Shell Script: script to automate modification of EBS GP2 volumes to GP3 in EC2 service #5631
Closed
Commits (8):
- 1b1b4b5 Create README.md (razguru)
- e9cb033 Uploaded main scripts - gp2 to gp3 modification (razguru)
- c9cb895 Update gp2_gp3_migration.sh (razguru)
- 187a297 Delete ebs/README.md (razguru)
- 38fb186 Create README.md (razguru)
- d7b776a Create IAM_permission.txt (razguru)
- e6d83f8 Update README.md (razguru)
- 8958c9a Update README.md (razguru)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Sid": "VisualEditor0", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"ec2:ModifyVolume", | ||
"ec2:DescribeVolumes", | ||
"ec2:DescribeVolumesModifications", | ||
"ec2:DescribeVolumeStatus", | ||
"ec2:DescribeTags", | ||
"ec2:CreateTags", | ||
"ec2:DescribeRegions", | ||
"ec2:DescribeSnapshots", | ||
"ec2:CreateSnapshot", | ||
], | ||
"Resource": "*" | ||
} | ||
] | ||
} | ||
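Review bot: the trailing comma after "ec2:CreateSnapshot" at the end of the Action array makes this file invalid JSON, so the policy cannot be pasted into IAM as written; drop the comma. Separately, "Resource": "*" lets ec2:ModifyVolume, ec2:CreateTags and ec2:CreateSnapshot act on every volume in the account. Consider moving the write actions into their own statement scoped by volume ARN or a tag condition and keeping "*" only for the Describe* calls. The copy of this policy in the README also lists ec2:CreateVolume, which is absent here; the two lists should agree, and since the README describes only discovery, modification and snapshot creation, ec2:CreateVolume looks unnecessary.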
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,185 @@ | ||
# Discover EBS volumes type GP2 and modify them to type GP3 with/without snapshot | ||
|
||
This example demonstrates how to modify EBS volume type GP2 to GP3 across a given region or all regions where customer has workload. It can auto scan all GP2 volumes or read the volume_ids input from any .text file in case modification needed only on user provided volumes. | ||
Elastic volumes supports online modification of EBS volume type GP2 to GP3, it does not bring any outage to instance. | ||
|
||
Files | ||
|
||
gp2_gp3_migration.sh - main script to perform modification | ||
gp2_gp3_migration_progress.sh - side script to track progress of modification triggered by main script | ||
|
||
|
||
Purpose | ||
|
||
The main script file contains the several function that perform the following tasks based on parameters used with the script : | ||
|
||
- Discover and create list of all GP2, GP3, io1, io2 volumes in any single region or all regions. | ||
|
||
- Modify listed GP2 volumes from a file with or without snapshot. | ||
|
||
- Discover all GP2 volumes in a region and modify all of them with or without snapshot. | ||
|
||
- Discover all GP2 volumes in all regions and modify all of them with or without snapshot. | ||
|
||
- Perform any of the above action on cross accounts where AWS configuration profile, IAM role and permissions are already setup. | ||
|
||
Prerequisites | ||
|
||
- An Amazon Web Services (AWS) account. | ||
- AWS CLI setup - [Install AWS CLI](http://docs.aws.amazon.com/cli/latest/userguide/installing.html) | ||
- IAM policy/role that allows to perform volume discovery, modification and snapshot creation - Refer: IAM_permission.txt). | ||
- Configuration profile for cross account access - refer second part of this README 'Scale the execution across accounts' | ||
|
||
|
||
Script execution | ||
|
||
- To create list of all GP2, GP3, io1, io2 volumes in any single region or all regions :: gp2_gp3_migration.sh --region <region_name>/all discover no-snapshot | ||
|
||
- To migrate listed GP2 volumes from a file w/o snapshot :: gp2_gp3_migration.sh --region <region_name> <volume_list_file.txt> no-snapshot | ||
|
||
- To migrate listed GP2 volumes from a file with snapshot :: gp2_gp3_migration.sh --region <region_name> <volume_list_file.txt> snapshot | ||
|
||
- To migrate all GP2 volumes in a region w/o snapshot :: gp2_gp3_migration.sh --region <region_name> migrate no-snapshot | ||
|
||
- To migrate all GP2 volumes in a region with snapshot :: gp2_gp3_migration.sh --region <region_name> migrate snapshot | ||
|
||
- To migrate all GP2 volumes across all regions w/o snapshot :: gp2_gp3_migration.sh --region all migrate no-snapshot | ||
|
||
- To migrate all GP2 volumes across all regions with snapshot :: gp2_gp3_migration.sh --region all migrate snapshot | ||
|
||
- To perform any of the above action on cross accounts where IAM role, permission and profile is already setup, add last 2 parameters --profile <profile_name> | ||
|
||
- To track the progress of volume modification :: gp2_gp3_migration_progress.sh <gp2_vol_id.txt> <region_name> | ||
|
||
Note - snapshot created by this script will have description: "Pre GP3 migration" and tag: key=state, value=pre-gp3 | ||
|
||
|
||
# Scale the execution across accounts | ||
|
||
We can scale the execution of this script across accounts by setting the configuration and credentials for all member's account and trigger assume role by selecting the account's profile from one executer account . | ||
|
||
|
||
Install the AWS CLI if not already done preferably on an EC2 instance in any account that will trigger automation action on all member accounts. To set up your default CLI credentials, you should gather the AWS access key and secret key for your script runner user, create an IAM user and then run the aws configure command. You will be prompted for 4 inputs (replace the placeholder keys with your user’s keys). | ||
|
||
|
||
AWS access key ID [None]: <YOUR_AWS_ACCESS_KEY> | ||
AWS secret access key [None]: <YOUR_AWS_SECRET_KEY> | ||
Default region name [None]: us-west-1 | ||
Default output format [None]: json | ||
|
||
The AWS CLI organizes configuration and credentials into two separate files found in the home directory of your operating system. They are separated to isolate your credentials from the less sensitive configuration options of region and output. | ||
|
||
~/.aws/config | ||
[default] | ||
region = us-west-1 | ||
output = json | ||
Additional Information | ||
|
||
~/.aws/credentials | ||
[default] | ||
aws_access_key_id = <YOUR_AWS_ACCESS_KEY> | ||
aws_secret_access_key = <YOUR_AWS_SECRET_KEY> | ||
|
||
As you can see, the CLI has created these two files and identified them with [default]. Now we will be using the CLI’s ability to assume a role as per named profiles of all member accounts. | ||
|
||
Reference doc : [Configuration and Credential File Settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) | ||
|
||
Setup - | ||
|
||
-- Assuming a user created in above step in executer account is ec2-ebs-modify-user, make note of its arn that will be used in next steps. | ||
|
||
-- Now create an IAM role in all member accounts with a trust policy to allow sts:AssumeRole action to be assumed by our user ec2-ebs-modify-user from executer account. | ||
|
||
-- This IAM role must have the following IAM policy to allow certain permissions in order to achieve the volume modification. | ||
|
||
IAM Role : cross-account-modify-vol | ||
|
||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Sid": "VisualEditor0", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"ec2:ModifyVolume", | ||
"ec2:DescribeVolumes", | ||
"ec2:DescribeVolumesModifications", | ||
"ec2:DescribeVolumeStatus", | ||
"ec2:DescribeTags", | ||
"ec2:CreateTags", | ||
"ec2:DescribeRegions", | ||
"ec2:CreateVolume", | ||
"ec2:DescribeSnapshots", | ||
"ec2:CreateSnapshot" | ||
], | ||
"Resource": "*" | ||
} | ||
] | ||
} | ||
|
||
|
||
IAM policy : ec2-ebs-modify-policy | ||
|
||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"AWS": "arn:aws:iam::999999999999:user/ec2-ebs-modify-user" | ||
}, | ||
"Action": "sts:AssumeRole" | ||
} | ||
] | ||
} | ||
Trust relationship : Pls update the highlighted placeholder as per you user arn from mgmt account. | ||
|
||
-- Make note of IAM roles created in member's accounts. | ||
|
||
-- Now add/update the IAM policy of IAM user "ec2-ebs-modify-user" in executer account where we will allow our user to assume the roles created in memeber's accounts. | ||
|
||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Sid": "VisualEditor0", | ||
"Effect": "Allow", | ||
"Action": "sts:AssumeRole", | ||
"Resource": [ | ||
"arn:aws:iam::333333333333:role/cross-account-modify-vol", | ||
"arn:aws:iam::444444444444:role/cross-account-modify-vol", | ||
"arn:aws:iam::555555555555:role/cross-account-modify-vol", | ||
] | ||
} | ||
] | ||
} | ||
|
||
-- Setup profile for all your member accounts - | ||
|
||
aws configure set profile.333333333333.role_arn arn:aws:iam::333333333333role/cross-account-modify-vol | ||
|
||
aws configure set profile.333333333333.source_profile default | ||
|
||
aws configure set profile.444444444444.role_arn arn:aws:iam::444444444444:role/cross-account-modify-vol | ||
|
||
aws configure set profile.444444444444.source_profile default | ||
|
||
aws configure set profile.555555555555.role_arn arn:aws:iam::5555555555555:role/cross-account-modify-vol | ||
|
||
aws configure set profile.555555555555.source_profile default | ||
|
||
-- Create a list of account numbers to be used in our script, assuming all account numbers are listed in account_list | ||
|
||
-- Now call the script as per you use case with for loop to execute on all accounts listed in our account_list based on the profile setup. | ||
|
||
Sample commands : | ||
|
||
for a in `cat account_list`; do /home/gp2_gp3_migration.sh --region all discover no-snapshot --profile $a; done | ||
for a in `cat account_list`; do /home/gp2_gp3_migration.sh --region all migrate snapshot --profile $a; done | ||
bash gp2_gp3_migration.sh --region all migrate no-snapshot --profile <account no / profile name as per your setup> | ||
|
||
|
||
|
||
As an AWS best practice, grant this code least privilege, or only the permissions required to perform a task. For more information, see Grant Least Privilege in the AWS Identity and Access Management (IAM) User Guide. | ||
This code has not been tested in all AWS Regions. Some AWS services are available only in specific Regions. For more information, see Service Endpoints and Quotas in the AWS General Reference Guide. | ||
Running this code can result in charges to your AWS account. It's your responsibility to ensure that any resources created by this script are removed when you are done with them. |
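Review bot: two of the role ARNs in the `aws configure set profile.*.role_arn` commands are malformed, so those profiles will fail to assume the role: the 333333333333 entry is missing the colon before `role/` (`arn:aws:iam::333333333333role/cross-account-modify-vol`), and the 555555555555 entry carries a 13-digit account ID (`5555555555555`). In the Setup section the labels are swapped: "IAM Role : cross-account-modify-vol" sits above the permissions policy and "IAM policy : ec2-ebs-modify-policy" above the trust policy, with the "Trust relationship" sentence placed after the JSON it describes. The sts:AssumeRole policy for ec2-ebs-modify-user has a trailing comma after the last Resource ARN, which is invalid JSON. On credentials, the text recommends running from an EC2 instance yet stores a long-lived IAM user access key in ~/.aws/credentials; using an instance role as the source for the member-account profiles (`credential_source = Ec2InstanceMetadata` in place of `source_profile`) would avoid static keys, with the trust policy then naming that role rather than the user. Minor: a stray "Additional Information" line sits inside the ~/.aws/config sample, and the sentence about gathering the access key before creating the IAM user has its steps out of order.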
Recommended: rename file to JSON to match data type.