epam cloud orchestrator. maestro cli admin utility · 2018. 3. 24. · epam cloud orchestrator...
Legal Notice: This document contains privileged and/or confidential information and may not be disclosed, distributed or
reproduced without the prior written permission of EPAM®.
EPAM Cloud Orchestrator
Maestro CLI Admin Utility
Admin Guide
February 2021
Version 2.6
EPAM Cloud Orchestrator. Maestro CLI Admin Utility
EPAM PUBLIC 2
CONTENTS
Preface
About this Guide
Audience
Structure of the Guide
Documentation References
1 Introduction
2 General
2.1 Maestro CLI Admin Utility Purpose
2.2 Connecting to Admin Utility
2.3 File Upload
3 Maestro CLI Use for Project Management
3.1 Refreshing Project Status
3.2 Migrating Instance to CSA
3.3 Setting Checkpoint Quota for Project
3.4 Setting Volume Quota for Project
3.5 Setting Instance Quota for Project
4 Using Admin Utility
4.1 Basic Principles
4.2 Maestro CLI Admin Utility Help
4.3 Command Execution
4.4 Asynchronous Commands
4.5 Command Output
5 Command Groups
5.1 General
5.1.1 SHOW
5.1.2 SUBSCRIPTION
5.1.3 ACCOUNT
5.1.4 SETTINGS
5.1.5 ORCH
5.1.6 INIT
5.1.7 INTEGRITY
5.1.8 CLI
5.1.9 STATUS
5.2 Security
5.2.1 ADMIN
5.2.2 PERMISSION
5.2.3 SECURITY
5.2.4 USER
5.2.5 LUMINATE
5.2.6 QUALYS
5.3 Infrastructure
5.3.1 ZONE
5.3.2 PROJECT
5.3.3 INSTANCE
5.3.4 VOLUMES
5.3.5 IMAGE
5.3.6 RESOURCES
5.3.7 RABBIT
5.3.8 RADAR
5.4 Billing
5.4.1 BILLING
5.4.2 PRICING_POLICY
5.4.3 TIMELINE
5.5 AWS
5.5.1 AWS
5.5.2 AWS_SECURITY
5.5.3 AWS_RI
5.5.4 AWS_S3
5.5.5 AWS_WORKSPACE
5.5.6 TEMPLATE
5.6 AZURE
5.6.1 AZURE
5.7 GOOGLE
5.7.1 GOOGLE
5.8 CSA, HP OO, OpenStack (PRIVATE CLOUD)
5.8.1 CSA
5.8.2 HPOO
5.8.3 OPEN_STACK
5.8.4 HARDWARE
5.8.5 ENTERPRISE
5.8.6 EXOSCALE
5.9 PaaS
5.9.1 PAAS
5.9.2 CHEF
5.9.3 DOCKER
5.10 TEMP
6 Maestro CLI Admin Utility – Use Cases
6.1 AWS – Administration Cases
6.1.1 AWS Zone Creation
• Zone Creation
• Zone Virtual Profile Configuration
• Adding Machine Images to AWS Zone
• Setting Cost Center for AWS Zone
6.1.2 Project Activation in AWS
• EC2 Instance Role Configuration
• SSO Configuration
• SSO Roles Configuration
• AWS Policy Management
• IAM Role Group Configuration
• Security Groups Configuration
• Security Groups Backup
• CloudTrail Service Activation
6.1.3 Access to AWS
6.1.4 AWS Organizations
6.1.5 Reserved Instances
• Displaying Reserved Instances
• Modifying Reserved Instances
• Displaying Reserved Instance Offerings
• Purchasing Reserved Instances
6.2 Microsoft Azure – Administration Cases
6.2.1 Azure Zone Creation
• Azure Enrolment Setup
• Zone Creation
• Setting Cost Center for Azure Zone
• Adding Machine Images to Azure Zone
6.2.2 Activating a Project in Microsoft Azure
• Project Activation
• Network Configuration
• Configuration Check
6.3 CSA – Administration cases
6.3.1 CSA Zone Creation
• CSA Zone Creation
• Orchestration Instance Assignment to CSA Zone
• Setting Cost Center for CSA Zone
• Adding Shapes to CSA Zone
6.3.1 Activating a Project in CSA
6.3.2 Reimporting Instances to CSA
• CSA Subscription Deletion
• Instance Restoring to CSA
• Subscription Synchronization
6.4 Google Cloud Platform – Administration Cases
6.4.1 Google Account Configuration
6.4.2 Google Account Entity in Orchestrator Database
6.4.3 Adding Google Zones
• Retrieving Google Zones
• Adding Google Zones
• Editing Google Zones
6.4.4 Project Activation in Google Cloud
6.4.5 Adding Images in Google Cloud
• Retrieving Google Public Images
• Adding Google Images
6.4.6 Custom Image Creation in Google Cloud
6.4.7 Public and Static IPs
6.4.8 Volumes in Google Cloud
6.4.9 Google IAM Users
• Temporary Users
• Ordinary IAM Users
• System IAM Users
6.4.10 Other
• Init Scripts
• Interactive Operations
6.5 OpenStack – Administration Cases
6.5.1 OpenStack Controller Hosts
6.5.2 OpenStack Hosts and Host Aggregates
6.5.3 OpenStack Zone Management
• Zone Creation
• Zone Editing
• Retrieving the List of OpenStack Zones
• Orchestration Instance Assignment to OpenStack Zone
• Adding Shapes to OpenStack Zone
• Shape Management in OpenStack
• Adding Machine Images to OpenStack Zone
• Machine Image Management in OpenStack
• Custom Image Management in OpenStack
• Push Notifications Configuration
• Enabling Notifications
• Pricing Policy Creation for OpenStack Zone
• Setting Cost Center for OpenStack Zone
6.5.1 Project Activation in OpenStack
• Personal Projects in OpenStack
6.5.2 OpenStack Networking
6.5.3 DNS Name Creation in OpenStack
6.5.4 OpenStack Metadata
6.5.5 OpenStack Recycle Bin
• Recycle Bin Creation
• Recycle Bin Management
• Management of Resources in Recycle Bin
6.5.6 OpenStack Instance State
6.5.7 Other
• Volume Errors
• Shape Change on OpenStack
6.6 Simple User Configuration
6.6.1 User Creation
6.6.2 User Assignment to Project
6.6.3 Permission Assignment
6.6.4 Permission Update
Annex A – Admin CLI Commands Usage in Different Virtualization Platforms
Annex B – Admin CLI Commands Requiring File Upload
Annex C – Admin CLI Commands Sending Emails as the Result of Execution
Annex D – AWS-Related Collections in Database
Table of Figures
Version history
PREFACE
ABOUT THIS GUIDE
The Maestro CLI Admin Utility Guide describes the Admin Utility console and the commands used by
Cloud administrators, with their syntax and purpose.
AUDIENCE
This guide is intended for the support and maintenance personnel performing configuration and setup
tasks, maintenance works and assisting users with matters beyond the self-service scope.
STRUCTURE OF THE GUIDE
The guide consists of the following chapters:
Introduction – the brief description of EPAM Orchestrator and its basic concept
General – the description of Maestro CLI Admin Utility purpose and the instructions on connecting to the
Maestro CLI Admin Utility for Windows and Linux operating systems
Maestro CLI Use for Project Management – the description of admin commands existing in Maestro CLI
Using Admin Utility – the description of the basic principles of Maestro CLI Admin Utility usage, the
command string structure and the instructions on using the Maestro CLI Admin Utility help
Command Groups – the list of command groups available in Maestro CLI Admin Utility together with the
brief descriptions of commands within each group
Maestro CLI Admin Utility – Use Cases – the description of several common cases of Maestro CLI Admin
Utility usage with the command examples
Annex A – Admin CLI Commands Usage in Different Virtualization Platforms – the reference table of
commands used for project management in different virtualization platforms
Annex B – Admin CLI Commands Requiring File Upload – the list of commands referring to the content of
previously uploaded files and the description of the file content
Annex C – Admin CLI Commands Sending Emails as the Result of Execution – the list of commands
using email addresses as output for the data obtained as the result of the command execution
Annex D – AWS-Related Collections in Database – the list of collections serving AWS platform with their
descriptions
DOCUMENTATION REFERENCES
EPAM Orchestration is described in detail in a number of documents, focused on different aspects of
Orchestration usage and on different types of users.
You can find these documents on our Documentation page.
The answers to the most frequently asked questions can be found on the FAQ page.
EPAM Cloud terms and conditions are described in our EPAM Cloud Terms and Conditions. Please take
a look at this document in order to avoid misunderstandings and conflicts that may arise during the
service usage.
The terminology of EPAM Cloud and the related products can be found on the Glossary page.
Please email your comments and feedback to EPAM Cloud Consulting at
[email protected] to help us provide you with documentation that is as clear,
correct and readable as possible.
1 INTRODUCTION
Cloud computing is the computing model in which pooled resources and services are generally available
via the Internet and accessible via self-service portals by dynamic assignment to multiple tenants. Cloud
computing systems are characterized by high elasticity, that is, the ability to scale in or out according to
the customers’ demand. Resource usage is charged on the pay-as-you-go basis, for which purpose cloud
computing systems include monitoring, controlling and reporting functionality.
Cloud services made generally available form a public cloud. The same infrastructure deployed for a
single enterprise only comprises a private cloud. Private clouds operate totally within their own secure
environments. Cloud infrastructure having the features of both public and private cloud joined by a
proprietary or standardized technology is described as hybrid cloud.
EPAM Cloud Orchestrator can be characterized as a hybrid cloud, because, in addition to the private
cloud services, it supports integration with external cloud platforms.
According to Forrester’s Vendor Landscape: Private Cloud Software Solutions report, private cloud
solutions fall into three major categories defined by their implementation method and the administration
tools used: Cloud Platforms, combining physical and virtual resources into IaaS cloud environments,
Standalone Cloud Management Tools, managing virtual resources on the basis of public and private
cloud platforms, and Private Cloud Suites, combining the features of the two categories mentioned
above.
EPAM Cloud Orchestrator belongs to Standalone Cloud Management Tools, which can be based on one of
the virtualization platforms (AWS, Microsoft Azure, HP OO, OpenStack or CSA), and performs cloud
management, monitoring, account billing, access management and support.
According to the Private Cloud Software Reference Architecture described in the above-mentioned
Forrester’s report, the Maestro CLI Admin Utility represents the Admin Portal implemented as a
command-line interface. Together with other cloud management components, the Admin Portal forms the
comprehensive Hybrid Cloud Management Solution.
2 GENERAL
For the purposes of project management in EPAM Cloud, a special tool, Maestro CLI Admin Utility, is
used. In addition, certain project management operations are performed using the commands of Maestro
CLI. This document describes options available both in the dedicated Admin Utility and in the Maestro
CLI.
2.1 MAESTRO CLI ADMIN UTILITY PURPOSE
The Admin Utility is a tool for monitoring and maintaining the Cloud infrastructure and the projects hosted
within it, and for providing support and consulting on Cloud project operation and on issues which may
occur from time to time.
2.2 CONNECTING TO ADMIN UTILITY
Connection to the Admin Utility is performed via SSH. To set up your connection, generate a keypair with
the or2addkey Maestro CLI command or any other key generation tool. Once the keypair is generated,
add your domain login ([email protected]) at the end of the public part of the keypair
and send this public part to the Level 3 Support Team, which will register a personal account for you.
Connect to Admin Utility:
- Linux:
ssh -i /path/to/your/private.key -p 2001 [email protected]
- Windows:
1. Convert your Private Key:
• Start PuTTYgen
• Click Load. By default, PuTTYgen displays only files with the extension .ppk. To
locate your .pem file, select the option to display files of all types.
Figure 1 – Locating Private Key
• Select your .pem file from the keypair which you specified when launching your
instance then click Open. Click OK to dismiss the confirmation dialog box.
• Click Save private key to save the key in the format accepted by PuTTY.
PuTTYgen displays a warning about saving the key without a passphrase. Click Yes.
• Specify the same name for the key that you used for the keypair (for example,
my-key-pair). PuTTY automatically adds the .ppk file extension.
2. Start PuTTY (use [email protected] and port 2001). Add your private key in
Connection>SSH>Auth.
2.3 FILE UPLOAD
Some commands use the content of a file during execution. In such cases, the files have to be uploaded
before the command is executed. The files are uploaded using SCP (Secure Copy Protocol), which
transfers files over SSH. To upload a file, use the following command:
scp -P port -i <path-to-keypair-pem-file> local_file_path host:filename
Files are to be uploaded outside the Maestro Admin Utility, that is, before logging in. When specifying
the local path to the file, make sure you are using the relative pathname and not the absolute
pathname, otherwise the file upload will fail.
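The checks below cover the connection and upload steps from sections 2.2 and 2.3 as a shell preflight; this is an added example, not part of the original guide or of Maestro CLI. It assumes the public key is a single OpenSSH-format line, and the function names, sample key, login and host values are constructed placeholders.

```shell
#!/bin/sh
# Added example: preflight checks for the SSH/SCP steps in sections 2.2 and 2.3.
# All names and sample values are hypothetical and constructed for illustration.

# Print the public key line with LOGIN as the trailing comment field.
# Refuses anything that is not a single OpenSSH-format public key line,
# so a private key file is never prepared for sending by mistake.
pubkey_with_login() {
    pubfile=$1
    login=$2
    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$pubfile"; then
        echo "$pubfile is a private key; never send it" >&2
        return 2
    fi
    [ "$(grep -c . "$pubfile")" -eq 1 ] || { echo "expected one key line" >&2; return 3; }
    # Fields: key type, base64 data, optional old comment (dropped and replaced).
    read -r ktype blob rest < "$pubfile" || true
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "unrecognised key type: $ktype" >&2; return 3 ;;
    esac
    [ -n "$blob" ] || { echo "missing key data" >&2; return 3; }
    printf '%s %s %s\n' "$ktype" "$blob" "$login"
}

# ssh refuses a private key file that group or others can access.
# Succeeds only when the group/other permission bits are all clear.
private_key_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Build the scp command line from section 2.3 for review before running it.
# The guide requires a relative local path, so absolute paths are rejected.
scp_upload_cmd() {
    port=$1
    key=$2
    local_path=$3
    host=$4
    case $local_path in
        /*) echo "use a relative local path" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    remote_name=${local_path##*/}
    printf 'scp -P %s -i %s %s %s:%s\n' "$port" "$key" "$local_path" "$host" "$remote_name"
}

# Demo on constructed input (the key data below is a dummy, not a real key;
# using port 2001 for scp as well as ssh is an assumption).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleOnly old-comment\n' > "$tmp/id.pub"
    pubkey_with_login "$tmp/id.pub" "login.placeholder"
    : > "$tmp/id"
    chmod 644 "$tmp/id"
    private_key_mode_ok "$tmp/id" || echo "private key permissions too open; run: chmod 600 <key>"
    scp_upload_cmd 2001 "$tmp/id" "policy.json" "admin-host.placeholder"
    rm -rf "$tmp"
}
demo
```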
3 MAESTRO CLI USE FOR PROJECT MANAGEMENT
Maestro Command Line Interface (CLI) is a tool used to send basic Orchestrator commands via the
command line. Maestro CLI is widely used by the EPAM Cloud user community for virtual machine
management.
For information on setting up Maestro CLI and the required components, logging in and basic usage
guidelines, please refer to the Quick Start Guide.
Access to CLI commands is based on the system of permissions. The project management
(administration) commands are available only to users with the ALL_SYSTEM_OPERATIONS
permission and are hidden from all other users. Currently, the following Admin commands are available:
3.1 REFRESHING PROJECT STATUS
or2-refresh-projects (or2refp)
The command refreshes the status of the specified project or of all projects in the specified region.
CLI Parameters
Parameter name | Description | Required
--full | Show full command output instead of default basic one | No
-P, --plain-output | Use plain output instead of default table output | No
--json | Show command output in json format | No
-p, --project | Project abbreviation in UPSA | No
-r, --region | Virtualization region | Yes
--help | Display command help | No
Command example:
or2refp -p project -r region
3.2 MIGRATING INSTANCE TO CSA
or2-migrate-csa-instance (or2migcsains)
The command registers the specified instance in CSA.
CLI Parameters
Parameter name | Description | Required
--full | Show full command output instead of default basic one | No
-P, --plain-output | Use plain output instead of default table output | No
--json | Show command output in json format | No
-p, --project | Project abbreviation in UPSA | Yes
-r, --region | Virtualization region | Yes
-m, --image | Machine image | Yes
-I, --instance-name | Instance name | Yes
-g, --migration-date | Migration date in the yyyy-mm-dd'T'HH format | Yes
-s, --shape | Instance type | Yes
--help | Display command help | No
Command example:
or2migcsains -p project -r region -s shape -i instance_name -m image -g migration_date
3.3 SETTING CHECKPOINT QUOTA FOR PROJECT
or2-set-project-checkpoint-quota (or2setpchq)
The command defines the maximum number of checkpoints which can be created for the specified
project and region.
CLI Parameters
Parameter name | Description | Required
--full | Show full command output instead of default basic one | No
-P, --plain-output | Use plain output instead of default table output | No
--json | Show command output in json format | No
-p, --project | Project abbreviation in UPSA | Yes
-r, --region | Virtualization region | Yes
-m, --maxCount | The number of checkpoints which can be created | Yes
--help | Display command help | No
Command example:
or2setpchq -p project -r region -m checkpoint_count
3.4 SETTING VOLUME QUOTA FOR PROJECT
or2-set-project-volume-quota (or2setpvq)
The command defines the maximum number and size of additional volumes created in the specified
project and region within the specified time interval.
CLI Parameters
Parameter name Description Required
--full Show full command output instead of default basic one No
-P, --plain-output Use plain output instead of default table output No
--json Show command output in json format No
-p, --project Project abbreviation in UPSA Yes
-r, --region Virtualization region Yes
-c, --count The number of volumes which can be created within the specified time interval Yes
-s, --maxSize Maximum volume size in GB Yes
-t, --time Volume creation interval in hours Yes
--help Display command help No
Command example:
or2setpvq -p project -r region -s max_size -c count -t time_interval
3.5 SETTING INSTANCE QUOTA FOR PROJECT
or2-set-project-instance-quota (or2setpiq)
The command defines the maximum number of instances created in the specified project and region
within the specified time interval.
CLI Parameters
Parameter name Description Required
--full Show full command output instead of default basic one No
-P, --plain-output Use plain output instead of default table output No
--json Show command output in json format No
-p, --project Project abbreviation in UPSA Yes
-r, --region Virtualization region Yes
-c, --count The number of instances which can be created within the specified time interval Yes
-t, --time Instance creation interval in hours Yes
--help Display command help No
Command example:
or2setpiq -p project -r region -c count -t time_interval
4 USING ADMIN UTILITY
4.1 BASIC PRINCIPLES
Maestro CLI Admin Utility operates by executing commands sent via the command line. Each command
consists of the group name, the command name and the arguments.
The group name defines the general area of the command application (e.g. ‘aws’ – commands related to
AWS, ‘project’ – commands related to projects, etc.).
The command name is the actual command string defining the action to be performed (e.g.
‘delete_zone’, ‘grant_access’, etc.)
The arguments define the specific object of the command and/or the values to be set for it (e.g. -p –
project abbreviation in UPSA, -s – shape name, etc.).
For example:
permission add_user -e email
In this example ‘permission’ is the group name of all permission-related commands, ‘add_user’ is the
command name indicating that the command creates a new user and ‘-e email’ is the argument
containing the email of the user to be created.
Please note that if a parameter is specified incorrectly, the command does not return an error. All
parameters specified before the incorrect one are applied; the incorrect parameter and all parameters
following it are skipped. If the applied parameters are sufficient for the command execution, the
command is run. A mistyped parameter can therefore cause the command to run with only part of the
intended parameters.
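The check below is an added example, not part of this guide or of the utility itself: it models the skipping behaviour described above for two commands whose parameter tables appear in sections 5.1.1.7 and 5.1.4.5, and reports command lines that would run with fewer parameters than were typed. It assumes that "specified incorrectly" means an unrecognised parameter name or a missing value; the function names and the sample command lines are constructed.

```python
import shlex

# Dashes that word processors substitute for "-" (figure, en, em, minus sign).
UNICODE_DASHES = "\u2012\u2013\u2014\u2212"


def table(*rows):
    """Build (lookup, required) from (short, long, takes_value, required) rows."""
    lookup, required = {}, set()
    for short, long_name, takes_value, is_required in rows:
        lookup[short] = lookup[long_name] = (long_name, takes_value)
        if is_required:
            required.add(long_name)
    return lookup, required


# Transcribed from the parameter tables in sections 5.1.4.5 and 5.1.1.7.
SPECS = {
    ("settings", "edit_test_emails"): table(
        ("-h", "--help", False, False),
        ("-e", "--email", True, True),
        ("-r", "--remove", False, False),
    ),
    ("show", "audit"): table(
        ("-h", "--help", False, False),
        ("-p", "--project", True, False),
        ("-z", "--zone", True, False),
        ("-g", "--group", True, True),
        ("-c", "--command", True, True),
        ("-f", "--from", True, False),
        ("-t", "--to", True, False),
        ("-l", "--limit", True, False),
        ("--target", "--target", True, False),
    ),
}


def is_param(token):
    """True if the token looks like a parameter name rather than a value."""
    return bool(token) and (token[0] == "-" or token[0] in UNICODE_DASHES)


def preflight(line):
    """Predict how the utility would treat `line` and list what is wrong with it."""
    tokens = shlex.split(line)
    key = tuple(tokens[:2])
    if key not in SPECS:
        raise KeyError("no parameter table for " + " ".join(key))
    lookup, required = SPECS[key]
    applied, skipped, problems, rejected = {}, [], [], False
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok not in lookup:
            dash = is_param(tok) and tok[0] != "-"
            reason = "typographic dash" if dash else "unknown name"
            problems.append(f"{tok!r}: {reason}; this and all later tokens are skipped")
            skipped = tokens[i:]
            break
        name, takes_value = lookup[tok]
        if takes_value:
            if nxt is None or is_param(nxt):
                problems.append(f"{tok}: value missing; this and later tokens are skipped")
                skipped = tokens[i:]
                break
            applied[name] = nxt
            i += 2
        else:
            # Section 4.2: a Boolean flag that is given a value is rejected.
            if nxt is not None and not is_param(nxt):
                problems.append(f"{tok}: bare flag given value {nxt!r}; command rejected")
                rejected = True
                break
            applied[name] = True
            i += 1
    missing = sorted(required - set(applied))
    if missing and not rejected:
        problems.append("required parameters not applied: " + ", ".join(missing))
    would_run = not rejected and not missing
    if would_run and skipped:
        problems.append("command still runs, with only: " + ", ".join(sorted(applied)))
    return {"applied": applied, "skipped": skipped, "would_run": would_run,
            "problems": problems}


if __name__ == "__main__":
    # Constructed command lines; the address is a placeholder.
    for sample in (
        "settings edit_test_emails -e user@example.com -r",
        "settings edit_test_emails -e user@example.com --remov",
        'show audit -g permission -c "add_user" \u2013l 50',
        "show audit -g permission --comand add_user",
    ):
        result = preflight(sample)
        print(sample)
        print("  would run:", result["would_run"], "| applied:", result["applied"])
        for problem in result["problems"]:
            print("  !", problem)
```

The second sample is the case to watch for: the mistyped removal flag is skipped, the required email is still applied, and the command runs as an addition rather than a removal.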
4.2 MAESTRO CLI ADMIN UTILITY HELP
The correct format and the required arguments for each command can be found in the ‘Help’ topics. To
get the complete list of all command groups available in the Maestro CLI Admin Utility, type ‘help’ in the
command line:
Figure 2 – Command groups
This command returns the alphabetical list of all command groups with their brief description.
To see the commands included in each group, type the group name:
Figure 3 – List of commands in a group
The response will contain the list of all commands in their correct format and the brief explanation of their
purpose and action. The ‘usage’ line shows the valid command syntax.
To get help for a particular command, type the complete command with the -h or --help parameter:
Figure 4 – Command help
The response will contain the list of all possible arguments which can be used in the command. The
mandatory arguments are marked with ‘*’.
Some commands require one of the optional parameters to be used in all cases. In this case, the
command will return an error message if no optional parameter is specified. The error message will
contain the prompt to use one of the optional parameters.
The ‘usage’ line shows the complete syntax of the command including the arguments. Some of the
arguments have a short and a full form which have the same effect.
If an invalid command is sent, the response may indicate the missing or invalid parameter:
Figure 5 – Error message indicating missing parameter
Boolean parameters with only ‘true’ or ‘false’ options are set to ‘false’ by default. To set such a
parameter to ‘true’, specify only the argument without any value; otherwise the command will be rejected
with the ‘command not found’ error message. For example, the orch assign -z region -o OrchestratorID -a
command will be rejected if any value is sent for the -a parameter.
4.3 COMMAND EXECUTION
Some commands in Maestro CLI Admin Utility require the user’s reconfirmation of their intent to execute
the command. When the user types the command string and presses ‘Enter’, the system responds with
the following message: ‘Are you sure you want to perform the operation…? Type “y” or “n”’. The user has
to confirm the operation by typing “y” or abort it by typing “n”.
Such reconfirmation is required, for example, for all ‘activate_project’ commands, the ‘billing lock’,
‘billing unlock’ commands, etc.
Certain other commands require the particular instance to be stopped before the command can be
executed. When the command string is entered, the following message is displayed: ‘The orchestrator
instance should be stopped for performing this operation. Do you want to continue?’ If the user confirms
the operation, the system checks whether the instance has been stopped and proceeds with the
command execution. If the instance has not been stopped, the command is rejected with an error
message.
Instance stopping is required, for example, for all ‘add_zone’ commands, the ‘zone delete’ command, and
the commands related to the RabbitMQ server configuration.
If you run a command immediately after stopping the instance, the system may still return the message
prompting you to stop it, as the instance status might not have been updated yet. In this case, allow up
to 10 minutes after stopping the instance before running the command again.
However, to accelerate the process, the reconfirmations can be disabled by switching the system to the
so-called ‘quiet’ mode. In the quiet mode the system does not require command reconfirmation before
execution but executes it immediately. The ‘quiet’ mode is controlled by the ‘quiet on’ and ‘quiet off’
commands:
• quiet on Switches the ‘quiet’ mode on
• quiet off Switches the ‘quiet’ mode off
By default, the ‘quiet’ mode is disabled.
Certain commands that require a password for their execution cannot be run in the ‘quiet’ mode. The
password is not specified as one of the mandatory parameters but is entered later, at the system
prompt. If such a command is sent in the ‘quiet’ mode, the following error message is displayed: “This
command can’t be running in quiet mode!”. The following commands cannot be used with the ‘quiet’
mode enabled:
• azure add_subscript
• azure_custom add_subscript
• aws add_user
• csa add_zone
• hpoo configvs
• open_stack add_zone
• open_stack notific_config
• permission add_user
• rabbit shovel
• rabbit create_upstream
• settings set_upsa_config
• google add_temp_access_user
• zone orch_settings
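A session review for the ‘quiet’ mode rules above, as an added example that is not part of this guide or of the utility: it walks a planned list of Admin Utility commands, tracks the quiet state, and reports commands that would run without reconfirmation, commands from the password list that would be refused, and a batch that ends with quiet mode still on. The CONFIRM set is a partial list taken from commands this guide marks as requiring confirmation; the function names and the sample batch are constructed.

```python
import shlex

# Commands listed in section 4.3 as prompting for a password (refused in quiet mode).
PASSWORD_PROMPT = {
    "azure add_subscript", "azure_custom add_subscript", "aws add_user",
    "csa add_zone", "hpoo configvs", "open_stack add_zone",
    "open_stack notific_config", "permission add_user", "rabbit shovel",
    "rabbit create_upstream", "settings set_upsa_config",
    "google add_temp_access_user", "zone orch_settings",
}

# Partial list: commands this guide says ask for reconfirmation (section 4.3 and
# the "confirm that you want to perform the operation" notes in section 5.1).
CONFIRM = {
    "billing lock", "billing unlock",
    "subscription update_default", "subscription update_template",
    "settings edit_test_emails", "settings healthcheck_to",
    "settings manage_blacklist",
}


def needs_confirmation(group, command):
    """Section 4.3 names every 'activate_project' command, whatever its group."""
    return command == "activate_project" or f"{group} {command}" in CONFIRM


def review_session(lines):
    """Return (line_number, kind, message) findings for a planned command batch."""
    findings, quiet = [], False  # quiet mode is disabled by default
    for number, raw in enumerate(lines, start=1):
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "quiet" and tokens[1:] in (["on"], ["off"]):
            quiet = tokens[1] == "on"
            continue
        if not quiet or len(tokens) < 2:
            continue
        group, command = tokens[0], tokens[1]
        name = f"{group} {command}"
        if name in PASSWORD_PROMPT:
            findings.append((number, "blocked",
                             f"{name} prompts for a password and is refused in quiet mode"))
        elif needs_confirmation(group, command):
            findings.append((number, "unconfirmed",
                             f"{name} would execute immediately, without reconfirmation"))
    if quiet:
        findings.append((len(lines), "left-on", "batch ends with quiet mode still on"))
    return findings


# Constructed batch; the address is a placeholder.
SAMPLE = [
    "show all_projects --active -z zone",
    "quiet on",
    "settings manage_blacklist -e user@example.com",
    "permission add_user -e user@example.com",
    "settings edit_test_emails -e user@example.com -r",
]

if __name__ == "__main__":
    for number, kind, message in review_session(SAMPLE):
        print(f"line {number}: [{kind}] {message}")
```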
4.4 ASYNCHRONOUS COMMANDS
When a command is executed in Maestro CLI Admin Utility, the CLI is unavailable until the command
execution is complete. However, some commands that take a long time to execute (up to several hours)
are performed in the background while the CLI can be used for other purposes. Such commands are
called asynchronous commands.
When an asynchronous command is executed, its status can be retrieved by the ‘status get’ command. It
shows the command progress or completion together with the data generated during the command
execution. The command syntax is as follows:
status get -g command_group -n command_name
Only one instance of each asynchronous command can run at a time on the same Orchestrator node. If an
asynchronous command has been sent by one of the users, other users cannot send the same command
until the first command instance is completed.
Maestro CLI Admin Utility supports the following asynchronous commands:
• arm check_config Checks ARM configuration
• arm config_project Configures the project for using the ARM API
• arm set_def_groups Applies configuration of Azure security groups
• aws check_config Checks AWS configuration
• aws config_sso Configures AWS SSO
• aws create_account Creates an AWS account via the Organization API
• aws export_billing_data Sets up billing data export
• aws_security set_def_groups Applies configuration of AWS security groups
• billing close_month Closes the billing month.
• billing health_check Checks billing consistency.
• billing send_units_reports Sends business unit reports
• integrity check Checks data integrity.
• csa get_capacity Shows open, close, current values and blocked actions for all CSA regions
• project clean_up Marks instances and volumes as deleted, closes timelines and removes AWS instances usage profiles
• radar aggregate Aggregates Radar data for the specified month
• timeline check_resource Validates all timelines for a resource
• zone delete Marks the specified zone as inactive or deletes it together with all its references.
• open_stack admin_sg Creates or updates, if exists, the configuration for admin project's security group for the specified security mode
• open_stack cross_region_access Describes, enables or disables cross-region access for the project
4.5 COMMAND OUTPUT
Execution of some commands results in generation of certain data. Such data is delivered to the user
according to the command settings. The output can be delivered either to the SSH console or to the
email of the user who is currently logged in.
The command output is defined by the ‘--target' parameter value which has to be set to ‘ssh_console’ or
‘email’. The following commands support the target selection:
• chef get_nodes
• csa check_offerings
• integrity check
• pricing_policy get
• show all_zones
• show all_projects
• subscription show_default
• aws_security check_mfa
• aws_ri describe
At the same time, with certain commands the user can specify whether the generated data is to be
delivered in the plain text format or in the HTML format. To obtain the command output in the HTML
format, the ‘--html' parameter has to be sent in the command. The following commands support HTML
output:
• chef get_nodes
• integrity check
• instance refresh_missing
• volumes refresh_missing
• show all_zones
• show all_projects
• subscription show_default
If no target selection is offered, the HTML file is delivered to the SSH console.
The ‘aws_security get_backup’ and ‘billing health_check’ commands always deliver data to the user’s
email in the HTML format. No output selection is supported.
5 COMMAND GROUPS
The commands implemented in Maestro CLI Admin Utility cover various scenarios and issues occurring
in the everyday work of the Cloud Support Team. However, they can be classified under several
categories according to their application and purpose.
5.1 GENERAL
The ‘General’ category of commands includes the commands related to the basic Orchestrator settings
and functions.
5.1.1 SHOW
The ‘show’ group includes the commands used to display the specified items or lists of items.
We recommend starting your introduction to Maestro CLI Admin Utility with this group of commands, as
they can give you the basic idea of how the Admin Utility works, how the command strings are built and
how the responses are organized. At the same time, these commands return a lot of useful data about
the objects and resources managed by EPAM Orchestrator, their parameters and value formats.
The ‘show’ group includes the following commands:
Command Description
show all_projects Shows brief info about all projects. The list of requested projects can be filtered by zone and region names
show all_regions Shows brief info about all regions
show all_zones Shows brief info about all zones. The list of requested zones can be filtered by regions, virtual type and zone status (active/inactive)
show project Shows configuration for the specific project
show zone Shows configuration for the specific zone
show settings Shows general settings for the whole orchestrator
show audit Retrieves admin audit. Provides info about invocation of the specified commands
show project_dls Shows project DL emails to be included in/excluded from ORG Cloud Users
To see the list of arguments used with the commands of the ‘show’ group, type show [command_name]
-h in the command line.
5.1.1.1 show all_projects
Invoke: show all_projects
Shows brief information about all projects. The list of requested projects can be filtered by zone and
region names.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone No
-r, --region Virtualization region No
--inactive Show only inactive projects No
--active Show only active projects No
--html Use to get output in HTML format No
--target Parameter to indicate where to display the result of the command. Must be one of [ssh_console, file, email] No
Response Elements
Name Description
Project name Project name
Project code Project code
Zone name Zone name
Region name Region name
Active States whether the project is active
Billable States whether the project is billable
Command Example
The command below retrieves the list of active projects in the specified zone.
show all_projects --active -z zone
Response example
Command Example
show all_projects --active -z zone --target email
You will receive the email with the command execution results.
5.1.1.2 show all_regions
Invoke: show all_regions
Retrieves brief information about all regions.
Admin CLI Parameters
Parameter name Description Required
[-h | --help] Display command help No
Response Elements
Name Description
Name Region name
Type Environment type
Zone count Number of virtual zones available in the region
DNS name prefix DNS prefix used for the zone
Command example
show all_regions
Response example
5.1.1.3 show all_zones
Invoke: show all_zones
Shows brief information about all zones. The list of requested zones can be filtered by regions, virtual
type and zone status (active/inactive).
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-r, --region Virtualization region No
-v, --virt Filter by virtualization type No
--inactive Show only inactive zones No
--active Show only active zones No
--html Use to get output in HTML format No
--target Parameter to indicate where to display the result of the command. Must be one of [ssh_console, file, email] No
Response Elements
Name Description
Zone name Zone name
Region name Region name
Virt type Virtual type
Active Show whether the zone is active
Status Show zone status
Node Node name
Command Example
show all_zones -r PROJECT NAME
Response example
Command Example
show all_zones -r PROJECT NAME -t email
You will receive an email with the command execution results.
5.1.1.4 show project
Invoke: show project
Shows configuration for the specific project.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
Response Elements
Name Description
Project name Project name
Active Show whether the project is active
Billable Show whether the project is billable
Zone name Zone name
Region Region name
Quotas Show details about quota
Allowed shape Show allowed shapes
Instance quota Show instance quota
Storage volume quota Show volume quota
Autoconfiguration IP whitelist Show autoconfiguration whitelist
Command Example
show project -p PROJECT_NAME -z ZONE_NAME
Response example
5.1.1.5 show zone
Invoke: show zone
Shows configuration for the specific zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
Response Elements
Name Description
Zone name Zone name
Virt type Virtual type
Active Show whether the zone is active
Status Show zone status
Command example
show zone -z Zone Name
Response example
5.1.1.6 show settings
Invoke: show settings
Shows general settings for the whole orchestrator.
Admin CLI Parameters
Parameter name Description Required
[-h | --help] Display command help No
Response Elements
Name Description
Orchestration mode Orchestration mode
Current DB version Show current DB version
Users authorized for testing Show the list of persons authorized for testing
Command example
show settings
Response example
5.1.1.7 show audit
Invoke: show audit
Retrieves admin audit. Provides info about invocation of the specified commands. The command name
should be specified in quotation marks.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud No
-z, --zone Virtualization zone No
-g, --group Command group (e.g. "aws") Yes
-c, --command Command name (e.g. "activate_project") Yes
-f, --from The date to describe from in yyyy-MM-dd'T'HH:mm format (UTC) No
-t, --to The date to describe to in yyyy-MM-dd'T'HH:mm format (UTC) No
-l, --limit Limit of audit events (10 by default) No
--target Parameter to indicate where to display the result of the command. Must be one of [ssh_console, file, email] No
Response Elements
Name Description
Date Date
User email User email
Command name Command name
Parameters Show the list of parameters of the command
Command example
show audit -g group_name -c "command_name"
Response example
5.1.1.8 show project_dls
Invoke: show project_dls
Shows project DL emails to be included in/excluded from ORG Cloud Users.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-f, --file File with the list of ORG Cloud Users emails (copy from Outlook) Yes
5.1.2 SUBSCRIPTION
The ‘subscription’ group includes the commands related to configuration of notification and report
subscriptions. The following commands are available:
Command Description
subscription show_templates Shows subscription templates
subscription show_default Shows default subscriptions
subscription update_default Updates default subscription
subscription update_template Updates subscription template
To see the list of arguments used with the commands of the ‘subscription’ group, type subscription
[command_name] -h in the command line.
5.1.2.1 subscription show_templates
Invoke: subscription show_templates
Shows subscription templates
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-t, --template Template name No
Command example:
subscription show_templates
Response example:
5.1.2.2 subscription show_default
Invoke: subscription show_default
Shows default subscriptions
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-t, --template Template name No
--html Use to get output in html format No
--target Parameter to indicate where to display the result of the command. Must be one of [ssh_console, file, email] No
Command example:
subscription show_default
Response example:
5.1.2.3 subscription update_default
Invoke: subscription update_default
Updates default subscription
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-t, --template Template name Yes
-c, --coordinator Send mail to Project Coordinator No
-p, --primary Send mail to Primary Contact No
-s, --secondary Send mail to Secondary Contact No
-u, --username Send mail to User No
-a, --allow Allow customization [true, false] No
Before you get the response, confirm that you want to perform the operation.
Command example:
subscription update_default -t <template_name>
Response example:
5.1.2.4 subscription update_template
Invoke: subscription update_template
Updates subscription template
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-t, --template Template name Yes
-d, --description Template description No
-e, --enabled Enabled in system [true, false] No
-v, --visible Visible to user [true, false] No
Before you get the response, confirm that you want to perform the operation.
Command example:
subscription update_template -t <template_name>
Response example:
5.1.3 ACCOUNT
The ‘account’ group includes the commands related to EPAM Orchestrator accounts. The following
commands are available:
Command Description
account subscribe Subscribes emails to the given EO account
account unsubscribe Unsubscribes emails from the given EO account
account add_project_to_customer Adds project to the given customer EO account
To see the list of arguments used with the commands of the ‘account’ group, type account
[command_name] -h in the command line.
5.1.3.1 account subscribe
Invoke: account subscribe
Subscribes emails to the given EO account
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email Email to subscribe to the EO account. To specify several emails, repeat the parameter Yes
-a, --account-id EO Account id Yes
Command example:
account subscribe -e <email> -a <account-id>
Response example:
5.1.3.2 account unsubscribe
Invoke: account unsubscribe
Unsubscribes emails from the given EO account
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email Email to unsubscribe from the EO account. To specify several emails, repeat the parameter Yes
-a, --account-id EO Account id Yes
Command example:
account unsubscribe -e <email> -a <account-id>
Response example:
5.1.3.3 account add_project_to_customer
Invoke: account add_project_to_customer
Adds project to the given customer EO account
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --account-id EO account id No
-n, --account-name EO account name No
-p, --project Project abbreviation in EPAM Cloud Yes
Command example:
account add_project_to_customer -p <project ID>
Response example:
5.1.4 SETTINGS
The ‘settings’ group includes the commands related to the general system settings. The following
commands are available:
Command Description
settings configure_mail_processing Configures mail processing
settings describe Describes orchestration settings
settings describe_mail_processing Describes mail processing
settings describe_support_mails_receivers Describes support mails receivers
settings edit_test_emails Adds/removes user emails that have access to EO in testing mode
settings epam_metrics Enables or disables EPAM metrics integration
settings get_blacklist Describes blacklist emails
settings get_test_emails Describes emails authorized for testing
settings healthcheck_to Sets health check timeout
settings manage_blacklist Manages blacklist emails
settings manage_emails_authorized_for_m2reporting_testing Adds/removes/describes user emails that are authorized for M2 reporting testing
settings manage_prefix_lists_state Enables or disables AWS prefix lists
settings manage_support_mail_receivers Adds and removes receivers for some support reports
settings report_cache Configures Report Cache
settings set_upsa_config Sets UPSA client configuration
settings switch_m3_key_management Enables or disables M3 mail processing
settings switch_m3_mail_processing Enables or disables M3 mail processing
settings switch_ownership Enables or disables ownership service
settings terraform Enables or disables terraform service
settings upsa Enables or disables UPSA integration
settings zcloud_role Enables or disables UPSA zCloudRole integration
To see the list of arguments used with the commands of the ‘settings’ group, type settings
[command_name] -h in the command line.
5.1.4.1 settings configure_mail_processing
Invoke: settings configure_mail_processing
Configures mail processing
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --notificationGroup Notification group. For several groups repeat the parameter: -n GROUP1 -n GROUP2 Yes
-t, --processing-type Processing type [M2, M2_OVER_M3, M3, DISABLED] Yes
Command example:
settings configure_mail_processing -n <notification group> -t <processing-type>
Response example:
5.1.4.2 settings describe
Invoke: settings describe
Describes orchestration settings
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Command example:
settings describe
Response example:
5.1.4.3 settings describe_mail_processing
Invoke: settings describe_mail_processing
Describes mail processing
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Command example:
settings describe_mail_processing
Response example:
5.1.4.4 settings describe_support_mails_receivers
Invoke: settings describe_support_mails_receivers
Describes support mails receivers
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Command example:
settings describe_support_mails_receivers
Response example:
5.1.4.5 settings edit_test_emails
Invoke: settings edit_test_emails
Adds/removes user emails that have access to EO in testing mode
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email A list of user emails to add Yes
-r, --remove Use this flag to remove something instead of adding it No
Before you get the response, confirm that you want to perform the operation.
Command example:
settings edit_test_emails -e <email>
Response example:
5.1.4.6 settings epam_metrics
Invoke: settings epam_metrics
Enables or disables EPAM metrics integration
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --enable Enable metrics integration No
-d, --disable Disable metrics integration No
Before you get the response, confirm that you want to perform the operation.
Command example:
settings epam_metrics
Response example:
5.1.4.7 settings get_blacklist
Invoke: settings get_blacklist
Describes blacklist emails
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Command example:
settings get_blacklist
Response example:
5.1.4.8 settings get_test_emails
Invoke: settings get_test_emails
Describes emails authorized for testing
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Command example:
settings get_test_emails
Response example:
5.1.4.9 settings healthcheck_to
Invoke: settings healthcheck_to
Sets health check timeout
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-t, --timeout Health check timeout in seconds Yes
Before you get the response, confirm that you want to perform the operation.
Command example:
settings healthcheck_to -t <timeout>
Response example:
5.1.4.10 settings manage_blacklist
Invoke: settings manage_blacklist
Manages blacklist emails
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email A list of user emails to add Yes
-r, --remove Use this flag to remove something instead of adding it No
Before you get the response, confirm that you want to perform the operation.
Command example:
settings manage_blacklist
Response example:
5.1.4.11 settings manage_emails_authorized_for_m2reporting_testing
Invoke: settings manage_emails_authorized_for_m2reporting_testing
Adds/removes/describes user emails that are authorized for M2 reporting testing
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email A list of user emails to add/remove No
-a, --action Action: add, remove, describe (default action: describe) No
Before you get the response, confirm that you want to perform the operation.
Command example:
settings manage_emails_authorized_for_m2reporting_testing
Response example:
5.1.4.12 settings manage_prefix_lists_state
Invoke: settings manage_prefix_lists_state
Enables or disables AWS prefix lists
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --enable Enable AWS prefix lists No
-d, --disable Disable AWS prefix lists No
Command example:
settings manage_prefix_lists_state
Response example:
5.1.4.13 settings manage_support_mail_receivers
Invoke: settings manage_support_mail_receivers
Adds and removes receivers for some support reports
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-I, --title Title of the report: aws_images_healthcheck_report, instance_run_report Yes
-t, --to List of the receivers in 'to' for the report No
-c, --cc List of the 'cc' for the report No
-a, --add Option for adding specified receivers No
-r, --remove Option for removing specified receivers No
Before you get the response, confirm that you want to perform the operation.
Command example:
settings manage_support_mail_receivers -t
Response example:
5.1.4.14 settings report_cache
Invoke: settings report_cache
Configures Report Cache
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --report-cache-enabled Enable Report Cache boolean No
-d, --report-cache-disabled Disabled Report Cache boolean No
Before you get the response, confirm that you want to perform the operation.
Command example:
settings report_cache
Response example:
5.1.4.15 settings set_upsa_config
Invoke: settings set_upsa_config
Sets UPSA client configuration settings
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-l, --upsa-login Upsa login Yes
--host Upsa host Yes
Before you get the response, confirm that you want to perform the operation.
Command example:
settings set_upsa_config -l <upsa-login> --host <upsa host>
Response example:
5.1.4.16 settings switch_m3_key_management
Invoke: settings switch_m3_key_management
Enables or disables M3 mail processing
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --enable Enable M3 key management No
-d, --disable Disable M3 key management No
Before you get the response, confirm that you want to perform the operation.
Command example:
settings switch_m3_key_management
Response example:
5.1.4.17 settings switch_m3_mail_processing
Invoke: settings switch_m3_mail_processing
Enables or disables M3 mail processing
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --enable Enable M3 key management No
-d, --disable Disable M3 key management No
Command example:
settings switch_m3_mail_processing
Response example:
5.1.4.18 settings switch_ownership
Invoke: settings switch_ownership
Enables or disables ownership service
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --enable Enable ownership service No
-d, --disable Disable ownership service No
Before you get the response, confirm that you want to perform the operation.
Command example:
settings switch_ownership
Response example:
5.1.4.19 settings terraform
Invoke: settings terraform
Enables or disables terraform service
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --enable Enable terraform service No
-d, --disable Disable terraform service No
Before you get the response, confirm that you want to perform the operation.
Command example:
settings terraform
Response example:
5.1.4.20 settings upsa
Invoke: settings upsa
Enables or disables UPSA integration
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-o, --use-off-storage-and-act-directory Use offline storage and active directory instead of UPSA. Allowed values: true, false. No
-d, --disable-synchronization Disable synchronization for projects, users, accounts, etc. from offline storage, AD or UPSA. Orchestrator will work only with users from DB. or2acces will be unavailable. Allowed values: true, false No
Before you get the response, confirm that you want to perform the operation.
Command example:
settings upsa
Response example:
5.1.4.21 settings zcloud_role
Invoke: settings zcloud_role
Enables or disables UPSA zCloudRole integration
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --enable Enable UPSA zCloudRole integration No
-d, --disable Disable UPSA zCloudRole integration No
Command example:
settings zcloud_role
Response example:
5.1.5 ORCH
The ‘orch’ group includes the commands related to Orchestrator. The following commands are available:
Command Description
orch assign Assigns/unassigns an instance to/from zone
orch assign_cur Assigns/unassigns current instance to/from zone
orch config_healthch Updates healthCheckSettings for instance
orch config_zabbix Updates ZabbixGraphMode configuration for instance
orch dconfig Describes configuration settings from local configuration and database
orch dis_recovery Sets/unsets disaster recovery flag
orch get_instances Gets instances count per node and related zones
orch get_nodes Gets short information about orchestration nodes
orch get_version Get version of application artifacts
orch hardware_devices_integration Manages hardwareDevicesIntegrationSupported flag and hardwareDevicesZoneName
orch integr_service Manages integrationService flag
orch jenkins_service Manages jenkins service flag
orch mob_integr_service Manages mobileFarmIntegrationSupported flag and mobileFarmZoneName
orch switch_mode Switches orchestration modes between Maintenance, Running and Testing
orch set_profile Sets profile for node
Use this command with care, as the Orchestrator mode settings affect entire Orchestrator performance.
To see the list of arguments used with the commands of the ‘orch’ group, type orch [command_name] -h in the command line.
5.1.5.1 orch assign
Invoke: orch assign
Assigns/unassigns an instance to/from zone
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-o, --orch-id An Orchestrator instance ID Yes
-z, --zone The list of zones Yes
-u, --unassign Use this flag to unassign orch from zones No
-b, --billing Use this flag to make orch responsible for billing No
-a, --active Use this flag to make orch instance active No
Before you get the response, confirm that you want to perform the operation.
Command example:
orch assign -o <instance_id> -z <zone>
Response example:
5.1.5.2 orch assign_cur
Invoke: orch assign_cur
Assigns/unassigns current instance to/from zone
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone The list of zones Yes
-u, --unassign Use this flag to unassign orch from zones No
-b, --billing Use this flag to make orch responsible for billing No
-a, --active Use this flag to make orch instance active No
Before you get the response, confirm that you want to perform the operation.
Command example:
orch assign_cur -z <zone>
Response example:
5.1.5.3 orch config_healthch
Invoke: orch config_healthch
Updates healthCheckSettings for instance
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-o, --orch-id An Orchestrator instance ID Yes
-t, --timeout Updates healthCheckSettings.reportHealthCheckTimeout value (integer) No
-m, --mongo Updates healthCheckSettings.mongoLatencyThreshold value (long millis) No
-r, --rabbit Updates healthCheckSettings.rabbitLatencyThreshold value (long millis) No
Before you get the response, confirm that you want to perform the operation.
Command example:
orch config_healthch -o <instance_id>
Response example:
5.1.5.4 orch config_zabbix
Invoke: orch config_zabbix
Updates ZabbixGraphMode configuration for instance
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-o, --orch-id An Orchestrator instance ID Yes
-p, --proxy Updates zabbixGraphMode.proxy value (true/false) No
-r, --renderer Updates zabbixGraphMode.renderer value (true/false) No
Before you get the response, confirm that you want to perform the operation.
Command example:
orch config_zabbix -o <instance_id>
Response example:
5.1.5.5 orch dconfig
Invoke: orch dconfig
Describes configuration settings from local configuration and database
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-m, --mode Finds orchestrators in specified mode. Must be one of [running, maintenance, testing] No
--flag Finds the orchestrator which has the provided flag set to true No
-n, --node Finds orchestrator by name No
Command example:
orch dconfig
Response example:
5.1.5.6 orch dis_recovery
Invoke: orch dis_recovery
Sets/unsets disaster recovery flag
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
--on set flag No
--off unset flag No
Command example:
orch dis_recovery
Response example:
5.1.5.7 orch get_instances
Invoke: orch get_instances
Gets instances count per node and related zones
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-o, --orch-id An Orchestrator instance ID No
Command example:
orch get_instances
Response example:
5.1.5.8 orch get_nodes
Invoke: orch get_nodes
Gets short information about orchestration nodes
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Command example:
orch get_nodes
Response example:
5.1.5.9 orch get_version
Invoke: orch get_version
Get version of application artifacts
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Command example:
orch get_version
Response example:
5.1.5.10 orch hardware_devices_integration
Invoke: orch hardware_devices_integration
Manages hardwareDevicesIntegrationSupported flag and hardwareDevicesZoneName
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-o, --orch-id Integration Orchestrator instance id (integrationService : true) Yes
-e, --enabled Enabled flag - true or false Yes
-z, --zone Virtualization zone No
Before you get the response, confirm that you want to perform the operation.
Command example:
orch hardware_devices_integration -o <instance id> -z <zone> -e <value>
Response example:
5.1.5.11 orch integr_service
Invoke: orch integr_service
Manages integrationService flag
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-o, --orch-id An Orchestrator instance ID Yes
-I, --integr IntegrationService flag - true or false Yes
Before you get the response, confirm that you want to perform the operation.
Command example:
orch integr_service -o <instance id> -I <value>
Response example:
5.1.5.12 orch jenkins_service
Invoke: orch jenkins_service
Manages jenkins service flag
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-o, --orch-id An Orchestrator instance ID Yes
-j, --jenkins Jenkins service flag - true or false Yes
Before you get the response, confirm that you want to perform the operation.
Command example:
orch jenkins_service -o <instance id> -j <value>
Response example:
5.1.5.13 orch mob_integr_service
Invoke: orch mob_integr_service
Manages mobileFarmIntegrationSupported flag and mobileFarmZoneName
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-o, --orch-id Integration Orchestrator instance id (integrationService : true) Yes
-e, --enabled Enabled flag - true or false Yes
-z, --zone Virtualization zone No
Before you get the response, confirm that you want to perform the operation.
Command example:
orch mob_integr_service -o <instance id> -e <value>
Response example:
5.1.5.14 orch switch_mode
Invoke: orch switch_mode
Switches orchestration modes between Maintenance, Running and Testing
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-o, --orch-id An Orchestrator instance ID No
-m, --mode Mode to switch to. Possible values [RUNNING, TESTING, MAINTENANCE] Yes
--all To switch mode on all instances No
-I, --ignore-billing-lock To ignore billing lock while changing status to MAINTENANCE No
Before you get the response, confirm that you want to perform the operation.
Command example:
orch switch_mode -m <mode>
Response example:
5.1.5.15 orch set_profile
Invoke: orch set_profile
Sets profile for node
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-b, --billing-node New billing node name No
-m, --mail-node New node for emails processing No
-i, --ip-validation-node New node for ip validation report No
-q, --qualys-node New node for qualys job processors No
--monitoring-node New monitoring node No
-u, --ui-node UI node name No
-v, --virt-schedules-invoker This node regularly updates AWS IAM users and checks statuses of Azure subscriptions No
-s, --monitors-schedules This node will send “Broken schedules” report and set schedules from Schedules collection to PENDING state if they were in PROCESSING state more than two hours No
-c, --chef-data-provider This node caches chef monitoring data and generates "Problems found with Chef monitoring" report No
-a, --active-node Set node as active No
-r, --core-operations-scheduler This flag enables the following core scheduled operations: update Upsa users, update projects and accounts from Upsa, check maestro stacks state, backup mongo, execute user schedule, create email report "User schedule execution report", release expired locks in Locks collection No
--chef-supported Enables chef schedule processor, that gathers monitoring data from chef and updates chef roles for zones No
--report-operations-scheduler Enables report operations scheduler on the node No
--archive-operations-scheduler Enables scheduled archiving for collection IntegrationEvents, lets you call audit archive operation from JMX No
--change-owner-processor Enables [CHANGE_OWNER_POSTPONED_NOTIFICATION_PROCESSOR, CHANGE_OWNER_PROCESSOR] job processor on node No
--run-hardware-instance-processor Enables [RUN_HARDWARE_INSTANCE_PROCESSOR] job processor on node No
--terminate-unused-instances-processor Enables [TERMINATE_UNUSED_PERSONAL_INSTANCES_PROCESSOR] job processor on node No
--terminate-resources-processor Enables [TERMINATE_RESOURCES_PROCESSOR] job processor on node No
--aws-inspector-assessment-run-processor Enables [AWS_INSPECTOR_ASSESSMENT_RUN_JOB_PROCESSOR] job processor on node No
--aws-proxy Enables awsProxy calls on the node No
--flag-value * Flag value. Allowed values: [true, false] Yes
Before you get the response, confirm that you want to perform the operation.
Command example:
orch set_profile -b <billing-node> --flag-value <value>
Response example:
5.1.6 INIT
The ‘init’ group includes the commands related to Orchestrator initialization. The following commands are
available:
Command Description
init config Initializes the OrchestratorConfig collection
init region Initializes the Regions collection
init settings Initializes the OrchestrationSettings collection
init version Initializes the Version collection
The commands of the ‘init’ group type are used without arguments, as their action consists of initializing
the specified collection.
5.1.6.1 init config
Invoke: init config
Initializes the OrchestratorConfig collection
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Before you get the response, confirm that you want to perform the operation.
Command example:
init config
Response example:
5.1.6.2 init region
Invoke: init region
Initializes the Regions collection
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-r, --region Region name Yes
Before you get the response, confirm that you want to perform the operation.
Command example:
init region -r <region name>
Response example:
5.1.6.3 init settings
Invoke: init settings
Initializes the OrchestrationSettings collection
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Before you get the response, confirm that you want to perform the operation.
Command example:
init settings
Response example:
5.1.6.4 init version
Invoke: init version
Initializes the Version collection
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Before you get the response, confirm that you want to perform the operation.
Command example:
init version
Response example:
5.1.7 INTEGRITY
The ‘integrity’ group includes the ‘integrity check’ command checking the data integrity. The command
also includes the integrity check settings.
Command Description
integrity check Checks data integrity
To see the list of arguments used with the ‘integrity check’ command, type integrity check -h in the
command line.
5.1.7.1 integrity check
Invoke: integrity check
Checks data integrity
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-m, --mode Check mode: [ALL, QUICK (by default), AUDIT, BILLING] No
-q, --show-queries Switch on/off queries No
-d, --show-broken-documents Switch on/off broken documents No
-v, --verbosity Verbosity level: [WARN (by default), ERROR] No
-c, --checker Checkers ID. Specify this parameter to activate necessary checkers No
--html Use to get output in html format No
--target Parameter to indicate where to display the result of the command. Must be one of [ssh_console, file, email] No
The command will be executed in the asynchronous mode.
Command example:
integrity check
Response example:
5.1.8 CLI
The ‘cli’ group includes ‘cli notify’ command notifying the user about CLI update. The ‘cli notify’
command uses no arguments.
Command Description
cli notify Notifies users about recent CLI update
5.1.8.1 cli notify
Invoke: cli notify
Notifies users about recent CLI update
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Command example:
cli notify
Response example:
5.1.9 STATUS
The ‘status’ group includes the commands related to command status. The following commands are
available:
Command Description
status get Retrieves current status of the asynchronous commands
status interrupt Interrupts asynchronous command execution if the command supports it
To see the list of arguments used with the commands of the ‘status’ group, type status [command_name]
-h in the command line.
5.1.9.1 status get
Invoke: status get
Retrieves current status of the asynchronous commands
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-g, --group Command group Yes
-n, --name Command name Yes
--target Parameter to indicate where to display the result of the command. Must be one of [ssh_console, file, email] No
Command example:
status get -g <command group> -n <command name>
Response example:
5.1.9.2 status interrupt
Invoke: status interrupt
Interrupts asynchronous command execution if the command supports it
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-g, --group Command group No
-n, --name Command name No
Command example:
status interrupt -g <command group> -n <command name>
Response example:
5.2 SECURITY
The ‘Security’ category includes the commands related to user account management, permission
assignment and mapping, as well as the settings and configuration of Qualys security scanner.
5.2.1 ADMIN
The ‘admin’ group includes commands related to admin user and admin user groups management. The
following commands are available:
Command Description
admin add_group Adds new admin user group
admin add_user Adds new admin user
admin delete_group Deletes admin user group
admin delete_user Deletes admin user
admin describe_group Describes available Admin CLI user groups with allowed and blocked actions
admin get_groups Displays the list of Admin CLI user groups
admin get_users Displays the list of Admin CLI users for the specified group or retrieves info about the user according to his email
admin update_group Updates admin user group
admin update_user Updates existing active users
To see the list of arguments used with the commands of the ‘admin’ group, type admin [command_name] -h in the command line.
5.2.1.1 admin add_group
Invoke: admin add_group
Adds new admin user group
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --group-name User group name Yes
-a, --allowed-actions Allowed actions in format: <command_group>:<command1>,<command2> or <command_group>:* Yes
-b, --blocked-actions Blocked actions in format: <command_group>:<command1>,<command2> No
Command example:
admin add_group --group-name <group name> --allowed-actions <group:*>
--blocked-actions <group:command>
Response example:
5.2.1.2 admin add_user
Invoke: admin add_user
Adds new admin user
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email Yes
-k, --public-key User SSH public key Yes
-g, --group Admin user group name Yes
Command example:
admin add_user --email <email> --group <group name> --public-key <public key name>
Response example:
5.2.1.3 admin delete_group
Invoke: admin delete_group
Deletes admin user group
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --group-name User group name Yes
Command example:
admin delete_group --group-name <group name>
Response example:
5.2.1.4 admin delete_user
Invoke: admin delete_user
Deletes admin user
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email Admin username Yes
Command example:
admin delete_user --email <email>
Response example:
5.2.1.5 admin describe_group
Invoke: admin describe_group
Describes available Admin CLI user groups with allowed and blocked actions
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --group-name User group name Yes
Command example:
admin describe_group --group-name <group name>
Response example:
5.2.1.6 admin get_groups
Invoke: admin get_groups
Displays the list of Admin CLI user groups
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --all-groups Show all groups. Deleted groups are not displayed by default Yes
Command example:
admin get_groups
Response example:
5.2.1.7 admin get_users
Invoke: admin get_users
Displays the list of Admin CLI users for the specified group or retrieves info about the user according to his email
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email No
-g, --group-name User group name No
-a, --all-users Show all users. Deleted users are not displayed by default Yes
Command example:
admin get_users --email <email>
Response example:
5.2.1.8 admin update_group
Invoke: admin update_group
Updates admin user group
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --group-name User group name Yes
-a, --allowed-actions Allowed actions in format: <command_group>:<command1>,<command2> or <command_group>:* Yes
-b, --blocked-actions Blocked actions in format: <command_group>:<command1>,<command2> No
Command example:
admin update_group --group-name <group name> --allowed-actions
<group:*> --blocked-actions <group:command2>
Response example:
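The action-list format taken by admin add_group and admin update_group can be checked before a group definition is submitted. The Python below is an added example, not part of this guide or of Maestro CLI; it assumes that a blocked action overrides an allowed one, that each list entry names one command group, and that 'admin' and 'permission' are the groups a reviewer treats as sensitive, none of which the guide states.

```python
"""Review an Admin CLI user group definition before it is created.

Added example, not EPAM code. Assumptions (not stated in the guide):
  * a blocked action overrides an allowed one;
  * each list entry covers exactly one command group;
  * 'admin' and 'permission' are the groups treated as sensitive.
"""
import re

# <command_group>:<command1>,<command2>   or   <command_group>:*
_SPEC = re.compile(r"^([a-z0-9_]+):(\*|[a-z0-9_]+(?:,[a-z0-9_]+)*)$")


def parse_actions(specs, allow_wildcard=True):
    """Turn action specs into {group: set(commands)}; '*' means every command."""
    actions = {}
    for spec in specs:
        match = _SPEC.match(spec.strip())
        if not match:
            raise ValueError(f"malformed action spec: {spec!r}")
        group, commands = match.groups()
        if commands == "*" and not allow_wildcard:
            # The guide documents the wildcard form for allowed actions only.
            raise ValueError(f"wildcard not accepted here: {spec!r}")
        actions.setdefault(group, set()).update(commands.split(","))
    return actions


def is_permitted(allowed, blocked, group, command):
    """Effective decision for one command under the block-overrides-allow assumption."""
    if command in blocked.get(group, set()):
        return False
    granted = allowed.get(group, set())
    return "*" in granted or command in granted


def review_group(allowed_specs, blocked_specs, sensitive=("admin", "permission")):
    """Return (allowed, blocked, findings) for a proposed user group."""
    allowed = parse_actions(allowed_specs)
    blocked = parse_actions(blocked_specs, allow_wildcard=False)
    findings = []
    # A block that targets something never granted usually signals a typo
    # or a misunderstanding of what the group can already do.
    for group, commands in sorted(blocked.items()):
        granted = allowed.get(group, set())
        for command in sorted(commands):
            if "*" not in granted and command not in granted:
                findings.append(
                    f"block has no effect: {group}:{command} is not allowed anyway"
                )
    # A bare wildcard on a sensitive group lets members manage other admins.
    for group in sensitive:
        if "*" in allowed.get(group, set()) and not blocked.get(group):
            findings.append(f"unrestricted wildcard on sensitive group: {group}:*")
    return allowed, blocked, findings


# Constructed sample input; command names are taken from this guide.
ALLOWED = ["orch:*", "admin:*", "status:get"]
BLOCKED = ["orch:switch_mode,set_profile", "status:interrupt"]

if __name__ == "__main__":
    allowed, blocked, findings = review_group(ALLOWED, BLOCKED)
    probes = [("orch", "get_nodes"), ("orch", "switch_mode"),
              ("admin", "add_user"), ("init", "config")]
    for group, command in probes:
        verdict = "allow" if is_permitted(allowed, blocked, group, command) else "deny"
        print(f"{group} {command}: {verdict}")
    for finding in findings:
        print("FINDING:", finding)
```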
5.2.1.9 admin update_user
Invoke: admin update_user
Updates existing active users
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email Yes
-k, --public-key User SSH public key
-g, --group Admin user group name
Command example:
admin update_user --email <email> --group <group name>
Response example:
5.2.2 PERMISSION
The ‘permission’ group includes the commands related to user and permission management. The
following commands are available:
Command Description
permission add_group Adds a new permission group with the list of allowed and denied actions. Permission group can be added for the project
permission add_pmc_mapping Adds project role permission group mapping
permission add_user Creates a new autouser
permission add_user_mapping Adds user permission group mapping for the specified user
permission assign Assigns an autouser to a project
permission del_group Removes permission group
permission del_pmc_mapping Removes project role permission group mapping
permission del_user Deletes simple user
permission del_user_mapping Removes user permission group mapping
permission get_perm_groups Gets the list of available actions for the specified group, that can be performed by the user in Maestro CLI
permission get_user_mapping Describes permission group mappings for the specified user
permission prolong_group_mapping Changes the expiration date of a permission group mapping
permission set_user_requestor Sets requestor for a simple user
permission unassign Unassigns an autouser from a project
To see the list of arguments used with the commands of the ‘permission’ group, type permission
[command_name] -h in the command line.
5.2.2.1 permission add_group
Invoke: permission add_group
Adds a new permission group with the list of allowed and denied actions. Permission group can be added
for the project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-g, --group Permission group name. Yes
-o, --operation Operation name. For several operations, repeat the parameter Yes
-p, --project Project abbreviation in EPAM Cloud No
Command example:
permission add_group --group <group name> --operation <operation name>
--project <project name>
Response example:
5.2.2.2 permission add_pmc_mapping
Invoke: permission add_pmc_mapping
Adds project role permission group mapping
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-r, --role-id Project role id Yes
-g, --group Permission group name. For several groups repeat the parameter Yes
-p, --project Project abbreviation in EPAM Cloud No
-x, --expiration-date Permission expiration date. Valid date format: [yyyy-MM-dd] No
Command example:
permission add_pmc_mapping --role-id <role id> --group <group name>
Response example:
5.2.2.3 permission add_user
Invoke: permission add_user
Creates a new autouser
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email address Yes
-u, --username User full name Yes
-l, --login User login Yes
-r, --requestor Requestor of the simple user No
Command example:
permission add_user --email <email> --username <full name> --login <user login>
Response example:
5.2.2.4 permission add_user_mapping
Invoke: permission add_user_mapping
Adds user permission group mapping for the specified user
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email address Yes
-p, --project Project abbreviation in EPAM Cloud No
-g, --group Permission group name. For several groups repeat the parameter Yes
-x, --expiration-date Permission expiration date. Valid date format: [yyyy-MM-dd] No
Command example:
permission add_user_mapping --email <email> --group <group name>
Response example:
5.2.2.5 permission assign
Invoke: permission assign
Assigns an autouser to a project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email address Yes
-p, --project Project abbreviation in EPAM Cloud Yes
--force Force operation even for EPAM user No
Command example:
permission assign --email <email> --project <project name>
Response example:
5.2.2.6 permission del_group
Invoke: permission del_group
Removes permission group
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-g, --group Permission group name. Yes
-p, --project Project abbreviation in EPAM Cloud No
Command example:
permission del_group --group <group name> --project <project name>
Response example:
5.2.2.7 permission del_pmc_mapping
Invoke: permission del_pmc_mapping
Removes project role permission group mapping
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-r, --role-id Project role id Yes
-p, --project Project abbreviation in EPAM Cloud No
Command example:
permission del_pmc_mapping --role-id <role id> --project <project name>
Response example:
5.2.2.8 permission del_user
Invoke: permission del_user
Deletes simple user
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email address Yes
Command example:
permission del_user --email <email>
Response example:
5.2.2.9 permission del_user_mapping
Invoke: permission del_user_mapping
Removes user permission group mapping
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email address Yes
-p, --project Project abbreviation in EPAM Cloud No
Command example:
permission del_user_mapping --email <email> --project <project name>
Response example:
5.2.2.10 permission get_perm_groups
Invoke: permission get_perm_groups
Gets the list of available actions for the specified group, that can be performed by the user in Maestro CLI
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --name Permission group name No
-p, --project Project abbreviation in EPAM Cloud No
Command example:
permission get_perm_groups --name <permission group name> --project <project name>
Response example:
5.2.2.11 permission get_user_mapping
Invoke: permission get_user_mapping
Describes permission group mappings for the specified user
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email address No
-r, --role-id Project role id No
-p, --project Project abbreviation in EPAM Cloud No
Response Elements
Name Description
Permission group names Permission group names
Project Project name
Role ID Role id
Email User email address
Creation date Creation date
Expiration date Expiration date
Command example:
permission get_user_mapping --role-id <role id> --project <project name>
Response example:
5.2.2.12 permission prolong_group_mapping
Invoke: permission prolong_group_mapping
Changes the expiration date of a permission group mapping
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-r, --role-id Project role id No
-p, --project Project abbreviation in EPAM Cloud No
-e, --email User email address No
-x, --expiration-date Permission expiration date. Valid date format: [yyyy-MM-dd] Yes
Command example:
permission prolong_group_mapping --role-id <role id> --project <project name> --expiration-date <expiration date>
Response example:
5.2.2.13 permission set_user_requestor
Invoke: permission set_user_requestor
Sets requestor for a simple user
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email address Yes
-r, --requestor Requestor of the simple user Yes
Command example:
permission set_user_requestor --email <email> --requestor <requestor>
Response example:
5.2.2.14 permission unassign
Invoke: permission unassign
Unassigns an autouser from a project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email address Yes
-p, --project Project abbreviation in EPAM Cloud Yes
--force Force operation even for EPAM user No
Command example:
permission unassign --email <email> --project <project name>
Response example:
5.2.3 SECURITY
The ‘security’ group includes the commands related to security management. The following commands
are available:
Command Description
security get_def_group Sends current default security groups configuration
security update_def_group Adds ingress rule to a specified security group
security update_security_cont Updates security contact
security vulnerability_report Sends vulnerability report for single project
To see the list of arguments used with the commands of the ‘security’ group, type security
[command_name] -h in the command line.
5.2.3.1 security get_def_group
Invoke: security get_def_group
Sends current default security groups configuration
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-g, --security-group-name Security group name No
Command example:
security get_def_group
Response example:
5.2.3.2 security update_def_group
Invoke: security update_def_group
Adds ingress rule to a specified security group
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-g, --security-group-name Security group name Yes
-i, --ip-range IPv4 CIDR range to add new rule in a specified security group. Example: 74.11.192.96/27 Yes
-d, --description Description No
-r, --remove Use this flag to remove something instead of adding it No
Command example:
security update_def_group -g <security-group-name> -i <ip-range>
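A pre-flight check for the `--ip-range` value, run before `security update_def_group` is typed. This is an added example, not part of the guide or of Maestro CLI; the `/24` width limit, the group name `web-default` and the helper names are assumptions made for illustration.

```python
import ipaddress

# Assumed local policy, not a rule from the guide: the widest range an operator
# may ADD to a default security group without extra review (/24 = 256 addresses).
MIN_PREFIX_LEN = 24


class CidrRejected(ValueError):
    """The value must not be passed to --ip-range."""


def check_ip_range(value, min_prefix_len=MIN_PREFIX_LEN):
    """Return the canonical IPv4 CIDR string, or raise CidrRejected."""
    text = value.strip()
    if "/" not in text:
        # ipaddress would read a bare address as /32; require an explicit prefix.
        raise CidrRejected(f"{value!r}: prefix length is missing")
    try:
        # strict=True refuses host bits, e.g. 74.11.192.97/27, which usually
        # means a host address was typed with the wrong mask.
        net = ipaddress.ip_network(text, strict=True)
    except ValueError as exc:
        raise CidrRejected(f"{value!r}: {exc}") from exc
    if net.version != 4:
        raise CidrRejected(f"{value!r}: --ip-range takes an IPv4 range")
    if (net.is_loopback or net.is_multicast or net.is_link_local
            or net.is_reserved or net.is_unspecified):
        raise CidrRejected(f"{value!r}: not a usable source range")
    if net.prefixlen < min_prefix_len:
        raise CidrRejected(
            f"{value!r}: covers {net.num_addresses} addresses, "
            f"wider than /{min_prefix_len}")
    return str(net)


def build_update_def_group(group, ip_range, description=None, remove=False):
    """Build the argument list for `security update_def_group`."""
    if not group or group.startswith("-"):
        # A name that looks like an option would be parsed as one.
        raise ValueError(f"suspicious security group name: {group!r}")
    # Removing a rule only narrows access, so the width limit is not applied.
    limit = 0 if remove else MIN_PREFIX_LEN
    argv = ["security", "update_def_group", "-g", group,
            "-i", check_ip_range(ip_range, limit)]
    if description:
        argv += ["-d", description]
    if remove:
        argv.append("-r")
    return argv


if __name__ == "__main__":
    # Constructed sample inputs; 74.11.192.96/27 is the guide's own example.
    samples = ("74.11.192.96/27", "74.11.192.97/27", "0.0.0.0/0", "2001:db8::/32")
    for sample in samples:
        try:
            argv = build_update_def_group("web-default", sample)
            print(sample, "->", " ".join(argv))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Because `-r` uses the same `--ip-range` parameter, the builder still validates syntax on removal but lets an over-broad rule such as `0.0.0.0/0` be taken out.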
Response example:
5.2.3.3 security update_security_cont
Invoke: security update_security_cont
Updates security contact
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email Security contact emails. For several emails repeat the parameter: -e EMAIL1 -e EMAIL2 -e EMAIL3 Yes
-p, --phone Security contact phone. Provide the security contact's international phone number including the country code (for example, +1-425-1234567) No
Command example:
security update_security_cont -e <email>
Response example:
5.2.3.4 security vulnerability_report
Invoke: security vulnerability_report
Sends vulnerability report for single project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
The command will be executed in the asynchronous mode.
Command example:
security vulnerability_report -p <project>
Response example:
5.2.4 USER
The ‘user’ group includes the commands related to user management. The following commands are
available:
Command Description
user describe Describes the specified user
user import_from_upsa Imports the specified user from UPSA
user prolong_access_token Prolong access token for the autouser
user refresh Refreshes the status of the specified user in EPAM Cloud Orchestrator and activates personal projects if they are not activated
To see the list of arguments used with the commands of the ‘user’ group, type user [command_name] -h in the command line.
5.2.4.1 user describe
Invoke: user describe
Describes the specified user
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email address Yes
Command example:
describe --email <email>
Response example:
5.2.4.2 user import_from_upsa
Invoke: user import_from_upsa
Imports the specified user from UPSA
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email address Yes
Command example:
import_from_upsa --email <email>
Response example:
5.2.4.3 user prolong_access_token
Invoke: user prolong_access_token
Prolong access token for the autouser
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email address Yes
-r, --reason Reason to prolong access Yes
-d, --date Date to prolong access to, in the format YYYY-MM-DD. Must be in the future and not exceed one year from now Yes
Command example:
prolong_access_token --email <email> --reason <reason> --date <YYYY-MM-DD>
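A local check of the `--date` rule stated in the table above (in the future, at most one year ahead), so an over-long token lifetime is caught before the command is sent. This is an added example, not part of the guide or of Maestro CLI; it assumes "one year from now" means the same calendar day next year, inclusive, and the helper names and sample address are hypothetical.

```python
from datetime import date, datetime


def one_year_after(day):
    """Same calendar day next year (assumed reading of 'one year from now')."""
    try:
        return day.replace(year=day.year + 1)
    except ValueError:
        # 29 February has no counterpart next year; use the earlier, stricter 28th.
        return day.replace(year=day.year + 1, day=28)


def check_prolong_date(value, today=None):
    """Return the parsed date if it satisfies the --date rule, else raise ValueError."""
    today = today or date.today()
    try:
        target = datetime.strptime(value, "%Y-%m-%d").date()
    except ValueError as exc:
        raise ValueError(f"{value!r} is not a valid YYYY-MM-DD date") from exc
    if target.isoformat() != value:
        # strptime tolerates "2021-2-16"; insist on the zero-padded form.
        raise ValueError(f"{value!r} must be zero-padded as {target.isoformat()}")
    if target <= today:
        raise ValueError(f"{value} is not in the future")
    limit = one_year_after(today)
    if target > limit:
        raise ValueError(f"{value} is later than {limit.isoformat()}")
    return target


def build_prolong_access_token(email, reason, value, today=None):
    """Build the argument list for `user prolong_access_token`."""
    if not reason.strip():
        # --reason is required; an empty string leaves no audit trail.
        raise ValueError("a reason for prolonging access is required")
    target = check_prolong_date(value, today)
    return ["user", "prolong_access_token", "--email", email,
            "--reason", reason, "--date", target.isoformat()]


if __name__ == "__main__":
    # Constructed inputs, evaluated against a fixed "today" for repeatability.
    fixed_today = date(2021, 2, 15)
    for sample in ("2021-02-16", "2022-02-15", "2022-02-16", "2021-2-16"):
        try:
            argv = build_prolong_access_token(
                "autouser@example.com", "CI pipeline", sample, fixed_today)
            print(" ".join(argv))
        except ValueError as err:
            print("rejected:", err)
```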
Response example:
5.2.4.4 user refresh
Invoke: user refresh
Refreshes the status of the specified user in EPAM Cloud Orchestrator and activates personal projects if
they are not activated
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email address Yes
Command example:
refresh --email <email>
Response example:
5.2.5 LUMINATE
The ‘luminate’ group includes the commands related to Luminate configuration. The following commands
are available:
Command Description
luminate add_site Adds Luminate site
luminate setup Sets up Luminate configuration
luminate update_app Update EO Luminate application config
luminate update_settings Updates Luminate settings
To see the list of arguments used with the commands of the ‘luminate’ group, type luminate
[command_name] -h in the command line.
5.2.5.1 luminate add_site
Invoke: luminate add_site
Adds Luminate site
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-s, --site-id Site ID Yes
Command example:
luminate add_site -z <zone> -s <site-id>
Response example:
5.2.5.2 luminate setup
Invoke: luminate setup
Sets up Luminate configuration
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --client-id Client ID Yes
Command example:
luminate setup -i <client-id>
Response example:
5.2.5.3 luminate update_app
Invoke: luminate update_app
Update EO Luminate application config
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --node Orchestration node Luminate application will point to No
-z, --zone Zone name which Luminate site will use No
Command example:
luminate update_app
Response example:
5.2.5.4 luminate update_settings
Invoke: luminate update_settings
Updates Luminate settings
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --node Orchestration node Luminate application will point to No
-z, --zone Zone name which Luminate site will use No
Command example:
luminate update_settings
Response example:
5.2.6 QUALYS
The ‘qualys’ group includes the commands related to Qualys platform management. The following
commands are available:
Command Description
qualys add_cv_policy Adds Cloud View policy to Qualys platform
qualys configure_platform Configures Qualys platform
qualys create_connector Creates new Cloud View Connector for the specified project
qualys delete_connector Deletes Cloud View Connector from Qualys for the specified project
qualys get_connector Gets Cloud View Connector from Qualys for the specified project
qualys get_platform Displays Qualys platform configuration
qualys list_cv_policies Lists Cloud View policies in Qualys platform
qualys list_platforms Lists all Qualys platforms
qualys manage_excluded_controls Sets Qualys Cloud View Controls to Qualys Platform as excluded
qualys remove_cv_policy Removes Cloud View policy from Qualys platform
qualys update_platform Updates Qualys platform config
To see the list of arguments used with the commands of the ‘qualys’ group, type qualys
[command_name] -h in the command line.
5.2.6.1 qualys add_cv_policy
Invoke: qualys add_cv_policy
Adds Cloud View policy to Qualys platform
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --platform-id Qualys platform id Yes
-p, --policy-id Policy id Yes
-t, --policy-title Policy title Yes
-c, --cloud Cloud provider Yes
Command example:
qualys add_cv_policy -i <platform-id> -p <policy-id> -t <policy-title> -c <cloud>
Response example:
5.2.6.2 qualys configure_platform
Invoke: qualys configure_platform
Configures Qualys platform
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --name Qualys platform name Yes
--api-host Qualys Platform API host (example: qualysapi.qualys.com) Yes
--platform-host Qualys Platform host (example: qualysguard.qualys.com) Yes
--port Platform API port Yes
--protocol Platform API protocol [HTTP, HTTPS] Yes
-l, --login Qualys login Yes
-p, --password Qualys password Yes
--drt, --default-report-template Default report template Yes
--drf, --default-report-format Default report format Yes
--default Is default qualys platform No
Command example:
qualys configure_platform -n <qualys platform name> --api-host <value> --platform-host <value> --port <value> --protocol <value> --drt <default-report-template> --drf <default-report-format> -l <login> -p <password>
Response example:
5.2.6.3 qualys create_connector
Invoke: qualys create_connector
Creates new Cloud View Connector for the specified project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --platform-id Qualys platform id Yes
-p, --project Project abbreviation in EPAM Cloud Yes
-c, --cloud Cloud provider Yes
Command example:
qualys create_connector -i <platform-id> -p <project> -c <cloud>
Response example:
5.2.6.4 qualys delete_connector
Invoke: qualys delete_connector
Deletes Cloud View Connector from Qualys for the specified project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-i, --platform-id Qualys platform id Yes
-c, --cloud Cloud provider Yes
Command example:
qualys delete_connector -p <project> -i <platform-id> -c <cloud>
Response example:
5.2.6.5 qualys get_connector
Invoke: qualys get_connector
Gets Cloud View Connector from Qualys for the specified project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --platform-id Qualys platform id Yes
-p, --project Project abbreviation in EPAM Cloud Yes
-c, --cloud Cloud provider Yes
Command example:
qualys get_connector -p <project> -i <platform-id> -c <cloud>
Response example:
5.2.6.6 qualys get_platform
Invoke: qualys get_platform
Displays Qualys platform configuration
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --id Qualys platform id Yes
Command example:
qualys get_platform --id <platform id>
Response example:
5.2.6.7 qualys list_cv_policies
Invoke: qualys list_cv_policies
Lists Cloud View policies in Qualys platform
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --platform-id Qualys platform id Yes
-p, --policy-id Policy id No
-c, --cloud Cloud provider No
Command example:
qualys list_cv_policies -i <platform-id>
Response example:
5.2.6.8 qualys list_platforms
Invoke: qualys list_platforms
Lists all Qualys platforms
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Command example:
qualys list_platforms
Response example:
5.2.6.9 qualys manage_excluded_controls
Invoke: qualys manage_excluded_controls
Sets Qualys Cloud View Controls to Qualys Platform as excluded
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --platform-id Qualys platform id Yes
-c, --control Control Id. For several controls repeat the parameter: -c CID1 -c CID2 -c CID3 Yes
-a, --add Use this flag to add excluded controls No
-r, --remove Use this flag to remove excluded controls No
Command example:
qualys manage_excluded_controls -i <platform-id> -c <control>
Response example:
5.2.6.10 qualys remove_cv_policy
Invoke: qualys remove_cv_policy
Removes Cloud View policy from Qualys platform
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --platform-id Qualys platform id Yes
-p, --policy-id Policy id Yes
Command example:
qualys remove_cv_policy -i <platform-id> -p <policy-id>
Response example:
5.2.6.11 qualys update_platform
Invoke: qualys update_platform
Updates Qualys platform config
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --id Qualys platform id Yes
-n, --name Qualys platform name No
--api-host Qualys Platform API host (example: qualysapi.qualys.com) No
--platform-host Qualys Platform host (example: qualysguard.qualys.com) No
--port Platform API port No
--protocol Platform API protocol [HTTP, HTTPS] No
-l, --login Qualys login No
-p, --password Qualys password No
--drt, --default-report-template Default report template No
--drf, --default-report-format Default report format No
--default Is default qualys platform No
Command example:
qualys update_platform --id <platform id>
Response example:
5.3 INFRASTRUCTURE
The ‘Infrastructure’ category includes the commands related to different resources existing in EPAM
Cloud and to the overall infrastructure of the system.
5.3.1 ZONE
The ‘zone’ group includes the commands related to zone management. The following commands are
available:
Command Description
zone add Adds a new zone
zone add_location Adds physical location for the specified zone
zone change_status Changes zone in YYYY-MM-DDTHH format
zone conf_service Configures EPAM Cloud Services for the specified zone
zone configure_qualys Configures Qualys properties for the specified zone
zone delete Marks zone as inactive or deletes zone and all references
zone deprecate Deprecates the specified zone. Deprecated zone means that it has limited functionality and will be removed in the nearest future. Usually, zone gets deprecated when it migrates to another region.
zone describe_locations Describes zone locations
zone get_actions Displays actions blocked for the specified zone
zone get_admins Displays the list of administrators for the specified zone
zone get_default_scan_service Displays default scan service for zone
zone get_nonadmin_act Displays actions blocked for non admins
zone get_resources Displays all active resources in the specified zone on email
zone manage_actions Manages actions blocked for the specified zone
zone manage_admins Adds or removes users to the list of administrators of the specified zone
zone manage_user_schedules Manages user schedules for a zone
zone non_admins_act Manages actions blocked for non-administrators
zone orch_settings Sets zone orchestration settings
zone set_default_scan_service Sets default scan service for zone
zone set_location Sets zone location
zone set_virt_profile Configures the specified zone
zone switch_mode Manages integrationMode flag
To see the list of arguments used with the commands of the ‘zone’ group, type zone [command_name] -h in the command line.
5.3.2 PROJECT
The ‘project’ group includes the commands related to project management. The following commands are
available:
Command Description
project activate Activates a project (ENTERPRISE or WORKSPACE) in EPAM Cloud Orchestrator
project activ_dl Activates project DL in AWS
project check_billing_types Checks billing projects types consistency
project clean_up Marks instances and volumes as deleted, closes timelines and removes instances usage profiles
project deactivate Deactivates the specified project
project del_dl Removes project DL in AWS
project del_ip_wl Deletes IP addresses white list for project
project delete Deletes the project
project describe_blacklist Describes blacklist of projects
project get_ip_wl Describes IP addresses white list for the project
project hide Hides the project in the specified zone from UI and CLI
project link Links one project to another and disables quotas for the linked project
project manage_blacklist Adds and removes projects from the blacklist
project set_ac_flag Sets autoconfiguration flag for the project
project set_act_ins_quota Sets up project active instance quota
project set_custom_chef Sets or unsets project's custom chef server
project set_default_owner Sets a default owner for the project. All notifications about orphan resources will be sent to his email.
project set_default_vlan Sets a default VLAN for the specified project and zone. For OpenStack regions only. Do not use command for CSA-type zone.
project set_expiration_date Sets expiration date for a project in specific zone
project set_ip_wl Sets IP addresses white list for the project
project set_personal_quota Sets the quota level for the specified position
project set_quota Sets up monthly project quotas and quota notification plan for the project resources
project set_shapes Sets allowed shapes for the project in the specified zone
project set_type Sets project type
project unhide Unhides the project in the specified zone from UI and CLI
project unlink Breaks links of the specified project
project update_threshold Update threshold size for the project in specified zone
To see the list of arguments used with the commands of the ‘project’ group, type project [command_name] -h in the command line.
5.3.2.1 project activate
Invoke: project activate
Activates a project (ENTERPRISE or WORKSPACE) in EPAM Cloud Orchestrator
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone. It supports following zones' types: ENTERPRISE, WORKSPACE Yes
-f, --fake-project Fake project No
Response Elements
Name Description
pmcCode Project code
name Project name
zone Zone name
shapes Shapes
primaryContacts Primary contacts
secondaryContacts Secondary contacts
instanceCreationIntervalHours Instance creation interval described in hours
volumeCreationIntervalHours Volume creation interval described in hours
maxVolumeSizeGb Maximum volume size in Gb
activationDate Activation date
expirationDate Expiration date
subscriptionId Subscription ID
Command example:
activate --project <project name> --zone <zone name>
Response example:
5.3.2.2 project activ_dl
Invoke: project activ_dl
Activates project DL in AWS
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
Command example:
activ_dl --project <project name>
Response example:
5.3.2.3 project check_billing_types
Invoke: project check_billing_types
Checks billing projects types consistency
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Command example:
check_billing_types
Response example:
5.3.2.4 project clean_up
Invoke: project clean_up
Marks instances and volumes as deleted, closes timelines and removes instances usage profiles
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Single zone or type: EPAM, HARDWARE, AWS, AZURE, GOOGLE Yes
-p, --project Project abbreviation in EPAM Cloud Yes
-r, --resource-type Resource type: INSTANCE, VOLUME, MACHINE_IMAGE. All if it is empty. No
Command example:
clean_up --zone <zone name> --project <project name> --resource-type <resource type+ >
The command will be executed in the asynchronous mode.
Response example:
5.3.2.5 project deactivate
Invoke: project deactivate
Deactivates the specified project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone. You can use virt type instead of zone name (only AWS, AZURE, GOOGLE supported) or ALL to deactivate specified project in all zones Yes
-p, --project Project abbreviation in EPAM Cloud. You can use ALL to deactivate all projects in the specified zone Yes
-r, --no-resources Use this flag to deactivate all projects without active resources in specified zone No
-f, --force Use this flag to ignore project state No
Response Elements
Name Description
pmcCode Project code
zone Zone name
primaryContacts Primary contacts
secondaryContacts Secondary contacts
active Status
activationDate Activation date
expirationDate Expiration date
Command example:
deactivate --zone <zone name> --project <project name>
Response example:
5.3.2.6 project del_dl
Invoke: project del_dl
Removes project DL in AWS
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
Command example:
del_dl --project <project name>
Response example:
project del_ip_wl
Invoke: project del_ip_wl
Deletes IP addresses white list for project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-a, --ip-addresses List of IP addresses to delete Yes
Command example:
del_ip_wl --project <project name> --zone <zone name> -a <ip addresses>
Response example:
5.3.2.7 project delete
Invoke: project delete
Deletes the project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
Command example:
delete --project <project name> --zone <zone name>
Response example:
5.3.2.8 project describe_blacklist
Invoke: project describe_blacklist
Describes blacklist of projects
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
Command example:
describe_blacklist
Response example:
5.3.2.9 project get_ip_wl
Invoke: project get_ip_wl
Describes IP addresses white list for the project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
Command example:
get_ip_wl --project <project name> --zone <zone name>
Response example:
5.3.2.10 project hide
Invoke: project hide
Hides the project in the specified zone from UI and CLI
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone No
-p, --project Project abbreviation in EPAM Cloud Yes
Command example:
hide --project <project name> --zone <zone name>
Response example:
5.3.2.11 project link
Invoke: project link
Links one project to another and disables quotas for the linked project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in UPSA that should be linked Yes
-l, --link-to Project abbreviation in UPSA to which this project should be linked Yes
-d, --linked-date Project linked date. Valid date format: [yyyy-MM] No
Command example:
link --project <demo-project> --link-to <link>
Response example:
5.3.2.12 project manage_blacklist
Invoke: project manage_blacklist
Adds and removes projects from the blacklist
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in UPSA, multiple parameter Yes
-z, --zone Zone name, multiple parameter No
-a, --add Option for adding specified projects No
-r, --remove Option for removing specified projects No
Command example:
manage_blacklist --project <project name> --<action>
Response example:
5.3.2.13 project set_ac_flag
Invoke: project set_ac_flag
Sets autoconfiguration flag for the project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-t, --disableType AutoConfiguration disable type. Allowed values are: [ALL, WINDOWS, LINUX, NONE]. No
-a, --action Manage action, allowed values are: [describe, setup]. The default is describe No
Command example:
set_ac_flag --project <project name> --zone <zone name>
Response example:
5.3.2.14 project set_act_ins_quota
Invoke: project set_act_ins_quota
Sets up project active instance quota
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud No
-v, --value New value for active instance quota Yes
--all-personal Option to set up the quota for all personal projects No
Command example:
set_act_ins_quota --project <project name> --value <quota value>
Response example:
5.3.2.15 project set_custom_chef
Invoke: project set_custom_chef
Sets or unsets project's custom chef server
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-c, --clear Clear custom chef config No
--host Custom chef's host. host:port or ip:port. i.e. ec2-107-21-220-70.compute-1.amazonaws.com:4000 No
-u, --validation-key-url Chef's validation key URL No
Command example:
set_custom_chef --project <project name> --zone <zone name> --host <host name>
Response example:
5.3.2.16 project set_default_owner
Invoke: project set_default_owner
Sets a default owner for the project. All notifications about orphan resources will be sent to his email.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-u, --username User full name Yes
Command example:
set_default_owner --project demo-project --username demo-name
Response example:
5.3.2.17 project set_default_vlan
Invoke: project set_default_vlan
Sets a default VLAN for the specified project and zone. For OpenStack regions only. Do not use
command for CSA-type zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-p, --project Project abbreviation in EPAM Cloud Yes
-v, --vlan Name of the vlan No
Command example:
set_default_vlan --zone <zone name> --project <project name> --vlan <vlan id>
Response example:
5.3.2.18 project set_expiration_date
Invoke: project set_expiration_date
Sets expiration date for a project in specific zone
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone. You can use virt type instead of zone name (only AWS, AZURE, GOOGLE supported) or ALL to set expiration date for specified project in all zones Yes
-x, --expiration-date Project expiration date. Valid date format: [yyyy-MM-dd] Yes
Command example:
set_expiration_date --project <project name> --zone <zone name> --expiration-date <expiration date yyyy-mm-dd>
Response example:
5.3.2.19 project set_ip_wl
Invoke: project set_ip_wl
Sets IP addresses white list for the project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-a, --ip-addresses IP addresses list Yes
-o, --override Override the existing ip white list No
Command example:
set_ip_wl --project <project name> --zone <zone name> --ip-addresses <ip addresses>
Response example:
5.3.2.20 project set_personal_quota
Invoke: project set_personal_quota
Sets the quota level for the specified position
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --id Job Function Id Yes
-l, --level Quota level Yes
Command example:
set_personal_quota --id <id> --level <level>
Response example:
5.3.2.21 project set_quota
Invoke: project set_quota
Sets up monthly project quotas and quota notification plan for the project resources
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone No
-t, --type Quota type [ALL, ALL_AWS, ALL_AZURE, ALL_GOOGLE, ALL_EPAM, EACH, EACH_AWS, EACH_AZURE, EACH_GOOGLE, EACH_EPAM, SINGLE (per region)] Yes
--stop Quota exceed action STOP [true, false] No
--approve, --allow-after-approve Quota exceed action ALLOW_AFTER_APPROVE [true, false] No
--deny, --deny-run-vm Quota exceed action DENY_RUN_VM [true, false] No
-a, --activate Activates quota No
-d, --deactivate Deactivates quota No
-q, --quota Quota amount - maximum allowed monthly cost for the project in the selected region No
-n, --notification-plan Quota notifications, [90%, 100%] by default. For several notifications repeat the parameter No
Command example:
set_quota --project <project name> -a <activate> --stop <value> --allow-after-approve <value> --deny-run-vm <value> --type <value> --quota <value>
Response example:
5.3.2.22 project set_shapes
Invoke: project set_shapes
Sets allowed shapes for the project in the specified zone
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-s, --shape Shape name. For several shapes repeat the parameter: -s SHAPE1 -s SHAPE2 -s SHAPEN Yes
-o, --override Override the existing shapes No
Command example:
set_shapes --project <project name> --zone <zone name> --shape <shape name>
Response example:
5.3.2.23 project set_type
Invoke: project set_type
Sets project type
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-t, --type Project type: BILLABLE, NOT_BILLABLE, NOT_DEFINED Yes
Command example:
set_type --project <project name> --type <project type>
Response example:
5.3.2.24 project unhide
Invoke: project unhide
Unhides the project in the specified zone from UI and CLI
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone No
-p, --project Project abbreviation in EPAM Cloud Yes
Command example:
unhide --project <project name>
Response example:
5.3.2.25 project unlink
Invoke: project unlink
Breaks links of the specified project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
Command example:
unlink --project <project name>
Response example:
5.3.2.26 project update_threshold
Invoke: project update_threshold
Update threshold size for the project in specified zone
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-t, --threshold-size New threshold size for project No
Command example:
update_threshold --project <project name> --zone <zone name> --threshold-size <value>
Response example:
5.3.3 INSTANCE
The ‘instance’ group includes the commands related to instances. The following commands are
available:
Command Description
instance maintenance Sets or releases the maintenance mode for an instance. To set the maintenance mode, specify the '-s/--set' option along with the time frame option. To release the maintenance mode, omit the '-s/--set' option and specify only the project, zone and instance id
instance refresh_missing Finds and marks as deleted all missing instances for the project
To see the list of arguments used with the commands of the ‘instance’ group, type instance
[command_name] -h in the command line.
5.3.3.1 instance maintenance
Invoke: instance maintenance
Sets or releases the maintenance mode for an instance. To set the maintenance mode, specify the '-s/--set'
option along with the time frame option. To release the maintenance mode, omit the '-s/--set' option and specify
only the project, zone and instance id
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-i, --instance-id Instance id. Yes
-t, --time-frame Time frame. The end time of maintenance (required only if maintenance mode must be set) No
-s, --set Whether maintenance mode must be set. No
Command example:
instance maintenance -p <project> -z <zone> -i <instance-id>
Response example:
5.3.3.2 instance refresh_missing
Invoke: instance refresh_missing
Finds and marks as deleted all missing instances for the project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in UPSA. Type 'all' to refresh missing instances on all projects No
-z, --zone Virtualization zone. Use flag all to refresh in all zones Yes
--html Use to get output in html format No
Before you get the response, confirm that you want to perform the operation.
Command example:
instance refresh_missing -z <zone>
Response example:
5.3.4 VOLUMES
The ‘volumes’ group includes the commands related to storage volume management. The following
commands are available:
Command Description
volumes refresh_missing Finds and marks as deleted all missing volumes for the project
volumes set_sys_disks Updates system disk property
To see the list of arguments used with the commands of the ‘volumes’ group, type volumes
[command_name] -h in the command line.
5.3.5 IMAGE
The ‘image’ group includes ‘image hide’ command which manages hiding of PUBLIC/ENTERPRISE
images by image ID (for hiding specified images from user).
Command Description
image hide Manages hiding of PUBLIC/ENTERPRISE images by image ID (for hiding specified images from user)
5.3.6 RESOURCES
The ‘resources’ group includes the ‘resources change_ownership’ command which sets a different
user as the project owner. This command is used when the project owner is dismissed or leaves the
project while their resources remain. In this case the remaining resources can be moved to another user
who should be assigned to the same project. The other command in this group is ‘resources
add_os_client_ar’ which downloads OpenShift client archive to EPAM Orchestrator.
Command Description
resources add_os_client_ar Downloads OpenShift client archive to EO
resources change_ownership Changes resources ownership
To see the list of arguments used with the commands of the ‘resources’ group, type resources [command_name] -h in the command line.
5.3.7 RABBIT
The ‘rabbit’ group includes the commands related to the RabbitMQ server configuration. The following
commands are available:
Command Description
rabbit check Checks local RabbitMQ server configuration
rabbit clean Removes redundant queues and exchanges from RabbitMQ server. Please make sure that Orchestrator is stopped.
rabbit config Configures local RabbitMQ server. Please make sure that Orchestrator is stopped.
rabbit create_upstream Creates a new federation upstream parameter. Please make sure that Orchestrator is stopped.
rabbit federate Federates all exchanges with another broker(s), defined in upstream parameters. Please make sure that Orchestrator is stopped.
rabbit shovel Create shovel configuration to move messages from replies queue. Please make sure that Orchestrator is stopped.
rabbit show_upstreams Describes existing federation upstream parameters
To see the list of arguments used with the commands of the ‘rabbit’ group, type rabbit
[command_name] -h in the command line.
5.3.8 RADAR
The ‘radar’ group includes the commands related to zones monitoring. The following commands are
available:
Command Description
radar add_credits Adds credits for the specified cloud to radar. Can be applied only for previous months.
radar aggregate Aggregates radar for the specified month
radar send_report Sends cloud radar report for the specified date
For the arguments used with the commands of the ‘radar’ group type radar [command_name] -h in the
command line.
5.4 BILLING
The ‘Billing’ category includes the commands related to billing configuration and pricing policy in EPAM
Cloud.
5.4.1 BILLING
The ‘billing’ group includes the commands related to billing in EPAM Cloud. The following commands are
available:
Command Description
billing add_services Adds supported service(s)
billing aggregate_yearly_records Aggregates yearly billing records
billing archive_collection Archives outdated documents from collection
billing aws_china Processes China billing report file
billing aws_update_period Describes or changes AWS billing update period
billing azure_api Describes or changes Azure API version
billing cbm_for_account Closes billing month for single account and generates non-sendable report
billing close_month Closes billing month
billing describe_bss_projects Shows all BSS projects for BSS report type only
billing describe_business_units Shows all business units
billing describe_month Describes billing month
billing download Disables or enables billing updating for the specified provider
billing get_customer Provides customers for the specified projects
billing get_services Describe supported services
billing get_top_accounts_report Sends report for the top 10 expensive EO accounts
billing health_check Checks billing consistency
billing hide_location Hides hardware location from or2price command
billing lock Locks billing
billing manage_bss_projects Adds and removes BSS projects for BSS report type only
billing reset Resets billing for the specified project in the specified Cloud
billing send_sponsor_report Sends sponsors report
billing send_units_reports Sends business unit reports
billing set_adjustment Sets cost adjustments for the specified project
billing set_cost_center Sets cost center name
billing unlock Unlocks billing
billing update_aws_cost_column_name Updates AWS cost column name
billing update_monitoring Updates monitoring data
billing update_reports_config Updates business units reports configuration
billing upload_azure_report Uploads Azure billing report from bucket to MongoDB
To see the list of arguments used with the commands of the ‘billing’ group, type billing
[command_name] -h in the command line.
5.4.2 PRICING_POLICY
The ‘pricing_policy’ group includes the commands related to the pricing policy. The following commands
are available:
Command Description
pricing_policy change_time_unit_to_per_second Updates timeUnit scales and time unit to PER_SECOND for open pricing policy
pricing_policy check Validates and shows pricing policy changes
pricing_policy get Shows pricing policies details as xml file
pricing_policy revert Removes open policy and removes useTo field from previous policy
pricing_policy update Updates pricing policies
To see the list of arguments used with the commands of the ‘pricing_policy’ group, type pricing_policy
[command_name] -h in the command line.
5.4.3 TIMELINE
The ‘timeline’ group includes the commands related to instance billing timelines. The following
commands are available:
Command Description
timeline check_resource Validates all timelines for the resource
timeline close Forcibly closes all timelines for the specified resources
timeline open Forcibly opens timelines for the specified resources
To see the list of arguments used with the commands of the ‘timeline’ group, type timeline
[command_name] -h in the command line.
5.5 AWS
The ‘AWS’ category includes the commands related to resource configuration and management on the
AWS platform, as well as to the management of security groups in AWS.
5.5.1 AWS
The ‘aws’ group includes the commands related to the AWS platform. The following commands are
available:
Command Description
aws activ_cloudtrail Activates AWS Cloud Trail service for the project
aws activate_project Activates an AWS project in EPAM Cloud Orchestrator
aws activate_ssm Activates AWS SSM for project
aws add_account Adds AWS account
aws add_az Adds availability zone for the specified AWS region
aws add_group Adds IAM group to the project
aws add_image Adds AWS image
aws add_user Adds a new user
aws add_zone Adds a new AWS zone
aws assoc_inst_prof Associates instance profile
aws assume_role Enables or disables using assume role for the account
aws attach_policy Attaches IAM policy to the IAM entity in DB
aws check_account Checks the AWS account associated with the specified project
aws check_config Checks AWS configuration (including Cloud Trail, Security Groups, default instance role for the project)
aws config_account Configures AWS account
aws config_group Configures IAM group, updates group policy, changes group name (for the Project scope only)
aws config_project Creates basic EPC project configuration
aws config_sso Configures SSO
aws create_account Create AWS account via organization API
aws create_alias Creates an alias for your AWS account
aws create_organization_role Creates custom role for assuming
aws deactiv_cloudtrail Deactivates Cloud Trail on the project
aws del_account Marks AWS account as deleted in the DB or deletes account permanently. Removes AwsOrganizationRoles in both cases.
aws delete_image Deletes image from AWS zone. Assigns status DELETED for the image and does not delete it on AWS side
aws delete_on_termination Sets up deleteOnTermination policy for the project
aws delete_organization_role Deletes role for assuming
aws delete_user Deletes IAM user
aws describe_az Retrieves availability zones for the specified zone
aws describe_groups Describes IAM groups for the project
aws detach_policy Detaches policy from the IAM entity in DB
aws export_cost_and_usage_report Sets up cost and usage report export
aws export_detailed_billing_report Sets up detailed billing report export to the S3 bucket
aws get_accounts Describes existing AWS accounts
aws get_cloudtrail Describes Cloud Trail
aws get_iam_entities Describe available roles
aws get_policies Describes available policies. Gives the name and policy type
aws get_token Returns a set of temporary security credentials
aws list_organization_roles Shows the list of roles for assuming
aws move_account Moves linked account to another paying account
aws remove_az Removes availability zone for the specified AWS region
aws remove_saml Removes SAML provider
aws rename_user Renames IAM user
aws save_policy Saves IAM policy to DB
aws set_ami_up_desc Set Ami amazonDescriptionTemplate field used to update Linux Ami IDs
aws set_def_role Creates default instance role in AWS account for the specified project
aws sso_add_custom_role Adds custom SSO role for the particular user
aws sso_del_custom_role Deletes custom SSO role for the particular user
aws sso_get_custom_role Gets custom SSO roles
aws sso_manage_access Manages access to AWS SSO, restricts access to the particular roles
aws manage_def_role Manage default instance role in AWS account
aws tag_user Adds or deletes tag for IAM user
aws up_group_policy Uploads group policy from DB to the specified group for the specified AWS accounts
aws up_man_policy Uploads managed policy to the specified AWS accounts
aws update_amis Updates AWS Windows AMIs
aws upload_ssm_document Uploads an SSM document to the DB
To see the list of arguments used with the commands of the ‘aws’ group, type aws [command_name] -h
in the command line.
5.5.1.1 aws active_cloudtrail
Invoke: aws active_cloudtrail
Activates AWS Cloud Trail service for the project.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-b, --bucket-name S3 bucket name No
-l, --log-file-prefix Log file prefix No
5.5.1.2 aws activate_project
Invoke: aws activate_project
Activates an AWS project in EPAM Cloud Orchestrator.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-s, --shape Shape name. For several shapes repeat the parameter: -s SHAPE1 -s SHAPE2 -s SHAPEN Yes
-f, --fake-project Fake project No
-c, --account AWS account name No
-y, --paying-account-name AWS paying account name. In this case linked account will be chosen from the specified paying account pool. No
-z, --zone Virtualization zone No
-n, --subnet-id ID of AWS region subnet in which all resources of a project will be created. No
--all All zones except unreachable. No
-x, --expiration-date Project expiration date. Valid date format: [yyyy-MM-dd]. No
--skip-cloud-trail Use this flag to skip cloud trail activation No
Response Elements
Name Description
pmcCode Project code
name Project name
zone Zone name
shapes Shapes
primaryContacts Primary contacts
secondaryContacts Secondary contacts
instanceCreationIntervalHours Instance creation interval described in hours
volumeCreationIntervalHours Volume creation interval described in hours
maxVolumeSizeGb Maximum volume size in Gb
activationDate Activation date
expirationDate Expiration date
subscriptionId Subscription ID
Command example
aws activate_project -p <project> -f -s <shape> -s <shape> -c <aws_account_name> -z <zone> --skip-cloud-trail
Command response
5.5.1.3 aws activate_ssm
Invoke: aws activate_ssm
Activates AWS SSM for the project.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-p, --project Project abbreviation in EPAM Cloud Yes
Command example:
aws activate_ssm -p <project> -z <zone>
Command response:
5.5.1.4 aws add_account
Invoke: aws add_account
Adds AWS account.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-c, --access-key AWS access key. Required for reachable accounts. No
-a, --account-id AWS account ID Yes
-s, --secret-key AWS secret key. Required for reachable accounts. No
-t, --type AWS account type. Should be one of: PAYING, LINKED Yes
-f, --bill-from The date to start billing from. Required for reachable PAYING accounts Yes
-b, --bucket-name AWS bucket name. Required for reachable PAYING accounts No
-l, --log-bucket AWS cloud trail bucket prefix. Required for reachable PAYING accounts No
-p, --paying-account-name Paying account name. Required for LINKED accounts No
-u, --unreachable Unreachable account No
Response Elements
Name Description
id Object id in MongoDB
name AWS account name
account AWS account ID
type AWS account type
mostRecentRecordDate The most recent record date
unreachable Show whether the account is unreachable (true/false)
deleted Show whether the account was deleted (true/false)
createdDate Creation date
Command example
aws add_account -a <account_id> -t <account type> -p <paying_account_name>
Command response
5.5.1.5 aws add_az
Invoke: aws add_az
Adds availability zone for the specified AWS region.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
--z, --zone Virtualization zone Yes
-a, --availability-zone AWS availability zone (e.g. us-east-1b) Yes
5.5.1.6 aws add_group
Invoke: aws add_group
Adds IAM group to the project.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-n, --name Group name Yes
-l, --policy-location Group policy location Yes
5.5.1.7 aws add_image
Invoke: aws add_image
Adds AWS image.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --image-id Image ID Yes
-d, --description Image description Yes
-g, --group Image group: [public, enterprise] Yes
-u, --username Default SSH user Yes
-t, --os-type Type of operating system: [Windows, Linux, CoreOS, Fedora CoreOS]. Required with description-template No
-a, --ami-id AWS image ID. Cannot be used with description-template and all-zones No
-s, --description-template AWS description search template. Cannot be used with ami-id No
-v, --virt-profile Name of zone virt profile to associate with, by default x64.hvm No
-z, --zone Virtualization zone No
--all-zones All zones, except unreachable. Cannot be used with ami-id No
--rewrite Rewrite parameters of existing image No
Response Elements
Name Description
Zone Zone name
AWS AMI AWS AMI
Status Show command status
Message Provide additional information
Command example
aws add_image -i Ubuntu16.04_64-bit -d "Ubuntu 16.04 64-bit LTS" -s "Canonical, Ubuntu, 16.04 LTS, amd64 xenial image build on*" -g public -t linux -u ubuntu --all-zones --rewrite
Command response
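The cross-parameter rules in the 'aws add_image' table above, expressed as a pre-flight check that can be run on a command line before it is submitted. This is an added example, not part of the Admin Guide or of the Maestro CLI itself; the function and constant names are hypothetical, and values are assumed to be matched case-insensitively because the guide's own command example passes -t linux.

```python
import argparse
import shlex

# Allowed values as listed in the 'aws add_image' parameter table.
GROUPS = ("public", "enterprise")
OS_TYPES = ("Windows", "Linux", "CoreOS", "Fedora CoreOS")

# The command example from the guide, joined onto one line.
PAGE_EXAMPLE = (
    'aws add_image -i Ubuntu16.04_64-bit -d "Ubuntu 16.04 64-bit LTS" '
    '-s "Canonical, Ubuntu, 16.04 LTS, amd64 xenial image build on*" '
    "-g public -t linux -u ubuntu --all-zones --rewrite"
)


class _RaisingParser(argparse.ArgumentParser):
    """argparse exits the process on bad input; raise instead."""

    def error(self, message):
        raise ValueError(message)


def build_parser():
    """Mirror the option names and Required column of the table."""
    p = _RaisingParser(prog="aws add_image", add_help=False, allow_abbrev=False)
    p.add_argument("-i", "--image-id", required=True)
    p.add_argument("-d", "--description", required=True)
    p.add_argument("-g", "--group", required=True)
    p.add_argument("-u", "--username", required=True)
    p.add_argument("-t", "--os-type")
    p.add_argument("-a", "--ami-id")
    p.add_argument("-s", "--description-template")
    p.add_argument("-v", "--virt-profile", default="x64.hvm")
    p.add_argument("-z", "--zone")
    p.add_argument("--all-zones", action="store_true")
    p.add_argument("--rewrite", action="store_true")
    return p


def check_add_image(command_line):
    """Return a list of rule violations; an empty list means none were found."""
    tokens = shlex.split(command_line)
    if tokens[:2] != ["aws", "add_image"]:
        return ["not an 'aws add_image' command"]
    try:
        args = build_parser().parse_args(tokens[2:])
    except ValueError as exc:
        # Missing required option or unknown option.
        return [str(exc)]

    problems = []
    # Assumption: case-insensitive matching of enumerated values.
    if args.group.lower() not in GROUPS:
        problems.append("--group must be one of: " + ", ".join(GROUPS))
    if args.os_type is not None and args.os_type.lower() not in {
        o.lower() for o in OS_TYPES
    }:
        problems.append("--os-type must be one of: " + ", ".join(OS_TYPES))
    # "Required with description-template"
    if args.description_template and args.os_type is None:
        problems.append("--os-type is required with --description-template")
    # "Cannot be used with description-template and all-zones"
    if args.ami_id and args.description_template:
        problems.append("--ami-id cannot be used with --description-template")
    if args.ami_id and args.all_zones:
        problems.append("--ami-id cannot be used with --all-zones")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; ami-EXAMPLE is a placeholder, not a real AMI ID.
    samples = [
        PAGE_EXAMPLE,
        'aws add_image -i img -d "d" -g public -u ubuntu -a ami-EXAMPLE --all-zones',
        'aws add_image -i img -d "d" -g public -u ubuntu -s "tmpl*"',
    ]
    for line in samples:
        found = check_add_image(line)
        print("OK " if not found else "BAD", line)
        for item in found:
            print("    ", item)
```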
5.5.1.8 aws add_user
Invoke: aws add_user
Adds a new user.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-e, --email User email address Yes
-a, --auto Create auto user No
-r, --creation-reason Short description of creation reason Yes
Response Elements
Name Description
Secret key Secret key
Access key Access key
User name Username
Command example
aws add_user -p <project> -e <[email protected]> -a -r test
Command response
5.5.1.9 aws add_zone
Invoke: aws add_zone
Adds a new AWS zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-l, --location Location (e.g. North Europe) No
--ar, --aws-region AWS region code. (e.g. eu-central-1) Yes
-a, --availability-zone AWS availability zone Yes
--ra, --aws-region-abbreviation AWS region abbreviation. Required for reachable zones. Use Cost Explorer to find it or visit following link: https://docs.aws.amazon.com/en_us/AmazonS3/latest/dev/aws-usage-report-understand.html No
-c, --cf-endpoint CF2 endpoint. Required for reachable zones No
-e, --ec-endpoint EC2 endpoint. Required for reachable zones No
-t, --ct-endpoint CT endpoint. Required for reachable zones No
-s, --s-endpoint S3 endpoint. Required for reachable zones No
-w, --cw-endpoint CloudWatch endpoint. Required for reachable zones. No
-z, --zone Virtualization zone Yes
-r, --region Virtualization region Yes
--assign Assigns zone to the currently active node No
--disable-billing-mix-mode Defines whether this zone supports billing mode No
--unreachable Marks zone as unreachable by the orchestrator No
5.5.1.10 aws assoc_inst_prof
Invoke: aws assoc_inst_prof
Associates instance profile.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud No
--all Applies for all No
5.5.1.11 aws assume_role
Invoke: aws assume_role
Enables or disables using assume role for the account
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-l, --linked-account-name Linked account name Yes
-a, --activate Flag for activation No
-d, --deactivate Flag for deactivation No
5.5.1.12 aws attach_policy
Invoke: aws attach_policy
Attaches IAM policy to the IAM entity in DB
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --policy AWS policy name Yes
-n, --entity-name AWS IAM entity name Yes
-t, --type AWS IAM entity type. One of: SSO_ROLE Yes
5.5.1.13 aws check_account
Invoke: aws check_account
Checks the AWS account associated with the specified project.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud No
-l, --linked-account-name AWS Linked account name No
5.5.1.14 aws check_config
Invoke: aws check_config
Checks AWS configuration (including Cloud Trail, Security Groups, default instance role for the project).
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud No
--target Parameter to indicate where to display result of the command. Must be one of [ssh_console, file, email] No
Command example
aws check_config -p <project>
The command will be executed in the asynchronous mode.
Command response
5.5.1.15 aws config_account
Invoke: aws config_account
Configures AWS account.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-l, --linked-account-name AWS Linked account name No
-p, --project Project abbreviation in EPAM Cloud No
5.5.1.16 aws config_group
Invoke: aws config_group
Configures IAM group, updates group policy, changes group name (for the Project scope only).
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud No
-s, --scope Scope. [DEFAULT, PROJECT]. Default value: DEFAULT No
-n, --name Group name Yes
-l, --policy-location Group policy location No
5.5.1.17 aws config_project
Invoke: aws config_project
Creates basic EPC project configuration.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-c, --account AWS account name Yes
-z, --zone Virtualization zone Yes
-f, --default-common-costs Default for common costs flag No
-n, --subnet-id ID of AWS region subnet in which all resources of a project will be created. No
Command example
aws config_project -p <project> -c <aws_account_name> -z <zone>
Command response
5.5.1.18 aws config_sso
Invoke: aws config_sso
Configures SSO.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud No
--all Applies for all No
5.5.1.19 aws create_account
Invoke: aws create_account
Create AWS account via organization API.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --paying-account-name AWS Paying account name Yes
-e, --email Account email Yes
Command example
aws create_account -p <aws_paying account name> -e [email protected]
The command will be executed in the asynchronous mode.
Command response
5.5.1.20 aws create_alias
Invoke: aws create_alias
Creates an alias for your AWS account.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --account AWS account name No
-s, --alias AWS account alias No
5.5.1.21 aws create_organization_role
Invoke: aws create_organization_role
Creates custom role for assuming.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-r, --root AWS Account ID that will assume the role Yes
-p, --project Project abbreviation in EPAM Cloud Yes
-l, --policy AWS Managed Policy arn list. For several shapes repeat the parameter: -l arn1 -l arn2 -l arn3 Yes
-n, --name Role name Yes
-d, --description Short description of creation reason Yes
-I, --id External ID No
5.5.1.22 aws deactiv_cloudtrail
Invoke: aws deactiv_cloudtrail
Deactivates Cloud Trail on the project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
5.5.1.23 aws del_account
Invoke: aws del_account
Marks AWS account as deleted in the DB or deletes account permanently. Removes
AwsOrganizationRoles in both cases.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --account AWS account name Yes
-p, --delete-permanently Use this flag to delete AWS account document from DB No
-f, --force Force operation. Only for case when account will be marked as deleted. No
Command example
aws del_account -a <aws_account_name> -f
Before you get the response, confirm that you want to perform the operation.
Command response
5.5.1.24 aws delete_image
Invoke: aws delete_image
Deletes image from AWS zone. Assigns status DELETED for the image and does not delete it on AWS
side.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-I, --image-id Image ID Yes
-v, --virt-typ Virtualization type: [HVM, PV] No
-a, --ami AWS image ID No
-z, --zone Virtualization zone No
--all-zones All zones, except unreachable No
5.5.1.25 aws delete_on_termination
Invoke: aws delete_on_termination
Sets up deleteOnTermination policy for the project.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-a, --activate Flag for activation No
-d, --deactivate Flag for deactivation No
5.5.1.26 aws delete_organization_role
Invoke: aws delete_organization_role
Deletes role for assuming.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-n, --name Role name Yes
5.5.1.27 aws delete_user
Invoke: aws delete_user
Deletes IAM user.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-u, --username Username Yes
-r, --reason Reason Yes
-p, --project Project abbreviation in EPAM Cloud Yes
5.5.1.28 aws describe_az
Invoke: aws describe_az
Retrieves availability zones for the specified zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone No
--all All zones No
Response Elements
Name Description
Zone name Zone name
Availability zones Availability zones
Command example
aws describe_az -z <zone>
Command response
5.5.1.29 aws describe_groups
Invoke: aws describe_groups
Describes IAM groups for the project.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
Command Example
aws describe_groups -p <project>
You will receive the response in JSON format.
5.5.1.30 aws detach_policy
Invoke: aws detach_policy
Detaches policy from the IAM entity in DB
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --policy AWS policy name Yes
-n, --entity-name AWS IAM entity name Yes
-t, --type AWS IAM entity type. One of: SSO_ROLE Yes
5.5.1.31 aws export_cost_and_usage_report
Invoke: aws export_cost_and_usage_report
Sets up cost and usage report export.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --account-name AWS account name. Example: awsacc-cb2ccd2f Yes
-b, --bucket-name AWS bucket name. Will be created if not exists. Required for activation. No
-d, --deactivate Flag for deactivation. Activation by default No
5.5.1.32 aws export_detailed_billing_report
Invoke: aws_export_detailed_billing_report
Sets up detailed billing report export to the S3 bucket.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --account-name AWS account name. Example: awsacc-cb2ccd2f Yes
-b, --bucket-name AWS bucket name. Will be created if not exists. Required for activation. No
-z, --zone AWS bucket's zone name. Required for activation No
-t, --archive-type Archive type: zip, gzip. Default: gzip. No
-d, --deactivate Flag for deactivation. Activation by default No
5.5.1.33 aws get_accounts
Invoke: aws_get_accounts
Describes existing AWS accounts.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-t, --type AWS account type. Should be one of: PAYING, LINKED No
-c, --account AWS account name No
-p, --project Project abbreviation in EPAM Cloud. Use 'none' to get accounts in pool No
Response Elements
Name Description
Account name Account name
Account id Account ID
Account type Account type
Used by Show the project that uses this account
Created date Creation date
Unreachable Show whether the account is unreachable. (true/false)
External id External ID
Command example
aws get_accounts
Command response
5.5.1.34 aws get_cloudtrail
Invoke: aws-get_cloudtrail
Describes Cloud Trail.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone No
Response Elements
Name Description
project Project name
region Region name
trail Trail
bucket Bucket name
logPrefix Log prefix
logValidationEnabled Shows whether log validation is enabled
Command example
aws get_cloudtrail -z <zone> -p <project>
Command response
5.5.1.35 aws get_iam_entities
Invoke: aws get_iam_entities
Describe available roles.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --name AWS IAM entity name. Will get all entities with general info, if not specified No
-t, --type AWS IAM entity type. Use for filtering by type or for describing detailed info by name. One of: SSO_ROLE No
Response Elements
Name Description
name Role name
iamEntityType IAM entity type
scope Scope
Command example
aws get_iam_entities
Command response
5.5.1.36 aws get_policies
Invoke: aws get_policies
Describes available policies. Gives the name and policy type.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --name AWS policy name. Policy will be sent to email No
Response Elements
Name Description
name Policy name
type Policy type
Command example
aws get_policies
Response example
5.5.1.37 aws grant_licenses
Invoke: aws_grant_licenses
Grant AWS Marketplace licenses from Organization Parent to the project account
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud No
--all Execute for all active projects No
Command example:
aws_grant_licenses -p <project>
Response example:
5.5.1.38 aws get_token
Invoke: aws_get_token
Returns a set of temporary security credentials.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud No
--a, --account AWS account name No
--json Use this flag to get output as plain JSON No
5.5.1.39 aws list_organization_roles
Invoke: aws list_organization_roles
Shows the list of roles for assuming.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud No
-n, --name Role name No
Response Elements
Name Description
roleName Role name
roleArn Role ARN
projectCode Project code
description Description
externalId External ID
Command example
aws list_organization_roles
Response example
5.5.1.40 aws manage_def_role
Invoke: aws manage_def_role
Manage default instance role in AWS account
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --action Policy action, allowed values are: [DESCRIBE, ATTACH, DETACH], by default is describe No
-n, --policy-name The name of policy. Required for actions ATTACH and DETACH No
Command example:
aws manage_def_role -a action -n policy-name
Command response:
5.5.1.41 aws move_account
Invoke: aws_move_account
Moves linked account to another paying account.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-l, --linked-account AWS linked account name Yes
-p, --paying-account Target AWS paying account name Yes
5.5.1.42 aws remove_az
Invoke: aws_remove_az
Removes availability zone for the specified AWS region.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-a, --availability-zone AWS availability zone (e.g. us-east-1b) Yes
5.5.1.43 aws remove_saml
Invoke: aws_remove_saml
Removes SAML provider
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud No
--all Applies for all No
5.5.1.44 aws rename_user
Invoke: aws_rename_user
Renames IAM user.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-u, --username Name of the user to be renamed Yes
-n, --new-username New name of the user Yes
-p, --project Project abbreviation in EPAM Cloud Yes
5.5.1.45 aws save_policy
Invoke: aws save_policy
Saves IAM policy to DB
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --name AWS policy name Yes
-f, --file File name. Please be sure that you have placeholders instead of accounts, buckets names No
-t, --type Type. One of: INLINE, MANAGED, MANAGED_CUSTOM, ORGANIZATION, S3 Yes
5.5.1.46 aws set_ami_up_desc
Invoke: aws_set_ami_up-desc
Set Ami amazonDescriptionTemplate field used to update Linux Ami IDs.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone No
-i, --image-id Image ID on EO Yes
-d, --description-template Amazon description template No
-c, --clean-up Flag for clean up Amazon description template No
5.5.1.47 aws set_def_role
Invoke: aws set_def_role
Creates default instance role in AWS account for the specified project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
5.5.1.48 aws sso_add_custom_role
Invoke: aws_sso_add_custom_role
Adds custom SSO role for the particular user
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e,--email User email address Yes
-n, --name AWS IAM role name. Use command 'get_iam_entities -t SSO_ROLE' to see possible options. Yes
-p, --project Project abbreviation in EPAM Cloud Yes
Response example:
5.5.1.49 aws sso_del_custom_role
Invoke: aws_sso_del_custom_role
Deletes custom SSO role for the particular user.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e,--email User email address Yes
-n,--name AWS IAM role name. Use command 'get_iam_entities -t SSO_ROLE' to see possible options. Yes
-p, --project Project abbreviation in EPAM Cloud Yes
5.5.1.50 aws sso_get_custom_role
Invoke: aws_sso_get_custom_role
Gets custom SSO roles.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e,--email User email address Yes
Command response:
5.5.1.51 aws sso_manage_access
Invoke: aws sso_manage_access
Manages access to AWS SSO, restricts access to the particular roles.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud No
-e,--email User email address Yes
-i, --iam-entity-name AWS IAM role name. Use command 'get_iam_entities -t SSO_ROLE' to see possible options. No
-a, --action Action type [list(default), create, delete] No
5.5.1.52 aws tag_user
Invoke: aws tag_user
Adds or deletes tag for IAM user.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project * Project abbreviation in EPAM Cloud Yes
-e,--email * User email address Yes
--add Add tag to user No
--delete Delete tag from user No
5.5.1.53 aws up_group_policy
Invoke: aws up_group_policy
Uploads group policy from DB to the specified group for the specified AWS accounts.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --name AWS group name No
-a, --account AWS account names for uploading policy. Upload for all accounts if not set. No
5.5.1.54 aws up_man_policy
Invoke: aws up_man_policy
Uploads managed policy to the specified AWS accounts.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --name AWS policy name No
-f, --file File name Yes
-a, --account AWS account names for uploading policy. Upload for all accounts if not specified. Yes
5.5.1.55 aws update_amis
Invoke: aws update_amis
Updates AWS AMIs.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone No
-t, --os-type OS type. Allowed values are: WINDOWS, LINUX No
Response Elements
Name Description
Zone Zone name
Old ami ID Old ami ID
New ami ID New ami ID
Image amazon description Amazon image description
Command example
aws update_amis
Response example
5.5.1.56 aws upload_ssm_document
Invoke: aws upload_ssm_document
Uploads a SSM document to the DB.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-f, --file-name AWS SSM document file name Yes
Command example:
aws upload_ssm_document -f <file_name>
Command response:
5.5.2 AWS_SECURITY
The ‘aws_security’ group includes the commands related to the security in AWS. The following
commands are available:
Command Description
aws_security check_mfa Describes users without MFA
aws_security configure_organization_scp Configures organization SCP
aws_security delete_user_mfa_device Deletes user MFA device from IAM
aws_security describe_backups Describes security groups backup information for the project
aws_security describe_keys Lists access keys for the orchestrator user
aws_security describe_sg_resources Describes security group resources
aws_security disable_orchestrator_user Disables the specified orchestrator user in all AWS accounts
aws_security get_backup Gets project security groups backup information. Sends the backup configuration of the security groups to email
aws_security lock_organization Sets all AWS accounts in organization to read only mode
aws_security manage_custom_acl Manages Network ACL for the specified project
aws_security manage_prefix_lists Manages prefix lists with db configuration
aws_security manage_sec_groups Manages security groups in AWS account
aws_security reset_user_password_mfa Resets user password and MFA devices
aws_security restore_groups Restores backup configuration for the AWS security group. A backup of the current configuration is created before restoring.
aws_security rotate_keys Rotates access key for the orchestrator user, creates and sets new access key, disables or deletes old access keys.
aws_security save_groups Saves current security groups configuration
aws_security set_def_groups Applies configuration for the AWS security groups
To see the list of arguments used with the commands of the ‘aws_security’ group, type aws_security
[command_name] -h in the command line.
5.5.2.1 aws_security check_mfa
Invoke: aws security check_mfa
Describes users without MFA.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
--target Parameter to indicate where to display the result of the command. Must be one of [ssh_console, file, email] No
5.5.2.2 aws_security configure_organization_scp
Invoke: aws security configure_organization_scp
Configures organization SCP.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p , --project Project abbreviation in EPAM Cloud No
--all Execute for all active projects No
5.5.2.3 aws_security delete_user_mfa_device
Invoke: aws security delete_user_mfa_device
Deletes user MFA device from IAM.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-e,--email User email address Yes
Response example:
5.5.2.4 aws_security describe_backups
Invoke: aws security describe_backups
Describes security groups backup information for the project.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
Response example:
5.5.2.5 aws_security describe_keys
Invoke: aws security describe_keys
Lists access keys for the orchestrator user
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-c , --account AWS account name No
-p , --project Project abbreviation in EPAM Cloud No
--all Execute for all reachable accounts No
Response example:
5.5.2.6 aws_security describe_sg_resources
Invoke: aws_security describe_sg_resources
Describes security group resources
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-g, --group-id Security group id No
-I, --instance Operational instance id No
--describe-rules Describe security group rules No
--describe-unused Describe security groups which are not attached to any network interface No
--target Parameter to indicate where to display the result of the command. Must be one of [ssh_console, file, email] No
Response example:
5.5.2.7 aws_security disable_orchestrator_user
Invoke: aws security disable_orchestrator_user
Disables the specified orchestrator user in all AWS accounts.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
5.5.2.8 aws_security get_backup
Invoke: aws security get_backup
Gets project security groups backup information. Sends the backup configuration of the security groups to email
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-i, --backup-id Backup id for restoring No
-d, --date The date to restore from, in [yyyy-MM-dd'T'HH, yyyy-MM-dd'T'HH:mm] format (UTC) No
-l, --label To restore by label No
Response example:
5.5.2.9 aws_security lock_organization
Invoke: aws security lock_organization
Sets all AWS accounts in organization to read only mode.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
5.5.2.10 aws_security manage_custom_acl
Invoke: aws security manage_custom_acl
Manages custom project Network ACL.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
--add Use this flag to add new custom ACL entry No
--delete Use this flag to delete existing custom ACL entry No
--egress Use this flag to specify whether the ACL entry is egress. (Ingress by default) No
-n, --number Rule number. Must be a number in range 1 to 32766 No
-r, --protocol Ip Protocol. Use -1 for All protocols/All ports No
-c, --cidr CIDR block No
-f, --from-port From port No
-t, --to-port To port No
-a, --action Action. Allowed values are: Allow, Deny No
Response example:
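A pre-flight check for one custom ACL entry, built from the constraints in the parameter table above (rule number range, Allow/Deny, CIDR block, port range). This is an added example, not part of the Maestro CLI or of this guide; the function names, the case-sensitive action match and the 0..65535 port bound are assumptions.

```python
import ipaddress
import shlex

RULE_MIN, RULE_MAX = 1, 32766   # range given for -n/--number
ACTIONS = ("Allow", "Deny")     # values given for -a/--action (exact match is an assumption)


def check_acl_entry(number, protocol, cidr, action,
                    from_port=None, to_port=None, egress=False):
    """Return (errors, warnings) for one custom ACL entry."""
    errors, warnings = [], []

    if not isinstance(number, int) or not RULE_MIN <= number <= RULE_MAX:
        errors.append(f"rule number {number!r} is outside {RULE_MIN}..{RULE_MAX}")
    if action not in ACTIONS:
        errors.append(f"action {action!r} is not one of {ACTIONS}")

    net = None
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.20.0.1/16
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        errors.append(f"bad CIDR block {cidr!r}: {exc}")

    all_protocols = str(protocol) == "-1"
    if from_port is not None or to_port is not None:
        if all_protocols:
            warnings.append("protocol -1 already covers all ports; port range is redundant")
        elif None in (from_port, to_port):
            errors.append("from-port and to-port must be given together")
        elif not all(isinstance(p, int) and 0 <= p <= 65535 for p in (from_port, to_port)):
            errors.append("ports must be integers in 0..65535")
        elif from_port > to_port:
            errors.append(f"from-port {from_port} is greater than to-port {to_port}")

    # Flag the entry a reviewer would want to see before it is applied.
    if net is not None and net.prefixlen == 0 and action == "Allow" and not egress:
        scope = "all protocols" if all_protocols else f"protocol {protocol}"
        warnings.append(f"ingress Allow from any address ({cidr}) for {scope}")
    return errors, warnings


def build_command(project, zone, number, protocol, cidr, action,
                  from_port=None, to_port=None, egress=False):
    """Return the manage_custom_acl --add command line, or raise ValueError."""
    errors, _ = check_acl_entry(number, protocol, cidr, action,
                                from_port, to_port, egress)
    if errors:
        raise ValueError("; ".join(errors))
    argv = ["aws_security", "manage_custom_acl", "-p", project, "-z", zone, "--add"]
    if egress:
        argv.append("--egress")
    argv += ["-n", str(number), "-r", str(protocol), "-c", cidr]
    if from_port is not None and str(protocol) != "-1":
        argv += ["-f", str(from_port), "-t", str(to_port)]
    argv += ["-a", action]
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed sample values; DEMO and ZONE1 are placeholders.
    print(build_command("DEMO", "ZONE1", 100, "6", "10.20.0.0/16", "Allow", 443, 443))
    print(check_acl_entry(200, "-1", "0.0.0.0/0", "Allow"))
```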
5.5.2.11 aws_security manage_prefix_lists
Invoke: aws security manage_prefix_lists
Manages prefix lists with db configuration.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --action Manage action, allowed values are: setup, describe, check Yes
-z, --zone Virtualization zone No
-m, --max-size Max size No
-s, --security-group Security group name No
Command example:
aws_security manage_prefix_lists -a <action> -z <zone> -m <max-size> -s <security-group>
5.5.2.12 aws_security manage_sec_groups
Invoke: aws security manage_sec_groups
Manages security groups in AWS account
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-n, --group-name Security group name. No
-e, --description Security group description. Required for action CREATE No
-a, --action Security group action. Allowed values are [CREATE, DESCRIBE, DELETE, ADD_RULE, DELETE_RULE, LIST_RULES]. No
-s, --security-group-id Security group id. Required for action DELETE, ADD_RULE and DELETE_RULE No
-v, --vpc-id VPC id. Required for action CREATE, optionally can be used for DESCRIBE action. No
-r, --protocol Ip protocol. For example, TCP, UDP. Use -1 for all protocols. No
-d, --direction Rule type, allowed values are [inbound, outbound]. No
-o, --port-range The port range (for the TCP and UDP protocols). No
-I, --ip-range IP range. For several ip ranges repeat the parameter: -i 0.0.0.0/0 -i value 1.1.1.1/1 No
-f, --prefix-list-id Prefix list id. For several prefix lists repeat the parameter -f No
-c, --source-group-id The security group id which you can set as destination/source of security group rule. Allowed for action ADD_RULE and DELETE_RULE. No
-t, --instance Instance id. Applicable for ATTACH and DETACH actions No
--ni, --network-interface-id Network interface id. Applicable for ATTACH and DETACH actions No
--tz, --target-zone Target zone name. Parameter is required only for CLONE action No
--target Parameter to indicate where to display the result of the command. Must be one of [ssh_console, file, email] No
Response Elements
Name Description
Security group name Security group name
Security group id Security group id
VPC ID VPC ID
Description Description
Action CREATE
Command example:
manage_sec_groups --project <project> --zone <zone> --action create --group-name <group name> --description <description> --vpc-id <vpc id>
Response example:
Action DESCRIBE
manage_sec_groups --project <project> --zone <zone>
Response example:
Action DELETE
Command example:
manage_sec_groups --project <project> --zone <zone> --action delete --security-group-id <security group id>
Response example:
Action ADD_RULE
Command example:
manage_sec_groups --project <project> --zone <zone> --action add_rule --security-group-id <security-group id> --direction <direction> --protocol <protocol> --source-group-id <source group id>
Response example:
Action DELETE_RULE
Command example:
manage_sec_groups --project <project> --zone <zone> --action delete_rule --security-group-id <security group id> --direction <direction> --protocol <protocol> --source-group-id <source group id>
Response example:
Action LIST_RULES
Command example:
manage_sec_groups --project <project> --zone <zone> --action list_rules
Response example:
5.5.2.13 aws_security reset_user_password_mfa
Invoke: aws security reset_user_password_mfa
Reset user password and MFA devices
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-e,--email User email address Yes
Response example:
5.5.2.14 aws_security restore_groups
Invoke: aws security restore_groups
Restores backup configuration for the AWS security group. A backup of the current configuration is created before restoring.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-I, --backup-id Backup id for restoring No
-d, --date The date to restore from, in [yyyy-MM-dd'T'HH, yyyy-MM-dd'T'HH:mm] format (UTC) No
-l, --label To restore by label No
-z, --zone Virtualization zone No
Response example:
5.5.2.15 aws_security rotate_keys
Invoke: aws security rotate_keys
Rotates access key for orchestrator user. Creates and sets new access key. Disables or deletes old
access keys.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --action Action. Allowed values: [create, disable, delete] Yes
-c, --account AWS account name No
-p, --project Project abbreviation in EPAM Cloud No
--all Execute for all reachable accounts No
5.5.2.16 aws_security save_groups
Invoke: aws security save_groups
Saves security groups configuration.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-l, --label To restore by label No
Response example:
5.5.2.17 aws_security set_def_groups
Invoke: aws security set_def_groups
Applies configuration for aws security groups
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud No
-z, --zone Virtualization zone No
--all-zones Applies for all zones (activated for project) No
--all-projects Applies for all projects in all zones No
-v, --vpc-id Vpc id. If isn't defined, default vpc will be used No
Response example:
5.5.3 AWS_RI
The ‘aws_ri’ group includes the commands related to AWS Reserved Instances. The following
commands are available:
Command Description
aws_ri buy Buys Reserved Instances
aws_ri describe Describes Reserved Instances
aws_ri list_offerings Describes Reserved Instance offerings
aws_ri modify Modifies Reserved Instances
To see the list of arguments used with the commands of the ‘aws_ri’ group, type aws_ri
[command_name] -h in the command line.
5.5.3.1 aws_ri buy
Invoke: aws ri buy
Buys Reserved Instances.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-i, --offering-id Offering id. Use 'aws_ri list_offerings' to list possible options Yes
-c, --count Count Yes
Command example:
aws ri buy -i <offering-id> -z <zone> -p <project> --count
Command response:
5.5.3.2 aws_ri describe
Invoke: aws ri describe
Describes Reserved Instances.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-f, --force-update Update info from amazon before describing. Will take a lot of time! No
--target Parameter to indicate where to display the result of the command. Must be one of [ssh_console, file, email] No
Response Elements
Name Description
AWS ID AWS RI ID
Project code Project code
Zone AWS zone
AZ Availability zone
Start date Start date of the reserved instance state
End date End date of the reserved instance state
Count Number of reserved instances
Product description Description of the reserved instance
Shape AWS instance type
Command example:
aws ri describe
Command response:
5.5.3.3 aws_ri list_offerings
Invoke: aws ri list_offerings
Describes Reserved Instance offerings
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-t, --instance-type AWS instance type Yes
-o, --os OS. One of the: linux, windows Yes
-s, --scope Scope. One of the: az, region Yes
--all Add marketplace RIs to result No
Response example:
5.5.3.4 aws_ri modify
Invoke: aws ri modify
Modifies Reserved Instances
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-I, --ri-id RI id Yes
-c, --target-configuration Target availability zone name, shape and count. Input format: 'az:shape:count'. To provide several configurations use this option several times. Example: -c us-west-2a:t2.micro:4. If you want to use REGION scope use 'all' value for 'az'. Example: -c all:t2.micro:4 Yes
-z, --zone Virtualization zone Yes
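A parser for the 'az:shape:count' values passed to -c/--target-configuration, including the 'all' value for REGION scope. This is an added example, not code from the Maestro CLI; the availability-zone and shape patterns and the duplicate check are assumptions about what a well-formed value looks like.

```python
import re
from dataclasses import dataclass

# Assumed shapes of the fields: us-west-2a style zone names, t2.micro style shapes.
AZ_RE = re.compile(r"[a-z]{2}(-[a-z]+)+-\d[a-z]")
SHAPE_RE = re.compile(r"[a-z0-9-]+\.[a-z0-9]+")
COUNT_RE = re.compile(r"[0-9]+")


@dataclass(frozen=True)
class Target:
    az: str      # availability zone name, or 'all' for REGION scope
    shape: str   # AWS instance type
    count: int

    @property
    def scope(self):
        return "region" if self.az == "all" else "az"

    def __str__(self):
        return f"{self.az}:{self.shape}:{self.count}"


def parse_target(value):
    """Parse one 'az:shape:count' string; raise ValueError if malformed."""
    parts = [p.strip() for p in value.split(":")]
    if len(parts) != 3:
        raise ValueError(f"{value!r}: expected 'az:shape:count'")
    az, shape, count = parts
    if az != "all" and not AZ_RE.fullmatch(az):
        raise ValueError(f"{value!r}: {az!r} is neither 'all' nor an availability zone name")
    if not SHAPE_RE.fullmatch(shape):
        raise ValueError(f"{value!r}: {shape!r} does not look like an instance type")
    if not COUNT_RE.fullmatch(count) or int(count) < 1:
        raise ValueError(f"{value!r}: count must be a positive integer")
    return Target(az, shape, int(count))


def parse_targets(values):
    """Parse every -c value and reject a repeated az/shape pair."""
    targets, seen = [], set()
    for value in values:
        target = parse_target(value)
        key = (target.az, target.shape)
        if key in seen:
            raise ValueError(f"{value!r}: {target.az}/{target.shape} is listed twice")
        seen.add(key)
        targets.append(target)
    return targets


def to_args(targets):
    """Render the targets as repeated -c options."""
    args = []
    for target in targets:
        args += ["-c", str(target)]
    return args


if __name__ == "__main__":
    # Values taken from the examples in the parameter table.
    parsed = parse_targets(["us-west-2a:t2.micro:4", "all:t2.micro:4"])
    for t in parsed:
        print(t, "scope:", t.scope)
    print(to_args(parsed))
```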
5.5.4 AWS_S3
The ‘aws_s3’ group includes the commands related to AWS S3 configuration. The following commands
are available:
Command Description
aws_s3 create_bucket Creates AWS S3 bucket for the specified AWS project
aws_s3 describe_s3_config Describes default AWS S3 configuration
aws_s3 set_s3_config Sets default AWS S3 configuration
To see the list of arguments used with the commands of the ‘aws_s3’ group, type aws_s3
[command_name] -h in the command line.
5.5.4.1 aws_s3 create_bucket
Invoke: aws s3 create_bucket
Creates AWS S3 bucket for the specified AWS project.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-b, --bucket-name S3 bucket name Yes
--rn, --expiration-rule-name Expiration rule name No
-d, --expiration-in-days Expiration in days No
Response example:
5.5.4.2 aws_s3 describe_s3_config
Invoke: aws s3 describe_s3_config
Describes default AWS S3 configuration
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Response example:
5.5.4.3 aws_s3 set_s3_config
Invoke: aws s3 set_s3_config
Sets default AWS S3 configuration.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --default-account Default AWS account name Yes
-b, --default-bucket-name Default S3 bucket name Yes
--rn, --default-expiration-rule-name Default expiration rule name No
Response example:
5.5.5 AWS_WORKSPACE
The ‘aws_workspace’ group includes the commands related to workspaces in AWS. The following
commands are available:
Command Description
aws_workspace bundles Manages EO's standard bundles. Managing bundles is allowed only for the single account that supports workspace launch. All bundles added this way will be available for launch via ESP
aws_workspace launch Launches an AWS Workspace
aws_workspace manage_accounts Manages AWS accounts that support Workspaces
aws_workspace manage_directory Describes or updates directory ID for the specified supported AWS region of the specified AWS account
aws_workspace manage_regions Manages supported AWS regions for specified AWS account
To see the list of arguments used with the commands of the ‘aws_workspace’ group, type
aws_workspace [command_name] -h in the command line.
5.5.5.1 aws_workspace bundles
Invoke: aws_workspace bundles
Manages EO's standard bundles. Managing bundles is allowed only for the single account that supports
workspace launch. All bundles added this way will be available for launch via ESP.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-r, --region AWS region name No
-b, --bundle AWS bundle ID No
-o, --os-type OS type. Use it to filter the DESCRIBE result. Allowed values are: LINUX, WINDOWS No
-m, --compute-type Compute type. Use it to filter the DESCRIBE result No
-c, --action Management action. Allowed values are: ADD, DESCRIBE, DELETE Yes
Command example:
aws_workspace bundles -c <action>
Response example:
5.5.5.2 aws_workspace launch
Invoke: aws_workspace launch
Launches an AWS Workspace
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email address Yes
-p, --project Project abbreviation in EPAM Cloud Yes
-r, --region AWS region Yes
-q, --request Request number Yes
-b, --bundle AWS bundle ID No
-m, --mode Running mode. Available values are: AUTO_STOP, ALWAYS_ON Yes
-o, --os-type OS type. Available values are: LINUX, WINDOWS No
-c, --compute-type Compute type No
-t, --root-volume Root volume size No
-u, --user-volume User volume size No
Command example:
aws_workspace launch -e <email> -p <project> -r <region> -q <request> -m <mode>
Response example:
5.5.5.3 aws_workspace manage_accounts
Invoke: aws_workspace manage_accounts
Manages AWS accounts that support Workspaces
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --account AWS account name No
-c, --action Management action. Allowed values are: ADD, DESCRIBE, DISABLE_LAUNCH Yes
Command example:
aws_workspace manage_accounts -c <action>
Response example:
5.5.5.4 aws_workspace manage_directory
Invoke: aws_workspace manage_directory
Describes or updates directory ID for the specified supported AWS region of the specified AWS account
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --account AWS account name No
-r, --region AWS region name No
-d, --directory AWS directory ID of the new directory. Required parameter for UPDATE action No
-c, --action Management action. Allowed values are: DESCRIBE, UPDATE Yes
Command example:
aws_workspace manage_directory -c <action>
Response example:
5.5.5.5 aws_workspace manage_regions
Invoke: aws_workspace manage_regions
Manages supported AWS regions for specified AWS account
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --account AWS account name No
-r, --region AWS region name No
-d, --directory AWS directory ID. Optional parameter for ADD action No
-c, --action Management action. Allowed values are: ADD, DESCRIBE, DELETE Yes
Command example:
aws_workspace manage_regions -c <action>
Response example:
5.5.6 TEMPLATE
The ‘template’ group includes the ‘template analyze’ command used to perform analysis of the
CloudFormation template from the previously uploaded file. The command displays the human-readable
template description in the response.
Command Description
template analyze Generates description for the template
To see the list of arguments used with the ‘template analyze’ command, type template analyze -h in the
command line.
5.5.6.1 template analyze
Invoke: template analyze
Generates description for the template.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-f, --file File name. Yes
Response example:
5.6 AZURE
The ‘azure’ category includes the commands related to resource configuration and management on the
Microsoft Azure platform, as well as to the custom configuration of Azure for specific project
requirements.
5.6.1 AZURE
The ‘azure’ group includes the commands related to Microsoft Azure. The following commands are
available:
Command Description
azure activate_project Activates project in Microsoft Azure
azure add_enrolment Adds a new Microsoft Azure enrolment
azure add_image Adds machine image to be used with ARM API. Images list is available on Azure portal marketplace or from CLI (for more details please use azure help vm image command)
azure add_subscript Adds a new Microsoft Azure subscription
azure add_zone Adds a new Microsoft Azure zone
azure add_zone_alias Adds an alias to existing Microsoft Azure zone
azure analyze_sg Analyzes default security group for extra rules
azure change_credsz Changes Azure tenant's credentials
azure check_config Checks ARM configuration
azure config_project Configures project for using ARM API
azure del_subscript Removes existing Microsoft Azure subscription from EO
azure delete_image Deletes image from Azure zone. Assigns status DELETED for image and does not delete it on Azure
azure get_net_config Retrieves information about network configuration for the specified project(s)
azure get_subscript Describes existing Azure subscriptions
azure get_tenants Describes available tenants for the specified Azure enrollment
azure grant_access Grants access to Azure Portal
azure init_lookup Initially adds ARM resource to EO
azure list_image_versions Lists the VM image versions available in the Azure Marketplace
azure list_offers Lists the VM image offers available in the Azure Marketplace
azure list_publishers Lists the VM image publishers available in the Azure Marketplace
azure list_skus Lists the VM image SKUs available in the Azure Marketplace.
azure manage_currency Updates currency and rate for Microsoft Azure enrolment
azure manage_subscript_status Enables or disables the specified subscription in EO
azure manage_tenants Adds and removes Azure tenants in EO
azure manage_trusted_ip Adds a custom security config for specified project for allowing inbound or outbound connection to/from instances of this project.
azure move_subscript Moves subscription to another directory
azure revoke_access Revokes access to Azure Portal
azure set_def_groups Applies configuration for the default Azure security groups
azure shape_mapping Configures shape mapping for the specified zone
azure share_credit Shares credit among all projects of the given enrolment proportionally to their workload
azure subscript_pool Describes the subscription pool for current available enrollments
azure switch_subscript_tenant Switches subscription tenant to another alias
5.6.1.1 azure activate_project
Invoke: azure activate_project
Activates project in Microsoft Azure.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-s, --shape Shape name. For several shapes repeat the parameter: -s SHAPE1 -s SHAPE2 -s SHAPEN Yes
-f, --fake-project Fake project No
-z, --zone Virtualization zone No
-u, --subscription-name Subscription name (Azure specific parameter) No
-x, --expiration-date Project expiration date. Valid date format: [yyyy-MM-dd]. No
--all All zones No
Response Elements
Name Description
pmcCode Project code
Name Project name
Zone Virtualization zone
Shapes Shape names
Primary Contacts Primary contacts
Secondary Contacts Secondary contacts
Instance Creation Interval (Hours) Instance creation interval described in hours
Volume Creation Interval (Hours) Volume creation interval described in hours
Max Volume Size (GB) Maximum volume size described in GB
Activation Date Start date of the activated project state
Expiration Date End date of the activated project state
Subscription ID Subscription ID
Command example:
azure activate_project -p <project> -s <shape> -z <zone> -u <subscription name>
Response example:
5.6.1.2 azure add_enrolment
Invoke: azure add_enrolment
Adds a new Microsoft Azure enrolment
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --enrolment-number Enrolment number Yes
-a, --azure-access-key Usage API access key granted by Enterprise Administrator Yes
-b, --bill-from The date to start billing from in yyyy-MM-dd'T'HH format Yes
Before you get the response, confirm that you want to perform the operation.
Command example:
azure add_enrolment -e <enrolment number> -a <azure access key> -b <bill from>
Response example:
5.6.1.3 azure add_image
Invoke: azure add_image
Adds machine image to be used with ARM API. Images list is available on Azure portal marketplace or
from CLI (for more details please use azure help vm image command)
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --image-id Image ID. Example: Debian8_64-bit, W2012Std Yes
-d, --description Image description. Example: "Debian GNU/Linux 8 64-bit", "Windows Server 2012 Standard Edition" Yes
-g, --group Image group: [public, enterprise] Yes
-t, --os-type Type of operating system: [windows, linux, coreos, fedora coreos] Yes
-p, --publisher Image publisher. Example: Canonical, OpenLogic, MicrosoftWindowsServer Yes
-o, --offer Image offer. Example: UbuntuServer, CentOS, WindowsServer Yes
-s, --sku Image sku. Example: 14.04.4-LTS, 6.6, 2008-R2-SP1 Yes
-v, --version Image version. Example: 14.04.201604060 Yes
-u, --username Default SSH user Yes
-z, --zone Virtualization zone No
--all-zones All zones No
--rewrite Rewrite parameters of existing image No
Response Elements
Name Description
Zone Virtualization zone
Status Show command status
Message Provide additional information
Before you get the response, confirm that you want to perform the operation.
Command example:
azure add_image -i <image-id> -d <description> -g <group> -t <os-type> -p <publisher> -o <offer> -s <sku> -v <version> -u <username> -z <zone>
Response example:
5.6.1.4 azure add_subscript
Invoke: azure add_subscript
Adds a new Microsoft Azure subscription
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-s, --subscription-id Azure subscription ID (GUID) Yes
-e, --enrolment-number Enrolment number Yes
-a, --tenant-alias Tenant alias (use it only for reachable subscription) No
-u, --unreachable Marks subscription as unreachable for Orchestrator No
-c, --account-name Account name (Required for unreachable subscriptions. Use it to override tenant account name value for reachable subscriptions) No
Before you get the response, confirm that you want to perform the operation.
Command example:
azure add_subscript -s <subscription id> -e <enrolment number> -a <tenant alias>
Response example:
5.6.1.5 azure add_zone
Invoke: azure add_zone
Adds a new Microsoft Azure zone
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-r, --region Virtualization region Yes
-z, --zone Virtualization zone Yes
-l, --location Azure location (e.g. North Europe) Yes
-a, --api-name Azure location api name (e.g. northeurope) Yes
--assign Assigns zone to the currently active node No
--disable-billing-mix-mode Defines whether this zone supports billing mode. If disabled - Billing Engine shows costs based on EO audit only, otherwise EO audit will be integrated (mixed) with costs coming from a cloud provider (e.g. in a form of CSV reports) No
Before you get the response, confirm that you want to perform the operation.
Command example:
azure add_zone -l <location> -r <region> --assign <true> -z <zone> -a <api name> --disable-billing-mix-mode <false>
Response example:
5.6.1.6 azure add_zone_alias
Invoke: azure add_zone_alias
Adds an alias to existing Microsoft Azure zone
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-a, --alias Zone alias (e.g. northeurope for North Europe) Yes
Before you get the response, confirm that you want to perform the operation.
Command example:
azure add_zone_alias -z <zone> -a <alias>
Response example:
5.6.1.7 azure analyze_sg
Invoke: azure analyze_sg
Analyzes default security group for extra rules
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-s, --subscription Subscription name No
-p, --project Project abbreviation in EPAM Cloud No
Command example:
azure analyze_sg
Response example:
5.6.1.8 azure change_creds
Invoke: azure change_creds
Changes Azure tenant's credentials
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --enrolment-number Enrolment number Yes
-a, --alias Azure tenant alias Yes
-i, --client-id Client id No
-k, --client-key Client key No
-c, --account-name Account name No
Before you get the response, confirm that you want to perform the operation.
Command example:
azure change_creds -e <enrolment-number> -a <alias> -i <client-id> -k <client-key> -c <account-name>
Response example:
5.6.1.9 azure check_config
Invoke: azure check_config
Checks ARM configuration
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --all All subscriptions No
-s, --subscription Subscription name No
-p, --project Project abbreviation in EPAM Cloud No
The command will be executed in the asynchronous mode.
Command example:
azure check_config -p <project>
Response example:
5.6.1.10 azure config_project
Invoke: azure config_project
Configures project for using ARM API
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
--all Perform for all active azure projects flag No
--all-zones Perform for single project in all active azure zones flag No
-p,--project Project abbreviation in EPAM Cloud No
-z,--zone Virtualization zone No
The command will be executed in the asynchronous mode.
Command example:
azure config_project -p <project> -z <zone>
Response example:
5.6.1.11 azure del_subscript
Invoke: azure del_subscript
Removes existing Microsoft Azure subscription from EPAM Orchestrator
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --name Azure subscription name Yes
Before you get the response, confirm that you want to perform the operation.
Command example:
azure del_subscript -n <subscription name>
Response example:
5.6.1.12 azure delete_image
Invoke: azure delete_image
Deletes image from Azure zone. Assigns status DELETED for image and does not delete it on Azure
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --image-id Image ID Yes
-z, --zone Virtualization zone No
--all-zones All zones No
Response Elements
Name Description
Zone Virtualization zone
Status Show command status
Message Provide additional information
Before you get the response, confirm that you want to perform the operation.
Command example:
azure delete_image -i <image id> --all-zones
Response example:
5.6.1.13 azure get_net_config
Invoke: azure get_net_config
Retrieves information about network configuration for the specified project(s)
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project-code Project code to retrieve network configuration for. For several projects repeat the parameter: -p projectName1 -p projectName2 -p projectNameN. Yes
Response Elements
Name Description
Project Name Project name
Zone Name Virtualization zone name
Configured Provides information about configured action status
Command example:
azure get_net_config -p <project code>
Response example:
5.6.1.14 azure get_subscript
Invoke: azure get_subscript
Describes existing Azure subscriptions
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --enrolment-number Enrolment number to describe subscriptions No
-p, --project Project abbreviation in EPAM Cloud No
-s, --subscription Subscription name No
Response Elements
Name Description
Enrolment Number Enrolment Number
Subscription GUID Azure subscription ID
Tenant Alias Tenant alias
Subscription Name Subscription Name
Account Name Account Name
Used by Show the project that uses this account
Unreachable Unreachable action status
Disabled Disabled action status
Command example:
azure get_subscript -p <project>
Response example:
5.6.1.15 azure get_tenants
Invoke: azure get_tenants
Describes available tenants for the specified Azure enrollment
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --enrolment-number Enrolment number Yes
Response Elements
Name Description
Alias Alias
Tenant ID Tenant ID
Client ID Client ID
Account Name Name of account in Azure
Command example:
azure get_tenants -e <enrolment number>
Response example:
5.6.1.16 azure grant_access
Invoke: azure grant_access
Grants access to Azure Portal
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email address Yes
-p, --project Project code to which the user should have access on Azure Portal Yes
Before you get the response, confirm that you want to perform the operation.
Command example:
azure grant_access -p <project> -e <email>
Response example:
5.6.1.17 azure init_lookup
Invoke: azure init_lookup
Initially adds ARM resource to EPAM Orchestrator
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p,--project Project abbreviation in EPAM Cloud Yes
Command example:
azure init_lookup -p <project>
Response example:
5.6.1.18 azure list_image_versions
Invoke: azure list_image_versions
Lists the VM image versions available in the Azure Marketplace
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-p, --publisher An image publisher name Yes
-o, --offer An image publisher offer Yes
-s, --sku An image publisher sku Yes
Command example:
azure list_image_versions -z <zone> -p <publisher> -o <offer> -s <sku>
Response example:
5.6.1.19 azure list_offers
Invoke: azure list_offers
Lists the VM image offers available in the Azure Marketplace
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-p, --publisher An image publisher name Yes
Response example:
5.6.1.20 azure list_publishers
Invoke: azure list_publishers
Lists the VM image publishers available in the Azure Marketplace
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
Command example:
azure list_publishers -z <zone>
Response example:
5.6.1.21 azure list_skus
Invoke: azure list_skus
Lists the VM image SKUs available in the Azure Marketplace.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-p, --publisher An image publisher name Yes
-o, --offer An image publisher offer Yes
Command example:
azure list_skus -z <zone> -p <publisher> -o <offer>
Response example:
5.6.1.22 azure manage_currency
Invoke: azure manage_currency
Updates currency and rate for Microsoft Azure enrolment
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --enrolment-number Enrolment number Yes
-a, --action Action: [DESCRIBE, UPDATE] Yes
-y, --year Year No
-m, --month Month No
-c, --currency Currency symbol or abbreviation No
-r, --rate Exchange rate. All costs will be multiplied by this rate to get value in the specified currency. No
-d, --disable Disable rate applying No
Before you get the response, confirm that you want to perform the operation.
Command example:
azure manage_currency -e <enrolment number> -a <action>
Response example:
5.6.1.23 azure manage_subscript_status
Invoke: azure manage_subscript_status
Enables or disables the specified subscription in EPAM Orchestrator
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-s, --subscription Subscription name Yes
-a, --action Subscription change status option. Available action: enable or disable Yes
Command example:
azure manage_subscript_status -s <subscription> -a <action>
Response example:
5.6.1.24 azure manage_tenants
Invoke: azure manage_tenants
Adds and removes Azure tenants in EPAM Orchestrator
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --alias Azure tenant alias Yes
-e, --enrolment-number Enrolment number Yes
-t, --tenant Tenant id No
-I, --client-id Client id No
-k, --client-key Client key No
-c, --account-name Account name No
--add Option for adding tenant No
--delete Option for deleting tenant No
Before you get the response, confirm that you want to perform the operation.
Command examples:
azure manage_tenants -e <enrolment number> -a <alias> -t <tenant> -i <client-id> -k <client-key> -c <account-name> --add
azure manage_tenants -e <enrolment number> -a <alias> --delete
Response example:
5.6.1.25 azure manage_trusted_ip
Invoke: azure manage_trusted_ip
Adds a custom security config for specified project for allowing inbound or outbound connection to/from
instances of this project.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-a, --action Action type, allowed actions are: ADD, REMOVE and DESCRIBE. If the parameter is not specified, the DESCRIBE action will be executed by default. No
--sr, --source Source ranges for rule. Specify one or more IP ranges or the parameter 'ANY'. For several IP ranges repeat the parameter: --sr 0.0.0.0/0 --sr 1.1.1.1/1 No
--dr, --destination Destination ranges for rule. Specify one or more IP ranges or the parameter 'ANY'. For several IP ranges repeat the parameter: --dr 0.0.0.0/0 --dr 1.1.1.1/1 No
-r, --protocol IP protocol. For example TCP, UDP. Use ANY parameter for all protocols No
-o, --port-range The port range (for the TCP and UDP protocols). For several port ranges repeat the parameter: -o 22-25 -o 30-35. If the parameter is not specified, a security config for all ports will be created No
-e, --description Description for security rule No
-d, --direction Rule direction, allowed values are [INGRESS, EGRESS]. No
-n, --name Security rule name. No
Response Elements
Name Description
Project code Project code
Zone name Zone name
Name Security rule name
Protocol Protocol
Direction Direction
Description Description
Port-ranges Port ranges
Source ranges Source ranges
Destination ranges Destination ranges
Before you get the response, confirm that you want to perform the operation.
Action DESCRIBE
Command example:
manage_trusted_ip --project <project name> --zone <zone>
Response example:
Action ADD
Command example:
manage_trusted_ip --project <project name> --zone <zone> --action add --name <security rule name> --source <source> --destination <destination> --direction <direction> --protocol <protocol>
Response example:
Action REMOVE
Command example:
manage_trusted_ip --project <project> --zone <zone> --action remove --name <security rule name>
Response example:
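A pre-flight review of a manage_trusted_ip ADD command line, as an added example (not part of the guide and not EPAM's code): it parses the flags from the parameter table above and reports ANY or broad ranges, CIDR values with host bits set, the ANY protocol, and a missing port range, which per the table creates a config for all ports. The function names, finding codes and prefix thresholds are assumptions, and the sample command lines are constructed.

```python
import argparse
import ipaddress
import shlex

# Assumed review thresholds (not from the guide): a prefix shorter than
# this is reported as a broad range.
MIN_PREFIX = {4: 16, 6: 32}


def build_parser():
    """Mirror the manage_trusted_ip flags listed in the parameter table."""
    p = argparse.ArgumentParser(prog="manage_trusted_ip", add_help=False,
                                allow_abbrev=False)
    p.add_argument("-p", "--project", required=True)
    p.add_argument("-z", "--zone", required=True)
    p.add_argument("-a", "--action", default="DESCRIBE")  # documented default
    p.add_argument("--sr", "--source", dest="source",
                   action="append", default=[])
    p.add_argument("--dr", "--destination", dest="destination",
                   action="append", default=[])
    p.add_argument("-r", "--protocol")
    p.add_argument("-o", "--port-range", dest="port_range",
                   action="append", default=[])
    p.add_argument("-e", "--description")
    p.add_argument("-d", "--direction")
    p.add_argument("-n", "--name")
    return p


def check_range(value):
    """Return (code, detail) findings for one --sr/--dr value."""
    if value.upper() == "ANY":
        return [("ANY_RANGE", value)]
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return [("INVALID_RANGE", value)]
    findings = []
    try:
        ipaddress.ip_network(value, strict=True)
    except ValueError:
        # Host bits set: the value denotes a wider network than it looks.
        findings.append(("HOST_BITS_SET", f"{value} -> {net}"))
    if net.prefixlen < MIN_PREFIX[net.version]:
        findings.append(("BROAD_RANGE", str(net)))
    return findings


def review(command_line):
    """Review one command line; only the ADD action creates a rule."""
    tokens = shlex.split(command_line)
    while tokens and not tokens[0].startswith("-"):
        tokens.pop(0)  # drop the leading "azure" / "manage_trusted_ip"
    args = build_parser().parse_args(tokens)
    if args.action.upper() != "ADD":
        return []
    direction = (args.direction or "").upper()
    # Check the remote side of the rule; both sides if no direction given.
    ranges = []
    if direction != "EGRESS":
        ranges += args.source
    if direction != "INGRESS":
        ranges += args.destination
    findings = []
    for value in ranges:
        findings += check_range(value)
    if (args.protocol or "").upper() == "ANY":
        findings.append(("ANY_PROTOCOL", "ANY"))
    if not args.port_range:
        findings.append(("ALL_PORTS", "no -o/--port-range given"))
    return findings


# Constructed sample command lines (project, zone and rule names are made up).
RISKY = ("manage_trusted_ip --project demo --zone ZONE1 --action add "
         "--name allow-all --sr 0.0.0.0/0 --sr 1.1.1.1/1 "
         "--direction INGRESS --protocol ANY")
TIGHT = ("azure manage_trusted_ip -p demo -z ZONE1 -a ADD -n ssh-office "
         "--sr 203.0.113.0/24 -d INGRESS -r TCP -o 22-22")

if __name__ == "__main__":
    for cmd in (RISKY, TIGHT):
        print(cmd)
        for code, detail in review(cmd) or [("OK", "no findings")]:
            print(f"  {code}: {detail}")
```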
5.6.1.26 azure move_subscript
Invoke: azure move_subscript
Moves subscription to another directory
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-s, --subscription Subscription name Yes
-a, --alias Azure tenant alias Yes
-c, --account-name Account name No
Before you get the response, confirm that you want to perform the operation.
Command example:
azure move_subscript -s <subscription> -a <alias> -c <account-name>
Response example:
5.6.1.27 azure revoke_access
Invoke: azure revoke_access
Revokes access to Azure Portal
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --email User email address Yes
-p,--project Project abbreviation in EPAM Cloud Yes
Before you get the response, confirm that you want to perform the operation.
Command example:
azure revoke_access -e <email> -p <project>
Response example:
5.6.1.28 azure set_def_groups
Invoke: azure set_def_groups
Applies configuration for the default Azure security groups
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
The command will be executed in the asynchronous mode.
Command example:
azure set_def_groups
Response example:
5.6.1.29 azure shape_mapping
Invoke: azure shape_mapping
Configures shape mapping for the specified zone
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone No
--all-zones All zones No
-s, --shape-mapping Shape mapping pair: epc_shape=foreign_shape. Use "=" as delimiter. For several mappings repeat the parameter: -s epc_shape1=foreign_shape1 -s epc_shape2=foreign_shape2 -s epc_shapeN=foreign_shapeN. If you use the Windows command line, enclose the -s parameter in quotes, i.e. "epc_shape=foreign_shape". Yes
Command example:
azure shape_mapping --all-zones -s <shape mapping>
Response example:
5.6.1.30 azure share_credit
Invoke: azure share_credit
Shares credit among all projects of the given enrolment
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-e, --enrolment Enrolment number (e.g. 54168053) Yes
-c, --credit Credit value in USD. SIGN MATTERS! Yes
-d, --description What this credit is given for Yes
-y, --year Year Yes
-m, --month Month (digits from 1 to 12) Yes
Before you get the response, confirm that you want to perform the operation.
Command example:
azure share_credit -e <enrolment number> -c <credit> -d <description> -m <month> -y <year>
Response example:
5.6.1.31 azure subscript_pool
Invoke: azure subscript_pool
Describes the subscription pool for current available enrollments
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Response Elements
Name Description
Enrolment number Virtualization zone
Total Count Total count of subscriptions
In Use Count Count of subscriptions in use
Command example:
azure subscript_pool
Response example:
5.6.1.32 azure switch_subscript_tenant
Invoke: azure switch_subscript_tenant
Switches subscription tenant to another alias
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-s, --subscription Subscription name Yes
-a, --alias Azure tenant alias Yes
-c, --account-name Account name No
Command example:
azure switch_subscript_tenant -s <subscription> -a <alias>
Response example:
5.7 GOOGLE
The ‘google’ category includes the commands related to resource configuration and management in
Google Cloud Platform.
5.7.1 GOOGLE
The ‘google’ group includes the commands related to Google Cloud Platform. The following commands
are available:
Command Description
google activate_project Activates project in a Google zone
google add_account_system_username Adds system username for the Google account
google add_image Adds Google image
google add_zone Adds new Google zone
google change_password Changes password for user intended for providing temporary access
google check_config Checks Google configuration for the specified project
google config_export_billing_data Configures export Google billing data to BigQuery
google configure_network Configures networking for the project in Google region
google delete_image Deletes image from a Google zone. Assigns status DELETED for the image and does not delete it in Google Cloud.
google describe_instance_firewalls Describes firewall rules which affect specified instance
google edit_zone Edits Google zone settings
google list_accounts Retrieves the list of existing Google accounts
google list_iam_users Retrieves the list of IAM users in the specified project
google list_images Retrieves the list of images in the specified project in the Google region
google list_pr_roles Retrieves the list of applied EPAM Orchestrator custom roles for the Google project
google list_projects Retrieves the list of existing Google projects
google list_zones Retrieves the list of existing Google zones
google manage_acc_user Manages G-Suite users put under EPAM Orchestrator
google manage_alpha_locations Adds or removes an attached zone's alpha locations. Alpha locations are required for billing purpose.
google manage_iam_user Manages IAM users for the specified project
google manage_api Manages Google APIs state
google manage_external_ip Manages external IP's configuration for specified Google project
google manage_policy Manages existing IAM policies
google manage_role Manages default user project role definition in EPAM Orchestrator
google setup_account Sets up new Google account
google update_acc_configs Updates Google account settings
google update_images Refreshes information about images (family, licenses etc.)
google upload_role Uploads updated default user project role on Google side
To see the list of arguments used with the commands of the ‘google’ group, type google
[command_name] -h in the command line.
5.7.1.1 google activate_project
Invoke: google activate_project
Activates project in a Google zone
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-s, --shape Shape name. For several shapes repeat the parameter: -s SHAPE1 -s SHAPE2 -s SHAPEN Yes
-f, --fake-project Fake project No
-e, --existing-project-id Existing Google project ID to use. No
-x, --expiration-date Project expiration date. Valid date format: [yyyy-MM-dd]. No
-z, --zone Virtualization zone No
--all All zones No
The command will be executed in the asynchronous mode.
Command example:
google activate_project -p <project> -s <shape> -s <shape> -z <zone>
Response example:
5.7.1.2 google add_image
Invoke: google add_image
Adds Google image
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --image-id Image ID. Example: Ubuntu14.04_64-bit Yes
-d, --description Image description Yes
-g, --group Image group: [public, enterprise] Yes
-t, --os-type Type of operating system: [windows, linux, coreos, fedora coreos] Yes
-p, --google-project-id Google image project ID. See https://cloud.google.com/compute/docs/images for more details Yes
-u, --username Default SSH user Yes
-n, --google-image-name Google image name. Cannot be used with image family No
-f, --google-image-family Google image family. Cannot be used with image name No
-z, --zone Virtualization zone No
--all-zones All zones No
--rewrite Rewrite parameters of existing image No
Before you get the response, confirm that you want to perform the operation.
Command example:
google add_image -i <image-id> -d <description> -g <group> -t <os-type> -p <google project id> -u <username> -n <google image name>
Response example:
5.7.1.3 google add_zone
Invoke: google add_zone
Adds new Google zone
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-r, --region Virtualization region Yes
-z, --zone Virtualization zone Yes
-a, --account-id Google account ID. For example, account-91b5e7ec Yes
-z, --google-zone-name Google zone name. For example, us-central1-a or europe-west1-c. For more information refer to https://cloud.google.com/compute/docs/regions-zones/regions-zones Yes
-l, --location Location (e.g. North Europe) No
--disable-billing-mix-mode Defines whether this zone supports billing mode No
-a, --aws-nearest-zone AWS nearest zone. Required for autoconfiguration. No
Before you get the response, confirm that you want to perform the operation.
Command example:
google add_zone -r <region> -z <zone> -a <account-id> -z <google zone name> -l <location>
Response example:
5.7.1.4 google change_password
Invoke: google change_password
Changes password for user intended for providing temporary access
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-u, --username Google account user. Yes
-p, --password Set custom password or not. If not specified, password will be generated. No
Command example:
google change_password -u <user> -p <password>
Response example:
5.7.1.5 google check_config
Invoke: google check_config
Checks Google configuration for the specified project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud. Can be used multiple times to specify multiple projects No
--all Execute for all active projects No
The command will be executed in the asynchronous mode.
Command example:
google check_config -p <project>
Response example:
5.7.1.6 google config_export_billing_data
Invoke: google config_export_billing_data
Configures export Google billing data to BigQuery
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-g, --google-account-id Google COMPUTE account id Yes
-p, --project Project abbreviation in EPAM Cloud Yes
-d, --dataset Dataset name for billing exporting. Will be automatically created if does not exist No
-t, --table Table name. Suffix with month and year will be added for each month. No
-e, --deactivate Flag for deactivation. Activation by default No
Command example:
google config_export_billing_data -g <google account id> -p <project> -d <data set> -t <table>
Response example:
5.7.1.7 google configure_network
Invoke: google configure_network
Configures networking for the project in Google region
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
Command example:
google configure_network -p <project>
Response example:
5.7.1.8 google delete_image
Invoke: google delete_image
Deletes image from a Google zone. Assigns status DELETED for the image and does not delete it in
Google Cloud.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --image-id Image ID Yes
-z, --zone Virtualization zone No
--all-zones All zones No
Before you get the response, confirm that you want to perform the operation.
Command example:
google delete_image -i <image-id> -z <zone>
Response example:
5.7.1.9 google describe_instance_firewalls
Invoke: google describe_instance_firewalls
Describes firewall rules which affect specified instance
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-i, --instance Instance name No
--target Parameter indicating where to display the command result. Must be one of [ssh_console, file, email] No
Before you get the response, confirm that you want to perform the operation.
Command example:
google describe_instance_firewalls -p <project> -z <zone>
Response example:
5.7.1.10 google edit_zone
Invoke: google edit_zone
Edits Google zone settings
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-a, --aws-nearest-zone AWS nearest zone. Required for autoconfiguration. Specify '<null>' to unset. Yes
Command example:
google edit_zone -z <zone> -a <aws-nearest-zone>
Response example:
5.7.1.11 google list_accounts
Invoke: google list_accounts
Retrieves the list of existing Google accounts
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Response Elements
Name Description
Account ID Account ID
Approver Approver email address
Account purpose Account purpose
Client ID Client ID
Admin project ID Admin project ID
Billing account ID Billing account ID
Account Domain Account Domain
Command example:
google list_accounts
Response example:
5.7.1.12 google list_iam_users
Invoke: google list_iam_users
Retrieves the list of IAM users in the specified project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
Response Elements
Name Description
Username Username
Default role Default role
Custom Roles Settings Custom Roles Settings
System System status
Command example:
google list_iam_users -p <project>
Response example:
5.7.1.13 google list_images
Invoke: google list_images
Retrieves the list of images in the specified project in the Google region
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project-id Google project ID to retrieve images from. For example, centos-cloud or coreos-cloud. For the complete projects list refer to https://cloud.google.com/compute/docs/images Yes
-d, --deprecated Include deprecated images or not. No
Response Elements
Name Description
Name Name of the image
Disk Size (GB) Size of the disk in GB
deprecated Shows if the image is in a deprecated state
Status Shows image status
Command example:
google list_images -p <project>
Response example:
5.7.1.14 google list_pr_roles
Invoke: google list_pr_roles
Retrieves the list of applied EO custom roles for the Google project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
--target Parameter indicating where to display the command result. Must be one of [ssh_console, file, email] No
Command example:
google list_pr_roles -p <project>
Response example:
5.7.1.15 google list_projects
Invoke: google list_projects
Retrieves the list of existing Google projects
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Command example:
google list_projects
Response example:
5.7.1.16 google list_zones
Invoke: google list_zones
Retrieves the list of existing Google zones
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Response Elements
Name Description
Name Zone name
Account ID Account ID
Region name Region name
Availability zone Availability zone
Linked availability zone Linked availability zone
Location Location
Nearest AWS zone Nearest AWS zone
Untracked availability zone Untracked availability zone
Command example:
google list_zones
Response example:
5.7.1.17 google manage_acc_user
Invoke: google manage_acc_user
Manages G-Suite users put under EO
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --action Manage action. Allowed are: [GET, ADD, SUSPEND, RESUME, REMOVE_FROM_EO] Yes
-e, --email User email address Yes
Response Elements
Name Description
Username Username
Status Status of the user
First password First password
Last UI access Last UI access
Owner ID Owner ID
Command example:
google manage_acc_user -a <action> -e <email>
Response example:
5.7.1.18 google manage_alpha_locations
Invoke: google manage_alpha_locations
Adds or removes an attached zone's alpha locations. Alpha locations are required for billing purpose.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-c, --action Action: [ADD, DESCRIBE, REMOVE] Yes
-a, --alpha-location Alpha location for billing purposes (e.g. us-central2) No
Before you get the response, confirm that you want to perform the operation.
Command example:
google manage_alpha_locations -z <zone> -c <action> -a <alpha-location>
Response example:
5.7.1.19 google manage_iam_user
Invoke: google manage_iam_user
Manages IAM users for the specified project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-e, --email User email address Yes
-a, --action Manage action. Allowed are: [ADD, DELETE_ROLE, DELETE_USER] Yes
-r, --reason Short description of action reason No
-d, --default-role Default role name. Allowed are: [BasicReadAccess, FullReadAccess, BasicUserAccess, AdminUserAccess] No
-f, --role Full Google role name. No
Before you get the response, confirm that you want to perform the operation.
Command example:
google manage_iam_user -p <project> -e <email> -a <action> -r <reason>
Response example:
5.7.1.20 google manage_api
Invoke: google manage_api
Manages Google APIs state
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-a, --action Managed action. Allowed values are: [list, describe, enable, disable] Yes
-n, --name API service name No
The command will be executed in the asynchronous mode.
Command example:
google manage_api -p <project> -a <action>
Response example:
5.7.1.21 google manage_external_ip
Invoke: google manage_external_ip
Manages external IP's configuration for specified Google project
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-a, --action Action type, allowed actions are ADD, REMOVE and DESCRIBE. If parameter not specified, DESCRIBE will be executed. No
-w, --network Network name No
-i, --ip-range IP range. For several ip ranges repeat the parameter: -i 0.0.0.0/0 -i value 1.1.1.1/1 No
-d, --direction Direction of the traffic, allowed values are: INGRESS, EGRESS. No
-n, --name Firewall rule name. Mandatory for ADD and REMOVE actions, optional for DESCRIBE action. No
--st, --source-tags Source network tags. No
-ss, --source-service-account Source service account email address No
-tt, --target-tags Target network tags No
-ts, --target-service-account Target service account email address No
-e, --description Description for firewall rule. No
-c, --action-on-match Action for rule on match. Allowed values are: ALLOW and DENY No
-y, --priority Priority for rule. Priority can be 0 - 65535 No
-r, --protocol-config Configs for protocol and ports. Example -r tcp:1-65536 -r ah -r udp:22,23. Use ALL parameter for all protocols. No
--target Parameter indicating where to display the command result. Must be one of [ssh_console, file, email] No
Action DESCRIBE
Response Elements
Name Description
Name Project name
Google project ID Google project ID
Network Network
Source tags Source tags
Target tags Target tags
Source service accounts Source service accounts
Target service accounts Target service accounts
IP ranges IP ranges
Direction Direction
Description Description
Allowed Allowed
Denied Denied
Action Action
Priority Priority
Command example:
google manage_external_ip --project <project>
Response example:
Action ADD
Command example:
google manage_external_ip --project <project name> --action add --network <network> -i <ip range> --direction <direction> --name <firewall rule name> --source-tags <source-tags> --target-service-account <accounts> --description <description> --action-on-match <allow> --priority <priority> --protocol-config <all>
Response example:
Action REMOVE
Command example:
google manage_external_ip --project <project name> --action remove --name <firewall rule name>
Response example:
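A pre-flight check for google manage_external_ip command lines, added here as an example and not part of the guide or of Maestro CLI: it applies the limits stated in the parameter table above (name mandatory for ADD and REMOVE, priority 0 - 65535) and flags INGRESS ALLOW rules open to any source address. The finding codes, the WIDE_PORT_SPAN threshold and the sample command lines are assumptions made for the example.

```python
import ipaddress
import shlex

# Option spellings copied from the guide's parameter table for manage_external_ip.
REPEATABLE = {"-i": "ip_range", "--ip-range": "ip_range",
              "-r": "protocol_config", "--protocol-config": "protocol_config"}
SINGLE = {"-a": "action", "--action": "action", "-n": "name", "--name": "name",
          "-d": "direction", "--direction": "direction",
          "-c": "action_on_match", "--action-on-match": "action_on_match",
          "-y": "priority", "--priority": "priority"}
WIDE_PORT_SPAN = 1024  # assumption: local review threshold, not a Maestro setting


def parse_options(command_line):
    """Collect the options this check cares about; everything else is skipped."""
    tokens = shlex.split(command_line)
    opts = {"ip_range": [], "protocol_config": []}
    i = 0
    while i < len(tokens) - 1:
        if tokens[i] in REPEATABLE:
            opts[REPEATABLE[tokens[i]]].append(tokens[i + 1])
            i += 2
        elif tokens[i] in SINGLE:
            opts[SINGLE[tokens[i]]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts


def port_span(item):
    """Ports covered by one protocol-config item such as 'udp:22,23'; 0 if it names none."""
    _, _, ports = item.partition(":")
    span = 0
    for part in filter(None, ports.split(",")):
        low, _, high = part.partition("-")
        span += int(high or low) - int(low) + 1
    return span


def lint(command_line):
    """Return a list of finding codes for one manage_external_ip command line."""
    o = parse_options(command_line)
    findings = []
    action = o.get("action", "DESCRIBE").upper()  # guide: DESCRIBE when -a is omitted
    if action in ("ADD", "REMOVE") and "name" not in o:
        findings.append("MISSING_NAME")  # guide: name is mandatory for ADD and REMOVE
    if action != "ADD":
        return findings
    priority = o.get("priority")
    if priority is not None and not (priority.isdigit() and int(priority) <= 65535):
        findings.append("BAD_PRIORITY")  # guide: priority can be 0 - 65535
    any_source = False
    for cidr in o["ip_range"]:
        try:
            # strict=False accepts host bits, as in the guide's own sample 1.1.1.1/1
            any_source |= ipaddress.ip_network(cidr, strict=False).prefixlen == 0
        except ValueError:
            findings.append("BAD_IP_RANGE")
    all_protocols, widest = False, 0
    for item in o["protocol_config"]:
        if item.upper() == "ALL":
            all_protocols = True
            continue
        try:
            widest = max(widest, port_span(item))
        except ValueError:
            findings.append("BAD_PROTOCOL_CONFIG")
    # Only explicit INGRESS + ALLOW is judged; CLI defaults are not stated in the guide.
    exposed = (any_source and o.get("direction", "").upper() == "INGRESS"
               and o.get("action_on_match", "").upper() == "ALLOW")
    if exposed and all_protocols:
        findings.append("WORLD_OPEN_ALL_PROTOCOLS")
    elif exposed and widest >= WIDE_PORT_SPAN:
        findings.append("WORLD_OPEN_WIDE_PORTS")
    return findings


# Constructed sample command lines (project, rule names and ranges are made up).
SAMPLES = {
    "open": "google manage_external_ip -p DEMO -a ADD -n allow-all -i 0.0.0.0/0 "
            "-d INGRESS -c ALLOW -y 1000 -r ALL",
    "scoped": "google manage_external_ip -p DEMO -a ADD -n office-ssh "
              "-i 203.0.113.0/24 -d INGRESS -c ALLOW -y 900 -r tcp:22",
    "bad": "google manage_external_ip -p DEMO -a ADD -i 0.0.0.0/0 -i 10.0.0.0/33 "
           "-d INGRESS -c ALLOW -y 70000 -r tcp:1-65535 -r udp:22,23",
    "remove": "google manage_external_ip -p DEMO -a remove",
}

if __name__ == "__main__":
    for label, command in SAMPLES.items():
        print(label, lint(command))
```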
5.7.1.22 google manage_policy
Invoke: google manage_policy
Manages existing IAM policies
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --policy-name Name of default policy No
-g, --google-action Google action. For several actions repeat the parameter: -g ACTION1 -g ACTION2 -g ACTIONN No
-f, --file-name .csv file with Google actions to set up. Replaces actions in the policy. No
-a, --action Manage action. Allowed are: [UPDATE, GET, LIST] Yes
-d, --delete Remove actions from policy if any No
--target Parameter indicating where to display the command result. Must be one of [ssh_console, file, email] No
Command example:
google manage_policy -n <policy name> -a <action>
Response example:
5.7.1.23 google manage_role
Invoke: google manage_role
Manages default user project role definition in EO
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --action Manage action. Allowed are: [UPDATE, LIST]. Default: LIST No
-n, --role-name Name of default role. Allowed are: [BasicReadAccess, FullReadAccess, BasicUserAccess, AdminUserAccess] No
-p, --policy Attached policy. For several actions repeat the parameter: -p POLICY1 -p POLICYN No
-d, --delete Remove policy from role No
Command example:
google manage_role -a <action> -n <role name>
Response example:
5.7.1.24 google setup_account
Invoke: google setup_account
Sets up new Google account
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-u, --username Account username ([email protected]) Yes
-i, --client-id Client ID Yes
-p, --purpose Account purpose. Allowed values: COMPUTE, ADMIN_DIRECTORY Yes
--domain Account domain. For example: epam.com Yes
-a, --admin-project-id Admin project ID. Required for COMPUTE accounts No
-b, --billing-account-id Billing account ID. Required for COMPUTE accounts No
-d, --billing-dataset-name BigQuery billing dataset name No
Response Elements
Name Description
Account ID Account ID
Approver Approver
Account purpose Account purpose
Client ID Client ID
Admin project ID Admin project ID
Billing account ID Billing account ID
Account domain Account domain
Command example:
google setup_account -u <username> -i <client-id> -p <purpose> --domain <domain name> -a <admin-project-id> -b <billing-account-id>
5.7.1.25 google update_acc_configs
Invoke: google update_acc_configs
Updates Google account settings
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-n, --account-id Existing account ID (account-xxxxxxxx) Yes
-u, --approver Approver account username ([email protected]) No
-i, --client-id Client ID No
--domain Account domain. For example: epam.com No
-a, --admin-project-id Admin project ID. Required for COMPUTE accounts No
-b, --billing-account-id Billing account ID. Required for COMPUTE accounts No
-d, --billing-dataset-name BigQuery billing dataset name No
-r, --refresh-token Indicates if the refreshToken regeneration is needed No
Response Elements
Name Description
Account ID Account ID
Approver Approver
Account purpose Account purpose
Client ID Client ID
Admin project ID Admin project ID
Billing account ID Billing account ID
Account domain Account domain
Before you get the response, confirm that you want to perform the operation.
Command example:
google update_acc_configs -n <account-id> -u <username> -i <client-id> --domain <domain> -a <admin-project-id> -b <billing-account-id> -r <refresh-token>
Response example:
5.7.1.26 google update_images
Invoke: google update_images
Refreshes information about images (family, licenses etc.)
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone No
Command example:
google update_images -z <zone>
Response example:
5.7.1.27 google upload_role
Invoke: google upload_role
Uploads updated default user project role on Google side
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud No
-n, --role-name Name of default role. Note that the command will try to upload all roles if the role is not specified. No
--all-projects Upload role to all activated projects No
Before you get the response, confirm that you want to perform the operation.
Command example:
google upload_role -p <project> -n <role name>
Response example:
5.8 CSA, HP OO, OPENSTACK (PRIVATE CLOUD)
This category includes the commands related to resource management in CSA, HP OO and OpenStack
virtualization platforms.
5.8.1 CSA
The ‘csa’ group includes the commands related to HP Cloud Services Automation. The following
commands are available:
Command Description
csa activate_project Activates an HP Cloud Services Automation project in EPAM Cloud Orchestrator
csa add_offering Adds a new CSA offering
csa add_ownership Adds HP CSA ownership for the specified zone and instances
csa add_secondary_catalog Adds a CSA secondary catalog
csa add_shape Adds a new CSA shape
csa add_zone Adds a new CSA zone
csa check_offerings Checks CSA offerings
csa config_api Sets HP CSA API userId, catalogId
csa config_image Update image description for the Hardware MAC image
csa del_subscript Deletes HP CSA subscriptions from CSA only
csa fix_old_project Changes CSASubscription requestor (project) if the current project is inactive
csa get_capacity Shows open, close, current values and blocked action for all CSA regions
csa put_under_eo Puts existing HP CSA subscription under EO
csa restore_missing Restores missing EO instances existing in CSA
csa restore_to_csa Restores HP CSA subscriptions from EO to CSA
csa set_capacity Sets open and close values for a single CSA region
csa set_catalog Sets catalog ID to active HP CSA subscriptions in the specified zone
csa sync_from_csa Synchronizes HP CSA subscription fields from CSA to EO
csa vlan_activate Activates a new VLAN for project
To see the list of arguments used with the commands of the ‘csa’ group, type csa [command_name] -h
in the command line.
5.8.2 HPOO
The ‘hpoo’ group includes the commands related to HP Operations Orchestration. The following
commands are available:
Command Description
hpoo activate_project Activates an HP OO project in EPAM Cloud Orchestrator
hpoo add_zone Adds a new HP OO zone
hpoo check_flows Checks that flows are present and valid on HP OO
hpoo config_flow Configures HP OO flow
hpoo config_zone Configures a new HP OO zone
hpoo configvs Configures HP OO VSphere host name/username and password
hpoo get_problem_inst Retrieves the list of instances in starting state or having no IP
hpoo refresh_images Refreshes the list of machine images in EPAM Cloud Orchestrator
hpoo vlan_activate Activates a new VLAN for the project
To see the list of arguments used with the commands of the ‘hpoo’ group, type hpoo [command_name]
-h in the command line.
5.8.3 OPEN_STACK
The ‘open_stack’ group includes the commands related to the OpenStack virtualization platform. The
following commands are available:
Command Description
open_stack activate_project Activates a project in OpenStack
open_stack activate_zones_personal_project Activates a separate tenant for hosting personal projects' resources in the specified zone.
open_stack add_image Adds an image to the OpenStack Zone
open_stack add_predefined_user Adds a predefined user to the project or to all projects in the specified OpenStack zone
open_stack add_shapes Creates default shapes for an OpenStack zone. For more details see OrchestrationSettings.openStackDefaultShapes
open_stack add_zone Adds a new OpenStack zone
open_stack admin_sg Creates or updates, if exists, the configuration for admin project's security group for the specified security mode
open_stack apply_custom_group Applies custom project security group to the existing VMs
open_stack clean_up_ports Cleans up network ports that are currently not in use on OpenStack
open_stack config_tenant_net Configures tenant limited network
open_stack create_recycle_bin Creates Recycle bin for the OpenStack zone
open_stack cross_project_access Describes, enables or disables cross-project access
open_stack cross_region_access Describes, enables or disables cross-region access for the project
open_stack delete_image Deletes an image from the OpenStack zone. Assigns status DELETED for the image and does not delete it on OpenStack
open_stack delete_project_image Deletes project image on OpenStack and marks it as deleted in DB
open_stack delete_requested_storage Deletes requested storage
open_stack delete_shapes Deletes shapes by flavor ID
open_stack deprecate_shapes Deprecates shapes for the OpenStack zone
open_stack describe_recycle_bin Describes Recycle bin for the OpenStack zone
open_stack edit_recycle_bin Edits Recycle bin properties for the OpenStack zone
open_stack edit_zone Edits OpenStack zone settings
open_stack generate_name Generates a new instance name
open_stack get_default_security_mode Gets default security group mode for the zone
open_stack get_default_shapes Retrieves the list of default shape configurations
open_stack get_hosts Retrieves the list of all hosts in the OpenStack zone
open_stack get_images Retrieves the list of all public images available in the zone
open_stack get_quotas Retrieves the list of OpenStack quotas for the project in the specified zone
open_stack get_shapes Retrieves the list of all available/deprecated shapes in the specified zone
open_stack get_windows_admin_password Gets admin password for windows instance
open_stack get_zones Retrieves the list of all active OpenStack zones
open_stack manage_custom_rules Manages custom security group rules
open_stack manage_dns_name Manages instance DNS name on EO
open_stack manage_networking Manages internal identifier of VLAN
open_stack move_to_dmz Moves instance to specified or default project VLAN
open_stack notific_config Configures notifications settings
open_stack refresh_image_lim Checks and updates project image limitations from OpenStack side
open_stack register_requested_storage Registers requested storage
open_stack remove_from_recycle_bin Removes the specified instance from Recycle bin on OpenStack.
open_stack remove_tenant Removes tenants on OpenStack used by the project closed on EO.
open_stack reset_synth_state Resets instance syntheticState identifier stuck in 'CLONING'.
open_stack restore_from_recycle_bin Restores instance from Recycle bin on OpenStack. Specify OpenStack instance id.
open_stack restore_fv_from_eo Restores flavors, absent on OpenStack, but existed in EO DB.
open_stack security_group_extension Manages default security group type extensions
open_stack set_default_security_mode Sets default security group mode for the zone
open_stack set_instance_security_groups Applies project security groups to existing VM
open_stack security_config Describes or updates project security configuration
open_stack set_image_id Sets new ID for the existing image
open_stack set_quota Sets quota for the specified project or for all projects in the specified zone
open_stack setup_networking Sets up networking for all projects in the specified zone (for MANUAL networking mode only)
open_stack up_fv_names Updates OpenStack flavor names according to the current naming policy
open_stack update_network_config Updates network configuration
open_stack vlan_activate Activates a new VLAN for the zone
open_stack vlan_deactivate Removes VLAN configuration
To see the list of arguments used with the commands of the ‘open_stack’ group, type open_stack
[command_name] -h in the command line.
5.8.3.1 open_stack activate_project
Invoke: open_stack activate_project
Activates a project in OpenStack.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-s, --shape Shape name. For several shapes repeat the parameter: -s SHAPE1 -s SHAPE2 -s SHAPEN Yes
-f, --fake-project Fake project No
-x, --expiration-date Project expiration date. Valid date format: [yyyy-MM-dd]. No
-z, --zone Virtualization zone Yes
-n, --network-type Network type: [default, secured, hybrid]. By default, the default network type will be applied. No
--st, --security-type Security type: [private, protected, limited, public, manual]. If a security type is not specified, the default one used for the zone will be applied. To see the default security type used for the zone, invoke the get_default_security_mode command. No
Response Elements
Name Description
pmcCode Project code
name Project name
zone Project zone
primaryContacts Primary contacts
secondaryContacts Secondary contacts
instanceCreationIntervalHours Instance creation interval described in hours
volumeCreationIntervalHours Volume creation interval described in hours
maxVolumeSizeGb Maximum volume size in Gb
activationDate Activation date
expirationDate Expiration date
Command example
open_stack activate_project -p <project_name> -s <shape> -z <zone_name>
Before you get the response, confirm that you want to perform the operation.
Command response
5.8.3.2 open_stack activate_zones_personal_project
Invoke: open_stack activate_zones_personal_project
Activates a separate tenant for hosting personal projects' resources in the specified zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
Command example
open_stack activate_zones_personal_project -z <zone_name>
Before you get the response, confirm that you want to perform the operation.
Command response
5.8.3.3 open_stack add_image
Invoke: open_stack add_image
Adds an image to the OpenStack zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-i, --image-id Image ID Yes
-d, --description Image description Yes
-g, --group Image group: [public, enterprise] Yes
-t, --os-type Type of operating system: [Windows, Linux, CoreOS, Fedora CoreOS] Yes
-u, --username Default SSH user Yes
-o, --open-stack-image-id OpenStack image ID No
-z, --zone Virtualization zone No
--all-zones All zones No
--rewrite Rewrite parameters of existing image No
Response Elements
Name Description
Zone Zone name
Status Show command execution status
Message Provide additional information
Command example
open_stack add_image -i <image_id> -d <image_description> -g <group> -t <os_type> -u <default_ssh_user_name> -o <open_stack_image_id> -z <zone_name>
Before you get the response, confirm that you want to perform the operation.
Command response.
5.8.3.4 open_stack add_predefined_user
Adds a predefined user to the project or to all projects in the specified OpenStack zone.
Invoke: open_stack add_predefined_user
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-u, --username Username. For several users repeat the parameter: -u USERNAME1 -u USERNAME2 Yes
-p, --project Project abbreviation in EPAM Cloud No
Command example
open_stack add_predefined_user -z <zone_name> -p <project> -u <username>
Command response
5.8.3.5 open_stack add_shapes
Invoke: open_stack add_shapes
Creates default shapes for an OpenStack zone.
For more details see OrchestrationSettings.openStackDefaultShapes
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-s, --shape Included shape. For several shapes repeat the parameter: -s SHAPE1 -s SHAPE2. If not specified, all available shapes will be added. No
--see Prints the shapes which will be added No
5.8.3.6 open_stack add_zone
Invoke: open_stack add_zone
Adds a new OpenStack zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-r, --region Virtualization region Yes
-z, --zone Virtualization zone Yes
-l, --location Location (e.g. North Europe) No
-u, --auth-url Open Stack authentication url Yes
-c, --counter Instance start counter (used for instance name generation) Yes
-a, --admin-name Admin name Yes
-t, --admin-tenant Admin tenant Yes
-m, --networking-mode Networking mode. Allowed values: [AUTO, MANUAL] Yes
--dns, --dns-server DNS server to register VMs on. Can specify several values. Yes
-n, --network-id Network ID Yes
--rn, --region-name OpenStack region name No
--assign Assigns zone to the currently active node No
-d, --docker-only Docker only No
--mtp Servicing host for moveToProject command No
--storage-url Custom storage URL No
5.8.3.7 open_stack admin_sg
Invoke: open_stack admin_sg
Creates or updates, if exists, the configuration for admin project's security group for the specified security
mode.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Zone name. If this parameter is not specified, the command will be executed for all zones No
-s, --security-group-type Security group type. If this parameter is not specified the command will be executed for all modes. Allowed values are: [private, protected, limited, public, manual, core_v] No
-a, --action Manage action, allowed values are: [describe, setup]. By default is describe No
Response Elements
Name Description
zone Zone name
securityMode Security mode
securityGroupName Security group name
securityRuleId Security rule ID
direction Direction
protocol Protocol
portRange Port range
remoteSource Remote source
description Description
The command will be executed in the asynchronous mode.
Command example
open_stack admin_sg -z <zone> -a describe
Command response
5.8.3.8 open_stack apply_custom_group
Invoke: open_stack apply_custom_group
Applies custom project security group to the existing VMs.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
The command will be executed in the asynchronous mode.
Command Example
open_stack apply_custom_group -p <project> -z <zone_name>
Command response
5.8.3.9 open_stack clean_up_ports
Invoke: open_stack clean_up_ports
Cleans up network ports that are currently not in use on OpenStack.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-s, --security-group-id Filter project ports by security group No
-d, --delete Delete non-in-use OpenStack ports for project. By default, only describe applicable ports. No
5.8.3.10 open_stack config_tenant_net
Invoke: open_stack config_tenant_net
Configures tenant limited network.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
--gn, --gateway-network Gateway Network ID Yes
--tn, --tenant-network-name Created tenant Network name No
--gs, --gateway-subnet Gateway Subnet ID. Must be specified with --gateway-external-ip parameter. No
--ip, --gateway-external-ip Gateway IP address. Must be specified with --gateway-subnet parameter. No
-c, --cidr CIDR to specify IP ranges for tenant network. Default: 172.25.0.0/24 No
--ha, --highly-available Whether the network router should be highly available (includes L3 Agent network on router) No
--dsnat, --disable-snat To disable Source NAT No
Response Elements
Name Description
networkName Network name
networkId Network ID
subnetName Subnet name
subnetCidr Subnet Cidr
gatewayNetworkId Gateway network ID
gatewayExternalIp Gateway external IP
Command example
open_stack config_tenant_net -p <project> -z <zone-name> --gn <gateway_network_id> --ha --tn <tenant_network_name>
Command response
5.8.3.11 open_stack create_recycle_bin
Invoke: open_stack create_recycle_bin
Creates Recycle bin for the OpenStack zone
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-t, --ttl Minimum time to live for instance in hours before being moved to recycle bin. By default: 24 No
-d, --days Amount of days for instance to persist in Recycle bin. By default: 7 No
Command example
open_stack create_recycle_bin -z <zone> -d <days>
5.8.3.12 open_stack cross_project_access
Invoke: open_stack cross_project_access
Describes, enables or disables cross-project access
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --action Manage action, allowed values are: [describe, enable, disable]. By default, is describe No
-s, --source Source project. If you want to allow/disallow access for projects to each other specify them all as a source without specifying the target. Supports several values No
-t, --target Target project. Supports several values No
The command will be executed in the asynchronous mode.
Command example:
open_stack cross_project_access -t <target> -a <action> -s <source>
Response example:
5.8.3.13 open_stack cross_region_access
Invoke: open_stack cross_region_access
Describes, enables or disables cross-region access for the project.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-a, --action Manage action, allowed values are: [describe, enable, disable]. By default is describe No
Response Elements
Name Description
Project Project name
Cross-Region Access status Cross region access status
The command will be executed in the asynchronous mode.
Command example
open_stack cross_region_access -p <project> -a describe
Command response
5.8.3.14 open_stack delete_image
Invoke: open_stack delete_image
Deletes an image from the OpenStack zone. Assigns status DELETED for the image and does not delete
it on OpenStack.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-I, --image-id Image ID Yes
-z, --zone Virtualization zone No
--all-zones All zones No
Response Elements
Name Description
Zone Zone name
Status Show command execution status
Message Provides additional information
Command example
open_stack delete_image -i <image_id> -z <zone_name>
Before you get the response, confirm that you want to perform the operation.
Command response
5.8.3.15 open_stack delete_project_image
Invoke: open_stack delete_project_image
Deletes project image on OpenStack and marks it as deleted in DB.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-I, --image-id Image ID Yes
Command example
open_stack delete_project_image -z <zone_name> -p <project> -i <imageID>
Before you get the response, confirm that you want to perform the operation.
Command response
5.8.3.16 open_stack delete_requested_storage
Invoke: open_stack delete_requested_storage
Deletes requested storage.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-v, --volume-operational-id Operational volume id No
Command example
open_stack delete_requested_storage -z <zone_name> -v <volume_id> -p <project>
Before you get the response, confirm that you want to perform the operation.
Command response
5.8.3.17 open_stack delete_shapes
Invoke: open_stack delete_shapes
Deletes shapes by flavor ID.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-f, --flavor OpenStack flavor ID. Use several -f options to provide list of flavors Yes
5.8.3.18 open_stack deprecate_shapes
Invoke: open_stack deprecate_shapes
Deprecates shapes for the OpenStack zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-f, --flavor OpenStack flavor ID. If not specified, all available drives will be deprecated. Yes
-d, --drive-type Filter by disk drive type. If not specified, all available drives will be deprecated. No
-s, --shape Filter by shapes. For several shapes repeat the parameter: -s SHAPE1 -s SHAPE2. If not specified, all available shapes will be deprecated. No
--size Filter by disk drive size. If not specified, all available shapes will be deprecated No
5.8.3.19 open_stack describe_recycle_bin
Invoke: open_stack describe_recycle_bin
Describes Recycle bin for the OpenStack zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
Response Elements
Name Description
projectName OpenStack recycle bin tenant name
instanceMinTtlHours Minimum time to live for instance in hours before being moved to recycle bin
daysForInstanceToPersist Number of days for instance to persist
Instances Number of instances
Info about instances
Id OpenStack instance ID
Name Instance name
Project Project name
Owner Owner’s name
deletedAt Date when the instance was deleted
Command example
open_stack describe_recycle_bin -z <zone_name>
Command response
5.8.3.20 open_stack edit_recycle_bin
Invoke: open_stack edit_recycle_bin
Edits Recycle bin properties for the OpenStack zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-t, --ttl Minimum time to live for instance in hours before being moved to recycle bin. By default: 24 No
-d, --days Amount of days for instance to persist in Recycle bin. By default: 7. No
Command example
open_stack edit_recycle_bin -d 7 -z <zone_name>
5.8.3.21 open_stack edit_zone
Invoke: open_stack edit_zone
Edits OpenStack zone settings.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-s, --strategy Zone update strategy. Allowed values: [DESCRIBE, PUSH_NOTIFICATIONS, PUSH_NOTIFICATIONS_WITH_DESCRIBE] No
-r, --resource-placing-policy Resource placing policy. Allowed values: [DEFAULT, SAME_HOST] No
--dns-management-settings DNS names management settings. Allowed values: [DNS_REGISTER_ENABLE, DNS_REGISTER_DISABLE, DNS_UNREGISTER_ENABLE, DNS_UNREGISTER_DISABLE] No
-c, --create-volume-snapshots Specifies whether operation of creating volume snapshot is supported No
-t, --storage-threshold Storage capacity threshold. Must be in range [0, 100] No
-m, --telemetry-monitoring-url Specify separate OpenStack telemetry host used for zone No
--storage-url Custom storage URL No
5.8.3.22 open_stack generate_name
Invoke: open_stack generate_name
Generates a new instance name
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
Command example
open_stack generate_name -z <zone_name>
The command response provides new instance name.
5.8.3.23 open_stack get_default_security_mode
Invoke: open_stack get_default_security_mode
Gets default security group mode for the zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Zone name. If this parameter is not specified, the default security mode will be described for all zones Yes
Response Elements
Name Description
name Zone name
defaultSecurityMode Default security mode
Command example
open_stack get_default_security_mode -z <zone>
Command response
5.8.3.24 open_stack get_default_shapes
Invoke: open_stack get_default_shapes
Retrieves the list of default shape configurations.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Response Elements
Name Description
shape Shape type
cpu Show number of CPUs
ramMb Show megabytes of instance ram
linuxDefaultDiskGb Show the default Linux instance disk size in Gb
windowsDefaultDiskGb Show the default Windows instance disk size in Gb
alternativeDisks Show the alternative disk size in Gb
Command example
open_stack get_default_shapes
Command response
5.8.3.25 open_stack get_hosts
Invoke: open_stack get_hosts
Retrieves the list of all hosts in the OpenStack zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
Response Elements
Name Description
name Host name
novaAvailabilityZone Nova availability zone
cinderAvailabilityZone Cinder availability zone
Command example
open_stack get_hosts -z <zone_name>
Command response
5.8.3.26 open_stack get_images
Invoke: open_stack get_images
Retrieves the list of all public images available in the zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
Response Elements
Name Description
name Image name
id Image ID
osType OS type
Command example
open_stack get_images -z <zone_name>
Command response
5.8.3.27 open_stack get_quotas
Invoke: open_stack get_quotas
Retrieves the list of OpenStack quotas for the project in the specified zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
Response Elements
Name Description
projectName Project name
instances Show number of instances allowed for the project in the specified zone
cores Show number of instance cores allowed for the project
ram Show megabytes of instance ram allowed for the project
volumes Show volumes allowed for the project
volumesGb Show volume gigabytes allowed for the project
snapshots Show volume snapshots allowed for the project
ports Show ports allowed for the project
floatingIps Show floating ports allowed for the project
** -1 stands for the value that has no limitations
Command Example
open_stack get_quotas -z <zone_name>
Command response
5.8.3.28 open_stack get_shapes
Invoke: open_stack get_shapes
Retrieves the list of all available/deprecated shapes in the specified zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-d, --deprecated Show deprecated shapes No
Response Elements
Name Description
shape Shape name
diskDrive Disk type
flavorId Flavor ID on the OpenStack console
flavorName Flavor name on the OpenStack console
cpu Number of CPU for the shape
ramMb RAM (Mb)
diskGb Disk size (Gb)
revision Revision status
Command example
open_stack get_shapes -z <zone_name>
Command response
5.8.3.29 open_stack get_windows_admin_password
Invoke: open_stack get_windows_admin_password
Gets the admin password for a Windows instance.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-i, --instance Instance name Yes
Command example
open_stack get_windows_admin_password -p <project> -z <zone> -i <instance_id>
Command response
The command response provides Windows admin password.
5.8.3.30 open_stack get_zones
Invoke: open_stack get_zones
Retrieves the list of all active OpenStack zones.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Response Elements
Name Description
name Zone name
networkingType Networking type
resourcePlacingPolicy Resource placing policy on the OpenStack
storageCapacityThreshold Storage Capacity threshold
recycleBin Show whether recycle bin is used
updateStrategy Show the current update strategy
moveToProject Show whether instances can be moved to other projects
createVolumeSnapshots Show whether volume snapshots can be created
personalProjects Show whether the zone is used for personal projects
telemetryStorageUrl Telemetry storage url
Command example
open_stack get_zones
Command response
5.8.3.31 open_stack manage_custom_rules
Invoke: open_stack manage_custom_rules
Manages custom security group rules.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-p, --project Project abbreviation in EPAM Cloud Yes
-a, --action Action: [describe, add, remove], by default is describe No
-d, --direction Direction: [egress, ingress] No
-r, --protocol Ip Protocol. Use -1 for All protocols/All ports No
-I, --ip-range Ip range No
--port-range Single port or port range, for example 25-50 No
--rule-id Custom security rule ID. Use it to remove the rule No
--all Use this flag to describe all rules including EO default rules No
-e, --description Description No
Response Elements
Name Description
securityGroupName Security group name
securityRuleId Security rule ID
direction Direction
protocol Protocol
portRange Port range
remoteSource Remote resource
description Additional information
Action DESCRIBE
Command example
open_stack manage_custom_rules -p <project> -z <zone_name> -a describe
Command response
Action ADD
Command example
open_stack manage_custom_rules -p <project> -z <zone> -a add
Command response
Action DELETE
Command example
manage_custom_rules --project <project> --zone <zone> --name <name> --action remove --rule-id <rule id>
Command response
5.8.3.32 open_stack manage_dns_name
Invoke: open_stack manage_dns_name
Manages instance DNS name on EO.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-p, --project Project abbreviation in EPAM Cloud Yes
-I, --instance-id Instance ID Yes
-n, --dns-name DNS name No
-d, --dns-server-address DNS-server address. No
-t, --dns-record-type DNS-record type. Applied for all types if empty. Allowed are: [A, PTR] No
-a, --action Manage action. Allowed are: [CREATE, IMPORT, UPDATE, RESET_IMPORT] No
5.8.3.33 open_stack manage_networking
Invoke: open_stack manage_networking
Manages internal identifier of VLAN.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-a, --action Manage action. Allowed values: [DESCRIBE, UPDATE]. Describe by default No
-z, --zone Zone name Yes
-o, --old-id Old network id No
-n, --new-id New network id No
5.8.3.34 open_stack move_to_dmz
Invoke: open_stack move_to_dmz
Moves instance to specified or default project VLAN.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-p, --project Project abbreviation in EPAM Cloud Yes
-i, --instance-id Instance ID Yes
-v, --vlan-name VLAN name No
-a, --ip-address IP address for moving instance to DMZ No
-b, --back Move OpenStack server back to Server Network No
Command example
open_stack move_to_dmz -p <project> -z <zone_name> -i <instance id> -b
Command response
5.8.3.35 open_stack notific_config
Invoke: open_stack notific_config
Configures notifications settings.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
--host OpenStack Rabbit host No
-p, --port OpenStack Rabbit port No
-v, --vhost OpenStack Rabbit virt host No
-u, --username OpenStack Rabbit username No
-r, --reply-timeout Reply timeout (millis) No
-n, --min-threads MIN number of threads to listen to notifications No
-x, --max-threads MAX number of threads to listen to notifications No
--nova Custom exchange name for Nova service No
--cinder Custom exchange name for Cinder service No
--glance Custom exchange name for Glance service No
5.8.3.36 open_stack refresh_image_lim
Invoke: open_stack refresh_image_lim
Checks and updates project image limitations from OpenStack side.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-p, --project Project abbreviation in EPAM Cloud Yes
5.8.3.37 open_stack register_requested_storage
Invoke: open_stack register_requested_storage
Registers requested storage.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-p, --project Project abbreviation in EPAM Cloud Yes
-v, --volume-operational-id Specify id if you want to update existing volume size or price No
-s, --size Size of the storage in GBs No
Command example
open_stack register_requested_storage -z <zone_name> -s 1 -p <project>
Before you get the response, confirm that you want to perform the operation.
Command response.
5.8.3.38 open_stack remove_from_recycle_bin
Invoke: open_stack remove_from_recycle_bin
Removes the specified instance from Recycle bin on OpenStack.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-s, --server-id Server ID Yes
Command example
open_stack remove_from_recycle_bin -s <server_id> -z <zone_name>
Before you get the response, confirm that you want to perform the operation.
Command response.
5.8.3.39 open_stack remove_tenant
Invoke: open_stack remove_tenant
Removes tenants on OpenStack used by the project closed on EO.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-p, --project Project abbreviation in EPAM Cloud Yes
5.8.3.40 open_stack reset_synth_state
Invoke: open_stack reset_synth_state
Resets instance syntheticState identifier stuck in 'CLONING'
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-p, --project Project abbreviation in EPAM Cloud Yes
-i, --instance-id Instance ID. For several IDs repeat the parameter: -i instanceId1 -i instanceId2 -i instanceIdN. Yes
-f, --fix Reset syntheticState identifier on EO. No
5.8.3.41 open_stack restore_from_recycle_bin
Invoke: open_stack restore_from_recycle_bin
Restores instance from Recycle bin on OpenStack. Specify OpenStack instance ID.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-p, --project Project abbreviation in EPAM Cloud No
-s, --server-id Server ID Yes
Command Example
open_stack restore_from_recycle_bin -z <zone_name> -p <project> -s <server_id>
5.8.3.42 open_stack restore_fv_from_eo
Invoke: open_stack restore_fv_from_eo
Restores flavors that are absent on OpenStack but exist in the EO DB.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-f, --flavor-id Flavor id, if need to restore the particular flavor No
-u, --update Update flavor names. Otherwise only list changes No
5.8.3.43 open_stack security_group_extension
Invoke: open_stack security_group_extension
Manages default security group type extensions.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone. If not specified, the changes will apply to all zones No
-s, --security-group-type Security group type. Allowed values are: [private, protected, limited, public, manual, core_v] No
-a, --action Manage action. Allowed values are: [describe, add, remove]. By default is describe No
-d, --direction Direction: [egress, ingress] No
-r, --protocol Ip Protocol. Use -1 for All protocols/All ports No
-I, --ip-range Ip range No
--port-range Single port or port range, for example 25-50 No
-e, --description Description No
Response Elements
Name Description
zoneName Zone name
securityGroupType Security group type
direction Direction
port Port
ipRange IP range
description Description
Command example
open_stack security_group_extension -a <action> -z <zone_name>
Command response
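A pre-flight review an administrator could run on a rule before passing it to manage_custom_rules or security_group_extension with the add action, given as an added example that is not part of the Maestro CLI or of this guide. It assumes that --ip-range takes CIDR notation and that --protocol accepts tcp, udp and icmp besides the documented -1; the sensitive-port list and the sample rules are constructed.

```python
"""Pre-flight review of a security group rule before it is added.

Added example, not part of the Maestro CLI. Assumptions not stated in the
guide: --ip-range is CIDR, --protocol accepts tcp/udp/icmp besides -1.
"""
import ipaddress
from dataclasses import dataclass

DIRECTIONS = {"egress", "ingress"}            # values listed in the guide
PROTOCOLS = {"tcp", "udp", "icmp", "-1"}      # names are an assumption; -1 is from the guide
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP"}    # constructed watch list


@dataclass
class Rule:
    direction: str
    protocol: str
    ip_range: str
    port_range: str = ""
    description: str = ""


def parse_port_range(text):
    """Parse a single port ('25') or a range ('25-50') into (low, high)."""
    parts = text.split("-")
    if len(parts) > 2 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"port-range {text!r} is not PORT or LOW-HIGH")
    low, high = int(parts[0]), int(parts[-1])
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port-range {text!r} is outside 1-65535 or reversed")
    return low, high


def review(rule):
    """Return (errors, warnings). Errors mean the rule must not be submitted."""
    errors, warnings = [], []
    if rule.direction not in DIRECTIONS:
        errors.append(f"direction {rule.direction!r} is not egress or ingress")
    if rule.protocol not in PROTOCOLS:
        errors.append(f"protocol {rule.protocol!r} is not recognised")

    net = None
    try:
        # strict=True rejects host bits, e.g. 10.0.0.5/24 typed for 10.0.0.0/24
        net = ipaddress.ip_network(rule.ip_range, strict=True)
    except ValueError as exc:
        errors.append(f"ip-range: {exc}")

    ports = None
    if rule.protocol == "-1":
        ports = (1, 65535)  # -1 means all protocols and all ports
        if rule.port_range:
            warnings.append("port-range given together with protocol -1 (all ports)")
    elif rule.port_range:
        try:
            ports = parse_port_range(rule.port_range)
        except ValueError as exc:
            errors.append(str(exc))
    elif rule.protocol in ("tcp", "udp"):
        warnings.append("no port-range: confirm that every port is intended")

    # Exposure checks only matter for traffic entering from any address.
    if net is not None and rule.direction == "ingress" and net.prefixlen == 0:
        if rule.protocol == "-1":
            warnings.append("ingress from any address on all protocols and ports")
        elif ports:
            for port, name in sorted(SENSITIVE_PORTS.items()):
                if ports[0] <= port <= ports[1]:
                    warnings.append(f"{name} (port {port}) open to any address")
    if not rule.description:
        warnings.append("no description: record the owner or change ticket")
    return errors, warnings


def to_args(rule):
    """Render the rule as the long-form flags the guide lists for these commands."""
    errors, _ = review(rule)
    if errors:
        raise ValueError("; ".join(errors))
    args = ["--action", "add", "--direction", rule.direction,
            "--protocol", rule.protocol, "--ip-range", rule.ip_range]
    if rule.port_range:
        args += ["--port-range", rule.port_range]
    if rule.description:
        args += ["--description", rule.description]
    return args


if __name__ == "__main__":
    # Constructed sample rules, not taken from any real project.
    samples = [
        Rule("egress", "tcp", "10.1.0.0/16", "443", "constructed: outbound HTTPS"),
        Rule("ingress", "tcp", "0.0.0.0/0", "20-25"),
        Rule("ingress", "tcp", "10.0.0.5/24", "443", "constructed: typo in CIDR"),
    ]
    for rule in samples:
        errs, warns = review(rule)
        print(rule.ip_range, rule.port_range, "errors:", errs, "warnings:", warns)
```

Warnings do not block to_args; they are the points to confirm with the rule's owner before the add action is run.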
5.8.3.44 open_stack set_default_security_mode
Invoke: open_stack set_default_security_mode
Sets default security group mode for the zone
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-s, --security-type Security type: [PRIVATE, PROTECTED, LIMITED, PUBLIC, MANUAL, CORE_V] No
5.8.3.45 open_stack set_instance_security_groups
Invoke: open_stack set_instance_security_groups
Applies project security groups to existing VM
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-i, --instance-id Instance Id Yes
The command will be executed in the asynchronous mode.
Command example:
open_stack set_instance_security_groups -p <project> -z <zone> -i <instance-id>
Response example:
5.8.3.46 open_stack security_config
Invoke: open_stack security_config
Describes or updates project security configuration.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone. If not specified, the changes will apply to all zones No
-p, --project Project abbreviation in EPAM Cloud No
-s, --security-mode New security mode to be set for the specified project. Possible values are: [private, protected, limited, public, manual, core_v] No
The command will be executed in the asynchronous mode.
Command Example
open_stack security_config -p <project> -z <zone_name>
Command response
Execute
status get -g open_stack -n security_config
Command response
5.8.3.47 open_stack set_image_id
Invoke: open_stack set_image_id
Sets new ID for the existing image.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone. If not specified, the changes will apply to all zones Yes
-n, --name Image name Yes
-i, --id New image ID. Yes
Command Example
open_stack set_image_id -z <zone_name> -n <image_name> -i <new_image id>
5.8.3.48 open_stack set_quota
Invoke: open_stack set_quota
Sets quota for the specified project or for all projects in the specified zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone. If not specified, the changes will apply to all zones Yes
-p, --project Project abbreviation in EPAM Cloud No
-c, --cores The number of allowed instance cores No
-r, --ram The amount of allowed instance RAM, in MB No
-i, --instances The number of allowed instances No
-v, --volumes The number of allowed volumes No
-g, --volumesGb The total amount of allowed volumes, in GB No
-s, --snapshots The number of allowed snapshots No
-o, --ports The number of allowed ports No
-f, --floatingIps The number of allowed floating IPs No
-u, --unlimitedForAll Applies unlimited quota for all items No
Response Elements
Name Description
projectName Project abbreviation in EPAM Cloud
instances Show number of instances allowed for the project
cores Show number of cores allowed for the project
ram Show megabytes of instance ram allowed for the project
volumes Show megabytes of instance ram allowed per project
volumesGb Show volume gigabytes allowed for the project
snapshots Show volume snapshots allowed for the project
ports Show ports allowed for the project
floatingIps Show floating Ips allowed for the project
** -1 stands for the value that has no limitations
Command example
open_stack set_quota -p <project> -z <zone_name> -i 1 -v 2
Before you get the response, confirm that you want to perform the operation.
Command response
5.8.3.49 open_stack setup_networking
Invoke: open_stack setup_networking
Sets up networking for all projects in the specified zone (for MANUAL networking mode only).
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone. If not specified, the changes will apply to all zones Yes
-n, --network-id Network ID No
-p, --personal-network-id Network ID for personal projects. No
5.8.3.50 open_stack up_fv_names
Invoke: open_stack up_fv_names
Updates OpenStack flavor names according to the current naming policy.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone. If not specified, the changes will apply to all zones Yes
-u, --update Update flavor names. Otherwise only list changes No
Response Elements
Name Description
flavorShape Flavor shape
flavorDiskType Flavor disk type
flavorDiskSize Flavor disk size
flavorId Flavor ID
oldFlavorName Old flavor name
newFlavorName New flavor name
Command example
open_stack up_fv_names -z <zone_name>
Command response
5.8.3.51 open_stack update_network_config
Invoke: open_stack update_network_config
Updates network configuration.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-p, --project Project abbreviation in EPAM Cloud Yes
-z, --zone Virtualization zone Yes
-n, --network-type Network type: [default, secured, hybrid], by default is default No
Command example
open_stack update_network_config -p <project> -z <zone_name>
Before you get the response, confirm that you want to perform the operation.
Command response
5.8.3.52 open_stack vlan_activate
Invoke: open_stack vlan_activate
Activates a new VLAN for the zone.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-v, --vlan-name VLAN name Yes
-d, --description VLAN Description. Yes
-p, --project List of Project abbreviations in UPSA No
--dmz Is DMZ VLAN No
--security-group-disabled Is Project SG Disabled (instances will be launching with 'default' SG). No
5.8.3.53 open_stack vlan_deactivate
Invoke: open_stack vlan_deactivate
Removes VLAN configuration.
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
-z, --zone Virtualization zone Yes
-v, --vlan-name VLAN name Yes
-d, --description VLAN Description. Yes
-p, --project Project abbreviation in EPAM Cloud No
-f, --force Use this flag to deactivate SDN and related configuration on OpenStack No
5.8.4 HARDWARE
The ‘hardware’ group includes the commands related to the Hardware resources management. The
following commands are available:
Command Description
hardware activate_project Activates a new HPOO project in EPAM Cloud Orchestrator
hardware add_zone Adds a new Hardware zone
hardware switch_hwu_credit Enables or disables hardware credit for the specified zone
For the arguments used with the commands of the ‘hardware’ group type hardware [command_name] -h
in the command line.
5.8.5 ENTERPRISE
The ‘enterprise’ group includes the commands related to the Enterprise cloud management. The
following commands are available:
Command Description
enterprise activate_project Activates a new project from Enterprise Cloud in EPAM Cloud Orchestrator
enterprise add_zone Adds a new Enterprise zone
enterprise reset_update_data Resets updated data for instances updating
For the arguments used with the commands of the ‘enterprise’ group type enterprise
[command_name] -h in the command line.
5.8.6 EXOSCALE
The ‘exoscale’ group includes the commands related to the Exoscale virtualization platform.
The following commands are available:
Command Description
exoscale activate_project Activate project on Exoscale
exoscale add_account Adds a new Exoscale account
exoscale add_endpoint Adds a new Exoscale API endpoint
exoscale add_image Adds Exoscale image
exoscale add_shapes Adds Exoscale service offerings
exoscale add_zone Add a new Exoscale zone
exoscale check_account Checks the specified Exoscale account
exoscale configure_network Configures networking for the Exoscale project
exoscale list_accounts Describes Exoscale accounts
exoscale list_endpoints Retrieves the list of Exoscale API endpoints
exoscale list_images Describes the list of Exoscale images
To see the list of arguments used with the commands of the ‘exoscale’ group, type exoscale
[command_name] -h in the command line.
5.9 PAAS
The ‘PaaS’ category includes the commands related to various platform services available in EPAM
Cloud.
5.9.1 PAAS
The ‘paas’ group includes the commands related to platform services management. The following
commands are available:
Command Description
paas delete Removes custom platform service definition and stack template corresponding to it
paas describe Retrieves the list of custom platform service definitions
paas kuber_userdata Manages Kubernetes init scripts to install Kubernetes services on CoreOS-type instances
paas register Registers custom platform service definition
paas restrict Restricts service usage for zone(s)
paas show_restricted Shows restricted services by zone/virt-type/all
paas unrestrict Lifts restrictions for service usage for zone(s)
To see the list of arguments used with the commands of the ‘paas’ group, type paas [command_name] -h
in the command line.
5.9.2 CHEF
The ‘chef’ group includes the commands related to the Chef service. The following commands are
available:
Command Description
chef add_config Adds a new Chef server configuration
chef cleanup Removes Chef nodes (and clients) for the deleted instances
chef delete_server Deletes Chef configuration
chef describe_server Describes Chef server
chef get_nodes Describes Chef nodes and existence of EO instances
chef list_initscript Describes the list of available Chef initial scripts
chef list_servers Describes the list of available Chef configurations
chef update_config Updates existing Chef server configuration
chef update_initscript Updates Chef initial scripts
chef upload_initscript Uploads Chef initial scripts for a new version
chef zone_assign Assigns the specified zone to the specified Chef server
chef zone_unassign Unassigns the specified zone from the Chef server
To see the list of arguments used with the commands of the ‘chef’ group, type chef [command_name] -h
in the command line.
5.9.3 DOCKER
The ‘docker’ group includes the commands related to the Docker Service. The following commands are
available:
Command Description
docker add_image Creates new Docker enterprise machine image
docker add_repository Creates new Docker enterprise repository
docker del_repository Deletes Docker enterprise repository by its search identifier
docker delete_image Deletes Docker enterprise machine image
docker get_images Retrieves all Docker enterprise machine images
docker get_repositories Retrieves all Docker enterprise repositories
To see the list of arguments used with the commands of the ‘docker’ group, type docker
[command_name] -h in the command line.
5.10 TEMP
The ‘temp’ group includes the temporary commands.
Please do not use them in the normal course of work.
5.10.1.1 temp remove_redundant_firewall
Invoke: temp remove_redundant_firewall
Removes redundant default firewall for all Google projects
Admin CLI Parameters
Parameter name Description Required
-h, --help Display command help No
Command example:
temp remove_redundant_firewall
Response example:
6 MAESTRO CLI ADMIN UTILITY – USE CASES
6.1 AWS – ADMINISTRATION CASES
6.1.1 AWS Zone Creation
Virtualization zone creation in AWS consists of the following steps:
1. Create a New Zone: aws add_zone --zone --region --availability-zone [--cf-endpoint] [--ec-endpoint] [--s-endpoint] [--cw-endpoint] [--assign] [--disable-billing-mix-mode] [--unreachable]
2. Configure Virtual Profile: zone set_virt_profile --zone --profile-name --shape-mapping
3. Add AMI: aws add_image --zone --image-id --amiid --description --group --virt-profile --username
4. Set Cost Center: billing set_cost_center --zone --cost-center-name
Figure 6 - AWS zone creation flow
• Zone Creation
To create a new AWS zone, use the following command:
aws add_zone [arguments]
The ‘aws add_zone’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Name of the virtualization zone to be created. Yes
-r, --region Code of AWS region in which the virtualization zone is to be created Yes
-a, --availability-zone AWS availability zone in which the virtualization zone is to be created Yes
-l, --location Location (e.g. North Europe) No
--ar, --aws-region AWS region code (e.g. eu-central-1) Yes
-c, --cf-endpoint CloudFormation endpoint. Required for reachable zones No
-e, --ec-endpoint EC2 endpoint. Required for reachable zones No
-t, --ct-endpoint CloudTrail endpoint. Required for reachable zones No
-s, --s-endpoint S3 endpoint. Required for reachable zones No
-w, --cw-endpoint CloudWatch endpoint. Required for reachable zones No
--assign Assigns zone to the currently active node No
--disable-billing-mix-mode Defines whether the zone supports billing mode No
--unreachable Marks the zone as unreachable by the Orchestrator No
Command Example:
aws add_zone -r us-east-1 -a us-east-1b -z zone_name --ar aws_region
• Zone Virtual Profile Configuration
A virtual profile contains the VM shape mapping between EPAM Cloud and AWS. Configuring a virtual
profile for an AWS zone sets the shapes available for instance creation in such zone and ensures that the
EPC shape selected for a VM corresponds to the correct shape in AWS.
To configure the zone virtual profile, use the following command:
zone set_virt_profile [arguments]
The ‘zone set_virt_profile’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Virtualization zone Yes
-p, --profile-name Virtual profile name Yes
-s, --shape-mapping Shape mapping pair: epc_shape=aws_shape. Use "=" as delimiter. For several mappings repeat the parameter: -s epc_shape1=aws_shape1 -s epc_shape2=aws_shape2 -s epc_shapeN=aws_shapeN. If using Windows command line, encase the -s parameter in quotes, i.e. "epc_shape=aws_shape" Yes
Command Example:
zone set_virt_profile -z zone_name -p profile -s MICRO=t2.micro -s SMALL=t2.small -s MEDIUM=m3.medium
• Adding Machine Images to AWS Zone
To add machine images which will be available in the AWS zone, use the following command:
aws add_image [arguments]
The ‘aws add_image’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Name of virtualization zone to which the image is to be added Yes
-i, --imageId Image ID Yes
-a, --amiId Amazon image ID Yes
-d, --description Image description Yes
-g, --group Image group. Valid values: PUBLIC, ENTERPRISE Yes
-v, --virt-profile Name of zone virtual profile to associate the image with Yes
-u, --username Default SSH user Yes
Command Example:
aws add_image -i W2012R2Std -a ami-******* -d 'Windows Server 2012 R2 Standard Edition' -z zone -g PUBLIC -v profile -u user
• Setting Cost Center for AWS Zone
For the correct billing of the Cloud services for the projects used in the AWS zone, a cost center has to be
assigned to it. To assign a cost center to a new AWS zone, use the following command:
billing set_cost_center [arguments]
The ‘billing set_cost_center’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Name of zone Yes
-c, --cost-center-name Name of the cost center to be assigned to the zone Yes
Command Example:
billing set_cost_center -z zone -c cost_center
6.1.2 Project Activation in AWS
In AWS, each project is activated within its LINKED account, one account per project. The Level1.5 Team
always has a pool of unreserved accounts to use for project activation. New accounts are created
manually by the Level1.5 Team, with account creation sometimes taking up to 24 hours. With the
introduction of AWS Organizations, the option of account creation via API has been implemented.
In addition to the LINKED account, project activation requires a PAYING account to enable consolidated
billing of all LINKED accounts.
When accounts have been configured properly, the project can be activated. In AWS, a project can be
activated in a standard way (by the ‘aws activate_project’ Admin Utility command) or automatically. A
project is activated automatically, if any costs exist for the project in a region where the project is not yet
activated. This can happen, for example, when a project creates resources in a non-activated region via
the AWS console.
The aws activate_project command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
-s, --shape Shape name. For several shapes, repeat the parameter Yes
-z, --zone Virtualization zone No
--all All zones (the project will be activated in all existing AWS zones except unreachable ones) No
-f, --fake-project Fake project flag (indicates a fake project, that is, the project not existing in UPSA; used for testing purposes) No
-a, --auto-configuration-disabled Flag disabling auto-configuration for the project No
-c, --account AWS account name No
-n, --subnet-id ID of AWS region subnet in which all resources of the project will be created No
--skip-cloud-trail Flag used to skip CloudTrail activation No
Command Example:
aws activate_project -p project_code -s small -s medium -s large --all
When a project is activated with the ‘aws activate_project’ command, the following actions are
automatically performed on the AWS side:
1. Creation and configuration of the EC2_INSTANCE_ROLE IAM role:
- Creation of the EC2_INSTANCE_ROLE IAM role and configuration of its permissions
- Creation of the Instance Profile
- Association of EC2_INSTANCE_ROLE with Instance Profile
2. SSO configuration:
- Creation of SAML provider for the LINKED account and its upload to AWS
- Creation of roles and their permissions
- Creation of the account alias
3. Creation of a default group for IAM roles and their permissions configuration
4. Security Groups configuration
5. CloudTrail service configuration
Steps 4 and 5 are performed for each zone.
There may be cases when one or several of the project configuration steps are not performed
automatically. In such situations, the necessary actions can be performed manually. The instructions and
related Admin Utility commands are described below.
• EC2 Instance Role Configuration
Applications running on AWS instances make requests to AWS. Such operations require authorization
with access keys transferred to each such instance. This process can be unified by setting IAM roles for
EC2 instances. The flow is as follows:
- Create IAM role
- Assign permissions to the IAM role
- Specify the role during the instance launch
The instance will request temporary access keys and use them for all requests permitted to the
corresponding role. Roles are stored in the AWSRoles collection. The same document also stores the
trusted policies defining that the ec2.amazonaws.com service can use this role and the actions permitted
to the role (AttachVolume, CreateVolume, CreateTags, S3, etc.) Roles are assigned to instances in
Instance Profiles.
If needed, default instance roles can be added to the project with the following command:
aws set_def_role [arguments]
The ‘aws set_def_role’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
Command Example:
aws set_def_role -p project
For more information, see the IAM Roles for Amazon EC2 page in the official AWS documentation.
• SSO Configuration
There are four roles used for SSO. They are stored in the AwsIamEntities collection. A role is selected in
accordance with the user’s project role (see the User Permissions page on Knowledge Base for the full
matrix). The roles include the policies from the AwsIamPolicies.
When a user has to be assigned certain special permissions other than default, use the following
command:
aws sso_add_custom [arguments]
The ‘aws sso_add_custom’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
-e, --email User’s email address Yes
-n, --name AWS IAM role name. Use the ‘aws get_iam_entities’ command with
the -t SSO_ROLE parameter to view the available options Yes
Command Example:
aws sso_add_custom -p project -e [email protected] -n role_name
To remove a certain SSO role, use the following command:
aws sso_del_custom [arguments]
The ‘aws sso_del_custom’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
-e, --email User’s email address Yes
-n, --name AWS IAM role name. Use the ‘aws get_iam_entities’ command with
the -t SSO_ROLE parameter to view the available options Yes
Command Example:
aws sso_del_custom -p project -e [email protected] -n role_name
To configure permissions for a certain user, use the following command:
aws sso_manage_access [arguments]
The ‘aws sso_manage_access’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA No
-e, --email User’s email address Yes
-i, --iam-entity-name AWS IAM default entity name [BasicReadOnly, FullReadOnly, BasicUser,
AdminUser] No
-a, --action Action type. Allowed values: [list, create, delete]. Default: list No
Command Example:
aws sso_manage_access -p project -e [email protected] -i BasicUser -a create
In this case, the user’s permissions are updated by replacing their role with one of the four available roles. If a
user has several roles in several projects, they can choose one of these to authorize in AWS.
• SSO Roles Configuration
For easier use, each AWS account used in EPAM Orchestrator has an alias which is a more human-
friendly string than the AWS account number. For example, account number 9213429384 can have alias
epm-cit2-234. Aliases are unique within the entire AWS. To configure a project AWS account, use the
following command:
aws config_sso [arguments]
The ‘aws config_sso’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA No
--all Applies for all projects No
Command Example:
aws config_sso -p project
To retrieve the list of available SSO roles, use the following command:
aws get_iam_entities [arguments]
The ‘aws get_iam_entities’ command uses the following arguments:
Command Arguments
Argument Description Required
-n, --name AWS IAM entity name. If omitted, all entities with their general info
will be returned No
-t, --type AWS IAM entity type. Allows filtering by type or describing detailed
info by name. Allowed values: SSO_ROLE No
Command Example:
aws get_iam_entities -t SSO_ROLE
• AWS Policy Management
To attach an AWS policy to an SSO role, use the following command:
aws attach_policy [arguments]
The ‘aws attach_policy’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --policy AWS policy name Yes
-n, --name AWS IAM entity name Yes
-t, --type AWS IAM entity type. Allowed values: SSO_ROLE Yes
Command Example:
aws attach_policy -p policy_name -n entity_name -t SSO_ROLE
To detach an AWS policy from an SSO role, use the following command:
aws detach_policy [arguments]
The ‘aws detach_policy’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --policy AWS policy name Yes
-n, --name AWS IAM entity name Yes
-t, --type AWS IAM entity type. Allowed values: SSO_ROLE Yes
Command Example:
aws detach_policy -p policy_name -n entity_name -t SSO_ROLE
To retrieve the list of available policies, use the following command:
aws get_policies [arguments]
The ‘aws get_policies’ command uses the following arguments:
Command Arguments
Argument Description Required
-n, --name AWS policy name. The policy in JSON format will be sent to the
requesting user’s email No
Command Example:
aws get_policies -n policy_name
To add a new policy, use the following command:
aws save_policy [arguments]
The ‘aws save_policy’ command uses the following arguments:
Command Arguments
Argument Description Required
-n, --name AWS policy name Yes
-f, --file Path to the file containing the policy* No
-t, --type Policy type. Allowed values: [INLINE, MANAGED, MANAGED_CUSTOM,
S3] Yes
* Make sure that the file contains placeholders for accounts, bucket names, etc.
For default AWS policies, no file upload is required.
Command Example:
aws save_policy -n policy_name -t INLINE -f path_to_file
• IAM Role Group Configuration
The scope of actions allowed to IAM users can be defined by using IAM user groups. One group is
created for each AWS account. The group contains the permissions described in the
“orchestrator-default-admin-group” document in the AWSRoles collection. All IAM users are included in this group.
If necessary, a group policy can be uploaded using the following command:
aws up_group_policy [arguments]
The ‘aws up_group_policy’ command uses the following arguments:
Command Arguments
Argument Description Required
-n, --name AWS group name No
-a, --account AWS account for which the policy is to be uploaded. If omitted, the policy
will be uploaded for all accounts No
Command Example:
aws up_group_policy -n policy_name -a aws_account
To update an existing group, use the following command:
aws config_group [arguments]
The ‘aws config_group’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA No
-s, --scope Scope. Allowed values: [DEFAULT, PROJECT]. Default value: DEFAULT No
-n, --name Group name Yes
-l, --location Group policy location No
Command Example:
aws config_group -p project -n group_name
• Security Groups Configuration
Security groups are stored in the OrchestrationSettings collection. This collection contains 5 security
groups. One of the security groups, default, is not used in AWS configuration.
To configure security groups for AWS, use the following command:
aws_security set_def_groups [arguments]
The ‘aws_security set_def_groups’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA No
-z, --zone Virtualization zone No
--all-zones Applicable for all group activated for the project Yes
--all-projects Applicable for all projects in all zones No
-v, --vpc-id VPC ID. If omitted, the default VPC will be used No
Command Example:
aws_security set_def_groups -p project -n group_name
To update the default security groups in the database, use the following command:
security update_def_group [arguments]
The ‘security update_def_group’ command uses the following arguments:
Command Arguments
Argument Description Required
-g, --security-group-name Security group name Yes
-i, --ip-range IPv4 CIDR range to add a new rule to the specified security
group. For example: 74.11.192.96/27 Yes
-r, --remove Flag used to remove an item instead of adding No
Command Example:
security update_def_group -g group_name -i 74.11.192.96/27
Security groups are updated in the database and then applied to AWS. When an update operation is
repeated, the existing groups and the correct rules are not deleted but are matched to the groups in the
OrchestrationSettings collection. This is done to prevent incorrect configuration of resources using such
groups.
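The update-and-match behaviour described above for ‘security update_def_group’, sketched as an added example (not Orchestrator code). The group names, every sample range other than 74.11.192.96/27, the /8 breadth limit and the treatment of unmatched rules as revocation candidates are assumptions made for illustration.

```python
import ipaddress


def parse_ip_range(value, min_prefix=8):
    """Validate an -i/--ip-range value and return it in canonical CIDR form.

    min_prefix is an assumed local policy: anything broader (0.0.0.0/0, a /4)
    is refused instead of being written into a default group.
    """
    net = ipaddress.ip_network(value, strict=True)  # ValueError if host bits are set
    if net.version != 4:
        raise ValueError(f"{value}: only IPv4 CIDR ranges are accepted")
    if net.prefixlen < min_prefix:
        raise ValueError(f"{value}: broader than /{min_prefix}")
    return str(net)


def is_acceptable_range(value):
    """Boolean form of parse_ip_range, convenient for pre-flight checks."""
    try:
        parse_ip_range(value)
    except ValueError:
        return False
    return True


def update_def_group(stored, group, ip_range, remove=False):
    """Apply one update (add, or remove with the -r flag) to the stored rule sets.

    Returns a new mapping; the stored definition passed in is left untouched.
    """
    if group not in stored:
        raise KeyError(f"unknown security group: {group}")
    cidr = parse_ip_range(ip_range)
    updated = {name: set(rules) for name, rules in stored.items()}
    if remove:
        updated[group].discard(cidr)
    else:
        updated[group].add(cidr)
    return updated


def reconcile(stored, applied):
    """Match the rules applied in AWS against the stored definition.

    Rules present on both sides are kept as they are, so repeating an update
    never deletes and recreates a group that resources are attached to.
    Only the difference is scheduled: missing rules are added, and rules that
    exist in AWS but not in the stored definition are listed for revocation.
    """
    plan = {}
    for group, wanted in stored.items():
        current = {
            str(ipaddress.ip_network(cidr, strict=False))
            for cidr in applied.get(group, ())
        }
        wanted = set(wanted)
        plan[group] = {
            "keep": sorted(wanted & current),
            "add": sorted(wanted - current),
            "revoke": sorted(current - wanted),
        }
    return plan


# Constructed sample data (documentation address ranges, made-up group names).
STORED = {"office-access": {"198.51.100.0/24"}, "vpn-access": {"203.0.113.0/28"}}
APPLIED = {"office-access": ["198.51.100.0/24", "192.0.2.0/24"], "vpn-access": []}

if __name__ == "__main__":
    new_stored = update_def_group(STORED, "office-access", "74.11.192.96/27")
    for name, actions in reconcile(new_stored, APPLIED).items():
        print(name, actions)
```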
• Security Groups Backup
Security groups are backed up by schedule or manually using the following command:
aws_security save_groups [arguments]
The ‘aws_security save_groups’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
-l, --label Restore groups by label No
Command Example:
aws_security save_groups -p project
Also, backups are created automatically during security groups update.
To restore the security groups from backup, use the following command:
aws_security restore_groups [arguments]
The ‘aws_security restore_groups’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
-i, --backup-id Backup ID to restore from No
-d, --date Date to restore from in the yyyy-MM-dd'T'HH format (UTC) No
-l, --label Restore groups by label No
-z, --zone Virtualization zone No
Command Example:
aws_security restore_groups -p project -i backup_id
To view the existing backups for a project, use the following command:
aws_security describe_backups [arguments]
The ‘aws_security describe_backups’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
Command Example:
aws_security describe_backups -p project
• CloudTrail Service Activation
For each project, the CloudTrail service must be activated and configured in all zones. CloudTrail should
be configured to direct all logs to the S3 bucket of the root account (currently, the PAYING epmc-clo
account). For that purpose, the permissions for the new account are added to the policy of the parent
PAYING account’s S3 bucket. Afterwards, the child account can store logs in the parent account bucket.
If the CloudTrail service is not activated for a project, activate it using the following command:
aws activ_cloudtrail [arguments]
The aws activ_cloudtrail command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
-z, --zone Virtualization zone Yes
-b, --bucket-name S3 bucket name No
-l, --log-file-prefix Log file prefix No
Command Example:
aws activ_cloudtrail -p project -z zone -b bucket_name
To view the CloudTrail configuration for a project, use the following command:
aws get_cloudtrail [arguments]
The aws get_cloudtrail command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
-z, --zone Virtualization zone No
Command Example:
aws get_cloudtrail -p project -z zone
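The bucket-policy step described above for CloudTrail (adding a new account's permissions to the PAYING account's S3 bucket policy), as an added example that is not Orchestrator code. The bucket name and account IDs are constructed, and the statement layout follows the standard AWS CloudTrail bucket policy rather than anything shown in this guide.

```python
import copy
import re

CLOUDTRAIL = {"Service": "cloudtrail.amazonaws.com"}
OWNER_ACL = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
WRITE_ACTIONS = {"s3:PutObject", "s3:Put*", "s3:*", "*"}
BUCKET = "example-trail-logs"  # constructed bucket name


def log_arn(bucket, account_id, prefix=""):
    """ARN pattern under which CloudTrail in one account delivers its logs."""
    if not re.fullmatch(r"[0-9]{12}", account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    prefix = prefix.strip("/")
    key = f"{prefix}/AWSLogs" if prefix else "AWSLogs"
    return f"arn:aws:s3:::{bucket}/{key}/{account_id}/*"


def new_policy(bucket, account_id, prefix=""):
    """Bucket policy that lets CloudTrail write logs for a single account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck",
                "Effect": "Allow",
                "Principal": copy.deepcopy(CLOUDTRAIL),
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AWSCloudTrailWrite",
                "Effect": "Allow",
                "Principal": copy.deepcopy(CLOUDTRAIL),
                "Action": "s3:PutObject",
                "Resource": [log_arn(bucket, account_id, prefix)],
                "Condition": copy.deepcopy(OWNER_ACL),
            },
        ],
    }


def add_account(policy, bucket, account_id, prefix=""):
    """Return a copy of the policy that also covers one more child account.

    Idempotent: adding an account that is already present changes nothing.
    """
    arn = log_arn(bucket, account_id, prefix)
    updated = copy.deepcopy(policy)
    write = next(s for s in updated["Statement"] if s.get("Sid") == "AWSCloudTrailWrite")
    resources = write["Resource"]
    if isinstance(resources, str):
        resources = [resources]
    write["Resource"] = sorted(set(resources) | {arn})
    return updated


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit(policy, bucket):
    """List the ways a write statement is wider than CloudTrail delivery needs."""
    scoped = re.compile(
        rf"arn:aws:s3:::{re.escape(bucket)}/(?:[^*?]+/)?AWSLogs/[0-9]{{12}}/\*"
    )
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not WRITE_ACTIONS & set(as_list(stmt["Action"])):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Principal") != CLOUDTRAIL:
            findings.append(f"{sid}: principal is not limited to the CloudTrail service")
        if stmt.get("Condition") != OWNER_ACL:
            findings.append(f"{sid}: bucket-owner-full-control condition is missing")
        for res in as_list(stmt["Resource"]):
            if not scoped.fullmatch(res):
                findings.append(f"{sid}: resource not scoped to one account's AWSLogs: {res}")
    return findings


if __name__ == "__main__":
    policy = new_policy(BUCKET, "111111111111")          # constructed account IDs
    policy = add_account(policy, BUCKET, "222222222222")
    print(policy["Statement"][1]["Resource"])
    print(audit(policy, BUCKET))
```

Running audit() on the live bucket policy before and after each project activation shows whether the change added exactly one account-scoped resource and nothing broader.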
6.1.3 Access to AWS
There are three methods of getting access to AWS:
- Via AWS SSO. In this case, the user is assigned one of the four roles stored in the
AwsIamEntities collection
- Using the or2awsmc Maestro CLI command. In this case, the user is assigned the
permissions of the FEDERATED_USER_ROLE stored in the AWSRoles collection. If the
user is a member of the EPM-CSUP project, such user is by default assigned administrator
permissions according to the CLOUD_SUPPORT_ROLE stored in the AWSRoles collection.
If the user belongs to the ALL_OPERATIONS user group in EPAM Orchestrator, such user
can access the AWS console under any project.
- Through the IAM user. In this case, the user is subject to the restrictions of the default group
for IAM users GROUP_ROLE stored in the AWSRoles collection.
6.1.4 AWS Organizations
AWS Organizations supports management of multiple AWS accounts on the basis of policies. The AWS
Organizations service allows creating Organization Units and assigning certain policies to them. AWS
Organizations offers the following features:
- Automatic account creation. If new accounts are included in the existing Organization Units,
their policies will be automatically applied to the new accounts
- Accounts can be joined into Organization Units on the billable/non-billable principle which
allows monitoring costs
- Reserved Instances can be bought for certain Organization Units, thus reducing the internal
project costs
For more details on AWS Organizations, see the What is AWS Organizations? page in the AWS
documentation.
6.1.5 Reserved Instances
Reserved instances allow significantly reducing the infrastructure costs. They are reserved at fixed prices
for a period of one year or more. A reserved instance is assigned to a random VM of the specified type
within an organization. When the VM is stopped, the reserved instance is transferred to another VM of the
same type.
The following actions are supported for reserved instances:
- An instance reserved for a region can be modified to be reserved for an availability zone, and
vice versa
- A reserved instance size can be changed (for Linux instances only). For example, one
c2.micro instance can be replaced with two c2.nano instances.
• Displaying Reserved Instances
To view the list of reserved instances, use the following command:
aws_ri describe [arguments]
The ‘aws_ri describe’ command uses the following arguments:
Command Arguments
Argument Description Required
-f, --force-update Update info from Amazon before retrieving the data. May take a long
time! No
--target Parameter defining where the output is to be displayed. Allowed
values: [ssh_console, file, email]. Default: ssh_console No
The command returns the list of all available reserved instances:
• Modifying Reserved Instances
To modify reserved instances, use the following command:
aws_ri modify [arguments]
The ‘aws_ri modify’ command uses the following arguments:
Command Arguments
Argument Description Required
-i, --ri-id ID of the reserved instance Yes
-c, --target-configuration Target reserved instance configuration consisting of the
availability zone name, instance shape and count. Input format: az:shape:count. For
example: us-west-2a:t2.micro:4. To apply reserved instances at the REGION level, use
‘all’ for availability zone. To set several configurations, repeat the parameter Yes
-z, --zone Virtualization zone Yes
Command Example:
aws_ri modify -i 3e26582b-4713-4c0c-983e-9a8f07fdad59 -c all:m4.xlarge:6 -c all:m4.large:2 -z AWS-EUCENTRAL
This command changes 7 m4.xlarge reserved instances from the screenshot above to 6 m4.xlarge and 2
m4.large instances.
For more information on reserved instances modification, see the Modifying Standard Reserved
Instances page in the AWS documentation.
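A pre-flight check for the -c values passed to ‘aws_ri modify’, as an added example that is not part of the Admin Utility: it parses the az:shape:count format and verifies that the targets keep the same instance family and total size footprint as the reservation being modified. The size normalization factors come from the AWS Reserved Instances documentation, not from this guide; the function names are hypothetical.

```python
import re
from fractions import Fraction

# Size normalization factors as published by AWS (units per instance).
# Sizes of the form Nxlarge count as 8 * N units.
BASE_UNITS = {
    "nano": Fraction(1, 4),
    "micro": Fraction(1, 2),
    "small": Fraction(1),
    "medium": Fraction(2),
    "large": Fraction(4),
    "xlarge": Fraction(8),
}


def size_units(size):
    """Normalized footprint of one instance of the given size."""
    if size in BASE_UNITS:
        return BASE_UNITS[size]
    match = re.fullmatch(r"([1-9][0-9]*)xlarge", size)
    if match:
        return Fraction(8 * int(match.group(1)))
    raise ValueError(f"unknown instance size: {size!r}")


def parse_target(value):
    """Split one -c value of the form az:shape:count ('all' means REGION level)."""
    parts = value.split(":")
    if len(parts) != 3:
        raise ValueError(f"{value!r}: expected az:shape:count")
    az, shape, count = parts
    family, dot, size = shape.partition(".")
    if not (az and family and dot and size):
        raise ValueError(f"{value!r}: expected az:shape:count")
    if not re.fullmatch(r"[1-9][0-9]*", count):
        raise ValueError(f"{value!r}: count must be a positive integer")
    return {
        "az": None if az == "all" else az,
        "family": family,
        "size": size,
        "count": int(count),
    }


def check_modification(current_shape, current_count, target_values):
    """Return the parsed targets, or raise ValueError if they cannot replace
    current_count reserved instances of current_shape."""
    family, _, size = current_shape.partition(".")
    have = size_units(size) * current_count
    targets = [parse_target(value) for value in target_values]
    for target in targets:
        if target["family"] != family:
            raise ValueError(f"family {target['family']} differs from {family}")
    want = sum(size_units(t["size"]) * t["count"] for t in targets)
    if want != have:
        raise ValueError(f"footprint mismatch: current {have} units, target {want} units")
    return targets


def is_valid_modification(current_shape, current_count, target_values):
    """Boolean form of check_modification."""
    try:
        check_modification(current_shape, current_count, target_values)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The guide's own example: 7 m4.xlarge -> 6 m4.xlarge + 2 m4.large (56 units each side).
    print(check_modification("m4.xlarge", 7, ["all:m4.xlarge:6", "all:m4.large:2"]))
```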
• Displaying Reserved Instance Offerings
To view the list of reserved instances available for purchase, use the following command:
aws_ri list_offerings [arguments]
The ‘aws_ri list_offerings’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
-z, --zone Virtualization zone Yes
-t, --instance-type AWS instance type Yes
-o, --os Operating system. Allowed values: [linux, windows] Yes
-s, --scope Scope. Allowed values: [az, region] Yes
--all Add marketplace reserved instances to the result No
Command Example:
aws_ri list_offerings -p project -z zone -t m4.xlarge -o linux -s region
The command output may contain reserved instances offered for sale by other users. Such instances can
be purchased for less than one year.
• Purchasing Reserved Instances
To buy reserved instances from the list returned by the ‘aws_ri list_offerings’ command, use the following
command:
aws_ri buy [arguments]
The ‘aws_ri buy’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
-z, --zone Virtualization zone Yes
-i, --offering-id Offering ID. Use the output of the ‘aws_ri list_offerings’ command for
possible options Yes
-c, --count Instance count Yes
Command Example:
aws_ri buy -p project -z zone -i offering_id -c 5
6.2 MICROSOFT AZURE – ADMINISTRATION CASES
6.2.1 Azure Zone Creation
The typical Azure zone creation flow is as follows:
1. Setup Azure Enrollment (azure add_enrollment): --enrollment-number, --azure-image-name, --bill-from, --tenant, --client-id, --client-key
2. Create a New Zone (azure add_zone): --zone, --location, --assign, [--disable-billing-mix-mode]
3. Set Cost Center (billing cost_center): --zone, --cost-center-name
4. Add Machine Images (azure add_image): --zone, --image-id, --azure-image-name, --description, --group, --os-type, --size, --username
Figure 7 - Azure zone creation flow
Each step is described in detail below.
• Azure Enrolment Setup
Microsoft Azure provides its Cloud services on the basis of commitment under the Enterprise Agreement,
the so-called enrolment. In order to create a zone in Azure and activate projects within such zone, the
Azure enrolment details should be specified.
To add the Azure enrolment, use the following command:
azure add_enrolment [arguments]
The ‘azure add_enrolment’ command uses the following arguments:
Command Arguments
Argument Description Required
-e, --enrolment-number Enrolment ID Yes
-a, --azure-image-name Usage API access key received from the Enterprise
Administrator Yes
-b, --bill-from The date to start billing from in yyyy-MM-dd'T'HH format Yes
-t, --tenant Tenant ID Yes
-i, --client-id Client ID Yes
-k, --client-key Client key Yes
Command Example:
azure add_enrolment -e enrolment_number -a API_key -b 2016-04-01T00 -t
tenant_id -i client_id -k client_key
• Zone Creation
To create a new Azure zone, use the following command:
azure add_zone [arguments]
The ‘azure add_zone’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Name of the virtualization zone to be created. The zone
name should contain the ‘AZURE’ pattern Yes
-l, --location Azure location Yes
--assign Assigns zone to the currently active node No
--disable-billing-mix-mode Defines whether the zone supports billing mode. If disabled, the
Billing Engine shows costs based on EO audit only, otherwise EO audit will be integrated
(mixed) with costs received from the cloud provider (e.g. in a form of CSV reports) No
Command Example:
azure add_zone --assign -l "North Europe" -z AZURE-NEU
• Setting Cost Center for Azure Zone
For the correct billing of the Cloud services for the projects used in the Azure zone, a cost center has to
be assigned to it. To assign a cost center to a new Azure zone, use the following command:
billing set_cost_center [arguments]
The ‘billing set_cost_center’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Name of zone Yes
-c, --cost-center-name Name of the cost center to be assigned to the zone Yes
Command Example:
billing set_cost_center -z zone -c cost_center
• Adding Machine Images to Azure Zone
To add machine images which will be available in the Azure zone, use the following command:
azure add_image [arguments]
The ‘azure add_image’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Name of virtualization zone to which the image is to be added Yes
-i, --image-id Image id (e.g. Ubuntu10.04_32-bit) Yes
-a, --azure-image-name Azure image name
(e.g. 0c0083a6d9a24f2d91800e52cad83950__Zulu-1.7.0_55-0714-Win-GA) Yes
-d, --description VM image description Yes
-g, --group Image group. Valid values: PUBLIC, ENTERPRISE Yes
-o, --os-type Type of operating system. Valid values: WINDOWS, LINUX Yes
-s, --size Machine image size in GB Yes
-u, --username Default SSH user Yes
Command Example:
azure add_image -i OracleLinux7_64-bit -a
c290a6b031d841e09f2da759bbabe71f__Oracle-Linux-7 -d 'Oracle Linux 7 64-bit'
-z zone -g PUBLIC -o LINUX -s 1 -u user
6.2.2 Activating a Project in Microsoft Azure
To activate a project in Azure, you need only the commands belonging to the azure group. The diagram
below shows the typical flow for this case:
1. Activate Project (azure activate_project): --project, --shape, [--zone], [--all], [--fake-project], [--auto-configuration-disabled], [--subscription-name]
2. Configure Network (azure config_network): --project, [--zone]
3. Check Configuration (azure get_net_config): --project
Each step is described in detail below.
• Project Activation
To activate a project in Microsoft Azure, use the following command:
azure activate_project [arguments]
The azure activate_project command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project PMC code Yes
-s, --shape Shape name. For several shapes, repeat the parameter Yes
-z, --zone Virtualization zone No
--all All zones (the project will be activated in all existing
Azure zones) No
-f, --fake-project Fake project flag (indicates a fake project, that is, the
project not existing in UPSA; used for testing purposes) No
-a, --auto-configuration-disabled Flag disabling auto-configuration for the project No
-u, --subscription-name Azure subscription name No
Command example:
azure activate_project -p project_code -s MICRO -s SMALL -s LARGE --all
• Network Configuration
When a project is activated, a network security group has to be configured for each zone in which the
project is activated. The network security groups define the rules allowing or denying access to instances in
the virtual network.
To configure the network security groups for the project, use the following command:
azure config_network [arguments]
The azure config_network command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
-z, --zone Virtualization zone. When no zones are specified, the network security groups
will be configured for all zones in which the project has been activated. No
The ‘azure config_network’ command will create virtual networks and network security groups for all
zones in which the project is activated and set the rules for them.
Figure 8 – Network configuration
• Configuration Check
To check the Azure network configuration of the project, use the following command:
azure get_net_config -p project_code
The command returns the list of zones configured for the project and their status:
Figure 9 – Configuration of Azure zones
6.3 CSA – ADMINISTRATION CASES
6.3.1 CSA Zone Creation
A CSA virtualization zone is served by the CSA Portal and has to be configured with the CSA settings
applicable to such CSA portal.
The typical CSA zone creation flow is as follows:
1. Create a New Zone (csa add_zone): --region, --zone, --csa-user, --url, --csp-user, --organization, --catalog, [--location], [--hardware]
2. Assign Orchestration Instance (orch assign): --orch-id, --zone, [--unassign], [--billing], [--active]
3. Set Cost Center (billing set_cost_center): --zone, --cost-center-name
4. Add Shapes (csa add_shape): --zone, --shape, --cpu, --ram
Figure 10 - CSA zone creation flow
Each step is described in detail below.
• CSA Zone Creation
To create a new CSA Orchestration zone, use the following command:
csa add_zone [arguments]
The ‘csa add_zone’ command uses the following arguments:
Command Arguments
Argument Description Required
-r, --region Virtualization region in which the new zone is to be created Yes
-z, --zone Name of the virtualization zone to be created Yes
-c, --csa-user Name of the user to access the CSA portal Yes
-u, --url URL to the CSA portal which will manage this region Yes
-s, --csp-user Name of the CSP (Cloud Subscription Portal) user Yes
-o, --organization Name of the CSA Organization for this region Yes
-a, --catalog Name of the CSA Catalog for this region Yes
-l, --location Physical location of the new zone No
--hardware Flag setting the region as hardware No
The ‘csa add_zone’ command requires a password for execution. After the command is sent, the system
prompts for the password. Therefore, this command cannot be sent in the ‘quiet’ mode.
Command Example:
csa add_zone -z zone -r region -u csa_url -c csa_user -a catalog
-o organization -s csp_user
• Orchestration Instance Assignment to CSA Zone
When a new zone has been created, it has to be associated with an Orchestration instance for correct
integration in the EPAM Orchestrator and proper service of the resources hosted in such zone.
To assign an Orchestration instance to the newly-created zone, use the following command:
orch assign [arguments]
The ‘orch assign’ command uses the following arguments:
Command Arguments
Argument Description Required
-o, --orch-id Orchestrator instance ID Yes
-z, --zone Name of zone Yes
-u, --unassign Flag used to unassign a previously assigned zone No
-b, --billing Flag used to set the Orchestrator instance responsible for the zone
billing No
-a, --active Flag used to set the Orchestrator instance as active No
Command Example:
orch assign -z zone -o instance_id -a
• Setting Cost Center for CSA Zone
For the correct billing of the Cloud services for the projects used in the CSA zone, a cost center has to be
assigned to it. To assign a cost center to a new CSA Orchestration zone, use the following command:
billing set_cost_center [arguments]
The ‘billing set_cost_center’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Name of zone Yes
-c, --cost-center-name Name of the cost center to be assigned to the zone Yes
Command Example:
billing set_cost_center -z zone -c cost_center
• Adding Shapes to CSA Zone
A new zone is created with no VM shapes available in it. For the projects to be activated in a zone,
shapes have to be added. Once shapes are added and configured, projects can be activated only with
the shapes available in the zone. If a project requires a shape not available in the zone, the shape has to
be added to the zone first.
To add a shape to a CSA zone, use the following command:
csa add_shape [arguments]
The ‘csa add_shape’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Name of virtualization zone to which the shape is to be added Yes
-s, --shape CSA shape name Yes
-c, --cpu Number of CSA CPUs available in the shape Yes
-r, --ram Volume of CSA RAM available in the shape Yes
Command Example:
csa add_shape -z zone -s small -c 1 -r 1740
To add a shape to a particular project, use the ‘or2-set-shapes’ Maestro CLI command.
6.3.1 Activating a Project in CSA
In CSA, projects are activated using just one Admin Utility command:
csa activate_project [arguments]
The ‘csa activate_project’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
-s, --shape Shape name. For several shapes, repeat the parameter Yes
-z, --zone Virtualization zone Yes
-f, --fake-project Fake project flag (indicates a fake project, that is, the
project not existing in UPSA; used for testing purposes) No
-a, --auto-configuration-disabled Flag disabling auto-configuration for the project No
Command Example:
csa activate_project -p project_code -s small -s medium -s large -z zone
6.3.2 Reimporting Instances to CSA
If CSA offerings have changed, instances have to be reimported to CSA, so that the offerings are properly
updated and the updated data is applied. In such case, CSA subscriptions of instances are deleted and
then restored again. After synchronization, the subscription data is updated.
The flow of instance reimporting is as follows:
1. Delete CSA Subscription (csa del_subscript): --zone, --instance
2. Restore Instance to CSA (csa restore_to_csa): --zone, --instance
3. Synchronize Subscriptions (csa sync_from_csa): --zone, --instance
Each step is described in detail below.
• CSA Subscription Deletion
To delete the existing CSA subscriptions from instances in a certain zone, use the following command:
csa del_subscript [arguments]
The ‘csa del_subscript’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Virtualization zone Yes
-i, --instance Instance ID(s) Yes
Command Example:
csa del_subscript -z zone -i instance
• Instance Restoring to CSA
When the CSA subscriptions have been deleted, the instances have to be restored to CSA again for the
updated subscriptions to apply. To restore instances to CSA, use the following command:
csa restore_to_csa [arguments]
The ‘csa restore_to_csa’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Virtualization zone Yes
-i, --instance Instance ID(s) Yes
Command Example:
csa restore_to_csa -z zone -i instance
• Subscription Synchronization
After the subscriptions have been restored, their fields have to be synchronized between CSA and EPAM
Orchestrator.
Before proceeding with synchronization, check that the updated subscriptions are active.
To synchronize CSA subscription fields, use the following command:
csa sync_from_csa [arguments]
The ‘csa sync_from_csa’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Virtualization zone Yes
-i, --instance Instance ID(s) Yes
Command Example:
csa sync_from_csa -z zone -i instance
6.4 GOOGLE CLOUD PLATFORM – ADMINISTRATION CASES
This section describes the flows used to configure infrastructure in the Google Cloud Platform and access to it.
6.4.1 Google Account Configuration
Google Cloud Platform is available for all users with Google accounts. To provide access to Google
Cloud Platform, use the API Manager to allow access from your Google account.
When the access has been granted, create your first project on the Google console. This project will
be the base project for all subsequent ones and the billing account, the API access permissions and IAM
user administration will be associated with this project.
For your base project, different credentials (OAuth 2.0 Client IDs of the Other type) need to be
created for two Google account entities in the database (see below). Before generating the credentials,
create the OAuth Consent Screen (fill in only the required fields).
For the base project, activate the following APIs required for Orchestrator operation using the API
Manager on the Google console:
➢ Google Cloud Billing API
➢ Admin SDK
➢ Google Compute Engine API
➢ Google Cloud Resource Manager API
6.4.2 Google Account Entity in Orchestrator Database
To enable working with Google Cloud Platform, two account entities should be generated – for using
the Compute API and for using the Admin Directory API (IAM user administration). Such organization
allows separating the account management depending on the operation type. Each entity requires a
separate set of credentials to be created in the base project on the Google console.
Important: do not create credentials for other projects in the account, as this will block the Orchestrator
from performing Google API requests under the project.
To create a Google account entity in the Orchestrator database use the following command:
google setup_account [arguments]
The ‘google setup_account’ command uses the following arguments:
Command Arguments
Argument Description Required
-u, --username Account username ([email protected]) Yes
-i, --client-id Client ID* Yes
-p, --purpose Purpose of the account. Allowed values: COMPUTE, ADMIN_DIRECTORY Yes
-a, --admin-project-id Admin project ID. Required for COMPUTE accounts No
-b, --billing-account-id Billing project ID. Required for COMPUTE accounts No
-d, --billing-dataset-name BigQuery billing dataset name No
*For the -i (--client-id) parameter value, use the value from the credentials earlier generated in the base
account.
Command Example:
google setup_account -u username -i client_id -p ADMIN_DIRECTORY
Figure 11 - Google account setup
The command is executed with simultaneous interactive operations in the browser. Enter the
clientSecret from the generated credentials into the API Manager of the base project, then, after the
clientSecret has been successfully validated, the Admin Utility console will display a link. Paste the link
into your browser and copy the token which will be displayed. Paste the token into your Admin Utility
console.
After the account creation, run the mongo refresh_config command in the DB utility, otherwise
Orchestrator may work incorrectly.
How Google API authorization works:
- Authorization is performed by the accessToken issued by Google and valid for 1 hour
- The Orchestrator performs authorization by processing the 401 response code received for its
request to the Google API
- When the 401 code is received, the Orchestrator sends a request for a token using the
refreshToken and clientId. Note that there is a limit of 600 accessTokens to be used
simultaneously in Google.
- refreshToken, clientId and accessToken are stored in the same document in the
GoogleAccounts collection in the database (see
https://developers.google.com/identity/protocols/OAuth2 for details).
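The refresh-on-401 flow from the list above, as an added example that is not Orchestrator code. `GoogleAccountDoc`, `FakeGoogle` and `RefreshingClient` are hypothetical names, and the token endpoint and API are constructed in-process stand-ins so the example runs offline; only the clientId and refreshToken named above are sent in the refresh request.

```python
from dataclasses import dataclass, field


class RefreshError(Exception):
    """The token endpoint rejected the refresh request (for example, a revoked refreshToken)."""


@dataclass
class GoogleAccountDoc:
    # Hypothetical layout of one GoogleAccounts document; the page only says
    # that clientId, refreshToken and accessToken are stored together.
    client_id: str
    refresh_token: str = field(repr=False)             # keep secrets out of repr() and logs
    access_token: str = field(default="", repr=False)


class FakeGoogle:
    """Constructed in-process stand-in for the token endpoint and one API call."""
    TTL = 3600  # accessToken lifetime: 1 hour

    def __init__(self, client_id, refresh_token):
        self._client_id = client_id
        self._refresh_token = refresh_token
        self._expiry = {}        # accessToken -> expiry time in seconds
        self.now = 0             # simulated clock
        self.refresh_calls = 0   # number of token requests received

    def token_endpoint(self, client_id, refresh_token):
        self.refresh_calls += 1
        if (client_id, refresh_token) != (self._client_id, self._refresh_token):
            return 400, {"error": "invalid_grant"}
        token = f"at-{len(self._expiry) + 1}"
        self._expiry[token] = self.now + self.TTL
        return 200, {"access_token": token, "expires_in": self.TTL}

    def api(self, access_token):
        # Unknown or expired tokens get 401, which is the client's only refresh signal.
        if self._expiry.get(access_token, 0) <= self.now:
            return 401, {"error": "unauthorized"}
        return 200, {"zones": ["us-central1-a"]}


class RefreshingClient:
    """Calls the API and refreshes the accessToken only when a 401 comes back."""

    def __init__(self, account, google):
        self.account = account
        self.google = google

    def _refresh(self):
        status, body = self.google.token_endpoint(
            self.account.client_id, self.account.refresh_token)
        if status != 200:
            # Do not retry blindly: a rejected refreshToken needs re-authorization.
            raise RefreshError(body.get("error", "refresh_failed"))
        self.account.access_token = body["access_token"]

    def call(self):
        status, body = self.google.api(self.account.access_token)
        if status == 401:
            self._refresh()  # exactly one refresh per failed request, never a loop
            status, body = self.google.api(self.account.access_token)
        return status, body


if __name__ == "__main__":
    google = FakeGoogle("client-id-constructed", "refresh-token-constructed")
    account = GoogleAccountDoc("client-id-constructed", "refresh-token-constructed")
    client = RefreshingClient(account, google)
    print(client.call(), google.refresh_calls)   # first call: 401, refresh, retry
    print(client.call(), google.refresh_calls)   # token reused, no new refresh
    google.now += FakeGoogle.TTL                 # one hour later the token has expired
    print(client.call(), google.refresh_calls, account)
```

Requesting a token only after a 401 keeps the number of live accessTokens per account low, which is what the 600-token limit above calls for.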
6.4.3 Adding Google Zones
Google Cloud, unlike AWS, is project-centered, which affects how Orchestrator organizes and processes
Google projects and zones.
The zone configuration flow is as follows:
1. View zones: google list_zones
2. Add zone: google add_zone --region --zone --account-id --google-zone-name --location --disable-billing-mix-mode --aws-nearest-zone
3. Edit zone: google edit_zone --zone --aws-nearest-zone
Each step is described in detail below.
• Retrieving Google Zones
Before integrating Google zones into Orchestrator, run the following command to see the list of zones
available via the Google console:
google list_zones
The ‘google list_zones’ command uses no arguments.
If a zone has already been added to Orchestrator, it will show its name from the Orchestrator
database in the ‘name’ field. For zones not yet added to Orchestrator, the ‘name’ field will show
“untracked”.
• Adding Google Zones
Run the following command to add the zone:
google add_zone [arguments]
The ‘google add_zone’ command uses the following arguments:
Command Arguments
Argument Description Required
-r, --region Virtualization region* Yes
-z, --zone Virtualization zone** Yes
-a, --account-id Google account ID. Format example: account-91b5e7ec Yes
-Z, --google-zone-name Google zone name. Format example: us-central1-a. For the complete list of zones, visit the Regions and Zones page Yes
-l, --location Location (for example, North Europe) No
--disable-billing-mix-mode The flag defining whether the zone supports billing mode No
-A, --aws-nearest-zone AWS nearest zone (required for autoconfiguration)*** No
* The region must be added manually, as there is no Admin Utility command for that purpose. The region
is to be added once before adding the first Google zone, and afterwards the EPAM-GOOGLE region will
appear in the Orchestrator’s Regions collection in the database.
** The zone name to be used in Orchestrator
*** The nearest AWS zone is specified for the autoconfiguration data to be retrieved from the AWS S3
bucket in the zone nearest to the Google zone
Command Example:
google add_zone -r EPAM-GOOGLE -z zone_name -a google_account -Z us-central1-a
• Editing Google Zones
If you need to change or delete the AWS zone associated with the Google zone, use the ‘google
edit_zone’ command:
google edit_zone [arguments]
The ‘google edit_zone’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Virtualization zone Yes
-a, --aws-nearest-zone AWS nearest zone (required for autoconfiguration). Send ‘null’ to remove the value. Yes
Command Example:
google edit_zone -z zone_name -a null
6.4.4 Project Activation in Google Cloud
In Google Cloud, projects are activated by their abbreviations in UPSA. To activate a project, use the
following command:
google activate_project [arguments]
The ‘google activate_project’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
-s, --shape Name of the shape to be activated for the project. For several shapes, repeat the parameter: -s shape1, -s shape2, -s shapeN Yes
-a, --auto-configuration-disabled Flag defining that auto-configuration is disabled or enabled No
-f, --fake-project Fake project No
-e, --existing-project-id Existing Google project ID to use* No
-z, --zone Virtualization zone** No
--all All zones** No
* The ‘existing-project-id’ parameter is used to continue project activation when a project created in the
Google console manually should be associated with the project representation in EPAM Orchestrator and
UPSA
** Send either a specific zone or ‘--all’. If you activate a project with the ‘--all’ flag, it will be activated in all
available Google Cloud zones
Command Example:
google activate_project -p project_id -s small -s mini --all
Figure 12 - Project activation in Google Cloud
The command execution is interactive and requires activation of Google Compute Engine API for the
newly-created project. This is done via the Google console and enables EPAM Orchestrator to send
requests to Google Cloud.
The base project should not be associated with any UPSA project.
If, during project activation, an error message appears saying that billing and the Google Cloud Billing API are not
activated for the base project, make sure you have completed all steps of the base project configuration flow.
During activation, the following configuration actions are performed:
- the project is automatically connected to a Billing account common for the entire Google account
- a common network is created for the project allowing all project instances to access each other
via an internal network
- necessary internal subnets are created (one for each Google availability zone)
- firewall rules for subnet IPs specified in securityGroups in the OrchestrationSettings collection in
the database (orchestrator-default-firewall) are established.
6.4.5 Adding Images in Google Cloud
• Retrieving Google Public Images
In Google Cloud, public images are associated with public projects listed on the Images page. A
separate project corresponds to each OS type. To view the images available for a specific project, use
public project names and run the following Admin Utility command:
google list_images [arguments]
The ‘google list_images’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project-id Google project ID to retrieve images from. For example, centos-cloud or coreos-cloud Yes
-d, --deprecated Flag defining whether deprecated images are to be included No
Command Example:
google list_images -p project_id
• Adding Google Images
To add an image, use the following command:
google add_image [arguments]
The ‘google add_image’ command uses the following arguments:
Command Arguments
Argument Description Required
-i, --image-id Image ID. For example, Ubuntu14.04_64-bit* Yes
-N, --google-image-name Google image name** Yes
-P, --google-project-id Google image project ID** Yes
-d, --description Image description Yes
-t, --os-type Type of the operating system (Windows, Linux) Yes
-z, --zone Virtualization zone Yes
-g, --group Image group (public, enterprise) Yes
-u, --username Default SSH user*** Yes
* Use image name corresponding to the common EPAM Orchestrator image mapping
** Specify Google image name and the ID of the public project from which the image will be retrieved
*** Specify the login under which the instance will be accessed with an SSH key
Command Example:
google add_image -i image_ID -N google_image_name -P google_project_id -d image_description -t os_type -z zone -g group -u username
6.4.6 Custom Image Creation in Google Cloud
Google Cloud creates custom images from system volume snapshots; therefore, storing a machine image
with attached volumes requires a series of actions. Here we recommend creating tasks and subtasks and
using task processing tools.
A task of creating an image from an instance with attached volumes consists of the following subtasks:
- Creation of a system volume snapshot
- Creation of a volume from the snapshot
- Creation of an image from the volume
- Deletion of the created volume
- Creation of snapshots of the attached volumes (can run simultaneously with system volume
operations)
As the result, there is a project Google image and snapshots of the attached volumes.
Resource creation from such image also involves several subtasks:
- Instance run from the custom image
- Creation of volumes from the stored snapshots and their attachment to the launched instance
Such custom images can only be used in EPAM Orchestrator, because if an instance is launched from
the custom image via the Google console, the instance will be started with no non-system volumes
attached. The image size includes not only system volume data but also the data of the attached volume
snapshots.
Note that the snapshots of attached volumes are part of the image, and if any of them is deleted via the
Google console, the snapshot size will be deducted from the image size and the instance launched from
the image will not have the volume corresponding to the deleted snapshot.
Also, in Google Cloud resources belong to a project, therefore, creation of a custom project image causes
duplicates of the Google MachineImage entity for all Google zones in the Orchestrator database (the
MachineImages collection). Similarly, when an image is deleted, duplicates for all Google zones are
deleted as well.
6.4.7 Public and Static IPs
By default, Google Cloud assigns public IPs to instances upon launch; however, these IPs may change
with each start-stop operation. Google documentation refers to them as “ephemeral” external IP
addresses.
For cases when it is important that an instance keeps the same IP address, Google Cloud supports
reserved static IPs.
In EPAM Orchestrator, a static IP is allocated with the following sequence of Maestro CLI commands:
1. Allocation of a static IP to the project and region:
or2alsip -p project -r region
2. Assignment of a static IP to the instance:
or2assip -p project -r region -i instance_id -a ip_address
Static IP assignment is performed as the following series of subtasks:
- Removal of the default public IP from the instance
- Waiting for the default public IP removal to complete
- Assignment of the configuration of public access to the instance with a static IP
- Waiting for the static IP assignment to complete
Due to the complexity of the flow, the command performance may take longer than with other cloud
providers. Also, the probability of failure is higher.
The reverse process of a static IP disassociation is performed with the following Maestro CLI command:
or2dissip -p project -r region -a ip_address
IP disassociation is also a process involving several subtasks:
- Removal of the static IP from the instance
- Waiting for the static IP removal to complete
- Assignment of the configuration of public access to the instance with the default public IP
- Waiting for the default public IP assignment to complete
6.4.8 Volumes in Google Cloud
In Google Cloud, system volumes are created together with the corresponding instances and receive IDs
fully matching those of the instance. At the same time, EPAM Orchestrator will show system volumes with
their own unique IDs. For non-system volumes, the Google console will show names matching such
volume IDs in EPAM Orchestrator.
Attach/detach volume operations are fully supported.
6.4.9 Google IAM Users
EPAM Orchestrator distinguishes two main types of users – temporary users and permanent IAM users.
This system requires certain adaptation for Google Cloud, as Google has no such classification.
• Temporary Users
Temporary access to Google Management Console is granted with the following command:
or2goomc
In this case, temporary access to the Google console is granted via a special user pool
(the GoogleAccountUsers collection in the database); the names of such users always start with
SpecialEPM-CSUP*. When the or2goomc command is sent, EPAM Orchestrator searches for a free
SpecialEPM-CSUP* user in the pool, changes its status to IN_USE and allocates a new password to be
provided to the end user via email.
All temporary access permissions are reset every day at 12:00 a.m.
To add a temporary user to the pool, use the following Admin Utility command:
google add_temp_access_user [arguments]
The ‘google add_temp_access_user’ command uses the following arguments:
Command Arguments
Argument Description Required
-u, --username Email of the Google user Yes
Command Example:
google add_temp_access_user -u user_email
To retrieve the list of all existing temporary users, use the following command:
google list_temp_access_users
The ‘google list_temp_access_users’ command uses no arguments.
• Ordinary IAM Users
The number of IAM users is limited to 100 per project.
To add a Google IAM user, use the following command:
google add_iam_user [arguments]
The ‘google add_iam_user’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
-e, --email User’s email address Yes
-r, --creation-reason Short description of the IAM user creation reason Yes
Command Example:
google add_iam_user -p project_ID -e user_email -r creation_reason
To retrieve the list of all existing ordinary IAM users, use the following command:
google list_iam_users [arguments]
The ‘google list_iam_users’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
Command Example:
google list_iam_users -p project_ID
Additionally, you can use the following Maestro CLI command to view the list of all ordinary IAM users:
or2iam [arguments]
The ‘or2iam’ command uses the following arguments:
Command Arguments
Argument Description Required
-a, --action Action to perform. Allowed values: [describe, delete, setOwner]. Default: describe No
-e, --email Owner’s email for the ‘-a setOwner’ action No
-p, --project Project abbreviation in UPSA Yes
--reason IAM user deletion reason for the ‘-a delete’ action No
-t, --type IAM user type. Allowed values: [aws, google] No
-u, --user-name IAM user name No
Command Example:
or2iam -p project_ID -t google
• System IAM Users
All system IAM users are stored in the GoogleAccounts collection in the Compute account
(systemIamUserName field). The google list_iam_users Admin Utility command retrieves all IAM users,
both ordinary and system, while the or2iam Maestro CLI command lists only ordinary users.
System IAM users are created with the ‘owner’ permissions, while ordinary IAM users and temporary users
have the ‘editor’ permissions, which are narrower than ‘owner’.
To create a system IAM user, use the following command:
google add_account_system_username [arguments]
The ‘google add_account_system_username’ command uses the following arguments:
Command Arguments
Argument Description Required
-u, --username System user name (user’s EPAM email) Yes
Command Example:
google add_account_system_username -u username
All IAM users operations are synchronized with the Google console at 3:15 a.m. UTC.
6.4.10 Other
• Init Scripts
In Google Cloud, the init script runs with each OS start; therefore, for Google Cloud special init scripts
have been created and stored in the OrchestrationSettings collection of the database in the
‘googleLinuxNativeScript’ and ‘googleWindowsNativeScript’ fields.
• Interactive Operations
During interactive operations requiring simultaneous actions in the browser, Admin Utility may sometimes
return invalid hyperlinks, especially, for API activation. We recommend searching for the correct
hyperlinks in the API Manager if the Admin Utility returns an invalid link repeatedly.
6.5 OPENSTACK – ADMINISTRATION CASES
6.5.1 OpenStack Controller Hosts
OpenStack virtualizator is controller-based, with each controller corresponding to an OpenStack zone in
EPAM Orchestrator. The controller by default contains an admin project (tenant) and is intended to create
a network to host all instances launched by the controller (that is, within the corresponding EPAM
Orchestrator zone). The controller also creates admin credentials (login/password) for the Orchestrator to
access OpenStack API.
Direct access to the controller via the native UI, in addition to the login/password combination, may also
require the domain which always has the “default” value.
6.5.2 OpenStack Hosts and Host Aggregates
Each controller has a number of hosts used to allocate resources to launched instances and created
storage volumes. Each host is assigned an availability zone which is used when instances and system or
attached volumes are created on the same host. There may be cases when a volume cannot be attached
to a running instance if the host resources are insufficient. In this case, OpenStack prevents volume
creation (contrary to CSA where the instance can move to a different host together with all related
resources). Hosts may differ not only by capacity but also by the supported storage type (SSD/HDD).
Hosts are joined into aggregates by the supported storage type (SSD support information is included in
the aggregate metadata). Aggregates are used to filter resource creation requests depending on the
storage type. The filter also acts as load balancer distributing the load among the hosts within aggregates
depending on the current utilization rate.
6.5.3 OpenStack Zone Management
The typical OpenStack zone creation flow is as follows:
- Add Zone: open_stack add_zone --zone --auth-url --instance-name-prefix --counter [--assign] --admin-name --admin-tenant --external-gateway
- Assign Orchestration Instance: orch assign --orch-id --zone [--unassign] [--billing] [--active]
- Add Shapes: open_stack add_shape --zone --shape --flavor
- Add Images: open_stack add_image --zone --image-id --open-stack-image-id --description --group --username
- Set Cost Center: billing set_cost_center --zone --cost-center-name
- Enable Notifications: open_stack notific_switcher --zone [--enable] [--disable] [--queues]
- Configure Notifications: open_stack notific_config --zone [--host] [--port] [--vhost] [--mport] [--username] [--reply-timeout] [--shutdown-timeout] [--min-threads] [--max-threads]
- Create Pricing Policy: pricing_policy get, pricing_policy update (flags shown: --file, [--skip-warnings], [--skip-changes], [--target])
Figure 13 - OpenStack zone creation
Each step is described in detail below.
• Zone Creation
An OpenStack zone is the controller’s entity in EPAM Orchestrator storing the controller data used by
EPAM Orchestrator (link to the controller, access information, tenant information).
To create a new OpenStack zone, use the following command:
open_stack add_zone [arguments]
The ‘open_stack add_zone’ command uses the following arguments:
Command Arguments
Argument Description Required
-r, --region Virtualization region Yes
-z, --zone Name of the virtualization zone to be used in EPAM Orchestrator (case-sensitive) Yes
-u, --auth-url OpenStack authentication URL for domain authorization to resources. The authorization server is one of the OpenStack services and can be reached at the [http:<controller_IP>:5000/v1] endpoint Yes
-l, --location Location (e.g. North Europe) No
-c, --counter Instance start counter (used for instance name generation) Yes
--assign Assigns zone to the currently active node No
-a, --admin-name Admin name to be used for API calls Yes
-t, --admin-tenant Admin tenant Yes
-m, --networking-mode Networking mode. Allowed values: [AUTO, MANUAL] Yes
--dns, --dns-server DNS server on which VMs will be registered. Several DNS servers can be specified. Yes
-n, --network-id ID of the network created on the controller earlier Yes
--rn, --region-name OpenStack region name (to be used when a host serves several regions. EPAM Orchestrator zone entity will be associated with the specified region) No
-d, --docker-only Docker only (to be used when the zone is a dedicated zone for Docker/Kubernetes services deployed on CoreOS) No
--mtp Servicing host for the moveToProject command No
The ‘open_stack add_zone’ command requires a password for execution. After the command is sent,
the system prompts for the password. Therefore, this command cannot be sent in the ‘quiet’ mode.
Command Example:
open_stack add_zone -z zone_name -u http://<server_hostname:port>/v2.0 -r region -l location -c 001 -a admin -t admin -m networking_mode --dns dns_server
The mongo refresh_config command of the DB Utility does not hide admin user credentials and URLs
for authorization and additional servers (this does not refer to zones migrated from CSA).
• Zone Editing
To edit an OpenStack zone, use the following command:
open_stack edit_zone [arguments]
The ‘open_stack edit_zone’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Name of the virtualization zone to be used in EPAM Orchestrator (case-sensitive) Yes
-s, --strategy Zone update strategy. Allowed values: [DESCRIBE, PUSH_NOTIFICATIONS, PUSH_NOTIFICATIONS_WITH_DESCRIBE] No
-d, --disk-drive Default storage type. Allowed values: [HDD, SSD]. We recommend using the type supported by the majority of hosts. No
-r, --resource-placing-policy Resource placing policy. Allowed values: [DEFAULT, SAME_HOST]. Defines whether instances should be placed on the same host as the volumes attached to them. The SAME_HOST value is the preferred setting. No
-c, --create-volume-snapshots Defines whether the operation of volume snapshot creation is supported No
-t, --storage-threshold Storage capacity threshold. Must be in the range of [0, 100] No
Command Example:
open_stack edit_zone -z zone_name -s DESCRIBE -d SSD -r SAME_HOST -t 100
• Retrieving the List of OpenStack Zones
To retrieve the list of OpenStack zones existing in EPAM Orchestrator, use the following command:
open_stack get_zones
The ‘open_stack get_zones’ command uses no arguments.
• Orchestration Instance Assignment to OpenStack Zone
When a new zone has been created, it has to be associated with an Orchestration instance for correct
integration in the EPAM Orchestrator and proper service of the resources hosted in such zone.
To assign an Orchestration instance to the newly-created zone, use the following command:
orch assign [arguments]
The ‘orch assign’ command uses the following arguments:
Command Arguments
Argument Description Required
-o, --orch-id Orchestrator instance ID Yes
-z, --zone Name of zone Yes
-u, --unassign Flag used to unassign a previously assigned zone No
-b, --billing Flag used to set the Orchestrator instance responsible for the zone billing No
-a, --active Flag used to set the Orchestrator instance as active No
Command Example:
orch assign -z zone_name -o instance_id -a
• Adding Shapes to OpenStack Zone
A new zone is created with no VM shapes available in it. For the projects to be activated in a zone,
shapes have to be added. Once shapes are added and configured, projects can be activated only with
the shapes available in the zone. If a project requires a shape not available in the zone, the shape has to
be added to the zone first.
OpenStack refers to shapes as “flavors” and distinguishes them not only by the CPU/RAM combination,
but also by the storage type (SSD or HDD), OS type (Linux, Windows) and the system volume size.
Shape names are combined from several parameters, one of them always being the EPAM Orchestrator
shape name. The name may also contain the volume size and the indicator of the storage type (ssd) or
operating system (lin for Linux).
When an instance is launched with a certain shape, the flavor selection is influenced by the specified
shape, image and the zone configuration. The image defines the operating system, and if the storage
type is specified – the corresponding flavor will be used, otherwise, a default flavor will be selected in
accordance with the zone configuration.
To add a shape to an OpenStack zone, use the following command:
open_stack add_shapes [arguments]
The ‘open_stack add_shapes’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Name of virtualization zone where shapes are to be added Yes
-s, --shape Shape name. For several shapes, repeat the parameter: -s SHAPE1 -s SHAPE2. If not specified, all available shapes will be added. Only the shapes not yet added to the zone will be added by the command No
-d, --drive-type Disk drive type. For several disk drives, repeat the parameter: -d SSD -d HDD. If not specified, all available drives will be added No
-t, --os-type Operating System type (e.g. WINDOWS, LINUX). For several OS types, repeat the parameter. If not specified, all available OS types will be added No
--see Print the shapes to be added No
Note that the --see flag blocks the shape addition operation and only prints the list of shapes to be added.
Command Example:
open_stack add_shapes -z zone -s small -t linux -d hdd
• Shape Management in OpenStack
To view the default shapes existing in OpenStack, use the following command:
open_stack get_default_shapes [arguments]
The ‘open_stack get_default_shapes’ command uses no arguments.
To view the shapes available in a certain OpenStack zone, use the following command:
open_stack get_shapes [arguments]
The ‘open_stack get_shapes’ command uses the following arguments.
Command Arguments
Argument Description Required
-z, --zone Name of virtualization zone Yes
To delete shapes from a certain OpenStack zone, use the following command:
open_stack delete_shapes [arguments]
The ‘open_stack delete_shapes’ command uses the following arguments.
Command Arguments
Argument Description Required
-z, --zone Name of virtualization zone Yes
-f, --flavor OpenStack flavor ID. Repeat the option to delete several flavors Yes
When flavors are updated by the OpenStack controller, their identifiers change, which requires flavor
updates in EPAM Orchestrator. This is done by means of the ‘revision’ field in the flavor collection in the
EPAM Orchestrator database. The field is updated with the flavor update date; in this case, the flavor will
still be used to describe the existing resources but will not be used to create new ones. For a new flavor
identifier, the OpenStack controller generates a new document with the ‘revision’ field set to ‘latest’. All
new instances launched by EPAM Orchestrator will use the flavors with ‘revision’ set to ‘latest’.
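The flavor selection rule from "Adding Shapes to OpenStack Zone" and the ‘revision’ handling described above, modelled as an added example that is not EPAM Orchestrator code. Only the ‘revision’ field and its ‘latest’ value come from this guide; the other field names, the flavor IDs and the date are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flavor:
    # Hypothetical document layout; only 'revision' is named in the guide.
    flavor_id: str   # identifier assigned by the OpenStack controller
    shape: str       # EPAM Orchestrator shape name, e.g. "small"
    os_type: str     # "linux" or "windows", defined by the image
    drive: str       # "HDD" or "SSD"
    revision: str    # "latest", or the date on which the flavor was superseded


# Constructed sample content of the flavor collection for one zone.
SAMPLE_FLAVORS = [
    Flavor("f-001", "small", "linux", "HDD", "latest"),
    Flavor("f-002", "small", "linux", "SSD", "latest"),
    Flavor("f-003", "small", "windows", "HDD", "latest"),
]


def rotate_flavor(flavors, old_id, new_id, update_date):
    """The controller re-issued a flavor: date-stamp the old document, add a 'latest' one."""
    result = []
    for f in flavors:
        if f.flavor_id == old_id and f.revision == "latest":
            result.append(replace(f, revision=update_date))
            result.append(replace(f, flavor_id=new_id))
        else:
            result.append(f)
    return result


def flavor_for_launch(flavors, shape, image_os, zone_default_drive, drive=None):
    """New instances use only 'latest' flavors; the drive falls back to the zone default."""
    wanted_drive = drive or zone_default_drive
    matches = [f for f in flavors
               if f.revision == "latest" and f.shape == shape
               and f.os_type == image_os and f.drive == wanted_drive]
    if len(matches) != 1:
        # Zero matches: the shape was never added to the zone. More than one: stale data.
        raise LookupError(
            f"{len(matches)} 'latest' flavors for {shape}/{image_os}/{wanted_drive}")
    return matches[0]


def flavor_for_describe(flavors, flavor_id):
    """Existing resources are described by flavor ID, whatever the revision."""
    for f in flavors:
        if f.flavor_id == flavor_id:
            return f
    raise KeyError(flavor_id)


if __name__ == "__main__":
    updated = rotate_flavor(SAMPLE_FLAVORS, "f-001", "f-101", "2021-02-01")
    print(flavor_for_launch(updated, "small", "linux", "HDD"))   # new ID, 'latest'
    print(flavor_for_describe(updated, "f-001"))                 # old ID, dated revision
```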
• Adding Machine Images to OpenStack Zone
To add machine images which will be available in the OpenStack zone, use the following command:
open_stack add_image [arguments]
The ‘open_stack add_image’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Name of virtualization zone to which the image is to be added Yes
-i, --image-id Image id (e.g. Ubuntu14.04_64-bit) Yes
-o, --open-stack-image-id OpenStack image ID Yes
-d, --description VM image description Yes
-g, --group Image group. Valid values: PUBLIC, ENTERPRISE Yes
-u, --username Default SSH user Yes
-t, --os-type Type of operating system (windows, linux) Yes
Command Example:
open_stack add_image -i Ubuntu14.04_64-bit -o openstack_image -d "Ubuntu14.04 64-bit LTS" -z zone_name -g PUBLIC -u user -t linux
• Machine Image Management in OpenStack
When an image is updated on the OpenStack controller, the image identifier changes. Identifier
synchronization between the OpenStack controller and EPAM Orchestrator is performed on a schedule at
1:00 a.m. UTC. Identifiers can also be updated via jmx on the EPAM Orchestrator Web UI or with the
following Admin Utility command:
open_stack set_image_id [arguments]
The ‘open_stack set_image_id’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Name of virtualization zone Yes
-n, --name Image name Yes
-i, --id New image ID Yes
Command Example:
open_stack set_image_id -n Ubuntu14.04_64-bit -z zone_name -i image_id
To retrieve the list of images existing in EPAM Orchestrator for the specified zone, use the following
command:
open_stack get_images [arguments]
The ‘open_stack get_images’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Name of virtualization zone Yes
Command Example:
open_stack get_images -z zone_name
To delete an image from a zone by its OpenStack ID, use the following command:
open_stack delete_image [arguments]
The ‘open_stack delete_image’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Name of virtualization zone Yes
-i, --image-id Image ID Yes
Command Example:
open_stack delete_image -z zone_name -i image_id
• Custom Image Management in OpenStack
In OpenStack, an image does not store data of the attached volumes. Therefore, in EPAM Orchestrator,
the MachineImages collection in the database stores the data of the snapshots of attached volumes
together with the image data. The snapshot data is stored in the ‘volumeSnapshotInfoSet’ field.
Note that the storage sequence influences the sequence of volume creation and attachment to the
instance launched from the custom image.
Also, to enable creation of custom images from instances with attached volumes, run the ‘open_stack
edit_zone’ command with the -c, --create-volume-snapshots flag, as by default this option is disabled.
• Push Notifications Configuration
OpenStack supports the Push Notifications functionality allowing EPAM Orchestrator to respond to
changes and to perform synchronizations quicker.
Push notifications are sent via the RabbitMQ messenger service. The OpenStack controller sends
messages about various events related to resource state changes to the RabbitMQ server. In turn,
EPAM Orchestrator can monitor pre-defined message queues storing messages from the OpenStack
controller and thus get the change data immediately.
If push notifications are disabled, synchronization is performed by scheduled describe requests to the
server. The request frequency depends on the resource (on average, every 2-5 minutes).
Push notifications are configured with the following command:
open_stack notific_config [arguments]
The ‘open_stack notific_config’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Virtualization zone Yes
--host OpenStack Rabbit host* No
-p, --port OpenStack Rabbit port* No
-m, --mport OpenStack Rabbit Management port** No
-v, --vhost OpenStack Rabbit virtual host*** No
-u, --username OpenStack Rabbit username under which EPAM Orchestrator will monitor messages on the RabbitMQ host No
-r, --reply-timeout Reply timeout (in milliseconds)**** No
-s, --shutdown-timeout Shutdown timeout (in milliseconds)***** No
-n, --min-threads Minimum number of threads to monitor notifications****** No
-x, --max-threads Maximum number of threads to monitor notifications****** No
--nova Custom exchange name for Nova service******* No
--cinder Custom exchange name for Cinder service******* No
--glance Custom exchange name for Glance service******* No
* RabbitMQ host and port for push notifications
** Currently not used as the management plugin is usually disabled on RabbitMQ server deployed together
with the OpenStack controller
*** Usually the default virtual host is used (“/”)
**** Not used
***** The shutdown timeout setting is used to terminate the amqp-listeners container
****** The recommended thread number is up to 30. The minimum setting defines the constant number of
notification handling threads while the maximum setting limits their number
******* Custom exchange key names for the corresponding OpenStack services on RabbitMQ
The ‘open_stack notific_config’ command requires a password for execution. After the command is
sent, the system prompts for the password. Therefore, this command cannot be sent in the ‘quiet’ mode.
Command Example:
open_stack notific_config -z zone_name --host <server_hostname> -p 5672 -v
"/" -u readonly -s 30000 -n 2 -x 6
Before enabling push notifications, run the ‘open_stack edit_zone’ command with the -s, --strategy
parameter set to “PUSH_NOTIFICATIONS_WITH_DESCRIBE”. This setting does not disable scheduled
requests for resource synchronization with EPAM Orchestrator, which makes it a more fault-tolerant
configuration.
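How a consumer of these queues can turn controller notifications into sync requests while leaving anything it cannot parse to the scheduled describe requests, as an added example that is not EPAM Orchestrator code. The oslo.messaging envelope keys, the event-type prefixes, the payload ID fields and all sample values are assumptions or constructed data.

```python
import json
from collections import OrderedDict

# Payload field holding the resource ID, per event_type prefix. Prefixes and
# field names follow the legacy Nova/Cinder/Glance notifications (assumption).
ID_FIELDS = {
    "compute.instance": "instance_id",
    "volume": "volume_id",
    "snapshot": "snapshot_id",
    "image": "id",
}


def unwrap(body):
    """Return the notification dict carried in a raw AMQP message body."""
    msg = json.loads(body)
    # oslo.messaging wraps the notification as a JSON string inside an envelope.
    if isinstance(msg, dict) and "oslo.message" in msg:
        msg = json.loads(msg["oslo.message"])
    if not isinstance(msg, dict):
        raise ValueError("notification is not a JSON object")
    return msg


class NotificationRouter:
    """Turns notifications into (kind, resource_id, event_type) sync requests."""

    def __init__(self, remember=10000):
        self._seen = OrderedDict()   # recent message IDs, oldest first
        self._remember = remember
        self.skipped = 0             # messages left to the scheduled describe

    def handle(self, body):
        """Return the resource to re-describe, or None if nothing to do."""
        try:
            msg = unwrap(body)
            event, payload = msg["event_type"], msg["payload"]
            msg_id = msg["message_id"]
        except (ValueError, KeyError, TypeError):
            self.skipped += 1        # malformed: never crash the listener
            return None
        if not (isinstance(event, str) and isinstance(msg_id, str)
                and isinstance(payload, dict)):
            self.skipped += 1
            return None
        if msg_id in self._seen:     # broker redelivery, already handled
            return None
        self._seen[msg_id] = True
        if len(self._seen) > self._remember:
            self._seen.popitem(last=False)   # keep the memory bounded
        for prefix, field in ID_FIELDS.items():
            if event.startswith(prefix + ".") and payload.get(field):
                return (prefix, payload[field], event)
        self.skipped += 1            # event type this router does not track
        return None


def sample_message(message_id, event_type, payload):
    """Constructed sample: a notification in the oslo.messaging 2.0 envelope."""
    inner = {"message_id": message_id, "publisher_id": "compute.node-1",
             "event_type": event_type, "priority": "INFO", "payload": payload}
    return json.dumps({"oslo.version": "2.0", "oslo.message": json.dumps(inner)})
```

A non-zero `skipped` counter shows why keeping the scheduled describe requests enabled matters: those changes are only picked up by the next scheduled synchronization.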
• Enabling Notifications
To enable the notification service for the OpenStack zone, use the following command:
open_stack notific_switcher [arguments]
The ‘open_stack notific_switcher’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Virtualization zone Yes
-e, --enable Enable notifications No
-d, --disable Disable notifications No
-q, --queues Configure OS RabbitMQ queues No
Before enabling or disabling the notification service, configure its settings using the
‘open_stack notific_config’ command.
Command Example:
open_stack notific_switcher -e -q -z zone_name
• Pricing Policy Creation for OpenStack Zone
Billing of the Cloud services is based on a pricing policy.
To view an existing pricing policy, use the following command:
pricing_policy get [--target]
where the --target parameter indicates how the data is to be delivered. Valid values: ssh_console,
email.
To update the pricing policy, use the following command:
pricing_policy update [arguments]
The ‘pricing_policy update’ command uses the following arguments:
Command Arguments
Argument Description Required
-f, --file File name* Yes
-w, --skip-warnings Skip warnings No
-c, --skip-changes Skip changes No
*This command requires file upload.
Command Example:
pricing_policy update -f file_name
• Setting Cost Center for OpenStack Zone
For the correct billing of the Cloud services for the projects used in the OpenStack zone, a cost center
has to be assigned to it. To assign a cost center to a new OpenStack zone, use the following command:
billing set_cost_center [arguments]
The ‘billing set_cost_center’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Name of zone Yes
-c, --cost-center-name Name of the cost center to be assigned to the zone Yes
Command Example:
billing set_cost_center -z zone -c cost_center
6.5.1 Project Activation in OpenStack
To activate a project in an OpenStack-based region, use the following command:
open_stack activate_project [arguments]
The ‘open_stack activate_project’ command uses the following arguments:
Command Arguments
Argument Description Required
-p, --project Project abbreviation in UPSA Yes
-s, --shape Shape name. For several shapes, repeat the parameter: -s shape1 -s shape2 -s shapeN Yes
-z, --zone Virtualization zone Yes
-f, --fake-project Fake project flag (indicates a fake project, that is, the project not existing in UPSA; used for testing purposes) No
-a, --auto-configuration-disabled Flag disabling auto-configuration for the project No
Command Example:
open_stack activate_project -p project -z zone -s SMALL -s MEDIUM -s LARGE
After the command execution, projects are created on the OpenStack controller according to the pattern
consisting of:
- The name of the node executing the command
- The name of the zone sent in the command
- The project name
During the command execution, default security groups are configured. For each project, a separate
security group is created with rules that do not limit access for the following protocols: udp, tcp, icmp.
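A way to list which security group rules are left in this unrestricted state, so they can be reviewed and tightened per project; this is an added example, not EPAM Orchestrator code. It assumes rule documents in the shape returned by the OpenStack Networking API (security-group-rules); the function names and all sample rules are constructed.

```python
import ipaddress

_PROTO_NUMBERS = {"6": "tcp", "17": "udp", "1": "icmp"}


def _protocol(rule):
    """Normalize the protocol field; None means 'any protocol'."""
    proto = rule.get("protocol")
    if proto is None:
        return "any"
    proto = str(proto).lower()
    return _PROTO_NUMBERS.get(proto, proto)


def _any_source(rule):
    """True when the rule admits traffic from every address."""
    if rule.get("remote_group_id"):          # limited to members of a group
        return False
    prefix = rule.get("remote_ip_prefix")
    if prefix is None:                       # no prefix and no group: any source
        return True
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def _whole_protocol(rule):
    """True when the rule is not narrowed to ports or ICMP types."""
    proto = _protocol(rule)
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if proto == "any":
        return True
    if proto in ("tcp", "udp"):
        if lo is None and hi is None:
            return True
        return lo is not None and hi is not None and lo <= 1 and hi >= 65535
    if proto == "icmp":
        return lo is None                    # ICMP type travels in port_range_min
    return False


def find_unrestricted_ingress(rules):
    """Return (security_group_id, rule_id, protocol) for wide-open ingress rules."""
    return [(r["security_group_id"], r["id"], _protocol(r))
            for r in rules
            if r.get("direction") == "ingress"
            and _any_source(r) and _whole_protocol(r)]


def groups_open_on(rules, protocols=("tcp", "udp", "icmp")):
    """Security groups that leave every listed protocol unrestricted."""
    by_group = {}
    for group, _rule_id, proto in find_unrestricted_ingress(rules):
        by_group.setdefault(group, set()).add(proto)
    return sorted(g for g, p in by_group.items()
                  if "any" in p or set(protocols) <= p)


def _rule(rule_id, group, direction, proto, lo, hi, prefix, remote_group=None):
    return {"id": rule_id, "security_group_id": group, "direction": direction,
            "ethertype": "IPv4", "protocol": proto, "port_range_min": lo,
            "port_range_max": hi, "remote_ip_prefix": prefix,
            "remote_group_id": remote_group}


# Constructed sample data; IDs and prefixes are made up for the example.
SAMPLE_RULES = [
    _rule("rule-tcp", "sg-project-a", "ingress", "tcp", None, None, "0.0.0.0/0"),
    _rule("rule-udp", "sg-project-a", "ingress", "udp", 1, 65535, "0.0.0.0/0"),
    _rule("rule-icmp", "sg-project-a", "ingress", "icmp", None, None, None),
    _rule("rule-ssh", "sg-project-b", "ingress", "tcp", 22, 22, "10.0.0.0/8"),
    _rule("rule-peer", "sg-project-b", "ingress", "tcp", None, None, None,
          remote_group="sg-project-b"),
    _rule("rule-out", "sg-project-b", "egress", None, None, None, None),
]
```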
If a project is activated in a zone with networking mode (-m, --networking-mode) set to ‘MANUAL’, a
separate network with subnet 172.25.0.0/24 is created (the same subnet is used for all projects in zones
with the MANUAL networking mode).
• Personal Projects in OpenStack
To activate personal project support for a particular OpenStack zone, use the following command:
open_stack activate_zones_personal_project [arguments]
The ‘open_stack activate_zones_personal_project’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Virtualization zone Yes
As a result of the command execution, a project under the name “PERSONAL” is activated on the
OpenStack controller. All resources launched under personal projects will be assigned to that project.
6.5.2 OpenStack Networking
When a zone is created, its networking mode (-m, --networking-mode) is set to one of the following
values: AUTO or MANUAL. The mode is defined by the OpenStack controller.
The MANUAL mode is an older option which is currently in the process of deprecation. In the MANUAL
mode, for each project a separate hard-coded network is created in the zone. When an instance is
launched, a public static IP is generated and then assigned to the instance. Afterwards, the DNS name is
registered. Private IP addresses are generated from the hard-coded network created for the project in the
172.25.0.0/24 subnet.
The AUTO mode is more advanced and widely used. Such controllers support only one default network
for all projects activated on the controller. Private IP addresses for all instances launched on the controller
are generated within that network. Public IP addresses are generated in EPAM subnets with IP
addresses being public within the EPAM network.
6.5.3 DNS Name Creation in OpenStack
In OpenStack, each zone is created with specification of a DNS server (one or several). EPAM
Orchestrator accesses such server(s) to register DNS names of instances launched in OpenStack zones.
Depending on the platform, requests to the DNS server can be made through one of the two utilities:
- nsupdate – a utility for Linux orchestrators. A DNS name is added as follows:
nsupdate -g
> server <dns-server IP>
> zone epam.com
> update add <dns-name> <registration lifetime> A <instance IP>
> send
> quit
The same utility is used to delete a DNS name from the server:
nsupdate -g
> server <dns-server IP>
> zone epam.com
> update delete <dns-name> A
> send
> quit
- Dnscmd – a utility for Windows. DNS name is added as follows:
dnscmd ServerName /RecordAdd DNSZoneName HostName RecordType IPAddress
This utility does not support DNS name deletion, therefore, names are to be deleted manually.
Access to the DNS server is done via special tickets generated through the kinit utility.
The DNS name generation utility is selected by setting one of the profiles [nsupdate-dns-creation,
dnscmd-dns-creation]. Also, set [dnscmd.location, nsupdate.location] in the ‘properties’ files for EPAM
Orchestrator to discover the utilities.
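The nsupdate batches shown above are plain text lines, so a caller that fills them from instance data has to make sure a name or address cannot carry a line break or a second command. The sketch below builds and validates the batch before passing it to `nsupdate -g`; it is an added example, not EPAM Orchestrator code, and the function names and sample values are assumptions.

```python
import ipaddress
import re
import subprocess

# One DNS label: letters, digits and hyphens, no hyphen at either end.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
MAX_TTL = 2**31 - 1   # largest TTL a DNS record can carry


def _dns_name(name):
    """Return the lower-cased name if every label is a valid host label."""
    if not isinstance(name, str):
        raise ValueError("DNS name must be a string")
    lowered = name.lower()
    # fullmatch, not match with "$": "$" also matches before a trailing newline.
    if len(lowered) > 253 or not all(
            _LABEL.fullmatch(label) for label in lowered.split(".")):
        raise ValueError(f"invalid DNS name: {name!r}")
    return lowered


def build_batch(action, server, zone, name, address=None, ttl=None):
    """Build the stdin text for `nsupdate -g`; raises ValueError on bad input."""
    server = str(ipaddress.ip_address(server))   # rejects anything but an IP
    zone = _dns_name(zone)
    fqdn = _dns_name(name)
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{name!r} is outside zone {zone!r}")
    if action == "add":
        ip = ipaddress.ip_address(address)
        if ip.version != 4:
            raise ValueError("an A record needs an IPv4 address")
        if type(ttl) is not int or not 0 < ttl <= MAX_TTL:
            raise ValueError(f"invalid TTL: {ttl!r}")
        update = f"update add {fqdn} {ttl} A {ip}"
    elif action == "delete":
        update = f"update delete {fqdn} A"
    else:
        raise ValueError(f"unknown action: {action!r}")
    lines = [f"server {server}", f"zone {zone}", update, "send", "quit"]
    return "\n".join(lines) + "\n"


def run_nsupdate(batch, binary="nsupdate"):
    """Send the batch to nsupdate with GSS-TSIG (-g).

    Requires a valid Kerberos ticket obtained with kinit beforehand.
    The arguments are passed as a list, so no shell parses the input.
    """
    return subprocess.run([binary, "-g"], input=batch, text=True,
                          capture_output=True, check=True, timeout=30)
```

`build_batch("add", "10.10.0.2", "epam.com", "vm-01.epam.com", "10.20.30.40", 3600)` returns the five-line batch from the listing above with the constructed values filled in.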
6.5.4 OpenStack Metadata
Most of the resources created on OpenStack controllers have metadata. Instance metadata stores
instance access information and the instance requestor’s identification data. Also, metadata logs instance
migration from another project (mtp-action). The mtp-action parameter is set during the or2mtp Maestro
CLI command; at the same time, the projectId field in the database used by the OpenStack controller is
updated.
Instance flavors (shapes) also have metadata generated during flavor addition to EPAM Orchestrator.
Both host metadata and flavor metadata are used to direct the resource creation request to the most
suitable host.
System volumes are associated with the corresponding instances by the controller’s response to the
instance launch. The response contains the availability zone in which the system volume will be created.
6.5.5 OpenStack Recycle Bin
The Recycle Bin feature allows restoring recently terminated resources. Recycle Bin is, in fact, a project
activated on the OpenStack controller serving the entire zone.
• Recycle Bin Creation
To create a Recycle Bin, use the following command:
open_stack create_recycle_bin [arguments]
The ‘open_stack create_recycle_bin’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Virtualization zone Yes
-t, --ttl Minimum time to live for instance in hours before being moved to recycle bin. Default: 24 No
-d, --days Number of days for the instance to remain in the Recycle Bin. Default: 7 No
Command Example:
open_stack create_recycle_bin -z zone -t 24 -d 7
• Recycle Bin Management
To edit a Recycle Bin, use the following command:
open_stack edit_recycle_bin [arguments]
The ‘open_stack edit_recycle_bin’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Virtualization zone Yes
-t, --ttl Minimum time to live for instance in hours before being moved to recycle bin. Default: 24 No
-d, --days Number of days for the instance to remain in the Recycle Bin. Default: 7 No
Command Example:
open_stack edit_recycle_bin -z zone -t 48 -d 5
The ‘open_stack edit_recycle_bin’ command allows updating the -t, --ttl and -d, --days parameters.
The -z, --zone parameter is sent to identify the zone in which the Recycle Bin has to be modified.
To describe a Recycle Bin, use the following command:
open_stack describe_recycle_bin [arguments]
The ‘open_stack describe_recycle_bin’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Virtualization zone Yes
Command Example:
open_stack describe_recycle_bin -z zone
The command returns the Recycle Bin settings in the selected zone and lists the resources currently
stored in it.
• Management of Resources in Recycle Bin
To restore an instance from the Recycle Bin, use the following command:
open_stack restore_from_recycle_bin [arguments]
The ‘open_stack restore_from_recycle_bin’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Virtualization zone Yes
-s, --server-id ID of the instance to be restored. Instance IDs to be used are instance IDs on the OpenStack controller. Yes
-p, --project Project abbreviation in UPSA* No
* The -p, --project parameter allows restoring the instance in a different project activated in the same zone.
Command Example:
open_stack restore_from_recycle_bin -z zone -s instance_id
To remove an instance from the Recycle Bin, use the following command:
open_stack remove_from_recycle_bin [arguments]
The ‘open_stack remove_from_recycle_bin’ command uses the following arguments:
Command Arguments
Argument Description Required
-z, --zone Virtualization zone Yes
-s, --server-id ID of the instance to be restored. Instance IDs to be used are instance IDs on the OpenStack controller. Yes
Command Example:
open_stack remove_from_recycle_bin -z zone -s instance_id
To terminate an instance without placing it into the Recycle Bin, it has to be terminated via the Maestro
CLI with the --permanently option:
or2kill -p project_id -r region -i instance_id --permanently
6.5.6 OpenStack Instance State
OpenStack controller and EPAM Orchestrator determine instance state differently. To resolve this
difference, EPAM Orchestrator supports special mapping using the following three parameters of the
controller:
- Instance state
- Current task running on the instance
- Power state
Combinations of these parameters are mapped to EPAM Orchestrator instance states.
Sometimes, OpenStack controller may produce new combinations. In this case, after two-sided
consultations with OpenStack support and approval of the updates, the new combination is added to the
EPAM Orchestrator mapping which is part of the code.
6.5.7 Other
• Volume Errors
In case of a volume error on the OpenStack controller, EPAM Orchestrator updates the volume state to
‘error’, because the controller returns an empty response (unlike the response on the instance, which
contains the reason) that does not allow identifying the failure reason. In this case, the Level 1.5 Team
will be notified.
• Shape Change on OpenStack
Instance shape is changed with the or2chshape (or2-change-shape) Maestro CLI command. In
OpenStack regions, this command execution consists of the following subtasks:
- Validation of the shape change request
- Shape change confirmation
- Waiting for the corresponding flavor replacement
6.6 SIMPLE USER CONFIGURATION
In cases when it is necessary to provide access to a user whose credentials cannot be obtained from
UPSA for some reason (for example, for a customer representative), a simple user should be created in
Orchestrator.
The user configuration flow is as follows:
- Create a user: ‘permission add_user’ (--username, --login, --requestor)
- Assign the user to the project: ‘permission assign’ (--project)
- Assign permission groups: ‘permission add_user_mapping’ (--project, --group)
- Clear permission groups: ‘permission del_user_mapping’ (--project)
Each step is described in detail below:
6.6.1 User Creation
To create a new user in EPAM Cloud, use the following command:
permission add_user [arguments]
The ‘permission add_user’ command uses the following arguments:
Command Arguments
Argument Description Required
-e, --email User’s email Yes
-u, --username User’s full name Yes
-l, --login User’s login Yes
-r, --requestor Email of the requestor of the simple user account No
Command Example:
permission add_user -e [email protected] -u "Firstname Lastname" -l [email protected]
6.6.2 User Assignment to Project
After the simple user has been created, it should be assigned to a project with the following command:
permission assign [arguments]
The ‘permission assign’ command uses the following arguments:
Command Arguments
Argument Description Required
-e, --email User’s email Yes
-p, --project Project abbreviation in UPSA Yes
Command Example:
permission assign -e [email protected] -p project
6.6.3 Permission Assignment
A simple user should be assigned one or more permission groups defining their access to the
Orchestrator functions:
permission add_user_mapping [arguments]
The ‘permission add_user_mapping’ command uses the following arguments:
Command Arguments
Argument Description Required
-e, --email User’s email Yes
-p, --project Project abbreviation in UPSA No
-g, --group Permission group name. For several groups repeat the parameter Yes
Command Example:
permission add_user_mapping -p project -e [email protected] -g permission_group
If the ‘--project’ parameter is not specified, the user will be assigned permissions applicable to the entire
EPAM Cloud.
6.6.4 Permission Update
If the user’s permissions have to be updated according to any changes in their project role, the existing
permission groups have to be deleted using the following command:
permission del_user_mapping [arguments]
The ‘permission del_user_mapping’ command uses the following arguments:
Command Arguments
Argument Description Required
-e, --email User’s email Yes
-p, --project Project abbreviation in UPSA No
Command Example:
permission del_user_mapping -p project -e [email protected]
The ‘permission del_user_mapping’ command deletes all permission groups assigned to the user
within the project. After all permission groups have been deleted, run the ‘permission
add_user_mapping’ command to assign new permission groups.
If you try to add permission groups without deleting the existing user mapping, the command will return
an error. Make sure you run the ‘permission del_user_mapping’ command first.
User permissions will be refreshed within 30 minutes, and afterwards the credentials (login, username
and CLI password) can be passed on to the external user. The user will be able to access Cloud UI with
their login and domain password and Maestro CLI with their login and the password created by the
support team.
ANNEX A – ADMIN CLI COMMANDS USAGE IN DIFFERENT
VIRTUALIZATION PLATFORMS
Platform / Command Group
Command aws azure csa hpoo open_stack
add_image X X X
add_zone X X X X X
add_shape X
add_shapes X
add_group X
config_group X
describe_groups X
add_account X
check_account X
get_accounts X
activate_project X X X X X
config_project X
active_project_dl X
del_project_dl X
add_subscript X
del_subscript X X
get_subscript X
subscript_pool X
add_enrolment X
grant_access X
revoke_access X
share_credit X
add_trusted_ip X
del_trusted_ip X
add_zone_alias
config_network X
get_net_config X
add_ownership X
active_cloudtrail X
get_cloudtrail X
put_under_eo X
set_catalog X
sync_from_csa X
restore_to_csa X
add_offering X
check_offerings X
vlan_activate X X
config_api X
restore_missing X
check_flows X
configvs X
refresh_images X
get_problem_inst X
notific_config X
notific_switcher X
ANNEX B – ADMIN CLI COMMANDS REQUIRING FILE
UPLOAD
Command File
settings add_key SSH public key
csa put_under_eo File containing commands. File format: -z zone -i instance -o
offeringName -s shape.
Only one command per line is allowed
pricing_policy update File containing the pricing policy
pricing_policy check File containing the pricing policy
show project_dls File containing the list of ORG Cloud User emails (copied from
Microsoft Outlook)
template analyze File containing the CloudFormation template to be analyzed
aws up_man_policy File containing the AWS policy
aws save_policy File containing the AWS policy
billing aws_china Previously uploaded CSV file containing the report
chef add_config The command requires uploading three files:
- Validation pem file
- Authentication file
- Chef server certification file
ANNEX C – ADMIN CLI COMMANDS SENDING EMAILS AS
THE RESULT OF EXECUTION
Command Email content
billing health_check Billing consistency report
billing aws_china
chef describe_server Chef server data
chef get_nodes Data of Chef nodes and existing EO instances
cli notify Notification of CLI update
integrity check Integrity check report
pricing_policy get Pricing policy data
show all_zones Brief information of all zones
show all_projects Brief information of all projects
subscription show_default List of default subscriptions to notifications and reports
aws_security get_backup Backup configuration of the security groups
aws_security check_mfa List of users with no MFA configured
aws check_config AWS configuration data
aws get_policies AWS policy description
aws_ri describe List of AWS reserved instances
csa check_offerings CSA offering information
ANNEX D – AWS-RELATED COLLECTIONS IN DATABASE
Collection Content
AWSAccounts Contains all AWS accounts. This collection stores both PAYING
account and associated LINKED accounts. Each account has
the account, accessKey and secretKey fields. They are used by
EPAM Orchestrator to make requests to AWS within a project.
AWSRoles Currently contains 4 documents each describing a particular
role/group:
EC2_INSTANCE_ROLE – IAM role for Amazon EC2
GROUP_ROLE – default role used for all project IAM users.
This group is created during project activation with the
corresponding policies. All IAM users belong to this group
FEDERATED_USER_ROLE – used when a user accesses
AWS via the or2awsmc Maestro CLI command
CLOUD_SUPPORT_ROLE – used when a user who is an EPM-CSUP
project member accesses AWS via the or2awsmc
Maestro CLI command. This role allows all actions
AwsIamEntities Contains roles for SSO configuration. Users accessing AWS via
AWS SSO are assigned roles according to their project roles
AwsIamPolicies Contains AWS policies for roles/groups/services, etc. For
example, SSO roles from the AwsIamEntities collection use
policies from AwsIamPolicies
AwsIamUsers Contains all IAM users created both via EPAM Orchestrator and
AWS. User data is synchronized once every week
AwsSSOUserMappings Contains specific permission settings for users of AWS SSO
AwsIamEntityProhibitionMapping Contains restrictions for specific users within specific SSO roles
AwsSecurityGroupsBackup Scheduled backups of security groups. The collection contains
links to security group files
TABLE OF FIGURES
Figure 1 – Locating Private Key
Figure 2 – Command groups
Figure 3 – List of commands in a group
Figure 4 – Command help
Figure 5 – Error message indicating missing parameter
Figure 6 – AWS zone creation flow
Figure 7 – Azure zone creation flow
Figure 8 – Network configuration
Figure 9 – Configuration of Azure zones
Figure 10 – CSA zone creation flow
Figure 11 – Google account setup
Figure 12 – Project activation in Google Cloud
Figure 13 – OpenStack zone creation
VERSION HISTORY
Version Date Summary
2.6 February, 2021 Added detailed description of the following groups of commands:
“Subscription”, “Account”, “Settings”, “Orch”, “INIT”, “Integrity”, “CLI”,
“Status”, “Security”, “Luminate”, “Qualys” and “Instance”.
Added detailed description of the “AWS_Workspaces” group
command, temp remove_redundant_firewall, google
describe_instance_firewalls, aws grant_licenses and aws_security
describe_sg_resources commands.
Updated parameters of aws_security manage_sec_groups, google
manage_external_ip and settings upsa commands.
2.5 December, 2020 Added detailed description of the “Admin”, “User”, “Permission” and
“Project” group commands
2.4 October, 2020 Added detailed description of the “Azure” and “Google” group
commands
Removed information about Nessus
2.3 September, 2020 Added detailed description of the “AWS” group commands
2.2 August 5, 2020 Added detailed description of the “OpenStack” group commands
2.1 June 27, 2020 Updated the list of commands. Added detailed description of the
“Show” group
2.0.2 March 20, 2018 Added a ‘user prolong_access_token’ command to prolong simple
user account access expiration
2.0.1 November 30, 2017 Information about MSQ3 removed
2.0 September 9, 2017 Document revised, Use Cases section rearranged with use cases
grouped by virtualizer
1.0.4 January 11, 2017 Section describing admin Maestro CLI commands added
1.0.3 December 16, 2016 Classification changed from Confidential to Public, approved by
Dzmitry Pliushch
1.0.2 November 4, 2016 Added aws_security check_mfa command description
1.0.1 September 3, 2016 Added delete_user to aws group.
Added incorrect parameters warning to the Basic Principles section.
1.0 April 10, 2016 First published