This pack uses boto3 actions in StackStorm dynamically. It has the following features:
- Uses boto3 configurations. Find more information on boto3 configuration in boto3 documentation.
- Ability to run cross region actions.
- Ability to run cross account actions.
AWS and Stackstorm, up and running.
Boto3 contains detailed documentation and examples on each service. See more about available services here: http://boto3.readthedocs.io/en/latest/reference/services/index.html
-
Install the AWS_boto3 pack:
# Install AWS st2 pack install aws_boto3 # Check it st2 action list -p aws_boto3
This pack currently has no configuration (See issue #4).
The simplest way to configure and test boto3 is to use awscli
.
pip install awscli
aws configure
aws ec2 describe-vpcs --region "eu-west-1"
Or you can pass aws_access_key_id
and aws_secret_access_key
in as parameters to assume_role
along with optional
MFA parameters.
Then go ahead and install aws pack and then aws_boto3.boto3action
is ready to use, without additional configurations.
st2 run aws_boto3.boto3action service="ec2" action_name="describe_vpcs" region="us-west-1"
Let’s assume there is a boto3 profile name production
. Use it like this:
st2 run aws_boto3.boto3action service="ec2" action_name="describe_vpcs" region="us-west-1" env="AWS_PROFILE=production"
See the Boto3 documentation for more information on profiles.
st2 run aws_boto3.boto3action service="autoscaling" region="us-east-1" action_name="set_desired_capacity" params='{"AutoScalingGroupName": "my_asg","DesiredCapacity": 2}'
Create an EC2 instance with defined keypair, subnet and security group:
st2 run aws_boto3.create_instance \
region=us-east-1 \
ImageId=ami-1234abcd \
KeyName=deployment-key \
SubnetId=subnet-5678efef \
SecurityGroupIds='["sg-dcba9100"]'
Create an instance and assign tags:
st2 run --auto-dict aws_boto3.create_instance \
ImageId=ami-1234abcd \
Tags=Name:my-instance \
Tags=Owner:[email protected]
Create an VPC and a single subnet, run the following command:
st2 run aws_boto3.create_vpc \
cidr_block="172.18.0.0/16" \
region="eu-west-1" \
availability_zone="us-west-2b" \
subnet_cidr_block="172.18.0.0/24"
Let’s assume we have two aws accounts. First aws account (123456
) is already configured to use boto3. The second aws
account (456789
) has a IAM
role st2_role
assigned to the ST2 instance. We can assume this role, then
use create_vpc
workflow to create vpc in aws account 456789.
st2 run aws_boto3.create_vpc \
role_arn="arn:aws:iam:456789:role/st2_role" \
cidr_block="172.18.0.0/16" \
region="eu-west-1" \
availability_zone="eu-west-1a" \
subnet_cidr_block="172.18.0.0/24"
If you have your own IAM account (oliver
) in 123456
and are allowed to switch roles to st2_role
within
account 456789
(plus and have exported variables for AWS_ACCESS_KEY_ID
and AWS_SECRET_ACCESS_KEY
) you
could run the following command to create a VPC:
st2 run aws_boto3.create_vpc_assume_role role_arn="arn:aws:iam::456789:role/st2_role" \
region="eu-west-1" cidr_block="172.18.0.0/16" availability_zone="eu-west-1a" subnet_cidr_block="172.18.0.0/24" \
aws_access_key_id="${AWS_ACCESS_KEY_ID}" aws_secret_access_key="${AWS_SECRET_ACCESS_KEY}" \
serial_number="arn:aws:iam::123456:mfa/oliver" use_mfa=True token_code=123456