o <instance_id>

Response example:

5.1.5.4 orch config_zabbix

Invoke: orch config_zabbix

Updates ZabbixGraphMode configuration for instance





-p, --proxy Updates zabbixGraphMode.proxy value (true/false) No

-r, --renderer Updates zabbixGraphMode.renderer value (true/false) No


Command example:

orch config_zabbix -o <instance_id>

Response example:

5.1.5.5 orch dconfig

Invoke: orch dconfig

Describes configuration settings from local configuration and database




-m, --mode Finds orchestrators in specified mode. Must be one of

[running, maintenance, testing] No

--flag Finds the orchestrator which has the provided flag set to true No

-n, --node Finds orchestrator by name No

Command example:

orch dconfig


EPAM PUBLIC 47

Response example:

5.1.5.6 orch dis_recovery

Invoke: orch dis_recovery

Sets/unsets disaster recovery flag




--on set flag No

--off unset flag No

Command example:

orch dis_recovery

Response example:

5.1.5.7 orch get_instances

Invoke: orch get_instances

Gets instances count per node and related zones




-o, --orch-id An Orchestrator instance ID No

Command example:

orch get_instances


EPAM PUBLIC 48

Response example:

5.1.5.8 orch get_nodes

Invoke: orch get_nodes

Gets short information about orchestration nodes




Command example:

orch get_nodes

Response example:

5.1.5.9 orch get_version

Invoke: orch get_version

Get version of application artifacts




Command example:

orch get_version


EPAM PUBLIC 49

Response example:

5.1.5.10 orch hardware_devices_integration

Invoke: orch hardware_devices_integration

Manages hardwareDevicesIntegration Supported flag and hardwareDevicesZoneName




-o, --orch-id Integration Orchestrator instance id(integrationService : true) Yes

-e, --enabled Enabled flag - true or false Yes



Command example:

orch hardware_devices_integration -o <instance id> -z <zone> -e

<value>

Response example:

5.1.5.11 orch integr_service

Invoke: orch integr_service

Manages integrationService flag




-o, --orch-id] An Orchestrator instance ID Yes

-I, --integr IntegrationService flag - true or false Yes


Command example:

orch integr_service -o <instance id> -I <value>


EPAM PUBLIC 50

Response example:

5.1.5.12 orch jenkins_service

Invoke: orch jenkins_service

Manages jenkins service flag





-j, --jenkins Jenkins service flag - true or false Yes


Command example:

orch jenkins_service -o <instance id> -j <value>

Response example:

5.1.5.13 orch mob_integr_service

Invoke: orch mob_integr_service

Manages mobileFarmIntegrationSupported flag and mobileFarmZoneName




-o, --orch-id Integration Orchestrator instance id (integrationService : true) Yes

-e, --enabled Enabled flag - true or false Yes



Command example:

orch mob_integr_service -o <instance id> -e <value>

Response example:


EPAM PUBLIC 51

5.1.5.14 orch switch_mode

Invoke: orch switch_mode

Switches orchestration modes between Maintenance, Running and Testing




-o, --orch-id An Orchestrator instance ID No

-m, --mode Mode to switch to. Possible values [RUNNING, TESTING, MAINTENANCE] Yes

--all To switch mode on all instances No

-I, --ignore-billing-lock To ignore billing lock while changing status to MAINTENANCE No


Command example:

orch switch_mode -m <mode>

Response example:

5.1.5.15 orch set_profile

Invoke: orch set_profile

Sets profile for node




-b, --billing-node New billing node name No

-m, --mail-node New node for emails processing No

-i, --ip-validation-node

New node for ip validation report No

-q, --qualys-node New node for qualys job processors No

--monitoring-node

New monitoring node No

-u, --ui-node UI node name No

-v, --virt-schedules-

invoker

This node regularly updates AWS IAM users and checks statuses of Azure subscriptions

No

-s, --monitors-schedules

This node will send “Broken schedules” report and set schedules from Schedules collection to PENDING state if they were in PROCESSING state more than two hours

No


EPAM PUBLIC 52


-c, --chef-data-provider

This node caches chef monitoring data and generates "Problems found with Chef monitoring" report

No

-a, --active-node [Set node as active No

-r, --core-operations-scheduler

This flag enables the following core scheduled operations: update Upsa users, update projects and accounts from Upsa, check maestro stacks state, backup mongo, execute user schedule, create email report "User schedule execution report", release expired locks in Locks collection

No

--chef-supported

Enables chef schedule processor, that gathers monitoring data from chef and updates chef roles for zones No

--report-operations-scheduler

Enables report operations scheduler on the node No

--archive-operations-scheduler

Enables scheduled archiving for collection IntegrationEvents, lets you call audit archive operation from JMX

No

--change-owner-processor

Enables

[CHANGE_OWNER_POSTPONED_NOTIFICATION_PROCESSOR,

CHANGE_OWNER_PROCESSOR] job processor on node

No

--run-hardware-instance-processor

Enables [RUN_HARDWARE_INSTANCE_PROCESSOR] job

processor on node No

--terminate-unused-

instances-processor

Enables

[TERMINATE_UNUSED_PERSONAL_INSTANCES_PROCESSOR]

job processor on node

No

--terminate-resources-processor

Enables [TERMINATE_RESOURCES_PROCESSOR] job processor

on node No

--aws-inspector-assessment-run-

processor

Enables

[AWS_INSPECTOR_ASSESSMENT_RUN_JOB_PROCESSOR] job

processor on node

No

--aws-proxy Enables awsProxy calls on the node No

--flag-value * Flag value. Allowed values: [true, false] Yes


Command example:

orch set_profile -b <billing-node> --flag-value <value>

Response example:


EPAM PUBLIC 53

5.1.6 INIT

The ‘init’ group includes the commands related to Orchestrator initialization. The following commands are

available:

Command Description

init config Initializes the OrchestratorConfig collection

init region Initializes the Regions collection

init settings Initializes the OrchestrationSettings collection

init version Initializes the Version collection

The commands of the ‘init’ group type are used without arguments, as their action consists of initializing

the specified collection.

5.1.6.1 init config

Invoke: init config

Initializes the OrchestratorConfig collection





Command example:

init config

Response example:


EPAM PUBLIC 54

5.1.6.2 init region

Invoke: init region

Initializes the Regions collection




-r, --region Region name Yes


Command example:

init region -r <region name>

Response example:

5.1.6.3 init settings

Invoke: init settings

Initializes the OrchestrationSettings collection





Command example:

init settings

Response example:

5.1.6.4 init version

Invoke: init version

Initializes the Version collection






EPAM PUBLIC 55

Command example:

init version

Response example:

5.1.7 INTEGRITY

The ‘integrity’ group includes the ‘integrity check’ command checking the data integrity. The command

also includes the integrity check settings.

Command Description

integrity check Checks data integrity

To see the list of arguments used with the ‘integrity check’ command, type integrity check -h in the

command line.

5.1.7.1 integrity check

Invoke: integrity check

Checks data integrity




-m, --mode Check mode: [ALL, QUICK (by default), AUDIT, BILLING] No

-q, --show-queries Switch on/off queries No

-d, --show-broken-documents

Switch on/off broken documents No

-v, --verbosity Verbosity level: [WARN (by default), ERROR] No

-c, --checker Checkers ID. Specify this parameter to activate necessary checkers No


--target Parameter to indicate where display result of command. Must

be one of [ssh_console, file, email] No

The command will be executed in the asynchronous mode.

Command example:

integrity check


EPAM PUBLIC 56

Response example:

5.1.8 CLI

The ‘cli’ group includes ‘cli notify’ command notifying the user about CLI update. The ‘cli notify’

command uses no arguments.

Command Description

cli notify Notifies users about recent CLI update

5.1.8.1 cli notify

Invoke: init version

Notifies users about recent CLI update




Command example:

cli notify

Response example:


EPAM PUBLIC 57

5.1.9 STATUS

The ‘status’ group includes the commands related to command status. The following commands are

available:

Command Description

status get Retrieves current status of the asynchronous commands

status interrupt Interrupts asynchronous command execution if the command supports it

To see the list of arguments used with the commands of the ‘status’ group, type status [command_name]


5.1.9.1 status get

Invoke: status get

Retrieves current status of the asynchronous commands




-g, --group Command group Yes

-n, --name Command name Yes

--target Parameter to indicate where display result of command. Must be one of [ssh_console, file, email]

No

Command example:

status get -g <command group> -n <command name>

Response example:

5.1.9.2 status interrupt

Invoke: status interrupt

Interrupts asynchronous command execution if the command supports it




-g, --group Command group No

-n, --name Command name No

Command example:

status interrupt -g <command group> -n <command name>


EPAM PUBLIC 58

Response example:

5.2 SECURITY

The ‘Security’ category includes the commands related to user account management, permission

assignment and mapping, as well as the settings and configuration of Qualys security scanner.

5.2.1 ADMIN

The ‘admin’ group includes commands related to admin user and admin user groups management. The

following commands are available:

Command Description

admin add_group Adds new admin user group

admin add_user Adds new admin user

admin delete_group Deletes admin user group

admin delete_user Deletes admin user

admin describe_group Describes available Admin CLI user groups with allowed and blocked actions

admin get_groups Displays the list of Admin CLI user groups

admin get_users Displays the list of Admin CLI users for the specified group or retrieves info about the user according his email

admin update_group Updates admin user group

admin update_user Updates existing active users

To see the list of arguments used with the commands of‘admin’ group, type admin [command_name] -h

in the command line.

5.2.1.1 admin add_group

Invoke: admin add_group

Adds new admin user group




-n, --group-name User group name Yes

-a, --allowed-actions Allowed actions in format: <command_group>:<command1>,<command2> or <command_group>:

Yes

-b, --blocked-actions Blocked actions in format: <command_group>:<command1>,<command2>

No

Command example:

admin add_group --group-name <group name> --allowed-actions <group:*>

--blocked-actions <group:command>

Response example:


EPAM PUBLIC 59

5.2.1.2 admin add_user

Invoke: admin add_user

Adds new admin user




-e, --email User email Yes

-k, --public-key User SSH public key Yes

-g, --group Admin user group name Yes

Command example:

admin add_user --email <[email protected]> --group <group name> --

public-key <public key name>

Response example:

5.2.1.3 admin delete_group

Invoke: admin delete_group

Deletes admin user group





Command example:

admin delete_group --group-name <group name>

Response example:

5.2.1.4 admin delete_user

Invoke: admin delete_user

Deletes admin user




-e, --email Admin username Yes

Command example:

admin delete_user --email <[email protected]>


EPAM PUBLIC 60

Response example:

5.2.1.5 admin describe_group

Invoke: admin describe_group

Describes available Admin CLI user groups with allowed and blocked actions





Command example:

admin describe_group --group-name <group name>

Response example:

5.2.1.6 admin get_groups

Invoke: admin get_groups

Displays the list of Admin CLI user groups




-a, --all-groups Show all groups. Deleted groups are not displayed by default Yes

Command example:

admin get_groups

Response example:


EPAM PUBLIC 61

5.2.1.7 admin get_users

Invoke: admin get_users

Displays the list of Admin CLI users for the specified group or retrieves info about the user according his

email




-e, --email User email No

-g, --group-name User group name No

-a, --all-users Show all users. Deleted users are not displayed by default Yes

Command example:

admin get_users --email <[email protected]>

Response example:

5.2.1.8 admin update_group

Invoke: admin update_group

Updates admin user group





-a, --allowed-actions Allowed actions in format: <command_group>:<command1>,<command2> or <command_group>:

Yes

-b, --blocked-actions Blocked actions in format: <command_group>:<command1>,<command2>

No

Command example:

admin update_group --group-name <group name> --allowed-actions

<group:*> --blocked-actions <group:command2>

Response example:

5.2.1.9 admin update_user

Invoke: admin update_user

Updates existing active users




EPAM PUBLIC 62



-e, --email User email Yes

-k, --public-key User SSH public key

-g, --group Admin user group name

Command example:

admin update_user --email <[email protected]> --group <group name>

Response example:

5.2.2 PERMISSION

The ‘permission’ group includes the commands related to user and permission management. The


Command Description

permission add_group Adds a new permission group with the list of allowed and denied actions. Permission group can be added for the project

permission add_pmc_mapping Adds project role permission group mapping

permission add_user Creates a new autouser

permission add_user_mapping Adds user permission group mapping for the specified user

permission assign Assigns an autouser to a project

permission del_group Removes permission group

permission del_pmc_mapping Removes project role permission group mapping

permission del_user Deletes simple user

permission del_user_mapping Removes user permission group mapping

permission get_perm_groups Gets the list of available actions for the specified group, that can be performed by the user in Maestro CLI

permission get_user_mapping Describes permission group mappings for the specified user

permission prolong_group_mapping

Change expiration date permission group mapping

permission set_user_requestor Sets requestor for a simple user

permission unassign Unassigns an autouser from a project

To see the list of arguments used with the commands of the ‘permission’ group, type permission


5.2.2.1 permission add_group

Invoke: permission add_group

Adds a new permission group with the list of allowed and denied actions. Permission group can be added

for the project




-g, --group Permission group name. Yes

-o, --operation Operation name. For several operation repeat the parameter Yes



EPAM PUBLIC 63

Command example:

permission add_group --group <group name> --operation <operation name>

--project <project name>

Response example:

5.2.2.2 permission add_pmc_mapping

Invoke: permission add_pmc_mapping

Adds project role permission group mapping




-r, --role-id Project role id Yes

-g, --group Permission group name. For several groups repeat the parameter

Yes


-x, --expiration-date Permission expiration date. Valid date format: [yyyy-MM-dd] No

Command example:

add_pmc_mapping --role-id <role id> --group <group name>

Response example:

5.2.2.3 permission add_user

Invoke: permission add_user

Creates a new autouser




-e, --email User email address Yes

-u, --username User full name Yes

-l, --login User login Yes

-r, --requestor Requestor of the simple user No

Command example:

add_user --email <[email protected]> --username <full name> --login

<user login>

Response example:


EPAM PUBLIC 64

5.2.2.4 permission add_user_mapping

Invoke: permission add_user_mapping

Adds user permission group mapping for the specified user






-g, --group Permission group name. For several groups repeat the parameter

Yes

-x, --expiration-date Permission expiration date. Valid date format: [yyyy-MM-dd] No

Command example:

add_user_mapping --email <[email protected]> --group <group name>

Response example:

5.2.2.5 permission assign

Invoke: permission assign

Assigns an autouser to a project






--force Force operation even for EPAM user No

Command example:

assign --email <[email protected]> --project < project name>

Response example:

5.2.2.6 permission del_group

Invoke: permission del_group

Removes permission group




-g, --group Permission group name. Yes


Command example:

del_group --group <group name> --project <project name>


EPAM PUBLIC 65

Response example:

5.2.2.7 permission del_pmc_mapping

Invoke: permission del_pmc_mapping

Removes project role permission group mapping




-r, --role-id Project role id Yes


Command example:

del_pmc_mapping --role-id <role id> --project <project name>

Response example:

5.2.2.8 permission del_user

Invoke: permission del_user

Deletes simple user





Command example:

del_user --email <[email protected]>

Response example:

5.2.2.9 permission del_user_mapping

Invoke: permission del_user_mapping

Removes user permission group mapping






Command example:

del_user_mapping --email <[email protected]> --project <project name>


EPAM PUBLIC 66

Response example:

5.2.2.10 permission get_perm_groups

Invoke: permission get_perm_groups

Gets the list of available actions for the specified group, that can be performed by the user in Maestro CLI




-n, --name Permission group name No


Command example:

get_perm_groups --name <permission group name> --project <project

name>

Response example:

5.2.2.11 permission get_user_mapping

Invoke: permission get_user_mapping

Describes permission group mappings for the specified user




-e, --email User email address No

-r, --role-id Project role id No


Response Elements

Name Description

Permission group names Permission group names

Project Project name


EPAM PUBLIC 67

Response Elements

Name Description

Role ID Role id

Email User email address

Creation date Creation date

Expiration date Expiration date

Command example:

get_user_mapping --role-id <role id> --project <project name>

Response example:

5.2.2.12 permission prolong_group_mapping

Invoke: permission prolong_group_mapping

Changes expiration date permission group mapping




-r, --role-id Project role id No


-e, --email User email address No

-x, --expiration-date Permission expiration date. Valid date format: [yyyy-MM-dd] Yes

Command example:

prolong_group_mapping --role-id <role id> --project <project name> --

expiration-date <expiration date>

Response example:

5.2.2.13 permission set_user_requestor

Invoke: permission set_user_requestor

Sets requestor for a simple user





-r, --requestor Requestor of the simple user Yes


EPAM PUBLIC 68

Command example:

set_user_requestor --email <[email protected]> --requestor

<[email protected]>

Response example:

5.2.2.14 permission unassign

Invoke: permission unassign

Unassigns an autouser from a project






--force Force operation even for EPAM user No

Command example:

unassign --email <[email protected]> --project <project name>

Response example:

5.2.3 SECURITY

The ‘security’ group includes the commands related to security management. The following commands

are available:

Command Description

security get_def_group Sends current default security groups configuration

security update_def_group Adds ingress rule to a specified security group

security update_security_cont Updates security contact

security vulnerability_report Sends vulnerability report for single project

To see the list of arguments used with the commands of the ‘security’ group, type security


5.2.3.1 security get_def_group

Invoke: security get_def_group

Sends current default security groups configuration




-g, --security-group-name

Security group name No

Command example:


EPAM PUBLIC 69

security get_def_group

Response example:

5.2.3.2 security update_def_group

Invoke: security update_def_group

Adds ingress rule to a specified security group




-g, --security-group-name

Security group name Yes

-i, --ip-range IPv4 CIDR range to add new rule in a specified security group.

Example: 74.11.192.96/27 Yes

-d, --description Description No


Command example:

security update_def_group -g <security-group-name> -i <ip-range>

Response example:

5.2.3.3 security update_security_cont

Invoke: security update_security_cont

Updates security contact




-e, --email Security contact emails. For several emails repeat the parameter: -e EMAIL1 -e EMAIL2 -e EMAIL3

Yes

-p, --phone Security contact phone. Provide a security contact international information phone number including the country code (for example,+1-425-1234567)

No

Command example:

security update_security_cont -e <email>

Response example:


EPAM PUBLIC 70

5.2.3.4 security vulnerability_report

Invoke: security vulnerability_report

Sends vulnerability report for single project






Command example:

security vulnerability_report -p <project>

Response example:

5.2.4 USER

The ‘user’ group includes the commands related to user management. The following commands are

available:

Command Description

user describe Describes the specified user

user import_from_upsa Imports the specified user from UPSA

user prolong_access_token Prolong access token for the autouser

user refresh Refreshes the status of the specified user in EPAM Cloud Orchestrator and activates personal projects if they are not activated

To see the list of arguments used with the commands of the ‘user’ group, type user [command_name] -


5.2.4.1 user describe

Invoke: user describe

Describes the specified user





Command example:

describe --email <[email protected]>

Response example:


EPAM PUBLIC 71

5.2.4.2 user import_from_upsa

Invoke: user import_from_upsa

Imports the specified user from UPSA





Command example:

import_from_upsa --email <[email protected]>

Response example:

5.2.4.3 user prolong_access_token

Invoke: user prolong_access_token

Prolong access token for the autouser





-r, --reason Reason to prolong access Yes

-d, --date Date prolong to in format YYYY-MM-DD. Must be in future and not exceed one year from now Yes

Command example:

prolong_access_token --email <[email protected]> --reason <reason>

--date <YYYY-MM-DD>

Response example:

5.2.4.4 user refresh

Invoke: user refresh


EPAM PUBLIC 72

Refreshes the status of the specified user in EPAM Cloud Orchestrator and activates personal projects if

they are not activated





Command example:

refresh --email <[email protected]>

Response example:

5.2.5 LUMINATE

The ‘luminate’ group includes the commands related to Luminate configuration. The following commands

are available:

Command Description

luminate add_site Adds Luminate site

luminate setup Sets up Luminate configuration

luminate update_app Update EO Luminate application config

luminate update_settings Updates Luminate settings

To see the list of arguments used with the commands of the ‘luminate’ group, type luminate


5.2.5.1 luminate add_site

Invoke: luminate add_site

Adds Luminate site





-s, --site-id Site ID Yes

Command example:

luminate add_site -z <zone> -s <site-id>

Response example:

5.2.5.2 luminate setup

Invoke: luminate setup

Sets up Luminate configuration


EPAM PUBLIC 73




-i, --client-id Client ID Yes

Command example:

luminate setup -i <client-id>

Response example:

5.2.5.3 luminate update_app

Invoke: luminate update_app

Update EO Luminate application config




-n, --node Orchestration node Luminate application will point to No

-z, --zone Zone name which Luminate site will used No

Command example:

luminate update_app

Response example:

5.2.5.4 luminate update_settings

Invoke: luminate update_settings

Updates Luminate settings




-n, --node Orchestration node Luminate application will point to No

-z, --zone Zone name which Luminate site will used No

Command example:

luminate update_settings

Response example:


EPAM PUBLIC 74

5.2.6 QUALYS

The ‘qualys’ group includes the commands related to Qualys platform management. The following


Command Description

qualys add_cv_policy Adds Cloud View policy to Qualys platform

qualys configure_platform Configures Qualys platform

qualys create_connector Creates new Cloud View Connector for the specified project

qualys delete_connector Deletes Cloud View Connector from Qualys for the specified project

qualys get_connector Gets Cloud View Connector from Qualys for the specified project

qualys get_platform Displays Qualys platform configuration

qualys list_cv_policies Lists Cloud View policies in Qualys platform

qualys list_platforms Lists all Qualys platforms

qualys manage_excluded_controls Sets Qualys Cloud View Controls to Qualys Platform as excluded

qualys remove_cv_policy Removes Cloud View policy from Qualys platform

qualys update_platform Updates Qualys platform config

To see the list of arguments used with the commands of the ‘qualys’ group, type qualys

[command_name] -h in the command line

5.2.6.1 qualys add_cv_policy

Invoke: qualys add_cv_policy

Adds Cloud View policy to Qualys platform




-i, --platform-id Qualys platform id Yes

-p, --policy-id Policy id Yes

-t, --policy-title Policy title Yes

-c, --cloud Cloud provider Yes

Command example:

qualys add_cv_policy -i <platform-id> -p <policy-id> -t <policy-

title> -c <cloud>

Response example:

5.2.6.2 qualys configure_platform

Invoke: qualys configure_platform

Configures Qualys platform


EPAM PUBLIC 75




-n, --name Qualys platform name Yes

--api-host Qualys Platform API host (example: qualysapi.qualys.com) Yes

--platform-host Qualys Platform host (example: qualysguard.qualys.com) Yes

--port Platform API port Yes

--protocol Platform API protocol [HTTP, HTTPS] Yes

-l, --login Qualys login Yes

-p, --password Qualys password Yes

--drt, --default-report-template

Default report template Yes

--drf, --default-report-format

Default report format Yes

--default Is default qualys platform No

Command example:

qualys configure_platform -n <qualys platform name> --api-host <value>

-platform-host <value> --port <value> --protocol <value> --drt

<default-report-template> --drf <default-report-format> -l <login>

-p <password>

Response example:

5.2.6.3 qualys create_connector

Invoke: qualys create_connector

Creates new Cloud View Connector for the specified project







Command example:

qualys create_connector -i <platform-id> -p <project> -c <cloud>

Response example:


EPAM PUBLIC 76

5.2.6.4 qualys delete_connector

Invoke: qualys delete_connector

Deletes Cloud View Connector from Qualys for the specified project







Command example:

qualys delete_connector -p <project> -i <platform-id> -c <cloud>

Response example:

5.2.6.5 qualys get_connector

Invoke: qualys get_connector

Gets Cloud View Connector from Qualys for the specified project








EPAM PUBLIC 77

Command example:

qualys get_connector -p <project> -i <platform-id> -c <cloud>

Response example:

5.2.6.6 qualys get_platform

Invoke: qualys get_platform

Displays Qualys platform configuration




-i, --id Qualys platform id Yes

Command example:

qualys get_platform -id <platform id>

Response example:


EPAM PUBLIC 78

5.2.6.7 qualys list_cv_policies

Invoke: qualys list_cv_policies

Lists Cloud View policies in Qualys platform





-p, --policy-id Policy id No

-c, --cloud Cloud provider No

Command example:

qualys list_cv_policies -i <platform-id>

Response example:

5.2.6.8 qualys list_platforms

Invoke: qualys list_platforms

Lists all Qualys platforms




Command example:

qualys list_platforms

Response example:


EPAM PUBLIC 79

5.2.6.9 qualys manage_excluded_controls

Invoke: qualys manage_excluded_controls

Sets Qualys Cloud View Controls to Qualys Platform as excluded





-c, --control Control Id. For several shapes repeat the parameter: -c CID1 -

c CID2 -c CID3 Yes

-a, --add Use this flag to add excluded controls No

-r, --remove Use this flag to remove excluded controls No

Command example:

qualys manage_excluded_controls -i <platform-id> -c <control>

Response example:

5.2.6.10 qualys remove_cv_policy

Invoke: qualys remove_cv_policy

Removes Cloud View policy from Qualys platform





-p, --policy-id Policy id Yes

Command example:

qualys remove_cv_policy -i <platform-id> -p <policy-id>

Response example:

5.2.6.11 qualys update_platform

Invoke: qualys update_platform

Updates Qualys platform config




-i, --id Qualys platform id Yes


EPAM PUBLIC 80


-n, --name Qualys platform name No

--api-host Qualys Platform API host (example: qualysapi.qualys.com) No

--platform-host Qualys Platform host (example: qualysguard.qualys.com) No

--port Platform API port No

--protocol Platform API protocol [HTTP, HTTPS] No

-l, --login Qualys login No

-p, --password Qualys password No

--drt, --default-report-template

Default report template No

--drf, --default-report-format

Default report format No

--default Is default qualys platform No

Command example:

qualys update_platform -id <platform id>

Response example:

5.3 INFRASTRUCTURE

The ‘Infrastructure’ category includes the commands related to different resources existing in EPAM

Cloud and to the overall infrastructure of the system.

5.3.1 ZONE

The ‘zone’ group includes the commands related to zone management. The following commands are

available:

Command Description

zone add Adds a new zone

zone add_location Adds physical location for the specified zone

zone change_status Changes zone in YYYY-MM-DDTHH format

zone conf_service Configures EPAM Cloud Services for the specified zone

zone configure_qualys Configures Qualys properties for the specified zone

zone delete Marks zone as inactive or deletes zone and all references

zone deprecate Deprecates the specified zone. Deprecated zone means that it has limited functionality and will be removed in the nearest future. Usually, zone gets deprecated when it migrates to another region.

zone describe_locations Describes zone locations

zone get_actions Displays actions blocked for the specified zone

zone get_admins Displays the list of administrators for the specified zone

zone get_default_scan_service Displays default scan service for zone

zone get_nonadmin_act Displays actions blocked for non admins

zone get_resources Displays all active resources in the specified zone on email

zone manage_actions Manages actions blocked for the specified zone

zone manage_admins Adds or removes users to the list of administrators of the specified zone


EPAM PUBLIC 81

zone manage_user_schedules Manages user schedules for a zone

zone non_admins_act Manages actions blocked for non-administrators

zone orch_settings Sets zone orchestration settings

zone set_default_scan_service Sets default scan service for zone

zone set_location Sets zone location

zone set_virt_profile Configures the specified zone

zone switch_mode Manages integrationMode flag

To see the list of arguments used with the commands of the ‘zone’ group, type zone [command_name] -


5.3.2 PROJECT

The ‘project’ group includes the commands related to project management. The following commands are

available:

Command Description

project activate Activates an project(ENTERPRISE or WORKSPACE) in EPAM Cloud Orchestrator

project activ_dl Activates project DL in AWS

project check_billing_types Checks billing projects types consistency

project clean_up Marks instances and volumes as deleted, closes timelines and removes instances usage profiles

project deactivate Deactivates the specified project

project del_dl Removes project DL in AWS

project del_ip_wl Deletes IP addresses white list for project

project delete Deletes the project

project describe_blacklist Describes blacklist of projects

project get_ip_wl Describes IP addresses white list for the project

project hide Hides the project in the specified zone from UI and CLI

project link Links one project to another and disables quotas for the linked project

project manage_blacklist Adds and removes projects from the blacklist

project set_ac_flag Sets autoconfiguration flag for the project

project set_act_ins_quota Sets up project active instance quota

project set_custom_chef Sets or unsets project's custom chef server

project set_default_owner Sets a default owner for the project. All notifications about orphan resources will be sent to his email.

project set_default_vlan Sets a default VLAN for the specified project and zone. For OpenStack regions only. Do not use command for CSA-type zone.

project set_expiration_date Sets expiration date for a project in specific zone

project set_ip_wl Sets IP addresses white list for the project

project set_personal_quota Sets the quota level for the specified position

project set_quota Sets up monthly project quotas and quota notification plan for the project resources

project set_shapes Sets allowed shapes for the project in the specified zone

project set_type Sets project type

project unhide Unhides the project in the specified zone from UI and CLI

project unlink Breaks links of the specified project

project update_threshold Update threshold size for the project in specified zone

To see the list of arguments used with the commands of the ‘project’ group type project



EPAM PUBLIC 82

5.3.2.1 project activate

Invoke: project activate

Activates a project (ENTERPRISE or WORKSPACE) in EPAM Cloud Orchestrator





-z, --zone Virtualization zone. It supports following zones' types: ENTERPRISE, WORKSPACE Yes

-f, --fake-project Fake project No

Response Elements

Name Description

pmcCode Project code

name Project name

zone Zone name

shapes Shapes

primaryContacts Primary contacts

secondaryContacts Secondary contacts

instanceCreationIntervalHours Instance creation interval described in hours

volumeCreationIntervalHours Volume creation interval described in hours

maxVolumeSizeGb Maximum volume size in Gb

activationDate Activation date

expirationDate Expiration date

subscriptionId Subscription ID

Command example:

activate --project <project name> --zone <zone name>

Response example:

5.3.2.2 project activ_dl

Invoke: project activ_dl

Activates project DL in AWS






EPAM PUBLIC 83

Command example:

activ_dl --project <project name>

Response example:

5.3.2.3 project check_billing_types

Invoke: project check_billing_types

Checks billing projects types consistency




Command example:

check_billing_types

Response example:

5.3.2.4 project clean_up

Invoke: project clean_up

Marks instances and volumes as deleted, closes timelines and removes instances usage profiles




-z, --zone Single zone or type: EPAM, HARDWARE, AWS, AZURE, GOOGLE

Yes


-r, --resource-type Resource type: INSTANCE, VOLUME, MACHINE_IMAGE. All if it is empty.

No

Command example:

clean_up --zone <zone name> --project <project name> --resource-type

<resource type+ >



EPAM PUBLIC 84

Response example:

5.3.2.5 project deactivate

Invoke: project deactivate

Deactivates the specified project




-z, --zone Virtualization zone. You can use virt type instead of zone name (only AWS, AZURE, GOOGLE supported) or ALL to deactivate specified project in all zones

Yes

-p, --project Project abbreviation in EPAM Cloud. You can use ALL to deactivate all projects in the specified zone Yes

-r, --no-resources Use this flag to deactivate all projects without active resources in specified zone No

-f, --force Use this flag to ignore project state No

Response Elements

Name Description


zone Zone name



active Status



Command example:

deactivate --zone <zone name> --project <project name>

Response example:


EPAM PUBLIC 85

5.3.2.6 project del_dl

Invoke: project del_dl

Removes project DL in AWS





Command example:

del_dl --project <project name>

Response example:

project del_ip_wl

Invoke: project del_ip_wl

Deletes IP addresses white list for project






-a, --ip-addresses IP addresses list for delete Yes

Command example:

del_ip_wl --project <project name> --zone <zone name> -a <ip

addresses>

Response example:

5.3.2.7 project delete

Invoke: project delete

Deletes the project







EPAM PUBLIC 86

Command example:

delete --project <project name> --zone <zone name>

Response example:

5.3.2.8 project describe_blacklist

Invoke: project describe_blacklist

Describes blacklist of projects






Command example:

describe_blacklist

Response example:

5.3.2.9 project get_ip_wl

Invoke: project get_ip_wl

Describes IP addresses white list for the project






Command example:

get_ip_wl --project <project name> --zone <zone name>

Response example:


EPAM PUBLIC 87

5.3.2.10 project hide

Invoke: project hide

Hides the project in the specified zone from UI and CLI






Command example:

hide --project <project name> --zone <zone name>

Response example:

5.3.2.11 project link

Invoke: project link

Links one project to another and disables quotas for the linked project




-p, --project Project abbreviation in UPSA that should be linked Yes

-l, --link-to Project abbreviation in UPSA to what this project should be linked Yes

-d, --linked-date Project linked date. Valid date format: [yyyy-MM] No

Command example:

link --project <demo-project> --link-to <link>

Response example:

5.3.2.12 project manage_blacklist

Invoke: project manage_blacklist

Adds and removes projects from the blacklist




-p, --project Project abbreviation in UPSA, multiple parameter Yes

-z, --zone Zone name, multiple parameter No

-a, --add Option for adding specified projects No

-r, --remove Option for removing specified projects No


EPAM PUBLIC 88

Command example:

manage_blacklist --project <project name> --<action>

Response example:

5.3.2.13 project set_ac_flag

Invoke: project set_ac_flag

Sets autoconfiguration flag for the project






-t, --disableType AutoConfiguration disable type. Allowed values are: [ALL, WINDOWS, LINUX, NONE]. No

-a, --action Manage action, allowed values are: [describe, setup]. By default is describe No

Command example:

set_ac_flag --project <project name> --zone <zone name>

Response example:

5.3.2.14 project set_act_ins_quota

Invoke: project set_act_ins_quota

Sets up project active instance quota






EPAM PUBLIC 89


-v, --value New value for active instance quota Yes

--all-personal Option for setup quota for all personal projects No

Command example:

set_act_ins_quota --project <project name> --value <quota value>

Response example:

5.3.2.15 project set_custom_chef

Invoke: project set_custom_chef

Sets or unsets project's custom chef server






-c, --clear Clear custom chef config No

--host Custom chef's host. host:port or ip:port. i.e. ec2-107-21-220-70.compute-1.amazonaws.com:4000 No

-u, --validation-key-url Chef's validation key URL No

Command example:

set_custom_chef --project <project name> --zone <zone name> --host

<host name>

Response example:

5.3.2.16 project set_default_owner

Invoke: project set_default_owner

Sets a default owner for the project. All notifications about orphan resources will be sent to his email.





-u, --username User full name Yes

Command example:

set_default_owner --project demo-project --username demo-name

Response example:


EPAM PUBLIC 90

5.3.2.17 project set_default_vlan

Invoke: project set_default_vlan

Sets a default VLAN for the specified project and zone. For OpenStack regions only. Do not use

command for CSA-type zone.






-v, --vlan Name of the vlan No

Command example:

set_default_vlan --zone <zone name> --project <project name> --vlan

<vlan id>

Response example:

5.3.2.18 project set_expiration_date

Invoke: project set_expiration_date

Sets expiration date for a project in specific zone





-z, --zone Virtualization zone. You can use virt type instead of zone name (only AWS, AZURE, GOOGLE supported) or ALL to set expiration date for specified project in all zones

Yes

-x, --expiration-date Project expiration date. Valid date format: [yyyy-MM-dd] Yes

Command example:

set_expiration_date --project <project name> --zone <zone name> --

expiration-date < expiration date yyyy-mm-dd>

Response example:


EPAM PUBLIC 91

5.3.2.19 project set_ip_wl

Invoke: project set_ip_wl

Sets IP addresses white list for the project






-a, --ip-addresses IP addresses list Yes

-o, --override Override the existing ip white list No

Command example:

set_ip_wl --project <project name> --zone <zone name> --ip-addresses

<ip addresses>

Response example:

5.3.2.20 project set_personal_quota

Invoke: project set_personal_quota

Sets the quota level for the specified position




-i, --id Job Function Id Yes

-l, --level Quota level Yes

Command example:

set_personal_quota --id <id> --level <level>

Response example:

5.3.2.21 project set_quota

Invoke: project set_quota

Sets up monthly project quotas and quota notification plan for the project resources






-t, --type Quota type [ALL, ALL_AWS, ALL_AZURE, ALL_GOOGLE, ALL_EPAM, EACH, EACH_AWS, EACH_AZURE, EACH_GOOGLE, EACH_EPAM, SINGLE (per region)]

Yes


EPAM PUBLIC 92


--stop Quota exceed action STOP [true, false] No

--approve, --allow-after-approve

Quota exceed action ALLOW_AFTER_APPROVE [true, false] No

--deny, --deny-run-vm Quota exceed action DENY_RUN_VM [true, false] No

-a, --activate Activates quota No

-d, --deactivate Deactivates quota No

-q, --quota Quota amount - maximum allowed monthly cost for the project in the selected region No

-n, --notification-plan Quota notifications, [90%, 100%] by default. For several notifications repeat the parameter No

Command example:

set_quota --project <project name> --a <activate> --stop <value>

--allow-after-approve <value>--deny-run-vm <value> --type <value>

--quota <value>

Response example:

5.3.2.22 project set_shapes

Invoke: project set_shapes

Sets allowed shapes for the project in the specified zone






-s, --shape Shape name. For several shapes repeat the parameter: -s SHAPE1 -s SHAPE2 -s SHAPEN Yes

-o, --override Override the existing shapes No

Command example:

set_shapes --project <project name> --zone <zone name> --shape <shape

name>

Response example:

5.3.2.23 project set_type

Invoke: project set_type

Sets project type





EPAM PUBLIC 93



-t, --type Project type: BILLABLE, NOT_BILLABLE, NOT_DEFINED Yes

Command example:

set_type --project <project name> --type <project type>

Response example:

5.3.2.24 project unhide

Invoke: project unhide

Unhides the project in the specified zone from UI and CLI






Command example:

unhide --project <project name>

Response example:

5.3.2.25 project unlink

Invoke: project unlink

Breaks links of the specified project





Command example:

unlink --project <project name>

Response example:


EPAM PUBLIC 94

5.3.2.26 project update_threshold

Invoke: project update_threshold

Update threshold size for the project in specified zone






-t, --threshold-size New threshold size for project No

Command example:

update_threshold --project <project name> --zone <zone name> --

threshold-size <value>

Response example:


EPAM PUBLIC 95

5.3.3 INSTANCE

The ‘instance’ group includes the commands related to instances. The following commands are

available:

Command Description

instance maintenance Sets or releases the maintenance mode for instance. To set the maintenance mode, just specify '-s/--set' option among with time frame option. To release maintenance mode, omit '-s/--set' option, and specify only project, zone and instance id

instance refresh_missing Finds and marks as deleted all missing instances for the project

To see the list of arguments used with the commands of the ‘instance’ group, type instance


5.3.3.1 instance maintenance

Invoke: instance maintenance

Sets or releases the maintenance mode for instance. To set the maintenance mode, just specify '-s/--set'

option among with time frame option. To release maintenance mode, omit '-s/--set' option, and specify

only project, zone and instance id






-i, --instance-id Instance id. Yes

-t, --time-frame Time frame. Presents the end time of maintenance (required only if maintenance mode must be set) No

-s, --set Is maintenance mode must be set. No

Command example:

instance maintenance -p <project> -z <zone> -i <instance-id>

Response example:

5.3.3.2 instance refresh_missing

Invoke: instance refresh_missing

Finds and marks as deleted all missing instances for the project




-p, --project Project abbreviation in UPSA. Type 'all' to refresh missing instances on all projects No

-z, --zone Virtualization zone. Use flag all to refresh in all zones Yes


EPAM PUBLIC 96




Command example:

instance refresh_missing -z <zone>

Response example:

5.3.4 VOLUMES

The ‘volumes’ group includes the commands related to storage volume management. The following


Command Description

volumes refresh_missing Finds and marks as deleted all missing volumes for the project

volumes set_sys_disks Updates system disk property

To see the list of arguments used with the commands of the ‘volumes’ group, type volumes


5.3.5 IMAGE

The ‘image’ group includes ‘image hide’ command which manages hiding of PUBLIC/ENTERPRISE

images by image ID (for hiding specified images from user).

Command Description

image hide Manages hiding of PUBLIC/ENTERPRISE images by image ID (for hiding specified images from user)

5.3.6 RESOURCES

The ‘resources’ group includes the ‘resources change_ownership’ command which sets a different

user as the project owner. This command is used when the project owner is dismissed or leaves the

project while their resources remain. In this case the remaining resources can be moved to another user

who should be assigned to the same project. The other command in this group is ‘resources

add_os_client_ar’ which downloads OpenShift client archive to EPAM Orchestrator.

Command Description

resources add_os_client_ar Downloads OpenShift client archive to EO

resources change_ownership Changes resources ownership

To see the list of arguments used with the commands of the ‘resources’ group, type resources [command_name] -h in the command line.


EPAM PUBLIC 97

5.3.7 RABBIT

The ‘rabbit’ group includes the commands related to the RabbitMQ server configuration. The following


Command Description

rabbit check Checks local RabbitMQ server configuration

rabbit clean Removes redundant queues and exchanges from RabbitMQ server. Please make sure that Orchestrator is stopped.

rabbit config Configures local RabbitMQ server. Please make sure that Orchestrator is stopped.

rabbit create_upstream Creates a new federation upstream parameter. Please make sure that Orchestrator is stopped.

rabbit federate Federates all exchanges with another broker(s), defined in upstream parameters. Please make sure that Orchestrator is stopped.

rabbit shovel Create shovel configuration to move messages from replies queue. Please make sure that Orchestrator is stopped.

rabbit show_upstreams Describes existing federation upstream parameters

To see the list of arguments used with the commands of the ‘rabbit’ group, type rabbit


5.3.8 RADAR

The ‘radar’ group includes the commands related to zones monitoring. The following commands are

available:

Command Description

radar add_credits Adds credits for the specified cloud to radar. Can be applied only for previous months.

radar aggregate Aggregates radar for the specified month

radar send_report Sends cloud radar report for the specified date

For the arguments used with the commands of the ‘radar’ group type radar [command_name] -h in the

command line.

5.4 BILLING

The ‘Billing’ category includes the commands related to billing configuration and pricing policy in EPAM

Cloud.

5.4.1 BILLING

The ‘billing’ group includes the commands related to billing in EPAM Cloud. The following commands are

available:

Command Description

billing add_services Adds supported service(s)

billing aggregate_yearly_records Aggregates yearly billing records

billing archive_collection Archives outdated documents from collection

billing aws_china Processes China billing report file

billing aws_update_period Describes or changes AWS billing update period

billing azure_api Describes or changes Azure API version

billing cbm_for_account Closes billing month for single account and generates non-sendable report


EPAM PUBLIC 98

billing close_month Closes billing month

billing describe_bss_projects Shows all BSS projects for BSS report type only

billing describe_business_units Shows all business units

billing describe_month Describes billing month

billing download Disables or enables billing updating for the specified provider

billing get_customer Provides customers for the specified projects

billing get_services Describe supported services

billing get_top_accounts_report Sends report for the top 10 expensive EO accounts

billing health_check Checks billing consistency

billing hide_location Hides hardware location from or2price command

billing lock Locks billing

billing manage_bss_projects Adds and removes BSS projects for BSS report type only

billing reset Resets billing for the specified project in the specified Cloud

billing send_sponsor_report Sends sponsors report

billing send_units_reports Sends business unit reports

billing set_adjustment Sets cost adjustments for the specified project

billing set_cost_center Sets cost center name

billing unlock Unlocks billing

billing update_aws_cost_column_name Updates AWS cost column name

billing update_monitoring Updates monitoring data

billing update_reports_config Updates business units reports configuration

billing upload_azure_report Uploads Azure billing report from bucket to MongoDB

To see the list of arguments used with the commands of the ‘billing’ group, type billing


5.4.2 PRICING_POLICY

The ‘pricing_policy’ group includes the commands related to the pricing policy. The following commands

are available:

Command Description

pricing_policy change_time_unit_to_per_second Updates timeUnit scales and time unit to PER_SECOND for open pricing policy

pricing_policy check Validates and shows pricing policy changes

pricing_policy get Shows pricing policies details as xml file

pricing_policy revert Removes open policy and removes useTo field from previous policy

pricing_policy update Updates pricing policies

To see the list of arguments used with the commands of the ‘pricing_policy’ group, type pricing_policy


5.4.3 TIMELINE

The ‘timeline’ group includes the commands related to instance billing timelines. The following


Command Description

timeline check_resource Validates all timelines for the resource

timeline close Forcibly closes all timelines for the specified resources

timeline open Forcibly opens timelines for the specified resources

To see the list of arguments used with the commands of the ‘timeline’ group, type timeline



EPAM PUBLIC 99

5.5 AWS

The ‘AWS’ category includes the commands related to resource configuration and management on the

AWS platform, as well as to the management of security groups in AWS.

5.5.1 AWS

The ‘aws’ group includes the commands related to the AWS platform. The following commands are

available:

Command Description

aws activ_cloudtrail Activates AWS Cloud Trail service for the project

aws activate_project Activates an AWS project in EPAM Cloud Orchestrator

aws activate_ssm Activates AWS SSM for project

aws add_account Adds AWS account

aws add_az Adds availability zone for the specified AWS region

aws add_group Adds IAM group to the project

aws add_image Adds AWS image

aws add_user Adds a new user

aws add_zone Adds a new AWS zone

aws assoc_inst_prof Associates instance profile

aws assume_role Enables or disables using assume role for the account

aws attach_policy Attaches IAM policy to the IAM entity in DB

aws check_account Checks the AWS account associated with the specified project

aws check_config Checks AWS configuration (including Cloud Trail, Security Groups, default instance role the for project)

aws config_account Configures AWS account

aws config_group Configures IAM group, updates group policy, changes group name (for the Project scope only)

aws config_project Creates basic EPC project configuration

aws config_sso Configures SSO

aws create_account Create AWS account via organization API

aws create_alias Creates an alias for your AWS account

aws create_organization_role Creates custom role for assuming

aws deactiv_cloudtrail Deactivates Cloud Trail on the project

aws del_account Marks AWS account as deleted in the DB or deletes account permanently. Removes AwsOrganizationRoles in both cases.

aws delete_image Deletes image form AWS zone. Assigns status DELETED for the image and does not delete it on AWS side

aws delete_on_termination Sets up deleteOnTermination policy for the project

aws delete_organization_role Deletes role for assuming

aws delete_user Deletes IAM user

aws describe_az Retrieves availability zones for the specified zone

aws describe_groups Describes IAM groups for the project

aws detach_policy Detaches policy from the IAM entity in DB

aws export_cost_and_usage_report Sets up cost and usage report export

aws export_detailed_billing_report Sets up detailed billing report export to the S3 bucket

aws get_accounts Describes existing AWS accounts

aws get_cloudtrail Describes Cloud Trail

aws get_iam_entities Describe available roles

aws get_policies Describes available policies. Gives the name and policy type

aws get_token Returns a set of temporary security credentials

aws list_organization_roles Shows the list of roles for assuming

aws move_account Moves linked account to another paying account

aws remove_az Removes availability zone for the specified AWS region

aws remove_saml Removes SAML provider

aws rename_user Renames IAM user


EPAM PUBLIC 100

aws save_policy Saves IAM policy to DB

aws set_ami_up_desc Set Ami amazonDescriptionTemplate field used to update Linux Ami IDs

aws set_def_role Creates default instance role in AWS account for the specified project

aws sso_add_custom_role Adds custom SSO role for the particular user

aws sso_del_custom_role Deletes custom SSO role for the particular user

aws sso_get_custom_role Gets custom SSO roles

aws sso_manage_access Manages access to AWS SSO, restricts access to the particular roles

aws manage_def_role Manage default instance role in AWS account

aws tag_user Adds or deletes tag for IAM user

aws up_group_policy Uploads group policy from DB to the specified group for the specified AWS accounts

aws up_man_policy Uploads managed policy to the specified AWS accounts

aws update_amis Updates AWS Windows AMIs

aws upload_ssm_document Uploads an SSM document to the DB

To see the list of arguments used with the commands of the ‘aws’ group, type aws [command_name] -h


5.5.1.1 aws active_cloudtrail

Invoke: aws active_cloudtrail

Activates AWS Cloud Trail service for the project.






-b, --bucket-name S3 bucket name No

-l,--log-file-prefix Log file prefix No

5.5.1.2 aws activate_project

Invoke: aws activate_project

Activates an AWS project in EPAM Cloud Orchestrator.





-s, --shape Shape name. For several shapes repeat the parameter: -s SHAPE1 -s SHAPE2 -s SHAPEN

Yes


-c, --account AWS account name No

-y, --paying-account-name

AWS paying account name. In this case linked account will be chosen from the specified paying account pool.

No


-n, --subnet-id ID of AWS region subnet in which all resources of a project will be created.

No

--all All zones except unreachable. No


EPAM PUBLIC 101


-x, --expiration-date Project expiration date. Valid date format: [yyyy-MM-dd]. No

--skip-cloud-trail Use this flag to skip cloud trail activation No

Response Elements

Name Description


name Project name

zone Zone name

shapes Shapes








subscriptionId Subscription ID

Command example

aws activate_project -p <project> -f -s <shape> -s <shape> -c

<aws_account_name> -z <zone> --skip-cloud-trail

Command response

5.5.1.3 aws activate_ssm

Invoke: aws activate_ssm

Activates AWS SSM for the project.






Command example:

aws activate_ssm -p <project> -z <zone>

Command response:


EPAM PUBLIC 102

5.5.1.4 aws add_account

Invoke: aws add_account

Adds AWS account.




-c, --access-key AWS access key. Required for reachable accounts. No

-a, --account-id AWS account ID Yes

-s, --secret-key AWS secret key. Required for reachable accounts. No

-t, --type AWS account type. Should be one of: PAYING, LINKED Yes

-f, --bill-from The date to start billing from. Required for reachable PAYING accounts

Yes

-b, --bucket-name AWS bucket name. Required for reachable PAYING accounts No

-l, --log-bucket AWS cloud trail bucket prefix. Required for reachable PAYING accounts

No

-p, --paying-account-name

Paying account name. Required for LINKED accounts No

-u, --unreachable Unreachable account No

Response Elements

Name Description

id Object id in MongoDB

name AWS account name

account AWS account ID

type AWS account type

mostRecentRecordDate The most recent record date

unreachable Show whether the account is unreachable (true/false)

deleted Show whether the account was deleted (true/false)

createdDate Creation date

Command example

aws add_account -a <account_id> -t <account type> -p <paying_account

_name>

Command response


EPAM PUBLIC 103

5.5.1.5 aws add_az

Invoke: aws add_az

Adds availability zone for the specified AWS region.




--z, --zone Virtualization zone Yes

-a, --availability-zone AWS availability zone (e.g. us-east-1b) Yes

5.5.1.6 aws add_group

Invoke: aws add_group

Adds IAM group to the project.





-n, --name Group name Yes

-l, --policy-location Group policy location Yes

5.5.1.7 aws add_image

Invoke: aws add_image

Adds AWS image.




-i, --image-id Image ID Yes

-d, --description Image description Yes

-g, --group Image group: [public, enterprise] Yes

-u, --username Default SSH user Yes

-t, --os-type Type of operating system: [Windows, Linux, CoreOS, Fedora CoreOS]. Required with description-template

No

-a. --ami-id AWS image ID. Cannot be used with description-template and all-zones

No

-s, --description-template

AWS description search template. Cannot be used with ami-id No

-v, --virt-profile Name of zone virt profile to associate with, by default x64.hvm No


--all-zones All zones, except unreachable. Cannot be used with ami-id No

--rewrite Rewrite parameters of existing image No

Response Elements

Name Description

Zone Zone name

AWS AMI AWS AMI


EPAM PUBLIC 104

Response Elements

Name Description

Status Show command status

Message Provide additional information

Command example

aws add_image -i Ubuntu16.04_64-bit -d "Ubuntu 16.04 64-bit LTS" -s

"Canonical, Ubuntu, 16.04 LTS, amd64 xenial image build on*" -g public

-t linux -u ubuntu --all-zones --rewrite

Command response

5.5.1.8 aws add_user

Invoke: aws add_user

Adds a new user.






-a, --auto Create auto user No

-r, --creation-reason Short description of creation reason Yes

Response Elements

Name Description

Secret key Secret key

Access key Access key

User name Username

Command example

aws add_user -p <project> -e <[email protected]> -a -r test

Command response


EPAM PUBLIC 105

5.5.1.9 aws add_zone

Invoke: aws add_zone

Adds a new AWS zone.




-l, --location Location (e.g. North Europe) No

--ar, --aws-region AWS region code. (e.g. eu-central-1) Yes

-a, --availability-zone AWS availability zone Yes

--ra, --aws-region-abbreviation

AWS region abbreviation. Required for reachable zones. Use Cost Explorer to find it or visit following link: https://docs.aws.amazon.com/en_us/AmazonS3/latest/dev/aws-usage-report-understand.html

No

-c, --cf-endpoint CF2 endpoint. Required for reachable zones No

-e, --ec-endpoint EC2 endpoint. Required for reachable zones No

-t, --ct-endpoint CT endpoint. Required for reachable zones No

-s, --s-endpoint S3 endpoint. Required for reachable zones No

-w, --cw-endpoint CloudWatch endpoint. Required for reachable zones. No



--assign Assigns zone to the currently active node No

--disable-billing-mix-mode

Defines whether this zone supports billing mode No

--unreachable Marks zone as unreachable by the orchestrator No

5.5.1.10 aws assoc_inst_prof

Invoke: aws assoc_inst_prof

Associates instance profile.





--all Applies for all No

5.5.1.11 aws assume_role

Invoke: aws assume_role

Enables or disables using assume role for the account


https://docs.aws.amazon.com/en_us/AmazonS3/latest/dev/aws-usage-report-understand.html

https://docs.aws.amazon.com/en_us/AmazonS3/latest/dev/aws-usage-report-understand.html


EPAM PUBLIC 106




-l, --linked-account-name

Linked account name Yes

-a, --activate Flag for activation No

-d, --deactivate Flag for deactivation No

5.5.1.12 aws attach_policy

Invoke: aws attach_policy

Attaches IAM policy to the IAM entity in DB




-p, --policy AWS policy name Yes

-n, --entity-name AWS IAM entity name Yes

-t, --type AWS IAM entity type. One of: SSO_ROLE Yes

5.5.1.13 aws check_account

Invoke: aws check_account

Checks the AWS account associated with the specified project.






AWS Linked account name No

5.5.1.14 aws check_config

Invoke: aws check_config

Checks AWS configuration (including Cloud Trail, Security Groups, default instance role the for project).





--target Parameter to indicate where to display result of the command. Must be one of [ssh_console, file, email]

No

Command example

aws check_config -p <project>


Command response


EPAM PUBLIC 107

5.5.1.15 aws config_account

Invoke: aws config_account

Configures AWS account.





AWS Linked account name No


5.5.1.16 aws config_group

Invoke: aws config_group

Configures IAM group, updates group policy, changes group name (for the Project scope only).





-s, --scope Scope. [DEFAULT, PROJECT]. Default value: DEFAULT No


-l, --policy-location Group policy location No

5.5.1.17 aws config_project

Invoke: aws config_project

Creates basic EPC project configuration.





-c. --account AWS account name Yes


-f, --default-common-costs

Default for common costs flag No

-n, --subnet-id ID of AWS region subnet in which all resources of a project will be created.

No

Command example

aws config_project -p <project> -c <aws_account_name> -z <zone>


EPAM PUBLIC 108

Command response

5.5.1.18 aws config_sso

Invoke: aws config_sso

Configures SSO.






5.5.1.19 aws create_account

Invoke: aws create_account

Create AWS account via organization API.




-p, --paying-account-name

AWS Paying account name Yes

-e, --email Account email Yes

Command example

aws create_account -p <aws_paying account name> -e [email protected]


Command response

5.5.1.20 aws create_alias

Invoke: aws create_alias Creates an alias for your AWS account.




-a, --account AWS account name No

-s, --alias AWS account alias No


EPAM PUBLIC 109

5.5.1.21 aws create_organization_role

Invoke: aws create_organization_role

Creates custom role for assuming.




-r, --root AWS Account ID that will assume the role Yes


-l, --policy AWS Managed Policy arn list. For several shapes repeat the parameter: -l arn1 -l arn2 -l arn3

Yes

-n, --name Role name Yes

-d, --description Short description of creation reason Yes

-I, --id External ID No

5.5.1.22 aws deactiv_cloudtrail

Invoke: aws deactiv_cloudtrail

Deactivates Cloud Trail on the project






5.5.1.23 aws del_account

Invoke: aws del_account

Marks AWS account as deleted in the DB or deletes account permanently. Removes

AwsOrganizationRoles in both cases.




-a, --account AWS account name Yes

-p, --delete-permanently

Use this flag to delete AWS account document from DB No

-f, --force Force operation. Only for case when account will be marked as deleted.

No

Command example

aws del_account -a <aws_account_name> -f



EPAM PUBLIC 110

Command response

5.5.1.24 aws delete_image

Invoke: aws delete_image

Deletes image form AWS zone. Assigns status DELETED for the image and does not delete it on AWS

side.




-I, --image-id Image ID Yes

-v, --virt-typ Virtualization type: [HVM, PV] No

-a, --ami AWS image ID No


--all-zones All zones, except unreachable No

5.5.1.25 aws delete_on_termination

Invoke: aws delete_on_termination

Sets up deleteOnTermination policy for the project.





-a, --activate Flag for activation No

-d, --deactivate Flag for deactivation No

5.5.1.26 aws delete_organization_role

Invoke: aws delete_organization_role

Deletes role for assuming.





-n, --name Role name Yes


EPAM PUBLIC 111

5.5.1.27 aws delete_user

Invoke: aws delete_user

Deletes IAM user.




-u, --username Username Yes

-r, --reason Reason Yes


5.5.1.28 aws describe_az

Invoke: aws describe_az

Retrieves availability zones for the specified zone.





--all All zones No

Response Elements

Name Description

Zone name Zone name

Availability zones Availability zones

Command example

aws describe_az -z <zone>

Command response

5.5.1.29 aws describe_groups

Invoke: aws describe_groups

Describes IAM groups for the project.





Command Example

aws describe_groups -p <project>


EPAM PUBLIC 112

You will receive the response in JSON format.

5.5.1.30 aws detach_policy

Invoke: aws detach_policy Detaches policy from the IAM entity in DB





-n, --entity-name AWS IAM entity name Yes

-t, --type AWS IAM entity type. One of: SSO_ROLE Yes

5.5.1.31 aws export_cost_and_usage_report

Invoke: aws export_cost_and_usage_report

Sets up cost and usage report export.




-a, --account-name AWS account name. Example: awsacc-cb2ccd2f Yes

-b, --bucket-name AWS bucket name. Will be created if not exists. Required for activation.

No

-d, --deactivate Flag for deactivation. Activation by default No

5.5.1.32 aws export_detailed_billing_report

Invoke: aws_export_detailed_billing_report

Sets up detailed billing report export to the S3 bucket.




-a, --account-name AWS account name. Example: awsacc-cb2ccd2f Yes

-b, --bucket-name AWS bucket name. Will be created if not exists. Required for activation.

No

-z, --zone AWS bucket's zone name. Required for activation No

-t, --archive-type Archive type: zip, gzip. Default: gzip. No

-d, --deactivate Flag for deactivation. Activation by default No


EPAM PUBLIC 113

5.5.1.33 aws get_accounts

Invoke: aws_get_accounts

Describes existing AWS accounts.




-t, --type AWS account type. Should be one of: PAYING, LINKED No


-p, --project Project abbreviation in EPAM Cloud. Use 'none' to get accounts in pool

No

Response Elements

Name Description

Account name Account name

Account id Account ID

Account type Account type

Used by Show the project that uses this account

Created date Creation date

Unreachable Show whether the account is unreachable. (true/false)

External id External ID

Command example

aws get_accounts

Command response

5.5.1.34 aws get_cloudtrail

Invoke: aws-get_cloudtrail

Describes Cloud Trail.





EPAM PUBLIC 114




Response Elements

Name Description

project Project name

region Region name

trail Trail

bucket Bucket name

logPrefix Log prefix

logValidationEnabled Shows whether log validation is enabled

Command example

aws get_cloudtrail -z <zone> -p <project>

Command response

5.5.1.35 aws get_iam_entities

Invoke: aws get_iam_entities Describe available roles.




-n, --name AWS IAM entity name. Will get all entities with general info, if not specified

No

-t, --type AWS IAM entity type. Use for filtering by type or for describing detailed info by name. One of: SSO_ROLE

No

Response Elements

Name Description

name Role name

iamEntityType IAM entity type

scope Scope

Command example

aws get_iam_entities

Command response


EPAM PUBLIC 115

5.5.1.36 aws get_policies

Invoke: aws get_policies

Describes available policies. Gives the name and policy type.




-n, --name AWS policy name. Policy will be sent to email No

Response Elements

Name Description

name Policy name

type Policy type

Command example

aws get_policies

Response example


EPAM PUBLIC 116

5.5.1.37 aws grant_licenses

Invoke: aws_grant_licenses

Grant AWS Marketplace licenses from Organization Parent to the project account





--all Execute for all active projects No

Command example:

aws_grant_licenses -p <project>

Response example:

5.5.1.38 aws get_token

Invoke: aws_get_token

Returns a set of temporary security credentials.





--a, --account AWS account name No

--json Use this flag to get output as plain JSON No


EPAM PUBLIC 117

5.5.1.39 aws list_organization_roles

Invoke: aws list_organization_roles

Shows the list of roles for assuming.





-n, --name Role name No

Response Elements

Name Description

roleName Role name

roleArn Role ARN

projectCode Project code

description Description

externalId External ID

Command example

aws list_organization_roles

Response example

5.5.1.40 aws manage_def_role

Invoke: aws manage_def_role

Manage default instance role in AWS account




-a, --action Policy action, allowed values are: [DESCRIBE, ATTACH,

DETACH], by default is describe

No

-n, --policy-name The name of policy. Required for actions ATTACH and

DETACH

No

Command example:

aws manage_def_role -a action -n policy-name


EPAM PUBLIC 118

Command response:

5.5.1.41 aws move_account

Invoke: aws_move_account Moves linked account to another paying account.




-l, --linked-account AWS linked account name Yes

-p, --paying-account Target AWS paying account name Yes

5.5.1.42 aws remove_az

Invoke: aws_remove_az

Removes availability zone for the specified AWS region.





-a, --availability-zone AWS availability zone (e.g. us-east-1b) Yes

5.5.1.43 aws remove_saml

Invoke: aws_remove_saml

Removes SAML provider







EPAM PUBLIC 119

5.5.1.44 aws rename_user

Invoke: aws_rename_user

Renames IAM user.




-u, --username Name of the user to be renamed Yes

-n, --new-username New name of the user Yes


5.5.1.45 aws save_policy

Invoke: aws save_policy

Saves IAM policy to DB




-n, --name AWS policy name Yes

-f, --file File name. Please be sure that you have placeholders instead

of accounts, buckets names No

-t, --type Type. One of: INLINE, MANAGED, MANAGED_CUSTOM,

ORGANIZATION, S3 Yes

5.5.1.46 aws set_ami_up_desc

Invoke: aws_set_ami_up-desc

Set Ami amazonDescriptionTemplate field used to update Linux Ami IDs.





-i, --image-id Image ID on EO Yes

-d, --description-template

Amazon description template

No

-c, --clean-up Flag for clean up Amazon description template No

5.5.1.47 aws set_def_role

Invoke: aws set_def_role

Creates default instance role in AWS account for the specified project





EPAM PUBLIC 120



5.5.1.48 aws sso_add_custom_role

Invoke: aws_sso_add_custom_role

Adds custom SSO role for the particular user




-e,--email User email address Yes

-n, --name AWS IAM role name. Use command 'get_iam_entities -t

SSO_ROLE' to see possible options. Yes


Response example:

5.5.1.49 aws sso_del_custom_role

Invoke: aws_sso_del_custom_role

Deletes custom SSO role for the particular user.





-n,--name AWS IAM role name. Use command 'get_iam_entities -t

SSO_ROLE' to see possible options. Yes


5.5.1.50 aws sso_get_custom_role

Invoke: aws_sso_get_custom_role

Gets custom SSO roles.





Command response:


EPAM PUBLIC 121

5.5.1.51 aws sso_manage_access

Invoke: aws sso_manage_access

Manages access to AWS SSO, restricts access to the particular roles.






-i, --iam-entity-name AWS IAM role name. Use command 'get_iam_entities -t

SSO_ROLE' to see possible options. No

-a, --action Action type [list(default), create, delete] No

5.5.1.52 aws tag_user

Invoke: aws tag_user

Adds or deletes tag for IAM user.




-p, --project * Project abbreviation in EPAM Cloud Yes

-e,--email * User email address Yes

--add Add tag to user No

--delete Delete tag from user No

5.5.1.53 aws up_group_policy

Invoke: aws up_group_policy

Uploads group policy from DB to the specified group for the specified AWS accounts.




-n, --name AWS group name No

-a, --account AWS account names for uploading policy. Upload for all

accounts if not set. No

5.5.1.54 aws up_man_policy

Invoke: aws up_man_policy

Uploads managed policy to the specified AWS accounts.




-n, --name AWS policy name No


EPAM PUBLIC 122


-f, --file File name Yes

-a, --account AWS account names for uploading policy. Upload for all

accounts if not specified. Yes

5.5.1.55 aws update_amis

Invoke: aws update_amis

Updates AWS AMIs.





-t, --os-type OS type. Allowed values are: WINDOWS, LINUX No

Response Elements

Name Description

Zone Zone name

Old ami ID Old ami ID

New ami ID New ami ID

Image amazon description Amazon image description

Command example

aws update_amis

Response example

5.5.1.56 aws upload_ssm_document

Invoke: aws upload_ssm_document

Uploads a SSM document to the DB.




-f, --file-name AWS SSM document file name Yes


EPAM PUBLIC 123

Command example:

aws upload_ssm_document -f <file_name>

Command response:

5.5.2 AWS_SECURITY

The ‘aws_security’ group includes the commands related to the security in AWS. The following


Command Description

aws_security check_mfa Describes users without MFA

aws_security configure_organization_scp Configures organization SCP

aws_security delete_user_mfa_device Deletes user MFA device from IAM

aws_security describe_backups Describes security groups backup information for the project

aws_security describe_keys Lists access keys for the orchestrator user

aws_security describe_sg_resources Describes security group resources

aws_security disable_orchestrator_user Disables the specified orchestrator user in all AWS accounts

aws_security get_backup Gets project security groups backup information Sends the backup configuration of the security groups to email

aws_security lock_organization Sets all AWS accounts in organization to read only mode

aws_security manage_custom_acl Manages Network ACL for the specified project

aws_security manage_prefix_lists Manages prefix lists with db configuration

aws_security manage_sec_groups Manages security groups in AWS account

aws_security reset_user_password_mfa Resets user password and MFA devices

aws_security restore_groups Restores backup configuration for the AWS security group. Before the restoring current backup will be created.

aws_security rotate_keys Rotates access key for the orchestrator user, creates and sets new access key, disables or deletes old access keys.

aws_security save_groups Saves current security groups configuration

aws_security set_def_groups Applies configuration for the AWS security groups

To see the list of arguments used with the commands of the ‘aws_security’ group, type aws_security


5.5.2.1 aws_security check_mfa

Invoke: aws security check_mfa

Describes users without MFA.





No


EPAM PUBLIC 124

5.5.2.2 aws_security configure_organization_scp

Invoke: aws security configure_organization_scp

Configures organization SCP.




-p , --project Project abbreviation in EPAM Cloud No


5.5.2.3 aws_security delete_user_mfa_device

Invoke: aws security delete_user_mfa_device

Deletes user MFA device from IAM.






Response example:

5.5.2.4 aws_security describe_backups

Invoke: aws security describe_backups

Describes security groups backup information for the project.





Response example:


EPAM PUBLIC 125

5.5.2.5 aws_security describe_keys

Invoke: aws security describe_keys

Lists access keys for the orchestrator user




-c , --account AWS account name No

-p , --project Project abbreviation in EPAM Cloud No

--all Execute for all reachable accounts No

Response example:

5.5.2.6 aws_security describe_sg_resources

Invoke: aws_security describe_sg_resources

Describes security group resources






-g, --group-id Security group id No

-I, --instance Operational instance id No

--describe-rules Describe security group rules No

--describe-unused Describe security groups which are not attached to any network interface

No


No

Response example:


EPAM PUBLIC 126

5.5.2.7 aws_security disable_orchestrator_user

Invoke: aws security disable_orchestrator_user

Disables the specified orchestrator user in all AWS accounts.




5.5.2.8 aws_security get_backup

Invoke: aws security get_backup

Gets project security groups backup information. Sends the backup configuration of the security groups to email





-i, --backup-id Backup id for restoring No

-d, --date The date to restoring from in [yyyy-MM-dd'T'HH, yyyy-MM-dd'T'HH:mm] format (UTC)

No

-l, --label To restore by label No

Response example:

5.5.2.9 aws_security lock_organization

Invoke: aws security lock_organization

Sets all AWS accounts in organization to read only mode.




5.5.2.10 aws_security manage_custom_acl

Invoke: aws security manage_custom_acl

Manages custom project Network ACL.






--add Use this flag to add new custom ACL entry No

--delete Use this flag to delete existing custom ACL entry No


EPAM PUBLIC 127


--egress Use this flag to specify whether the ACL entry is egress.

(Ingress by default) No

-n, --number Rule number. Must be a number in range 1 to 32766 No

-r, --protocol Ip Protocol. Use -1 for All protocols/All ports No

-c, --cidr CIDR block No

-f, --from-port From port No

-t, --to-port To port No

-a, --action Action. Allowed values are: Allow, Deny No

Response example:

5.5.2.11 aws_security manage_prefix_lists

Invoke: aws security manage_prefix_lists

Manages prefix lists with db configuration.




-a, --action Manage action, allowed values are: setup, describe, check Yes


-m, --max-size Max size No

-s, --security-group Security group name No

Command example:

aws_security manage_prefix_lists -a <action> -z <zone> -m <max-size>

-s <security-group>

5.5.2.12 aws_security manage_sec_groups

Invoke: aws security manage_sec_groups

Manages security groups in AWS account






-n, --group-name Security group name. No

-e, --description Security group description. Required for action CREATE No


EPAM PUBLIC 128


-a, --action Security group action. Allowed values are [CREATE, DESCRIBE, DELETE, ADD_RULE, DELETE_RULE, LIST_RULES].

No

-s, --security-group-id Security group id. Required for action DELETE, ADD_RULE and DELETE_RULE

No

-v, --vpc-id VPC id. Required for action CREATE, optionally can be used for DESCRIBE action.

No

-r, --protocol Ip protocol. For example, TCP, UDP. Use -1 for all protocols. No

-d, --direction Rule type, allowed values are [inbound, outbound]. No

-o, --port-range The port range (for the TCP and UDP protocols). No

-I, --ip-range IP range. For several ip ranges repeat the parameter: -i 0.0.0.0/0 -i value 1.1.1.1/1

No

-f, --prefix-list-id Prefix list id. For several prefix lists repeat the parameter -f No

-c, --source-group-id The security group id which you can set as destination/source of security group rule. Allowed for action ADD_RULE and DELETE_RULE.

No

-t, --instance Instance id. Applicable for ATTACH and DETACH actions No

--ni, --network-interface-id

Network interface id. Applicable for ATTACH and DETACH actions

No

--tz, --target-zone Target zone name. Parameter is required only for CLONE action

No


No

Response Elements

Name Description

Security group name Security group name

Security group id Security group id

VPC ID VPC ID

Description Description

Action CREATE

Command example:

manage_sec_groups --project <project> --zone <zone> --action create --

group-name <group name> --description <description> --vpc-id <vpc id>

Response example:

Action DESCRIBE

manage_sec_groups --project <project> --zone <zone>

Response example:


EPAM PUBLIC 129

Action DELETE

Command example:

manage_sec_groups --project <project> --zone <zone> --action delete --

security-group-id <security group id>

Response example:

Action ADD_RULE

Command example:

manage_sec_groups --project <project> --zone <zone> --action add_rule

--security-group-id <security-group id> --direction <direction> --

protocol <protocol> --source-group-id <source group id>

Response example:

Action DELETE_RULE

Command example:

manage_sec_groups --project <project> --zone <zone> --action

delete_rule --security-group-id <security group id> --direction

<direction> --protocol <protocol> --source-group-id <source group id>

Response example:

Action LIST_RULES

Command example:

manage_sec_groups --project <project> --zone <zone> --action

list_rules

Response example:


EPAM PUBLIC 130

5.5.2.13 aws_security reset_user_password_mfa

Invoke: aws security reset_user_password_mfa

Reset user password and MFA devices






Response example:

5.5.2.14 aws_security restore_groups

Invoke: aws security restore_groups

Restores backup configuration for aws security group. Before the restoring current backup will be created.





-I, --backup-id Backup id for restoring No

-d, --date The date to restoring from in [yyyy-MM-dd'T'HH, yyyy-MM-dd'T'HH:mm] format (UTC)

No



Response example:

5.5.2.15 aws_security rotate_keys

Invoke: aws security rotate_keys

Rotates access key for orchestrator user. Creates and sets new access key. Disables or deletes old

access keys.




EPAM PUBLIC 131



-a, --action Action. Allowed values: [create, disable, delete] Yes



--all Execute for all reachable accounts No

5.5.2.16 aws_security save_groups

Invoke: aws security save_groups

Saves security groups configuration.






Response example:

5.5.2.17 aws_security set_def_groups

Invoke: aws security set_def_groups

Applies configuration for aws security groups






--all-zones Applies for all zones (activated for project) No

--all-projects Applies for all projects in all zones No

-v, --vpc-id Vpc id. If isn't defined, default vpc will be used No

Response example:


EPAM PUBLIC 132

5.5.3 AWS_RI

The ‘aws_ri’ group includes the commands related to AWS Reserved Instances. The following


Command Description

aws_ri buy Buys Reserved Instances

aws_ri describe Describes Reserved Instances

aws_ri list_offerings Describes Reserved Instance offerings

aws_ri modify Modifies Reserved Instances

To see the list of arguments used with the commands of the ‘aws_ri’ group, type aws_ri


5.5.3.1 aws_ri buy

Invoke: aws ri buy

Buys Reserved Instances.






-i, --offering-id Offering id. Use 'aws_ri list_offerings' to list possible options Yes

-c, --count Count Yes

Command example:

aws ri buy -i <offering-id> -z <zone> -p <project> --count

Command response:

5.5.3.2 aws_ri describe

Invoke: aws ri describe

Describes Reserved Instances.




-f, --force-update Update info from amazon before describing. Will take a lot of time!

No


No


EPAM PUBLIC 133

Response Elements

Name Description

AWS ID AWS RI ID


Zone AWS zone

AZ Availability zone

Start date Start date of the reserved instance state

End date End date of the reserved instance state

Count Number of reserved instances

Product description Description of the reserved instance

Shape AWS instance type

Command example:

aws ri describe

Command response:

5.5.3.3 aws_ri list_offerings

Invoke: aws ri list_offerings

Describes Reserved Instance offerings






-t, --instance-type AWS instance type Yes

-o, --os OS. One of the: linux, windows Yes

-s, --scope Scope. One of the: az, region Yes

--all Add marketplace RIs to result No

Response example:


EPAM PUBLIC 134

5.5.3.4 aws_ri modify

Invoke: aws ri modify

Modifies Reserved Instances




-I, --ri-id RI id Yes

-c, --target-configuration

Target availability zone name, shape and count. Input format: 'az:shape:count'.

To provide several configurations use this option several times. Example: -c us-west-2a:t2.micro:4.

If you want to use REGION scope use "all' value for 'az'.

Example: -c all:t2.micro:4

Yes


5.5.4 AWS_S3

The ‘aws_s3’ group includes the commands related to AWS S3 configuration. The following commands

are available:

Command Description

aws_s3 create_bucket Creates AWS S3 bucket for the specified AWS project

aws_s3 describe_s3_config Describes default AWS S3 configuration

aws_s3 set_s3_config Sets default AWS S3 configuration

To see the list of arguments used with the commands of the ‘aws_s3’ group, type aws_s3


5.5.4.1 aws_s3 create_bucket

Invoke: aws s3 create_bucket

Creates AWS S3 bucket for the specified AWS project.






-b, --bucket-name S3 bucket name Yes

--rn, --expiration-rule-name

Expiration rule name No

-d, --expiration-in-days Expiration in days No

Response example:


EPAM PUBLIC 135

5.5.4.2 aws_s3 describe_s3_config

Invoke: aws s3 describe_s3_config

Describes default AWS S3 configuration




Response example:

5.5.4.3 aws_s3 set_s3_config

Invoke: aws s3 set_s3_config

Sets default AWS S3 configuration.




-a, --default-account Default AWS account name Yes

-b, --default-bucket-name

Default S3 bucket name Yes

--rn, --default-expiration-rule-name

Default expiration rule name No

Response example:

5.5.5 AWS_WORKSPACE

The ‘aws_workspace’ group includes the commands related to workspaces in AWS. The following


Command Description

aws_workspace bundles Manages EO's standard bundles. Managing bundles is allowed only for the single account that supports workspace launch. All adding this way bundles will be available for launch via ESP

aws_workspace launch Launches an AWS Workspace

aws_workspace manage_accounts Manages AWS accounts that support Workspaces

aws_workspace manage_directory Describes or updates directory ID for the specified supported AWS region of the specified AWS account

aws_workspace manage_regions Manages supported AWS regions for specified AWS account

To see the list of arguments used with the commands of the ‘aws_workspace’ group, type

aws_workspace [command_name] -h in the command line.


EPAM PUBLIC 136

5.5.5.1 aws_workspace bundles

Invoke: aws_workspace bundles

Manages EO's standard bundles. Managing bundles is allowed only for the single account that supports

workspace launch. All adding this way bundles will be available for launch via ESP




-r, --region AWS region name No

-b, --bundle AWS bundle ID No

-o, --os-type OS type. Use it to filter the DESCRIBE result. Allowed values are: LINUX, WINDOWS

No

-m, --compute-type Compute type. Use it to filter the DESCRIBE result No

-c, --action Management action. Allowed values are: ADD, DESCRIBE, DELETE

Yes

Command example:

aws_workspace bundles -c <action>

Response example:

5.5.5.2 aws_workspace launch

Invoke: aws_workspace launch

Launches an AWS Workspace






-r, --region AWS region Yes

-q, --request Request number Yes

-b, --bundle AWS bundle ID No

-m, --mode Running mode. Available values are: AUTO_STOP, ALWAYS_ON

Yes

-o, --os-type OS type. Available values are: LINUX, WINDOWS No

-c, --compute-type Compute type No

-t, --root-volume Root volume size No

-u, --user-volume User volume size No


EPAM PUBLIC 137

Command example:

aws_workspace launch -e <[email protected]> -p <project> -r <region>

-q <request> -m <mode>

Response example:

5.5.5.3 aws_workspace manage_accounts

Invoke: aws_workspace manage_accounts

Manages AWS accounts that support Workspaces





-c, --action Management action. Allowed values are: ADD, DESCRIBE, DISABLE_LAUNCH

Yes

Command example:

aws_workspace manage_accounts -c <action>

Response example:


EPAM PUBLIC 138

5.5.5.4 aws_workspace manage_directory

Invoke: aws_workspace manage_directory

Describes or updates directory ID for the specified supported AWS region of the specified AWS account






-d, --directory AWS directory ID of the new directory. Required parameter for UPDATE action

No

-c, --action Management action. Allowed values are: DESCRIBE, UPDATE

Yes

Command example:

aws_workspace manage_directory -c <action>

Response example:

5.5.5.5 aws_workspace manage_regions

Invoke: aws_workspace manage_regions

Manages supported AWS regions for specified AWS account






-d, --directory AWS directory ID. Optional parameter for ADD action No

-c, --action Management action. Allowed values are: ADD, DESCRIBE, DELETE

Yes

Command example:

aws_workspace manage_regions -c <action>

Response example:


EPAM PUBLIC 139

5.5.6 TEMPLATE

The ‘template’ group includes the ‘template analyze’ command used to perform analysis of the

CloudFormation template from the previously uploaded file. The command displays the human-readable

template description in the response.

Command Description

template analyze Generates description for the template

To see the list of arguments used with the ‘template analyze’ command, type template analyze -h in the

command line.

5.5.6.1 template analyze

Invoke: template analyze

Generates description for the template.




-f, --file File name. Yes

Response example:


EPAM PUBLIC 140

5.6 AZURE

The ‘azure’ category includes the commands related to resource configuration and management on the

Microsoft Azure platform, as well as to the custom configuration of Azure for specific project

requirements.

5.6.1 AZURE

The ‘azure’ group includes the commands related to Microsoft Azure. The following commands are

available:

Command Description

azure activate_project Activates project in Microsoft Azure

azure add_enrolment Adds a new Microsoft Azure enrolment

azure add_image Adds machine image to be used with ARM API. Images list is available on Azure portal marketplace or from CLI (for more details please use azure help vm image command)

azure add_subscript Adds a new Microsoft Azure subscription

azure add_zone Adds a new Microsoft Azure zone

azure add_zone_alias Adds an alias to existing Microsoft Azure zone

azure analyze_sg Analyzes default security group for extra rules

azure change_credsz Changes Azure tenant's credentials

azure check_config Checks ARM configuration

azure config_project Configures project for using ARM API

azure del_subscript Removes existing Microsoft Azure subscription from EO

azure delete_image Deletes image form Azure zone. Assigns status DELETED for image and does not delete it on Azure

azure get_net_config Retrieves information about network configuration for the specified project(s)

azure get_subscript Describes existing Azure subscriptions

azure get_tenants Describes available tenants for the specified Azure enrollment

azure grant_access Grants access to Azure Portal

azure init_lookup Initially adds ARM resource to EO

azure list_image_versions Lists the VM image versions available in the Azure Marketplace

azure list_offers Lists the VM image offers available in the Azure Marketplace

azure list_publishers Lists the VM image publishers available in the Azure Marketplace

azure list_skus Lists the VM image SKUs available in the Azure Marketplace.

azure manage_currency Updates currency and rate for Microsoft Azure enrolment

azure manage_subscript_status Enables or disables the specified subscription in EO

azure manage_tenants Adds and removes Azure tenants in EO

azure manage_trusted_ip Adds a custom security config for specified project for allowing inbound or outbound connection to/from instances of this project.

azure move_subscript Moves subscription to another directory

azure revoke_access Revokes access to Azure Portal

azure set_def_groups Applies configuration for the default Azure security groups

azure shape_mapping Configures shape mapping for the specified zone

azure share_credit Shares credit among all projects of the given enrolment proportionally to their workload

azure subscript_pool Describes the subscription pool for current available enrollments

azure switch_subscript_tenant Switches subscription tenant to another alias


EPAM PUBLIC 141

5.6.1.1 azure activate_project

Invoke: azure activate_project

Activates project in Microsoft Azure.






Yes



-u, --subscription-name Subscription name (Azure specific parameter) No


--all All zones No

Response Elements

Name Description


Name Project name

Zone Virtualization zone

Shapes Shape names

Primary Contacts Primary contacts

Secondary Contacts Secondary contacts

Instance Creation Interval

(Hours) Instance creation interval described in hours

Volume Creation Interval

(Hours) Volume creation interval described in hours

Max Volume Size (GB) Maximum volume size described in GB

Activation Date Start date of the activated project state

Expiration Date End date of the activated project state

Subscription ID Subscription ID

Command example:

azure activate_project -p <project> -s <shape> -z <zone> -u

<subscription name>

Response example:

5.6.1.2 azure add_enrolment

Invoke: azure add_enrolment


EPAM PUBLIC 142

Adds a new Microsoft Azure enrolment




-e, --enrolment-number

Enrolment number Yes

-a, --azure-access-key Usage API access key granted by Enterprise Administrator Yes

-b, --bill-from The date to start billing from in yyyy-MM-dd'T'HH format Yes


Command example:

azure add_enrolment -e <enrolment number> -a <azure access key> -b

<bill from>

Response example:

5.6.1.3 azure add_image

Invoke: azure add_image

Adds machine image to be used with ARM API. Images list is available on Azure portal marketplace or

from CLI (for more details please use azure help vm image command)




-i, --image-id Image ID. Example: Debian8_64-bit, W2012Std Yes

-d, --description Image description. Example: "Debian GNU/Linux 8 64-bit", "Windows Server 2012 Standard Edition"

Yes


-t, --os-type Type of operating system: [windows, linux, coreos, fedora coreos]

Yes

-p, --publisher Image publisher. Example: Canonical, OpenLogic, MicrosoftWindowsServer

Yes

-o, --offer Image offer. Example: UbuntuServer, CentOS, WindowsServer

Yes

-s, --sku Image sku. Example: 14.04.4-LTS, 6.6, 2008-R2-SP1) Yes

-v, --version Image version. Example: 14.04.201604060 Yes



--all-zones All zones No


Response Elements

Name Description



EPAM PUBLIC 143

Response Elements

Name Description




Command example:

azure add_image -i <image-id> -d <description> -g <group> -t <os-

type> -p <publisher> -o <offer> -s <sku> -v <version> -u

<username> -z <zone>

Response example:

5.6.1.4 azure add_subscript

Invoke: azure add_subscript

Adds a new Microsoft Azure subscription




-s, --subscription-id Azure subscription ID (GUID) Yes



-a, --tenant-alias Tenant alias (use it only for reachable subscription) No

-u, --unreachable Marks subscription as unreachable for Orchestrator No

-c, --account-name Account name (Required for unreachable subscriptions. Use it to override tenant account name value for reachable subscriptions)

No


Command example:

azure add_subscript -s <subscription id> -e <enrolment number> -a

<tenant alias>

Response example:

5.6.1.5 azure add_zone

Invoke: azure add_zone


EPAM PUBLIC 144

Adds a new Microsoft Azure zone






-l, --location Azure location (e.g. North Europe) Yes

-a, --api-name Azure location api name (e.g. northeurope) Yes



Defines whether this zone supports billing mode. If disabled - Billing Engine shows costs based on EO audit only, otherwise EO audit will be integrated(mixed) with costs coming from a cloud provider (e.g. in a form of CSV reports)

No


Command example:

azure add_zone -l <location> -r <region> --assign <true> -z <zone>

-a <api name> --disable-billing-mix-mode <false>

Response example:

5.6.1.6 azure add_zone_alias

Invoke: azure add_zone_alias

Adds an alias to existing Microsoft Azure zone





-a, --alias Zone alias (e.g. northeurope for North Europe) Yes


Command example:

azure add_zone_alias -z <zone> -a <alias>

Response example:


EPAM PUBLIC 145

5.6.1.7 azure analyze_sg

Invoke: azure analyze_sg

Analyzes default security group for extra rules




-s, --subscription Subscription name No


Command example:

azure analyze_sg

Response example:

5.6.1.8 azure change_creds

Invoke: azure change_creds

Changes Azure tenant's credentials




-e, --enrolment-number Enrolment number Yes

-a, --alias Azure tenant alias Yes

-i, --client-id Client id No

-k, --client-key Client key No

-c, --account-name Account name No


EPAM PUBLIC 146


Command example:

azure change_creds -e <enrolment-number> -a <alias> -i <client-id>

-k <client-key> -c <account-name>

Response example:

5.6.1.9 azure check_config

Invoke: azure check_config

Checks ARM configuration




a, --all All subscriptions No




Command example:

azure check_config -p <project>

Response example:

5.6.1.10 azure config_project

Invoke: azure config_project

Configures project for using ARM API




--all Perform for all active azure projects flag No

--all-zones Perform for single project in all active azure zones flag No

-p,--project Project abbreviation in EPAM Cloud No

-z,--zone Virtualization zone No



EPAM PUBLIC 147

Command example:

azure-config_project -p <project> -z <zone>

Response example:

5.6.1.11 azure del_subscript

Invoke: azure del_subscript

Removes existing Microsoft Azure subscription from EPAM Orchestrator




-n, --name Azure subscription name Yes


Command example:

azure del_subscript -n <subscription name>

Response example:

5.6.1.12 azure delete_image

Invoke: azure delete_image

Deletes image form Azure zone. Assigns status DELETED for image and does not delete it on Azure







Response Elements

Name Description





Command example:

azure delete_image -i <image id> --all zones


EPAM PUBLIC 148

Response example:

5.6.1.13 azure get_net_config

Invoke: azure get_net_config

Retrieves information about network configuration for the specified project(s)




-p, --project-code Project code to retrieve network configuration for. For several projects repeat the parameter: -p projectName1 -p projectName2 -p projectNameN.

Yes

Response Elements

Name Description

Project Name Project name

Zone Name Virtualization zone name

Configured Provides information about configured action status

Command example:

azure get_net_config -p <project code>

Response example:

5.6.1.14 azure get_subscript

Invoke: azure get_subscript

Describes existing Azure subscriptions





Enrolment number to describe subscriptions No




EPAM PUBLIC 149

Response Elements

Name Description

Enrolment Number Enrolment Number

Subscription GUID Azure subscription ID

Tenant Alias Tenant alias

Subscription Name Subscription Name

Account Name Account Name

Used by Show the project that uses this account

Unreachable Unreachable action status

Disabled Disabled action status

Command example:

azure get_subscript -p <project>

Response example:

5.6.1.15 azure get_tenants

Invoke: azure get_tenants

Describes available tenants for the specified Azure enrollment






Response Elements

Name Description

Alias Alias

Tenant ID Tenant ID

Client ID Client ID

Account Name Name of account in Azure

Command example:

azure get_tenants -e <enrolment number>

Response example:


EPAM PUBLIC 150

5.6.1.16 azure grant_access

Invoke: azure grant_access

Grants access to Azure Portal





-p, --project Project code to which the user should have access on Azure Portal

Yes


Command example:

azure grant_access -p <project> -e <[email protected]>

Response example:

5.6.1.17 azure init_lookup

Invoke: azure init_lookup

Initially adds ARM resource to EPAM Orchestrator




-p,--project Project abbreviation in EPAM Cloud Yes

Command example:

azure init_lookup -p <project>

Response example:

5.6.1.18 azure list_image_versions

Invoke: azure list_image_versions


EPAM PUBLIC 151

Lists the VM image versions available in the Azure Marketplace





-p, --publisher An image publisher name Yes

-o, --offer An image publisher offer Yes

-s, --sku An image publisher sku Yes

Command example:

azure list_image_versions -z <zone> -p <publisher> -o <offer> -s

<sku>

Response example:

5.6.1.19 azure list_offers

Invoke: azure list_offers

Lists the VM image offers available in the Azure Marketplace






Response example:

5.6.1.20 azure list_publishers

Invoke: azure list_publishers

Lists the VM image publishers available in the Azure Marketplace






EPAM PUBLIC 152

Command example:

azure list_publishers -z <zone>

Response example:

5.6.1.21 azure list_skus

Invoke: azure list_skus

Lists the VM image SKUs available in the Azure Marketplace.






-o, --offer An image publisher offer Yes

Command example:

azure list_skus -z <zone> -p <publisher> -o <offer>

Response example:

5.6.1.22 azure manage_currency

Invoke: azure manage_currency

Updates currency and rate for Microsoft Azure enrolment






-a, --action Action: [DESCRIBE, UPDATE] Yes

-y, --year Year No

-m, --month Month No


EPAM PUBLIC 153


-c, --currency Currency symbol or abbreviation No

-r, --rate Exchange rate. All costs will be multiplied by this rate to get value in the specified currency.

No

-d, --disable Disable rate applying No


Command example:

azure manage_currency -e <enrolment number> -a <action>

Response example:

5.6.1.23 azure manage_subscript_status

Invoke: azure manage_subscript_status

Enables or disables the specified subscription in EPAM Orchestrator




-s, --subscription Subscription name Yes

-a, --action Subscription change status option. Available action: enable or disable

Yes

Command example:

azure manage_subscript_status -s <subscription> -a <action>

Response example:

5.6.1.24 azure manage_tenants

Invoke: azure manage_tenants

Adds and removes Azure tenants in EPAM Orchestrator







-t, --tenant Tenant id No


EPAM PUBLIC 154


-I, --client-id Client id No

-k, --client-key Client key No


--add Option for adding tenant No

--delete Option for deleting tenant No


Command examples:

azure manage_tenants -e <enrolment number> -a <alias> -t <tenant>

-i <client-id> -k <client-key> -c <account-name> --add

azure manage_tenants -e <enrolment number> -a <alias> --delete

Response example:

5.6.1.25 azure manage_trusted_ip

Invoke: azure manage_trusted_ip

Adds a custom security config for specified project for allowing inbound or outbound connection to/from

instances of this project.






-a, --action Action type, allowed actions are: ADD, REMOVE and DESCRIBE. If parameter not specified, DESCRIBE action will be executed by default.

No

--sr, --source Source ranges for rule. Specify one or more IP range or parameter 'ANY'. For several ip ranges repeat the parameter: --sr 0.0.0.0/0 --sr 1.1.1.1/1

No

--dr, --destination Destination ranges for rule. Specify one or more IP range or parameter 'ANY'. For several ip ranges repeat the parameter: --dr 0.0.0.0/0 --dr 1.1.1.1/1

No

-r, --protocol Ip protocol. For example TCP, UDP. Use ANY parameter for all protocols

No

-o, --port-range The port range (for the TCP and UDP protocols). For several port ranges repeat the parameter: -o 22-25 -o 30-35. If parameter is not specified - security config for all ports will be created

No

-e, --description Description for security rule No

-d, --direction Rule direction, allowed values are [INGRESS, EGRESS]. No

-n, --name Security rule name. No


EPAM PUBLIC 155

Response Elements

Name Description


Zone name Zone name

Name Security rule name

Protocol Protocol

Direction Direction


Port-ranges Port ranges

Source ranges Source ranges

Destination ranges Destination ranges


Action DESCRIBE

Command example:

manage_trusted_ip --project <project name> --zone <zone>

Response example:

Action ADD

Command example:

manage_trusted_ip --project <project name> --zone <zone> --action add

--name <security rule name> --source <source> --destination

<destination> --direction <direction> --protocol <protocol>

Response example:

Action REMOVE

Command example:

manage_trusted_ip --project <project> --zone <zone> --action remove --

name <security rule name>

Response example:


EPAM PUBLIC 156

5.6.1.26

azure move_subscript

Involve: azure move_subscript

Moves subscription to another directory








Command example:

azure move_subscript -s <subscription> -a <alias> -c <account-name>

Response example:

5.6.1.27 azure revoke_access

Invoke: azure revoke_access

Revokes access to Azure Portal





-p,--project Project abbreviation in EPAM Cloud Yes


Command response:

azure revoke_access -e <email> -p <project>

Response example:

5.6.1.28 azure set_def_groups

Invoke: azure set_def_groups


EPAM PUBLIC 157

Applies configuration for the default Azure security groups





Command example:

azure set_def_groups

Response example:

5.6.1.29

azure shape_mapping

Invoke: azure shape_mapping

Configures shape mapping for the specified zone






-s, --shape-mapping

Shape mapping pair: epc_shape=foreign_shape.

Use "=" as delimiter. For several mappings repeat the parameter: -s epc_shape1=foreign_shape1 -s epc_shape2=foreign_shape2 -s epc_shapeN=foreign_shapeN. If you use Windows command line, please, encase the -s parameter in quotes i.e. "epc_shape=foreign_shape".

Yes

Command example:

azure shape_mapping --all zones -s <shape mapping>

Response example:

5.6.1.30 azure share_credit

Invoke: azure share_credit

Shares credit among all projects of the given enrolment





EPAM PUBLIC 158


-e, --enrolment Enrolment number (e.g. 54168053) Yes

-c, --credit Credit value in USD. SIGN MATTERS! Yes

-d, --description What this credit is given for Yes

-y, --year Year Yes

-m, --month Month (digits from 1 to 12) Yes


Command example:

azure share_credit -e <enrolment number> -c <credit> -d

<description> -m <month> -y <year>

Response example:

5.6.1.31

azure subscript_pool

Invoke: azure subscript_pool

Describes the subscription pool for current available enrollments




Response Elements

Name Description

Enrolment number Virtualization zone

Total Count Total count of subscriptions

In Use Count Count of subscriptions in use

Command example:

azure subscript_pool

Response example:

5.6.1.32 azure switch_subscript_tenant

Invoke: azure switch_subscript_tenant

Switches subscription tenant to another alias



EPAM PUBLIC 159







Command example:

azure switch_subscript_tenant -s <subscription> -a <alias>

Response example:


EPAM PUBLIC 160

5.7 GOOGLE

The ‘google’ category includes the commands related to resource configuration and management in

Google Cloud Platform.

5.7.1 GOOGLE

The ‘google’ group includes the commands related to Google Cloud Platform. The following commands

are available:

Command Description

google activate_project Activates project in a Google zone

google add_account_system_username Adds system username for the Google account

google add_image Adds Google image

google add_zone Adds new Google zone

google change_password Changes password for user intended for providing temporary access

google check_config Checks Google configuration for the specified project

google config_export_billing_data Configures export Google billing data to BigQuery

google configure_network Configures networking for the project in Google region

google delete_image Deletes image form a Google zone. Assigns status DELETED for the image and does not delete it in Google Cloud.

google describe_instance_firewalls Describes firewall rules which affect specified instance

google edit_zone Edits Google zone settings

google list_accounts Retrieves the list of existing Google accounts

google list_iam_users Retrieves the list of IAM users in the specified project

google list_images Retrieves the list of images in the specified project in the Google region

google list_pr_roles Retrieves the list of applied EPAM Orchestrator custom roles for the Google project

google list_projects Retrieves the list of existing Google projects

google list_zones Retrieves the list of existing Google zones

google manage_acc_user Manages G-Suite users put under EPAM Orchestrator

google manage_alpha_locations Adds or removes an attached zone's alpha locations. Alpha locations are required for billing purpose.

google manage_iam_user Manages IAM users for the specified project

google manage_api Manages Google APIs state

google manage_external_ip

Manages external IP's configuration for specified Google project

google manage_policy Manages existing IAM policies

google manage_role Manages default user project role definition in EPAM Orchestrator

google setup_account Sets up new Google account

google update_acc_configs Updates Google account settings

google update_images Refreshes information about images (family, licenses etc.)

google upload_role Uploads updated default user project role on Google side

To see the list of arguments used with the commands of the ‘google’ group, type google



EPAM PUBLIC 161

5.7.1.1 google activate_project

Invoke: google activate_project

Activates project in a Google zone





-s, --shape Shape name. For several shapes repeat the parameter: -s

SHAPE1 -s SHAPE2 -s SHAPEN Yes


-e, --existing-project-id Existing Google project ID to use. No



--all All zones No


Command example:

google activate_project -p <project> -s <shape> -s <shape> -z

<zone>

Response example:

5.7.1.2 google add_image

Invoke: google add_image

Adds Google image




-i, --image-id Image ID. Example: Ubuntu14.04_64-bit Yes



-t, --os-type Type of operating system: [windows, linux, coreos, fedora coreos] Yes

-p, --google-project-id Google image project ID. See https://cloud.google.com/compute/docs/images for more details

Yes


-n, --google-image-

name Google image name. Cannot be used with image family No

https://cloud.google.com/compute/docs/images


EPAM PUBLIC 162


-f, --google-image-

family Google image family. Cannot be used with image name No





Command example:

google add_image -i <image-id> -d <description> -g <group>

-t <os-type> -p <google project id> -u <username> -n <google

image name>

Response example:

5.7.1.3 google add_zone

Invoke: google add_zone

Adds new Google zone






-a, --account-id Google account ID. For example, account-91b5e7ec Yes

-z, --google-zone-name

Google zone name. For example, us-central1-a or europe-west1-c. For more information refer to https://cloud.google.com/compute/docs/regions-zones/regions-zones

Yes


--disable-billing-mix-mode Defines whether this zone supports billing mode No

https://cloud.google.com/compute/docs/regions-zones/regions-zones



EPAM PUBLIC 163


-a, --aws-nearest-zone AWS nearest zone. Required for autoconfiguration. No


Command example:

google add_zone -r <region> -z <zone> -a <account-id> -z <google

zone name> -l <location>

Response example:

5.7.1.4 google change_password

Invoke: google change_password

Changes password for user intended for providing temporary access




-u, --username Google account user. Yes

-p, --password Set custom password or not. If not specified, password will be generated.

No

Command example:

google change_password -u <user> -p <password>

Response example:

5.7.1.5 google check_config

Invoke: google check_config

Checks Google configuration for the specified project




-p, --project Project abbreviation in EPAM Cloud. Can be used multiple times to specify multiple projects

No




EPAM PUBLIC 164

Command example:

google check_config -p <project>

Response example:

5.7.1.6 google config_export_billing_data

Invoke: google config_export_billing_data

Configures export Google billing data to BigQuery




-g, --google-account-id

Google COMPUTE account id Yes


-d, --dataset Dataset name for billing exporting. Will be automatically created if does not exist No

-t, --table Table name. Suffix with month and year will be added for each month. No

-e, --deactivate Flag for deactivation. Activation by default No

Command example:

google config_export_billing_data -g <google account id>

-p <project> -d <data set> -t <table>


EPAM PUBLIC 165

Response example:

5.7.1.7 google configure_network

Invoke: google configure_network

Configures networking for the project in Google region





Command example:

google configure_network -p <project>

Response example:

5.7.1.8 google delete_image

Invoke: google delete_image

Deletes image from a Google zone. Assigns status DELETED for the image and does not delete it in

Google Cloud.








Command example:

google delete_image -i <image-id> -z <zone>

Response example:


EPAM PUBLIC 166

5.7.1.9 google describe_instance_firewalls

Invoke: google describe_instance_firewalls

Describes firewall rules which affect specified instance






-i, --instance Instance name No


No


Command example:

google describe_instance_firewalls -p <project> -z <zone>

Response example:

5.7.1.10 google edit_zone

Invoke: google edit_zone

Edits Google zone settings





-a, --aws-nearest-zone

AWS nearest zone. Required for autoconfiguration. Specify

'<null>' to unset. Yes

Command example:

google edit_zone -z <zone> -a <aws-nearest-zone>

Response example:


EPAM PUBLIC 167

5.7.1.11 google list_accounts

Invoke: google list_accounts

Retrieves the list of existing Google accounts




Response Elements

Name Description

Account ID Account ID

Approver Approver email address

Account purpose Account purpose Client ID Client ID Admin project ID Admin project ID

Billing account ID Billing account ID Account Domain Account Domain

Command example:

google list_accounts

Response example:

5.7.1.12 google list_iam_users

Invoke: google list_iam_users

Retrieves the list of IAM users in the specified project





Response Elements

Name Description

Username Username

Default role Default role

Custom Roles Settings Custom Roles Settings

System System status

Command example:

google list_iam_users -p <project>


EPAM PUBLIC 168

Response example:

5.7.1.13 google list_images

Invoke: google list_images

Retrieves the list of images in the specified project in the Google region




-p, --project-id Google project ID to retrieve images from. For example, centos-cloud or coreos-cloud. For the complete projects list refer to https://cloud.google.com/compute/docs/images

Yes

-d, --deprecated Include deprecated images or not. No

Response Elements

Name Description

Name Name of the image

Disk Size (GB) Size of the disk in GB

deprecated Shows if the image is in a deprecated state

Status Shows image status

Command example:

google list_images -p <project>

Response example:

5.7.1.14 google list_pr_roles

Invoke: google list_pr_roles



EPAM PUBLIC 169

Retrieves the list of applied EO custom roles for the Google project






No

Command example:

google list_pr_roles -p <project>

Response example:

5.7.1.15 google list_projects

Invoke: google list_projects

Retrieves the list of existing Google projects




Command example:

google list_projects

Response example:

5.7.1.16 google list_zones

Invoke: google list_zones

Retrieves the list of existing Google zones



EPAM PUBLIC 170




Response Elements

Name Description

Name Zone name



Availability zone Availability zone

Linked availability zone Linked availability zone

Location Location

Nearest AWS zone Nearest AWS zone

Untracked availability zone Untracked availability zone

Command example:

google list_zones

Response example:

5.7.1.17 google manage_acc_user

Invoke: google manage_acc_user

Manages G-Suite users put under EO




-a, --action Manage action. Allowed are: [GET, ADD, SUSPEND, RESUME, REMOVE_FROM_EO]

Yes


Response Elements

Name Description

Username Username

Status Status of the user

First password First password

Last UI access Last UI access

Owner ID Owner ID

Command example:

google manage_acc_user -a <action> -e <email>


EPAM PUBLIC 171

Response example:

5.7.1.18 google manage_alpha_locations

Invoke: google manage_alpha_locations

Adds or removes an attached zone's alpha locations. Alpha locations are required for billing purpose.





-c, --action Action: [ADD, DESCRIBE, REMOVE] Yes

-a, --alpha-location Alpha location for billing purposes(e.g. us-central2) No


Command example:

google manage_alpha_locations -z <zone> -c <action> -a <alpha-

location>

Response example:

5.7.1.19

google manage_iam_user

Invoke: google manage_iam_user

Manages IAM users for the specified project






-a, --action Manage action. Allowed are: [ADD, DELETE_ROLE, DELETE_USER] Yes

-r, --reason Short description of action reason No


EPAM PUBLIC 172


-d, --default-role Default role name. Allowed are: [BasicReadAccess, FullReadAccess, BasicUserAccess, AdminUserAccess] No

-f, --role Full Google role name. No


Command example:

google manage_iam_user -p <project> -e <email> -a<action> -r

<reason>

Response example:

5.7.1.20 google manage_api

Invoke: google manage_api

Manages Google APIs state





-a, --action Managed action. Allowed values are: [list, describe, enable, disable]

Yes

-n, --name API service name No


Command example:

google manage_api -p <project> -a <action>

Response example:


EPAM PUBLIC 173

5.7.1.21 google manage_external_ip

Invoke: google manage_external_ip

Manages external IP's configuration for specified Google project





-a, --action Action type, allowed actions are ADD, REMOVE and DESCRIBE. If parameter not specified, DESCRIBE will be executed.

No

-w, --network Network name No

-i, --ip-range IP range. For several ip ranges repeat the parameter: -i 0.0.0.0/0 -i value 1.1.1.1/1

No

-d, --direction Direction of the traffic, allowed values are: INGRESS, EGRESS.

No

-n, --name Firewall rule name. Mandatory for ADD and REMOVE actions, optional for DESCRIBE action.

No

--st, --source-tags Source network tags. No

-ss, --source-service-account

Source service account email address No

-tt, --target-tags Target network tags No

-ts, target-service-account

Target service account email address No

-e, --description Description for firewall rule. No

-c, --action-on-match Action for rule on match. Allowed values are: ALLOW and DENY

No

-y, --priority Priority for rule. Priority can be 0 - 65535 No

-r, --protocol-config Configs for protocol and ports. Example -r tcp:1-65536 -r ah -r udp:22,23. Use ALL parameter for all protocols.

No


No

Action DESCRIBE

Response Elements

Name Description

Name Project name

Google project ID Google project ID

Network Network

Source tags Source tags

Target tags Target tags

Source service accounts Source service accounts

Target service accounts Target service accounts

IP ranges IP ranges

Direction Direction


Allowed Allowed

Denied Denied

Action Action

Priority Priority


EPAM PUBLIC 174

Command example:

manage_external_ip --project <project>

Response example:

Action ADD

Command example:

google manage_external_ip --project <project name> --action add --

network <network> -i <ip range> --direction <direction> --name

<firewall rule name> --sourse-tags <sourse-tags > --target-service-

account <accounts> --description <description> --action-on-match

<allow> --priority <priority> --protocol-config <all>

Response example:

Action REMOVE

Command example:

google manage_external_ip --project <project name> --action remove --

name <firewall rule name>

Response example:

5.7.1.22 google manage_policy

Invoke: google manage_policy

Manages existing IAM policies




-n, --policy-name Name of default policy No

-g, --google-action Google action. For several actions repeat the parameter: -g ACTION1 -g ACTION2 -g ACTIONN

No

-f, --file-name .csv-file with Google actions to setup. Replace actions in policy.

No

-a, --action Manage action. Allowed are: [UPDATE, GET, LIST] Yes

-d, --delete Remove actions from policy if any No


No


EPAM PUBLIC 175

Command example:

google manage_policy -n <policy name> -a <action>

Response example:

5.7.1.23 google manage_role

Invoke: google manage_role

Manages default user project role definition in EO




-a, --action Manage action. Allowed are: [UPDATE, LIST]. Default: LIST No

-n, --role-name Name of default role. Allowed are: [BasicReadAccess, FullReadAccess, BasicUserAccess, AdminUserAccess] No

-p, --policy Attached policy. For several actions repeat the parameter: -p POLICY1 -p POLICYN No

-d, --delete Remove policy from role No

Command example:

google manage_role -a <action> -n <role name>

Response example:

5.7.1.24 google setup_account

Invoke: google setup_account

Sets up new Google account



EPAM PUBLIC 176




-u, --username Account username ([email protected]) Yes


-p, --purpose Account purpose. Allowed values: COMPUTE, ADMIN_DIRECTORY Yes

--domain Account domain. For example: epam.com Yes

-a, --admin-project-id Admin project ID. Required for COMPUTE accounts No

-b, --billing-account-id Billing account ID. Required for COMPUTE accounts No

-d, --billing-dataset-name

BigQuery billing dataset name No

Response Elements

Name Description


Approver Approver

Account purpose Account purpose

Client ID Client ID

Admin project ID Admin project ID

Billing account ID Billing account ID

Account domain Account domain

Command example:

5.7.1.25 google setup_account -u <username> -i <client-id> -p <purpose>

--domain <domain name> -a <admin-project-id> -b <billing-account-

id>google update_acc_configs

Invoke: google update_acc_configs

Updates Google account settings




-n, --account-id Existed Account ID (account-xxxxxxxx) Yes

-u, --approver Approver account username ([email protected]) No

-i, --client-id Client ID No

--domain Account domain. For example: epam.com No


-b, --billing-account-id Billing account ID. Required for COMPUTE accounts No

-d, --billing-dataset-name

BigQuery billing dataset name No

-r, --refresh-token Indicates if the refreshToken regeneration is needed No




EPAM PUBLIC 177

Response Elements

Name Description


Approver Approver

Account purpose Account purpose

Client ID Client ID

Admin project ID Admin project ID

Billing account ID Billing account ID

Account domain Account domain


Command example:

google update_acc_configs -n <account-id> -u <username> -i

<client-id> --domain <domain> -a <admin-project-id> -b <billing-

account-id> -r <refresh-token>

Response example:

5.7.1.26 google update_images

Invoke: google update_images

Refreshes information about images (family, licenses etc.)





Command example:

google update_images -z <zone> Response example:

5.7.1.27 google upload_role

Invoke: google upload_role

Uploads updated default user project role on Google side






EPAM PUBLIC 178


-n, --role-name Name of default role. Note, that command will try to upload all, if role not specified. No

--all-projects Upload role to all activated projects No


Command example:

google upload_role -p <project> -n <role name>

Response example:


EPAM PUBLIC 179

5.8 CSA, HP OO, OPENSTACK (PRIVATE CLOUD)

This category includes the commands related to resource management in CSA, HP OO and OpenStack

virtualization platforms.

5.8.1 CSA

The ‘csa’ group includes the commands related to HP Cloud Services Automation. The following


Command Description

csa activate_project Activates an HP Cloud Services Automation project in EPAM Cloud Orchestrator

csa add_offering Adds a new CSA offering

csa add_ownership Adds HP CSA ownership for the specified zone and instances

csa add_secondary_catalog Adds a CSA secondary catalog

csa add_shape Adds a new CSA shape

csa add_zone Adds a new CSA zone

csa check_offerings Checks CSA offerings

csa config_api Sets HP CSA API userId, catalogId

csa config_image Update image description for the Hardware MAC image

csa del_subscript Deletes HP CSA subscriptions from CSA only

csa fix_old_project Changes CSASubscription requestor (project) if the current project is inactive

csa get_capacity Shows open, close, current values and blocked action for all CSA regions

csa put_under_eo Puts existing HP CSA subscription under EO

csa restore_missing Restores missing EO instances existing in CSA

csa restore_to_csa Restores HP CSA subscriptions from EO to CSA

csa set_capacity Sets open and close values for a single CSA region

csa set_catalog Sets catalog ID to active HP CSA subscriptions in the specified zone

csa sync_from_csa Synchronizes HP CSA subscription fields from CSA to EO

csa vlan_activate Activates a new VLAN for project

To see the list of arguments used with the commands of the ‘csa’ group, type csa [command_name] -h


5.8.2 HPOO

The ‘hpoo’ group includes the commands related to HP Operations Orchestration. The following


Command Description

hpoo activate_project Activates an HP OO project in EPAM Cloud Orchestrator

hpoo add_zone Adds a new HP OO zone

hpoo check_flows Checks that flows are present and valid on HP OO

hpoo config_flow Configures HP OO flow

hpoo config_zone Configures a new HP OO zone

hpoo configvs Configures HP OO VSphere host name/username and password

hpoo get_problem_inst Retrieves the list of instances in starting state or having no IP

hpoo refresh_images Refreshes the list of machine images in EPAM Cloud Orchestrator

hpoo vlan_activate Activates a new VLAN for the project

To see the list of arguments used with the commands of the ‘hpoo’ group, type hpoo [command_name]



EPAM PUBLIC 180

5.8.3 OPEN_STACK

The ‘open_stack’ group includes the commands related to the OpenStack virtualization platform. The


Command Description

open_stack activate_project Activates a project in OpenStack

open_stack activate_zones_personal_project Activates a separate tenant for hosting personal projects' resources in the specified zone.

open_stack add_image Adds an image to the OpenStack Zone

open_stack add_predefined_user Adds a predefined user to the project or to all projects in the specified OpenStack zone

open_stack add_shapes Creates default shapes for an OpenStack zone. For more details see OrchestrationSettings.openStackDefaultShapes

open_stack add_zone Adds a new OpenStack zone

open_stack admin_sg Creates or updates, if exists, the configuration for admin project's security group for the specified security mode

open_stack apply_custom_group Applies custom project security group to the existing VMs

open_stack clean_up_ports Cleans up network ports that are currently not in use on OpenStack

open_stack config_tenant_net Configures tenant limited network

open_stack create_recycle_bin Creates Recycle bin for the OpenStack zone

open_stack cross_project_access Describes, enables or disables cross-project access

open_stack cross_region_access Describes, enables or disables cross-region access for the project

open_stack delete_image Deletes an image from the OpenStack zone. Assigns status DELETED for the image and does not delete it on OpenStack

open_stack delete_project_image Deletes project image on OpenStack and marks it as deleted in DB

open_stack delete_requested_storage Deletes requested storage

open_stack delete_shapes Deletes shapes by flavor ID

open_stack deprecate_shapes Deprecates shapes for the OpenStack zone

open_stack describe_recycle_bin Describes Recycle bin for the OpenStack zone

open_stack edit_recycle_bin Edits Recycle bin properties for the OpenStack zone

open_stack edit_zone Edits OpenStack zone settings

open_stack generate_name Generates a new instance name

open_stack get default_security_mode Gets default security group mode for the zone

open_stack get_default_shapes Retrieves the list of default shape configurations

open_stack get_hosts Retrieves the list of all hosts in the OpenStack zone

open_stack get_images Retrieves the list of all public images available in the zone

open_stack get_quotas Retrieves the list of OpenStack quotas for the project in the specified zone

open_stack get_shapes Retrieves the list of all available/deprecated shapes in the specified zone

open_stack get_windows_admin_password Gets admin password for windows instance

open_stack get_zones Retrieves the list of all active OpenStack zones

open_stack manage_custom_rules Manages custom security group rules

open_stack manage_dns_name Manages instance DNS name on EO

open_stack manage_networking Manages internal identifier of VLAN

open_stack move_to_dmz Moves instance to specified or default project VLAN

open_stack notific_config Configures notifications settings

open_stack refresh_image_lim Checks and updates project image limitations from OpenStack side

open_stack register_requested_storage Registers requested storage


EPAM PUBLIC 181

Command Description

open_stack remove_from_recycle_bin Removes the specified instance from Recycle bin on OpenStack.

open_stack remove_tenant Removes tenants on OpenStack used by the project closed on EO.

open_stack reset_synth_state Resets instance syntheticState identifier stuck in 'CLONING'.

open_stack restore_from_recycle_bin Restores instance from Recycle bin on OpenStack. Specify OpenStack instance id.

open_stack restore_fv_from_eo Restores flavors, absent on OpenStack, but existed in EO DB.

open_stack security_group_extension Manages default security group type extensions

open_stack set_default_security_mode Sets default security group mode for the zone

open_stack set_instance_security_groups Applies project security groups to existing VM

open_stack security_config Describes or updates project security configuration

open_stack set_image_id Sets new ID for the existing image

open_stack set_quota Sets quota for the specified project or for all projects in the specified zone

open_stack setup_networking Sets up networking for all projects in the specified zone (for MANUAL networking mode only)

open_stack up_fv_names Updates OpenStack flavor names according to the current naming policy

open_stack update_network_config Updates network configuration

open_stack vlan_activate Activates a new VLAN for the zone

open_stack vlan_deactivate Removes VLAN configuration

To see the list of arguments used with the commands of the ‘open_stack’ group, type open_stack


5.8.3.1 open_stack activate_project

Invoke: open_stack activate_project

Activates a project in OpenStack.






Yes




-n, --network-type Network type: [default, secured, hybrid], by default is the default network type will be applied

No

--st, --security-type

Security type: [private, protected, limited, public, manual], If a security type is not specified, the default one used for the zone will be applied. To see the default security type used for the zone, invoke get_default_security_mode command.

No

Response Elements

Name Description


name Project name

zone Project zone


EPAM PUBLIC 182

Response Elements

Name Description








Command example

open_stack activate_project -p <project_name> -s <shape> -z

<zone_name>


Command response

5.8.3.2 open_stack activate_zones_personal_project

Invoke: open_stack activate_zones_personal_project

Activates a separate tenant for hosting personal projects' resources in the specified zone.





Command example

open_stack activate_zones_personal_project -z <zone_name>


Command response

5.8.3.3 open_stack add_image

Invoke: open_stack add image

Adds an image to the OpenStack zone.








EPAM PUBLIC 183


-t, --os-type Type of operating system: [Windows, Linux, CoreOS, Fedora CoreOS]

Yes


-o, --open-stack-image-id

OpenStack image ID No




Response Elements

Name Description

Zone Zone name

Status Show command execution status


Command example

open_stack add_image -i <image_id> -d <image_description> -g <group>

-t <os_type> -u <default_ssh_user_name> -o <open_stack_image_id> -z

<zone_name>


Command response.

5.8.3.4 open_stack add_predefined_user

Adds a predefined user to the project or to all projects in the specified OpenStack zone.

Invoke: open_stack add_predefined_user





-u, --username Username For several users repeat the parameter: -u USERNAME1 -u USERNAME2

Yes


Command example

open_stack add_predefined_user -z <zone_name> -p <project> -u

<username>

Command response


EPAM PUBLIC 184

5.8.3.5 open_stack add_shapes

Invoke: open_stack add_shapes

Creates default shapes for an OpenStack zone.

For more details see OrchestrationSettings.openStackDefaultShapes





-s, --shape Included shape. For several shapes repeat the parameter: -s SHAPE1 -s SHAPE2. If not specified, all available shapes will be added.

No

--see Prints the shapes which will be added No

5.8.3.6 open_stack add_zone

Invoke: open_stack add_zone

Adds a new OpenStack zone.







-u, --auth-url Open Stack authentication url Yes

-c, --counter Instance start counter (used for instance name generation) Yes

-a, --admin-name Admin name Yes

-t, --admin-tenant Admin tenant Yes

-m, --networking-mode Networking mode. Allowed values: [AUTO, MANUAL] Yes

--dns, --dns-server DNS server to register VMs on. Can specify several values. Yes

-n, --network-id Network ID Yes

--rn, --region-name OpenStack region name No


-d, --docker-only Docker only No

--mtp Servicing host for moveToProject command No

--storage-url Custom storage URL No

5.8.3.7 open_stack admin_sg

Invoke: open_stack admin_sg

Creates or updates, if exists, the configuration for admin project's security group for the specified security

mode.




-z, --zone Zone name. If this parameter is not specified, the command will be executed for all zones

No


EPAM PUBLIC 185


-s, --security-group-type

Security group type. If this parameter is not specified the command will be executed for all modes. Allowed values are: [private, protected, limited, public, manual, core_v]

No

-a, --action Manage action, allowed values are: [describe, setup]. By default is describe

No

Response Elements

Name Description

zone Zone name

securityMode Security mode

securityGroupName Security group name

securityRuleId Security rule ID

direction Direction

protocol Protocol

portRange Port range

remoteSource Remote source



Command example

open_stack admin_sg -z <zone> -a describe

Command response

5.8.3.8 open_stack apply_custom_group

Invoke: open_stack apply_custom_group

Applies custom project security group to the existing VMs.







Command Example

open_stack apply_custom_group -p <project> -z <zone_name>


EPAM PUBLIC 186

Command response

5.8.3.9 open_stack clean_up_ports

Invoke: open_stack clean_up ports

Cleans up network ports that are currently not in use on OpenStack.






-s, --security-group-id Filter project ports by security group No

-d, --delete Delete non-in-use OpenStack ports for project. By default, only describe applicable ports.

No

5.8.3.10 open_stack config_tenant_net

Invoke: open_stack config_tenant_net

Configures tenant limited network.






--gn, --gateway-network

Gateway Network ID Yes

--tn, --tenant-network-name

Created tenant Network name No

--gs, --gateway-subnet Gateway Subnet ID. Must be specified with --gateway-external-ip parameter.

No

--ip, --gateway-external-ip

Gateway IP address. Must be specified with --gateway-subnet parameter.

No

-c, --cidr Cidr to specify IP ranges for tenant network. Default: 172.25.0.0/24

No

--ha, --highly-available Is network router should be highly available (includes L3 Agent network on router)

No

--dsnat, --disable-snat To disable Source NAT No

Response Elements

Name Description

networkName Network name

networkId Network ID

subnetName Subnet name


EPAM PUBLIC 187

subnetCidr Subnet Cidr

gatewayNetworkId Gateway network ID

gatewayExternalIp Gateway external IP

Command example

open_stack config_tenant_net -p <project> -z <zone-name --gn

<gateway_network_id> --ha --tn <tenant_network_name>

Command response

5.8.3.11 open_stack create_recycle_bin

Invoke: open_stack create_recycle_bin

Creates Recycle bin for the OpenStack zone





-t, --ttl Minimum time to live for instance in hours before being moved to recycle bin. By default: 24

No

-d, --days Amount of days for instance to persist in Recycle bin. By default: 7

No

Command example

open_stack create_recycle_bin -z <zone> -d <days>

5.8.3.12 open_stack cross_project_access

Invoke: open_stack cross_project_access

Describes, enables or disables cross-project access




-a, --action Manage action, allowed values are: [describe, enable, disable]. By default, is describe No

-s, --source Source project. If you want to allow/disallow access for projects to each other specify them all as a source without specifying the target. Supports several values

No

-t, --target Target project. Supports several values No


Command example:

open_stack cross_project_access -t <target> -a <action> -s <source>


EPAM PUBLIC 188

Response example:

5.8.3.13 open_stack cross_region_access

Invoke: open_stack cross_region_access

Describes, enables or disables cross-region access for the project.





-a, --action Manage action, allowed values are: [describe, enable, disable]. By default is describe

No

Response Elements

Name Description


Cross-Region Access status Cross region access status


Command example

open_stack cross_region_access -p <project> -a describe

Command response


EPAM PUBLIC 189

5.8.3.14 open_stack delete_image

Invoke: open_stack delete_image

Deletes an image from the OpenStack zone. Assigns status DELETED for the image and does not delete

it on OpenStack.






--all-zones, All zones No

Response Elements

Name Description

Zone Zone name

Status Show command execution status

Message Provides additional information

Command example

open_stack delete_image -i <image_id> -z <zone_name>


Command response

5.8.3.15 open_stack delete_project_image

Invoke: open_stack delete_project_image

Deletes project image on OpenStack and marks it as deleted in DB.







Command example

open_stack delete_project_image -z <zone_name> -p <project> -i

<imageID>



EPAM PUBLIC 190

Command response

5.8.3.16 open_stack delete_requested_storage

Invoke: open_stack delete_requested_storage

Deletes requested storage.






-v, --volume-operational-id

Operational volume id No

Command example

open_stack delete_requested_storage -z <zone_name> -v <volume_id> -p

<project>


Command response

5.8.3.17 open_stack delete_shapes

Invoke: open_stack delete_shapes

Deletes shapes by flavor ID.





-f, --flavor OpenStack flavor ID. Use several -f options to provide list of

flavors Yes

5.8.3.18 open_stack deprecate_shapes

Invoke: open_stack deprecate_shapes

Deprecates shapes for the OpenStack zone.





-f, --flavor OpenStack flavor ID. If not specified, all available drives will be deprecated.

Yes


EPAM PUBLIC 191


-d, --drive-type Filter by disk drive type. If not specified, all available drives will be deprecated.

No

-s, --shape Filter by shapes. For several shapes repeat the parameter: -s SHAPE1 -s SHAPE2. If not specified, all available shapes will be deprecated.

No

--size Filter by disk drive size. If not specified, all available shapes will be deprecated

No

5.8.3.19 open_stack describe_recycle_bin

Invoke: open_stack describe_recycle_bin

Describes Recycle bin for the OpenStack zone.





Response Elements

Name Description

projectName OpenStack recycle bin tenant name

instanceMinTtlHours Minimum time to live for instance in hours before being moved to recycle bin

daysForInstanceToPersist Number of days for instance to persist

Instances Number of instances

Info about instances

Id OpenStack instance ID

Name Instance name


Owner Owner’s name

deletedAt Date when the instance was deleted

Command example

open_stack describe_recycle_bin -z <zone_name>

Command response


EPAM PUBLIC 192

5.8.3.20 open_stack edit_recycle_bin

Invoke: open_stack edit_recycle_bin

Edits Recycle bin properties for the OpenStack zone.





-t, --ttl Minimum time to live for instance in hours before being moved to recycle bin. By default: 24

No

-d, --days Amount of days for instance to persist in Recycle bin. By default: 7.

No

Command example

open_stack edit_recycle_bin -d 7 -z <zone_name>

5.8.3.21 open_stack edit_zone

Invoke: open_stack edit_zone

Edits OpenStack zone settings.





-s, --strategy

Zone update strategy. Allowed values: [DESCRIBE,

PUSH_NOTIFICATIONS,

PUSH_NOTIFICATIONS_WITH_DESCRIBE]

No

-r, --resource-placing-policy

Resource placing policy. Allowed values: [DEFAULT,

SAME_HOST] No

--dns-management-settings

DNS names management settings. Allowed values:

[DNS_REGISTER_ENABLE, DNS_REGISTER_DISABLE,

DNS_UNREGISTER_ENABLE, DNS_UNREGISTER_DISABLE]

No

-c, --create-volume-snapshots

Specifies whether operation of creating volume snapshot is

supported No

-t, --storage-threshold Storage capacity threshold. Must be in range [0, 100] No

-m, --telemetry-monitoring-url Specify separate OpenStack telemetry host used for zone No

--storage-url Custom storage URL No

5.8.3.22 open_stack generate_name

Invoke: open_stack generate_name

Generates a new instance name





EPAM PUBLIC 193



Command example

open_stack generate_name -z <zone_name>

The command response provides new instance name.

5.8.3.23 open_stack get default_security_mode

Invoke: open_stack get_default_security mode

Gets default security group mode for the zone.




-z, --zone Zone name. If this parameter is not specified, the default security

mode will be described for all zones Yes

Response Elements

Name Description

name Zone name

defaultSecurityMode Default security mode

Command example

open_stack get_default_security_mode -z <zone>

Command response

5.8.3.24 open_stack get_default_shapes

Invoke: open_stack get_default_shapes

Retrieves the list of default shape configurations.




Response Elements

Name Description

shape Shape type

cpu Show number of CPUs


EPAM PUBLIC 194

Response Elements

Name Description

ramMb Show megabytes of instance ram

linuxDefaultDiskGb Show the default Linux instance disk size in Gb

windowsDefaultDiskGb Show the default Windows instance disk size in Gb

alternativeDisks Show the alternative disk size in Gb

Command example

open_stack get_default_shapes

Command response

5.8.3.25 open_stack get_hosts

Invoke: open_stack get_hosts

Retrieves the list of all hosts in the OpenStack zone.





Response Elements

Name Description

name Host name

novaAvailabilityZone Nova availability zone

cinderAvailabilityZone Cinder availability zone


EPAM PUBLIC 195

Command example

open_stack get_hosts -z <zone_name>

Command response

5.8.3.26 open_stack get_images

Invoke: open_stack get_images

Retrieves the list of all public images available in the zone.





Response Elements

Name Description

name Image name

id Image ID

osType OS type

Command example

open_stack get_images -z <zone_name>

Command response


EPAM PUBLIC 196

5.8.3.27 open_stack get_quotas

Invoke: open_stack get_quotas

Retrieves the list of OpenStack quotas for the project in the specified zone.





Response Elements

Name Description

projectName Project name

instances Show number of instances allowed for the project in the specified

zone

cores Show number of instance cores allowed for the project

ram Show megabytes of instance ram allowed for the project

volumes Show volumes allowed for the project

volumesGb Show volume gigabytes allowed for the project

snapshots Show volume snapshots allowed for the project

ports Show ports allowed for the project

floatingIps Show floating ports allowed for the project

** -1 stands for the value that has no limitations


EPAM PUBLIC 197

Command Example

open_stack get_quotas -z <zone_name>

Command response

5.8.3.28 open_stack get_shapes

Invoke: open_stack get_shapes

Retrieves the list of all available/deprecated shapes in the specified zone.





-d, --deprecated Show deprecated shapes No

Response Elements

Name Description

shape Shape name

diskDrive Disk type

flavorId Flavor ID on the OpenStack console

flavorName Flavor name on the OpenStack console

cpu Number of CPU for the shape

ramMb RAM (Mb)

diskGb Disk size (Gb)

revision Revision status

Command example

open_stack get_shapes -z <zone_name>

Command response


EPAM PUBLIC 198

5.8.3.29 open_stack get_windows_admin_password

Invoke: open_stack get_windows_admin_password

Gets admin password for windows instance.






-I, --instance Instance name Yes

Command example

open_stack get_windows_admin_password -p <project> -z <zone> -i

<instance_id>

Command response

The command response provides Windows admin password.

5.8.3.30 open_stack get_zones

Invoke: open_stack get_zones

Retrieves the list of all active OpenStack zones.




Response Elements

Name Description

name Zone name

networkingType Networking type

resourcePlacingPolicy Resource placing policy on the OpenStack

storageCapacityThreshold Storage Capacity threshold

recycleBin Show whether recycle bin is used

updateStrategy Show the current update strategy


EPAM PUBLIC 199

moveToProject Show whether instances can be moved to other projects

createVolumeSnapshots Show whether volume snapshots can be created

personalProjects Show whether the zone is used for personal projects

telemetryStorageUrl Telemetry storage url

Command example

open_stack get_zones

Command response

5.8.3.31 open_stack manage_custom_rules

Invoke: open_stack manage_custom_rules

Manages custom security group rules.






-a, --action Action: [describe, add, remove], by default is describe No

-d, --direction Direction: [egress, ingress] No


-I, --ip-range Ip range No

--port-range Single port or port range, for example 25-50 No

--rule-id Custom security rule ID. Use it to remove the rule No

--all Use this flag to describe all rules including EO default rules No

-e, --description Description No

Response Elements

Name Description

securityGroupName Security group name

securityRuleId Security rule ID

direction Direction

protocol Protocol

portRange Port range


EPAM PUBLIC 200

remoteSource Remote resource

description Additional information

Action DESCRIBE

Command example

open_stack manage_custom_rules -p <project> -z <zone_name> -a describe

Command response

Action ADD

Command example

open_stack manage_custom_rules -p <project> -z <zone> -a add

Command response

Action DELETE

Command example

manage_custom_rules --project <project> --zone <zone> --name <name>

--action remove --rule-id <rule id>

Command response

5.8.3.32 open_stack manage_dns_name

Invoke: open_stack manage_dns_name

Manages instance DNS name on EO.







EPAM PUBLIC 201


-I, --instance-id Instance ID Yes

-n, --dns-name DNS name No

-d, --dns-server-address DNS-server address. No

-t, --dns-record-type NS-record type. Applied for all types if empty. Allowed are:

[A, PTR] No

-a, --action Manage action. Allowed are: [CREATE, IMPORT, UPDATE,

RESET_IMPORT] No

5.8.3.33 open_stack manage_networking

Invoke: open_stack manage_networking

Manages internal identifier of VLAN.




-a, --action Manage action. Allowed values: [DESCRIBE, UPDATE].

Describe by default No

-z, --zone Zone name Yes

-o, --old-id Old network id No

-n, --new-id New network id No

5.8.3.34 open_stack move_to_dmz

Invoke: open_stack move _to_dmz

Moves instance to specified or default project VLAN.






-I, --instance-id Instance ID Yes

-v, --vlan-name VLAN name No

-a, --ip-address IP address for moving instance to DMZ No

-b, --back Move OpenStack server back to Server Network No

Command example

open_stack move_to_dmz -p <project> -z <zone_name> -i <instance id> -b

Command response


EPAM PUBLIC 202

5.8.3.35 open_stack notific_config

Invoke: open_stack notific_config

Configures notifications settings.





--host OpenStack Rabbit host No

-p, --port OpenStack Rabbit port No

-v, --vhost OpenStack Rabbit virt host No

-u, --username OpenStack Rabbit username No

-r, --reply-timeout Reply timeout (millis) No

-n, --min-threads MIN number of threads to listen to notifications No

-x, --max-threads MAX number of threads to listen to notifications No

--nova Custom exchange name for Nova service No

--cinder Custom exchange name for Cinder service No

--glance Custom exchange name for Glance service No

5.8.3.36 open_stack refresh_image_lim

Invoke: open_stack reftesh_image_lim

Checks and updates project image limitations from OpenStack side.






5.8.3.37 open_stack register_requested_storage

Invoke: open_stack register_requested_storage

Registers requested storage.






-v,--volume-operational-id

Specify id if you want to update existing volume size or price No

-s, --size Size of the storage in GBs No

Command example

open_stack register_requested_storage -z <zone_name> -s 1 -p <project>


Command response.


EPAM PUBLIC 203

5.8.3.38 open_stack remove_from_recycle_bin

Invoke: open_stack remove_from_recycle_bin

Removes the specified instance from Recycle bin on OpenStack.





-s, --server-id Server ID Yes

Command example

open_stack remove_from_recycle_bin -s <server_id> -z <zone_name>


Command response.

5.8.3.39 open_stack remove_tenant

Invoke: open_stack remove_tenant

Removes tenants on OpenStack used by the project closed on EO.






5.8.3.40 open_stack reset_synth_state

Invoke: open_stack reset_synth_state

Resets instance syntheticState identifier stuck in 'CLONING'






-I, --instance-id Instance ID. For several IDs repeat the parameter: -i instanceId1 -i instanceId2 -i instanceIdN.

Yes

-f, --fix Reset syntheticState identifier on EO. No


EPAM PUBLIC 204

5.8.3.41 open_stack restore_from_recycle_bin

Invoke: open_stack restore_from_recycle_bin

Restores instance from Recycle bin on OpenStack. Specify OpenStack instance ID.






-s, --server-id Server ID Yes

Command Example

open_stack restore_from_recycle_bin -z <zone_name> -p <project> -s

<server_id>

5.8.3.42 open_stack restore_fv_from_eo

Invoke: open_stack restore_fv_from_eo

Restores flavors, absent on OpenStack, but existed in EO DB.





-f, --flavor-id Flavor id, if need to restore the particular flavor No

-u, --update Update flavor names. Otherwise only list changes No

5.8.3.43 open_stack security_group_extension

Invoke: open_stack security_group_extension

Manages default security group type extensions.




-z, --zone Virtualization zone. If not specified, the changes will apply to all zones

No

-s, --security-group-type

Security group type. Allowed values are: [private, protected, limited, public, manual, core_v]

No

-a, --action Manage action, allowed values are: [describe, add, remove]. By default, is describe

No

-d, --direction Direction: [egress, ingress] No


-I, --ip-range Ip range No

--port-range Single port or port range, for example 25-50 No

-e, --description Description No

Response Elements

Name Description

zoneName Zone name


EPAM PUBLIC 205

securityGroupType Security group type

direction Direction

port Port

ipRange IP range


Command example

open_stack security_group_extension -a <action> -z <zone_name>

Command response

5.8.3.44 open_stack set_default_security_mode

Invoke: open_stack set_default_security_mode

Sets default security group mode for the zone





-s, --security-type Security type: [PRIVATE, PROTECTED, LIMITED, PUBLIC, MANUAL, CORE_V}

No

5.8.3.45 open_stack set_instance_security_groups

Invoke: open_stack set_instance_security_groups

Applies project security groups to existing VM






-I, --instance-id Instance Id Yes


`Command example:

open_stack set_instance_security_groups -p <project> -z <zone> -i


EPAM PUBLIC 206

<instance-id>

Response example:

5.8.3.46 open_stack security_config

Invoke: open_stack security_config

Describes or updates project security configuration.





No

p, --project Project abbreviation in EPAM Cloud No

-s, --security-mode New security mode to be set for the specified project. Possible values are: [private, protected, limited, public, manual, core_v]

No


Command Example

open_stack security_config -p <project> -z <zone_name>

Command response

Execute

status get -g open_stack -n security_config

Command response

5.8.3.47 open_stack set_image_id

Invoke: open_stack set_image_id

Sets new ID for the existing image.




EPAM PUBLIC 207




Yes

-n, --name Image name Yes

-I, --id New image ID. Yes

Command Example

open_stack set_image_id -z <zone_name> -n <image_name> -i <new_image

id>

5.8.3.48 open_stack set_quota

Invoke: open_stack set_quota

Sets quota for the specified project or for all projects in the specified zone.





Yes


-c, --cores The number of allowed instance cores No

-r, --ram The amount of allowed instance RAM, in MB No

-I, --instances The number of allowed instances No

V, --volumes The number of allowed volumes No

-g, --volumesGb The total amount of allowed volumes, in GB No

-s, --snapshots The number of allowed snapshots No

-o, --ports The number of allowed ports No

-f, --floatingIps The number of allowed floating IPs No

-u, --unlimitedForAll Applies unlimited quota for all items No

Response Elements

Name Description

projectName Project abbreviation in EPAM Cloud

instances Show number of instances allowed for the project

cores Show number of cores allowed for the project

ram Show megabytes of instance ram allowed for the project

volumes Show megabytes of instance ram allowed per project

volumesGb Show volume gigabytes allowed for the project

snapshots Show volume snapshots allowed for the project

ports Show ports allowed for the project

floatingIps Show floating Ips allowed for the project

** -1 stands for the value that has no limitations

Command example

open_stack set_quota -p <project> -z <zone_name> -i 1 -v 2



EPAM PUBLIC 208

Command response

5.8.3.49 open_stack setup_networking

Invoke: open_stack setup_networking

Sets up networking for all projects in the specified zone (for MANUAL networking mode only).





Yes

-n, --network-id Network ID No

-p, --personal-network-id

Network ID for personal projects. No

5.8.3.50 open_stack up_fv_names

Invoke: open_stack up_fv_names

Updates OpenStack flavor names according to the current naming policy.





Yes

-u, --update Update flavor names. Otherwise only list changes No

Response Elements

Name Description

flavorShape Flavor shape

flavorDiskType Flavor disk type

flavorDiskSize Flavor disk size

flavorId Flavor ID

oldFlavorName Old flavor name

newFlavorName New flavor name

Command example

open_stack up_fv_names -z <zone_name>

Command response


EPAM PUBLIC 209

5.8.3.51 open_stack update_network_config

Invoke: open_stack update_network_config

Updates network configuration.






-n, --network-type Network type: [default, secured, hybrid], by default is default No

Command example

open_stack update_network_config -p <project> -z <zone_name>


Command response

5.8.3.52 open_stack vlan_activate

Invoke: open_stack vlan_activate

Activates a new VLAN for the zone.





-v, --vlan-name VLAN name Yes

-d, --description VLAN Description. Yes

-p, --project List of Project abbreviations in UPSA No

--dmz Is DMZ VLAN No

--security-group-disabled

Is Project SG Disabled (instances will be launching with 'default'

SG). No

5.8.3.53 open_stack vlan_deactivate

Invoke: open_stack vlan_deactivate

Removes VLAN configuration.


EPAM PUBLIC 210





-v, --vlan-name VLAN name Yes

-d, --description VLAN Description. Yes


-f, --force Use this flag to deactivate SDN and related configuration on

OpenStack No

5.8.4 HARDWARE

The ‘hardware’ group includes the commands related to the Hardware resources management. The


Command Description

hardware activate_project Activates a new HPOO project in EPAM Cloud Orchestrator

hardware add_zone Adds a new Hardware zone

hardware switch_hwu_credit Enables or disables hardware credit for the specified zone

For the arguments used with the commands of the ‘hardware’ group type hardware [command_name] -


5.8.5 ENTERPRISE

The ‘enterprise’ group includes the commands related to the Enterprise cloud management. The


Command Description

enterprise activate_project Activates a new project from Enterprise Cloud in EPAM Cloud Orchestrator

enterprise add_zone Adds a new Enterprise zone

enterprise reset_update_data Resets updated data for instances updating

For the arguments used with the commands of the ‘enterprise’ group type enterprise


5.8.6 EXOSCALE

The ‘exoscale’ group includes the commands related to Exoscale virtualization platform. .

The following commands are available:

Command Description

exoscale activate_project Activate project on Exoscale

exoscale add_account Adds a new Exoscale account

exoscale add_endpoint Adds a new Exoscale API endpoint

exoscale add_image Adds Exoscale image

exoscale add_shapes Adds Exoscale service offerings

exoscale add_zone Add a new Exoscale zone

exoscale check_account Checks the specified Exoscale account

exoscale configure_network Configures networking for the Exoscale project

exoscale list_accounts Describes Exoscale accounts


EPAM PUBLIC 211

exoscale list_endpoints Retrieves the list of Exoscale API endpoints

exoscale list_images Describes the list of Exoscale images

To see the list of arguments used with the commands of the ‘exoscale’ group, type exoscale



EPAM PUBLIC 212

5.9 PAAS

The ‘PaaS’ category includes the commands related to various platform services available in EPAM

Cloud.

5.9.1 PAAS

The ‘paas’ group includes the commands related to platform services management. The following


Command Description

paas delete Removes custom platform service definition and stack template corresponding to it

paas describe Retrieves the list of custom platform service definitions

paas kuber_userdata Manages Kubernetes init scripts to install Kubernetes services on CoreOS-type instances

paas register Registers custom platform service definition

paas restrict Restricts service usage for zone(s)

paas show_restricted Shows restricted services by zone/virt-type/all

paas unrestrict Lifts restrictions for service usage for zone(s)

To see the list of arguments used with the commands of the ‘paas’ group, type paas [command_name] -


5.9.2 CHEF

The ‘chef’ group includes the commands related to the Chef service. The following commands are

available:

Command Description

chef add_config Adds a new Chef server configuration

chef cleanup Removes Chef nodes (and clients) for the deleted instances

chef delete_server Deletes Chef configuration

chef describe_server Describes Chef server

chef get_nodes Describes Chef nodes and existence of EO instances

chef list_initscript Describes the list of available Chef initial scripts

chef list_servers Describes the list of available Chef configurations

chef update_config Updates existed Chef server configuration

chef update_initscript Updates Chef initial scripts

chef upload_initscript Uploads Chef initial scripts for a new version

chef zone_assign Assigns the specified zone to the specified Chef server

chef zone_unassignUnassing zone from chef server Unassigns the specified zone from the Chef server

To see the list of arguments used with the commands of the ‘chef’ group, type chef [command_name] -


5.9.3 DOCKER

The ‘docker’ group includes the commands related to the Docker Service. The following commands are

available:


EPAM PUBLIC 213

Command Description

docker add_image Creates new Docker enterprise machine image

docker add_repository Creates new Docker enterprise repository

docker del_repository Deletes Docker enterprise repository by its search identifier

docker delete_image Deletes Docker enterprise machine image

docker get_images Retrieves all Docker enterprise machine images

docker get_repositories Retrieves all Docker enterprise repositories

To see the list of arguments used with the commands of the ‘docker’ group, type docker


5.10 TEMP

The ‘temp’ group includes the temporary commands.

Please do not use them in the normal course of work.

5.10.1.1 temp remove_redundant_firewall

Invoke: temp remove_redundant_firewall

Removes redundant default firewall for all Google projects




Command example:

temp remove_redundant_firewall

Response example:


EPAM PUBLIC 214

6 MAESTRO CLI ADMIN UTILITY – USE CASES

6.1 AWS – ADMINISTRATION CASES

6.1.1 AWS Zone Creation

Virtualization zone creation in AWS consists of the following steps:

--zone

--region

--availability-zone

[--cf-endpoint]

[--ec-endpoint]

[--s-endpoint]

[--cw-endpoint]

[--assign]

[--disable-billing-

mix-mode]

[--unreachable]

Create a New Zone

aws add_zone

--zone

--profile-name

--shape-mapping

Configure Virtual Profile

zone set_virt_profile

--zone

--image-id

--amiid

--description

--group

--virt-profile

--username

Add AMI

aws add_image

--zone

--cost-center-name

Set Cost Center

billing set_cost_center

Figure 6 - AWS zone creation flow

• Zone Creation

To create a new AWS zone, use the following command:

aws add_zone [arguments]

The ‘aws add_zone’ command uses the following arguments:

Command Arguments

Argument Description Required

-z, --zone Name of the virtualization zone to be created. Yes

-r, --region Code of AWS region in which the virtualization zone is to

be created Yes

-a, --availability-zone AWS availability zone in which the virtualization zone is to

be created Yes


--ar, --aws-region AWS region code (e.g. eu-central-1) Yes

-c, --cf-endpoint CloudFormation endpoint. Required for reachable zones No

-e, --ec-endpoint EC2 endpoint. Required for reachable zones No

-t, --ct-endpoint CloudTrail endpoint. Required for reachable zones No

-s, --s-endpoint S3 endpoint. Required for reachable zones No

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions-availability-zones


EPAM PUBLIC 215

-w, --cw-endpoint CloudWatch endpoint. Required for reachable zones No


--disable-billing-mix-mode Defines whether the zone supports billing mode No

--unreachable Marks the zone as unreachable by the Orchestrator No

Command Example:

aws add_zone –r us-east-1 –a us-east-1b –z zone_name --ar aws_region

• Zone Virtual Profile Configuration

A virtual profile contains the VM shape mapping between EPAM Cloud and AWS. Configuring a virtual

profile for an AWS zone sets the shapes available for instance creation in such zone and ensures that the

EPC shape selected for a VM corresponds to the correct shape in AWS.

To configure the zone virtual profile, use the following command:

zone set_virt_profile [arguments]

The ‘zone set_virt_profile’ command uses the following arguments:

Command Arguments



-p, --profile-name Virtual profile name Yes

-s, --shape-mapping

Shape mapping pair: epc_shape=aws_shape. Use "=" as delimiter.

For several mappings repeat the parameter: -s

epc_shape1=aws_shape1

-s epc_shape2=aws_shape2

-s epc_shapeN=aws_shapeN. If using Windows command line,

encase the -s parameter in quotes i.e. "epc_shape=aws_shape"

Yes

Command Example:

zone set_virt_profile –z zone_name –p profile –s MICRO=t2.micro –s SMALL=

t2.small –s MEDIUM=m3.medium


EPAM PUBLIC 216

• Adding Machine Images to AWS Zone

To add machine images which will be available in the AWS zone, use the following command:

aws add_image [arguments]

The ‘aws add_image’ command uses the following arguments:

Command Arguments


-z, --zone Name of virtualization zone to which the image is to be added Yes

-i, --imageId Image ID Yes

-a, --amiId Amazon image ID Yes


-g, --group Image group. Valid values: PUBLIC, ENTERPRISE Yes

-v, --virt-profile Name of zone virtual profile to associate the image with Yes


Command Example:

aws add_image -i W2012R2Std -a ami-******* -d ‘Windows Server 2012 R2

Standard Edition' -z zone -g PUBLIC –v profile -u user

• Setting Cost Center for AWS Zone

For the correct billing of the Cloud services for the projects used in the AWS zone, a cost center has to be

assigned to it. To assign a cost center to a new AWS zone, use the following command:

billing set_cost_center [arguments]

The ‘billing cost_center’ command uses the following arguments:

Command Arguments


-z, --zone Name of zone Yes

-c, --cost-center-name Name of the cost center to be assigned to the zone Yes

Command Example:

billing set_cost_center -z zone -c cost_center

6.1.2 Project Activation in AWS

In AWS, each project is activated within its LINKED account, one account per project. The Level1.5 Team


EPAM PUBLIC 217

always has a pool of unreserved accounts to use for project activation. New accounts are created

manually by the Level1.5 Team, with account creation sometimes taking up to 24 hours. With the

introduction of AWS Organizations, the option of account creation via API has been implemented.

In addition to the LINKED account, project activation requires a PAYING account to enable consolidated

billing of all LINKED accounts.

When accounts have been configured properly, the project can be activated. In AWS, a project can be

activated in a standard way (by the ‘aws activate_project’ Admin Utility command) or automatically. A

project is activated automatically, if any costs exist for the project in a region where the project is not yet

activated. This can happen, for example, when a project creates resources in a non-activated region via

the AWS console.

The aws activate_project command uses the following arguments:

Command Arguments



-s, --shape Shape name. For several shapes, repeat the parameter Yes


--all All zones (the project will be activated in all existing

AWS zones except unreachable ones) No

-f, --fake-project Fake project flag (indicates a fake project, that is, the

project not existing in UPSA; used for testing purposes) No

-a, --auto-configuration-disabled Flag disabling auto-configuration for the project No


-n, --subnet-id ID of AWS region subnet in which all resources of the

project will be created No

--skip-cloud-trail Flag used to skip CloudTrail activation No

Command Example:

aws activate_project –p project_code –s small –s medium –s large --all

When a project is activated with the ‘aws activate_project’ command, the following actions are

automatically performed on the AWS side:

1. Creation and configuration of the EC2_INSTANCE_ROLE IAM role:

- Creation of the EC2_INSTANCE_ROLE IAM role and configuration of its permissions

- Creation of the Instance Profile

- Association of EC2_INSTANCE_ROLE with Instance Profile

2. SSO configuration:

- Creation of SAML provider for the LINKED account and its upload to AWS

- Creation of roles and their permissions

- Creation of the account alias

3. Creation of a default group for IAM roles and their permissions configuration

4. Security Groups configuration


EPAM PUBLIC 218

5. CloudTrail service configuration

Steps 4 and 5 are performed for each zone.

There may be cases when one or several of the project configuration steps is not performed

automatically. In such situations, the necessary actions can be performed manually. The instructions and

related Admin Utility commands are described below.

• EC2 Instance Role Configuration

Applications running on AWS instances make requests to AWS. Such operations require authorization

with access keys transferred to each such instance. This process can be unified by setting IAM roles for

EC2 instances. The flow is as follows:

- Create IAM role

- Assign permissions to the IAM role

- Specify the role during the instance launch

The instance will request temporary access keys and use them for all requests permitted to the

corresponding role. Roles are stored in the AWSRoles collection. The same document also stores the

trusted policies defining that the ec2.amazonaws.com service can use this role and the actions permitted

to the role (AttachVolume, CreateVolume, CreateTags, S3, etc.) Roles are assigned to instances in

Instance Profiles.

If needed, default instance roles can be added to the project with the following command:

aws set_def_role [arguments]

The ‘aws set_def_role’ command uses the following arguments:

Command Arguments



Command Example:

aws set_def_role –p project

For more information, see IAM Roles for Amazon EC2 page in the official AWS documentation.

• SSO Configuration

There are four roles used for SSO. They are stored in the AwsIamEntities collection. A role is selected in

accordance with the user’s project role (see the User Permissions page on Knowledge Base for the full

matrix). The roles include the policies from the AwsIamPolicies.

When a user has to be assigned certain special permissions other than default, use the following

command:

aws sso_add_custom [arguments]

The ‘aws sso_add_custom’ command uses the following arguments:

Command Arguments


http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

https://kb.epam.com/display/EPMCITFAQ/User+Permissions#UserPermissions-UserGroups


EPAM PUBLIC 219


-e, --email User’s email address Yes

-n, --name AWS IAM role name. Use the ‘aws get_iam_entities’ command with

the -t SSO_ROLE parameter to view the available options Yes

Command Example:

aws sso_add_custom –p project –e [email protected] –n role_name

To remove a certain SSO role, use the following command:

aws sso_del_custom [arguments]

The ‘aws sso_del_custom’ command uses the following arguments:

Command Arguments




-n, --name AWS IAM role name. Use the ‘aws get_iam_entities’ command with

the -t SSO_ROLE parameter to view the available options Yes

Command Example:

aws sso_del_custom –p project –e [email protected] –n role_name

To configure permissions for a certain user, use the following command:

aws sso_manage_access [arguments]

The ‘aws sso_manage_access’ command uses the following arguments:

Command Arguments




-i, --iam-entity-name AWS IAM default entity name [BasicReadOnly, FullReadOnly, BasicUser, AdminUser]

No

-a, --action Action type. Allowed values: [list, create, delete]. Default: list No

Command Example:

aws sso_manage_access –p project –e [email protected] –i BasicUser

–a create

In this case, user’s permissions are updated by replacing their role with one of the four available roles. If a

user has several roles in several projects, they can choose one of these to authorize in AWS.


EPAM PUBLIC 220

• SSO Roles Configuration

For easier use, each AWS account used in EPAM Orchestrator has an alias which is a more human-

friendly string than the AWS account number. For example, account number 9213429384 can have alias

epm-cit2-234. Aliases are unique within the entire AWS. To configure a project AWS account, use the

following command:

aws config_sso [arguments]

The ‘aws config_sso’ command uses the following arguments:

Command Arguments



--all Applies for all projects No

Command Example:

aws config_sso –p project

To retrieve the list of available SSO roles, use the following command:

aws get_iam_entities [arguments]

The ‘aws get_iam_entities’ command uses the following arguments:

Command Arguments


-n, --name AWS IAM entity name. If omitted, all entities with their general info

will be returned No

-t, --type AWS IAM entity type. Allows filtering by type or describing detailed

info by name. Allowed values: SSO_ROLE No

Command Example:

aws get_iam_entities –t SSO_ROLE

• AWS Policy Management

To attach an AWS policy to an SSO role, use the following command:

aws attach_policy [arguments]

The ‘aws attach_policy’ command uses the following arguments:

Command Arguments



-n, --name AWS IAM entity name Yes

-t, --type AWS IAM entity type. Allowed values: SSO_ROLE Yes


EPAM PUBLIC 221

Command Example:

aws attach_policy –p policy_name –n entity_name –t SSO_ROLE

To detach an AWS policy from an SSO role, use the following command:

aws detach_policy [arguments]

The ‘aws detach_policy’ command uses the following arguments:

Command Arguments



-n, --name AWS IAM entity name Yes

-t, --type AWS IAM entity type. Allowed values: SSO_ROLE Yes

Command Example:

aws detach_policy –p policy_name –n entity_name –t SSO_ROLE

To retrieve the list of available policies, use the following command:

aws get_policies [arguments]

The ‘aws get_policies’ command uses the following arguments:

Command Arguments


-n, --name AWS policy name. The policy in JSON format will be sent to the

requesting user’s email No

Command Example:

aws get_policies –n policy_name

To add a new policy, use the following command:

aws save_policy [arguments]

The ‘aws save_policy’ command uses the following arguments:

Command Arguments


-n, --name AWS policy name Yes


EPAM PUBLIC 222

-f, --file Path to the file containing the policy* No

-t, --type Policy type. Allowed values: [INLINE, MANAGED, MANAGED_CUSTOM,

S3] Yes

* Make sure that the file contains placeholders for accounts, bucket names, etc.

For default AWS policies, no file upload is required.

Command Example:

aws save_policy –n policy_name –t INLINE –f path_to_file

• IAM Role Group Configuration

The scope of actions allowed to IAM users can be defined by using IAM user groups. One group is

created for each AWS account. The group contains the permissions described in the “orchestrator-

default-admin-group” document in the AWSRoles collection. All IAM users are included in this group.

If necessary, a group policy can be uploaded using the following command:

aws up_group_policy [arguments]

The ‘aws up_group_policy’ command uses the following arguments:

Command Arguments


-n, --name AWS group name No

-a, --account AWS account for which the policy is to be uploaded. If omitted, the policy

will be uploaded for all accounts No

Command Example:

aws up_group_policy –n policy_name –a aws_account

To update an existing group, use the following command:

aws config_group [arguments]

The ‘aws config_group’ command uses the following arguments:

Command Arguments



-s, --scope Scope. Allowed values: [DEFAULT, PROJECT]. Default value: DEFAULT No


-l, --location Group policy location No


EPAM PUBLIC 223

Command Example:

aws config_group –p project –n group_name

• Security Groups Configuration

Security groups are stored in the OrchestrationSettings collection. This collection contains 5 security

groups. One of the security groups, default, is not used in AWS configuration.

To configure security groups for AWS, use the following command:

aws_security set_def_groups [arguments]

The ‘aws_security set_def_groups’ command uses the following arguments:

Command Arguments




--all-zones Applicable for all group activated for the project Yes

--all-projects Applicable for all projects in all zones No

-v, --vpc-id VPC ID. If omitted, the default VPC will be used No

Command Example:

aws_security set_def_groups –p project –n group_name

To update the default security groups in the database, use the following command:

security update_def_group [arguments]


EPAM PUBLIC 224

The ‘security update_def_group’ command uses the following arguments:

Command Arguments


-g, --security-group-name Security group name Yes

-i,--ip-range IPv4 CIDR range to add a new rule to the specified security

group. For example: 74.11.192.96/27 Yes

-r, --remove Flag used to remove an item instead of adding No

Command Example:

security update_def_group –g group_name –i 74.11.192.96/27

Security groups are updated in the database and then applied to AWS. When an update operation is

repeated, the existing groups and the correct rules are not deleted but are matched to the groups in the

OrchestrationSettings collection. This is done to prevent incorrect configuration of resources using such

groups.

• Security Groups Backup

Security groups are backed up by schedule or manually using the following command:

aws_security save_groups [arguments]

The ‘aws_security save_groups’ command uses the following arguments:

Command Arguments



-l, --label Restore groups by label No

Command Example:

aws_security save_groups –p project

Also, backups are created automatically during security groups update.

To restore the security groups from backup, use the following command:

aws_security restore_groups [arguments]

The ‘aws_security restore_groups’ command uses the following arguments:

Command Arguments



-i, --backup-id Backup ID to restore from No


EPAM PUBLIC 225

-d, --date Date to restore from in the yyyy-MM-dd'T'HH format (UTC) No

-l, --label Restore groups by label No


Command Example:

aws_security restore_groups –p project –i backup_id

To view the existing backups for a project, use the following command:

aws_security describe_backups [arguments]

The ‘aws_security describe_backups’ command uses the following arguments:

Command Arguments



Command Example:

aws_security describe_backups –p project

• CloudTrail Service Activation

For each project, the CloudTrail service must be activated and configured in all zones. CloudTrail should

be configured to direct all logs to the S3 bucket of the root account (currently, the PAYING epmc-clo

account). For that purpose, the permissions for the new account are added to the policy of the parent

PAYING account’s S3 bucket. Afterwards, the child account can store logs in the parent account bucket.

If the CloudTrail service is not activated for a project, activate it using the following command:

aws activ_cloudtrail [arguments]

The aws activ_cloudtrail command uses the following arguments:

Command Arguments




-b, --bucket-name S3 bucket name No

-l, --log-file-prefix Log file prefix No

Command Example:


EPAM PUBLIC 226

aws activ_cloudtrail –p project –z zone –b bucket_name

To view the CloudTrail configuration for a project, use the following command:

aws get_cloudtrail [arguments]

The aws activ_cloudtrail command uses the following arguments:

Command Arguments




Command Example:

aws get_cloudtrail –p project –z zone

6.1.3 Access to AWS

There are three methods of getting access to AWS:

- Via AWS SSO. In this case, the user is assigned one of the four roles stored in the

AwsIamEntities collection

- Using the or2awsmc Maestro CLI command. In this case, the user is assigned the

permissions of the FEDERATED_USER_ROLE stored in the AWSRoles collection. If the

user is a member of the EPM-CSUP project, such user is by default assigned administrator

permissions according to the CLOUD_SUPPORT_ROLE stored in the AWSRoles collection.

If the user belongs to the ALL_OPERATIONS user group in EPAM Orchestrator, such user

can access the AWS console under any project.

- Through the IAM user. In this case, the user is subject to the restrictions of the default group

for IAM users GROUP_ROLE stored in the AWSRoles collection.

6.1.4 AWS Organizations

AWS Organizations support multiple AWS accounts management on the basis of policies. The AWS

Organizations service allows creating Organization Units and assign certain policies to them. AWS

Organizations offer the following features:

- Automatic account creation. If new accounts are included in the existing Organization Units,

their policies will be automatically applied to the new accounts

- Accounts can be joined into Organization Units on the billable/non-billable principle which

allows monitoring costs

- Reserved Instances can be bought for certain Organization Units, thus reducing the internal

project costs

For more details on AWS Organizations, see the What is AWS Organizations? page in the AWS

documentation.

http://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html


EPAM PUBLIC 227

6.1.5 Reserved Instances

Reserved instances allow significantly reducing the infrastructure costs. They are reserved at fixed prices

for a period of one year or more. A reserved instance is assigned to a random VM of the specified type

within an organization. When the VM is stopped, the reserved instance is transferred to another VM of the

same type.

The following actions are supported for reserved instances:

- An instance reserved for a region can be modified to be reserved for an availability zone, and

vice versa

- A reserved instance size can be changed (for Linux instances only). For example, one

c2.micro instance can be replaced with two c2.nano instances.

• Displaying Reserved Instances

To view the list of reserved instances, use the following command:

aws_ri describe [arguments]

The ‘aws_ri describe’ command uses the following arguments:

Command Arguments


-f, --force-update Update info from Amazon before retrieving the data. May take long

time! No

--target Parameter defining where the output is to be displayed. Allowed

values: [ssh_console, file, email]. Default: ssh_console No

The command returns the list of all available reserved instances:

• Modifying Reserved Instances

To modify reserved instances, use the following command:

aws_ri modify [arguments]

The ‘aws_ri modify’ command uses the following arguments:

Command Arguments


-i, --ri-id ID of the reserved instance Yes

-c, --target-configuration

Target reserved instance configuration consisting of the

availability zone name, instance shape and count. Input

format: az:shape:count. For example: us-west-2a:t2.micro:4.

To apply reserved instances at the REGION level, use ‘all’ for

availability zone. To set several configurations, repeat the

parameter

Yes


EPAM PUBLIC 228


Command Example:

aws_ri modify -i 3e26582b-4713-4c0c-983e-9a8f07fdad59 -c all:m4.xlarge:6 -c

all:m4.large:2 -z AWS-EUCENTRAL

This command changes 7 m4.xlarge reserved instances from the screenshot above to 6 m4.xlarge and 2

m4.xlarge instances.

For more information on reserved instances modification, see the Modifying Standard Reserved

Instances page in the AWS documentation.

• Displaying Reserved Instance Offerings

To view the list of reserved instances available for purchase, use the following command:

aws_ri list_offerings [arguments]

The ‘aws_ri list_offerings’ command uses the following arguments:

Command Arguments




-t, --instance-type AWS instance type Yes

-o, --os Operating system. Allowed values: [linux, windows] Yes

-s, --scope Scope. Allowed values: [az, region] Yes

--all Add marketplace reserved instances to the result No

Command Example:

aws_ri list_offerings –p project –z zone –t m4.xlarge –o linux –s region

The command output may contain reserved instances offered for sale by other users. Such instances can

be purchased for less than one year.

• Purchasing Reserved Instances

To buy reserved instances from the list returned by the ‘aws_ri list_offerings’ command, use the following

command:

aws_ri buy [arguments]

The ‘aws_ri buy’ command uses the following arguments:

Command Arguments

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ri-modifying.html#ri-modification-instancemove

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ri-modifying.html#ri-modification-instancemove


EPAM PUBLIC 229




-i, --offering-id Offering ID. Use the output of the ‘aws_ri list_offerings’ command for

possible options Yes

-c, --count Instance count Yes

Command Example:

aws_ri buy –p project –z zone –i offering_id –c 5


EPAM PUBLIC 230

6.2 MICROSOFT AZURE – ADMINISTRATION CASES

6.2.1 Azure Zone Creation

The typical Azure zone creation flow is as follows:

--enrollment-number

--azure-image-name

--bill-from

--tenant

--client-id

--client-key

Setup Azure Enrollment

azure add_enrollment

--zone

--location

--assign

[--disable-billing-

mix-mode]

Create a New Zone

azure add_zone

--zone

--cost-center-name

Set Cost Center

billing cost_center

--zone

--image-id

--azure-image-name

--description

--group

--os-type

--size

--username

Add Machine Images

azure add_image

Figure 7 - Azure zone creation flow

Each step is described in details below.

• Azure Enrolment Setup

Microsoft Azure provides its Cloud services on the basis of commitment under the Enterprise Agreement,

the so-called enrolment. In order to create a zone in Azure and activate projects within such zone, the

Azure enrolment details should be specified.

To add the Azure enrolment, use the following command:

azure add_enrolment [arguments]

The ‘azure add_enrolment’ command uses the following arguments:

Command Arguments


-e, --enrolment-number Enrolment ID Yes

-a, --azure-image-name Usage API access key received from the Enterprise

Administrator Yes

-b, --bill-from The date to start billing from in yyyy-MM-dd'T'HH format Yes

-t, --tenant Tenant ID Yes


-k, --client-key Client key Yes

Command Example:

azure add_enrolment -e enrolment_number -a API_key -b 2016-04-01T00 –t

tenand_id –i client_id –k client_key

• Zone Creation

To create a new Azure zone, use the following command:


EPAM PUBLIC 231

azure add_zone [arguments]

The ‘azure add_zone’ command uses the following arguments:

Command Arguments


-z, --zone Name of the virtualization zone to be created. The zone

name should contain the ‘AZURE’ pattern Yes

-l, --location Azure location Yes



Defines whether the zone supports billing mode. If disabled, the Billing Engine shows costs based on EO audit only, otherwise EO audit will be integrated (mixed) with costs received from the cloud provider (e.g. in a form of CSV reports)

No

Command Example:

azure add_zone --assign -l "North Europe" -z AZURE-NEU

• Setting Cost Center for Azure Zone

For the correct billing of the Cloud services for the projects used in the Azure zone, a cost center has to

be assigned to it. To assign a cost center to a new Azure zone, use the following command:



Command Arguments




Command Example:



EPAM PUBLIC 232

• Adding Machine Images to Azure Zone

To add machine images which will be available in the Azure zone, use the following command:

azure add_image [arguments]

The ‘azure add_image’ command uses the following arguments:

Command Arguments


-z, --zone Name of virtualization zone to which the image is to be added Yes

-i, --image-id Image id (e.g. Ubuntu10.04_32-bit) Yes

-a, --azure-image-name

Azure image name

(e.g. 0c0083a6d9a24f2d91800e52cad83950__Zulu-1.7.0_55-

0714-Win-GA)

Yes

-d, --description VM image description Yes


-o, --os-type Type of operating system. Valid values: WINDOWS, LINUX Yes

-s, --size Machine image size in GB Yes


Command Example:

azure add_image -i OracleLinux7_64-bit -a

c290a6b031d841e09f2da759bbabe71f__Oracle-Linux-7 -d 'Oracle Linux 7 64-bit'

-z zone -g PUBLIC -o LINUX -s 1 -u user

6.2.2 Activating a Project in Microsoft Azure

To activate a project in Azure, you need only the commands belonging to the azure group. The diagram

below shows the typical flow for this case:

--project

--shape

[--zone]

[--all]

[--fake-project]

[--auto-configuration-

disabled]

[--subscription-namel]

Activate Project

azure activate_project

--project

[--zone]

Configure Network

azure config_network

--project

Check Configuration

azure get_net_config


• Project Activation

To activate a project in Microsoft Azure, use the following command:


EPAM PUBLIC 233

azure activate_project [arguments]

The azure activate_project command uses the following arguments:

Command Arguments


-p, --project Project PMC code Yes



--all All zones (the project will be activated in all existing

Azure zones) No




-u, --subscription-name Azure subscription name No

Command example:

azure activate_project –p project_code –s MICRO –s SMALL –s LARGE --all

• Network Configuration

When a project is activated, a network security group has to be configured for each zone in which the

project is activated. The network security groups define the rules allowing or denying access instances in

the virtual network.

To configure the network security groups for the project, use the following command:

azure config_network [arguments]

The azure config_network command uses the following arguments:

Command Arguments



-z, --zone

Virtualization zone. When no zones are specified, the network

security groups will be configured for all zones in which the project

has been activated.

No

The ‘azure config_network’ command will create virtual networks and network security groups for all

zones in which the project is activated and set the rules for them.

https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/


EPAM PUBLIC 234

Figure 8 – Network configuration

• Configuration Check

To check the Azure network configuration of the project, use the following command:

azure get_net_config –p project_code

The command returns the list of zones configured for the project and their status:

Figure 9 – Configuration of Azure zones


EPAM PUBLIC 235

6.3 CSA – ADMINISTRATION CASES

6.3.1 CSA Zone Creation

A CSA virtualization zone is served by the CSA Portal and has to be configured with the CSA settings

applicable to such CSA portal.

The typical CSA zone creation flow is as follows:

--region

--zone

--csa-user

--url

--csp-user

--organization

--catalog

[--location]

[--hardware]

Create a New Zone

csa add_zone

--orch-id

--zone

[--unassign]

[--billing]

[--active]

Assign Orchestration Instance

orch assign

--zone

--cost-center-name

Set Cost Center

billing set_cost_center

--zone

--shape

--cpu

--ram

Add Shapes

csa add_shape

Figure 10 - CSA zone creation flow


• CSA Zone Creation

To create a new CSA Orchestration zone, use the following command:

csa add_zone [arguments]

The ‘csa add_zone’ command uses the following arguments:

Command Arguments


-r, --region Virtualization region in which the new zone is to be created Yes

-z, --zone Name of the virtualization zone to be created Yes

-c, --csa-user Name of the user to access the CSA portal Yes

-u, --url URL to the CSA portal which will manage this region Yes

-s, --csp-user Name of the CSP (Cloud Subscription Portal) user Yes

-o, --organization Name of the CSA Organization for this region Yes

-a, --catalog Name of the CSA Catalog for this region Yes

-l, --location Physical location of the new zone No

--hardware Flag setting the region as hardware No

The ‘csa add_zone’ command requires a password for execution. After the command is sent, the system


EPAM PUBLIC 236

prompts for the password. Therefore, this command cannot be sent in the ‘quiet’ mode.

Command Example:

csa add_zone -z zone -r region -u csa_url -c csa_user -a catalog

-o organization -s csp_user

• Orchestration Instance Assignment to CSA Zone

When a new zone has been created, it has to be associated with an Orchestration instance for correct

integration in the EPAM Orchestrator and proper service of the resources hosted in such zone.

To assign an Orchestration instance to the newly-created zone, use the following command:

orch assign [arguments]

The ‘orch assign’ command uses the following arguments:

Command Arguments


-o, --orch-id Orchestrator instance ID Yes


-u, --unassign Flag used to unassign a previously assigned zone No

-b, --billing Flag used to set the Orchestrator instance responsible for the zone

billing No

-a, --active Flag used to set the Orchestrator instance as active No

Command Example:

orch assign -z zone -o instance_id -a

• Setting Cost Center for CSA Zone

For the correct billing of the Cloud services for the projects used in the CSA zone, a cost center has to be

assigned to it. To assign a cost center to a new CSA Orchestration zone, use the following command:



Command Arguments





EPAM PUBLIC 237

Command Example:


• Adding Shapes to CSA Zone

A new zone is created with no VM shapes available in it. For the projects to be activated in a zone,

shapes have to be added. Once shapes are added and configured, projects can be activated only with

the shapes available in the zone. If a project requires a shape not available in the zone, the shape has to

be added to the zone first.

To add a shape to a CSA zone, use the following command:

csa add_shape [arguments]

The ‘csa add_shape’ command uses the following arguments:

Command Arguments


-z, --zone Name of virtualization zone to which the shape is to be added Yes

-s, --shape CSA shape name Yes

-c, --cpu Number of CSA CPUs available in the shape Yes

-r, --ram Volume of CSA RAM available in the shape Yes

Command Example:

csa add_shape -z zone –s small –c 1 –r 1740

To add a shape to a particular project, use the ‘or2-set-shapes’ Maestro CLI command.

6.3.1 Activating a Project in CSA

In CSA, projects are activated using just one Admin Utility command:

csa activate_project [arguments]

The ‘csa activate_project’ command uses the following arguments:

Command Arguments








EPAM PUBLIC 238


Command Example:

csa activate_project –p project_code –s small –s medium –s large –z zone

6.3.2 Reimporting Instances to CSA

If CSA offerings have changes, instances have to be reimported to CSA, so that the offerings are properly

updated and the updated data is applied. In such case, CSA subscriptions of instances are deleted and

then restored again. After synchronization, the subscription data is updated.

The flow of instance reimporting is as follows:

--zone

--instance

Delete CSA Subscription

csa del_subscript

--zone

--instance

Restore Instance to CSA

csa restore_to_csa

--zone

--instance

Synchronize Subscriptions

csa sync_from_csa


• CSA Subscription Deletion

To delete the existing CSA subscriptions from instances in a certain zone, use the following command:

csa del_subscript [arguments]

The ‘csa del_subscript’ command uses the following arguments:

Command Arguments



-i, --instance Instance ID(s) Yes

Command Example:

csa del_subscript –z zone –i instance


EPAM PUBLIC 239

• Instance Restoring to CSA

When the CSA subscriptions have been deleted, the instances have to be restored to CSA again for the

updated subscriptions to apply. To restore instances to CSA, use the following command:

csa restore_to_csa [arguments]

The ‘csa restore_to_csa’ command uses the following arguments:

Command Arguments




Command Example:

csa restore_to_csa –z zone –i instance

• Subscription Synchronization

After the subscriptions have been restored, their fields have to be synchronized between CSA and EPAM

Orchestrator.

Before proceeding with synchronization, check that the updated subscriptions are active.

To synchronize CSA subscription fields, use the following command:

csa sync_from_csa [arguments]

The ‘csa sync_from_csa’ command uses the following arguments:

Command Arguments




Command Example:

csa sync_from_csa –z zone –i instance


EPAM PUBLIC 240

6.4 GOOGLE CLOUD PLATFORM – ADMINISTRATION CASES

This section describes the flows to be used in configuring infrastructure in the Google Cloud Platform as

access to it.

6.4.1 Google Account Configuration

Google Cloud Platform is available for all users with Google accounts. To provide access to Google

Cloud Platform, use the API Manager to allow access from your Google account.

When the access has been granted, create your first project on the Google console. This project will

be the base project for all subsequent ones and the billing account, the API access permissions and IAM

user administration will be associated with this project.

For your base project, different credentials (OAuth 2.0 Client IDs of the Other type) need to be

created for two Google account entities in the database (see below). Before generating the credentials,

create the OAuth Consent Screen (fill in only the required fields).

For the base project, use activate the following APIs required for Orchestrator operation using the API

Manager on the Google console:

➢ Google Cloud Billing API

➢ Admin SDK

➢ Google Compute Engine API

➢ Google Cloud Resource Manager API

6.4.2 Google Account Entity in Orchestrator Database

To enable working with Google Cloud Platform, two account entities should be generated – for using

the Compute API and for using the Admin Directory API (IAM user administration). Such organization

allows separating the account management depending on the operation type. Each entity requires a

separate set of credentials to be created in the base project on the Google console.

Important: do not create credentials for other projects in the account, it will block Google API requests

performance by the Orchestrator under the project.

To create a Google account entity in the Orchestrator database use the following command:

google setup_account [arguments]

The ‘google setup_account’ command uses the following arguments:

Command Arguments


-u, --username Account username ([email protected]) Yes

-i, --client-id Client ID* Yes

-p, --purpose Purpose of the account. Allowed values: COMPUTE,

ADMIN_DIRECTORY Yes


-b, --billing-account-id Billing project ID. Required for COMPUTE accounts No

-d, --billing-dataset-name BigQuery billing dataset name No

*For the -i (--client-id) parameter value, use the value from the credentials earlier generated in the base

account.

https://console.developers.google.com/

https://console.cloud.google.com/apis/api/cloudbilling.googleapis.com/overview?project=natural-choir-174812

https://console.cloud.google.com/apis/api/admin.googleapis.com/overview?project=natural-choir-174812

https://console.cloud.google.com/apis/api/compute.googleapis.com/overview?project=natural-choir-174812

https://console.cloud.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=natural-choir-174812



EPAM PUBLIC 241

Command Example:

google setup_account –u username –i client_id –p ADMIN_DIRECTORY

Figure 11 - Google account setup

The command is executed with simultaneous interactive operations in the browser. Enter the

clientSecret from the generated credentials into the API Manager of the base project, then, after the

clientSecret has been successfully validated, the Admin Utility console will display a link. Paste the link

into your browser and copy the token which will be displayed. Paste the token into your Admin Utility

console.

After the account creation, run the mongo refresh_config command in the DB utility, otherwise

Orchestrator may work incorrectly.

How Google API authorization works:

- Authorization is performed by the accessToken issued by Google and valid for 1 hour

- The Orchestrator performs authorization by processing the 401 response code received for its

request to the Google API

- When the 401 code is received, the Orchestrator sends a request for a token using the

refreshToken and clientId. Note that there is a limit of 600 accessTokens to be used

simultaneously in Google.

- refreshToken, cliendId and accessToken are stored in the same document in the

GoogleAccounts collection in the database (see

https://developers.google.com/identity/protocols/OAuth2 for details).

6.4.3 Adding Google Zones

Google Cloud, unlike AWS, is project-centered, which causes certain specifics of Google projects and

zones organization and processing by Orchestrator.

The zone configuration flow is as follows:

View zones

google list_zones

--region

--zone

--account-id

--google-zone-name

--location


--aws-nearest-zone

Add zone

google add_zone

--zone

--aws-nearest-zone

Edit zone

google edit_zone

https://developers.google.com/identity/protocols/OAuth2


EPAM PUBLIC 242


• Retrieving Google Zones

Before integrating Google zones into Orchestrator, run the following command to see the list of zones

available via the Google console:

google list_zones

The ‘google list_zones’ command uses no arguments.

If a zone has already been added to Orchestrator, it will show its name from the Orchestrator

database in the ‘name’ field. For zones not yet added to Orchestrator, the ‘name’ field will show

“untracked”.

• Adding Google Zones

Run the following command to add the zone:

google add_zone [arguments]

The ‘google add_zone’ command uses the following arguments:

Command Arguments


-r, --region Virtualization region* Yes

-z, --zone Virtualization zone** Yes

-a, --account-id Google account ID. Format example: account-91b5e7ec Yes

-Z, --google-zone-name

Google zone name. Format example: us-central1-a. For

the complete list of zones, visit the Regions and Zones

page

Yes

-l, --location Location (for example, North Europe) No

--disable-billing-mix-mode The flag defining whether the zone supports billing mode No

-A, --aws-nearest-zone AWS nearest zone (required for autoconfiguration)*** No

* The region must be added manually, as there is no Admin Utility command for that purpose. The region

is to be added once before adding the first Google zone, and afterwards the EPAM-GOOGLE region will

appear in the Orchestrator’s Regions collection in the database.

** The zone name to be used in Orchestrator

*** The nearest AWS zone is specified for the autoconfiguration data to be retrieved from the AWS S3

bucket in the zone nearest to the Google zone

Command Example:

google add_zone –r EPAM-GOOGLE –z zone_name –a google_account –Z us-

central1-a

• Editing Google Zones

If you need to change or delete the AWS zone associated with the Google zone, use the ‘google

edit_zone’ command:



EPAM PUBLIC 243

google edit_zone [arguments]

The ‘google edit_zone’ command uses the following arguments:

Command Arguments



-a, --aws-nearest-zone AWS nearest zone (required for autoconfiguration). Send

‘null’ to remove the value. Yes

Command Example:

google edit_zone –z zone_name –a null

6.4.4 Project Activation in Google Cloud

In Google Cloud, projects are activated by their abbreviations in UPSA. To activate a project, use the

following command:

google activate_project [arguments]

The ‘google activate_project’ command uses the following arguments:

Command Arguments



-s, --shape

Name of the shape to be activated for the project. For

several shapes, repeat the parameter: -s shape1, -s

shape2, -s shapeN

Yes

-a, --auto-configuration-disabled Flag defining that auto-configuration is disabled or

enabled No


-e, --existing-project-id Existing Google project ID to use* No

-z, --zone Virtualization zone** No

--all All zones** No

* The ‘existing-project-id’ parameter is used to continue project activation when a project created in the

Google console manually should be associated with the project representation in EPAM Orchestrator and

UPSA

** Send either a specific zone or ‘--all'. If you activate a project with the ‘--all' flag, it will be activated in all

available Google Cloud zones

Command Example:

google activate_project –p project_id –s small –s mini --all


EPAM PUBLIC 244

Figure 12 - Project activation in Google Cloud

The command execution is interactive and requires activation of Google Compute Engine API for the

newly-created project. This is done via the Google console and enables EPAM Orchestrator to send

requests to Google Cloud.

The base project should not be associated with any UPSA project.

If during project activation, an error message saying that billing and Google Cloud Billing API are not

activated for the base project, make sure you have completed all steps of base project configuration flow.

During activation, the following configuration actions are performed:

- the project is automatically connected to a Billing account common for the entire Google account

- a common network is created for the project allowing all project instances to access each other

via an internal network

- necessary internal subnets are created (one for each Google availability zone)

- firewall rules for subnet IPs specified in securityGroups in the OrchestrationSettings collection in

the database (orchestrator-default-firewall) are established.

6.4.5 Adding Images in Google Cloud

• Retrieving Google Public Images

In Google Cloud, public images are associated with public projects listed on the Images page. A

separate project corresponds to each OS type. To view the images available for a specific project, use

public project names and run the following Admin Utility command:

google list_images [arguments]

The ‘google list_images’ command uses the following arguments:

Command Arguments


-p, --project-id Google project ID to retrieve images from. For example, centos-

cloud or coreos-cloud Yes

-d, --deprecated Flag defining whether deprecated images are to be included No

Command Example:

https://console.cloud.google.com/apis/api/compute.googleapis.com/overview?project=natural-choir-174812



EPAM PUBLIC 245

google list_images –p project_id

• Adding Google Images

To add an image, use the following command:

google add_image [arguments]

The ‘google add_image’ command uses the following arguments:

Command Arguments


-i, --image-id Image ID. For example, Ubuntu14.04_64-bit* Yes

-N, --google-image-name Google image name** Yes

-P, --google-project-id Google image project ID** Yes


-t, --os-type Type of the operating system (Windows, Linux) Yes


-g, --group Image group (public, enterprise) Yes

-u, --username Default SSH user*** Yes

* Use image name corresponding to the common EPAM Orchestrator image mapping

** Specify Google image name and the ID of the public project from which the image will be retrieved

*** Specify the login under which the instance will be accessed with an SSH key

Command Example:

google add_image –i imade_ID –N google_image_name –P google_project_id –d

image_description –t os_type –z zone –g group –u username

6.4.6 Custom Image Creation in Google Cloud

Google Cloud creates custom images from system volume snapshots, therefore, storing a machine image

with attached volumes requires a series of actions. Here we recommend creating tasks and subtasks as

using task processing tools.

A task of creating an image from an instance with attached volumes consists of the following subtasks:

- Creation of a system volume snapshot

- Creation of a volume from the snapshot

- Creation of an image from the volume

- Deletion of the created volume

- Creation of snapshots of the attached volumes (can run simultaneously with system volume

operations)

As the result, there is a project Google image and snapshots of the attached volumes.

Resource creation from such image also involves several subtasks:

- Instance run from the custom image

- Creation of volumes from the stored snapshots and their attachment to the launched instance

Such custom images can only be used in EPAM Orchestrator, because if an instance is launched from


EPAM PUBLIC 246

the custom image via the Google console, the instance will be started with no non-system volumes

attached. The image size includes not only system volume data but also the data of the attached volume

snapshots.

Note that the snapshots of attached volumes are part of the image and if either of them is deleted via the

Google console, the snapshot size will be deducted from the image size and the instance launched from

the image will not have the volume corresponding to the deleted snapshot.

Also, in Google Cloud resources belong to a project, therefore, creation of a custom project image causes

duplicates of the Google MachineImage entity for all Google zones in the Orchestrator database (the

MachineImages collection). Similarly, when an image is deleted, duplicates for all Google zones are

deleted as well.

6.4.7 Public and Static IPs

By default, Google Cloud assigns public IPs to instances upon launch, however, these IPs may change

with each start-stop operation. Google documentation refers to them as to “ephemeral” external IP

addresses.

For cases when it is important that an instance keeps the same IP address, Google Cloud supports

reserved static IPs.

In EPAM Orchestrator, a static IP is allocated with the following sequence of Maestro CLI commands:

1. Allocation of a static IP to the project and region:

or2alsip -p project -r region

2. Assignment of a static IP to the instance:

or2assip -p project -r region -i instance_id -a ip_address

Static IP assignment is performed as the following series of subtasks:

- Removal of the default public IP from the instance

- Waiting for the default public IP removal to complete

- Assignment of the configuration of public access to the instance with a static IP

- Waiting for the static IP assignment to complete

Due to the complexity of the flow, the command performance may take longer than with other cloud

providers. Also, the probability of failure is higher.

The reverse process of a static IP disassociation is performed with the following Maestro CLI command:

or2dissip -p project -r region -a ip_address

IP disassociation is also a process involving several subtasks:

- Removal of the static IP from the instance

- Waiting for the static IP removal to complete

- Assignment of the configuration of public access to the instance with the default public IP

- Waiting for the default public IP assignment to complete


EPAM PUBLIC 247

6.4.8 Volumes in Google Cloud

In Google Cloud, system volumes are created together with the corresponding instances and receive IDs

fully matching those of the instance. At the same time, EPAM Orchestrator will show system volumes with

have their unique IDs. For non-system volumes, the Google console will show names matching such

volume IDs in EPAM Orchestrator.

Attach/detach volume operations are fully supported.

6.4.9 Google IAM Users

EPAM Orchestrator distinguishes two main types of users – temporary users and permanent IAM users.

This system requires certain adaptation for Google Cloud, as Google has no such classification.

• Temporary Users

Temporary access to Google Management Console is granted with the following command:

or2goomc

In this case, temporary access to the Google console is granted via a special user pool

(GoogleAccountUsers collection in the database), the names of such users always start with

SpecialEPM-CSUP*. When the or2goomc command is sent, EPAM Orchestrator searches for a free

SpecialEPM-CSUP* user in the pool, changes its status to IN_USE and allocates a new password to be

provided to the end user via email.

All temporary access permissions are reset every day at 12:00 a.m.

To add a temporary user to the pool, use the following Admin Utility command:

google add_temp_access_user [arguments]

The ‘google add_temp_access_user’ command uses the following arguments:

Command Arguments


-u, --username Email of the Google user Yes

Command Example:

google add_temp_access_user –u user_email

To retrieve the list of all existing temporary users, use the following command:

google list_temp_access_users

The ‘google list_temp_access_users’ command uses no arguments.


EPAM PUBLIC 248

• Ordinary IAM Users

The number of IAM users is limited to 100 per project.

To add a Google IAM user, use the following command:

google add_iam_user [arguments]

The ‘google add_iam_user’ command uses the following arguments:

Command Arguments




-r, --creation-reason Short description of the IAM user creation reason Yes

Command Example:

google add_iam_user –p project_ID -e user_email –r creation_reason

To retrieve the list of all existing ordinary IAM users, use the following command:

google list_iam_users [arguments]

The ‘google list_iam_users’ command uses the following arguments:

Command Arguments



Command Example:

google list_iam_users –p project_ID

Additionally, you can use the following Maestro CLI command to view the list of all ordinary IAM users:

or2iam [arguments]


Command Arguments


-a, --action Action to perform. Allowed valued: [describe, delete, setOwner]. Default:

describe No

-e, --email Owner’s email for the ‘-a setOwner’ action No


--reason IAM user deletion reason for the ‘-a delete’ action No

-t, --type IAM user type. Allowed values: [aws, google] No

-u, --user-name IAM user name No


EPAM PUBLIC 249

Command Example:

or2iam –p project_ID –t google

• System IAM Users

All system IAM users are stored in the GoogleAccounts collection in the Compute account

(systemIamUserName field). The google list_iam-users Admin Utility command retrieves all IAM users,

both ordinary and system, while or2iam Maestro CLI command lists only ordinary users.

System IAM uses are created with the ‘owner’ permissions while ordinary IAM users and temporary users

have the ‘editor’ permissions which are narrower than “owner’.

To create a system IAM user, use the following command:

google add_account_system_username [arguments]


Command Arguments


-u, --username System user name (user’s EPAM email) Yes

Command Example:

google add_account_system_username –u username

All IAM users operations are synchronized with the Google console at 3:15 a.m. UTC.

6.4.10 Other

• Init Scripts

In Google Cloud, the init script runs with each OS start, therefore, for Google Cloud special init scripts

have been created and stored in the OrchestrationSettings collection of the database in the

googleLinuxNativeScript’ and ‘googleWindowsNativeScript’ fields.

• Interactive Operations

During interactive operations requiring simultaneous actions in the browser, Admin Utility may sometimes

return invalid hyperlinks, especially, for API activation. We recommend searching for the correct

hyperlinks in the API Manager if the Admin Utility returns an invalid link repeatedly.

6.5 OPENSTACK – ADMINISTRATION CASES

6.5.1 OpenStack Controller Hosts

OpenStack virtualizator is controller-based, with each controller corresponding to an OpenStack zone in

EPAM Orchestrator. The controller by default contains an admin project (tenant) and is intended to create


EPAM PUBLIC 250

a network to host all instances launched by the controller (that is, within the corresponding EPAM

Orchestrator zone). The controller also creates admin credentials (login/password) for the Orchestrator to

access OpenStack API.

Direct access to the controller via the native UI, in addition to the login/password combination, may also

require the domain which always has the “default” value.

6.5.2 OpenStack Hosts and Host Aggregates

Each controller has a number of hosts used to allocate resources to launched instances and created

storage volumes. Each host is assigned an availability zone which is used when instances and system or

attached volumes are created on the same host. There may be cases when a volume cannot be attached

to a running instance if the host resources are insufficient. In this case, OpenStack prevents volume

creation (contrary to CSA where the instance can move to a different host together with all related

resources). Hosts may differ not only by capacity but also by the supported storage type (SSD/HDD).

Hosts are joined into aggregates by the supported storage type (SSD support information is included in

the aggregate metadata). Aggregates are used to filter resource creation requests depending on the

storage type. The filter also acts as load balancer distributing the load among the hosts within aggregates

depending on the current utilization rate.

6.5.3 OpenStack Zone Management

The typical OpenStack zone creation flow is as follows:

--zone

--image-id

--open-stack-image-id

--description

--group

--username

Add Images

open_stack add_image

--zone

--shape

--flavor

Add Shapes

open_stack add_shape

--orch-id

--zone

[--unassign]

[--billing]

[--active]

Assign Orchestration Instance

orch assign

--zone

--auth-url

--instance-name-prefix

--counter

[--assign]

--admin-name

--admin-tenant

--external-gateway

Add Zone

open_stack add_zone

--zone

--cost-center-name

Set Cost Center

billing

set_cost_center

--zone

[--enable]

[--disable]

[--queues]

Enable Notifications

open_stack

notific_switcher

--zone

[--host] [--port]

[--vhost] [--mport]

[--username]

[--reply-timeout]

[--shutdown-timeout]

[--min-threads]

[--max-threads]

Configure Notifications

open_stack

notific_config

--file

[--skip-warnings]

[--skip-changes]

Create Pricing Policy

pricing _policy get

[--target]

pricing_policy update

Figure 13 - OpenStack zone creation


• Zone Creation

An OpenStack zone is the controller’s entity in EPAM Orchestrator storing the controller data used by

EPAM Orchestrator (link to the controller, access information, tenant information).


EPAM PUBLIC 251

To create a new OpenStack zone, use the following command:

open_stack add_zone [arguments]

The ‘open_stack add_zone’ command uses the following arguments:

Command Arguments



-z, --zone Name of the virtualization zone to be used in EPAM

Orchestrator (case-sensitive) Yes

-u, --auth-url

OpenStack authentication URL for domain authorization to

resources. The authorization server is one of the OpenStack

services and can be reached at the

[http:<controller_IP>:5000/v1] endpoint

Yes

-I, --location Location (e.g. North Europe) No

-c, --counter Instance start counter (used for instance name generation) Yes


-a, --admin-name Admin name to be used for API calls Yes

-t, --admin-tenant Admin tenant Yes

-m, --networking-mode Networking mode. Allowed values: [AUTO, MANUAL] Yes

--dns, --dns-server DNS server on which VMs will be registered. Several DNS servers can be specified.

Yes

-n, --network-id ID of the network created on the controller earlier Yes

--rn, --region-name OpenStack region name (to be used when a host serves several regions. EPAM Orchestrator zone entity will be associated with the specified region)

No

-d, --docker-only Docker only (to be used when the zone is a dedicated zone for Docker/Kubernetes services deployed on CoreOS)

No

--mtp Servicing host for the moveToProject command No

The ‘open_stack add_zone’ command requires a password for execution. After the command is sent,

the system prompts for the password. Therefore, this command cannot be sent in the ‘quiet’ mode.

Command Example:

open_stack add_zone -z zone_name -u http://<server_hostname:port>/v2.0 -r

region -l location -c 001 -a admin -t admin -m networking_mode –dns

dns_server

The mongo refresh_config command of the DB Utility does not hide admin user credentials and URLs

for authorization and additional servers (this does not refer to zones migrated from CSA).


EPAM PUBLIC 252

• Zone Editing

To edit an OpenStack zone, use the following command:

open_stack edit_zone [arguments]

The ‘open_stack edit_zone’ command uses the following arguments:

Command Arguments


-z, --zone Name of the virtualization zone to be used in EPAM

Orchestrator (case-sensitive) Yes

-s, --strategy

Zone update strategy. Allowed values: [DESCRIBE,

PUSH_NOTIFICATIONS,

PUSH_NOTIFICATIONS_WITH_DESCRIBE]

No

-d, --disk-drive Default storage type. Allowed values: [HDD, SSD]. We recommend using the type supported by the majority of hosts.

No

-r, --resource-placing-

policy

Resource placing policy. Allowed values: [DEFAULT, SAME_HOST]. Defines whether instances should be placed on the same host as the volumes attached to them. The SAME_HOST value is the preferred setting.

No

-c, --create-volume-

snapshots Defines whether the operation of volume snapshot creation is supported

No

-t, --storage-threshold Storage capacity threshold. Must be in the range of [0, 100] No

Command Example:

open_stack edit_zone -z zone_name –s DESCRIBE -d SSD –r SAME_HOSTS –t 100

• Retrieving the List of OpenStack Zones

To retrieve the list of OpenStack zones existing in EPAM Orchestrator, use the following command:

open_stack get_zones

The ‘open_stack get_zones’ command uses no arguments.

• Orchestration Instance Assignment to OpenStack Zone

When a new zone has been created, it has to be associated with an Orchestration instance for correct

integration in the EPAM Orchestrator and proper service of the resources hosted in such zone.

To assign an Orchestration instance to the newly-created zone, use the following command:

orch assign [arguments]

The ‘orch assign’ command uses the following arguments:

Command Arguments


-o, --orch-id Orchestrator instance ID Yes


EPAM PUBLIC 253


-u, --unassign Flag used to unassign a previously assigned zone No

-b, --billing Flag used to set the Orchestrator instance responsible for the zone

billing No

-a, --active Flag used to set the Orchestrator instance as active No

Command Example:

orch assign -z zone_name -o instance_id -a

• Adding Shapes to OpenStack Zone

A new zone is created with no VM shapes available in it. For the projects to be activated in a zone,

shapes have to be added. Once shapes are added and configured, projects can be activated only with

the shapes available in the zone. If a project requires a shape not available in the zone, the shape has to

be added to the zone first.

OpenStack refers to shapes as “flavors” and distinguishes them not only by the CPU/RAM combination,

but also by the storage type (SSD or HDD), OS type (Linux, Windows) and the system volume size.

Shape names are combined from several parameters, one of them always being the EPAM Orchestrator

shape name. The name may also contain the volume size and the indicator of the storage type (ssd) or

operating system (lin for Linux).

When an instance is launched with a certain shape, the flavor selection is influenced by the specified

shape, image and the zone configuration. The image defines the operating system, and if the storage

type is specified – the corresponding flavor will be used, otherwise, a default flavor will be selected in

accordance with the zone configuration.

To add a shape to an OpenStack zone, use the following command:

open_stack add_shapes [arguments]

The ‘open_stack add_shapes’ command uses the following arguments:

Command Arguments


-z, --zone Name of virtualization zone where shapes are to be added Yes

-s, --shape

Shape name. For several shapes, repeat the parameter: -s SHAPE1 -

s SHAPE2. If not specified, all available shapes will be added. Only

the shapes not yet added to the zone will be added by the command

No

-d, --drive-type Disk drive type. For several disk drives, repeat the parameter: -d SSD

-d HDD. If not specified, all available drives will be added No

-t, --os-type

Operating System type (e.g. WINDOWS, LINUX). For several OS

types, repeat the parameter. If not specified, all available OS types

will be added

No

--see Print the shapes to be added No


EPAM PUBLIC 254

Note that the --see flag blocks the shape addition operation and only prints the list of shapes to be added.

Command Example:

open_stack add_shapes -z zone –s small –t linux –d hdd

• Shape Management in OpenStack

To view the default shapes existing in OpenStack, use the following command

open_stack get_default_shapes [arguments]

The ‘open_stack get_default_shapes’ command uses no arguments.

To view the shapes available in a certain OpenStack zone, use the following command

open_stack get_shapes [arguments]

The ‘open_stack get_shapes’ command uses the following arguments.

Command Arguments


-z, --zone Name of virtualization zone Yes

To delete shapes from a certain OpenStack zone, use the following command

open_stack delete_shapes [arguments]

The ‘open_stack delete_shapes’ command uses the following arguments.

Command Arguments



-f, --flavor OpenStack flavor ID. Repeat the option to delete several flavors Yes

When flavors are updated by the OpenStack controller, their identifiers change which requires flavor

updates in EPAM Orchestrator. This is done by means of the ‘revision’ field in the flavor collection in the

EPAM Orchestrator database. The field is updated with the flavor update date; in this case, the flavor will

still be used to describe the existing resources but will not be used to create new ones. For a new flavor

identifier, the OpenStack controller generates a new document with the ‘revision’ field set to ‘latest’. All

new instances launched by EPAM Orchestrator will use the flavors with ‘revision’ set to ‘latest.

• Adding Machine Images to OpenStack Zone

To add machine images which will be available in the OpenStack zone, use the following command:

open_stack add_image [arguments]

The ‘open_stack add_image’ command uses the following arguments:

Command Arguments



EPAM PUBLIC 255

-z, --zone Name of virtualization zone to which the image is to be

added Yes

-i, --image-id Image id (e.g. Ubuntu14.04_64-bit) Yes

-o, --open-stack-image-id OpenStack image ID Yes

-d, --description VM image description Yes



-t, --os-type Type of operating system (windows, linux) Yes

Command Example:

open_stack add_image -i Ubuntu14.04_64-bit -o openstack_image -d

"Ubuntu14.04 64-bit LTS" -z zone_name -g PUBLIC -u user –t linux

• Machine Image Management in OpenStack

When an image is updated on the OpenStack controller, the image identifier changes. Identifiers

synchronization between the OpenStack controller and EPAM Orchestrator is performed by schedule at

1:00 a.m. UTC. Identifiers can also be updated via jmx on the EPAM Orchestrator Web UI or with the

following Admin Utility command:

open_stack set_image_id [arguments]

The ‘open_stack set_image_id’ command uses the following arguments:

Command Arguments



-n, --name Image name Yes

-i, --id New image ID Yes

Command Example:

open_stack set_image_id -n Ubuntu14.04_64-bit -z zone_name –i image_id

To retrieve the list of images existing in EPAM Orchestrator for the specified zone, use the following

command:

open_stack get_images [arguments]

The ‘open_stack get_images’ command uses the following arguments:

Command Arguments




EPAM PUBLIC 256

Command Example:

open_stack get_images -z zone_name

To delete an image from a zone by its OpenStack ID, use the following command:

open_stack delete_image [arguments]

The ‘open_stack delete_image’ command uses the following arguments:

Command Arguments




Command Example:

open_stack delete_image -z zone_name –i image_id

• Custom Image Management in OpenStack

In OpenStack, an image does not store data of the attached volumes. Therefore, in EPAM Orchestrator,

the MachineImages collection in the database stores the data of the snapshots of attached volumes

together with the image data. The snapshot data is stored in the ‘volumeSnapshotInfoSet’ field.

Note that the storage sequence influences the sequence of volume creation and attachment to the

instance launched from the custom image.

Also, to enable creation of custom images from instances with attached volumes, run the ‘open_stack

edit_zone’ command with the -c, --create-volume-snapshots flag, as by default this option is disabled.

• Push Notifications Configuration

OpenStack supports the Push Notifications functionality allowing EPAM Orchestrator to respond to

changes and to perform synchronizations quicker.

Push notifications are sent via the RabbitMQ messenger service. The OpenStack controller sends

messages about various events related to resource state changes to the RabbitMQ server. In its turn,

EPAM Orchestrator can monitor pre-defined message queues storing messages from the OpenStack

controller and thus getting the change data immediately.

If push notifications are disabled, synchronization is performed by scheduled describe requests to the

server. The request frequency depends on the resource (on the average, every 2-5 minutes).

Push notifications are configured with the following command:

open_stack notific_config [arguments]

The ‘open_stack notific_config’ command uses the following arguments:

Command Arguments


EPAM PUBLIC 257



--host OpenStack Rabbit host* No

-p, --port OpenStack Rabbit port* No

-m, --mport OpenStack Rabbit Management port** No

-v, --vhost OpenStack Rabbit virtual host*** No

-u, --username OpenStack Rabbit username under which EPAM Orchestrator

will monitor messages on the RabbitMQ host No

-r, --reply-timeout Reply timeout (in milliseconds)**** No

-s, --shutdown-timeout Shutdown timeout (in milliseconds)***** No

-n, --min-threads Minimum number of threads to monitor notifications****** No

-x, --max-threads Maximum number of threads to monitor notifications****** No

--nova Custom exchange name for Nova service******* No

--cinder Custom exchange name for Cinder service******* No

--glance Custom exchange name for Glance service******* No

* RabbitMQ host and port for push notifications

** Currently not used as the management plugin is usually disabled on RabbitMQ server deployed together

with the OpenStack controller

*** Usually the default virtual host is used (“/”)

**** Not used

***** The shutdown timeout setting is used to terminate the amqp-listeners container

****** The recommended thread number is up to 30. The minimum setting defines the constant number of

notification handling threads while the maximum setting limits their number

******* Custom exchange key names for the corresponding OpenStack services on RabbitMQ

The ‘open_stack notific_config’ command requires a password for execution. After the command is

sent, the system prompts for the password. Therefore, this command cannot be sent in the ‘quiet’ mode.

Command Example:

open_stack notific_config -z zone_name --host <server_hostname> -p 5672 -v

"/" -u readonly -s 30000 -n 2 -x 6

Before enabling push notifications, run the ‘open_stack edit_zone’ command with the -s, --strategy

parameter set to “PUSH_NOTIFICATIONS_WITH_DESCRIBE”, as this setting will not disable scheduled

requests for resource synchronization with EPAM Orchestrator which is a more fault-tolerant

configuration.


EPAM PUBLIC 258

• Enabling Notifications

To enable the notification service for the OpenStack zone, use the following command:

open_stack notific_switcher [arguments]

The ‘open_stack notific_switcher’ command uses the following arguments:

Command Arguments



-e, --enable Enable notifications No

-d, --disable Disable notifications No

-q, --queues Configure OS RabbitMQ queues No

Before enabling or disabling the notification service, configure its settings using the

‘open_stack notific_config’ command.

Command Example:

open_stack notific_switcher -e -q -z zone_name

• Pricing Policy Creation for OpenStack Zone

Billing of the Cloud services is based on a pricing policy.

To view an existing pricing policy, use the following command:

pricing_policy get [--target]

where the --target parameter indicates how the data is to be delivered. Valid values: ssh_console,

email.

To update the pricing policy, use the following command:

pricing_policy update [arguments]

The ‘pricing_policy update’ command uses the following arguments:

Command Arguments


-f, --file File name* Yes

-w, --skip-warnings Skip warnings No

-c, --skip-changes Skip changes No

*This command requires file upload.


EPAM PUBLIC 259

Command Example:

pricing_policy update –f file_name

• Setting Cost Center for OpenStack Zone

For the correct billing of the Cloud services for the projects used in the OpenStack zone, a cost center

has to be assigned to it. To assign a cost center to a new OpenStack zone, use the following command:



Command Arguments




Command Example:


6.5.1 Project

Activation in

OpenStack

To activate a project in an OpenStack-based region, use the following command:

open_stack activate_project [arguments]

The ‘open_stack activate_project’ command uses the following arguments:

Command Arguments



-s, --shape Shape name. For several shapes, repeat the parameter:

-s shape1 -s shape2 -s shapeN Yes





Command Example:

open_stack activate_project -p project -z zone -s SMALL –s MEDIUM –s LARGE


EPAM PUBLIC 260

After the command execution, projects are created on the OpenStack controller according to the pattern

consisting of:

- The name of the node executing the command

- The name of the zone sent in the command

- The project name

During the command execution, default security groups are configured. For each project a separate

security group is created with rules not limiting the access for the following protocols: udp, tcp, icmp.

If a project is activated in a zone with networking mode (-m, --networking-mode) set to ‘MANUAL’, a

separate network with subnet 172.25.0.0/24 is created (the same subnet is used for all projects in zones

with the MANUAL networking mode).

• Personal Projects in OpenStack

To activate personal project support for a particular OpenStack zone, use the following command:

open_stack activate_zones_personal_project [arguments]

The ‘open_stack activate_zones_personal_project’ command uses the following arguments:

Command Arguments



As the result of the command execution, a project under the name “PERSONAL” is activated on the

OpenStack controller. All resources launched under personal projects will be assigned to that project.

6.5.2 OpenStack Networking

When a zone is created, its networking mode (-m, --networking-mode) is set to one of the following

values: AUTO or MANUAL. The mode is defined by the OpenStack controller.

The MANUAL mode is an older option which is currently in the process of deprecation. In the MANUAL

mode, for each project a separate hard-coded network is created in the zone. When an instance is

launched, a public static IP is generated and then assigned to the instance. Afterwards, the DNS name is

registered. Private IP addresses are generated from the hard-coded network created for the project in the

172.25.0.0/24 subnet.

The AUTO mode is more advanced and widely used. Such controllers support only one default network

for all projects activated on the controller. Private IP addresses for all instances launched on the controller

are generated within that network. Public IP addresses are generated in EPAM subnets with IP

addresses being public within the EPAM network.

6.5.3 DNS Name Creation in OpenStack

In OpenStack, each zone is created with specification of a DNS server (one or several). EPAM

Orchestrator accesses such server(s) to register DNS names of instances launched in OpenStack zones.

Depending on the platform, requests to the DNS server can be made through one of the two utilities:

- nsupdate – an utility for Linux orchestrators. DNS name is added as follows:


EPAM PUBLIC 261

nsupdate -g

> server <dns-server IP>

> zone epam.com

> update add <dns-name> <registration lifetime> A <instance IP>

> send

> quit

The same utility is used to delete a DNS name from the server:

nsupdate -g

> server <dns-server IP>

> zone epam.com

> update delete <dns-name> A

> send

> quit

- Dnscmd – a utility for Windows. DNS name is added as follows:

dnscmd ServerName /RecordAdd DNSZoneName HostName RecordType IPAddress

This utility does not support DNS name deletion, therefore, names are to be deleted manually.

Access to the DNS server is done via special tickets generated through the kinit utility.

The DNS name generation utility is selected by setting one of the profiles [nsupdate-dns-creation,

dnscmd-dns-creation]. Also, set [dnscmd.location, nsupdate.location] in the ‘properties’ files for EPAM

Orchestrator to discover the utilities.

6.5.4 OpenStack Metadata

Most of the resources created on OpenStack controllers have metadata. Instance metadata stores

instance access information and the instance requestor’s identification data. Also, metadata logs instance

migration from another project (mtp-action). The mtp-action parameter is set during the or2mtp Maestro

CLI command, at the same time, the projectId field in the database used by the OpenStack controller is

updated.

Instance flavors (shapes) also have metadata generated during flavor addition to EPAM Orchestrator.

Both host metadata and flavor metadata are used to direct the resource creation request to the most

suitable host.

System volumes are associated with the corresponding instances by the controller’s response to the

instance launch. The response contains the availability zone in which the system volume will be created.

6.5.5 OpenStack Recycle Bin

The Recycle Bin feature allows restoring recently terminated resources. Recycle Bin is, in fact, a project

activated on the OpenStack controller serving the entire zone.


EPAM PUBLIC 262

• Recycle Bin Creation

To create a Recycle Bin, use the following command:

open_stack create_recycle_bin [arguments]

The ‘open_stack create_recycle_bin’ command uses the following arguments:

Command Arguments



-t, --ttl Minimum time to live for instance in hours before being moved to recycle

bin. Default: 24 No

-d, --days Number of days for the instance to remain in the Recycle Bin. Default: 7 No

Command Example:

open_stack create_recycle_bin –z zone -t 24 –d 7

• Recycle Bin Management

To edit a Recycle Bin, use the following command:

open_stack edit_recycle_bin [arguments]

The ‘open_stack edit_recycle_bin’ command uses the following arguments:

Command Arguments



-t, --ttl Minimum time to live for instance in hours before being moved to recycle

bin. Default: 24 No

-d, --days Number of days for the instance to remain in the Recycle Bin. Default: 7 No

Command Example:

open_stack edit_recycle_bin –z zone -t 48 –d 5

The ‘open_stack edit_recycle_bin’ command allows updating the -t, --ttl and -d, --days parameters.

The -z, --zone parameter is sent to identify the zone in which the Recycle Bin has to be modified.

To describe a Recycle Bin, use the following command:

open_stack describe_recycle_bin [arguments]

The ‘open_stack describe_recycle_bin’ command uses the following arguments:

Command Arguments




EPAM PUBLIC 263

Command Example:

open_stack describe_recycle_bin –z zone

The command returns the Recycle Bin settings in the selected zone and lists the resources currently

stored in it.

• Management of Resources in Recycle Bin

To restore an instance from the Recycle Bin, use the following command:

open_stack restore_from_recycle_bin [arguments]

The ‘open_stack restore_from_recycle_bin’ command uses the following arguments:

Command Arguments



-s, --server-id ID of the instance to be restored. Instance IDs to be used are instance

IDs on the OpenStack controller. Yes

-p, --project Project abbreviation in UPSA* No

* The -p, --project parameter allows restoring the instance in a different project activated in the same zone.

Command Example:

open_stack restore_from_recycle_bin –z zone –s instance_id

To remove an instance from the Recycle Bin, use the following command:

open_stack remove_from_recycle_bin [arguments]

The ‘open_stack remove_from_recycle_bin’ command uses the following arguments:

Command Arguments



-s, --server-id ID of the instance to be restored. Instance IDs to be used are instance

IDs on the OpenStack controller. Yes

Command Example:

open_stack remove_from_recycle_bin –z zone –s instance_id

To terminate an instance without placing it into the Recycle Bin, it has to be terminated via the Maestro

CLI with the --permanently option:

or2kill –p project_id –r region –i instance_id --permanently

6.5.6 OpenStack Instance State

OpenStack controller and EPAM Orchestrator determine instance state differently. To resolve this


EPAM PUBLIC 264

difference, EPAM Orchestrator supports special mapping using the following three parameters of the

controller:

- Instance state

- Current task running on the instance

- Power state

Combinations of these parameters are mapped to EPAM Orchestrator instance states.

Sometimes, OpenStack controller may produce new combinations. In this case, after two-sided

consultations with OpenStack support and approval of the updates, the new combination is added to the

EPAM Orchestrator mapping which is part of the code.

6.5.7 Other

• Volume Errors

In case of a volume error on the OpenStack controller, EPAM Orchestrator updates the volume state to

‘error’, because the controller returns an empty response (unlike the response on the instance which

contains the reason) not allowing to identify the failure reason. In this case, the Level 1.5 Team will be

notified.

• Shape Change on OpenStack

Instance shape is changed with the or2chshape (or2-change-shape) Maestro CLI command. In

OpenStack regions, this command execution consists of the following subtasks:

- Validation of the shape change request

- Shape change confirmation

- Waiting for the corresponding flavor replacement

6.6 SIMPLE USER CONFIGURATION

Is cases when there is a necessity to provide access to a user whose credentials cannot be obtained from

UPSA for some reason (for example, for a customer representative), a simple user should be created in

Orchestrator

The user configuration flow is as follows:


EPAM PUBLIC 265

--email

--username

--login

--requestor

Create a User

permission add_user

--email

--project

Assign the user to the project

permission assign

--email

--project

--group

Assign permission groups

permission add_user_mapping

--email

--project

Clear permission groups

permission del_user_mapping

Each step is described in details below:

6.6.1 User Creation

To create a new user in EPAM Cloud, use the following command:

permission add_user [arguments]

The ‘permission add_user’ command uses the following arguments:

Command Arguments


-e, --email User’s email Yes

-u, --username User’s full name Yes

-l, --login User’s login Yes

-r, --requestor Email of the requestor of the simple user account No

Command Example:

permission add_user –e [email protected] -u Firstname

Lastname -l [email protected]

6.6.2 User Assignment to Project

After the simple user has been created, it should be assigned to a project with the following command:

permission assign [arguments]


EPAM PUBLIC 266

The ‘permission assign’ command uses the following arguments:

Command Arguments




Command Example:

permission assign -e [email protected] -p project

6.6.3 Permission Assignment

A simple user should be assigned one or more permission groups defining their access to the

Orchestrator functions:

permission add_user_mapping [arguments]

The ‘permission add_user_mapping’ command uses the following arguments:

Command Arguments




-g, --group Permission group name. For several groups repeat the parameter Yes

Command Example:

permission add_user_mapping -p project –e [email protected]

–g permission_group

If the ‘--project' parameter is not specified, the user will be assigned permissions applicable to the entire

EPAM Cloud.

6.6.4 Permission Update

If the user’s permissions have to be updated according to any changes in their project role, the existing

permission groups have to be deleted using the following command:

permission del_user_mapping [arguments]


EPAM PUBLIC 267

The ‘permission del_user_mapping’ command uses the following arguments:

Command Arguments




Command Example:

permission del_user_mapping -p project –e [email protected]

The ‘permission del_user_mapping’ command deletes all permission groups assigned to the user

within the project. After all permission groups have been deleted, run the ‘permission

add_user_mapping’ command to assign new permission groups.

If you try to add permission groups without deleting the existing user mapping, the command will return

an error. Make sure you run the ‘permission del_user_mapping’ command first.

User permissions will be refreshed within 30 minutes, and afterwards the credentials (login, username

and CLI password) can be passed on to the external user. The user will be able to access Cloud UI with

their login and domain password and Maestro CLI with their login and the password created by the

support team.


EPAM PUBLIC 268

ANNEX A – ADMIN CLI COMMANDS USAGE IN DIFFERENT

VIRTUALIZATION PLATFORMS

Platform / Command Group

Command aws azure csa hpoo open_stack

add_image X X X

add_zone X X X X X

add_shape X

add_shapes X

add_group X

config_group X

describe_groups X

add_account X

check_account X

get_accounts X

activate_project X X X X X

config_project X

active_project_dl X

del_project_dl X

add_subscript X

del_subscript X X

get_subscript X

subscript_pool X

add_enrolment X

grant_access X

revoke_access X

share_credit X

add_trusted_ip X

del_trusted_ip X

add_zone_alias

config_network X

get_net_config X

add_ownership X

active_cloudtrail X

get_cloudtrail X

put_under_eo X

set_catalog X

sync_from_csa X


EPAM PUBLIC 269

restore_to_csa X

add_offering X

check_offerings X

vlan_activate X X

config_api X

restore_missing X

check_flows X

configvs X

refresh_images X

get_problem_inst X

notific_config X

notific_switcher X


EPAM PUBLIC 270

ANNEX B – ADMIN CLI COMMANDS REQUIRING FILE

UPLOAD

Command File

settings add_key SSH public key

csa put_under_eo File containing commands. File format: -z zone -i instance -o

offeringName -s shape.

Only one command per line is allowed

pricing_policy update File containing the pricing policy

pricing_policy check File containing the pricing policy

show project_dls File containing the list of ORG Cloud User emails (copied from

Microsoft Outlook)

template analyze File containing the CloudFormation template to be analyzed

aws up_man_policy File containing the AWS policy

aws save_policy File containing the AWS policy

billing aws_china Previously uploaded CSV file containing the report

chef add_config The command requires uploading three files:

- Validation pem file

- Authentication file

- Chef server certification file

ANNEX C – ADMIN CLI COMMANDS SENDING EMAILS AS

THE RESULT OF EXECUTION

Command Email content

billing health_check Billing consistency report

billing aws_china

chef describe_server Chef server data

chef get_nodes Data of Chef nodes and existing EO instances

cli notify Notification of CLI update

integrity check Integrity check report


EPAM PUBLIC 271

pricing_policy get Pricing policy data

show all_zones Brief information of all zones

show all_projects Brief information of all projects

subscription show_default List of default subscriptions to notifications and reports

aws_security get_backup Backup configuration of the security groups

aws_security check_mfa List of users with no MFA configured

aws check_config AWS configuration data

aws get_policies AWS policy description

aws_ri describe List of AWS reserved instances

csa check_offerings CSA offering information

ANNEX D – AWS-RELATED COLLECTIONS IN DATABASE

Collection Content

AWSAccounts Contains all AWS accounts. This collection stores both PAYING

account and associated LINKED accounts. Each account has

the account, accessKey and secretKey fields. They are used by

EPAM Orchestrator to make requests to AWS within a project.

AWSRoles Currently contains 4 documents each describing a particular

role/group:

EC2_INSTANCE_ROLE – IAM role for Amazon EC2

GROUP_ROLE – default role used for all project IAM users.

This group is created during project activation with the

corresponding policies. All IAM users belong to this group

FEDERATED_USER_ROLE – used when a user accesses

AWS via the or2awsmc Maestro CLI command

CLOUD_SUPPORT_ROLE – used when a user being a EPM-

CSUP project member accesses AWS via the or2awsmc

Maestro CLI command. This role allows all actions

AwsIamEntities Contains roles for SSO configuration. Users accessing AWS via

AWS SSO are assigned roles according to their project roles

AwsIamPolicies Contains AWS policies for roles/groups/services, etc. For

example, SSO roles from the AwsIamEntities collection use

policies from AwsIamPolicies


EPAM PUBLIC 272

AwsIamUsers Contains all IAM users created both via EPAM Orchestrator and

AWS. Users data is synchronized once every week

AwsSSOUserMappings Contains specific permission settings for users of AWS SSO

AwsIamEntityProhibitionMapping Contains restrictions for specific users within specific SSO roles

AwsSecurityGroupsBackup Scheduled backups of security groups. The collection contains

links to security group files


EPAM PUBLIC 273

TABLE OF FIGURES

Figure 1 – Locating Private Key .................................................................................................................. 11

Figure 2 – Command groups ....................................................................................................................... 16

Figure 3 – List of commands in a group ...................................................................................................... 17

Figure 4 – Command help ........................................................................................................................... 17

Figure 5 – Error message indicating missing parameter ............................................................................ 17

Figure 6 - AWS zone creation flow ............................................................................................................ 214

Figure 7 - Azure zone creation flow .......................................................................................................... 230

Figure 8 – Network configuration .............................................................................................................. 234

Figure 9 – Configuration of Azure zones ................................................................................................... 234

Figure 10 - CSA zone creation flow .......................................................................................................... 235

Figure 11 - Google account setup ............................................................................................................. 241

Figure 12 - Project activation in Google Cloud .......................................................................................... 244

Figure 13 - OpenStack zone creation ....................................................................................................... 250


EPAM PUBLIC 274

VERSION HISTORY

Version Date Summary

2.6 February, 2021 Added detailed description of the following groups of commands:

“Subscription”, ”Account”, ”Settings”, “Orch”, “INIT”, “Integrity”, “CLI”,

“Status”, “Security”, “Luminate”, “Qualys” and “Instance”.

Added detailed description of the “AWS_Workspaces” group

command, temp remove_redundant_firewall, google

describe_instance_firewalls, aws grant_licenses and aws_security

describe_sg_resources commands.

Updated parameters of aws_security manage_sec_groups, google

manage_external_ip and settings upsa commands.

2.5 December, 2020 Added detailed description of the “Admin”, ”User”, ”Permission” and

“Project” group commands

2.4 October, 2020 Added detailed description of the “Azure” and “Google” group

commands

Removed information about Nessus

2.3 September, 2020 Added detailed description of the “AWS” group commands

2.2 August 5, 2020 Added detailed description of the “OpenStack” group commands

2.1 June 27, 2020 Updated the list of commands Added detailed description of the

“Show” group

2.0.2 March 20, 2018 Added a ‘user prolong_access_token’ command to prolong simple

user account access expiration

2.0.1 November 30, 2017 Information about MSQ3 removed

2.0 September 9, 2017 Document revised, Use Cases section rearranged with use cases

grouped by virtualizer

1.0.4 January 11, 2017 Section describing admin Maestro CLI commands added

1.0.3 December 16, 2016 Classification changed from Confidential to Public, approved by

Dzmitry Pliushch

1.0.2 November 4, 2016 Added aws_security check_mfa command description

1.0.1 September 3, 2016 Added delete_user to aws group.

Added incorrect parameters warning to the Basic Principles section.

1.0 April 10, 2016 First published

Documents

EPAM Cloud Orchestrator. Maestro CLI Admin Utility · 2018. 3. 24. · EPAM Cloud Orchestrator Maestro CLI Admin Utility Admin Guide March 2018 Version 2.0.2. ... single enterprise