Idea
Imagine that every day you and your coworkers need to create a lot of resources on AWS for work. So how to simplify the process of managing, operating, and tracking usage costs? One of the popular methods is tagging. Not everyone can remember having to tag resources upon initialization. Thus, tagging of resources is the optimal solution for minimizing admin-overhead.
Check out the article below presented by Mr. Le Hai Dang and Mr. Do Thanh Tung – Solutions Architect of VTI Cloud.
Tagging solutions overview
-
User initializes resources on AWS. In this example will be the initialization of EC2 Instance with EBS Volume.
-
AWS CloudTrail will log the API event.
-
EventBridge will trigger a Lambda function, for example, event: RunInstance.
-
Lambda function will be responsible for tagging resources.
When the Lambda function is successfully triggered by the initialization resource, it will tag the resource with:
-
IAM User và Assume Role:
-
Key: Owner
-
Value: [email protected]
-
-
Root User:
-
Key: Owner
-
Value: Root
-
Installation Steps
Let’s first go through some of the services that you need to use in this article. Most of them are the core services that AWS provides such as CloudTrail, EventBridge (an extremely “genuine” upgrade version of CloudWatch Events), Lambda or IAM policy, …
1. CloudTrail: Trail (Multi-region)
AWS CloudTrail works as a supervisor. All actions on AWS accounts are logged by CloudTrail as events. Trail is a setting that helps you handle events. For example: saving to S3, encrypted with AWS KMS,…
First, you need to have Trail to detect and respond to API events when creating resources. Trail can be easily created on the AWS Console, refer here.
With the successful setup, EC2 RunInstances API will give you a lot of information such as the time to create eventTime resource, the id of the newly created EC2 instanceID, the userID of the resource creator principalId.
Learn more about AWS CloudTrail.
2. Lambda function
AWS Lambda referred to as Function as a Service (FaaS), is a serverless service for programmers who don’t care about infrastructure when running applications. True to the Function definition, Lambda only runs when called.
To create a Lambda function, log in to AWS Console, select Lambda, and tick Create Function. We will create a Lambda function with a Runtime Python 3.8. Copy the code is available in GitHub Repo.
Scroll down to Basic settings and edit Timeout to 60s and Memory to 128MB.
Remember to click Save 🙂
3. Authorize the Lambda function
In the Lambda interface click on the Permission tab, there will be an item Execution role. Click on Role name that will direct you through the IAM tab. Here we will add an inline policy, select the JSON tab, and paste the following IAM policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeVolumes"
],
"Resource": "*"
}
]
}
The above policy will allow the Lambda function to find the instance volume and tagging both the EC2 instance and the instance volume. Click Review policy, enter a name, and Create policy.
4. Trigger Lambda function from AWS EventBridge
AWS EventBridge provides real-time data flow (events, …) from your own applications, and routes that data to targets like AWS Lambda.
In this section, we will use EventBridge to trigger the Lambda function.
Select Create rule. In this section, you need to define a pattern according to the steps below:
-
Select Event pattern.
-
In Event matching pattern, select Pre-defined pattern.
-
Next, in Service provider and Service name, select AWS and EC2.
-
In event type, select AWS API Call via CloudTrail.
-
Finally, select Specific operation, here you enter RunInstance.
Learn more about AWS EventBridge.
5. Results and things to note
After successful implementation of the above steps, the setup is complete, you can completely create an EC2 instance and wait for Lambda to tag itself in the instance you just created.
Note:
-
With this approach, only instances created after the installation of the Lambda function can be tagged automatically.
-
You need to enable Multi-region on CloudTrail for this solution to work across all regions.
-
CloudTrail takes some time (up to 1 hour) until EventBridge starts calling (invoke) Lambda function.
Above is how VTI Cloud has applied to be able to control initialization resources on AWS. In addition, it is possible to add an Instance Scheduler solution to your Lambda function to automatically launch and pause EC2 and RDS instances by working hours to maximize costs.
Cost of services
About VTI Cloud
VTI Cloud is an Advanced Consulting Partner of AWS Vietnam with a team of over 50+ AWS certified solution engineers. With the desire to support customers in the journey of digital transformation and migration to the AWS cloud, VTI Cloud is proud to be a pioneer in consulting solutions, developing software, and deploying AWS infrastructure to customers in Vietnam and Japan.
Building safe, high-performance, flexible, and cost-effective architectures for customers is VTI Cloud’s leading mission in enterprise technology mission.
