AWS Lambda function written in Python to manage EC2 images
The Lambda function "ec2-auto-ami-manager" provides automatic EC2 image (AMI) creation, cross-region copy and deletion as a backup strategy.
- Automatic image creation, configured through EC2 tags
- Automatic image deletion on the expiration date
- Automatic cross-region image copy
- Checks either all AWS regions or a pre-defined list of regions
- Can run locally, outside AWS Lambda
Follow these steps to get your Lambda function running.
Create this IAM role. Its trust policy lets the Lambda service assume it, and the role will be attached to your Lambda function.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
You can create it from the command line:
```
aws iam create-role --role-name lambda-ec2-auto-ami-manager --path /service-role/ --description "Automatic EC2 image creation and deletion" --assume-role-policy-document https://raw.githubusercontent.com/rodrigoluissilva/ec2-auto-ami-manager/master/lambda-role.json
```
Now attach this policy to the role; it grants the API actions the function performs.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:CreateLogGroup",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:DeregisterImage",
        "ec2:DescribeInstances",
        "ec2:CreateTags",
        "ec2:CreateSnapshot",
        "ec2:CreateImage",
        "ec2:CopyImage",
        "ec2:DeleteSnapshot",
        "ec2:DescribeRegions",
        "ec2:DescribeSnapshots"
      ],
      "Resource": "*"
    }
  ]
}
```
This can be done from the command line:
```
aws iam put-role-policy --role-name lambda-ec2-auto-ami-manager --policy-name ec2-image-manager --policy-document https://raw.githubusercontent.com/rodrigoluissilva/ec2-auto-ami-manager/master/lambda-policy.json
```
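As an added example (not part of this README or of the project's code), the following Python reviews the policy above before it is attached: it confirms that every API action the function needs is granted, lists any granted action nothing needs, and lists the non-read-only actions granted on Resource "*", which are the ones worth scoping down. The embedded policy document is the one shown above; the REQUIRED_ACTIONS set is an assumption drawn from the feature list at the top of this page, not from the project's source, and Deny statements and condition keys are deliberately not evaluated.

```python
import fnmatch
import json

# The permissions policy from this README, embedded so the check runs offline.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*"},
    {"Effect": "Allow",
     "Action": ["ec2:DescribeImages", "ec2:DeregisterImage", "ec2:DescribeInstances",
                "ec2:CreateTags", "ec2:CreateSnapshot", "ec2:CreateImage", "ec2:CopyImage",
                "ec2:DeleteSnapshot", "ec2:DescribeRegions", "ec2:DescribeSnapshots"],
     "Resource": "*"}
  ]
}
"""
POLICY = json.loads(POLICY_JSON)

# Actions the features above need (create, copy, expire, tag, discover regions).
# Assumption: derived from the feature list, not read from the project's source.
REQUIRED_ACTIONS = {
    "ec2:DescribeRegions", "ec2:DescribeInstances", "ec2:CreateImage",
    "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CopyImage", "ec2:DescribeImages",
    "ec2:DeregisterImage", "ec2:DescribeSnapshots", "ec2:DeleteSnapshot",
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
}

# Action verbs treated as read-only when judging "Resource": "*".
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    """Only Allow statements are considered; Deny statements are not evaluated here."""
    return [s for s in policy["Statement"] if s.get("Effect") == "Allow"]


def action_allowed(policy, action):
    """True if some Allow statement matches the action (IAM's '*' and '?' wildcards honoured)."""
    return any(
        fnmatch.fnmatchcase(action.lower(), pattern.lower())
        for stmt in allow_statements(policy)
        for pattern in _as_list(stmt.get("Action", []))
    )


def missing_actions(policy, required):
    """Required actions the policy does not grant; these would fail at run time."""
    return sorted(a for a in required if not action_allowed(policy, a))


def unused_actions(policy, required):
    """Granted action patterns that no required action matches; candidates for removal."""
    granted = {a for s in allow_statements(policy) for a in _as_list(s.get("Action", []))}
    return sorted(
        a for a in granted
        if not any(fnmatch.fnmatchcase(r.lower(), a.lower()) for r in required)
    )


def mutating_on_any_resource(policy):
    """Non-read-only actions granted on Resource '*'; review these for tighter scoping."""
    found = []
    for stmt in allow_statements(policy):
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[-1]
            if not verb.startswith(READ_ONLY_PREFIXES):
                found.append(action)
    return sorted(found)


if __name__ == "__main__":
    print("missing:", missing_actions(POLICY, REQUIRED_ACTIONS))
    print("unused:", unused_actions(POLICY, REQUIRED_ACTIONS))
    print("mutating on '*':", mutating_on_any_resource(POLICY))
```

Run it whenever the required-action set changes (for example when a new boto3 call is added to the function) so the role stays in step with the code instead of accumulating permissions.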
Add a new Lambda function using these options.
- Name: ec2-auto-ami-manager
- Runtime: Python 3.6
- Existing Role: service-role/lambda-ec2-auto-ami-manager
Change the timeout to 5 minutes and add a useful description.
Paste the code from the file ec2-auto-ami-manager.py into the Lambda "Function Code" area.
You can set a test event using the "Scheduled Event" template.
Download the file ec2-auto-ami-manager.py, rename it to lambda_function.py and compress it into a zip file.
Get the IAM role ARN with this command.
```
aws iam get-role --role-name lambda-ec2-auto-ami-manager
```
Replace the ARN below with the one returned by the previous command.
```
aws lambda create-function --region us-east-1 --function-name ec2-auto-ami-manager --description "Automatic EC2 image (AMI) creation and deletion as backup strategy" --zip-file fileb://lambda_function.zip --handler lambda_function.lambda_handler --runtime python3.6 --timeout 300 --role arn:aws:iam::XXXXXXXXXXXX:role/lambda-ec2-auto-ami-manager
```
This Lambda function is triggered by a CloudWatch Events rule. Run this command to schedule it at 3 am (UTC) every day.
```
aws events put-rule --name ec2-auto-ami-manager --schedule-expression "cron(0 3 * * ? *)" --description "Trigger the ec2-auto-ami-manager function"
```
Grant CloudWatch Events permission to invoke the Lambda function. Use the rule ARN returned by the previous command.
```
aws lambda add-permission --function-name ec2-auto-ami-manager --statement-id ec2-auto-ami-manager --action lambda:InvokeFunction --principal events.amazonaws.com --source-arn arn:aws:events:us-east-1:XXXXXXXXXXXX:rule/ec2-auto-ami-manager
```
Get the Lambda function ARN with this command.
```
aws lambda get-function-configuration --function-name ec2-auto-ami-manager
```
Replace the ARN below with the one returned by the previous command.
```
aws events put-targets --rule ec2-auto-ami-manager --targets "Id"="1","Arn"="arn:aws:lambda:us-east-1:XXXXXXXXXXXX:function:ec2-auto-ami-manager"
```
The default tag is "scheduler:ec2-auto-ami-creation".
To enable the backup, add this tag to the instance with a value that follows the pattern described below.
```
Key: scheduler:ec2-auto-ami-creation
Value: Enable=Yes;Type=Weekly;When=Tuesday;Retention=2;CopyTags=Yes;CopyTo=us-west-1
```
The minimum setting for a daily image creation is:
```
Key: scheduler:ec2-auto-ami-creation
Value: Enable=Yes
```
Parameter | Description | Values |
---|---|---|
Enable | Enable or disable automatic image creation. This is the only parameter needed to enable daily image creation. | Yes – Enable<br>No – Disable (default) |
Type | How often to take an image. | Always – One image on every execution<br>Daily – One image per day (default)<br>Weekly – One image on the weekday defined by the parameter "When"<br>Monthly – One image on the day of the month defined by the parameter "When" |
When | When the image will be taken. Accepts one or more values, e.g. When=Tuesday, When=Sunday, Thursday, When=Mon, Sat, When=25, When=1, 15, When=1, 10, 20 | Always and Daily – Not used<br>Weekly – Sun, Mon, ..., Sat or Sunday, Monday, ..., Saturday<br>Monthly – 1, 2, 3, ..., 31 |
Retention | The number of days to keep the image. | 1, 2, 3, 4, 5, ... (default: 2) |
CopyTags | Copy the EC2 instance tags to the image. | Yes – Copy all EC2 tags<br>No – Don’t copy EC2 tags (default) |
CopyTo | Make a copy of this image in a different region. Accepts one or more values, e.g. CopyTo=us-east-2 or CopyTo=us-east-2, us-west-1 | ap-south-1, eu-west-3, eu-west-2, eu-west-1, ap-northeast-2, ap-northeast-1, sa-east-1, ca-central-1, ap-southeast-1, ap-southeast-2, eu-central-1, us-east-1, us-east-2, us-west-1, us-west-2 (default: none) |
Reboot | Attempts to shut down and reboot the instance before creating the image. | Yes – Reboot<br>No – Don’t reboot (default) |
You can set a few environment variables to control how the Lambda function behaves.
Key | Description | Value |
---|---|---|
custom_aws_regions | A list of AWS regions to check during execution. Accepts one or more regions, e.g. custom_aws_regions=us-east-1, us-east-2, us-west-1 | Any valid AWS region. |
custom_tag | The tag name to look for on instances. | Any valid tag name. |
default_retention_days | The default retention period in days. | Any valid number of days. |
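As an added example, not code from the project, the following Python shows how the tag value from the parameter table and the environment variables from the table above can be parsed and turned into a decision for one instance: whether an image is due today, when it expires, and which regions it is copied to. The names load_settings, parse_tag_value, image_due and plan are this example's own; the region list is the CopyTo list from the parameter table, assumed here to apply to custom_aws_regions as well; and the sample dates and environment are constructed.

```python
import datetime
import os

# Regions the README lists as valid CopyTo targets. Assumption: the same set
# is accepted for custom_aws_regions.
KNOWN_REGIONS = {
    "ap-south-1", "eu-west-3", "eu-west-2", "eu-west-1", "ap-northeast-2",
    "ap-northeast-1", "sa-east-1", "ca-central-1", "ap-southeast-1",
    "ap-southeast-2", "eu-central-1", "us-east-1", "us-east-2", "us-west-1",
    "us-west-2",
}
# Index matches datetime.date.weekday(): Monday == 0.
WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DEFAULT_TAG = "scheduler:ec2-auto-ami-creation"
# Parameter defaults from the table; Retention=None means "use default_retention_days".
DEFAULTS = {"Enable": "No", "Type": "Daily", "When": "", "Retention": None,
            "CopyTags": "No", "CopyTo": "", "Reboot": "No"}


def _split_list(value):
    """'a, b ,c' -> ['a', 'b', 'c']; the README separates list values with commas."""
    return [item.strip() for item in value.split(",") if item.strip()]


def _yes(value):
    return value.strip().lower() == "yes"


def _as_date(day):
    return day if isinstance(day, datetime.date) else datetime.date.fromisoformat(day)


def load_settings(environ=None):
    """Read the three environment variables from the table with the README's defaults."""
    environ = os.environ if environ is None else environ
    regions = _split_list(environ.get("custom_aws_regions", ""))
    unknown = sorted(set(regions) - KNOWN_REGIONS)
    if unknown:
        raise ValueError("unknown region(s) in custom_aws_regions: " + ", ".join(unknown))
    return {
        "tag": environ.get("custom_tag", DEFAULT_TAG),
        "retention_days": int(environ.get("default_retention_days", "2")),
        "regions": regions,  # empty list means every region (ec2:DescribeRegions at run time)
    }


def parse_tag_value(value):
    """Parse 'Param=Value;Param=Value' into a dict keyed by the table's parameter names."""
    spec = dict(DEFAULTS)
    for item in value.split(";"):
        if not item.strip():
            continue
        if "=" not in item:
            raise ValueError("malformed item %r (expected Param=Value)" % item)
        key, val = (part.strip() for part in item.split("=", 1))
        canonical = next((k for k in DEFAULTS if k.lower() == key.lower()), None)
        if canonical is None:
            raise ValueError("unknown parameter %r" % key)
        spec[canonical] = val
    return spec


def image_due(spec, today):
    """Decide from Enable/Type/When whether an image is taken on 'today'."""
    if not _yes(spec["Enable"]):
        return False
    kind = spec["Type"].lower()
    if kind in ("always", "daily"):
        return True
    when = _split_list(spec["When"])
    if kind == "weekly":
        full = WEEKDAYS[today.weekday()]  # accept 'Tue' as well as 'Tuesday'
        return any(w.lower() in (full, full[:3]) for w in when)
    if kind == "monthly":
        return any(w.isdigit() and int(w) == today.day for w in when)
    raise ValueError("unknown Type %r" % spec["Type"])


def plan(tag_value, today, settings):
    """Turn one instance's tag value into what the function would do today."""
    today = _as_date(today)
    spec = parse_tag_value(tag_value)
    copy_to = _split_list(spec["CopyTo"])
    unknown = sorted(set(copy_to) - KNOWN_REGIONS)
    if unknown:
        raise ValueError("unknown CopyTo region(s): " + ", ".join(unknown))
    retention = int(spec["Retention"]) if spec["Retention"] is not None else settings["retention_days"]
    if retention < 1:
        raise ValueError("Retention must be at least 1 day")
    due = image_due(spec, today)
    return {
        "create": due,
        "expires": today + datetime.timedelta(days=retention) if due else None,
        "copy_to": copy_to if due else [],
        "copy_tags": _yes(spec["CopyTags"]),
        "reboot": _yes(spec["Reboot"]),
    }


if __name__ == "__main__":
    # Constructed sample environment and date (2024-01-02 is a Tuesday).
    settings = load_settings({"custom_aws_regions": "us-east-1, us-west-1", "default_retention_days": "5"})
    example = "Enable=Yes;Type=Weekly;When=Tuesday;Retention=2;CopyTags=Yes;CopyTo=us-west-1"
    print(plan(example, "2024-01-02", settings))
```

Rejecting unknown parameters and unknown regions up front, rather than silently ignoring them, means a mistyped tag such as "Enabel=Yes" shows up in the CloudWatch log instead of quietly producing no backups.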