I have different EC2 instances trying to access RDS instance. I want to upfront set RDS instance 'canonical name' within configuration file so that after deployment I don't need to make any changes to configuration files.
I have following questions:
Is there anyway, one can assign canonical name to a RDS instance within cloudformation template?
If above is not possible, can I setup dependency chain between EC2 creation and RDS instance (i.e. create RDS instance first, query it's name/ip and than create EC2 instance)
Thx
The canonical name of an RDS instance will always be generated automatically by AWS, however the naming scheme is consistent. The format of the name is:
<instance_name>.<arbitrary_string>.<region>.rds.amazonaws.com
The arbitrary_string section of the name is a string that uniquely identifies your AWS account. All RDS instances created within your account will use the same string identifier, so just grab that section from an existing RDS instance and you can piece together the full name based on the name you give the database and the region you launch it in.
If you want to have an easy to read/remember DNS name then you can always use Route 53 to assign another name as an alias to this.
Related
I am trying to create a read replica of an rds database in a different region via terraform. I am able to achieve via the AWS console, however when applying through Terraform (0.14.10) the apply fails with the following:
Error: Error creating DB Instance: InvalidParameterCombination: The DB instance and EC2 security group are in different VPCs. The DB instance is in vpc-xxx and the EC2 security group is in vpc-yyy
TF block:
resource "aws_db_instance" "replica" {
count = var.enable_peering_read_replica ? 1 : 0
name = db-replica
identifier = db-replica
replicate_source_db = source-db
instance_class = "db.t3.small"
apply_immediately = true
publicly_accessible = false
skip_final_snapshot = true
vpc_security_group_ids = [aws_security_group.peering_sg.id]
}
For the replicate_source_db I have used the arn and the db name, but still get the same error.
This is a tricky one and made me suffer a lot. Even when there are many threads similar to this one around there, none of them led me to the complete solution.
The full explanation is the following. There are two possible scenarios:
The database replica will be created in the same region as the source database.
The database replica will be created in a different region than the source database.
Scenario 2 is the point of this post and it's the one I was trying to cover too. These are the facts:
For replicate_source_db, specify a valid DB instance ARN. AWS Doc.
db_subnet_group_name: The DB instance will be created in the VPC associated with the DB subnet group. If unspecified, it will be created in the default VPC, or in EC2 Classic, if available. When working with read replicas, it should be specified only if the source database specifies an instance in another AWS Region. db_instance module doc
And last but not least, even with the above options correctly set the read replica is created in the default VPC. Why? The answer is that there is another configuration that is crucial to achieving the desired goal, cross_region_replica. The default value of this property is false and it was the cause of all my confusion. We need to set it to true.
For a complete set of examples that really work, check Same region example and Different region example
The error msg is clear: Your DB and the security group are in different VPCs. This means that you can't associate them. Your security group aws_security_group.peering_sg.id (definition not shown) must be in the same VPC as your DB.
I am trying to list down all the EC2 instances with its IAM role attached using boto3 in python3. But I don't find any method to get the IAM role attached to existing EC2 instance. is there any method in boto3 to do that ?
When I describe an Instance, It has a key name IamInstanceProfile. That contains instance profile id and arn of the iam instance profile. I don't find name of IAM instance profile or any other info about IAM roles attached to it. I tried to use instance profile id to describe instance profile, But it seems to describe an instance profile, we need name of instance profile (not the id).
Can someone help on this ? I might be missing something.
Thanks
When we describe EC2 instance, We get IamInstanceProfile key which has Arn and id.
Arn has IamInstanceProfile name attached to it.
Arn': 'arn:aws:iam::1234567890:instance-profile/instanceprofileOrRolename'
This name can be used for further operation like get role description or listing policies attached to role.
Thanks
You can get the metadata of an EC2 instance by making an HTTP call to http://169.254.169.254/latest/meta-data/ from the instance.
In your case, you may want to navigate to http://169.254.169.254/latest/meta-data/iam/security-credentials to get the IAM role attached to the instance.
EC2 Instance Metadata
You can call IAM list_instance_profiles(), and then filter the results by the ARN or ID from EC2 describe_instances() result. This response will contain Roles for given instance profile.
Boto3 IAM documentation
I am creating an EMR cluster using the aws_emr_cluster resource in terraform.
I need to get access to the instance ID of the underlying EC2 hardware, specifically the MASTER node.
It does not appear in the attributes and neither when I perform an terraform show
The data definitely exists and is available in AWS.
Does anyone know how I can get at this value and how to do it it using terraform?
You won't be able to access the nodes (EC2 Instances) in an EMR Cluster through terraform. It is the same case for AutoScaling Groups too.
If terraform includes EMR or ASG nodes, state file will be changed everytime a change happens in EMR/ASG. So, storing the instance information won't be ideal for terraform.
Instead, you can use AWS SDK/CLI/boto3 to see them.
Thanks.
I am using the boto3 Python3 module provided by AWS. I'm able to extract the security key name and the various tags associated with an EC2 instance. Unfortunately, none of that information tells me who created the instance.
Is there a way to use AWS IAM to see what active instances were created by a user?
I'm trying to create a table in a local instance of DynamoDB using PowerShell cmdlets. In VS AWS Explorer I created a DDB instance and bound it to port:10000. Right after that, the new DB was created where name is KEYID_us-east-1.db
In the PS script, I'm setting up the AWS context and the table to create it in eu-central-1 region. Despite this, the new table is created in us-east-1 db, so the PS cmdlet ignored my region settings and used default one.
In the mean time, when I specify a different region in NodeJS, but the same endpoint that I use in PS script, after accessing the db, the new DB appears with region that I specified.
Why does this happen?
Please refer the "Notes" section on the below link. Looks like the local dynamodb instance use the region to create the database file. However, the local instance is not using the region effectively in the same way as AWS remote dynamodb instance.
"Bullet Point : 2 - The values that you supply for the AWS access key and the Region are only used to name the database file."
https://aws.amazon.com/blogs/aws/dynamodb-local-for-desktop-development/