1. Accelerator Upgrade Guide(link)
1.1. General Upgrade Considerations(link)
- Due to some breaking dependency issues, customers can only upgrade to v1.3.8 or above (older releases continue to function, but cannot be installed).
- While an upgrade path is planned, customers with a standalone Accelerator installation can upgrade to v1.5.x but need to continue with a standalone installation until the Control Tower upgrade option becomes available.
- Always compare your configuration file with the config file from the release you are upgrading to in order to validate new or changed parameters or changes in parameter types / formats.
- do NOT update to the latest firewall AMI - see the last bullet in section 1.8. Other Operational Considerations of the installation guide
- do NOT update the
organization-admin-role- see item 2 in section 1.3.7. Other - do NOT update account-keys (i.e. existing installations cannot change the internal values to
managementfrommaster) - do NOT make changes outside those required for the upgrade (those stated in the release notes or found through the comparison with the sample config file(s)). Customers wishing to change existing Accelerator configuration should either do so before their upgrade, ensuring a clean/successful state machine execution, or after a successful upgrade.
- The Accelerator name and prefix CANNOT be changed after the initial installation
- Customers which customized any of the Accelerator provided default configuration files (SCPs, rsyslog config, ssm-documents, iam-policies, etc.) must manually merge the latest Accelerator provided updates with deployed customizations:
- it is important customers assess the new defaults and integrate them into their custom configuration, or Accelerator functionality could break or Accelerator deployed features may be unprotected from modification
- if customers don't take action, we continue to utilize the deployed customized files (without the latest updates)
- The below release specific considerations need to be cumulatively applied (an upgrade from v1.2.3 to v1.2.5 requires you to follow both v1.2.4 and v1.2.5 considerations)
1.2. Release Specific Upgrade Considerations:(link)
- Upgrades to
v1.5.1-a and abovefromv1.5.0orv1.5.1:- Do not add the parameter:
"ssm-inventory-collection": trueto OUs or accounts which already have SSM Inventory configured or the state machine will fail - Follow the standard upgrade steps detailed in section 1.3 below
- Do not add the parameter:
v1.5.1was replaced by v1.5.1-a and is no longer supported for new installs or upgrades- Upgrades to
v1.5.0andv1.5.1-a and abovefromv1.3.8 through v1.3.9:- We recommend upgrading directly to v1.5.1-a
- Due to the size and complexity of this upgrade, we require all customers to upgrade to
v1.3.8 or abovebefore beginning this upgrade - While v1.5.0 supports Control Tower for NEW installs, existing Accelerator customers CANNOT add Control Tower to their existing installations at this time (planned enhancement for 22H1)
- Attempts to install Control Tower on top of the Accelerator will corrupt your environment (both Control Tower and the Accelerator need minor enhancements to enable)
- The v1.5.x custom upgrade guide can be found here
- Upgrades to
v1.3.9 and abovefromv1.3.8-b and below:- All interface endpoints containing a period must be removed from the config.json file either before or during the upgrade process
- i.e. ecr.dkr, ecr.api, transfer.server, sagemaker.api, sagemaker.runtime in the full config.json example
- If you remove them on a pre-upgrade State Machine execution, you can put them back during the upgrade, if you remove them during the upgrade, you can put them back post upgrade.
- All interface endpoints containing a period must be removed from the config.json file either before or during the upgrade process
-
Upgrades to
v1.3.3 and abovefromv1.3.2 and below:- Requires mandatory config file schema changes as documented in the release notes.
- These updates cause the config file change validation to fail and require running the state machine with the following input to override the validation checks on impacted fields:
{"scope": "FULL", "mode": "APPLY", "configOverrides": {"ov-ou-vpc": true, "ov-ou-subnet": true, "ov-acct-vpc": true }} - Tightens VPC interface endpoint security group permissions and enables customization. If you use VPC interface endpoints that requires ports/protocols other than TCP/443 (such as email-smtp), you must customize your config file as described here
- These updates cause the config file change validation to fail and require running the state machine with the following input to override the validation checks on impacted fields:
- Requires mandatory config file schema changes as documented in the release notes.
-
Upgrades from
v1.3.0 and below:- Please review the
Release Specific Upgrade Considerationsfrom ASEA v1.5.0 or below, they were removed from this release.
- Please review the
1.3. Summary of Upgrade Steps (all versions except v1.5.0)(link)
- Login to your Organization Management (root) AWS account with administrative privileges
- Either: a) Ensure a valid Github token is stored in secrets manager (per the installation guide), or b) Ensure the latest release is in a valid branch of CodeCommit in the Organization Management account
- Review and implement any relevant tasks noted in the General Upgrade Considerations section above
- Update the config file in CodeCommit with new parameters and updated parameter types based on the version you are upgrading to (this is important as features are iterating rapidly)
- An automated script is available to help convert config files to the new v1.5.0 format
- Compare your running config file with the sample config file from the latest release
- Review the
Config file changessection of the release notes for all Accelerator versions since your current deployed release
- If you customized any of the other Accelerator default config files by overriding them in your S3 input bucket, merge the latest defaults with your customizations before beginning your upgrade
- Download the latest installer template (
AcceleratorInstallerXYZ.template.jsonorAcceleratorInstallerXXX-CodeCommit.template.json) from theAssetssection of the latest release - Do NOT accidentally select the
ASEA-InitialSetupCloudFormation stack below - If you are replacing your GitHub Token:
- Take note of the
AcceleratorName,AcceleratorPrefix,ConfigS3BucketandNotificationEmailvalues from the Parameters tab of your deployed Installer CloudFormation stack (ASEA-what-you-provided) - Delete the Installer CloudFormation stack (
ASEA-what-you-provided) - Redeploy the Installer CloudFormation stack using the template downloaded in step 6, providing the values you just documented (changes to
AcceleratorNameorAcceleratorPrefixare not supported) - The pipeline will automatically run and trigger the upgraded state machine
- Take note of the
-
If you are using a pre-existing GitHub token, or installing from CodeCommit:
- Update the Installer CloudFormation stack using the template downloaded in step 5, updating the
GithubBranchto the latest release (eg.release/v1.5.1-a)- Go to AWS CloudFormation and select the stack:
ASEA-what-you-provided - Select Update, select Replace current template, Select Upload a template file
- Select Choose File and select the template you downloaded in step 6 (
AcceleratorInstallerXYZ.template.jsonorAcceleratorInstallerXXX-CodeCommit.template.json) - Select Next, Update
GithubBranchparameter torelease/vX.Y.Zwhere X.Y.Z represents the latest release - Click Next, Next, I acknowledge, Update
- Wait for the CloudFormation stack to update (
Update_Completestatus) (Requires manual refresh)
- Go to AWS CloudFormation and select the stack:
- Go To Code Pipeline and Release the ASEA-InstallerPipeline
- Update the Installer CloudFormation stack using the template downloaded in step 5, updating the