Thursday, 4 June 2015

Enforce tags - Stop cloud sprawl

To ensure that cloud sprawl does not occur, only business-approved instances should be created. A business-approved instance carries a Service tag whose value is an approved service name.

When an instance is started it must carry this tag; otherwise it is automatically stopped and the administrator is notified. The enforcer is simple and runs every 3 minutes:

  • List instances
  • Check Service tags
  • Stop nonconforming instances, e-mail a report

#!/bin/bash
# Tag enforcer: stop running EC2 instances whose Service tag is not an approved
# service name and e-mail a report. Intended to be run from cron every 3 minutes.
lock=/var/log/tagenforcer.lock
(
approvedservices="service1 service2 service3"
email=cloudsupportteam@company.com
instances=/tmp/ec2instances
nonconforming=/tmp/ec2nonconforming
report=/tmp/ec2nonconforming-report
log=/var/log/tagenforcer.log

# Serialize runs: give up if another copy of the script holds the lock for more than 10 seconds
flock -x -w 10 200 || exit 1

# Turn "service1 service2 service3" into ",service1,|,service2,|,service3,"
# so that the pattern only matches complete CSV fields
s=`echo $approvedservices | sed -e 's/ /,|,/g' | sed -e 's/^/,/' | sed -e 's/$/,/'`

# One CSV line per instance. The Tags list is converted into an object so that individual
# tags can be addressed by key; ".Tags // []" keeps jq from aborting on an untagged instance
# (exactly the kind of instance the enforcer is meant to catch). Commas inside values are
# replaced by ';' before '#' becomes the field separator (a '#' inside a tag value would
# still shift the columns).
aws ec2 describe-instances | jq -r '.Reservations[].Instances[] | ((.Tags // []) | map({key: .Key, value: .Value}) | from_entries) as $tags | "\(.InstanceId)#\(.InstanceType)#\(.PrivateIpAddress)#\(.PublicIpAddress)#\(.PublicDnsName)#\(.State.Name)#\(.Platform)#\(.LaunchTime)#\(.VpcId)#\(.SubnetId)#\(.Placement.AvailabilityZone)#\(.KeyName)#\(.ImageId)#\(.VirtualizationType)#\(.Monitoring.State)#\(.BlockDeviceMappings[0].Ebs.VolumeId)#\(.BlockDeviceMappings[1].Ebs.VolumeId)#\(.BlockDeviceMappings[2].Ebs.VolumeId)#\(.BlockDeviceMappings[3].Ebs.VolumeId)#\(.BlockDeviceMappings[4].Ebs.VolumeId)#\(.BlockDeviceMappings[5].Ebs.VolumeId)#\(.BlockDeviceMappings[6].Ebs.VolumeId)#\(.BlockDeviceMappings[7].Ebs.VolumeId)#\(.BlockDeviceMappings[8].Ebs.VolumeId)#\(.BlockDeviceMappings[9].Ebs.VolumeId)#\(.SecurityGroups[0].GroupId)#\(.SecurityGroups[1].GroupId)#\(.SecurityGroups[2].GroupId)#\(.SecurityGroups[3].GroupId)#\(.SecurityGroups[4].GroupId)#\($tags.Name)#\($tags.Product)#\($tags.Bu)#\($tags.Environment)#\($tags.Owner)#\($tags.Cc)#\($tags.Service)#\($tags["aws:cloudformation:stack-name"])"' 2>/dev/null | tr ',' ';' | tr '#' ',' > $instances

# Lines that contain no approved service name are nonconforming
egrep -v "$s" $instances > $nonconforming

# Field 6 is State.Name; only running instances need to be stopped
for i in `awk -F',' '$6 == "running" {print $1}' $nonconforming`
do
    echo "Instance: $i, Date: `date`"
    grep "^$i," $instances
    echo "Stopping instance due to nonconforming service tag:"
    aws ec2 stop-instances --instance-ids $i
    rc=$?; echo "Exit code: $rc"
done > $report

# Mail the report only if something was stopped; always append it to the log
if [ -s $report ]
then
    mailx -s "Tag enforcer stopped instance(s) `date`" $email < $report
fi
cat $report >> $log
) 200>$lock
