Example 2: Scripted runbook
This example runbook addresses the following scenario. Emily is a Systems Engineer at AnyCompany Consultants, LLC. She previously created two runbooks that are used in a parent-child relationship to patch groups of Amazon Elastic Compute Cloud (Amazon EC2) instances that host primary and secondary databases. Applications access these databases 24 hours a day, so one of the database instances must always be available.
Based on this requirement, she built a solution that patches the instances in stages using the AWS-RunPatchBaseline Systems Manager (SSM) document. By using this SSM document, her colleagues can review the associated patch compliance information after the patching operation completes.
The primary group of database instances is patched first, followed by the secondary group. Also, to avoid incurring additional costs by leaving instances running that were previously stopped, Emily made sure that the automation returns each patched instance to the state it was in before the patching occurred. Emily used tags associated with the primary and secondary groups of database instances to identify which instances should be patched, and in which order.
Her existing automated solution works, but she wants to improve it if possible. To help with the maintenance of the runbook content and to ease troubleshooting, she would like to condense the automation into a single runbook and reduce the number of input parameters. She would also like to avoid creating multiple child automations.
After Emily reviews the available automation actions, she determines that she can improve her solution by using the aws:executeScript action to run her custom Python scripts. She now begins authoring the content for the runbook as follows:
- First, she provides values for the schema and description of the runbook, and defines the input parameters for the parent runbook. By using the AutomationAssumeRole parameter, Emily and her colleagues can use an existing IAM role that allows Automation to perform the actions in the runbook on their behalf. Unlike Example 1, the AutomationAssumeRole parameter is now required rather than optional. Because this runbook includes aws:executeScript actions, an AWS Identity and Access Management (IAM) service role (or assume role) is always required. This requirement is necessary because some of the Python scripts specified for the actions call AWS API operations, and they do so with the permissions of that role, so the role should be scoped to the EC2 describe, start, and stop operations the scripts call and to what the aws:runCommand action needs. Emily uses the PrimaryPatchGroupTag and SecondaryPatchGroupTag parameters to specify the tags associated with the primary and secondary groups of database instances that will be patched. To simplify the required input parameters, she uses StringMap parameters rather than the multiple String parameters she used in the Example 1 runbook. Optionally, the Operation, RebootOption, and SnapshotId parameters can be used to provide values to the document parameters of AWS-RunPatchBaseline. To prevent invalid values from being passed to those document parameters, she defines allowedValues for them as needed.
- With the top-level elements defined, Emily proceeds with authoring the actions that make up the mainSteps of the runbook. The first step gathers the IDs of all instances associated with the tag specified in the PrimaryPatchGroupTag parameter and outputs a StringMap containing each instance ID and the current state of the instance. The output of this action is used in later actions. Note that the script input parameter isn't supported for JSON runbooks; JSON runbooks must provide script content using the attachment input parameter.
- Emily uses the output from the previous action in another aws:executeScript action to verify that all instances associated with the tag specified in the PrimaryPatchGroupTag parameter are in a running state. If the instance state is already running or shutting-down, the script continues to loop through the remaining instances. If the instance state is stopping, the script polls until the instance reaches the stopped state and then starts the instance. If the instance state is stopped, the script starts the instance.
- Having started the instances that were not running, Emily uses another script to verify that all instances associated with the tag specified in the PrimaryPatchGroupTag parameter, including those started in the previous action, have reached the running state before patching begins.
- Emily uses two more scripts to return individual String values for the key and the value of the tag specified in the PrimaryPatchGroupTag parameter. The values returned by these actions let her provide values directly to the Targets parameter of the aws:runCommand action. The automation then patches the instances by running the AWS-RunPatchBaseline document with the aws:runCommand action.
- After the patching operation completes, Emily wants the automation to return the target instances associated with the tag specified in the PrimaryPatchGroupTag parameter to the state they were in before the automation started. She does this by again using the output from the first action in a script. Based on the original state of the target instance, if the instance was previously in any state other than running, the instance is stopped. Otherwise, if the original state was running, the script continues to loop through the remaining instances.
- The patching operation is now complete for the instances associated with the tag specified in the PrimaryPatchGroupTag parameter. Emily duplicates all of the previous actions in her runbook content to target the instances associated with the tag specified in the SecondaryPatchGroupTag parameter.
- Emily reviews the completed scripted runbook content and creates the runbook in the same AWS account and AWS Region as the target instances. Now she's ready to test her runbook to make sure the automation operates as desired before implementing it in her production environment. The following is the completed scripted runbook content.
For more information about the automation actions used in this example, see the Systems Manager Automation actions reference.
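The script logic the steps above describe, written out as an added example for this page; it is not Emily's runbook, not the completed runbook content, and not AWS code. Each handler keeps the (events, context) signature that aws:executeScript calls and takes the EC2 client as an argument, so the same logic can be driven offline by the constructed FakeEC2 class at the bottom; the instance IDs, tag key and tag values in demo() are made up. Three deviations from the page's description are marked in the code as assumptions: pending and terminated instances are skipped by the start step alongside running and shutting-down; the tag key/value split that the page performs with two separate scripts is returned by the first handler instead; and the final handler checks the current state before calling StopInstances, since stopping an instance that is already gone fails. Every wait is bounded by max_polls, so a stuck instance raises instead of spinning until the step times out. The aws:runCommand step that runs AWS-RunPatchBaseline is not modelled.

```python
import time

# States the start step leaves alone. The page lists running and shutting-down;
# pending and terminated are added here (assumption) because neither can be started.
NO_START = {"running", "pending", "shutting-down", "terminated"}

def _describe_states(ec2, instance_ids=None, filters=None):
    """Return {instance_id: state_name}, following NextToken pagination."""
    kwargs = {k: v for k, v in (("InstanceIds", list(instance_ids or [])), ("Filters", filters)) if v}
    states = {}
    while True:
        page = ec2.describe_instances(**kwargs)
        for res in page.get("Reservations", []):
            states.update({i["InstanceId"]: i["State"]["Name"] for i in res.get("Instances", [])})
        if not page.get("NextToken"):
            return states
        kwargs["NextToken"] = page["NextToken"]

def _wait_for_state(ec2, instance_ids, target, sleep, poll_seconds, max_polls):
    """Poll until every instance reports `target`; raise rather than loop forever."""
    pending = set(instance_ids)
    for _ in range(max_polls):
        states = _describe_states(ec2, sorted(pending)) if pending else {}
        pending = {i for i in pending if states.get(i) != target}
        if not pending:
            return
        sleep(poll_seconds)
    raise TimeoutError(f"instances never reached {target}: {sorted(pending)}")

def get_instances_by_tag(events, context, ec2):
    """Step 1: record ID and current state of every tagged instance; the tag split is folded in (assumption)."""
    (key, value), = events["PatchGroupTag"].items()  # the StringMap must hold exactly one pair
    states = _describe_states(ec2, filters=[{"Name": f"tag:{key}", "Values": [value]}])
    return {"InstanceStates": states, "TagKey": key, "TagValue": value}

def start_instances(events, context, ec2, sleep=time.sleep, poll_seconds=5, max_polls=60):
    """Step 2: start stopped instances; a stopping instance must reach stopped first."""
    started = []
    for instance_id, state in events["InstanceStates"].items():
        if state in NO_START:
            continue
        if state == "stopping":
            _wait_for_state(ec2, [instance_id], "stopped", sleep, poll_seconds, max_polls)
        ec2.start_instances(InstanceIds=[instance_id])
        started.append(instance_id)
    return {"StartedInstances": started}

def verify_running(events, context, ec2, sleep=time.sleep, poll_seconds=5, max_polls=60):
    """Step 3: confirm every instance recorded in step 1 (unless it is going away) is running."""
    targets = [i for i, s in events["InstanceStates"].items() if s not in ("shutting-down", "terminated")]
    _wait_for_state(ec2, targets, "running", sleep, poll_seconds, max_polls)
    return {"RunningInstances": sorted(targets)}

def restore_original_state(events, context, ec2):
    """Step 5: stop only instances step 1 recorded as not running, and only if they run now (assumption)."""
    candidates = [i for i, s in events["InstanceStates"].items() if s != "running"]
    current = _describe_states(ec2, candidates) if candidates else {}
    to_stop = sorted(i for i in candidates if current.get(i) == "running")
    if to_stop:
        ec2.stop_instances(InstanceIds=to_stop)
    return {"StoppedInstances": to_stop}

def run_patch_group(patch_group_tag, ec2, sleep=time.sleep):
    """mainSteps for one group; step 4 (aws:runCommand with AWS-RunPatchBaseline) is not modelled."""
    out = get_instances_by_tag({"PatchGroupTag": patch_group_tag}, None, ec2)
    out.update(start_instances(out, None, ec2, sleep=sleep))
    out.update(verify_running(out, None, ec2, sleep=sleep))
    out.update(restore_original_state(out, None, ec2))
    return out

class FakeEC2:
    """Constructed stand-in for boto3's EC2 client; transient states advance one step per describe call."""
    _NEXT = {"pending": "running", "stopping": "stopped", "shutting-down": "terminated"}
    def __init__(self, instances):
        self.instances = instances  # id -> {"state": ..., "tags": {...}}
    def describe_instances(self, InstanceIds=None, Filters=()):
        def wanted(i, d):  # honours the InstanceIds list and tag:<key> filters, the only ones used above
            return (InstanceIds is None or i in InstanceIds) and all(
                d["tags"].get(f["Name"][len("tag:"):]) in f["Values"] for f in Filters)
        snapshot = [{"InstanceId": i, "State": {"Name": d["state"]}} for i, d in self.instances.items() if wanted(i, d)]
        for d in self.instances.values():
            d["state"] = self._NEXT.get(d["state"], d["state"])
        return {"Reservations": [{"Instances": snapshot}]}
    def _transition(self, ids, required, new):
        for i in ids:
            if self.instances[i]["state"] != required:
                raise RuntimeError(f"IncorrectInstanceState: {i} is {self.instances[i]['state']}")
            self.instances[i]["state"] = new
        return {}
    def start_instances(self, InstanceIds):
        return self._transition(InstanceIds, "stopped", "pending")
    def stop_instances(self, InstanceIds):
        return self._transition(InstanceIds, "running", "stopping")

def demo():
    ec2 = FakeEC2({  # constructed fleet; the IDs are not real
        "i-0aaa": {"state": "running", "tags": {"Patch Group": "primary-db"}},
        "i-0bbb": {"state": "stopped", "tags": {"Patch Group": "primary-db"}},
        "i-0ccc": {"state": "stopping", "tags": {"Patch Group": "primary-db"}},
        "i-0ddd": {"state": "running", "tags": {"Patch Group": "secondary-db"}},
    })  # primary group first, then secondary, as the runbook orders them
    results = [run_patch_group({"Patch Group": g}, ec2, sleep=lambda _: None) for g in ("primary-db", "secondary-db")]
    return results, ec2.instances
```

Inside a runbook, each function body would become the Handler of an aws:executeScript step, with the client created by boto3.client("ec2") in the step and each returned key selected in the step's Outputs with a Selector such as $.Payload.InstanceStates. The sleep, poll_seconds and max_polls arguments exist so the logic can be tested without waiting; in demo() the fake advances stopping to stopped and pending to running on each describe call, so the polling paths in steps 2 and 3 are genuinely exercised, and the secondary group is only touched after the primary group has been returned to its original state.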