AWS EC2 health codebundle #3

saurabh3460 · 2024-12-11T09:04:27Z

This code bundle contains task to check for old AWS EC2 instances in AWS account in specified region.

…s in runbook

…s health cb

…arse_ebs_results fuc in in Core.py

saurabh3460 · 2024-12-18T07:26:20Z

Tested with age 2min = 0.00139

cc @stewartshea

codebundles/aws-c7n-ec2-health/sli.robot

stewartshea · 2024-12-18T11:27:09Z

codebundles/aws-c7n-ec2-health/sli.robot

+    ...    cmd=custodian run -r ${AWS_REGION} --output-dir ${OUTPUT_DIR}/aws-c7n-ec2-health ${CURDIR}/old-ec2-instances.yaml --cache-period 0
+    ...    secret__aws_access_key_id=${AWS_ACCESS_KEY_ID}
+    ...    secret__aws_secret_access_key=${AWS_SECRET_ACCESS_KEY}
+    ${count}=     RW.CLI.Run Cli


This likely is more complicated that it needs to be. Why evaluate a 1 or a 0 when this is a single check - the total count is a fine metric to push, and then SLI alerts can be configured as needed. This only makes sense as a 1 or a 0 if you want to perform an aggregate score across multiple tasks. Do you plan on adding more tasks?

next code bundle like AutoScaling Group - Verify ASGs have valid configurations comes under EC2 instance so I was thinking to include in this EC2 health codebundle

stewartshea · 2024-12-18T11:28:11Z

codebundles/aws-c7n-ec2-health/runbook.robot

+
+
+*** Tasks ***
+List old AWS EC2 instances in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}` 


I think we need more than one task here to evaluate "AWS EC2 Health" - otherwise this is just a codebundle that is focused on "AWS EC2 Age" - let's come up with a few more tasks.

Also, what is the idea behind this task? It seems normal for a user to have a "running" instance older than "60 days"... are the defaults here appropriate? Are we checking the right thing? One task might be to look for EC2 instances that are not in a running state and older than a specific age. Another task might be to look for instances that need a refresh (e.g. running over a certain age, since it implies a lack of patch/update?).

Yes, because sometimes instances get patched and restart, and if an instance is quite old, it becomes difficult to patch since it will require numerous updates. This means that old instances can indicate unpatchable systems.

and yes agree we can also look for stopped instances as well that too make sense.

stewartshea · 2024-12-18T11:34:50Z

@saurabh3460 I've added a few comments which we can discuss - this was not a thorough review, as I think we need to think through the purpose of this codebundle a little more before a full review can be performed.

saurabh3460 · 2024-12-19T14:53:14Z

tested unpatched and unused tasks:

let me know if next steps looks ok

saurabh3460 and others added 30 commits November 20, 2024 17:14

add codebundles/aws-c7n-ebs-health/sli.robot

63adb4f

add c7n ebs policies

7a205bd

add script to create test infra

9ee4894

added runbook.robot with List Unattached EBS Volumes task

b86124b

Merge branch 'runwhen-contrib:main' into main

e1bd6e0

added parse_ebs_results func in Core.py

774460f

change name of unused-ebs-snapshots policy

9d5dd28

change secret__aws_account_id -> secret__aws_access_key_id

3dd7314

updated create/delete snapshot script in .test

b9505d0

added List Unused EBS Snapshots and List Unencrypted EBS Volumes task…

aa77f67

…s in runbook

add runwhen generation rule and template yaml

780854e

clean cc lib

3455556

replace ebs test script with terraform

ecc92ff

remove volume check and add encrypted false in ebs.tf

cfb684b

added taskfile in ebs health codebundle

e9f4513

add account_id in ebs gen rule qualifiers

6102c59

add check-rwp-config task in ebs cb test's taskfile

4c59821

update ebs cb test README

90b306b

add encrypted filed in ebs tf file

7f81bd3

add suite variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in eb…

9602af8

…s health cb

add rw-cli-keywords dependency in requirements.txt

becadf9

fix sli locations filed in both ebs and s3 cb

37fd8b7

update Author in sli

5672dc9

fix Add Issue and change AWS_ACCOUNT_NAME -> AWS_ACCOUNT_ID

53c55bc

ebs Taskfile: add custom field and terraform/cb.secret

406e2fd

ebs sli: fix score logic

b0d6153

ebs runbook: update next steps string and task title

4580a3b

EBS CB: fix typo and update image url in templates

d7fce89

update intervalSeconds 300 -> 600

59c5463

EBS CB: update Metadata and thresholds defaults 1->0

d1caa2e

saurabh3460 added 8 commits December 13, 2024 11:45

added generate_policy, find_value_recursive func and ec2 support in p…

d16b95e

…arse_ebs_results fuc in in Core.py

added GenerationRules and SLx templates

637a5fc

EC2 CB: added runbook

c162e63

EC2 CB: added sli.robot

667b8e1

ec2 cb: intervalSeconds 300 -> 600

2310372

ec2 cb: updated Metadata and issue statments in runbook.robot

e089330

ec2 cb: updated Metadata and default in sli.robot

ea708b5

ec2 cb: fix score logic

beebae3

saurabh3460 force-pushed the ec2 branch 2 times, most recently from 3652218 to 35e139c Compare December 18, 2024 06:49

saurabh3460 added 6 commits December 18, 2024 12:48

ec2 cb: add README.md files

875b071

ec2 cb: add vpc resource in test terraform

279b553

ec2 cb: update sli.yaml

00be7ae

ec2 cb: update doc section in sli.robot

2c3e6fa

ec2 cb: update doc and clean runbook.robot

f0f818c

ec2 cb: update spec.alias and spec.asMeasuredBy in slx.yaml

0c65a84

saurabh3460 force-pushed the ec2 branch from 35e139c to 0c65a84 Compare December 18, 2024 07:23

stewartshea reviewed Dec 18, 2024

View reviewed changes

codebundles/aws-c7n-ec2-health/sli.robot Outdated Show resolved Hide resolved

stewartshea reviewed Dec 18, 2024

View reviewed changes

ec2 cb: added unpatched and unused cloudcustodian policies

b1befae

saurabh3460 force-pushed the ec2 branch from 0011355 to 45aa523 Compare December 19, 2024 14:49

saurabh3460 added 4 commits December 23, 2024 16:35

ebs cb: update tasks in runbook.robot

fa9b73e

ec2 cb: update rw templates

cb46b27

ec2 cb: update root README.md SLI section

a19f13a

ebs cb: update tasks in sli.robot

f404f62

saurabh3460 force-pushed the ec2 branch from 6de4329 to f404f62 Compare December 23, 2024 11:06

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AWS EC2 health codebundle #3

AWS EC2 health codebundle #3

saurabh3460 commented Dec 11, 2024

saurabh3460 commented Dec 18, 2024

stewartshea Dec 18, 2024

saurabh3460 Dec 18, 2024

stewartshea Dec 18, 2024

stewartshea Dec 18, 2024

saurabh3460 Dec 18, 2024 •

edited

Loading

saurabh3460 Dec 18, 2024

stewartshea commented Dec 18, 2024

saurabh3460 commented Dec 19, 2024



		* Tasks *
		List old AWS EC2 instances in AWS Region `${AWS_REGION}` in AWS account `${AWS_ACCOUNT_ID}`

AWS EC2 health codebundle #3

Are you sure you want to change the base?

AWS EC2 health codebundle #3

Conversation

saurabh3460 commented Dec 11, 2024

saurabh3460 commented Dec 18, 2024

stewartshea Dec 18, 2024

Choose a reason for hiding this comment

saurabh3460 Dec 18, 2024

Choose a reason for hiding this comment

stewartshea Dec 18, 2024

Choose a reason for hiding this comment

stewartshea Dec 18, 2024

Choose a reason for hiding this comment

saurabh3460 Dec 18, 2024 • edited Loading

Choose a reason for hiding this comment

saurabh3460 Dec 18, 2024

Choose a reason for hiding this comment

stewartshea commented Dec 18, 2024

saurabh3460 commented Dec 19, 2024

saurabh3460 Dec 18, 2024 •

edited

Loading