Instância AWS Spot com função AIM e grupo de segurança

Se você precisar temporariamente de uma instância na AWS, pode optar por uma instância local para minimizar seus custos. Aqui está um script ruby ​​para solicitar uma instância spot, atribuir função AIM concedendo acesso de leitura a um bucket S3 e Grupo de segurança para permitir SSH na instância.

require 'aws-sdk'
require
'base64'

def request_spot_instance
ec2
= AWS::EC2.new(:ec2_endpoint => "ec2.ap-southeast-2.amazonaws.com")
iam
= AWS::IAM.new

sg
= create_security_group(ec2)
ip_arn
= create_instance_profile(iam)

spot_request
= {
spot_price
: "0.0101",
instance_count
: 1,
launch_specification
: {
image_id
: 'ami-3b4bd301',
key_name
: 'my-keypair',
instance_type
: 'm3.medium',
security_groups
: [sg.name],
user_data
: Base64.encode64('#!/bin/bashnecho "Initialising instance"'),
placement
: {
availability_zone
: "ap-southeast-2a"
},
iam_instance_profile
: {
arn
: ip_arn
},
block_device_mappings
: [{
device_name
: "/dev/sda1",
ebs
: {
volume_size
: 30
}
}]
}
}

response
= ec2.client.request_spot_instances(spot_request)
end

Encontre ou crie o grupo de segurança

def create_security_group(ec2)
sg_name
= "MySecurityGroup"

ec2
.security_groups.each do |sg|
return sg if sg.name.eql?(sg_name)
end

sg
= ec2.security_groups.create(sg_name)
sg
.authorize_ingress(:tcp, 22, '0.0.0.0/0')
sg

end

Encontre ou crie o perfil da instância e a função AIM

def create_instance_profile(iam)
role_name
= "S3Role"
instance_profile_name
= "S3InstanceProfile"

iam
.client.list_instance_profiles[:instance_profiles].each do |ip|
return ip[:arn] if ip[:instance_profile_name].eql? instance_profile_name
end

policy
= AWS::IAM::Policy.new
policy
.allow(:actions => ["s3:Get*","s3:List*"], :resources => 'arn:aws:s3:::myBucket*')

assume_role_policy_document
= '{"Version":"2008-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":["ec2.amazonaws.com"]},"Action":["sts:AssumeRole"]}]}'

iam
.client.create_role(
:role_name => role_name,
:assume_role_policy_document => assume_role_policy_document)

iam
.client.put_role_policy(
:role_name => role_name,
:policy_name => "AccessMyBucket",
:policy_document => policy.to_json)

resp
= iam.client.create_instance_profile(
:instance_profile_name => instance_profile_name)
profile_arn
= resp[:instance_profile][:arn]

iam
.client.add_role_to_instance_profile(
:instance_profile_name => instance_profile_name,
:role_name => role_name)

profile_arn

end