cloud engineer
Here’s how to launch a LightSail instance using Terraform. Create a main.tf file.
terraform { required_providers { aws = { version = >= 3.22.0" source = "hashicorp/aws" } } } provider "aws" { profile = "default" region = "us-east-1" } resource "aws_lightsail_instance" "yourinstance" { name = "yourinstance" availability_zone = "us-east-1a" blueprint_id = "amazon_linux_2" bundle_id = "nano_2_0" } |
terraform { required_providers { aws = { version = >= 3.22.0" source = "hashicorp/aws" } } } provider "aws" { profile = "default" region = "us-east-1" } resource "aws_lightsail_instance" "yourinstance" { name = "yourinstance" availability_zone = "us-east-1a" blueprint_id = "amazon_linux_2" bundle_id = "nano_2_0" }
To launch, run the following Terraform commands.
terraform init terraform apply |
terraform init terraform apply
Here’s how to build an EFS file system using Terraform. Create a main.tf file.
terraform { required_providers { aws = { version = ">= 3.22.0" source = "hashicorp/aws" } } } provider "aws" { profile = "default" region = "us-east-1" } resource "aws_efs_file_system" "efs-test" { creation_token = "efs-test" performance_mode = "generalPurpose" throughput_mode = "bursting" encrypted = "true" tags = { Name = "efs-test" } } resource "aws_efs_mount_target" "efs-mt-example" { file_system_id = aws_efs_file_system.efs-test.id subnet_id = "subnet-xxxxxxxxxxxxxxxxx" security_groups = ["sg-xxxxxxxxxxxxxxxxxx"] } |
terraform { required_providers { aws = { version = ">= 3.22.0" source = "hashicorp/aws" } } } provider "aws" { profile = "default" region = "us-east-1" } resource "aws_efs_file_system" "efs-test" { creation_token = "efs-test" performance_mode = "generalPurpose" throughput_mode = "bursting" encrypted = "true" tags = { Name = "efs-test" } } resource "aws_efs_mount_target" "efs-mt-example" { file_system_id = aws_efs_file_system.efs-test.id subnet_id = "subnet-xxxxxxxxxxxxxxxxx" security_groups = ["sg-xxxxxxxxxxxxxxxxxx"] }
To launch, run terraform.
terraform init terraform apply |
terraform init terraform apply
Here’s a script that scans all EFS systems in several AWS accounts and regions and randomly assigns backup tags to EFS systems that are missing backup tags. This is assuming EFS is using AWS Backup service using tags to apply backup policies. If there are no backup tags, an EFS gets assigned a randomly picked backup policy.
#!/bin/bash # log file output="test.log" tmpfil="temp.txt" # empty file > $output # set random array arr[0]="efs-0000" arr[1]="efs-0400" arr[2]="efs-0800" arr[3]="efs-1200" arr[4]="efs-1600" arr[5]="efs-2000" rand=$[ $RANDOM %6 ] backup=${arr[$rand]} # set accounts and regions declare -a account=("default" "one" "two" "three" "four" "five") declare -a region=("us-east-1" "us-east-2" "us-west-1" "us-west-2") for i in "${account[@]}"; do echo "===================" >> $output echo $i >> $output echo "===================" >> $output for j in "${region[@]}"; do echo $j >> $output aws efs describe-file-systems \ --query "FileSystems[*].[FileSystemId,Tags[?Key=='aws-backup']|[0].Value]" \ --profile $i \ --region $j \ --output text > $tmpfil while read -r id tag; do if [[ $tag == "" ]]; then aws efs tag-resource \ --resource-id $id \ --tags Key="aws-backup",Value=${arr[$rand]} \ --profile $i \ --region $j >> $output echo "Added backup tag $backup to $id" >> $output elif [[ $tag == "no-backup" ]]; then echo "Backup tag is already set to no-backup on $id." >> $output else echo "No backup tag changes applied to $id." >> $output fi done < $tmpfil done done rm $tmpfil |
#!/bin/bash # log file output="test.log" tmpfil="temp.txt" # empty file > $output # set random array arr[0]="efs-0000" arr[1]="efs-0400" arr[2]="efs-0800" arr[3]="efs-1200" arr[4]="efs-1600" arr[5]="efs-2000" rand=$[ $RANDOM %6 ] backup=${arr[$rand]} # set accounts and regions declare -a account=("default" "one" "two" "three" "four" "five") declare -a region=("us-east-1" "us-east-2" "us-west-1" "us-west-2") for i in "${account[@]}"; do echo "===================" >> $output echo $i >> $output echo "===================" >> $output for j in "${region[@]}"; do echo $j >> $output aws efs describe-file-systems \ --query "FileSystems[*].[FileSystemId,Tags[?Key=='aws-backup']|[0].Value]" \ --profile $i \ --region $j \ --output text > $tmpfil while read -r id tag; do if [[ $tag == "" ]]; then aws efs tag-resource \ --resource-id $id \ --tags Key="aws-backup",Value=${arr[$rand]} \ --profile $i \ --region $j >> $output echo "Added backup tag $backup to $id" >> $output elif [[ $tag == "no-backup" ]]; then echo "Backup tag is already set to no-backup on $id." >> $output else echo "No backup tag changes applied to $id." >> $output fi done < $tmpfil done done rm $tmpfil
The AWS CLI has a not so well-known comparison operator called “contains” which can be used to filter or query the output of your results. In this example, we want to show only instances that were not terminated.
Here’s a query containing “?!contains().”
aws ec2 describe-instances \ --query 'Reservations[*].Instances[?!contains(State.Name, `terminated`)].{Instance:InstanceId}' --output text |
aws ec2 describe-instances \ --query 'Reservations[*].Instances[?!contains(State.Name, `terminated`)].{Instance:InstanceId}' --output text
After you created a backup vault, it’s time to create a backup plan. Here are a few examples.
aws backup create-backup-plan \ --cli-input-json file://backup-plan.json \ --profile default \ --region us-east-1 |
aws backup create-backup-plan \ --cli-input-json file://backup-plan.json \ --profile default \ --region us-east-1
File: backup-plan.json
{ "BackupPlan": { "BackupPlanName": "efs-0123", "Rules": [ { "RuleName": "efs-0123", "TargetBackupVaultName": "efs-vault", "ScheduleExpression": "cron(0 0 ? * * *)", "StartWindowMinutes": 60, "CompletionWindowMinutes": 10080, "Lifecycle": { "DeleteAfterDays": 7 } } ] } } |
{ "BackupPlan": { "BackupPlanName": "efs-0123", "Rules": [ { "RuleName": "efs-0123", "TargetBackupVaultName": "efs-vault", "ScheduleExpression": "cron(0 0 ? * * *)", "StartWindowMinutes": 60, "CompletionWindowMinutes": 10080, "Lifecycle": { "DeleteAfterDays": 7 } } ] } }
Finally, create a backup selection.
aws backup create-backup-selection \ --backup-plan-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx \ --cli-input-json file://backup-selection.json \ --profile poc \ --region us-east-1 |
aws backup create-backup-selection \ --backup-plan-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx \ --cli-input-json file://backup-selection.json \ --profile poc \ --region us-east-1
File: backup-selection.json
{ "BackupSelection": { "SelectionName": "efs-0123", "IamRoleArn": "arn:aws:iam::xxxxxxxxxxxx:role/service-role/AWSBackupDefaultServiceRole", "Resources": [], "ListOfTags": [ { "ConditionType": "STRINGEQUALS", "ConditionKey": "aws-backup", "ConditionValue": "efs-0123" } ] } } |
{ "BackupSelection": { "SelectionName": "efs-0123", "IamRoleArn": "arn:aws:iam::xxxxxxxxxxxx:role/service-role/AWSBackupDefaultServiceRole", "Resources": [], "ListOfTags": [ { "ConditionType": "STRINGEQUALS", "ConditionKey": "aws-backup", "ConditionValue": "efs-0123" } ] } }