Release Notes 4.3 (2401+2401.1)
5 months ago by Alpha Mukhopadhyay
June 24, 2024
FinOps
FinOps Maturity Assessment Name Change
- To eliminate the risk of overlap and avoid confusion with Assessments reports created by executing best practices and controls, the report name FinOps Maturity Assessment – Detailed has been changed to FinOps Governance Review - Detailed and the report name FinOps Maturity Assessment - Executive Summary has been changed to FinOps Governance Review – Executive Summary.
Consolidated Charges with Markup Report Name Change
- To more accurately reflect the capabilities of this report, the report name Consolidated Charges with Markup Report has been changed to Consolidated Charges with Markup/Discount Report.
Daily Cost Report Enhancements
- Updated the visualization of the cost data in Azure, AWS, GCP, and OCI Daily Cost Reports.
- After selecting the tenant, the bar chart will now show the aggregated amount of all the cloud account(s) vertically.
- Dates will be visible for the period being selected.
Monthly Cost by Cloud Account Report Enhancements
- Added up to one year of data visibility (based on data availability) as an option in the report (previously only 6 months of data was available).
- Added a monthly spend cost trend option at the tenant level.
- If an AWS management account is selected, the report will now only show the cost of that management account’s resources.
- Scheduling is now enabled for this report, with “Months” as the dynamic variable and the following options available for users to select from:
- Current Month
- Previous Month
- Last 6 Months
- Last 12 Months
- Introduced Markup Slicer to differentiate the cost between markup and unblended.
Multi-Cloud Cost Trend Report Enhancement
- The Multi-Cloud Cost Trend Report has been updated to display the top 5 Product Categories along with actual cost over the last two months as comparison, instead of the top 15 Product Categories and an aggregated cost amount.
Cost Anomaly Revamp
- Cost impact definition has been simplified. Now, cost impact is calculated as the difference between predicted and actual cost.
- Several backend improvements were applied to present accurate data to the user.
Remediation Feature Control through RBAC
- Remediation RBAC has been cleaned up for consistency; Remediation actions for Cost Optimization recommendations and Budget actions are only available for certain admin roles.
- All other roles can view the remediations and submit them for approval to an integrated ITSM tool.
- Applicable roles who can perform this operation are FinOps Admin, Account Admin, and Tenant Admin.
- For ITSM ServiceNow, the approval workflow is supported only for AWS, Azure, and GCP - RightSizing only.
New and/or Updated FinOps User Roles
- As part of RBAC cleanup, user role names have been added/updated for FinOps. Refer to the table for a list of the available roles.
Role Title | Description |
---|---|
Account Admin | Complete access to all functions including user & roles management. |
FinOps Admin | Access to all FinOps functions. |
Consumer | Access to manage SSO related actions. |
Delegation Admin | Access to delegate FinOps functions to other users. |
FinOps Lite Contributor | Minimal access to enable FinOps functions. |
FinOps Partner Service Admin | Full access to CSP and EA management functions. |
FinOps Practitioner | Access to manage and enable FinOps functions. |
Provider Admin | Access to provide FinOps based functions to other users to govern and manage. |
Tenant Admin | Full access to tenant management functions. |
FinOps Reader | Read-only access to all product pages with respect to FinOps modules. |
SecOps
New Role: SecOps Lite
- Users with the SecOps Lite role can access the following modules:
- Account Governance (for onboarding accounts)
- Security Posture
- Security Dashboard
New/Updated SecOps User Roles
- As part of RBAC cleanup, user role names have been added/updated for SecOps (Security + Compliance). Refer to the table for a list of the available roles.
Role Title | Description |
---|---|
Compliance Admin | Full access to all compliance management functions. |
Compliance Member | Access to manage compliance management functions. |
Account Admin | Complete access to all functions including user & roles management. |
SecOps Admin | Access to all SecOps functions. This is a combination of Security Admin and Compliance Admin roles. |
Consumer | Access to manage SSO related actions. |
Delegation Admin | Access to delegate SecOps functions to other users. |
Provider Admin | Access to provide SecOps based functions to other users to govern and manage. |
Tenant Admin | Full access to tenant management functions. |
Security Admin | Full access to all security management functions. |
SecOps Lite | Minimal access to enable SecOps functions. |
Security Member | Access to manage security management functions. |
SecOps Reader | Read-only access to all product pages with respect to SecOps modules. |
Compliance Notification Integration
- Users can configure notifications for cloud accounts.
- Post-completion of Compliance assessment execution of any global standard for that cloud account, a notification will be triggered for the configured email/webhook on the summary of the execution.
Compliance Schedule Enhancements
- Compliance Schedule now has filters for Cloud Account, Compliance Standard, and Recurrence.
- Search now lists all the columns displayed including Schedule Name, Compliance Standard, Cloud Account, and Recurrence.
Compliance Assessment Report by Region Enhancements
- Added Region field to filter violated resources.
- If a policy has resources in the region with violations, then that policy is violated for that region, and if a control has at least one policy violated, then the control is violated. This can help provide Compliance Status of a cloud account at a region level.
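The region-level rule above, as an added example that is not the platform's own code: a policy is violated in a region if any of its resources there has a violation, and a control is violated if any of its policies is. The row shape, the control/policy/resource names, and the choice to report a region only when it has evaluated resources are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample rows (assumed shape, not platform output): one row per
# evaluated resource -> (control, policy, region, resource, has_violation).
FINDINGS = [
    ("CTRL-1", "POL-A", "us-east-1", "vm-01", True),
    ("CTRL-1", "POL-A", "us-east-1", "vm-02", False),
    ("CTRL-1", "POL-B", "us-east-1", "db-01", False),
    ("CTRL-1", "POL-A", "eu-west-1", "vm-03", False),
    ("CTRL-2", "POL-C", "eu-west-1", "sg-01", False),
    ("CTRL-2", "POL-C", "us-east-1", "sg-02", False),
    ("CTRL-2", "POL-D", "eu-west-1", "kms-01", True),
]


def rollup_by_region(findings):
    """Roll resource results up to policy and control status per region."""
    # Step 1: a policy is violated in a region if ANY of its resources
    # in that region has a violation.
    policy_violated = defaultdict(dict)
    for control, policy, region, _resource, violated in findings:
        key = (control, policy)
        previous = policy_violated[region].get(key, False)
        policy_violated[region][key] = previous or violated

    # Step 2: a control is violated in a region if at least one of its
    # policies is violated there.
    result = {}
    for region, policies in policy_violated.items():
        controls = defaultdict(bool)
        for (control, _policy), violated in policies.items():
            controls[control] = controls[control] or violated
        result[region] = {
            "violated_policies": sorted(p for (_c, p), v in policies.items() if v),
            "violated_controls": sorted(c for c, v in controls.items() if v),
            # Assumption: controls with no evaluated resources in a region
            # are simply absent from that region's result.
            "controls_evaluated": sorted(controls),
        }
    return result


if __name__ == "__main__":
    for region, status in sorted(rollup_by_region(FINDINGS).items()):
        print(region, status)
```

The same policy (POL-A) is violated in one region and clean in another, which is why the region filter can change a control's status for the same cloud account.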
CloudOps
Additional Scope Option for Monitoring and Alerts
- A new scope has been added for AWS and Azure clouds that can be used while creating or updating templates: the Region option for AWS and the Resource Group option for Azure.
- If the user marks region scope template as default, then for any newly discovered resources under the selected cloud account, this takes the highest priority.
- If the metrics are differentiated through tags, then users can prioritize the metrics based on tags.
- Cloud account template with region/resource group and tag-based combination takes the highest priority. Refer to the following list that shows the order of precedence:
- Cloud account template with region/resource group
- Cloud account tag-based templates
- Cloud account template
- Tenant based template with tag
- Tenant based template without tag
- Account based template with tag
- Account based template without tag
Custom Metrics for CloudWatch Agent
- Users can now edit custom metrics for resources that are already available within the system, rather than having to delete and re-create them to apply custom metrics.
- Existing metrics can also be edited to include new resources.
- If the resources of custom metrics need to be synced immediately and users cannot wait for the auto-sync to happen (once every 12 hours), then a manual sync option is also now available. Manual sync can be triggered by users to sync the new resources.
JSON Format Support for Terraform
- Users can now choose between JSON (.json) and Terraform (.tf) formats to save and commit their Terraform template parameters.
New/Updated CloudOps Roles
- As part of RBAC cleanup, user role names have been added/updated for CloudOps. Refer to the table for a list of the available roles.
Role Title | Description |
---|---|
Account Admin | Complete access to all functions including user & roles management. |
CloudOps Admin | Access to all CloudOps functions. |
Consumer | Access to manage SSO related actions. |
Delegation Admin | Access to delegate CloudOps functions to other users. |
Provider Admin | Access to provide CloudOps based function to other users to govern and manage. |
Tenant Admin | Full access to tenant management functions. |
CloudOps Member | Access to manage cloud operations management functions. |
CloudOps Reader | Read-only access to all product pages with respect to CloudOps modules. |
RDS Event Notification Support
- RDS event subscription is supported for:
- DB_Cluster
- Parameter_Groups
- DB_Snapshots
- DBClusterSnapshot
- DB_SecurityGroups
Monitoring Template Status
- Users can now view accurate metric statistics for the selected monitoring template.
Azure Service Health Monitoring
- Monitoring and alert notifications, along with ServiceNow incidents through the platform, are available for integration for all Azure health services.
Added Tag Filter for Azure Inventory Reports
- Added a Tag filter to some Azure Inventory reports, allowing users to select specific, managed, or unmanaged cloud inventory resources based on the defined tags and gain greater flexibility in customizing views based on their specific requirements. The following reports now have the Tag filter available:
- Azure Utilization Based on Metrics
- Azure Resource Health
- Azure Newly Added Resource
New Report – Deleted Resource Report
- Added a new Deleted Resource Report that shows the data of deleted cloud resources for the selected cloud account(s).
Assessments
UX Design Updates
- UX improvements have been applied to align with the platform’s new design system in order to provide a better user experience.
Assessment Filter for List Workload and List Assessment Pages
- Users can apply and save filters as Views that are applied on a particular page.
- Users can select the saved views to load the filters with ease. Filters are specific to user and tenant context, so each user can have their own views saved for the same page.
Add AWS Partner ID
- Users will now be able to update AWS Partner ID while creating an Assessment and can sync with AWS.
Configurable Auto-Assessment (For Onboarding)
- Users will have an option to trigger auto-assessments as part of the Account Governance settings during cloud account onboarding only if the configuration is enabled by them.
- By default, the configuration to trigger auto-assessments after cloud account onboarding is always disabled.
New/Updated Assessments Roles
- As part of RBAC cleanup, user role names have been added/updated for Assessments. Refer to the table for a list of the available roles.
Role Title | Description |
---|---|
Account Admin | Complete access to all functions including user & roles management. |
Assessment Admin | Full access to assessment trigger and reports visibility. |
Consumer | Access to manage SSO related actions. |
Delegation Admin | Access to delegate Assessment functions to other users. |
Provider Admin | Access to provide Assessment based functions to other users to govern and manage. |
Tenant Admin | Full access to tenant management functions. |
Assessment Member | Access to read and manage assessment reports with limited access. |
Assessment Reader | Read-only access to Assessment reports. |
Assessment Approver | Able to approve and manage Assessment reports. |
Workload Owner | Access to setup and manage workloads. |
Core
Account Governance Dashboard and Enhancements
- The Account Governance landing page and dashboard have been majorly re-designed to improve the user experience and add a slew of additional functionalities, as described below.
- This page also now includes Cloud Providers and Integrated Tools as sub-menus.
- Unified Status & Governance Settings Page – Find all status and governance settings conveniently located in one unified page:
- Cloud Account Onboarding Status: Track the onboarding status of a cloud account and get insights on failures, as well as access to help docs to fix any reported issues.
- Feature Status: Stay informed about the statuses of different product-level features once onboarding is completed.
- Processing Status & Re-run: Monitor the processing status and re-run tasks as needed for optimal performance.
- Governance Configuration Settings: Easily configure governance settings to meet your specific requirements.
- Intuitive New UI with Cloud Provider Tabs, Insights Cards, and Enhanced Table View
- Implemented a re-designed user interface and access to only specific cloud provider tabs when onboarding respective cloud accounts for more efficient navigation and a seamless user experience.
- Insights Cards provide call-to-action filters, facilitating streamlined data visualization in the Account Governance dashboard.
- The enhanced table view will provide updated fields for comprehensive cloud account management with dynamic query filters:
- Dynamic Query Filter: Easily filter data dynamically with our query filter feature.
- Custom Tags Option: Tailor your experience with customizable tags.
New Cloud Account Onboarding Flows
- Cloud Account Onboarding Step-by-Step Flow:
- Introduced a new step-by-step flow to guide users through the cloud account onboarding journey, facilitating easy navigation between pages.
- New cloud account onboarding flows have been created for the following cloud account types:
- AWS Management Account
- AWS Member Account
- Azure Enterprise Agreement Account
- Azure Microsoft Partner Agreement (CSP Direct) Account
- Azure Subscription Account
- GCP Cloud Billing Account
- GCP Linked Project Account
- GCP Parent Billing Account
- OCI Tenancy
- Enhanced Governance Configuration:
- Improved governance configuration settings to offer greater flexibility and control.
- Prerequisites Page for Access Permissions:
- Implemented a dedicated Prerequisites page/step as part of the new cloud account onboarding flow to offer comprehensive guidance on setting up the right access permissions as per user requirements.
- This page enhances clarity and ensures users have the necessary access permissions configured correctly before proceeding further.
- In-Page Help Videos:
- Integrated informative help videos directly within relevant pages to assist users in understanding complex concepts or processes and enhance the user experience.
- Auto-Populated Cloud Account Name:
- Cloud account aliases are automatically populated from the cloud provider side, reducing manual entry and ensuring accuracy.
- Optional Additional Settings:
- Made certain settings optional, allowing users to expedite the onboarding process by defaulting or configuring fields after cloud account onboarding.
- This flexibility accelerates the onboarding process while still providing users with the option to fine-tune settings as needed.
Integrated Tools Dashboard and Onboarding
- Users can now onboard integrated tools under Settings (Settings > Integrated Tools).
- The Integrated Tools dashboard, which displays onboarded integrated tool accounts, has had a major re-design and is now located under the Account Governance dashboard page (Governance > Account Governance > Integrated Tools).
- The new Integrated Tools dashboard features the following noteworthy changes:
- Enhanced UI to improve user experience.
- New onboarding flows added for tool accounts.
- Two tabs for Manage Tools Accounts and Tools Dashboard, which display an overview of all onboarded tool accounts and tool-specific dashboard views, respectively.
Integrated Tool Options Available
- The following integrated tools will be available to onboard as part of phase one in release 4.3 - 2401:
Tool Group | Tool Name | Tool Version |
---|---|---|
ITSM | ServiceNow – Configuration Management & Incident Management | Washington DC |
ITSM | Zoho ServiceDesk | Support any version |
Configuration Management | Azure_Devops | Support any version |
Monitoring | Azure_Security_Graph | Support any version |
Monitoring | Azure_Sentinel | Support any version |
Monitoring | App_Insights | Support any version |
Source Code Management | GitHub | Support any version |
Vulnerability Assessment | Tenable_Nessus | Support any version |
- The following integrated tools will be deprecated as part of release 4.3 – 2401:
Tool Group | Tool Name |
---|---|
Application | SkypeForBusiness |
Application | Canvas-LMS |
Baremetal | Cobbler |
Configuration Management | Chef |
Monitoring | sFlow-RT |
Monitoring | CloudFlare |
Monitoring | Hyperic_HQ |
Monitoring | PRTG |
Monitoring | Anomaly_Detector |
NFV | Vyatta_vRouter |
Patch Management | Spacewalk |
SDN | OpenDayLight |
Product Bundles
- Updated product bundles are included in this release with the following products included:
New Bundle Name | Products Included |
---|---|
FinOps | FinOps |
SecOps | SecOps |
Assessment | Assessment |
Governance | FinOps, SecOps, CloudOps |
Governance+ | FinOps, SecOps, CloudOps, Assessments |
Role Template Details
- There are some existing roles that have been migrated to equivalent roles or new roles. Refer to the following list for details:
Existing Roles | New Roles |
---|---|
Cost Admin | FinOps Admin |
Ops Member | CloudOps Member |
Finance | FinOps Practitioner |
Finance Member | FinOps Practitioner |
FinOps Engg Lead | FinOps Practitioner |
FinOps Executive | FinOps Practitioner |
FinOps IT Finance Manager | FinOps Practitioner |
FinOps Procurement | FinOps Practitioner |
FinOps Product Owner | FinOps Practitioner |
Partner Service Member | FinOps Partner Service Admin |
Security Lite | SecOps Lite |
FinOps Lite Contributor | FinOps Lite |
Ops Admin | CloudOps Admin |
Tag Governance Enhancements
- Users with different roles can now create baselines.
- Role-based view/edit actions are available for baselines.
- Support added for partial posture generation. Users can trigger partial posture generation based on their role and permissions.
Tag Governance – Support for Additional GCP Resource Types
- Support for the following GCP resource types has been added in Tag Governance:
- Cloud DNS
- VPC
- Memory Store
- File Store
- Cloud Deployment Manager
- Cloud Composer
- Artifact Registry
- Storage Disks
- Logging
- Certificate Authority Service
- Cloud Healthcare API
- Cloud Key Management Service
- Dataproc
- Data Fusion
Account Info Page Updates
- On the Account page, under the Settings menu option, users can now view basic account information for the logged in user, including two new fields:
- Product Bundle: Displays the product bundle that has been created by the Account Master.
- Product(s): Displays the product(s) offered by the bundle.
Share Report Feature Enhancement in Analytics Report
- While sharing analytics reports, users can now apply additional account filters while sending the email. This will help provide granular details.
- The recipient of the report with applied filters will only see the restricted data.
- The recipient of the report will be able to change data in the filters (filter is enabled).
- UX improvements have been made to align with the platform’s new design system to provide a better user experience.
Share View Feature in Analytics Report
- Users can share a report view via an email by entering email address(es). This will enable broader access to customized insights from views without requiring them to create it again for all users.
- The recipient of the report with a view applied will only see the restricted data.
- The recipient of the report will not be able to change data in the filters (filter is disabled).
RBAC – View and Read
- Moving forward, users will not see the View option displayed in the actions for role policies; instead, they will only see Read as the sole option, which will allow them to read and view the pages.
Cloud Account Offboarding
- Users can delete the account completely from the platform if the account is no longer required.
- When an account is in Inactive state, data processing is stopped for such accounts.
- The Delete action moves the data to an archived state, and the transient or temp data associated with the account will be hard deleted.
Email Address Configuration Post Onboarding
- New users will have to manually configure the email notifications section to receive notifications.
- Existing users will receive email notifications for their cloud accounts without having to manually configure it in the notifications section.
Azure Bastions Service Integration
- Added Azure Bastions service integration for the following:
- Inventory
- Alerts
- Activity
- Management Actions
- Tagging Governance
- Utilization Metrics
- Relationship Enabled
Sync Logs for ServiceNow CMDB
- Users can now view sync log details after enabling CMDB for ServiceNow integrations (sync logs will be enabled by default).
- The CMDB sync logs can be used for trace-back and troubleshooting purposes.
CMDB – Configuration Export
- To configure resources under the resource hierarchy, users can use the export option and then use external APIs to configure the CMDB. This is an interim solution and will save the tedious effort of configuring resources.
Incidents for Different Assignment Groups
- While onboarding ServiceNow accounts, mapping of incidents for assignment groups can be made based on Cloud Provider, Product Category, Resource Type, and Resource.
- After the configuration is made for an assignment group, users can reconfigure the same mapping for other resources, excluding the resources that were configured earlier.
- Users can edit, view, and delete the saved attributes.
Dynamic Field Value for Incident Integration
- Dynamic field mapping to be supported while integrating incidents with ServiceNow.
- While creating an incident, the configuration item CMDB Sys ID can be mapped with an alarm in the resource location and involves mapping of resource to Compute Engine, BigQuery, etc.
CMDB – Additional Support
- All the CMDB support details related to GCP services are available now.
Multiple Alarms Suppression
- Users can now suppress alerts from native tools by disabling alert configuration rules, preventing the creation of any ITSM tickets.
Mismatch in Inventory and Tagging Governance
- The resource count mismatch between Inventory and Tagging Governance has been fixed for AWS, Azure, and GCP cloud providers.
Bugs Fixed
- A full list of bug fixes will be provided in the official release.
FinOps Bug Fixes
- Cost Optimizer: Fixed issue where confirmation email was not being sent after remediate actions failed in ServiceNow after being submitted for approval.
- Optimize Rate: Fixed an issue where Azure Hybrid Benefit showed as disabled in the settings when it was actually enabled.
- Cost Posture: Fixed an issue where some tag key(s)/value(s) were missing when selecting the top 10 tags.
- Cost Posture: Fixed an issue where irrelevant reports were being shown when the Tenant View was selected.
- Markup & Discounts: Fixed an issue where the cost shown in the Day field was wrong and the calculated cost did not match the cost shown in the Cost Posture section.
- Markup & Discounts: Fixed an issue where the Forecast Cost was showing as $0 when enabling Markup & Discounts.
External APIs
- To see the external APIs which have been added, modified, and removed in this release, refer to the following:
- To see all the available external APIs, refer to: https://docs.corestack.io/reference/authtoken
Known Issues
The APIs below are not working as expected. We will try to fix them before the next release:
- RBAC – Show Menu: Templates and Product bundles related policies will now have an additional action called Show Menu, which when selected will enable the users to show the particular menu option on the page even when Read is selected. The users still have the privilege to not choose Show Menu and just take up Read if they do not wish to see the menu shown (this option is a temporary fix, and we will move away from the Show Menu option to encompass only the Read option in the upcoming releases).
- RBAC – Navigation Menu Accessible to Tenants: Users with multiple tenants, each with different roles assigned, will now see the left navigation menu for all the roles if any one of the tenants has a role granting access to all the pages (such as Account Admin or Tenant Admin). In this scenario, even tenants with the lowest level of permissions will now be able to see the menus they previously didn't have access to. However, if they attempt to access a menu that is still inaccessible to them, they will automatically revert to the permissions of the tenant that has access to that menu.
- On the Executive Dashboard, if users select the parent accounts for GCP, EA, and CSP cloud providers in the Cloud Account drop-down filter, then they can see null data for all widgets. Users can view actual data through ED-posture parity.
- RBAC: When a user creates a custom role and tries to onboard an account using that role, it will not be listed in the Account Governance dashboard. The workaround is that the user must go back to the custom role and edit it to add the service account, after which they will see it listed.
- Azure EA: We request that users ensure any individual Subscriptions that are part of the Azure EA root account have not already been onboarded when onboarding the Azure EA root account. If you want all Subscriptions to be part of the Azure EA root account after onboarding it, please remove any individual Subscription first, then onboard the Azure EA root account. If an individual Subscription has already been onboarded and is not required to be part of the EA root account, you can still onboard the EA root account without mapping the Subscription to it. Please note that individual Subscriptions show PAYG costs, while Subscriptions onboarded under the EA root will reflect costs according to rates applied in the EA root account.
- Azure Real Time Threats: Post real-time threat configuration, the real-time threat data is not getting updated on Threat Posture after threat occurrence. The threat data will get updated as part of the periodic sync on posture.
- Idle Recommendation: Post this release, the Idle Recommendation page (Cost > Cost Optimizer > Optimize Usage > Manage Idle) will continue to display the static threshold values from the platform-defined thresholds, rather than the customized threshold values used by the users for resources across AWS, Azure, GCP, and OCI. This issue is applicable only for Instances/Virtual Machines.
- Account Governance: While switching from one tenant to another with the Delegation Admin role, users can view the Account Governance page without any error message being displayed. Ideally, an error message should be displayed while the Delegation Admin role is trying to view the Account Governance page.
- Feature Settings: For accounts that have the CloudOps and SecOps products enabled during onboarding, the CloudOps and SecOps tabs in the Cloud Account Governance page will not show settings for Azure Sentinel and Tenable Nessus tools. In order for the user to add tool accounts, they would need to go to the Settings menu and edit the tool account details to make any changes.
- On the Cloud Account Governance page, no option for alert configuration is available for the FinOps product.
- Region Selection: While onboarding AWS cloud accounts by selecting a specific region, users sometimes get a permission error even though they have the right permissions for that region.