If you’ve been following our blog, you know how much we love to talk about advances in technology and how we try to make sure our readers get the most out of every post.
That is the thing about being a tech enthusiast: we start to believe in what sufficiently advanced technology can do, until it becomes indistinguishable from magic. Technology feeds on technology; technology makes technology possible.
Without much ado, here is another informative piece to help you automate AMI backups and cleanup. In our earlier post, we discussed a key limitation of working with EC2 tags:
“The process works very well for all standalone instances unless the instance terminates. In cases where you might have a load balancer serving many instances, the tag attached to one instance may terminate for some reason, therefore not creating the AMI. However, there’s a workaround using ELBs. It fetches all the load balancers with pre-defined tags (Backup for example), puts them in an array and passes them through a loop, before picking one instance attached to it, to create the AMI.”
Now, in this blog post, let us take you through the steps involved in automating AMI backups and cleanup using AWS Lambda with ELB tags.
Side Note: The steps below are quite similar to the previous blog post, but here we focus on the functionality for ELB tags.
Log in to your AWS Management Console, go to Services, and click IAM under Security & Identity.
In the IAM Dashboard, click Roles, then Create New Role with the Role Name lamda-ec2-elb-ami-role; under AWS Service Roles select AWS Lambda as the Role Type, then proceed to create the role. Go to the Policies tab, click Create Policy and select Create your own policy (you can name the policy lamda-ec2-elb-ami-policy). Paste the following JSON (the previous post’s policy plus an additional statement for ELB; note that the IAM service prefix for Elastic Load Balancing is elasticloadbalancing, not elb) into Policy Document, and click Create Policy. These wildcards are far broader than the two functions need; for production use, scope the policy down to the Describe*, CreateImage, CreateTags, DeregisterImage and DeleteSnapshot actions the scripts actually call.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:*"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*"
    }
  ]
}
Select the created policy, click Policy Actions and Attach, select the role created earlier (lamda-ec2-elb-ami-role), and click Attach Policy. We have now created a role that is allowed to call ELB and EC2 and to write logs to CloudWatch:
…and here’s the IAM role (lamda-ec2-elb-ami-role) with the attached policy (lamda-ec2-elb-ami-policy).
Now that we have a role and a policy, we need to create the first function. It backs up one instance per load balancer: for every ELB in the account carrying a “Backup” tag key, it picks any one of the instances registered to that ELB and creates an AMI from it. The tag does not need a value.
Here’s how the AMI backup script works:
Here is how to create the first function. Log in to your AWS Management Console, go to Services, and click Lambda under Compute; then click Create a Lambda Function, click Next, and Create Function.
While creating the Lambda function, make sure to choose the IAM role created earlier (lamda-ec2-elb-ami-role) and to give the function sufficient memory and a timeout long enough for the image-creation calls.
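The backup logic described above, written here as an added Python example for this post (it is not the author’s script). It assumes classic ELBs (the boto3 "elb" client), a "Backup" tag key on the load balancer, an optional "Retention" tag in days, and a DeleteOn tag written as YYYY-MM-DD; the AMI name format is our own choice. boto3 is imported only inside the handler so the planning logic can be exercised offline against plain-dict responses shaped like the real API replies.

```python
"""Added example: AMI backup Lambda for ELB-tagged instances (not the post's own code).

Assumptions: classic ELB API, a 'Backup' tag key on the load balancer, an optional
'Retention' tag in days, DeleteOn written as YYYY-MM-DD. boto3 is imported lazily in
lambda_handler so plan_backups/create_backups run offline with fake clients.
"""
import datetime

DEFAULT_RETENTION_DAYS = 7    # the post's default when no Retention tag is set
ELB_DESCRIBE_TAGS_BATCH = 20  # classic ELB describe_tags takes at most 20 names per call


def tags_to_dict(tag_list):
    """Convert a boto3-style [{'Key': k, 'Value': v}, ...] list into a plain dict."""
    return {t["Key"]: t.get("Value", "") for t in tag_list}


def retention_days(tags):
    """Read the Retention tag; fall back to the default on a missing or invalid value."""
    try:
        days = int(tags.get("Retention", ""))
    except ValueError:
        return DEFAULT_RETENTION_DAYS
    return days if days > 0 else DEFAULT_RETENTION_DAYS


def plan_backups(elb_client, today):
    """Return [(lb_name, instance_id, delete_on), ...] for every ELB tagged 'Backup'.

    As in the post, one registered instance per load balancer is picked (the first
    one); load balancers with no registered instances are skipped.
    """
    descriptions = elb_client.describe_load_balancers()["LoadBalancerDescriptions"]
    by_name = {lb["LoadBalancerName"]: lb for lb in descriptions}
    names = list(by_name)
    plans = []
    for start in range(0, len(names), ELB_DESCRIBE_TAGS_BATCH):
        batch = names[start:start + ELB_DESCRIBE_TAGS_BATCH]
        for desc in elb_client.describe_tags(LoadBalancerNames=batch)["TagDescriptions"]:
            tags = tags_to_dict(desc["Tags"])
            if "Backup" not in tags:          # tag key is enough; the value is ignored
                continue
            instances = by_name[desc["LoadBalancerName"]].get("Instances", [])
            if not instances:
                continue
            delete_on = today + datetime.timedelta(days=retention_days(tags))
            plans.append((desc["LoadBalancerName"], instances[0]["InstanceId"],
                          delete_on.isoformat()))
    return plans


def create_backups(ec2_client, plans, today):
    """Create one AMI per plan and tag it with DeleteOn; return the new image ids."""
    image_ids = []
    for lb_name, instance_id, delete_on in plans:
        image = ec2_client.create_image(
            InstanceId=instance_id,
            Name="lambda-{}-{}-{}".format(lb_name, instance_id, today.isoformat()),
            NoReboot=True,  # never reboot a serving instance; the snapshot is crash-consistent
        )
        ec2_client.create_tags(
            Resources=[image["ImageId"]],
            Tags=[{"Key": "DeleteOn", "Value": delete_on}],
        )
        image_ids.append(image["ImageId"])
    return image_ids


def lambda_handler(event, context):
    """Lambda entry point: wire real boto3 clients to the functions above."""
    import boto3  # imported here so the module also loads where boto3 is absent
    today = datetime.date.today()
    plans = plan_backups(boto3.client("elb"), today)
    return create_backups(boto3.client("ec2"), plans, today)
```

Keeping the API calls behind plain functions that take a client object is what lets you test the selection and retention rules without touching AWS; the handler is the only place that creates real clients.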
Having created AMIs with the previous function, we now need to remove them once they are no longer needed.
Here’s how the AMI cleanup script works:
Using the same steps as before, create the cleanup function (lambdaAMIcleanup). You will end up with something like this:
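The cleanup side, as an added Python example for this post rather than the author’s lambdaAMIcleanup code. It assumes the DeleteOn tag holds a YYYY-MM-DD date and that the AMIs are owned by this account, and it keeps the post’s safety rule that nothing is deleted unless a backup was created today. It goes one step beyond the post by treating any DeleteOn date that is today or earlier as due, so a skipped run does not leave expired images behind; boto3 is again imported only in the handler.

```python
"""Added example: AMI cleanup Lambda honouring the DeleteOn tag (not the post's own code).

Assumptions: DeleteOn is a YYYY-MM-DD string, AMIs are owned by this account,
and cleanup runs after the day's backup. boto3 is imported lazily in lambda_handler.
"""
import datetime


def tags_to_dict(tag_list):
    """Convert a boto3-style [{'Key': k, 'Value': v}, ...] list into a plain dict."""
    return {t["Key"]: t.get("Value", "") for t in tag_list}


def describe_delete_on_images(ec2_client):
    """List this account's AMIs that carry a DeleteOn tag, with their EBS snapshot ids."""
    resp = ec2_client.describe_images(
        Owners=["self"],
        Filters=[{"Name": "tag-key", "Values": ["DeleteOn"]}],
    )
    images = []
    for img in resp["Images"]:
        snapshots = [
            m["Ebs"]["SnapshotId"]
            for m in img.get("BlockDeviceMappings", [])
            if "SnapshotId" in m.get("Ebs", {})   # skips ephemeral (instance-store) mappings
        ]
        images.append({
            "ImageId": img["ImageId"],
            "CreationDate": img["CreationDate"],  # e.g. 2016-05-20T18:45:12.000Z
            "DeleteOn": tags_to_dict(img.get("Tags", []))["DeleteOn"],
            "SnapshotIds": snapshots,
        })
    return images


def backup_exists_for(images, day):
    """True if at least one DeleteOn-tagged AMI was created on the given day."""
    return any(img["CreationDate"][:10] == day.isoformat() for img in images)


def select_expired(images, today):
    """Pick AMIs whose DeleteOn date has arrived (DeleteOn <= today).

    Safety rule from the post: nothing is deleted unless today's backup exists,
    so a failed backup run never leaves you with zero AMIs. Unparseable tags are
    skipped rather than deleted.
    """
    if not backup_exists_for(images, today):
        return []
    expired = []
    for img in images:
        try:
            delete_on = datetime.date.fromisoformat(img["DeleteOn"])
        except ValueError:
            continue
        if delete_on <= today:
            expired.append(img)
    return expired


def delete_images(ec2_client, expired):
    """Deregister each AMI, then delete its backing snapshots; return the ids removed."""
    removed = []
    for img in expired:
        ec2_client.deregister_image(ImageId=img["ImageId"])
        for snapshot_id in img["SnapshotIds"]:   # deregistering alone leaves snapshots billing
            ec2_client.delete_snapshot(SnapshotId=snapshot_id)
        removed.append(img["ImageId"])
    return removed


def lambda_handler(event, context):
    """Lambda entry point: wire a real boto3 EC2 client to the functions above."""
    import boto3  # imported here so the module also loads where boto3 is absent
    ec2 = boto2 = boto3.client("ec2")
    today = datetime.date.today()
    return delete_images(ec2, select_expired(describe_delete_on_images(ec2), today))
```

Deleting the snapshots after deregistering is the part people forget: a deregistered AMI stops appearing in the console, but its EBS snapshots keep accruing storage charges until they are removed explicitly.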
So you now have two working functions: one that backs up AMIs and one that removes them on the date their “DeleteOn” tag specifies. Now it’s time to automate them using the Event sources feature of Lambda.
Both need to run at least once a day. Log in to your AWS Management Console, go to Services, and click Lambda under Compute.
Note that the schedule time is shown in UTC, like this:
Lambda AMI Backup Function scheduled to run at 18:45 UTC (12.15 AM IST) and Lambda AMI Cleanup Function scheduled to run at 19:30 UTC (12.45 AM IST) every day. The cleanup run is scheduled after the backup run so that the day’s new AMI exists before any old one is removed.
Once the schedule is created, you can see the rules under Services >> Management Tools >> CloudWatch >> Rules:
With the backup and cleanup functions created and scheduled, it is time to tag the load balancers: tag-key Backup with no value, and tag-key Retention with the number of days to retain.
Log in to your AWS Management Console, go to Services, and click EC2 under Compute.
Here, tag-key “Backup” identifies the load balancer whose instance the AMI has to be created from, and tag-key “Retention” with value “4” ensures that we retain the AMI for 4 days and delete it after 4 days. If the Retention tag is not set, AMIs are retained for 7 days by default.
Now you can see the AMI created with tag-key “DeleteOn” holding the deletion date.
This AMI will be deleted on the date shown in Value, but only if a successful AMI was created for that day.
That’s it! We’ve successfully used AWS Lambda to automate AMI backups and cleanups for ELB tags.
Easy, isn’t it? If you still face any challenge, drop a comment below and we would be more than happy to assist you further. If you have any feedback or insights to share with us, we’re just a click away.
Till then, Happy Innovating!
Nagarjuna D. N is System Administrator with BluePi Consulting.