This is a short project that automates backups of specific EC2 instances based on their EC2 tags.

This project uses the AWS Backup service to back up EC2 instances automatically every day.
Only EC2 instances with the tag Backup:true are backed up; instances with the tag Backup:false are not.
An AWS CodeCommit repository contains a JSON file listing EC2 instance IDs and the tag value (true or false); any change to this JSON file automatically updates the tags of the EC2 instances.

2. Create AWS CodeCommit Repository

Create an AWS CodeCommit repository with the name tagged-instanes.
To create an AWS CodeCommit repository you can use either:

- AWS console: Create an AWS CodeCommit repository
- AWS CLI: follow the steps below 👇

Using the AWS CLI:

- Make sure that you have configured the AWS CLI with your AWS account:

```shell
aws configure
```

- Specify the name of your repository (I'll name it tagged-instanes) and a description for it, then run this command:

```shell
aws codecommit create-repository --repository-name tagged-instanes --repository-description "this repo contain a list of EC2 instances"
```

- Add an instances.json file to your repository containing the list of EC2 instance IDs and the value of the Backup tag, like this:

```json
{ "EC2 instance ID": "True or false" }
```
3. IAM roles

Two AWS Lambda functions are created in this project; we need to give them the right permissions to do the job.

- First role, attached to the Lambda function that reads the instances.json file and updates EC2 tags. We need two policies:
  - codecommit GetFile: to read the file from the CodeCommit repository.
  - ec2 CreateTags and DescribeInstances (list instances): to create or update the tags of EC2 instances.

Role name: read-tag-ec2

IAM JSON policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:CreateTags",
        "codecommit:GetFile"
      ],
      "Resource": "*"
    }
  ]
}
```
- Second role, attached to the Lambda function that reads the tags of all EC2 instances and backs up the EC2 instances with the tag Backup:true. We need three policies:
  - EC2 DescribeInstances: list instances to check the tags.
  - Backup StartBackupJob: to start a backup job.
  - IAM PassRole: allow Lambda to pass an IAM role to AWS Backup. More information about PassRole

Role name: backup-ec2

IAM JSON policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "ec2:DescribeInstances",
        "backup:StartBackupJob"
      ],
      "Resource": "*"
    }
  ]
}
```
The last role is the one that will be passed from the Lambda function to AWS Backup.
Create a new role with the name Attached-backup and attach the managed policy AWSBackupServiceRolePolicyForBackup to it.
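Both policies above grant their actions on `"Resource": "*"`. For the backup-ec2 role in particular that means the function may pass any role in the account to any service that accepts it, not just Attached-backup to AWS Backup. The following is an added example, not part of the project: it builds least-privilege versions of the two policies (scoped to the repository, the instances, the backup vault and the one role, with `iam:PassedToService` limiting PassRole to the Backup service) and includes a small check that flags statements in the originals that grant state-changing or privilege-passing actions on `*` with no condition. The account ID, region and vault name are placeholders to substitute; the ARNs are built from the role and repository names used on this page. `ec2:DescribeInstances` does not support resource-level permissions, so it legitimately keeps `*`.

```python
"""Added example (not part of the project): least-privilege versions of the
read-tag-ec2 and backup-ec2 policies, plus a check for over-broad statements."""
import json

# Placeholders: substitute your own account, region and vault name.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
BACKUP_VAULT_NAME = "Default"
REPOSITORY_NAME = "tagged-instanes"   # from the page
BACKUP_ROLE_NAME = "Attached-backup"  # from the page

# Actions that change state or pass privilege; these on Resource "*" get flagged.
SENSITIVE_ACTIONS = {"iam:PassRole", "ec2:CreateTags", "backup:StartBackupJob", "codecommit:GetFile"}

# The backup-ec2 policy exactly as given on the page, used to demonstrate the check.
ORIGINAL_BACKUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["iam:PassRole", "ec2:DescribeInstances", "backup:StartBackupJob"],
        "Resource": "*",
    }],
}


def read_tag_policy():
    """Scoped replacement for the read-tag-ec2 policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # DescribeInstances has no resource-level permissions; "*" is unavoidable here.
            {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
            # Read only the one repository that holds instances.json.
            {"Effect": "Allow", "Action": "codecommit:GetFile",
             "Resource": f"arn:aws:codecommit:{REGION}:{ACCOUNT_ID}:{REPOSITORY_NAME}"},
            # Tag only instances, and only with the Backup key.
            {"Effect": "Allow", "Action": "ec2:CreateTags",
             "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:instance/*",
             "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["Backup"]}}},
        ],
    }


def backup_policy():
    """Scoped replacement for the backup-ec2 policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
            # Start jobs only into the one vault.
            {"Effect": "Allow", "Action": "backup:StartBackupJob",
             "Resource": f"arn:aws:backup:{REGION}:{ACCOUNT_ID}:backup-vault:{BACKUP_VAULT_NAME}"},
            # Pass only the one role, and only to the AWS Backup service.
            {"Effect": "Allow", "Action": "iam:PassRole",
             "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/{BACKUP_ROLE_NAME}",
             "Condition": {"StringEquals": {"iam:PassedToService": "backup.amazonaws.com"}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_wildcards(policy):
    """Return (action, sid) pairs for sensitive or wildcard actions that a policy
    allows on Resource "*" with no Condition. Works on any loaded identity policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in SENSITIVE_ACTIONS or action.endswith("*"):
                findings.append((action, stmt.get("Sid", "")))
    return findings


if __name__ == "__main__":
    print("findings in the page's backup-ec2 policy:", find_wildcards(ORIGINAL_BACKUP_POLICY))
    print(json.dumps(backup_policy(), indent=2))
```

The `iam:PassedToService` condition only helps if the Attached-backup role's trust policy also allows `backup.amazonaws.com` to assume it; the two together are what stop the passed role from being reused elsewhere.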
4. Lambda function: read tags (read-tag.py)

This Lambda function is triggered after any modification to the repository (after a commit); it reads instances.json and updates the tags of the EC2 instances.

- Create a Lambda function and copy the code from read-tag.py. Change repositoryName and filePath to the names you used.
- Attach the read-tag-ec2 role to this function. Change ResourceArn and IamRoleArn to valid values.
- Create an AWS CodeCommit trigger for the AWS Lambda function. Example: click here
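The following is an added example, not the project's read-tag.py, covering both the instances.json format from section 2 and the Lambda function described just above: it parses and validates the file, normalises the values to the lower-case strings "true"/"false" (so that a later tag filter matches a single spelling), and applies the Backup tag through the CodeCommit GetFile and EC2 CreateTags calls that the read-tag-ec2 role allows. The instance ID pattern, the accepted value spellings and the fail-loud behaviour on a bad commit are design choices made here, and the repository and file names are the ones from this page; the real Lambda entry point is only the last function.

```python
"""Added example (not the project's read-tag.py): read instances.json from
CodeCommit, validate it, and set the Backup tag on the listed EC2 instances."""
import json
import re

# EC2 instance IDs are "i-" followed by 8 or 17 hex characters.
INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8}(?:[0-9a-f]{9})?$")

# Accepted spellings in instances.json (assumption); everything is normalised
# to "true"/"false" so tag filters only have to match one spelling.
TRUE_VALUES = {"true", "yes", "1"}
FALSE_VALUES = {"false", "no", "0"}


def parse_instances(raw):
    """Return {instance_id: "true" | "false"} from the JSON text.

    Raises ValueError on malformed JSON, a bad instance ID or an unknown value,
    so a bad commit fails loudly instead of silently tagging nothing.
    """
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("instances.json must be a JSON object")
    wanted = {}
    for instance_id, value in data.items():
        if not INSTANCE_ID_RE.match(instance_id):
            raise ValueError("bad instance id: %r" % instance_id)
        text = str(value).strip().lower()  # JSON booleans become "true"/"false"
        if text in TRUE_VALUES:
            wanted[instance_id] = "true"
        elif text in FALSE_VALUES:
            wanted[instance_id] = "false"
        else:
            raise ValueError("bad Backup value for %s: %r" % (instance_id, value))
    return wanted


def build_create_tags_calls(wanted):
    """Group instances by tag value so each value needs one CreateTags call."""
    calls = []
    for value in ("true", "false"):
        ids = sorted(i for i, v in wanted.items() if v == value)
        if ids:
            calls.append({"Resources": ids, "Tags": [{"Key": "Backup", "Value": value}]})
    return calls


def apply_tags(codecommit, ec2, repository_name, file_path):
    """Fetch the file from CodeCommit and tag the instances.

    The clients are passed in so the logic can be exercised with fakes offline;
    returns the list of CreateTags parameter sets that were sent.
    """
    resp = codecommit.get_file(repositoryName=repository_name, filePath=file_path)
    wanted = parse_instances(resp["fileContent"].decode("utf-8"))  # fileContent is bytes
    calls = build_create_tags_calls(wanted)
    for call in calls:
        ec2.create_tags(**call)
    return calls


def lambda_handler(event, context):
    """Lambda entry point: boto3 is available in the Lambda runtime, so it is
    imported here rather than at module level."""
    import boto3
    return apply_tags(boto3.client("codecommit"), boto3.client("ec2"),
                      repository_name="tagged-instanes", file_path="instances.json")
```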
5. Lambda function: backup EC2 (backup-ec2.py)

This Lambda function creates backups of EC2 instances based on their tags.

- Create a Lambda function and copy the code from backup-ec2.py.
- Attach the backup-ec2 role to this function.
6. Schedule the backup

The backup EC2 Lambda function will be invoked once every day.

- Create an AWS EventBridge rule that schedules a job to run every day, with the name runEveryDay (the CLI commands below use the name DailyLambdaJob; use the same rule name in both commands).

Using the AWS CLI:

```shell
aws events put-rule --schedule-expression "rate(1 day)" --event-bus-name default --name DailyLambdaJob
```

- Add the backup EC2 Lambda function as a target of the runEveryDay rule.

Using the AWS CLI:

```shell
aws events put-targets --rule DailyLambdaJob --targets "Id"="1","Arn"="Lambda function ARN"
```
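The following is an added example, not the project's backup-ec2.py, of the daily backup function from section 5: it asks EC2 for instances whose Backup tag is exactly "true" (the filter is applied server-side and tag filter values are case-sensitive, which is why the read-tag example normalises values to lower case), skips terminated instances, and starts one AWS Backup job per instance with the ResourceArn and IamRoleArn the page tells you to fill in. The role ARN, account ID, region and vault name are placeholders; the choice to record a per-instance failure and carry on with the rest is a design decision made here.

```python
"""Added example (not the project's backup-ec2.py): start an AWS Backup job for
every EC2 instance tagged Backup:true."""

# Placeholders: substitute the values from your account.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
IAM_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/Attached-backup"  # the role created above
BACKUP_VAULT_NAME = "Default"


def instances_to_back_up(ec2):
    """Return the IDs of non-terminated instances whose Backup tag is "true".

    The paginator handles accounts with more than one page of instances;
    terminated instances are skipped because they cannot be backed up.
    """
    ids = []
    paginator = ec2.get_paginator("describe_instances")
    pages = paginator.paginate(Filters=[{"Name": "tag:Backup", "Values": ["true"]}])
    for page in pages:
        for reservation in page["Reservations"]:
            for instance in reservation["Instances"]:
                if instance["State"]["Name"] != "terminated":
                    ids.append(instance["InstanceId"])
    return ids


def instance_arn(instance_id, region=REGION, account_id=ACCOUNT_ID):
    """ResourceArn expected by StartBackupJob for an EC2 instance."""
    return f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"


def start_backups(ec2, backup, iam_role_arn=IAM_ROLE_ARN, vault=BACKUP_VAULT_NAME):
    """Start one backup job per tagged instance; return {instance_id: job id or error}.

    A failure on one instance is recorded and does not stop the others, so one
    mis-tagged or unsupported instance cannot cancel the whole nightly run.
    """
    jobs = {}
    for instance_id in instances_to_back_up(ec2):
        try:
            resp = backup.start_backup_job(
                BackupVaultName=vault,
                ResourceArn=instance_arn(instance_id),
                IamRoleArn=iam_role_arn,
            )
            jobs[instance_id] = resp["BackupJobId"]
        except Exception as exc:  # botocore ClientError in real runs; kept generic here
            jobs[instance_id] = "ERROR: %s" % exc
    return jobs


def lambda_handler(event, context):
    """Lambda entry point invoked by the EventBridge rule; boto3 is imported here
    because it is present in the Lambda runtime but not needed for the logic above."""
    import boto3
    return start_backups(boto3.client("ec2"), boto3.client("backup"))
```

When the rule target is added with the CLI as shown above (rather than from the Lambda console), the function also needs a resource-based permission that lets `events.amazonaws.com` invoke it, added with `aws lambda add-permission`; without it the rule fires but the function is never called, which is worth checking in CloudWatch after the first scheduled run.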