AWS Lambda function written in Python to manage EC2 images (AMI) providing automatic creation, copy and deletion as backup strategy
AWS Lambda function written in Python to manage EC2 images
The Lambda function “ec2-auto-ami-manager“ provides automatic EC2 image (AMI) creation, copy and deletion as backup strategy.
Follow these steps to get your lambda function running.
Add this IAM role. It will be attached to your lambda function.
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "lambda.amazonaws.com"},"Action": "sts:AssumeRole"}]}
You can add via command line
aws iam create-role --role-name lambda-ec2-auto-ami-manager --path /service-role/ --description "Automatic EC2 image creation and deletion" --assume-role-policy-document https://raw.githubusercontent.com/rodrigoluissilva/ec2-auto-ami-manager/master/lambda-role.json
Now you have to attach this policy to allow a few actions to be performed.
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["logs:CreateLogStream","logs:CreateLogGroup","logs:PutLogEvents"],"Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*"},{"Effect": "Allow","Action": ["ec2:DescribeImages","ec2:DeregisterImage","ec2:DescribeInstances","ec2:CreateTags","ec2:CreateSnapshot","ec2:CreateImage","ec2:CopyImage","ec2:DeleteSnapshot","ec2:DescribeRegions","ec2:DescribeSnapshots"],"Resource": "*"}]}
This can be done via command line
aws iam put-role-policy --role-name lambda-ec2-auto-ami-manager --policy-name ec2-image-manager --policy-document https://raw.githubusercontent.com/rodrigoluissilva/ec2-auto-ami-manager/master/lambda-policy.json
Add a new Lambda function using these options.
Name: ec2-auto-ami-manager
Runtime: Python 3.6
Existing Role: service-role/lambda-ec2-auto-ami-manager
Change the timeout to 5 minutes and add some useful description.
Paste the code from the file ec2-auto-ami-manager.py in the Lambda Function Code area.
You can set a test event using the “Scheduled Event“ template.
Download the file ec2-auto-ami-manager.py.
Rename it to lambda_function.py.
Compress it as a zip file.
Get the IAM Role ARN using this command.
aws iam get-role --role-name lambda-ec2-auto-ami-manager
Replace the ARN by the one from the previous command.
aws lambda create-function --region us-east-1 --function-name ec2-auto-ami-manager --description "Automatic EC2 image (AMI) creation and deletion as backup strategy" --zip-file fileb://lambda_function.zip --handler lambda_function.lambda_handler --runtime python3.6 --timeout 300 --role arn:aws:iam::XXXXXXXXXXXX:role/lambda-ec2-auto-ami-manager
This lambda function is triggered by one CloudWatch Event Rule.
Run this command to set it to run at 3 am everyday.
aws events put-rule --name ec2-auto-ami-manager --schedule-expression "cron(0 3 * * ? *)" --description "Trigger the ec2-auto-ami-manager function"
Add permission to CloudWatch invoke the Lambda Function.
Use the ARN from the previous command.
aws lambda add-permission --function-name ec2-auto-ami-manager --statement-id ec2-auto-ami-manager --action lambda:InvokeFunction --principal events.amazonaws.com --source-arn arn:aws:events:us-east-1:XXXXXXXXXXXX:rule/ec2-auto-ami-manager
Get the Lambda Function ARN with this command.
aws lambda get-function-configuration --function-name ec2-auto-ami-manager
Replace this ARN by the one from the previous command.
aws events put-targets --rule ec2-auto-ami-manager --targets "Id"="1","Arn"="arn:aws:lambda:us-east-1:XXXXXXXXXXXX:function:ec2-auto-ami-manager"
The default tag is “scheduler:ec2-auto-ami-creation“
To enable the backup, add this tag and the value following the specific pattern as described bellow.
Key: scheduler:ec2-auto-ami-creation
Value: Enable=Yes;Type=Weekly;When=Tuesday;Retention=2;CopyTags=Yes;CopyTo=us-west-1
The minimum setting for a daily image creation is
Key: scheduler:ec2-auto-ami-creation
Value: Enable=Yes
| Parameter | Description | Values |
|---|---|---|
| Enable | Enable or Disable image auto creation. You need at least this parameter to enable the daily image creation. |
Yes – Enable No – Disable (default) |
| Type | How often to take an image. | Always – Will take one image on every execution Daily – One image per day (default) Weekly – One image on the weekday defined on the parameter “When” Monthly – One image on the day defined on the parameter “When” |
| When | When this image will be taken Could be one or more values. When=Tuesday When=Sunday, Thursday When=Mon, Sat When=25 When=1, 15 When=1, 10, 20 |
Always and Daily This option is not used Weekly Sun, Mon, …, Sat Sunday, Monday, …, Saturday Monthly 1, 2, 3, …, 31 |
| Retention | The number of days to keep the image. | 1, 2, 3, 4, 5, … (default: 2) |
| CopyTags | Copy EC2 tags to the image. | Yes – Copy all EC2 tags No – Don’t copy EC2 tags (default) |
| CopyTo | Make a copy of this image to a different region. Could be one or more values. CopyTo=us-east-2 CopyTo=us-east-2, us-west-1 |
ap-south-1, eu-west-3, eu-west-2, eu-west-1, ap-northeast-2, ap-northeast-1, sa-east-1, ca-central-1, ap-southeast-1, ap-southeast-2, eu-central-1, us-east-1, us-east-2, us-west-1, us-west-2 Default: None |
| Reboot | Attempts to shutdown and reboot the instance before creating the image. | Yes – Reboot No – Don’t reboot (default) |
You can set a few environment variables to control how the Lambda Function will behave.
| Key | Description | Value |
|---|---|---|
| custom_aws_regions | A list of AWS Regions to be used during the execution time. Could be one or more regions. custom_aws_regions=us-east-1, us-east-2, us-west-1 |
Any valid AWS region. |
| custom_tag | Define the tag name to be used. | Any valid tag name. |
| default_retention_days | The default retention period in days. | Any valid number of days. |