Initial Version

Author: kcantrel

Management-Utilities/auto_set_fsxn_auto_grow/README.md

@@ -0,0 +1,102 @@
+# Automatically Set Auto Size mode to Grow on FSx for NetApp ONTAP Volumes
+
+## Introduction
+This project helps to mitigate the issue of not being able to set the auto size mode to
+'grow' when creating a FSxN volume from the AWS console or API. It does this by providing
+a Lambda function that will set the mode for you, and instructions on how to set up a
+CloudWatch event to trigger the Lambda function whenever a volume is created. With this
+combination it ensures that all volumes are effectively created with the auto size mode
+set to 'grow'.
+
+## Set Up
+There are just a few things you have to do to set this up:
+
+### Create a role for the Lambda function
+The Lambda function doesn't leverage that many AWS services, so only a few permissions are required:
+
+
+| Permission              | Minimal Scope     |  Notes 
+|:------------------------|:----------------|:----------------|
+| Allow:logs:CreateLogGroup | arn:aws:logs:<LAMBDA_REGION>:<ACCOUNT_ID>:* | This is required so you can get logs from the Lambda function. |
+| Allow:logs:CreateLogStream<BR>Allow:logs:PutLogEvents | arn:aws:logs:<LAMBDA_REGION>:<ACCOUNT_ID>:/aws/lambda/<LAMBDA_FUNCTION_NAME>:* | This is required so you can get logs from the Lambda function. |
+| Allow:secretsmanager:GetSecretValue | <ARN_OF_SECRET_WITHIN_SECRETS_MANAGER> | This is required so the Lambda function can get the credentials for the FSxN file system. |
+| Allow:fsx:DescribeFileSystems<BR>Allow:fsx:DescribeVolumes | * | You can't limit these API. They are required to get information regarding the file system and volumes. |
+| Allow:ec2:CreateNetworkInterface<BR>Allow:ec2:DeleteNetworkInterface<BR>Allow:ec2:DescribeNetworkInterfaces | * | Since the Lambda function is going to run within your VPC, it has to be able to create a network interface to communicate with the FSxn file system API. |
+
+### Create AWS Endpoints
+Since the Lambda function will be configured to run within the VPC that contains the FSxN
+file system, so it can issue API calls against it, there will need to be AWS endpoints so
+the Lambda function can access some of the AWS service. If you have a Transit Gateway setup
+that allows access to the Internet, you may not have to create these endpoints, otherwise, the
+following endpoints will need to be created, and attached to the VPC and subnets that the
+FSxN file system is attached to.
+
+- FSx
+- SecretsManager
+
+### Create the Lambda Function
+Create a Lambda function with the following parameters:
+
+- Authored from scratch
+- Uses the Python runtime
+- Set the permissions to the role created above.
+- Enable VPC. Found under the Advanced Settings
+  - Attached to the VPC that contains the FSxN file system
+  - Attached to the Subnets that contain the FSxN file system.
+  - Attached a security group that allows access from any IP within the two subnets.
+
+After you create the function, you will be able to insert the code included with this 
+projrectinto the code box. Once you have inserted the code, modify the "secretsTable"
+array to provide the secrets name, and the keys for the username as password for each
+of the FSxN File Systems that you want to manage with this script. Also, set the
+secretsManagerRegion variable to the region where your secrets are stored.
+
+Once you have updated the program, click on the "Deploy" button.
+
+Next, click on the Configuration tab, then General and set the timeout to 10 seconds.
+
+### Create an Event Bridge Rule (a.k.a. Cloud Watch Event) that will trigger when a FSx Volume is created
+Once on the "Event Bridge" page, click on Rules on the left add side. From there click
+on Create Rule. Give the rule a name, and make sure to put the rule on the "Default" bus.
+Finally select "Rule with an event pattern" and click Next.
+
+Select "other" as the event source, skip pass the "Sample Event" section, and click on
+"Custom pattern (JSON editor)" under the Creation Method. Paste the following in the
+Edit Event Pattern text box:
+```json
+{
+  "detail-type": [
+    "AWS API Call via CloudTrail"
+  ],
+  "detail": {
+    "eventSource": [
+      "fsx.amazonaws.com"
+    ],
+    "eventName": [
+      "CreateVolume"
+    ]
+  }
+}
+```
+
+Click Next. This next page will allow you to select the Lambda function you created above.
+Just take the defaults for the remaining pages and click on "Create Rule."
+
+This point every time a volume is created the Lambda function will be called, and it will
+set the auto size mode to "grow".
+
+## Author Information
+
+This repository is maintained by the contributors listed on [GitHub](https://github.com/NetApp/FSx-ONTAP-samples-scripts/graphs/contributors).
+
+## License
+
+Licensed under the Apache License, Version 2.0 (the "License").
+
+You may obtain a copy of the License at [apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0).
+
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an _"AS IS"_ basis, without WARRANTIES or conditions of any kind, either express or implied.
+
+See the License for the specific language governing permissions and limitations under the License.
+
+© 2024 NetApp, Inc. All Rights Reserved.

Management-Utilities/auto_set_fsxn_auto_grow/set_fsxn_volume_auto_grow.py

@@ -0,0 +1,158 @@
+################################################################################
+# THIS SOFTWARE IS PROVIDED BY NETAPP "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL NETAPP BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR'
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+################################################################################
+
+################################################################################
+# This Lambda function is used to set the auto size feature to 'grow' on a
+# volume that was created in an AWS FSx for NetApp ONTAP file system. It is
+# expected to be triggered by a CloudWatch event that is generated when a
+# volume is created. The function uses the ONTAP API to set the auto size
+# mode to 'grow' on the volume therefore it most run within the VPC where the
+# FSx for ONTAP file system is located.
+################################################################################
+
+import json
+import time
+import urllib3
+from urllib3.util import Retry
+import logging
+import botocore
+import boto3
+#
+# Create a table of secret names and keys for the username and password for each of the FSxIds.
+secretsTable = [
+        {"id": "fs-0e8d9172fa545ef3b", "secretName": "mon-fsxn-credentials", "usernameKey": "mon-fsxn-username", "passwordKey": "mon-fsxn-password"},
+        {"id": "fs-020de2687bd98ccf7", "secretName": "mon-fsxn-credentials", "usernameKey": "mon-fsxn-username", "passwordKey": "mon-fsxn-password"},
+        {"id": "fs-07bcb7ad84ac75e43", "secretName": "mon-fsxn-credentials", "usernameKey": "mon-fsxn-username", "passwordKey": "mon-fsxn-password"},
+        {"id": "fs-077b5ff41951c57b2", "secretName": "mon-fsxn-credentials", "usernameKey": "mon-fsxn-username", "passwordKey": "mon-fsxn-password"}
+    ]
+#
+# Set the region where the secrets are stored.
+secretsManagerRegion="us-west-2"
+
+################################################################################
+# This function is used to obtain the username and password from AWS's Secrets
+# Manager for the fsxnId passed in. It returns empty strings if it can't
+# find the credentials.
+################################################################################
+def getCredentials(secretsManagerClient, fsxnId):
+
+    for secretItem in secretsTable:
+        if secretItem['id'] == fsxnId:
+            secretsInfo = secretsManagerClient.get_secret_value(SecretId=secretItem['secretName'])
+            secrets = json.loads(secretsInfo['SecretString'])
+            username = secrets[secretItem['usernameKey']]
+            password = secrets[secretItem['passwordKey']]
+            return (username, password)
+    return ("", "")
+
+################################################################################
+# This function returns the UUID of the volume that has the ARN passed in. It
+# tries a few times, sleeping 1 second between attempts, since the UUID
+# doesn't exist until the volume has been created on the ONTAP side.
+# It returns an empty string if the ARN is not found.
+################################################################################
+def getVolumeUUID(fsxClient, volumeId, volumeARN):
+
+    global logger
+
+    cnt = 0
+    while cnt < 3:
+        awsVolume = fsxClient.describe_volumes(VolumeIds=[volumeId])['Volumes'][0]
+        if awsVolume['ResourceARN'] == volumeARN:
+            return awsVolume['OntapConfiguration']['UUID']
+        logger.debug(f'Looping, getting the UUID {cnt}')
+        cnt += 1
+        time.sleep(1)
+
+    return ""
+
+################################################################################
+################################################################################
+def lambda_handler(event, context):
+
+    global logger
+    #
+    # Set up "logging" to appropriately display messages. It can be set it up
+    # to send messages to a syslog server.
+    logging.basicConfig(datefmt='%Y-%m-%d_%H:%M:%S', format='%(asctime)s:%(name)s:%(levelname)s:%(message)s', encoding='utf-8')
+    logger = logging.getLogger("scan_create_sm_relationships")
+#    logger.setLevel(logging.DEBUG)
+    logger.setLevel(logging.INFO)
+    #
+    # Set the logging level higher for these noisy modules to mute thier messages.
+    logging.getLogger("botocore").setLevel(logging.WARNING)
+    logging.getLogger("boto3").setLevel(logging.WARNING)
+    logging.getLogger("urllib3").setLevel(logging.WARNING)
+    #
+    # Create a Secrets Manager client.
+    session = boto3.session.Session()
+    secretsManagerClient = session.client(service_name='secretsmanager', region_name=secretsManagerRegion)
+    #
+    # Disable warning about connecting to servers with self-signed SSL certificates.
+    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+    #
+    # Set the https retries to 1.
+    retries = Retry(total=None, connect=1, read=1, redirect=10, status=0, other=0)  # pylint: disable=E1123
+    http = urllib3.PoolManager(cert_reqs='CERT_NONE', retries=retries)
+    #
+    # Get the FSxN ID, region, volume name, volume ID, and volume ARN from the CloudWatch event.
+    fsxId      = event['detail']['responseElements']['volume']['fileSystemId']
+    regionName = event['detail']['awsRegion']
+    volumeName = event['detail']['requestParameters']['name']
+    volumeId   = event['detail']['responseElements']['volume']['volumeId']
+    volumeARN  = event['detail']['responseElements']['volume']['resourceARN']
+    if fsxId == "" or regionName == "" or volumeId == "" or volumeName == "" or volumeARN == "":
+        message = f"Couldn't obtain the fsxId, region, volume name, volume ID or volume ARN from the CloudWatch evevnt."
+        logger.critcal(message)
+        raise Exception(mmessage)
+
+    logger.debug(f'Data from CloudWatch event: FSxID={fsxId}, Region={regionName}, VolumeName={volumeName}, volumeId={volumeId}.')
+    #
+    # Get the username and password for the FSxN ID.
+    (username, password) = getCredentials(secretsManagerClient, fsxId)
+    if username == "" or password == "":
+        message = f'No credentials for FSxN ID: {fsxId}.'
+        logger.critical(message)
+        raise Exception(message)
+    #
+    # Build a header that is used for all the ONTAP API requests.
+    auth = urllib3.make_headers(basic_auth=f'{username}:{password}')
+    headers = { **auth }
+    #
+    # Get the management IP of the FSxN file system.
+    fsxClient = boto3.client('fsx', region_name = regionName)
+    fs = fsxClient.describe_file_systems(FileSystemIds = [fsxId])['FileSystems'][0]
+    fsxnIp = fs['OntapConfiguration']['Endpoints']['Management']['IpAddresses'][0]
+    if fsxnIp == "":
+        message = f"Can't find manament IP for FSxN file system with an ID of '{fsxId}'."
+        logger.critical(message)
+        raise Exception(message)
+
+    volumeUUID = getVolumeUUID(fsxClient, volumeId, volumeARN)
+    if volumeUUID == "":
+        message = f"Can't find the volumeUUID based on the volume ARN {volumeARN}."
+        logger.critical(message)
+        raise Exception(message)
+    #
+    # Set the auto grow feature.
+    try:
+        endpoint = f'https://{fsxnIp}/api/storage/volumes/{volumeUUID}'
+        data = '{"autosize": {"mode": "grow"}}'
+        logger.debug(f'Trying {endpoint} with {data}.')
+        response = http.request('PATCH', endpoint, headers=headers, timeout=5.0, body=data)
+        if response.status >= 200 and response.status <= 299:
+            logger.info(f"Updated the auto grow flag for volume name {volumeName}.")
+        else:
+            logger.error(f'API call to {endpoint} failed. HTTP status code: {response.status}.')
+    except Exception as err:
+        logger.critical(f'Failed to issue API against {fsxnIp}. The error messages received: "{err}".')