Starting targeted instances during a maintenance window?


I have a small resource group (5 instances), and there's a weekly script I would like to run on all 5 of them. They start automatically when their users need to interact with them, and stop automatically when idle for 30 minutes. (Similar to a Cloud9 IDE environment, but not managed by Cloud9.) The maintenance window is scheduled for a time when they would all be stopped. There is no reliable time when I know for sure that they would all be running.

When the weekly maintenance window rolls around, I would like SSM to start the instances, run the shell script on them, and then stop them. I thought I had managed it, by creating a maintenance window with three tasks:

  • Priority 10: AUTOMATION task using the AWS-StartEC2Instance document
  • Priority 20: RUN_COMMAND task using the AWS-RunShellScript document
  • Priority 30: AUTOMATION task using the AWS-StopEC2Instance document

All three tasks specify the resource group as the target, and {{RESOURCE_ID}} as the InstanceId parameter.

The problem is that each task only runs on instances that are already running when the maintenance window starts, which would seem to make the AWS-StartEC2Instance automation kind of pointless. When there are no instances running, each task has a status of No invocations to execute.

I could certainly use an EventBridge rule with a Lambda to make sure the instances are up and running, and then just have the RunShellScript task in the maintenance window. But the use case I described above seems like it would be a no-brainer easy thing to accomplish, so I'm concerned I'm just missing something simple. Any suggestions?

mbklein · asked a year ago · 659 views
2 Answers

Hello mbklein,

Thank you for reaching out with your query.

Below are the common possible reasons for this issue:

  • No defined maintenance window targets
  • No resource id is present.
  • When required policies are not correct.

For tasks which require unique identifiers as input, if there are no targets, the task will report back that there are no invocations to execute, as there were no inputs.

To troubleshoot the issue, I performed this scenario in my internal lab and was able to successfully perform the tasks mentioned below:

  • AUTOMATION task using the AWS-StartEC2Instance document
  • RUN_COMMAND task using the AWS-RunShellScript document
  • AUTOMATION task using the AWS-StopEC2Instance document

Please refer to the steps I performed below:

Scenario1: When instances are already in stopped state

  • Create a tag for your instance, i.e. (Name = Department, Value = Dev)
  • Create a Resource Group [1], for group type select "Tag based"
  • For resource types select "AWS::EC2::Instance"
  • Next select the tag key (Department) and value (Dev)

After the Resource Group is created, you can create a Maintenance Window and register the target with the Maintenance Window

  • On Maintenance Window go to “Actions” > “Register targets”
  • Select "Choose a resource group"
  • Select the Resource group you created earlier
  • Then click on “Register Target”
  • Then click on the "Actions" dropdown -> "Register Automation task"
  • Next, under Automation document -> "AWS-StartEC2Instance"
  • Under Targets choose "Selecting registered target groups" and then select the Window target ID
  • For Input parameters > "InstanceIDs" input parameter, add all instance IDs, separated by commas, that you have included in the resource group, for example: i-abc********, i-def********
  • For Input parameters > "AutomationAssumeRole" input parameter, input the role that you have configured for Automation

Below is the AutomationAssumeRole policy I used in my lab:

Trust Entity

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "Service": "ssm.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Inline Permission Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    }
  ]
}
```

For the IAM service role:

To create the IAM service role, please follow the steps below:

  1. Go to the IAM Dashboard and click on "Create role"
  2. Under "Select trusted entity" click on "Custom trust policy" and add the policy mentioned below

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "ssm.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

  3. Click on next
  4. In Permissions add the three policies below

Note: a) and b) are AWS Managed policies. You can easily search for them, but for c) you need to create an inline policy.

  a) AmazonSSMMaintenanceWindowRole
  b) AmazonSSMFullAccess
  c) IAMPassRolePolicy: for IAMPassRolePolicy add the inline policy mentioned below

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "iam:PassedToService": "ssm.amazonaws.com" }
      }
    }
  ]
}
```

You can also follow the AWS video tutorial to know more about Maintenance Windows or the IAM service role: https://www.youtube.com/watch?v=aR02m1Xsz1E&t=113s

  • Please repeat the above steps for the AWS-StopEC2Instance document and the AWS-RunShellScript document.

Scenario 2: When Instances are already in running state

The above steps allowed me to successfully execute all three of the above-mentioned documents in a Maintenance Window in both scenarios.

Additionally, if the issue still exists after following the above steps, I would request you to open a case with our support team for further troubleshooting, as we need to check all the associated resources to troubleshoot it further.

References

[1] https://docs.aws.amazon.com/ARG/latest/userguide/resource-groups.html

AWS
SUPPORT ENGINEER
answered a year ago
  • Thank you for these steps. I notice there's one incomplete sentence that looks kind of important:

    For Input parameters > "InstanceIDs" input parameter

    What is the value that's supposed to go in the InstanceIDs input parameter when targeting a resource group?


Thank you for pointing this out. Add all instance IDs, separated by commas, that you have included in the resource group, for example: i-abc********, i-def********

AWS
SUPPORT ENGINEER
answered a year ago
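The two answers above describe the setup in console clicks: a role that SSM Automation assumes, a PassRole grant for the maintenance window role, and three tasks whose Automation steps receive explicit instance IDs instead of {{RESOURCE_ID}} (which resolves to nothing while the instances are stopped, hence "No invocations to execute"). The Python below is an added example, not code from the thread or from AWS: it builds the same policy documents and the three RegisterTaskWithMaintenanceWindow request bodies as plain dicts, without making any API calls, so it runs offline. Two things in it go beyond what the answer shows and are my hardening choices, not the support engineer's: the start/stop permission is limited to instances carrying the Department=Dev tag the answer already uses via an `ec2:ResourceTag` condition, and PassRole is limited to the one automation role ARN rather than `*`. Account ID, region, window ID, target ID, instance IDs and the script path are constructed placeholders; the Automation parameter is named `InstanceId`, as in the question. The small `lint_policy` check flags the two defects a reviewer would look for in pasted policy JSON: service principals with stray whitespace and unconditioned `Allow` on `*` for mutating actions.

```python
"""Policy documents and maintenance-window task registrations for the
start -> run script -> stop pattern, built as dicts (no AWS calls)."""
import json

# --- Constructed placeholders; none of these values come from the thread ---
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
WINDOW_ID = "mw-0123456789abcdef0"                     # maintenance window ID
TARGET_ID = "11111111-2222-3333-4444-555555555555"   # registered target ID
INSTANCE_IDS = ["i-0aaaaaaaaaaaaaaaa", "i-0bbbbbbbbbbbbbbbb"]
AUTOMATION_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AutomationAssumeRole"
TAG_KEY, TAG_VALUE = "Department", "Dev"   # tag the answer uses for the resource group


def trust_policy(services):
    """Trust policy letting the listed service principals assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": list(services)},
        "Action": "sts:AssumeRole"}]}


def automation_permissions():
    """AutomationAssumeRole permissions. Start/Stop is scoped to tagged instances
    (my hardening, not in the answer); DescribeInstanceStatus has no
    resource-level scoping in EC2, so it keeps '*' without a condition."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "StartStopTaggedInstancesOnly", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": f"arn:aws:ec2:{REGION}:{ACCOUNT_ID}:instance/*",
         "Condition": {"StringEquals": {f"ec2:ResourceTag/{TAG_KEY}": TAG_VALUE}}},
        {"Sid": "DescribeStatus", "Effect": "Allow",
         "Action": "ec2:DescribeInstanceStatus", "Resource": "*"}]}


def pass_role_policy(role_arn):
    """PassRole limited to one role and to the SSM service, instead of Resource '*'."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn,
        "Condition": {"StringEquals": {"iam:PassedToService": "ssm.amazonaws.com"}}}]}


def maintenance_window_tasks(script_path="/usr/local/bin/weekly-maintenance.sh"):
    """The three tasks from the thread as RegisterTaskWithMaintenanceWindow bodies.
    Explicit InstanceId values let the Automation tasks run while the instances
    are stopped; {{RESOURCE_ID}} only resolves to instances already running."""
    targets = [{"Key": "WindowTargetIds", "Values": [TARGET_ID]}]

    def automation(document, priority):
        return {"WindowId": WINDOW_ID, "Targets": targets, "TaskArn": document,
                "TaskType": "AUTOMATION", "Priority": priority,
                "MaxConcurrency": "5", "MaxErrors": "1",
                "TaskInvocationParameters": {"Automation": {
                    "DocumentVersion": "$DEFAULT",
                    "Parameters": {"InstanceId": INSTANCE_IDS,
                                   "AutomationAssumeRole": [AUTOMATION_ROLE_ARN]}}}}

    run_command = {"WindowId": WINDOW_ID, "Targets": targets,
                   "TaskArn": "AWS-RunShellScript", "TaskType": "RUN_COMMAND",
                   "Priority": 20, "MaxConcurrency": "5", "MaxErrors": "1",
                   "TaskInvocationParameters": {"RunCommand": {
                       "Parameters": {"commands": [script_path]},
                       "TimeoutSeconds": 600}}}
    return [automation("AWS-StartEC2Instance", 10), run_command,
            automation("AWS-StopEC2Instance", 30)]


def _is_read_only(action):
    verb = action.split(":", 1)[-1]
    return verb.startswith(("Describe", "Get", "List"))


def lint_policy(policy):
    """Findings for two defects a reviewer looks for in pasted policy JSON:
    service principals with stray whitespace, and unconditioned Allow on
    Resource '*' that includes a mutating action."""
    findings = []
    for stmt in policy["Statement"]:
        services = stmt.get("Principal", {}).get("Service", [])
        for svc in ([services] if isinstance(services, str) else services):
            if svc != svc.strip():
                findings.append(f"service principal has stray whitespace: {svc!r}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and stmt.get("Resource") == "*"
                and "Condition" not in stmt
                and any(not _is_read_only(a) for a in actions)):
            findings.append(f"unscoped Allow on '*' for {actions}")
    return findings


if __name__ == "__main__":
    print(json.dumps(automation_permissions(), indent=2))
    for task in maintenance_window_tasks():
        print(task["Priority"], task["TaskType"], task["TaskArn"])
```

Feed each dict to `boto3.client("ssm").register_task_with_maintenance_window(**task)` once the window, target and roles exist; the maintenance window's own service role still needs `iam:PassRole` on `AUTOMATION_ROLE_ARN` for the two Automation tasks, which is what `pass_role_policy` grants.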
