Change/Add Name of Managed Instance after Activation in Systems Manager - amazon-web-services

I have been setting up Amazon EC2 Systems Manager in order to manage our Windows patch management setup. All looking good so far as we can get the on premises servers listed in the console using the activation.
I have activated the following servers on the same activation (without entering a name as part of the activation). As I now have around 5 managed instances on there, they have no name. In the MI section I can see the computer name, but when it comes to Run Command or doing anything else I am only able to see the instance ID.
[Screenshot: AWS ECS Systems Manager - Managed Instances, need to be able to set the name]
How can I go back and update the name for these managed instances? Do I really have to add each server on a separate individual activation again?
Thanks

You can set the name of your managed instances by setting the Name tag on the instance. At the moment you have to use the AWS CLI or the AWS PowerShell tools to do this, but once done you'll see the name in the console.
You can find the AWS CLI documentation here: http://docs.aws.amazon.com/cli/latest/reference/ssm/add-tags-to-resource.html
aws ssm add-tags-to-resource --resource-type ManagedInstance --resource-id <your managed instance id> --tags Key=Name,Value=<instance name>
Hope this helps.
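The same tagging done for a whole fleet at once, as an added example (not part of the original answer): hybrid instances that still have no Name tag get one derived from the ComputerName that the MI list already shows. It assumes credentials that may call ssm:DescribeInstanceInformation, ssm:ListTagsForResource and ssm:AddTagsToResource; the instance ids and host names below are constructed.

```python
"""Tag unnamed SSM managed instances with a Name taken from their reported ComputerName.
Added example, not from the original answer; it assumes credentials that may call
ssm:DescribeInstanceInformation, ssm:ListTagsForResource and ssm:AddTagsToResource."""
import re

# Constructed sample shaped like describe_instance_information()["InstanceInformationList"]
SAMPLE_INSTANCES = [
    {"InstanceId": "mi-0123456789abcdef0", "ComputerName": "WEB01.corp.example.com",
     "ResourceType": "ManagedInstance"},
    {"InstanceId": "mi-0123456789abcdef1", "ComputerName": "DB01.corp.example.com",
     "ResourceType": "ManagedInstance"},
    {"InstanceId": "i-0abcdef1234567890", "ComputerName": "ip-10-0-0-5",
     "ResourceType": "EC2Instance"},
]
SAMPLE_TAGS = {"mi-0123456789abcdef1": [{"Key": "Name", "Value": "database-01"}]}  # constructed: DB01 named by hand
TAG_VALUE_OK = re.compile(r"^[\w .:/=+\-@]{1,256}$")  # characters a tag value may contain

def name_from_computer_name(computer_name):
    """Short host name: the domain suffix is dropped so the console shows 'WEB01'."""
    return computer_name.split(".", 1)[0]

def plan_name_tags(instances, existing_tags):
    """Return [(resource_id, name)] for hybrid (mi-) instances that have no Name tag yet."""
    plan = []
    for inst in instances:
        if inst.get("ResourceType") != "ManagedInstance":
            continue  # EC2 instances are named through ec2:CreateTags, not ssm
        if any(t["Key"] == "Name" for t in existing_tags.get(inst["InstanceId"], [])):
            continue  # never overwrite a name somebody already chose
        name = name_from_computer_name(inst.get("ComputerName", ""))
        if TAG_VALUE_OK.match(name):
            plan.append((inst["InstanceId"], name))
    return plan

def apply_plan(ssm, plan):
    """Same API call as the CLI command above, once per planned instance; returns the count."""
    for resource_id, name in plan:
        ssm.add_tags_to_resource(ResourceType="ManagedInstance", ResourceId=resource_id,
                                 Tags=[{"Key": "Name", "Value": name}])
    return len(plan)

if __name__ == "__main__":
    import boto3  # only needed for the live run against the account
    ssm = boto3.client("ssm")
    live = [i for page in ssm.get_paginator("describe_instance_information").paginate()
            for i in page["InstanceInformationList"]]
    tags = {i["InstanceId"]: ssm.list_tags_for_resource(
                ResourceType="ManagedInstance", ResourceId=i["InstanceId"])["TagList"]
            for i in live if i["ResourceType"] == "ManagedInstance"}
    print("tagged", apply_plan(ssm, plan_name_tags(live, tags)), "instance(s)")
```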

Related

Is the AWS CLI missing data for the "ec2 describe-instances" method?

As of the date of this question I'm using the most recent version of the AWS CLI (2.4.6) running on macOS. According to the v2 docs the Instances that are returned should include properties like InstanceLifecycle, Licenses, MetadataOptions -> PlatformDetails and several others that are missing for me. While I'm getting back most data, some fields are absent... I've tried this in two separate AWS accounts and I have admin IAM creds that I'm using locally, so why does the aws ec2 describe-instances call not return all of the fields listed in the docs?
Not all outputs are available for every EC2 instance; it depends on the way your EC2 instances were provisioned.
Ex:
InstanceLifecycle: is exclusive to instances you provisioned as a spot instance or a reserved one.
Licenses: if you used BYOL (Bring Your Own License) when provisioning the EC2 instance.
Extra: the docs describe every possible output from querying the EC2 API endpoint, but which ones appear depends on the different parameters of your provisioned EC2 instance.
For example, try to provision a spot instance and query the instance lifecycle.

EC2 Instances to Automatically join AD hosted in EC2

I'd like to know if there is an approach to automatically join an EC2 instance (launched via Elastic Beanstalk) to an Active Directory already hosted on an EC2 Windows Server.
Following the document below I could see that it is possible using AD Connector or AWS Simple AD (either will give a "directoryId"), but in my case the AD is already hosted on an EC2 instance.
https://aws.amazon.com/blogs/security/how-to-configure-your-ec2-instances-to-automatically-join-a-microsoft-active-directory-domain/
You can do it by following the same path - but instead of relying on the default SSM document for Managed AD, you should create a custom one.
In it, you can omit the directory id and rely on DNS name / IP address of your EC2 AD and respective domain name, username and password with which you join.
This approach is partially described in the following blog post. It has an actual SSM document as a CloudFormation stack which you can use as a base.
In order to fully automate it you can create an Amazon EventBridge rule that will be looking for EC2 Launch instance events and has SSM Run Command as a target (Run Command can start your custom SSM document). There are some dedicated Beanstalk events that may be useful in this regard as well.
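What such a custom document looks like, as an added example that is neither the blog post's CloudFormation stack nor anything from the original answer: a Python builder that emits the Command document content (no directoryId; domain, DC address and join account are parameters) together with the EventBridge pattern for "instance entered running". The join password is pulled at run time from a SecureString parameter via {{ssm-secure:...}}; the parameter name ADJoinPassword, the domain and the addresses are assumed placeholders, and the join account should be a delegated account that can only join computers.

```python
"""Custom Command document that joins a Windows instance to a self-managed AD on EC2.
Added example, not the blog post's CloudFormation stack. The domain, DC address,
join account and the SecureString parameter name ADJoinPassword are assumed placeholders."""
import json

JOIN_SCRIPT = [
    # DNS must point at the domain controller first, or Add-Computer cannot locate the domain.
    "$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1",
    "Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses '{{ DcAddress }}'",
    # {{ssm-secure:...}} is resolved by Run Command from a SecureString parameter at run time,
    # so the password is never stored in the document; the principal sending the command
    # needs ssm:GetParameters on that parameter.
    "$pw = ConvertTo-SecureString '{{ssm-secure:ADJoinPassword}}' -AsPlainText -Force",
    "$cred = New-Object System.Management.Automation.PSCredential('{{ DomainUser }}', $pw)",
    "Add-Computer -DomainName '{{ DomainName }}' -Credential $cred -Restart -Force",
]

def build_domain_join_document(domain_name, dc_address, domain_user):
    """Document content: no directoryId anywhere, the target domain comes in as parameters."""
    return {
        "schemaVersion": "2.2",
        "description": "Join a Windows instance to an Active Directory hosted on EC2",
        "parameters": {
            "DomainName": {"type": "String", "default": domain_name},
            "DcAddress": {"type": "String", "default": dc_address},
            "DomainUser": {"type": "String", "default": domain_user},
        },
        "mainSteps": [{
            "action": "aws:runPowerShellScript",
            "name": "joinDomain",
            "precondition": {"StringEquals": ["platformType", "Windows"]},
            "inputs": {"runCommand": JOIN_SCRIPT},
        }],
    }

def launch_event_pattern():
    """EventBridge pattern for the 'instance entered running' events the answer mentions."""
    return {"source": ["aws.ec2"],
            "detail-type": ["EC2 Instance State-change Notification"],
            "detail": {"state": ["running"]}}

def document_json(domain_name, dc_address, domain_user):
    """Body for: aws ssm create-document --document-type Command --content file://join.json"""
    return json.dumps(build_domain_join_document(domain_name, dc_address, domain_user), indent=2)

if __name__ == "__main__":
    print(document_json("corp.example.com", "10.0.0.10", "CORP\\svc-join"))
```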

How to add some new code to an existing EC2 instance

Bear with me, what I am requesting may be impossible. I am an AWS noob.
So I am going to describe to you the situation I am in...
I am doing a freelance gig and was essentially handed the keys to AWS. That is, I was handed the root user login credentials for the AWS account that powers this website.
Now there are 3 EC2 instances. One of the instances is a linux box that, from what I am being told, is running a Django Python backend.
My new "service" if you will must exist within this instance.
How do I introduce new source code into this instance? Is there a way to pull down the existing source code that lives within it?
I am not being helped by any existing/previous developers, so I am kind of just handed the AWS credentials and have no idea where to start.
Is this even possible? That is, is it possible to pull the source code from an EC2 instance and/or modify the code? How do I do this?
EC2 instances are just virtual machines. So you can use SSH/SCP/SFTP to move files to and from them. You can use the AWS CLI tools to copy stuff from S3. Dealer's choice...
Now to get into this instance... If you look in the web console you can find its IP(s), what the security groups (firewall rules) are, and the key pair name. Hopefully they gave you the keys. You need these to SSH in.
You'll also want to check to make sure there's a security group applied that has SSH open. Hopefully only to your IP :)
If you don't have the keys you'll have to create an AMI image of the instance so you can create a new one with a key pair you do have.
Amazon has a set of tools for you in Amazon CodeSuite.
The tool used for "deploying" the code is Amazon CodeDeploy. By using this service you install an agent onto your host; then, when triggered, it will pull down an artifact of a code base and install it on matching hosts. You can even specify additional commands through the hook system.
But you also want to trigger this to happen, maybe even automatically? CodeDeploy can be orchestrated using the CodePipeline tool.

Amazon EC2 get tag from CLI - no credentials

The metadata URL from Amazon gives a lot of data but lacks tag information. I tried to combine a bunch of different commands and eventually got to the describe-tags CLI command. The problem is that while I can get the Instance ID and the Region easily enough, I cannot get values for tags without dropping credentials onto the box.
I get the following error:
Unable to locate credentials. You can configure credentials by running "aws configure".
The basic command I wind up executing is:
aws ec2 describe-tags --region us-east-1 --filters "Name=resource-id,Values=SOME_ID"
The process I follow is this:
Create an instance with a predefined application on it
Image the instance
Spin up various instances using the image via the Amazon AWS API programmatically
Tag the instances that get spun up with pieces of critical data
Attempt to read the tags from the application
Any way to get around the credentials issue? I figure that the local machine would have access to its own tag metadata without signing in but that doesn't appear to be the case.
If there's no way to get around it, are there any suggestions to pass in the data to the VM without sitting around and waiting for it to start up?
I really don't want to write a process that sits around waiting for the EC2 to finish spinning up, SSH in and then pass in the critical data myself. The data changes on-the-fly and can change between instances that I fire up in order to handle various events.
I would create your EC2 instances with IAM roles for EC2. You don't need to do anything fancy and the credentials are then available on the box. It's easy to restrict the role down to do only what you need.
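The role-based approach in practice, as an added example (not from the original answer): the application fetches its own instance id and region from the metadata service using IMDSv2, calls describe-tags with the temporary credentials the instance profile supplies, and the role carries only ec2:DescribeTags. It assumes the role is attached and the metadata service is reachable; the tag values below are constructed.

```python
"""Read an instance's own tags from inside it using the instance-profile role, no stored keys.
Added example, not from the original answer. Assumes the instance's IAM role allows
ec2:DescribeTags and that the metadata service (IMDSv2) is reachable at 169.254.169.254."""
import json
import urllib.request

IMDS = "http://169.254.169.254/latest"

def imds_get(path, ttl_seconds=60):
    """IMDSv2: fetch a session token with PUT, then GET the path with the token header."""
    req = urllib.request.Request(f"{IMDS}/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(f"{IMDS}/{path}", headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()

def tags_to_dict(describe_tags_response):
    """Flatten ec2.describe_tags() output {"Tags": [{"Key": .., "Value": ..}, ..]} to {key: value}."""
    return {t["Key"]: t["Value"] for t in describe_tags_response.get("Tags", [])}

def role_policy():
    """Least-privilege inline policy for the instance role. DescribeTags supports no
    resource-level restriction, so Resource is "*", but nothing else is granted."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "ec2:DescribeTags", "Resource": "*"}]}

def own_tags():
    """Instance id and region come from the identity document; boto3 picks up the role's
    temporary credentials from the instance profile, so no keys are written to the box."""
    import boto3  # live path only
    ident = json.loads(imds_get("dynamic/instance-identity/document"))
    ec2 = boto3.client("ec2", region_name=ident["region"])
    return tags_to_dict(ec2.describe_tags(
        Filters=[{"Name": "resource-id", "Values": [ident["instanceId"]]}]))

# Constructed sample of what describe_tags returns for one instance
SAMPLE_RESPONSE = {"Tags": [
    {"Key": "Name", "ResourceId": "i-0abc", "ResourceType": "instance", "Value": "worker-3"},
    {"Key": "Role", "ResourceId": "i-0abc", "ResourceType": "instance", "Value": "event-handler"},
]}

if __name__ == "__main__":
    print(tags_to_dict(SAMPLE_RESPONSE))  # offline: {'Name': 'worker-3', 'Role': 'event-handler'}
    print(own_tags())                     # on an instance with the role attached
```

Newer instances can also expose their tags directly through IMDS (the meta-data/tags/instance path) when that option is enabled on the instance, which removes the API call and the role altogether.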

Is using AWS SDK to launch an instance and aws cli to manage it a good approach?

I've just started with AWS and I have some questions.
First, I followed the official documentation on how to launch an instance using the AWS SDK for Java like this:
AmazonEC2 Client = new AmazonEC2Client(awsCreds);
CreateSecurityGroupRequest csgr = new CreateSecurityGroupRequest();
csgr.withGroupName("Azzouz_group").withDescription("My security group");
Client.createSecurityGroup(csgr); // the request has to be sent, not just built
IpPermission ipPermission = new IpPermission();
ipPermission.withIpRanges("0.0.0.0/0").withIpProtocol("tcp").withFromPort(22).withToPort(22); // tcp rules need a port range
AuthorizeSecurityGroupIngressRequest authorizeSecurityGroupIngressRequest = new AuthorizeSecurityGroupIngressRequest();
authorizeSecurityGroupIngressRequest.withGroupName("Azzouz_group").withIpPermissions(ipPermission);
Client.authorizeSecurityGroupIngress(authorizeSecurityGroupIngressRequest);
RunInstancesRequest runInstancesRequest = new RunInstancesRequest();
runInstancesRequest.withImageId("ami-4b814f22")
.withInstanceType("m1.small")
.withMinCount(1)
.withMaxCount(1)
.withKeyName("azzouz_key")
.withSecurityGroups("Azzouz_group");
RunInstancesResult runInstancesResult = Client.runInstances(runInstancesRequest);
String instanceId = runInstancesResult.getReservation().getInstances().get(0).getInstanceId();
I didn't use the CreateKeyPairRequest part because I want to upload my public key to Amazon, so when I try to ssh into it I don't have to add -i path/to/key.pem and only have to mention the key name in my Java code ("azzouz_key"). In the next lines, $USER contains azzouz_key:
keypair=$USER # just a name
publickeyfile=$HOME/.ssh/id_rsa.pub
regions=$(aws ec2 describe-regions \
--output text \
--query 'Regions[*].RegionName')
for region in $regions; do
echo $region
aws ec2 import-key-pair \
--region "$region" \
--key-name "$keypair" \
--public-key-material "file://$publickeyfile"
done
What I want now is to connect to the instance and automate some stuff. So I'm heading to make a call to a shell from inside the Java code; the script gets an instance id as a parameter, then gets the IP address (using aws ec2 describe-instances), sshes into it and does some stuff.
I wanted to authorize ssh connection to the instance from any IP just as a start (0.0.0.0/0) and I'm not sure if this is what I'm supposed to do.
So, my question is: Is this the best approach?! Should I just use the aws cli to create and manage the instance?! Does mentioning just the key pair name fit with the mechanism of uploading the public ssh key to Amazon?!
Please, I'm just starting, I'm an intern and I don't yet have access to an Amazon account so I can test my work. I'm just working all of this out in my mind. THANK YOU VERY MUCH!
My advice is to set up an account on AWS and start using the AWS free tier options.
All in all, it is there and it is free (just pay attention to what you launch or use in the service).
Apart from that, your question about how to authorize connections over SSH from everywhere: this is done with security groups (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html)
About what is the best option, this really depends on you.
If you need to launch 2 instances in your life on AWS, then the console is good enough. If you want to orchestrate your hybrid setup, then probably your way is the best.
CLI is an excellent solution for daily operations too.
In simple words, there is no best way or good or bad approach. It all depends on your needs.
I hope this helps somehow.
Automation is a huge topic. If you want to extend AWS automation using scripts, then before touching the API/SDK you must first design your own AWS resource tag naming.
Tag naming is an implicit way to reference an AWS resource without explicitly specifying the resource id (e.g. VPC id, EC2 id, interface id, etc.). In addition, for resources such as EC2 that don't allow immediate use of tags during creation, you need to study the usage of "client-token".
The AWS CLI allows you to do lots of automation; however, to manipulate the response results you need shell scripting skills. I suggest you pick the AWS SDK language that you are familiar with.
Cloud configuration management tools (there is limited support from tools like Ansible, SaltStack, Puppet) can be the next step, if you plan to extend to the whole source deployment and server configuration.
You may want to consider starting off with Infrastructure as Code. CloudFormation with CodePipeline will ensure automated and consistent environment launches and makes you highly valuable in the marketplace.
Both can be launched and managed via the awscli. As your capabilities and the complexity of your IaC increase, it may be worth looking into Terraform due to the modularity available compared to CloudFormation.