Automatically provision AWS EBS volumes from snapshots
Project description
Automatically provision and attach AWS EBS volumes to instances
Installation
Run pip install ebs-snatcher, or python ./setup.py
Purpose
This tool allows AWS instances to self-sufficiently provision or takeover EBS volumes for data storage. It was created to support stateful database instances that should be able to join a replication group autonomously, while making use of snapshots to start from a recent state, instead of scratch.
Process
ebs-snatcher will attempt to provision an EBS volume with the minimal possible effort for a target instance, considering that both must reside in the same availability zone. Suitable volumes and snapshots are identified by tag key-value pairs, such that different types of volumes can be managed by calling the program multiple times.
In order of preference, the choices are:
Keep using any volumes already attached to the instance
Find an existing but available volume in the same AZ as the instance, and attach it to the instance
Create a new volume from a suitable snapshot, and attach it
Create a new volume from scratch, and attach it
Identifying volumes and snapshots
Volumes and snapshots will only be considered for usage if they match the set of tags specified by the --volume-id-tag and --snapshot-search-tag arguments, respectively. They take the form of key=value pairs, and can be specified multiple times, in which case the conditions are combined in AND fashion.
Extra tags that are not used for selection can be specified with --volume-extra-tags (also in key=value format).
Attachment device selection
After a volume is provisioned, it needs to be attached to the instance and assigned a device name in the operating system. The desired name can be specified with the --attach-device argument, or it can be set to auto to start from the AWS default of /dev/sdf (earlier devices are “reserved” for instance-store volumes).
If an attachment attempt fails due to the name already being in use, and it matches known Linux disk names (/dev/(sd|xvd)[a-z]+), the next name in order will be picked and retried, in alphabetical order. The sequence starts as:
sda, sdb, ..., sdz, sdaa, ..., sdaz, sdba, ...
Volume creation
Volume creation settings are exposed as command line arguments, corresponding to the AWS API parameters, with a few observations:
The Encrypt and KMSKeyId options are combined into the --encrypt-kms-key-id argument. Providing it will enable encryption, and omitting it will disable it
Volume size will be silently ignored when creating from a snapshot, as the volume will always have the same size as the snapshot
Output
When no errors are found, the command will exit with status 0, and print a JSON document in stdout, containing at least the following keys:
- volume_id:
ID of the EBS volume that has been attached to the instance
- attached_device:
Path of the device assigned to the volume. Note that this might not match exactly the device name visible inside the instance. For example, modern Linux kernel versions use /dev/xvd* even if /dev/sd* is specified
- result:
One of present, attached or created, indicating the change in volume state (or lack thereof)
- src_snapshot_id:
Contains the snapshot ID used to provision the volume it result is created. Is null otherwise, or if the volume was created from scratch
In both cases log messages are printed to stderr.
IAM Permissions
Permissions to list volumes, snapshots and instances, to create volumes and to attach volumes to instances are necessary for ebs-snatcher to work. They should be granted to instances using IAM roles. The simplest policy allows complete access to all of those actions. It is much easier to handle, but very broad:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EBSSnatcherAll",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeVolumes",
"ec2:CreateVolume",
"ec2:AttachVolume"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
It is possible to ensure all managed volumes and instances have some chosen tags, as long as those same tags are passed to ebs-snatcher. An example policy to achieve it follows. Before using it, replace:
db-volume-type and cassandra with the desired tags for volumes
db-instance-type and cassandra with the desired tags for instances (which must have been already assigned)
<REGION> and <ACCOUNT-ID> with your own AWS account information
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EBSSnatcherDescribe",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeVolumes"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "EBSSnatcherCreateVolume",
"Action": [
"ec2:CreateVolume"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/db-volume-type": "cassandra"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "EBSSnatcherCreateVolumeTags",
"Action": [
"ec2:CreateTags"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateVolume"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:volume/*"
},
{
"Sid": "EBSSnatcherAttachVolumeVolume",
"Action": [
"ec2:AttachVolume"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/db-volume-type": "cassandra"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:volume/*"
},
{
"Sid": "EBSSnatcherAttachVolumeInstance",
"Action": [
"ec2:AttachVolume"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/db-instance-type": "cassandra"
}
},
"Resource": "arn:aws:ec2:<REGION>:<ACCOUNT-ID>:instance/*"
}
]
}
Future enhancements
Generate minimal IAM policies programatically
Pull instance information from the local metadata store (remove the need for DescribeInstances permissions)
Usage
usage: ebs-snatcher [-h] --instance-id ID --volume-id-tag KEY=VALUE --volume-size GB --snapshot-search-tag KEY=VALUE --attach-device PATH|auto [--volume-extra-tag KEY=VALUE] [--encrypt-kms-key-id KEY-ID] [--volume-type TYPE] [--volume-iops COUNT] Automatically provision AWS EBS volumes from snapshots optional arguments: -h, --help show this help message and exit --instance-id ID Instance ID to attach volumes to --volume-id-tag KEY=VALUE Tag used to identify desired volumes. Will be used to search currently attached volumes to determine if a new one is needed and applied to new volumes. Can be provided multiple times, in which case tags will be combined as an AND condition. --volume-size GB Size to assign to newly created volumes, in GBs. --snapshot-search-tag KEY=VALUE Tag used to identify snapshots to create new volumes from.Can be provided multiple times, in which case tags will be combined as an AND condition. --attach-device PATH|auto Name of device to use when attaching a volume, such as "/dev/sdb". Can also be set to "auto", in which case sequential device names starting from /dev/sdb will be tried until attaching succeeeds --volume-extra-tag KEY=VALUE Extra tags to be applied to newly create volumes, but which are not used for identification . --encrypt-kms-key-id KEY-ID Enable encryption and use the given KMS key ID for newly created volumes --volume-type TYPE Volume type to use for newly created volumes --volume-iops COUNT Number of provisioned I/O operations to assign to newly created volumes. Make sure to choose an appropriate volume type to match.
License (MIT)
Copyright (C) 2017 Cobli Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for ebs_snatcher-0.2.0-py2.py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 04a6ba912f1ed2ef3999a2bfdda9e97889e080b12c5d1c7e536f34f5fb1f96aa |
|
MD5 | 3300e8298fbeadd2d7ef1d73c8a16fb5 |
|
BLAKE2b-256 | 5acdfd5047eeddfb43e44adcc4e56e38893e094836a90698d2ee9ecd86f4fa03 |