Every time an EC2 instance gets created, I want to run a script on that instance. I understand this could be done using the user_data parameter, but some of these instances get created manually, so people may forget to fill in that parameter sometimes. I want to rely on something automatic instead.
I figured to do it with EventBridge: catch an event that would indicate to me that an instance has been created, then trigger a lambda that would run the script. But when looking in the documentation I couldn't find any event that would relate to "EC2 created", see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/monitoring-instance-state-changes.html.
Any idea how to get this done?
Create an EventBridge rule with the following pattern to catch the event:
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": ["RunInstances"]
}
}
and configure the target of the rule to be an AWS lambda function. Configure the lambda to parse the event and invoke an SSM run command against the instance.
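A minimal Lambda handler for that target, added here as an illustration and not code from the answer: it pulls the new instance ids out of the CloudTrail record's responseElements, refuses to proceed when CloudTrail has replaced responseElements with the "omitted": true placeholder (a case another question on this page runs into), and sends the script through SSM Run Command. The injected ssm client, the bootstrap script path and the sample event are assumptions.

```python
# Constructed sample of what EventBridge hands the Lambda for a CloudTrail RunInstances
# call, trimmed to the fields the handler reads; the instance ids are made up.
SAMPLE_RUN_INSTANCES_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0123456789abcdef0"}, {"instanceId": "i-0fedcba9876543210"}]}},
    },
}


class ResponseTruncated(Exception):
    """CloudTrail replaced responseElements with {"omitted": true, ...}: no ids to act on."""


def instance_ids_from_run_instances(event):
    """Return the instance ids a RunInstances call created, read from the CloudTrail record."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "RunInstances":
        raise ValueError(f"unexpected eventName: {detail.get('eventName')!r}")
    resp = detail.get("responseElements") or {}
    if resp.get("omitted"):
        # Fail loudly so the invocation error is visible (metrics/DLQ) instead of bootstrapping nothing.
        raise ResponseTruncated(resp.get("reason", "responseElements omitted"))
    items = resp.get("instancesSet", {}).get("items", [])
    return [item["instanceId"] for item in items if "instanceId" in item]


def run_bootstrap(event, ssm_client, script_lines):
    """Run script_lines on every new instance through SSM Run Command (AWS-RunShellScript).

    ssm_client is injected so this runs offline; a real Lambda passes boto3.client("ssm").
    """
    ids = instance_ids_from_run_instances(event)
    if not ids:
        return {"sent": [], "command_id": None}
    resp = ssm_client.send_command(
        InstanceIds=ids, DocumentName="AWS-RunShellScript", Parameters={"commands": script_lines}
    )
    return {"sent": ids, "command_id": resp["Command"]["CommandId"]}


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; imported lazily so the module loads offline
    return run_bootstrap(event, boto3.client("ssm"), ["/usr/local/bin/bootstrap.sh"])
```

Right after RunInstances the instance is usually not yet registered with SSM, so send_command can still be rejected for it; retrying from a queue, or keying on the running state change as the next answer does, avoids that.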
In my case I have an EventBridge Rule with the following detail:
{
"detail-type": ["EC2 Instance State-change Notification"],
"detail": {
"state": ["running"]
},
"source": ["aws.ec2"]
}
And my target is a lambda function that runs an SSM document on that instance.
Related
I was trying to get a notification; it doesn't matter how, whether via email, SMS, etc. The notification shouldn't be for state changes only, which I have already done. Instead, I'd like to be notified when an EIP is disassociated, a network interface or volume is detached, or something else affecting the EC2 instance itself.
Is this possible?
I have been working with Amazon EventBridge rules, but I only get events captured when the instance is stopped, terminated or running.
I'd like to be notified when an EIP is disassociated, a network interface or volume is detached, or something else affecting the EC2 instance itself.
If you want to be notified of a specific event, such as when an EIP is disassociated, I would recommend you use EventBridge with a CloudTrail pattern (in this case, for the DisassociateAddress event).
If you want to be notified of any changes to the EC2 instance, I would recommend you use Config.
So, I figured it out as you said, @paolo. Basically, I looked for the event in CloudTrail and matched it in EventBridge; however, I had to do all the event patterns separately, as follows, to make them work.
For the detachment of the network interface attached to the instance I want to monitor:
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": ["DetachNetworkInterface"],
"requestParameters": {"attachmentId": ["eni-attach-0671ffxxx10bxxx46"]}
}
}
And for the instance status:
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": [
"RunInstances",
"StartInstances",
"StopInstances",
"TerminateInstances"
],
"requestParameters": {
"instancesSet": {
"items": {"instanceId": ["i-09513xxxd3xxxa04"]}
}
}
}
And so on for IAM roles, DetachVolumes, ModifyNetworkInterface, etc.
EventBridge/CloudTrail pass the JSON string below to my lambda function when the results get too long.
Is there any way to view the responseElements, like with paginators or NextToken?
"responseElements":{
"omitted":true,
"originalSize":175918,
"reason":"responseElements too large"
}
I'm using the following EventBridge pattern:
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": ["RunInstances"]
}
}
This is a limitation of CloudTrail, so at this time it's not possible to pass that information from CloudTrail if it exceeds 100KB.
A potential workaround that may be useful to others seeing this message is to create an EventBridge rule to track EC2 instance state changes. So instead of monitoring the RunInstances API call, look for instances changing into the running state and trigger from that, as this should have a smaller response.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatch-Events-tutorial-CloudWatch-Logs.html
I have a Lambda function that I want to take action on a transit gateway when a new VPC is created, or when a VPC is updated. I've used CloudWatch Events for similar triggers in the past (such as when an EC2 instance was terminated) and was hoping to do something similar for this use case. What I've found is that VPC is not listed as one of the services available in Events, and the CloudTrail trail I have configured doesn't appear to be catching CreateVpc or DeleteVpc events, so I'm not sure that using the CloudTrail event pattern is possible either.
I was hoping to use an event similar to what's below, but have not had any luck:
{
"source": ["aws.cloudtrail"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["cloudtrail.amazonaws.com"],
"eventName": ["CreateVpc"]
}
}
Is it possible to catch a CreateVpc event for use as a Lambda trigger?
doesn't appear to be catching CreateVpc or DeleteVpc events
You have to double-check your trail setup. CreateVpc and DeleteVpc are for sure captured by CloudTrail.
However, it may be a problem with your rule. The source should be aws.ec2:
{
"source": ["aws.ec2"],
"detail-type": ["AWS API Call via CloudTrail"],
"detail": {
"eventSource": ["ec2.amazonaws.com"],
"eventName": ["CreateVpc"]
}
}
I have a lambda function in Python that I want to invoke whenever a new S3 bucket is created. I want to create a custom event trigger to invoke it. What would be the best way to go about implementing this?
You can create a CloudWatch rule (see below) that triggers when a bucket is created or deleted and launches a lambda as its target.
In CloudWatch, Create rule > choose
Service Name: Simple Storage Service (S3)
Event Type: Bucket Level Operations
and select Specific Operations, specifying CreateBucket (and DeleteBucket if you need it).
This will produce "custom" code similar to the below.
{
"detail-type": [
"AWS API Call via CloudTrail"
],
"source": [
"aws.s3"
],
"detail": {
"eventSource": [
"s3.amazonaws.com"
],
"eventName": [
"CreateBucket",
"DeleteBucket"
]
}
}
I could answer here, but have a look at this: How to Execute Lambda Functions on S3 Event Triggers
Hello. You can monitor new bucket creation with the AWS Config or AWS CloudTrail services and call a Lambda function for such an event.
I need to create an AMI when an instance is terminated/shuts down, to back it up. I set up a CloudWatch rule on the EC2 Instance State-change event to create the AMI via SSM Run Command (the target document is AWS-RunShellScript (Linux)). It works fine if I provide a hardcoded instance id as the command parameter:
/home/ec2-user/createImage.sh i-123456
This rule needs to be applied to all instances. I need to get the instance id dynamically from the source and send it to the target. I tried Input Transformer, but it's not getting the data from the source. Dynamic parameters like {{variable Name}} are also not working. Any suggestions?
Thanks.
You can configure an Amazon CloudWatch Events rule:
You can have the rule trigger an AWS Lambda function that triggers the snapshot. When the Lambda function is triggered, the following information is passed to the function:
{
"version": "0",
"id": "01345791-08ce-baaf-78f5-437aca50f13c",
"detail-type": "EC2 Instance State-change Notification",
"source": "aws.ec2",
"account": "123456789012",
"time": "2017-09-12T00:28:55Z",
"region": "ap-southeast-2",
"resources": [
"arn:aws:ec2:ap-southeast-2:123456789012:instance/i-0cf605453b22f703e"
],
"detail": {
"instance-id": "i-0cf605453b22f703e",
"state": "stopped"
}
}
Note that the Instance ID is passed with the message, so you can use this in the CreateSnapshot command within the Lambda function.
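As an added example (not code from the answer), a handler for the notification above: it reads the instance id from detail, cross-checks it against the resources ARN, and creates the AMI the question asks for with CreateImage. The injected ec2 client, the "stopped" state gate and the AMI naming scheme are assumptions.

```python
import datetime as dt

# Constructed copy of the state-change notification shape shown above (ids are made up).
SAMPLE_STATE_CHANGE_EVENT = {
    "detail-type": "EC2 Instance State-change Notification",
    "source": "aws.ec2",
    "region": "ap-southeast-2",
    "resources": ["arn:aws:ec2:ap-southeast-2:123456789012:instance/i-0cf605453b22f703e"],
    "detail": {"instance-id": "i-0cf605453b22f703e", "state": "stopped"},
}

# Assumption: only a stopped instance is imaged; notifications for other states are ignored.
BACKUP_STATES = {"stopped"}


def instance_id_from_state_change(event):
    """Return the instance id from a state-change notification, cross-checked against the ARN."""
    if event.get("detail-type") != "EC2 Instance State-change Notification":
        raise ValueError("not an EC2 Instance State-change Notification")
    instance_id = event["detail"]["instance-id"]
    arn_ids = [r.rsplit("/", 1)[-1] for r in event.get("resources", []) if ":instance/" in r]
    if arn_ids and instance_id not in arn_ids:
        raise ValueError("detail.instance-id does not match the resources ARN")
    return instance_id


def backup_on_state_change(event, ec2_client, now=None):
    """Create an AMI of the instance when it enters a backup state; otherwise do nothing.

    ec2_client is injected so this runs offline; a real Lambda passes boto3.client("ec2").
    """
    instance_id = instance_id_from_state_change(event)
    state = event["detail"]["state"]
    if state not in BACKUP_STATES:
        return {"instance_id": instance_id, "state": state, "image_id": None}
    stamp = (now or dt.datetime.now(dt.timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    resp = ec2_client.create_image(
        InstanceId=instance_id,
        Name=f"backup-{instance_id}-{stamp}",  # AMI names must be unique per account and region
        NoReboot=True,  # the instance is already stopped, so no reboot is needed for consistency
        TagSpecifications=[{"ResourceType": "image",
                            "Tags": [{"Key": "SourceInstance", "Value": instance_id}]}],
    )
    return {"instance_id": instance_id, "state": state, "image_id": resp["ImageId"]}


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime
    return backup_on_state_change(event, boto3.client("ec2"))
```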
Thanks John. I set up a Lambda function as a target in CloudWatch and successfully tested it. This link has the code to create the AMI.