Add EventBridge rules to route ASG lifecycle events to the SSM automations

keithduncan · keithduncan · commit aa1deb98ea09 · 2021-11-22T16:56:28.000+10:00
diff --git a/templates/aws-stack.yml b/templates/aws-stack.yml
@@ -1119,6 +1119,29 @@ Resources:
         ScaleOutForWaitingJobs: !Ref ScaleOutForWaitingJobs
         DisableScaleIn: "false"
 
+  EventBridgeRuleRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: events.amazonaws.com
+            Action: sts:AssumeRole
+      Policies:
+        - PolicyName: StartSsmAutomation
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action: ssm:StartAutomationExecution
+                Resource:
+                  - !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:automation-definition/${BootHookAutomation}:$DEFAULT
+                  - !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:automation-definition/${ShutdownHookAutomation}:$DEFAULT
+              - Effect: Allow
+                Action: iam:PassRole
+                Resource: !GetAtt AutomationRole.Arn
+
   AutomationRole:
     Type: AWS::IAM::Role
     Properties:
@@ -1157,6 +1180,26 @@ Resources:
       # them
       HeartbeatTimeout: 300
 
+  BootHookRule:
+    Type: AWS::Events::Rule
+    Properties:
+      Description: !Sub Run the boot time AWS SSM Automation for ${BootHook}
+      EventPattern:
+        source:
+          - aws.autoscaling
+        detail-type:
+          - "EC2 Instance-launch Lifecycle Action"
+        detail:
+          AutoScalingGroupName: !Ref AgentAutoScaleGroup
+      Targets:
+        - Arn: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:automation-definition/${BootHookAutomation}:$DEFAULT
+          RoleArn: !GetAtt EventBridgeRuleRole.Arn
+          Id: TargetSsmAutomation
+          InputTransformer:
+            InputPathsMap:
+              instanceid: "$.detail.EC2InstanceId"
+            InputTemplate: "{\"InstanceId\":[<instanceid>]}"
+
   BootHookAutomation:
     Type: AWS::SSM::Document
     Properties:
@@ -1205,6 +1248,26 @@ Resources:
       HeartbeatTimeout: 3600
       DefaultResult: CONTINUE
 
+  ShutdownHookRule:
+    Type: AWS::Events::Rule
+    Properties:
+      Description: !Sub Run the shutdown time AWS SSM Automation for ${ShutdownHook}
+      EventPattern:
+        source:
+          - aws.autoscaling
+        detail-type:
+          - "EC2 Instance-terminate Lifecycle Action"
+        detail:
+          AutoScalingGroupName: !Ref AgentAutoScaleGroup
+      Targets:
+        - Arn: !Sub arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:automation-definition/${BootHookAutomation}:$DEFAULT
+          RoleArn: !GetAtt EventBridgeRuleRole.Arn
+          Id: TargetSsmAutomation
+          InputTransformer:
+            InputPathsMap:
+              instanceid: "$.detail.EC2InstanceId"
+            InputTemplate: "{\"InstanceId\":[<instanceid>]}"
+
   ShutdownHookAutomation:
     Type: AWS::SSM::Document
     Properties:
