feat: isolated volume resource; data backup via lifecycle manager policy

Author: g-otn

cloud-init/cloud-init.yml

@@ -3,19 +3,29 @@ packages:
   - htop
   - docker
 
+bootcmd:
+  # cloud-init runs before EBS volume mount (sometimes?), so we have to wait. See https://stackoverflow.com/a/77868589/11138267
+  - echo "$(date --rfc-3339=ns) | Waiting for EBS volume device to be available"
+  - echo "$(lsblk)"
+  - timeout 30s sh -c 'while [ ! -e ${device_name} ]; do sleep 1; done'
+  - echo "$(date --rfc-3339=ns) | Device found"
+  - echo "$(lsblk)"
+
 timezone: ${timezone}
 
 device_aliases: { "minecraft_data": "${device_name}" }
 disk_setup:
   minecraft_data:
     table_type: gpt
     layout: true
+    overwrite: true
 
 fs_setup:
   - device: minecraft_data
     label: Minecraft
     filesystem: xfs
     partition: any
+    overwrite: true
 
 mounts:
   - [
@@ -27,32 +37,6 @@ mounts:
       "2",
     ]
 
-runcmd:
-  - systemctl daemon-reload
-  # Finish Duck DNS setup
-  - systemctl enable duck.service
-  - systemctl start duck.service
-  # Manually install Docker Compose plugin
-  - mkdir -p /usr/local/lib/docker/cli-plugins
-  - [
-      curl,
-      -SL,
-      "https://github.com/docker/compose/releases/download/v2.27.1/docker-compose-linux-aarch64",
-      -o,
-      /usr/local/lib/docker/cli-plugins/docker-compose,
-    ]
-  - chmod +x /usr/local/lib/docker/cli-plugins/docker-compose
-  # Finish Docker setup
-  - usermod -a -G docker ec2-user # Allow docker commands without sudo
-  - systemctl enable docker
-  - systemctl start docker
-  # Initialize Minecraft server
-  - chown ec2-user:ec2-user -R ${minecraft_data_path} # Fix permissions
-  - systemctl enable minecraft
-  - systemctl start minecraft
-  - systemctl enable minecraft_shutdown.timer
-  - systemctl start minecraft_shutdown.timer
-
 write_files:
   # Duck DNS files
   - path: /home/ec2-user/duck.sh
@@ -92,3 +76,31 @@ write_files:
     defer: true
     encoding: base64
     content: ${minecraft_shutdown_timer_file_content_b64}
+
+runcmd:
+  - lsblk
+  - cat /etc/fstab
+  - systemctl daemon-reload
+  # Finish Duck DNS setup
+  - systemctl enable duck.service
+  - systemctl start duck.service
+  # Manually install Docker Compose plugin
+  - mkdir -p /usr/local/lib/docker/cli-plugins
+  - [
+      curl,
+      -SL,
+      "https://github.com/docker/compose/releases/download/v2.27.1/docker-compose-linux-aarch64",
+      -o,
+      /usr/local/lib/docker/cli-plugins/docker-compose,
+    ]
+  - chmod +x /usr/local/lib/docker/cli-plugins/docker-compose
+  # Finish Docker setup
+  - usermod -a -G docker ec2-user # Allow docker commands without sudo
+  - systemctl enable docker
+  - systemctl start docker
+  # Initialize Minecraft server
+  - chown ec2-user:ec2-user -R ${minecraft_data_path} # Fix permissions
+  - systemctl enable minecraft
+  - systemctl start minecraft
+  - systemctl enable minecraft_shutdown.timer
+  - systemctl start minecraft_shutdown.timer

dlm.tf

@@ -0,0 +1,87 @@
+data "aws_iam_policy_document" "assume_role_dlm" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["dlm.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+data "aws_iam_policy_document" "dlm_lifecycle" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "ec2:CreateSnapshot",
+      "ec2:CreateSnapshots",
+      "ec2:DeleteSnapshot",
+      "ec2:DescribeInstances",
+      "ec2:DescribeVolumes",
+      "ec2:DescribeSnapshots",
+    ]
+
+    resources = ["*"]
+  }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["ec2:CreateTags"]
+    resources = ["arn:aws:ec2:*::snapshot/*"]
+  }
+}
+
+// ---
+
+resource "aws_iam_role" "dlm_lifecycle_role" {
+  name                = "${local.title_PascalCase}-AWSDataLifecycleManagerServiceRole"
+  assume_role_policy  = data.aws_iam_policy_document.assume_role_dlm.json
+  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSDataLifecycleManagerServiceRole"]
+}
+
+resource "aws_iam_role_policy" "dlm_lifecycle" {
+  name   = "${local.title_PascalCase}-LifecycleRole"
+  role   = aws_iam_role.dlm_lifecycle_role.id
+  policy = data.aws_iam_policy_document.dlm_lifecycle.json
+}
+
+resource "aws_dlm_lifecycle_policy" "backup_minecraft_data" {
+  description        = "Takes daily snapshots of Minecraft data EBS volumes and retains them for two weeks"
+  execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
+  state              = "ENABLED"
+
+  policy_details {
+    resource_types = ["VOLUME"]
+
+    schedule {
+      name = "Last 7 days"
+
+      create_rule {
+        interval      = 24
+        interval_unit = "HOURS"
+        times         = ["07:12"]
+      }
+
+      retain_rule {
+        count = 7
+      }
+
+      tags_to_add = {
+        SnapshotCreator = "DLM"
+      }
+
+      copy_tags = true
+    }
+
+    target_tags = {
+      "minecraft-spot-discord:data-volume" = true
+    }
+  }
+
+  tags = {
+    Name = "${local.title} Backup Lifecycle Policy"
+  }
+}

ec2.tf

@@ -79,30 +79,28 @@ resource "aws_key_pair" "ec2_spot_instance" {
   public_key = var.instance_key_pair_public_key
 }
 
-# resource "aws_ebs_volume" "minecraft" {
-#   availability_zone = var.subnet_az
-#   type              = "gp3"
-#   size              = var.minecraft_data_volume_size
-#   iops              = 3000
-#   throughput        = 125
-
-#   tags = {
-#     Name = "${local.title} Minecraft Data Volume"
-#     "minecraft-spot-discord:created-at" : time_static.ebs_creation_date.rfc3339
-#   }
-
-#   # lifecycle {
-#   #   prevent_destroy = true
-#   # }
-# }
-
-# resource "aws_volume_attachment" "attach_minecraft_data_to_instance" {
-#   device_name = local.device_name
-#   volume_id   = aws_ebs_volume.minecraft.id
-#   instance_id = module.ec2_spot_instance.spot_instance_id
-
-#   stop_instance_before_detaching = true
-# }
+resource "aws_ebs_volume" "minecraft" {
+  availability_zone = var.subnet_az
+  type              = "gp3"
+  size              = var.minecraft_data_volume_size
+  iops              = 3000
+  throughput        = 125
+
+  final_snapshot = true
+
+  tags = {
+    Name = "${local.title} Minecraft Data Volume"
+    "minecraft-spot-discord:data-volume" : true
+  }
+}
+
+resource "aws_volume_attachment" "attach_minecraft_data_to_instance" {
+  device_name = local.device_name
+  volume_id   = aws_ebs_volume.minecraft.id
+  instance_id = module.ec2_spot_instance.spot_instance_id
+
+  stop_instance_before_detaching = true
+}
 
 module "ec2_spot_instance" {
   source  = "terraform-aws-modules/ec2-instance/aws"
@@ -120,36 +118,23 @@ module "ec2_spot_instance" {
   subnet_id                   = module.vpc.public_subnets[0]
   associate_public_ip_address = true
 
-  monitoring = true
-  key_name   = aws_key_pair.ec2_spot_instance.key_name
+  # monitoring = true
+  key_name = aws_key_pair.ec2_spot_instance.key_name
 
   spot_instance_interruption_behavior = "stop"
 
   user_data = local.ec2_user_data
 
   enable_volume_tags = false
-  ebs_block_device = [{
-    volume_type = "gp3"
-    volume_size = var.minecraft_data_volume_size
-    iops        = 3000
-    throughput  = 125
-
-    device_name           = local.device_name
-    delete_on_termination = false
-
-    tags = {
-      Name = "${local.title} Minecraft Data Volume"
-    }
-  }]
 
   // Due to bug in the provider, spot instances and its root volumes are not being tagged automatically
   # instance_tags = { Name = "${local.title} Spot Instance" }
   # enable_volume_tags = false
-  # root_block_device = [{
-  #   tags = {
-  #     Name = "${local.title} Root Volume"
-  #   }
-  # }]
+  root_block_device = [{
+    tags = {
+      Name = "${local.title} Root Volume"
+    }
+  }]
   tags = {
     Name = "${local.title} Spot Instance Request"
   }

lambda/manage-instance/index.ts

@@ -7,12 +7,8 @@ import {
 } from '@aws-sdk/client-ec2';
 import type { Handler, SNSEvent } from 'aws-lambda';
 import { captureAWSv3Client } from 'aws-xray-sdk-core';
-import {
-  InteractionResponseType,
-  RESTPatchAPIInteractionOriginalResponseJSONBody,
-  type RESTPostAPIInteractionCallbackJSONBody,
-} from 'discord-api-types/v10';
 import { captureFetchGlobal } from 'aws-xray-sdk-fetch';
+import { RESTPatchAPIInteractionOriginalResponseJSONBody } from 'discord-api-types/v10';
 
 // comment for debugging bundle
 //!
@@ -73,9 +69,13 @@ const sendEC2Command = async (instanceId: string, command: string) => {
 
           return (
             `Addresses:\n` +
-            `- **\`${PublicIpAddress}:${MINECRAFT_PORT}\`**\n` +
-            `- \`${PublicDnsName}:${MINECRAFT_PORT}\`\n` +
-            `- \`${DUCKDNS_DOMAIN}.duckdns.org:${MINECRAFT_PORT}\``
+            (PublicIpAddress
+              ? `- **\`${PublicIpAddress}:${MINECRAFT_PORT}\`**\n`
+              : '') +
+            (PublicDnsName
+              ? `- \`${PublicDnsName}:${MINECRAFT_PORT}\`\n`
+              : '') +
+            `- \`${DUCKDNS_DOMAIN}.duckdns.org:${MINECRAFT_PORT}\` (Dynamic)`
           );
         });
     default:

variables.tf

@@ -117,14 +117,14 @@ variable "minecraft_compose_ports" {
 variable "minecraft_compose_environment" {
   type = map(string)
   default = {
-    "INIT_MEMORY" : "6000M"
-    "MAX_MEMORY" : "6000M"
+    "INIT_MEMORY" : "5900M"
+    "MAX_MEMORY" : "5900M"
   }
 }
 
 variable "minecraft_compose_limits" {
   type = map(string)
   default = {
-    memory : "7500mb"
+    memory : "7400mb"
   }
 }