Tim by Taloflow

Welcome to Tim's documentation

Taloflow Infra Monitor, or Tim, is a DevOps product to help technical teams drastically reduce their cloud management overhead. Tim helps reduce MTTR on cost incidents, and encourages better release planning and more efficient cloud architecture.

Advanced Integration (Manual)

Learn how to connect Tim to your AWS account. Tim connects to your AWS account through IAM Roles. You'll also need to turn on hourly AWS Expense Reports and forward CloudWatch events to Tim.

Permissions

Taloflow's AWS account will talk to your account through IAM Roles that limit what Tim has access to. Here are some things you should know about the Roles we require:

  • Tim does not become a User within your AWS account.
  • The Role is not authorized to add or modify any code.
  • Tim's event listener is registered to yours so we can listen to specific events.
  • The Role itself is an identity that has the required permissions.
  • The Role is not authorized to read data or even the log files.
  • The Role is not authorized to perform actions.
  • The Cost Report Tim accesses can be limited to a sub account by following these additional steps.

Access Setup

Step 1: Create an AWS Cost and Usage Report

Billing authorization prerequisite

If you lack access to AWS Billing, please ask your AWS administrator to do this for you or ask them to change the permissions for your account before moving on:

  1. In the IAM Console, go to Users in the left navigation pane.
  2. Click on the individual's account.
  3. In the next screen, select the tab Attach existing policies directly.
  4. Search or filter for Billing permissions, then select and apply it to the individual's account.

  • Sign in to the AWS Management Console and open the Billing and Cost Management console.
  • In the navigation pane on the left, choose Cost & Usage Reports under Cost Management.
  • Click Create report.
  • Give your Cost Report a name. For example, general-cost-report.
  • Make sure that both Include resource IDs and Data refresh settings are checked.
  • Click Next.

[Screenshot: Create report content]

  • Under Delivery options, select the S3 bucket where your Cost Reports currently reside and click Verify OR Create a new bucket if you do not currently have one for the Cost Report.
  • If you get a prompt to add a Default Bucket Policy, accept it.

Please ensure you create a top level bucket

Please ensure that you create a new top level bucket for your Cost Reports and that you don't nest a Cost Reports Folder inside another existing folder in your S3 Bucket.

Please write down the name of your S3 bucket somewhere - you'll need it later.

  • We recommend you create a path prefix in the next field. For example, main.
  • Please ensure that you've selected Hourly, GZIP and Create New Report Version in the options.
  • Click Next.

[Screenshot: Delivery options page]

  • In the following page, please make note of the Report path prefix. Ignore what's between the last two slashes. In our example, the appropriate prefix is main/general-cost-report/.
  • Once noted down, click Review and Complete.

Please write down the Report path prefix - you'll need it later.

[Screenshot: Finding the Cost Report Path]

Step 2: Create an IAM Role for Tim

  • Sign in to the AWS Management Console and open the IAM console.
  • In the navigation pane of the IAM console, choose Roles.
  • Click Create role.

[Screenshot: Create role]

  • For the type of Trusted Entity, select Another AWS Account.
  • Under Account ID, add Tim's AWS account ID: 845897643164
  • Check the option Require external ID and enter tim-ext-id. (You can use any External ID you like, but Role setup keys and External IDs cannot contain $ or #.)
  • Click Next: Permissions.

Please write down your Role setup key / External ID somewhere - you'll need it later.
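The trust policy that the console generates for the role above is what decides who may assume it; the two properties worth checking are that Tim's account is the only trusted principal and that the External ID is enforced as a condition, which is the standard defence against the confused-deputy problem in cross-account role assumption. The following is an added example, not part of the Taloflow documentation or product: a small audit function over a trust policy document. The two policy documents in it are constructed samples of the shape the IAM console produces for "Another AWS Account", with and without "Require external ID" checked.

```python
"""Added example (not from the Taloflow docs): audit a cross-account trust policy.

Checks that only the expected account can assume the role and that the
sts:ExternalId condition is present and matches the Role setup key."""
import json

TIM_ACCOUNT_ID = "845897643164"  # Tim's AWS account ID as given in Step 2
EXTERNAL_ID = "tim-ext-id"       # the example Role setup key from Step 2

# Constructed sample of the trust policy you want: only Tim's account, External ID required.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TIM_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
})

# Constructed sample of a weak trust policy: "Require external ID" was left unchecked.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TIM_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM lets many fields be a bare string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def external_id_is_allowed(external_id):
    """Step 2 notes that Role setup keys / External IDs must not contain $ or #."""
    return bool(external_id) and not any(ch in external_id for ch in "$#")


def audit_trust_policy(policy_json, expected_account, expected_external_id):
    """Return a list of findings; an empty list means the trust policy is as expected."""
    findings = []
    if not external_id_is_allowed(expected_external_id):
        findings.append("external ID contains $ or #, which the setup does not permit")
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # not an assume-role grant
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        trusted = _as_list(principal.get("AWS", []))
        if "*" in trusted:
            findings.append("statement lets any AWS principal assume the role")
            continue
        for arn in trusted:
            # Trusted principals look like arn:aws:iam::<account>:root or a bare account ID
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account != expected_account:
                findings.append(f"unexpected trusted account {account}")
        condition = stmt.get("Condition", {})
        ext_id = condition.get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        elif ext_id != expected_external_id:
            findings.append(f"external ID mismatch: {ext_id!r}")
    return findings


if __name__ == "__main__":
    for name, policy in (("good", GOOD_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, audit_trust_policy(policy, TIM_ACCOUNT_ID, EXTERNAL_ID) or "OK")
```

Run it against the trust policy shown on the role's Trust relationships tab; anything other than an empty list means the role can be assumed by someone other than Tim's account, or without the Role setup key.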

[Screenshot: Add Tim as a Trusted Entity]

  • In the next screen, click on Create policy. This opens a new browser tab. Please make sure to keep both browser tabs open.
  • In the new browser tab, select the JSON tab, copy and paste the following JSON snippet into the JSON field, and make the following changes:
  • Replace [INSERT-BUCKET-NAME] in the two places it appears in the JSON with the name of the S3 bucket your Expense Reports are delivered to, for example costreportbucket2. (Make sure the square brackets are removed.)
  • Replace [INSERT-ACCOUNT-ID] with your AWS Account ID in the one place it occurs, for example 158436883414. Your AWS Account ID can be found here.

Please write down your AWS Account ID somewhere - you'll need it later.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TaloflowS3xExpenseBucket0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::[INSERT-BUCKET-NAME]",
                "arn:aws:s3:::[INSERT-BUCKET-NAME]/*"
            ]
        },
        {
            "Sid": "TaloflowCostAndUsageMetrics0",
            "Effect": "Allow",
            "Action": [
                "autoscaling:Describe*",
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:List*",
                "cloudwatch:ListMetrics"
            ],
            "Resource": "*"
        },
        {
            "Sid": "TaloflowResourceInformationMetrics0",
            "Effect": "Allow",
            "Action": [
                "autoscaling:Describe*",
                "ec2:Describe*",
                "ec2:DescribeInstanceStatus",
                "sns:Get*",
                "sns:List*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "TaloflowAutoSetupRuleForEventMapping",
            "Effect": "Allow",
            "Action": [
                "events:EnableRule",
                "events:DisableRule",
                "events:PutEvents"
            ],
            "Resource": [
                "arn:aws:events:us-east-1:845897643164:event-bus/default"
            ]
        },
        {
            "Sid": "IAMPassRoleForCloudWatchEvents",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::[INSERT-ACCOUNT-ID]:role/InvokeTaloflowEventBusRole"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/events.amazonaws.com/AWSServiceRoleForCloudWatchEvents*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "events.amazonaws.com"
                }
            }
        },
        {
            "Sid": "TaloflowPricing000",
            "Action": [
                "pricing:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "TaloflowTagging000",
            "Action": [
                "tag:GetTagKeys",
                "tag:GetTagValues",
                "tag:GetResources",
                "tag:AddResourceTags",
                "tag:RemoveResourceTags",
                "tag:TagResources",
                "tag:UntagResources"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Replace [INSERT-BUCKET-NAME] and [INSERT-ACCOUNT-ID] in the JSON

Please ensure that you replace the placeholder bucket name (which appears twice) with your own bucket name, and the Account ID placeholder (which appears once) with your AWS Account ID. Otherwise you'll get a failed legacy parsing error in the following step.

  • Click Review policy.
  • In the following screen, give the Policy this name: taloflowInstructionProcessorPolicy
  • Scroll down and click Create policy.

[Screenshot: Create Instruction Processor Policy]

Invalid policy name

Please ensure that there are no spaces before or after the policy names you add.

  • Now, switch back to the Roles browser tab you had open.
  • Under Attach permissions policies, search for the taloflowInstructionProcessorPolicy you just created and make sure it's selected. If it doesn't show up, click the refresh button above the table's top right corner and the new policy should appear.
  • Click Next: Tags to move on to the Review page.

[Screenshot: Attached permissions policies]

  • For the Role name field, give the role the name taloflowInstructionProcessorRole
  • Click Create role.

[Screenshot: Create Instruction Processor Role]

Step 3: Finding the Instruction Processor Role ARN

  • Click on Roles in the left navigation pane of the IAM console and click on the hyperlink for your newly created taloflowInstructionProcessorRole.
  • In the Role overview page, make note of the Role ARN.

Please write down the Instruction Processor Role ARN somewhere - you'll need it later.

[Screenshot: Finding the Role ARN]

Step 4: Add a Second IAM Role for Tim

  • Sign in to the AWS Management Console and open the IAM console.
  • In the navigation pane of the console, choose Roles and then choose Create role.
  • This time, choose the AWS service role type.
  • Scroll to the bottom and select CloudWatch Events.
  • Under Select your use case, click on CloudWatch Events so that it's highlighted in blue.
  • Then click Next: Permissions, Next: Tags, and then Next: Review.

[Screenshot: Select CloudWatch Events (twice)]

  • In the Review page, give the Role the name taloflowInvokeEventBusRole (making sure there are no spaces before or after).
  • Click Create role.

[Screenshot: Create Event Bus Role]

  • Under the Roles page, search for and click the hyperlink for the newly created taloflowInvokeEventBusRole.
  • Click on Add inline policy.
  • Select the JSON tab, and copy and paste the following JSON snippet into the JSON field (you will not need to make any changes):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "events:PutEvents",
            "Resource": "arn:aws:events:*:845897643164:event-bus/default"
        }
    ]
}

  • Click Review policy.
  • In the following screen, give the Policy this name: taloflowInvokeEventBusPolicy
  • Scroll down and click Create policy.

Step 5: Edit the S3 Default Bucket Policy

  • Sign in to the AWS Management Console and click on the Services tab in the top navigation bar.
  • Search for and select S3 from the menu.
  • In the S3 page, click on the bucket with the Cost Report (the one you selected in Step 1).
  • Click Permissions, then Bucket Policy, and then click Edit Policy.
  • Paste the JSON statement below into the existing Policy (you are modifying the default policy added in Step 1) and replace [INSERT-BUCKET-NAME] and [INSERT-ACCOUNT-ID] with the name of this bucket and your Account ID.

Inserting modification into existing bucket policy

Please paste the JSON statement below into the existing bucket policy immediately after the closing curly bracket " } " of the last existing statement, so that it still sits inside the square brackets " [ ... ] " of the Statement array. The leading comma in the snippet separates it from the previous statement.

,{
    "Sid": "Stmt1540642168130",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::[INSERT-ACCOUNT-ID]:role/taloflowInstructionProcessorRole"
    },
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [
        "arn:aws:s3:::[INSERT-BUCKET-NAME]/*",
        "arn:aws:s3:::[INSERT-BUCKET-NAME]"
    ]
}

Please write down the region of this S3 bucket somewhere (e.g. US East 1 - US East (N. Virginia)) - you'll need it later.

Recommended: Assign a Lifecycle Policy of 5 days to your S3 Bucket

By default, Taloflow stores your past reports so that less recent reports (more than 5 days old) do not increase your bill for S3.

Step 6: Forward CloudWatch events to Tim

You will need to set up your AWS account to forward CloudWatch events to Tim's AWS account. The information forwarded is the EC2 events, including instance IDs and whether the instances are on or off.

  • Click on the Services tab in the top navigation bar of the AWS console.
  • Search for and click CloudWatch.
  • Click on Rules under Events in the left navigation pane and then click Create rule.
  • Under Event Source, make sure that Event Pattern is the selected option.
  • Click Edit in the Event Pattern Preview text area, copy and paste the following snippet into the pop-up text area, and click Save.

{
  "source": [
    "aws.ec2"
  ],
  "detail-type": [
    "EC2 Instance State-change Notification"
  ]
}

  • To the right of the screen, click Add target.
  • In the drop-down selector, scroll down and select Event bus in another AWS account.
  • In the Account ID field, add Tim's AWS account ID: 845897643164
  • Just below, select Use existing role.
  • Under Use existing role, search for and select the taloflowInvokeEventBusRole you created earlier.
  • Scroll down and click Configure details to move on to the next page.

[Screenshot: Create Event Bus Rule]

  • Give the Rule the name taloflowInvokeEventBusRule and click Create rule.
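The event pattern above is what limits the rule to EC2 instance state changes, so it is also what limits what leaves your account for Tim's event bus. The following is an added example, not part of the Taloflow documentation or product: a minimal matcher for the subset of EventBridge pattern syntax the rule uses (nested keys with lists of exact values; no prefix, numeric or anything-but matching), run over constructed sample events in the EventBridge envelope format, to show which events would be forwarded and which the rule leaves alone. Event IDs, the account number and instance IDs are made up.

```python
"""Added example (not from the Taloflow docs): show what the Step 6 rule forwards.

matches_pattern() implements exact-value matching for the pattern used in
Step 6; forwarded_instance_states() pulls out the fields Tim receives."""

# The event pattern from Step 6
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
}

# Constructed sample events in the EventBridge envelope format (IDs and account are made up)
SAMPLE_EVENTS = [
    {
        "version": "0", "id": "evt-1", "account": "111122223333", "region": "us-east-1",
        "source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
        "time": "2020-01-01T10:00:00Z",
        "detail": {"instance-id": "i-0abc111111111111a", "state": "running"},
    },
    {
        "version": "0", "id": "evt-2", "account": "111122223333", "region": "us-east-1",
        "source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
        "time": "2020-01-01T11:00:00Z",
        "detail": {"instance-id": "i-0abc111111111111a", "state": "stopped"},
    },
    {   # same source, different detail-type: not forwarded
        "version": "0", "id": "evt-3", "account": "111122223333", "region": "us-east-1",
        "source": "aws.ec2", "detail-type": "EC2 Spot Instance Interruption Warning",
        "time": "2020-01-01T12:00:00Z",
        "detail": {"instance-id": "i-0abc222222222222b", "instance-action": "terminate"},
    },
    {   # different source entirely: not forwarded
        "version": "0", "id": "evt-4", "account": "111122223333", "region": "us-east-1",
        "source": "aws.s3", "detail-type": "Object Created",
        "time": "2020-01-01T13:00:00Z",
        "detail": {"bucket": {"name": "costreportbucket2"}},
    },
]


def matches_pattern(event, pattern):
    """Every key in the pattern must be present in the event, and the event's value
    must equal one of the listed values; nested dicts are matched recursively."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches_pattern(value, allowed):
                return False
        elif value not in allowed:
            return False
    return True


def forwarded_instance_states(events, pattern=EVENT_PATTERN):
    """Return (instance-id, state) for each event the rule would forward."""
    return [
        (e["detail"]["instance-id"], e["detail"]["state"])
        for e in events
        if matches_pattern(e, pattern)
    ]


if __name__ == "__main__":
    for instance_id, state in forwarded_instance_states(SAMPLE_EVENTS):
        print(f"forwarded: {instance_id} is {state}")
```

If you later tighten the pattern (for example to a list of specific states under "detail"), the same function evaluates the narrower rule, which is a quick way to confirm that only the intended events cross the account boundary before editing the rule in the console.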

Step 7: Share setup information with Taloflow

Once you've completed the above steps, please share the following with Tim: tim@taloflow.ai

Required Information                         Example
Role ARN for the InstructionProcessorRole    arn:aws:iam::629404546125:role/taloflowInstructionProcessorRole
S3 Bucket Name                               costreportbucket2
Cost Report Directory                        main/general-cost-report/
AWS Account ID                               629404546125
AWS Region                                   us-east-1 or N. Virginia
Role setup key / External ID                 tim-ext-id

To find the AWS Region that Tim needs, please make sure you are using the region of the S3 bucket where the Cost Report is delivered.

Once you've shared the above, the Taloflow team will set up your account and confirm when you can get started!
