AWS Systems Manager Change Manager, a capability of AWS Systems Manager, is an enterprise change management framework for requesting, approving, implementing, and reporting on operational changes to your application configuration and infrastructure. With Change Manager, you can use preapproved change templates to help automate change processes for your resources and help avoid unintentional results when making operational changes.
Change templates can be helpful during audits to show how standard changes are made. Here are some use cases:
- To stop a non-production environment for a workload over the weekend.
- To replace production EC2 instances from an updated AMI that is at required patch levels, making production instances secure and compliant.
- To release a new software version by using deployment methods like blue/green.
In this blog post, we’ll show how you can create a preapproved change template to stop an Amazon Elastic Compute Cloud (Amazon EC2) instance.
Before you begin
Quick Setup helps you configure frequently used AWS services and features across your organization. You can use Quick Setup to set up Change Manager.
Create a change template to stop an EC2 instance
1. Sign in to the AWS Management Console and open the Systems Manager console at https://console.aws.amazon.com/systems-manager/.
2. In the left navigation pane, expand Change Management, and then choose Change Manager.
3. On the Change Manager page, choose Settings, and then choose Edit.
Figure 1: Settings tab
4. In Best practices, under Change templates, the Require template review and approval before use option is enabled by default. Under Change requests, choose Create an Amazon SNS topic. For more information, see Creating Amazon SNS Topic in the Amazon Simple Notification Service Developer Guide.
Figure 2: Best practices
5. In Template reviewers, choose Add.
6. In Select IAM approvers, choose an IAM user or group, and then choose Add approvers. Scroll to the bottom of the Settings page, and then choose Save.
Figure 3: Select IAM approvers
7. On the Change Manager page, choose Create template.
8. On the Create change template page, enter a name for your template (for example, TemplateCreationBlog).
Figure 4: Create change template
9. In Change template details, do the following:
- For Description, enter a brief explanation of how the change template you are creating is to be used. In this example, enter To create a template for stopping EC2 instances.
- For Change template type, choose Standard change template. The other option, an emergency change template, is used for situations when a change must be made even if changes are otherwise blocked by an event in the calendar used by Change Calendar.
- The Runbook options section is used to specify the runbooks that users can choose from when they’re creating a change request. In this example, choose Select a single runbook.
- For Runbook, choose the names and versions of the runbooks that users can choose from for their change requests. In this example, choose AWS-StopEC2Instance.
Figure 5: Change template details
10. In Template information, provide details related to this change template, and then choose Show preview. Figure 6 shows some sample questions to help you complete this section.
Figure 6: Template information
11. In Change request approvals, under First-level approvals, click Add approver, and then choose Template specified approvers. On Select IAM approvers, choose the Users tab or the Groups tab, and then choose Add approvers.
Figure 7: Change request approvals
12. The options under Amazon SNS topic for approval notifications allow you to specify the SNS topic to use to notify approvers that a change request is ready for their review. In this example, choose Select an existing SNS topic.
13. To add an additional level of approvers, in Change request approvals, choose Add approval level and repeat step 11. In this post, we are using first-level approvals only. (See Figure 8.)
Figure 8: Amazon SNS topic and Add approval level
14. You can use the Monitoring section to enter a CloudWatch alarm to monitor the progress of runbook workflows that are based on this template. In this blog post, we’re not using monitoring.
15. In Notifications, choose the SNS topic that will be used to notify the template reviewer. In this example, choose Select an existing SNS topic.
Figure 9: Notifications
16. (Optional) In Tags, enter one or more tag key-value pairs for the change template, and then choose Add tag. In this example, for the first tag, for Key, enter environment. For Value, enter production. For the second tag, for Key, enter Weekend shutdown. For Value, enter true.
Figure 10: Tags
17. Choose Save and Preview, and then choose Submit for review.
18. Choose the Templates tab to view your change template request. You’ll see in Figure 11 that it has a status of Pending review.
Figure 11: TemplateCreationBlog with Pending review status
19. This pending request is now in the reviewers’ account waiting for their approval. Sign in as a reviewer. On the Templates tab, choose the change template request.
20. Verify that the change template request is correct, and then choose Approve. If the change template needs any modification, you can choose Reject.
Figure 12: Approve TemplateCreationBlog
21. In Approve change template, enter approval comments, and then choose Approve.
Figure 13: Approve change template
22. On the Templates tab, you can now see the TemplateCreationBlog template has a status of Approved.
Figure 14: Approved change template
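The following added example (not part of the original post or AWS code) audits a change template document against the choices made in the steps above: a standard template, the single runbook AWS-StopEC2Instance, and a first-level approval with approvers and an SNS topic. The function name, the constructed sample document, the placeholder ARN and the placeholder group name are assumptions, and the field names are assumed to follow the Automation.ChangeTemplate document format described in the AWS Systems Manager User Guide.

```python
# Added example: audit a Change Manager template before it is approved.
# SAMPLE_TEMPLATE is constructed; the ARN and approver name are placeholders.
SAMPLE_TEMPLATE = {
    "description": "To create a template for stopping EC2 instances.",
    "schemaVersion": "0.3",
    "emergencyChange": False,   # step 9: Standard change template
    "autoApprovable": False,
    "mainSteps": [{             # step 11: first-level approvals
        "name": "ApproveAction1",
        "action": "aws:approve",
        "inputs": {"EnhancedApprovals": {
            "NotificationArn": "arn:aws:sns:us-east-1:111122223333:example-approvals",
            "Approvers": [{"approver": "ExampleApproverGroup",
                           "type": "IamGroup", "minRequiredApprovals": 1}],
        }},
    }],
    "executableRunBooks": [{"name": "AWS-StopEC2Instance", "version": "1"}],
}


def audit_change_template(doc, allowed_runbooks=("AWS-StopEC2Instance",)):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    if doc.get("emergencyChange", False):
        findings.append("emergency template: not blocked by Change Calendar events")
    if doc.get("autoApprovable", False):
        findings.append("auto-approvable: change requests can skip approvers")
    runbooks = doc.get("executableRunBooks", [])
    if not runbooks:
        findings.append("no runbook specified")
    for rb in runbooks:
        if rb.get("name") not in allowed_runbooks:
            findings.append(f"unexpected runbook: {rb.get('name')}")
    levels = [s for s in doc.get("mainSteps", []) if s.get("action") == "aws:approve"]
    if not levels:
        findings.append("no approval level defined")
    for step in levels:
        ea = step.get("inputs", {}).get("EnhancedApprovals", {})
        approvers = ea.get("Approvers", [])
        if not approvers:
            findings.append(f"{step.get('name')}: no approvers")
        if any(a.get("minRequiredApprovals", 0) < 1 for a in approvers):
            findings.append(f"{step.get('name')}: approver requires zero approvals")
        if not ea.get("NotificationArn"):
            findings.append(f"{step.get('name')}: no SNS topic for approval notifications")
    return findings
```

A reviewer can run this over the template content before choosing Approve in step 20 and reject the template if any finding is returned.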
In this blog post, we showed you how to create and approve a change template request. You can use the approved templates to create change requests. For more information, see Creating change requests in the AWS Systems Manager User Guide.
About the authors
Snehal Nahar is a Senior Technical Account Manager based in Charlotte, North Carolina. She is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games, and watching TV.
Yagya Vir Singh is a Senior Technical Account Manager based in Nashville, Tennessee. He is passionate about AWS technologies and loves to help customers achieve their goals. Outside of the office, he loves to be with his friends and family and spend time outdoors.