rem ========================================================= rem rem Creates Lambda function to update child resources from rem parent resource tags based on sync_tag_keys array. rem rem Supports ec2 volume, snapshot, eni, eip rem rem Cloudwatch Event Rule is created to trigger function when rem ec2 tag updates occur. rem rem SNS topic is created to send email notification on tag rem update. rem rem ========================================================= rem ========================================================= rem Update the following variables to match your environment rem ========================================================= set aws_profile=MY-AWS-PROFILE set aws_default_region=us-east-1 set aws_accountid=000000000000 set aws_nameprefix=synctags set aws_synctagkeys=[\"Name\", \"BillingCode\", \"Application\", \"Environment\"] set aws_notifyemail=ME@EMAIL.COM set aws_functiontest_instanceid=i-00000000000000000 rem ========================================================= rem Terraform configuration variables rem ========================================================= set TF_VAR_aws_profile=%aws_profile% set TF_VAR_aws_default_region=%aws_default_region% rem If using Terraform Cloud for remote state management rem update your org and workspace values, see rem https://app.terraform.io set TF_VAR_terraform_cloud_org=MY-ORG set TF_VAR_terraform_cloud_workspace=my-workspace rem ========================================================= rem Use terraform apply to view plan and apply changes rem ========================================================= rem Determine if terraform cloud is being used and configure environment del backend.hcl backend.tf if not "%TF_VAR_terraform_cloud_org%" == "MY-ORG" ( echo organization = "%TF_VAR_terraform_cloud_org%" > backend.hcl echo workspaces { name = "%TF_VAR_terraform_cloud_workspace%" } >> backend.hcl echo terraform { > backend.tf echo backend "remote" {} >> backend.tf echo } >> backend.tf set TF_VAR_terraform_backend_remote=true terraform init -backend-config=backend.hcl ) else ( set TF_VAR_terraform_backend_remote=false terraform init ) echo terraform_backend_remote=%TF_VAR_terraform_backend_remote% > synctags.auto.tfvars echo resource_name_prefix="%aws_nameprefix%" >> synctags.auto.tfvars echo sync_tag_keys="%aws_synctagkeys%" >> synctags.auto.tfvars echo notification_email="%aws_notifyemail%" >> synctags.auto.tfvars terraform apply rem ========================================================= rem Call function with test event to test match and no rem match conditions. Review Cloutwatch LogGroup\LogStream rem ========================================================= rem NoMatch - should receive "info: no matching changed tags" in log stream aws lambda invoke --function-name %aws_nameprefix%-event-handler --payload "{ \"version\": \"0\", \"id\": \"bddcf1d6-0251-35a1-aab0-adc1fb47c11c\", \"detail-type\": \"Tag Change on Resource\", \"source\": \"aws.tag\", \"account\": \"%aws_accountid%\", \"time\": \"2018-09-18T20:41:38Z\", \"region\": \"%aws_default_region%\", \"resources\": [ \"arn:aws:ec2:%aws_default_region%:%aws_accountid%:instance/%aws_functiontest_instanceid%\" ], \"detail\": { \"changed-tag-keys\": [ \"a-new-key\", \"an-updated-key\", \"a-deleted-key\" ], \"service\": \"ec2\", \"resource-type\": \"instance\", \"version\": 3, \"tags\": { \"a-new-key\": \"tag-value-on-new-key-just-added\", \"an-updated-key\": \"tag-value-was-just-changed\", \"an-unchanged-key\": \"tag-value-still-the-same\" } }}" out rem Match - will receive notification email and "success: updated child resource tags for instance" in log stream aws lambda invoke --function-name %aws_nameprefix%-event-handler --payload "{ \"version\": \"0\", \"id\": \"bddcf1d6-0251-35a1-aab0-adc1fb47c11c\", \"detail-type\": \"Tag Change on Resource\", \"source\": \"aws.tag\", \"account\": \"%aws_accountid%\", \"time\": \"2018-09-18T20:41:38Z\", \"region\": \"%aws_default_region%\", \"resources\": [ \"arn:aws:ec2:%aws_default_region%:%aws_accountid%:instance/%aws_functiontest_instanceid%\" ], \"detail\": { \"changed-tag-keys\": [ \"BillingCode\", \"an-updated-key\", \"a-deleted-key\" ], \"service\": \"ec2\", \"resource-type\": \"instance\", \"version\": 3, \"tags\": { \"a-new-key\": \"tag-value-on-new-key-just-added\", \"an-updated-key\": \"tag-value-was-just-changed\", \"an-unchanged-key\": \"tag-value-still-the-same\" } }}" out rem ========================================================= rem Create test events for console testing of Lambda function rem https://aws.amazon.com/blogs/compute/improved-testing-on-the-aws-lambda-console/ rem ========================================================= rem MatchTestEvent echo { > matchtestevent.tmp echo "version": "0", >> matchtestevent.tmp echo "id": "bddcf1d6-0251-35a1-aab0-adc1fb47c11c", >> matchtestevent.tmp echo "detail-type": "Tag Change on Resource", >> matchtestevent.tmp echo "source": "aws.tag", >> matchtestevent.tmp echo "account": "%aws_accountid%", >> matchtestevent.tmp echo "time": "2018-09-18T20:41:38Z", >> matchtestevent.tmp echo "region": "%aws_default_region%", >> matchtestevent.tmp echo "resources": ["arn:aws:ec2:%aws_default_region%:%aws_accountid%:instance/%aws_functiontest_instanceid%" ], >> matchtestevent.tmp echo "detail": { >> matchtestevent.tmp echo "changed-tag-keys": [ "BillingCode", "an-updated-key", "a-deleted-key" ], >> matchtestevent.tmp echo "service": "ec2", >> matchtestevent.tmp echo "resource-type": "instance", >> matchtestevent.tmp echo "version": 3, >> matchtestevent.tmp echo "tags": { "a-new-key": "tag-value-on-new-key-just-added", "an-updated-key": "tag-value-was-just-changed", "an-unchanged-key": "tag-value-still-the-same" } >> matchtestevent.tmp echo } >> matchtestevent.tmp echo } >> matchtestevent.tmp notepad matchtestevent.tmp rem NoMatchTestEvent echo { > nomatchtestevent.tmp echo "version": "0", >> nomatchtestevent.tmp echo "id": "bddcf1d6-0251-35a1-aab0-adc1fb47c11c", >> nomatchtestevent.tmp echo "detail-type": "Tag Change on Resource", >> nomatchtestevent.tmp echo "source": "aws.tag", >> nomatchtestevent.tmp echo "account": "%aws_accountid%", >> nomatchtestevent.tmp echo "time": "2018-09-18T20:41:38Z", >> nomatchtestevent.tmp echo "region": "%aws_default_region%", >> nomatchtestevent.tmp echo "resources": [ "arn:aws:ec2:%aws_default_region%:%aws_accountid%:instance/%aws_functiontest_instanceid%" ], >> nomatchtestevent.tmp echo "detail": { >> nomatchtestevent.tmp echo "changed-tag-keys": ["a-new-key", "an-updated-key", "a-deleted-key" ], >> nomatchtestevent.tmp echo "service": "ec2", >> nomatchtestevent.tmp echo "resource-type": "instance", >> nomatchtestevent.tmp echo "version": 3, >> nomatchtestevent.tmp echo "tags": { "a-new-key": "tag-value-on-new-key-just-added", "an-updated-key": "tag-value-was-just-changed", "an-unchanged-key": "tag-value-still-the-same" } >> nomatchtestevent.tmp echo } >> nomatchtestevent.tmp echo } >> nomatchtestevent.tmp notepad nomatchtestevent.tmp rem ========================================================= rem Remove all resources rem ========================================================= rem Topic subscription cannot be terraform destroyed so use cli to remove aws sns list-subscriptions-by-topic --topic-arn arn:aws:sns:%aws_default_region%:%aws_accountid%:%aws_nameprefix%-topic --no-paginate --output text --query "Subscriptions[]["SubscriptionArn"]" > snstopicsubarn.tmp set /p snstopicsubarn=