This repository has been archived by the owner on Mar 24, 2022. It is now read-only.
ec2_tags.py
# -*- coding: utf-8 -*-
"""
ec2_tags.py - exports all EC2 tags in an 'ec2_tags' grain and splits the 'Roles' tag
into a list in the 'ec2_roles' grain.
To use it:
1. Place ec2_tags.py in <salt_root>/_grains/
2. Make sure boto version >= 2.8.0
3. There are four ways of supplying AWS credentials used to fetch instance tags:
i. Define them in AWS_CREDENTIALS below
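ii. Define the AWS_ACCESS_KEY and AWS_SECRET_KEY environment variables (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are also accepted); when both are set they override i and iii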
iii. Provide them in the minion config like this:
ec2_tags:
aws:
access_key: ABC123
secret_key: abc123
iv. Use an IAM instance role, which keeps long-lived keys out of files and config. The following policy will work:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1429127179000",
"Effect": "Allow",
"Action": [
"ec2:DescribeTags"
],
"Resource": [
"*"
]
}
]
}
4. Test it
$ salt '*' saltutil.sync_grains
$ salt '*' grains.get ec2_tags
$ salt '*' grains.get ec2_roles
Author: Emil Stenqvist <emsten@gmail.com>
Licensed under Apache License (https://raw.github.com/saltstack/salt/develop/LICENSE)
(Inspired by https://github.com/dginther/ec2-tags-salt-grain)
"""
from __future__ import absolute_import
import os
import logging
from salt.utils.versions import StrictVersion
import boto.ec2
import boto.utils
# Module-level logger, named after this grain module.
log = logging.getLogger(__name__)

# Static fallback credentials (option i in the module docstring); both values
# default to None. Filling them in stores long-lived AWS keys in a file that
# saltutil.sync_grains distributes, so prefer an instance role and keep real
# keys out of version control.
AWS_CREDENTIALS = dict(access_key=None, secret_key=None)
def _get_instance_info():
    """Return this instance's ``(instance_id, region)`` pair.

    Both values are read from the 'document' entry returned by
    ``boto.utils.get_instance_identity()``. Nothing is caught here, so a
    failed lookup or a missing key propagates to the caller.
    """
    document = boto.utils.get_instance_identity()['document']
    instance_id = document['instanceId']
    region = document['region']
    return instance_id, region
def _on_ec2():
    """Report whether the instance metadata lookup returned anything.

    The lookup runs with ``timeout=0.1`` and ``num_retries=1``, presumably so
    that a host outside EC2 is not held up while grains load.
    """
    # NOTE(review): boto 2 predates IMDSv2 session tokens. On an instance that
    # requires tokens this lookup probably comes back empty and the grain is
    # skipped as "not EC2" -- confirm before enforcing IMDSv2 on such hosts.
    metadata = boto.utils.get_instance_metadata(timeout=0.1, num_retries=1)
    return True if metadata else False
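def _get_credentials():
    """Collect the AWS key pair that is handed to boto.

    Sources are applied in this order, each later one overriding the earlier:

    1. the module-level ``AWS_CREDENTIALS`` dict,
    2. ``ec2_tags: aws:`` in the minion config (``__opts__``), used only when
       both ``access_key`` and ``secret_key`` are set there,
    3. the environment: ``AWS_ACCESS_KEY`` / ``AWS_SECRET_KEY``, falling back
       to ``AWS_ACCESS_KEY_ID`` / ``AWS_SECRET_ACCESS_KEY``, again only when
       both halves are present.

    Returns:
        dict: a copy of ``AWS_CREDENTIALS`` with ``access_key`` and
        ``secret_key`` replaced by whichever source supplied a full pair.
        The dict holds secrets; do not log it.
    """
    creds = AWS_CREDENTIALS.copy()

    # Minion config. ``ec2_tags:`` or ``aws:`` written with no value parses to
    # None, so fall back to an empty dict instead of calling .get() on None.
    if '__opts__' in globals():
        conf = __opts__.get('ec2_tags') or {}
        aws = conf.get('aws') or {}
        if aws.get('access_key') and aws.get('secret_key'):
            creds.update(aws)

    # Environment variables are applied last, so they win over both sources
    # above when a complete pair is present.
    env = os.environ
    access_key = env.get('AWS_ACCESS_KEY') or env.get('AWS_ACCESS_KEY_ID')
    secret_key = env.get('AWS_SECRET_KEY') or env.get('AWS_SECRET_ACCESS_KEY')
    if access_key and secret_key:
        creds.update(access_key=access_key, secret_key=secret_key)
    return creds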
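def ec2_tags():
    """Build the ``ec2_tags`` and ``ec2_roles`` grains for this instance.

    Returns:
        dict or None: ``{'ec2_tags': {name: value, ...}}``, plus an
        ``ec2_roles`` list (the ``Roles`` tag split on commas) when that tag
        exists. ``None`` when boto is older than 2.8.0, the metadata probe
        finds nothing, or any lookup fails; each case is logged.

    Tag values are whatever is set on the instance in EC2. Anyone who can
    edit the instance's tags controls these grains, so do not rely on them
    as the only gate when targeting sensitive pillar data or states.
    """
    installed = StrictVersion(boto.__version__)
    minimum = StrictVersion('2.8.0')
    if installed < minimum:
        log.error("Installed boto version %s < %s, can't find ec2_tags",
                  installed, minimum)
        return None

    if not _on_ec2():
        log.info("Not an EC2 instance, skipping")
        return None

    # The identity lookup can raise (failed request, missing key). Handle it
    # like the other failures here: log and return None instead of letting the
    # exception escape the grain function.
    try:
        instance_id, region = _get_instance_info()
    except Exception as e:
        log.error("Could not get instance identity: %s", e)
        return None

    credentials = _get_credentials()

    # Connect to EC2. When both keys are None, boto is left to find
    # credentials on its own (this is how the instance-role option works).
    try:
        conn = boto.ec2.connect_to_region(
            region,
            aws_access_key_id=credentials['access_key'],
            aws_secret_access_key=credentials['secret_key'],
        )
    except Exception as e:
        log.error("Could not get AWS connection: %s", e)
        return None

    # connect_to_region returns None rather than raising when boto does not
    # know the region name; report that directly instead of failing later
    # with an AttributeError on None.
    if conn is None:
        log.error("Could not get AWS connection: unknown region %s", region)
        return None

    # Fetch only the tags attached to this instance.
    tags_by_name = {}
    try:
        tag_filters = {'resource-type': 'instance',
                       'resource-id': instance_id}
        for tag in conn.get_all_tags(filters=tag_filters):
            tags_by_name[tag.name] = tag.value
    except Exception as e:
        log.error("Couldn't retrieve instance tags: %s", e)
        return None

    ret = {'ec2_tags': tags_by_name}

    # Provide ec2_tags_roles functionality: the 'Roles' tag is split on commas
    # as-is, so whitespace around a role name is kept.
    if 'Roles' in tags_by_name:
        ret['ec2_roles'] = tags_by_name['Roles'].split(',')

    return ret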