There are more AWS SDK examples available in the [AWS Doc SDK Examples](https://github.com/awsdocs/aws-doc-sdk-examples) GitHub repo. # Code examples for AWS CLI with Bash script The following code examples show you how to use the AWS Command Line Interface with Bash script with AWS. *Basics* are code examples that show you how to perform the essential operations within a service. *Actions* are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Some services contain additional example categories that show how to leverage libraries or functions specific to the service. **More resources** + ** [AWS CLI with Bash script Developer Guide ](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) ** – More about using Bash with AWS. + ** [AWS Developer Center ](https://aws.amazon.com/developer/code-examples/?awsf.sdk-code-examples-programming-language=programming-language%23bash) ** – Code examples that you can filter by category or full-text search. + ** [AWS SDK Examples](https://github.com/awsdocs/aws-doc-sdk-examples) ** – GitHub repo with complete code in preferred languages. Includes instructions for setting up and running the code. **Topics** + [API Gateway](bash_2_api-gateway_code_examples.md) + [Athena](bash_2_athena_code_examples.md) + [AWS Batch](bash_2_batch_code_examples.md) + [AWS Cloud Map](bash_2_servicediscovery_code_examples.md) + [CloudFormation](bash_2_cloudformation_code_examples.md) + [CloudFront](bash_2_cloudfront_code_examples.md) + [CloudWatch](bash_2_cloudwatch_code_examples.md) + [CloudWatch Logs](bash_2_cloudwatch-logs_code_examples.md) + [Amazon Cognito Identity Provider](bash_2_cognito-identity-provider_code_examples.md) + [AWS Config](bash_2_config-service_code_examples.md) + [Amazon Connect](bash_2_connect_code_examples.md) + [Direct Connect](bash_2_direct-connect_code_examples.md) + [Amazon DocumentDB](bash_2_docdb_code_examples.md) + [DynamoDB](bash_2_dynamodb_code_examples.md) + [Amazon EC2](bash_2_ec2_code_examples.md) + [Amazon ECR](bash_2_ecr_code_examples.md) + [Amazon ECS](bash_2_ecs_code_examples.md) + [Amazon EKS](bash_2_eks_code_examples.md) + [Elastic Load Balancing - Version 2](bash_2_elastic-load-balancing-v2_code_examples.md) + [ElastiCache](bash_2_elasticache_code_examples.md) + [Amazon EMR](bash_2_emr_code_examples.md) + [OpenSearch Service](bash_2_opensearch_code_examples.md) + [AWS FIS](bash_2_fis_code_examples.md) + [AWS Glue](bash_2_glue_code_examples.md) + [HealthImaging](bash_2_medical-imaging_code_examples.md) + [IAM](bash_2_iam_code_examples.md) + [AWS IoT](bash_2_iot_code_examples.md) + [AWS KMS](bash_2_kms_code_examples.md) + [Lambda](bash_2_lambda_code_examples.md) + [Lightsail](bash_2_lightsail_code_examples.md) + [Amazon Managed Grafana](bash_2_grafana_code_examples.md) + [MediaConnect](bash_2_mediaconnect_code_examples.md) + [Amazon MSK](bash_2_kafka_code_examples.md) + [Neptune](bash_2_neptune_code_examples.md) + [AWS Payment Cryptography](bash_2_payment-cryptography_code_examples.md) + [Amazon Pinpoint](bash_2_pinpoint_code_examples.md) + [Amazon Polly](bash_2_polly_code_examples.md) + [Amazon RDS](bash_2_rds_code_examples.md) + [Amazon Redshift](bash_2_redshift_code_examples.md) + [Amazon S3](bash_2_s3_code_examples.md) + [SageMaker AI](bash_2_sagemaker_code_examples.md) + [Secrets Manager](bash_2_secrets-manager_code_examples.md) + [Amazon SES](bash_2_ses_code_examples.md) + [Amazon SNS](bash_2_sns_code_examples.md) + [Step Functions](bash_2_sfn_code_examples.md) + [AWS STS](bash_2_sts_code_examples.md) + [Support](bash_2_support_code_examples.md) + [Systems Manager](bash_2_ssm_code_examples.md) + [Amazon Textract](bash_2_textract_code_examples.md) + [VPC Lattice](bash_2_vpc-lattice_code_examples.md) + [AWS WAFV2](bash_2_wafv2_code_examples.md) + [WorkSpaces](bash_2_workspaces_code_examples.md) # API Gateway examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with API Gateway. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Create a REST API with Lambda proxy integration The following code example shows how to: + Create an IAM role for Lambda execution + Create and deploy a Lambda function + Create a REST API + Configure Lambda proxy integration + Deploy and test the API + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/087-apigateway-lambda-integration) repository. ``` #!/bin/bash # Simple API Gateway Lambda Integration Script # This script creates a REST API with Lambda proxy integration # Generate random identifiers FUNCTION_NAME="GetStartedLambdaProxyIntegration-$(openssl rand -hex 4)" ROLE_NAME="GetStartedLambdaBasicExecutionRole-$(openssl rand -hex 4)" API_NAME="LambdaProxyAPI-$(openssl rand -hex 4)" # Get AWS account info ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) REGION=$(aws configure get region || echo "us-east-1") echo "Creating Lambda function code..." # Create Lambda function code cat > lambda_function.py << 'EOF' import json def lambda_handler(event, context): print(event) greeter = 'World' try: if (event['queryStringParameters']) and (event['queryStringParameters']['greeter']) and ( event['queryStringParameters']['greeter'] is not None): greeter = event['queryStringParameters']['greeter'] except KeyError: print('No greeter') try: if (event['multiValueHeaders']) and (event['multiValueHeaders']['greeter']) and ( event['multiValueHeaders']['greeter'] is not None): greeter = " and ".join(event['multiValueHeaders']['greeter']) except KeyError: print('No greeter') try: if (event['headers']) and (event['headers']['greeter']) and ( event['headers']['greeter'] is not None): greeter = event['headers']['greeter'] except KeyError: print('No greeter') if (event['body']) and (event['body'] is not None): body = json.loads(event['body']) try: if (body['greeter']) and (body['greeter'] is not None): greeter = body['greeter'] except KeyError: print('No greeter') res = { "statusCode": 200, "headers": { "Content-Type": "*/*" }, "body": "Hello, " + greeter + "!" } return res EOF # Create deployment package zip function.zip lambda_function.py echo "Creating IAM role..." # Create IAM trust policy cat > trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create IAM role aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document file://trust-policy.json # Attach execution policy aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" # Wait for role propagation sleep 15 echo "Creating Lambda function..." # Create Lambda function aws lambda create-function \ --function-name "$FUNCTION_NAME" \ --runtime python3.9 \ --role "arn:aws:iam::$ACCOUNT_ID:role/$ROLE_NAME" \ --handler lambda_function.lambda_handler \ --zip-file fileb://function.zip echo "Creating API Gateway..." # Create REST API aws apigateway create-rest-api \ --name "$API_NAME" \ --endpoint-configuration types=REGIONAL # Get API ID API_ID=$(aws apigateway get-rest-apis --query "items[?name=='$API_NAME'].id" --output text) # Get root resource ID ROOT_RESOURCE_ID=$(aws apigateway get-resources --rest-api-id "$API_ID" --query 'items[?path==`/`].id' --output text) # Create helloworld resource aws apigateway create-resource \ --rest-api-id "$API_ID" \ --parent-id "$ROOT_RESOURCE_ID" \ --path-part helloworld # Get resource ID RESOURCE_ID=$(aws apigateway get-resources --rest-api-id "$API_ID" --query "items[?pathPart=='helloworld'].id" --output text) # Create ANY method aws apigateway put-method \ --rest-api-id "$API_ID" \ --resource-id "$RESOURCE_ID" \ --http-method ANY \ --authorization-type NONE # Set up Lambda proxy integration LAMBDA_URI="arn:aws:apigateway:$REGION:lambda:path/2015-03-31/functions/arn:aws:lambda:$REGION:$ACCOUNT_ID:function:$FUNCTION_NAME/invocations" aws apigateway put-integration \ --rest-api-id "$API_ID" \ --resource-id "$RESOURCE_ID" \ --http-method ANY \ --type AWS_PROXY \ --integration-http-method POST \ --uri "$LAMBDA_URI" # Grant API Gateway permission to invoke Lambda SOURCE_ARN="arn:aws:execute-api:$REGION:$ACCOUNT_ID:$API_ID/*/*" aws lambda add-permission \ --function-name "$FUNCTION_NAME" \ --statement-id "apigateway-invoke-$(openssl rand -hex 4)" \ --action lambda:InvokeFunction \ --principal apigateway.amazonaws.com \ --source-arn "$SOURCE_ARN" # Deploy API aws apigateway create-deployment \ --rest-api-id "$API_ID" \ --stage-name test echo "Testing API..." # Test the API INVOKE_URL="https://$API_ID.execute-api.$REGION.amazonaws.com/test/helloworld" echo "API URL: $INVOKE_URL" # Test with query parameter echo "Testing with query parameter:" curl -X GET "$INVOKE_URL?greeter=John" echo "" # Test with header echo "Testing with header:" curl -X GET "$INVOKE_URL" \ -H 'content-type: application/json' \ -H 'greeter: John' echo "" # Test with body echo "Testing with POST body:" curl -X POST "$INVOKE_URL" \ -H 'content-type: application/json' \ -d '{ "greeter": "John" }' echo "" echo "Tutorial completed! API is available at: $INVOKE_URL" # Cleanup echo "Cleaning up resources..." # Delete API aws apigateway delete-rest-api --rest-api-id "$API_ID" # Delete Lambda function aws lambda delete-function --function-name "$FUNCTION_NAME" # Detach policy and delete role aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" aws iam delete-role --role-name "$ROLE_NAME" # Clean up local files rm -f lambda_function.py function.zip trust-policy.json echo "Cleanup completed!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AddPermission](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/AddPermission) + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateDeployment](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/CreateDeployment) + [CreateFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/CreateFunction) + [CreateResource](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/CreateResource) + [CreateRestApi](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/CreateRestApi) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/DeleteFunction) + [DeleteRestApi](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/DeleteRestApi) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetResources](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/GetResources) + [GetRestApis](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/GetRestApis) + [PutIntegration](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/PutIntegration) + [PutMethod](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/PutMethod) # Athena examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Athena. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting started with Amazon Athena The following code example shows how to: + Create an S3 bucket for query results + Create a database + Create a table + Run a query + Create and use named queries + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/061-amazon-athena-gs) repository. ``` #!/bin/bash # Amazon Athena Getting Started Script # This script demonstrates how to use Amazon Athena with AWS CLI # It creates a database, table, runs queries, and manages named queries # Set up logging LOG_FILE="athena-tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon Athena Getting Started Tutorial..." echo "Logging to $LOG_FILE" # Function to handle errors handle_error() { echo "ERROR: $1" echo "Resources created:" if [ -n "$NAMED_QUERY_ID" ]; then echo "- Named Query: $NAMED_QUERY_ID" fi if [ -n "$DATABASE_NAME" ]; then echo "- Database: $DATABASE_NAME" if [ -n "$TABLE_NAME" ]; then echo "- Table: $TABLE_NAME in $DATABASE_NAME" fi fi if [ -n "$S3_BUCKET" ]; then echo "- S3 Bucket: $S3_BUCKET" fi echo "Exiting..." exit 1 } # Generate a random identifier for S3 bucket RANDOM_ID=$(openssl rand -hex 6) S3_BUCKET="athena-${RANDOM_ID}" DATABASE_NAME="mydatabase" TABLE_NAME="cloudfront_logs" # Get the current AWS region AWS_REGION=$(aws configure get region) if [ -z "$AWS_REGION" ]; then AWS_REGION="us-east-1" echo "No AWS region found in configuration, defaulting to $AWS_REGION" fi echo "Using AWS Region: $AWS_REGION" # Create S3 bucket for Athena query results echo "Creating S3 bucket for Athena query results: $S3_BUCKET" CREATE_BUCKET_RESULT=$(aws s3 mb "s3://$S3_BUCKET" 2>&1) if echo "$CREATE_BUCKET_RESULT" | grep -i "error"; then handle_error "Failed to create S3 bucket: $CREATE_BUCKET_RESULT" fi echo "$CREATE_BUCKET_RESULT" # Step 1: Create a database echo "Step 1: Creating Athena database: $DATABASE_NAME" CREATE_DB_RESULT=$(aws athena start-query-execution \ --query-string "CREATE DATABASE IF NOT EXISTS $DATABASE_NAME" \ --result-configuration "OutputLocation=s3://$S3_BUCKET/output/" 2>&1) if echo "$CREATE_DB_RESULT" | grep -i "error"; then handle_error "Failed to create database: $CREATE_DB_RESULT" fi QUERY_ID=$(echo "$CREATE_DB_RESULT" | grep -o '"QueryExecutionId": "[^"]*' | cut -d'"' -f4) echo "Database creation query ID: $QUERY_ID" # Wait for database creation to complete echo "Waiting for database creation to complete..." while true; do QUERY_STATUS=$(aws athena get-query-execution --query-execution-id "$QUERY_ID" --query "QueryExecution.Status.State" --output text 2>&1) if [ "$QUERY_STATUS" = "SUCCEEDED" ]; then echo "Database creation completed successfully." break elif [ "$QUERY_STATUS" = "FAILED" ] || [ "$QUERY_STATUS" = "CANCELLED" ]; then handle_error "Database creation failed with status: $QUERY_STATUS" fi echo "Database creation in progress, status: $QUERY_STATUS" sleep 2 done # Verify the database was created echo "Verifying database creation..." LIST_DB_RESULT=$(aws athena list-databases --catalog-name AwsDataCatalog 2>&1) if echo "$LIST_DB_RESULT" | grep -i "error"; then handle_error "Failed to list databases: $LIST_DB_RESULT" fi echo "$LIST_DB_RESULT" # Step 2: Create a table echo "Step 2: Creating Athena table: $TABLE_NAME" # Replace the region placeholder in the S3 location CREATE_TABLE_QUERY="CREATE EXTERNAL TABLE IF NOT EXISTS $DATABASE_NAME.$TABLE_NAME ( \`Date\` DATE, Time STRING, Location STRING, Bytes INT, RequestIP STRING, Method STRING, Host STRING, Uri STRING, Status INT, Referrer STRING, os STRING, Browser STRING, BrowserVersion STRING ) ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.RegexSerDe' WITH SERDEPROPERTIES ( \"input.regex\" = \"^(?!#)([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+[^\\\\(]+[\\\\(]([^\\\\;]+).*\\\\%20([^\\\\/]+)[\\\\/](.*)$\" ) LOCATION 's3://athena-examples-us-east-1/cloudfront/plaintext/';" CREATE_TABLE_RESULT=$(aws athena start-query-execution \ --query-string "$CREATE_TABLE_QUERY" \ --result-configuration "OutputLocation=s3://$S3_BUCKET/output/" 2>&1) if echo "$CREATE_TABLE_RESULT" | grep -i "error"; then handle_error "Failed to create table: $CREATE_TABLE_RESULT" fi QUERY_ID=$(echo "$CREATE_TABLE_RESULT" | grep -o '"QueryExecutionId": "[^"]*' | cut -d'"' -f4) echo "Table creation query ID: $QUERY_ID" # Wait for table creation to complete echo "Waiting for table creation to complete..." while true; do QUERY_STATUS=$(aws athena get-query-execution --query-execution-id "$QUERY_ID" --query "QueryExecution.Status.State" --output text 2>&1) if [ "$QUERY_STATUS" = "SUCCEEDED" ]; then echo "Table creation completed successfully." break elif [ "$QUERY_STATUS" = "FAILED" ] || [ "$QUERY_STATUS" = "CANCELLED" ]; then handle_error "Table creation failed with status: $QUERY_STATUS" fi echo "Table creation in progress, status: $QUERY_STATUS" sleep 2 done # Verify the table was created echo "Verifying table creation..." LIST_TABLE_RESULT=$(aws athena list-table-metadata \ --catalog-name AwsDataCatalog \ --database-name "$DATABASE_NAME" 2>&1) if echo "$LIST_TABLE_RESULT" | grep -i "error"; then handle_error "Failed to list tables: $LIST_TABLE_RESULT" fi echo "$LIST_TABLE_RESULT" # Step 3: Query data echo "Step 3: Running a query on the table..." QUERY="SELECT os, COUNT(*) count FROM $DATABASE_NAME.$TABLE_NAME WHERE date BETWEEN date '2014-07-05' AND date '2014-08-05' GROUP BY os" QUERY_RESULT=$(aws athena start-query-execution \ --query-string "$QUERY" \ --result-configuration "OutputLocation=s3://$S3_BUCKET/output/" 2>&1) if echo "$QUERY_RESULT" | grep -i "error"; then handle_error "Failed to run query: $QUERY_RESULT" fi QUERY_ID=$(echo "$QUERY_RESULT" | grep -o '"QueryExecutionId": "[^"]*' | cut -d'"' -f4) echo "Query execution ID: $QUERY_ID" # Wait for query to complete echo "Waiting for query to complete..." while true; do QUERY_STATUS=$(aws athena get-query-execution --query-execution-id "$QUERY_ID" --query "QueryExecution.Status.State" --output text 2>&1) if [ "$QUERY_STATUS" = "SUCCEEDED" ]; then echo "Query completed successfully." break elif [ "$QUERY_STATUS" = "FAILED" ] || [ "$QUERY_STATUS" = "CANCELLED" ]; then handle_error "Query failed with status: $QUERY_STATUS" fi echo "Query in progress, status: $QUERY_STATUS" sleep 2 done # Get query results echo "Getting query results..." RESULTS=$(aws athena get-query-results --query-execution-id "$QUERY_ID" 2>&1) if echo "$RESULTS" | grep -i "error"; then handle_error "Failed to get query results: $RESULTS" fi echo "$RESULTS" # Download results from S3 echo "Downloading query results from S3..." S3_PATH=$(aws athena get-query-execution --query-execution-id "$QUERY_ID" --query "QueryExecution.ResultConfiguration.OutputLocation" --output text 2>&1) if echo "$S3_PATH" | grep -i "error"; then handle_error "Failed to get S3 path for results: $S3_PATH" fi DOWNLOAD_RESULT=$(aws s3 cp "$S3_PATH" "./query-results.csv" 2>&1) if echo "$DOWNLOAD_RESULT" | grep -i "error"; then handle_error "Failed to download query results: $DOWNLOAD_RESULT" fi echo "Query results downloaded to query-results.csv" # Step 4: Create a named query echo "Step 4: Creating a named query..." NAMED_QUERY_RESULT=$(aws athena create-named-query \ --name "OS Count Query" \ --description "Count of operating systems in CloudFront logs" \ --database "$DATABASE_NAME" \ --query-string "$QUERY" 2>&1) if echo "$NAMED_QUERY_RESULT" | grep -i "error"; then handle_error "Failed to create named query: $NAMED_QUERY_RESULT" fi NAMED_QUERY_ID=$(echo "$NAMED_QUERY_RESULT" | grep -o '"NamedQueryId": "[^"]*' | cut -d'"' -f4) echo "Named query created with ID: $NAMED_QUERY_ID" # List named queries echo "Listing named queries..." LIST_QUERIES_RESULT=$(aws athena list-named-queries 2>&1) if echo "$LIST_QUERIES_RESULT" | grep -i "error"; then handle_error "Failed to list named queries: $LIST_QUERIES_RESULT" fi echo "$LIST_QUERIES_RESULT" # Get the named query details echo "Getting named query details..." GET_QUERY_RESULT=$(aws athena get-named-query --named-query-id "$NAMED_QUERY_ID" 2>&1) if echo "$GET_QUERY_RESULT" | grep -i "error"; then handle_error "Failed to get named query: $GET_QUERY_RESULT" fi echo "$GET_QUERY_RESULT" # Execute the named query echo "Executing the named query..." QUERY_STRING=$(aws athena get-named-query --named-query-id "$NAMED_QUERY_ID" --query "NamedQuery.QueryString" --output text 2>&1) if echo "$QUERY_STRING" | grep -i "error"; then handle_error "Failed to get query string: $QUERY_STRING" fi EXEC_RESULT=$(aws athena start-query-execution \ --query-string "$QUERY_STRING" \ --result-configuration "OutputLocation=s3://$S3_BUCKET/output/" 2>&1) if echo "$EXEC_RESULT" | grep -i "error"; then handle_error "Failed to execute named query: $EXEC_RESULT" fi QUERY_ID=$(echo "$EXEC_RESULT" | grep -o '"QueryExecutionId": "[^"]*' | cut -d'"' -f4) echo "Named query execution ID: $QUERY_ID" # Wait for named query to complete echo "Waiting for named query execution to complete..." while true; do QUERY_STATUS=$(aws athena get-query-execution --query-execution-id "$QUERY_ID" --query "QueryExecution.Status.State" --output text 2>&1) if [ "$QUERY_STATUS" = "SUCCEEDED" ]; then echo "Named query execution completed successfully." break elif [ "$QUERY_STATUS" = "FAILED" ] || [ "$QUERY_STATUS" = "CANCELLED" ]; then handle_error "Named query execution failed with status: $QUERY_STATUS" fi echo "Named query execution in progress, status: $QUERY_STATUS" sleep 2 done # Summary of resources created echo "" echo "===========================================" echo "RESOURCES CREATED" echo "===========================================" echo "- S3 Bucket: $S3_BUCKET" echo "- Database: $DATABASE_NAME" echo "- Table: $TABLE_NAME" echo "- Named Query: $NAMED_QUERY_ID" echo "- Query results saved to: query-results.csv" echo "===========================================" # Prompt for cleanup echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Starting cleanup..." # Delete named query echo "Deleting named query: $NAMED_QUERY_ID" DELETE_QUERY_RESULT=$(aws athena delete-named-query --named-query-id "$NAMED_QUERY_ID" 2>&1) if echo "$DELETE_QUERY_RESULT" | grep -i "error"; then echo "Warning: Failed to delete named query: $DELETE_QUERY_RESULT" else echo "Named query deleted successfully." fi # Drop table echo "Dropping table: $TABLE_NAME" DROP_TABLE_RESULT=$(aws athena start-query-execution \ --query-string "DROP TABLE IF EXISTS $DATABASE_NAME.$TABLE_NAME" \ --result-configuration "OutputLocation=s3://$S3_BUCKET/output/" 2>&1) if echo "$DROP_TABLE_RESULT" | grep -i "error"; then echo "Warning: Failed to drop table: $DROP_TABLE_RESULT" else QUERY_ID=$(echo "$DROP_TABLE_RESULT" | grep -o '"QueryExecutionId": "[^"]*' | cut -d'"' -f4) echo "Waiting for table deletion to complete..." while true; do QUERY_STATUS=$(aws athena get-query-execution --query-execution-id "$QUERY_ID" --query "QueryExecution.Status.State" --output text 2>&1) if [ "$QUERY_STATUS" = "SUCCEEDED" ]; then echo "Table dropped successfully." break elif [ "$QUERY_STATUS" = "FAILED" ] || [ "$QUERY_STATUS" = "CANCELLED" ]; then echo "Warning: Table deletion failed with status: $QUERY_STATUS" break fi echo "Table deletion in progress, status: $QUERY_STATUS" sleep 2 done fi # Drop database echo "Dropping database: $DATABASE_NAME" DROP_DB_RESULT=$(aws athena start-query-execution \ --query-string "DROP DATABASE IF EXISTS $DATABASE_NAME" \ --result-configuration "OutputLocation=s3://$S3_BUCKET/output/" 2>&1) if echo "$DROP_DB_RESULT" | grep -i "error"; then echo "Warning: Failed to drop database: $DROP_DB_RESULT" else QUERY_ID=$(echo "$DROP_DB_RESULT" | grep -o '"QueryExecutionId": "[^"]*' | cut -d'"' -f4) echo "Waiting for database deletion to complete..." while true; do QUERY_STATUS=$(aws athena get-query-execution --query-execution-id "$QUERY_ID" --query "QueryExecution.Status.State" --output text 2>&1) if [ "$QUERY_STATUS" = "SUCCEEDED" ]; then echo "Database dropped successfully." break elif [ "$QUERY_STATUS" = "FAILED" ] || [ "$QUERY_STATUS" = "CANCELLED" ]; then echo "Warning: Database deletion failed with status: $QUERY_STATUS" break fi echo "Database deletion in progress, status: $QUERY_STATUS" sleep 2 done fi # Empty and delete S3 bucket echo "Emptying S3 bucket: $S3_BUCKET" EMPTY_BUCKET_RESULT=$(aws s3 rm "s3://$S3_BUCKET" --recursive 2>&1) if echo "$EMPTY_BUCKET_RESULT" | grep -i "error"; then echo "Warning: Failed to empty S3 bucket: $EMPTY_BUCKET_RESULT" else echo "S3 bucket emptied successfully." fi echo "Deleting S3 bucket: $S3_BUCKET" DELETE_BUCKET_RESULT=$(aws s3 rb "s3://$S3_BUCKET" 2>&1) if echo "$DELETE_BUCKET_RESULT" | grep -i "error"; then echo "Warning: Failed to delete S3 bucket: $DELETE_BUCKET_RESULT" else echo "S3 bucket deleted successfully." fi echo "Cleanup completed." else echo "Cleanup skipped. Resources will remain in your AWS account." fi echo "Tutorial completed successfully!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [Cp](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Cp) + [CreateNamedQuery](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/CreateNamedQuery) + [DeleteNamedQuery](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/DeleteNamedQuery) + [GetNamedQuery](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/GetNamedQuery) + [GetQueryExecution](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/GetQueryExecution) + [GetQueryResults](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/GetQueryResults) + [ListDatabases](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/ListDatabases) + [ListNamedQueries](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/ListNamedQueries) + [ListTableMetadata](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/ListTableMetadata) + [Mb](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Mb) + [Rb](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rb) + [Rm](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rm) + [StartQueryExecution](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/StartQueryExecution) # AWS Batch examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with AWS Batch. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting started with Batch and Fargate The following code example shows how to: + Create an IAM execution role + Create a compute environment + Create a job queue + Create a job definition + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/011-getting-started-batch-fargate) repository. ``` #!/bin/bash # AWS Batch Fargate Getting Started Script - Fixed Version # This script demonstrates creating AWS Batch resources with Fargate orchestration # set -e # Exit on any error # Configuration SCRIPT_NAME="batch-fargate-tutorial" LOG_FILE="${SCRIPT_NAME}-$(date +%Y%m%d-%H%M%S).log" RANDOM_SUFFIX=$(openssl rand -hex 6) COMPUTE_ENV_NAME="batch-fargate-compute-${RANDOM_SUFFIX}" JOB_QUEUE_NAME="batch-fargate-queue-${RANDOM_SUFFIX}" JOB_DEF_NAME="batch-fargate-jobdef-${RANDOM_SUFFIX}" JOB_NAME="batch-hello-world-${RANDOM_SUFFIX}" ROLE_NAME="BatchEcsTaskExecutionRole-${RANDOM_SUFFIX}" TRUST_POLICY_FILE="batch-trust-policy-${RANDOM_SUFFIX}.json" # Array to track created resources for cleanup CREATED_RESOURCES=() # Logging function log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE" } # Error handling function handle_error() { log "ERROR: Script failed at line $1" log "Attempting to clean up resources created so far..." cleanup_resources exit 1 } # Set up error handling trap 'handle_error $LINENO' ERR # Function to wait for resource to be ready wait_for_compute_env() { local env_name=$1 log "Waiting for compute environment $env_name to be VALID..." while true; do local status=$(aws batch describe-compute-environments \ --compute-environments "$env_name" \ --query 'computeEnvironments[0].status' \ --output text 2>/dev/null || echo "NOT_FOUND") if [ "$status" = "VALID" ]; then log "Compute environment $env_name is ready" break elif [ "$status" = "INVALID" ] || [ "$status" = "NOT_FOUND" ]; then log "ERROR: Compute environment $env_name failed to create properly" return 1 fi log "Compute environment status: $status. Waiting 10 seconds..." sleep 10 done } # Function to wait for job queue to be ready wait_for_job_queue() { local queue_name=$1 log "Waiting for job queue $queue_name to be VALID..." while true; do local state=$(aws batch describe-job-queues \ --job-queues "$queue_name" \ --query 'jobQueues[0].state' \ --output text 2>/dev/null || echo "NOT_FOUND") if [ "$state" = "ENABLED" ]; then log "Job queue $queue_name is ready" break elif [ "$state" = "DISABLED" ] || [ "$state" = "NOT_FOUND" ]; then log "ERROR: Job queue $queue_name failed to create properly" return 1 fi log "Job queue state: $state. Waiting 10 seconds..." sleep 10 done } # Function to wait for job completion wait_for_job() { local job_id=$1 log "Waiting for job $job_id to complete..." while true; do local status=$(aws batch describe-jobs \ --jobs "$job_id" \ --query 'jobs[0].status' \ --output text 2>/dev/null || echo "NOT_FOUND") if [ "$status" = "SUCCEEDED" ]; then log "Job $job_id completed successfully" break elif [ "$status" = "FAILED" ]; then log "ERROR: Job $job_id failed" return 1 fi log "Job status: $status. Waiting 30 seconds..." sleep 30 done } # FIXED: Added function to wait for resource state before deletion wait_for_resource_state() { local resource_type=$1 local resource_name=$2 local expected_state=$3 local max_attempts=30 local attempt=0 log "Waiting for $resource_type $resource_name to reach state: $expected_state" while [ $attempt -lt $max_attempts ]; do local current_state="" case $resource_type in "JOB_QUEUE") current_state=$(aws batch describe-job-queues \ --job-queues "$resource_name" \ --query 'jobQueues[0].state' \ --output text 2>/dev/null || echo "NOT_FOUND") ;; "COMPUTE_ENV") current_state=$(aws batch describe-compute-environments \ --compute-environments "$resource_name" \ --query 'computeEnvironments[0].status' \ --output text 2>/dev/null || echo "NOT_FOUND") ;; esac if [ "$current_state" = "$expected_state" ]; then log "$resource_type $resource_name is now in state: $expected_state" return 0 fi log "$resource_type $resource_name state: $current_state (waiting for $expected_state)" sleep 10 ((attempt++)) done log "WARNING: $resource_type $resource_name did not reach expected state after $max_attempts attempts" return 1 } # Cleanup function cleanup_resources() { log "Starting cleanup of created resources..." # Clean up in reverse order of creation for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do local resource="${CREATED_RESOURCES[i]}" local resource_type=$(echo "$resource" | cut -d: -f1) local resource_name=$(echo "$resource" | cut -d: -f2) log "Cleaning up $resource_type: $resource_name" case $resource_type in "JOB_QUEUE") # FIXED: Validate state before deletion aws batch update-job-queue --job-queue "$resource_name" --state DISABLED 2>/dev/null || true wait_for_resource_state "JOB_QUEUE" "$resource_name" "DISABLED" || true aws batch delete-job-queue --job-queue "$resource_name" 2>/dev/null || true ;; "COMPUTE_ENV") # FIXED: Validate state before deletion aws batch update-compute-environment --compute-environment "$resource_name" --state DISABLED 2>/dev/null || true wait_for_resource_state "COMPUTE_ENV" "$resource_name" "DISABLED" || true aws batch delete-compute-environment --compute-environment "$resource_name" 2>/dev/null || true ;; "IAM_ROLE") aws iam detach-role-policy --role-name "$resource_name" --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" 2>/dev/null || true aws iam delete-role --role-name "$resource_name" 2>/dev/null || true ;; "FILE") rm -f "$resource_name" 2>/dev/null || true ;; esac done log "Cleanup completed" } # Main script execution main() { log "Starting AWS Batch Fargate tutorial script - Fixed Version" log "Log file: $LOG_FILE" # Get AWS account ID log "Getting AWS account ID..." ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) log "Account ID: $ACCOUNT_ID" # Get default VPC and subnets log "Getting default VPC and subnets..." DEFAULT_VPC=$(aws ec2 describe-vpcs \ --filters "Name=is-default,Values=true" \ --query 'Vpcs[0].VpcId' \ --output text) if [ "$DEFAULT_VPC" = "None" ] || [ "$DEFAULT_VPC" = "null" ]; then log "ERROR: No default VPC found. Please create a VPC first." exit 1 fi log "Default VPC: $DEFAULT_VPC" # Get subnets in the default VPC SUBNETS=$(aws ec2 describe-subnets \ --filters "Name=vpc-id,Values=$DEFAULT_VPC" \ --query 'Subnets[*].SubnetId' \ --output text) if [ -z "$SUBNETS" ]; then log "ERROR: No subnets found in default VPC" exit 1 fi # Convert tab/space-separated subnets to JSON array format SUBNET_ARRAY=$(echo "$SUBNETS" | tr '\t ' '\n' | sed 's/^/"/;s/$/"/' | paste -sd ',' -) log "Subnets: $SUBNETS" log "Subnet array: [$SUBNET_ARRAY]" # Get default security group for the VPC DEFAULT_SG=$(aws ec2 describe-security-groups \ --filters "Name=vpc-id,Values=$DEFAULT_VPC" "Name=group-name,Values=default" \ --query 'SecurityGroups[0].GroupId' \ --output text) if [ "$DEFAULT_SG" = "None" ] || [ "$DEFAULT_SG" = "null" ]; then log "ERROR: No default security group found in VPC" exit 1 fi log "Default security group: $DEFAULT_SG" # Step 1: Create IAM execution role log "Step 1: Creating IAM execution role..." # Create trust policy document cat > "$TRUST_POLICY_FILE" << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF CREATED_RESOURCES+=("FILE:$TRUST_POLICY_FILE") # Create the role aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document "file://$TRUST_POLICY_FILE" CREATED_RESOURCES+=("IAM_ROLE:$ROLE_NAME") # Attach policy aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" log "IAM role created: $ROLE_NAME" # FIXED: Wait for IAM role propagation log "Waiting for IAM role propagation (15 seconds)..." sleep 15 # Step 2: Create compute environment log "Step 2: Creating Fargate compute environment..." aws batch create-compute-environment \ --compute-environment-name "$COMPUTE_ENV_NAME" \ --type MANAGED \ --state ENABLED \ --compute-resources "{ \"type\": \"FARGATE\", \"maxvCpus\": 256, \"subnets\": [$SUBNET_ARRAY], \"securityGroupIds\": [\"$DEFAULT_SG\"] }" CREATED_RESOURCES+=("COMPUTE_ENV:$COMPUTE_ENV_NAME") # Wait for compute environment to be ready wait_for_compute_env "$COMPUTE_ENV_NAME" # Step 3: Create job queue log "Step 3: Creating job queue..." aws batch create-job-queue \ --job-queue-name "$JOB_QUEUE_NAME" \ --state ENABLED \ --priority 900 \ --compute-environment-order order=1,computeEnvironment="$COMPUTE_ENV_NAME" CREATED_RESOURCES+=("JOB_QUEUE:$JOB_QUEUE_NAME") # Wait for job queue to be ready wait_for_job_queue "$JOB_QUEUE_NAME" # Step 4: Create job definition log "Step 4: Creating job definition..." aws batch register-job-definition \ --job-definition-name "$JOB_DEF_NAME" \ --type container \ --platform-capabilities FARGATE \ --container-properties "{ \"image\": \"busybox\", \"resourceRequirements\": [ {\"type\": \"VCPU\", \"value\": \"0.25\"}, {\"type\": \"MEMORY\", \"value\": \"512\"} ], \"command\": [\"echo\", \"hello world\"], \"networkConfiguration\": { \"assignPublicIp\": \"ENABLED\" }, \"executionRoleArn\": \"arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}\" }" log "Job definition created: $JOB_DEF_NAME" # Step 5: Submit job log "Step 5: Submitting job..." JOB_ID=$(aws batch submit-job \ --job-name "$JOB_NAME" \ --job-queue "$JOB_QUEUE_NAME" \ --job-definition "$JOB_DEF_NAME" \ --query 'jobId' \ --output text) log "Job submitted with ID: $JOB_ID" # Step 6: Wait for job completion and view output log "Step 6: Waiting for job completion..." wait_for_job "$JOB_ID" # Get log stream name log "Getting job logs..." LOG_STREAM=$(aws batch describe-jobs \ --jobs "$JOB_ID" \ --query 'jobs[0].attempts[0].taskProperties.containers[0].logStreamName' \ --output text) if [ "$LOG_STREAM" != "None" ] && [ "$LOG_STREAM" != "null" ]; then log "Log stream: $LOG_STREAM" log "Job output:" aws logs get-log-events \ --log-group-name "/aws/batch/job" \ --log-stream-name "$LOG_STREAM" \ --query 'events[*].message' \ --output text | tee -a "$LOG_FILE" else log "No log stream available for job" fi log "Tutorial completed successfully!" # Show created resources echo "" echo "===========================================" echo "CREATED RESOURCES" echo "===========================================" echo "The following resources were created:" for resource in "${CREATED_RESOURCES[@]}"; do echo " - $resource" done echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup_resources log "All resources have been cleaned up" else log "Resources left intact. You can clean them up manually later." echo "To clean up manually, run the following commands:" echo "aws batch update-job-queue --job-queue $JOB_QUEUE_NAME --state DISABLED" echo "aws batch delete-job-queue --job-queue $JOB_QUEUE_NAME" echo "aws batch update-compute-environment --compute-environment $COMPUTE_ENV_NAME --state DISABLED" echo "aws batch delete-compute-environment --compute-environment $COMPUTE_ENV_NAME" echo "aws iam detach-role-policy --role-name $ROLE_NAME --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" echo "aws iam delete-role --role-name $ROLE_NAME" fi } # Run main function main "$@" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateComputeEnvironment](https://docs.aws.amazon.com/goto/aws-cli/batch-2016-08-10/CreateComputeEnvironment) + [CreateJobQueue](https://docs.aws.amazon.com/goto/aws-cli/batch-2016-08-10/CreateJobQueue) + [DeleteComputeEnvironment](https://docs.aws.amazon.com/goto/aws-cli/batch-2016-08-10/DeleteComputeEnvironment) + [DeleteJobQueue](https://docs.aws.amazon.com/goto/aws-cli/batch-2016-08-10/DeleteJobQueue) + [DescribeComputeEnvironments](https://docs.aws.amazon.com/goto/aws-cli/batch-2016-08-10/DescribeComputeEnvironments) + [DescribeJobQueues](https://docs.aws.amazon.com/goto/aws-cli/batch-2016-08-10/DescribeJobQueues) + [DescribeJobs](https://docs.aws.amazon.com/goto/aws-cli/batch-2016-08-10/DescribeJobs) + [RegisterJobDefinition](https://docs.aws.amazon.com/goto/aws-cli/batch-2016-08-10/RegisterJobDefinition) + [SubmitJob](https://docs.aws.amazon.com/goto/aws-cli/batch-2016-08-10/SubmitJob) + [UpdateComputeEnvironment](https://docs.aws.amazon.com/goto/aws-cli/batch-2016-08-10/UpdateComputeEnvironment) + [UpdateJobQueue](https://docs.aws.amazon.com/goto/aws-cli/batch-2016-08-10/UpdateJobQueue) # AWS Cloud Map examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with AWS Cloud Map. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Cloud Map custom attributes The following code example shows how to: + Create an Cloud Map namespace + Create a DynamoDB table + Create an Cloud Map data service and register the DynamoDB table + Create an IAM role for Lambda functions + Create the Lambda function to write data + Create an Cloud Map app service and register the Lambda write function + Create the Lambda function to read data **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/004-cloudmap-custom-attributes) repository. ``` #!/bin/bash # AWS Cloud Map Tutorial Script # This script demonstrates how to use AWS Cloud Map for service discovery with custom attributes # Set up logging LOG_FILE="cloudmap-tutorial.log" echo "AWS Cloud Map Tutorial Script" > $LOG_FILE echo "Started at $(date)" >> $LOG_FILE # Array to track created resources for cleanup CREATED_RESOURCES=() # Function to log commands and their output log_cmd() { echo "$ $1" | tee -a $LOG_FILE eval "$1" | tee -a $LOG_FILE } # Function to handle errors handle_error() { local LINE=$1 echo "An error occurred at line $LINE" | tee -a $LOG_FILE echo "Resources created so far:" | tee -a $LOG_FILE for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" | tee -a $LOG_FILE done echo "Attempting to clean up resources..." | tee -a $LOG_FILE cleanup exit 1 } # Set up error handling trap 'handle_error $LINENO' ERR # Helper function to wait for Cloud Map operations to complete wait_for_operation() { local OPERATION_ID=$1 local TIMEOUT=300 # 5 minutes timeout local START_TIME=$(date +%s) while true; do local STATUS=$(aws servicediscovery get-operation --operation-id $OPERATION_ID --query 'Operation.Status' --output text) if [ "$STATUS" == "SUCCESS" ]; then echo "Operation completed successfully" | tee -a $LOG_FILE break elif [ "$STATUS" == "FAIL" ]; then echo "Operation failed" | tee -a $LOG_FILE return 1 fi local CURRENT_TIME=$(date +%s) if [ $((CURRENT_TIME - START_TIME)) -gt $TIMEOUT ]; then echo "Operation timed out" | tee -a $LOG_FILE return 1 fi sleep 5 done return 0 } # Function to clean up resources cleanup() { echo "Cleaning up resources..." | tee -a $LOG_FILE # Reverse the order of created resources for proper deletion for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do resource="${CREATED_RESOURCES[$i]}" echo "Deleting $resource..." | tee -a $LOG_FILE if [[ $resource == "instance:"* ]]; then # Extract service ID and instance ID SERVICE_ID=$(echo $resource | cut -d':' -f2) INSTANCE_ID=$(echo $resource | cut -d':' -f3) # Check if instance exists before trying to deregister INSTANCE_EXISTS=$(aws servicediscovery list-instances --service-id $SERVICE_ID --query "Instances[?Id=='$INSTANCE_ID'].Id" --output text 2>/dev/null || echo "") if [[ -n "$INSTANCE_EXISTS" ]]; then OPERATION_ID=$(aws servicediscovery deregister-instance --service-id $SERVICE_ID --instance-id $INSTANCE_ID --query 'OperationId' --output text) # Wait for deregistration to complete echo "Waiting for instance deregistration to complete..." | tee -a $LOG_FILE wait_for_operation $OPERATION_ID else echo "Instance $INSTANCE_ID already deregistered" | tee -a $LOG_FILE fi elif [[ $resource == "lambda:"* ]]; then # Extract function name FUNCTION_NAME=$(echo $resource | cut -d':' -f2) aws lambda delete-function --function-name $FUNCTION_NAME elif [[ $resource == "role:"* ]]; then # Extract role name ROLE_NAME=$(echo $resource | cut -d':' -f2) # Detach all policies first for POLICY_ARN in $(aws iam list-attached-role-policies --role-name $ROLE_NAME --query 'AttachedPolicies[*].PolicyArn' --output text); do aws iam detach-role-policy --role-name $ROLE_NAME --policy-arn $POLICY_ARN done # Delete the role aws iam delete-role --role-name $ROLE_NAME elif [[ $resource == "dynamodb:"* ]]; then # Extract table name TABLE_NAME=$(echo $resource | cut -d':' -f2) aws dynamodb delete-table --table-name $TABLE_NAME # Wait for table deletion to complete echo "Waiting for DynamoDB table deletion to complete..." | tee -a $LOG_FILE aws dynamodb wait table-not-exists --table-name $TABLE_NAME fi done # Handle services separately to ensure all instances are deregistered first for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do resource="${CREATED_RESOURCES[$i]}" if [[ $resource == "service:"* ]]; then # Extract service ID SERVICE_ID=$(echo $resource | cut -d':' -f2) echo "Deleting service $SERVICE_ID..." | tee -a $LOG_FILE # Make sure all instances are deregistered INSTANCES=$(aws servicediscovery list-instances --service-id $SERVICE_ID --query 'Instances[*].Id' --output text) if [[ -n "$INSTANCES" ]]; then echo "Service still has instances. Waiting before deletion..." | tee -a $LOG_FILE sleep 10 fi # Try to delete the service aws servicediscovery delete-service --id $SERVICE_ID sleep 5 fi done # Handle namespaces last to ensure all services are deleted first for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do resource="${CREATED_RESOURCES[$i]}" if [[ $resource == "namespace:"* ]]; then # Extract namespace ID NAMESPACE_ID=$(echo $resource | cut -d':' -f2) echo "Deleting namespace $NAMESPACE_ID..." | tee -a $LOG_FILE # Check if namespace still has services SERVICES=$(aws servicediscovery list-services --filters "Name=NAMESPACE_ID,Values=$NAMESPACE_ID,Condition=EQ" --query 'Services[*].Id' --output text) if [[ -n "$SERVICES" ]]; then echo "Namespace still has services. Deleting them first..." | tee -a $LOG_FILE for SERVICE_ID in $SERVICES; do echo "Deleting service $SERVICE_ID..." | tee -a $LOG_FILE aws servicediscovery delete-service --id $SERVICE_ID done sleep 5 fi # Try to delete the namespace OPERATION_ID=$(aws servicediscovery delete-namespace --id $NAMESPACE_ID --query 'OperationId' --output text 2>/dev/null || echo "") if [[ -n "$OPERATION_ID" ]]; then echo "Waiting for namespace deletion to complete..." | tee -a $LOG_FILE wait_for_operation $OPERATION_ID else echo "Failed to delete namespace or namespace already deleted" | tee -a $LOG_FILE fi fi done echo "Cleanup complete" | tee -a $LOG_FILE } # Step 1: Create an AWS Cloud Map namespace echo "Step 1: Creating AWS Cloud Map namespace..." | tee -a $LOG_FILE # Check if namespace already exists NAMESPACE_ID=$(aws servicediscovery list-namespaces --query "Namespaces[?Name=='cloudmap-tutorial'].Id" --output text) if [[ -z "$NAMESPACE_ID" || "$NAMESPACE_ID" == "None" ]]; then log_cmd "aws servicediscovery create-http-namespace --name cloudmap-tutorial --creator-request-id namespace-request" OPERATION_ID=$(aws servicediscovery create-http-namespace --name cloudmap-tutorial --creator-request-id namespace-request --query 'OperationId' --output text) # Wait for namespace creation to complete echo "Waiting for namespace creation to complete..." | tee -a $LOG_FILE wait_for_operation $OPERATION_ID # Get the namespace ID NAMESPACE_ID=$(aws servicediscovery list-namespaces --query "Namespaces[?Name=='cloudmap-tutorial'].Id" --output text) echo "Namespace created with ID: $NAMESPACE_ID" | tee -a $LOG_FILE else echo "Namespace cloudmap-tutorial already exists with ID: $NAMESPACE_ID" | tee -a $LOG_FILE fi CREATED_RESOURCES+=("namespace:$NAMESPACE_ID") # Step 2: Create a DynamoDB table echo "Step 2: Creating DynamoDB table..." | tee -a $LOG_FILE # Check if table already exists TABLE_EXISTS=$(aws dynamodb describe-table --table-name cloudmap 2>&1 || echo "NOT_EXISTS") if [[ $TABLE_EXISTS == *"ResourceNotFoundException"* || $TABLE_EXISTS == "NOT_EXISTS" ]]; then log_cmd "aws dynamodb create-table --table-name cloudmap --attribute-definitions AttributeName=id,AttributeType=S --key-schema AttributeName=id,KeyType=HASH --billing-mode PAY_PER_REQUEST" # Wait for DynamoDB table to become active echo "Waiting for DynamoDB table to become active..." | tee -a $LOG_FILE aws dynamodb wait table-exists --table-name cloudmap else echo "DynamoDB table cloudmap already exists" | tee -a $LOG_FILE fi CREATED_RESOURCES+=("dynamodb:cloudmap") # Step 3: Create an AWS Cloud Map data service echo "Step 3: Creating AWS Cloud Map data service..." | tee -a $LOG_FILE # Get all services in the namespace echo "Listing all services in namespace $NAMESPACE_ID..." | tee -a $LOG_FILE SERVICES=$(aws servicediscovery list-services --filters "Name=NAMESPACE_ID,Values=$NAMESPACE_ID,Condition=EQ" --query 'Services[*].[Id,Name]' --output text) echo "Services found: $SERVICES" | tee -a $LOG_FILE # Check if data service already exists DATA_SERVICE_ID="" while read -r id name || [[ -n "$id" ]]; do echo "Checking service: ID=$id, Name=$name" | tee -a $LOG_FILE if [[ "$name" == "data-service" ]]; then DATA_SERVICE_ID="$id" break fi done <<< "$SERVICES" if [[ -z "$DATA_SERVICE_ID" ]]; then echo "Data service does not exist, creating it..." | tee -a $LOG_FILE # Create the service and capture the ID directly echo "$ aws servicediscovery create-service --name data-service --namespace-id $NAMESPACE_ID --creator-request-id data-service-request" | tee -a $LOG_FILE CREATE_OUTPUT=$(aws servicediscovery create-service --name data-service --namespace-id $NAMESPACE_ID --creator-request-id data-service-request) echo "$CREATE_OUTPUT" | tee -a $LOG_FILE # Extract the service ID using AWS CLI query DATA_SERVICE_ID=$(aws servicediscovery list-services --filters "Name=NAMESPACE_ID,Values=$NAMESPACE_ID,Condition=EQ" --query "Services[?Name=='data-service'].Id" --output text) echo "Data service created with ID: $DATA_SERVICE_ID" | tee -a $LOG_FILE else echo "Data service already exists with ID: $DATA_SERVICE_ID" | tee -a $LOG_FILE fi CREATED_RESOURCES+=("service:$DATA_SERVICE_ID") # Register DynamoDB table as a service instance echo "Registering DynamoDB table as a service instance..." | tee -a $LOG_FILE # Check if instance already exists INSTANCE_EXISTS=$(aws servicediscovery list-instances --service-id $DATA_SERVICE_ID --query "Instances[?Id=='data-instance'].Id" --output text) if [[ -z "$INSTANCE_EXISTS" ]]; then log_cmd "aws servicediscovery register-instance --service-id $DATA_SERVICE_ID --instance-id data-instance --attributes tablename=cloudmap,region=$(aws configure get region)" OPERATION_ID=$(aws servicediscovery register-instance --service-id $DATA_SERVICE_ID --instance-id data-instance --attributes tablename=cloudmap,region=$(aws configure get region) --query 'OperationId' --output text) # Wait for instance registration to complete echo "Waiting for instance registration to complete..." | tee -a $LOG_FILE wait_for_operation $OPERATION_ID else echo "Instance data-instance already exists" | tee -a $LOG_FILE fi CREATED_RESOURCES+=("instance:$DATA_SERVICE_ID:data-instance") # Step 4: Create an IAM role for Lambda echo "Step 4: Creating IAM role for Lambda..." | tee -a $LOG_FILE # Create a trust policy for Lambda cat > lambda-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Check if role already exists echo "Checking if IAM role already exists..." | tee -a $LOG_FILE ROLE_EXISTS=$(aws iam get-role --role-name cloudmap-tutorial-role 2>&1 || echo "NOT_EXISTS") if [[ $ROLE_EXISTS == *"NoSuchEntity"* || $ROLE_EXISTS == "NOT_EXISTS" ]]; then log_cmd "aws iam create-role --role-name cloudmap-tutorial-role --assume-role-policy-document file://lambda-trust-policy.json" else echo "Role cloudmap-tutorial-role already exists, using existing role" | tee -a $LOG_FILE fi # FIXED: Create a custom policy with least privilege instead of using PowerUserAccess cat > cloudmap-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:*" }, { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:Scan" ], "Resource": "arn:aws:dynamodb:*:*:table/cloudmap" }, { "Effect": "Allow", "Action": [ "servicediscovery:DiscoverInstances" ], "Resource": "*" } ] } EOF # Check if policy already exists POLICY_ARN=$(aws iam list-policies --query "Policies[?PolicyName=='CloudMapTutorialPolicy'].Arn" --output text) if [[ -z "$POLICY_ARN" ]]; then echo "Creating CloudMapTutorialPolicy..." | tee -a $LOG_FILE echo "$ aws iam create-policy --policy-name CloudMapTutorialPolicy --policy-document file://cloudmap-policy.json" | tee -a $LOG_FILE CREATE_OUTPUT=$(aws iam create-policy --policy-name CloudMapTutorialPolicy --policy-document file://cloudmap-policy.json) echo "$CREATE_OUTPUT" | tee -a $LOG_FILE POLICY_ARN=$(aws iam list-policies --query "Policies[?PolicyName=='CloudMapTutorialPolicy'].Arn" --output text) else echo "Policy CloudMapTutorialPolicy already exists with ARN: $POLICY_ARN" | tee -a $LOG_FILE fi echo "$ aws iam attach-role-policy --role-name cloudmap-tutorial-role --policy-arn $POLICY_ARN" | tee -a $LOG_FILE aws iam attach-role-policy --role-name cloudmap-tutorial-role --policy-arn $POLICY_ARN | tee -a $LOG_FILE echo "$ aws iam attach-role-policy --role-name cloudmap-tutorial-role --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" | tee -a $LOG_FILE aws iam attach-role-policy --role-name cloudmap-tutorial-role --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole | tee -a $LOG_FILE # Wait for role to propagate echo "Waiting for IAM role to propagate..." | tee -a $LOG_FILE sleep 10 ROLE_ARN=$(aws iam get-role --role-name cloudmap-tutorial-role --query 'Role.Arn' --output text) CREATED_RESOURCES+=("role:cloudmap-tutorial-role") # Step 5: Create an AWS Cloud Map app service echo "Step 5: Creating AWS Cloud Map app service..." | tee -a $LOG_FILE # Get all services in the namespace SERVICES=$(aws servicediscovery list-services --filters "Name=NAMESPACE_ID,Values=$NAMESPACE_ID,Condition=EQ" --query 'Services[*].[Id,Name]' --output text) # Check if app service already exists APP_SERVICE_ID="" while read -r id name || [[ -n "$id" ]]; do if [[ "$name" == "app-service" ]]; then APP_SERVICE_ID="$id" break fi done <<< "$SERVICES" if [[ -z "$APP_SERVICE_ID" ]]; then echo "App service does not exist, creating it..." | tee -a $LOG_FILE # Create the service and capture the ID directly echo "$ aws servicediscovery create-service --name app-service --namespace-id $NAMESPACE_ID --creator-request-id app-service-request" | tee -a $LOG_FILE CREATE_OUTPUT=$(aws servicediscovery create-service --name app-service --namespace-id $NAMESPACE_ID --creator-request-id app-service-request) echo "$CREATE_OUTPUT" | tee -a $LOG_FILE # Extract the service ID using AWS CLI query APP_SERVICE_ID=$(aws servicediscovery list-services --filters "Name=NAMESPACE_ID,Values=$NAMESPACE_ID,Condition=EQ" --query "Services[?Name=='app-service'].Id" --output text) echo "App service created with ID: $APP_SERVICE_ID" | tee -a $LOG_FILE else echo "App service already exists with ID: $APP_SERVICE_ID" | tee -a $LOG_FILE fi CREATED_RESOURCES+=("service:$APP_SERVICE_ID") # Step 6: Create a Lambda function to write data echo "Step 6: Creating Lambda function to write data..." | tee -a $LOG_FILE # Create Lambda function code cat > writefunction.py << EOF import boto3 import json import random def lambda_handler(event, context): # Use AWS Cloud Map to discover the DynamoDB table serviceclient = boto3.client('servicediscovery') # Discover the data service instance response = serviceclient.discover_instances( NamespaceName='cloudmap-tutorial', ServiceName='data-service' ) # Extract table name and region from the instance attributes tablename = response['Instances'][0]['Attributes']['tablename'] region = response['Instances'][0]['Attributes']['region'] # Create DynamoDB client in the specified region dynamodb = boto3.resource('dynamodb', region_name=region) table = dynamodb.Table(tablename) # Write data to the table table.put_item( Item={ 'id': str(random.randint(1,100)), 'todo': event } ) return { 'statusCode': 200, 'body': json.dumps('Data written successfully!') } EOF # Zip the function code log_cmd "zip writefunction.zip writefunction.py" # Create the Lambda function FUNCTION_EXISTS=$(aws lambda list-functions --query "Functions[?FunctionName=='writefunction'].FunctionName" --output text) if [[ -z "$FUNCTION_EXISTS" ]]; then log_cmd "aws lambda create-function --function-name writefunction --runtime python3.12 --role $ROLE_ARN --handler writefunction.lambda_handler --zip-file fileb://writefunction.zip --architectures x86_64" # Wait for the Lambda function to be active before updating echo "Waiting for Lambda function to become active..." | tee -a $LOG_FILE function_state="Pending" while [ "$function_state" == "Pending" ]; do sleep 5 function_state=$(aws lambda get-function --function-name writefunction --query 'Configuration.State' --output text) echo "Current function state: $function_state" | tee -a $LOG_FILE done # Update the function timeout log_cmd "aws lambda update-function-configuration --function-name writefunction --timeout 5" else echo "Lambda function writefunction already exists" | tee -a $LOG_FILE fi CREATED_RESOURCES+=("lambda:writefunction") # Step 7: Register the Lambda write function as an AWS Cloud Map service instance echo "Step 7: Registering Lambda write function as a service instance..." | tee -a $LOG_FILE # Check if instance already exists INSTANCE_EXISTS=$(aws servicediscovery list-instances --service-id $APP_SERVICE_ID --query "Instances[?Id=='write-instance'].Id" --output text) if [[ -z "$INSTANCE_EXISTS" ]]; then log_cmd "aws servicediscovery register-instance --service-id $APP_SERVICE_ID --instance-id write-instance --attributes action=write,functionname=writefunction" OPERATION_ID=$(aws servicediscovery register-instance --service-id $APP_SERVICE_ID --instance-id write-instance --attributes action=write,functionname=writefunction --query 'OperationId' --output text) # Wait for instance registration to complete echo "Waiting for write instance registration to complete..." | tee -a $LOG_FILE wait_for_operation $OPERATION_ID else echo "Instance write-instance already exists" | tee -a $LOG_FILE fi CREATED_RESOURCES+=("instance:$APP_SERVICE_ID:write-instance") # Step 8: Create a Lambda function to read data echo "Step 8: Creating Lambda function to read data..." | tee -a $LOG_FILE # Create Lambda function code cat > readfunction.py << EOF import boto3 import json def lambda_handler(event, context): # Use AWS Cloud Map to discover the DynamoDB table serviceclient = boto3.client('servicediscovery') # Discover the data service instance response = serviceclient.discover_instances( NamespaceName='cloudmap-tutorial', ServiceName='data-service' ) # Extract table name and region from the instance attributes tablename = response['Instances'][0]['Attributes']['tablename'] region = response['Instances'][0]['Attributes']['region'] # Create DynamoDB client in the specified region dynamodb = boto3.resource('dynamodb', region_name=region) table = dynamodb.Table(tablename) # Read data from the table response = table.scan() return { 'statusCode': 200, 'body': json.dumps(response['Items']) } EOF # Zip the function code log_cmd "zip readfunction.zip readfunction.py" # Create the Lambda function FUNCTION_EXISTS=$(aws lambda list-functions --query "Functions[?FunctionName=='readfunction'].FunctionName" --output text) if [[ -z "$FUNCTION_EXISTS" ]]; then log_cmd "aws lambda create-function --function-name readfunction --runtime python3.12 --role $ROLE_ARN --handler readfunction.lambda_handler --zip-file fileb://readfunction.zip --architectures x86_64" # Wait for the Lambda function to be active before updating echo "Waiting for Lambda function to become active..." | tee -a $LOG_FILE function_state="Pending" while [ "$function_state" == "Pending" ]; do sleep 5 function_state=$(aws lambda get-function --function-name readfunction --query 'Configuration.State' --output text) echo "Current function state: $function_state" | tee -a $LOG_FILE done # Update the function timeout log_cmd "aws lambda update-function-configuration --function-name readfunction --timeout 5" else echo "Lambda function readfunction already exists" | tee -a $LOG_FILE fi CREATED_RESOURCES+=("lambda:readfunction") # Step 9: Register the Lambda read function as an AWS Cloud Map service instance echo "Step 9: Registering Lambda read function as a service instance..." | tee -a $LOG_FILE # Check if instance already exists INSTANCE_EXISTS=$(aws servicediscovery list-instances --service-id $APP_SERVICE_ID --query "Instances[?Id=='read-instance'].Id" --output text) if [[ -z "$INSTANCE_EXISTS" ]]; then log_cmd "aws servicediscovery register-instance --service-id $APP_SERVICE_ID --instance-id read-instance --attributes action=read,functionname=readfunction" OPERATION_ID=$(aws servicediscovery register-instance --service-id $APP_SERVICE_ID --instance-id read-instance --attributes action=read,functionname=readfunction --query 'OperationId' --output text) # Wait for read instance registration to complete echo "Waiting for read instance registration to complete..." | tee -a $LOG_FILE wait_for_operation $OPERATION_ID else echo "Instance read-instance already exists" | tee -a $LOG_FILE fi CREATED_RESOURCES+=("instance:$APP_SERVICE_ID:read-instance") # Step 10: Create Python clients to interact with the services echo "Step 10: Creating Python clients..." | tee -a $LOG_FILE cat > writeclient.py << EOF import boto3 serviceclient = boto3.client('servicediscovery') response = serviceclient.discover_instances(NamespaceName='cloudmap-tutorial', ServiceName='app-service', QueryParameters={ 'action': 'write' }) functionname = response["Instances"][0]["Attributes"]["functionname"] lambdaclient = boto3.client('lambda') resp = lambdaclient.invoke(FunctionName=functionname, Payload='"This is a test data"') print(resp["Payload"].read()) EOF cat > readclient.py << EOF import boto3 serviceclient = boto3.client('servicediscovery') response = serviceclient.discover_instances(NamespaceName='cloudmap-tutorial', ServiceName='app-service', QueryParameters={ 'action': 'read' }) functionname = response["Instances"][0]["Attributes"]["functionname"] lambdaclient = boto3.client('lambda') resp = lambdaclient.invoke(FunctionName=functionname, InvocationType='RequestResponse') print(resp["Payload"].read()) EOF echo "Running write client..." | tee -a $LOG_FILE log_cmd "python3 writeclient.py" echo "Running read client..." | tee -a $LOG_FILE log_cmd "python3 readclient.py" # Step 11: Clean up resources echo "Resources created:" | tee -a $LOG_FILE for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" | tee -a $LOG_FILE done echo "" | tee -a $LOG_FILE echo "==========================================" | tee -a $LOG_FILE echo "CLEANUP CONFIRMATION" | tee -a $LOG_FILE echo "==========================================" | tee -a $LOG_FILE echo "Do you want to clean up all created resources? (y/n): " | tee -a $LOG_FILE read -r CLEANUP_CONFIRM if [[ $CLEANUP_CONFIRM == "y" || $CLEANUP_CONFIRM == "Y" ]]; then cleanup else echo "Resources were not cleaned up. You can manually clean them up later." | tee -a $LOG_FILE fi echo "Script completed at $(date)" | tee -a $LOG_FILE ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateHttpNamespace](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/CreateHttpNamespace) + [CreateService](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/CreateService) + [DeleteNamespace](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeleteNamespace) + [DeleteService](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeleteService) + [DeregisterInstance](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeregisterInstance) + [GetOperation](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/GetOperation) + [ListNamespaces](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/ListNamespaces) + [ListServices](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/ListServices) + [RegisterInstance](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/RegisterInstance) ### Cloud Map service discovery The following code example shows how to: + Create a public DNS namespace with Route 53 hosted zone integration + Create services discoverable via DNS queries and API calls + Register service instances with different discovery configurations + Discover services using both DNS queries and Cloud Map API + Verify service discovery using dig command and API calls + Clean up resources in proper order (instances, services, namespace) **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/010-cloudmap-service-discovery) repository. ``` #!/bin/bash # AWS Cloud Map Private Namespace Tutorial Script # This script demonstrates how to use AWS Cloud Map for service discovery # with DNS queries and API calls # Exit on error set -e # Configuration REGION="us-east-2" NAMESPACE_NAME="cloudmap-tutorial.com" LOG_FILE="cloudmap-tutorial.log" CREATOR_REQUEST_ID=$(date +%s) # Function to log messages log() { local message="$1" echo "$(date '+%Y-%m-%d %H:%M:%S') - $message" | tee -a "$LOG_FILE" } # Function to check operation status check_operation() { local operation_id="$1" local status="" log "Checking operation status for $operation_id..." while [[ "$status" != "SUCCESS" ]]; do sleep 5 status=$(aws servicediscovery get-operation \ --operation-id "$operation_id" \ --region "$REGION" \ --query "Operation.Status" \ --output text) log "Operation status: $status" if [[ "$status" == "FAIL" ]]; then log "Operation failed. Exiting." exit 1 fi done log "Operation completed successfully." } # Function to clean up resources cleanup() { log "Starting cleanup process..." if [[ -n "$FIRST_INSTANCE_ID" ]]; then log "Deregistering first service instance..." aws servicediscovery deregister-instance \ --service-id "$PUBLIC_SERVICE_ID" \ --instance-id "$FIRST_INSTANCE_ID" \ --region "$REGION" || log "Failed to deregister first instance" fi if [[ -n "$SECOND_INSTANCE_ID" ]]; then log "Deregistering second service instance..." aws servicediscovery deregister-instance \ --service-id "$BACKEND_SERVICE_ID" \ --instance-id "$SECOND_INSTANCE_ID" \ --region "$REGION" || log "Failed to deregister second instance" fi if [[ -n "$PUBLIC_SERVICE_ID" ]]; then log "Deleting public service..." aws servicediscovery delete-service \ --id "$PUBLIC_SERVICE_ID" \ --region "$REGION" || log "Failed to delete public service" fi if [[ -n "$BACKEND_SERVICE_ID" ]]; then log "Deleting backend service..." aws servicediscovery delete-service \ --id "$BACKEND_SERVICE_ID" \ --region "$REGION" || log "Failed to delete backend service" fi if [[ -n "$NAMESPACE_ID" ]]; then log "Deleting namespace..." aws servicediscovery delete-namespace \ --id "$NAMESPACE_ID" \ --region "$REGION" || log "Failed to delete namespace" fi log "Cleanup completed." } # Set up trap for cleanup on script exit trap cleanup EXIT INT TERM # Initialize log file > "$LOG_FILE" log "Starting AWS Cloud Map tutorial script" # Step 1: Create an AWS Cloud Map namespace log "Creating AWS Cloud Map namespace: $NAMESPACE_NAME" OPERATION_RESULT=$(aws servicediscovery create-public-dns-namespace \ --name "$NAMESPACE_NAME" \ --creator-request-id "cloudmap-tutorial-$CREATOR_REQUEST_ID" \ --region "$REGION") OPERATION_ID=$(echo "$OPERATION_RESULT" | jq -r '.OperationId') log "Namespace creation initiated. Operation ID: $OPERATION_ID" # Check operation status check_operation "$OPERATION_ID" # Get the namespace ID log "Getting namespace ID..." NAMESPACE_ID=$(aws servicediscovery list-namespaces \ --region "$REGION" \ --query "Namespaces[?Name=='$NAMESPACE_NAME'].Id" \ --output text) log "Namespace ID: $NAMESPACE_ID" # Get the hosted zone ID log "Getting Route 53 hosted zone ID..." HOSTED_ZONE_ID=$(aws route53 list-hosted-zones-by-name \ --dns-name "$NAMESPACE_NAME" \ --query "HostedZones[0].Id" \ --output text | sed 's|/hostedzone/||') log "Hosted Zone ID: $HOSTED_ZONE_ID" # Step 2: Create the AWS Cloud Map services log "Creating public service..." PUBLIC_SERVICE_RESULT=$(aws servicediscovery create-service \ --name "public-service" \ --namespace-id "$NAMESPACE_ID" \ --dns-config "RoutingPolicy=MULTIVALUE,DnsRecords=[{Type=A,TTL=300}]" \ --region "$REGION") PUBLIC_SERVICE_ID=$(echo "$PUBLIC_SERVICE_RESULT" | jq -r '.Service.Id') log "Public service created. Service ID: $PUBLIC_SERVICE_ID" log "Creating backend service..." BACKEND_SERVICE_RESULT=$(aws servicediscovery create-service \ --name "backend-service" \ --namespace-id "$NAMESPACE_ID" \ --type "HTTP" \ --region "$REGION") BACKEND_SERVICE_ID=$(echo "$BACKEND_SERVICE_RESULT" | jq -r '.Service.Id') log "Backend service created. Service ID: $BACKEND_SERVICE_ID" # Step 3: Register the AWS Cloud Map service instances log "Registering first service instance..." FIRST_INSTANCE_RESULT=$(aws servicediscovery register-instance \ --service-id "$PUBLIC_SERVICE_ID" \ --instance-id "first" \ --attributes "AWS_INSTANCE_IPV4=192.168.2.1" \ --region "$REGION") FIRST_INSTANCE_ID="first" FIRST_OPERATION_ID=$(echo "$FIRST_INSTANCE_RESULT" | jq -r '.OperationId') log "First instance registration initiated. Operation ID: $FIRST_OPERATION_ID" # Check operation status check_operation "$FIRST_OPERATION_ID" log "Registering second service instance..." SECOND_INSTANCE_RESULT=$(aws servicediscovery register-instance \ --service-id "$BACKEND_SERVICE_ID" \ --instance-id "second" \ --attributes "service-name=backend" \ --region "$REGION") SECOND_INSTANCE_ID="second" SECOND_OPERATION_ID=$(echo "$SECOND_INSTANCE_RESULT" | jq -r '.OperationId') log "Second instance registration initiated. Operation ID: $SECOND_OPERATION_ID" # Check operation status check_operation "$SECOND_OPERATION_ID" # Step 4: Discover the AWS Cloud Map service instances log "Getting Route 53 name servers..." NAME_SERVERS=$(aws route53 get-hosted-zone \ --id "$HOSTED_ZONE_ID" \ --query "DelegationSet.NameServers[0]" \ --output text) log "Name server: $NAME_SERVERS" log "Using dig to query DNS records (this will be simulated)..." log "Command: dig @$NAME_SERVERS public-service.$NAMESPACE_NAME" log "Expected output would show: public-service.$NAMESPACE_NAME. 300 IN A 192.168.2.1" log "Using AWS CLI to discover backend service instances..." DISCOVER_RESULT=$(aws servicediscovery discover-instances \ --namespace-name "$NAMESPACE_NAME" \ --service-name "backend-service" \ --region "$REGION") log "Discovery result: $(echo "$DISCOVER_RESULT" | jq -c '.')" # Display created resources log "Resources created:" log "- Namespace: $NAMESPACE_NAME (ID: $NAMESPACE_ID)" log "- Public Service: public-service (ID: $PUBLIC_SERVICE_ID)" log "- Backend Service: backend-service (ID: $BACKEND_SERVICE_ID)" log "- Service Instance: first (Service: public-service)" log "- Service Instance: second (Service: backend-service)" # Ask user if they want to clean up resources read -p "Do you want to clean up all created resources? (y/n): " CLEANUP_RESPONSE if [[ "$CLEANUP_RESPONSE" == "y" || "$CLEANUP_RESPONSE" == "Y" ]]; then log "User confirmed cleanup. Proceeding with resource deletion." # Cleanup function will be called automatically on exit else log "User chose not to clean up resources. Exiting without cleanup." trap - EXIT exit 0 fi ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreatePublicDnsNamespace](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/CreatePublicDnsNamespace) + [CreateService](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/CreateService) + [DeleteNamespace](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeleteNamespace) + [DeleteService](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeleteService) + [DeregisterInstance](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeregisterInstance) + [DiscoverInstances](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DiscoverInstances) + [GetOperation](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/GetOperation) + [ListNamespaces](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/ListNamespaces) + [RegisterInstance](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/RegisterInstance) ### Configure Amazon ECS Service Connect The following code example shows how to: + Create the VPC infrastructure + Set up logging + Create the ECS cluster + Configure IAM roles + Create the service with Service Connect + Verify the deployment + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/085-amazon-ecs-service-connect) repository. ``` #!/bin/bash # ECS Service Connect Tutorial Script v4 - Modified to use Default VPC # This script creates an ECS cluster with Service Connect and deploys an nginx service # Uses the default VPC to avoid VPC limits set -e # Exit on any error # Configuration SCRIPT_NAME="ECS Service Connect Tutorial" LOG_FILE="ecs-service-connect-tutorial-v4-default-vpc.log" REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null)}} if [ -z "$REGION" ]; then echo "ERROR: No AWS region configured." echo "Set one with: aws configure set region us-east-1" exit 1 fi ENV_PREFIX="tutorial" CLUSTER_NAME="${ENV_PREFIX}-cluster" NAMESPACE_NAME="service-connect" # Generate random suffix for unique resource names RANDOM_SUFFIX=$(openssl rand -hex 6) # Arrays to track created resources for cleanup declare -a CREATED_RESOURCES=() # Logging function log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE" } # Error handling function handle_error() { log "ERROR: Script failed at line $1" log "Attempting to clean up resources..." cleanup_resources exit 1 } # Set up error handling trap 'handle_error $LINENO' ERR # Function to add resource to tracking array track_resource() { CREATED_RESOURCES+=("$1") log "Tracking resource: $1" } # Function to check if command output contains actual errors check_for_errors() { local output="$1" local command_name="$2" # Check for specific AWS CLI error patterns, not just any occurrence of "error" if echo "$output" | grep -qi "An error occurred\|InvalidParameterException\|AccessDenied\|ValidationException\|ResourceNotFoundException"; then log "ERROR in $command_name: $output" return 1 fi return 0 } # Function to get AWS account ID get_account_id() { ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) log "Using AWS Account ID: $ACCOUNT_ID" } # Function to wait for resources to be ready wait_for_resource() { local resource_type="$1" local resource_id="$2" case "$resource_type" in "cluster") log "Waiting for cluster $resource_id to be active..." local attempt=1 local max_attempts=30 while [ $attempt -le $max_attempts ]; do local status=$(aws ecs describe-clusters --clusters "$resource_id" --query 'clusters[0].status' --output text) if [ "$status" = "ACTIVE" ]; then log "Cluster is now active" return 0 fi log "Cluster status: $status (attempt $attempt/$max_attempts)" sleep 10 ((attempt++)) done log "ERROR: Cluster did not become active within expected time" return 1 ;; "service") log "Waiting for service $resource_id to be stable..." aws ecs wait services-stable --cluster "$CLUSTER_NAME" --services "$resource_id" ;; "nat-gateway") log "Waiting for NAT Gateway $resource_id to be available..." aws ec2 wait nat-gateway-available --nat-gateway-ids "$resource_id" ;; esac } # Function to use default VPC infrastructure setup_default_vpc_infrastructure() { log "Using default VPC infrastructure..." # Get default VPC VPC_ID=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query 'Vpcs[0].VpcId' --output text) if [[ "$VPC_ID" == "None" || -z "$VPC_ID" ]]; then log "ERROR: No default VPC found. Please create a default VPC first." exit 1 fi log "Using default VPC: $VPC_ID" # Get default subnets SUBNETS=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" "Name=default-for-az,Values=true" --query 'Subnets[].SubnetId' --output text) SUBNET_ARRAY=($SUBNETS) if [ ${#SUBNET_ARRAY[@]} -lt 2 ]; then log "ERROR: Need at least 2 subnets for ECS Service Connect. Found: ${#SUBNET_ARRAY[@]}" exit 1 fi PUBLIC_SUBNET1=${SUBNET_ARRAY[0]} PUBLIC_SUBNET2=${SUBNET_ARRAY[1]} log "Using subnets: $PUBLIC_SUBNET1, $PUBLIC_SUBNET2" # Create security group for ECS tasks SG_OUTPUT=$(aws ec2 create-security-group \ --group-name "${ENV_PREFIX}-ecs-sg-${RANDOM_SUFFIX}" \ --description "Security group for ECS Service Connect tutorial" \ --vpc-id "$VPC_ID" 2>&1) check_for_errors "$SG_OUTPUT" "create-security-group" SECURITY_GROUP_ID=$(echo "$SG_OUTPUT" | grep -o '"GroupId": "[^"]*"' | cut -d'"' -f4) track_resource "SG:$SECURITY_GROUP_ID" log "Created security group: $SECURITY_GROUP_ID" # Add inbound rules to security group aws ec2 authorize-security-group-ingress \ --group-id "$SECURITY_GROUP_ID" \ --protocol tcp \ --port 80 \ --cidr 0.0.0.0/0 >/dev/null 2>&1 || true aws ec2 authorize-security-group-ingress \ --group-id "$SECURITY_GROUP_ID" \ --protocol tcp \ --port 443 \ --cidr 0.0.0.0/0 >/dev/null 2>&1 || true log "Default VPC infrastructure setup completed" } # Function to create CloudWatch log groups create_log_groups() { log "Creating CloudWatch log groups..." # Create log group for nginx container aws logs create-log-group --log-group-name "/ecs/service-connect-nginx" 2>&1 | grep -v "ResourceAlreadyExistsException" || { if [ ${PIPESTATUS[0]} -eq 0 ]; then log "Log group /ecs/service-connect-nginx created" track_resource "LOG_GROUP:/ecs/service-connect-nginx" else log "Log group /ecs/service-connect-nginx already exists" fi } # Create log group for service connect proxy aws logs create-log-group --log-group-name "/ecs/service-connect-proxy" 2>&1 | grep -v "ResourceAlreadyExistsException" || { if [ ${PIPESTATUS[0]} -eq 0 ]; then log "Log group /ecs/service-connect-proxy created" track_resource "LOG_GROUP:/ecs/service-connect-proxy" else log "Log group /ecs/service-connect-proxy already exists" fi } } # Function to create ECS cluster with Service Connect create_ecs_cluster() { log "Creating ECS cluster with Service Connect..." CLUSTER_OUTPUT=$(aws ecs create-cluster \ --cluster-name "$CLUSTER_NAME" \ --service-connect-defaults namespace="$NAMESPACE_NAME" \ --tags key=Environment,value=tutorial 2>&1) check_for_errors "$CLUSTER_OUTPUT" "create-cluster" track_resource "CLUSTER:$CLUSTER_NAME" log "Created ECS cluster: $CLUSTER_NAME" wait_for_resource "cluster" "$CLUSTER_NAME" # Track the Service Connect namespace that gets created # Wait a moment for the namespace to be created sleep 5 NAMESPACE_ID=$(aws servicediscovery list-namespaces \ --filters Name=TYPE,Values=HTTP \ --query "Namespaces[?Name=='$NAMESPACE_NAME'].Id" --output text 2>/dev/null || echo "") if [[ -n "$NAMESPACE_ID" && "$NAMESPACE_ID" != "None" ]]; then track_resource "NAMESPACE:$NAMESPACE_ID" log "Service Connect namespace created: $NAMESPACE_ID" fi } # Function to create IAM roles create_iam_roles() { log "Creating IAM roles..." # Check if ecsTaskExecutionRole exists if aws iam get-role --role-name ecsTaskExecutionRole >/dev/null 2>&1; then log "IAM role ecsTaskExecutionRole exists" else log "Creating ecsTaskExecutionRole..." aws iam create-role \ --role-name ecsTaskExecutionRole \ --assume-role-policy-document '{ "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"Service": "ecs-tasks.amazonaws.com"}, "Action": "sts:AssumeRole" }] }' >/dev/null 2>&1 aws iam attach-role-policy \ --role-name ecsTaskExecutionRole \ --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy >/dev/null 2>&1 track_resource "ROLE:ecsTaskExecutionRole" log "Created ecsTaskExecutionRole" sleep 10 fi # Check if ecsTaskRole exists, create if not if aws iam get-role --role-name ecsTaskRole >/dev/null 2>&1; then log "IAM role ecsTaskRole exists" else log "IAM role ecsTaskRole does not exist, will create it" # Create trust policy for ECS tasks cat > /tmp/ecs-task-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF aws iam create-role \ --role-name ecsTaskRole \ --assume-role-policy-document file:///tmp/ecs-task-trust-policy.json >/dev/null track_resource "IAM_ROLE:ecsTaskRole" log "Created ecsTaskRole" # Wait for role to be available sleep 10 fi } # Function to create task definition create_task_definition() { log "Creating task definition..." # Create task definition JSON cat > /tmp/task-definition.json << EOF { "family": "service-connect-nginx", "networkMode": "awsvpc", "requiresCompatibilities": ["FARGATE"], "cpu": "256", "memory": "512", "executionRoleArn": "arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskExecutionRole", "taskRoleArn": "arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskRole", "containerDefinitions": [ { "name": "nginx", "image": "public.ecr.aws/docker/library/nginx:latest", "portMappings": [ { "containerPort": 80, "protocol": "tcp", "name": "nginx-port" } ], "essential": true, "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "/ecs/service-connect-nginx", "awslogs-region": "${REGION}", "awslogs-stream-prefix": "ecs" } } } ] } EOF TASK_DEF_OUTPUT=$(aws ecs register-task-definition --cli-input-json file:///tmp/task-definition.json 2>&1) check_for_errors "$TASK_DEF_OUTPUT" "register-task-definition" TASK_DEF_ARN=$(echo "$TASK_DEF_OUTPUT" | grep -o '"taskDefinitionArn": "[^"]*"' | cut -d'"' -f4) track_resource "TASK_DEF:service-connect-nginx" log "Created task definition: $TASK_DEF_ARN" # Clean up temporary file rm -f /tmp/task-definition.json } # Function to create ECS service with Service Connect create_ecs_service() { log "Creating ECS service with Service Connect..." # Create service definition JSON cat > /tmp/service-definition.json << EOF { "serviceName": "service-connect-nginx-service", "cluster": "${CLUSTER_NAME}", "taskDefinition": "service-connect-nginx", "desiredCount": 1, "launchType": "FARGATE", "networkConfiguration": { "awsvpcConfiguration": { "subnets": ["${PUBLIC_SUBNET1}", "${PUBLIC_SUBNET2}"], "securityGroups": ["${SECURITY_GROUP_ID}"], "assignPublicIp": "ENABLED" } }, "serviceConnectConfiguration": { "enabled": true, "namespace": "${NAMESPACE_NAME}", "services": [ { "portName": "nginx-port", "discoveryName": "nginx", "clientAliases": [ { "port": 80, "dnsName": "nginx" } ] } ], "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "/ecs/service-connect-proxy", "awslogs-region": "${REGION}", "awslogs-stream-prefix": "ecs-service-connect" } } }, "tags": [ { "key": "Environment", "value": "tutorial" } ] } EOF SERVICE_OUTPUT=$(aws ecs create-service --cli-input-json file:///tmp/service-definition.json 2>&1) check_for_errors "$SERVICE_OUTPUT" "create-service" track_resource "SERVICE:service-connect-nginx-service" log "Created ECS service: service-connect-nginx-service" wait_for_resource "service" "service-connect-nginx-service" # Clean up temporary file rm -f /tmp/service-definition.json } # Function to verify deployment verify_deployment() { log "Verifying deployment..." # Check service status SERVICE_STATUS=$(aws ecs describe-services \ --cluster "$CLUSTER_NAME" \ --services "service-connect-nginx-service" \ --query 'services[0].status' --output text) log "Service status: $SERVICE_STATUS" # Check running tasks RUNNING_COUNT=$(aws ecs describe-services \ --cluster "$CLUSTER_NAME" \ --services "service-connect-nginx-service" \ --query 'services[0].runningCount' --output text) log "Running tasks: $RUNNING_COUNT" # Get task ARN TASK_ARN=$(aws ecs list-tasks \ --cluster "$CLUSTER_NAME" \ --service-name "service-connect-nginx-service" \ --query 'taskArns[0]' --output text) if [[ "$TASK_ARN" != "None" && -n "$TASK_ARN" ]]; then log "Task ARN: $TASK_ARN" # Try to get task IP address TASK_IP=$(aws ecs describe-tasks \ --cluster "$CLUSTER_NAME" \ --tasks "$TASK_ARN" \ --query 'tasks[0].attachments[0].details[?name==`privateIPv4Address`].value' \ --output text 2>/dev/null || echo "") if [[ -n "$TASK_IP" && "$TASK_IP" != "None" ]]; then log "Task IP address: $TASK_IP" else log "Could not retrieve task IP address" fi fi # Check Service Connect namespace NAMESPACE_STATUS=$(aws servicediscovery list-namespaces \ --filters Name=TYPE,Values=HTTP \ --query "Namespaces[?Name=='$NAMESPACE_NAME'].Id" --output text 2>/dev/null || echo "") if [[ -n "$NAMESPACE_STATUS" && "$NAMESPACE_STATUS" != "None" ]]; then log "Service Connect namespace '$NAMESPACE_NAME' is active" else log "Service Connect namespace '$NAMESPACE_NAME' not found or not active" fi # Display Service Connect configuration log "Service Connect configuration:" aws ecs describe-services \ --cluster "$CLUSTER_NAME" \ --services "service-connect-nginx-service" \ --query 'services[0].serviceConnectConfiguration' 2>/dev/null || true } # Function to display created resources display_resources() { echo "" echo "===========================================" echo "CREATED RESOURCES" echo "===========================================" for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" done echo "===========================================" echo "" } # Function to cleanup resources cleanup_resources() { log "Starting cleanup process..." # Delete resources in reverse order of creation for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do resource="${CREATED_RESOURCES[i]}" resource_type=$(echo "$resource" | cut -d':' -f1) resource_id=$(echo "$resource" | cut -d':' -f2) log "Cleaning up $resource_type: $resource_id" case "$resource_type" in "SERVICE") aws ecs update-service --cluster "$CLUSTER_NAME" --service "$resource_id" --desired-count 0 2>&1 | grep -qi "error" && log "Warning: Failed to scale down service $resource_id" aws ecs wait services-stable --cluster "$CLUSTER_NAME" --services "$resource_id" 2>/dev/null || true aws ecs delete-service --cluster "$CLUSTER_NAME" --service "$resource_id" --force 2>&1 | grep -qi "error" && log "Warning: Failed to delete service $resource_id" ;; "TASK_DEF") TASK_DEF_ARNS=$(aws ecs list-task-definitions --family-prefix "$resource_id" --query 'taskDefinitionArns' --output text 2>/dev/null) for arn in $TASK_DEF_ARNS; do aws ecs deregister-task-definition --task-definition "$arn" >/dev/null 2>&1 || true done ;; "ROLE") aws iam detach-role-policy --role-name "$resource_id" --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" 2>/dev/null || true aws iam delete-role --role-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete role $resource_id" ;; "IAM_ROLE") aws iam detach-role-policy --role-name "$resource_id" --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" 2>/dev/null || true aws iam delete-role --role-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete role $resource_id" ;; "CLUSTER") aws ecs delete-cluster --cluster "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete cluster $resource_id" ;; "SG") for attempt in 1 2 3 4 5; do if aws ec2 delete-security-group --group-id "$resource_id" 2>/dev/null; then break fi log "Security group $resource_id still has dependencies, retrying in 30s ($attempt/5)..." sleep 30 done ;; "LOG_GROUP") aws logs delete-log-group --log-group-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete log group $resource_id" ;; "NAMESPACE") # First, delete any services in the namespace NAMESPACE_SERVICES=$(aws servicediscovery list-services \ --filters Name=NAMESPACE_ID,Values="$resource_id" \ --query 'Services[].Id' --output text 2>/dev/null || echo "") if [[ -n "$NAMESPACE_SERVICES" && "$NAMESPACE_SERVICES" != "None" ]]; then for service_id in $NAMESPACE_SERVICES; do aws servicediscovery delete-service --id "$service_id" >/dev/null 2>&1 || true sleep 2 done fi # Then delete the namespace aws servicediscovery delete-namespace --id "$resource_id" >/dev/null 2>&1 || true ;; esac sleep 2 # Brief pause between deletions done # Clean up temporary files rm -f /tmp/ecs-task-trust-policy.json rm -f /tmp/task-definition.json rm -f /tmp/service-definition.json log "Cleanup completed" } # Main execution main() { log "Starting $SCRIPT_NAME v4 (Default VPC)" log "Region: $REGION" log "Log file: $LOG_FILE" # Get AWS account ID get_account_id # Setup infrastructure using default VPC setup_default_vpc_infrastructure # Create CloudWatch log groups create_log_groups # Create ECS cluster create_ecs_cluster # Create IAM roles create_iam_roles # Create task definition create_task_definition # Create ECS service create_ecs_service # Verify deployment verify_deployment log "Tutorial completed successfully!" # Display created resources display_resources # Ask user if they want to clean up echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup_resources log "All resources have been cleaned up" else log "Resources left intact. You can clean them up later by running the cleanup function." echo "" echo "To clean up resources later, you can use the AWS CLI commands or the AWS Management Console." echo "Remember to delete resources in the correct order to avoid dependency issues." fi } # Make script executable and run chmod +x "$0" main "$@" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateCluster](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/CreateCluster) + [CreateLogGroup](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/CreateLogGroup) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) + [CreateService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/CreateService) + [DeleteCluster](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeleteCluster) + [DeleteLogGroup](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/DeleteLogGroup) + [DeleteNamespace](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeleteNamespace) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) + [DeleteService](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeleteService) + [DeregisterTaskDefinition](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeregisterTaskDefinition) + [DescribeClusters](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeClusters) + [DescribeServices](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeServices) + [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets) + [DescribeTasks](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeTasks) + [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [ListNamespaces](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/ListNamespaces) + [ListServices](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/ListServices) + [ListTaskDefinitions](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/ListTaskDefinitions) + [ListTasks](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/ListTasks) + [RegisterTaskDefinition](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/RegisterTaskDefinition) + [UpdateService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/UpdateService) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/Wait) # CloudFormation examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with CloudFormation. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Creating your first CloudFormation stack The following code example shows how to: + Create a CloudFormation template + Test the web server + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/021-cloudformation-gs) repository. ``` #!/bin/bash # CloudFormation Getting Started Script # This script creates a CloudFormation stack with a web server and security group, # monitors the stack creation, and provides cleanup options. # Set up logging LOG_FILE="cloudformation-tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "===================================================" echo "AWS CloudFormation Getting Started Tutorial" echo "===================================================" echo "This script will create a CloudFormation stack with:" echo "- An EC2 instance running a simple web server" echo "- A security group allowing HTTP access from your IP" echo "" echo "Starting at: $(date)" echo "" # Function to clean up resources cleanup() { echo "" echo "===================================================" echo "CLEANING UP RESOURCES" echo "===================================================" if [ -n "$STACK_NAME" ]; then echo "Deleting CloudFormation stack: $STACK_NAME" aws cloudformation delete-stack --stack-name "$STACK_NAME" echo "Waiting for stack deletion to complete..." aws cloudformation wait stack-delete-complete --stack-name "$STACK_NAME" echo "Stack deletion complete." fi if [ -f "$TEMPLATE_FILE" ]; then echo "Removing local template file: $TEMPLATE_FILE" rm -f "$TEMPLATE_FILE" fi echo "Cleanup completed at: $(date)" } # Function to handle errors handle_error() { echo "" echo "===================================================" echo "ERROR: $1" echo "===================================================" echo "Resources created before error:" if [ -n "$STACK_NAME" ]; then echo "- CloudFormation stack: $STACK_NAME" fi echo "" echo "Would you like to clean up these resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup else echo "Resources were not cleaned up. You may need to delete them manually." fi exit 1 } # Set up trap for script interruption trap 'handle_error "Script interrupted"' INT TERM # Generate a unique stack name STACK_NAME="MyTestStack" TEMPLATE_FILE="webserver-template.yaml" # Step 1: Create the CloudFormation template file echo "Creating CloudFormation template file: $TEMPLATE_FILE" cat > "$TEMPLATE_FILE" << 'EOF' AWSTemplateFormatVersion: 2010-09-09 Description: CloudFormation Template for WebServer with Security Group and EC2 Instance Parameters: LatestAmiId: Description: The latest Amazon Linux 2 AMI from the Parameter Store Type: 'AWS::SSM::Parameter::Value' Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2' InstanceType: Description: WebServer EC2 instance type Type: String Default: t2.micro AllowedValues: - t3.micro - t2.micro ConstraintDescription: must be a valid EC2 instance type. MyIP: Description: Your IP address in CIDR format (e.g. 203.0.113.1/32). Type: String MinLength: '9' MaxLength: '18' Default: 0.0.0.0/0 AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$' ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x. Resources: WebServerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow HTTP access via my IP address SecurityGroupIngress: - IpProtocol: tcp FromPort: 80 ToPort: 80 CidrIp: !Ref MyIP WebServer: Type: AWS::EC2::Instance Properties: ImageId: !Ref LatestAmiId InstanceType: !Ref InstanceType SecurityGroupIds: - !Ref WebServerSecurityGroup UserData: !Base64 | #!/bin/bash yum update -y yum install -y httpd systemctl start httpd systemctl enable httpd echo "

Hello World!

" > /var/www/html/index.html Outputs: WebsiteURL: Value: !Join - '' - - http:// - !GetAtt WebServer.PublicDnsName Description: Website URL EOF if [ ! -f "$TEMPLATE_FILE" ]; then handle_error "Failed to create template file" fi # Step 2: Validate the template echo "" echo "Validating CloudFormation template..." VALIDATION_RESULT=$(aws cloudformation validate-template --template-body "file://$TEMPLATE_FILE" 2>&1) if [ $? -ne 0 ]; then handle_error "Template validation failed: $VALIDATION_RESULT" fi echo "Template validation successful." # Step 3: Get the user's public IP address echo "" echo "Retrieving your public IP address..." MY_IP=$(curl -s https://checkip.amazonaws.com) if [ -z "$MY_IP" ]; then handle_error "Failed to retrieve public IP address" fi MY_IP="${MY_IP}/32" echo "Your public IP address: $MY_IP" # Step 4: Create the CloudFormation stack echo "" echo "Creating CloudFormation stack: $STACK_NAME" echo "This will create an EC2 instance and security group." CREATE_RESULT=$(aws cloudformation create-stack \ --stack-name "$STACK_NAME" \ --template-body "file://$TEMPLATE_FILE" \ --parameters \ ParameterKey=InstanceType,ParameterValue=t2.micro \ ParameterKey=MyIP,ParameterValue="$MY_IP" \ --output text 2>&1) if [ $? -ne 0 ]; then handle_error "Stack creation failed: $CREATE_RESULT" fi STACK_ID=$(echo "$CREATE_RESULT" | tr -d '\r\n') echo "Stack creation initiated. Stack ID: $STACK_ID" # Step 5: Monitor stack creation echo "" echo "Monitoring stack creation..." echo "This may take a few minutes." # Wait for stack creation to complete aws cloudformation wait stack-create-complete --stack-name "$STACK_NAME" if [ $? -ne 0 ]; then # Check if the stack exists and get its status STACK_STATUS=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" --query "Stacks[0].StackStatus" --output text 2>/dev/null) if [ $? -ne 0 ] || [ "$STACK_STATUS" == "ROLLBACK_COMPLETE" ] || [ "$STACK_STATUS" == "ROLLBACK_IN_PROGRESS" ]; then handle_error "Stack creation failed. Status: $STACK_STATUS" fi fi echo "Stack creation completed successfully." # Step 6: List stack resources echo "" echo "Resources created by the stack:" aws cloudformation list-stack-resources --stack-name "$STACK_NAME" --query "StackResourceSummaries[*].{LogicalID:LogicalResourceId, Type:ResourceType, Status:ResourceStatus}" --output table # Step 7: Get stack outputs echo "" echo "Stack outputs:" OUTPUTS=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" --query "Stacks[0].Outputs" --output json) if [ $? -ne 0 ]; then handle_error "Failed to retrieve stack outputs" fi # Extract the WebsiteURL WEBSITE_URL=$(aws cloudformation describe-stacks --stack-name "$STACK_NAME" --query "Stacks[0].Outputs[?OutputKey=='WebsiteURL'].OutputValue" --output text) if [ -z "$WEBSITE_URL" ]; then handle_error "Failed to extract WebsiteURL from stack outputs" fi echo "WebsiteURL: $WEBSITE_URL" echo "" echo "You can access the web server by opening the above URL in your browser." echo "You should see a simple 'Hello World!' message." # Step 8: Test the connection via CLI echo "" echo "Testing connection to the web server..." HTTP_RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" "$WEBSITE_URL") if [ "$HTTP_RESPONSE" == "200" ]; then echo "Connection successful! HTTP status code: $HTTP_RESPONSE" else echo "Warning: Connection test returned HTTP status code: $HTTP_RESPONSE" echo "The web server might not be ready yet or there might be connectivity issues." fi # Step 9: Prompt for cleanup echo "" echo "===================================================" echo "CLEANUP CONFIRMATION" echo "===================================================" echo "Resources created:" echo "- CloudFormation stack: $STACK_NAME" echo " - EC2 instance" echo " - Security group" echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup else echo "" echo "Resources were not cleaned up. You can delete them later with:" echo "aws cloudformation delete-stack --stack-name $STACK_NAME" echo "" echo "Note: You may be charged for AWS resources as long as they exist." fi echo "" echo "===================================================" echo "Tutorial completed at: $(date)" echo "Log file: $LOG_FILE" echo "===================================================" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateStack](https://docs.aws.amazon.com/goto/aws-cli/cloudformation-2010-05-15/CreateStack) + [DeleteStack](https://docs.aws.amazon.com/goto/aws-cli/cloudformation-2010-05-15/DeleteStack) + [DescribeStacks](https://docs.aws.amazon.com/goto/aws-cli/cloudformation-2010-05-15/DescribeStacks) + [ListStackResources](https://docs.aws.amazon.com/goto/aws-cli/cloudformation-2010-05-15/ListStackResources) + [ValidateTemplate](https://docs.aws.amazon.com/goto/aws-cli/cloudformation-2010-05-15/ValidateTemplate) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/cloudformation-2010-05-15/Wait) ### Getting started with Amazon EKS The following code example shows how to: + Create a VPC for your EKS cluster + Create IAM roles for your EKS cluster + Create your EKS cluster + Configure kubectl to communicate with your cluster + Create a managed node group + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/034-eks-gs) repository. ``` #!/bin/bash # Amazon EKS Cluster Creation Script (v2) # This script creates an Amazon EKS cluster with a managed node group using the AWS CLI # Set up logging LOG_FILE="eks-cluster-creation-v2.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon EKS cluster creation script at $(date)" echo "All commands and outputs will be logged to $LOG_FILE" # Error handling function handle_error() { echo "ERROR: $1" echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Function to check command success check_command() { if [ $? -ne 0 ] || echo "$1" | grep -i "error" > /dev/null; then handle_error "$1" fi } # Function to check if kubectl is installed check_kubectl() { if ! command -v kubectl &> /dev/null; then echo "WARNING: kubectl is not installed or not in your PATH." echo "" echo "To install kubectl, follow these instructions based on your operating system:" echo "" echo "For Linux:" echo " 1. Download the latest release:" echo " curl -LO \"https://dl.k8s.io/release/\$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl\"" echo "" echo " 2. Make the kubectl binary executable:" echo " chmod +x ./kubectl" echo "" echo " 3. Move the binary to your PATH:" echo " sudo mv ./kubectl /usr/local/bin/kubectl" echo "" echo "For macOS:" echo " 1. Using Homebrew:" echo " brew install kubectl" echo " or" echo " 2. Using curl:" echo " curl -LO \"https://dl.k8s.io/release/\$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/darwin/amd64/kubectl\"" echo " chmod +x ./kubectl" echo " sudo mv ./kubectl /usr/local/bin/kubectl" echo "" echo "For Windows:" echo " 1. Using curl:" echo " curl -LO \"https://dl.k8s.io/release/v1.28.0/bin/windows/amd64/kubectl.exe\"" echo " Add the binary to your PATH" echo " or" echo " 2. Using Chocolatey:" echo " choco install kubernetes-cli" echo "" echo "After installation, verify with: kubectl version --client" echo "" return 1 fi return 0 } # Generate a random identifier for resource names RANDOM_ID=$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | fold -w 6 | head -n 1) STACK_NAME="eks-vpc-stack-${RANDOM_ID}" CLUSTER_NAME="eks-cluster-${RANDOM_ID}" NODEGROUP_NAME="eks-nodegroup-${RANDOM_ID}" CLUSTER_ROLE_NAME="EKSClusterRole-${RANDOM_ID}" NODE_ROLE_NAME="EKSNodeRole-${RANDOM_ID}" echo "Using the following resource names:" echo "- VPC Stack: $STACK_NAME" echo "- EKS Cluster: $CLUSTER_NAME" echo "- Node Group: $NODEGROUP_NAME" echo "- Cluster IAM Role: $CLUSTER_ROLE_NAME" echo "- Node IAM Role: $NODE_ROLE_NAME" # Array to track created resources for cleanup declare -a CREATED_RESOURCES # Function to clean up resources cleanup_resources() { echo "Cleaning up resources in reverse order..." # Check if node group exists and delete it if aws eks list-nodegroups --cluster-name "$CLUSTER_NAME" --query "nodegroups[?contains(@,'$NODEGROUP_NAME')]" --output text 2>/dev/null | grep -q "$NODEGROUP_NAME"; then echo "Deleting node group: $NODEGROUP_NAME" aws eks delete-nodegroup --cluster-name "$CLUSTER_NAME" --nodegroup-name "$NODEGROUP_NAME" echo "Waiting for node group deletion to complete..." aws eks wait nodegroup-deleted --cluster-name "$CLUSTER_NAME" --nodegroup-name "$NODEGROUP_NAME" echo "Node group deleted successfully." fi # Check if cluster exists and delete it if aws eks describe-cluster --name "$CLUSTER_NAME" 2>/dev/null; then echo "Deleting cluster: $CLUSTER_NAME" aws eks delete-cluster --name "$CLUSTER_NAME" echo "Waiting for cluster deletion to complete (this may take several minutes)..." aws eks wait cluster-deleted --name "$CLUSTER_NAME" echo "Cluster deleted successfully." fi # Check if CloudFormation stack exists and delete it if aws cloudformation describe-stacks --stack-name "$STACK_NAME" 2>/dev/null; then echo "Deleting CloudFormation stack: $STACK_NAME" aws cloudformation delete-stack --stack-name "$STACK_NAME" echo "Waiting for CloudFormation stack deletion to complete..." aws cloudformation wait stack-delete-complete --stack-name "$STACK_NAME" echo "CloudFormation stack deleted successfully." fi # Clean up IAM roles if aws iam get-role --role-name "$NODE_ROLE_NAME" 2>/dev/null; then echo "Detaching policies from node role: $NODE_ROLE_NAME" aws iam detach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy --role-name "$NODE_ROLE_NAME" aws iam detach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly --role-name "$NODE_ROLE_NAME" aws iam detach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy --role-name "$NODE_ROLE_NAME" echo "Deleting node role: $NODE_ROLE_NAME" aws iam delete-role --role-name "$NODE_ROLE_NAME" echo "Node role deleted successfully." fi if aws iam get-role --role-name "$CLUSTER_ROLE_NAME" 2>/dev/null; then echo "Detaching policies from cluster role: $CLUSTER_ROLE_NAME" aws iam detach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy --role-name "$CLUSTER_ROLE_NAME" echo "Deleting cluster role: $CLUSTER_ROLE_NAME" aws iam delete-role --role-name "$CLUSTER_ROLE_NAME" echo "Cluster role deleted successfully." fi echo "Cleanup complete." } # Trap to ensure cleanup on script exit trap 'echo "Script interrupted. Cleaning up resources..."; cleanup_resources; exit 1' SIGINT SIGTERM # Verify AWS CLI configuration echo "Verifying AWS CLI configuration..." AWS_ACCOUNT_INFO=$(aws sts get-caller-identity) check_command "$AWS_ACCOUNT_INFO" echo "AWS CLI is properly configured." # Step 1: Create VPC using CloudFormation echo "Step 1: Creating VPC with CloudFormation..." echo "Creating CloudFormation stack: $STACK_NAME" # Create the CloudFormation stack CF_CREATE_OUTPUT=$(aws cloudformation create-stack \ --stack-name "$STACK_NAME" \ --template-url https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-eks-vpc-private-subnets.yaml) check_command "$CF_CREATE_OUTPUT" CREATED_RESOURCES+=("CloudFormation Stack: $STACK_NAME") echo "Waiting for CloudFormation stack to complete (this may take a few minutes)..." aws cloudformation wait stack-create-complete --stack-name "$STACK_NAME" if [ $? -ne 0 ]; then handle_error "CloudFormation stack creation failed" fi echo "CloudFormation stack created successfully." # Step 2: Create IAM roles for EKS echo "Step 2: Creating IAM roles for EKS..." # Create cluster role trust policy echo "Creating cluster role trust policy..." cat > eks-cluster-role-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "eks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create cluster role echo "Creating cluster IAM role: $CLUSTER_ROLE_NAME" CLUSTER_ROLE_OUTPUT=$(aws iam create-role \ --role-name "$CLUSTER_ROLE_NAME" \ --assume-role-policy-document file://"eks-cluster-role-trust-policy.json") check_command "$CLUSTER_ROLE_OUTPUT" CREATED_RESOURCES+=("IAM Role: $CLUSTER_ROLE_NAME") # Attach policy to cluster role echo "Attaching EKS cluster policy to role..." ATTACH_CLUSTER_POLICY_OUTPUT=$(aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy \ --role-name "$CLUSTER_ROLE_NAME") check_command "$ATTACH_CLUSTER_POLICY_OUTPUT" # Create node role trust policy echo "Creating node role trust policy..." cat > node-role-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create node role echo "Creating node IAM role: $NODE_ROLE_NAME" NODE_ROLE_OUTPUT=$(aws iam create-role \ --role-name "$NODE_ROLE_NAME" \ --assume-role-policy-document file://"node-role-trust-policy.json") check_command "$NODE_ROLE_OUTPUT" CREATED_RESOURCES+=("IAM Role: $NODE_ROLE_NAME") # Attach policies to node role echo "Attaching EKS node policies to role..." ATTACH_NODE_POLICY1_OUTPUT=$(aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy \ --role-name "$NODE_ROLE_NAME") check_command "$ATTACH_NODE_POLICY1_OUTPUT" ATTACH_NODE_POLICY2_OUTPUT=$(aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \ --role-name "$NODE_ROLE_NAME") check_command "$ATTACH_NODE_POLICY2_OUTPUT" ATTACH_NODE_POLICY3_OUTPUT=$(aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \ --role-name "$NODE_ROLE_NAME") check_command "$ATTACH_NODE_POLICY3_OUTPUT" # Step 3: Get VPC and subnet information echo "Step 3: Getting VPC and subnet information..." VPC_ID=$(aws cloudformation describe-stacks \ --stack-name "$STACK_NAME" \ --query "Stacks[0].Outputs[?OutputKey=='VpcId'].OutputValue" \ --output text) if [ -z "$VPC_ID" ]; then handle_error "Failed to get VPC ID from CloudFormation stack" fi echo "VPC ID: $VPC_ID" SUBNET_IDS=$(aws cloudformation describe-stacks \ --stack-name "$STACK_NAME" \ --query "Stacks[0].Outputs[?OutputKey=='SubnetIds'].OutputValue" \ --output text) if [ -z "$SUBNET_IDS" ]; then handle_error "Failed to get Subnet IDs from CloudFormation stack" fi echo "Subnet IDs: $SUBNET_IDS" SECURITY_GROUP_ID=$(aws cloudformation describe-stacks \ --stack-name "$STACK_NAME" \ --query "Stacks[0].Outputs[?OutputKey=='SecurityGroups'].OutputValue" \ --output text) if [ -z "$SECURITY_GROUP_ID" ]; then handle_error "Failed to get Security Group ID from CloudFormation stack" fi echo "Security Group ID: $SECURITY_GROUP_ID" # Step 4: Create EKS cluster echo "Step 4: Creating EKS cluster: $CLUSTER_NAME" CLUSTER_ROLE_ARN=$(aws iam get-role --role-name "$CLUSTER_ROLE_NAME" --query "Role.Arn" --output text) if [ -z "$CLUSTER_ROLE_ARN" ]; then handle_error "Failed to get Cluster Role ARN" fi echo "Creating EKS cluster (this will take 10-15 minutes)..." CREATE_CLUSTER_OUTPUT=$(aws eks create-cluster \ --name "$CLUSTER_NAME" \ --role-arn "$CLUSTER_ROLE_ARN" \ --resources-vpc-config subnetIds="$SUBNET_IDS",securityGroupIds="$SECURITY_GROUP_ID") check_command "$CREATE_CLUSTER_OUTPUT" CREATED_RESOURCES+=("EKS Cluster: $CLUSTER_NAME") echo "Waiting for EKS cluster to become active (this may take 10-15 minutes)..." aws eks wait cluster-active --name "$CLUSTER_NAME" if [ $? -ne 0 ]; then handle_error "Cluster creation failed or timed out" fi echo "EKS cluster is now active." # Step 5: Configure kubectl echo "Step 5: Configuring kubectl to communicate with the cluster..." # Check if kubectl is installed if ! check_kubectl; then echo "Will skip kubectl configuration steps but continue with the script." echo "You can manually configure kubectl later with: aws eks update-kubeconfig --name \"$CLUSTER_NAME\"" else UPDATE_KUBECONFIG_OUTPUT=$(aws eks update-kubeconfig --name "$CLUSTER_NAME") check_command "$UPDATE_KUBECONFIG_OUTPUT" echo "kubectl configured successfully." # Test kubectl configuration echo "Testing kubectl configuration..." KUBECTL_TEST_OUTPUT=$(kubectl get svc 2>&1) if [ $? -ne 0 ]; then echo "Warning: kubectl configuration test failed. This might be due to permissions or network issues." echo "Error details: $KUBECTL_TEST_OUTPUT" echo "Continuing with script execution..." else echo "$KUBECTL_TEST_OUTPUT" echo "kubectl configuration test successful." fi fi # Step 6: Create managed node group echo "Step 6: Creating managed node group: $NODEGROUP_NAME" NODE_ROLE_ARN=$(aws iam get-role --role-name "$NODE_ROLE_NAME" --query "Role.Arn" --output text) if [ -z "$NODE_ROLE_ARN" ]; then handle_error "Failed to get Node Role ARN" fi # Convert comma-separated subnet IDs to space-separated for the create-nodegroup command SUBNET_IDS_ARRAY=(${SUBNET_IDS//,/ }) echo "Creating managed node group (this will take 5-10 minutes)..." CREATE_NODEGROUP_OUTPUT=$(aws eks create-nodegroup \ --cluster-name "$CLUSTER_NAME" \ --nodegroup-name "$NODEGROUP_NAME" \ --node-role "$NODE_ROLE_ARN" \ --subnets "${SUBNET_IDS_ARRAY[@]}") check_command "$CREATE_NODEGROUP_OUTPUT" CREATED_RESOURCES+=("EKS Node Group: $NODEGROUP_NAME") echo "Waiting for node group to become active (this may take 5-10 minutes)..." aws eks wait nodegroup-active --cluster-name "$CLUSTER_NAME" --nodegroup-name "$NODEGROUP_NAME" if [ $? -ne 0 ]; then handle_error "Node group creation failed or timed out" fi echo "Node group is now active." # Step 7: Verify nodes echo "Step 7: Verifying nodes..." echo "Waiting for nodes to register with the cluster (this may take a few minutes)..." sleep 60 # Give nodes more time to register # Check if kubectl is installed before attempting to use it if ! check_kubectl; then echo "Cannot verify nodes without kubectl. Skipping this step." echo "You can manually verify nodes after installing kubectl with: kubectl get nodes" else NODES_OUTPUT=$(kubectl get nodes 2>&1) if [ $? -ne 0 ]; then echo "Warning: Unable to get nodes. This might be due to permissions or the nodes are still registering." echo "Error details: $NODES_OUTPUT" echo "Continuing with script execution..." else echo "$NODES_OUTPUT" echo "Nodes verified successfully." fi fi # Step 8: View resources echo "Step 8: Viewing cluster resources..." echo "Cluster information:" CLUSTER_INFO=$(aws eks describe-cluster --name "$CLUSTER_NAME") echo "$CLUSTER_INFO" echo "Node group information:" NODEGROUP_INFO=$(aws eks describe-nodegroup --cluster-name "$CLUSTER_NAME" --nodegroup-name "$NODEGROUP_NAME") echo "$NODEGROUP_INFO" echo "Kubernetes resources:" if ! check_kubectl; then echo "Cannot list Kubernetes resources without kubectl. Skipping this step." echo "You can manually list resources after installing kubectl with: kubectl get all --all-namespaces" else KUBE_RESOURCES=$(kubectl get all --all-namespaces 2>&1) if [ $? -ne 0 ]; then echo "Warning: Unable to get Kubernetes resources. This might be due to permissions." echo "Error details: $KUBE_RESOURCES" echo "Continuing with script execution..." else echo "$KUBE_RESOURCES" fi fi # Display summary of created resources echo "" echo "===========================================" echo "RESOURCES CREATED" echo "===========================================" for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" done echo "===========================================" # Prompt for cleanup echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "${CLEANUP_CHOICE,,}" == "y" ]]; then cleanup_resources else echo "Resources will not be cleaned up. You can manually clean them up later." echo "To clean up resources, run the following commands:" echo "1. Delete node group: aws eks delete-nodegroup --cluster-name $CLUSTER_NAME --nodegroup-name $NODEGROUP_NAME" echo "2. Wait for node group deletion: aws eks wait nodegroup-deleted --cluster-name $CLUSTER_NAME --nodegroup-name $NODEGROUP_NAME" echo "3. Delete cluster: aws eks delete-cluster --name $CLUSTER_NAME" echo "4. Wait for cluster deletion: aws eks wait cluster-deleted --name $CLUSTER_NAME" echo "5. Delete CloudFormation stack: aws cloudformation delete-stack --stack-name $STACK_NAME" echo "6. Detach and delete IAM roles for the node group and cluster" fi echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateCluster](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/CreateCluster) + [CreateNodegroup](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/CreateNodegroup) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateStack](https://docs.aws.amazon.com/goto/aws-cli/cloudformation-2010-05-15/CreateStack) + [DeleteCluster](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/DeleteCluster) + [DeleteNodegroup](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/DeleteNodegroup) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteStack](https://docs.aws.amazon.com/goto/aws-cli/cloudformation-2010-05-15/DeleteStack) + [DescribeCluster](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/DescribeCluster) + [DescribeNodegroup](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/DescribeNodegroup) + [DescribeStacks](https://docs.aws.amazon.com/goto/aws-cli/cloudformation-2010-05-15/DescribeStacks) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [ListNodegroups](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/ListNodegroups) + [UpdateKubeconfig](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/UpdateKubeconfig) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/cloudformation-2010-05-15/Wait) # CloudFront examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with CloudFront. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Get started with a basic CloudFront distribution The following code example shows how to: + Create an Amazon S3 bucket + Upload content to the bucket + Create a CloudFront distribution with OAC + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/005-cloudfront-gettingstarted) repository. ``` #!/bin/bash # CloudFront Getting Started Tutorial Script # This script creates an S3 bucket, uploads sample content, creates a CloudFront distribution with OAC, # and demonstrates how to access content through CloudFront. # Set up logging LOG_FILE="cloudfront-tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting CloudFront Getting Started Tutorial at $(date)" # Function to handle errors handle_error() { echo "ERROR: $1" echo "Resources created before error:" if [ -n "$BUCKET_NAME" ]; then echo "- S3 Bucket: $BUCKET_NAME" fi if [ -n "$OAC_ID" ]; then echo "- CloudFront Origin Access Control: $OAC_ID" fi if [ -n "$DISTRIBUTION_ID" ]; then echo "- CloudFront Distribution: $DISTRIBUTION_ID" fi echo "Attempting to clean up resources..." cleanup exit 1 } # Function to clean up resources cleanup() { echo "Cleaning up resources..." if [ -n "$DISTRIBUTION_ID" ]; then echo "Disabling CloudFront distribution $DISTRIBUTION_ID..." # Get the current configuration and ETag ETAG=$(aws cloudfront get-distribution-config --id "$DISTRIBUTION_ID" --query 'ETag' --output text) if [ $? -ne 0 ]; then echo "Failed to get distribution config. Continuing with cleanup..." else # Create a modified configuration with Enabled=false aws cloudfront get-distribution-config --id "$DISTRIBUTION_ID" | \ jq '.DistributionConfig.Enabled = false' > temp_disabled_config.json # Update the distribution to disable it aws cloudfront update-distribution \ --id "$DISTRIBUTION_ID" \ --distribution-config file://<(jq '.DistributionConfig' temp_disabled_config.json) \ --if-match "$ETAG" if [ $? -ne 0 ]; then echo "Failed to disable distribution. Continuing with cleanup..." else echo "Waiting for distribution to be disabled (this may take several minutes)..." aws cloudfront wait distribution-deployed --id "$DISTRIBUTION_ID" # Delete the distribution ETAG=$(aws cloudfront get-distribution-config --id "$DISTRIBUTION_ID" --query 'ETag' --output text) aws cloudfront delete-distribution --id "$DISTRIBUTION_ID" --if-match "$ETAG" if [ $? -ne 0 ]; then echo "Failed to delete distribution. You may need to delete it manually." else echo "CloudFront distribution deleted." fi fi fi fi if [ -n "$OAC_ID" ]; then echo "Deleting Origin Access Control $OAC_ID..." OAC_ETAG=$(aws cloudfront get-origin-access-control --id "$OAC_ID" --query 'ETag' --output text 2>/dev/null) if [ $? -ne 0 ]; then echo "Failed to get Origin Access Control ETag. You may need to delete it manually." else aws cloudfront delete-origin-access-control --id "$OAC_ID" --if-match "$OAC_ETAG" if [ $? -ne 0 ]; then echo "Failed to delete Origin Access Control. You may need to delete it manually." else echo "Origin Access Control deleted." fi fi fi if [ -n "$BUCKET_NAME" ]; then echo "Deleting S3 bucket $BUCKET_NAME and its contents..." aws s3 rm "s3://$BUCKET_NAME" --recursive if [ $? -ne 0 ]; then echo "Failed to remove bucket contents. Continuing with bucket deletion..." fi aws s3 rb "s3://$BUCKET_NAME" if [ $? -ne 0 ]; then echo "Failed to delete bucket. You may need to delete it manually." else echo "S3 bucket deleted." fi fi # Clean up temporary files rm -f temp_disabled_config.json rm -rf temp_content } # Generate a random identifier for the bucket name RANDOM_ID=$(openssl rand -hex 6) BUCKET_NAME="cloudfront-${RANDOM_ID}" echo "Using bucket name: $BUCKET_NAME" # Create a temporary directory for content TEMP_DIR="temp_content" mkdir -p "$TEMP_DIR/css" if [ $? -ne 0 ]; then handle_error "Failed to create temporary directory" fi # Step 1: Create an S3 bucket echo "Creating S3 bucket: $BUCKET_NAME" aws s3 mb "s3://$BUCKET_NAME" if [ $? -ne 0 ]; then handle_error "Failed to create S3 bucket" fi # Step 2: Create sample content echo "Creating sample content..." cat > "$TEMP_DIR/index.html" << 'EOF' Hello World

Hello world!

EOF cat > "$TEMP_DIR/css/styles.css" << 'EOF' body { font-family: Arial, sans-serif; margin: 40px; background-color: #f5f5f5; } h1 { color: #333; text-align: center; } EOF # Step 3: Upload content to the S3 bucket echo "Uploading content to S3 bucket..." aws s3 cp "$TEMP_DIR/" "s3://$BUCKET_NAME/" --recursive if [ $? -ne 0 ]; then handle_error "Failed to upload content to S3 bucket" fi # Step 4: Create Origin Access Control echo "Creating Origin Access Control..." OAC_RESPONSE=$(aws cloudfront create-origin-access-control \ --origin-access-control-config Name="oac-for-$BUCKET_NAME",SigningProtocol=sigv4,SigningBehavior=always,OriginAccessControlOriginType=s3) if [ $? -ne 0 ]; then handle_error "Failed to create Origin Access Control" fi OAC_ID=$(echo "$OAC_RESPONSE" | jq -r '.OriginAccessControl.Id') echo "Created Origin Access Control with ID: $OAC_ID" # Step 5: Create CloudFront distribution echo "Creating CloudFront distribution..." # Get AWS account ID for bucket policy ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text) if [ $? -ne 0 ]; then handle_error "Failed to get AWS account ID" fi # Create distribution configuration cat > distribution-config.json << EOF { "CallerReference": "cli-tutorial-$(date +%s)", "Origins": { "Quantity": 1, "Items": [ { "Id": "S3-$BUCKET_NAME", "DomainName": "$BUCKET_NAME.s3.amazonaws.com", "S3OriginConfig": { "OriginAccessIdentity": "" }, "OriginAccessControlId": "$OAC_ID" } ] }, "DefaultCacheBehavior": { "TargetOriginId": "S3-$BUCKET_NAME", "ViewerProtocolPolicy": "redirect-to-https", "AllowedMethods": { "Quantity": 2, "Items": ["GET", "HEAD"], "CachedMethods": { "Quantity": 2, "Items": ["GET", "HEAD"] } }, "DefaultTTL": 86400, "MinTTL": 0, "MaxTTL": 31536000, "Compress": true, "ForwardedValues": { "QueryString": false, "Cookies": { "Forward": "none" } } }, "Comment": "CloudFront distribution for tutorial", "Enabled": true, "WebACLId": "" } EOF DIST_RESPONSE=$(aws cloudfront create-distribution --distribution-config file://distribution-config.json) if [ $? -ne 0 ]; then handle_error "Failed to create CloudFront distribution" fi DISTRIBUTION_ID=$(echo "$DIST_RESPONSE" | jq -r '.Distribution.Id') DOMAIN_NAME=$(echo "$DIST_RESPONSE" | jq -r '.Distribution.DomainName') echo "Created CloudFront distribution with ID: $DISTRIBUTION_ID" echo "CloudFront domain name: $DOMAIN_NAME" # Step 6: Update S3 bucket policy echo "Updating S3 bucket policy..." cat > bucket-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowCloudFrontServicePrincipal", "Effect": "Allow", "Principal": { "Service": "cloudfront.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::$BUCKET_NAME/*", "Condition": { "StringEquals": { "AWS:SourceArn": "arn:aws:cloudfront::$ACCOUNT_ID:distribution/$DISTRIBUTION_ID" } } } ] } EOF aws s3api put-bucket-policy --bucket "$BUCKET_NAME" --policy file://bucket-policy.json if [ $? -ne 0 ]; then handle_error "Failed to update S3 bucket policy" fi # Step 7: Wait for distribution to deploy echo "Waiting for CloudFront distribution to deploy (this may take 5-10 minutes)..." aws cloudfront wait distribution-deployed --id "$DISTRIBUTION_ID" if [ $? -ne 0 ]; then echo "Warning: Distribution deployment wait timed out. The distribution may still be deploying." else echo "CloudFront distribution is now deployed." fi # Step 8: Display access information echo "" echo "===== CloudFront Distribution Setup Complete =====" echo "You can access your content at: https://$DOMAIN_NAME/index.html" echo "" echo "Resources created:" echo "- S3 Bucket: $BUCKET_NAME" echo "- CloudFront Origin Access Control: $OAC_ID" echo "- CloudFront Distribution: $DISTRIBUTION_ID" echo "" # Ask user if they want to clean up resources read -p "Do you want to clean up all resources created by this script? (y/n): " CLEANUP_RESPONSE if [[ "$CLEANUP_RESPONSE" =~ ^[Yy] ]]; then cleanup echo "All resources have been cleaned up." else echo "Resources will not be cleaned up. You can manually delete them later." echo "To access your content, visit: https://$DOMAIN_NAME/index.html" fi echo "Tutorial completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateDistribution](https://docs.aws.amazon.com/goto/aws-cli/cloudfront-2020-05-31/CreateDistribution) + [CreateOriginAccessControl](https://docs.aws.amazon.com/goto/aws-cli/cloudfront-2020-05-31/CreateOriginAccessControl) + [DeleteDistribution](https://docs.aws.amazon.com/goto/aws-cli/cloudfront-2020-05-31/DeleteDistribution) + [DeleteOriginAccessControl](https://docs.aws.amazon.com/goto/aws-cli/cloudfront-2020-05-31/DeleteOriginAccessControl) + [GetDistribution](https://docs.aws.amazon.com/goto/aws-cli/cloudfront-2020-05-31/GetDistribution) + [GetDistributionConfig](https://docs.aws.amazon.com/goto/aws-cli/cloudfront-2020-05-31/GetDistributionConfig) + [GetOriginAccessControl](https://docs.aws.amazon.com/goto/aws-cli/cloudfront-2020-05-31/GetOriginAccessControl) + [UpdateDistribution](https://docs.aws.amazon.com/goto/aws-cli/cloudfront-2020-05-31/UpdateDistribution) + [WaitDistributionDeployed](https://docs.aws.amazon.com/goto/aws-cli/cloudfront-2020-05-31/WaitDistributionDeployed) ### Getting started with WAF The following code example shows how to: + Create a web ACL + Add a string match rule + Add managed rules + Configure logging + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/052-aws-waf-gs) repository. ``` #!/bin/bash # AWS WAF Getting Started Script # This script creates a Web ACL with a string match rule and AWS Managed Rules, # associates it with a CloudFront distribution, and then cleans up all resources. # Set up logging LOG_FILE="waf-tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "===================================================" echo "AWS WAF Getting Started Tutorial" echo "===================================================" echo "This script will create AWS WAF resources and associate" echo "them with a CloudFront distribution." echo "" # Maximum number of retries for operations MAX_RETRIES=3 # Function to handle errors handle_error() { echo "ERROR: $1" echo "Check the log file for details: $LOG_FILE" cleanup_resources exit 1 } # Function to check command success check_command() { if echo "$1" | grep -i "error" > /dev/null; then handle_error "$2: $1" fi } # Function to clean up resources cleanup_resources() { echo "" echo "===================================================" echo "CLEANING UP RESOURCES" echo "===================================================" if [ -n "$DISTRIBUTION_ID" ] && [ -n "$WEB_ACL_ARN" ]; then echo "Disassociating Web ACL from CloudFront distribution..." DISASSOCIATE_RESULT=$(aws wafv2 disassociate-web-acl \ --resource-arn "arn:aws:cloudfront::$(aws sts get-caller-identity --query Account --output text):distribution/$DISTRIBUTION_ID" \ --region us-east-1 2>&1) if echo "$DISASSOCIATE_RESULT" | grep -i "error" > /dev/null; then echo "Warning: Failed to disassociate Web ACL: $DISASSOCIATE_RESULT" else echo "Web ACL disassociated successfully." fi fi if [ -n "$WEB_ACL_ID" ] && [ -n "$WEB_ACL_NAME" ]; then echo "Deleting Web ACL..." # Get the latest lock token before deletion GET_RESULT=$(aws wafv2 get-web-acl \ --name "$WEB_ACL_NAME" \ --scope CLOUDFRONT \ --id "$WEB_ACL_ID" \ --region us-east-1 2>&1) if echo "$GET_RESULT" | grep -i "error" > /dev/null; then echo "Warning: Failed to get Web ACL for deletion: $GET_RESULT" echo "You may need to manually delete the Web ACL using the AWS Console." else LATEST_TOKEN=$(echo "$GET_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4) if [ -n "$LATEST_TOKEN" ]; then DELETE_RESULT=$(aws wafv2 delete-web-acl \ --name "$WEB_ACL_NAME" \ --scope CLOUDFRONT \ --id "$WEB_ACL_ID" \ --lock-token "$LATEST_TOKEN" \ --region us-east-1 2>&1) if echo "$DELETE_RESULT" | grep -i "error" > /dev/null; then echo "Warning: Failed to delete Web ACL: $DELETE_RESULT" echo "You may need to manually delete the Web ACL using the AWS Console." else echo "Web ACL deleted successfully." fi else echo "Warning: Could not extract lock token for deletion. You may need to manually delete the Web ACL." fi fi fi echo "Cleanup process completed." } # Generate a random identifier for resource names RANDOM_ID=$(openssl rand -hex 4) WEB_ACL_NAME="MyWebACL-${RANDOM_ID}" METRIC_NAME="MyWebACLMetrics-${RANDOM_ID}" echo "Using Web ACL name: $WEB_ACL_NAME" # Step 1: Create a Web ACL echo "" echo "===================================================" echo "STEP 1: Creating Web ACL" echo "===================================================" CREATE_RESULT=$(aws wafv2 create-web-acl \ --name "$WEB_ACL_NAME" \ --scope "CLOUDFRONT" \ --default-action Allow={} \ --visibility-config "SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=$METRIC_NAME" \ --region us-east-1 2>&1) check_command "$CREATE_RESULT" "Failed to create Web ACL" # Extract Web ACL ID, ARN, and Lock Token from the Summary object WEB_ACL_ID=$(echo "$CREATE_RESULT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) WEB_ACL_ARN=$(echo "$CREATE_RESULT" | grep -o '"ARN": "[^"]*' | cut -d'"' -f4) LOCK_TOKEN=$(echo "$CREATE_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4) if [ -z "$WEB_ACL_ID" ]; then handle_error "Failed to extract Web ACL ID" fi if [ -z "$LOCK_TOKEN" ]; then handle_error "Failed to extract Lock Token" fi echo "Web ACL created successfully with ID: $WEB_ACL_ID" echo "Lock Token: $LOCK_TOKEN" # Step 2: Add a String Match Rule echo "" echo "===================================================" echo "STEP 2: Adding String Match Rule" echo "===================================================" # Try to update with retries for ((i=1; i<=MAX_RETRIES; i++)); do echo "Attempt $i to add string match rule..." # Get the latest lock token before updating GET_RESULT=$(aws wafv2 get-web-acl \ --name "$WEB_ACL_NAME" \ --scope CLOUDFRONT \ --id "$WEB_ACL_ID" \ --region us-east-1 2>&1) if echo "$GET_RESULT" | grep -i "error" > /dev/null; then echo "Warning: Failed to get Web ACL for update: $GET_RESULT" if [ "$i" -eq "$MAX_RETRIES" ]; then handle_error "Failed to get Web ACL after $MAX_RETRIES attempts" fi sleep 2 continue fi LATEST_TOKEN=$(echo "$GET_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4) if [ -z "$LATEST_TOKEN" ]; then echo "Warning: Could not extract lock token for update" if [ "$i" -eq "$MAX_RETRIES" ]; then handle_error "Failed to extract lock token after $MAX_RETRIES attempts" fi sleep 2 continue fi echo "Using lock token: $LATEST_TOKEN" UPDATE_RESULT=$(aws wafv2 update-web-acl \ --name "$WEB_ACL_NAME" \ --scope "CLOUDFRONT" \ --id "$WEB_ACL_ID" \ --lock-token "$LATEST_TOKEN" \ --default-action Allow={} \ --rules '[{ "Name": "UserAgentRule", "Priority": 0, "Statement": { "ByteMatchStatement": { "SearchString": "MyAgent", "FieldToMatch": { "SingleHeader": { "Name": "user-agent" } }, "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ], "PositionalConstraint": "EXACTLY" } }, "Action": { "Count": {} }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "UserAgentRuleMetric" } }]' \ --visibility-config "SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=$METRIC_NAME" \ --region us-east-1 2>&1) if echo "$UPDATE_RESULT" | grep -i "WAFOptimisticLockException" > /dev/null; then echo "Optimistic lock exception encountered. Will retry with new lock token." if [ "$i" -eq "$MAX_RETRIES" ]; then handle_error "Failed to add string match rule after $MAX_RETRIES attempts: $UPDATE_RESULT" fi sleep 2 continue elif echo "$UPDATE_RESULT" | grep -i "error" > /dev/null; then handle_error "Failed to add string match rule: $UPDATE_RESULT" else # Success echo "String match rule added successfully." break fi done # Step 3: Add AWS Managed Rules echo "" echo "===================================================" echo "STEP 3: Adding AWS Managed Rules" echo "===================================================" # Try to update with retries for ((i=1; i<=MAX_RETRIES; i++)); do echo "Attempt $i to add AWS Managed Rules..." # Get the latest lock token before updating GET_RESULT=$(aws wafv2 get-web-acl \ --name "$WEB_ACL_NAME" \ --scope CLOUDFRONT \ --id "$WEB_ACL_ID" \ --region us-east-1 2>&1) if echo "$GET_RESULT" | grep -i "error" > /dev/null; then echo "Warning: Failed to get Web ACL for update: $GET_RESULT" if [ "$i" -eq "$MAX_RETRIES" ]; then handle_error "Failed to get Web ACL after $MAX_RETRIES attempts" fi sleep 2 continue fi LATEST_TOKEN=$(echo "$GET_RESULT" | grep -o '"LockToken": "[^"]*' | cut -d'"' -f4) if [ -z "$LATEST_TOKEN" ]; then echo "Warning: Could not extract lock token for update" if [ "$i" -eq "$MAX_RETRIES" ]; then handle_error "Failed to extract lock token after $MAX_RETRIES attempts" fi sleep 2 continue fi echo "Using lock token: $LATEST_TOKEN" UPDATE_RESULT=$(aws wafv2 update-web-acl \ --name "$WEB_ACL_NAME" \ --scope "CLOUDFRONT" \ --id "$WEB_ACL_ID" \ --lock-token "$LATEST_TOKEN" \ --default-action Allow={} \ --rules '[{ "Name": "UserAgentRule", "Priority": 0, "Statement": { "ByteMatchStatement": { "SearchString": "MyAgent", "FieldToMatch": { "SingleHeader": { "Name": "user-agent" } }, "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ], "PositionalConstraint": "EXACTLY" } }, "Action": { "Count": {} }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "UserAgentRuleMetric" } }, { "Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 1, "Statement": { "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet", "ExcludedRules": [] } }, "OverrideAction": { "Count": {} }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "AWS-AWSManagedRulesCommonRuleSet" } }]' \ --visibility-config "SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=$METRIC_NAME" \ --region us-east-1 2>&1) if echo "$UPDATE_RESULT" | grep -i "WAFOptimisticLockException" > /dev/null; then echo "Optimistic lock exception encountered. Will retry with new lock token." if [ "$i" -eq "$MAX_RETRIES" ]; then handle_error "Failed to add AWS Managed Rules after $MAX_RETRIES attempts: $UPDATE_RESULT" fi sleep 2 continue elif echo "$UPDATE_RESULT" | grep -i "error" > /dev/null; then handle_error "Failed to add AWS Managed Rules: $UPDATE_RESULT" else # Success echo "AWS Managed Rules added successfully." break fi done # Step 4: List CloudFront distributions echo "" echo "===================================================" echo "STEP 4: Listing CloudFront Distributions" echo "===================================================" CF_RESULT=$(aws cloudfront list-distributions --query "DistributionList.Items[*].{Id:Id,DomainName:DomainName}" --output table 2>&1) if echo "$CF_RESULT" | grep -i "error" > /dev/null; then echo "Warning: Failed to list CloudFront distributions: $CF_RESULT" echo "Continuing without CloudFront association." else echo "$CF_RESULT" # Ask user to select a CloudFront distribution echo "" echo "===================================================" echo "STEP 5: Associate Web ACL with CloudFront Distribution" echo "===================================================" echo "Enter the ID of the CloudFront distribution to associate with the Web ACL:" echo "(If you don't have a CloudFront distribution, press Enter to skip this step)" read -r DISTRIBUTION_ID if [ -n "$DISTRIBUTION_ID" ]; then ASSOCIATE_RESULT=$(aws wafv2 associate-web-acl \ --web-acl-arn "$WEB_ACL_ARN" \ --resource-arn "arn:aws:cloudfront::$(aws sts get-caller-identity --query Account --output text):distribution/$DISTRIBUTION_ID" \ --region us-east-1 2>&1) if echo "$ASSOCIATE_RESULT" | grep -i "error" > /dev/null; then echo "Warning: Failed to associate Web ACL with CloudFront distribution: $ASSOCIATE_RESULT" echo "Continuing without CloudFront association." DISTRIBUTION_ID="" else echo "Web ACL associated with CloudFront distribution successfully." fi else echo "Skipping association with CloudFront distribution." fi fi # Display summary of created resources echo "" echo "===================================================" echo "RESOURCE SUMMARY" echo "===================================================" echo "Web ACL Name: $WEB_ACL_NAME" echo "Web ACL ID: $WEB_ACL_ID" echo "Web ACL ARN: $WEB_ACL_ARN" if [ -n "$DISTRIBUTION_ID" ]; then echo "Associated CloudFront Distribution: $DISTRIBUTION_ID" fi echo "" # Ask user if they want to clean up resources echo "===================================================" echo "CLEANUP CONFIRMATION" echo "===================================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy] ]]; then cleanup_resources else echo "" echo "Resources have NOT been cleaned up. You can manually clean them up later." echo "To clean up resources manually, run the following commands:" if [ -n "$DISTRIBUTION_ID" ]; then echo "aws wafv2 disassociate-web-acl --resource-arn \"arn:aws:cloudfront::$(aws sts get-caller-identity --query Account --output text):distribution/$DISTRIBUTION_ID\" --region us-east-1" fi echo "aws wafv2 delete-web-acl --name \"$WEB_ACL_NAME\" --scope CLOUDFRONT --id \"$WEB_ACL_ID\" --lock-token \"\" --region us-east-1" echo "" echo "To get the latest lock token, run:" echo "aws wafv2 get-web-acl --name \"$WEB_ACL_NAME\" --scope CLOUDFRONT --id \"$WEB_ACL_ID\" --region us-east-1" fi echo "" echo "===================================================" echo "Tutorial completed!" echo "===================================================" echo "Log file: $LOG_FILE" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AssociateWebAcl](https://docs.aws.amazon.com/goto/aws-cli/wafv2-2019-07-29/AssociateWebAcl) + [CreateWebAcl](https://docs.aws.amazon.com/goto/aws-cli/wafv2-2019-07-29/CreateWebAcl) + [DeleteWebAcl](https://docs.aws.amazon.com/goto/aws-cli/wafv2-2019-07-29/DeleteWebAcl) + [DisassociateWebAcl](https://docs.aws.amazon.com/goto/aws-cli/wafv2-2019-07-29/DisassociateWebAcl) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetWebAcl](https://docs.aws.amazon.com/goto/aws-cli/wafv2-2019-07-29/GetWebAcl) + [ListDistributions](https://docs.aws.amazon.com/goto/aws-cli/cloudfront-2020-05-31/ListDistributions) + [UpdateWebAcl](https://docs.aws.amazon.com/goto/aws-cli/wafv2-2019-07-29/UpdateWebAcl) # CloudWatch examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with CloudWatch. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Creating a CloudWatch dashboard with function name as a variable The following code example shows how to: + Create a CloudWatch dashboard + Add Lambda metrics widgets with a function name variable + Verify the dashboard + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/031-cloudwatch-dynamicdash) repository. ``` #!/bin/bash # Script to create a CloudWatch dashboard with Lambda function name as a variable # This script creates a CloudWatch dashboard that allows you to switch between different Lambda functions # Set up logging LOG_FILE="cloudwatch-dashboard-script.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "$(date): Starting CloudWatch dashboard creation script" # Function to handle errors handle_error() { echo "ERROR: $1" echo "Resources created:" echo "- CloudWatch Dashboard: LambdaMetricsDashboard" echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "An error occurred. Do you want to clean up the created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "${CLEANUP_CHOICE,,}" == "y" ]]; then echo "Cleaning up resources..." aws cloudwatch delete-dashboards --dashboard-names LambdaMetricsDashboard echo "Cleanup complete." else echo "Resources were not cleaned up. You can manually delete them later." fi exit 1 } # Check if AWS CLI is installed and configured echo "Checking AWS CLI configuration..." aws sts get-caller-identity > /dev/null 2>&1 if [ $? -ne 0 ]; then handle_error "AWS CLI is not properly configured. Please configure it with 'aws configure' and try again." fi # Get the current region REGION=$(aws configure get region) if [ -z "$REGION" ]; then REGION="us-east-1" echo "No region found in AWS config, defaulting to $REGION" fi echo "Using region: $REGION" # Check if there are any Lambda functions in the account echo "Checking for Lambda functions..." LAMBDA_FUNCTIONS=$(aws lambda list-functions --query "Functions[*].FunctionName" --output text) if [ -z "$LAMBDA_FUNCTIONS" ]; then echo "No Lambda functions found in your account. Creating a simple test function..." # Create a temporary directory for Lambda function code TEMP_DIR=$(mktemp -d) # Create a simple Lambda function cat > "$TEMP_DIR/index.js" << EOF exports.handler = async (event) => { console.log('Event:', JSON.stringify(event, null, 2)); return { statusCode: 200, body: JSON.stringify('Hello from Lambda!'), }; }; EOF # Zip the function code cd "$TEMP_DIR" || handle_error "Failed to change to temporary directory" zip -q function.zip index.js # Create a role for the Lambda function ROLE_NAME="LambdaDashboardTestRole" ROLE_ARN=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document '{"Version":"2012-10-17", "Statement":[{"Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]}' \ --query "Role.Arn" \ --output text) if [ $? -ne 0 ]; then handle_error "Failed to create IAM role for Lambda function" fi echo "Waiting for role to be available..." sleep 10 # Attach basic Lambda execution policy aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" if [ $? -ne 0 ]; then aws iam delete-role --role-name "$ROLE_NAME" handle_error "Failed to attach policy to IAM role" fi # Create the Lambda function FUNCTION_NAME="DashboardTestFunction" aws lambda create-function \ --function-name "$FUNCTION_NAME" \ --runtime nodejs18.x \ --role "$ROLE_ARN" \ --handler index.handler \ --zip-file fileb://function.zip if [ $? -ne 0 ]; then aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" aws iam delete-role --role-name "$ROLE_NAME" handle_error "Failed to create Lambda function" fi # Invoke the function to generate some metrics echo "Invoking Lambda function to generate metrics..." for i in {1..5}; do aws lambda invoke --function-name "$FUNCTION_NAME" --payload '{}' /dev/null > /dev/null sleep 1 done # Clean up temporary directory cd - > /dev/null rm -rf "$TEMP_DIR" # Set the function name for the dashboard DEFAULT_FUNCTION="$FUNCTION_NAME" else # Use the first Lambda function as default DEFAULT_FUNCTION=$(echo "$LAMBDA_FUNCTIONS" | awk '{print $1}') echo "Found Lambda functions. Using $DEFAULT_FUNCTION as default." fi # Create a dashboard with Lambda metrics and a function name variable echo "Creating CloudWatch dashboard with Lambda function name variable..." # Create a JSON file for the dashboard body cat > dashboard-body.json << EOF { "widgets": [ { "type": "metric", "x": 0, "y": 0, "width": 12, "height": 6, "properties": { "metrics": [ [ "AWS/Lambda", "Invocations", "FunctionName", "\${FunctionName}" ], [ ".", "Errors", ".", "." ], [ ".", "Throttles", ".", "." ] ], "view": "timeSeries", "stacked": false, "region": "$REGION", "title": "Lambda Function Metrics for \${FunctionName}", "period": 300 } }, { "type": "metric", "x": 0, "y": 6, "width": 12, "height": 6, "properties": { "metrics": [ [ "AWS/Lambda", "Duration", "FunctionName", "\${FunctionName}", { "stat": "Average" } ] ], "view": "timeSeries", "stacked": false, "region": "$REGION", "title": "Duration for \${FunctionName}", "period": 300 } }, { "type": "metric", "x": 12, "y": 0, "width": 12, "height": 6, "properties": { "metrics": [ [ "AWS/Lambda", "ConcurrentExecutions", "FunctionName", "\${FunctionName}" ] ], "view": "timeSeries", "stacked": false, "region": "$REGION", "title": "Concurrent Executions for \${FunctionName}", "period": 300 } } ], "periodOverride": "auto", "variables": [ { "type": "property", "id": "FunctionName", "property": "FunctionName", "label": "Lambda Function", "inputType": "select", "values": [ { "value": "$DEFAULT_FUNCTION", "label": "$DEFAULT_FUNCTION" } ] } ] } EOF # Create the dashboard using the JSON file DASHBOARD_RESULT=$(aws cloudwatch put-dashboard --dashboard-name LambdaMetricsDashboard --dashboard-body file://dashboard-body.json) DASHBOARD_EXIT_CODE=$? # Check if there was a fatal error if [ $DASHBOARD_EXIT_CODE -ne 0 ]; then # If we created resources, clean them up if [ -n "${FUNCTION_NAME:-}" ]; then aws lambda delete-function --function-name "$FUNCTION_NAME" aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" aws iam delete-role --role-name "$ROLE_NAME" fi handle_error "Failed to create CloudWatch dashboard." fi # Display any validation messages but continue if [[ "$DASHBOARD_RESULT" == *"DashboardValidationMessages"* ]]; then echo "Dashboard created with validation messages:" echo "$DASHBOARD_RESULT" echo "These validation messages are warnings and the dashboard should still function." else echo "Dashboard created successfully!" fi # Verify the dashboard was created echo "Verifying dashboard creation..." DASHBOARD_INFO=$(aws cloudwatch get-dashboard --dashboard-name LambdaMetricsDashboard) DASHBOARD_INFO_EXIT_CODE=$? if [ $DASHBOARD_INFO_EXIT_CODE -ne 0 ]; then # If we created resources, clean them up if [ -n "${FUNCTION_NAME:-}" ]; then aws lambda delete-function --function-name "$FUNCTION_NAME" aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" aws iam delete-role --role-name "$ROLE_NAME" fi handle_error "Failed to verify dashboard creation." fi echo "Dashboard verification successful!" echo "Dashboard details:" echo "$DASHBOARD_INFO" # List all dashboards to confirm echo "Listing all dashboards:" DASHBOARDS=$(aws cloudwatch list-dashboards) DASHBOARDS_EXIT_CODE=$? if [ $DASHBOARDS_EXIT_CODE -ne 0 ]; then # If we created resources, clean them up if [ -n "${FUNCTION_NAME:-}" ]; then aws lambda delete-function --function-name "$FUNCTION_NAME" aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" aws iam delete-role --role-name "$ROLE_NAME" fi handle_error "Failed to list dashboards." fi echo "$DASHBOARDS" # Show instructions for accessing the dashboard echo "" echo "Dashboard created successfully! To access it:" echo "1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/" echo "2. In the navigation pane, choose Dashboards" echo "3. Select LambdaMetricsDashboard" echo "4. You should see a dropdown menu labeled 'Lambda Function' at the top of the dashboard" echo "5. Use this dropdown to select different Lambda functions and see their metrics" echo "" # Create a list of resources for cleanup RESOURCES=("- CloudWatch Dashboard: LambdaMetricsDashboard") if [ -n "${FUNCTION_NAME:-}" ]; then RESOURCES+=("- Lambda Function: $FUNCTION_NAME") RESOURCES+=("- IAM Role: $ROLE_NAME") fi # Prompt for cleanup echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Resources created:" for resource in "${RESOURCES[@]}"; do echo "$resource" done echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "${CLEANUP_CHOICE,,}" == "y" ]]; then echo "Cleaning up resources..." # Delete the dashboard aws cloudwatch delete-dashboards --dashboard-names LambdaMetricsDashboard if [ $? -ne 0 ]; then echo "WARNING: Failed to delete dashboard. You may need to delete it manually." else echo "Dashboard deleted successfully." fi # If we created a Lambda function, delete it and its role if [ -n "${FUNCTION_NAME:-}" ]; then echo "Deleting Lambda function..." aws lambda delete-function --function-name "$FUNCTION_NAME" if [ $? -ne 0 ]; then echo "WARNING: Failed to delete Lambda function. You may need to delete it manually." else echo "Lambda function deleted successfully." fi echo "Detaching role policy..." aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" if [ $? -ne 0 ]; then echo "WARNING: Failed to detach role policy. You may need to detach it manually." else echo "Role policy detached successfully." fi echo "Deleting IAM role..." aws iam delete-role --role-name "$ROLE_NAME" if [ $? -ne 0 ]; then echo "WARNING: Failed to delete IAM role. You may need to delete it manually." else echo "IAM role deleted successfully." fi fi # Clean up the JSON file rm -f dashboard-body.json echo "Cleanup complete." else echo "Resources were not cleaned up. You can manually delete them later with:" echo "aws cloudwatch delete-dashboards --dashboard-names LambdaMetricsDashboard" if [ -n "${FUNCTION_NAME:-}" ]; then echo "aws lambda delete-function --function-name $FUNCTION_NAME" echo "aws iam detach-role-policy --role-name $ROLE_NAME --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" echo "aws iam delete-role --role-name $ROLE_NAME" fi fi echo "Script completed successfully!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/CreateFunction) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteDashboards](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/DeleteDashboards) + [DeleteFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/DeleteFunction) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetDashboard](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/GetDashboard) + [Invoke](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/Invoke) + [ListDashboards](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/ListDashboards) + [ListFunctions](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/ListFunctions) + [PutDashboard](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/PutDashboard) ### Run CPU stress tests on EC2 instances using FIS The following code example shows how to: + Create IAM roles + Create a CloudWatch alarm + Create an experiment template + Run the experiment + Verify the results + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/069-aws-fault-injection-service-gs) repository. ``` #!/bin/bash # AWS FIS CPU Stress Test Tutorial Script # This script automates the steps in the AWS FIS CPU stress test tutorial # approach using epoch time calculations that work across all Linux distributions # Set up logging LOG_FILE="fis-tutorial-$(date +%Y%m%d-%H%M%S).log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting AWS FIS CPU Stress Test Tutorial Script" echo "Logging to $LOG_FILE" echo "==============================================" # Function to check for errors in command output check_error() { local output=$1 local cmd=$2 if echo "$output" | grep -i "error" > /dev/null; then # Ignore specific expected errors if [[ "$cmd" == *"aws fis get-experiment"* ]] && [[ "$output" == *"ConfigurationFailure"* ]]; then echo "Note: Experiment failed due to configuration issue. This is expected in some cases." return 0 fi echo "ERROR: Command failed: $cmd" echo "Output: $output" cleanup_on_error exit 1 fi } # Function to clean up resources on error cleanup_on_error() { echo "Error encountered. Cleaning up resources..." if [ -n "$EXPERIMENT_ID" ]; then echo "Stopping experiment $EXPERIMENT_ID if running..." aws fis stop-experiment --id "$EXPERIMENT_ID" 2>/dev/null || true fi if [ -n "$TEMPLATE_ID" ]; then echo "Deleting experiment template $TEMPLATE_ID..." aws fis delete-experiment-template --id "$TEMPLATE_ID" || true fi if [ -n "$INSTANCE_ID" ]; then echo "Terminating EC2 instance $INSTANCE_ID..." aws ec2 terminate-instances --instance-ids "$INSTANCE_ID" || true fi if [ -n "$ALARM_NAME" ]; then echo "Deleting CloudWatch alarm $ALARM_NAME..." aws cloudwatch delete-alarms --alarm-names "$ALARM_NAME" || true fi if [ -n "$INSTANCE_PROFILE_NAME" ]; then echo "Removing role from instance profile..." aws iam remove-role-from-instance-profile --instance-profile-name "$INSTANCE_PROFILE_NAME" --role-name "$EC2_ROLE_NAME" || true echo "Deleting instance profile..." aws iam delete-instance-profile --instance-profile-name "$INSTANCE_PROFILE_NAME" || true fi if [ -n "$FIS_ROLE_NAME" ]; then echo "Deleting FIS role policy..." aws iam delete-role-policy --role-name "$FIS_ROLE_NAME" --policy-name "$FIS_POLICY_NAME" || true echo "Deleting FIS role..." aws iam delete-role --role-name "$FIS_ROLE_NAME" || true fi if [ -n "$EC2_ROLE_NAME" ]; then echo "Detaching policy from EC2 role..." aws iam detach-role-policy --role-name "$EC2_ROLE_NAME" --policy-arn "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" || true echo "Deleting EC2 role..." aws iam delete-role --role-name "$EC2_ROLE_NAME" || true fi echo "Cleanup completed." } # Generate unique identifiers for resources TIMESTAMP=$(date +%Y%m%d%H%M%S) FIS_ROLE_NAME="FISRole-${TIMESTAMP}" FIS_POLICY_NAME="FISPolicy-${TIMESTAMP}" EC2_ROLE_NAME="EC2SSMRole-${TIMESTAMP}" INSTANCE_PROFILE_NAME="EC2SSMProfile-${TIMESTAMP}" ALARM_NAME="FIS-CPU-Alarm-${TIMESTAMP}" # Track created resources CREATED_RESOURCES=() echo "Step 1: Creating IAM role for AWS FIS" # Create trust policy file for AWS FIS cat > fis-trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "fis.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create IAM role for FIS echo "Creating IAM role $FIS_ROLE_NAME for AWS FIS..." FIS_ROLE_OUTPUT=$(aws iam create-role \ --role-name "$FIS_ROLE_NAME" \ --assume-role-policy-document file://fis-trust-policy.json) check_error "$FIS_ROLE_OUTPUT" "aws iam create-role" CREATED_RESOURCES+=("IAM Role: $FIS_ROLE_NAME") # Create policy document for SSM actions cat > fis-ssm-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:SendCommand", "ssm:ListCommands", "ssm:ListCommandInvocations" ], "Resource": "*" } ] } EOF # Attach policy to the role echo "Attaching policy $FIS_POLICY_NAME to role $FIS_ROLE_NAME..." FIS_POLICY_OUTPUT=$(aws iam put-role-policy \ --role-name "$FIS_ROLE_NAME" \ --policy-name "$FIS_POLICY_NAME" \ --policy-document file://fis-ssm-policy.json) check_error "$FIS_POLICY_OUTPUT" "aws iam put-role-policy" CREATED_RESOURCES+=("IAM Policy: $FIS_POLICY_NAME attached to $FIS_ROLE_NAME") echo "Step 2: Creating IAM role for EC2 instance with SSM permissions" # Create trust policy file for EC2 cat > ec2-trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create IAM role for EC2 echo "Creating IAM role $EC2_ROLE_NAME for EC2 instance..." EC2_ROLE_OUTPUT=$(aws iam create-role \ --role-name "$EC2_ROLE_NAME" \ --assume-role-policy-document file://ec2-trust-policy.json) check_error "$EC2_ROLE_OUTPUT" "aws iam create-role" CREATED_RESOURCES+=("IAM Role: $EC2_ROLE_NAME") # Attach SSM policy to the EC2 role echo "Attaching AmazonSSMManagedInstanceCore policy to role $EC2_ROLE_NAME..." EC2_POLICY_OUTPUT=$(aws iam attach-role-policy \ --role-name "$EC2_ROLE_NAME" \ --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore) check_error "$EC2_POLICY_OUTPUT" "aws iam attach-role-policy" CREATED_RESOURCES+=("IAM Policy: AmazonSSMManagedInstanceCore attached to $EC2_ROLE_NAME") # Create instance profile echo "Creating instance profile $INSTANCE_PROFILE_NAME..." PROFILE_OUTPUT=$(aws iam create-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME") check_error "$PROFILE_OUTPUT" "aws iam create-instance-profile" CREATED_RESOURCES+=("IAM Instance Profile: $INSTANCE_PROFILE_NAME") # Add role to instance profile echo "Adding role $EC2_ROLE_NAME to instance profile $INSTANCE_PROFILE_NAME..." ADD_ROLE_OUTPUT=$(aws iam add-role-to-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME" \ --role-name "$EC2_ROLE_NAME") check_error "$ADD_ROLE_OUTPUT" "aws iam add-role-to-instance-profile" # Wait for role to propagate echo "Waiting for IAM role to propagate..." sleep 10 echo "Step 3: Launching EC2 instance" # Get the latest Amazon Linux 2 AMI ID echo "Finding latest Amazon Linux 2 AMI..." AMI_ID=$(aws ec2 describe-images \ --owners amazon \ --filters "Name=name,Values=amzn2-ami-hvm-*-x86_64-gp2" "Name=state,Values=available" \ --query "sort_by(Images, &CreationDate)[-1].ImageId" \ --output text) check_error "$AMI_ID" "aws ec2 describe-images" echo "Using AMI: $AMI_ID" # Launch EC2 instance echo "Launching EC2 instance with AMI $AMI_ID..." INSTANCE_OUTPUT=$(aws ec2 run-instances \ --image-id "$AMI_ID" \ --instance-type t2.micro \ --iam-instance-profile Name="$INSTANCE_PROFILE_NAME" \ --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=FIS-Test-Instance}]') check_error "$INSTANCE_OUTPUT" "aws ec2 run-instances" # Get instance ID INSTANCE_ID=$(echo "$INSTANCE_OUTPUT" | grep -i "InstanceId" | head -1 | awk -F'"' '{print $4}') if [ -z "$INSTANCE_ID" ]; then echo "Failed to get instance ID" cleanup_on_error exit 1 fi echo "Launched instance: $INSTANCE_ID" CREATED_RESOURCES+=("EC2 Instance: $INSTANCE_ID") # Enable detailed monitoring echo "Enabling detailed monitoring for instance $INSTANCE_ID..." MONITOR_OUTPUT=$(aws ec2 monitor-instances --instance-ids "$INSTANCE_ID") check_error "$MONITOR_OUTPUT" "aws ec2 monitor-instances" # Wait for instance to be running and status checks to pass echo "Waiting for instance to be ready..." aws ec2 wait instance-running --instance-ids "$INSTANCE_ID" aws ec2 wait instance-status-ok --instance-ids "$INSTANCE_ID" echo "Instance is ready" echo "Step 4: Creating CloudWatch alarm for CPU utilization" # Create CloudWatch alarm echo "Creating CloudWatch alarm $ALARM_NAME..." ALARM_OUTPUT=$(aws cloudwatch put-metric-alarm \ --alarm-name "$ALARM_NAME" \ --alarm-description "Alarm when CPU exceeds 50%" \ --metric-name CPUUtilization \ --namespace AWS/EC2 \ --statistic Maximum \ --period 60 \ --threshold 50 \ --comparison-operator GreaterThanOrEqualToThreshold \ --dimensions "Name=InstanceId,Value=$INSTANCE_ID" \ --evaluation-periods 1) check_error "$ALARM_OUTPUT" "aws cloudwatch put-metric-alarm" CREATED_RESOURCES+=("CloudWatch Alarm: $ALARM_NAME") # Get the alarm ARN echo "Getting CloudWatch alarm ARN..." ALARM_ARN_OUTPUT=$(aws cloudwatch describe-alarms \ --alarm-names "$ALARM_NAME") check_error "$ALARM_ARN_OUTPUT" "aws cloudwatch describe-alarms" ALARM_ARN=$(echo "$ALARM_ARN_OUTPUT" | grep -i "AlarmArn" | head -1 | awk -F'"' '{print $4}') if [ -z "$ALARM_ARN" ]; then echo "Failed to get alarm ARN" cleanup_on_error exit 1 fi echo "Alarm ARN: $ALARM_ARN" # Wait for the alarm to initialize and reach OK state echo "Waiting for CloudWatch alarm to initialize (60 seconds)..." sleep 60 # Check alarm state echo "Checking alarm state..." ALARM_STATE_OUTPUT=$(aws cloudwatch describe-alarms \ --alarm-names "$ALARM_NAME") ALARM_STATE=$(echo "$ALARM_STATE_OUTPUT" | grep -i "StateValue" | head -1 | awk -F'"' '{print $4}') echo "Current alarm state: $ALARM_STATE" # If alarm is not in OK state, wait longer or generate some baseline metrics if [ "$ALARM_STATE" != "OK" ]; then echo "Alarm not in OK state. Waiting for alarm to stabilize (additional 60 seconds)..." sleep 60 # Check alarm state again ALARM_STATE_OUTPUT=$(aws cloudwatch describe-alarms \ --alarm-names "$ALARM_NAME") ALARM_STATE=$(echo "$ALARM_STATE_OUTPUT" | grep -i "StateValue" | head -1 | awk -F'"' '{print $4}') echo "Updated alarm state: $ALARM_STATE" if [ "$ALARM_STATE" != "OK" ]; then echo "Warning: Alarm still not in OK state. Experiment may fail to start." fi fi echo "Step 5: Creating AWS FIS experiment template" # Get the IAM role ARN echo "Getting IAM role ARN for $FIS_ROLE_NAME..." ROLE_ARN_OUTPUT=$(aws iam get-role \ --role-name "$FIS_ROLE_NAME") check_error "$ROLE_ARN_OUTPUT" "aws iam get-role" ROLE_ARN=$(echo "$ROLE_ARN_OUTPUT" | grep -i "Arn" | head -1 | awk -F'"' '{print $4}') if [ -z "$ROLE_ARN" ]; then echo "Failed to get role ARN" cleanup_on_error exit 1 fi echo "Role ARN: $ROLE_ARN" # Get account ID and region ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) REGION=$(aws configure get region) if [ -z "$REGION" ]; then REGION="us-east-1" # Default to us-east-1 if region not set fi INSTANCE_ARN="arn:aws:ec2:${REGION}:${ACCOUNT_ID}:instance/${INSTANCE_ID}" echo "Instance ARN: $INSTANCE_ARN" # Create experiment template - Fixed JSON escaping issue cat > experiment-template.json << EOF { "description": "Test CPU stress predefined SSM document", "targets": { "testInstance": { "resourceType": "aws:ec2:instance", "resourceArns": ["$INSTANCE_ARN"], "selectionMode": "ALL" } }, "actions": { "runCpuStress": { "actionId": "aws:ssm:send-command", "parameters": { "documentArn": "arn:aws:ssm:$REGION::document/AWSFIS-Run-CPU-Stress", "documentParameters": "{\"DurationSeconds\":\"120\"}", "duration": "PT5M" }, "targets": { "Instances": "testInstance" } } }, "stopConditions": [ { "source": "aws:cloudwatch:alarm", "value": "$ALARM_ARN" } ], "roleArn": "$ROLE_ARN", "tags": { "Name": "FIS-CPU-Stress-Experiment" } } EOF # Create experiment template echo "Creating AWS FIS experiment template..." TEMPLATE_OUTPUT=$(aws fis create-experiment-template --cli-input-json file://experiment-template.json) check_error "$TEMPLATE_OUTPUT" "aws fis create-experiment-template" TEMPLATE_ID=$(echo "$TEMPLATE_OUTPUT" | grep -i "id" | head -1 | awk -F'"' '{print $4}') if [ -z "$TEMPLATE_ID" ]; then echo "Failed to get template ID" cleanup_on_error exit 1 fi echo "Experiment template created with ID: $TEMPLATE_ID" CREATED_RESOURCES+=("FIS Experiment Template: $TEMPLATE_ID") echo "Step 6: Starting the experiment" # Start the experiment echo "Starting AWS FIS experiment using template $TEMPLATE_ID..." EXPERIMENT_OUTPUT=$(aws fis start-experiment \ --experiment-template-id "$TEMPLATE_ID" \ --tags '{"Name": "FIS-CPU-Stress-Run"}') check_error "$EXPERIMENT_OUTPUT" "aws fis start-experiment" EXPERIMENT_ID=$(echo "$EXPERIMENT_OUTPUT" | grep -i "id" | head -1 | awk -F'"' '{print $4}') if [ -z "$EXPERIMENT_ID" ]; then echo "Failed to get experiment ID" cleanup_on_error exit 1 fi echo "Experiment started with ID: $EXPERIMENT_ID" CREATED_RESOURCES+=("FIS Experiment: $EXPERIMENT_ID") echo "Step 7: Tracking experiment progress" # Track experiment progress echo "Tracking experiment progress..." MAX_CHECKS=30 CHECK_COUNT=0 EXPERIMENT_STATE="" while [ $CHECK_COUNT -lt $MAX_CHECKS ]; do EXPERIMENT_INFO=$(aws fis get-experiment --id "$EXPERIMENT_ID") # Don't check for errors here, as we expect some experiments to fail EXPERIMENT_STATE=$(echo "$EXPERIMENT_INFO" | grep -i "status" | head -1 | awk -F'"' '{print $4}') echo "Experiment state: $EXPERIMENT_STATE" if [ "$EXPERIMENT_STATE" == "completed" ] || [ "$EXPERIMENT_STATE" == "stopped" ] || [ "$EXPERIMENT_STATE" == "failed" ]; then # Show the reason for the state REASON=$(echo "$EXPERIMENT_INFO" | grep -i "reason" | head -1 | awk -F'"' '{print $4}') if [ -n "$REASON" ]; then echo "Reason: $REASON" fi break fi echo "Waiting 10 seconds before checking again..." sleep 10 CHECK_COUNT=$((CHECK_COUNT + 1)) done if [ $CHECK_COUNT -eq $MAX_CHECKS ]; then echo "Experiment is taking longer than expected. You can check its status later using:" echo "aws fis get-experiment --id $EXPERIMENT_ID" fi echo "Step 8: Verifying experiment results" # Check CloudWatch alarm state echo "Checking CloudWatch alarm state..." ALARM_STATE_OUTPUT=$(aws cloudwatch describe-alarms --alarm-names "$ALARM_NAME") check_error "$ALARM_STATE_OUTPUT" "aws cloudwatch describe-alarms" echo "$ALARM_STATE_OUTPUT" # Get CPU utilization metrics echo "Getting CPU utilization metrics..." END_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ") # FIXED: Cross-platform compatible way to calculate time 10 minutes ago # This approach uses epoch seconds and basic arithmetic which works on all Linux distributions CURRENT_EPOCH=$(date +%s) TEN_MINUTES_AGO_EPOCH=$((CURRENT_EPOCH - 600)) START_TIME=$(date -u -d "@$TEN_MINUTES_AGO_EPOCH" +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || date -u -r "$TEN_MINUTES_AGO_EPOCH" +"%Y-%m-%dT%H:%M:%SZ") # Create metric query file cat > metric-query.json << EOF [ { "Id": "cpu", "MetricStat": { "Metric": { "Namespace": "AWS/EC2", "MetricName": "CPUUtilization", "Dimensions": [ { "Name": "InstanceId", "Value": "$INSTANCE_ID" } ] }, "Period": 60, "Stat": "Maximum" } } ] EOF METRICS_OUTPUT=$(aws cloudwatch get-metric-data \ --start-time "$START_TIME" \ --end-time "$END_TIME" \ --metric-data-queries file://metric-query.json) check_error "$METRICS_OUTPUT" "aws cloudwatch get-metric-data" echo "CPU Utilization Metrics:" echo "$METRICS_OUTPUT" # Display summary of created resources echo "" echo "===========================================" echo "RESOURCES CREATED" echo "===========================================" for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" done echo "===========================================" # Prompt for cleanup echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Starting cleanup process..." # Stop experiment if still running if [ "$EXPERIMENT_STATE" != "completed" ] && [ "$EXPERIMENT_STATE" != "stopped" ] && [ "$EXPERIMENT_STATE" != "failed" ]; then echo "Stopping experiment $EXPERIMENT_ID..." STOP_OUTPUT=$(aws fis stop-experiment --id "$EXPERIMENT_ID") check_error "$STOP_OUTPUT" "aws fis stop-experiment" echo "Waiting for experiment to stop..." sleep 10 fi # Delete experiment template echo "Deleting experiment template $TEMPLATE_ID..." DELETE_TEMPLATE_OUTPUT=$(aws fis delete-experiment-template --id "$TEMPLATE_ID") check_error "$DELETE_TEMPLATE_OUTPUT" "aws fis delete-experiment-template" # Delete CloudWatch alarm echo "Deleting CloudWatch alarm $ALARM_NAME..." DELETE_ALARM_OUTPUT=$(aws cloudwatch delete-alarms --alarm-names "$ALARM_NAME") check_error "$DELETE_ALARM_OUTPUT" "aws cloudwatch delete-alarms" # Terminate EC2 instance echo "Terminating EC2 instance $INSTANCE_ID..." TERMINATE_OUTPUT=$(aws ec2 terminate-instances --instance-ids "$INSTANCE_ID") check_error "$TERMINATE_OUTPUT" "aws ec2 terminate-instances" echo "Waiting for instance to terminate..." aws ec2 wait instance-terminated --instance-ids "$INSTANCE_ID" # Clean up IAM resources echo "Removing role from instance profile..." REMOVE_ROLE_OUTPUT=$(aws iam remove-role-from-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME" \ --role-name "$EC2_ROLE_NAME") check_error "$REMOVE_ROLE_OUTPUT" "aws iam remove-role-from-instance-profile" echo "Deleting instance profile..." DELETE_PROFILE_OUTPUT=$(aws iam delete-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME") check_error "$DELETE_PROFILE_OUTPUT" "aws iam delete-instance-profile" echo "Deleting FIS role policy..." DELETE_POLICY_OUTPUT=$(aws iam delete-role-policy \ --role-name "$FIS_ROLE_NAME" \ --policy-name "$FIS_POLICY_NAME") check_error "$DELETE_POLICY_OUTPUT" "aws iam delete-role-policy" echo "Detaching policy from EC2 role..." DETACH_POLICY_OUTPUT=$(aws iam detach-role-policy \ --role-name "$EC2_ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore") check_error "$DETACH_POLICY_OUTPUT" "aws iam detach-role-policy" echo "Deleting FIS role..." DELETE_FIS_ROLE_OUTPUT=$(aws iam delete-role \ --role-name "$FIS_ROLE_NAME") check_error "$DELETE_FIS_ROLE_OUTPUT" "aws iam delete-role" echo "Deleting EC2 role..." DELETE_EC2_ROLE_OUTPUT=$(aws iam delete-role \ --role-name "$EC2_ROLE_NAME") check_error "$DELETE_EC2_ROLE_OUTPUT" "aws iam delete-role" # Clean up temporary files echo "Cleaning up temporary files..." rm -f fis-trust-policy.json ec2-trust-policy.json fis-ssm-policy.json experiment-template.json metric-query.json echo "Cleanup completed successfully." else echo "Cleanup skipped. Resources will remain in your AWS account." echo "You can manually clean up the resources listed above." fi echo "" echo "Script execution completed." echo "Log file: $LOG_FILE" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AddRoleToInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AddRoleToInstanceProfile) + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateExperimentTemplate](https://docs.aws.amazon.com/goto/aws-cli/fis-2020-12-01/CreateExperimentTemplate) + [CreateInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateInstanceProfile) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteAlarms](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/DeleteAlarms) + [DeleteExperimentTemplate](https://docs.aws.amazon.com/goto/aws-cli/fis-2020-12-01/DeleteExperimentTemplate) + [DeleteInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteInstanceProfile) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy) + [DescribeAlarms](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/DescribeAlarms) + [DescribeImages](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeImages) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetExperiment](https://docs.aws.amazon.com/goto/aws-cli/fis-2020-12-01/GetExperiment) + [GetMetricData](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/GetMetricData) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [MonitorInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/MonitorInstances) + [PutMetricAlarm](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/PutMetricAlarm) + [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy) + [RemoveRoleFromInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/RemoveRoleFromInstanceProfile) + [RunInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/RunInstances) + [StartExperiment](https://docs.aws.amazon.com/goto/aws-cli/fis-2020-12-01/StartExperiment) + [StopExperiment](https://docs.aws.amazon.com/goto/aws-cli/fis-2020-12-01/StopExperiment) + [TerminateInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/TerminateInstances) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/Wait) ### Using property variables in CloudWatch dashboards to monitor multiple Lambda functions The following code example shows how to: + Create Lambda functions for monitoring + Create a CloudWatch dashboard + Add a property variable to the dashboard + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/032-cloudwatch-streams) repository. ``` #!/bin/bash # CloudWatch Dashboard with Lambda Function Variable Script # This script creates a CloudWatch dashboard with a property variable for Lambda function names # Set up logging LOG_FILE="cloudwatch-dashboard-script-v4.log" echo "Starting script execution at $(date)" > "$LOG_FILE" # Function to log commands and their output log_cmd() { echo "$(date): Running command: $1" >> "$LOG_FILE" eval "$1" 2>&1 | tee -a "$LOG_FILE" return ${PIPESTATUS[0]} } # Function to check for errors in command output check_error() { local cmd_output="$1" local cmd_status="$2" local error_msg="$3" if [ $cmd_status -ne 0 ] || echo "$cmd_output" | grep -i "error" > /dev/null; then echo "ERROR: $error_msg" | tee -a "$LOG_FILE" echo "Command output: $cmd_output" | tee -a "$LOG_FILE" cleanup_resources exit 1 fi } # Function to clean up resources cleanup_resources() { echo "" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "CLEANUP PROCESS" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" if [ -n "$DASHBOARD_NAME" ]; then echo "Deleting CloudWatch dashboard: $DASHBOARD_NAME" | tee -a "$LOG_FILE" log_cmd "aws cloudwatch delete-dashboards --dashboard-names \"$DASHBOARD_NAME\"" fi if [ -n "$LAMBDA_FUNCTION1" ]; then echo "Deleting Lambda function: $LAMBDA_FUNCTION1" | tee -a "$LOG_FILE" log_cmd "aws lambda delete-function --function-name \"$LAMBDA_FUNCTION1\"" fi if [ -n "$LAMBDA_FUNCTION2" ]; then echo "Deleting Lambda function: $LAMBDA_FUNCTION2" | tee -a "$LOG_FILE" log_cmd "aws lambda delete-function --function-name \"$LAMBDA_FUNCTION2\"" fi if [ -n "$ROLE_NAME" ]; then echo "Detaching policy from role: $ROLE_NAME" | tee -a "$LOG_FILE" log_cmd "aws iam detach-role-policy --role-name \"$ROLE_NAME\" --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" echo "Deleting IAM role: $ROLE_NAME" | tee -a "$LOG_FILE" log_cmd "aws iam delete-role --role-name \"$ROLE_NAME\"" fi echo "Cleanup completed." | tee -a "$LOG_FILE" } # Function to prompt for cleanup confirmation confirm_cleanup() { echo "" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "CLEANUP CONFIRMATION" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "The following resources were created:" | tee -a "$LOG_FILE" echo "- CloudWatch Dashboard: $DASHBOARD_NAME" | tee -a "$LOG_FILE" if [ -n "$LAMBDA_FUNCTION1" ]; then echo "- Lambda Function: $LAMBDA_FUNCTION1" | tee -a "$LOG_FILE" fi if [ -n "$LAMBDA_FUNCTION2" ]; then echo "- Lambda Function: $LAMBDA_FUNCTION2" | tee -a "$LOG_FILE" fi if [ -n "$ROLE_NAME" ]; then echo "- IAM Role: $ROLE_NAME" | tee -a "$LOG_FILE" fi echo "" | tee -a "$LOG_FILE" echo "Do you want to clean up all created resources? (y/n): " | tee -a "$LOG_FILE" read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup_resources else echo "Resources were not cleaned up. You can manually delete them later." | tee -a "$LOG_FILE" fi } # Get AWS region AWS_REGION=$(aws configure get region) if [ -z "$AWS_REGION" ]; then AWS_REGION="us-east-1" echo "No region found in AWS config, defaulting to $AWS_REGION" | tee -a "$LOG_FILE" else echo "Using AWS region: $AWS_REGION" | tee -a "$LOG_FILE" fi # Generate unique identifiers RANDOM_ID=$(openssl rand -hex 6) DASHBOARD_NAME="LambdaMetricsDashboard-${RANDOM_ID}" LAMBDA_FUNCTION1="TestFunction1-${RANDOM_ID}" LAMBDA_FUNCTION2="TestFunction2-${RANDOM_ID}" ROLE_NAME="LambdaExecutionRole-${RANDOM_ID}" echo "Using random identifier: $RANDOM_ID" | tee -a "$LOG_FILE" echo "Dashboard name: $DASHBOARD_NAME" | tee -a "$LOG_FILE" echo "Lambda function names: $LAMBDA_FUNCTION1, $LAMBDA_FUNCTION2" | tee -a "$LOG_FILE" echo "IAM role name: $ROLE_NAME" | tee -a "$LOG_FILE" # Create IAM role for Lambda functions echo "Creating IAM role for Lambda..." | tee -a "$LOG_FILE" TRUST_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' echo "$TRUST_POLICY" > trust-policy.json ROLE_OUTPUT=$(log_cmd "aws iam create-role --role-name \"$ROLE_NAME\" --assume-role-policy-document file://trust-policy.json --output json") check_error "$ROLE_OUTPUT" $? "Failed to create IAM role" ROLE_ARN=$(echo "$ROLE_OUTPUT" | grep -o '"Arn": "[^"]*' | cut -d'"' -f4) echo "Role ARN: $ROLE_ARN" | tee -a "$LOG_FILE" # Attach Lambda basic execution policy to the role echo "Attaching Lambda execution policy to role..." | tee -a "$LOG_FILE" POLICY_OUTPUT=$(log_cmd "aws iam attach-role-policy --role-name \"$ROLE_NAME\" --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole") check_error "$POLICY_OUTPUT" $? "Failed to attach policy to role" # Wait for role to propagate echo "Waiting for IAM role to propagate..." | tee -a "$LOG_FILE" sleep 10 # Create simple Python Lambda function code echo "Creating Lambda function code..." | tee -a "$LOG_FILE" cat > lambda_function.py << 'EOF' def handler(event, context): print("Lambda function executed successfully") return { 'statusCode': 200, 'body': 'Success' } EOF # Zip the Lambda function code log_cmd "zip -j lambda_function.zip lambda_function.py" # Create first Lambda function echo "Creating first Lambda function: $LAMBDA_FUNCTION1..." | tee -a "$LOG_FILE" LAMBDA1_OUTPUT=$(log_cmd "aws lambda create-function --function-name \"$LAMBDA_FUNCTION1\" --runtime python3.9 --role \"$ROLE_ARN\" --handler lambda_function.handler --zip-file fileb://lambda_function.zip") check_error "$LAMBDA1_OUTPUT" $? "Failed to create first Lambda function" # Create second Lambda function echo "Creating second Lambda function: $LAMBDA_FUNCTION2..." | tee -a "$LOG_FILE" LAMBDA2_OUTPUT=$(log_cmd "aws lambda create-function --function-name \"$LAMBDA_FUNCTION2\" --runtime python3.9 --role \"$ROLE_ARN\" --handler lambda_function.handler --zip-file fileb://lambda_function.zip") check_error "$LAMBDA2_OUTPUT" $? "Failed to create second Lambda function" # Invoke Lambda functions to generate some metrics echo "Invoking Lambda functions to generate metrics..." | tee -a "$LOG_FILE" log_cmd "aws lambda invoke --function-name \"$LAMBDA_FUNCTION1\" --payload '{}' /dev/null" log_cmd "aws lambda invoke --function-name \"$LAMBDA_FUNCTION2\" --payload '{}' /dev/null" # Create CloudWatch dashboard with property variable echo "Creating CloudWatch dashboard with property variable..." | tee -a "$LOG_FILE" # Create a simpler dashboard with a property variable # This approach uses a more basic dashboard structure that's known to work with the CloudWatch API DASHBOARD_BODY=$(cat < Variables > Create a variable" | tee -a "$LOG_FILE" echo "4. Choose Property variable" | tee -a "$LOG_FILE" echo "5. For Property that the variable changes, choose FunctionName" | tee -a "$LOG_FILE" echo "6. For Input type, choose Select menu (dropdown)" | tee -a "$LOG_FILE" echo "7. Choose Use the results of a metric search" | tee -a "$LOG_FILE" echo "8. Choose Pre-built queries > Lambda > Errors" | tee -a "$LOG_FILE" echo "9. Choose By Function Name and then choose Search" | tee -a "$LOG_FILE" echo "10. (Optional) Configure any secondary settings as desired" | tee -a "$LOG_FILE" echo "11. Choose Add variable" | tee -a "$LOG_FILE" echo "" | tee -a "$LOG_FILE" echo "The dashboard has been created and can be accessed at:" | tee -a "$LOG_FILE" echo "https://console.aws.amazon.com/cloudwatch/home#dashboards:name=$DASHBOARD_NAME" | tee -a "$LOG_FILE" # Verify dashboard creation echo "Verifying dashboard creation..." | tee -a "$LOG_FILE" VERIFY_OUTPUT=$(log_cmd "aws cloudwatch get-dashboard --dashboard-name \"$DASHBOARD_NAME\"") check_error "$VERIFY_OUTPUT" $? "Failed to verify dashboard creation" echo "" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "DASHBOARD CREATED SUCCESSFULLY" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "Dashboard Name: $DASHBOARD_NAME" | tee -a "$LOG_FILE" echo "Lambda Functions: $LAMBDA_FUNCTION1, $LAMBDA_FUNCTION2" | tee -a "$LOG_FILE" echo "" | tee -a "$LOG_FILE" echo "You can view your dashboard in the CloudWatch console:" | tee -a "$LOG_FILE" echo "https://console.aws.amazon.com/cloudwatch/home#dashboards:name=$DASHBOARD_NAME" | tee -a "$LOG_FILE" echo "" | tee -a "$LOG_FILE" # Prompt for cleanup confirm_cleanup echo "Script completed successfully." | tee -a "$LOG_FILE" exit 0 ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/CreateFunction) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteDashboards](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/DeleteDashboards) + [DeleteFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/DeleteFunction) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetDashboard](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/GetDashboard) + [Invoke](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/Invoke) + [PutDashboard](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/PutDashboard) # CloudWatch Logs examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with CloudWatch Logs. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Configure Amazon ECS Service Connect The following code example shows how to: + Create the VPC infrastructure + Set up logging + Create the ECS cluster + Configure IAM roles + Create the service with Service Connect + Verify the deployment + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/085-amazon-ecs-service-connect) repository. ``` #!/bin/bash # ECS Service Connect Tutorial Script v4 - Modified to use Default VPC # This script creates an ECS cluster with Service Connect and deploys an nginx service # Uses the default VPC to avoid VPC limits set -e # Exit on any error # Configuration SCRIPT_NAME="ECS Service Connect Tutorial" LOG_FILE="ecs-service-connect-tutorial-v4-default-vpc.log" REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null)}} if [ -z "$REGION" ]; then echo "ERROR: No AWS region configured." echo "Set one with: aws configure set region us-east-1" exit 1 fi ENV_PREFIX="tutorial" CLUSTER_NAME="${ENV_PREFIX}-cluster" NAMESPACE_NAME="service-connect" # Generate random suffix for unique resource names RANDOM_SUFFIX=$(openssl rand -hex 6) # Arrays to track created resources for cleanup declare -a CREATED_RESOURCES=() # Logging function log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE" } # Error handling function handle_error() { log "ERROR: Script failed at line $1" log "Attempting to clean up resources..." cleanup_resources exit 1 } # Set up error handling trap 'handle_error $LINENO' ERR # Function to add resource to tracking array track_resource() { CREATED_RESOURCES+=("$1") log "Tracking resource: $1" } # Function to check if command output contains actual errors check_for_errors() { local output="$1" local command_name="$2" # Check for specific AWS CLI error patterns, not just any occurrence of "error" if echo "$output" | grep -qi "An error occurred\|InvalidParameterException\|AccessDenied\|ValidationException\|ResourceNotFoundException"; then log "ERROR in $command_name: $output" return 1 fi return 0 } # Function to get AWS account ID get_account_id() { ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) log "Using AWS Account ID: $ACCOUNT_ID" } # Function to wait for resources to be ready wait_for_resource() { local resource_type="$1" local resource_id="$2" case "$resource_type" in "cluster") log "Waiting for cluster $resource_id to be active..." local attempt=1 local max_attempts=30 while [ $attempt -le $max_attempts ]; do local status=$(aws ecs describe-clusters --clusters "$resource_id" --query 'clusters[0].status' --output text) if [ "$status" = "ACTIVE" ]; then log "Cluster is now active" return 0 fi log "Cluster status: $status (attempt $attempt/$max_attempts)" sleep 10 ((attempt++)) done log "ERROR: Cluster did not become active within expected time" return 1 ;; "service") log "Waiting for service $resource_id to be stable..." aws ecs wait services-stable --cluster "$CLUSTER_NAME" --services "$resource_id" ;; "nat-gateway") log "Waiting for NAT Gateway $resource_id to be available..." aws ec2 wait nat-gateway-available --nat-gateway-ids "$resource_id" ;; esac } # Function to use default VPC infrastructure setup_default_vpc_infrastructure() { log "Using default VPC infrastructure..." # Get default VPC VPC_ID=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query 'Vpcs[0].VpcId' --output text) if [[ "$VPC_ID" == "None" || -z "$VPC_ID" ]]; then log "ERROR: No default VPC found. Please create a default VPC first." exit 1 fi log "Using default VPC: $VPC_ID" # Get default subnets SUBNETS=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" "Name=default-for-az,Values=true" --query 'Subnets[].SubnetId' --output text) SUBNET_ARRAY=($SUBNETS) if [ ${#SUBNET_ARRAY[@]} -lt 2 ]; then log "ERROR: Need at least 2 subnets for ECS Service Connect. Found: ${#SUBNET_ARRAY[@]}" exit 1 fi PUBLIC_SUBNET1=${SUBNET_ARRAY[0]} PUBLIC_SUBNET2=${SUBNET_ARRAY[1]} log "Using subnets: $PUBLIC_SUBNET1, $PUBLIC_SUBNET2" # Create security group for ECS tasks SG_OUTPUT=$(aws ec2 create-security-group \ --group-name "${ENV_PREFIX}-ecs-sg-${RANDOM_SUFFIX}" \ --description "Security group for ECS Service Connect tutorial" \ --vpc-id "$VPC_ID" 2>&1) check_for_errors "$SG_OUTPUT" "create-security-group" SECURITY_GROUP_ID=$(echo "$SG_OUTPUT" | grep -o '"GroupId": "[^"]*"' | cut -d'"' -f4) track_resource "SG:$SECURITY_GROUP_ID" log "Created security group: $SECURITY_GROUP_ID" # Add inbound rules to security group aws ec2 authorize-security-group-ingress \ --group-id "$SECURITY_GROUP_ID" \ --protocol tcp \ --port 80 \ --cidr 0.0.0.0/0 >/dev/null 2>&1 || true aws ec2 authorize-security-group-ingress \ --group-id "$SECURITY_GROUP_ID" \ --protocol tcp \ --port 443 \ --cidr 0.0.0.0/0 >/dev/null 2>&1 || true log "Default VPC infrastructure setup completed" } # Function to create CloudWatch log groups create_log_groups() { log "Creating CloudWatch log groups..." # Create log group for nginx container aws logs create-log-group --log-group-name "/ecs/service-connect-nginx" 2>&1 | grep -v "ResourceAlreadyExistsException" || { if [ ${PIPESTATUS[0]} -eq 0 ]; then log "Log group /ecs/service-connect-nginx created" track_resource "LOG_GROUP:/ecs/service-connect-nginx" else log "Log group /ecs/service-connect-nginx already exists" fi } # Create log group for service connect proxy aws logs create-log-group --log-group-name "/ecs/service-connect-proxy" 2>&1 | grep -v "ResourceAlreadyExistsException" || { if [ ${PIPESTATUS[0]} -eq 0 ]; then log "Log group /ecs/service-connect-proxy created" track_resource "LOG_GROUP:/ecs/service-connect-proxy" else log "Log group /ecs/service-connect-proxy already exists" fi } } # Function to create ECS cluster with Service Connect create_ecs_cluster() { log "Creating ECS cluster with Service Connect..." CLUSTER_OUTPUT=$(aws ecs create-cluster \ --cluster-name "$CLUSTER_NAME" \ --service-connect-defaults namespace="$NAMESPACE_NAME" \ --tags key=Environment,value=tutorial 2>&1) check_for_errors "$CLUSTER_OUTPUT" "create-cluster" track_resource "CLUSTER:$CLUSTER_NAME" log "Created ECS cluster: $CLUSTER_NAME" wait_for_resource "cluster" "$CLUSTER_NAME" # Track the Service Connect namespace that gets created # Wait a moment for the namespace to be created sleep 5 NAMESPACE_ID=$(aws servicediscovery list-namespaces \ --filters Name=TYPE,Values=HTTP \ --query "Namespaces[?Name=='$NAMESPACE_NAME'].Id" --output text 2>/dev/null || echo "") if [[ -n "$NAMESPACE_ID" && "$NAMESPACE_ID" != "None" ]]; then track_resource "NAMESPACE:$NAMESPACE_ID" log "Service Connect namespace created: $NAMESPACE_ID" fi } # Function to create IAM roles create_iam_roles() { log "Creating IAM roles..." # Check if ecsTaskExecutionRole exists if aws iam get-role --role-name ecsTaskExecutionRole >/dev/null 2>&1; then log "IAM role ecsTaskExecutionRole exists" else log "Creating ecsTaskExecutionRole..." aws iam create-role \ --role-name ecsTaskExecutionRole \ --assume-role-policy-document '{ "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"Service": "ecs-tasks.amazonaws.com"}, "Action": "sts:AssumeRole" }] }' >/dev/null 2>&1 aws iam attach-role-policy \ --role-name ecsTaskExecutionRole \ --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy >/dev/null 2>&1 track_resource "ROLE:ecsTaskExecutionRole" log "Created ecsTaskExecutionRole" sleep 10 fi # Check if ecsTaskRole exists, create if not if aws iam get-role --role-name ecsTaskRole >/dev/null 2>&1; then log "IAM role ecsTaskRole exists" else log "IAM role ecsTaskRole does not exist, will create it" # Create trust policy for ECS tasks cat > /tmp/ecs-task-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF aws iam create-role \ --role-name ecsTaskRole \ --assume-role-policy-document file:///tmp/ecs-task-trust-policy.json >/dev/null track_resource "IAM_ROLE:ecsTaskRole" log "Created ecsTaskRole" # Wait for role to be available sleep 10 fi } # Function to create task definition create_task_definition() { log "Creating task definition..." # Create task definition JSON cat > /tmp/task-definition.json << EOF { "family": "service-connect-nginx", "networkMode": "awsvpc", "requiresCompatibilities": ["FARGATE"], "cpu": "256", "memory": "512", "executionRoleArn": "arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskExecutionRole", "taskRoleArn": "arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskRole", "containerDefinitions": [ { "name": "nginx", "image": "public.ecr.aws/docker/library/nginx:latest", "portMappings": [ { "containerPort": 80, "protocol": "tcp", "name": "nginx-port" } ], "essential": true, "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "/ecs/service-connect-nginx", "awslogs-region": "${REGION}", "awslogs-stream-prefix": "ecs" } } } ] } EOF TASK_DEF_OUTPUT=$(aws ecs register-task-definition --cli-input-json file:///tmp/task-definition.json 2>&1) check_for_errors "$TASK_DEF_OUTPUT" "register-task-definition" TASK_DEF_ARN=$(echo "$TASK_DEF_OUTPUT" | grep -o '"taskDefinitionArn": "[^"]*"' | cut -d'"' -f4) track_resource "TASK_DEF:service-connect-nginx" log "Created task definition: $TASK_DEF_ARN" # Clean up temporary file rm -f /tmp/task-definition.json } # Function to create ECS service with Service Connect create_ecs_service() { log "Creating ECS service with Service Connect..." # Create service definition JSON cat > /tmp/service-definition.json << EOF { "serviceName": "service-connect-nginx-service", "cluster": "${CLUSTER_NAME}", "taskDefinition": "service-connect-nginx", "desiredCount": 1, "launchType": "FARGATE", "networkConfiguration": { "awsvpcConfiguration": { "subnets": ["${PUBLIC_SUBNET1}", "${PUBLIC_SUBNET2}"], "securityGroups": ["${SECURITY_GROUP_ID}"], "assignPublicIp": "ENABLED" } }, "serviceConnectConfiguration": { "enabled": true, "namespace": "${NAMESPACE_NAME}", "services": [ { "portName": "nginx-port", "discoveryName": "nginx", "clientAliases": [ { "port": 80, "dnsName": "nginx" } ] } ], "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "/ecs/service-connect-proxy", "awslogs-region": "${REGION}", "awslogs-stream-prefix": "ecs-service-connect" } } }, "tags": [ { "key": "Environment", "value": "tutorial" } ] } EOF SERVICE_OUTPUT=$(aws ecs create-service --cli-input-json file:///tmp/service-definition.json 2>&1) check_for_errors "$SERVICE_OUTPUT" "create-service" track_resource "SERVICE:service-connect-nginx-service" log "Created ECS service: service-connect-nginx-service" wait_for_resource "service" "service-connect-nginx-service" # Clean up temporary file rm -f /tmp/service-definition.json } # Function to verify deployment verify_deployment() { log "Verifying deployment..." # Check service status SERVICE_STATUS=$(aws ecs describe-services \ --cluster "$CLUSTER_NAME" \ --services "service-connect-nginx-service" \ --query 'services[0].status' --output text) log "Service status: $SERVICE_STATUS" # Check running tasks RUNNING_COUNT=$(aws ecs describe-services \ --cluster "$CLUSTER_NAME" \ --services "service-connect-nginx-service" \ --query 'services[0].runningCount' --output text) log "Running tasks: $RUNNING_COUNT" # Get task ARN TASK_ARN=$(aws ecs list-tasks \ --cluster "$CLUSTER_NAME" \ --service-name "service-connect-nginx-service" \ --query 'taskArns[0]' --output text) if [[ "$TASK_ARN" != "None" && -n "$TASK_ARN" ]]; then log "Task ARN: $TASK_ARN" # Try to get task IP address TASK_IP=$(aws ecs describe-tasks \ --cluster "$CLUSTER_NAME" \ --tasks "$TASK_ARN" \ --query 'tasks[0].attachments[0].details[?name==`privateIPv4Address`].value' \ --output text 2>/dev/null || echo "") if [[ -n "$TASK_IP" && "$TASK_IP" != "None" ]]; then log "Task IP address: $TASK_IP" else log "Could not retrieve task IP address" fi fi # Check Service Connect namespace NAMESPACE_STATUS=$(aws servicediscovery list-namespaces \ --filters Name=TYPE,Values=HTTP \ --query "Namespaces[?Name=='$NAMESPACE_NAME'].Id" --output text 2>/dev/null || echo "") if [[ -n "$NAMESPACE_STATUS" && "$NAMESPACE_STATUS" != "None" ]]; then log "Service Connect namespace '$NAMESPACE_NAME' is active" else log "Service Connect namespace '$NAMESPACE_NAME' not found or not active" fi # Display Service Connect configuration log "Service Connect configuration:" aws ecs describe-services \ --cluster "$CLUSTER_NAME" \ --services "service-connect-nginx-service" \ --query 'services[0].serviceConnectConfiguration' 2>/dev/null || true } # Function to display created resources display_resources() { echo "" echo "===========================================" echo "CREATED RESOURCES" echo "===========================================" for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" done echo "===========================================" echo "" } # Function to cleanup resources cleanup_resources() { log "Starting cleanup process..." # Delete resources in reverse order of creation for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do resource="${CREATED_RESOURCES[i]}" resource_type=$(echo "$resource" | cut -d':' -f1) resource_id=$(echo "$resource" | cut -d':' -f2) log "Cleaning up $resource_type: $resource_id" case "$resource_type" in "SERVICE") aws ecs update-service --cluster "$CLUSTER_NAME" --service "$resource_id" --desired-count 0 2>&1 | grep -qi "error" && log "Warning: Failed to scale down service $resource_id" aws ecs wait services-stable --cluster "$CLUSTER_NAME" --services "$resource_id" 2>/dev/null || true aws ecs delete-service --cluster "$CLUSTER_NAME" --service "$resource_id" --force 2>&1 | grep -qi "error" && log "Warning: Failed to delete service $resource_id" ;; "TASK_DEF") TASK_DEF_ARNS=$(aws ecs list-task-definitions --family-prefix "$resource_id" --query 'taskDefinitionArns' --output text 2>/dev/null) for arn in $TASK_DEF_ARNS; do aws ecs deregister-task-definition --task-definition "$arn" >/dev/null 2>&1 || true done ;; "ROLE") aws iam detach-role-policy --role-name "$resource_id" --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" 2>/dev/null || true aws iam delete-role --role-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete role $resource_id" ;; "IAM_ROLE") aws iam detach-role-policy --role-name "$resource_id" --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" 2>/dev/null || true aws iam delete-role --role-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete role $resource_id" ;; "CLUSTER") aws ecs delete-cluster --cluster "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete cluster $resource_id" ;; "SG") for attempt in 1 2 3 4 5; do if aws ec2 delete-security-group --group-id "$resource_id" 2>/dev/null; then break fi log "Security group $resource_id still has dependencies, retrying in 30s ($attempt/5)..." sleep 30 done ;; "LOG_GROUP") aws logs delete-log-group --log-group-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete log group $resource_id" ;; "NAMESPACE") # First, delete any services in the namespace NAMESPACE_SERVICES=$(aws servicediscovery list-services \ --filters Name=NAMESPACE_ID,Values="$resource_id" \ --query 'Services[].Id' --output text 2>/dev/null || echo "") if [[ -n "$NAMESPACE_SERVICES" && "$NAMESPACE_SERVICES" != "None" ]]; then for service_id in $NAMESPACE_SERVICES; do aws servicediscovery delete-service --id "$service_id" >/dev/null 2>&1 || true sleep 2 done fi # Then delete the namespace aws servicediscovery delete-namespace --id "$resource_id" >/dev/null 2>&1 || true ;; esac sleep 2 # Brief pause between deletions done # Clean up temporary files rm -f /tmp/ecs-task-trust-policy.json rm -f /tmp/task-definition.json rm -f /tmp/service-definition.json log "Cleanup completed" } # Main execution main() { log "Starting $SCRIPT_NAME v4 (Default VPC)" log "Region: $REGION" log "Log file: $LOG_FILE" # Get AWS account ID get_account_id # Setup infrastructure using default VPC setup_default_vpc_infrastructure # Create CloudWatch log groups create_log_groups # Create ECS cluster create_ecs_cluster # Create IAM roles create_iam_roles # Create task definition create_task_definition # Create ECS service create_ecs_service # Verify deployment verify_deployment log "Tutorial completed successfully!" # Display created resources display_resources # Ask user if they want to clean up echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup_resources log "All resources have been cleaned up" else log "Resources left intact. You can clean them up later by running the cleanup function." echo "" echo "To clean up resources later, you can use the AWS CLI commands or the AWS Management Console." echo "Remember to delete resources in the correct order to avoid dependency issues." fi } # Make script executable and run chmod +x "$0" main "$@" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateCluster](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/CreateCluster) + [CreateLogGroup](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/CreateLogGroup) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) + [CreateService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/CreateService) + [DeleteCluster](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeleteCluster) + [DeleteLogGroup](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/DeleteLogGroup) + [DeleteNamespace](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeleteNamespace) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) + [DeleteService](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeleteService) + [DeregisterTaskDefinition](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeregisterTaskDefinition) + [DescribeClusters](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeClusters) + [DescribeServices](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeServices) + [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets) + [DescribeTasks](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeTasks) + [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [ListNamespaces](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/ListNamespaces) + [ListServices](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/ListServices) + [ListTaskDefinitions](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/ListTaskDefinitions) + [ListTasks](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/ListTasks) + [RegisterTaskDefinition](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/RegisterTaskDefinition) + [UpdateService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/UpdateService) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/Wait) ### Creating your first Lambda function The following code example shows how to: + Create an IAM role for Lambda + Create function code + Create a Lambda function + Test your Lambda function + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/019-lambda-gettingstarted) repository. ``` #!/bin/bash # AWS Lambda - Create Your First Function # This script creates a Lambda function, invokes it with a test event, # views CloudWatch logs, and cleans up all resources. # # Source: https://docs.aws.amazon.com/lambda/latest/dg/getting-started.html # # Resources created: # - IAM role (Lambda execution role with basic logging permissions) # - Lambda function (Python 3.13 or Node.js 22.x runtime) # - CloudWatch log group (created automatically by Lambda on invocation) set -eE ############################################################################### # Setup ############################################################################### UNIQUE_ID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1) FUNCTION_NAME="my-lambda-function-${UNIQUE_ID}" ROLE_NAME="lambda-execution-role-${UNIQUE_ID}" LOG_GROUP_NAME="/aws/lambda/${FUNCTION_NAME}" TEMP_DIR=$(mktemp -d) LOG_FILE="${TEMP_DIR}/lambda-gettingstarted.log" exec > >(tee -a "$LOG_FILE") 2>&1 declare -a CREATED_RESOURCES ############################################################################### # Helper functions ############################################################################### cleanup_resources() { # Disable error trap to prevent recursion during cleanup trap - ERR set +eE echo "" echo "Cleaning up resources..." echo "" for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do local RESOURCE="${CREATED_RESOURCES[$i]}" local TYPE="${RESOURCE%%:*}" local NAME="${RESOURCE#*:}" case "$TYPE" in log-group) echo "Deleting CloudWatch log group: ${NAME}" aws logs delete-log-group \ --log-group-name "$NAME" 2>&1 || echo " WARNING: Could not delete log group ${NAME}." ;; lambda-function) echo "Deleting Lambda function: ${NAME}" aws lambda delete-function \ --function-name "$NAME" 2>&1 || echo " WARNING: Could not delete Lambda function ${NAME}." echo " Waiting for function deletion to complete..." local DELETE_WAIT=0 while aws lambda get-function --function-name "$NAME" > /dev/null 2>&1; do sleep 2 DELETE_WAIT=$((DELETE_WAIT + 2)) if [ "$DELETE_WAIT" -ge 60 ]; then echo " WARNING: Timed out waiting for function deletion." break fi done ;; iam-role-policy) local ROLE_PART="${NAME%%|*}" local POLICY_PART="${NAME#*|}" echo "Detaching policy from role: ${ROLE_PART}" aws iam detach-role-policy \ --role-name "$ROLE_PART" \ --policy-arn "$POLICY_PART" 2>&1 || echo " WARNING: Could not detach policy from role ${ROLE_PART}." ;; iam-role) echo "Deleting IAM role: ${NAME}" aws iam delete-role \ --role-name "$NAME" 2>&1 || echo " WARNING: Could not delete IAM role ${NAME}." ;; esac done if [ -d "$TEMP_DIR" ]; then rm -rf "$TEMP_DIR" fi echo "" echo "Cleanup complete." } handle_error() { echo "" echo "===========================================" echo "ERROR: Script failed at $1" echo "===========================================" echo "" if [ ${#CREATED_RESOURCES[@]} -gt 0 ]; then echo "Attempting to clean up ${#CREATED_RESOURCES[@]} resource(s)..." cleanup_resources fi exit 1 } trap 'handle_error "line $LINENO"' ERR wait_for_resource() { local DESCRIPTION="$1" local COMMAND="$2" local TARGET_VALUE="$3" local TIMEOUT=300 local ELAPSED=0 local INTERVAL=5 echo "Waiting for ${DESCRIPTION}..." while true; do local RESULT RESULT=$(eval "$COMMAND" 2>&1) || true if echo "$RESULT" | grep -q "$TARGET_VALUE"; then echo " ${DESCRIPTION} is ready." return 0 fi if [ "$ELAPSED" -ge "$TIMEOUT" ]; then echo "ERROR: Timed out waiting for ${DESCRIPTION} after ${TIMEOUT} seconds." return 1 fi sleep "$INTERVAL" ELAPSED=$((ELAPSED + INTERVAL)) done } ############################################################################### # Region pre-check ############################################################################### CONFIGURED_REGION=$(aws configure get region 2>/dev/null || true) if [ -z "$CONFIGURED_REGION" ] && [ -z "$AWS_DEFAULT_REGION" ] && [ -z "$AWS_REGION" ]; then echo "ERROR: No AWS region configured." echo "Run 'aws configure set region ' or export AWS_DEFAULT_REGION." exit 1 fi ############################################################################### # Runtime selection ############################################################################### echo "" echo "===========================================" echo "AWS Lambda - Create Your First Function" echo "===========================================" echo "" echo "Select a runtime for your Lambda function:" echo " 1) Python 3.13" echo " 2) Node.js 22.x" echo "" echo "Enter your choice (1 or 2): " read -r RUNTIME_CHOICE case "$RUNTIME_CHOICE" in 1) RUNTIME="python3.13" HANDLER="lambda_function.lambda_handler" CODE_FILE="lambda_function.py" cat > "${TEMP_DIR}/${CODE_FILE}" << 'PYTHON_EOF' import json import logging logger = logging.getLogger() logger.setLevel(logging.INFO) def lambda_handler(event, context): length = event['length'] width = event['width'] area = calculate_area(length, width) print(f'The area is {area}') logger.info(f'CloudWatch logs group: {context.log_group_name}') return json.dumps({'area': area}) def calculate_area(length, width): return length * width PYTHON_EOF echo "Selected runtime: Python 3.13" ;; 2) RUNTIME="nodejs22.x" HANDLER="index.handler" CODE_FILE="index.mjs" cat > "${TEMP_DIR}/${CODE_FILE}" << 'NODEJS_EOF' export const handler = async (event, context) => { const area = event.length * event.width; console.log(`The area is ${area}`); console.log('CloudWatch log group: ', context.logGroupName); return JSON.stringify({area}); }; NODEJS_EOF echo "Selected runtime: Node.js 22.x" ;; *) echo "ERROR: Invalid choice. Please enter 1 or 2." exit 1 ;; esac ############################################################################### # Step 1: Create IAM execution role ############################################################################### echo "" echo "===========================================" echo "Step 1: Create IAM execution role" echo "===========================================" echo "" TRUST_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' echo "Creating IAM role: ${ROLE_NAME}" ROLE_OUTPUT=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document "$TRUST_POLICY" \ --query 'Role.Arn' \ --output text 2>&1) echo "$ROLE_OUTPUT" ROLE_ARN="$ROLE_OUTPUT" CREATED_RESOURCES+=("iam-role:${ROLE_NAME}") echo "Role ARN: ${ROLE_ARN}" echo "" echo "Attaching AWSLambdaBasicExecutionRole policy..." aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" 2>&1 CREATED_RESOURCES+=("iam-role-policy:${ROLE_NAME}|arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole") echo "Policy attached." # IAM roles can take a few seconds to propagate echo "Waiting for IAM role to propagate..." sleep 10 ############################################################################### # Step 2: Create Lambda function ############################################################################### echo "" echo "===========================================" echo "Step 2: Create Lambda function" echo "===========================================" echo "" echo "Creating deployment package..." ORIGINAL_DIR=$(pwd) cd "$TEMP_DIR" zip -j function.zip "$CODE_FILE" > /dev/null 2>&1 cd "$ORIGINAL_DIR" echo "Creating Lambda function: ${FUNCTION_NAME}" echo " Runtime: ${RUNTIME}" echo " Handler: ${HANDLER}" echo "" CREATE_OUTPUT=$(aws lambda create-function \ --function-name "$FUNCTION_NAME" \ --runtime "$RUNTIME" \ --role "$ROLE_ARN" \ --handler "$HANDLER" \ --architectures x86_64 \ --zip-file "fileb://${TEMP_DIR}/function.zip" \ --query '[FunctionName, FunctionArn, Runtime, State]' \ --output text 2>&1) echo "$CREATE_OUTPUT" CREATED_RESOURCES+=("lambda-function:${FUNCTION_NAME}") wait_for_resource "Lambda function to become Active" \ "aws lambda get-function-configuration --function-name ${FUNCTION_NAME} --query State --output text" \ "Active" ############################################################################### # Step 3: Invoke the function ############################################################################### echo "" echo "===========================================" echo "Step 3: Invoke the function" echo "===========================================" echo "" TEST_EVENT='{"length": 6, "width": 7}' echo "Invoking function with test event: ${TEST_EVENT}" echo "" echo "$TEST_EVENT" > "${TEMP_DIR}/test-event.json" INVOKE_OUTPUT=$(aws lambda invoke \ --function-name "$FUNCTION_NAME" \ --payload "fileb://${TEMP_DIR}/test-event.json" \ --cli-read-timeout 30 \ "${TEMP_DIR}/response.json" 2>&1) echo "$INVOKE_OUTPUT" RESPONSE=$(cat "${TEMP_DIR}/response.json") echo "" echo "Function response: ${RESPONSE}" echo "" if echo "$INVOKE_OUTPUT" | grep -qi "functionerror"; then echo "WARNING: Function returned an error." fi ############################################################################### # Step 4: View CloudWatch logs ############################################################################### echo "" echo "===========================================" echo "Step 4: View CloudWatch Logs" echo "===========================================" echo "" echo "Log group: ${LOG_GROUP_NAME}" echo "" echo "Waiting for CloudWatch logs to be available..." LOG_STREAMS="" for i in $(seq 1 6); do LOG_STREAMS=$(aws logs describe-log-streams \ --log-group-name "$LOG_GROUP_NAME" \ --order-by LastEventTime \ --descending \ --query 'logStreams[0].logStreamName' \ --output text 2>/dev/null) || true if [ -n "$LOG_STREAMS" ] && [ "$LOG_STREAMS" != "None" ]; then break fi LOG_STREAMS="" sleep 5 done if [ -n "$LOG_STREAMS" ] && [ "$LOG_STREAMS" != "None" ]; then echo "Latest log stream: ${LOG_STREAMS}" echo "" echo "--- Log events ---" LOG_EVENTS=$(aws logs get-log-events \ --log-group-name "$LOG_GROUP_NAME" \ --log-stream-name "$LOG_STREAMS" \ --query 'events[].message' \ --output text 2>&1) || true echo "$LOG_EVENTS" echo "--- End of log events ---" else echo "No log streams found yet. Logs may take a moment to appear." echo "You can view them in the CloudWatch console:" echo " Log group: ${LOG_GROUP_NAME}" fi CREATED_RESOURCES+=("log-group:${LOG_GROUP_NAME}") ############################################################################### # Summary and cleanup ############################################################################### echo "" echo "===========================================" echo "SUMMARY" echo "===========================================" echo "" echo "Resources created:" echo " IAM role: ${ROLE_NAME}" echo " Lambda function: ${FUNCTION_NAME}" echo " CloudWatch logs: ${LOG_GROUP_NAME}" echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup_resources else echo "" echo "Resources were NOT deleted. To clean up manually, run:" echo "" echo " # Delete the Lambda function" echo " aws lambda delete-function --function-name ${FUNCTION_NAME}" echo "" echo " # Delete the CloudWatch log group" echo " aws logs delete-log-group --log-group-name ${LOG_GROUP_NAME}" echo "" echo " # Detach the policy and delete the IAM role" echo " aws iam detach-role-policy --role-name ${ROLE_NAME} --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" echo " aws iam delete-role --role-name ${ROLE_NAME}" echo "" if [ -d "$TEMP_DIR" ]; then rm -rf "$TEMP_DIR" fi fi echo "" echo "Done." ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/CreateFunction) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/DeleteFunction) + [DeleteLogGroup](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/DeleteLogGroup) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DescribeLogStreams](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/DescribeLogStreams) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/GetFunction) + [GetFunctionConfiguration](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/GetFunctionConfiguration) + [GetLogEvents](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/GetLogEvents) + [Invoke](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/Invoke) # Amazon Cognito Identity Provider examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon Cognito Identity Provider. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting started with Amazon Cognito user pools The following code example shows how to: + Create a user pool + Create an app client + Set up a domain for your user pool + Create a user as an administrator + Enable self-registration + List users in the user pool + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/066-amazon-cognito-gs) repository. ``` #!/bin/bash # Amazon Cognito User Pools Getting Started Script # This script creates and configures an Amazon Cognito user pool with an app client # Set up logging LOG_FILE="cognito-user-pool-setup.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon Cognito User Pool setup script at $(date)" echo "All commands and outputs will be logged to $LOG_FILE" # Function to check for errors in command output check_error() { local output=$1 local cmd=$2 if echo "$output" | grep -i "error" > /dev/null; then echo "ERROR: Command failed: $cmd" echo "Output: $output" cleanup_on_error exit 1 fi } # Function to clean up resources on error cleanup_on_error() { echo "Error encountered. Attempting to clean up resources..." if [ -n "$DOMAIN_NAME" ] && [ -n "$USER_POOL_ID" ]; then echo "Deleting user pool domain: $DOMAIN_NAME" aws cognito-idp delete-user-pool-domain --user-pool-id "$USER_POOL_ID" --domain "$DOMAIN_NAME" fi if [ -n "$USER_POOL_ID" ]; then echo "Deleting user pool: $USER_POOL_ID" aws cognito-idp delete-user-pool --user-pool-id "$USER_POOL_ID" fi } # Get the current AWS region AWS_REGION=$(aws configure get region) if [ -z "$AWS_REGION" ]; then AWS_REGION="us-east-1" # Default region if not configured fi echo "Using AWS Region: $AWS_REGION" # Generate random identifier for resource names RANDOM_ID=$(openssl rand -hex 6) USER_POOL_NAME="MyUserPool-${RANDOM_ID}" APP_CLIENT_NAME="MyAppClient-${RANDOM_ID}" DOMAIN_NAME="my-auth-domain-${RANDOM_ID}" echo "Using random identifier: $RANDOM_ID" echo "User pool name: $USER_POOL_NAME" echo "App client name: $APP_CLIENT_NAME" echo "Domain name: $DOMAIN_NAME" # Step 1: Create a User Pool echo "Creating user pool..." USER_POOL_OUTPUT=$(aws cognito-idp create-user-pool \ --pool-name "$USER_POOL_NAME" \ --auto-verified-attributes email \ --username-attributes email \ --policies '{"PasswordPolicy":{"MinimumLength":8,"RequireUppercase":true,"RequireLowercase":true,"RequireNumbers":true,"RequireSymbols":false}}' \ --schema '[{"Name":"email","Required":true,"Mutable":true}]' \ --mfa-configuration OFF) check_error "$USER_POOL_OUTPUT" "create-user-pool" # Extract the User Pool ID USER_POOL_ID=$(echo "$USER_POOL_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) if [ -z "$USER_POOL_ID" ]; then echo "Failed to extract User Pool ID" exit 1 fi echo "User Pool created with ID: $USER_POOL_ID" # Wait for user pool to be ready echo "Waiting for user pool to be ready..." sleep 5 # Step 2: Create an App Client echo "Creating app client..." APP_CLIENT_OUTPUT=$(aws cognito-idp create-user-pool-client \ --user-pool-id "$USER_POOL_ID" \ --client-name "$APP_CLIENT_NAME" \ --no-generate-secret \ --explicit-auth-flows ALLOW_USER_PASSWORD_AUTH ALLOW_REFRESH_TOKEN_AUTH \ --callback-urls '["https://localhost:3000/callback"]') check_error "$APP_CLIENT_OUTPUT" "create-user-pool-client" # Extract the Client ID CLIENT_ID=$(echo "$APP_CLIENT_OUTPUT" | grep -o '"ClientId": "[^"]*' | cut -d'"' -f4) if [ -z "$CLIENT_ID" ]; then echo "Failed to extract Client ID" cleanup_on_error exit 1 fi echo "App Client created with ID: $CLIENT_ID" # Step 3: Set Up a Domain for Your User Pool echo "Setting up user pool domain..." DOMAIN_OUTPUT=$(aws cognito-idp create-user-pool-domain \ --user-pool-id "$USER_POOL_ID" \ --domain "$DOMAIN_NAME") check_error "$DOMAIN_OUTPUT" "create-user-pool-domain" echo "Domain created: $DOMAIN_NAME.auth.$AWS_REGION.amazoncognito.com" # Step 4: View User Pool Details echo "Retrieving user pool details..." USER_POOL_DETAILS=$(aws cognito-idp describe-user-pool \ --user-pool-id "$USER_POOL_ID") check_error "$USER_POOL_DETAILS" "describe-user-pool" echo "User Pool details retrieved successfully" # Step 5: View App Client Details echo "Retrieving app client details..." APP_CLIENT_DETAILS=$(aws cognito-idp describe-user-pool-client \ --user-pool-id "$USER_POOL_ID" \ --client-id "$CLIENT_ID") check_error "$APP_CLIENT_DETAILS" "describe-user-pool-client" echo "App Client details retrieved successfully" # Step 6: Create a User (Admin) echo "Creating admin user..." ADMIN_USER_EMAIL="admin@example.com" ADMIN_USER_OUTPUT=$(aws cognito-idp admin-create-user \ --user-pool-id "$USER_POOL_ID" \ --username "$ADMIN_USER_EMAIL" \ --user-attributes Name=email,Value="$ADMIN_USER_EMAIL" Name=email_verified,Value=true \ --temporary-password "Temp123!") check_error "$ADMIN_USER_OUTPUT" "admin-create-user" echo "Admin user created: $ADMIN_USER_EMAIL" # Step 7: Self-Registration echo "Demonstrating self-registration..." USER_EMAIL="user@example.com" SIGNUP_OUTPUT=$(aws cognito-idp sign-up \ --client-id "$CLIENT_ID" \ --username "$USER_EMAIL" \ --password "Password123!" \ --user-attributes Name=email,Value="$USER_EMAIL") check_error "$SIGNUP_OUTPUT" "sign-up" echo "User signed up: $USER_EMAIL" echo "A confirmation code would be sent to the user's email in a real scenario" echo "" echo "===================================================" echo "IMPORTANT: In a real scenario, the user would receive" echo "a confirmation code via email. For this demo, we'll" echo "use admin-confirm-sign-up instead." echo "===================================================" echo "" # Step 8: Confirm User Registration (using admin privileges for demo) echo "Confirming user registration (admin method)..." CONFIRM_OUTPUT=$(aws cognito-idp admin-confirm-sign-up \ --user-pool-id "$USER_POOL_ID" \ --username "$USER_EMAIL") check_error "$CONFIRM_OUTPUT" "admin-confirm-sign-up" echo "User confirmed: $USER_EMAIL" # Step 9: Authenticate a User echo "Authenticating user..." AUTH_OUTPUT=$(aws cognito-idp initiate-auth \ --client-id "$CLIENT_ID" \ --auth-flow USER_PASSWORD_AUTH \ --auth-parameters USERNAME="$USER_EMAIL",PASSWORD="Password123!") check_error "$AUTH_OUTPUT" "initiate-auth" echo "User authenticated successfully" # Step 10: List Users in the User Pool echo "Listing users in the user pool..." USERS_OUTPUT=$(aws cognito-idp list-users \ --user-pool-id "$USER_POOL_ID") check_error "$USERS_OUTPUT" "list-users" echo "Users listed successfully" # Display summary of created resources echo "" echo "===================================================" echo "RESOURCE SUMMARY" echo "===================================================" echo "User Pool ID: $USER_POOL_ID" echo "User Pool Name: $USER_POOL_NAME" echo "App Client ID: $CLIENT_ID" echo "App Client Name: $APP_CLIENT_NAME" echo "Domain: $DOMAIN_NAME.auth.$AWS_REGION.amazoncognito.com" echo "Admin User: $ADMIN_USER_EMAIL" echo "Regular User: $USER_EMAIL" echo "===================================================" echo "" # Prompt for cleanup echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Starting cleanup process..." # Step 11: Clean Up Resources echo "Deleting user pool domain..." DELETE_DOMAIN_OUTPUT=$(aws cognito-idp delete-user-pool-domain \ --user-pool-id "$USER_POOL_ID" \ --domain "$DOMAIN_NAME") check_error "$DELETE_DOMAIN_OUTPUT" "delete-user-pool-domain" echo "Domain deleted successfully" # Wait for domain deletion to complete echo "Waiting for domain deletion to complete..." sleep 5 echo "Deleting user pool (this will also delete the app client)..." DELETE_POOL_OUTPUT=$(aws cognito-idp delete-user-pool \ --user-pool-id "$USER_POOL_ID") check_error "$DELETE_POOL_OUTPUT" "delete-user-pool" echo "User pool deleted successfully" echo "All resources have been cleaned up" else echo "Resources will not be deleted. You can manually delete them later." echo "To delete the resources manually, use the following commands:" echo "aws cognito-idp delete-user-pool-domain --user-pool-id $USER_POOL_ID --domain $DOMAIN_NAME" echo "aws cognito-idp delete-user-pool --user-pool-id $USER_POOL_ID" fi echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AdminConfirmSignUp](https://docs.aws.amazon.com/goto/aws-cli/cognito-idp-2016-04-18/AdminConfirmSignUp) + [AdminCreateUser](https://docs.aws.amazon.com/goto/aws-cli/cognito-idp-2016-04-18/AdminCreateUser) + [CreateUserPool](https://docs.aws.amazon.com/goto/aws-cli/cognito-idp-2016-04-18/CreateUserPool) + [CreateUserPoolClient](https://docs.aws.amazon.com/goto/aws-cli/cognito-idp-2016-04-18/CreateUserPoolClient) + [CreateUserPoolDomain](https://docs.aws.amazon.com/goto/aws-cli/cognito-idp-2016-04-18/CreateUserPoolDomain) + [DeleteUserPool](https://docs.aws.amazon.com/goto/aws-cli/cognito-idp-2016-04-18/DeleteUserPool) + [DeleteUserPoolDomain](https://docs.aws.amazon.com/goto/aws-cli/cognito-idp-2016-04-18/DeleteUserPoolDomain) + [DescribeUserPool](https://docs.aws.amazon.com/goto/aws-cli/cognito-idp-2016-04-18/DescribeUserPool) + [DescribeUserPoolClient](https://docs.aws.amazon.com/goto/aws-cli/cognito-idp-2016-04-18/DescribeUserPoolClient) + [InitiateAuth](https://docs.aws.amazon.com/goto/aws-cli/cognito-idp-2016-04-18/InitiateAuth) + [ListUsers](https://docs.aws.amazon.com/goto/aws-cli/cognito-idp-2016-04-18/ListUsers) + [SignUp](https://docs.aws.amazon.com/goto/aws-cli/cognito-idp-2016-04-18/SignUp) # AWS Config examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with AWS Config. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting started with Config The following code example shows how to: + Create an Amazon S3 bucket + Create an Amazon SNS topic + Create an IAM role for Config + Set up the Config configuration recorder + Set up the Config delivery channel + Start the configuration recorder + Verify the Config setup **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/053-aws-config-gs) repository. ``` #!/bin/bash # AWS Config Setup Script (v2) # This script sets up AWS Config with the AWS CLI # Error handling set -e LOGFILE="aws-config-setup-v2.log" touch $LOGFILE exec > >(tee -a $LOGFILE) exec 2>&1 # Function to handle errors handle_error() { echo "ERROR: An error occurred at line $1" echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Set trap for error handling trap 'handle_error $LINENO' ERR # Function to generate random identifier generate_random_id() { echo $(openssl rand -hex 6) } # Function to check if command was successful check_command() { if echo "$1" | grep -i "error" > /dev/null; then echo "ERROR: $1" return 1 fi return 0 } # Function to clean up resources cleanup_resources() { if [ -n "$CONFIG_RECORDER_NAME" ]; then echo "Stopping configuration recorder..." aws configservice stop-configuration-recorder --configuration-recorder-name "$CONFIG_RECORDER_NAME" 2>/dev/null || true fi # Check if we created a new delivery channel before trying to delete it if [ -n "$DELIVERY_CHANNEL_NAME" ] && [ "$CREATED_NEW_DELIVERY_CHANNEL" = "true" ]; then echo "Deleting delivery channel..." aws configservice delete-delivery-channel --delivery-channel-name "$DELIVERY_CHANNEL_NAME" 2>/dev/null || true fi if [ -n "$CONFIG_RECORDER_NAME" ] && [ "$CREATED_NEW_CONFIG_RECORDER" = "true" ]; then echo "Deleting configuration recorder..." aws configservice delete-configuration-recorder --configuration-recorder-name "$CONFIG_RECORDER_NAME" 2>/dev/null || true fi if [ -n "$ROLE_NAME" ]; then if [ -n "$POLICY_NAME" ]; then echo "Detaching custom policy from role..." aws iam delete-role-policy --role-name "$ROLE_NAME" --policy-name "$POLICY_NAME" 2>/dev/null || true fi if [ -n "$MANAGED_POLICY_ARN" ]; then echo "Detaching managed policy from role..." aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$MANAGED_POLICY_ARN" 2>/dev/null || true fi echo "Deleting IAM role..." aws iam delete-role --role-name "$ROLE_NAME" 2>/dev/null || true fi if [ -n "$SNS_TOPIC_ARN" ]; then echo "Deleting SNS topic..." aws sns delete-topic --topic-arn "$SNS_TOPIC_ARN" 2>/dev/null || true fi if [ -n "$S3_BUCKET_NAME" ]; then echo "Emptying S3 bucket..." aws s3 rm "s3://$S3_BUCKET_NAME" --recursive 2>/dev/null || true echo "Deleting S3 bucket..." aws s3api delete-bucket --bucket "$S3_BUCKET_NAME" 2>/dev/null || true fi } # Function to display created resources display_resources() { echo "" echo "===========================================" echo "CREATED RESOURCES" echo "===========================================" echo "S3 Bucket: $S3_BUCKET_NAME" echo "SNS Topic ARN: $SNS_TOPIC_ARN" echo "IAM Role: $ROLE_NAME" if [ "$CREATED_NEW_CONFIG_RECORDER" = "true" ]; then echo "Configuration Recorder: $CONFIG_RECORDER_NAME (newly created)" else echo "Configuration Recorder: $CONFIG_RECORDER_NAME (existing)" fi if [ "$CREATED_NEW_DELIVERY_CHANNEL" = "true" ]; then echo "Delivery Channel: $DELIVERY_CHANNEL_NAME (newly created)" else echo "Delivery Channel: $DELIVERY_CHANNEL_NAME (existing)" fi echo "===========================================" } # Get AWS account ID echo "Getting AWS account ID..." ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) if [ -z "$ACCOUNT_ID" ]; then echo "ERROR: Failed to get AWS account ID" exit 1 fi echo "AWS Account ID: $ACCOUNT_ID" # Generate random identifier for resources RANDOM_ID=$(generate_random_id) echo "Generated random identifier: $RANDOM_ID" # Step 1: Create an S3 bucket S3_BUCKET_NAME="configservice-${RANDOM_ID}" echo "Creating S3 bucket: $S3_BUCKET_NAME" # Get the current region AWS_REGION=$(aws configure get region) if [ -z "$AWS_REGION" ]; then AWS_REGION="us-east-1" # Default to us-east-1 if no region is configured fi echo "Using AWS Region: $AWS_REGION" # Create bucket with appropriate command based on region if [ "$AWS_REGION" = "us-east-1" ]; then BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME") else BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME" --create-bucket-configuration LocationConstraint="$AWS_REGION") fi check_command "$BUCKET_RESULT" echo "S3 bucket created: $S3_BUCKET_NAME" # Block public access for the bucket aws s3api put-public-access-block \ --bucket "$S3_BUCKET_NAME" \ --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" echo "Public access blocked for bucket" # Step 2: Create an SNS topic TOPIC_NAME="config-topic-${RANDOM_ID}" echo "Creating SNS topic: $TOPIC_NAME" SNS_RESULT=$(aws sns create-topic --name "$TOPIC_NAME") check_command "$SNS_RESULT" SNS_TOPIC_ARN=$(echo "$SNS_RESULT" | grep -o 'arn:aws:sns:[^"]*') echo "SNS topic created: $SNS_TOPIC_ARN" # Step 3: Create an IAM role for AWS Config ROLE_NAME="config-role-${RANDOM_ID}" POLICY_NAME="config-delivery-permissions" MANAGED_POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWS_ConfigRole" echo "Creating trust policy document..." cat > config-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "config.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF echo "Creating IAM role: $ROLE_NAME" ROLE_RESULT=$(aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document file://config-trust-policy.json) check_command "$ROLE_RESULT" ROLE_ARN=$(echo "$ROLE_RESULT" | grep -o 'arn:aws:iam::[^"]*' | head -1) echo "IAM role created: $ROLE_ARN" echo "Attaching AWS managed policy to role..." ATTACH_RESULT=$(aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$MANAGED_POLICY_ARN") check_command "$ATTACH_RESULT" echo "AWS managed policy attached" echo "Creating custom policy document for S3 and SNS access..." cat > config-delivery-permissions.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": "arn:aws:s3:::${S3_BUCKET_NAME}/AWSLogs/${ACCOUNT_ID}/*", "Condition": { "StringLike": { "s3:x-amz-acl": "bucket-owner-full-control" } } }, { "Effect": "Allow", "Action": [ "s3:GetBucketAcl" ], "Resource": "arn:aws:s3:::${S3_BUCKET_NAME}" }, { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": "${SNS_TOPIC_ARN}" } ] } EOF echo "Attaching custom policy to role..." POLICY_RESULT=$(aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name "$POLICY_NAME" --policy-document file://config-delivery-permissions.json) check_command "$POLICY_RESULT" echo "Custom policy attached" # Wait for IAM role to propagate echo "Waiting for IAM role to propagate (15 seconds)..." sleep 15 # Step 4: Check if configuration recorder already exists CONFIG_RECORDER_NAME="default" CREATED_NEW_CONFIG_RECORDER="false" echo "Checking for existing configuration recorder..." EXISTING_RECORDERS=$(aws configservice describe-configuration-recorders 2>/dev/null || echo "") if echo "$EXISTING_RECORDERS" | grep -q "name"; then echo "Configuration recorder already exists. Will update it." # Get the name of the existing recorder CONFIG_RECORDER_NAME=$(echo "$EXISTING_RECORDERS" | grep -o '"name": "[^"]*"' | head -1 | cut -d'"' -f4) echo "Using existing configuration recorder: $CONFIG_RECORDER_NAME" else echo "No existing configuration recorder found. Will create a new one." CREATED_NEW_CONFIG_RECORDER="true" fi echo "Creating configuration recorder configuration..." cat > configurationRecorder.json << EOF { "name": "${CONFIG_RECORDER_NAME}", "roleARN": "${ROLE_ARN}", "recordingMode": { "recordingFrequency": "CONTINUOUS" } } EOF echo "Creating recording group configuration..." cat > recordingGroup.json << EOF { "allSupported": true, "includeGlobalResourceTypes": true } EOF echo "Setting up configuration recorder..." RECORDER_RESULT=$(aws configservice put-configuration-recorder --configuration-recorder file://configurationRecorder.json --recording-group file://recordingGroup.json) check_command "$RECORDER_RESULT" echo "Configuration recorder set up" # Step 5: Check if delivery channel already exists DELIVERY_CHANNEL_NAME="default" CREATED_NEW_DELIVERY_CHANNEL="false" echo "Checking for existing delivery channel..." EXISTING_CHANNELS=$(aws configservice describe-delivery-channels 2>/dev/null || echo "") if echo "$EXISTING_CHANNELS" | grep -q "name"; then echo "Delivery channel already exists." # Get the name of the existing channel DELIVERY_CHANNEL_NAME=$(echo "$EXISTING_CHANNELS" | grep -o '"name": "[^"]*"' | head -1 | cut -d'"' -f4) echo "Using existing delivery channel: $DELIVERY_CHANNEL_NAME" # Update the existing delivery channel echo "Creating delivery channel configuration for update..." cat > deliveryChannel.json << EOF { "name": "${DELIVERY_CHANNEL_NAME}", "s3BucketName": "${S3_BUCKET_NAME}", "snsTopicARN": "${SNS_TOPIC_ARN}", "configSnapshotDeliveryProperties": { "deliveryFrequency": "Six_Hours" } } EOF echo "Updating delivery channel..." CHANNEL_RESULT=$(aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json) check_command "$CHANNEL_RESULT" echo "Delivery channel updated" else echo "No existing delivery channel found. Will create a new one." CREATED_NEW_DELIVERY_CHANNEL="true" echo "Creating delivery channel configuration..." cat > deliveryChannel.json << EOF { "name": "${DELIVERY_CHANNEL_NAME}", "s3BucketName": "${S3_BUCKET_NAME}", "snsTopicARN": "${SNS_TOPIC_ARN}", "configSnapshotDeliveryProperties": { "deliveryFrequency": "Six_Hours" } } EOF echo "Creating delivery channel..." CHANNEL_RESULT=$(aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json) check_command "$CHANNEL_RESULT" echo "Delivery channel created" fi # Step 6: Start the configuration recorder echo "Checking configuration recorder status..." RECORDER_STATUS=$(aws configservice describe-configuration-recorder-status 2>/dev/null || echo "") if echo "$RECORDER_STATUS" | grep -q '"recording": true'; then echo "Configuration recorder is already running." else echo "Starting configuration recorder..." START_RESULT=$(aws configservice start-configuration-recorder --configuration-recorder-name "$CONFIG_RECORDER_NAME") check_command "$START_RESULT" echo "Configuration recorder started" fi # Step 7: Verify the AWS Config setup echo "Verifying delivery channel..." VERIFY_CHANNEL=$(aws configservice describe-delivery-channels) check_command "$VERIFY_CHANNEL" echo "$VERIFY_CHANNEL" echo "Verifying configuration recorder..." VERIFY_RECORDER=$(aws configservice describe-configuration-recorders) check_command "$VERIFY_RECORDER" echo "$VERIFY_RECORDER" echo "Verifying configuration recorder status..." VERIFY_STATUS=$(aws configservice describe-configuration-recorder-status) check_command "$VERIFY_STATUS" echo "$VERIFY_STATUS" # Display created resources display_resources # Ask if user wants to clean up resources echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Cleaning up resources..." cleanup_resources echo "Cleanup completed." else echo "Resources will not be cleaned up. You can manually clean them up later." fi echo "Script completed successfully!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/CreateBucket) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/CreateTopic) + [DeleteBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/DeleteBucket) + [DeleteConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DeleteConfigurationRecorder) + [DeleteDeliveryChannel](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DeleteDeliveryChannel) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy) + [DeleteTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/DeleteTopic) + [DescribeConfigurationRecorderStatus](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DescribeConfigurationRecorderStatus) + [DescribeConfigurationRecorders](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DescribeConfigurationRecorders) + [DescribeDeliveryChannels](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DescribeDeliveryChannels) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [PutConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/PutConfigurationRecorder) + [PutDeliveryChannel](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/PutDeliveryChannel) + [PutPublicAccessBlock](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/PutPublicAccessBlock) + [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy) + [Rm](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rm) + [StartConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/StartConfigurationRecorder) + [StopConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/StopConfigurationRecorder) # Amazon Connect examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon Connect. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Creating an Amazon Connect instance The following code example shows how to: + Create an Amazon Connect instance + Configure an administrator user + Configure telephony options + Set up a phone number + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/027-connect-gs) repository. ``` #!/bin/bash # Script to create an Amazon Connect instance using AWS CLI # This script follows the steps in the Amazon Connect instance creation tutorial # Set up logging LOG_FILE="connect-instance-creation.log" echo "Starting Amazon Connect instance creation at $(date)" > "$LOG_FILE" # Set default region AWS_REGION="us-west-2" echo "Using AWS region: $AWS_REGION" | tee -a "$LOG_FILE" # Function to log commands and their output log_cmd() { echo "$(date): Running command: $1" >> "$LOG_FILE" eval "$1" 2>&1 | tee -a "$LOG_FILE" return ${PIPESTATUS[0]} } # Function to check for errors in command output check_error() { local cmd_output="$1" local cmd_status="$2" local error_msg="$3" if [[ $cmd_status -ne 0 || "$cmd_output" =~ [Ee][Rr][Rr][Oo][Rr] ]]; then echo "ERROR: $error_msg" | tee -a "$LOG_FILE" return 1 fi return 0 } # Function to clean up resources on error cleanup_on_error() { echo "Error encountered. Attempting to clean up resources..." | tee -a "$LOG_FILE" if [[ -n "$INSTANCE_ID" ]]; then echo "Deleting Amazon Connect instance: $INSTANCE_ID" | tee -a "$LOG_FILE" log_cmd "aws connect delete-instance --instance-id $INSTANCE_ID --region $AWS_REGION" fi echo "Cleanup completed. See $LOG_FILE for details." | tee -a "$LOG_FILE" } # Function to wait for instance to be fully active wait_for_instance() { local instance_id="$1" local max_attempts=30 local attempt=1 echo "Waiting for instance $instance_id to become fully active..." | tee -a "$LOG_FILE" while [[ $attempt -le $max_attempts ]]; do echo "Attempt $attempt of $max_attempts: Checking instance status..." | tee -a "$LOG_FILE" # Try to describe the instance local result=$(log_cmd "aws connect describe-instance --instance-id $instance_id --region $AWS_REGION --output json") # Check if the command was successful and instance status is ACTIVE if [[ $? -eq 0 && "$result" =~ "ACTIVE" ]]; then echo "Instance is now fully active and ready to use." | tee -a "$LOG_FILE" return 0 fi echo "Instance not fully active yet. Waiting 30 seconds before next check..." | tee -a "$LOG_FILE" sleep 30 ((attempt++)) done echo "Timed out waiting for instance to become fully active." | tee -a "$LOG_FILE" return 1 } # Function to check and handle existing instances check_existing_instances() { echo "Checking for existing Amazon Connect instances..." | tee -a "$LOG_FILE" local instances=$(log_cmd "aws connect list-instances --region $AWS_REGION --output json") if [[ $? -ne 0 ]]; then echo "ERROR: Failed to list existing instances" | tee -a "$LOG_FILE" return 1 fi # Check if there are any instances local instance_count=$(echo "$instances" | grep -o '"Id":' | wc -l) if [[ $instance_count -gt 0 ]]; then echo "Found $instance_count existing Amazon Connect instance(s)" | tee -a "$LOG_FILE" echo "$instances" | grep -A 1 '"Id":' | tee -a "$LOG_FILE" echo "" echo "===========================================" echo "EXISTING INSTANCES FOUND" echo "===========================================" echo "Found $instance_count existing Amazon Connect instance(s)." echo "Do you want to delete these instances to free up quota? (y/n): " read -r DELETE_CHOICE if [[ "$DELETE_CHOICE" =~ ^[Yy] ]]; then echo "Deleting existing instances..." | tee -a "$LOG_FILE" # Extract instance IDs and delete each one local instance_ids=($(echo "$instances" | grep -o '"Id": "[^"]*' | cut -d'"' -f4)) for id in "${instance_ids[@]}"; do echo "Deleting instance: $id" | tee -a "$LOG_FILE" log_cmd "aws connect delete-instance --instance-id $id --region $AWS_REGION" if [[ $? -ne 0 ]]; then echo "WARNING: Failed to delete instance $id" | tee -a "$LOG_FILE" else echo "Successfully deleted instance $id" | tee -a "$LOG_FILE" fi # Wait a bit between deletions sleep 5 done echo "Waiting for deletions to complete..." | tee -a "$LOG_FILE" sleep 30 else echo "Keeping existing instances. Script may fail if quota is reached." | tee -a "$LOG_FILE" fi else echo "No existing Amazon Connect instances found" | tee -a "$LOG_FILE" fi return 0 } # Check for existing instances before proceeding check_existing_instances # Generate a random instance alias to avoid naming conflicts INSTANCE_ALIAS="connect-instance-$(openssl rand -hex 6)" echo "Using instance alias: $INSTANCE_ALIAS" | tee -a "$LOG_FILE" # Step 1: Create Amazon Connect instance echo "Step 1: Creating Amazon Connect instance..." | tee -a "$LOG_FILE" INSTANCE_RESULT=$(log_cmd "aws connect create-instance --identity-management-type CONNECT_MANAGED --instance-alias $INSTANCE_ALIAS --inbound-calls-enabled --outbound-calls-enabled --region $AWS_REGION --output json") if ! check_error "$INSTANCE_RESULT" $? "Failed to create Amazon Connect instance"; then # Check if the error is due to quota limit if [[ "$INSTANCE_RESULT" =~ "ServiceQuotaExceededException" || "$INSTANCE_RESULT" =~ "Quota limit reached" ]]; then echo "Quota limit reached for Amazon Connect instances. Please delete existing instances or request a quota increase." | tee -a "$LOG_FILE" fi cleanup_on_error exit 1 fi # Extract instance ID from the result INSTANCE_ID=$(echo "$INSTANCE_RESULT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) INSTANCE_ARN=$(echo "$INSTANCE_RESULT" | grep -o '"Arn": "[^"]*' | cut -d'"' -f4) if [[ -z "$INSTANCE_ID" ]]; then echo "ERROR: Failed to extract instance ID from the result" | tee -a "$LOG_FILE" exit 1 fi echo "Successfully created Amazon Connect instance with ID: $INSTANCE_ID" | tee -a "$LOG_FILE" echo "Instance ARN: $INSTANCE_ARN" | tee -a "$LOG_FILE" # Wait for the instance to be fully created and active if ! wait_for_instance "$INSTANCE_ID"; then echo "ERROR: Instance did not become fully active within the timeout period" | tee -a "$LOG_FILE" cleanup_on_error exit 1 fi # Step 2: Get security profiles to find the Admin profile ID echo "Step 2: Getting security profiles..." | tee -a "$LOG_FILE" SECURITY_PROFILES=$(log_cmd "aws connect list-security-profiles --instance-id $INSTANCE_ID --region $AWS_REGION --output json") if ! check_error "$SECURITY_PROFILES" $? "Failed to list security profiles"; then cleanup_on_error exit 1 fi # Save security profiles to a temporary file for easier processing TEMP_FILE=$(mktemp) echo "$SECURITY_PROFILES" > "$TEMP_FILE" # Extract Admin security profile ID using grep and awk ADMIN_PROFILE_ID="" while IFS= read -r line; do if [[ "$line" =~ \"Name\":\ \"Admin\" ]]; then # Found the Admin profile, now get the ID from previous lines ADMIN_PROFILE_ID=$(grep -B 2 "$line" "$TEMP_FILE" | grep -o '"Id": "[^"]*' | head -1 | cut -d'"' -f4) break fi done < "$TEMP_FILE" # Clean up rm -f "$TEMP_FILE" if [[ -z "$ADMIN_PROFILE_ID" ]]; then echo "ERROR: Failed to find Admin security profile ID" | tee -a "$LOG_FILE" echo "Available security profiles:" | tee -a "$LOG_FILE" echo "$SECURITY_PROFILES" | tee -a "$LOG_FILE" cleanup_on_error exit 1 fi echo "Found Admin security profile ID: $ADMIN_PROFILE_ID" | tee -a "$LOG_FILE" # Step 3: Get routing profiles to find a default routing profile ID echo "Step 3: Getting routing profiles..." | tee -a "$LOG_FILE" ROUTING_PROFILES=$(log_cmd "aws connect list-routing-profiles --instance-id $INSTANCE_ID --region $AWS_REGION --output json") if ! check_error "$ROUTING_PROFILES" $? "Failed to list routing profiles"; then cleanup_on_error exit 1 fi # Extract the first routing profile ID ROUTING_PROFILE_ID=$(echo "$ROUTING_PROFILES" | grep -o '"Id": "[^"]*' | head -1 | cut -d'"' -f4) if [[ -z "$ROUTING_PROFILE_ID" ]]; then echo "ERROR: Failed to find a routing profile ID" | tee -a "$LOG_FILE" cleanup_on_error exit 1 fi echo "Found routing profile ID: $ROUTING_PROFILE_ID" | tee -a "$LOG_FILE" # Step 4: Create an admin user echo "Step 4: Creating admin user..." | tee -a "$LOG_FILE" # Generate a secure password ADMIN_PASSWORD="Connect$(openssl rand -base64 12)" USER_RESULT=$(log_cmd "aws connect create-user --instance-id $INSTANCE_ID --username admin --password \"$ADMIN_PASSWORD\" --identity-info FirstName=Admin,LastName=User,Email=admin@example.com --phone-config PhoneType=DESK_PHONE,AutoAccept=true,AfterContactWorkTimeLimit=30,DeskPhoneNumber=+12065550100 --security-profile-ids $ADMIN_PROFILE_ID --routing-profile-id $ROUTING_PROFILE_ID --region $AWS_REGION --output json") if ! check_error "$USER_RESULT" $? "Failed to create admin user"; then cleanup_on_error exit 1 fi # Extract user ID USER_ID=$(echo "$USER_RESULT" | grep -o '"UserId": "[^"]*\|"Id": "[^"]*' | head -1 | cut -d'"' -f4) if [[ -z "$USER_ID" ]]; then echo "ERROR: Failed to extract user ID from the result" | tee -a "$LOG_FILE" cleanup_on_error exit 1 fi echo "Successfully created admin user with ID: $USER_ID" | tee -a "$LOG_FILE" echo "Admin password: $ADMIN_PASSWORD" | tee -a "$LOG_FILE" # Step 5: Configure telephony options echo "Step 5: Configuring telephony options..." | tee -a "$LOG_FILE" # Enable early media EARLY_MEDIA_RESULT=$(log_cmd "aws connect update-instance-attribute --instance-id $INSTANCE_ID --attribute-type EARLY_MEDIA --value true --region $AWS_REGION") if ! check_error "$EARLY_MEDIA_RESULT" $? "Failed to enable early media"; then cleanup_on_error exit 1 fi # Enable multi-party calls and enhanced monitoring for voice MULTI_PARTY_RESULT=$(log_cmd "aws connect update-instance-attribute --instance-id $INSTANCE_ID --attribute-type MULTI_PARTY_CONFERENCE --value true --region $AWS_REGION") if ! check_error "$MULTI_PARTY_RESULT" $? "Failed to enable multi-party calls"; then cleanup_on_error exit 1 fi # Enable multi-party chats and enhanced monitoring for chat MULTI_PARTY_CHAT_RESULT=$(log_cmd "aws connect update-instance-attribute --instance-id $INSTANCE_ID --attribute-type MULTI_PARTY_CHAT_CONFERENCE --value true --region $AWS_REGION") if ! check_error "$MULTI_PARTY_CHAT_RESULT" $? "Failed to enable multi-party chats"; then cleanup_on_error exit 1 fi echo "Successfully configured telephony options" | tee -a "$LOG_FILE" # Step 6: View storage configurations echo "Step 6: Viewing storage configurations..." | tee -a "$LOG_FILE" # List storage configurations for chat transcripts STORAGE_CONFIGS=$(log_cmd "aws connect list-instance-storage-configs --instance-id $INSTANCE_ID --resource-type CHAT_TRANSCRIPTS --region $AWS_REGION --output json") if ! check_error "$STORAGE_CONFIGS" $? "Failed to list storage configurations"; then cleanup_on_error exit 1 fi echo "Successfully retrieved storage configurations" | tee -a "$LOG_FILE" # Step 7: Verify instance details echo "Step 7: Verifying instance details..." | tee -a "$LOG_FILE" INSTANCE_DETAILS=$(log_cmd "aws connect describe-instance --instance-id $INSTANCE_ID --region $AWS_REGION --output json") if ! check_error "$INSTANCE_DETAILS" $? "Failed to describe instance"; then cleanup_on_error exit 1 fi echo "Successfully verified instance details" | tee -a "$LOG_FILE" # Step 8: Search for available phone numbers (optional) echo "Step 8: Searching for available phone numbers..." | tee -a "$LOG_FILE" PHONE_NUMBERS=$(log_cmd "aws connect search-available-phone-numbers --target-arn $INSTANCE_ARN --phone-number-type TOLL_FREE --phone-number-country-code US --max-results 5 --region $AWS_REGION --output json") if ! check_error "$PHONE_NUMBERS" $? "Failed to search for available phone numbers"; then cleanup_on_error exit 1 fi # Extract the first phone number if available PHONE_NUMBER=$(echo "$PHONE_NUMBERS" | grep -o '"PhoneNumber": "[^"]*' | head -1 | cut -d'"' -f4) if [[ -n "$PHONE_NUMBER" ]]; then echo "Found available phone number: $PHONE_NUMBER" | tee -a "$LOG_FILE" # Ask if the user wants to claim the phone number echo "" echo "===========================================" echo "CLAIM PHONE NUMBER" echo "===========================================" echo "Do you want to claim the available phone number $PHONE_NUMBER? (y/n): " read -r CLAIM_CHOICE if [[ "$CLAIM_CHOICE" =~ ^[Yy] ]]; then echo "Claiming phone number..." | tee -a "$LOG_FILE" CLAIM_RESULT=$(log_cmd "aws connect claim-phone-number --target-arn $INSTANCE_ARN --phone-number $PHONE_NUMBER --region $AWS_REGION --output json") if ! check_error "$CLAIM_RESULT" $? "Failed to claim phone number"; then echo "WARNING: Failed to claim phone number, but continuing with script" | tee -a "$LOG_FILE" else echo "Successfully claimed phone number" | tee -a "$LOG_FILE" # Extract the phone number ID from the claim result PHONE_NUMBER_ID=$(echo "$CLAIM_RESULT" | grep -o '"PhoneNumberId": "[^"]*' | cut -d'"' -f4) fi else echo "Skipping phone number claim" | tee -a "$LOG_FILE" fi else echo "No available phone numbers found" | tee -a "$LOG_FILE" fi # Display summary of created resources echo "" echo "===========================================" echo "RESOURCE SUMMARY" echo "===========================================" echo "Amazon Connect Instance ID: $INSTANCE_ID" echo "Amazon Connect Instance ARN: $INSTANCE_ARN" echo "Admin User ID: $USER_ID" echo "Admin Username: admin" echo "Admin Password: $ADMIN_PASSWORD" if [[ -n "$PHONE_NUMBER" && "$CLAIM_CHOICE" =~ ^[Yy] ]]; then echo "Claimed Phone Number: $PHONE_NUMBER" if [[ -n "$PHONE_NUMBER_ID" ]]; then echo "Claimed Phone Number ID: $PHONE_NUMBER_ID" fi fi echo "===========================================" echo "" # Ask if the user wants to clean up resources echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy] ]]; then echo "Starting cleanup..." | tee -a "$LOG_FILE" # Release claimed phone number if applicable if [[ -n "$PHONE_NUMBER_ID" && "$CLAIM_CHOICE" =~ ^[Yy] ]]; then echo "Releasing phone number: $PHONE_NUMBER_ID" | tee -a "$LOG_FILE" RELEASE_RESULT=$(log_cmd "aws connect release-phone-number --phone-number-id $PHONE_NUMBER_ID --region $AWS_REGION") if ! check_error "$RELEASE_RESULT" $? "Failed to release phone number"; then echo "WARNING: Failed to release phone number" | tee -a "$LOG_FILE" else echo "Successfully released phone number" | tee -a "$LOG_FILE" fi echo "Waiting for phone number release to complete..." | tee -a "$LOG_FILE" sleep 10 fi # Delete the Amazon Connect instance (this will also delete all associated resources) echo "Deleting Amazon Connect instance: $INSTANCE_ID" | tee -a "$LOG_FILE" DELETE_RESULT=$(log_cmd "aws connect delete-instance --instance-id $INSTANCE_ID --region $AWS_REGION") if ! check_error "$DELETE_RESULT" $? "Failed to delete instance"; then echo "WARNING: Failed to delete instance" | tee -a "$LOG_FILE" else echo "Successfully deleted instance" | tee -a "$LOG_FILE" fi echo "Cleanup completed. All resources have been deleted." | tee -a "$LOG_FILE" else echo "Cleanup skipped. Resources will remain in your AWS account." | tee -a "$LOG_FILE" fi echo "Script completed successfully. See $LOG_FILE for details." | tee -a "$LOG_FILE" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [ClaimPhoneNumber](https://docs.aws.amazon.com/goto/aws-cli/connect-2017-08-08/ClaimPhoneNumber) + [CreateInstance](https://docs.aws.amazon.com/goto/aws-cli/connect-2017-08-08/CreateInstance) + [CreateUser](https://docs.aws.amazon.com/goto/aws-cli/connect-2017-08-08/CreateUser) + [DeleteInstance](https://docs.aws.amazon.com/goto/aws-cli/connect-2017-08-08/DeleteInstance) + [DescribeInstance](https://docs.aws.amazon.com/goto/aws-cli/connect-2017-08-08/DescribeInstance) + [ListInstanceStorageConfigs](https://docs.aws.amazon.com/goto/aws-cli/connect-2017-08-08/ListInstanceStorageConfigs) + [ListInstances](https://docs.aws.amazon.com/goto/aws-cli/connect-2017-08-08/ListInstances) + [ListRoutingProfiles](https://docs.aws.amazon.com/goto/aws-cli/connect-2017-08-08/ListRoutingProfiles) + [ListSecurityProfiles](https://docs.aws.amazon.com/goto/aws-cli/connect-2017-08-08/ListSecurityProfiles) + [ReleasePhoneNumber](https://docs.aws.amazon.com/goto/aws-cli/connect-2017-08-08/ReleasePhoneNumber) + [SearchAvailablePhoneNumbers](https://docs.aws.amazon.com/goto/aws-cli/connect-2017-08-08/SearchAvailablePhoneNumbers) + [UpdateInstanceAttribute](https://docs.aws.amazon.com/goto/aws-cli/connect-2017-08-08/UpdateInstanceAttribute) # Direct Connect examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Direct Connect. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Get started with Aws Direct Connect The following code example shows how to: + Use ec2 CreateVpnGateway + Use ec2 DeleteVpnGateway + Use ec2 DescribeVpnGateways + Use directconnect CreateConnection + Use directconnect CreatePrivateVirtualInterface + Use directconnect DeleteConnection **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/051-aws-direct-connect-gs) repository. ``` #!/bin/bash # AWS Direct Connect Connection Management Script - Version 6 # This script demonstrates how to create and manage AWS Direct Connect connections using the AWS CLI # This version includes fixes for user input handling and better error reporting # Set up logging LOG_FILE="directconnect-script.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "$(date): Starting AWS Direct Connect script v6" # Function to check for errors in command output check_error() { local output=$1 local command=$2 if echo "$output" | grep -i "error" > /dev/null; then echo "ERROR: Command failed: $command" echo "Output: $output" cleanup_resources exit 1 fi } # Function to wait for VGW to be available wait_for_vgw() { local vgw_id=$1 local max_attempts=30 local attempt=1 echo "Waiting for virtual private gateway $vgw_id to become available..." while [ $attempt -le $max_attempts ]; do VGW_STATE=$(aws ec2 describe-vpn-gateways --vpn-gateway-ids "$vgw_id" --query 'VpnGateways[0].State' --output text) if [ "$VGW_STATE" == "available" ]; then echo "Virtual private gateway is now available" return 0 elif [ "$VGW_STATE" == "failed" ]; then echo "Virtual private gateway failed to become available" return 1 fi echo "Attempt $attempt/$max_attempts: VGW state is $VGW_STATE, waiting 10 seconds..." sleep 10 attempt=$((attempt + 1)) done echo "Timeout waiting for VGW to become available" return 1 } # Function to wait for connection to be available wait_for_connection() { local connection_id=$1 local max_attempts=60 local attempt=1 echo "Waiting for connection $connection_id to become available..." echo "Note: This can take 30+ minutes in production as AWS provisions the physical connection" while [ $attempt -le $max_attempts ]; do CONNECTION_STATE=$(aws directconnect describe-connections --connection-id "$connection_id" --query 'connections[0].connectionState' --output text) if [ "$CONNECTION_STATE" == "available" ]; then echo "Connection is now available" return 0 elif [ "$CONNECTION_STATE" == "rejected" ] || [ "$CONNECTION_STATE" == "deleted" ]; then echo "Connection failed with state: $CONNECTION_STATE" return 1 fi echo "Attempt $attempt/$max_attempts: Connection state is $CONNECTION_STATE, waiting 30 seconds..." sleep 30 attempt=$((attempt + 1)) done echo "Timeout waiting for connection to become available" return 1 } # Function to clean up resources cleanup_resources() { echo "Cleaning up resources..." # Delete virtual interfaces if they exist if [ -n "$PRIVATE_VIF_ID" ]; then echo "Deleting private virtual interface: $PRIVATE_VIF_ID" aws directconnect delete-virtual-interface --virtual-interface-id "$PRIVATE_VIF_ID" fi if [ -n "$PUBLIC_VIF_ID" ]; then echo "Deleting public virtual interface: $PUBLIC_VIF_ID" aws directconnect delete-virtual-interface --virtual-interface-id "$PUBLIC_VIF_ID" fi # Delete connection if it exists if [ -n "$CONNECTION_ID" ]; then echo "Deleting connection: $CONNECTION_ID" aws directconnect delete-connection --connection-id "$CONNECTION_ID" fi # Delete VGW if it exists if [ -n "$VGW_ID" ]; then echo "Deleting virtual private gateway: $VGW_ID" aws ec2 delete-vpn-gateway --vpn-gateway-id "$VGW_ID" fi } # Generate a random identifier for resource names RANDOM_ID=$(openssl rand -hex 6) CONNECTION_NAME="DxConn-${RANDOM_ID}" # Step 1: List available Direct Connect locations echo "Listing available Direct Connect locations..." LOCATIONS_OUTPUT=$(aws directconnect describe-locations) check_error "$LOCATIONS_OUTPUT" "describe-locations" echo "$LOCATIONS_OUTPUT" # Extract the first location code for demonstration purposes LOCATION_CODE=$(aws directconnect describe-locations --query 'locations[0].locationCode' --output text) if [ -z "$LOCATION_CODE" ] || [ "$LOCATION_CODE" == "None" ]; then echo "Error: Could not extract location code from the output." exit 1 fi echo "Using location: $LOCATION_CODE" # Step 2: Create a dedicated connection echo "Creating a dedicated connection at location $LOCATION_CODE with bandwidth 1Gbps..." CONNECTION_OUTPUT=$(aws directconnect create-connection \ --location "$LOCATION_CODE" \ --bandwidth "1Gbps" \ --connection-name "$CONNECTION_NAME") check_error "$CONNECTION_OUTPUT" "create-connection" echo "$CONNECTION_OUTPUT" # Extract connection ID directly from the output CONNECTION_ID=$(echo "$CONNECTION_OUTPUT" | grep -o '"connectionId": "[^"]*' | cut -d'"' -f4) if [ -z "$CONNECTION_ID" ]; then echo "Error: Could not extract connection ID from the output." exit 1 fi echo "Connection created with ID: $CONNECTION_ID" # Step 3: Describe the connection echo "Retrieving connection details..." DESCRIBE_OUTPUT=$(aws directconnect describe-connections --connection-id "$CONNECTION_ID") check_error "$DESCRIBE_OUTPUT" "describe-connections" echo "$DESCRIBE_OUTPUT" # Step 4: Update the connection name NEW_CONNECTION_NAME="${CONNECTION_NAME}-updated" echo "Updating connection name to $NEW_CONNECTION_NAME..." UPDATE_OUTPUT=$(aws directconnect update-connection \ --connection-id "$CONNECTION_ID" \ --connection-name "$NEW_CONNECTION_NAME") check_error "$UPDATE_OUTPUT" "update-connection" echo "$UPDATE_OUTPUT" # Step 5: Check if we can download the LOA-CFA # Note: In a real scenario, the LOA-CFA might not be immediately available echo "Attempting to download the LOA-CFA (this may not be available yet)..." LOA_OUTPUT=$(aws directconnect describe-loa --connection-id "$CONNECTION_ID" 2>&1) if echo "$LOA_OUTPUT" | grep -i "error" > /dev/null; then echo "LOA-CFA not available yet. This is expected for newly created connections." echo "The LOA-CFA will be available once AWS begins provisioning your connection." else LOA_CONTENT=$(echo "$LOA_OUTPUT" | grep -o '"loaContent": "[^"]*' | cut -d'"' -f4) echo "$LOA_CONTENT" | base64 --decode > "loa-cfa-${CONNECTION_ID}.pdf" echo "LOA-CFA downloaded to loa-cfa-${CONNECTION_ID}.pdf" fi # Step 6: Create a virtual private gateway (required for private virtual interface) echo "Creating a virtual private gateway..." VGW_OUTPUT=$(aws ec2 create-vpn-gateway --type ipsec.1) check_error "$VGW_OUTPUT" "create-vpn-gateway" echo "$VGW_OUTPUT" # Extract VGW ID directly from the output VGW_ID=$(echo "$VGW_OUTPUT" | grep -o '"VpnGatewayId": "[^"]*' | cut -d'"' -f4) if [ -z "$VGW_ID" ]; then echo "Error: Could not extract VPN gateway ID from the output." exit 1 fi echo "Virtual private gateway created with ID: $VGW_ID" # Wait for VGW to become available if ! wait_for_vgw "$VGW_ID"; then echo "Failed to wait for VGW to become available. Skipping virtual interface creation." VIF_CREATION_SKIPPED=true else VIF_CREATION_SKIPPED=false fi # Step 7: Create a private virtual interface (only if VGW is available) if [ "$VIF_CREATION_SKIPPED" = false ]; then echo "Creating a private virtual interface..." PRIVATE_VIF_OUTPUT=$(aws directconnect create-private-virtual-interface \ --connection-id "$CONNECTION_ID" \ --new-private-virtual-interface '{ "virtualInterfaceName": "PrivateVIF-'"$RANDOM_ID"'", "vlan": 100, "asn": 65000, "authKey": "'"$RANDOM_ID"'key", "amazonAddress": "192.168.1.1/30", "customerAddress": "192.168.1.2/30", "addressFamily": "ipv4", "virtualGatewayId": "'"$VGW_ID"'" }' 2>&1) if echo "$PRIVATE_VIF_OUTPUT" | grep -i "error" > /dev/null; then echo "Could not create private virtual interface. This is expected if the connection is not yet available." echo "Error: $PRIVATE_VIF_OUTPUT" PRIVATE_VIF_ID="" else echo "$PRIVATE_VIF_OUTPUT" PRIVATE_VIF_ID=$(echo "$PRIVATE_VIF_OUTPUT" | grep -o '"virtualInterfaceId": "[^"]*' | cut -d'"' -f4) echo "Private virtual interface created with ID: $PRIVATE_VIF_ID" fi else echo "Skipping private virtual interface creation due to VGW not being available" PRIVATE_VIF_ID="" fi # Step 8: Check connection state and provide guidance for public virtual interface CONNECTION_STATE=$(aws directconnect describe-connections --connection-id "$CONNECTION_ID" --query 'connections[0].connectionState' --output text) echo "Current connection state: $CONNECTION_STATE" if [ "$CONNECTION_STATE" != "available" ]; then echo "" echo "===========================================" echo "CONNECTION NOT YET AVAILABLE" echo "===========================================" echo "The connection is in '$CONNECTION_STATE' state." echo "In production, you would:" echo "1. Wait for AWS to provision the connection (can take 30+ minutes)" echo "2. Download the LOA-CFA when available" echo "3. Provide the LOA-CFA to your network provider for cross-connect" echo "4. Create virtual interfaces once connection is 'available'" echo "" # Ask if user wants to wait for connection to become available echo "" echo "===========================================" echo "CONNECTION WAIT CONFIRMATION" echo "===========================================" echo -n "Do you want to wait for the connection to become available? (y/n): " read -r WAIT_CHOICE if [[ "$WAIT_CHOICE" =~ ^[Yy]$ ]]; then if wait_for_connection "$CONNECTION_ID"; then echo "Connection is now available! You could now create virtual interfaces." else echo "Connection did not become available within the timeout period." fi else echo "Skipping wait for connection availability." fi else echo "Connection is available! Virtual interfaces can be created." fi # Step 9: List all virtual interfaces echo "Listing all virtual interfaces..." VIF_LIST_OUTPUT=$(aws directconnect describe-virtual-interfaces) check_error "$VIF_LIST_OUTPUT" "describe-virtual-interfaces" echo "$VIF_LIST_OUTPUT" # Step 10: Display important information about production usage echo "" echo "===========================================" echo "IMPORTANT PRODUCTION NOTES" echo "===========================================" echo "1. Direct Connect connections take time to be provisioned by AWS" echo "2. You cannot create virtual interfaces until the connection is 'available'" echo "3. For public virtual interfaces, you must own the public IP addresses" echo "4. LOA-CFA (Letter of Authorization) is needed for cross-connect at the facility" echo "5. This demo creates resources that incur costs (~\$300/month for 1Gbps)" echo "6. Always test connectivity before putting into production" echo "" # Step 11: Ask user if they want to clean up resources echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo -n "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup_resources echo "All resources have been cleaned up." else echo "Resources were not cleaned up. You can manually delete them later." echo "" echo "Created resources:" echo "- Connection ID: $CONNECTION_ID" if [ -n "$PRIVATE_VIF_ID" ]; then echo "- Private Virtual Interface ID: $PRIVATE_VIF_ID" fi if [ -n "$PUBLIC_VIF_ID" ]; then echo "- Public Virtual Interface ID: $PUBLIC_VIF_ID" fi echo "- Virtual Private Gateway ID: $VGW_ID" echo "" echo "Manual cleanup commands:" echo "aws directconnect delete-connection --connection-id $CONNECTION_ID" echo "aws ec2 delete-vpn-gateway --vpn-gateway-id $VGW_ID" echo "" echo "Remember: Direct Connect resources incur ongoing costs!" fi echo "$(date): Script completed" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateConnection](https://docs.aws.amazon.com/goto/aws-cli/direct-connect-2012-10-25/CreateConnection) + [CreatePrivateVirtualInterface](https://docs.aws.amazon.com/goto/aws-cli/direct-connect-2012-10-25/CreatePrivateVirtualInterface) + [CreateVpnGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateVpnGateway) + [DeleteConnection](https://docs.aws.amazon.com/goto/aws-cli/direct-connect-2012-10-25/DeleteConnection) + [DeleteVirtualInterface](https://docs.aws.amazon.com/goto/aws-cli/direct-connect-2012-10-25/DeleteVirtualInterface) + [DeleteVpnGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteVpnGateway) + [DescribeConnections](https://docs.aws.amazon.com/goto/aws-cli/direct-connect-2012-10-25/DescribeConnections) + [DescribeLoa](https://docs.aws.amazon.com/goto/aws-cli/direct-connect-2012-10-25/DescribeLoa) + [DescribeLocations](https://docs.aws.amazon.com/goto/aws-cli/direct-connect-2012-10-25/DescribeLocations) + [DescribeVirtualInterfaces](https://docs.aws.amazon.com/goto/aws-cli/direct-connect-2012-10-25/DescribeVirtualInterfaces) + [DescribeVpnGateways](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpnGateways) + [UpdateConnection](https://docs.aws.amazon.com/goto/aws-cli/direct-connect-2012-10-25/UpdateConnection) # Amazon DocumentDB examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon DocumentDB. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting started with Amazon DocumentDB The following code example shows how to: + Create a DB subnet group + Create a DocumentDB cluster + Create a DocumentDB instance + Configure security and connectivity + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/025-documentdb-gs) repository. ``` #!/bin/bash # Amazon DocumentDB - Getting Started # This script creates a DocumentDB cluster with encrypted storage, stores the # master password in Secrets Manager, and displays connection information. set -eE ############################################################################### # Configuration ############################################################################### SUFFIX=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1) CLUSTER_ID="docdb-gs-${SUFFIX}" INSTANCE_ID="${CLUSTER_ID}-inst" SUBNET_GROUP_NAME="docdb-subnet-${SUFFIX}" SECRET_NAME="docdb-secret-${SUFFIX}" MASTER_USER="docdbadmin" ENGINE_VERSION="5.0.0" INSTANCE_CLASS="db.t3.medium" DOCDB_PORT=27017 WAIT_TIMEOUT=900 TEMP_DIR=$(mktemp -d) LOG_FILE="${TEMP_DIR}/documentdb-gs.log" CREATED_RESOURCES=() ############################################################################### # Logging ############################################################################### exec > >(tee -a "$LOG_FILE") 2>&1 echo "Log file: $LOG_FILE" echo "" ############################################################################### # Region pre-check ############################################################################### CONFIGURED_REGION=$(aws configure get region 2>/dev/null || true) if [ -z "$CONFIGURED_REGION" ] && [ -z "$AWS_DEFAULT_REGION" ] && [ -z "$AWS_REGION" ]; then echo "ERROR: No AWS region configured." echo "Run 'aws configure set region ' or export AWS_DEFAULT_REGION." exit 1 fi REGION="${AWS_REGION:-${AWS_DEFAULT_REGION:-$CONFIGURED_REGION}}" echo "Using region: $REGION" echo "" ############################################################################### # Error handler ############################################################################### handle_error() { echo "" echo "===========================================" echo "ERROR at $1" echo "===========================================" echo "" if [ ${#CREATED_RESOURCES[@]} -gt 0 ]; then echo "Resources created before error:" for r in "${CREATED_RESOURCES[@]}"; do echo " - $r" done echo "" echo "Attempting cleanup..." cleanup_resources fi rm -rf "$TEMP_DIR" exit 1 } trap 'handle_error "line $LINENO"' ERR ############################################################################### # Wait function ############################################################################### wait_for_status() { local resource_type="$1" local resource_id="$2" local target_status="$3" local timeout="${4:-$WAIT_TIMEOUT}" local elapsed=0 local interval=30 echo "Waiting for $resource_type '$resource_id' to reach '$target_status'..." while true; do local current_status="" if [ "$resource_type" = "cluster" ]; then current_status=$(aws docdb describe-db-clusters \ --db-cluster-identifier "$resource_id" \ --query "DBClusters[0].Status" --output text 2>&1) elif [ "$resource_type" = "instance" ]; then current_status=$(aws docdb describe-db-instances \ --db-instance-identifier "$resource_id" \ --query "DBInstances[0].DBInstanceStatus" --output text 2>&1) fi if echo "$current_status" | grep -iq "error"; then echo "ERROR checking status: $current_status" return 1 fi echo " Status: $current_status ($elapsed/${timeout}s)" if [ "$current_status" = "$target_status" ]; then echo " $resource_type '$resource_id' is now '$target_status'." return 0 fi if [ "$elapsed" -ge "$timeout" ]; then echo "ERROR: Timed out after ${timeout}s waiting for $resource_type '$resource_id'." return 1 fi sleep "$interval" elapsed=$((elapsed + interval)) done } ############################################################################### # Wait for deletion ############################################################################### wait_for_deletion() { local resource_type="$1" local resource_id="$2" local timeout="${3:-$WAIT_TIMEOUT}" local elapsed=0 local interval=30 echo "Waiting for $resource_type '$resource_id' to be deleted..." while true; do local result="" if [ "$resource_type" = "cluster" ]; then result=$(aws docdb describe-db-clusters \ --db-cluster-identifier "$resource_id" \ --query "DBClusters[0].Status" --output text 2>&1) || true elif [ "$resource_type" = "instance" ]; then result=$(aws docdb describe-db-instances \ --db-instance-identifier "$resource_id" \ --query "DBInstances[0].DBInstanceStatus" --output text 2>&1) || true fi if echo "$result" | grep -iq "DBClusterNotFoundFault\|DBInstanceNotFound\|not found"; then echo " $resource_type '$resource_id' deleted." return 0 fi echo " Still deleting... ($elapsed/${timeout}s)" if [ "$elapsed" -ge "$timeout" ]; then echo "WARNING: Timed out waiting for $resource_type '$resource_id' deletion." return 1 fi sleep "$interval" elapsed=$((elapsed + interval)) done } ############################################################################### # Cleanup ############################################################################### cleanup_resources() { echo "" echo "Cleaning up resources..." echo "" # Revoke security group ingress rule if [ -n "${SG_ID:-}" ] && [ -n "${MY_IP:-}" ]; then echo "Revoking security group ingress rule..." aws ec2 revoke-security-group-ingress \ --group-id "$SG_ID" \ --protocol tcp \ --port "$DOCDB_PORT" \ --cidr "${MY_IP}/32" 2>&1 || echo "WARNING: Failed to revoke SG ingress rule." fi # Delete instance (must be deleted before cluster) if printf '%s\n' "${CREATED_RESOURCES[@]}" | grep -q "instance:"; then echo "Deleting instance '${INSTANCE_ID}'..." aws docdb delete-db-instance \ --db-instance-identifier "$INSTANCE_ID" 2>&1 || echo "WARNING: Failed to delete instance." wait_for_deletion "instance" "$INSTANCE_ID" || true fi # Delete cluster (skip final snapshot) if printf '%s\n' "${CREATED_RESOURCES[@]}" | grep -q "cluster:"; then echo "Deleting cluster '${CLUSTER_ID}'..." aws docdb delete-db-cluster \ --db-cluster-identifier "$CLUSTER_ID" \ --skip-final-snapshot 2>&1 || echo "WARNING: Failed to delete cluster." wait_for_deletion "cluster" "$CLUSTER_ID" || true fi # Delete subnet group (must wait for cluster deletion) if printf '%s\n' "${CREATED_RESOURCES[@]}" | grep -q "subnet-group:"; then echo "Deleting subnet group '${SUBNET_GROUP_NAME}'..." aws docdb delete-db-subnet-group \ --db-subnet-group-name "$SUBNET_GROUP_NAME" 2>&1 || echo "WARNING: Failed to delete subnet group." fi # Delete secret if printf '%s\n' "${CREATED_RESOURCES[@]}" | grep -q "secret:"; then echo "Deleting secret '${SECRET_NAME}'..." aws secretsmanager delete-secret \ --secret-id "$SECRET_NAME" \ --force-delete-without-recovery 2>&1 || echo "WARNING: Failed to delete secret." fi echo "" echo "Cleanup complete." } ############################################################################### # Step 1: Generate password and store in Secrets Manager ############################################################################### echo "===========================================" echo "Step 1: Create master password in Secrets Manager" echo "===========================================" echo "" # Generate a safe password (no / @ " or spaces) MASTER_PASSWORD=$(cat /dev/urandom | tr -dc 'A-Za-z0-9!#$%^&*()_+=-' | fold -w 20 | head -n 1) SECRET_OUTPUT=$(aws secretsmanager create-secret \ --name "$SECRET_NAME" \ --description "DocumentDB master password for ${CLUSTER_ID}" \ --secret-string "$MASTER_PASSWORD" \ --output text --query "ARN" 2>&1) if echo "$SECRET_OUTPUT" | grep -iq "error"; then echo "ERROR creating secret: $SECRET_OUTPUT" exit 1 fi SECRET_ARN="$SECRET_OUTPUT" CREATED_RESOURCES+=("secret:${SECRET_NAME}") echo "Secret created: $SECRET_NAME" echo "Secret ARN: $SECRET_ARN" echo "" ############################################################################### # Step 2: Find default VPC and subnets ############################################################################### echo "===========================================" echo "Step 2: Find default VPC and subnets" echo "===========================================" echo "" VPC_ID=$(aws ec2 describe-vpcs \ --filters "Name=isDefault,Values=true" \ --query "Vpcs[0].VpcId" --output text 2>&1) if echo "$VPC_ID" | grep -iq "error"; then echo "ERROR finding default VPC: $VPC_ID" exit 1 fi if [ "$VPC_ID" = "None" ] || [ -z "$VPC_ID" ]; then echo "ERROR: No default VPC found. Create one with 'aws ec2 create-default-vpc'." exit 1 fi echo "Default VPC: $VPC_ID" # Get subnets in at least 2 different AZs (space-separated) SUBNET_INFO=$(aws ec2 describe-subnets \ --filters "Name=vpc-id,Values=${VPC_ID}" "Name=default-for-az,Values=true" \ --query "Subnets[*].[SubnetId,AvailabilityZone]" --output text 2>&1) if echo "$SUBNET_INFO" | grep -iq "error"; then echo "ERROR finding subnets: $SUBNET_INFO" exit 1 fi # Collect unique AZs and their subnet IDs declare -A AZ_SUBNETS while IFS=$'\t' read -r sid az; do if [ -z "${AZ_SUBNETS[$az]+x}" ]; then AZ_SUBNETS[$az]="$sid" fi done <<< "$SUBNET_INFO" AZ_COUNT=${#AZ_SUBNETS[@]} if [ "$AZ_COUNT" -lt 2 ]; then echo "ERROR: DocumentDB requires subnets in at least 2 AZs. Found $AZ_COUNT." exit 1 fi # Build space-separated subnet ID list SUBNET_IDS="" for az in "${!AZ_SUBNETS[@]}"; do if [ -n "$SUBNET_IDS" ]; then SUBNET_IDS="${SUBNET_IDS} ${AZ_SUBNETS[$az]}" else SUBNET_IDS="${AZ_SUBNETS[$az]}" fi done echo "Subnets (${AZ_COUNT} AZs): $SUBNET_IDS" echo "" ############################################################################### # Step 3: Create subnet group ############################################################################### echo "===========================================" echo "Step 3: Create DocumentDB subnet group" echo "===========================================" echo "" SUBNET_GROUP_OUTPUT=$(aws docdb create-db-subnet-group \ --db-subnet-group-name "$SUBNET_GROUP_NAME" \ --db-subnet-group-description "Subnet group for DocumentDB getting started" \ --subnet-ids $SUBNET_IDS \ --query "DBSubnetGroup.DBSubnetGroupName" --output text 2>&1) if echo "$SUBNET_GROUP_OUTPUT" | grep -iq "error"; then echo "ERROR creating subnet group: $SUBNET_GROUP_OUTPUT" exit 1 fi CREATED_RESOURCES+=("subnet-group:${SUBNET_GROUP_NAME}") echo "Subnet group created: $SUBNET_GROUP_NAME" echo "" ############################################################################### # Step 4: Create DocumentDB cluster ############################################################################### echo "===========================================" echo "Step 4: Create DocumentDB cluster" echo "===========================================" echo "" CLUSTER_OUTPUT=$(aws docdb create-db-cluster \ --db-cluster-identifier "$CLUSTER_ID" \ --engine docdb \ --engine-version "$ENGINE_VERSION" \ --master-username "$MASTER_USER" \ --master-user-password "$MASTER_PASSWORD" \ --db-subnet-group-name "$SUBNET_GROUP_NAME" \ --storage-encrypted \ --no-deletion-protection \ --query "DBCluster.DBClusterIdentifier" --output text 2>&1) if echo "$CLUSTER_OUTPUT" | grep -iq "error"; then echo "ERROR creating cluster: $CLUSTER_OUTPUT" exit 1 fi CREATED_RESOURCES+=("cluster:${CLUSTER_ID}") echo "Cluster created: $CLUSTER_ID" echo "" wait_for_status "cluster" "$CLUSTER_ID" "available" echo "" ############################################################################### # Step 5: Create DocumentDB instance ############################################################################### echo "===========================================" echo "Step 5: Create DocumentDB instance" echo "===========================================" echo "" INSTANCE_OUTPUT=$(aws docdb create-db-instance \ --db-instance-identifier "$INSTANCE_ID" \ --db-instance-class "$INSTANCE_CLASS" \ --db-cluster-identifier "$CLUSTER_ID" \ --engine docdb \ --query "DBInstance.DBInstanceIdentifier" --output text 2>&1) if echo "$INSTANCE_OUTPUT" | grep -iq "error"; then echo "ERROR creating instance: $INSTANCE_OUTPUT" exit 1 fi CREATED_RESOURCES+=("instance:${INSTANCE_ID}") echo "Instance created: $INSTANCE_ID" echo "" wait_for_status "instance" "$INSTANCE_ID" "available" echo "" ############################################################################### # Step 6: Get cluster endpoint and security group ############################################################################### echo "===========================================" echo "Step 6: Get cluster endpoint and security group" echo "===========================================" echo "" CLUSTER_DETAILS=$(aws docdb describe-db-clusters \ --db-cluster-identifier "$CLUSTER_ID" \ --query "DBClusters[0].[Endpoint,VpcSecurityGroups[0].VpcSecurityGroupId]" \ --output text 2>&1) if echo "$CLUSTER_DETAILS" | grep -iq "error"; then echo "ERROR getting cluster details: $CLUSTER_DETAILS" exit 1 fi CLUSTER_ENDPOINT=$(echo "$CLUSTER_DETAILS" | awk '{print $1}') SG_ID=$(echo "$CLUSTER_DETAILS" | awk '{print $2}') echo "Cluster endpoint: $CLUSTER_ENDPOINT" echo "Security group: $SG_ID" echo "" ############################################################################### # Step 7: Add security group ingress for port 27017 from user's IP ############################################################################### echo "===========================================" echo "Step 7: Add security group ingress rule" echo "===========================================" echo "" # Get the user's public IP MY_IP=$(curl -s https://checkip.amazonaws.com 2>&1) if echo "$MY_IP" | grep -iq "error\|could not\|failed"; then echo "ERROR: Could not determine public IP address." exit 1 fi # Trim whitespace MY_IP=$(echo "$MY_IP" | tr -d '[:space:]') echo "Your public IP: $MY_IP" SG_RULE_OUTPUT=$(aws ec2 authorize-security-group-ingress \ --group-id "$SG_ID" \ --protocol tcp \ --port "$DOCDB_PORT" \ --cidr "${MY_IP}/32" 2>&1) if echo "$SG_RULE_OUTPUT" | grep -iq "error"; then # Ignore if rule already exists if echo "$SG_RULE_OUTPUT" | grep -iq "Duplicate"; then echo "Ingress rule already exists." else echo "ERROR adding ingress rule: $SG_RULE_OUTPUT" exit 1 fi else echo "Ingress rule added: TCP ${DOCDB_PORT} from ${MY_IP}/32" fi CREATED_RESOURCES+=("sg-rule:${SG_ID}:${MY_IP}") echo "" ############################################################################### # Step 8: Download CA certificate ############################################################################### echo "===========================================" echo "Step 8: Download Amazon DocumentDB CA certificate" echo "===========================================" echo "" CA_CERT_PATH="${TEMP_DIR}/global-bundle.pem" curl -s -o "$CA_CERT_PATH" https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem 2>&1 if [ ! -s "$CA_CERT_PATH" ]; then echo "WARNING: Failed to download CA certificate." else echo "CA certificate downloaded to: $CA_CERT_PATH" fi echo "" ############################################################################### # Step 9: Display connection information ############################################################################### echo "===========================================" echo "CONNECTION INFORMATION" echo "===========================================" echo "" echo "Cluster endpoint : $CLUSTER_ENDPOINT" echo "Port : $DOCDB_PORT" echo "Master username : $MASTER_USER" echo "Secret name : $SECRET_NAME (contains password)" echo "Security group : $SG_ID" echo "CA certificate : $CA_CERT_PATH" echo "" echo "To connect with mongosh:" echo " mongosh --tls --host ${CLUSTER_ENDPOINT} --tlsCAFile ${CA_CERT_PATH} \\" echo " --retryWrites false --username ${MASTER_USER} --password \$(aws secretsmanager get-secret-value --secret-id ${SECRET_NAME} --query SecretString --output text)" echo "" ############################################################################### # Step 10: Cleanup ############################################################################### echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "" echo "Resources created:" for r in "${CREATED_RESOURCES[@]}"; do echo " - $r" done echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [ "$CLEANUP_CHOICE" = "y" ] || [ "$CLEANUP_CHOICE" = "Y" ]; then cleanup_resources else echo "" echo "Resources were NOT deleted. To clean up manually, run:" echo "" echo " # Revoke security group ingress rule" echo " aws ec2 revoke-security-group-ingress --group-id ${SG_ID} --protocol tcp --port ${DOCDB_PORT} --cidr ${MY_IP}/32" echo "" echo " # Delete instance (wait for it to finish before deleting cluster)" echo " aws docdb delete-db-instance --db-instance-identifier ${INSTANCE_ID}" echo " aws docdb wait db-instance-deleted --db-instance-identifier ${INSTANCE_ID}" echo "" echo " # Delete cluster" echo " aws docdb delete-db-cluster --db-cluster-identifier ${CLUSTER_ID} --skip-final-snapshot" echo "" echo " # Delete subnet group (after cluster is deleted)" echo " aws docdb delete-db-subnet-group --db-subnet-group-name ${SUBNET_GROUP_NAME}" echo "" echo " # Delete secret" echo " aws secretsmanager delete-secret --secret-id ${SECRET_NAME} --force-delete-without-recovery" echo "" fi rm -rf "$TEMP_DIR" echo "Done." ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateDbCluster](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/CreateDbCluster) + [CreateDbInstance](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/CreateDbInstance) + [CreateDbSubnetGroup](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/CreateDbSubnetGroup) + [CreateDefaultVpc](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateDefaultVpc) + [CreateSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/CreateSecret) + [DeleteDbCluster](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/DeleteDbCluster) + [DeleteDbInstance](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/DeleteDbInstance) + [DeleteDbSubnetGroup](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/DeleteDbSubnetGroup) + [DeleteSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/DeleteSecret) + [DescribeDbClusters](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/DescribeDbClusters) + [DescribeDbInstances](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/DescribeDbInstances) + [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets) + [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs) + [GetSecretValue](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/GetSecretValue) + [RevokeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/RevokeSecurityGroupIngress) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/Wait) # DynamoDB examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with DynamoDB. *Basics* are code examples that show you how to perform the essential operations within a service. *Actions* are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Basics](#basics) + [Actions](#actions) + [Scenarios](#scenarios) ## Basics ### Learn the basics The following code example shows how to: + Create a table that can hold movie data. + Put, get, and update a single movie in the table. + Write movie data to the table from a sample JSON file. + Query for movies that were released in a given year. + Scan for movies that were released in a range of years. + Delete a movie from the table, then delete the table. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/dynamodb#code-examples). The DynamoDB getting started scenario. ``` ############################################################################### # function dynamodb_getting_started_movies # # Scenario to create an Amazon DynamoDB table and perform a series of operations on the table. # # Returns: # 0 - If successful. # 1 - If an error occurred. ############################################################################### function dynamodb_getting_started_movies() { source ./dynamodb_operations.sh key_schema_json_file="dynamodb_key_schema.json" attribute_definitions_json_file="dynamodb_attr_def.json" item_json_file="movie_item.json" key_json_file="movie_key.json" batch_json_file="batch.json" attribute_names_json_file="attribute_names.json" attributes_values_json_file="attribute_values.json" echo_repeat "*" 88 echo echo "Welcome to the Amazon DynamoDB getting started demo." echo echo_repeat "*" 88 echo local table_name echo -n "Enter a name for a new DynamoDB table: " get_input table_name=$get_input_result echo '[ {"AttributeName": "year", "KeyType": "HASH"}, {"AttributeName": "title", "KeyType": "RANGE"} ]' >"$key_schema_json_file" echo '[ {"AttributeName": "year", "AttributeType": "N"}, {"AttributeName": "title", "AttributeType": "S"} ]' >"$attribute_definitions_json_file" if dynamodb_create_table -n "$table_name" -a "$attribute_definitions_json_file" \ -k "$key_schema_json_file" 1>/dev/null; then echo "Created a DynamoDB table named $table_name" else errecho "The table failed to create. This demo will exit." clean_up return 1 fi echo "Waiting for the table to become active...." if dynamodb_wait_table_active -n "$table_name"; then echo "The table is now active." else errecho "The table failed to become active. This demo will exit." cleanup "$table_name" return 1 fi echo echo_repeat "*" 88 echo echo -n "Enter the title of a movie you want to add to the table: " get_input local added_title added_title=$get_input_result local added_year get_int_input "What year was it released? " added_year=$get_input_result local rating get_float_input "On a scale of 1 - 10, how do you rate it? " "1" "10" rating=$get_input_result local plot echo -n "Summarize the plot for me: " get_input plot=$get_input_result echo '{ "year": {"N" :"'"$added_year"'"}, "title": {"S" : "'"$added_title"'"}, "info": {"M" : {"plot": {"S" : "'"$plot"'"}, "rating": {"N" :"'"$rating"'"} } } }' >"$item_json_file" if dynamodb_put_item -n "$table_name" -i "$item_json_file"; then echo "The movie '$added_title' was successfully added to the table '$table_name'." else errecho "Put item failed. This demo will exit." clean_up "$table_name" return 1 fi echo echo_repeat "*" 88 echo echo "Let's update your movie '$added_title'." get_float_input "You rated it $rating, what new rating would you give it? " "1" "10" rating=$get_input_result echo -n "You summarized the plot as '$plot'." echo "What would you say now? " get_input plot=$get_input_result echo '{ "year": {"N" :"'"$added_year"'"}, "title": {"S" : "'"$added_title"'"} }' >"$key_json_file" echo '{ ":r": {"N" :"'"$rating"'"}, ":p": {"S" : "'"$plot"'"} }' >"$item_json_file" local update_expression="SET info.rating = :r, info.plot = :p" if dynamodb_update_item -n "$table_name" -k "$key_json_file" -e "$update_expression" -v "$item_json_file"; then echo "Updated '$added_title' with new attributes." else errecho "Update item failed. This demo will exit." clean_up "$table_name" return 1 fi echo echo_repeat "*" 88 echo echo "We will now use batch write to upload 150 movie entries into the table." local batch_json for batch_json in movie_files/movies_*.json; do echo "{ \"$table_name\" : $(<"$batch_json") }" >"$batch_json_file" if dynamodb_batch_write_item -i "$batch_json_file" 1>/dev/null; then echo "Entries in $batch_json added to table." else errecho "Batch write failed. This demo will exit." clean_up "$table_name" return 1 fi done local title="The Lord of the Rings: The Fellowship of the Ring" local year="2001" if get_yes_no_input "Let's move on...do you want to get info about '$title'? (y/n) "; then echo '{ "year": {"N" :"'"$year"'"}, "title": {"S" : "'"$title"'"} }' >"$key_json_file" local info info=$(dynamodb_get_item -n "$table_name" -k "$key_json_file") # shellcheck disable=SC2181 if [[ ${?} -ne 0 ]]; then errecho "Get item failed. This demo will exit." clean_up "$table_name" return 1 fi echo "Here is what I found:" echo "$info" fi local ask_for_year=true while [[ "$ask_for_year" == true ]]; do echo "Let's get a list of movies released in a given year." get_int_input "Enter a year between 1972 and 2018: " "1972" "2018" year=$get_input_result echo '{ "#n": "year" }' >"$attribute_names_json_file" echo '{ ":v": {"N" :"'"$year"'"} }' >"$attributes_values_json_file" response=$(dynamodb_query -n "$table_name" -k "#n=:v" -a "$attribute_names_json_file" -v "$attributes_values_json_file") # shellcheck disable=SC2181 if [[ ${?} -ne 0 ]]; then errecho "Query table failed. This demo will exit." clean_up "$table_name" return 1 fi echo "Here is what I found:" echo "$response" if ! get_yes_no_input "Try another year? (y/n) "; then ask_for_year=false fi done echo "Now let's scan for movies released in a range of years. Enter a year: " get_int_input "Enter a year between 1972 and 2018: " "1972" "2018" local start=$get_input_result get_int_input "Enter another year: " "1972" "2018" local end=$get_input_result echo '{ "#n": "year" }' >"$attribute_names_json_file" echo '{ ":v1": {"N" : "'"$start"'"}, ":v2": {"N" : "'"$end"'"} }' >"$attributes_values_json_file" response=$(dynamodb_scan -n "$table_name" -f "#n BETWEEN :v1 AND :v2" -a "$attribute_names_json_file" -v "$attributes_values_json_file") # shellcheck disable=SC2181 if [[ ${?} -ne 0 ]]; then errecho "Scan table failed. This demo will exit." clean_up "$table_name" return 1 fi echo "Here is what I found:" echo "$response" echo echo_repeat "*" 88 echo echo "Let's remove your movie '$added_title' from the table." if get_yes_no_input "Do you want to remove '$added_title'? (y/n) "; then echo '{ "year": {"N" :"'"$added_year"'"}, "title": {"S" : "'"$added_title"'"} }' >"$key_json_file" if ! dynamodb_delete_item -n "$table_name" -k "$key_json_file"; then errecho "Delete item failed. This demo will exit." clean_up "$table_name" return 1 fi fi if get_yes_no_input "Do you want to delete the table '$table_name'? (y/n) "; then if ! clean_up "$table_name"; then return 1 fi else if ! clean_up; then return 1 fi fi return 0 } ``` The DynamoDB functions used in this scenario. ``` ############################################################################### # function dynamodb_create_table # # This function creates an Amazon DynamoDB table. # # Parameters: # -n table_name -- The name of the table to create. # -a attribute_definitions -- JSON file path of a list of attributes and their types. # -k key_schema -- JSON file path of a list of attributes and their key types. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function dynamodb_create_table() { local table_name attribute_definitions key_schema response local option OPTARG # Required to use getopts command in a function. ####################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_create_table" echo "Creates an Amazon DynamoDB table with on-demand billing." echo " -n table_name -- The name of the table to create." echo " -a attribute_definitions -- JSON file path of a list of attributes and their types." echo " -k key_schema -- JSON file path of a list of attributes and their key types." echo "" } # Retrieve the calling parameters. while getopts "n:a:k:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; a) attribute_definitions="${OPTARG}" ;; k) key_schema="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi if [[ -z "$attribute_definitions" ]]; then errecho "ERROR: You must provide an attribute definitions json file path the -a parameter." usage return 1 fi if [[ -z "$key_schema" ]]; then errecho "ERROR: You must provide a key schema json file path the -k parameter." usage return 1 fi iecho "Parameters:\n" iecho " table_name: $table_name" iecho " attribute_definitions: $attribute_definitions" iecho " key_schema: $key_schema" iecho "" response=$(aws dynamodb create-table \ --table-name "$table_name" \ --attribute-definitions file://"$attribute_definitions" \ --billing-mode PAY_PER_REQUEST \ --key-schema file://"$key_schema" ) local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports create-table operation failed.$response" return 1 fi return 0 } ############################################################################### # function dynamodb_describe_table # # This function returns the status of a DynamoDB table. # # Parameters: # -n table_name -- The name of the table. # # Response: # - TableStatus: # And: # 0 - Table is active. # 1 - If it fails. ############################################################################### function dynamodb_describe_table { local table_name local option OPTARG # Required to use getopts command in a function. ####################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_describe_table" echo "Describe the status of a DynamoDB table." echo " -n table_name -- The name of the table." echo "" } # Retrieve the calling parameters. while getopts "n:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi local table_status table_status=$( aws dynamodb describe-table \ --table-name "$table_name" \ --output text \ --query 'Table.TableStatus' ) local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log "$error_code" errecho "ERROR: AWS reports describe-table operation failed.$table_status" return 1 fi echo "$table_status" return 0 } ############################################################################## # function dynamodb_put_item # # This function puts an item into a DynamoDB table. # # Parameters: # -n table_name -- The name of the table. # -i item -- Path to json file containing the item values. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################## function dynamodb_put_item() { local table_name item response local option OPTARG # Required to use getopts command in a function. ####################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_put_item" echo "Put an item into a DynamoDB table." echo " -n table_name -- The name of the table." echo " -i item -- Path to json file containing the item values." echo "" } while getopts "n:i:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; i) item="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi if [[ -z "$item" ]]; then errecho "ERROR: You must provide an item with the -i parameter." usage return 1 fi iecho "Parameters:\n" iecho " table_name: $table_name" iecho " item: $item" iecho "" iecho "" response=$(aws dynamodb put-item \ --table-name "$table_name" \ --item file://"$item") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports put-item operation failed.$response" return 1 fi return 0 } ############################################################################## # function dynamodb_update_item # # This function updates an item in a DynamoDB table. # # # Parameters: # -n table_name -- The name of the table. # -k keys -- Path to json file containing the keys that identify the item to update. # -e update expression -- An expression that defines one or more attributes to be updated. # -v values -- Path to json file containing the update values. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################# function dynamodb_update_item() { local table_name keys update_expression values response local option OPTARG # Required to use getopts command in a function. ####################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_update_item" echo "Update an item in a DynamoDB table." echo " -n table_name -- The name of the table." echo " -k keys -- Path to json file containing the keys that identify the item to update." echo " -e update expression -- An expression that defines one or more attributes to be updated." echo " -v values -- Path to json file containing the update values." echo "" } while getopts "n:k:e:v:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; k) keys="${OPTARG}" ;; e) update_expression="${OPTARG}" ;; v) values="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi if [[ -z "$keys" ]]; then errecho "ERROR: You must provide a keys json file path the -k parameter." usage return 1 fi if [[ -z "$update_expression" ]]; then errecho "ERROR: You must provide an update expression with the -e parameter." usage return 1 fi if [[ -z "$values" ]]; then errecho "ERROR: You must provide a values json file path the -v parameter." usage return 1 fi iecho "Parameters:\n" iecho " table_name: $table_name" iecho " keys: $keys" iecho " update_expression: $update_expression" iecho " values: $values" response=$(aws dynamodb update-item \ --table-name "$table_name" \ --key file://"$keys" \ --update-expression "$update_expression" \ --expression-attribute-values file://"$values") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports update-item operation failed.$response" return 1 fi return 0 } ############################################################################## # function dynamodb_batch_write_item # # This function writes a batch of items into a DynamoDB table. # # Parameters: # -i item -- Path to json file containing the items to write. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################ function dynamodb_batch_write_item() { local item response local option OPTARG # Required to use getopts command in a function. ####################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_batch_write_item" echo "Write a batch of items into a DynamoDB table." echo " -i item -- Path to json file containing the items to write." echo "" } while getopts "i:h" option; do case "${option}" in i) item="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$item" ]]; then errecho "ERROR: You must provide an item with the -i parameter." usage return 1 fi iecho "Parameters:\n" iecho " table_name: $table_name" iecho " item: $item" iecho "" response=$(aws dynamodb batch-write-item \ --request-items file://"$item") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports batch-write-item operation failed.$response" return 1 fi return 0 } ############################################################################# # function dynamodb_get_item # # This function gets an item from a DynamoDB table. # # Parameters: # -n table_name -- The name of the table. # -k keys -- Path to json file containing the keys that identify the item to get. # [-q query] -- Optional JMESPath query expression. # # Returns: # The item as text output. # And: # 0 - If successful. # 1 - If it fails. ############################################################################ function dynamodb_get_item() { local table_name keys query response local option OPTARG # Required to use getopts command in a function. # ###################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_get_item" echo "Get an item from a DynamoDB table." echo " -n table_name -- The name of the table." echo " -k keys -- Path to json file containing the keys that identify the item to get." echo " [-q query] -- Optional JMESPath query expression." echo "" } query="" while getopts "n:k:q:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; k) keys="${OPTARG}" ;; q) query="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi if [[ -z "$keys" ]]; then errecho "ERROR: You must provide a keys json file path the -k parameter." usage return 1 fi if [[ -n "$query" ]]; then response=$(aws dynamodb get-item \ --table-name "$table_name" \ --key file://"$keys" \ --output text \ --query "$query") else response=$( aws dynamodb get-item \ --table-name "$table_name" \ --key file://"$keys" \ --output text ) fi local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports get-item operation failed.$response" return 1 fi if [[ -n "$query" ]]; then echo "$response" | sed "/^\t/s/\t//1" # Remove initial tab that the JMSEPath query inserts on some strings. else echo "$response" fi return 0 } ############################################################################# # function dynamodb_query # # This function queries a DynamoDB table. # # Parameters: # -n table_name -- The name of the table. # -k key_condition_expression -- The key condition expression. # -a attribute_names -- Path to JSON file containing the attribute names. # -v attribute_values -- Path to JSON file containing the attribute values. # [-p projection_expression] -- Optional projection expression. # # Returns: # The items as json output. # And: # 0 - If successful. # 1 - If it fails. ########################################################################### function dynamodb_query() { local table_name key_condition_expression attribute_names attribute_values projection_expression response local option OPTARG # Required to use getopts command in a function. # ###################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_query" echo "Query a DynamoDB table." echo " -n table_name -- The name of the table." echo " -k key_condition_expression -- The key condition expression." echo " -a attribute_names -- Path to JSON file containing the attribute names." echo " -v attribute_values -- Path to JSON file containing the attribute values." echo " [-p projection_expression] -- Optional projection expression." echo "" } while getopts "n:k:a:v:p:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; k) key_condition_expression="${OPTARG}" ;; a) attribute_names="${OPTARG}" ;; v) attribute_values="${OPTARG}" ;; p) projection_expression="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi if [[ -z "$key_condition_expression" ]]; then errecho "ERROR: You must provide a key condition expression with the -k parameter." usage return 1 fi if [[ -z "$attribute_names" ]]; then errecho "ERROR: You must provide a attribute names with the -a parameter." usage return 1 fi if [[ -z "$attribute_values" ]]; then errecho "ERROR: You must provide a attribute values with the -v parameter." usage return 1 fi if [[ -z "$projection_expression" ]]; then response=$(aws dynamodb query \ --table-name "$table_name" \ --key-condition-expression "$key_condition_expression" \ --expression-attribute-names file://"$attribute_names" \ --expression-attribute-values file://"$attribute_values") else response=$(aws dynamodb query \ --table-name "$table_name" \ --key-condition-expression "$key_condition_expression" \ --expression-attribute-names file://"$attribute_names" \ --expression-attribute-values file://"$attribute_values" \ --projection-expression "$projection_expression") fi local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports query operation failed.$response" return 1 fi echo "$response" return 0 } ############################################################################# # function dynamodb_scan # # This function scans a DynamoDB table. # # Parameters: # -n table_name -- The name of the table. # -f filter_expression -- The filter expression. # -a expression_attribute_names -- Path to JSON file containing the expression attribute names. # -v expression_attribute_values -- Path to JSON file containing the expression attribute values. # [-p projection_expression] -- Optional projection expression. # # Returns: # The items as json output. # And: # 0 - If successful. # 1 - If it fails. ########################################################################### function dynamodb_scan() { local table_name filter_expression expression_attribute_names expression_attribute_values projection_expression response local option OPTARG # Required to use getopts command in a function. # ###################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_scan" echo "Scan a DynamoDB table." echo " -n table_name -- The name of the table." echo " -f filter_expression -- The filter expression." echo " -a expression_attribute_names -- Path to JSON file containing the expression attribute names." echo " -v expression_attribute_values -- Path to JSON file containing the expression attribute values." echo " [-p projection_expression] -- Optional projection expression." echo "" } while getopts "n:f:a:v:p:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; f) filter_expression="${OPTARG}" ;; a) expression_attribute_names="${OPTARG}" ;; v) expression_attribute_values="${OPTARG}" ;; p) projection_expression="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi if [[ -z "$filter_expression" ]]; then errecho "ERROR: You must provide a filter expression with the -f parameter." usage return 1 fi if [[ -z "$expression_attribute_names" ]]; then errecho "ERROR: You must provide expression attribute names with the -a parameter." usage return 1 fi if [[ -z "$expression_attribute_values" ]]; then errecho "ERROR: You must provide expression attribute values with the -v parameter." usage return 1 fi if [[ -z "$projection_expression" ]]; then response=$(aws dynamodb scan \ --table-name "$table_name" \ --filter-expression "$filter_expression" \ --expression-attribute-names file://"$expression_attribute_names" \ --expression-attribute-values file://"$expression_attribute_values") else response=$(aws dynamodb scan \ --table-name "$table_name" \ --filter-expression "$filter_expression" \ --expression-attribute-names file://"$expression_attribute_names" \ --expression-attribute-values file://"$expression_attribute_values" \ --projection-expression "$projection_expression") fi local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports scan operation failed.$response" return 1 fi echo "$response" return 0 } ############################################################################## # function dynamodb_delete_item # # This function deletes an item from a DynamoDB table. # # Parameters: # -n table_name -- The name of the table. # -k keys -- Path to json file containing the keys that identify the item to delete. # # Returns: # 0 - If successful. # 1 - If it fails. ########################################################################### function dynamodb_delete_item() { local table_name keys response local option OPTARG # Required to use getopts command in a function. # ###################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_delete_item" echo "Delete an item from a DynamoDB table." echo " -n table_name -- The name of the table." echo " -k keys -- Path to json file containing the keys that identify the item to delete." echo "" } while getopts "n:k:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; k) keys="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi if [[ -z "$keys" ]]; then errecho "ERROR: You must provide a keys json file path the -k parameter." usage return 1 fi iecho "Parameters:\n" iecho " table_name: $table_name" iecho " keys: $keys" iecho "" response=$(aws dynamodb delete-item \ --table-name "$table_name" \ --key file://"$keys") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports delete-item operation failed.$response" return 1 fi return 0 } ############################################################################### # function dynamodb_delete_table # # This function deletes a DynamoDB table. # # Parameters: # -n table_name -- The name of the table to delete. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function dynamodb_delete_table() { local table_name response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function dynamodb_delete_table" echo "Deletes an Amazon DynamoDB table." echo " -n table_name -- The name of the table to delete." echo "" } # Retrieve the calling parameters. while getopts "n:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi iecho "Parameters:\n" iecho " table_name: $table_name" iecho "" response=$(aws dynamodb delete-table \ --table-name "$table_name") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports delete-table operation failed.$response" return 1 fi return 0 } ``` The utility functions used in this scenario. ``` ############################################################################### # function iecho # # This function enables the script to display the specified text only if # the global variable $VERBOSE is set to true. ############################################################################### function iecho() { if [[ $VERBOSE == true ]]; then echo "$@" fi } ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # See https://docs.aws.amazon.com/cli/latest/topic/return-codes.html#cli-aws-help-return-codes. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [BatchWriteItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/BatchWriteItem) + [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + [DeleteItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DeleteItem) + [DeleteTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DeleteTable) + [DescribeTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DescribeTable) + [GetItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/GetItem) + [PutItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/PutItem) + [Query](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/Query) + [Scan](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/Scan) + [UpdateItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/UpdateItem) ## Actions ### `BatchGetItem` The following code example shows how to use `BatchGetItem`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/dynamodb#code-examples). ``` ############################################################################# # function dynamodb_batch_get_item # # This function gets a batch of items from a DynamoDB table. # # Parameters: # -i item -- Path to json file containing the keys of the items to get. # # Returns: # The items as json output. # And: # 0 - If successful. # 1 - If it fails. ########################################################################## function dynamodb_batch_get_item() { local item response local option OPTARG # Required to use getopts command in a function. ####################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_batch_get_item" echo "Get a batch of items from a DynamoDB table." echo " -i item -- Path to json file containing the keys of the items to get." echo "" } while getopts "i:h" option; do case "${option}" in i) item="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$item" ]]; then errecho "ERROR: You must provide an item with the -i parameter." usage return 1 fi response=$(aws dynamodb batch-get-item \ --request-items file://"$item") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports batch-get-item operation failed.$response" return 1 fi echo "$response" return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # See https://docs.aws.amazon.com/cli/latest/topic/return-codes.html#cli-aws-help-return-codes. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [BatchGetItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/BatchGetItem) in *AWS CLI Command Reference*. ### `BatchWriteItem` The following code example shows how to use `BatchWriteItem`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/dynamodb#code-examples). ``` ############################################################################## # function dynamodb_batch_write_item # # This function writes a batch of items into a DynamoDB table. # # Parameters: # -i item -- Path to json file containing the items to write. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################ function dynamodb_batch_write_item() { local item response local option OPTARG # Required to use getopts command in a function. ####################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_batch_write_item" echo "Write a batch of items into a DynamoDB table." echo " -i item -- Path to json file containing the items to write." echo "" } while getopts "i:h" option; do case "${option}" in i) item="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$item" ]]; then errecho "ERROR: You must provide an item with the -i parameter." usage return 1 fi iecho "Parameters:\n" iecho " table_name: $table_name" iecho " item: $item" iecho "" response=$(aws dynamodb batch-write-item \ --request-items file://"$item") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports batch-write-item operation failed.$response" return 1 fi return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function iecho # # This function enables the script to display the specified text only if # the global variable $VERBOSE is set to true. ############################################################################### function iecho() { if [[ $VERBOSE == true ]]; then echo "$@" fi } ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # See https://docs.aws.amazon.com/cli/latest/topic/return-codes.html#cli-aws-help-return-codes. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [BatchWriteItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/BatchWriteItem) in *AWS CLI Command Reference*. ### `CreateTable` The following code example shows how to use `CreateTable`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/dynamodb#code-examples). ``` ############################################################################### # function dynamodb_create_table # # This function creates an Amazon DynamoDB table. # # Parameters: # -n table_name -- The name of the table to create. # -a attribute_definitions -- JSON file path of a list of attributes and their types. # -k key_schema -- JSON file path of a list of attributes and their key types. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function dynamodb_create_table() { local table_name attribute_definitions key_schema response local option OPTARG # Required to use getopts command in a function. ####################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_create_table" echo "Creates an Amazon DynamoDB table with on-demand billing." echo " -n table_name -- The name of the table to create." echo " -a attribute_definitions -- JSON file path of a list of attributes and their types." echo " -k key_schema -- JSON file path of a list of attributes and their key types." echo "" } # Retrieve the calling parameters. while getopts "n:a:k:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; a) attribute_definitions="${OPTARG}" ;; k) key_schema="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi if [[ -z "$attribute_definitions" ]]; then errecho "ERROR: You must provide an attribute definitions json file path the -a parameter." usage return 1 fi if [[ -z "$key_schema" ]]; then errecho "ERROR: You must provide a key schema json file path the -k parameter." usage return 1 fi iecho "Parameters:\n" iecho " table_name: $table_name" iecho " attribute_definitions: $attribute_definitions" iecho " key_schema: $key_schema" iecho "" response=$(aws dynamodb create-table \ --table-name "$table_name" \ --attribute-definitions file://"$attribute_definitions" \ --billing-mode PAY_PER_REQUEST \ --key-schema file://"$key_schema" ) local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports create-table operation failed.$response" return 1 fi return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function iecho # # This function enables the script to display the specified text only if # the global variable $VERBOSE is set to true. ############################################################################### function iecho() { if [[ $VERBOSE == true ]]; then echo "$@" fi } ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # See https://docs.aws.amazon.com/cli/latest/topic/return-codes.html#cli-aws-help-return-codes. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) in *AWS CLI Command Reference*. ### `DeleteItem` The following code example shows how to use `DeleteItem`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/dynamodb#code-examples). ``` ############################################################################## # function dynamodb_delete_item # # This function deletes an item from a DynamoDB table. # # Parameters: # -n table_name -- The name of the table. # -k keys -- Path to json file containing the keys that identify the item to delete. # # Returns: # 0 - If successful. # 1 - If it fails. ########################################################################### function dynamodb_delete_item() { local table_name keys response local option OPTARG # Required to use getopts command in a function. # ###################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_delete_item" echo "Delete an item from a DynamoDB table." echo " -n table_name -- The name of the table." echo " -k keys -- Path to json file containing the keys that identify the item to delete." echo "" } while getopts "n:k:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; k) keys="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi if [[ -z "$keys" ]]; then errecho "ERROR: You must provide a keys json file path the -k parameter." usage return 1 fi iecho "Parameters:\n" iecho " table_name: $table_name" iecho " keys: $keys" iecho "" response=$(aws dynamodb delete-item \ --table-name "$table_name" \ --key file://"$keys") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports delete-item operation failed.$response" return 1 fi return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function iecho # # This function enables the script to display the specified text only if # the global variable $VERBOSE is set to true. ############################################################################### function iecho() { if [[ $VERBOSE == true ]]; then echo "$@" fi } ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # See https://docs.aws.amazon.com/cli/latest/topic/return-codes.html#cli-aws-help-return-codes. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [DeleteItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DeleteItem) in *AWS CLI Command Reference*. ### `DeleteTable` The following code example shows how to use `DeleteTable`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/dynamodb#code-examples). ``` ############################################################################### # function dynamodb_delete_table # # This function deletes a DynamoDB table. # # Parameters: # -n table_name -- The name of the table to delete. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function dynamodb_delete_table() { local table_name response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function dynamodb_delete_table" echo "Deletes an Amazon DynamoDB table." echo " -n table_name -- The name of the table to delete." echo "" } # Retrieve the calling parameters. while getopts "n:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi iecho "Parameters:\n" iecho " table_name: $table_name" iecho "" response=$(aws dynamodb delete-table \ --table-name "$table_name") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports delete-table operation failed.$response" return 1 fi return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function iecho # # This function enables the script to display the specified text only if # the global variable $VERBOSE is set to true. ############################################################################### function iecho() { if [[ $VERBOSE == true ]]; then echo "$@" fi } ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # See https://docs.aws.amazon.com/cli/latest/topic/return-codes.html#cli-aws-help-return-codes. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [DeleteTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DeleteTable) in *AWS CLI Command Reference*. ### `DescribeTable` The following code example shows how to use `DescribeTable`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/dynamodb#code-examples). ``` ############################################################################### # function dynamodb_describe_table # # This function returns the status of a DynamoDB table. # # Parameters: # -n table_name -- The name of the table. # # Response: # - TableStatus: # And: # 0 - Table is active. # 1 - If it fails. ############################################################################### function dynamodb_describe_table { local table_name local option OPTARG # Required to use getopts command in a function. ####################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_describe_table" echo "Describe the status of a DynamoDB table." echo " -n table_name -- The name of the table." echo "" } # Retrieve the calling parameters. while getopts "n:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi local table_status table_status=$( aws dynamodb describe-table \ --table-name "$table_name" \ --output text \ --query 'Table.TableStatus' ) local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log "$error_code" errecho "ERROR: AWS reports describe-table operation failed.$table_status" return 1 fi echo "$table_status" return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # See https://docs.aws.amazon.com/cli/latest/topic/return-codes.html#cli-aws-help-return-codes. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [DescribeTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DescribeTable) in *AWS CLI Command Reference*. ### `GetItem` The following code example shows how to use `GetItem`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/dynamodb#code-examples). ``` ############################################################################# # function dynamodb_get_item # # This function gets an item from a DynamoDB table. # # Parameters: # -n table_name -- The name of the table. # -k keys -- Path to json file containing the keys that identify the item to get. # [-q query] -- Optional JMESPath query expression. # # Returns: # The item as text output. # And: # 0 - If successful. # 1 - If it fails. ############################################################################ function dynamodb_get_item() { local table_name keys query response local option OPTARG # Required to use getopts command in a function. # ###################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_get_item" echo "Get an item from a DynamoDB table." echo " -n table_name -- The name of the table." echo " -k keys -- Path to json file containing the keys that identify the item to get." echo " [-q query] -- Optional JMESPath query expression." echo "" } query="" while getopts "n:k:q:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; k) keys="${OPTARG}" ;; q) query="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi if [[ -z "$keys" ]]; then errecho "ERROR: You must provide a keys json file path the -k parameter." usage return 1 fi if [[ -n "$query" ]]; then response=$(aws dynamodb get-item \ --table-name "$table_name" \ --key file://"$keys" \ --output text \ --query "$query") else response=$( aws dynamodb get-item \ --table-name "$table_name" \ --key file://"$keys" \ --output text ) fi local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports get-item operation failed.$response" return 1 fi if [[ -n "$query" ]]; then echo "$response" | sed "/^\t/s/\t//1" # Remove initial tab that the JMSEPath query inserts on some strings. else echo "$response" fi return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # See https://docs.aws.amazon.com/cli/latest/topic/return-codes.html#cli-aws-help-return-codes. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [GetItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/GetItem) in *AWS CLI Command Reference*. ### `ListTables` The following code example shows how to use `ListTables`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/dynamodb#code-examples). ``` ############################################################################## # function dynamodb_list_tables # # This function lists all the tables in a DynamoDB. # # Returns: # 0 - If successful. # 1 - If it fails. ########################################################################### function dynamodb_list_tables() { response=$(aws dynamodb list-tables \ --output text \ --query "TableNames") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports batch-write-item operation failed.$response" return 1 fi echo "$response" | tr -s "[:space:]" "\n" return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # See https://docs.aws.amazon.com/cli/latest/topic/return-codes.html#cli-aws-help-return-codes. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [ListTables](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/ListTables) in *AWS CLI Command Reference*. ### `PutItem` The following code example shows how to use `PutItem`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/dynamodb#code-examples). ``` ############################################################################## # function dynamodb_put_item # # This function puts an item into a DynamoDB table. # # Parameters: # -n table_name -- The name of the table. # -i item -- Path to json file containing the item values. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################## function dynamodb_put_item() { local table_name item response local option OPTARG # Required to use getopts command in a function. ####################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_put_item" echo "Put an item into a DynamoDB table." echo " -n table_name -- The name of the table." echo " -i item -- Path to json file containing the item values." echo "" } while getopts "n:i:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; i) item="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi if [[ -z "$item" ]]; then errecho "ERROR: You must provide an item with the -i parameter." usage return 1 fi iecho "Parameters:\n" iecho " table_name: $table_name" iecho " item: $item" iecho "" iecho "" response=$(aws dynamodb put-item \ --table-name "$table_name" \ --item file://"$item") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports put-item operation failed.$response" return 1 fi return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function iecho # # This function enables the script to display the specified text only if # the global variable $VERBOSE is set to true. ############################################################################### function iecho() { if [[ $VERBOSE == true ]]; then echo "$@" fi } ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # See https://docs.aws.amazon.com/cli/latest/topic/return-codes.html#cli-aws-help-return-codes. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [PutItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/PutItem) in *AWS CLI Command Reference*. ### `Query` The following code example shows how to use `Query`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/dynamodb#code-examples). ``` ############################################################################# # function dynamodb_query # # This function queries a DynamoDB table. # # Parameters: # -n table_name -- The name of the table. # -k key_condition_expression -- The key condition expression. # -a attribute_names -- Path to JSON file containing the attribute names. # -v attribute_values -- Path to JSON file containing the attribute values. # [-p projection_expression] -- Optional projection expression. # # Returns: # The items as json output. # And: # 0 - If successful. # 1 - If it fails. ########################################################################### function dynamodb_query() { local table_name key_condition_expression attribute_names attribute_values projection_expression response local option OPTARG # Required to use getopts command in a function. # ###################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_query" echo "Query a DynamoDB table." echo " -n table_name -- The name of the table." echo " -k key_condition_expression -- The key condition expression." echo " -a attribute_names -- Path to JSON file containing the attribute names." echo " -v attribute_values -- Path to JSON file containing the attribute values." echo " [-p projection_expression] -- Optional projection expression." echo "" } while getopts "n:k:a:v:p:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; k) key_condition_expression="${OPTARG}" ;; a) attribute_names="${OPTARG}" ;; v) attribute_values="${OPTARG}" ;; p) projection_expression="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi if [[ -z "$key_condition_expression" ]]; then errecho "ERROR: You must provide a key condition expression with the -k parameter." usage return 1 fi if [[ -z "$attribute_names" ]]; then errecho "ERROR: You must provide a attribute names with the -a parameter." usage return 1 fi if [[ -z "$attribute_values" ]]; then errecho "ERROR: You must provide a attribute values with the -v parameter." usage return 1 fi if [[ -z "$projection_expression" ]]; then response=$(aws dynamodb query \ --table-name "$table_name" \ --key-condition-expression "$key_condition_expression" \ --expression-attribute-names file://"$attribute_names" \ --expression-attribute-values file://"$attribute_values") else response=$(aws dynamodb query \ --table-name "$table_name" \ --key-condition-expression "$key_condition_expression" \ --expression-attribute-names file://"$attribute_names" \ --expression-attribute-values file://"$attribute_values" \ --projection-expression "$projection_expression") fi local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports query operation failed.$response" return 1 fi echo "$response" return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # See https://docs.aws.amazon.com/cli/latest/topic/return-codes.html#cli-aws-help-return-codes. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [Query](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/Query) in *AWS CLI Command Reference*. ### `Scan` The following code example shows how to use `Scan`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/dynamodb#code-examples). ``` ############################################################################# # function dynamodb_scan # # This function scans a DynamoDB table. # # Parameters: # -n table_name -- The name of the table. # -f filter_expression -- The filter expression. # -a expression_attribute_names -- Path to JSON file containing the expression attribute names. # -v expression_attribute_values -- Path to JSON file containing the expression attribute values. # [-p projection_expression] -- Optional projection expression. # # Returns: # The items as json output. # And: # 0 - If successful. # 1 - If it fails. ########################################################################### function dynamodb_scan() { local table_name filter_expression expression_attribute_names expression_attribute_values projection_expression response local option OPTARG # Required to use getopts command in a function. # ###################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_scan" echo "Scan a DynamoDB table." echo " -n table_name -- The name of the table." echo " -f filter_expression -- The filter expression." echo " -a expression_attribute_names -- Path to JSON file containing the expression attribute names." echo " -v expression_attribute_values -- Path to JSON file containing the expression attribute values." echo " [-p projection_expression] -- Optional projection expression." echo "" } while getopts "n:f:a:v:p:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; f) filter_expression="${OPTARG}" ;; a) expression_attribute_names="${OPTARG}" ;; v) expression_attribute_values="${OPTARG}" ;; p) projection_expression="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi if [[ -z "$filter_expression" ]]; then errecho "ERROR: You must provide a filter expression with the -f parameter." usage return 1 fi if [[ -z "$expression_attribute_names" ]]; then errecho "ERROR: You must provide expression attribute names with the -a parameter." usage return 1 fi if [[ -z "$expression_attribute_values" ]]; then errecho "ERROR: You must provide expression attribute values with the -v parameter." usage return 1 fi if [[ -z "$projection_expression" ]]; then response=$(aws dynamodb scan \ --table-name "$table_name" \ --filter-expression "$filter_expression" \ --expression-attribute-names file://"$expression_attribute_names" \ --expression-attribute-values file://"$expression_attribute_values") else response=$(aws dynamodb scan \ --table-name "$table_name" \ --filter-expression "$filter_expression" \ --expression-attribute-names file://"$expression_attribute_names" \ --expression-attribute-values file://"$expression_attribute_values" \ --projection-expression "$projection_expression") fi local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports scan operation failed.$response" return 1 fi echo "$response" return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # See https://docs.aws.amazon.com/cli/latest/topic/return-codes.html#cli-aws-help-return-codes. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [Scan](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/Scan) in *AWS CLI Command Reference*. ### `UpdateItem` The following code example shows how to use `UpdateItem`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/dynamodb#code-examples). ``` ############################################################################## # function dynamodb_update_item # # This function updates an item in a DynamoDB table. # # # Parameters: # -n table_name -- The name of the table. # -k keys -- Path to json file containing the keys that identify the item to update. # -e update expression -- An expression that defines one or more attributes to be updated. # -v values -- Path to json file containing the update values. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################# function dynamodb_update_item() { local table_name keys update_expression values response local option OPTARG # Required to use getopts command in a function. ####################################### # Function usage explanation ####################################### function usage() { echo "function dynamodb_update_item" echo "Update an item in a DynamoDB table." echo " -n table_name -- The name of the table." echo " -k keys -- Path to json file containing the keys that identify the item to update." echo " -e update expression -- An expression that defines one or more attributes to be updated." echo " -v values -- Path to json file containing the update values." echo "" } while getopts "n:k:e:v:h" option; do case "${option}" in n) table_name="${OPTARG}" ;; k) keys="${OPTARG}" ;; e) update_expression="${OPTARG}" ;; v) values="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$table_name" ]]; then errecho "ERROR: You must provide a table name with the -n parameter." usage return 1 fi if [[ -z "$keys" ]]; then errecho "ERROR: You must provide a keys json file path the -k parameter." usage return 1 fi if [[ -z "$update_expression" ]]; then errecho "ERROR: You must provide an update expression with the -e parameter." usage return 1 fi if [[ -z "$values" ]]; then errecho "ERROR: You must provide a values json file path the -v parameter." usage return 1 fi iecho "Parameters:\n" iecho " table_name: $table_name" iecho " keys: $keys" iecho " update_expression: $update_expression" iecho " values: $values" response=$(aws dynamodb update-item \ --table-name "$table_name" \ --key file://"$keys" \ --update-expression "$update_expression" \ --expression-attribute-values file://"$values") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports update-item operation failed.$response" return 1 fi return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function iecho # # This function enables the script to display the specified text only if # the global variable $VERBOSE is set to true. ############################################################################### function iecho() { if [[ $VERBOSE == true ]]; then echo "$@" fi } ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # See https://docs.aws.amazon.com/cli/latest/topic/return-codes.html#cli-aws-help-return-codes. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [UpdateItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/UpdateItem) in *AWS CLI Command Reference*. ## Scenarios ### Advanced Global Secondary Index scenarios The following code example shows how to work with advanced Global Secondary Index configurations. + Create a table with multiple GSIs. + Create a table with on-demand capacity and GSI. + Put items into a table with multiple GSIs. + Query multiple GSIs with different conditions. **AWS CLI with Bash script** Create a table with multiple GSIs. ``` # Create a table with multiple GSIs aws dynamodb create-table \ --table-name MusicLibrary \ --attribute-definitions \ AttributeName=Artist,AttributeType=S \ AttributeName=SongTitle,AttributeType=S \ AttributeName=AlbumTitle,AttributeType=S \ AttributeName=Genre,AttributeType=S \ AttributeName=Year,AttributeType=N \ --key-schema \ AttributeName=Artist,KeyType=HASH \ AttributeName=SongTitle,KeyType=RANGE \ --billing-mode PAY_PER_REQUEST \ --global-secondary-indexes \ "[ { \"IndexName\": \"AlbumIndex\", \"KeySchema\": [{\"AttributeName\":\"AlbumTitle\",\"KeyType\":\"HASH\"}], \"Projection\": {\"ProjectionType\":\"ALL\"} }, { \"IndexName\": \"GenreYearIndex\", \"KeySchema\": [ {\"AttributeName\":\"Genre\",\"KeyType\":\"HASH\"}, {\"AttributeName\":\"Year\",\"KeyType\":\"RANGE\"} ], \"Projection\": {\"ProjectionType\":\"INCLUDE\",\"NonKeyAttributes\":[\"Artist\",\"SongTitle\"]} } ]" ``` Create a table with on-demand capacity and GSI. ``` # Create a table with on-demand capacity and GSI aws dynamodb create-table \ --table-name MusicOnDemand \ --attribute-definitions \ AttributeName=Artist,AttributeType=S \ AttributeName=SongTitle,AttributeType=S \ AttributeName=Genre,AttributeType=S \ --key-schema \ AttributeName=Artist,KeyType=HASH \ AttributeName=SongTitle,KeyType=RANGE \ --billing-mode PAY_PER_REQUEST \ --global-secondary-indexes \ "[ { \"IndexName\": \"GenreIndex\", \"KeySchema\": [{\"AttributeName\":\"Genre\",\"KeyType\":\"HASH\"}], \"Projection\": {\"ProjectionType\":\"ALL\"} } ]" ``` Put items into a table with multiple GSIs. ``` # Add items to MusicLibrary table aws dynamodb put-item \ --table-name MusicLibrary \ --item '{ "Artist": {"S": "The Beatles"}, "SongTitle": {"S": "Hey Jude"}, "AlbumTitle": {"S": "Past Masters"}, "Genre": {"S": "Rock"}, "Year": {"N": "1968"} }' aws dynamodb put-item \ --table-name MusicLibrary \ --item '{ "Artist": {"S": "Miles Davis"}, "SongTitle": {"S": "So What"}, "AlbumTitle": {"S": "Kind of Blue"}, "Genre": {"S": "Jazz"}, "Year": {"N": "1959"} }' ``` Query items from a table with multiple GSIs. ``` # Query the AlbumIndex GSI echo "Querying AlbumIndex GSI:" aws dynamodb query \ --table-name MusicLibrary \ --index-name AlbumIndex \ --key-condition-expression "AlbumTitle = :album" \ --expression-attribute-values '{":album":{"S":"Kind of Blue"}}' # Query the GenreYearIndex GSI with a range condition echo "Querying GenreYearIndex GSI with range condition:" aws dynamodb query \ --table-name MusicLibrary \ --index-name GenreYearIndex \ --key-condition-expression "Genre = :genre AND #yr > :year" \ --expression-attribute-names '{"#yr": "Year"}' \ --expression-attribute-values '{":genre":{"S":"Rock"},":year":{"N":"1965"}}' ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + [PutItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/PutItem) + [Query](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/Query) ### Create and manage MRSC global tables The following code example shows how to create and manage DynamoDB global tables with Multi-Region Strong Consistency (MRSC). + Create a table with Multi-Region Strong Consistency. + Verify MRSC configuration and replica status. + Test strong consistency across Regions with immediate reads. + Perform conditional writes with MRSC guarantees. + Clean up MRSC global table resources. **AWS CLI with Bash script** Create a table with Multi-Region Strong Consistency. ``` # Step 1: Create a new table in us-east-2 (primary region for MRSC) # Note: Table must be empty when enabling MRSC aws dynamodb create-table \ --table-name MusicTable \ --attribute-definitions \ AttributeName=Artist,AttributeType=S \ AttributeName=SongTitle,AttributeType=S \ --key-schema \ AttributeName=Artist,KeyType=HASH \ AttributeName=SongTitle,KeyType=RANGE \ --billing-mode PAY_PER_REQUEST \ --region us-east-2 # Wait for table to become active aws dynamodb wait table-exists --table-name MusicTable --region us-east-2 # Step 2: Add replica and witness with Multi-Region Strong Consistency # MRSC requires exactly three replicas in supported regions aws dynamodb update-table \ --table-name MusicTable \ --replica-updates '[{"Create": {"RegionName": "us-east-1"}}]' \ --global-table-witness-updates '[{"Create": {"RegionName": "us-west-2"}}]' \ --multi-region-consistency STRONG \ --region us-east-2 ``` Verify MRSC configuration and replica status. ``` # Verify the global table configuration and MRSC setting aws dynamodb describe-table \ --table-name MusicTable \ --region us-east-2 \ --query 'Table.{TableName:TableName,TableStatus:TableStatus,MultiRegionConsistency:MultiRegionConsistency,Replicas:Replicas[*],GlobalTableWitnesses:GlobalTableWitnesses[*].{Region:RegionName,Status:ReplicaStatus}}' ``` Test strong consistency with immediate reads across Regions. ``` # Write an item to the primary region aws dynamodb put-item \ --table-name MusicTable \ --item '{"Artist": {"S":"The Beatles"},"SongTitle": {"S":"Hey Jude"},"Album": {"S":"The Beatles 1967-1970"},"Year": {"N":"1968"}}' \ --region us-east-2 # Read the item from replica region to verify strong consistency (cannot read or write to witness) # No wait time needed - MRSC provides immediate consistency echo "Reading from us-east-1 (immediate consistency):" aws dynamodb get-item \ --table-name MusicTable \ --key '{"Artist": {"S":"The Beatles"},"SongTitle": {"S":"Hey Jude"}}' \ --consistent-read \ --region us-east-1 ``` Perform conditional writes with MRSC guarantees. ``` # Perform a conditional update from a different region # This demonstrates that conditions work consistently across all regions aws dynamodb update-item \ --table-name MusicTable \ --key '{"Artist": {"S":"The Beatles"},"SongTitle": {"S":"Hey Jude"}}' \ --update-expression "SET #rating = :rating" \ --condition-expression "attribute_exists(Artist)" \ --expression-attribute-names '{"#rating": "Rating"}' \ --expression-attribute-values '{":rating": {"N":"5"}}' \ --region us-east-1 ``` Clean up MRSC global table resources. ``` # Remove replica tables (must be done before deleting the primary table) aws dynamodb update-table \ --table-name MusicTable \ --replica-updates '[{"Delete": {"RegionName": "us-east-1"}}]' \ --global-table-witness-updates '[{"Delete": {"RegionName": "us-west-2"}}]' \ --region us-east-2 # Wait for replicas to be deleted echo "Waiting for replicas to be deleted..." sleep 30 # Delete the primary table aws dynamodb delete-table \ --table-name MusicTable \ --region us-east-2 ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + [DeleteTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DeleteTable) + [DescribeTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DescribeTable) + [GetItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/GetItem) + [PutItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/PutItem) + [UpdateItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/UpdateItem) + [UpdateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/UpdateTable) ### Getting started with DynamoDB The following code example shows how to: + Create a table in DynamoDB + Update data in a DynamoDB table + Query data in a DynamoDB table + Delete your DynamoDB table **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/070-amazon-dynamodb-gs) repository. ``` #!/bin/bash # DynamoDB Getting Started Tutorial Script # This script demonstrates basic operations with Amazon DynamoDB: # - Creating a table # - Writing data to the table # - Reading data from the table # - Updating data in the table # - Querying data in the table # - Deleting the table (cleanup) # Set up logging LOG_FILE="dynamodb-tutorial-$(date +%Y%m%d-%H%M%S).log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting DynamoDB Getting Started Tutorial at $(date)" echo "Logging to $LOG_FILE" # Function to check for errors in command output check_error() { local output=$1 local cmd_name=$2 if echo "$output" | grep -i "error" > /dev/null; then echo "ERROR detected in $cmd_name command:" echo "$output" exit 1 fi } # Function to wait for table to be in ACTIVE state wait_for_table_active() { local table_name=$1 local status="" echo "Waiting for table $table_name to become ACTIVE..." while [[ "$status" != "ACTIVE" ]]; do sleep 5 status=$(aws dynamodb describe-table --table-name "$table_name" --query "Table.TableStatus" --output text) echo "Current status: $status" done echo "Table $table_name is now ACTIVE" } # Track created resources for cleanup RESOURCES=() # Step 1: Create a table in DynamoDB echo "Step 1: Creating Music table in DynamoDB..." CREATE_TABLE_OUTPUT=$(aws dynamodb create-table \ --table-name Music \ --attribute-definitions \ AttributeName=Artist,AttributeType=S \ AttributeName=SongTitle,AttributeType=S \ --key-schema AttributeName=Artist,KeyType=HASH AttributeName=SongTitle,KeyType=RANGE \ --billing-mode PAY_PER_REQUEST \ --table-class STANDARD) check_error "$CREATE_TABLE_OUTPUT" "create-table" echo "$CREATE_TABLE_OUTPUT" # Add table to resources list RESOURCES+=("Table:Music") # Wait for table to be active wait_for_table_active "Music" # Enable point-in-time recovery (best practice) echo "Enabling point-in-time recovery for the Music table..." PITR_OUTPUT=$(aws dynamodb update-continuous-backups \ --table-name Music \ --point-in-time-recovery-specification PointInTimeRecoveryEnabled=true) check_error "$PITR_OUTPUT" "update-continuous-backups" echo "$PITR_OUTPUT" # Step 2: Write data to the DynamoDB table echo "Step 2: Writing data to the Music table..." # Add first item ITEM1_OUTPUT=$(aws dynamodb put-item \ --table-name Music \ --item \ '{"Artist": {"S": "No One You Know"}, "SongTitle": {"S": "Call Me Today"}, "AlbumTitle": {"S": "Somewhat Famous"}, "Awards": {"N": "1"}}') check_error "$ITEM1_OUTPUT" "put-item (item 1)" echo "$ITEM1_OUTPUT" # Add second item ITEM2_OUTPUT=$(aws dynamodb put-item \ --table-name Music \ --item \ '{"Artist": {"S": "No One You Know"}, "SongTitle": {"S": "Howdy"}, "AlbumTitle": {"S": "Somewhat Famous"}, "Awards": {"N": "2"}}') check_error "$ITEM2_OUTPUT" "put-item (item 2)" echo "$ITEM2_OUTPUT" # Add third item ITEM3_OUTPUT=$(aws dynamodb put-item \ --table-name Music \ --item \ '{"Artist": {"S": "Acme Band"}, "SongTitle": {"S": "Happy Day"}, "AlbumTitle": {"S": "Songs About Life"}, "Awards": {"N": "10"}}') check_error "$ITEM3_OUTPUT" "put-item (item 3)" echo "$ITEM3_OUTPUT" # Add fourth item ITEM4_OUTPUT=$(aws dynamodb put-item \ --table-name Music \ --item \ '{"Artist": {"S": "Acme Band"}, "SongTitle": {"S": "PartiQL Rocks"}, "AlbumTitle": {"S": "Another Album Title"}, "Awards": {"N": "8"}}') check_error "$ITEM4_OUTPUT" "put-item (item 4)" echo "$ITEM4_OUTPUT" # Step 3: Read data from the DynamoDB table echo "Step 3: Reading data from the Music table..." # Get a specific item GET_ITEM_OUTPUT=$(aws dynamodb get-item --consistent-read \ --table-name Music \ --key '{"Artist": {"S": "Acme Band"}, "SongTitle": {"S": "Happy Day"}}') check_error "$GET_ITEM_OUTPUT" "get-item" echo "Retrieved item:" echo "$GET_ITEM_OUTPUT" # Step 4: Update data in the DynamoDB table echo "Step 4: Updating data in the Music table..." # Update an item UPDATE_ITEM_OUTPUT=$(aws dynamodb update-item \ --table-name Music \ --key '{"Artist": {"S": "Acme Band"}, "SongTitle": {"S": "Happy Day"}}' \ --update-expression "SET AlbumTitle = :newval" \ --expression-attribute-values '{":newval": {"S": "Updated Album Title"}}' \ --return-values ALL_NEW) check_error "$UPDATE_ITEM_OUTPUT" "update-item" echo "Updated item:" echo "$UPDATE_ITEM_OUTPUT" # Step 5: Query data in the DynamoDB table echo "Step 5: Querying data in the Music table..." # Query items by Artist QUERY_OUTPUT=$(aws dynamodb query \ --table-name Music \ --key-condition-expression "Artist = :name" \ --expression-attribute-values '{":name": {"S": "Acme Band"}}') check_error "$QUERY_OUTPUT" "query" echo "Query results:" echo "$QUERY_OUTPUT" # Prompt for cleanup echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Resources created:" for resource in "${RESOURCES[@]}"; do echo "- $resource" done echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then # Step 6: Delete the DynamoDB table echo "Step 6: Deleting the Music table..." DELETE_TABLE_OUTPUT=$(aws dynamodb delete-table --table-name Music) check_error "$DELETE_TABLE_OUTPUT" "delete-table" echo "$DELETE_TABLE_OUTPUT" echo "Waiting for table deletion to complete..." aws dynamodb wait table-not-exists --table-name Music echo "Cleanup completed successfully." else echo "Skipping cleanup. Resources will remain in your AWS account." fi echo "DynamoDB Getting Started Tutorial completed at $(date)" echo "Log file: $LOG_FILE" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + [DeleteTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DeleteTable) + [DescribeTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DescribeTable) + [GetItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/GetItem) + [PutItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/PutItem) + [Query](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/Query) + [UpdateContinuousBackups](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/UpdateContinuousBackups) + [UpdateItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/UpdateItem) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/Wait) ### Manage Global Secondary Indexes The following code example shows how to manage the complete lifecycle of Global Secondary Indexes. + Create a table with a Global Secondary Index. + Add a new GSI to an existing table. + Update (increase) GSI warm throughput. + Query data using GSIs. + Delete a GSI. **AWS CLI with Bash script** Create a table with a Global Secondary Index. ``` # Create a table with a GSI aws dynamodb create-table \ --table-name MusicCollection \ --attribute-definitions \ AttributeName=Artist,AttributeType=S \ AttributeName=SongTitle,AttributeType=S \ AttributeName=AlbumTitle,AttributeType=S \ --key-schema \ AttributeName=Artist,KeyType=HASH \ AttributeName=SongTitle,KeyType=RANGE \ --billing-mode PAY_PER_REQUEST \ --global-secondary-indexes \ "IndexName=AlbumIndex,\ KeySchema=[{AttributeName=AlbumTitle,KeyType=HASH}],\ Projection={ProjectionType=ALL}" ``` Add a new (on-demand) GSI to an existing table. ``` # Add a new GSI to an existing table aws dynamodb update-table \ --table-name MusicCollection \ --attribute-definitions \ AttributeName=Genre,AttributeType=S \ --global-secondary-index-updates \ "[{\"Create\":{\"IndexName\":\"GenreIndex\",\ \"KeySchema\":[{\"AttributeName\":\"Genre\",\"KeyType\":\"HASH\"}],\ \"Projection\":{\"ProjectionType\":\"ALL\"}}}]" ``` Update (increase) GSI warm throughput. ``` # Increase the warm throughput of a GSI (default values are 12k reads, 4k writes) aws dynamodb update-table \ --table-name MusicCollection \ --global-secondary-index-updates \ "[{\"Update\":{\"IndexName\":\"AlbumIndex\",\ \"WarmThroughput\":{\"ReadUnitsPerSecond\":15000,\"WriteUnitsPerSecond\":6000}}}]" ``` Query data using GSIs. ``` # Query the AlbumIndex GSI aws dynamodb query \ --table-name MusicCollection \ --index-name AlbumIndex \ --key-condition-expression "AlbumTitle = :album" \ --expression-attribute-values '{":album":{"S":"Let It Be"}}' # Query the GenreIndex GSI aws dynamodb query \ --table-name MusicCollection \ --index-name GenreIndex \ --key-condition-expression "Genre = :genre" \ --expression-attribute-values '{":genre":{"S":"Jazz"}}' ``` Delete a GSI. ``` # Delete a GSI from a table aws dynamodb update-table \ --table-name MusicCollection \ --global-secondary-index-updates \ "[{\"Delete\":{\"IndexName\":\"GenreIndex\"}}]" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + [DeleteTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DeleteTable) + [Query](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/Query) + [UpdateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/UpdateTable) ### Manage resource-based policies The following code example shows how to manage the complete lifecycle of resource-based policies for DynamoDB tables. + Create a table with a resource policy. + Get a resource policy. + Update a resource policy. + Delete a resource policy. **AWS CLI with Bash script** Create a table with a resource policy. ``` # Step 1: Create a DynamoDB table aws dynamodb create-table \ --table-name MusicCollection \ --attribute-definitions \ AttributeName=Artist,AttributeType=S \ AttributeName=SongTitle,AttributeType=S \ --key-schema \ AttributeName=Artist,KeyType=HASH \ AttributeName=SongTitle,KeyType=RANGE \ --billing-mode PAY_PER_REQUEST # Step 2: Create a resource-based policy document cat > policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/DynamoDBReadOnly" }, "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan" ], "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection" } ] } EOF # Step 3: Attach the resource-based policy to the table aws dynamodb put-resource-policy \ --resource-arn arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection \ --policy file://policy.json ``` Get a resource policy. ``` # Get the resource-based policy attached to a table aws dynamodb get-resource-policy \ --resource-arn arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection ``` Update a resource policy. ``` # Step 1: Create an updated policy document cat > updated-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::123456789012:role/DynamoDBReadOnly", "arn:aws:iam::123456789012:role/DynamoDBAnalytics" ] }, "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan" ], "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection" } ] } EOF # Step 2: Update the resource-based policy on the table aws dynamodb put-resource-policy \ --resource-arn arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection \ --policy file://updated-policy.json ``` Delete a resource policy. ``` # Delete the resource-based policy from a table aws dynamodb delete-resource-policy \ --resource-arn arn:aws:dynamodb:us-west-2:123456789012:table/MusicCollection ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + [DeleteResourcePolicy](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DeleteResourcePolicy) + [GetResourcePolicy](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/GetResourcePolicy) + [PutResourcePolicy](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/PutResourcePolicy) ### Set up Attribute-Based Access Control The following code example shows how to implement Attribute-Based Access Control (ABAC) for DynamoDB. + Create an IAM policy for ABAC. + Create tables with tags for different departments. + List and filter tables based on tags. **AWS CLI with Bash script** Create an IAM policy for ABAC. ``` # Step 1: Create a policy document for ABAC cat > abac-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan" ], "Resource": "arn:aws:dynamodb:*:*:table/*", "Condition": { "StringEquals": { "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}" } } }, { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ], "Resource": "arn:aws:dynamodb:*:*:table/*", "Condition": { "StringEquals": { "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}", "aws:ResourceTag/Environment": "Development" } } } ] } EOF # Step 2: Create the IAM policy aws iam create-policy \ --policy-name DynamoDBDepartmentBasedAccess \ --policy-document file://abac-policy.json ``` Create tables with tags for different departments. ``` # Create a DynamoDB table with tags for ABAC aws dynamodb create-table \ --table-name FinanceData \ --attribute-definitions \ AttributeName=RecordID,AttributeType=S \ --key-schema \ AttributeName=RecordID,KeyType=HASH \ --billing-mode PAY_PER_REQUEST \ --tags \ Key=Department,Value=Finance \ Key=Environment,Value=Development # Create another table with different tags aws dynamodb create-table \ --table-name MarketingData \ --attribute-definitions \ AttributeName=RecordID,AttributeType=S \ --key-schema \ AttributeName=RecordID,KeyType=HASH \ --billing-mode PAY_PER_REQUEST \ --tags \ Key=Department,Value=Marketing \ Key=Environment,Value=Production ``` List and filter tables based on tags. ``` # List all DynamoDB tables echo "Listing all tables:" aws dynamodb list-tables # Get ARNs for all tables echo -e "\nGetting ARNs for all tables:" TABLE_ARNS=$(aws dynamodb list-tables --query "TableNames[*]" --output text | xargs -I {} aws dynamodb describe-table --table-name {} --query "Table.TableArn" --output text) # For each table ARN, list its tags echo -e "\nListing tags for each table:" for ARN in $TABLE_ARNS; do TABLE_NAME=$(echo $ARN | awk -F/ '{print $2}') echo -e "\nTags for table: $TABLE_NAME" aws dynamodb list-tags-of-resource --resource-arn $ARN done # Example: Find tables with a specific tag echo -e "\nFinding tables with Environment=Production tag:" for ARN in $TABLE_ARNS; do TABLE_NAME=$(echo $ARN | awk -F/ '{print $2}') TAGS=$(aws dynamodb list-tags-of-resource --resource-arn $ARN --query "Tags[?Key=='Environment' && Value=='Production']" --output text) if [ ! -z "$TAGS" ]; then echo "Table with Production tag: $TABLE_NAME" fi done ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy) + [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + [ListTables](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/ListTables) ### Work with Local Secondary Indexes The following code example shows how to create and query tables with Local Secondary Indexes. + Create a table with a Local Secondary Index (LSI). + Create a table with multiple LSIs with different projection types. + Query data using LSIs. **AWS CLI with Bash script** Create a table with a Local Secondary Index. ``` # Create a table with a Local Secondary Index aws dynamodb create-table \ --table-name CustomerOrders \ --attribute-definitions \ AttributeName=CustomerID,AttributeType=S \ AttributeName=OrderID,AttributeType=S \ AttributeName=OrderDate,AttributeType=S \ --key-schema \ AttributeName=CustomerID,KeyType=HASH \ AttributeName=OrderID,KeyType=RANGE \ --local-secondary-indexes \ "IndexName=OrderDateIndex,\ KeySchema=[{AttributeName=CustomerID,KeyType=HASH},{AttributeName=OrderDate,KeyType=RANGE}],\ Projection={ProjectionType=ALL}" \ --billing-mode PAY_PER_REQUEST ``` Create a table with multiple LSIs. ``` # Create a table with multiple Local Secondary Indexes aws dynamodb create-table \ --table-name CustomerDetails \ --attribute-definitions \ AttributeName=CustomerID,AttributeType=S \ AttributeName=Name,AttributeType=S \ AttributeName=Email,AttributeType=S \ AttributeName=RegistrationDate,AttributeType=S \ --key-schema \ AttributeName=CustomerID,KeyType=HASH \ AttributeName=Name,KeyType=RANGE \ --local-secondary-indexes \ "[ { \"IndexName\": \"EmailIndex\", \"KeySchema\": [ {\"AttributeName\":\"CustomerID\",\"KeyType\":\"HASH\"}, {\"AttributeName\":\"Email\",\"KeyType\":\"RANGE\"} ], \"Projection\": {\"ProjectionType\":\"INCLUDE\",\"NonKeyAttributes\":[\"Address\",\"Phone\"]} }, { \"IndexName\": \"RegistrationIndex\", \"KeySchema\": [ {\"AttributeName\":\"CustomerID\",\"KeyType\":\"HASH\"}, {\"AttributeName\":\"RegistrationDate\",\"KeyType\":\"RANGE\"} ], \"Projection\": {\"ProjectionType\":\"KEYS_ONLY\"} } ]" \ --billing-mode PAY_PER_REQUEST ``` Query data using LSIs. ``` # Query the OrderDateIndex LSI aws dynamodb query \ --table-name CustomerOrders \ --index-name OrderDateIndex \ --key-condition-expression "CustomerID = :custId AND OrderDate BETWEEN :date1 AND :date2" \ --expression-attribute-values '{ ":custId": {"S": "C1"}, ":date1": {"S": "2023-01-01"}, ":date2": {"S": "2023-02-01"} }' # Query with a filter expression aws dynamodb query \ --table-name CustomerOrders \ --index-name OrderDateIndex \ --key-condition-expression "CustomerID = :custId" \ --filter-expression "Amount > :amount" \ --expression-attribute-values '{ ":custId": {"S": "C1"}, ":amount": {"N": "150"} }' ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + [Query](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/Query) ### Work with Streams and Time-to-Live The following code example shows how to manage DynamoDB Streams and Time-to-Live features. + Create a table with Streams enabled. + Describe Streams. + Create a Lambda function for processing Streams. + Enable TTL on a table. + Add items with TTL attributes. + Describe TTL settings. **AWS CLI with Bash script** Create a table with Streams enabled. ``` # Create a table with DynamoDB Streams enabled aws dynamodb create-table \ --table-name StreamsDemo \ --attribute-definitions \ AttributeName=ID,AttributeType=S \ --key-schema \ AttributeName=ID,KeyType=HASH \ --billing-mode PAY_PER_REQUEST \ --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES ``` Describe Streams. ``` # Get information about the stream aws dynamodb describe-table \ --table-name StreamsDemo \ --query "Table.StreamSpecification" # Get the stream ARN STREAM_ARN=$(aws dynamodb describe-table \ --table-name StreamsDemo \ --query "Table.LatestStreamArn" \ --output text) echo "Stream ARN: $STREAM_ARN" # Describe the stream aws dynamodbstreams describe-stream \ --stream-arn $STREAM_ARN ``` Create a Lambda function for Streams. ``` # Step 1: Create an IAM role for the Lambda function cat > trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF aws iam create-role \ --role-name DynamoDBStreamsLambdaRole \ --assume-role-policy-document file://trust-policy.json # Step 2: Attach permissions to the role aws iam attach-role-policy \ --role-name DynamoDBStreamsLambdaRole \ --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole # Step 3: Create a Lambda function (code would be in a separate file) echo "Lambda function creation would be done separately with appropriate code" # Step 4: Create an event source mapping echo "Example command to create event source mapping:" echo "aws lambda create-event-source-mapping \\" echo " --function-name ProcessDynamoDBRecords \\" echo " --event-source $STREAM_ARN \\" echo " --batch-size 100 \\" echo " --starting-position LATEST" ``` Enable TTL on a table. ``` # Create a table for TTL demonstration aws dynamodb create-table \ --table-name TTLDemo \ --attribute-definitions \ AttributeName=ID,AttributeType=S \ --key-schema \ AttributeName=ID,KeyType=HASH \ --billing-mode PAY_PER_REQUEST # Wait for table to become active aws dynamodb wait table-exists --table-name TTLDemo # Enable TTL on the table aws dynamodb update-time-to-live \ --table-name TTLDemo \ --time-to-live-specification "Enabled=true, AttributeName=ExpirationTime" ``` Add items with TTL attributes. ``` # Calculate expiration time (current time + 1 day in seconds) EXPIRATION_TIME=$(date -d "+1 day" +%s) # Add an item with TTL attribute aws dynamodb put-item \ --table-name TTLDemo \ --item '{ "ID": {"S": "item1"}, "Data": {"S": "This item will expire in 1 day"}, "ExpirationTime": {"N": "'$EXPIRATION_TIME'"} }' # Add an item that expires in 1 hour EXPIRATION_TIME_HOUR=$(date -d "+1 hour" +%s) aws dynamodb put-item \ --table-name TTLDemo \ --item '{ "ID": {"S": "item2"}, "Data": {"S": "This item will expire in 1 hour"}, "ExpirationTime": {"N": "'$EXPIRATION_TIME_HOUR'"} }' ``` Describe TTL settings. ``` # Describe TTL settings for a table aws dynamodb describe-time-to-live \ --table-name TTLDemo ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + [DescribeTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DescribeTable) + [DescribeTimeToLive](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DescribeTimeToLive) + [PutItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/PutItem) + [UpdateTimeToLive](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/UpdateTimeToLive) ### Work with global tables and multi-Region replication eventual consistency (MREC) The following code example shows how to manage DynamoDB global tables with multi-Region replication with eventual consistency (MREC). + Create a table with multi-Region replication (MREC). + Put and get items from replica tables. + Remove replicas one-by-one. + Clean up by deleting the table. **AWS CLI with Bash script** Create a table with multi-Region replication. ``` # Step 1: Create a new table (MusicTable) in US East (Ohio), with DynamoDB Streams enabled (NEW_AND_OLD_IMAGES) aws dynamodb create-table \ --table-name MusicTable \ --attribute-definitions \ AttributeName=Artist,AttributeType=S \ AttributeName=SongTitle,AttributeType=S \ --key-schema \ AttributeName=Artist,KeyType=HASH \ AttributeName=SongTitle,KeyType=RANGE \ --billing-mode PAY_PER_REQUEST \ --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES \ --region us-east-2 # Step 2: Create an identical MusicTable table in US East (N. Virginia) aws dynamodb update-table --table-name MusicTable --cli-input-json \ '{ "ReplicaUpdates": [ { "Create": { "RegionName": "us-east-1" } } ] }' \ --region us-east-2 # Step 3: Create a table in Europe (Ireland) aws dynamodb update-table --table-name MusicTable --cli-input-json \ '{ "ReplicaUpdates": [ { "Create": { "RegionName": "eu-west-1" } } ] }' \ --region us-east-2 ``` Describe the multi-Region table. ``` # Step 4: View the list of replicas created using describe-table aws dynamodb describe-table \ --table-name MusicTable \ --region us-east-2 \ --query 'Table.{TableName:TableName,TableStatus:TableStatus,MultiRegionConsistency:MultiRegionConsistency,Replicas:Replicas[*].{Region:RegionName,Status:ReplicaStatus}}' ``` Put items in a replica table. ``` # Step 5: To verify that replication is working, add a new item to the Music table in US East (Ohio) aws dynamodb put-item \ --table-name MusicTable \ --item '{"Artist": {"S":"item_1"},"SongTitle": {"S":"Song Value 1"}}' \ --region us-east-2 ``` Get items from replica tables. ``` # Step 6: Wait for a few seconds, and then check to see whether the item has been # successfully replicated to US East (N. Virginia) and Europe (Ireland) aws dynamodb get-item \ --table-name MusicTable \ --key '{"Artist": {"S":"item_1"},"SongTitle": {"S":"Song Value 1"}}' \ --region us-east-1 aws dynamodb get-item \ --table-name MusicTable \ --key '{"Artist": {"S":"item_1"},"SongTitle": {"S":"Song Value 1"}}' \ --region eu-west-1 ``` Remove replicas. ``` # Step 7: Delete the replica table in Europe (Ireland) Region aws dynamodb update-table --table-name MusicTable --cli-input-json \ '{ "ReplicaUpdates": [ { "Delete": { "RegionName": "eu-west-1" } } ] }' \ --region us-east-2 # Delete the replica table in US East (N. Virginia) Region aws dynamodb update-table --table-name MusicTable --cli-input-json \ '{ "ReplicaUpdates": [ { "Delete": { "RegionName": "us-east-1" } } ] }' \ --region us-east-2 ``` Clean up by deleting the table. ``` # Clean up: Delete the primary table aws dynamodb delete-table --table-name MusicTable --region us-east-2 echo "Global table demonstration complete." ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + [DeleteTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DeleteTable) + [DescribeTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DescribeTable) + [GetItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/GetItem) + [PutItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/PutItem) + [UpdateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/UpdateTable) ### Work with resource tagging The following code example shows how to manage tags for DynamoDB resources. + Create a table with tags. + List tags for a resource. + Add tags to a resource. + Remove tags from a resource. + Filter tables by tags. **AWS CLI with Bash script** Create a table with tags. ``` # Create a table with tags aws dynamodb create-table \ --table-name TaggedTable \ --attribute-definitions \ AttributeName=ID,AttributeType=S \ --key-schema \ AttributeName=ID,KeyType=HASH \ --billing-mode PAY_PER_REQUEST \ --tags \ Key=Environment,Value=Production \ Key=Project,Value=Analytics \ Key=Owner,Value=DataTeam ``` List tags for a resource. ``` # Get the table ARN TABLE_ARN=$(aws dynamodb describe-table \ --table-name TaggedTable \ --query "Table.TableArn" \ --output text) # List tags for the table aws dynamodb list-tags-of-resource \ --resource-arn $TABLE_ARN ``` Add tags to a resource. ``` # Add tags to an existing table aws dynamodb tag-resource \ --resource-arn $TABLE_ARN \ --tags \ Key=CostCenter,Value=12345 \ Key=BackupSchedule,Value=Daily ``` Remove tags from a resource. ``` # Remove tags from a table aws dynamodb untag-resource \ --resource-arn $TABLE_ARN \ --tag-keys Owner BackupSchedule ``` Filter tables by tags. ``` # Create another table with different tags aws dynamodb create-table \ --table-name AnotherTaggedTable \ --attribute-definitions \ AttributeName=ID,AttributeType=S \ --key-schema \ AttributeName=ID,KeyType=HASH \ --billing-mode PAY_PER_REQUEST \ --tags \ Key=Environment,Value=Development \ Key=Project,Value=Testing # Wait for table to become active aws dynamodb wait table-exists --table-name AnotherTaggedTable # List all tables echo "All tables:" aws dynamodb list-tables # Get ARNs for all tables echo -e "\nFiltering tables by Environment=Production tag:" TABLE_ARNS=$(aws dynamodb list-tables --query "TableNames[*]" --output text | xargs -I {} aws dynamodb describe-table --table-name {} --query "Table.TableArn" --output text) # Find tables with specific tag for ARN in $TABLE_ARNS; do TABLE_NAME=$(echo $ARN | awk -F/ '{print $2}') TAGS=$(aws dynamodb list-tags-of-resource --resource-arn $ARN --query "Tags[?Key=='Environment' && Value=='Production']" --output text) if [ ! -z "$TAGS" ]; then echo "Table with Production tag: $TABLE_NAME" fi done ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + [ListTagsOfResource](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/ListTagsOfResource) + [TagResource](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/TagResource) + [UntagResource](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/UntagResource) ### Work with table encryption The following code example shows how to manage encryption options for DynamoDB tables. + Create a table with default encryption. + Create a table with a customer managed CMK. + Update table encryption settings. + Describe table encryption. **AWS CLI with Bash script** Create a table with default encryption. ``` # Create a table with default encryption (AWS owned key) aws dynamodb create-table \ --table-name CustomerData \ --attribute-definitions \ AttributeName=CustomerID,AttributeType=S \ --key-schema \ AttributeName=CustomerID,KeyType=HASH \ --billing-mode PAY_PER_REQUEST \ --sse-specification Enabled=true,SSEType=KMS ``` Create a table with a customer managed CMK. ``` # Step 1: Create a customer managed key in KMS aws kms create-key \ --description "Key for DynamoDB table encryption" \ --key-usage ENCRYPT_DECRYPT \ --customer-master-key-spec SYMMETRIC_DEFAULT # Store the key ID for later use KEY_ID=$(aws kms list-keys --query "Keys[?contains(KeyArn, 'Key for DynamoDB')].KeyId" --output text) # Step 2: Create a table with the customer managed key aws dynamodb create-table \ --table-name SensitiveData \ --attribute-definitions \ AttributeName=RecordID,AttributeType=S \ --key-schema \ AttributeName=RecordID,KeyType=HASH \ --billing-mode PAY_PER_REQUEST \ --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=$KEY_ID ``` Update table encryption. ``` # Update a table to use a different KMS key aws dynamodb update-table \ --table-name CustomerData \ --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=$KEY_ID ``` Describe table encryption. ``` # Describe the table to see encryption settings aws dynamodb describe-table \ --table-name CustomerData \ --query "Table.SSEDescription" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateKey](https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/CreateKey) + [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + [DescribeTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DescribeTable) + [UpdateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/UpdateTable) # Amazon EC2 examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon EC2. *Basics* are code examples that show you how to perform the essential operations within a service. *Actions* are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Basics](#basics) + [Actions](#actions) + [Scenarios](#scenarios) ## Basics ### Learn the basics The following code example shows how to: + Create a key pair and security group. + Select an Amazon Machine Image (AMI) and compatible instance type, then create an instance. + Stop and restart the instance. + Associate an Elastic IP address with your instance. + Connect to your instance with SSH, then clean up resources. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). Run an interactive scenario at a command prompt. ``` ############################################################################### # function get_started_with_ec2_instances # # Runs an interactive scenario that shows how to get started using EC2 instances. # # "EC2 access" permissions are needed to run this code. # # Returns: # 0 - If successful. # 1 - If an error occurred. ############################################################################### function get_started_with_ec2_instances() { # Requires version 4 for mapfile. local required_version=4.0 # Get the current Bash version # Check if BASH_VERSION is set local current_version if [[ -n "$BASH_VERSION" ]]; then # Convert BASH_VERSION to a number for comparison current_version=$BASH_VERSION else # Get the current Bash version using the bash command current_version=$(bash --version | head -n 1 | awk '{ print $4 }') fi # Convert version strings to numbers for comparison local required_version_num current_version_num required_version_num=$(echo "$required_version" | awk -F. '{ print ($1 * 10000) + ($2 * 100) + $3 }') current_version_num=$(echo "$current_version" | awk -F. '{ print ($1 * 10000) + ($2 * 100) + $3 }') # Compare versions if ((current_version_num < required_version_num)); then echo "Error: This script requires Bash version $required_version or higher." echo "Your current Bash version is number is $current_version." exit 1 fi { if [ "$EC2_OPERATIONS_SOURCED" != "True" ]; then source ./ec2_operations.sh fi } echo_repeat "*" 88 echo "Welcome to the Amazon Elastic Compute Cloud (Amazon EC2) get started with instances demo." echo_repeat "*" 88 echo echo "Let's create an RSA key pair that you can be use to securely connect to " echo "your EC2 instance." echo -n "Enter a unique name for your key: " get_input local key_name key_name=$get_input_result local temp_dir temp_dir=$(mktemp -d) local key_file_name="$temp_dir/${key_name}.pem" if ec2_create_keypair -n "${key_name}" -f "${key_file_name}"; then echo "Created a key pair $key_name and saved the private key to $key_file_name" echo else errecho "The key pair failed to create. This demo will exit." return 1 fi chmod 400 "${key_file_name}" if yes_no_input "Do you want to list some of your key pairs? (y/n) "; then local keys_and_fingerprints keys_and_fingerprints="$(ec2_describe_key_pairs)" && { local image_name_and_id while IFS=$'\n' read -r image_name_and_id; do local entries IFS=$'\t' read -ra entries <<<"$image_name_and_id" echo "Found rsa key ${entries[0]} with fingerprint:" echo " ${entries[1]}" done <<<"$keys_and_fingerprints" } fi echo_repeat "*" 88 echo_repeat "*" 88 echo "Let's create a security group to manage access to your instance." echo -n "Enter a unique name for your security group: " get_input local security_group_name security_group_name=$get_input_result local security_group_id security_group_id=$(ec2_create_security_group -n "$security_group_name" \ -d "Security group for EC2 instance") || { errecho "The security failed to create. This demo will exit." clean_up "$key_name" "$key_file_name" return 1 } echo "Security group created with ID $security_group_id" echo local public_ip public_ip=$(curl -s http://checkip.amazonaws.com) echo "Let's add a rule to allow SSH only from your current IP address." echo "Your public IP address is $public_ip" echo -n "press return to add this rule to your security group." get_input if ! ec2_authorize_security_group_ingress -g "$security_group_id" -i "$public_ip" -p tcp -f 22 -t 22; then errecho "The security group rules failed to update. This demo will exit." clean_up "$key_name" "$key_file_name" "$security_group_id" return 1 fi echo "Security group rules updated" local security_group_description security_group_description="$(ec2_describe_security_groups -g "${security_group_id}")" || { errecho "Failed to describe security groups. This demo will exit." clean_up "$key_name" "$key_file_name" "$security_group_id" return 1 } mapfile -t parameters <<<"$security_group_description" IFS=$'\t' read -ra entries <<<"${parameters[0]}" echo "Security group: ${entries[0]}" echo " ID: ${entries[1]}" echo " VPC: ${entries[2]}" echo "Inbound permissions:" IFS=$'\t' read -ra entries <<<"${parameters[1]}" echo " IpProtocol: ${entries[0]}" echo " FromPort: ${entries[1]}" echo " ToPort: ${entries[2]}" echo " CidrIp: ${parameters[2]}" local parameters parameters="$(ssm_get_parameters_by_path -p "/aws/service/ami-amazon-linux-latest")" || { errecho "Failed to get parameters. This demo will exit." clean_up "$key_name" "$key_file_name" "$security_group_id" return 1 } local image_ids="" mapfile -t parameters <<<"$parameters" for image_name_and_id in "${parameters[@]}"; do IFS=$'\t' read -ra values <<<"$image_name_and_id" if [[ "${values[0]}" == *"amzn2"* ]]; then image_ids+="${values[1]} " fi done local images images="$(ec2_describe_images -i "$image_ids")" || { errecho "Failed to describe images. This demo will exit." clean_up "$key_name" "$key_file_name" "$security_group_id" return 1 } new_line_and_tab_to_list "$images" local images=("${list_result[@]}") # Get the size of the array local images_count=${#images[@]} if ((images_count == 0)); then errecho "No images found. This demo will exit." clean_up "$key_name" "$key_file_name" "$security_group_id" return 1 fi echo_repeat "*" 88 echo_repeat "*" 88 echo "Let's create an instance from an Amazon Linux 2 AMI. Here are some options:" for ((i = 0; i < images_count; i += 3)); do echo "$(((i / 3) + 1)) - ${images[$i]}" done integer_input "Please enter the number of the AMI you want to use: " 1 "$((images_count / 3))" local choice=$get_input_result choice=$(((choice - 1) * 3)) echo "Great choice." echo local architecture=${images[$((choice + 1))]} local image_id=${images[$((choice + 2))]} echo "Here are some instance types that support the ${architecture} architecture of the image:" response="$(ec2_describe_instance_types -a "${architecture}" -t "*.micro,*.small")" || { errecho "Failed to describe instance types. This demo will exit." clean_up "$key_name" "$key_file_name" "$security_group_id" return 1 } local instance_types mapfile -t instance_types <<<"$response" # Get the size of the array local instance_types_count=${#instance_types[@]} echo "Here are some options:" for ((i = 0; i < instance_types_count; i++)); do echo "$((i + 1)) - ${instance_types[$i]}" done integer_input "Which one do you want to use? " 1 "${#instance_types[@]} " choice=$get_input_result local instance_type=${instance_types[$((choice - 1))]} echo "Another great choice." echo echo "Creating your instance and waiting for it to start..." local instance_id instance_id=$(ec2_run_instances -i "$image_id" -t "$instance_type" -k "$key_name" -s "$security_group_id") || { errecho "Failed to run instance. This demo will exit." clean_up "$key_name" "$key_file_name" "$security_group_id" return 1 } ec2_wait_for_instance_running -i "$instance_id" echo "Your instance is ready:" echo local instance_details instance_details="$(ec2_describe_instances -i "${instance_id}")" echo print_instance_details "${instance_details}" local public_ip public_ip=$(echo "${instance_details}" | awk '{print $6}') echo echo "You can use SSH to connect to your instance" echo "If the connection attempt times out, you might have to manually update the SSH ingress rule" echo "for your IP address in the AWS Management Console." connect_to_instance "$key_file_name" "$public_ip" echo -n "Press Enter when you're ready to continue the demo: " get_input echo_repeat "*" 88 echo_repeat "*" 88 echo "Let's stop and start your instance to see what changes." echo "Stopping your instance and waiting until it's stopped..." ec2_stop_instances -i "$instance_id" ec2_wait_for_instance_stopped -i "$instance_id" echo "Your instance is stopped. Restarting..." ec2_start_instances -i "$instance_id" ec2_wait_for_instance_running -i "$instance_id" echo "Your instance is running again." local instance_details instance_details="$(ec2_describe_instances -i "${instance_id}")" print_instance_details "${instance_details}" public_ip=$(echo "${instance_details}" | awk '{print $6}') echo "Every time your instance is restarted, its public IP address changes" connect_to_instance "$key_file_name" "$public_ip" echo -n "Press Enter when you're ready to continue the demo: " get_input echo_repeat "*" 88 echo_repeat "*" 88 echo "You can allocate an Elastic IP address and associate it with your instance" echo "to keep a consistent IP address even when your instance restarts." local result result=$(ec2_allocate_address -d vpc) || { errecho "Failed to allocate an address. This demo will exit." clean_up "$key_name" "$key_file_name" "$security_group_id" "$instance_id" return 1 } local elastic_ip allocation_id elastic_ip=$(echo "$result" | awk '{print $1}') allocation_id=$(echo "$result" | awk '{print $2}') echo "Allocated static Elastic IP address: $elastic_ip" local association_id association_id=$(ec2_associate_address -i "$instance_id" -a "$allocation_id") || { errecho "Failed to associate an address. This demo will exit." clean_up "$key_name" "$key_file_name" "$security_group_id" "$instance_id" "$allocation_id" return 1 } echo "Associated your Elastic IP with your instance." echo "You can now use SSH to connect to your instance by using the Elastic IP." connect_to_instance "$key_file_name" "$elastic_ip" echo -n "Press Enter when you're ready to continue the demo: " get_input echo_repeat "*" 88 echo_repeat "*" 88 echo "Let's stop and start your instance to see what changes." echo "Stopping your instance and waiting until it's stopped..." ec2_stop_instances -i "$instance_id" ec2_wait_for_instance_stopped -i "$instance_id" echo "Your instance is stopped. Restarting..." ec2_start_instances -i "$instance_id" ec2_wait_for_instance_running -i "$instance_id" echo "Your instance is running again." local instance_details instance_details="$(ec2_describe_instances -i "${instance_id}")" print_instance_details "${instance_details}" echo "Because you have associated an Elastic IP with your instance, you can" echo "connect by using a consistent IP address after the instance restarts." connect_to_instance "$key_file_name" "$elastic_ip" echo -n "Press Enter when you're ready to continue the demo: " get_input echo_repeat "*" 88 echo_repeat "*" 88 if yes_no_input "Do you want to delete the resources created in this demo: (y/n) "; then clean_up "$key_name" "$key_file_name" "$security_group_id" "$instance_id" \ "$allocation_id" "$association_id" else echo "The following resources were not deleted." echo "Key pair: $key_name" echo "Key file: $key_file_name" echo "Security group: $security_group_id" echo "Instance: $instance_id" echo "Elastic IP address: $elastic_ip" fi } ############################################################################### # function clean_up # # This function cleans up the created resources. # $1 - The name of the ec2 key pair to delete. # $2 - The name of the key file to delete. # $3 - The ID of the security group to delete. # $4 - The ID of the instance to terminate. # $5 - The ID of the elastic IP address to release. # $6 - The ID of the elastic IP address to disassociate. # # Returns: # 0 - If successful. # 1 - If an error occurred. ############################################################################### function clean_up() { local result=0 local key_pair_name=$1 local key_file_name=$2 local security_group_id=$3 local instance_id=$4 local allocation_id=$5 local association_id=$6 if [ -n "$association_id" ]; then # bashsupport disable=BP2002 if (ec2_disassociate_address -a "$association_id"); then echo "Disassociated elastic IP address with ID $association_id" else errecho "The elastic IP address disassociation failed." result=1 fi fi if [ -n "$allocation_id" ]; then # bashsupport disable=BP2002 if (ec2_release_address -a "$allocation_id"); then echo "Released elastic IP address with ID $allocation_id" else errecho "The elastic IP address release failed." result=1 fi fi if [ -n "$instance_id" ]; then # bashsupport disable=BP2002 if (ec2_terminate_instances -i "$instance_id"); then echo "Started terminating instance with ID $instance_id" ec2_wait_for_instance_terminated -i "$instance_id" else errecho "The instance terminate failed." result=1 fi fi if [ -n "$security_group_id" ]; then # bashsupport disable=BP2002 if (ec2_delete_security_group -i "$security_group_id"); then echo "Deleted security group with ID $security_group_id" else errecho "The security group delete failed." result=1 fi fi if [ -n "$key_pair_name" ]; then # bashsupport disable=BP2002 if (ec2_delete_keypair -n "$key_pair_name"); then echo "Deleted key pair named $key_pair_name" else errecho "The key pair delete failed." result=1 fi fi if [ -n "$key_file_name" ]; then rm -f "$key_file_name" fi return $result } ############################################################################### # function ssm_get_parameters_by_path # # This function retrieves one or more parameters from the AWS Systems Manager Parameter Store # by specifying a parameter path. # # Parameters: # -p parameter_path - The path of the parameter(s) to retrieve. # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ssm_get_parameters_by_path() { local parameter_path response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ssm_get_parameters_by_path" echo "Retrieves one or more parameters from the AWS Systems Manager Parameter Store by specifying a parameter path." echo " -p parameter_path - The path of the parameter(s) to retrieve." echo "" } # Retrieve the calling parameters. while getopts "p:h" option; do case "${option}" in p) parameter_path="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$parameter_path" ]]; then errecho "ERROR: You must provide a parameter path with the -p parameter." usage return 1 fi response=$(aws ssm get-parameters-by-path \ --path "$parameter_path" \ --query "Parameters[*].[Name, Value]" \ --output text) || { aws_cli_error_log $? errecho "ERROR: AWS reports get-parameters-by-path operation failed.$response" return 1 } echo "$response" return 0 } ############################################################################### # function print_instance_details # # This function prints the details of an Amazon Elastic Compute Cloud (Amazon EC2) instance. # # Parameters: # instance_details - The instance details in the format "InstanceId ImageId InstanceType KeyName VpcId PublicIpAddress State.Name". # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function print_instance_details() { local instance_details="$1" if [[ -z "${instance_details}" ]]; then echo "Error: Missing required instance details argument." return 1 fi local instance_id image_id instance_type key_name vpc_id public_ip state instance_id=$(echo "${instance_details}" | awk '{print $1}') image_id=$(echo "${instance_details}" | awk '{print $2}') instance_type=$(echo "${instance_details}" | awk '{print $3}') key_name=$(echo "${instance_details}" | awk '{print $4}') vpc_id=$(echo "${instance_details}" | awk '{print $5}') public_ip=$(echo "${instance_details}" | awk '{print $6}') state=$(echo "${instance_details}" | awk '{print $7}') echo " ID: ${instance_id}" echo " Image ID: ${image_id}" echo " Instance type: ${instance_type}" echo " Key name: ${key_name}" echo " VPC ID: ${vpc_id}" echo " Public IP: ${public_ip}" echo " State: ${state}" return 0 } ############################################################################### # function connect_to_instance # # This function displays the public IP address of an Amazon Elastic Compute Cloud (Amazon EC2) instance and prompts the user to connect to the instance via SSH. # # Parameters: # $1 - The name of the key file used to connect to the instance. # $2 - The public IP address of the instance. # # Returns: # None ############################################################################### function connect_to_instance() { local key_file_name="$1" local public_ip="$2" # Validate the input parameters if [[ -z "$key_file_name" ]]; then echo "ERROR: You must provide a key file name as the first argument." >&2 return 1 fi if [[ -z "$public_ip" ]]; then echo "ERROR: You must provide a public IP address as the second argument." >&2 return 1 fi # Display the public IP address and connection command echo "To connect, run the following command:" echo " ssh -i ${key_file_name} ec2-user@${public_ip}" # Prompt the user to connect to the instance if yes_no_input "Do you want to connect now? (y/n) "; then echo "After you have connected, you can return to this example by typing 'exit'" ssh -i "${key_file_name}" ec2-user@"${public_ip}" fi } ############################################################################### # function get_input # # This function gets user input from the command line. # # Outputs: # User input to stdout. # # Returns: # 0 ############################################################################### function get_input() { if [ -z "${mock_input+x}" ]; then read -r get_input_result else if [ "$mock_input_array_index" -lt ${#mock_input_array[@]} ]; then get_input_result="${mock_input_array[$mock_input_array_index]}" # bashsupport disable=BP2001 # shellcheck disable=SC2206 ((mock_input_array_index++)) echo -n "$get_input_result" else echo "MOCK_INPUT_ARRAY has no more elements" 1>&2 return 1 fi fi return 0 } ############################################################################### # function yes_no_input # # This function requests a yes/no answer from the user, following to a prompt. # # Parameters: # $1 - The prompt. # # Returns: # 0 - If yes. # 1 - If no. ############################################################################### function yes_no_input() { if [ -z "$1" ]; then echo "Internal error yes_no_input" return 1 fi local index=0 local response="N" while [[ $index -lt 10 ]]; do index=$((index + 1)) echo -n "$1" if ! get_input; then return 1 fi response=$(echo "$get_input_result" | tr '[:upper:]' '[:lower:]') if [ "$response" = "y" ] || [ "$response" = "n" ]; then break else echo -e "\nPlease enter or 'y' or 'n'." fi done echo if [ "$response" = "y" ]; then return 0 else return 1 fi } ############################################################################### # function integer_input # # This function prompts the user to enter an integer within a specified range # and validates the input. # # Parameters: # $1 - The prompt message to display to the user. # $2 - The minimum value of the accepted range. # $3 - The maximum value of the accepted range. # # Returns: # The valid integer input from the user. # If the input is invalid or out of range, the function will continue # prompting the user until a valid input is provided. ############################################################################### function integer_input() { local prompt="$1" local min_value="$2" local max_value="$3" local input="" while true; do # Display the prompt message and wait for user input echo -n "$prompt" if ! get_input; then return 1 fi input="$get_input_result" # Check if the input is a valid integer if [[ "$input" =~ ^-?[0-9]+$ ]]; then # Check if the input is within the specified range if ((input >= min_value && input <= max_value)); then return 0 else echo "Error: Input, $input, must be between $min_value and $max_value." fi else echo "Error: Invalid input- $input. Please enter an integer." fi done } ############################################################################### # function new_line_and_tab_to_list # # This function takes a string input containing newlines and tabs, and # converts it into a list (array) of elements. # # Parameters: # $1 - The input string containing newlines and tabs. # # Returns: # The resulting list (array) is stored in the global variable # 'list_result'. ############################################################################### function new_line_and_tab_to_list() { local input=$1 export list_result list_result=() mapfile -t lines <<<"$input" local line for line in "${lines[@]}"; do IFS=$'\t' read -ra parameters <<<"$line" list_result+=("${parameters[@]}") done } ############################################################################### # function echo_repeat # # This function prints a string 'n' times to stdout. # # Parameters: # $1 - The string. # $2 - Number of times to print the string. # # Outputs: # String 'n' times to stdout. # # Returns: # 0 ############################################################################### function echo_repeat() { local end=$2 for ((i = 0; i < end; i++)); do echo -n "$1" done echo } ``` The DynamoDB functions used in this scenario. ``` ############################################################################### # function ec2_create_keypair # # This function creates an Amazon Elastic Compute Cloud (Amazon EC2) ED25519 or 2048-bit RSA key pair # and writes it to a file. # # Parameters: # -n key_pair_name - A key pair name. # -f file_path - File to store the key pair. # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_create_keypair() { local key_pair_name file_path response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_create_keypair" echo "Creates an Amazon Elastic Compute Cloud (Amazon EC2) ED25519 or 2048-bit RSA key pair" echo " and writes it to a file." echo " -n key_pair_name - A key pair name." echo " -f file_path - File to store the key pair." echo "" } # Retrieve the calling parameters. while getopts "n:f:h" option; do case "${option}" in n) key_pair_name="${OPTARG}" ;; f) file_path="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$key_pair_name" ]]; then errecho "ERROR: You must provide a key name with the -n parameter." usage return 1 fi if [[ -z "$file_path" ]]; then errecho "ERROR: You must provide a file path with the -f parameter." usage return 1 fi response=$(aws ec2 create-key-pair \ --key-name "$key_pair_name" \ --query 'KeyMaterial' \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports create-access-key operation failed.$response" return 1 } if [[ -n "$file_path" ]]; then echo "$response" >"$file_path" fi return 0 } ############################################################################### # function ec2_describe_key_pairs # # This function describes one or more Amazon Elastic Compute Cloud (Amazon EC2) key pairs. # # Parameters: # -h - Display help. # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_describe_key_pairs() { local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_describe_key_pairs" echo "Describes one or more Amazon Elastic Compute Cloud (Amazon EC2) key pairs." echo " -h - Display help." echo "" } # Retrieve the calling parameters. while getopts "h" option; do case "${option}" in h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 local response response=$(aws ec2 describe-key-pairs \ --query 'KeyPairs[*].[KeyName, KeyFingerprint]' \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports describe-key-pairs operation failed.$response" return 1 } echo "$response" return 0 } ############################################################################### # function ec2_create_security_group # # This function creates an Amazon Elastic Compute Cloud (Amazon EC2) security group. # # Parameters: # -n security_group_name - The name of the security group. # -d security_group_description - The description of the security group. # # Returns: # The ID of the created security group, or an error message if the operation fails. # And: # 0 - If successful. # 1 - If it fails. # ############################################################################### function ec2_create_security_group() { local security_group_name security_group_description response # Function to display usage information function usage() { echo "function ec2_create_security_group" echo "Creates an Amazon Elastic Compute Cloud (Amazon EC2) security group." echo " -n security_group_name - The name of the security group." echo " -d security_group_description - The description of the security group." echo "" } # Parse the command-line arguments while getopts "n:d:h" option; do case "${option}" in n) security_group_name="${OPTARG}" ;; d) security_group_description="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 # Validate the input parameters if [[ -z "$security_group_name" ]]; then errecho "ERROR: You must provide a security group name with the -n parameter." return 1 fi if [[ -z "$security_group_description" ]]; then errecho "ERROR: You must provide a security group description with the -d parameter." return 1 fi # Create the security group response=$(aws ec2 create-security-group \ --group-name "$security_group_name" \ --description "$security_group_description" \ --query "GroupId" \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports create-security-group operation failed." errecho "$response" return 1 } echo "$response" return 0 } ############################################################################### # function ec2_describe_security_groups # # This function describes one or more Amazon Elastic Compute Cloud (Amazon EC2) security groups. # # Parameters: # -g security_group_id - The ID of the security group to describe (optional). # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_describe_security_groups() { local security_group_id response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_describe_security_groups" echo "Describes one or more Amazon Elastic Compute Cloud (Amazon EC2) security groups." echo " -g security_group_id - The ID of the security group to describe (optional)." echo "" } # Retrieve the calling parameters. while getopts "g:h" option; do case "${option}" in g) security_group_id="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 local query="SecurityGroups[*].[GroupName, GroupId, VpcId, IpPermissions[*].[IpProtocol, FromPort, ToPort, IpRanges[*].CidrIp]]" if [[ -n "$security_group_id" ]]; then response=$(aws ec2 describe-security-groups --group-ids "$security_group_id" --query "${query}" --output text) else response=$(aws ec2 describe-security-groups --query "${query}" --output text) fi local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports describe-security-groups operation failed.$response" return 1 fi echo "$response" return 0 } ############################################################################### # function ec2_authorize_security_group_ingress # # This function authorizes an ingress rule for an Amazon Elastic Compute Cloud (Amazon EC2) security group. # # Parameters: # -g security_group_id - The ID of the security group. # -i ip_address - The IP address or CIDR block to authorize. # -p protocol - The protocol to authorize (e.g., tcp, udp, icmp). # -f from_port - The start of the port range to authorize. # -t to_port - The end of the port range to authorize. # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_authorize_security_group_ingress() { local security_group_id ip_address protocol from_port to_port response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_authorize_security_group_ingress" echo "Authorizes an ingress rule for an Amazon Elastic Compute Cloud (Amazon EC2) security group." echo " -g security_group_id - The ID of the security group." echo " -i ip_address - The IP address or CIDR block to authorize." echo " -p protocol - The protocol to authorize (e.g., tcp, udp, icmp)." echo " -f from_port - The start of the port range to authorize." echo " -t to_port - The end of the port range to authorize." echo "" } # Retrieve the calling parameters. while getopts "g:i:p:f:t:h" option; do case "${option}" in g) security_group_id="${OPTARG}" ;; i) ip_address="${OPTARG}" ;; p) protocol="${OPTARG}" ;; f) from_port="${OPTARG}" ;; t) to_port="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$security_group_id" ]]; then errecho "ERROR: You must provide a security group ID with the -g parameter." usage return 1 fi if [[ -z "$ip_address" ]]; then errecho "ERROR: You must provide an IP address or CIDR block with the -i parameter." usage return 1 fi if [[ -z "$protocol" ]]; then errecho "ERROR: You must provide a protocol with the -p parameter." usage return 1 fi if [[ -z "$from_port" ]]; then errecho "ERROR: You must provide a start port with the -f parameter." usage return 1 fi if [[ -z "$to_port" ]]; then errecho "ERROR: You must provide an end port with the -t parameter." usage return 1 fi response=$(aws ec2 authorize-security-group-ingress \ --group-id "$security_group_id" \ --cidr "${ip_address}/32" \ --protocol "$protocol" \ --port "$from_port-$to_port" \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports authorize-security-group-ingress operation failed.$response" return 1 } return 0 } ############################################################################### # function ec2_describe_images # # This function describes one or more Amazon Elastic Compute Cloud (Amazon EC2) images. # # Parameters: # -i image_ids - A space-separated list of image IDs (optional). # -h - Display help. # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_describe_images() { local image_ids response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_describe_images" echo "Describes one or more Amazon Elastic Compute Cloud (Amazon EC2) images." echo " -i image_ids - A space-separated list of image IDs (optional)." echo " -h - Display help." echo "" } # Retrieve the calling parameters. while getopts "i:h" option; do case "${option}" in i) image_ids="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 local aws_cli_args=() if [[ -n "$image_ids" ]]; then # shellcheck disable=SC2206 aws_cli_args+=("--image-ids" $image_ids) fi response=$(aws ec2 describe-images \ "${aws_cli_args[@]}" \ --query 'Images[*].[Description,Architecture,ImageId]' \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports describe-images operation failed.$response" return 1 } echo "$response" return 0 } ############################################################################### # ec2_describe_instance_types # # This function describes EC2 instance types filtered by processor architecture # and optionally by instance type. It takes the following arguments: # # -a, --architecture ARCHITECTURE Specify the processor architecture (e.g., x86_64) # -t, --type INSTANCE_TYPE Comma-separated list of instance types (e.g., t2.micro) # -h, --help Show the usage help # # The function prints the instance type and supported architecture for each # matching instance type. ############################################################################### function ec2_describe_instance_types() { local architecture="" local instance_types="" # bashsupport disable=BP5008 function usage() { echo "Usage: ec2_describe_instance_types [-a|--architecture ARCHITECTURE] [-t|--type INSTANCE_TYPE] [-h|--help]" echo " -a, --architecture ARCHITECTURE Specify the processor architecture (e.g., x86_64)" echo " -t, --type INSTANCE_TYPE Comma-separated list of instance types (e.g., t2.micro)" echo " -h, --help Show this help message" } while [[ $# -gt 0 ]]; do case "$1" in -a | --architecture) architecture="$2" shift 2 ;; -t | --type) instance_types="$2" shift 2 ;; -h | --help) usage return 0 ;; *) echo "Unknown argument: $1" return 1 ;; esac done if [[ -z "$architecture" ]]; then errecho "Error: Architecture not specified." usage return 1 fi if [[ -z "$instance_types" ]]; then errecho "Error: Instance type not specified." usage return 1 fi local tmp_json_file="temp_ec2.json" echo -n '[ { "Name": "processor-info.supported-architecture", "Values": [' >"$tmp_json_file" local items IFS=',' read -ra items <<<"$architecture" local array_size array_size=${#items[@]} for i in $(seq 0 $((array_size - 1))); do echo -n '"'"${items[$i]}"'"' >>"$tmp_json_file" if [[ $i -lt $((array_size - 1)) ]]; then echo -n ',' >>"$tmp_json_file" fi done echo -n ']}, { "Name": "instance-type", "Values": [' >>"$tmp_json_file" IFS=',' read -ra items <<<"$instance_types" local array_size array_size=${#items[@]} for i in $(seq 0 $((array_size - 1))); do echo -n '"'"${items[$i]}"'"' >>"$tmp_json_file" if [[ $i -lt $((array_size - 1)) ]]; then echo -n ',' >>"$tmp_json_file" fi done echo -n ']}]' >>"$tmp_json_file" local response response=$(aws ec2 describe-instance-types --filters file://"$tmp_json_file" \ --query 'InstanceTypes[*].[InstanceType]' --output text) local error_code=$? rm "$tmp_json_file" if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code echo "ERROR: AWS reports describe-instance-types operation failed." return 1 fi echo "$response" return 0 } ############################################################################### # function ec2_run_instances # # This function launches one or more Amazon Elastic Compute Cloud (Amazon EC2) instances. # # Parameters: # -i image_id - The ID of the Amazon Machine Image (AMI) to use. # -t instance_type - The instance type to use (e.g., t2.micro). # -k key_pair_name - The name of the key pair to use. # -s security_group_id - The ID of the security group to use. # -c count - The number of instances to launch (default: 1). # -h - Display help. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_run_instances() { local image_id instance_type key_pair_name security_group_id count response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_run_instances" echo "Launches one or more Amazon Elastic Compute Cloud (Amazon EC2) instances." echo " -i image_id - The ID of the Amazon Machine Image (AMI) to use." echo " -t instance_type - The instance type to use (e.g., t2.micro)." echo " -k key_pair_name - The name of the key pair to use." echo " -s security_group_id - The ID of the security group to use." echo " -c count - The number of instances to launch (default: 1)." echo " -h - Display help." echo "" } # Retrieve the calling parameters. while getopts "i:t:k:s:c:h" option; do case "${option}" in i) image_id="${OPTARG}" ;; t) instance_type="${OPTARG}" ;; k) key_pair_name="${OPTARG}" ;; s) security_group_id="${OPTARG}" ;; c) count="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$image_id" ]]; then errecho "ERROR: You must provide an Amazon Machine Image (AMI) ID with the -i parameter." usage return 1 fi if [[ -z "$instance_type" ]]; then errecho "ERROR: You must provide an instance type with the -t parameter." usage return 1 fi if [[ -z "$key_pair_name" ]]; then errecho "ERROR: You must provide a key pair name with the -k parameter." usage return 1 fi if [[ -z "$security_group_id" ]]; then errecho "ERROR: You must provide a security group ID with the -s parameter." usage return 1 fi if [[ -z "$count" ]]; then count=1 fi response=$(aws ec2 run-instances \ --image-id "$image_id" \ --instance-type "$instance_type" \ --key-name "$key_pair_name" \ --security-group-ids "$security_group_id" \ --count "$count" \ --query 'Instances[*].[InstanceId]' \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports run-instances operation failed.$response" return 1 } echo "$response" return 0 } ############################################################################### # function ec2_describe_instances # # This function describes one or more Amazon Elastic Compute Cloud (Amazon EC2) instances. # # Parameters: # -i instance_id - The ID of the instance to describe (optional). # -q query - The query to filter the response (optional). # -h - Display help. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_describe_instances() { local instance_id query response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_describe_instances" echo "Describes one or more Amazon Elastic Compute Cloud (Amazon EC2) instances." echo " -i instance_id - The ID of the instance to describe (optional)." echo " -q query - The query to filter the response (optional)." echo " -h - Display help." echo "" } # Retrieve the calling parameters. while getopts "i:q:h" option; do case "${option}" in i) instance_id="${OPTARG}" ;; q) query="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 local aws_cli_args=() if [[ -n "$instance_id" ]]; then # shellcheck disable=SC2206 aws_cli_args+=("--instance-ids" $instance_id) fi local query_arg="" if [[ -n "$query" ]]; then query_arg="--query '$query'" else query_arg="--query Reservations[*].Instances[*].[InstanceId,ImageId,InstanceType,KeyName,VpcId,PublicIpAddress,State.Name]" fi # shellcheck disable=SC2086 response=$(aws ec2 describe-instances \ "${aws_cli_args[@]}" \ $query_arg \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports describe-instances operation failed.$response" return 1 } echo "$response" return 0 } ############################################################################### # function ec2_stop_instances # # This function stops one or more Amazon Elastic Compute Cloud (Amazon EC2) instances. # # Parameters: # -i instance_id - The ID(s) of the instance(s) to stop (comma-separated). # -h - Display help. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_stop_instances() { local instance_ids local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_stop_instances" echo "Stops one or more Amazon Elastic Compute Cloud (Amazon EC2) instances." echo " -i instance_id - The ID(s) of the instance(s) to stop (comma-separated)." echo " -h - Display help." echo "" } # Retrieve the calling parameters. while getopts "i:h" option; do case "${option}" in i) instance_ids="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$instance_ids" ]]; then errecho "ERROR: You must provide one or more instance IDs with the -i parameter." usage return 1 fi response=$(aws ec2 stop-instances \ --instance-ids "${instance_ids}") || { aws_cli_error_log ${?} errecho "ERROR: AWS reports stop-instances operation failed with $response." return 1 } return 0 } ############################################################################### # function ec2_start_instances # # This function starts one or more Amazon Elastic Compute Cloud (Amazon EC2) instances. # # Parameters: # -i instance_id - The ID(s) of the instance(s) to start (comma-separated). # -h - Display help. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_start_instances() { local instance_ids local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_start_instances" echo "Starts one or more Amazon Elastic Compute Cloud (Amazon EC2) instances." echo " -i instance_id - The ID(s) of the instance(s) to start (comma-separated)." echo " -h - Display help." echo "" } # Retrieve the calling parameters. while getopts "i:h" option; do case "${option}" in i) instance_ids="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$instance_ids" ]]; then errecho "ERROR: You must provide one or more instance IDs with the -i parameter." usage return 1 fi response=$(aws ec2 start-instances \ --instance-ids "${instance_ids}") || { aws_cli_error_log ${?} errecho "ERROR: AWS reports start-instances operation failed with $response." return 1 } return 0 } ############################################################################### # function ec2_allocate_address # # This function allocates an Elastic IP address for use with Amazon Elastic Compute Cloud (Amazon EC2) instances in a specific AWS Region. # # Parameters: # -d domain - The domain for the Elastic IP address (either 'vpc' or 'standard'). # # Returns: # The allocated Elastic IP address, or an error message if the operation fails. # And: # 0 - If successful. # 1 - If it fails. # ############################################################################### function ec2_allocate_address() { local domain response # Function to display usage information function usage() { echo "function ec2_allocate_address" echo "Allocates an Elastic IP address for use with Amazon Elastic Compute Cloud (Amazon EC2) instances in a specific AWS Region." echo " -d domain - The domain for the Elastic IP address (either 'vpc' or 'standard')." echo "" } # Parse the command-line arguments while getopts "d:h" option; do case "${option}" in d) domain="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 # Validate the input parameters if [[ -z "$domain" ]]; then errecho "ERROR: You must provide a domain with the -d parameter (either 'vpc' or 'standard')." return 1 fi if [[ "$domain" != "vpc" && "$domain" != "standard" ]]; then errecho "ERROR: Invalid domain value. Must be either 'vpc' or 'standard'." return 1 fi # Allocate the Elastic IP address response=$(aws ec2 allocate-address \ --domain "$domain" \ --query "[PublicIp,AllocationId]" \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports allocate-address operation failed." errecho "$response" return 1 } echo "$response" return 0 } ############################################################################### # function ec2_associate_address # # This function associates an Elastic IP address with an Amazon Elastic Compute Cloud (Amazon EC2) instance. # # Parameters: # -a allocation_id - The allocation ID of the Elastic IP address to associate. # -i instance_id - The ID of the EC2 instance to associate the Elastic IP address with. # # Returns: # 0 - If successful. # 1 - If it fails. # ############################################################################### function ec2_associate_address() { local allocation_id instance_id response # Function to display usage information function usage() { echo "function ec2_associate_address" echo "Associates an Elastic IP address with an Amazon Elastic Compute Cloud (Amazon EC2) instance." echo " -a allocation_id - The allocation ID of the Elastic IP address to associate." echo " -i instance_id - The ID of the EC2 instance to associate the Elastic IP address with." echo "" } # Parse the command-line arguments while getopts "a:i:h" option; do case "${option}" in a) allocation_id="${OPTARG}" ;; i) instance_id="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 # Validate the input parameters if [[ -z "$allocation_id" ]]; then errecho "ERROR: You must provide an allocation ID with the -a parameter." return 1 fi if [[ -z "$instance_id" ]]; then errecho "ERROR: You must provide an instance ID with the -i parameter." return 1 fi # Associate the Elastic IP address response=$(aws ec2 associate-address \ --allocation-id "$allocation_id" \ --instance-id "$instance_id" \ --query "AssociationId" \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports associate-address operation failed." errecho "$response" return 1 } echo "$response" return 0 } ############################################################################### # function ec2_disassociate_address # # This function disassociates an Elastic IP address from an Amazon Elastic Compute Cloud (Amazon EC2) instance. # # Parameters: # -a association_id - The association ID that represents the association of the Elastic IP address with an instance. # # And: # 0 - If successful. # 1 - If it fails. # ############################################################################### function ec2_disassociate_address() { local association_id response # Function to display usage information function usage() { echo "function ec2_disassociate_address" echo "Disassociates an Elastic IP address from an Amazon Elastic Compute Cloud (Amazon EC2) instance." echo " -a association_id - The association ID that represents the association of the Elastic IP address with an instance." echo "" } # Parse the command-line arguments while getopts "a:h" option; do case "${option}" in a) association_id="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 # Validate the input parameters if [[ -z "$association_id" ]]; then errecho "ERROR: You must provide an association ID with the -a parameter." return 1 fi response=$(aws ec2 disassociate-address \ --association-id "$association_id") || { aws_cli_error_log ${?} errecho "ERROR: AWS reports disassociate-address operation failed." errecho "$response" return 1 } return 0 } ############################################################################### # function ec2_release_address # # This function releases an Elastic IP address from an Amazon Elastic Compute Cloud (Amazon EC2) instance. # # Parameters: # -a allocation_id - The allocation ID of the Elastic IP address to release. # # Returns: # 0 - If successful. # 1 - If it fails. # ############################################################################### function ec2_release_address() { local allocation_id response # Function to display usage information function usage() { echo "function ec2_release_address" echo "Releases an Elastic IP address from an Amazon Elastic Compute Cloud (Amazon EC2) instance." echo " -a allocation_id - The allocation ID of the Elastic IP address to release." echo "" } # Parse the command-line arguments while getopts "a:h" option; do case "${option}" in a) allocation_id="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 # Validate the input parameters if [[ -z "$allocation_id" ]]; then errecho "ERROR: You must provide an allocation ID with the -a parameter." return 1 fi response=$(aws ec2 release-address \ --allocation-id "$allocation_id") || { aws_cli_error_log ${?} errecho "ERROR: AWS reports release-address operation failed." errecho "$response" return 1 } return 0 } ############################################################################### # function ec2_terminate_instances # # This function terminates one or more Amazon Elastic Compute Cloud (Amazon EC2) # instances using the AWS CLI. # # Parameters: # -i instance_ids - A space-separated list of instance IDs. # -h - Display help. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_terminate_instances() { local instance_ids response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_terminate_instances" echo "Terminates one or more Amazon Elastic Compute Cloud (Amazon EC2) instances." echo " -i instance_ids - A space-separated list of instance IDs." echo " -h - Display help." echo "" } # Retrieve the calling parameters. while getopts "i:h" option; do case "${option}" in i) instance_ids="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 # Check if instance ID is provided if [[ -z "${instance_ids}" ]]; then echo "Error: Missing required instance IDs parameter." usage return 1 fi # shellcheck disable=SC2086 response=$(aws ec2 terminate-instances \ "--instance-ids" $instance_ids \ --query 'TerminatingInstances[*].[InstanceId,CurrentState.Name]' \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports terminate-instances operation failed.$response" return 1 } return 0 } ############################################################################### # function ec2_delete_security_group # # This function deletes an Amazon Elastic Compute Cloud (Amazon EC2) security group. # # Parameters: # -i security_group_id - The ID of the security group to delete. # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_delete_security_group() { local security_group_id response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_delete_security_group" echo "Deletes an Amazon Elastic Compute Cloud (Amazon EC2) security group." echo " -i security_group_id - The ID of the security group to delete." echo "" } # Retrieve the calling parameters. while getopts "i:h" option; do case "${option}" in i) security_group_id="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$security_group_id" ]]; then errecho "ERROR: You must provide a security group ID with the -i parameter." usage return 1 fi response=$(aws ec2 delete-security-group --group-id "$security_group_id" --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports delete-security-group operation failed.$response" return 1 } return 0 } ############################################################################### # function ec2_delete_keypair # # This function deletes an Amazon EC2 ED25519 or 2048-bit RSA key pair. # # Parameters: # -n key_pair_name - A key pair name. # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_delete_keypair() { local key_pair_name response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_delete_keypair" echo "Deletes an Amazon EC2 ED25519 or 2048-bit RSA key pair." echo " -n key_pair_name - A key pair name." echo "" } # Retrieve the calling parameters. while getopts "n:h" option; do case "${option}" in n) key_pair_name="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$key_pair_name" ]]; then errecho "ERROR: You must provide a key pair name with the -n parameter." usage return 1 fi response=$(aws ec2 delete-key-pair \ --key-name "$key_pair_name") || { aws_cli_error_log ${?} errecho "ERROR: AWS reports delete-key-pair operation failed.$response" return 1 } return 0 } ``` The utility functions used in this scenario. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AllocateAddress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AllocateAddress) + [AssociateAddress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AssociateAddress) + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateKeyPair](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateKeyPair) + [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) + [DeleteKeyPair](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteKeyPair) + [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) + [DescribeImages](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeImages) + [DescribeInstanceTypes](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeInstanceTypes) + [DescribeInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeInstances) + [DescribeKeyPairs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeKeyPairs) + [DescribeSecurityGroups](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSecurityGroups) + [DisassociateAddress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DisassociateAddress) + [ReleaseAddress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/ReleaseAddress) + [RunInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/RunInstances) + [StartInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/StartInstances) + [StopInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/StopInstances) + [TerminateInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/TerminateInstances) + [UnmonitorInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/UnmonitorInstances) ## Actions ### `AllocateAddress` The following code example shows how to use `AllocateAddress`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_allocate_address # # This function allocates an Elastic IP address for use with Amazon Elastic Compute Cloud (Amazon EC2) instances in a specific AWS Region. # # Parameters: # -d domain - The domain for the Elastic IP address (either 'vpc' or 'standard'). # # Returns: # The allocated Elastic IP address, or an error message if the operation fails. # And: # 0 - If successful. # 1 - If it fails. # ############################################################################### function ec2_allocate_address() { local domain response # Function to display usage information function usage() { echo "function ec2_allocate_address" echo "Allocates an Elastic IP address for use with Amazon Elastic Compute Cloud (Amazon EC2) instances in a specific AWS Region." echo " -d domain - The domain for the Elastic IP address (either 'vpc' or 'standard')." echo "" } # Parse the command-line arguments while getopts "d:h" option; do case "${option}" in d) domain="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 # Validate the input parameters if [[ -z "$domain" ]]; then errecho "ERROR: You must provide a domain with the -d parameter (either 'vpc' or 'standard')." return 1 fi if [[ "$domain" != "vpc" && "$domain" != "standard" ]]; then errecho "ERROR: Invalid domain value. Must be either 'vpc' or 'standard'." return 1 fi # Allocate the Elastic IP address response=$(aws ec2 allocate-address \ --domain "$domain" \ --query "[PublicIp,AllocationId]" \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports allocate-address operation failed." errecho "$response" return 1 } echo "$response" return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [AllocateAddress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AllocateAddress) in *AWS CLI Command Reference*. ### `AssociateAddress` The following code example shows how to use `AssociateAddress`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_associate_address # # This function associates an Elastic IP address with an Amazon Elastic Compute Cloud (Amazon EC2) instance. # # Parameters: # -a allocation_id - The allocation ID of the Elastic IP address to associate. # -i instance_id - The ID of the EC2 instance to associate the Elastic IP address with. # # Returns: # 0 - If successful. # 1 - If it fails. # ############################################################################### function ec2_associate_address() { local allocation_id instance_id response # Function to display usage information function usage() { echo "function ec2_associate_address" echo "Associates an Elastic IP address with an Amazon Elastic Compute Cloud (Amazon EC2) instance." echo " -a allocation_id - The allocation ID of the Elastic IP address to associate." echo " -i instance_id - The ID of the EC2 instance to associate the Elastic IP address with." echo "" } # Parse the command-line arguments while getopts "a:i:h" option; do case "${option}" in a) allocation_id="${OPTARG}" ;; i) instance_id="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 # Validate the input parameters if [[ -z "$allocation_id" ]]; then errecho "ERROR: You must provide an allocation ID with the -a parameter." return 1 fi if [[ -z "$instance_id" ]]; then errecho "ERROR: You must provide an instance ID with the -i parameter." return 1 fi # Associate the Elastic IP address response=$(aws ec2 associate-address \ --allocation-id "$allocation_id" \ --instance-id "$instance_id" \ --query "AssociationId" \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports associate-address operation failed." errecho "$response" return 1 } echo "$response" return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [AssociateAddress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AssociateAddress) in *AWS CLI Command Reference*. ### `AuthorizeSecurityGroupIngress` The following code example shows how to use `AuthorizeSecurityGroupIngress`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_authorize_security_group_ingress # # This function authorizes an ingress rule for an Amazon Elastic Compute Cloud (Amazon EC2) security group. # # Parameters: # -g security_group_id - The ID of the security group. # -i ip_address - The IP address or CIDR block to authorize. # -p protocol - The protocol to authorize (e.g., tcp, udp, icmp). # -f from_port - The start of the port range to authorize. # -t to_port - The end of the port range to authorize. # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_authorize_security_group_ingress() { local security_group_id ip_address protocol from_port to_port response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_authorize_security_group_ingress" echo "Authorizes an ingress rule for an Amazon Elastic Compute Cloud (Amazon EC2) security group." echo " -g security_group_id - The ID of the security group." echo " -i ip_address - The IP address or CIDR block to authorize." echo " -p protocol - The protocol to authorize (e.g., tcp, udp, icmp)." echo " -f from_port - The start of the port range to authorize." echo " -t to_port - The end of the port range to authorize." echo "" } # Retrieve the calling parameters. while getopts "g:i:p:f:t:h" option; do case "${option}" in g) security_group_id="${OPTARG}" ;; i) ip_address="${OPTARG}" ;; p) protocol="${OPTARG}" ;; f) from_port="${OPTARG}" ;; t) to_port="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$security_group_id" ]]; then errecho "ERROR: You must provide a security group ID with the -g parameter." usage return 1 fi if [[ -z "$ip_address" ]]; then errecho "ERROR: You must provide an IP address or CIDR block with the -i parameter." usage return 1 fi if [[ -z "$protocol" ]]; then errecho "ERROR: You must provide a protocol with the -p parameter." usage return 1 fi if [[ -z "$from_port" ]]; then errecho "ERROR: You must provide a start port with the -f parameter." usage return 1 fi if [[ -z "$to_port" ]]; then errecho "ERROR: You must provide an end port with the -t parameter." usage return 1 fi response=$(aws ec2 authorize-security-group-ingress \ --group-id "$security_group_id" \ --cidr "${ip_address}/32" \ --protocol "$protocol" \ --port "$from_port-$to_port" \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports authorize-security-group-ingress operation failed.$response" return 1 } return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) in *AWS CLI Command Reference*. ### `CreateKeyPair` The following code example shows how to use `CreateKeyPair`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_create_keypair # # This function creates an Amazon Elastic Compute Cloud (Amazon EC2) ED25519 or 2048-bit RSA key pair # and writes it to a file. # # Parameters: # -n key_pair_name - A key pair name. # -f file_path - File to store the key pair. # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_create_keypair() { local key_pair_name file_path response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_create_keypair" echo "Creates an Amazon Elastic Compute Cloud (Amazon EC2) ED25519 or 2048-bit RSA key pair" echo " and writes it to a file." echo " -n key_pair_name - A key pair name." echo " -f file_path - File to store the key pair." echo "" } # Retrieve the calling parameters. while getopts "n:f:h" option; do case "${option}" in n) key_pair_name="${OPTARG}" ;; f) file_path="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$key_pair_name" ]]; then errecho "ERROR: You must provide a key name with the -n parameter." usage return 1 fi if [[ -z "$file_path" ]]; then errecho "ERROR: You must provide a file path with the -f parameter." usage return 1 fi response=$(aws ec2 create-key-pair \ --key-name "$key_pair_name" \ --query 'KeyMaterial' \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports create-access-key operation failed.$response" return 1 } if [[ -n "$file_path" ]]; then echo "$response" >"$file_path" fi return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [CreateKeyPair](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateKeyPair) in *AWS CLI Command Reference*. ### `CreateSecurityGroup` The following code example shows how to use `CreateSecurityGroup`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_create_security_group # # This function creates an Amazon Elastic Compute Cloud (Amazon EC2) security group. # # Parameters: # -n security_group_name - The name of the security group. # -d security_group_description - The description of the security group. # # Returns: # The ID of the created security group, or an error message if the operation fails. # And: # 0 - If successful. # 1 - If it fails. # ############################################################################### function ec2_create_security_group() { local security_group_name security_group_description response # Function to display usage information function usage() { echo "function ec2_create_security_group" echo "Creates an Amazon Elastic Compute Cloud (Amazon EC2) security group." echo " -n security_group_name - The name of the security group." echo " -d security_group_description - The description of the security group." echo "" } # Parse the command-line arguments while getopts "n:d:h" option; do case "${option}" in n) security_group_name="${OPTARG}" ;; d) security_group_description="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 # Validate the input parameters if [[ -z "$security_group_name" ]]; then errecho "ERROR: You must provide a security group name with the -n parameter." return 1 fi if [[ -z "$security_group_description" ]]; then errecho "ERROR: You must provide a security group description with the -d parameter." return 1 fi # Create the security group response=$(aws ec2 create-security-group \ --group-name "$security_group_name" \ --description "$security_group_description" \ --query "GroupId" \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports create-security-group operation failed." errecho "$response" return 1 } echo "$response" return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) in *AWS CLI Command Reference*. ### `DeleteKeyPair` The following code example shows how to use `DeleteKeyPair`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_delete_keypair # # This function deletes an Amazon EC2 ED25519 or 2048-bit RSA key pair. # # Parameters: # -n key_pair_name - A key pair name. # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_delete_keypair() { local key_pair_name response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_delete_keypair" echo "Deletes an Amazon EC2 ED25519 or 2048-bit RSA key pair." echo " -n key_pair_name - A key pair name." echo "" } # Retrieve the calling parameters. while getopts "n:h" option; do case "${option}" in n) key_pair_name="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$key_pair_name" ]]; then errecho "ERROR: You must provide a key pair name with the -n parameter." usage return 1 fi response=$(aws ec2 delete-key-pair \ --key-name "$key_pair_name") || { aws_cli_error_log ${?} errecho "ERROR: AWS reports delete-key-pair operation failed.$response" return 1 } return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [DeleteKeyPair](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteKeyPair) in *AWS CLI Command Reference*. ### `DeleteSecurityGroup` The following code example shows how to use `DeleteSecurityGroup`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_delete_security_group # # This function deletes an Amazon Elastic Compute Cloud (Amazon EC2) security group. # # Parameters: # -i security_group_id - The ID of the security group to delete. # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_delete_security_group() { local security_group_id response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_delete_security_group" echo "Deletes an Amazon Elastic Compute Cloud (Amazon EC2) security group." echo " -i security_group_id - The ID of the security group to delete." echo "" } # Retrieve the calling parameters. while getopts "i:h" option; do case "${option}" in i) security_group_id="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$security_group_id" ]]; then errecho "ERROR: You must provide a security group ID with the -i parameter." usage return 1 fi response=$(aws ec2 delete-security-group --group-id "$security_group_id" --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports delete-security-group operation failed.$response" return 1 } return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) in *AWS CLI Command Reference*. ### `DescribeImages` The following code example shows how to use `DescribeImages`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_describe_images # # This function describes one or more Amazon Elastic Compute Cloud (Amazon EC2) images. # # Parameters: # -i image_ids - A space-separated list of image IDs (optional). # -h - Display help. # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_describe_images() { local image_ids response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_describe_images" echo "Describes one or more Amazon Elastic Compute Cloud (Amazon EC2) images." echo " -i image_ids - A space-separated list of image IDs (optional)." echo " -h - Display help." echo "" } # Retrieve the calling parameters. while getopts "i:h" option; do case "${option}" in i) image_ids="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 local aws_cli_args=() if [[ -n "$image_ids" ]]; then # shellcheck disable=SC2206 aws_cli_args+=("--image-ids" $image_ids) fi response=$(aws ec2 describe-images \ "${aws_cli_args[@]}" \ --query 'Images[*].[Description,Architecture,ImageId]' \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports describe-images operation failed.$response" return 1 } echo "$response" return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [DescribeImages](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeImages) in *AWS CLI Command Reference*. ### `DescribeInstanceTypes` The following code example shows how to use `DescribeInstanceTypes`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # ec2_describe_instance_types # # This function describes EC2 instance types filtered by processor architecture # and optionally by instance type. It takes the following arguments: # # -a, --architecture ARCHITECTURE Specify the processor architecture (e.g., x86_64) # -t, --type INSTANCE_TYPE Comma-separated list of instance types (e.g., t2.micro) # -h, --help Show the usage help # # The function prints the instance type and supported architecture for each # matching instance type. ############################################################################### function ec2_describe_instance_types() { local architecture="" local instance_types="" # bashsupport disable=BP5008 function usage() { echo "Usage: ec2_describe_instance_types [-a|--architecture ARCHITECTURE] [-t|--type INSTANCE_TYPE] [-h|--help]" echo " -a, --architecture ARCHITECTURE Specify the processor architecture (e.g., x86_64)" echo " -t, --type INSTANCE_TYPE Comma-separated list of instance types (e.g., t2.micro)" echo " -h, --help Show this help message" } while [[ $# -gt 0 ]]; do case "$1" in -a | --architecture) architecture="$2" shift 2 ;; -t | --type) instance_types="$2" shift 2 ;; -h | --help) usage return 0 ;; *) echo "Unknown argument: $1" return 1 ;; esac done if [[ -z "$architecture" ]]; then errecho "Error: Architecture not specified." usage return 1 fi if [[ -z "$instance_types" ]]; then errecho "Error: Instance type not specified." usage return 1 fi local tmp_json_file="temp_ec2.json" echo -n '[ { "Name": "processor-info.supported-architecture", "Values": [' >"$tmp_json_file" local items IFS=',' read -ra items <<<"$architecture" local array_size array_size=${#items[@]} for i in $(seq 0 $((array_size - 1))); do echo -n '"'"${items[$i]}"'"' >>"$tmp_json_file" if [[ $i -lt $((array_size - 1)) ]]; then echo -n ',' >>"$tmp_json_file" fi done echo -n ']}, { "Name": "instance-type", "Values": [' >>"$tmp_json_file" IFS=',' read -ra items <<<"$instance_types" local array_size array_size=${#items[@]} for i in $(seq 0 $((array_size - 1))); do echo -n '"'"${items[$i]}"'"' >>"$tmp_json_file" if [[ $i -lt $((array_size - 1)) ]]; then echo -n ',' >>"$tmp_json_file" fi done echo -n ']}]' >>"$tmp_json_file" local response response=$(aws ec2 describe-instance-types --filters file://"$tmp_json_file" \ --query 'InstanceTypes[*].[InstanceType]' --output text) local error_code=$? rm "$tmp_json_file" if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code echo "ERROR: AWS reports describe-instance-types operation failed." return 1 fi echo "$response" return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [DescribeInstanceTypes](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeInstanceTypes) in *AWS CLI Command Reference*. ### `DescribeInstances` The following code example shows how to use `DescribeInstances`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_describe_instances # # This function describes one or more Amazon Elastic Compute Cloud (Amazon EC2) instances. # # Parameters: # -i instance_id - The ID of the instance to describe (optional). # -q query - The query to filter the response (optional). # -h - Display help. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_describe_instances() { local instance_id query response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_describe_instances" echo "Describes one or more Amazon Elastic Compute Cloud (Amazon EC2) instances." echo " -i instance_id - The ID of the instance to describe (optional)." echo " -q query - The query to filter the response (optional)." echo " -h - Display help." echo "" } # Retrieve the calling parameters. while getopts "i:q:h" option; do case "${option}" in i) instance_id="${OPTARG}" ;; q) query="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 local aws_cli_args=() if [[ -n "$instance_id" ]]; then # shellcheck disable=SC2206 aws_cli_args+=("--instance-ids" $instance_id) fi local query_arg="" if [[ -n "$query" ]]; then query_arg="--query '$query'" else query_arg="--query Reservations[*].Instances[*].[InstanceId,ImageId,InstanceType,KeyName,VpcId,PublicIpAddress,State.Name]" fi # shellcheck disable=SC2086 response=$(aws ec2 describe-instances \ "${aws_cli_args[@]}" \ $query_arg \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports describe-instances operation failed.$response" return 1 } echo "$response" return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [DescribeInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeInstances) in *AWS CLI Command Reference*. ### `DescribeKeyPairs` The following code example shows how to use `DescribeKeyPairs`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_describe_key_pairs # # This function describes one or more Amazon Elastic Compute Cloud (Amazon EC2) key pairs. # # Parameters: # -h - Display help. # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_describe_key_pairs() { local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_describe_key_pairs" echo "Describes one or more Amazon Elastic Compute Cloud (Amazon EC2) key pairs." echo " -h - Display help." echo "" } # Retrieve the calling parameters. while getopts "h" option; do case "${option}" in h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 local response response=$(aws ec2 describe-key-pairs \ --query 'KeyPairs[*].[KeyName, KeyFingerprint]' \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports describe-key-pairs operation failed.$response" return 1 } echo "$response" return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [DescribeKeyPairs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeKeyPairs) in *AWS CLI Command Reference*. ### `DescribeSecurityGroups` The following code example shows how to use `DescribeSecurityGroups`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_describe_security_groups # # This function describes one or more Amazon Elastic Compute Cloud (Amazon EC2) security groups. # # Parameters: # -g security_group_id - The ID of the security group to describe (optional). # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_describe_security_groups() { local security_group_id response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_describe_security_groups" echo "Describes one or more Amazon Elastic Compute Cloud (Amazon EC2) security groups." echo " -g security_group_id - The ID of the security group to describe (optional)." echo "" } # Retrieve the calling parameters. while getopts "g:h" option; do case "${option}" in g) security_group_id="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 local query="SecurityGroups[*].[GroupName, GroupId, VpcId, IpPermissions[*].[IpProtocol, FromPort, ToPort, IpRanges[*].CidrIp]]" if [[ -n "$security_group_id" ]]; then response=$(aws ec2 describe-security-groups --group-ids "$security_group_id" --query "${query}" --output text) else response=$(aws ec2 describe-security-groups --query "${query}" --output text) fi local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports describe-security-groups operation failed.$response" return 1 fi echo "$response" return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [DescribeSecurityGroups](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSecurityGroups) in *AWS CLI Command Reference*. ### `DisassociateAddress` The following code example shows how to use `DisassociateAddress`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_disassociate_address # # This function disassociates an Elastic IP address from an Amazon Elastic Compute Cloud (Amazon EC2) instance. # # Parameters: # -a association_id - The association ID that represents the association of the Elastic IP address with an instance. # # And: # 0 - If successful. # 1 - If it fails. # ############################################################################### function ec2_disassociate_address() { local association_id response # Function to display usage information function usage() { echo "function ec2_disassociate_address" echo "Disassociates an Elastic IP address from an Amazon Elastic Compute Cloud (Amazon EC2) instance." echo " -a association_id - The association ID that represents the association of the Elastic IP address with an instance." echo "" } # Parse the command-line arguments while getopts "a:h" option; do case "${option}" in a) association_id="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 # Validate the input parameters if [[ -z "$association_id" ]]; then errecho "ERROR: You must provide an association ID with the -a parameter." return 1 fi response=$(aws ec2 disassociate-address \ --association-id "$association_id") || { aws_cli_error_log ${?} errecho "ERROR: AWS reports disassociate-address operation failed." errecho "$response" return 1 } return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [DisassociateAddress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DisassociateAddress) in *AWS CLI Command Reference*. ### `ReleaseAddress` The following code example shows how to use `ReleaseAddress`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_release_address # # This function releases an Elastic IP address from an Amazon Elastic Compute Cloud (Amazon EC2) instance. # # Parameters: # -a allocation_id - The allocation ID of the Elastic IP address to release. # # Returns: # 0 - If successful. # 1 - If it fails. # ############################################################################### function ec2_release_address() { local allocation_id response # Function to display usage information function usage() { echo "function ec2_release_address" echo "Releases an Elastic IP address from an Amazon Elastic Compute Cloud (Amazon EC2) instance." echo " -a allocation_id - The allocation ID of the Elastic IP address to release." echo "" } # Parse the command-line arguments while getopts "a:h" option; do case "${option}" in a) allocation_id="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 # Validate the input parameters if [[ -z "$allocation_id" ]]; then errecho "ERROR: You must provide an allocation ID with the -a parameter." return 1 fi response=$(aws ec2 release-address \ --allocation-id "$allocation_id") || { aws_cli_error_log ${?} errecho "ERROR: AWS reports release-address operation failed." errecho "$response" return 1 } return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [ReleaseAddress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/ReleaseAddress) in *AWS CLI Command Reference*. ### `RunInstances` The following code example shows how to use `RunInstances`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_run_instances # # This function launches one or more Amazon Elastic Compute Cloud (Amazon EC2) instances. # # Parameters: # -i image_id - The ID of the Amazon Machine Image (AMI) to use. # -t instance_type - The instance type to use (e.g., t2.micro). # -k key_pair_name - The name of the key pair to use. # -s security_group_id - The ID of the security group to use. # -c count - The number of instances to launch (default: 1). # -h - Display help. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_run_instances() { local image_id instance_type key_pair_name security_group_id count response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_run_instances" echo "Launches one or more Amazon Elastic Compute Cloud (Amazon EC2) instances." echo " -i image_id - The ID of the Amazon Machine Image (AMI) to use." echo " -t instance_type - The instance type to use (e.g., t2.micro)." echo " -k key_pair_name - The name of the key pair to use." echo " -s security_group_id - The ID of the security group to use." echo " -c count - The number of instances to launch (default: 1)." echo " -h - Display help." echo "" } # Retrieve the calling parameters. while getopts "i:t:k:s:c:h" option; do case "${option}" in i) image_id="${OPTARG}" ;; t) instance_type="${OPTARG}" ;; k) key_pair_name="${OPTARG}" ;; s) security_group_id="${OPTARG}" ;; c) count="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$image_id" ]]; then errecho "ERROR: You must provide an Amazon Machine Image (AMI) ID with the -i parameter." usage return 1 fi if [[ -z "$instance_type" ]]; then errecho "ERROR: You must provide an instance type with the -t parameter." usage return 1 fi if [[ -z "$key_pair_name" ]]; then errecho "ERROR: You must provide a key pair name with the -k parameter." usage return 1 fi if [[ -z "$security_group_id" ]]; then errecho "ERROR: You must provide a security group ID with the -s parameter." usage return 1 fi if [[ -z "$count" ]]; then count=1 fi response=$(aws ec2 run-instances \ --image-id "$image_id" \ --instance-type "$instance_type" \ --key-name "$key_pair_name" \ --security-group-ids "$security_group_id" \ --count "$count" \ --query 'Instances[*].[InstanceId]' \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports run-instances operation failed.$response" return 1 } echo "$response" return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [RunInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/RunInstances) in *AWS CLI Command Reference*. ### `StartInstances` The following code example shows how to use `StartInstances`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_start_instances # # This function starts one or more Amazon Elastic Compute Cloud (Amazon EC2) instances. # # Parameters: # -i instance_id - The ID(s) of the instance(s) to start (comma-separated). # -h - Display help. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_start_instances() { local instance_ids local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_start_instances" echo "Starts one or more Amazon Elastic Compute Cloud (Amazon EC2) instances." echo " -i instance_id - The ID(s) of the instance(s) to start (comma-separated)." echo " -h - Display help." echo "" } # Retrieve the calling parameters. while getopts "i:h" option; do case "${option}" in i) instance_ids="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$instance_ids" ]]; then errecho "ERROR: You must provide one or more instance IDs with the -i parameter." usage return 1 fi response=$(aws ec2 start-instances \ --instance-ids "${instance_ids}") || { aws_cli_error_log ${?} errecho "ERROR: AWS reports start-instances operation failed with $response." return 1 } return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [StartInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/StartInstances) in *AWS CLI Command Reference*. ### `StopInstances` The following code example shows how to use `StopInstances`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_stop_instances # # This function stops one or more Amazon Elastic Compute Cloud (Amazon EC2) instances. # # Parameters: # -i instance_id - The ID(s) of the instance(s) to stop (comma-separated). # -h - Display help. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_stop_instances() { local instance_ids local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_stop_instances" echo "Stops one or more Amazon Elastic Compute Cloud (Amazon EC2) instances." echo " -i instance_id - The ID(s) of the instance(s) to stop (comma-separated)." echo " -h - Display help." echo "" } # Retrieve the calling parameters. while getopts "i:h" option; do case "${option}" in i) instance_ids="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$instance_ids" ]]; then errecho "ERROR: You must provide one or more instance IDs with the -i parameter." usage return 1 fi response=$(aws ec2 stop-instances \ --instance-ids "${instance_ids}") || { aws_cli_error_log ${?} errecho "ERROR: AWS reports stop-instances operation failed with $response." return 1 } return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [StopInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/StopInstances) in *AWS CLI Command Reference*. ### `TerminateInstances` The following code example shows how to use `TerminateInstances`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/ec2#code-examples). ``` ############################################################################### # function ec2_terminate_instances # # This function terminates one or more Amazon Elastic Compute Cloud (Amazon EC2) # instances using the AWS CLI. # # Parameters: # -i instance_ids - A space-separated list of instance IDs. # -h - Display help. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_terminate_instances() { local instance_ids response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_terminate_instances" echo "Terminates one or more Amazon Elastic Compute Cloud (Amazon EC2) instances." echo " -i instance_ids - A space-separated list of instance IDs." echo " -h - Display help." echo "" } # Retrieve the calling parameters. while getopts "i:h" option; do case "${option}" in i) instance_ids="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 # Check if instance ID is provided if [[ -z "${instance_ids}" ]]; then echo "Error: Missing required instance IDs parameter." usage return 1 fi # shellcheck disable=SC2086 response=$(aws ec2 terminate-instances \ "--instance-ids" $instance_ids \ --query 'TerminatingInstances[*].[InstanceId,CurrentState.Name]' \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports terminate-instances operation failed.$response" return 1 } return 0 } ``` The utility functions used in this example. ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 } ``` + For API details, see [TerminateInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/TerminateInstances) in *AWS CLI Command Reference*. ## Scenarios ### Configure Amazon ECS Service Connect The following code example shows how to: + Create the VPC infrastructure + Set up logging + Create the ECS cluster + Configure IAM roles + Create the service with Service Connect + Verify the deployment + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/085-amazon-ecs-service-connect) repository. ``` #!/bin/bash # ECS Service Connect Tutorial Script v4 - Modified to use Default VPC # This script creates an ECS cluster with Service Connect and deploys an nginx service # Uses the default VPC to avoid VPC limits set -e # Exit on any error # Configuration SCRIPT_NAME="ECS Service Connect Tutorial" LOG_FILE="ecs-service-connect-tutorial-v4-default-vpc.log" REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null)}} if [ -z "$REGION" ]; then echo "ERROR: No AWS region configured." echo "Set one with: aws configure set region us-east-1" exit 1 fi ENV_PREFIX="tutorial" CLUSTER_NAME="${ENV_PREFIX}-cluster" NAMESPACE_NAME="service-connect" # Generate random suffix for unique resource names RANDOM_SUFFIX=$(openssl rand -hex 6) # Arrays to track created resources for cleanup declare -a CREATED_RESOURCES=() # Logging function log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE" } # Error handling function handle_error() { log "ERROR: Script failed at line $1" log "Attempting to clean up resources..." cleanup_resources exit 1 } # Set up error handling trap 'handle_error $LINENO' ERR # Function to add resource to tracking array track_resource() { CREATED_RESOURCES+=("$1") log "Tracking resource: $1" } # Function to check if command output contains actual errors check_for_errors() { local output="$1" local command_name="$2" # Check for specific AWS CLI error patterns, not just any occurrence of "error" if echo "$output" | grep -qi "An error occurred\|InvalidParameterException\|AccessDenied\|ValidationException\|ResourceNotFoundException"; then log "ERROR in $command_name: $output" return 1 fi return 0 } # Function to get AWS account ID get_account_id() { ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) log "Using AWS Account ID: $ACCOUNT_ID" } # Function to wait for resources to be ready wait_for_resource() { local resource_type="$1" local resource_id="$2" case "$resource_type" in "cluster") log "Waiting for cluster $resource_id to be active..." local attempt=1 local max_attempts=30 while [ $attempt -le $max_attempts ]; do local status=$(aws ecs describe-clusters --clusters "$resource_id" --query 'clusters[0].status' --output text) if [ "$status" = "ACTIVE" ]; then log "Cluster is now active" return 0 fi log "Cluster status: $status (attempt $attempt/$max_attempts)" sleep 10 ((attempt++)) done log "ERROR: Cluster did not become active within expected time" return 1 ;; "service") log "Waiting for service $resource_id to be stable..." aws ecs wait services-stable --cluster "$CLUSTER_NAME" --services "$resource_id" ;; "nat-gateway") log "Waiting for NAT Gateway $resource_id to be available..." aws ec2 wait nat-gateway-available --nat-gateway-ids "$resource_id" ;; esac } # Function to use default VPC infrastructure setup_default_vpc_infrastructure() { log "Using default VPC infrastructure..." # Get default VPC VPC_ID=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query 'Vpcs[0].VpcId' --output text) if [[ "$VPC_ID" == "None" || -z "$VPC_ID" ]]; then log "ERROR: No default VPC found. Please create a default VPC first." exit 1 fi log "Using default VPC: $VPC_ID" # Get default subnets SUBNETS=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" "Name=default-for-az,Values=true" --query 'Subnets[].SubnetId' --output text) SUBNET_ARRAY=($SUBNETS) if [ ${#SUBNET_ARRAY[@]} -lt 2 ]; then log "ERROR: Need at least 2 subnets for ECS Service Connect. Found: ${#SUBNET_ARRAY[@]}" exit 1 fi PUBLIC_SUBNET1=${SUBNET_ARRAY[0]} PUBLIC_SUBNET2=${SUBNET_ARRAY[1]} log "Using subnets: $PUBLIC_SUBNET1, $PUBLIC_SUBNET2" # Create security group for ECS tasks SG_OUTPUT=$(aws ec2 create-security-group \ --group-name "${ENV_PREFIX}-ecs-sg-${RANDOM_SUFFIX}" \ --description "Security group for ECS Service Connect tutorial" \ --vpc-id "$VPC_ID" 2>&1) check_for_errors "$SG_OUTPUT" "create-security-group" SECURITY_GROUP_ID=$(echo "$SG_OUTPUT" | grep -o '"GroupId": "[^"]*"' | cut -d'"' -f4) track_resource "SG:$SECURITY_GROUP_ID" log "Created security group: $SECURITY_GROUP_ID" # Add inbound rules to security group aws ec2 authorize-security-group-ingress \ --group-id "$SECURITY_GROUP_ID" \ --protocol tcp \ --port 80 \ --cidr 0.0.0.0/0 >/dev/null 2>&1 || true aws ec2 authorize-security-group-ingress \ --group-id "$SECURITY_GROUP_ID" \ --protocol tcp \ --port 443 \ --cidr 0.0.0.0/0 >/dev/null 2>&1 || true log "Default VPC infrastructure setup completed" } # Function to create CloudWatch log groups create_log_groups() { log "Creating CloudWatch log groups..." # Create log group for nginx container aws logs create-log-group --log-group-name "/ecs/service-connect-nginx" 2>&1 | grep -v "ResourceAlreadyExistsException" || { if [ ${PIPESTATUS[0]} -eq 0 ]; then log "Log group /ecs/service-connect-nginx created" track_resource "LOG_GROUP:/ecs/service-connect-nginx" else log "Log group /ecs/service-connect-nginx already exists" fi } # Create log group for service connect proxy aws logs create-log-group --log-group-name "/ecs/service-connect-proxy" 2>&1 | grep -v "ResourceAlreadyExistsException" || { if [ ${PIPESTATUS[0]} -eq 0 ]; then log "Log group /ecs/service-connect-proxy created" track_resource "LOG_GROUP:/ecs/service-connect-proxy" else log "Log group /ecs/service-connect-proxy already exists" fi } } # Function to create ECS cluster with Service Connect create_ecs_cluster() { log "Creating ECS cluster with Service Connect..." CLUSTER_OUTPUT=$(aws ecs create-cluster \ --cluster-name "$CLUSTER_NAME" \ --service-connect-defaults namespace="$NAMESPACE_NAME" \ --tags key=Environment,value=tutorial 2>&1) check_for_errors "$CLUSTER_OUTPUT" "create-cluster" track_resource "CLUSTER:$CLUSTER_NAME" log "Created ECS cluster: $CLUSTER_NAME" wait_for_resource "cluster" "$CLUSTER_NAME" # Track the Service Connect namespace that gets created # Wait a moment for the namespace to be created sleep 5 NAMESPACE_ID=$(aws servicediscovery list-namespaces \ --filters Name=TYPE,Values=HTTP \ --query "Namespaces[?Name=='$NAMESPACE_NAME'].Id" --output text 2>/dev/null || echo "") if [[ -n "$NAMESPACE_ID" && "$NAMESPACE_ID" != "None" ]]; then track_resource "NAMESPACE:$NAMESPACE_ID" log "Service Connect namespace created: $NAMESPACE_ID" fi } # Function to create IAM roles create_iam_roles() { log "Creating IAM roles..." # Check if ecsTaskExecutionRole exists if aws iam get-role --role-name ecsTaskExecutionRole >/dev/null 2>&1; then log "IAM role ecsTaskExecutionRole exists" else log "Creating ecsTaskExecutionRole..." aws iam create-role \ --role-name ecsTaskExecutionRole \ --assume-role-policy-document '{ "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"Service": "ecs-tasks.amazonaws.com"}, "Action": "sts:AssumeRole" }] }' >/dev/null 2>&1 aws iam attach-role-policy \ --role-name ecsTaskExecutionRole \ --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy >/dev/null 2>&1 track_resource "ROLE:ecsTaskExecutionRole" log "Created ecsTaskExecutionRole" sleep 10 fi # Check if ecsTaskRole exists, create if not if aws iam get-role --role-name ecsTaskRole >/dev/null 2>&1; then log "IAM role ecsTaskRole exists" else log "IAM role ecsTaskRole does not exist, will create it" # Create trust policy for ECS tasks cat > /tmp/ecs-task-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF aws iam create-role \ --role-name ecsTaskRole \ --assume-role-policy-document file:///tmp/ecs-task-trust-policy.json >/dev/null track_resource "IAM_ROLE:ecsTaskRole" log "Created ecsTaskRole" # Wait for role to be available sleep 10 fi } # Function to create task definition create_task_definition() { log "Creating task definition..." # Create task definition JSON cat > /tmp/task-definition.json << EOF { "family": "service-connect-nginx", "networkMode": "awsvpc", "requiresCompatibilities": ["FARGATE"], "cpu": "256", "memory": "512", "executionRoleArn": "arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskExecutionRole", "taskRoleArn": "arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskRole", "containerDefinitions": [ { "name": "nginx", "image": "public.ecr.aws/docker/library/nginx:latest", "portMappings": [ { "containerPort": 80, "protocol": "tcp", "name": "nginx-port" } ], "essential": true, "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "/ecs/service-connect-nginx", "awslogs-region": "${REGION}", "awslogs-stream-prefix": "ecs" } } } ] } EOF TASK_DEF_OUTPUT=$(aws ecs register-task-definition --cli-input-json file:///tmp/task-definition.json 2>&1) check_for_errors "$TASK_DEF_OUTPUT" "register-task-definition" TASK_DEF_ARN=$(echo "$TASK_DEF_OUTPUT" | grep -o '"taskDefinitionArn": "[^"]*"' | cut -d'"' -f4) track_resource "TASK_DEF:service-connect-nginx" log "Created task definition: $TASK_DEF_ARN" # Clean up temporary file rm -f /tmp/task-definition.json } # Function to create ECS service with Service Connect create_ecs_service() { log "Creating ECS service with Service Connect..." # Create service definition JSON cat > /tmp/service-definition.json << EOF { "serviceName": "service-connect-nginx-service", "cluster": "${CLUSTER_NAME}", "taskDefinition": "service-connect-nginx", "desiredCount": 1, "launchType": "FARGATE", "networkConfiguration": { "awsvpcConfiguration": { "subnets": ["${PUBLIC_SUBNET1}", "${PUBLIC_SUBNET2}"], "securityGroups": ["${SECURITY_GROUP_ID}"], "assignPublicIp": "ENABLED" } }, "serviceConnectConfiguration": { "enabled": true, "namespace": "${NAMESPACE_NAME}", "services": [ { "portName": "nginx-port", "discoveryName": "nginx", "clientAliases": [ { "port": 80, "dnsName": "nginx" } ] } ], "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "/ecs/service-connect-proxy", "awslogs-region": "${REGION}", "awslogs-stream-prefix": "ecs-service-connect" } } }, "tags": [ { "key": "Environment", "value": "tutorial" } ] } EOF SERVICE_OUTPUT=$(aws ecs create-service --cli-input-json file:///tmp/service-definition.json 2>&1) check_for_errors "$SERVICE_OUTPUT" "create-service" track_resource "SERVICE:service-connect-nginx-service" log "Created ECS service: service-connect-nginx-service" wait_for_resource "service" "service-connect-nginx-service" # Clean up temporary file rm -f /tmp/service-definition.json } # Function to verify deployment verify_deployment() { log "Verifying deployment..." # Check service status SERVICE_STATUS=$(aws ecs describe-services \ --cluster "$CLUSTER_NAME" \ --services "service-connect-nginx-service" \ --query 'services[0].status' --output text) log "Service status: $SERVICE_STATUS" # Check running tasks RUNNING_COUNT=$(aws ecs describe-services \ --cluster "$CLUSTER_NAME" \ --services "service-connect-nginx-service" \ --query 'services[0].runningCount' --output text) log "Running tasks: $RUNNING_COUNT" # Get task ARN TASK_ARN=$(aws ecs list-tasks \ --cluster "$CLUSTER_NAME" \ --service-name "service-connect-nginx-service" \ --query 'taskArns[0]' --output text) if [[ "$TASK_ARN" != "None" && -n "$TASK_ARN" ]]; then log "Task ARN: $TASK_ARN" # Try to get task IP address TASK_IP=$(aws ecs describe-tasks \ --cluster "$CLUSTER_NAME" \ --tasks "$TASK_ARN" \ --query 'tasks[0].attachments[0].details[?name==`privateIPv4Address`].value' \ --output text 2>/dev/null || echo "") if [[ -n "$TASK_IP" && "$TASK_IP" != "None" ]]; then log "Task IP address: $TASK_IP" else log "Could not retrieve task IP address" fi fi # Check Service Connect namespace NAMESPACE_STATUS=$(aws servicediscovery list-namespaces \ --filters Name=TYPE,Values=HTTP \ --query "Namespaces[?Name=='$NAMESPACE_NAME'].Id" --output text 2>/dev/null || echo "") if [[ -n "$NAMESPACE_STATUS" && "$NAMESPACE_STATUS" != "None" ]]; then log "Service Connect namespace '$NAMESPACE_NAME' is active" else log "Service Connect namespace '$NAMESPACE_NAME' not found or not active" fi # Display Service Connect configuration log "Service Connect configuration:" aws ecs describe-services \ --cluster "$CLUSTER_NAME" \ --services "service-connect-nginx-service" \ --query 'services[0].serviceConnectConfiguration' 2>/dev/null || true } # Function to display created resources display_resources() { echo "" echo "===========================================" echo "CREATED RESOURCES" echo "===========================================" for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" done echo "===========================================" echo "" } # Function to cleanup resources cleanup_resources() { log "Starting cleanup process..." # Delete resources in reverse order of creation for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do resource="${CREATED_RESOURCES[i]}" resource_type=$(echo "$resource" | cut -d':' -f1) resource_id=$(echo "$resource" | cut -d':' -f2) log "Cleaning up $resource_type: $resource_id" case "$resource_type" in "SERVICE") aws ecs update-service --cluster "$CLUSTER_NAME" --service "$resource_id" --desired-count 0 2>&1 | grep -qi "error" && log "Warning: Failed to scale down service $resource_id" aws ecs wait services-stable --cluster "$CLUSTER_NAME" --services "$resource_id" 2>/dev/null || true aws ecs delete-service --cluster "$CLUSTER_NAME" --service "$resource_id" --force 2>&1 | grep -qi "error" && log "Warning: Failed to delete service $resource_id" ;; "TASK_DEF") TASK_DEF_ARNS=$(aws ecs list-task-definitions --family-prefix "$resource_id" --query 'taskDefinitionArns' --output text 2>/dev/null) for arn in $TASK_DEF_ARNS; do aws ecs deregister-task-definition --task-definition "$arn" >/dev/null 2>&1 || true done ;; "ROLE") aws iam detach-role-policy --role-name "$resource_id" --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" 2>/dev/null || true aws iam delete-role --role-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete role $resource_id" ;; "IAM_ROLE") aws iam detach-role-policy --role-name "$resource_id" --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" 2>/dev/null || true aws iam delete-role --role-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete role $resource_id" ;; "CLUSTER") aws ecs delete-cluster --cluster "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete cluster $resource_id" ;; "SG") for attempt in 1 2 3 4 5; do if aws ec2 delete-security-group --group-id "$resource_id" 2>/dev/null; then break fi log "Security group $resource_id still has dependencies, retrying in 30s ($attempt/5)..." sleep 30 done ;; "LOG_GROUP") aws logs delete-log-group --log-group-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete log group $resource_id" ;; "NAMESPACE") # First, delete any services in the namespace NAMESPACE_SERVICES=$(aws servicediscovery list-services \ --filters Name=NAMESPACE_ID,Values="$resource_id" \ --query 'Services[].Id' --output text 2>/dev/null || echo "") if [[ -n "$NAMESPACE_SERVICES" && "$NAMESPACE_SERVICES" != "None" ]]; then for service_id in $NAMESPACE_SERVICES; do aws servicediscovery delete-service --id "$service_id" >/dev/null 2>&1 || true sleep 2 done fi # Then delete the namespace aws servicediscovery delete-namespace --id "$resource_id" >/dev/null 2>&1 || true ;; esac sleep 2 # Brief pause between deletions done # Clean up temporary files rm -f /tmp/ecs-task-trust-policy.json rm -f /tmp/task-definition.json rm -f /tmp/service-definition.json log "Cleanup completed" } # Main execution main() { log "Starting $SCRIPT_NAME v4 (Default VPC)" log "Region: $REGION" log "Log file: $LOG_FILE" # Get AWS account ID get_account_id # Setup infrastructure using default VPC setup_default_vpc_infrastructure # Create CloudWatch log groups create_log_groups # Create ECS cluster create_ecs_cluster # Create IAM roles create_iam_roles # Create task definition create_task_definition # Create ECS service create_ecs_service # Verify deployment verify_deployment log "Tutorial completed successfully!" # Display created resources display_resources # Ask user if they want to clean up echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup_resources log "All resources have been cleaned up" else log "Resources left intact. You can clean them up later by running the cleanup function." echo "" echo "To clean up resources later, you can use the AWS CLI commands or the AWS Management Console." echo "Remember to delete resources in the correct order to avoid dependency issues." fi } # Make script executable and run chmod +x "$0" main "$@" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateCluster](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/CreateCluster) + [CreateLogGroup](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/CreateLogGroup) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) + [CreateService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/CreateService) + [DeleteCluster](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeleteCluster) + [DeleteLogGroup](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/DeleteLogGroup) + [DeleteNamespace](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeleteNamespace) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) + [DeleteService](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeleteService) + [DeregisterTaskDefinition](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeregisterTaskDefinition) + [DescribeClusters](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeClusters) + [DescribeServices](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeServices) + [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets) + [DescribeTasks](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeTasks) + [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [ListNamespaces](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/ListNamespaces) + [ListServices](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/ListServices) + [ListTaskDefinitions](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/ListTaskDefinitions) + [ListTasks](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/ListTasks) + [RegisterTaskDefinition](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/RegisterTaskDefinition) + [UpdateService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/UpdateService) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/Wait) ### Create a basic VPC The following code example shows how to: + Create a VPC + Create subnets + Configure internet connectivity + Create a NAT Gateway + Configure subnet settings + Create security groups + Verify your VPC configuration **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/002-vpc-gs) repository. ``` #!/bin/bash # VPC Creation Script # This script creates a VPC with public and private subnets, internet gateway, NAT gateway, and security groups # Set up logging LOG_FILE="vpc_creation.log" exec > >(tee -a "$LOG_FILE") 2>&1 # Function to handle errors handle_error() { echo "ERROR: $1" echo "Resources created before error:" for resource in "${CREATED_RESOURCES[@]}" do echo "- $resource" done echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Function to clean up resources cleanup_resources() { echo "Cleaning up resources in reverse order..." # Reverse the array to delete in reverse order of creation for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)) do resource="${CREATED_RESOURCES[$i]}" resource_type=$(echo "$resource" | cut -d':' -f1) resource_id=$(echo "$resource" | cut -d':' -f2) case "$resource_type" in "INSTANCE") echo "Terminating EC2 instance: $resource_id" aws ec2 terminate-instances --instance-ids "$resource_id" || echo "Failed to terminate instance: $resource_id" # Wait for instance to terminate echo "Waiting for instance to terminate..." aws ec2 wait instance-terminated --instance-ids "$resource_id" || echo "Failed to wait for instance termination: $resource_id" ;; "KEY_PAIR") echo "Deleting key pair: $resource_id" aws ec2 delete-key-pair --key-name "$resource_id" || echo "Failed to delete key pair: $resource_id" # Remove the .pem file if it exists if [ -f "${resource_id}.pem" ]; then rm -f "${resource_id}.pem" fi ;; "NAT_GATEWAY") echo "Deleting NAT Gateway: $resource_id" aws ec2 delete-nat-gateway --nat-gateway-id "$resource_id" || echo "Failed to delete NAT Gateway: $resource_id" # NAT Gateway deletion takes time, wait for it to complete echo "Waiting for NAT Gateway to be deleted..." aws ec2 wait nat-gateway-deleted --nat-gateway-ids "$resource_id" || echo "Failed to wait for NAT Gateway deletion: $resource_id" ;; "EIP") echo "Releasing Elastic IP: $resource_id" aws ec2 release-address --allocation-id "$resource_id" || echo "Failed to release Elastic IP: $resource_id" ;; "ROUTE_TABLE_ASSOCIATION") echo "Disassociating Route Table: $resource_id" aws ec2 disassociate-route-table --association-id "$resource_id" || echo "Failed to disassociate Route Table: $resource_id" ;; "ROUTE_TABLE") echo "Deleting Route Table: $resource_id" aws ec2 delete-route-table --route-table-id "$resource_id" || echo "Failed to delete Route Table: $resource_id" ;; "INTERNET_GATEWAY") echo "Detaching Internet Gateway: $resource_id from VPC: $VPC_ID" aws ec2 detach-internet-gateway --internet-gateway-id "$resource_id" --vpc-id "$VPC_ID" || echo "Failed to detach Internet Gateway: $resource_id" echo "Deleting Internet Gateway: $resource_id" aws ec2 delete-internet-gateway --internet-gateway-id "$resource_id" || echo "Failed to delete Internet Gateway: $resource_id" ;; "SECURITY_GROUP") echo "Deleting Security Group: $resource_id" aws ec2 delete-security-group --group-id "$resource_id" || echo "Failed to delete Security Group: $resource_id" ;; "SUBNET") echo "Deleting Subnet: $resource_id" aws ec2 delete-subnet --subnet-id "$resource_id" || echo "Failed to delete Subnet: $resource_id" ;; "VPC") echo "Deleting VPC: $resource_id" aws ec2 delete-vpc --vpc-id "$resource_id" || echo "Failed to delete VPC: $resource_id" ;; esac done } # Initialize array to track created resources CREATED_RESOURCES=() echo "Starting VPC creation script at $(date)" # Verify AWS CLI configuration echo "Verifying AWS CLI configuration..." aws configure list || handle_error "AWS CLI is not properly configured" # Verify identity and permissions echo "Verifying identity and permissions..." if ! aws sts get-caller-identity; then echo "ERROR: Unable to verify AWS identity. This could be due to:" echo " - Expired credentials" echo " - Missing or invalid AWS credentials" echo " - Insufficient permissions" echo "" echo "Please run 'aws configure' to update your credentials or check your IAM permissions." exit 1 fi # Create VPC echo "Creating VPC with CIDR block 10.0.0.0/16..." VPC_ID=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=MyVPC}]' --query 'Vpc.VpcId' --output text) if [ -z "$VPC_ID" ]; then handle_error "Failed to create VPC" fi CREATED_RESOURCES+=("VPC:$VPC_ID") echo "VPC created with ID: $VPC_ID" # Enable DNS support and hostnames echo "Enabling DNS support and hostnames for VPC..." aws ec2 modify-vpc-attribute --vpc-id "$VPC_ID" --enable-dns-support || handle_error "Failed to enable DNS support" aws ec2 modify-vpc-attribute --vpc-id "$VPC_ID" --enable-dns-hostnames || handle_error "Failed to enable DNS hostnames" # Get available Availability Zones echo "Getting available Availability Zones..." AZ1=$(aws ec2 describe-availability-zones --query 'AvailabilityZones[0].ZoneName' --output text) AZ2=$(aws ec2 describe-availability-zones --query 'AvailabilityZones[1].ZoneName' --output text) if [ -z "$AZ1" ] || [ -z "$AZ2" ]; then handle_error "Failed to get Availability Zones" fi echo "Using Availability Zones: $AZ1 and $AZ2" # Create public subnets echo "Creating public subnet in $AZ1..." PUBLIC_SUBNET_AZ1=$(aws ec2 create-subnet \ --vpc-id "$VPC_ID" \ --cidr-block 10.0.0.0/24 \ --availability-zone "$AZ1" \ --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Public-Subnet-AZ1}]' \ --query 'Subnet.SubnetId' \ --output text) if [ -z "$PUBLIC_SUBNET_AZ1" ]; then handle_error "Failed to create public subnet in AZ1" fi CREATED_RESOURCES+=("SUBNET:$PUBLIC_SUBNET_AZ1") echo "Public subnet created in $AZ1 with ID: $PUBLIC_SUBNET_AZ1" echo "Creating public subnet in $AZ2..." PUBLIC_SUBNET_AZ2=$(aws ec2 create-subnet \ --vpc-id "$VPC_ID" \ --cidr-block 10.0.1.0/24 \ --availability-zone "$AZ2" \ --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Public-Subnet-AZ2}]' \ --query 'Subnet.SubnetId' \ --output text) if [ -z "$PUBLIC_SUBNET_AZ2" ]; then handle_error "Failed to create public subnet in AZ2" fi CREATED_RESOURCES+=("SUBNET:$PUBLIC_SUBNET_AZ2") echo "Public subnet created in $AZ2 with ID: $PUBLIC_SUBNET_AZ2" # Create private subnets echo "Creating private subnet in $AZ1..." PRIVATE_SUBNET_AZ1=$(aws ec2 create-subnet \ --vpc-id "$VPC_ID" \ --cidr-block 10.0.2.0/24 \ --availability-zone "$AZ1" \ --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Private-Subnet-AZ1}]' \ --query 'Subnet.SubnetId' \ --output text) if [ -z "$PRIVATE_SUBNET_AZ1" ]; then handle_error "Failed to create private subnet in AZ1" fi CREATED_RESOURCES+=("SUBNET:$PRIVATE_SUBNET_AZ1") echo "Private subnet created in $AZ1 with ID: $PRIVATE_SUBNET_AZ1" echo "Creating private subnet in $AZ2..." PRIVATE_SUBNET_AZ2=$(aws ec2 create-subnet \ --vpc-id "$VPC_ID" \ --cidr-block 10.0.3.0/24 \ --availability-zone "$AZ2" \ --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=Private-Subnet-AZ2}]' \ --query 'Subnet.SubnetId' \ --output text) if [ -z "$PRIVATE_SUBNET_AZ2" ]; then handle_error "Failed to create private subnet in AZ2" fi CREATED_RESOURCES+=("SUBNET:$PRIVATE_SUBNET_AZ2") echo "Private subnet created in $AZ2 with ID: $PRIVATE_SUBNET_AZ2" # Create Internet Gateway echo "Creating Internet Gateway..." IGW_ID=$(aws ec2 create-internet-gateway \ --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=MyIGW}]' \ --query 'InternetGateway.InternetGatewayId' \ --output text) if [ -z "$IGW_ID" ]; then handle_error "Failed to create Internet Gateway" fi CREATED_RESOURCES+=("INTERNET_GATEWAY:$IGW_ID") echo "Internet Gateway created with ID: $IGW_ID" # Attach Internet Gateway to VPC echo "Attaching Internet Gateway to VPC..." aws ec2 attach-internet-gateway --internet-gateway-id "$IGW_ID" --vpc-id "$VPC_ID" || handle_error "Failed to attach Internet Gateway to VPC" # Create public route table echo "Creating public route table..." PUBLIC_RT=$(aws ec2 create-route-table \ --vpc-id "$VPC_ID" \ --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=Public-RT}]' \ --query 'RouteTable.RouteTableId' \ --output text) if [ -z "$PUBLIC_RT" ]; then handle_error "Failed to create public route table" fi CREATED_RESOURCES+=("ROUTE_TABLE:$PUBLIC_RT") echo "Public route table created with ID: $PUBLIC_RT" # Add route to Internet Gateway echo "Adding route to Internet Gateway in public route table..." aws ec2 create-route --route-table-id "$PUBLIC_RT" --destination-cidr-block 0.0.0.0/0 --gateway-id "$IGW_ID" || handle_error "Failed to add route to Internet Gateway" # Associate public subnets with public route table echo "Associating public subnet in $AZ1 with public route table..." PUBLIC_RT_ASSOC_1=$(aws ec2 associate-route-table --route-table-id "$PUBLIC_RT" --subnet-id "$PUBLIC_SUBNET_AZ1" --query 'AssociationId' --output text) if [ -z "$PUBLIC_RT_ASSOC_1" ]; then handle_error "Failed to associate public subnet in AZ1 with public route table" fi CREATED_RESOURCES+=("ROUTE_TABLE_ASSOCIATION:$PUBLIC_RT_ASSOC_1") echo "Associating public subnet in $AZ2 with public route table..." PUBLIC_RT_ASSOC_2=$(aws ec2 associate-route-table --route-table-id "$PUBLIC_RT" --subnet-id "$PUBLIC_SUBNET_AZ2" --query 'AssociationId' --output text) if [ -z "$PUBLIC_RT_ASSOC_2" ]; then handle_error "Failed to associate public subnet in AZ2 with public route table" fi CREATED_RESOURCES+=("ROUTE_TABLE_ASSOCIATION:$PUBLIC_RT_ASSOC_2") # Create private route table echo "Creating private route table..." PRIVATE_RT=$(aws ec2 create-route-table \ --vpc-id "$VPC_ID" \ --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=Private-RT}]' \ --query 'RouteTable.RouteTableId' \ --output text) if [ -z "$PRIVATE_RT" ]; then handle_error "Failed to create private route table" fi CREATED_RESOURCES+=("ROUTE_TABLE:$PRIVATE_RT") echo "Private route table created with ID: $PRIVATE_RT" # Associate private subnets with private route table echo "Associating private subnet in $AZ1 with private route table..." PRIVATE_RT_ASSOC_1=$(aws ec2 associate-route-table --route-table-id "$PRIVATE_RT" --subnet-id "$PRIVATE_SUBNET_AZ1" --query 'AssociationId' --output text) if [ -z "$PRIVATE_RT_ASSOC_1" ]; then handle_error "Failed to associate private subnet in AZ1 with private route table" fi CREATED_RESOURCES+=("ROUTE_TABLE_ASSOCIATION:$PRIVATE_RT_ASSOC_1") echo "Associating private subnet in $AZ2 with private route table..." PRIVATE_RT_ASSOC_2=$(aws ec2 associate-route-table --route-table-id "$PRIVATE_RT" --subnet-id "$PRIVATE_SUBNET_AZ2" --query 'AssociationId' --output text) if [ -z "$PRIVATE_RT_ASSOC_2" ]; then handle_error "Failed to associate private subnet in AZ2 with private route table" fi CREATED_RESOURCES+=("ROUTE_TABLE_ASSOCIATION:$PRIVATE_RT_ASSOC_2") # Allocate Elastic IP for NAT Gateway echo "Allocating Elastic IP for NAT Gateway..." EIP_ALLOC=$(aws ec2 allocate-address --domain vpc --query 'AllocationId' --output text) if [ -z "$EIP_ALLOC" ]; then handle_error "Failed to allocate Elastic IP" fi CREATED_RESOURCES+=("EIP:$EIP_ALLOC") echo "Elastic IP allocated with ID: $EIP_ALLOC" # Create NAT Gateway echo "Creating NAT Gateway in public subnet in $AZ1..." NAT_GW=$(aws ec2 create-nat-gateway \ --subnet-id "$PUBLIC_SUBNET_AZ1" \ --allocation-id "$EIP_ALLOC" \ --tag-specifications 'ResourceType=natgateway,Tags=[{Key=Name,Value=MyNATGateway}]' \ --query 'NatGateway.NatGatewayId' \ --output text) if [ -z "$NAT_GW" ]; then handle_error "Failed to create NAT Gateway" fi CREATED_RESOURCES+=("NAT_GATEWAY:$NAT_GW") echo "NAT Gateway created with ID: $NAT_GW" # Wait for NAT Gateway to be available echo "Waiting for NAT Gateway to be available..." aws ec2 wait nat-gateway-available --nat-gateway-ids "$NAT_GW" || handle_error "NAT Gateway did not become available" # Add route to NAT Gateway in private route table echo "Adding route to NAT Gateway in private route table..." aws ec2 create-route --route-table-id "$PRIVATE_RT" --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$NAT_GW" || handle_error "Failed to add route to NAT Gateway" # Enable auto-assign public IP for instances in public subnets echo "Enabling auto-assign public IP for instances in public subnet in $AZ1..." aws ec2 modify-subnet-attribute --subnet-id "$PUBLIC_SUBNET_AZ1" --map-public-ip-on-launch || handle_error "Failed to enable auto-assign public IP for public subnet in AZ1" echo "Enabling auto-assign public IP for instances in public subnet in $AZ2..." aws ec2 modify-subnet-attribute --subnet-id "$PUBLIC_SUBNET_AZ2" --map-public-ip-on-launch || handle_error "Failed to enable auto-assign public IP for public subnet in AZ2" # Create security group for web servers echo "Creating security group for web servers..." WEB_SG=$(aws ec2 create-security-group \ --group-name "WebServerSG-$(date +%s)" \ --description "Security group for web servers" \ --vpc-id "$VPC_ID" \ --query 'GroupId' \ --output text) if [ -z "$WEB_SG" ]; then handle_error "Failed to create security group for web servers" fi CREATED_RESOURCES+=("SECURITY_GROUP:$WEB_SG") echo "Security group for web servers created with ID: $WEB_SG" # Allow HTTP and HTTPS traffic echo "Allowing HTTP traffic to web servers security group..." aws ec2 authorize-security-group-ingress --group-id "$WEB_SG" --protocol tcp --port 80 --cidr 0.0.0.0/0 || handle_error "Failed to allow HTTP traffic" echo "Allowing HTTPS traffic to web servers security group..." aws ec2 authorize-security-group-ingress --group-id "$WEB_SG" --protocol tcp --port 443 --cidr 0.0.0.0/0 || handle_error "Failed to allow HTTPS traffic" # Note: In a production environment, you should restrict the source IP ranges for security echo "NOTE: In a production environment, you should restrict the source IP ranges for HTTP and HTTPS traffic" # Create security group for database servers echo "Creating security group for database servers..." DB_SG=$(aws ec2 create-security-group \ --group-name "DBServerSG-$(date +%s)" \ --description "Security group for database servers" \ --vpc-id "$VPC_ID" \ --query 'GroupId' \ --output text) if [ -z "$DB_SG" ]; then handle_error "Failed to create security group for database servers" fi CREATED_RESOURCES+=("SECURITY_GROUP:$DB_SG") echo "Security group for database servers created with ID: $DB_SG" # Allow MySQL/Aurora traffic from web servers only echo "Allowing MySQL/Aurora traffic from web servers to database servers..." aws ec2 authorize-security-group-ingress --group-id "$DB_SG" --protocol tcp --port 3306 --source-group "$WEB_SG" || handle_error "Failed to allow MySQL/Aurora traffic" # Verify VPC configuration echo "Verifying VPC configuration..." echo "VPC:" aws ec2 describe-vpcs --vpc-id "$VPC_ID" || handle_error "Failed to describe VPC" echo "Subnets:" aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" || handle_error "Failed to describe subnets" echo "Route tables:" aws ec2 describe-route-tables --filters "Name=vpc-id,Values=$VPC_ID" || handle_error "Failed to describe route tables" echo "Internet gateway:" aws ec2 describe-internet-gateways --filters "Name=attachment.vpc-id,Values=$VPC_ID" || handle_error "Failed to describe Internet Gateway" echo "NAT gateway:" aws ec2 describe-nat-gateways --filter "Name=vpc-id,Values=$VPC_ID" || handle_error "Failed to describe NAT Gateway" echo "Security groups:" aws ec2 describe-security-groups --filters "Name=vpc-id,Values=$VPC_ID" || handle_error "Failed to describe security groups" echo "" # Summary of created resources echo "VPC creation completed successfully!" echo "Summary of created resources:" echo "- VPC: $VPC_ID" echo "- Public Subnet in $AZ1: $PUBLIC_SUBNET_AZ1" echo "- Public Subnet in $AZ2: $PUBLIC_SUBNET_AZ2" echo "- Private Subnet in $AZ1: $PRIVATE_SUBNET_AZ1" echo "- Private Subnet in $AZ2: $PRIVATE_SUBNET_AZ2" echo "- Internet Gateway: $IGW_ID" echo "- Public Route Table: $PUBLIC_RT" echo "- Private Route Table: $PRIVATE_RT" echo "- Elastic IP: $EIP_ALLOC" echo "- NAT Gateway: $NAT_GW" echo "- Web Servers Security Group: $WEB_SG" echo "- Database Servers Security Group: $DB_SG" # Deploy EC2 instances echo "" echo "Deploying EC2 instances..." # Create key pair for SSH access KEY_NAME="vpc-tutorial-key-$(date +%s)" echo "Creating key pair $KEY_NAME..." aws ec2 create-key-pair --key-name "$KEY_NAME" --query 'KeyMaterial' --output text > "${KEY_NAME}.pem" || handle_error "Failed to create key pair" chmod 400 "${KEY_NAME}.pem" echo "Key pair saved to ${KEY_NAME}.pem" CREATED_RESOURCES+=("KEY_PAIR:$KEY_NAME") # Get latest Amazon Linux 2 AMI echo "Getting latest Amazon Linux 2 AMI..." AMI_ID=$(aws ec2 describe-images --owners amazon \ --filters "Name=name,Values=amzn2-ami-hvm-*-x86_64-gp2" "Name=state,Values=available" \ --query "sort_by(Images, &CreationDate)[-1].ImageId" --output text) || handle_error "Failed to get AMI" echo "Using AMI: $AMI_ID" # Launch web server in public subnet echo "Launching web server in public subnet..." WEB_INSTANCE=$(aws ec2 run-instances \ --image-id "$AMI_ID" \ --count 1 \ --instance-type t2.micro \ --key-name "$KEY_NAME" \ --security-group-ids "$WEB_SG" \ --subnet-id "$PUBLIC_SUBNET_AZ1" \ --associate-public-ip-address \ --user-data '#!/bin/bash yum update -y yum install -y httpd systemctl start httpd systemctl enable httpd echo "

Hello from $(hostname -f) in the public subnet

" > /var/www/html/index.html' \ --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=WebServer}]' \ --query 'Instances[0].InstanceId' \ --output text) || handle_error "Failed to launch web server" echo "Web server instance created with ID: $WEB_INSTANCE" CREATED_RESOURCES+=("INSTANCE:$WEB_INSTANCE") # Wait for web server to be running echo "Waiting for web server to be running..." aws ec2 wait instance-running --instance-ids "$WEB_INSTANCE" # Get web server public IP WEB_PUBLIC_IP=$(aws ec2 describe-instances --instance-ids "$WEB_INSTANCE" \ --query 'Reservations[0].Instances[0].PublicIpAddress' --output text) echo "Web server public IP: $WEB_PUBLIC_IP" echo "You can access the web server at: http://$WEB_PUBLIC_IP" # Launch database server in private subnet echo "Launching database server in private subnet..." DB_INSTANCE=$(aws ec2 run-instances \ --image-id "$AMI_ID" \ --count 1 \ --instance-type t2.micro \ --key-name "$KEY_NAME" \ --security-group-ids "$DB_SG" \ --subnet-id "$PRIVATE_SUBNET_AZ1" \ --user-data '#!/bin/bash yum update -y yum install -y mariadb-server systemctl start mariadb systemctl enable mariadb' \ --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=DBServer}]' \ --query 'Instances[0].InstanceId' \ --output text) || handle_error "Failed to launch database server" echo "Database server instance created with ID: $DB_INSTANCE" CREATED_RESOURCES+=("INSTANCE:$DB_INSTANCE") # Wait for database server to be running echo "Waiting for database server to be running..." aws ec2 wait instance-running --instance-ids "$DB_INSTANCE" # Get database server private IP DB_PRIVATE_IP=$(aws ec2 describe-instances --instance-ids "$DB_INSTANCE" \ --query 'Reservations[0].Instances[0].PrivateIpAddress' --output text) echo "Database server private IP: $DB_PRIVATE_IP" echo "EC2 instances deployed successfully!" echo "- Web Server (Public): $WEB_INSTANCE ($WEB_PUBLIC_IP)" echo "- Database Server (Private): $DB_INSTANCE ($DB_PRIVATE_IP)" echo "" echo "Note: To connect to the web server: ssh -i ${KEY_NAME}.pem ec2-user@$WEB_PUBLIC_IP" echo "To connect to the database server, you must first connect to the web server, then use it as a bastion host." echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Cleaning up resources..." cleanup_resources echo "All resources have been cleaned up." else echo "Resources will not be cleaned up. You can manually clean them up later." fi echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AllocateAddress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AllocateAddress) + [AssociateRouteTable](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AssociateRouteTable) + [AttachInternetGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AttachInternetGateway) + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateInternetGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateInternetGateway) + [CreateKeyPair](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateKeyPair) + [CreateNatGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateNatGateway) + [CreateRoute](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateRoute) + [CreateRouteTable](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateRouteTable) + [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) + [CreateSubnet](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSubnet) + [CreateVpc](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateVpc) + [DeleteInternetGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteInternetGateway) + [DeleteKeyPair](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteKeyPair) + [DeleteNatGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteNatGateway) + [DeleteRouteTable](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteRouteTable) + [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) + [DeleteSubnet](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSubnet) + [DeleteVpc](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteVpc) + [DescribeAvailabilityZones](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeAvailabilityZones) + [DescribeImages](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeImages) + [DescribeInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeInstances) + [DescribeInternetGateways](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeInternetGateways) + [DescribeNatGateways](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeNatGateways) + [DescribeRouteTables](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeRouteTables) + [DescribeSecurityGroups](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSecurityGroups) + [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets) + [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs) + [DetachInternetGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DetachInternetGateway) + [DisassociateRouteTable](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DisassociateRouteTable) + [ModifySubnetAttribute](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/ModifySubnetAttribute) + [ModifyVpcAttribute](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/ModifyVpcAttribute) + [ReleaseAddress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/ReleaseAddress) + [RunInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/RunInstances) + [TerminateInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/TerminateInstances) ### Create an Amazon ECS Linux task for the Fargate launch type The following code example shows how to: + Create the cluster + Create a task definition + Create the service + Clean up **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/086-amazon-ecs-fargate-linux) repository. ``` #!/bin/bash # Amazon ECS Fargate Tutorial Script - Version 5 # This script creates an ECS cluster, task definition, and service using Fargate launch type # Fixed version with proper resource dependency handling during cleanup set -e # Exit on any error # Initialize logging LOG_FILE="ecs-fargate-tutorial-v5.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon ECS Fargate tutorial at $(date)" echo "Log file: $LOG_FILE" # Generate random identifier for unique resource names RANDOM_ID=$(openssl rand -hex 6) CLUSTER_NAME="fargate-cluster-${RANDOM_ID}" SERVICE_NAME="fargate-service-${RANDOM_ID}" TASK_FAMILY="sample-fargate-${RANDOM_ID}" SECURITY_GROUP_NAME="ecs-fargate-sg-${RANDOM_ID}" # Array to track created resources for cleanup CREATED_RESOURCES=() # Function to log and execute commands execute_command() { local cmd="$1" local description="$2" echo "" echo "==========================================" echo "EXECUTING: $description" echo "COMMAND: $cmd" echo "==========================================" local output local exit_code set +e # Temporarily disable exit on error output=$(eval "$cmd" 2>&1) exit_code=$? set -e # Re-enable exit on error if [[ $exit_code -eq 0 ]]; then echo "SUCCESS: $description" echo "OUTPUT: $output" return 0 else echo "FAILED: $description" echo "EXIT CODE: $exit_code" echo "OUTPUT: $output" return 1 fi } # Function to check for actual AWS API errors in command output check_for_aws_errors() { local output="$1" local description="$2" # Look for specific AWS error patterns, not just the word "error" if echo "$output" | grep -qi "An error occurred\|InvalidParameter\|AccessDenied\|ResourceNotFound\|ValidationException"; then echo "AWS API ERROR detected in output for: $description" echo "Output: $output" return 1 fi return 0 } # Function to wait for network interfaces to be cleaned up wait_for_network_interfaces_cleanup() { local security_group_id="$1" local max_attempts=30 local attempt=1 echo "Waiting for network interfaces to be cleaned up..." while [[ $attempt -le $max_attempts ]]; do echo "Attempt $attempt/$max_attempts: Checking for dependent network interfaces..." # Check if there are any network interfaces still using this security group local eni_count eni_count=$(aws ec2 describe-network-interfaces \ --filters "Name=group-id,Values=$security_group_id" \ --query "length(NetworkInterfaces)" \ --output text 2>/dev/null || echo "0") if [[ "$eni_count" == "0" ]]; then echo "No network interfaces found using security group $security_group_id" return 0 else echo "Found $eni_count network interface(s) still using security group $security_group_id" echo "Waiting 10 seconds before next check..." sleep 10 ((attempt++)) fi done echo "WARNING: Network interfaces may still be attached after $max_attempts attempts" echo "This is normal and the security group deletion will be retried" return 1 } # Function to retry security group deletion with exponential backoff retry_security_group_deletion() { local security_group_id="$1" local max_attempts=10 local attempt=1 local wait_time=5 while [[ $attempt -le $max_attempts ]]; do echo "Attempt $attempt/$max_attempts: Trying to delete security group $security_group_id" if execute_command "aws ec2 delete-security-group --group-id $security_group_id" "Delete security group (attempt $attempt)"; then echo "Successfully deleted security group $security_group_id" return 0 else if [[ $attempt -eq $max_attempts ]]; then echo "FAILED: Could not delete security group $security_group_id after $max_attempts attempts" echo "This may be due to network interfaces that are still being cleaned up by AWS" echo "You can manually delete it later using: aws ec2 delete-security-group --group-id $security_group_id" return 1 else echo "Waiting $wait_time seconds before retry..." sleep $wait_time wait_time=$((wait_time * 2)) # Exponential backoff ((attempt++)) fi fi done } # Function to cleanup resources with proper dependency handling cleanup_resources() { echo "" echo "===========================================" echo "CLEANUP PROCESS" echo "===========================================" echo "The following resources were created:" for resource in "${CREATED_RESOURCES[@]}"; do echo " - $resource" done echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Starting cleanup process..." # Step 1: Scale service to 0 tasks first, then delete service if [[ " ${CREATED_RESOURCES[*]} " =~ " ECS Service: $SERVICE_NAME " ]]; then echo "" echo "Step 1: Scaling service to 0 tasks..." if execute_command "aws ecs update-service --cluster $CLUSTER_NAME --service $SERVICE_NAME --desired-count 0" "Scale service to 0 tasks"; then echo "Waiting for service to stabilize after scaling to 0..." execute_command "aws ecs wait services-stable --cluster $CLUSTER_NAME --services $SERVICE_NAME" "Wait for service to stabilize" echo "Deleting service..." execute_command "aws ecs delete-service --cluster $CLUSTER_NAME --service $SERVICE_NAME" "Delete ECS service" else echo "WARNING: Failed to scale service. Attempting to delete anyway..." execute_command "aws ecs delete-service --cluster $CLUSTER_NAME --service $SERVICE_NAME --force" "Force delete ECS service" fi fi # Step 2: Wait a bit for tasks to fully terminate echo "" echo "Step 2: Waiting for tasks to fully terminate..." sleep 15 # Step 3: Delete cluster if [[ " ${CREATED_RESOURCES[*]} " =~ " ECS Cluster: $CLUSTER_NAME " ]]; then echo "" echo "Step 3: Deleting cluster..." execute_command "aws ecs delete-cluster --cluster $CLUSTER_NAME" "Delete ECS cluster" fi # Step 4: Wait for network interfaces to be cleaned up, then delete security group if [[ -n "$SECURITY_GROUP_ID" ]]; then echo "" echo "Step 4: Cleaning up security group..." # First, wait for network interfaces to be cleaned up wait_for_network_interfaces_cleanup "$SECURITY_GROUP_ID" # Then retry security group deletion with backoff retry_security_group_deletion "$SECURITY_GROUP_ID" fi # Step 5: Clean up task definition (deregister all revisions) if [[ " ${CREATED_RESOURCES[*]} " =~ " Task Definition: $TASK_FAMILY " ]]; then echo "" echo "Step 5: Deregistering task definition revisions..." # Get all revisions of the task definition local revisions revisions=$(aws ecs list-task-definitions --family-prefix "$TASK_FAMILY" --query "taskDefinitionArns" --output text 2>/dev/null || echo "") if [[ -n "$revisions" && "$revisions" != "None" ]]; then for revision_arn in $revisions; do echo "Deregistering task definition: $revision_arn" execute_command "aws ecs deregister-task-definition --task-definition $revision_arn" "Deregister task definition $revision_arn" || true done else echo "No task definition revisions found to deregister" fi fi echo "" echo "===========================================" echo "CLEANUP COMPLETED" echo "===========================================" echo "All resources have been cleaned up successfully!" else echo "Cleanup skipped. Resources remain active." echo "" echo "To clean up manually later, use the following commands in order:" echo "1. Scale service to 0: aws ecs update-service --cluster $CLUSTER_NAME --service $SERVICE_NAME --desired-count 0" echo "2. Wait for stability: aws ecs wait services-stable --cluster $CLUSTER_NAME --services $SERVICE_NAME" echo "3. Delete service: aws ecs delete-service --cluster $CLUSTER_NAME --service $SERVICE_NAME" echo "4. Delete cluster: aws ecs delete-cluster --cluster $CLUSTER_NAME" echo "5. Wait 2-3 minutes, then delete security group: aws ec2 delete-security-group --group-id $SECURITY_GROUP_ID" if [[ " ${CREATED_RESOURCES[*]} " =~ " Task Definition: $TASK_FAMILY " ]]; then echo "6. Deregister task definitions: aws ecs list-task-definitions --family-prefix $TASK_FAMILY" echo " Then for each ARN: aws ecs deregister-task-definition --task-definition " fi fi } # Trap to handle script interruption trap cleanup_resources EXIT echo "Using random identifier: $RANDOM_ID" echo "Cluster name: $CLUSTER_NAME" echo "Service name: $SERVICE_NAME" echo "Task family: $TASK_FAMILY" # Step 1: Ensure ECS task execution role exists echo "" echo "===========================================" echo "STEP 1: VERIFY ECS TASK EXECUTION ROLE" echo "===========================================" ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) EXECUTION_ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskExecutionRole" # Check if role exists if aws iam get-role --role-name ecsTaskExecutionRole >/dev/null 2>&1; then echo "ECS task execution role already exists" else echo "Creating ECS task execution role..." # Create trust policy cat > trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF execute_command "aws iam create-role --role-name ecsTaskExecutionRole --assume-role-policy-document file://trust-policy.json" "Create ECS task execution role" execute_command "aws iam attach-role-policy --role-name ecsTaskExecutionRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" "Attach ECS task execution policy" # Clean up temporary file rm -f trust-policy.json CREATED_RESOURCES+=("IAM Role: ecsTaskExecutionRole") fi # Step 2: Create ECS cluster echo "" echo "===========================================" echo "STEP 2: CREATE ECS CLUSTER" echo "===========================================" CLUSTER_OUTPUT=$(execute_command "aws ecs create-cluster --cluster-name $CLUSTER_NAME" "Create ECS cluster") check_for_aws_errors "$CLUSTER_OUTPUT" "Create ECS cluster" CREATED_RESOURCES+=("ECS Cluster: $CLUSTER_NAME") # Step 3: Create task definition echo "" echo "===========================================" echo "STEP 3: CREATE TASK DEFINITION" echo "===========================================" # Create task definition JSON cat > task-definition.json << EOF { "family": "$TASK_FAMILY", "networkMode": "awsvpc", "requiresCompatibilities": ["FARGATE"], "cpu": "256", "memory": "512", "executionRoleArn": "$EXECUTION_ROLE_ARN", "containerDefinitions": [ { "name": "fargate-app", "image": "public.ecr.aws/docker/library/httpd:latest", "portMappings": [ { "containerPort": 80, "hostPort": 80, "protocol": "tcp" } ], "essential": true, "entryPoint": ["sh", "-c"], "command": [ "/bin/sh -c \"echo ' Amazon ECS Sample App

Amazon ECS Sample App

Congratulations!

Your application is now running on a container in Amazon ECS.

Hello from $HOSTNAME in $AZ

" > /var/www/html/index.html EOF # Encode user data USER_DATA=$(base64 -w 0 user-data.sh) # Get latest Amazon Linux 2 AMI echo "Getting latest Amazon Linux 2 AMI..." AMI_ID=$(aws ec2 describe-images --owners amazon --filters "Name=name,Values=amzn2-ami-hvm-*-x86_64-gp2" "Name=state,Values=available" --query 'sort_by(Images, &CreationDate)[-1].ImageId' --output text) check_command "Failed to get latest Amazon Linux 2 AMI" echo "Using AMI: $AMI_ID" # Create launch template with IMDSv2 required LAUNCH_TEMPLATE_NAME="AppServerTemplate-$RANDOM_ID" echo "Creating launch template: $LAUNCH_TEMPLATE_NAME" aws ec2 create-launch-template \ --launch-template-name "$LAUNCH_TEMPLATE_NAME" \ --version-description "Initial version" \ --tag-specifications "ResourceType=launch-template,Tags=[{Key=Name,Value=$LAUNCH_TEMPLATE_NAME}]" \ --launch-template-data "{ \"NetworkInterfaces\": [{ \"DeviceIndex\": 0, \"Groups\": [\"$APP_SG_ID\"], \"DeleteOnTermination\": true }], \"ImageId\": \"$AMI_ID\", \"InstanceType\": \"t3.micro\", \"UserData\": \"$USER_DATA\", \"MetadataOptions\": { \"HttpTokens\": \"required\", \"HttpEndpoint\": \"enabled\" }, \"TagSpecifications\": [{ \"ResourceType\": \"instance\", \"Tags\": [{ \"Key\": \"Name\", \"Value\": \"AppServer-$RANDOM_ID\" }] }] }" check_command "Failed to create launch template" # Create target group echo "Creating target group..." TARGET_GROUP_NAME="AppTargetGroup-$RANDOM_ID" TARGET_GROUP_RESULT=$(aws elbv2 create-target-group \ --name "$TARGET_GROUP_NAME" \ --protocol HTTP \ --port 80 \ --vpc-id "$VPC_ID" \ --target-type instance \ --health-check-protocol HTTP \ --health-check-path "/" \ --health-check-port traffic-port) check_command "Failed to create target group" TARGET_GROUP_ARN=$(echo "$TARGET_GROUP_RESULT" | jq -r '.TargetGroups[0].TargetGroupArn') echo "Target group created with ARN: $TARGET_GROUP_ARN" # Create load balancer echo "Creating load balancer..." LB_NAME="AppLoadBalancer-$RANDOM_ID" LB_RESULT=$(aws elbv2 create-load-balancer \ --name "$LB_NAME" \ --subnets "$PUBLIC_SUBNET1_ID" "$PUBLIC_SUBNET2_ID" \ --security-groups "$LB_SG_ID" \ --tags "Key=Name,Value=$LB_NAME") check_command "Failed to create load balancer" LB_ARN=$(echo "$LB_RESULT" | jq -r '.LoadBalancers[0].LoadBalancerArn') echo "Load balancer created with ARN: $LB_ARN" # Wait for load balancer to be active echo "Waiting for load balancer to be active..." aws elbv2 wait load-balancer-available --load-balancer-arns "$LB_ARN" check_command "Load balancer did not become available" # Create listener echo "Creating listener..." LISTENER_RESULT=$(aws elbv2 create-listener \ --load-balancer-arn "$LB_ARN" \ --protocol HTTP \ --port 80 \ --default-actions "Type=forward,TargetGroupArn=$TARGET_GROUP_ARN") check_command "Failed to create listener" LISTENER_ARN=$(echo "$LISTENER_RESULT" | jq -r '.Listeners[0].ListenerArn') echo "Listener created with ARN: $LISTENER_ARN" # Create Auto Scaling group echo "Creating Auto Scaling group..." ASG_NAME="AppAutoScalingGroup-$RANDOM_ID" aws autoscaling create-auto-scaling-group \ --auto-scaling-group-name "$ASG_NAME" \ --launch-template "LaunchTemplateName=$LAUNCH_TEMPLATE_NAME,Version=\$Latest" \ --min-size 2 \ --max-size 4 \ --desired-capacity 2 \ --vpc-zone-identifier "$PRIVATE_SUBNET1_ID,$PRIVATE_SUBNET2_ID" \ --target-group-arns "$TARGET_GROUP_ARN" \ --health-check-type ELB \ --health-check-grace-period 300 \ --tags "Key=Name,Value=AppServer-$RANDOM_ID,PropagateAtLaunch=true" check_command "Failed to create Auto Scaling group" echo "Auto Scaling group created with name: $ASG_NAME" # Get load balancer DNS name LB_DNS_NAME=$(aws elbv2 describe-load-balancers --load-balancer-arns "$LB_ARN" --query 'LoadBalancers[0].DNSName' --output text) check_command "Failed to get load balancer DNS name" echo "" echo "===========================================" echo "DEPLOYMENT COMPLETE" echo "===========================================" echo "VPC ID: $VPC_ID" echo "Public Subnet 1: $PUBLIC_SUBNET1_ID (AZ: $AZ1)" echo "Private Subnet 1: $PRIVATE_SUBNET1_ID (AZ: $AZ1)" echo "Public Subnet 2: $PUBLIC_SUBNET2_ID (AZ: $AZ2)" echo "Private Subnet 2: $PRIVATE_SUBNET2_ID (AZ: $AZ2)" echo "NAT Gateway 1: $NAT_GW1_ID" echo "NAT Gateway 2: $NAT_GW2_ID" echo "Load Balancer: $LB_NAME" echo "Auto Scaling Group: $ASG_NAME" echo "" echo "Your application will be available at: http://$LB_DNS_NAME" echo "It may take a few minutes for the instances to launch and pass health checks." echo "" # Add health check monitoring echo "===========================================" echo "MONITORING INSTANCE HEALTH AND LOAD BALANCER" echo "===========================================" echo "Waiting for instances to launch and pass health checks..." echo "This may take 3-5 minutes. Checking every 30 seconds..." # Monitor instance health and load balancer accessibility MAX_ATTEMPTS=10 ATTEMPT=1 HEALTHY_INSTANCES=0 while [ $ATTEMPT -le $MAX_ATTEMPTS ] && [ $HEALTHY_INSTANCES -lt 2 ]; do echo "Check attempt $ATTEMPT of $MAX_ATTEMPTS..." # Check Auto Scaling group instances echo "Checking Auto Scaling group instances..." ASG_INSTANCES=$(aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names "$ASG_NAME" --query 'AutoScalingGroups[0].Instances[*].[InstanceId,HealthStatus]' --output json) echo "ASG Instances status:" echo "$ASG_INSTANCES" | jq -r '.[] | "Instance: \(.[0]), Health: \(.[1])"' # Check target group health echo "Checking target group health..." TARGET_HEALTH=$(aws elbv2 describe-target-health --target-group-arn "$TARGET_GROUP_ARN" --output json) echo "Target health status:" echo "$TARGET_HEALTH" | jq -r '.TargetHealthDescriptions[] | "Instance: \(.Target.Id), State: \(.TargetHealth.State), Reason: \(.TargetHealth.Reason // "N/A"), Description: \(.TargetHealth.Description // "N/A")"' # Count healthy instances HEALTHY_INSTANCES=$(echo "$TARGET_HEALTH" | jq -r '[.TargetHealthDescriptions[] | select(.TargetHealth.State=="healthy")] | length') echo "Number of healthy instances: $HEALTHY_INSTANCES of 2 expected" # Check if we have healthy instances if [ $HEALTHY_INSTANCES -ge 2 ]; then echo "All instances are healthy!" # Test load balancer accessibility echo "Testing load balancer accessibility..." HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" "http://$LB_DNS_NAME") if [ "$HTTP_STATUS" = "200" ]; then echo "Load balancer is accessible! HTTP Status: $HTTP_STATUS" echo "You can access your application at: http://$LB_DNS_NAME" # Try to get the content to verify IMDSv2 is working echo "Fetching content to verify IMDSv2 functionality..." CONTENT=$(curl -s "http://$LB_DNS_NAME") echo "Response from server:" echo "$CONTENT" # Check if the content contains the expected pattern if [[ "$CONTENT" == *"Hello from"* && "$CONTENT" == *"in"* ]]; then echo "IMDSv2 is working correctly! The instance was able to access metadata using the token-based approach." else echo "Warning: Content doesn't match expected pattern. IMDSv2 functionality could not be verified." fi break else echo "Load balancer returned HTTP status: $HTTP_STATUS" echo "Will try again in 30 seconds..." fi else echo "Waiting for instances to become healthy..." echo "Will check again in 30 seconds..." fi ATTEMPT=$((ATTEMPT+1)) if [ $ATTEMPT -le $MAX_ATTEMPTS ]; then sleep 30 fi done if [ $HEALTHY_INSTANCES -lt 2 ]; then echo "Warning: Not all instances are healthy after maximum attempts." echo "You may need to wait longer or check for configuration issues." fi echo "To test your application, run:" echo "curl http://$LB_DNS_NAME" echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup_resources echo "All resources have been deleted." else echo "Resources will not be deleted. You can manually delete them later." echo "To delete resources, run this script again and choose to clean up." fi ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AllocateAddress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AllocateAddress) + [AssociateRouteTable](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AssociateRouteTable) + [AttachInternetGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AttachInternetGateway) + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateInternetGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateInternetGateway) + [CreateLaunchTemplate](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateLaunchTemplate) + [CreateNatGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateNatGateway) + [CreateRoute](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateRoute) + [CreateRouteTable](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateRouteTable) + [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) + [CreateSubnet](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSubnet) + [CreateVpc](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateVpc) + [CreateVpcEndpoint](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateVpcEndpoint) + [DeleteAutoScalingGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteAutoScalingGroup) + [DeleteInternetGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteInternetGateway) + [DeleteLaunchTemplate](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteLaunchTemplate) + [DeleteLoadBalancer](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteLoadBalancer) + [DeleteNatGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteNatGateway) + [DeleteRouteTable](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteRouteTable) + [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) + [DeleteSubnet](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSubnet) + [DeleteTargetGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteTargetGroup) + [DeleteVpc](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteVpc) + [DeleteVpcEndpoints](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteVpcEndpoints) + [DescribeAvailabilityZones](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeAvailabilityZones) + [DescribeImages](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeImages) + [DescribePrefixLists](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribePrefixLists) + [DetachInternetGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DetachInternetGateway) + [ReleaseAddress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/ReleaseAddress) ### Working with Amazon EBS encryption, snapshots, and volume initialization The following code example shows how to: + Enable Amazon EBS encryption by default + Create an EBS snapshot + Create and initialize a volume from a snapshot + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/022-ebs-intermediate) repository. ``` #!/bin/bash # Script for EBS operations: encryption, snapshots, and volume initialization # This script demonstrates: # 1. Enabling EBS encryption by default # 2. Creating an EBS snapshot # 3. Creating a volume from a snapshot # Setup logging LOG_FILE="ebs-operations-v2.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting EBS operations script at $(date)" echo "All operations will be logged to $LOG_FILE" # Function to check command status check_status() { if [ $? -ne 0 ]; then echo "ERROR: $1 failed. Exiting." cleanup_resources exit 1 fi } # Function to cleanup resources cleanup_resources() { echo "Attempting to clean up resources..." if [ -n "$NEW_VOLUME_ID" ]; then echo "Checking if new volume is attached..." ATTACHMENT_STATE=$(aws ec2 describe-volumes --volume-ids "$NEW_VOLUME_ID" --query 'Volumes[0].Attachments[0].State' --output text 2>/dev/null) if [ "$ATTACHMENT_STATE" == "attached" ]; then echo "Detaching new volume $NEW_VOLUME_ID..." aws ec2 detach-volume --volume-id "$NEW_VOLUME_ID" echo "Waiting for volume to detach..." aws ec2 wait volume-available --volume-ids "$NEW_VOLUME_ID" fi echo "Deleting new volume $NEW_VOLUME_ID..." aws ec2 delete-volume --volume-id "$NEW_VOLUME_ID" fi if [ -n "$VOLUME_ID" ]; then echo "Checking if original volume is attached..." ATTACHMENT_STATE=$(aws ec2 describe-volumes --volume-ids "$VOLUME_ID" --query 'Volumes[0].Attachments[0].State' --output text 2>/dev/null) if [ "$ATTACHMENT_STATE" == "attached" ]; then echo "Detaching original volume $VOLUME_ID..." aws ec2 detach-volume --volume-id "$VOLUME_ID" echo "Waiting for volume to detach..." aws ec2 wait volume-available --volume-ids "$VOLUME_ID" fi echo "Deleting original volume $VOLUME_ID..." aws ec2 delete-volume --volume-id "$VOLUME_ID" fi if [ -n "$SNAPSHOT_ID" ]; then echo "Deleting snapshot $SNAPSHOT_ID..." aws ec2 delete-snapshot --snapshot-id "$SNAPSHOT_ID" fi if [ "$ENCRYPTION_MODIFIED" = true ]; then echo "Restoring original encryption setting..." if [ "$ORIGINAL_ENCRYPTION" = "False" ]; then aws ec2 disable-ebs-encryption-by-default else aws ec2 enable-ebs-encryption-by-default fi fi echo "Cleanup completed." } # Track created resources VOLUME_ID="" NEW_VOLUME_ID="" SNAPSHOT_ID="" ENCRYPTION_MODIFIED=false ORIGINAL_ENCRYPTION="" # Get the current AWS region AWS_REGION=$(aws configure get region) if [ -z "$AWS_REGION" ]; then AWS_REGION="us-east-1" echo "No region found in AWS config. Using default: $AWS_REGION" fi # Get availability zones in the region AVAILABILITY_ZONE=$(aws ec2 describe-availability-zones --query 'AvailabilityZones[0].ZoneName' --output text) check_status "Getting availability zone" echo "Using availability zone: $AVAILABILITY_ZONE" # Step 1: Check and enable EBS encryption by default echo "Step 1: Checking current EBS encryption by default setting..." ORIGINAL_ENCRYPTION=$(aws ec2 get-ebs-encryption-by-default --query 'EbsEncryptionByDefault' --output text) check_status "Checking encryption status" echo "Current encryption by default setting: $ORIGINAL_ENCRYPTION" if [ "$ORIGINAL_ENCRYPTION" = "False" ]; then echo "Enabling EBS encryption by default..." aws ec2 enable-ebs-encryption-by-default check_status "Enabling encryption by default" ENCRYPTION_MODIFIED=true # Verify encryption is enabled ENCRYPTION_STATUS=$(aws ec2 get-ebs-encryption-by-default --query 'EbsEncryptionByDefault' --output text) check_status "Verifying encryption status" echo "Updated encryption by default setting: $ENCRYPTION_STATUS" else echo "EBS encryption by default is already enabled." fi # Check the default KMS key echo "Checking default KMS key for EBS encryption..." KMS_KEY=$(aws ec2 get-ebs-default-kms-key-id --query 'KmsKeyId' --output text) check_status "Getting default KMS key" echo "Default KMS key: $KMS_KEY" # Step 2: Create a test volume for snapshot echo "Step 2: Creating a test volume..." VOLUME_ID=$(aws ec2 create-volume --availability-zone "$AVAILABILITY_ZONE" --size 1 --volume-type gp3 --query 'VolumeId' --output text) check_status "Creating test volume" echo "Created test volume: $VOLUME_ID" # Wait for volume to become available echo "Waiting for volume to become available..." aws ec2 wait volume-available --volume-ids "$VOLUME_ID" check_status "Waiting for volume" # Step 3: Create a snapshot of the volume echo "Step 3: Creating snapshot of the volume..." SNAPSHOT_ID=$(aws ec2 create-snapshot --volume-id "$VOLUME_ID" --description "Snapshot for EBS tutorial" --query 'SnapshotId' --output text) check_status "Creating snapshot" echo "Created snapshot: $SNAPSHOT_ID" # Wait for snapshot to complete echo "Waiting for snapshot to complete (this may take several minutes)..." aws ec2 wait snapshot-completed --snapshot-ids "$SNAPSHOT_ID" check_status "Waiting for snapshot" echo "Snapshot completed." # Step 4: Create a new volume from the snapshot echo "Step 4: Creating a new volume from the snapshot..." NEW_VOLUME_ID=$(aws ec2 create-volume --snapshot-id "$SNAPSHOT_ID" --availability-zone "$AVAILABILITY_ZONE" --volume-type gp3 --query 'VolumeId' --output text) check_status "Creating new volume from snapshot" echo "Created new volume from snapshot: $NEW_VOLUME_ID" # Wait for new volume to become available echo "Waiting for new volume to become available..." aws ec2 wait volume-available --volume-ids "$NEW_VOLUME_ID" check_status "Waiting for new volume" # Display created resources echo "" echo "===========================================" echo "RESOURCES CREATED" echo "===========================================" echo "Original Volume: $VOLUME_ID" echo "Snapshot: $SNAPSHOT_ID" echo "New Volume: $NEW_VOLUME_ID" echo "===========================================" # Prompt for cleanup echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy] ]]; then echo "Starting cleanup process..." # Delete the new volume echo "Deleting new volume $NEW_VOLUME_ID..." aws ec2 delete-volume --volume-id "$NEW_VOLUME_ID" check_status "Deleting new volume" # Delete the original volume echo "Deleting original volume $VOLUME_ID..." aws ec2 delete-volume --volume-id "$VOLUME_ID" check_status "Deleting original volume" # Delete the snapshot echo "Deleting snapshot $SNAPSHOT_ID..." aws ec2 delete-snapshot --snapshot-id "$SNAPSHOT_ID" check_status "Deleting snapshot" # Restore original encryption setting if modified if [ "$ENCRYPTION_MODIFIED" = true ]; then echo "Restoring original encryption setting..." if [ "$ORIGINAL_ENCRYPTION" = "False" ]; then aws ec2 disable-ebs-encryption-by-default check_status "Disabling encryption by default" fi fi echo "Cleanup completed successfully." else echo "Skipping cleanup. Resources will remain in your account." echo "To clean up manually, delete the following resources:" echo "1. Volume: $NEW_VOLUME_ID" echo "2. Volume: $VOLUME_ID" echo "3. Snapshot: $SNAPSHOT_ID" echo "4. Restore encryption setting with: aws ec2 disable-ebs-encryption-by-default (if needed)" fi echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateSnapshot](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSnapshot) + [CreateVolume](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateVolume) + [DeleteSnapshot](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSnapshot) + [DeleteVolume](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteVolume) + [DescribeAvailabilityZones](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeAvailabilityZones) + [DescribeVolumes](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVolumes) + [DetachVolume](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DetachVolume) + [DisableEbsEncryptionByDefault](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DisableEbsEncryptionByDefault) + [EnableEbsEncryptionByDefault](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/EnableEbsEncryptionByDefault) + [GetEbsDefaultKmsKeyId](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/GetEbsDefaultKmsKeyId) + [GetEbsEncryptionByDefault](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/GetEbsEncryptionByDefault) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/Wait) ### Working with VPC peering connections The following code example shows how to: + Create VPCs for peering + Create a VPC peering connection + Update route tables + Verify the VPC peering connection + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/015-vpc-peering) repository. ``` #!/bin/bash # VPC Peering Connection Script - Version 4 (Fixed) # This script establishes a VPC peering connection between two VPCs, # creates subnets if needed, and configures the necessary route tables. # It will use existing VPCs if available, or create new ones if needed. # Initialize log file LOG_FILE="vpc-peering-script-v4.log" echo "Starting VPC Peering script at $(date)" > $LOG_FILE # Function to log commands and their output log_cmd() { echo "$(date): COMMAND: $1" >> $LOG_FILE eval "$1" 2>&1 | tee -a $LOG_FILE return ${PIPESTATUS[0]} } # Function to check for errors check_error() { if [ $1 -ne 0 ]; then echo "ERROR: Command failed with exit code $1" | tee -a $LOG_FILE echo "See $LOG_FILE for details" cleanup_on_error exit $1 fi } # Function to clean up resources on error cleanup_on_error() { echo "Error encountered. Attempting to clean up resources..." | tee -a $LOG_FILE # List created resources echo "Resources created:" | tee -a $LOG_FILE for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" | tee -a $LOG_FILE done # Clean up in reverse order for ((i=${#CLEANUP_COMMANDS[@]}-1; i>=0; i--)); do echo "Executing cleanup: ${CLEANUP_COMMANDS[$i]}" >> $LOG_FILE eval "${CLEANUP_COMMANDS[$i]}" 2>&1 >> $LOG_FILE done } # Array to store created resources and cleanup commands declare -a CREATED_RESOURCES declare -a CLEANUP_COMMANDS echo "Setting up VPC peering connection..." # Check for existing VPCs echo "Checking for existing VPCs..." EXISTING_VPCS=$(aws ec2 describe-vpcs --query 'Vpcs[?State==`available`].[VpcId,CidrBlock]' --output text 2>/dev/null) if [ -z "$EXISTING_VPCS" ]; then echo "No existing VPCs found. Creating new VPCs..." CREATE_VPCS=true else echo "Found existing VPCs:" echo "$EXISTING_VPCS" echo "" echo "Do you want to use existing VPCs (e) or create new ones (n)? [e/n]: " read -r VPC_CHOICE if [[ "${VPC_CHOICE,,}" == "e" ]]; then CREATE_VPCS=false # Get the first two available VPCs VPC1_INFO=$(echo "$EXISTING_VPCS" | head -n 1) VPC2_INFO=$(echo "$EXISTING_VPCS" | head -n 2 | tail -n 1) if [ -z "$VPC2_INFO" ]; then echo "Only one VPC found. Creating a second VPC..." VPC1_ID=$(echo $VPC1_INFO | awk '{print $1}') VPC1_CIDR=$(echo $VPC1_INFO | awk '{print $2}') CREATE_VPC2_ONLY=true else VPC1_ID=$(echo $VPC1_INFO | awk '{print $1}') VPC1_CIDR=$(echo $VPC1_INFO | awk '{print $2}') VPC2_ID=$(echo $VPC2_INFO | awk '{print $1}') VPC2_CIDR=$(echo $VPC2_INFO | awk '{print $2}') CREATE_VPC2_ONLY=false fi else CREATE_VPCS=true fi fi # Create VPCs if needed if [ "$CREATE_VPCS" = true ]; then echo "Creating VPC1..." VPC1_ID=$(log_cmd "aws ec2 create-vpc --cidr-block 10.1.0.0/16 --tag-specifications \"ResourceType=vpc,Tags=[{Key=Name,Value=VPC1-Peering-Demo}]\" --query 'Vpc.VpcId' --output text") check_error $? VPC1_CIDR="10.1.0.0/16" CREATED_RESOURCES+=("VPC1: $VPC1_ID") CLEANUP_COMMANDS+=("aws ec2 delete-vpc --vpc-id $VPC1_ID") echo "VPC1 created with ID: $VPC1_ID" echo "Creating VPC2..." VPC2_ID=$(log_cmd "aws ec2 create-vpc --cidr-block 10.2.0.0/16 --tag-specifications \"ResourceType=vpc,Tags=[{Key=Name,Value=VPC2-Peering-Demo}]\" --query 'Vpc.VpcId' --output text") check_error $? VPC2_CIDR="10.2.0.0/16" CREATED_RESOURCES+=("VPC2: $VPC2_ID") CLEANUP_COMMANDS+=("aws ec2 delete-vpc --vpc-id $VPC2_ID") echo "VPC2 created with ID: $VPC2_ID" # Wait for VPCs to be available echo "Waiting for VPCs to be available..." log_cmd "aws ec2 wait vpc-available --vpc-ids $VPC1_ID $VPC2_ID" check_error $? elif [ "$CREATE_VPC2_ONLY" = true ]; then echo "Creating VPC2..." VPC2_ID=$(log_cmd "aws ec2 create-vpc --cidr-block 10.2.0.0/16 --tag-specifications \"ResourceType=vpc,Tags=[{Key=Name,Value=VPC2-Peering-Demo}]\" --query 'Vpc.VpcId' --output text") check_error $? VPC2_CIDR="10.2.0.0/16" CREATED_RESOURCES+=("VPC2: $VPC2_ID") CLEANUP_COMMANDS+=("aws ec2 delete-vpc --vpc-id $VPC2_ID") echo "VPC2 created with ID: $VPC2_ID" # Wait for VPC2 to be available echo "Waiting for VPC2 to be available..." log_cmd "aws ec2 wait vpc-available --vpc-ids $VPC2_ID" check_error $? fi echo "Using the following VPCs:" echo "VPC1: $VPC1_ID ($VPC1_CIDR)" echo "VPC2: $VPC2_ID ($VPC2_CIDR)" # Verify the VPCs exist and are available echo "Verifying VPCs..." log_cmd "aws ec2 describe-vpcs --vpc-ids $VPC1_ID $VPC2_ID --query 'Vpcs[*].[VpcId,State,CidrBlock]' --output table" check_error $? # Determine subnet CIDR blocks based on VPC CIDR blocks VPC1_SUBNET_CIDR=$(echo $VPC1_CIDR | sed 's/0\.0\/16/1.0\/24/') VPC2_SUBNET_CIDR=$(echo $VPC2_CIDR | sed 's/0\.0\/16/1.0\/24/') # Create subnets in both VPCs echo "Creating subnet in VPC1..." SUBNET1_ID=$(log_cmd "aws ec2 create-subnet --vpc-id $VPC1_ID --cidr-block $VPC1_SUBNET_CIDR --tag-specifications \"ResourceType=subnet,Tags=[{Key=Name,Value=VPC1-Peering-Subnet}]\" --query 'Subnet.SubnetId' --output text") check_error $? CREATED_RESOURCES+=("Subnet in VPC1: $SUBNET1_ID") CLEANUP_COMMANDS+=("aws ec2 delete-subnet --subnet-id $SUBNET1_ID") echo "Subnet created in VPC1 with ID: $SUBNET1_ID (CIDR: $VPC1_SUBNET_CIDR)" echo "Creating subnet in VPC2..." SUBNET2_ID=$(log_cmd "aws ec2 create-subnet --vpc-id $VPC2_ID --cidr-block $VPC2_SUBNET_CIDR --tag-specifications \"ResourceType=subnet,Tags=[{Key=Name,Value=VPC2-Peering-Subnet}]\" --query 'Subnet.SubnetId' --output text") check_error $? CREATED_RESOURCES+=("Subnet in VPC2: $SUBNET2_ID") CLEANUP_COMMANDS+=("aws ec2 delete-subnet --subnet-id $SUBNET2_ID") echo "Subnet created in VPC2 with ID: $SUBNET2_ID (CIDR: $VPC2_SUBNET_CIDR)" # Create a VPC peering connection echo "Creating VPC peering connection..." PEERING_ID=$(log_cmd "aws ec2 create-vpc-peering-connection --vpc-id $VPC1_ID --peer-vpc-id $VPC2_ID --tag-specifications \"ResourceType=vpc-peering-connection,Tags=[{Key=Name,Value=VPC1-VPC2-Peering}]\" --query 'VpcPeeringConnection.VpcPeeringConnectionId' --output text") check_error $? CREATED_RESOURCES+=("VPC Peering Connection: $PEERING_ID") CLEANUP_COMMANDS+=("aws ec2 delete-vpc-peering-connection --vpc-peering-connection-id $PEERING_ID") echo "VPC Peering Connection created with ID: $PEERING_ID" # Accept the VPC peering connection echo "Accepting VPC peering connection..." log_cmd "aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id $PEERING_ID" check_error $? echo "VPC Peering Connection accepted" # Wait for the peering connection to become active echo "Waiting for peering connection to become active..." log_cmd "aws ec2 wait vpc-peering-connection-exists --vpc-peering-connection-ids $PEERING_ID" check_error $? # Create a route table for VPC1 echo "Creating route table for VPC1..." RTB1_ID=$(log_cmd "aws ec2 create-route-table --vpc-id $VPC1_ID --tag-specifications \"ResourceType=route-table,Tags=[{Key=Name,Value=VPC1-RouteTable}]\" --query 'RouteTable.RouteTableId' --output text") check_error $? CREATED_RESOURCES+=("Route Table for VPC1: $RTB1_ID") CLEANUP_COMMANDS+=("aws ec2 delete-route-table --route-table-id $RTB1_ID") echo "Route table created for VPC1 with ID: $RTB1_ID" # Create a route from VPC1 to VPC2 echo "Creating route from VPC1 to VPC2..." log_cmd "aws ec2 create-route --route-table-id $RTB1_ID --destination-cidr-block $VPC2_CIDR --vpc-peering-connection-id $PEERING_ID" check_error $? echo "Route created from VPC1 to VPC2" # Associate the route table with the subnet in VPC1 echo "Associating route table with subnet in VPC1..." RTB1_ASSOC_ID=$(log_cmd "aws ec2 associate-route-table --route-table-id $RTB1_ID --subnet-id $SUBNET1_ID --query 'AssociationId' --output text") check_error $? CREATED_RESOURCES+=("Route Table Association for VPC1: $RTB1_ASSOC_ID") CLEANUP_COMMANDS+=("aws ec2 disassociate-route-table --association-id $RTB1_ASSOC_ID") echo "Route table associated with subnet in VPC1" # Create a route table for VPC2 echo "Creating route table for VPC2..." RTB2_ID=$(log_cmd "aws ec2 create-route-table --vpc-id $VPC2_ID --tag-specifications \"ResourceType=route-table,Tags=[{Key=Name,Value=VPC2-RouteTable}]\" --query 'RouteTable.RouteTableId' --output text") check_error $? CREATED_RESOURCES+=("Route Table for VPC2: $RTB2_ID") CLEANUP_COMMANDS+=("aws ec2 delete-route-table --route-table-id $RTB2_ID") echo "Route table created for VPC2 with ID: $RTB2_ID" # Create a route from VPC2 to VPC1 echo "Creating route from VPC2 to VPC1..." log_cmd "aws ec2 create-route --route-table-id $RTB2_ID --destination-cidr-block $VPC1_CIDR --vpc-peering-connection-id $PEERING_ID" check_error $? echo "Route created from VPC2 to VPC1" # Associate the route table with the subnet in VPC2 echo "Associating route table with subnet in VPC2..." RTB2_ASSOC_ID=$(log_cmd "aws ec2 associate-route-table --route-table-id $RTB2_ID --subnet-id $SUBNET2_ID --query 'AssociationId' --output text") check_error $? CREATED_RESOURCES+=("Route Table Association for VPC2: $RTB2_ASSOC_ID") CLEANUP_COMMANDS+=("aws ec2 disassociate-route-table --association-id $RTB2_ASSOC_ID") echo "Route table associated with subnet in VPC2" # Verify the VPC peering connection echo "Verifying VPC peering connection..." log_cmd "aws ec2 describe-vpc-peering-connections --vpc-peering-connection-ids $PEERING_ID --query 'VpcPeeringConnections[0].[VpcPeeringConnectionId,Status.Code,AccepterVpcInfo.VpcId,RequesterVpcInfo.VpcId]' --output table" check_error $? echo "VPC peering connection verified" # Display summary of created resources echo "" echo "==============================================" echo "SUMMARY OF CREATED RESOURCES" echo "==============================================" echo "VPC1 ID: $VPC1_ID" echo "VPC1 CIDR: $VPC1_CIDR" echo "Subnet1 ID: $SUBNET1_ID (CIDR: $VPC1_SUBNET_CIDR)" echo "VPC2 ID: $VPC2_ID" echo "VPC2 CIDR: $VPC2_CIDR" echo "Subnet2 ID: $SUBNET2_ID (CIDR: $VPC2_SUBNET_CIDR)" echo "Peering Connection ID: $PEERING_ID" echo "Route Table 1 ID: $RTB1_ID" echo "Route Table 1 Association ID: $RTB1_ASSOC_ID" echo "Route Table 2 ID: $RTB2_ID" echo "Route Table 2 Association ID: $RTB2_ASSOC_ID" echo "" echo "Created resources:" for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" done echo "==============================================" echo "" # Test connectivity (optional) echo "==============================================" echo "CONNECTIVITY TEST" echo "==============================================" echo "To test connectivity between VPCs, you would need to:" echo "1. Launch EC2 instances in each subnet" echo "2. Configure security groups to allow traffic" echo "3. Test ping or other network connectivity" echo "" # Prompt for cleanup echo "" echo "==============================================" echo "CLEANUP CONFIRMATION" echo "==============================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "${CLEANUP_CHOICE,,}" == "y" ]]; then echo "Starting cleanup process..." # Clean up in reverse order echo "Disassociating route table from subnet in VPC2..." log_cmd "aws ec2 disassociate-route-table --association-id $RTB2_ASSOC_ID" echo "Disassociating route table from subnet in VPC1..." log_cmd "aws ec2 disassociate-route-table --association-id $RTB1_ASSOC_ID" echo "Deleting route table for VPC2..." log_cmd "aws ec2 delete-route-table --route-table-id $RTB2_ID" echo "Deleting route table for VPC1..." log_cmd "aws ec2 delete-route-table --route-table-id $RTB1_ID" echo "Deleting VPC peering connection..." log_cmd "aws ec2 delete-vpc-peering-connection --vpc-peering-connection-id $PEERING_ID" echo "Deleting subnet in VPC2..." log_cmd "aws ec2 delete-subnet --subnet-id $SUBNET2_ID" echo "Deleting subnet in VPC1..." log_cmd "aws ec2 delete-subnet --subnet-id $SUBNET1_ID" # Delete VPCs if they were created by this script if [ "$CREATE_VPCS" = true ]; then echo "Deleting VPC2..." log_cmd "aws ec2 delete-vpc --vpc-id $VPC2_ID" echo "Deleting VPC1..." log_cmd "aws ec2 delete-vpc --vpc-id $VPC1_ID" elif [ "$CREATE_VPC2_ONLY" = true ]; then echo "Deleting VPC2..." log_cmd "aws ec2 delete-vpc --vpc-id $VPC2_ID" fi echo "Cleanup completed successfully." else echo "Cleanup skipped. Resources will remain in your AWS account." echo "" echo "To manually clean up later, you can delete resources in this order:" echo "1. Route table associations" echo "2. Route tables" echo "3. VPC peering connection" echo "4. Subnets" if [ "$CREATE_VPCS" = true ] || [ "$CREATE_VPC2_ONLY" = true ]; then echo "5. VPCs (if created by this script)" fi fi echo "Script execution completed. See $LOG_FILE for detailed logs." ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AcceptVpcPeeringConnection](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AcceptVpcPeeringConnection) + [AssociateRouteTable](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AssociateRouteTable) + [CreateRoute](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateRoute) + [CreateRouteTable](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateRouteTable) + [CreateSubnet](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSubnet) + [CreateVpc](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateVpc) + [CreateVpcPeeringConnection](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateVpcPeeringConnection) + [DeleteRouteTable](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteRouteTable) + [DeleteSubnet](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSubnet) + [DeleteVpc](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteVpc) + [DeleteVpcPeeringConnection](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteVpcPeeringConnection) + [DescribeVpcPeeringConnections](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcPeeringConnections) + [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs) + [DisassociateRouteTable](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DisassociateRouteTable) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/Wait) # Amazon ECR examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon ECR. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting started with Amazon ECR The following code example shows how to: + Create a Docker image + Create an Amazon ECR repository + Delete resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/078-amazon-elastic-container-registry-gs) repository. ``` #!/bin/bash # Amazon ECR Getting Started Script # This script demonstrates the lifecycle of a Docker image in Amazon ECR # Set up logging LOG_FILE="ecr-tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "===================================================" echo "Amazon ECR Getting Started Tutorial" echo "===================================================" echo "This script will:" echo "1. Create a Docker image" echo "2. Create an Amazon ECR repository" echo "3. Authenticate to Amazon ECR" echo "4. Push the image to Amazon ECR" echo "5. Pull the image from Amazon ECR" echo "6. Clean up resources (optional)" echo "===================================================" # Check prerequisites echo "Checking prerequisites..." # Check if AWS CLI is installed if ! command -v aws &> /dev/null; then echo "ERROR: AWS CLI is not installed. Please install it before running this script." echo "Visit https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html for installation instructions." exit 1 fi # Check if AWS CLI is configured if ! aws sts get-caller-identity &> /dev/null; then echo "ERROR: AWS CLI is not configured properly. Please run 'aws configure' to set up your credentials." exit 1 fi # Check if Docker is installed if ! command -v docker &> /dev/null; then echo "ERROR: Docker is not installed. Please install Docker before running this script." echo "Visit https://docs.docker.com/get-docker/ for installation instructions." exit 1 fi # Check if Docker daemon is running if ! docker info &> /dev/null; then echo "ERROR: Docker daemon is not running. Please start Docker and try again." exit 1 fi echo "All prerequisites met." # Initialize variables REPO_URI="" TIMEOUT_CMD="timeout 300" # 5-minute timeout for long-running commands # Function to handle errors handle_error() { echo "ERROR: $1" echo "Check the log file for details: $LOG_FILE" echo "===================================================" echo "Resources created:" echo "- Docker image: hello-world (local)" if [ -n "$REPO_URI" ]; then echo "- ECR Repository: hello-repository" echo "- ECR Image: $REPO_URI:latest" fi echo "===================================================" echo "Attempting to clean up resources..." cleanup exit 1 } # Function to clean up resources cleanup() { echo "===================================================" echo "Cleaning up resources..." # Delete the image from ECR if it exists if [ -n "$REPO_URI" ]; then echo "Deleting image from ECR repository..." aws ecr batch-delete-image --repository-name hello-repository --image-ids imageTag=latest || echo "Failed to delete image, it may not exist or may have already been deleted." fi # Delete the ECR repository if it exists if [ -n "$REPO_URI" ]; then echo "Deleting ECR repository..." aws ecr delete-repository --repository-name hello-repository --force || echo "Failed to delete repository, it may not exist or may have already been deleted." fi # Remove local Docker image echo "Removing local Docker image..." docker rmi hello-world:latest 2>/dev/null || echo "Failed to remove local image, it may not exist or may have already been deleted." if [ -n "$REPO_URI" ]; then docker rmi "$REPO_URI:latest" 2>/dev/null || echo "Failed to remove tagged image, it may not exist or may have already been deleted." fi echo "Cleanup completed." echo "===================================================" } # Step 1: Create a Docker image echo "Step 1: Creating a Docker image" # Create Dockerfile echo "Creating Dockerfile..." cat > Dockerfile << 'EOF' FROM public.ecr.aws/amazonlinux/amazonlinux:latest # Install dependencies RUN yum update -y && \ yum install -y httpd # Install apache and write hello world message RUN echo 'Hello World!' > /var/www/html/index.html # Configure apache RUN echo 'mkdir -p /var/run/httpd' >> /root/run_apache.sh && \ echo 'mkdir -p /var/lock/httpd' >> /root/run_apache.sh && \ echo '/usr/sbin/httpd -D FOREGROUND' >> /root/run_apache.sh && \ chmod 755 /root/run_apache.sh EXPOSE 80 CMD /root/run_apache.sh EOF # Build Docker image echo "Building Docker image..." $TIMEOUT_CMD docker build -t hello-world . || handle_error "Failed to build Docker image or operation timed out after 5 minutes" # Verify image was created echo "Verifying Docker image..." docker images --filter reference=hello-world || handle_error "Failed to list Docker images" echo "Docker image created successfully." # Step 2: Create an Amazon ECR repository echo "Step 2: Creating an Amazon ECR repository" # Get AWS account ID echo "Getting AWS account ID..." AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) if [[ -z "$AWS_ACCOUNT_ID" || "$AWS_ACCOUNT_ID" == *"error"* ]]; then handle_error "Failed to get AWS account ID. Make sure your AWS credentials are configured correctly." fi echo "AWS Account ID: $AWS_ACCOUNT_ID" # Get current region AWS_REGION=$(aws configure get region) if [[ -z "$AWS_REGION" ]]; then AWS_REGION="us-east-1" # Default to us-east-1 if no region is configured echo "No AWS region configured, defaulting to $AWS_REGION" else echo "Using AWS region: $AWS_REGION" fi # Create ECR repository echo "Creating ECR repository..." REPO_RESULT=$(aws ecr create-repository --repository-name hello-repository) if [[ -z "$REPO_RESULT" || "$REPO_RESULT" == *"error"* ]]; then handle_error "Failed to create ECR repository" fi # Extract repository URI REPO_URI="$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/hello-repository" echo "Repository URI: $REPO_URI" # Step 3: Authenticate to Amazon ECR echo "Step 3: Authenticating to Amazon ECR" echo "Getting ECR login password..." aws ecr get-login-password --region "$AWS_REGION" | docker login --username AWS --password-stdin "$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com" || handle_error "Failed to authenticate to ECR" echo "Successfully authenticated to ECR." # Step 4: Push the image to Amazon ECR echo "Step 4: Pushing the image to Amazon ECR" # Tag the image echo "Tagging Docker image..." docker tag hello-world:latest "$REPO_URI:latest" || handle_error "Failed to tag Docker image" # Push the image with timeout echo "Pushing image to ECR..." $TIMEOUT_CMD docker push "$REPO_URI:latest" || handle_error "Failed to push image to ECR or operation timed out after 5 minutes" echo "Successfully pushed image to ECR." # Step 5: Pull the image from Amazon ECR echo "Step 5: Pulling the image from Amazon ECR" # Remove local image to ensure we're pulling from ECR echo "Removing local tagged image..." docker rmi "$REPO_URI:latest" || echo "Warning: Failed to remove local tagged image" # Pull the image with timeout echo "Pulling image from ECR..." $TIMEOUT_CMD docker pull "$REPO_URI:latest" || handle_error "Failed to pull image from ECR or operation timed out after 5 minutes" echo "Successfully pulled image from ECR." # List resources created echo "===================================================" echo "Resources created:" echo "- Docker image: hello-world (local)" echo "- ECR Repository: hello-repository" echo "- ECR Image: $REPO_URI:latest" echo "===================================================" # Ask user if they want to clean up resources echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then # Step 6: Delete the image from ECR echo "Step 6: Deleting the image from ECR" DELETE_IMAGE_RESULT=$(aws ecr batch-delete-image --repository-name hello-repository --image-ids imageTag=latest) if [[ -z "$DELETE_IMAGE_RESULT" || "$DELETE_IMAGE_RESULT" == *"error"* ]]; then echo "Warning: Failed to delete image from ECR" else echo "Successfully deleted image from ECR." fi # Step 7: Delete the ECR repository echo "Step 7: Deleting the ECR repository" DELETE_REPO_RESULT=$(aws ecr delete-repository --repository-name hello-repository --force) if [[ -z "$DELETE_REPO_RESULT" || "$DELETE_REPO_RESULT" == *"error"* ]]; then echo "Warning: Failed to delete ECR repository" else echo "Successfully deleted ECR repository." fi # Remove local Docker images echo "Removing local Docker images..." docker rmi hello-world:latest 2>/dev/null || echo "Warning: Failed to remove local image" echo "All resources have been cleaned up." else echo "Resources were not cleaned up. You can manually clean up later with:" echo "aws ecr batch-delete-image --repository-name hello-repository --image-ids imageTag=latest" echo "aws ecr delete-repository --repository-name hello-repository --force" echo "docker rmi hello-world:latest" echo "docker rmi $REPO_URI:latest" fi echo "===================================================" echo "Tutorial completed!" echo "Log file: $LOG_FILE" echo "===================================================" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [BatchDeleteImage](https://docs.aws.amazon.com/goto/aws-cli/ecr-2015-09-21/BatchDeleteImage) + [CreateRepository](https://docs.aws.amazon.com/goto/aws-cli/ecr-2015-09-21/CreateRepository) + [DeleteRepository](https://docs.aws.amazon.com/goto/aws-cli/ecr-2015-09-21/DeleteRepository) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetLoginPassword](https://docs.aws.amazon.com/goto/aws-cli/ecr-2015-09-21/GetLoginPassword) # Amazon ECS examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon ECS. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Configure Amazon ECS Service Connect The following code example shows how to: + Create the VPC infrastructure + Set up logging + Create the ECS cluster + Configure IAM roles + Create the service with Service Connect + Verify the deployment + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/085-amazon-ecs-service-connect) repository. ``` #!/bin/bash # ECS Service Connect Tutorial Script v4 - Modified to use Default VPC # This script creates an ECS cluster with Service Connect and deploys an nginx service # Uses the default VPC to avoid VPC limits set -e # Exit on any error # Configuration SCRIPT_NAME="ECS Service Connect Tutorial" LOG_FILE="ecs-service-connect-tutorial-v4-default-vpc.log" REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null)}} if [ -z "$REGION" ]; then echo "ERROR: No AWS region configured." echo "Set one with: aws configure set region us-east-1" exit 1 fi ENV_PREFIX="tutorial" CLUSTER_NAME="${ENV_PREFIX}-cluster" NAMESPACE_NAME="service-connect" # Generate random suffix for unique resource names RANDOM_SUFFIX=$(openssl rand -hex 6) # Arrays to track created resources for cleanup declare -a CREATED_RESOURCES=() # Logging function log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE" } # Error handling function handle_error() { log "ERROR: Script failed at line $1" log "Attempting to clean up resources..." cleanup_resources exit 1 } # Set up error handling trap 'handle_error $LINENO' ERR # Function to add resource to tracking array track_resource() { CREATED_RESOURCES+=("$1") log "Tracking resource: $1" } # Function to check if command output contains actual errors check_for_errors() { local output="$1" local command_name="$2" # Check for specific AWS CLI error patterns, not just any occurrence of "error" if echo "$output" | grep -qi "An error occurred\|InvalidParameterException\|AccessDenied\|ValidationException\|ResourceNotFoundException"; then log "ERROR in $command_name: $output" return 1 fi return 0 } # Function to get AWS account ID get_account_id() { ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) log "Using AWS Account ID: $ACCOUNT_ID" } # Function to wait for resources to be ready wait_for_resource() { local resource_type="$1" local resource_id="$2" case "$resource_type" in "cluster") log "Waiting for cluster $resource_id to be active..." local attempt=1 local max_attempts=30 while [ $attempt -le $max_attempts ]; do local status=$(aws ecs describe-clusters --clusters "$resource_id" --query 'clusters[0].status' --output text) if [ "$status" = "ACTIVE" ]; then log "Cluster is now active" return 0 fi log "Cluster status: $status (attempt $attempt/$max_attempts)" sleep 10 ((attempt++)) done log "ERROR: Cluster did not become active within expected time" return 1 ;; "service") log "Waiting for service $resource_id to be stable..." aws ecs wait services-stable --cluster "$CLUSTER_NAME" --services "$resource_id" ;; "nat-gateway") log "Waiting for NAT Gateway $resource_id to be available..." aws ec2 wait nat-gateway-available --nat-gateway-ids "$resource_id" ;; esac } # Function to use default VPC infrastructure setup_default_vpc_infrastructure() { log "Using default VPC infrastructure..." # Get default VPC VPC_ID=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query 'Vpcs[0].VpcId' --output text) if [[ "$VPC_ID" == "None" || -z "$VPC_ID" ]]; then log "ERROR: No default VPC found. Please create a default VPC first." exit 1 fi log "Using default VPC: $VPC_ID" # Get default subnets SUBNETS=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" "Name=default-for-az,Values=true" --query 'Subnets[].SubnetId' --output text) SUBNET_ARRAY=($SUBNETS) if [ ${#SUBNET_ARRAY[@]} -lt 2 ]; then log "ERROR: Need at least 2 subnets for ECS Service Connect. Found: ${#SUBNET_ARRAY[@]}" exit 1 fi PUBLIC_SUBNET1=${SUBNET_ARRAY[0]} PUBLIC_SUBNET2=${SUBNET_ARRAY[1]} log "Using subnets: $PUBLIC_SUBNET1, $PUBLIC_SUBNET2" # Create security group for ECS tasks SG_OUTPUT=$(aws ec2 create-security-group \ --group-name "${ENV_PREFIX}-ecs-sg-${RANDOM_SUFFIX}" \ --description "Security group for ECS Service Connect tutorial" \ --vpc-id "$VPC_ID" 2>&1) check_for_errors "$SG_OUTPUT" "create-security-group" SECURITY_GROUP_ID=$(echo "$SG_OUTPUT" | grep -o '"GroupId": "[^"]*"' | cut -d'"' -f4) track_resource "SG:$SECURITY_GROUP_ID" log "Created security group: $SECURITY_GROUP_ID" # Add inbound rules to security group aws ec2 authorize-security-group-ingress \ --group-id "$SECURITY_GROUP_ID" \ --protocol tcp \ --port 80 \ --cidr 0.0.0.0/0 >/dev/null 2>&1 || true aws ec2 authorize-security-group-ingress \ --group-id "$SECURITY_GROUP_ID" \ --protocol tcp \ --port 443 \ --cidr 0.0.0.0/0 >/dev/null 2>&1 || true log "Default VPC infrastructure setup completed" } # Function to create CloudWatch log groups create_log_groups() { log "Creating CloudWatch log groups..." # Create log group for nginx container aws logs create-log-group --log-group-name "/ecs/service-connect-nginx" 2>&1 | grep -v "ResourceAlreadyExistsException" || { if [ ${PIPESTATUS[0]} -eq 0 ]; then log "Log group /ecs/service-connect-nginx created" track_resource "LOG_GROUP:/ecs/service-connect-nginx" else log "Log group /ecs/service-connect-nginx already exists" fi } # Create log group for service connect proxy aws logs create-log-group --log-group-name "/ecs/service-connect-proxy" 2>&1 | grep -v "ResourceAlreadyExistsException" || { if [ ${PIPESTATUS[0]} -eq 0 ]; then log "Log group /ecs/service-connect-proxy created" track_resource "LOG_GROUP:/ecs/service-connect-proxy" else log "Log group /ecs/service-connect-proxy already exists" fi } } # Function to create ECS cluster with Service Connect create_ecs_cluster() { log "Creating ECS cluster with Service Connect..." CLUSTER_OUTPUT=$(aws ecs create-cluster \ --cluster-name "$CLUSTER_NAME" \ --service-connect-defaults namespace="$NAMESPACE_NAME" \ --tags key=Environment,value=tutorial 2>&1) check_for_errors "$CLUSTER_OUTPUT" "create-cluster" track_resource "CLUSTER:$CLUSTER_NAME" log "Created ECS cluster: $CLUSTER_NAME" wait_for_resource "cluster" "$CLUSTER_NAME" # Track the Service Connect namespace that gets created # Wait a moment for the namespace to be created sleep 5 NAMESPACE_ID=$(aws servicediscovery list-namespaces \ --filters Name=TYPE,Values=HTTP \ --query "Namespaces[?Name=='$NAMESPACE_NAME'].Id" --output text 2>/dev/null || echo "") if [[ -n "$NAMESPACE_ID" && "$NAMESPACE_ID" != "None" ]]; then track_resource "NAMESPACE:$NAMESPACE_ID" log "Service Connect namespace created: $NAMESPACE_ID" fi } # Function to create IAM roles create_iam_roles() { log "Creating IAM roles..." # Check if ecsTaskExecutionRole exists if aws iam get-role --role-name ecsTaskExecutionRole >/dev/null 2>&1; then log "IAM role ecsTaskExecutionRole exists" else log "Creating ecsTaskExecutionRole..." aws iam create-role \ --role-name ecsTaskExecutionRole \ --assume-role-policy-document '{ "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"Service": "ecs-tasks.amazonaws.com"}, "Action": "sts:AssumeRole" }] }' >/dev/null 2>&1 aws iam attach-role-policy \ --role-name ecsTaskExecutionRole \ --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy >/dev/null 2>&1 track_resource "ROLE:ecsTaskExecutionRole" log "Created ecsTaskExecutionRole" sleep 10 fi # Check if ecsTaskRole exists, create if not if aws iam get-role --role-name ecsTaskRole >/dev/null 2>&1; then log "IAM role ecsTaskRole exists" else log "IAM role ecsTaskRole does not exist, will create it" # Create trust policy for ECS tasks cat > /tmp/ecs-task-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF aws iam create-role \ --role-name ecsTaskRole \ --assume-role-policy-document file:///tmp/ecs-task-trust-policy.json >/dev/null track_resource "IAM_ROLE:ecsTaskRole" log "Created ecsTaskRole" # Wait for role to be available sleep 10 fi } # Function to create task definition create_task_definition() { log "Creating task definition..." # Create task definition JSON cat > /tmp/task-definition.json << EOF { "family": "service-connect-nginx", "networkMode": "awsvpc", "requiresCompatibilities": ["FARGATE"], "cpu": "256", "memory": "512", "executionRoleArn": "arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskExecutionRole", "taskRoleArn": "arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskRole", "containerDefinitions": [ { "name": "nginx", "image": "public.ecr.aws/docker/library/nginx:latest", "portMappings": [ { "containerPort": 80, "protocol": "tcp", "name": "nginx-port" } ], "essential": true, "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "/ecs/service-connect-nginx", "awslogs-region": "${REGION}", "awslogs-stream-prefix": "ecs" } } } ] } EOF TASK_DEF_OUTPUT=$(aws ecs register-task-definition --cli-input-json file:///tmp/task-definition.json 2>&1) check_for_errors "$TASK_DEF_OUTPUT" "register-task-definition" TASK_DEF_ARN=$(echo "$TASK_DEF_OUTPUT" | grep -o '"taskDefinitionArn": "[^"]*"' | cut -d'"' -f4) track_resource "TASK_DEF:service-connect-nginx" log "Created task definition: $TASK_DEF_ARN" # Clean up temporary file rm -f /tmp/task-definition.json } # Function to create ECS service with Service Connect create_ecs_service() { log "Creating ECS service with Service Connect..." # Create service definition JSON cat > /tmp/service-definition.json << EOF { "serviceName": "service-connect-nginx-service", "cluster": "${CLUSTER_NAME}", "taskDefinition": "service-connect-nginx", "desiredCount": 1, "launchType": "FARGATE", "networkConfiguration": { "awsvpcConfiguration": { "subnets": ["${PUBLIC_SUBNET1}", "${PUBLIC_SUBNET2}"], "securityGroups": ["${SECURITY_GROUP_ID}"], "assignPublicIp": "ENABLED" } }, "serviceConnectConfiguration": { "enabled": true, "namespace": "${NAMESPACE_NAME}", "services": [ { "portName": "nginx-port", "discoveryName": "nginx", "clientAliases": [ { "port": 80, "dnsName": "nginx" } ] } ], "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "/ecs/service-connect-proxy", "awslogs-region": "${REGION}", "awslogs-stream-prefix": "ecs-service-connect" } } }, "tags": [ { "key": "Environment", "value": "tutorial" } ] } EOF SERVICE_OUTPUT=$(aws ecs create-service --cli-input-json file:///tmp/service-definition.json 2>&1) check_for_errors "$SERVICE_OUTPUT" "create-service" track_resource "SERVICE:service-connect-nginx-service" log "Created ECS service: service-connect-nginx-service" wait_for_resource "service" "service-connect-nginx-service" # Clean up temporary file rm -f /tmp/service-definition.json } # Function to verify deployment verify_deployment() { log "Verifying deployment..." # Check service status SERVICE_STATUS=$(aws ecs describe-services \ --cluster "$CLUSTER_NAME" \ --services "service-connect-nginx-service" \ --query 'services[0].status' --output text) log "Service status: $SERVICE_STATUS" # Check running tasks RUNNING_COUNT=$(aws ecs describe-services \ --cluster "$CLUSTER_NAME" \ --services "service-connect-nginx-service" \ --query 'services[0].runningCount' --output text) log "Running tasks: $RUNNING_COUNT" # Get task ARN TASK_ARN=$(aws ecs list-tasks \ --cluster "$CLUSTER_NAME" \ --service-name "service-connect-nginx-service" \ --query 'taskArns[0]' --output text) if [[ "$TASK_ARN" != "None" && -n "$TASK_ARN" ]]; then log "Task ARN: $TASK_ARN" # Try to get task IP address TASK_IP=$(aws ecs describe-tasks \ --cluster "$CLUSTER_NAME" \ --tasks "$TASK_ARN" \ --query 'tasks[0].attachments[0].details[?name==`privateIPv4Address`].value' \ --output text 2>/dev/null || echo "") if [[ -n "$TASK_IP" && "$TASK_IP" != "None" ]]; then log "Task IP address: $TASK_IP" else log "Could not retrieve task IP address" fi fi # Check Service Connect namespace NAMESPACE_STATUS=$(aws servicediscovery list-namespaces \ --filters Name=TYPE,Values=HTTP \ --query "Namespaces[?Name=='$NAMESPACE_NAME'].Id" --output text 2>/dev/null || echo "") if [[ -n "$NAMESPACE_STATUS" && "$NAMESPACE_STATUS" != "None" ]]; then log "Service Connect namespace '$NAMESPACE_NAME' is active" else log "Service Connect namespace '$NAMESPACE_NAME' not found or not active" fi # Display Service Connect configuration log "Service Connect configuration:" aws ecs describe-services \ --cluster "$CLUSTER_NAME" \ --services "service-connect-nginx-service" \ --query 'services[0].serviceConnectConfiguration' 2>/dev/null || true } # Function to display created resources display_resources() { echo "" echo "===========================================" echo "CREATED RESOURCES" echo "===========================================" for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" done echo "===========================================" echo "" } # Function to cleanup resources cleanup_resources() { log "Starting cleanup process..." # Delete resources in reverse order of creation for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do resource="${CREATED_RESOURCES[i]}" resource_type=$(echo "$resource" | cut -d':' -f1) resource_id=$(echo "$resource" | cut -d':' -f2) log "Cleaning up $resource_type: $resource_id" case "$resource_type" in "SERVICE") aws ecs update-service --cluster "$CLUSTER_NAME" --service "$resource_id" --desired-count 0 2>&1 | grep -qi "error" && log "Warning: Failed to scale down service $resource_id" aws ecs wait services-stable --cluster "$CLUSTER_NAME" --services "$resource_id" 2>/dev/null || true aws ecs delete-service --cluster "$CLUSTER_NAME" --service "$resource_id" --force 2>&1 | grep -qi "error" && log "Warning: Failed to delete service $resource_id" ;; "TASK_DEF") TASK_DEF_ARNS=$(aws ecs list-task-definitions --family-prefix "$resource_id" --query 'taskDefinitionArns' --output text 2>/dev/null) for arn in $TASK_DEF_ARNS; do aws ecs deregister-task-definition --task-definition "$arn" >/dev/null 2>&1 || true done ;; "ROLE") aws iam detach-role-policy --role-name "$resource_id" --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" 2>/dev/null || true aws iam delete-role --role-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete role $resource_id" ;; "IAM_ROLE") aws iam detach-role-policy --role-name "$resource_id" --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" 2>/dev/null || true aws iam delete-role --role-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete role $resource_id" ;; "CLUSTER") aws ecs delete-cluster --cluster "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete cluster $resource_id" ;; "SG") for attempt in 1 2 3 4 5; do if aws ec2 delete-security-group --group-id "$resource_id" 2>/dev/null; then break fi log "Security group $resource_id still has dependencies, retrying in 30s ($attempt/5)..." sleep 30 done ;; "LOG_GROUP") aws logs delete-log-group --log-group-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete log group $resource_id" ;; "NAMESPACE") # First, delete any services in the namespace NAMESPACE_SERVICES=$(aws servicediscovery list-services \ --filters Name=NAMESPACE_ID,Values="$resource_id" \ --query 'Services[].Id' --output text 2>/dev/null || echo "") if [[ -n "$NAMESPACE_SERVICES" && "$NAMESPACE_SERVICES" != "None" ]]; then for service_id in $NAMESPACE_SERVICES; do aws servicediscovery delete-service --id "$service_id" >/dev/null 2>&1 || true sleep 2 done fi # Then delete the namespace aws servicediscovery delete-namespace --id "$resource_id" >/dev/null 2>&1 || true ;; esac sleep 2 # Brief pause between deletions done # Clean up temporary files rm -f /tmp/ecs-task-trust-policy.json rm -f /tmp/task-definition.json rm -f /tmp/service-definition.json log "Cleanup completed" } # Main execution main() { log "Starting $SCRIPT_NAME v4 (Default VPC)" log "Region: $REGION" log "Log file: $LOG_FILE" # Get AWS account ID get_account_id # Setup infrastructure using default VPC setup_default_vpc_infrastructure # Create CloudWatch log groups create_log_groups # Create ECS cluster create_ecs_cluster # Create IAM roles create_iam_roles # Create task definition create_task_definition # Create ECS service create_ecs_service # Verify deployment verify_deployment log "Tutorial completed successfully!" # Display created resources display_resources # Ask user if they want to clean up echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup_resources log "All resources have been cleaned up" else log "Resources left intact. You can clean them up later by running the cleanup function." echo "" echo "To clean up resources later, you can use the AWS CLI commands or the AWS Management Console." echo "Remember to delete resources in the correct order to avoid dependency issues." fi } # Make script executable and run chmod +x "$0" main "$@" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateCluster](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/CreateCluster) + [CreateLogGroup](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/CreateLogGroup) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) + [CreateService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/CreateService) + [DeleteCluster](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeleteCluster) + [DeleteLogGroup](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/DeleteLogGroup) + [DeleteNamespace](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeleteNamespace) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) + [DeleteService](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeleteService) + [DeregisterTaskDefinition](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeregisterTaskDefinition) + [DescribeClusters](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeClusters) + [DescribeServices](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeServices) + [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets) + [DescribeTasks](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeTasks) + [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [ListNamespaces](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/ListNamespaces) + [ListServices](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/ListServices) + [ListTaskDefinitions](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/ListTaskDefinitions) + [ListTasks](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/ListTasks) + [RegisterTaskDefinition](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/RegisterTaskDefinition) + [UpdateService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/UpdateService) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/Wait) ### Create an Amazon ECS Linux task for the Fargate launch type The following code example shows how to: + Create the cluster + Create a task definition + Create the service + Clean up **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/086-amazon-ecs-fargate-linux) repository. ``` #!/bin/bash # Amazon ECS Fargate Tutorial Script - Version 5 # This script creates an ECS cluster, task definition, and service using Fargate launch type # Fixed version with proper resource dependency handling during cleanup set -e # Exit on any error # Initialize logging LOG_FILE="ecs-fargate-tutorial-v5.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon ECS Fargate tutorial at $(date)" echo "Log file: $LOG_FILE" # Generate random identifier for unique resource names RANDOM_ID=$(openssl rand -hex 6) CLUSTER_NAME="fargate-cluster-${RANDOM_ID}" SERVICE_NAME="fargate-service-${RANDOM_ID}" TASK_FAMILY="sample-fargate-${RANDOM_ID}" SECURITY_GROUP_NAME="ecs-fargate-sg-${RANDOM_ID}" # Array to track created resources for cleanup CREATED_RESOURCES=() # Function to log and execute commands execute_command() { local cmd="$1" local description="$2" echo "" echo "==========================================" echo "EXECUTING: $description" echo "COMMAND: $cmd" echo "==========================================" local output local exit_code set +e # Temporarily disable exit on error output=$(eval "$cmd" 2>&1) exit_code=$? set -e # Re-enable exit on error if [[ $exit_code -eq 0 ]]; then echo "SUCCESS: $description" echo "OUTPUT: $output" return 0 else echo "FAILED: $description" echo "EXIT CODE: $exit_code" echo "OUTPUT: $output" return 1 fi } # Function to check for actual AWS API errors in command output check_for_aws_errors() { local output="$1" local description="$2" # Look for specific AWS error patterns, not just the word "error" if echo "$output" | grep -qi "An error occurred\|InvalidParameter\|AccessDenied\|ResourceNotFound\|ValidationException"; then echo "AWS API ERROR detected in output for: $description" echo "Output: $output" return 1 fi return 0 } # Function to wait for network interfaces to be cleaned up wait_for_network_interfaces_cleanup() { local security_group_id="$1" local max_attempts=30 local attempt=1 echo "Waiting for network interfaces to be cleaned up..." while [[ $attempt -le $max_attempts ]]; do echo "Attempt $attempt/$max_attempts: Checking for dependent network interfaces..." # Check if there are any network interfaces still using this security group local eni_count eni_count=$(aws ec2 describe-network-interfaces \ --filters "Name=group-id,Values=$security_group_id" \ --query "length(NetworkInterfaces)" \ --output text 2>/dev/null || echo "0") if [[ "$eni_count" == "0" ]]; then echo "No network interfaces found using security group $security_group_id" return 0 else echo "Found $eni_count network interface(s) still using security group $security_group_id" echo "Waiting 10 seconds before next check..." sleep 10 ((attempt++)) fi done echo "WARNING: Network interfaces may still be attached after $max_attempts attempts" echo "This is normal and the security group deletion will be retried" return 1 } # Function to retry security group deletion with exponential backoff retry_security_group_deletion() { local security_group_id="$1" local max_attempts=10 local attempt=1 local wait_time=5 while [[ $attempt -le $max_attempts ]]; do echo "Attempt $attempt/$max_attempts: Trying to delete security group $security_group_id" if execute_command "aws ec2 delete-security-group --group-id $security_group_id" "Delete security group (attempt $attempt)"; then echo "Successfully deleted security group $security_group_id" return 0 else if [[ $attempt -eq $max_attempts ]]; then echo "FAILED: Could not delete security group $security_group_id after $max_attempts attempts" echo "This may be due to network interfaces that are still being cleaned up by AWS" echo "You can manually delete it later using: aws ec2 delete-security-group --group-id $security_group_id" return 1 else echo "Waiting $wait_time seconds before retry..." sleep $wait_time wait_time=$((wait_time * 2)) # Exponential backoff ((attempt++)) fi fi done } # Function to cleanup resources with proper dependency handling cleanup_resources() { echo "" echo "===========================================" echo "CLEANUP PROCESS" echo "===========================================" echo "The following resources were created:" for resource in "${CREATED_RESOURCES[@]}"; do echo " - $resource" done echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Starting cleanup process..." # Step 1: Scale service to 0 tasks first, then delete service if [[ " ${CREATED_RESOURCES[*]} " =~ " ECS Service: $SERVICE_NAME " ]]; then echo "" echo "Step 1: Scaling service to 0 tasks..." if execute_command "aws ecs update-service --cluster $CLUSTER_NAME --service $SERVICE_NAME --desired-count 0" "Scale service to 0 tasks"; then echo "Waiting for service to stabilize after scaling to 0..." execute_command "aws ecs wait services-stable --cluster $CLUSTER_NAME --services $SERVICE_NAME" "Wait for service to stabilize" echo "Deleting service..." execute_command "aws ecs delete-service --cluster $CLUSTER_NAME --service $SERVICE_NAME" "Delete ECS service" else echo "WARNING: Failed to scale service. Attempting to delete anyway..." execute_command "aws ecs delete-service --cluster $CLUSTER_NAME --service $SERVICE_NAME --force" "Force delete ECS service" fi fi # Step 2: Wait a bit for tasks to fully terminate echo "" echo "Step 2: Waiting for tasks to fully terminate..." sleep 15 # Step 3: Delete cluster if [[ " ${CREATED_RESOURCES[*]} " =~ " ECS Cluster: $CLUSTER_NAME " ]]; then echo "" echo "Step 3: Deleting cluster..." execute_command "aws ecs delete-cluster --cluster $CLUSTER_NAME" "Delete ECS cluster" fi # Step 4: Wait for network interfaces to be cleaned up, then delete security group if [[ -n "$SECURITY_GROUP_ID" ]]; then echo "" echo "Step 4: Cleaning up security group..." # First, wait for network interfaces to be cleaned up wait_for_network_interfaces_cleanup "$SECURITY_GROUP_ID" # Then retry security group deletion with backoff retry_security_group_deletion "$SECURITY_GROUP_ID" fi # Step 5: Clean up task definition (deregister all revisions) if [[ " ${CREATED_RESOURCES[*]} " =~ " Task Definition: $TASK_FAMILY " ]]; then echo "" echo "Step 5: Deregistering task definition revisions..." # Get all revisions of the task definition local revisions revisions=$(aws ecs list-task-definitions --family-prefix "$TASK_FAMILY" --query "taskDefinitionArns" --output text 2>/dev/null || echo "") if [[ -n "$revisions" && "$revisions" != "None" ]]; then for revision_arn in $revisions; do echo "Deregistering task definition: $revision_arn" execute_command "aws ecs deregister-task-definition --task-definition $revision_arn" "Deregister task definition $revision_arn" || true done else echo "No task definition revisions found to deregister" fi fi echo "" echo "===========================================" echo "CLEANUP COMPLETED" echo "===========================================" echo "All resources have been cleaned up successfully!" else echo "Cleanup skipped. Resources remain active." echo "" echo "To clean up manually later, use the following commands in order:" echo "1. Scale service to 0: aws ecs update-service --cluster $CLUSTER_NAME --service $SERVICE_NAME --desired-count 0" echo "2. Wait for stability: aws ecs wait services-stable --cluster $CLUSTER_NAME --services $SERVICE_NAME" echo "3. Delete service: aws ecs delete-service --cluster $CLUSTER_NAME --service $SERVICE_NAME" echo "4. Delete cluster: aws ecs delete-cluster --cluster $CLUSTER_NAME" echo "5. Wait 2-3 minutes, then delete security group: aws ec2 delete-security-group --group-id $SECURITY_GROUP_ID" if [[ " ${CREATED_RESOURCES[*]} " =~ " Task Definition: $TASK_FAMILY " ]]; then echo "6. Deregister task definitions: aws ecs list-task-definitions --family-prefix $TASK_FAMILY" echo " Then for each ARN: aws ecs deregister-task-definition --task-definition " fi fi } # Trap to handle script interruption trap cleanup_resources EXIT echo "Using random identifier: $RANDOM_ID" echo "Cluster name: $CLUSTER_NAME" echo "Service name: $SERVICE_NAME" echo "Task family: $TASK_FAMILY" # Step 1: Ensure ECS task execution role exists echo "" echo "===========================================" echo "STEP 1: VERIFY ECS TASK EXECUTION ROLE" echo "===========================================" ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) EXECUTION_ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskExecutionRole" # Check if role exists if aws iam get-role --role-name ecsTaskExecutionRole >/dev/null 2>&1; then echo "ECS task execution role already exists" else echo "Creating ECS task execution role..." # Create trust policy cat > trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF execute_command "aws iam create-role --role-name ecsTaskExecutionRole --assume-role-policy-document file://trust-policy.json" "Create ECS task execution role" execute_command "aws iam attach-role-policy --role-name ecsTaskExecutionRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" "Attach ECS task execution policy" # Clean up temporary file rm -f trust-policy.json CREATED_RESOURCES+=("IAM Role: ecsTaskExecutionRole") fi # Step 2: Create ECS cluster echo "" echo "===========================================" echo "STEP 2: CREATE ECS CLUSTER" echo "===========================================" CLUSTER_OUTPUT=$(execute_command "aws ecs create-cluster --cluster-name $CLUSTER_NAME" "Create ECS cluster") check_for_aws_errors "$CLUSTER_OUTPUT" "Create ECS cluster" CREATED_RESOURCES+=("ECS Cluster: $CLUSTER_NAME") # Step 3: Create task definition echo "" echo "===========================================" echo "STEP 3: CREATE TASK DEFINITION" echo "===========================================" # Create task definition JSON cat > task-definition.json << EOF { "family": "$TASK_FAMILY", "networkMode": "awsvpc", "requiresCompatibilities": ["FARGATE"], "cpu": "256", "memory": "512", "executionRoleArn": "$EXECUTION_ROLE_ARN", "containerDefinitions": [ { "name": "fargate-app", "image": "public.ecr.aws/docker/library/httpd:latest", "portMappings": [ { "containerPort": 80, "hostPort": 80, "protocol": "tcp" } ], "essential": true, "entryPoint": ["sh", "-c"], "command": [ "/bin/sh -c \"echo ' Amazon ECS Sample App

Amazon ECS Sample App

Congratulations!

Your application is now running on a container in Amazon ECS.

Amazon ECS Sample App

Congratulations!

Your application is now running on a container in Amazon ECS.

' > /usr/local/apache2/htdocs/index.html && httpd-foreground\"" ] } ] } EOF TASK_DEF_OUTPUT=$(execute_command "aws ecs register-task-definition --cli-input-json file://task-definition.json" "Register task definition") check_for_aws_errors "$TASK_DEF_OUTPUT" "Register task definition" # Clean up temporary file rm -f task-definition.json CREATED_RESOURCES+=("Task Definition: $TASK_FAMILY") # Step 4: Set up networking echo "" echo "===========================================" echo "STEP 4: SET UP NETWORKING" echo "===========================================" # Get default VPC ID VPC_ID=$(aws ec2 describe-vpcs --filters "Name=is-default,Values=true" --query "Vpcs[0].VpcId" --output text) if [[ "$VPC_ID" == "None" || -z "$VPC_ID" ]]; then echo "ERROR: No default VPC found. Please create a default VPC or specify a custom VPC." exit 1 fi echo "Using default VPC: $VPC_ID" # Create security group with restricted access # Note: This allows HTTP access from anywhere for demo purposes # In production, restrict source to specific IP ranges or security groups SECURITY_GROUP_OUTPUT=$(execute_command "aws ec2 create-security-group --group-name $SECURITY_GROUP_NAME --description 'Security group for ECS Fargate tutorial - HTTP access' --vpc-id $VPC_ID" "Create security group") check_for_aws_errors "$SECURITY_GROUP_OUTPUT" "Create security group" SECURITY_GROUP_ID=$(echo "$SECURITY_GROUP_OUTPUT" | grep -o '"GroupId": "[^"]*"' | cut -d'"' -f4) if [[ -z "$SECURITY_GROUP_ID" ]]; then SECURITY_GROUP_ID=$(aws ec2 describe-security-groups --group-names "$SECURITY_GROUP_NAME" --query "SecurityGroups[0].GroupId" --output text) fi echo "Created security group: $SECURITY_GROUP_ID" CREATED_RESOURCES+=("Security Group: $SECURITY_GROUP_ID") # Add HTTP inbound rule # WARNING: This allows HTTP access from anywhere (0.0.0.0/0) # In production environments, restrict this to specific IP ranges execute_command "aws ec2 authorize-security-group-ingress --group-id $SECURITY_GROUP_ID --protocol tcp --port 80 --cidr 0.0.0.0/0" "Add HTTP inbound rule to security group" # Get subnet IDs from default VPC echo "Getting subnet IDs from default VPC..." SUBNET_IDS_RAW=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" --query "Subnets[*].SubnetId" --output text) if [[ -z "$SUBNET_IDS_RAW" ]]; then echo "ERROR: No subnets found in default VPC" exit 1 fi # Convert to proper comma-separated format, handling both spaces and tabs SUBNET_IDS_COMMA=$(echo "$SUBNET_IDS_RAW" | tr -s '[:space:]' ',' | sed 's/,$//') echo "Raw subnet IDs: $SUBNET_IDS_RAW" echo "Formatted subnet IDs: $SUBNET_IDS_COMMA" # Validate subnet IDs format if [[ ! "$SUBNET_IDS_COMMA" =~ ^subnet-[a-z0-9]+(,subnet-[a-z0-9]+)*$ ]]; then echo "ERROR: Invalid subnet ID format: $SUBNET_IDS_COMMA" exit 1 fi # Step 5: Create ECS service echo "" echo "===========================================" echo "STEP 5: CREATE ECS SERVICE" echo "===========================================" # Create the service with proper JSON formatting for network configuration SERVICE_CMD="aws ecs create-service --cluster $CLUSTER_NAME --service-name $SERVICE_NAME --task-definition $TASK_FAMILY --desired-count 1 --launch-type FARGATE --network-configuration '{\"awsvpcConfiguration\":{\"subnets\":[\"$(echo $SUBNET_IDS_COMMA | sed 's/,/","/g')\"],\"securityGroups\":[\"$SECURITY_GROUP_ID\"],\"assignPublicIp\":\"ENABLED\"}}'" echo "Service creation command: $SERVICE_CMD" SERVICE_OUTPUT=$(execute_command "$SERVICE_CMD" "Create ECS service") check_for_aws_errors "$SERVICE_OUTPUT" "Create ECS service" CREATED_RESOURCES+=("ECS Service: $SERVICE_NAME") # Step 6: Wait for service to stabilize and get public IP echo "" echo "===========================================" echo "STEP 6: WAIT FOR SERVICE AND GET PUBLIC IP" echo "===========================================" echo "Waiting for service to stabilize (this may take a few minutes)..." execute_command "aws ecs wait services-stable --cluster $CLUSTER_NAME --services $SERVICE_NAME" "Wait for service to stabilize" # Get task ARN TASK_ARN=$(aws ecs list-tasks --cluster $CLUSTER_NAME --service-name $SERVICE_NAME --query "taskArns[0]" --output text) if [[ "$TASK_ARN" == "None" || -z "$TASK_ARN" ]]; then echo "ERROR: No running tasks found for service" exit 1 fi echo "Task ARN: $TASK_ARN" # Get network interface ID ENI_ID=$(aws ecs describe-tasks --cluster $CLUSTER_NAME --tasks $TASK_ARN --query "tasks[0].attachments[0].details[?name=='networkInterfaceId'].value" --output text) if [[ "$ENI_ID" == "None" || -z "$ENI_ID" ]]; then echo "ERROR: Could not retrieve network interface ID" exit 1 fi echo "Network Interface ID: $ENI_ID" # Get public IP PUBLIC_IP=$(aws ec2 describe-network-interfaces --network-interface-ids $ENI_ID --query "NetworkInterfaces[0].Association.PublicIp" --output text) if [[ "$PUBLIC_IP" == "None" || -z "$PUBLIC_IP" ]]; then echo "WARNING: No public IP assigned to the task" echo "The task may be in a private subnet or public IP assignment failed" else echo "" echo "===========================================" echo "SUCCESS! APPLICATION IS RUNNING" echo "===========================================" echo "Your application is available at: http://$PUBLIC_IP" echo "You can test it by opening this URL in your browser" echo "" fi # Display service information echo "" echo "===========================================" echo "SERVICE INFORMATION" echo "===========================================" execute_command "aws ecs describe-services --cluster $CLUSTER_NAME --services $SERVICE_NAME" "Get service details" echo "" echo "===========================================" echo "TUTORIAL COMPLETED SUCCESSFULLY" echo "===========================================" echo "Resources created:" for resource in "${CREATED_RESOURCES[@]}"; do echo " - $resource" done if [[ -n "$PUBLIC_IP" && "$PUBLIC_IP" != "None" ]]; then echo "" echo "Application URL: http://$PUBLIC_IP" fi echo "" echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateCluster](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/CreateCluster) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) + [CreateService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/CreateService) + [DeleteCluster](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeleteCluster) + [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) + [DeleteService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeleteService) + [DeregisterTaskDefinition](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeregisterTaskDefinition) + [DescribeNetworkInterfaces](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeNetworkInterfaces) + [DescribeSecurityGroups](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSecurityGroups) + [DescribeServices](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeServices) + [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets) + [DescribeTasks](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeTasks) + [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [ListTaskDefinitions](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/ListTaskDefinitions) + [ListTasks](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/ListTasks) + [RegisterTaskDefinition](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/RegisterTaskDefinition) + [UpdateService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/UpdateService) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/Wait) ### Creating a CloudWatch dashboard with function name as a variable The following code example shows how to: + Create a CloudWatch dashboard + Add Lambda metrics widgets with a function name variable + Verify the dashboard + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/031-cloudwatch-dynamicdash) repository. ``` #!/bin/bash # Script to create a CloudWatch dashboard with Lambda function name as a variable # This script creates a CloudWatch dashboard that allows you to switch between different Lambda functions # Set up logging LOG_FILE="cloudwatch-dashboard-script.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "$(date): Starting CloudWatch dashboard creation script" # Function to handle errors handle_error() { echo "ERROR: $1" echo "Resources created:" echo "- CloudWatch Dashboard: LambdaMetricsDashboard" echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "An error occurred. Do you want to clean up the created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "${CLEANUP_CHOICE,,}" == "y" ]]; then echo "Cleaning up resources..." aws cloudwatch delete-dashboards --dashboard-names LambdaMetricsDashboard echo "Cleanup complete." else echo "Resources were not cleaned up. You can manually delete them later." fi exit 1 } # Check if AWS CLI is installed and configured echo "Checking AWS CLI configuration..." aws sts get-caller-identity > /dev/null 2>&1 if [ $? -ne 0 ]; then handle_error "AWS CLI is not properly configured. Please configure it with 'aws configure' and try again." fi # Get the current region REGION=$(aws configure get region) if [ -z "$REGION" ]; then REGION="us-east-1" echo "No region found in AWS config, defaulting to $REGION" fi echo "Using region: $REGION" # Check if there are any Lambda functions in the account echo "Checking for Lambda functions..." LAMBDA_FUNCTIONS=$(aws lambda list-functions --query "Functions[*].FunctionName" --output text) if [ -z "$LAMBDA_FUNCTIONS" ]; then echo "No Lambda functions found in your account. Creating a simple test function..." # Create a temporary directory for Lambda function code TEMP_DIR=$(mktemp -d) # Create a simple Lambda function cat > "$TEMP_DIR/index.js" << EOF exports.handler = async (event) => { console.log('Event:', JSON.stringify(event, null, 2)); return { statusCode: 200, body: JSON.stringify('Hello from Lambda!'), }; }; EOF # Zip the function code cd "$TEMP_DIR" || handle_error "Failed to change to temporary directory" zip -q function.zip index.js # Create a role for the Lambda function ROLE_NAME="LambdaDashboardTestRole" ROLE_ARN=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document '{"Version":"2012-10-17", "Statement":[{"Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]}' \ --query "Role.Arn" \ --output text) if [ $? -ne 0 ]; then handle_error "Failed to create IAM role for Lambda function" fi echo "Waiting for role to be available..." sleep 10 # Attach basic Lambda execution policy aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" if [ $? -ne 0 ]; then aws iam delete-role --role-name "$ROLE_NAME" handle_error "Failed to attach policy to IAM role" fi # Create the Lambda function FUNCTION_NAME="DashboardTestFunction" aws lambda create-function \ --function-name "$FUNCTION_NAME" \ --runtime nodejs18.x \ --role "$ROLE_ARN" \ --handler index.handler \ --zip-file fileb://function.zip if [ $? -ne 0 ]; then aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" aws iam delete-role --role-name "$ROLE_NAME" handle_error "Failed to create Lambda function" fi # Invoke the function to generate some metrics echo "Invoking Lambda function to generate metrics..." for i in {1..5}; do aws lambda invoke --function-name "$FUNCTION_NAME" --payload '{}' /dev/null > /dev/null sleep 1 done # Clean up temporary directory cd - > /dev/null rm -rf "$TEMP_DIR" # Set the function name for the dashboard DEFAULT_FUNCTION="$FUNCTION_NAME" else # Use the first Lambda function as default DEFAULT_FUNCTION=$(echo "$LAMBDA_FUNCTIONS" | awk '{print $1}') echo "Found Lambda functions. Using $DEFAULT_FUNCTION as default." fi # Create a dashboard with Lambda metrics and a function name variable echo "Creating CloudWatch dashboard with Lambda function name variable..." # Create a JSON file for the dashboard body cat > dashboard-body.json << EOF { "widgets": [ { "type": "metric", "x": 0, "y": 0, "width": 12, "height": 6, "properties": { "metrics": [ [ "AWS/Lambda", "Invocations", "FunctionName", "\${FunctionName}" ], [ ".", "Errors", ".", "." ], [ ".", "Throttles", ".", "." ] ], "view": "timeSeries", "stacked": false, "region": "$REGION", "title": "Lambda Function Metrics for \${FunctionName}", "period": 300 } }, { "type": "metric", "x": 0, "y": 6, "width": 12, "height": 6, "properties": { "metrics": [ [ "AWS/Lambda", "Duration", "FunctionName", "\${FunctionName}", { "stat": "Average" } ] ], "view": "timeSeries", "stacked": false, "region": "$REGION", "title": "Duration for \${FunctionName}", "period": 300 } }, { "type": "metric", "x": 12, "y": 0, "width": 12, "height": 6, "properties": { "metrics": [ [ "AWS/Lambda", "ConcurrentExecutions", "FunctionName", "\${FunctionName}" ] ], "view": "timeSeries", "stacked": false, "region": "$REGION", "title": "Concurrent Executions for \${FunctionName}", "period": 300 } } ], "periodOverride": "auto", "variables": [ { "type": "property", "id": "FunctionName", "property": "FunctionName", "label": "Lambda Function", "inputType": "select", "values": [ { "value": "$DEFAULT_FUNCTION", "label": "$DEFAULT_FUNCTION" } ] } ] } EOF # Create the dashboard using the JSON file DASHBOARD_RESULT=$(aws cloudwatch put-dashboard --dashboard-name LambdaMetricsDashboard --dashboard-body file://dashboard-body.json) DASHBOARD_EXIT_CODE=$? # Check if there was a fatal error if [ $DASHBOARD_EXIT_CODE -ne 0 ]; then # If we created resources, clean them up if [ -n "${FUNCTION_NAME:-}" ]; then aws lambda delete-function --function-name "$FUNCTION_NAME" aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" aws iam delete-role --role-name "$ROLE_NAME" fi handle_error "Failed to create CloudWatch dashboard." fi # Display any validation messages but continue if [[ "$DASHBOARD_RESULT" == *"DashboardValidationMessages"* ]]; then echo "Dashboard created with validation messages:" echo "$DASHBOARD_RESULT" echo "These validation messages are warnings and the dashboard should still function." else echo "Dashboard created successfully!" fi # Verify the dashboard was created echo "Verifying dashboard creation..." DASHBOARD_INFO=$(aws cloudwatch get-dashboard --dashboard-name LambdaMetricsDashboard) DASHBOARD_INFO_EXIT_CODE=$? if [ $DASHBOARD_INFO_EXIT_CODE -ne 0 ]; then # If we created resources, clean them up if [ -n "${FUNCTION_NAME:-}" ]; then aws lambda delete-function --function-name "$FUNCTION_NAME" aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" aws iam delete-role --role-name "$ROLE_NAME" fi handle_error "Failed to verify dashboard creation." fi echo "Dashboard verification successful!" echo "Dashboard details:" echo "$DASHBOARD_INFO" # List all dashboards to confirm echo "Listing all dashboards:" DASHBOARDS=$(aws cloudwatch list-dashboards) DASHBOARDS_EXIT_CODE=$? if [ $DASHBOARDS_EXIT_CODE -ne 0 ]; then # If we created resources, clean them up if [ -n "${FUNCTION_NAME:-}" ]; then aws lambda delete-function --function-name "$FUNCTION_NAME" aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" aws iam delete-role --role-name "$ROLE_NAME" fi handle_error "Failed to list dashboards." fi echo "$DASHBOARDS" # Show instructions for accessing the dashboard echo "" echo "Dashboard created successfully! To access it:" echo "1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/" echo "2. In the navigation pane, choose Dashboards" echo "3. Select LambdaMetricsDashboard" echo "4. You should see a dropdown menu labeled 'Lambda Function' at the top of the dashboard" echo "5. Use this dropdown to select different Lambda functions and see their metrics" echo "" # Create a list of resources for cleanup RESOURCES=("- CloudWatch Dashboard: LambdaMetricsDashboard") if [ -n "${FUNCTION_NAME:-}" ]; then RESOURCES+=("- Lambda Function: $FUNCTION_NAME") RESOURCES+=("- IAM Role: $ROLE_NAME") fi # Prompt for cleanup echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Resources created:" for resource in "${RESOURCES[@]}"; do echo "$resource" done echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "${CLEANUP_CHOICE,,}" == "y" ]]; then echo "Cleaning up resources..." # Delete the dashboard aws cloudwatch delete-dashboards --dashboard-names LambdaMetricsDashboard if [ $? -ne 0 ]; then echo "WARNING: Failed to delete dashboard. You may need to delete it manually." else echo "Dashboard deleted successfully." fi # If we created a Lambda function, delete it and its role if [ -n "${FUNCTION_NAME:-}" ]; then echo "Deleting Lambda function..." aws lambda delete-function --function-name "$FUNCTION_NAME" if [ $? -ne 0 ]; then echo "WARNING: Failed to delete Lambda function. You may need to delete it manually." else echo "Lambda function deleted successfully." fi echo "Detaching role policy..." aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" if [ $? -ne 0 ]; then echo "WARNING: Failed to detach role policy. You may need to detach it manually." else echo "Role policy detached successfully." fi echo "Deleting IAM role..." aws iam delete-role --role-name "$ROLE_NAME" if [ $? -ne 0 ]; then echo "WARNING: Failed to delete IAM role. You may need to delete it manually." else echo "IAM role deleted successfully." fi fi # Clean up the JSON file rm -f dashboard-body.json echo "Cleanup complete." else echo "Resources were not cleaned up. You can manually delete them later with:" echo "aws cloudwatch delete-dashboards --dashboard-names LambdaMetricsDashboard" if [ -n "${FUNCTION_NAME:-}" ]; then echo "aws lambda delete-function --function-name $FUNCTION_NAME" echo "aws iam detach-role-policy --role-name $ROLE_NAME --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" echo "aws iam delete-role --role-name $ROLE_NAME" fi fi echo "Script completed successfully!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/CreateFunction) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteDashboards](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/DeleteDashboards) + [DeleteFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/DeleteFunction) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetDashboard](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/GetDashboard) + [Invoke](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/Invoke) + [ListDashboards](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/ListDashboards) + [ListFunctions](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/ListFunctions) + [PutDashboard](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/PutDashboard) ### Creating an Amazon ECS service for the EC2 launch type The following code example shows how to: + Create an ECS cluster + Create and monitor a service + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/018-ecs-ec2) repository. ``` #!/bin/bash # ECS EC2 Launch Type Tutorial Script - UPDATED VERSION # This script demonstrates creating an ECS cluster, launching a container instance, # registering a task definition, and creating a service using the EC2 launch type. # Updated to match the tutorial draft with nginx web server and service creation. # # - UPDATED: Changed from sleep task to nginx web server with service set -e # Exit on any error # Configuration SCRIPT_NAME="ecs-ec2-tutorial" LOG_FILE="${SCRIPT_NAME}-$(date +%Y%m%d-%H%M%S).log" CLUSTER_NAME="tutorial-cluster-$(openssl rand -hex 4)" TASK_FAMILY="nginx-task-$(openssl rand -hex 4)" SERVICE_NAME="nginx-service-$(openssl rand -hex 4)" KEY_PAIR_NAME="ecs-tutorial-key-$(openssl rand -hex 4)" SECURITY_GROUP_NAME="ecs-tutorial-sg-$(openssl rand -hex 4)" # Get current AWS region dynamically AWS_REGION=$(aws configure get region || echo "us-east-1") # Resource tracking arrays CREATED_RESOURCES=() CLEANUP_ORDER=() # Logging function log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE" } # Error handling function handle_error() { local exit_code=$? log "ERROR: Script failed with exit code $exit_code" log "ERROR: Last command: $BASH_COMMAND" echo "" echo "===========================================" echo "ERROR OCCURRED - ATTEMPTING CLEANUP" echo "===========================================" echo "Resources created before error:" for resource in "${CREATED_RESOURCES[@]}"; do echo " - $resource" done cleanup_resources exit $exit_code } # Set error trap trap handle_error ERR # FIXED: Enhanced cleanup function with proper error handling and logging cleanup_resources() { log "Starting cleanup process..." local cleanup_errors=0 # Delete service first (this will stop tasks automatically) if [[ -n "${SERVICE_ARN:-}" ]]; then log "Updating service to desired count 0: $SERVICE_NAME" if ! aws ecs update-service --cluster "$CLUSTER_NAME" --service "$SERVICE_NAME" --desired-count 0 2>>"$LOG_FILE"; then log "WARNING: Failed to update service desired count to 0" ((cleanup_errors++)) else log "Waiting for service tasks to stop..." sleep 30 # Give time for tasks to stop fi log "Deleting service: $SERVICE_NAME" if ! aws ecs delete-service --cluster "$CLUSTER_NAME" --service "$SERVICE_NAME" 2>>"$LOG_FILE"; then log "WARNING: Failed to delete service $SERVICE_NAME" ((cleanup_errors++)) fi fi # Stop and delete any remaining tasks if [[ -n "${TASK_ARN:-}" ]]; then log "Stopping task: $TASK_ARN" if ! aws ecs stop-task --cluster "$CLUSTER_NAME" --task "$TASK_ARN" --reason "Tutorial cleanup" 2>>"$LOG_FILE"; then log "WARNING: Failed to stop task $TASK_ARN" ((cleanup_errors++)) else log "Waiting for task to stop..." if ! aws ecs wait tasks-stopped --cluster "$CLUSTER_NAME" --tasks "$TASK_ARN" 2>>"$LOG_FILE"; then log "WARNING: Task stop wait failed for $TASK_ARN" ((cleanup_errors++)) fi fi fi # Deregister task definition if [[ -n "${TASK_DEFINITION_ARN:-}" ]]; then log "Deregistering task definition: $TASK_DEFINITION_ARN" if ! aws ecs deregister-task-definition --task-definition "$TASK_DEFINITION_ARN" 2>>"$LOG_FILE"; then log "WARNING: Failed to deregister task definition $TASK_DEFINITION_ARN" ((cleanup_errors++)) fi fi # Terminate EC2 instance if [[ -n "${INSTANCE_ID:-}" ]]; then log "Terminating EC2 instance: $INSTANCE_ID" if ! aws ec2 terminate-instances --instance-ids "$INSTANCE_ID" 2>>"$LOG_FILE"; then log "WARNING: Failed to terminate instance $INSTANCE_ID" ((cleanup_errors++)) else log "Waiting for instance to terminate..." if ! aws ec2 wait instance-terminated --instance-ids "$INSTANCE_ID" 2>>"$LOG_FILE"; then log "WARNING: Instance termination wait failed for $INSTANCE_ID" ((cleanup_errors++)) fi fi fi # Delete security group with retry logic if [[ -n "${SECURITY_GROUP_ID:-}" ]]; then log "Deleting security group: $SECURITY_GROUP_ID" local retry_count=0 local max_retries=3 while [[ $retry_count -lt $max_retries ]]; do if aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID" 2>>"$LOG_FILE"; then log "Successfully deleted security group" break else ((retry_count++)) if [[ $retry_count -lt $max_retries ]]; then log "Retry $retry_count/$max_retries: Waiting 10 seconds before retrying security group deletion..." sleep 10 else log "ERROR: Failed to delete security group after $max_retries attempts" ((cleanup_errors++)) fi fi done fi # Delete key pair if [[ -n "${KEY_PAIR_NAME:-}" ]]; then log "Deleting key pair: $KEY_PAIR_NAME" if ! aws ec2 delete-key-pair --key-name "$KEY_PAIR_NAME" 2>>"$LOG_FILE"; then log "WARNING: Failed to delete key pair $KEY_PAIR_NAME" ((cleanup_errors++)) fi rm -f "${KEY_PAIR_NAME}.pem" 2>>"$LOG_FILE" || log "WARNING: Failed to remove local key file" fi # Delete ECS cluster if [[ -n "${CLUSTER_NAME:-}" ]]; then log "Deleting ECS cluster: $CLUSTER_NAME" if ! aws ecs delete-cluster --cluster "$CLUSTER_NAME" 2>>"$LOG_FILE"; then log "WARNING: Failed to delete cluster $CLUSTER_NAME" ((cleanup_errors++)) fi fi if [[ $cleanup_errors -eq 0 ]]; then log "Cleanup completed successfully" else log "Cleanup completed with $cleanup_errors warnings/errors. Check log file for details." fi } # Function to check prerequisites check_prerequisites() { log "Checking prerequisites..." # Check AWS CLI if ! command -v aws &> /dev/null; then log "ERROR: AWS CLI is not installed" exit 1 fi # Check AWS credentials if ! aws sts get-caller-identity &> /dev/null; then log "ERROR: AWS credentials not configured" exit 1 fi # Get caller identity CALLER_IDENTITY=$(aws sts get-caller-identity --output text --query 'Account') log "AWS Account: $CALLER_IDENTITY" log "AWS Region: $AWS_REGION" # Check for default VPC DEFAULT_VPC=$(aws ec2 describe-vpcs --filters "Name=is-default,Values=true" --query 'Vpcs[0].VpcId' --output text) if [[ "$DEFAULT_VPC" == "None" ]]; then log "ERROR: No default VPC found. Please create a VPC first." exit 1 fi log "Using default VPC: $DEFAULT_VPC" # Get default subnet DEFAULT_SUBNET=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$DEFAULT_VPC" "Name=default-for-az,Values=true" --query 'Subnets[0].SubnetId' --output text) if [[ "$DEFAULT_SUBNET" == "None" ]]; then log "ERROR: No default subnet found" exit 1 fi log "Using default subnet: $DEFAULT_SUBNET" log "Prerequisites check completed successfully" } # Function to create ECS cluster create_cluster() { log "Creating ECS cluster: $CLUSTER_NAME" CLUSTER_ARN=$(aws ecs create-cluster --cluster-name "$CLUSTER_NAME" --query 'cluster.clusterArn' --output text) if [[ -z "$CLUSTER_ARN" ]]; then log "ERROR: Failed to create cluster" exit 1 fi log "Created cluster: $CLUSTER_ARN" CREATED_RESOURCES+=("ECS Cluster: $CLUSTER_NAME") } # Function to create key pair create_key_pair() { log "Creating EC2 key pair: $KEY_PAIR_NAME" # FIXED: Set secure umask before key creation umask 077 aws ec2 create-key-pair --key-name "$KEY_PAIR_NAME" --query 'KeyMaterial' --output text > "${KEY_PAIR_NAME}.pem" chmod 400 "${KEY_PAIR_NAME}.pem" umask 022 # Reset umask log "Created key pair: $KEY_PAIR_NAME" CREATED_RESOURCES+=("EC2 Key Pair: $KEY_PAIR_NAME") } # Function to create security group create_security_group() { log "Creating security group: $SECURITY_GROUP_NAME" SECURITY_GROUP_ID=$(aws ec2 create-security-group \ --group-name "$SECURITY_GROUP_NAME" \ --description "ECS tutorial security group" \ --vpc-id "$DEFAULT_VPC" \ --query 'GroupId' --output text) if [[ -z "$SECURITY_GROUP_ID" ]]; then log "ERROR: Failed to create security group" exit 1 fi # Add HTTP access rule for nginx web server aws ec2 authorize-security-group-ingress \ --group-id "$SECURITY_GROUP_ID" \ --protocol tcp \ --port 80 \ --cidr "0.0.0.0/0" log "Created security group: $SECURITY_GROUP_ID" log "Added HTTP access on port 80" CREATED_RESOURCES+=("Security Group: $SECURITY_GROUP_ID") } # Function to get ECS optimized AMI get_ecs_ami() { log "Getting ECS-optimized AMI ID..." ECS_AMI_ID=$(aws ssm get-parameters \ --names /aws/service/ecs/optimized-ami/amazon-linux-2/recommended \ --query 'Parameters[0].Value' --output text | jq -r '.image_id') if [[ -z "$ECS_AMI_ID" ]]; then log "ERROR: Failed to get ECS-optimized AMI ID" exit 1 fi log "ECS-optimized AMI ID: $ECS_AMI_ID" } # Function to create IAM role for ECS instance (if it doesn't exist) ensure_ecs_instance_role() { log "Checking for ecsInstanceRole..." if ! aws iam get-role --role-name ecsInstanceRole &> /dev/null; then log "Creating ecsInstanceRole..." # Create trust policy cat > ecs-instance-trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create role aws iam create-role \ --role-name ecsInstanceRole \ --assume-role-policy-document file://ecs-instance-trust-policy.json # Attach managed policy aws iam attach-role-policy \ --role-name ecsInstanceRole \ --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role # Create instance profile aws iam create-instance-profile --instance-profile-name ecsInstanceRole # Add role to instance profile aws iam add-role-to-instance-profile \ --instance-profile-name ecsInstanceRole \ --role-name ecsInstanceRole # FIXED: Enhanced wait for role to be ready log "Waiting for IAM role to be ready..." aws iam wait role-exists --role-name ecsInstanceRole sleep 30 # Additional buffer for eventual consistency rm -f ecs-instance-trust-policy.json log "Created ecsInstanceRole" CREATED_RESOURCES+=("IAM Role: ecsInstanceRole") else log "ecsInstanceRole already exists" fi } # Function to launch container instance launch_container_instance() { log "Launching ECS container instance..." # Create user data script cat > ecs-user-data.sh << EOF #!/bin/bash echo ECS_CLUSTER=$CLUSTER_NAME >> /etc/ecs/ecs.config EOF INSTANCE_ID=$(aws ec2 run-instances \ --image-id "$ECS_AMI_ID" \ --instance-type t3.micro \ --key-name "$KEY_PAIR_NAME" \ --security-group-ids "$SECURITY_GROUP_ID" \ --subnet-id "$DEFAULT_SUBNET" \ --iam-instance-profile Name=ecsInstanceRole \ --user-data file://ecs-user-data.sh \ --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=ecs-tutorial-instance}]" \ --query 'Instances[0].InstanceId' --output text) if [[ -z "$INSTANCE_ID" ]]; then log "ERROR: Failed to launch EC2 instance" exit 1 fi log "Launched EC2 instance: $INSTANCE_ID" CREATED_RESOURCES+=("EC2 Instance: $INSTANCE_ID") # Wait for instance to be running log "Waiting for instance to be running..." aws ec2 wait instance-running --instance-ids "$INSTANCE_ID" # Wait for ECS agent to register log "Waiting for ECS agent to register with cluster..." local max_attempts=30 local attempt=0 while [[ $attempt -lt $max_attempts ]]; do CONTAINER_INSTANCES=$(aws ecs list-container-instances --cluster "$CLUSTER_NAME" --query 'containerInstanceArns' --output text) if [[ -n "$CONTAINER_INSTANCES" && "$CONTAINER_INSTANCES" != "None" ]]; then log "Container instance registered successfully" break fi attempt=$((attempt + 1)) log "Waiting for container instance registration... (attempt $attempt/$max_attempts)" sleep 10 done if [[ $attempt -eq $max_attempts ]]; then log "ERROR: Container instance failed to register within expected time" exit 1 fi rm -f ecs-user-data.sh } # Function to register task definition register_task_definition() { log "Creating task definition..." # Create nginx task definition JSON matching the tutorial cat > task-definition.json << EOF { "family": "$TASK_FAMILY", "containerDefinitions": [ { "name": "nginx", "image": "public.ecr.aws/docker/library/nginx:latest", "cpu": 256, "memory": 512, "essential": true, "portMappings": [ { "containerPort": 80, "hostPort": 80, "protocol": "tcp" } ] } ], "requiresCompatibilities": ["EC2"], "networkMode": "bridge" } EOF # FIXED: Validate JSON before registration if ! jq empty task-definition.json 2>/dev/null; then log "ERROR: Invalid JSON in task definition" exit 1 fi TASK_DEFINITION_ARN=$(aws ecs register-task-definition \ --cli-input-json file://task-definition.json \ --query 'taskDefinition.taskDefinitionArn' --output text) if [[ -z "$TASK_DEFINITION_ARN" ]]; then log "ERROR: Failed to register task definition" exit 1 fi log "Registered task definition: $TASK_DEFINITION_ARN" CREATED_RESOURCES+=("Task Definition: $TASK_DEFINITION_ARN") rm -f task-definition.json } # Function to create service create_service() { log "Creating ECS service..." SERVICE_ARN=$(aws ecs create-service \ --cluster "$CLUSTER_NAME" \ --service-name "$SERVICE_NAME" \ --task-definition "$TASK_FAMILY" \ --desired-count 1 \ --query 'service.serviceArn' --output text) if [[ -z "$SERVICE_ARN" ]]; then log "ERROR: Failed to create service" exit 1 fi log "Created service: $SERVICE_ARN" CREATED_RESOURCES+=("ECS Service: $SERVICE_NAME") # Wait for service to be stable log "Waiting for service to be stable..." aws ecs wait services-stable --cluster "$CLUSTER_NAME" --services "$SERVICE_NAME" log "Service is now stable and running" # Get the task ARN for monitoring TASK_ARN=$(aws ecs list-tasks --cluster "$CLUSTER_NAME" --service-name "$SERVICE_NAME" --query 'taskArns[0]' --output text) if [[ -n "$TASK_ARN" && "$TASK_ARN" != "None" ]]; then log "Service task: $TASK_ARN" CREATED_RESOURCES+=("ECS Task: $TASK_ARN") fi } # Function to demonstrate monitoring and testing demonstrate_monitoring() { log "Demonstrating monitoring capabilities..." # List services log "Listing services in cluster:" aws ecs list-services --cluster "$CLUSTER_NAME" --output table # Describe service log "Service details:" aws ecs describe-services --cluster "$CLUSTER_NAME" --services "$SERVICE_NAME" --output table --query 'services[0].{ServiceName:serviceName,Status:status,RunningCount:runningCount,DesiredCount:desiredCount,TaskDefinition:taskDefinition}' # List tasks log "Listing tasks in service:" aws ecs list-tasks --cluster "$CLUSTER_NAME" --service-name "$SERVICE_NAME" --output table # Describe task if [[ -n "$TASK_ARN" && "$TASK_ARN" != "None" ]]; then log "Task details:" aws ecs describe-tasks --cluster "$CLUSTER_NAME" --tasks "$TASK_ARN" --output table --query 'tasks[0].{TaskArn:taskArn,LastStatus:lastStatus,DesiredStatus:desiredStatus,CreatedAt:createdAt}' fi # List container instances log "Container instances in cluster:" aws ecs list-container-instances --cluster "$CLUSTER_NAME" --output table # Describe container instance CONTAINER_INSTANCE_ARN=$(aws ecs list-container-instances --cluster "$CLUSTER_NAME" --query 'containerInstanceArns[0]' --output text) if [[ -n "$CONTAINER_INSTANCE_ARN" && "$CONTAINER_INSTANCE_ARN" != "None" ]]; then log "Container instance details:" aws ecs describe-container-instances --cluster "$CLUSTER_NAME" --container-instances "$CONTAINER_INSTANCE_ARN" --output table --query 'containerInstances[0].{Arn:containerInstanceArn,Status:status,RunningTasks:runningTasksCount,PendingTasks:pendingTasksCount}' fi # Test the nginx web server log "Testing nginx web server..." PUBLIC_IP=$(aws ec2 describe-instances --instance-ids "$INSTANCE_ID" --query 'Reservations[0].Instances[0].PublicIpAddress' --output text) if [[ -n "$PUBLIC_IP" && "$PUBLIC_IP" != "None" ]]; then log "Container instance public IP: $PUBLIC_IP" log "Testing HTTP connection to nginx..." # Wait a moment for nginx to be fully ready sleep 10 if curl -s --connect-timeout 10 "http://$PUBLIC_IP" | grep -q "Welcome to nginx"; then log "SUCCESS: Nginx web server is responding correctly" echo "" echo "===========================================" echo "WEB SERVER TEST SUCCESSFUL" echo "===========================================" echo "You can access your nginx web server at: http://$PUBLIC_IP" echo "The nginx welcome page should be visible in your browser." else log "WARNING: Nginx web server may not be fully ready yet. Try accessing http://$PUBLIC_IP in a few minutes." fi else log "WARNING: Could not retrieve public IP address" fi } # Main execution main() { log "Starting ECS EC2 Launch Type Tutorial (UPDATED VERSION)" log "Log file: $LOG_FILE" check_prerequisites create_cluster create_key_pair create_security_group get_ecs_ami ensure_ecs_instance_role launch_container_instance register_task_definition create_service demonstrate_monitoring log "Tutorial completed successfully!" echo "" echo "===========================================" echo "TUTORIAL COMPLETED SUCCESSFULLY" echo "===========================================" echo "Resources created:" for resource in "${CREATED_RESOURCES[@]}"; do echo " - $resource" done echo "" echo "The nginx service will continue running and maintain the desired task count." echo "You can monitor the service status using:" echo " aws ecs describe-services --cluster $CLUSTER_NAME --services $SERVICE_NAME" echo "" if [[ -n "${PUBLIC_IP:-}" ]]; then echo "Access your web server at: http://$PUBLIC_IP" echo "" fi echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup_resources log "All resources have been cleaned up" else log "Resources left running. Remember to clean them up manually to avoid charges." echo "" echo "To clean up manually later, run these commands:" echo " aws ecs update-service --cluster $CLUSTER_NAME --service $SERVICE_NAME --desired-count 0" echo " aws ecs delete-service --cluster $CLUSTER_NAME --service $SERVICE_NAME" echo " aws ecs delete-cluster --cluster $CLUSTER_NAME" echo " aws ec2 terminate-instances --instance-ids $INSTANCE_ID" echo " aws ec2 delete-security-group --group-id $SECURITY_GROUP_ID" echo " aws ec2 delete-key-pair --key-name $KEY_PAIR_NAME" fi log "Script execution completed" } # Run main function main "$@" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AddRoleToInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AddRoleToInstanceProfile) + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateCluster](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/CreateCluster) + [CreateInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateInstanceProfile) + [CreateKeyPair](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateKeyPair) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) + [CreateService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/CreateService) + [DeleteCluster](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeleteCluster) + [DeleteKeyPair](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteKeyPair) + [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) + [DeleteService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeleteService) + [DeregisterTaskDefinition](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeregisterTaskDefinition) + [DescribeContainerInstances](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeContainerInstances) + [DescribeInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeInstances) + [DescribeServices](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeServices) + [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets) + [DescribeTasks](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeTasks) + [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetParameters](https://docs.aws.amazon.com/goto/aws-cli/ssm-2014-11-06/GetParameters) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [ListContainerInstances](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/ListContainerInstances) + [ListServices](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/ListServices) + [ListTasks](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/ListTasks) + [RegisterTaskDefinition](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/RegisterTaskDefinition) + [RunInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/RunInstances) + [StopTask](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/StopTask) + [TerminateInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/TerminateInstances) + [UpdateService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/UpdateService) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/Wait) ### Creating an Amazon Managed Grafana workspace The following code example shows how to: + Create an IAM role for your workspace + Create a Grafana workspace + Configure authentication + Configure optional settings + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/044-amazon-managed-grafana-gs) repository. ``` #!/bin/bash # Amazon Managed Grafana Workspace Creation Script # This script creates an Amazon Managed Grafana workspace and configures it # Set up logging LOG_FILE="grafana-workspace-creation.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon Managed Grafana workspace creation script at $(date)" echo "All commands and outputs will be logged to $LOG_FILE" # Function to check for errors in command output check_error() { local output=$1 local cmd=$2 if echo "$output" | grep -i "error\|exception\|fail" > /dev/null; then echo "ERROR: Command '$cmd' failed with output:" echo "$output" cleanup_on_error exit 1 fi } # Function to clean up resources on error cleanup_on_error() { echo "Error encountered. Attempting to clean up resources..." if [ -n "$WORKSPACE_ID" ]; then echo "Deleting workspace $WORKSPACE_ID..." aws grafana delete-workspace --workspace-id "$WORKSPACE_ID" fi if [ -n "$ROLE_NAME" ]; then echo "Detaching policies from role $ROLE_NAME..." if [ -n "$POLICY_ARN" ]; then aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN" fi echo "Deleting role $ROLE_NAME..." aws iam delete-role --role-name "$ROLE_NAME" fi if [ -n "$POLICY_ARN" ]; then echo "Deleting policy..." aws iam delete-policy --policy-arn "$POLICY_ARN" fi # Clean up JSON files rm -f trust-policy.json cloudwatch-policy.json echo "Cleanup completed. See $LOG_FILE for details." } # Generate a random identifier for resource names RANDOM_ID=$(openssl rand -hex 4) WORKSPACE_NAME="GrafanaWorkspace-${RANDOM_ID}" ROLE_NAME="GrafanaWorkspaceRole-${RANDOM_ID}" echo "Using workspace name: $WORKSPACE_NAME" echo "Using role name: $ROLE_NAME" # Step 1: Get AWS account ID echo "Getting AWS account ID..." ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) check_error "$ACCOUNT_ID" "get-caller-identity" echo "AWS Account ID: $ACCOUNT_ID" # Step 2: Create IAM role for Grafana workspace echo "Creating IAM role for Grafana workspace..." # Create trust policy document cat > trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "grafana.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create IAM role ROLE_OUTPUT=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document file://trust-policy.json \ --description "Role for Amazon Managed Grafana workspace") check_error "$ROLE_OUTPUT" "create-role" echo "IAM role created successfully" # Extract role ARN ROLE_ARN=$(echo "$ROLE_OUTPUT" | grep -o '"Arn": "[^"]*' | cut -d'"' -f4) echo "Role ARN: $ROLE_ARN" # Attach policies to the role echo "Attaching policies to the role..." # CloudWatch policy cat > cloudwatch-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:DescribeAlarmHistory", "cloudwatch:DescribeAlarms", "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:GetMetricData" ], "Resource": "*" } ] } EOF POLICY_OUTPUT=$(aws iam create-policy \ --policy-name "GrafanaCloudWatchPolicy-${RANDOM_ID}" \ --policy-document file://cloudwatch-policy.json) check_error "$POLICY_OUTPUT" "create-policy" POLICY_ARN=$(echo "$POLICY_OUTPUT" | grep -o '"Arn": "[^"]*' | cut -d'"' -f4) echo "CloudWatch policy ARN: $POLICY_ARN" ATTACH_OUTPUT=$(aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$POLICY_ARN") check_error "$ATTACH_OUTPUT" "attach-role-policy" echo "CloudWatch policy attached to role" # Step 3: Create the Grafana workspace echo "Creating Amazon Managed Grafana workspace..." WORKSPACE_OUTPUT=$(aws grafana create-workspace \ --workspace-name "$WORKSPACE_NAME" \ --authentication-providers "SAML" \ --permission-type "CUSTOMER_MANAGED" \ --account-access-type "CURRENT_ACCOUNT" \ --workspace-role-arn "$ROLE_ARN" \ --workspace-data-sources "CLOUDWATCH" "PROMETHEUS" "XRAY" \ --grafana-version "10.4" \ --tags Environment=Development) check_error "$WORKSPACE_OUTPUT" "create-workspace" echo "Workspace creation initiated:" echo "$WORKSPACE_OUTPUT" # Extract workspace ID WORKSPACE_ID=$(echo "$WORKSPACE_OUTPUT" | grep -o '"id": "[^"]*' | cut -d'"' -f4) if [ -z "$WORKSPACE_ID" ]; then echo "ERROR: Failed to extract workspace ID from output" exit 1 fi echo "Workspace ID: $WORKSPACE_ID" # Step 4: Wait for workspace to become active echo "Waiting for workspace to become active. This may take several minutes..." ACTIVE=false MAX_ATTEMPTS=30 ATTEMPT=0 while [ $ACTIVE = false ] && [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do ATTEMPT=$((ATTEMPT+1)) echo "Checking workspace status (attempt $ATTEMPT of $MAX_ATTEMPTS)..." DESCRIBE_OUTPUT=$(aws grafana describe-workspace --workspace-id "$WORKSPACE_ID") check_error "$DESCRIBE_OUTPUT" "describe-workspace" STATUS=$(echo "$DESCRIBE_OUTPUT" | grep -o '"status": "[^"]*' | cut -d'"' -f4) echo "Current status: $STATUS" if [ "$STATUS" = "ACTIVE" ]; then ACTIVE=true echo "Workspace is now ACTIVE" elif [ "$STATUS" = "FAILED" ]; then echo "ERROR: Workspace creation failed" cleanup_on_error exit 1 else echo "Workspace is still being created. Waiting 30 seconds..." sleep 30 fi done if [ $ACTIVE = false ]; then echo "ERROR: Workspace did not become active within the expected time" cleanup_on_error exit 1 fi # Extract workspace endpoint URL WORKSPACE_URL=$(echo "$DESCRIBE_OUTPUT" | grep -o '"endpoint": "[^"]*' | cut -d'"' -f4) echo "Workspace URL: https://$WORKSPACE_URL" # Step 5: Display workspace information echo "" echo "===========================================" echo "WORKSPACE INFORMATION" echo "===========================================" echo "Workspace ID: $WORKSPACE_ID" echo "Workspace URL: https://$WORKSPACE_URL" echo "Workspace Name: $WORKSPACE_NAME" echo "IAM Role: $ROLE_NAME" echo "" echo "Note: Since SAML authentication is used, you need to configure SAML settings" echo "using the AWS Management Console or the update-workspace-authentication command." echo "===========================================" # Step 6: Prompt for cleanup echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Resources created:" echo "- Amazon Managed Grafana workspace: $WORKSPACE_ID" echo "- IAM Role: $ROLE_NAME" echo "- IAM Policy: GrafanaCloudWatchPolicy-${RANDOM_ID}" echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy] ]]; then echo "Cleaning up resources..." echo "Deleting workspace $WORKSPACE_ID..." DELETE_OUTPUT=$(aws grafana delete-workspace --workspace-id "$WORKSPACE_ID") check_error "$DELETE_OUTPUT" "delete-workspace" echo "Waiting for workspace to be deleted..." DELETED=false ATTEMPT=0 while [ $DELETED = false ] && [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do ATTEMPT=$((ATTEMPT+1)) echo "Checking deletion status (attempt $ATTEMPT of $MAX_ATTEMPTS)..." if aws grafana describe-workspace --workspace-id "$WORKSPACE_ID" 2>&1 | grep -i "not found\|does not exist" > /dev/null; then DELETED=true echo "Workspace has been deleted" else echo "Workspace is still being deleted. Waiting 30 seconds..." sleep 30 fi done if [ $DELETED = false ]; then echo "WARNING: Workspace deletion is taking longer than expected. It may still be in progress." fi # Detach policy from role echo "Detaching policy from role..." aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$POLICY_ARN" # Delete policy echo "Deleting IAM policy..." aws iam delete-policy \ --policy-arn "$POLICY_ARN" # Delete role echo "Deleting IAM role..." aws iam delete-role \ --role-name "$ROLE_NAME" # Clean up JSON files rm -f trust-policy.json cloudwatch-policy.json echo "Cleanup completed" else echo "Skipping cleanup. Resources will remain in your AWS account." fi echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateWorkspace](https://docs.aws.amazon.com/goto/aws-cli/grafana-2020-08-18/CreateWorkspace) + [DeletePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeletePolicy) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteWorkspace](https://docs.aws.amazon.com/goto/aws-cli/grafana-2020-08-18/DeleteWorkspace) + [DescribeWorkspace](https://docs.aws.amazon.com/goto/aws-cli/grafana-2020-08-18/DescribeWorkspace) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) ### Creating your first Lambda function The following code example shows how to: + Create an IAM role for Lambda + Create function code + Create a Lambda function + Test your Lambda function + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/019-lambda-gettingstarted) repository. ``` #!/bin/bash # AWS Lambda - Create Your First Function # This script creates a Lambda function, invokes it with a test event, # views CloudWatch logs, and cleans up all resources. # # Source: https://docs.aws.amazon.com/lambda/latest/dg/getting-started.html # # Resources created: # - IAM role (Lambda execution role with basic logging permissions) # - Lambda function (Python 3.13 or Node.js 22.x runtime) # - CloudWatch log group (created automatically by Lambda on invocation) set -eE ############################################################################### # Setup ############################################################################### UNIQUE_ID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1) FUNCTION_NAME="my-lambda-function-${UNIQUE_ID}" ROLE_NAME="lambda-execution-role-${UNIQUE_ID}" LOG_GROUP_NAME="/aws/lambda/${FUNCTION_NAME}" TEMP_DIR=$(mktemp -d) LOG_FILE="${TEMP_DIR}/lambda-gettingstarted.log" exec > >(tee -a "$LOG_FILE") 2>&1 declare -a CREATED_RESOURCES ############################################################################### # Helper functions ############################################################################### cleanup_resources() { # Disable error trap to prevent recursion during cleanup trap - ERR set +eE echo "" echo "Cleaning up resources..." echo "" for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do local RESOURCE="${CREATED_RESOURCES[$i]}" local TYPE="${RESOURCE%%:*}" local NAME="${RESOURCE#*:}" case "$TYPE" in log-group) echo "Deleting CloudWatch log group: ${NAME}" aws logs delete-log-group \ --log-group-name "$NAME" 2>&1 || echo " WARNING: Could not delete log group ${NAME}." ;; lambda-function) echo "Deleting Lambda function: ${NAME}" aws lambda delete-function \ --function-name "$NAME" 2>&1 || echo " WARNING: Could not delete Lambda function ${NAME}." echo " Waiting for function deletion to complete..." local DELETE_WAIT=0 while aws lambda get-function --function-name "$NAME" > /dev/null 2>&1; do sleep 2 DELETE_WAIT=$((DELETE_WAIT + 2)) if [ "$DELETE_WAIT" -ge 60 ]; then echo " WARNING: Timed out waiting for function deletion." break fi done ;; iam-role-policy) local ROLE_PART="${NAME%%|*}" local POLICY_PART="${NAME#*|}" echo "Detaching policy from role: ${ROLE_PART}" aws iam detach-role-policy \ --role-name "$ROLE_PART" \ --policy-arn "$POLICY_PART" 2>&1 || echo " WARNING: Could not detach policy from role ${ROLE_PART}." ;; iam-role) echo "Deleting IAM role: ${NAME}" aws iam delete-role \ --role-name "$NAME" 2>&1 || echo " WARNING: Could not delete IAM role ${NAME}." ;; esac done if [ -d "$TEMP_DIR" ]; then rm -rf "$TEMP_DIR" fi echo "" echo "Cleanup complete." } handle_error() { echo "" echo "===========================================" echo "ERROR: Script failed at $1" echo "===========================================" echo "" if [ ${#CREATED_RESOURCES[@]} -gt 0 ]; then echo "Attempting to clean up ${#CREATED_RESOURCES[@]} resource(s)..." cleanup_resources fi exit 1 } trap 'handle_error "line $LINENO"' ERR wait_for_resource() { local DESCRIPTION="$1" local COMMAND="$2" local TARGET_VALUE="$3" local TIMEOUT=300 local ELAPSED=0 local INTERVAL=5 echo "Waiting for ${DESCRIPTION}..." while true; do local RESULT RESULT=$(eval "$COMMAND" 2>&1) || true if echo "$RESULT" | grep -q "$TARGET_VALUE"; then echo " ${DESCRIPTION} is ready." return 0 fi if [ "$ELAPSED" -ge "$TIMEOUT" ]; then echo "ERROR: Timed out waiting for ${DESCRIPTION} after ${TIMEOUT} seconds." return 1 fi sleep "$INTERVAL" ELAPSED=$((ELAPSED + INTERVAL)) done } ############################################################################### # Region pre-check ############################################################################### CONFIGURED_REGION=$(aws configure get region 2>/dev/null || true) if [ -z "$CONFIGURED_REGION" ] && [ -z "$AWS_DEFAULT_REGION" ] && [ -z "$AWS_REGION" ]; then echo "ERROR: No AWS region configured." echo "Run 'aws configure set region ' or export AWS_DEFAULT_REGION." exit 1 fi ############################################################################### # Runtime selection ############################################################################### echo "" echo "===========================================" echo "AWS Lambda - Create Your First Function" echo "===========================================" echo "" echo "Select a runtime for your Lambda function:" echo " 1) Python 3.13" echo " 2) Node.js 22.x" echo "" echo "Enter your choice (1 or 2): " read -r RUNTIME_CHOICE case "$RUNTIME_CHOICE" in 1) RUNTIME="python3.13" HANDLER="lambda_function.lambda_handler" CODE_FILE="lambda_function.py" cat > "${TEMP_DIR}/${CODE_FILE}" << 'PYTHON_EOF' import json import logging logger = logging.getLogger() logger.setLevel(logging.INFO) def lambda_handler(event, context): length = event['length'] width = event['width'] area = calculate_area(length, width) print(f'The area is {area}') logger.info(f'CloudWatch logs group: {context.log_group_name}') return json.dumps({'area': area}) def calculate_area(length, width): return length * width PYTHON_EOF echo "Selected runtime: Python 3.13" ;; 2) RUNTIME="nodejs22.x" HANDLER="index.handler" CODE_FILE="index.mjs" cat > "${TEMP_DIR}/${CODE_FILE}" << 'NODEJS_EOF' export const handler = async (event, context) => { const area = event.length * event.width; console.log(`The area is ${area}`); console.log('CloudWatch log group: ', context.logGroupName); return JSON.stringify({area}); }; NODEJS_EOF echo "Selected runtime: Node.js 22.x" ;; *) echo "ERROR: Invalid choice. Please enter 1 or 2." exit 1 ;; esac ############################################################################### # Step 1: Create IAM execution role ############################################################################### echo "" echo "===========================================" echo "Step 1: Create IAM execution role" echo "===========================================" echo "" TRUST_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' echo "Creating IAM role: ${ROLE_NAME}" ROLE_OUTPUT=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document "$TRUST_POLICY" \ --query 'Role.Arn' \ --output text 2>&1) echo "$ROLE_OUTPUT" ROLE_ARN="$ROLE_OUTPUT" CREATED_RESOURCES+=("iam-role:${ROLE_NAME}") echo "Role ARN: ${ROLE_ARN}" echo "" echo "Attaching AWSLambdaBasicExecutionRole policy..." aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" 2>&1 CREATED_RESOURCES+=("iam-role-policy:${ROLE_NAME}|arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole") echo "Policy attached." # IAM roles can take a few seconds to propagate echo "Waiting for IAM role to propagate..." sleep 10 ############################################################################### # Step 2: Create Lambda function ############################################################################### echo "" echo "===========================================" echo "Step 2: Create Lambda function" echo "===========================================" echo "" echo "Creating deployment package..." ORIGINAL_DIR=$(pwd) cd "$TEMP_DIR" zip -j function.zip "$CODE_FILE" > /dev/null 2>&1 cd "$ORIGINAL_DIR" echo "Creating Lambda function: ${FUNCTION_NAME}" echo " Runtime: ${RUNTIME}" echo " Handler: ${HANDLER}" echo "" CREATE_OUTPUT=$(aws lambda create-function \ --function-name "$FUNCTION_NAME" \ --runtime "$RUNTIME" \ --role "$ROLE_ARN" \ --handler "$HANDLER" \ --architectures x86_64 \ --zip-file "fileb://${TEMP_DIR}/function.zip" \ --query '[FunctionName, FunctionArn, Runtime, State]' \ --output text 2>&1) echo "$CREATE_OUTPUT" CREATED_RESOURCES+=("lambda-function:${FUNCTION_NAME}") wait_for_resource "Lambda function to become Active" \ "aws lambda get-function-configuration --function-name ${FUNCTION_NAME} --query State --output text" \ "Active" ############################################################################### # Step 3: Invoke the function ############################################################################### echo "" echo "===========================================" echo "Step 3: Invoke the function" echo "===========================================" echo "" TEST_EVENT='{"length": 6, "width": 7}' echo "Invoking function with test event: ${TEST_EVENT}" echo "" echo "$TEST_EVENT" > "${TEMP_DIR}/test-event.json" INVOKE_OUTPUT=$(aws lambda invoke \ --function-name "$FUNCTION_NAME" \ --payload "fileb://${TEMP_DIR}/test-event.json" \ --cli-read-timeout 30 \ "${TEMP_DIR}/response.json" 2>&1) echo "$INVOKE_OUTPUT" RESPONSE=$(cat "${TEMP_DIR}/response.json") echo "" echo "Function response: ${RESPONSE}" echo "" if echo "$INVOKE_OUTPUT" | grep -qi "functionerror"; then echo "WARNING: Function returned an error." fi ############################################################################### # Step 4: View CloudWatch logs ############################################################################### echo "" echo "===========================================" echo "Step 4: View CloudWatch Logs" echo "===========================================" echo "" echo "Log group: ${LOG_GROUP_NAME}" echo "" echo "Waiting for CloudWatch logs to be available..." LOG_STREAMS="" for i in $(seq 1 6); do LOG_STREAMS=$(aws logs describe-log-streams \ --log-group-name "$LOG_GROUP_NAME" \ --order-by LastEventTime \ --descending \ --query 'logStreams[0].logStreamName' \ --output text 2>/dev/null) || true if [ -n "$LOG_STREAMS" ] && [ "$LOG_STREAMS" != "None" ]; then break fi LOG_STREAMS="" sleep 5 done if [ -n "$LOG_STREAMS" ] && [ "$LOG_STREAMS" != "None" ]; then echo "Latest log stream: ${LOG_STREAMS}" echo "" echo "--- Log events ---" LOG_EVENTS=$(aws logs get-log-events \ --log-group-name "$LOG_GROUP_NAME" \ --log-stream-name "$LOG_STREAMS" \ --query 'events[].message' \ --output text 2>&1) || true echo "$LOG_EVENTS" echo "--- End of log events ---" else echo "No log streams found yet. Logs may take a moment to appear." echo "You can view them in the CloudWatch console:" echo " Log group: ${LOG_GROUP_NAME}" fi CREATED_RESOURCES+=("log-group:${LOG_GROUP_NAME}") ############################################################################### # Summary and cleanup ############################################################################### echo "" echo "===========================================" echo "SUMMARY" echo "===========================================" echo "" echo "Resources created:" echo " IAM role: ${ROLE_NAME}" echo " Lambda function: ${FUNCTION_NAME}" echo " CloudWatch logs: ${LOG_GROUP_NAME}" echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup_resources else echo "" echo "Resources were NOT deleted. To clean up manually, run:" echo "" echo " # Delete the Lambda function" echo " aws lambda delete-function --function-name ${FUNCTION_NAME}" echo "" echo " # Delete the CloudWatch log group" echo " aws logs delete-log-group --log-group-name ${LOG_GROUP_NAME}" echo "" echo " # Detach the policy and delete the IAM role" echo " aws iam detach-role-policy --role-name ${ROLE_NAME} --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" echo " aws iam delete-role --role-name ${ROLE_NAME}" echo "" if [ -d "$TEMP_DIR" ]; then rm -rf "$TEMP_DIR" fi fi echo "" echo "Done." ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/CreateFunction) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/DeleteFunction) + [DeleteLogGroup](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/DeleteLogGroup) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DescribeLogStreams](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/DescribeLogStreams) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/GetFunction) + [GetFunctionConfiguration](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/GetFunctionConfiguration) + [GetLogEvents](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/GetLogEvents) + [Invoke](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/Invoke) ### Get started with Redshift Serverless The following code example shows how to: + Use secrets-manager CreateSecret + Use secrets-manager DeleteSecret + Use secrets-manager GetSecretValue + Use redshift CreateNamespace + Use redshift CreateWorkgroup + Use redshift DeleteNamespace + Use iam CreateRole **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/038-redshift-serverless) repository. ``` #!/bin/bash # Amazon Redshift Serverless Tutorial Script with Secrets Manager (No jq dependency) # This script creates a Redshift Serverless environment, loads sample data, and runs queries # Uses AWS Secrets Manager for secure password management without requiring jq # Set up logging LOG_FILE="redshift-serverless-tutorial-v4.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon Redshift Serverless tutorial script at $(date)" echo "All commands and outputs will be logged to $LOG_FILE" # Function to check for errors in command output check_error() { local output=$1 local cmd=$2 if echo "$output" | grep -i "error\|exception\|fail" > /dev/null; then echo "ERROR: Command failed: $cmd" echo "Output: $output" cleanup_resources exit 1 fi } # Function to generate a secure password that meets Redshift requirements generate_secure_password() { # Redshift password requirements: # - 8-64 characters # - At least one uppercase letter # - At least one lowercase letter # - At least one decimal digit # - Can contain printable ASCII characters except /, ", ', \, @, space local password="" local valid=false local attempts=0 local max_attempts=10 while [[ "$valid" == false && $attempts -lt $max_attempts ]]; do # Generate base password with safe characters local base=$(openssl rand -base64 12 | tr -d '/+=' | head -c 12) # Ensure we have at least one of each required character type local upper=$(echo "ABCDEFGHIJKLMNOPQRSTUVWXYZ" | fold -w1 | shuf -n1) local lower=$(echo "abcdefghijklmnopqrstuvwxyz" | fold -w1 | shuf -n1) local digit=$(echo "0123456789" | fold -w1 | shuf -n1) local special=$(echo "!#$%&*()_+-=[]{}|;:,.<>?" | fold -w1 | shuf -n1) # Combine and shuffle password="${base}${upper}${lower}${digit}${special}" password=$(echo "$password" | fold -w1 | shuf | tr -d '\n') # Validate password meets requirements if [[ ${#password} -ge 8 && ${#password} -le 64 ]] && \ [[ "$password" =~ [A-Z] ]] && \ [[ "$password" =~ [a-z] ]] && \ [[ "$password" =~ [0-9] ]] && \ [[ ! "$password" =~ [/\"\'\\@[:space:]] ]]; then valid=true fi ((attempts++)) done if [[ "$valid" == false ]]; then echo "ERROR: Failed to generate valid password after $max_attempts attempts" exit 1 fi echo "$password" } # Function to create secret in AWS Secrets Manager create_secret() { local secret_name=$1 local username=$2 local password=$3 local description=$4 echo "Creating secret in AWS Secrets Manager: $secret_name" # Create the secret using AWS CLI without jq local secret_output=$(aws secretsmanager create-secret \ --name "$secret_name" \ --description "$description" \ --secret-string "{\"username\":\"$username\",\"password\":\"$password\"}" 2>&1) if echo "$secret_output" | grep -i "error\|exception\|fail" > /dev/null; then echo "ERROR: Failed to create secret: $secret_output" return 1 fi echo "Secret created successfully: $secret_name" return 0 } # Function to retrieve password from AWS Secrets Manager get_password_from_secret() { local secret_name=$1 # Get the secret value and extract password using sed/grep instead of jq local secret_value=$(aws secretsmanager get-secret-value \ --secret-id "$secret_name" \ --query 'SecretString' \ --output text 2>/dev/null) if [[ $? -eq 0 ]]; then # Extract password from JSON using sed echo "$secret_value" | sed -n 's/.*"password":"$[^"]*$".*/\1/p' else echo "" fi } # Function to wait for a resource to be available wait_for_resource() { local resource_type=$1 local resource_name=$2 local max_attempts=$3 local wait_seconds=$4 local check_cmd=$5 echo "Waiting for $resource_type $resource_name to be available..." for ((i=1; i<=$max_attempts; i++)); do local output=$($check_cmd 2>/dev/null) local status=$(echo "$output" | grep -o '"Status": "[^"]*' | cut -d'"' -f4 || echo "") if [[ "$status" == "AVAILABLE" ]]; then echo "$resource_type $resource_name is now available" return 0 fi echo "Attempt $i/$max_attempts: $resource_type $resource_name status: $status. Waiting $wait_seconds seconds..." sleep $wait_seconds done echo "ERROR: Timed out waiting for $resource_type $resource_name to be available" return 1 } # Function to wait for a resource to be deleted wait_for_resource_deletion() { local resource_type=$1 local resource_name=$2 local max_attempts=$3 local wait_seconds=$4 local check_cmd=$5 echo "Waiting for $resource_type $resource_name to be deleted..." for ((i=1; i<=$max_attempts; i++)); do local output=$($check_cmd 2>&1) if echo "$output" | grep -i "not found\|does not exist" > /dev/null; then echo "$resource_type $resource_name has been deleted" return 0 fi echo "Attempt $i/$max_attempts: $resource_type $resource_name is still being deleted. Waiting $wait_seconds seconds..." sleep $wait_seconds done echo "ERROR: Timed out waiting for $resource_type $resource_name to be deleted" return 1 } # Function to clean up resources cleanup_resources() { echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "The following resources were created:" echo "- Redshift Serverless Workgroup: $WORKGROUP_NAME" echo "- Redshift Serverless Namespace: $NAMESPACE_NAME" echo "- IAM Role: $ROLE_NAME" echo "- Secrets Manager Secret: $SECRET_NAME" echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "${CLEANUP_CHOICE,,}" == "y" ]]; then echo "Cleaning up resources..." # Delete the workgroup echo "Deleting Redshift Serverless workgroup $WORKGROUP_NAME..." WORKGROUP_DELETE_OUTPUT=$(aws redshift-serverless delete-workgroup --workgroup-name "$WORKGROUP_NAME" 2>&1) echo "$WORKGROUP_DELETE_OUTPUT" # Wait for workgroup to be deleted before deleting namespace wait_for_resource_deletion "workgroup" "$WORKGROUP_NAME" 20 30 "aws redshift-serverless get-workgroup --workgroup-name $WORKGROUP_NAME" # Delete the namespace echo "Deleting Redshift Serverless namespace $NAMESPACE_NAME..." NAMESPACE_DELETE_OUTPUT=$(aws redshift-serverless delete-namespace --namespace-name "$NAMESPACE_NAME" 2>&1) echo "$NAMESPACE_DELETE_OUTPUT" # Wait for namespace to be deleted wait_for_resource_deletion "namespace" "$NAMESPACE_NAME" 20 30 "aws redshift-serverless get-namespace --namespace-name $NAMESPACE_NAME" # Delete the IAM role policy echo "Deleting IAM role policy..." POLICY_DELETE_OUTPUT=$(aws iam delete-role-policy --role-name "$ROLE_NAME" --policy-name S3Access 2>&1) echo "$POLICY_DELETE_OUTPUT" # Delete the IAM role echo "Deleting IAM role $ROLE_NAME..." ROLE_DELETE_OUTPUT=$(aws iam delete-role --role-name "$ROLE_NAME" 2>&1) echo "$ROLE_DELETE_OUTPUT" # Delete the secret echo "Deleting Secrets Manager secret $SECRET_NAME..." SECRET_DELETE_OUTPUT=$(aws secretsmanager delete-secret --secret-id "$SECRET_NAME" --force-delete-without-recovery 2>&1) echo "$SECRET_DELETE_OUTPUT" echo "Cleanup completed." else echo "Cleanup skipped. Resources will remain in your AWS account." fi } # Check if required tools are available if ! command -v openssl &> /dev/null; then echo "ERROR: openssl is required but not installed. Please install openssl to continue." exit 1 fi # Generate unique names for resources RANDOM_SUFFIX=$(cat /dev/urandom | tr -dc 'a-z0-9' | head -c 6) NAMESPACE_NAME="rs-namespace-${RANDOM_SUFFIX}" WORKGROUP_NAME="rs-workgroup-${RANDOM_SUFFIX}" ROLE_NAME="RedshiftServerlessS3Role-${RANDOM_SUFFIX}" SECRET_NAME="redshift-serverless-admin-${RANDOM_SUFFIX}" DB_NAME="dev" ADMIN_USERNAME="admin" # Generate secure password echo "Generating secure password..." ADMIN_PASSWORD=$(generate_secure_password) # Create secret in AWS Secrets Manager create_secret "$SECRET_NAME" "$ADMIN_USERNAME" "$ADMIN_PASSWORD" "Admin credentials for Redshift Serverless namespace $NAMESPACE_NAME" if [[ $? -ne 0 ]]; then echo "ERROR: Failed to create secret in AWS Secrets Manager" exit 1 fi # Track created resources CREATED_RESOURCES=() echo "Using the following resource names:" echo "- Namespace: $NAMESPACE_NAME" echo "- Workgroup: $WORKGROUP_NAME" echo "- IAM Role: $ROLE_NAME" echo "- Secret: $SECRET_NAME" echo "- Database: $DB_NAME" echo "- Admin Username: $ADMIN_USERNAME" echo "- Admin Password: [STORED IN SECRETS MANAGER]" # Step 1: Create IAM role for S3 access echo "Creating IAM role for Redshift Serverless S3 access..." # Create trust policy document cat > redshift-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "redshift-serverless.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create S3 access policy document cat > redshift-s3-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::redshift-downloads", "arn:aws:s3:::redshift-downloads/*" ] } ] } EOF # Create IAM role echo "Creating IAM role $ROLE_NAME..." ROLE_OUTPUT=$(aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document file://redshift-trust-policy.json 2>&1) echo "$ROLE_OUTPUT" check_error "$ROLE_OUTPUT" "aws iam create-role" CREATED_RESOURCES+=("IAM Role: $ROLE_NAME") # Attach S3 policy to the role echo "Attaching S3 access policy to role $ROLE_NAME..." POLICY_OUTPUT=$(aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name S3Access --policy-document file://redshift-s3-policy.json 2>&1) echo "$POLICY_OUTPUT" check_error "$POLICY_OUTPUT" "aws iam put-role-policy" # Get the role ARN ROLE_ARN=$(aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text) echo "Role ARN: $ROLE_ARN" # Step 2: Create a namespace echo "Creating Redshift Serverless namespace $NAMESPACE_NAME..." NAMESPACE_OUTPUT=$(aws redshift-serverless create-namespace \ --namespace-name "$NAMESPACE_NAME" \ --admin-username "$ADMIN_USERNAME" \ --admin-user-password "$ADMIN_PASSWORD" \ --db-name "$DB_NAME" 2>&1) echo "$NAMESPACE_OUTPUT" check_error "$NAMESPACE_OUTPUT" "aws redshift-serverless create-namespace" CREATED_RESOURCES+=("Redshift Serverless Namespace: $NAMESPACE_NAME") # Wait for namespace to be available wait_for_resource "namespace" "$NAMESPACE_NAME" 10 30 "aws redshift-serverless get-namespace --namespace-name $NAMESPACE_NAME" # Associate IAM role with namespace echo "Associating IAM role with namespace..." UPDATE_NAMESPACE_OUTPUT=$(aws redshift-serverless update-namespace \ --namespace-name "$NAMESPACE_NAME" \ --iam-roles "$ROLE_ARN" 2>&1) echo "$UPDATE_NAMESPACE_OUTPUT" check_error "$UPDATE_NAMESPACE_OUTPUT" "aws redshift-serverless update-namespace" # Step 3: Create a workgroup echo "Creating Redshift Serverless workgroup $WORKGROUP_NAME..." WORKGROUP_OUTPUT=$(aws redshift-serverless create-workgroup \ --workgroup-name "$WORKGROUP_NAME" \ --namespace-name "$NAMESPACE_NAME" \ --base-capacity 8 2>&1) echo "$WORKGROUP_OUTPUT" check_error "$WORKGROUP_OUTPUT" "aws redshift-serverless create-workgroup" CREATED_RESOURCES+=("Redshift Serverless Workgroup: $WORKGROUP_NAME") # Wait for workgroup to be available wait_for_resource "workgroup" "$WORKGROUP_NAME" 20 30 "aws redshift-serverless get-workgroup --workgroup-name $WORKGROUP_NAME" # Get workgroup endpoint WORKGROUP_ENDPOINT=$(aws redshift-serverless get-workgroup \ --workgroup-name "$WORKGROUP_NAME" \ --query 'workgroup.endpoint.address' \ --output text) echo "Workgroup endpoint: $WORKGROUP_ENDPOINT" # Wait additional time for the endpoint to be fully operational echo "Waiting for endpoint to be fully operational..." sleep 60 # Step 4: Create tables for sample data echo "Creating tables for sample data..." # Create users table echo "Creating users table..." USERS_TABLE_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "CREATE TABLE users( userid INTEGER NOT NULL DISTKEY SORTKEY, username CHAR(8), firstname VARCHAR(30), lastname VARCHAR(30), city VARCHAR(30), state CHAR(2), email VARCHAR(100), phone CHAR(14), likesports BOOLEAN, liketheatre BOOLEAN, likeconcerts BOOLEAN, likejazz BOOLEAN, likeclassical BOOLEAN, likeopera BOOLEAN, likerock BOOLEAN, likevegas BOOLEAN, likebroadway BOOLEAN, likemusicals BOOLEAN );" 2>&1) echo "$USERS_TABLE_OUTPUT" check_error "$USERS_TABLE_OUTPUT" "aws redshift-data execute-statement (users table)" USERS_QUERY_ID=$(echo "$USERS_TABLE_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for query to complete echo "Waiting for users table creation to complete..." sleep 5 # Create event table echo "Creating event table..." EVENT_TABLE_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "CREATE TABLE event( eventid INTEGER NOT NULL DISTKEY, venueid SMALLINT NOT NULL, catid SMALLINT NOT NULL, dateid SMALLINT NOT NULL SORTKEY, eventname VARCHAR(200), starttime TIMESTAMP );" 2>&1) echo "$EVENT_TABLE_OUTPUT" check_error "$EVENT_TABLE_OUTPUT" "aws redshift-data execute-statement (event table)" EVENT_QUERY_ID=$(echo "$EVENT_TABLE_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for query to complete echo "Waiting for event table creation to complete..." sleep 5 # Create sales table echo "Creating sales table..." SALES_TABLE_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "CREATE TABLE sales( salesid INTEGER NOT NULL, listid INTEGER NOT NULL DISTKEY, sellerid INTEGER NOT NULL, buyerid INTEGER NOT NULL, eventid INTEGER NOT NULL, dateid SMALLINT NOT NULL SORTKEY, qtysold SMALLINT NOT NULL, pricepaid DECIMAL(8,2), commission DECIMAL(8,2), saletime TIMESTAMP );" 2>&1) echo "$SALES_TABLE_OUTPUT" check_error "$SALES_TABLE_OUTPUT" "aws redshift-data execute-statement (sales table)" SALES_QUERY_ID=$(echo "$SALES_TABLE_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for tables to be created echo "Waiting for tables to be created..." sleep 10 # Step 5: Load sample data from Amazon S3 echo "Loading sample data from Amazon S3..." # Load data into users table echo "Loading data into users table..." USERS_LOAD_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "COPY users FROM 's3://redshift-downloads/tickit/allusers_pipe.txt' DELIMITER '|' TIMEFORMAT 'YYYY-MM-DD HH:MI:SS' IGNOREHEADER 1 IAM_ROLE '$ROLE_ARN';" 2>&1) echo "$USERS_LOAD_OUTPUT" check_error "$USERS_LOAD_OUTPUT" "aws redshift-data execute-statement (load users)" USERS_LOAD_QUERY_ID=$(echo "$USERS_LOAD_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for data loading to complete echo "Waiting for users data loading to complete..." sleep 10 # Load data into event table echo "Loading data into event table..." EVENT_LOAD_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "COPY event FROM 's3://redshift-downloads/tickit/allevents_pipe.txt' DELIMITER '|' TIMEFORMAT 'YYYY-MM-DD HH:MI:SS' IGNOREHEADER 1 IAM_ROLE '$ROLE_ARN';" 2>&1) echo "$EVENT_LOAD_OUTPUT" check_error "$EVENT_LOAD_OUTPUT" "aws redshift-data execute-statement (load event)" EVENT_LOAD_QUERY_ID=$(echo "$EVENT_LOAD_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for data loading to complete echo "Waiting for event data loading to complete..." sleep 10 # Load data into sales table echo "Loading data into sales table..." SALES_LOAD_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "COPY sales FROM 's3://redshift-downloads/tickit/sales_tab.txt' DELIMITER '\t' TIMEFORMAT 'MM/DD/YYYY HH:MI:SS' IGNOREHEADER 1 IAM_ROLE '$ROLE_ARN';" 2>&1) echo "$SALES_LOAD_OUTPUT" check_error "$SALES_LOAD_OUTPUT" "aws redshift-data execute-statement (load sales)" SALES_LOAD_QUERY_ID=$(echo "$SALES_LOAD_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for data loading to complete echo "Waiting for sales data loading to complete..." sleep 30 # Step 6: Run sample queries echo "Running sample queries..." # Query 1: Find top 10 buyers by quantity echo "Running query: Find top 10 buyers by quantity..." QUERY1_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "SELECT firstname, lastname, total_quantity FROM (SELECT buyerid, sum(qtysold) total_quantity FROM sales GROUP BY buyerid ORDER BY total_quantity desc limit 10) Q, users WHERE Q.buyerid = userid ORDER BY Q.total_quantity desc;" 2>&1) echo "$QUERY1_OUTPUT" check_error "$QUERY1_OUTPUT" "aws redshift-data execute-statement (query 1)" QUERY1_ID=$(echo "$QUERY1_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for query to complete echo "Waiting for query 1 to complete..." sleep 10 # Get query 1 results echo "Getting results for query 1..." QUERY1_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY1_ID" 2>&1) echo "$QUERY1_STATUS_OUTPUT" check_error "$QUERY1_STATUS_OUTPUT" "aws redshift-data describe-statement (query 1)" QUERY1_STATUS=$(echo "$QUERY1_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4) if [ "$QUERY1_STATUS" == "FINISHED" ]; then QUERY1_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY1_ID" 2>&1) echo "Query 1 Results:" echo "$QUERY1_RESULTS" else echo "Query 1 is not yet complete. Status: $QUERY1_STATUS" echo "Waiting additional time for query to complete..." sleep 20 # Check again QUERY1_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY1_ID" 2>&1) QUERY1_STATUS=$(echo "$QUERY1_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4) if [ "$QUERY1_STATUS" == "FINISHED" ]; then QUERY1_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY1_ID" 2>&1) echo "Query 1 Results:" echo "$QUERY1_RESULTS" else echo "Query 1 is still not complete. Status: $QUERY1_STATUS" fi fi # Query 2: Find events in the 99.9 percentile in terms of all time total sales echo "Running query: Find events in the 99.9 percentile in terms of all time total sales..." QUERY2_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "SELECT eventname, total_price FROM (SELECT eventid, total_price, ntile(1000) over(order by total_price desc) as percentile FROM (SELECT eventid, sum(pricepaid) total_price FROM sales GROUP BY eventid)) Q, event E WHERE Q.eventid = E.eventid AND percentile = 1 ORDER BY total_price desc;" 2>&1) echo "$QUERY2_OUTPUT" check_error "$QUERY2_OUTPUT" "aws redshift-data execute-statement (query 2)" QUERY2_ID=$(echo "$QUERY2_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for query to complete echo "Waiting for query 2 to complete..." sleep 10 # Get query 2 results echo "Getting results for query 2..." QUERY2_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY2_ID" 2>&1) echo "$QUERY2_STATUS_OUTPUT" check_error "$QUERY2_STATUS_OUTPUT" "aws redshift-data describe-statement (query 2)" QUERY2_STATUS=$(echo "$QUERY2_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4) if [ "$QUERY2_STATUS" == "FINISHED" ]; then QUERY2_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY2_ID" 2>&1) echo "Query 2 Results:" echo "$QUERY2_RESULTS" else echo "Query 2 is not yet complete. Status: $QUERY2_STATUS" echo "Waiting additional time for query to complete..." sleep 20 # Check again QUERY2_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY2_ID" 2>&1) QUERY2_STATUS=$(echo "$QUERY2_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4) if [ "$QUERY2_STATUS" == "FINISHED" ]; then QUERY2_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY2_ID" 2>&1) echo "Query 2 Results:" echo "$QUERY2_RESULTS" else echo "Query 2 is still not complete. Status: $QUERY2_STATUS" fi fi # Summary echo "" echo "===========================================" echo "TUTORIAL SUMMARY" echo "===========================================" echo "You have successfully:" echo "1. Created a Redshift Serverless namespace and workgroup" echo "2. Created an IAM role with S3 access permissions" echo "3. Stored admin credentials securely in AWS Secrets Manager" echo "4. Created tables for sample data" echo "5. Loaded sample data from Amazon S3" echo "6. Run sample queries on the data" echo "" echo "Redshift Serverless Resources:" echo "- Namespace: $NAMESPACE_NAME" echo "- Workgroup: $WORKGROUP_NAME" echo "- Database: $DB_NAME" echo "- Endpoint: $WORKGROUP_ENDPOINT" echo "- Credentials Secret: $SECRET_NAME" echo "" echo "To connect to your Redshift Serverless database using SQL tools:" echo "- Host: $WORKGROUP_ENDPOINT" echo "- Database: $DB_NAME" echo "- Username: $ADMIN_USERNAME" echo "- Password: Retrieve from AWS Secrets Manager secret '$SECRET_NAME'" echo "" echo "To retrieve the password from Secrets Manager (without jq):" echo "aws secretsmanager get-secret-value --secret-id $SECRET_NAME --query 'SecretString' --output text | sed -n 's/.*\"password\":\"$[^\"]*$\".*/\1/p'" echo "" # Clean up temporary files rm -f redshift-trust-policy.json redshift-s3-policy.json # Clean up resources cleanup_resources echo "Tutorial completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/CreateNamespace) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/CreateSecret) + [CreateWorkgroup](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/CreateWorkgroup) + [DeleteNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/DeleteNamespace) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy) + [DeleteSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/DeleteSecret) + [DeleteWorkgroup](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/DeleteWorkgroup) + [GetNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/GetNamespace) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [GetSecretValue](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/GetSecretValue) + [GetWorkgroup](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/GetWorkgroup) + [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy) + [UpdateNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/UpdateNamespace) ### Getting Started with IoT Device Defender The following code example shows how to: + Create Required IAM Roles + Enable IoT Device Defender Audit Checks + Run an On-Demand Audit + Create a Mitigation Action + Apply Mitigation Actions to Findings + Set Up SNS Notifications (Optional) + Enable IoT Logging **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/079-aws-iot-device-defender-gs) repository. ``` #!/bin/bash # AWS IoT Device Defender Getting Started Script # This script demonstrates how to use AWS IoT Device Defender to enable audit checks, # view audit results, create mitigation actions, and apply them to findings. # Set up logging LOG_FILE="iot-device-defender-script-$(date +%Y%m%d%H%M%S).log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "===================================================" echo "AWS IoT Device Defender Getting Started Script" echo "===================================================" echo "Starting script execution at $(date)" echo "" # Function to check for errors in command output check_error() { if echo "$1" | grep -i "An error occurred\|Exception\|Failed\|usage: aws" > /dev/null; then echo "ERROR: Command failed with the following output:" echo "$1" return 1 fi return 0 } # Function to create IAM roles create_iam_role() { local ROLE_NAME=$1 local TRUST_POLICY=$2 local MANAGED_POLICY=$3 echo "Creating IAM role: $ROLE_NAME" # Check if role already exists ROLE_EXISTS=$(aws iam get-role --role-name "$ROLE_NAME" 2>&1 || echo "NOT_EXISTS") if echo "$ROLE_EXISTS" | grep -i "NoSuchEntity" > /dev/null; then # Create the role with trust policy ROLE_RESULT=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document "$TRUST_POLICY" 2>&1) if ! check_error "$ROLE_RESULT"; then echo "Failed to create role $ROLE_NAME" return 1 fi # For IoT logging role, create an inline policy instead of using a managed policy if [[ "$ROLE_NAME" == "AWSIoTLoggingRole" ]]; then LOGGING_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:PutMetricFilter", "logs:PutRetentionPolicy", "logs:GetLogEvents", "logs:DescribeLogStreams" ], "Resource": [ "arn:aws:logs:*:*:*" ] } ] }' POLICY_RESULT=$(aws iam put-role-policy \ --role-name "$ROLE_NAME" \ --policy-name "${ROLE_NAME}Policy" \ --policy-document "$LOGGING_POLICY" 2>&1) if ! check_error "$POLICY_RESULT"; then echo "Failed to attach inline policy to role $ROLE_NAME" return 1 fi elif [[ "$ROLE_NAME" == "IoTMitigationActionErrorLoggingRole" ]]; then MITIGATION_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:UpdateCACertificate", "iot:UpdateCertificate", "iot:SetV2LoggingOptions", "iot:SetLoggingOptions", "iot:AddThingToThingGroup", "iot:PublishToTopic" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "iot.amazonaws.com" } } } ] }' POLICY_RESULT=$(aws iam put-role-policy \ --role-name "$ROLE_NAME" \ --policy-name "${ROLE_NAME}Policy" \ --policy-document "$MITIGATION_POLICY" 2>&1) if ! check_error "$POLICY_RESULT"; then echo "Failed to attach inline policy to role $ROLE_NAME" return 1 fi else # Attach managed policy to role if provided if [ -n "$MANAGED_POLICY" ]; then ATTACH_RESULT=$(aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$MANAGED_POLICY" 2>&1) if ! check_error "$ATTACH_RESULT"; then echo "Failed to attach policy to role $ROLE_NAME" return 1 fi fi fi echo "Role $ROLE_NAME created successfully" else echo "Role $ROLE_NAME already exists, skipping creation" fi # Get the role ARN ROLE_ARN=$(aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text) echo "Role ARN: $ROLE_ARN" return 0 } # Array to store created resources for cleanup declare -a CREATED_RESOURCES # Step 1: Create IAM roles needed for the tutorial echo "===================================================" echo "Step 1: Creating required IAM roles" echo "===================================================" # Create IoT Device Defender Audit role IOT_DEFENDER_AUDIT_TRUST_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "iot.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' create_iam_role "AWSIoTDeviceDefenderAuditRole" "$IOT_DEFENDER_AUDIT_TRUST_POLICY" "arn:aws:iam::aws:policy/service-role/AWSIoTDeviceDefenderAudit" AUDIT_ROLE_ARN=$ROLE_ARN CREATED_RESOURCES+=("IAM Role: AWSIoTDeviceDefenderAuditRole") # Create IoT Logging role IOT_LOGGING_TRUST_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "iot.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' create_iam_role "AWSIoTLoggingRole" "$IOT_LOGGING_TRUST_POLICY" "" LOGGING_ROLE_ARN=$ROLE_ARN CREATED_RESOURCES+=("IAM Role: AWSIoTLoggingRole") # Create IoT Mitigation Action role IOT_MITIGATION_TRUST_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "iot.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' create_iam_role "IoTMitigationActionErrorLoggingRole" "$IOT_MITIGATION_TRUST_POLICY" "" MITIGATION_ROLE_ARN=$ROLE_ARN CREATED_RESOURCES+=("IAM Role: IoTMitigationActionErrorLoggingRole") # Step 2: Enable audit checks echo "" echo "===================================================" echo "Step 2: Enabling AWS IoT Device Defender audit checks" echo "===================================================" # Get current audit configuration echo "Getting current audit configuration..." CURRENT_CONFIG=$(aws iot describe-account-audit-configuration) echo "$CURRENT_CONFIG" # Enable specific audit checks echo "Enabling audit checks..." UPDATE_RESULT=$(aws iot update-account-audit-configuration \ --role-arn "$AUDIT_ROLE_ARN" \ --audit-check-configurations '{"LOGGING_DISABLED_CHECK":{"enabled":true}}') if ! check_error "$UPDATE_RESULT"; then echo "Failed to update audit configuration" exit 1 fi echo "Audit checks enabled successfully" # Step 3: Run an on-demand audit echo "" echo "===================================================" echo "Step 3: Running an on-demand audit" echo "===================================================" echo "Starting on-demand audit task..." AUDIT_TASK_RESULT=$(aws iot start-on-demand-audit-task \ --target-check-names LOGGING_DISABLED_CHECK) if ! check_error "$AUDIT_TASK_RESULT"; then echo "Failed to start on-demand audit task" exit 1 fi TASK_ID=$(echo "$AUDIT_TASK_RESULT" | grep -o '"taskId": "[^"]*' | cut -d'"' -f4) echo "Audit task started with ID: $TASK_ID" CREATED_RESOURCES+=("Audit Task: $TASK_ID") # Wait for the audit task to complete echo "Waiting for audit task to complete (this may take a few minutes)..." TASK_STATUS="IN_PROGRESS" while [ "$TASK_STATUS" != "COMPLETED" ]; do sleep 10 TASK_DETAILS=$(aws iot describe-audit-task --task-id "$TASK_ID") TASK_STATUS=$(echo "$TASK_DETAILS" | grep -o '"taskStatus": "[^"]*' | cut -d'"' -f4) echo "Current task status: $TASK_STATUS" if [ "$TASK_STATUS" == "FAILED" ]; then echo "Audit task failed" exit 1 fi done echo "Audit task completed successfully" # Get audit findings echo "Getting audit findings..." FINDINGS=$(aws iot list-audit-findings \ --task-id "$TASK_ID") echo "Audit findings:" echo "$FINDINGS" # Check if we have any non-compliant findings if echo "$FINDINGS" | grep -q '"findingId"'; then FINDING_ID=$(echo "$FINDINGS" | grep -o '"findingId": "[^"]*' | head -1 | cut -d'"' -f4) echo "Found non-compliant finding with ID: $FINDING_ID" HAS_FINDINGS=true else echo "No non-compliant findings detected" HAS_FINDINGS=false fi # Step 4: Create a mitigation action echo "" echo "===================================================" echo "Step 4: Creating a mitigation action" echo "===================================================" # Check if mitigation action already exists MITIGATION_EXISTS=$(aws iot list-mitigation-actions --action-name "EnableErrorLoggingAction" 2>&1) if echo "$MITIGATION_EXISTS" | grep -q "EnableErrorLoggingAction"; then echo "Mitigation action 'EnableErrorLoggingAction' already exists, deleting it first..." aws iot delete-mitigation-action --action-name "EnableErrorLoggingAction" # Wait a moment for deletion to complete sleep 5 fi echo "Creating mitigation action to enable AWS IoT logging..." MITIGATION_RESULT=$(aws iot create-mitigation-action \ --action-name "EnableErrorLoggingAction" \ --role-arn "$MITIGATION_ROLE_ARN" \ --action-params "{\"enableIoTLoggingParams\":{\"roleArnForLogging\":\"$LOGGING_ROLE_ARN\",\"logLevel\":\"ERROR\"}}") echo "$MITIGATION_RESULT" if ! check_error "$MITIGATION_RESULT"; then echo "Failed to create mitigation action" exit 1 fi echo "Mitigation action created successfully" CREATED_RESOURCES+=("Mitigation Action: EnableErrorLoggingAction") # Step 5: Apply mitigation action to findings (if any) if [ "$HAS_FINDINGS" = true ]; then echo "" echo "===================================================" echo "Step 5: Applying mitigation action to findings" echo "===================================================" MITIGATION_TASK_ID="MitigationTask-$(date +%s)" echo "Starting mitigation actions task with ID: $MITIGATION_TASK_ID" MITIGATION_TASK_RESULT=$(aws iot start-audit-mitigation-actions-task \ --task-id "$MITIGATION_TASK_ID" \ --target "{\"findingIds\":[\"$FINDING_ID\"]}" \ --audit-check-to-actions-mapping "{\"LOGGING_DISABLED_CHECK\":[\"EnableErrorLoggingAction\"]}") if ! check_error "$MITIGATION_TASK_RESULT"; then echo "Failed to start mitigation actions task" exit 1 fi echo "Mitigation actions task started successfully" CREATED_RESOURCES+=("Mitigation Task: $MITIGATION_TASK_ID") # Wait for the mitigation task to complete echo "Waiting for mitigation task to complete..." sleep 10 # Use a more reliable date format for the API call START_TIME=$(date -u -d 'today' '+%Y-%m-%dT%H:%M:%S.000Z') END_TIME=$(date -u '+%Y-%m-%dT%H:%M:%S.000Z') MITIGATION_TASKS=$(aws iot list-audit-mitigation-actions-tasks \ --start-time "$START_TIME" \ --end-time "$END_TIME" 2>&1) if check_error "$MITIGATION_TASKS"; then echo "Mitigation tasks:" echo "$MITIGATION_TASKS" else echo "Could not retrieve mitigation task status, but task was started successfully" fi else echo "" echo "===================================================" echo "Step 5: Skipping mitigation action application (no findings)" echo "===================================================" fi # Step 6: Set up SNS notifications (optional) echo "" echo "===================================================" echo "Step 6: Setting up SNS notifications" echo "===================================================" # Check if SNS topic already exists SNS_TOPICS=$(aws sns list-topics) if echo "$SNS_TOPICS" | grep -q "IoTDDNotifications"; then echo "SNS topic 'IoTDDNotifications' already exists, using existing topic..." TOPIC_ARN=$(echo "$SNS_TOPICS" | grep -o '"TopicArn": "[^"]*IoTDDNotifications' | cut -d'"' -f4) else echo "Creating SNS topic for notifications..." SNS_RESULT=$(aws sns create-topic --name "IoTDDNotifications") if ! check_error "$SNS_RESULT"; then echo "Failed to create SNS topic" exit 1 fi TOPIC_ARN=$(echo "$SNS_RESULT" | grep -o '"TopicArn": "[^"]*' | cut -d'"' -f4) echo "SNS topic created with ARN: $TOPIC_ARN" CREATED_RESOURCES+=("SNS Topic: IoTDDNotifications") fi echo "Updating audit configuration to enable SNS notifications..." SNS_UPDATE_RESULT=$(aws iot update-account-audit-configuration \ --audit-notification-target-configurations "{\"SNS\":{\"targetArn\":\"$TOPIC_ARN\",\"roleArn\":\"$AUDIT_ROLE_ARN\",\"enabled\":true}}") if ! check_error "$SNS_UPDATE_RESULT"; then echo "Failed to update audit configuration for SNS notifications" exit 1 fi echo "SNS notifications enabled successfully" # Step 7: Enable AWS IoT logging echo "" echo "===================================================" echo "Step 7: Enabling AWS IoT logging" echo "===================================================" echo "Setting up AWS IoT logging options..." # Create the logging options payload LOGGING_OPTIONS_PAYLOAD="{\"roleArn\":\"$LOGGING_ROLE_ARN\",\"logLevel\":\"ERROR\"}" LOGGING_RESULT=$(aws iot set-v2-logging-options \ --role-arn "$LOGGING_ROLE_ARN" \ --default-log-level "ERROR" 2>&1) if ! check_error "$LOGGING_RESULT"; then echo "Failed to set up AWS IoT v2 logging, trying v1 logging..." # Try the older set-logging-options command with proper payload format LOGGING_RESULT_V1=$(aws iot set-logging-options \ --logging-options-payload "$LOGGING_OPTIONS_PAYLOAD" 2>&1) if ! check_error "$LOGGING_RESULT_V1"; then echo "Failed to set up AWS IoT logging with both v1 and v2 methods" echo "V2 result: $LOGGING_RESULT" echo "V1 result: $LOGGING_RESULT_V1" exit 1 else echo "AWS IoT v1 logging enabled successfully" fi else echo "AWS IoT v2 logging enabled successfully" fi # Verify logging is enabled echo "Verifying logging configuration..." LOGGING_CONFIG=$(aws iot get-v2-logging-options 2>&1) if check_error "$LOGGING_CONFIG"; then echo "V2 Logging configuration:" echo "$LOGGING_CONFIG" else echo "Checking v1 logging configuration..." LOGGING_CONFIG_V1=$(aws iot get-logging-options 2>&1) if check_error "$LOGGING_CONFIG_V1"; then echo "V1 Logging configuration:" echo "$LOGGING_CONFIG_V1" else echo "Could not retrieve logging configuration" fi fi # Script completed successfully echo "" echo "===================================================" echo "AWS IoT Device Defender setup completed successfully!" echo "===================================================" echo "The following resources were created:" for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" done echo "" # Ask if user wants to clean up resources echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ $CLEANUP_CHOICE =~ ^[Yy]$ ]]; then echo "Starting cleanup process..." # Disable AWS IoT logging echo "Disabling AWS IoT logging..." # Try to disable v2 logging first DISABLE_V2_RESULT=$(aws iot set-v2-logging-options \ --default-log-level "DISABLED" 2>&1) if ! check_error "$DISABLE_V2_RESULT"; then echo "Failed to disable v2 logging, trying v1..." # Try v1 logging disable DISABLE_V1_RESULT=$(aws iot set-logging-options \ --logging-options-payload "{\"logLevel\":\"DISABLED\"}" 2>&1) if ! check_error "$DISABLE_V1_RESULT"; then echo "Warning: Could not disable logging through either v1 or v2 methods" else echo "V1 logging disabled successfully" fi else echo "V2 logging disabled successfully" fi # Delete mitigation action echo "Deleting mitigation action..." aws iot delete-mitigation-action --action-name "EnableErrorLoggingAction" # Reset audit configuration echo "Resetting IoT Device Defender audit configuration..." aws iot update-account-audit-configuration \ --audit-check-configurations '{"LOGGING_DISABLED_CHECK":{"enabled":false}}' 2>&1 | grep -qi "error" && echo "Warning: Failed to disable audit check" aws iot delete-account-audit-configuration --delete-scheduled-audits 2>&1 | grep -qi "error" && echo "Warning: Failed to delete audit configuration" # Delete SNS topic echo "Deleting SNS topic..." aws sns delete-topic --topic-arn "$TOPIC_ARN" # Detach policies from roles and delete roles (in reverse order) echo "Cleaning up IAM roles..." # Check if policies exist before trying to delete them ROLE_POLICIES=$(aws iam list-role-policies --role-name "IoTMitigationActionErrorLoggingRole" 2>&1) if ! echo "$ROLE_POLICIES" | grep -q "NoSuchEntity"; then if echo "$ROLE_POLICIES" | grep -q "IoTMitigationActionErrorLoggingRolePolicy"; then aws iam delete-role-policy \ --role-name "IoTMitigationActionErrorLoggingRole" \ --policy-name "IoTMitigationActionErrorLoggingRolePolicy" fi fi aws iam delete-role --role-name "IoTMitigationActionErrorLoggingRole" ROLE_POLICIES=$(aws iam list-role-policies --role-name "AWSIoTLoggingRole" 2>&1) if ! echo "$ROLE_POLICIES" | grep -q "NoSuchEntity"; then if echo "$ROLE_POLICIES" | grep -q "AWSIoTLoggingRolePolicy"; then aws iam delete-role-policy \ --role-name "AWSIoTLoggingRole" \ --policy-name "AWSIoTLoggingRolePolicy" fi fi aws iam delete-role --role-name "AWSIoTLoggingRole" aws iam detach-role-policy \ --role-name "AWSIoTDeviceDefenderAuditRole" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSIoTDeviceDefenderAudit" aws iam delete-role --role-name "AWSIoTDeviceDefenderAuditRole" echo "Cleanup completed successfully" else echo "Skipping cleanup. Resources will remain in your AWS account." fi echo "" echo "Script execution completed at $(date)" echo "Log file: $LOG_FILE" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateMitigationAction](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/CreateMitigationAction) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/CreateTopic) + [DeleteAccountAuditConfiguration](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DeleteAccountAuditConfiguration) + [DeleteMitigationAction](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DeleteMitigationAction) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy) + [DeleteTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/DeleteTopic) + [DescribeAccountAuditConfiguration](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DescribeAccountAuditConfiguration) + [DescribeAuditTask](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DescribeAuditTask) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetLoggingOptions](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/GetLoggingOptions) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [GetV2LoggingOptions](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/GetV2LoggingOptions) + [ListAuditFindings](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/ListAuditFindings) + [ListAuditMitigationActionsTasks](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/ListAuditMitigationActionsTasks) + [ListMitigationActions](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/ListMitigationActions) + [ListRolePolicies](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/ListRolePolicies) + [ListTopics](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/ListTopics) + [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy) + [SetLoggingOptions](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/SetLoggingOptions) + [SetV2LoggingOptions](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/SetV2LoggingOptions) + [StartAuditMitigationActionsTask](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/StartAuditMitigationActionsTask) + [StartOnDemandAuditTask](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/StartOnDemandAuditTask) + [UpdateAccountAuditConfiguration](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/UpdateAccountAuditConfiguration) ### Getting started with Amazon EKS The following code example shows how to: + Create a VPC for your EKS cluster + Create IAM roles for your EKS cluster + Create your EKS cluster + Configure kubectl to communicate with your cluster + Create a managed node group + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/034-eks-gs) repository. ``` #!/bin/bash # Amazon EKS Cluster Creation Script (v2) # This script creates an Amazon EKS cluster with a managed node group using the AWS CLI # Set up logging LOG_FILE="eks-cluster-creation-v2.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon EKS cluster creation script at $(date)" echo "All commands and outputs will be logged to $LOG_FILE" # Error handling function handle_error() { echo "ERROR: $1" echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Function to check command success check_command() { if [ $? -ne 0 ] || echo "$1" | grep -i "error" > /dev/null; then handle_error "$1" fi } # Function to check if kubectl is installed check_kubectl() { if ! command -v kubectl &> /dev/null; then echo "WARNING: kubectl is not installed or not in your PATH." echo "" echo "To install kubectl, follow these instructions based on your operating system:" echo "" echo "For Linux:" echo " 1. Download the latest release:" echo " curl -LO \"https://dl.k8s.io/release/\$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl\"" echo "" echo " 2. Make the kubectl binary executable:" echo " chmod +x ./kubectl" echo "" echo " 3. Move the binary to your PATH:" echo " sudo mv ./kubectl /usr/local/bin/kubectl" echo "" echo "For macOS:" echo " 1. Using Homebrew:" echo " brew install kubectl" echo " or" echo " 2. Using curl:" echo " curl -LO \"https://dl.k8s.io/release/\$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/darwin/amd64/kubectl\"" echo " chmod +x ./kubectl" echo " sudo mv ./kubectl /usr/local/bin/kubectl" echo "" echo "For Windows:" echo " 1. Using curl:" echo " curl -LO \"https://dl.k8s.io/release/v1.28.0/bin/windows/amd64/kubectl.exe\"" echo " Add the binary to your PATH" echo " or" echo " 2. Using Chocolatey:" echo " choco install kubernetes-cli" echo "" echo "After installation, verify with: kubectl version --client" echo "" return 1 fi return 0 } # Generate a random identifier for resource names RANDOM_ID=$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | fold -w 6 | head -n 1) STACK_NAME="eks-vpc-stack-${RANDOM_ID}" CLUSTER_NAME="eks-cluster-${RANDOM_ID}" NODEGROUP_NAME="eks-nodegroup-${RANDOM_ID}" CLUSTER_ROLE_NAME="EKSClusterRole-${RANDOM_ID}" NODE_ROLE_NAME="EKSNodeRole-${RANDOM_ID}" echo "Using the following resource names:" echo "- VPC Stack: $STACK_NAME" echo "- EKS Cluster: $CLUSTER_NAME" echo "- Node Group: $NODEGROUP_NAME" echo "- Cluster IAM Role: $CLUSTER_ROLE_NAME" echo "- Node IAM Role: $NODE_ROLE_NAME" # Array to track created resources for cleanup declare -a CREATED_RESOURCES # Function to clean up resources cleanup_resources() { echo "Cleaning up resources in reverse order..." # Check if node group exists and delete it if aws eks list-nodegroups --cluster-name "$CLUSTER_NAME" --query "nodegroups[?contains(@,'$NODEGROUP_NAME')]" --output text 2>/dev/null | grep -q "$NODEGROUP_NAME"; then echo "Deleting node group: $NODEGROUP_NAME" aws eks delete-nodegroup --cluster-name "$CLUSTER_NAME" --nodegroup-name "$NODEGROUP_NAME" echo "Waiting for node group deletion to complete..." aws eks wait nodegroup-deleted --cluster-name "$CLUSTER_NAME" --nodegroup-name "$NODEGROUP_NAME" echo "Node group deleted successfully." fi # Check if cluster exists and delete it if aws eks describe-cluster --name "$CLUSTER_NAME" 2>/dev/null; then echo "Deleting cluster: $CLUSTER_NAME" aws eks delete-cluster --name "$CLUSTER_NAME" echo "Waiting for cluster deletion to complete (this may take several minutes)..." aws eks wait cluster-deleted --name "$CLUSTER_NAME" echo "Cluster deleted successfully." fi # Check if CloudFormation stack exists and delete it if aws cloudformation describe-stacks --stack-name "$STACK_NAME" 2>/dev/null; then echo "Deleting CloudFormation stack: $STACK_NAME" aws cloudformation delete-stack --stack-name "$STACK_NAME" echo "Waiting for CloudFormation stack deletion to complete..." aws cloudformation wait stack-delete-complete --stack-name "$STACK_NAME" echo "CloudFormation stack deleted successfully." fi # Clean up IAM roles if aws iam get-role --role-name "$NODE_ROLE_NAME" 2>/dev/null; then echo "Detaching policies from node role: $NODE_ROLE_NAME" aws iam detach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy --role-name "$NODE_ROLE_NAME" aws iam detach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly --role-name "$NODE_ROLE_NAME" aws iam detach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy --role-name "$NODE_ROLE_NAME" echo "Deleting node role: $NODE_ROLE_NAME" aws iam delete-role --role-name "$NODE_ROLE_NAME" echo "Node role deleted successfully." fi if aws iam get-role --role-name "$CLUSTER_ROLE_NAME" 2>/dev/null; then echo "Detaching policies from cluster role: $CLUSTER_ROLE_NAME" aws iam detach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy --role-name "$CLUSTER_ROLE_NAME" echo "Deleting cluster role: $CLUSTER_ROLE_NAME" aws iam delete-role --role-name "$CLUSTER_ROLE_NAME" echo "Cluster role deleted successfully." fi echo "Cleanup complete." } # Trap to ensure cleanup on script exit trap 'echo "Script interrupted. Cleaning up resources..."; cleanup_resources; exit 1' SIGINT SIGTERM # Verify AWS CLI configuration echo "Verifying AWS CLI configuration..." AWS_ACCOUNT_INFO=$(aws sts get-caller-identity) check_command "$AWS_ACCOUNT_INFO" echo "AWS CLI is properly configured." # Step 1: Create VPC using CloudFormation echo "Step 1: Creating VPC with CloudFormation..." echo "Creating CloudFormation stack: $STACK_NAME" # Create the CloudFormation stack CF_CREATE_OUTPUT=$(aws cloudformation create-stack \ --stack-name "$STACK_NAME" \ --template-url https://s3.us-west-2.amazonaws.com/amazon-eks/cloudformation/2020-10-29/amazon-eks-vpc-private-subnets.yaml) check_command "$CF_CREATE_OUTPUT" CREATED_RESOURCES+=("CloudFormation Stack: $STACK_NAME") echo "Waiting for CloudFormation stack to complete (this may take a few minutes)..." aws cloudformation wait stack-create-complete --stack-name "$STACK_NAME" if [ $? -ne 0 ]; then handle_error "CloudFormation stack creation failed" fi echo "CloudFormation stack created successfully." # Step 2: Create IAM roles for EKS echo "Step 2: Creating IAM roles for EKS..." # Create cluster role trust policy echo "Creating cluster role trust policy..." cat > eks-cluster-role-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "eks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create cluster role echo "Creating cluster IAM role: $CLUSTER_ROLE_NAME" CLUSTER_ROLE_OUTPUT=$(aws iam create-role \ --role-name "$CLUSTER_ROLE_NAME" \ --assume-role-policy-document file://"eks-cluster-role-trust-policy.json") check_command "$CLUSTER_ROLE_OUTPUT" CREATED_RESOURCES+=("IAM Role: $CLUSTER_ROLE_NAME") # Attach policy to cluster role echo "Attaching EKS cluster policy to role..." ATTACH_CLUSTER_POLICY_OUTPUT=$(aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSClusterPolicy \ --role-name "$CLUSTER_ROLE_NAME") check_command "$ATTACH_CLUSTER_POLICY_OUTPUT" # Create node role trust policy echo "Creating node role trust policy..." cat > node-role-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create node role echo "Creating node IAM role: $NODE_ROLE_NAME" NODE_ROLE_OUTPUT=$(aws iam create-role \ --role-name "$NODE_ROLE_NAME" \ --assume-role-policy-document file://"node-role-trust-policy.json") check_command "$NODE_ROLE_OUTPUT" CREATED_RESOURCES+=("IAM Role: $NODE_ROLE_NAME") # Attach policies to node role echo "Attaching EKS node policies to role..." ATTACH_NODE_POLICY1_OUTPUT=$(aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy \ --role-name "$NODE_ROLE_NAME") check_command "$ATTACH_NODE_POLICY1_OUTPUT" ATTACH_NODE_POLICY2_OUTPUT=$(aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \ --role-name "$NODE_ROLE_NAME") check_command "$ATTACH_NODE_POLICY2_OUTPUT" ATTACH_NODE_POLICY3_OUTPUT=$(aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy \ --role-name "$NODE_ROLE_NAME") check_command "$ATTACH_NODE_POLICY3_OUTPUT" # Step 3: Get VPC and subnet information echo "Step 3: Getting VPC and subnet information..." VPC_ID=$(aws cloudformation describe-stacks \ --stack-name "$STACK_NAME" \ --query "Stacks[0].Outputs[?OutputKey=='VpcId'].OutputValue" \ --output text) if [ -z "$VPC_ID" ]; then handle_error "Failed to get VPC ID from CloudFormation stack" fi echo "VPC ID: $VPC_ID" SUBNET_IDS=$(aws cloudformation describe-stacks \ --stack-name "$STACK_NAME" \ --query "Stacks[0].Outputs[?OutputKey=='SubnetIds'].OutputValue" \ --output text) if [ -z "$SUBNET_IDS" ]; then handle_error "Failed to get Subnet IDs from CloudFormation stack" fi echo "Subnet IDs: $SUBNET_IDS" SECURITY_GROUP_ID=$(aws cloudformation describe-stacks \ --stack-name "$STACK_NAME" \ --query "Stacks[0].Outputs[?OutputKey=='SecurityGroups'].OutputValue" \ --output text) if [ -z "$SECURITY_GROUP_ID" ]; then handle_error "Failed to get Security Group ID from CloudFormation stack" fi echo "Security Group ID: $SECURITY_GROUP_ID" # Step 4: Create EKS cluster echo "Step 4: Creating EKS cluster: $CLUSTER_NAME" CLUSTER_ROLE_ARN=$(aws iam get-role --role-name "$CLUSTER_ROLE_NAME" --query "Role.Arn" --output text) if [ -z "$CLUSTER_ROLE_ARN" ]; then handle_error "Failed to get Cluster Role ARN" fi echo "Creating EKS cluster (this will take 10-15 minutes)..." CREATE_CLUSTER_OUTPUT=$(aws eks create-cluster \ --name "$CLUSTER_NAME" \ --role-arn "$CLUSTER_ROLE_ARN" \ --resources-vpc-config subnetIds="$SUBNET_IDS",securityGroupIds="$SECURITY_GROUP_ID") check_command "$CREATE_CLUSTER_OUTPUT" CREATED_RESOURCES+=("EKS Cluster: $CLUSTER_NAME") echo "Waiting for EKS cluster to become active (this may take 10-15 minutes)..." aws eks wait cluster-active --name "$CLUSTER_NAME" if [ $? -ne 0 ]; then handle_error "Cluster creation failed or timed out" fi echo "EKS cluster is now active." # Step 5: Configure kubectl echo "Step 5: Configuring kubectl to communicate with the cluster..." # Check if kubectl is installed if ! check_kubectl; then echo "Will skip kubectl configuration steps but continue with the script." echo "You can manually configure kubectl later with: aws eks update-kubeconfig --name \"$CLUSTER_NAME\"" else UPDATE_KUBECONFIG_OUTPUT=$(aws eks update-kubeconfig --name "$CLUSTER_NAME") check_command "$UPDATE_KUBECONFIG_OUTPUT" echo "kubectl configured successfully." # Test kubectl configuration echo "Testing kubectl configuration..." KUBECTL_TEST_OUTPUT=$(kubectl get svc 2>&1) if [ $? -ne 0 ]; then echo "Warning: kubectl configuration test failed. This might be due to permissions or network issues." echo "Error details: $KUBECTL_TEST_OUTPUT" echo "Continuing with script execution..." else echo "$KUBECTL_TEST_OUTPUT" echo "kubectl configuration test successful." fi fi # Step 6: Create managed node group echo "Step 6: Creating managed node group: $NODEGROUP_NAME" NODE_ROLE_ARN=$(aws iam get-role --role-name "$NODE_ROLE_NAME" --query "Role.Arn" --output text) if [ -z "$NODE_ROLE_ARN" ]; then handle_error "Failed to get Node Role ARN" fi # Convert comma-separated subnet IDs to space-separated for the create-nodegroup command SUBNET_IDS_ARRAY=(${SUBNET_IDS//,/ }) echo "Creating managed node group (this will take 5-10 minutes)..." CREATE_NODEGROUP_OUTPUT=$(aws eks create-nodegroup \ --cluster-name "$CLUSTER_NAME" \ --nodegroup-name "$NODEGROUP_NAME" \ --node-role "$NODE_ROLE_ARN" \ --subnets "${SUBNET_IDS_ARRAY[@]}") check_command "$CREATE_NODEGROUP_OUTPUT" CREATED_RESOURCES+=("EKS Node Group: $NODEGROUP_NAME") echo "Waiting for node group to become active (this may take 5-10 minutes)..." aws eks wait nodegroup-active --cluster-name "$CLUSTER_NAME" --nodegroup-name "$NODEGROUP_NAME" if [ $? -ne 0 ]; then handle_error "Node group creation failed or timed out" fi echo "Node group is now active." # Step 7: Verify nodes echo "Step 7: Verifying nodes..." echo "Waiting for nodes to register with the cluster (this may take a few minutes)..." sleep 60 # Give nodes more time to register # Check if kubectl is installed before attempting to use it if ! check_kubectl; then echo "Cannot verify nodes without kubectl. Skipping this step." echo "You can manually verify nodes after installing kubectl with: kubectl get nodes" else NODES_OUTPUT=$(kubectl get nodes 2>&1) if [ $? -ne 0 ]; then echo "Warning: Unable to get nodes. This might be due to permissions or the nodes are still registering." echo "Error details: $NODES_OUTPUT" echo "Continuing with script execution..." else echo "$NODES_OUTPUT" echo "Nodes verified successfully." fi fi # Step 8: View resources echo "Step 8: Viewing cluster resources..." echo "Cluster information:" CLUSTER_INFO=$(aws eks describe-cluster --name "$CLUSTER_NAME") echo "$CLUSTER_INFO" echo "Node group information:" NODEGROUP_INFO=$(aws eks describe-nodegroup --cluster-name "$CLUSTER_NAME" --nodegroup-name "$NODEGROUP_NAME") echo "$NODEGROUP_INFO" echo "Kubernetes resources:" if ! check_kubectl; then echo "Cannot list Kubernetes resources without kubectl. Skipping this step." echo "You can manually list resources after installing kubectl with: kubectl get all --all-namespaces" else KUBE_RESOURCES=$(kubectl get all --all-namespaces 2>&1) if [ $? -ne 0 ]; then echo "Warning: Unable to get Kubernetes resources. This might be due to permissions." echo "Error details: $KUBE_RESOURCES" echo "Continuing with script execution..." else echo "$KUBE_RESOURCES" fi fi # Display summary of created resources echo "" echo "===========================================" echo "RESOURCES CREATED" echo "===========================================" for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" done echo "===========================================" # Prompt for cleanup echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "${CLEANUP_CHOICE,,}" == "y" ]]; then cleanup_resources else echo "Resources will not be cleaned up. You can manually clean them up later." echo "To clean up resources, run the following commands:" echo "1. Delete node group: aws eks delete-nodegroup --cluster-name $CLUSTER_NAME --nodegroup-name $NODEGROUP_NAME" echo "2. Wait for node group deletion: aws eks wait nodegroup-deleted --cluster-name $CLUSTER_NAME --nodegroup-name $NODEGROUP_NAME" echo "3. Delete cluster: aws eks delete-cluster --name $CLUSTER_NAME" echo "4. Wait for cluster deletion: aws eks wait cluster-deleted --name $CLUSTER_NAME" echo "5. Delete CloudFormation stack: aws cloudformation delete-stack --stack-name $STACK_NAME" echo "6. Detach and delete IAM roles for the node group and cluster" fi echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateCluster](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/CreateCluster) + [CreateNodegroup](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/CreateNodegroup) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateStack](https://docs.aws.amazon.com/goto/aws-cli/cloudformation-2010-05-15/CreateStack) + [DeleteCluster](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/DeleteCluster) + [DeleteNodegroup](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/DeleteNodegroup) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteStack](https://docs.aws.amazon.com/goto/aws-cli/cloudformation-2010-05-15/DeleteStack) + [DescribeCluster](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/DescribeCluster) + [DescribeNodegroup](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/DescribeNodegroup) + [DescribeStacks](https://docs.aws.amazon.com/goto/aws-cli/cloudformation-2010-05-15/DescribeStacks) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [ListNodegroups](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/ListNodegroups) + [UpdateKubeconfig](https://docs.aws.amazon.com/goto/aws-cli/eks-2017-11-01/UpdateKubeconfig) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/cloudformation-2010-05-15/Wait) ### Getting started with Amazon MSK The following code example shows how to: + Create an MSK cluster + Create IAM permissions for MSK access + Create a client machine + Get bootstrap brokers + Set up the client machine + Create a topic and produce/consume data + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/057-amazon-managed-streaming-for-apache-kafka-gs) repository. ``` #!/bin/bash # Amazon MSK Getting Started Tutorial Script - Version 8 # This script automates the steps in the Amazon MSK Getting Started tutorial # It creates an MSK cluster, sets up IAM permissions, creates a client machine, # and configures the client to interact with the cluster # Set up logging LOG_FILE="msk_tutorial_$(date +%Y%m%d_%H%M%S).log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon MSK Getting Started Tutorial Script - Version 8" echo "Logging to $LOG_FILE" echo "==============================================" # Function to handle errors handle_error() { echo "ERROR: $1" echo "Resources created so far:" if [ -n "$CLUSTER_ARN" ]; then echo "- MSK Cluster: $CLUSTER_ARN"; fi if [ -n "$POLICY_ARN" ]; then echo "- IAM Policy: $POLICY_ARN"; fi if [ -n "$ROLE_NAME" ]; then echo "- IAM Role: $ROLE_NAME"; fi if [ -n "$INSTANCE_PROFILE_NAME" ]; then echo "- IAM Instance Profile: $INSTANCE_PROFILE_NAME"; fi if [ -n "$CLIENT_SG_ID" ]; then echo "- Client Security Group: $CLIENT_SG_ID"; fi if [ -n "$INSTANCE_ID" ]; then echo "- EC2 Instance: $INSTANCE_ID"; fi if [ -n "$KEY_NAME" ]; then echo "- Key Pair: $KEY_NAME"; fi echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Function to check if a resource exists resource_exists() { local resource_type="$1" local resource_id="$2" case "$resource_type" in "cluster") aws kafka describe-cluster --cluster-arn "$resource_id" &>/dev/null ;; "policy") aws iam get-policy --policy-arn "$resource_id" &>/dev/null ;; "role") aws iam get-role --role-name "$resource_id" &>/dev/null ;; "instance-profile") aws iam get-instance-profile --instance-profile-name "$resource_id" &>/dev/null ;; "security-group") aws ec2 describe-security-groups --group-ids "$resource_id" &>/dev/null ;; "instance") aws ec2 describe-instances --instance-ids "$resource_id" --query 'Reservations[0].Instances[0].State.Name' --output text | grep -v "terminated" &>/dev/null ;; "key-pair") aws ec2 describe-key-pairs --key-names "$resource_id" &>/dev/null ;; esac } # Function to remove security group references remove_security_group_references() { local sg_id="$1" if [ -z "$sg_id" ]; then echo "No security group ID provided for reference removal" return fi echo "Removing security group references for $sg_id" # Get all security groups in the VPC that might reference our client security group local vpc_security_groups=$(aws ec2 describe-security-groups \ --filters "Name=vpc-id,Values=$DEFAULT_VPC_ID" \ --query 'SecurityGroups[].GroupId' \ --output text 2>/dev/null) if [ -n "$vpc_security_groups" ]; then for other_sg in $vpc_security_groups; do if [ "$other_sg" != "$sg_id" ]; then echo "Checking security group $other_sg for references to $sg_id" # Get the security group details in JSON format local sg_details=$(aws ec2 describe-security-groups \ --group-ids "$other_sg" \ --output json 2>/dev/null) if [ -n "$sg_details" ]; then # Check if our security group is referenced in inbound rules local has_inbound_ref=$(echo "$sg_details" | grep -o "\"GroupId\": \"$sg_id\"" | head -1) if [ -n "$has_inbound_ref" ]; then echo "Found inbound rules in $other_sg referencing $sg_id, removing them..." # Try to remove common rule types echo "Attempting to remove all-traffic rule" aws ec2 revoke-security-group-ingress \ --group-id "$other_sg" \ --protocol all \ --source-group "$sg_id" 2>/dev/null || echo "No all-traffic rule to remove" # Try to remove TCP rules on common ports for port in 22 80 443 9092 9094 9096; do aws ec2 revoke-security-group-ingress \ --group-id "$other_sg" \ --protocol tcp \ --port "$port" \ --source-group "$sg_id" 2>/dev/null || true done # Try to remove UDP rules aws ec2 revoke-security-group-ingress \ --group-id "$other_sg" \ --protocol udp \ --source-group "$sg_id" 2>/dev/null || true fi # Check for outbound rules (less common but possible) local has_outbound_ref=$(echo "$sg_details" | grep -A 20 "IpPermissionsEgress" | grep -o "\"GroupId\": \"$sg_id\"" | head -1) if [ -n "$has_outbound_ref" ]; then echo "Found outbound rules in $other_sg referencing $sg_id, removing them..." aws ec2 revoke-security-group-egress \ --group-id "$other_sg" \ --protocol all \ --source-group "$sg_id" 2>/dev/null || echo "No outbound all-traffic rule to remove" fi fi fi done fi echo "Completed security group reference removal for $sg_id" } # Function to clean up resources cleanup_resources() { echo "Cleaning up resources..." # Delete EC2 instance if it exists if [ -n "$INSTANCE_ID" ] && resource_exists "instance" "$INSTANCE_ID"; then echo "Terminating EC2 instance: $INSTANCE_ID" aws ec2 terminate-instances --instance-ids "$INSTANCE_ID" || echo "Failed to terminate instance" echo "Waiting for instance to terminate..." aws ec2 wait instance-terminated --instance-ids "$INSTANCE_ID" || echo "Failed to wait for instance termination" fi # Delete MSK cluster first (to remove dependencies on security group) if [ -n "$CLUSTER_ARN" ] && resource_exists "cluster" "$CLUSTER_ARN"; then echo "Deleting MSK cluster: $CLUSTER_ARN" aws kafka delete-cluster --cluster-arn "$CLUSTER_ARN" || echo "Failed to delete cluster" # Wait a bit for the cluster deletion to start echo "Waiting 30 seconds for cluster deletion to begin..." sleep 30 fi # Remove security group references before attempting deletion if [ -n "$CLIENT_SG_ID" ] && resource_exists "security-group" "$CLIENT_SG_ID"; then remove_security_group_references "$CLIENT_SG_ID" echo "Deleting security group: $CLIENT_SG_ID" # Try multiple times with longer delays to ensure dependencies are removed for i in {1..10}; do if aws ec2 delete-security-group --group-id "$CLIENT_SG_ID"; then echo "Security group deleted successfully" break fi echo "Failed to delete security group (attempt $i/10), retrying in 30 seconds..." sleep 30 done fi # Delete key pair if it exists if [ -n "$KEY_NAME" ] && resource_exists "key-pair" "$KEY_NAME"; then echo "Deleting key pair: $KEY_NAME" aws ec2 delete-key-pair --key-name "$KEY_NAME" || echo "Failed to delete key pair" fi # Remove role from instance profile if [ -n "$ROLE_NAME" ] && [ -n "$INSTANCE_PROFILE_NAME" ] && resource_exists "instance-profile" "$INSTANCE_PROFILE_NAME"; then echo "Removing role from instance profile" aws iam remove-role-from-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME" \ --role-name "$ROLE_NAME" || echo "Failed to remove role from instance profile" fi # Delete instance profile if [ -n "$INSTANCE_PROFILE_NAME" ] && resource_exists "instance-profile" "$INSTANCE_PROFILE_NAME"; then echo "Deleting instance profile: $INSTANCE_PROFILE_NAME" aws iam delete-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME" || echo "Failed to delete instance profile" fi # Detach policy from role if [ -n "$ROLE_NAME" ] && [ -n "$POLICY_ARN" ] && resource_exists "role" "$ROLE_NAME"; then echo "Detaching policy from role" aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$POLICY_ARN" || echo "Failed to detach policy" fi # Delete role if [ -n "$ROLE_NAME" ] && resource_exists "role" "$ROLE_NAME"; then echo "Deleting role: $ROLE_NAME" aws iam delete-role --role-name "$ROLE_NAME" || echo "Failed to delete role" fi # Delete policy if [ -n "$POLICY_ARN" ] && resource_exists "policy" "$POLICY_ARN"; then echo "Deleting policy: $POLICY_ARN" aws iam delete-policy --policy-arn "$POLICY_ARN" || echo "Failed to delete policy" fi echo "Cleanup completed" } # Function to find a suitable subnet and instance type combination find_suitable_subnet_and_instance_type() { local vpc_id="$1" local -a subnet_array=("${!2}") # List of instance types to try, in order of preference local instance_types=("t3.micro" "t2.micro" "t3.small" "t2.small") echo "Finding suitable subnet and instance type combination..." for instance_type in "${instance_types[@]}"; do echo "Trying instance type: $instance_type" for subnet_id in "${subnet_array[@]}"; do # Get the availability zone for this subnet local az=$(aws ec2 describe-subnets \ --subnet-ids "$subnet_id" \ --query 'Subnets[0].AvailabilityZone' \ --output text) echo " Checking subnet $subnet_id in AZ $az" # Check if this instance type is available in this AZ local available=$(aws ec2 describe-instance-type-offerings \ --location-type availability-zone \ --filters "Name=location,Values=$az" "Name=instance-type,Values=$instance_type" \ --query 'InstanceTypeOfferings[0].InstanceType' \ --output text 2>/dev/null) if [ "$available" = "$instance_type" ]; then echo " ✓ Found suitable combination: $instance_type in $az (subnet: $subnet_id)" SELECTED_SUBNET_ID="$subnet_id" SELECTED_INSTANCE_TYPE="$instance_type" return 0 else echo " ✗ $instance_type not available in $az" fi done done echo "ERROR: Could not find any suitable subnet and instance type combination" return 1 } # Generate unique identifiers RANDOM_SUFFIX=$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | fold -w 8 | head -n 1) CLUSTER_NAME="MSKTutorialCluster-${RANDOM_SUFFIX}" POLICY_NAME="msk-tutorial-policy-${RANDOM_SUFFIX}" ROLE_NAME="msk-tutorial-role-${RANDOM_SUFFIX}" INSTANCE_PROFILE_NAME="msk-tutorial-profile-${RANDOM_SUFFIX}" SG_NAME="MSKClientSecurityGroup-${RANDOM_SUFFIX}" echo "Using the following resource names:" echo "- Cluster Name: $CLUSTER_NAME" echo "- Policy Name: $POLICY_NAME" echo "- Role Name: $ROLE_NAME" echo "- Instance Profile Name: $INSTANCE_PROFILE_NAME" echo "- Security Group Name: $SG_NAME" echo "==============================================" # Step 1: Create an MSK Provisioned cluster echo "Step 1: Creating MSK Provisioned cluster" # Get the default VPC ID first echo "Getting default VPC..." DEFAULT_VPC_ID=$(aws ec2 describe-vpcs \ --filters "Name=is-default,Values=true" \ --query "Vpcs[0].VpcId" \ --output text) if [ -z "$DEFAULT_VPC_ID" ] || [ "$DEFAULT_VPC_ID" = "None" ]; then handle_error "Could not find default VPC. Please ensure you have a default VPC in your region." fi echo "Default VPC ID: $DEFAULT_VPC_ID" # Get available subnets in the default VPC echo "Getting available subnets in the default VPC..." SUBNETS=$(aws ec2 describe-subnets \ --filters "Name=vpc-id,Values=$DEFAULT_VPC_ID" "Name=default-for-az,Values=true" \ --query "Subnets[0:3].SubnetId" \ --output text) # Convert space-separated subnet IDs to an array read -r -a SUBNET_ARRAY <<< "$SUBNETS" if [ ${#SUBNET_ARRAY[@]} -lt 3 ]; then handle_error "Not enough subnets available in the default VPC. Need at least 3 subnets, found ${#SUBNET_ARRAY[@]}." fi # Get default security group for the default VPC echo "Getting default security group for the default VPC..." DEFAULT_SG=$(aws ec2 describe-security-groups \ --filters "Name=group-name,Values=default" "Name=vpc-id,Values=$DEFAULT_VPC_ID" \ --query "SecurityGroups[0].GroupId" \ --output text) if [ -z "$DEFAULT_SG" ] || [ "$DEFAULT_SG" = "None" ]; then handle_error "Could not find default security group for VPC $DEFAULT_VPC_ID" fi echo "Creating MSK cluster: $CLUSTER_NAME" echo "Using VPC: $DEFAULT_VPC_ID" echo "Using subnets: ${SUBNET_ARRAY[0]} ${SUBNET_ARRAY[1]} ${SUBNET_ARRAY[2]}" echo "Using security group: $DEFAULT_SG" # Create the MSK cluster with proper error handling CLUSTER_RESPONSE=$(aws kafka create-cluster \ --cluster-name "$CLUSTER_NAME" \ --broker-node-group-info "{\"InstanceType\": \"kafka.t3.small\", \"ClientSubnets\": [\"${SUBNET_ARRAY[0]}\", \"${SUBNET_ARRAY[1]}\", \"${SUBNET_ARRAY[2]}\"], \"SecurityGroups\": [\"$DEFAULT_SG\"]}" \ --kafka-version "3.6.0" \ --number-of-broker-nodes 3 \ --encryption-info "{\"EncryptionInTransit\": {\"InCluster\": true, \"ClientBroker\": \"TLS\"}}" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to create MSK cluster: $CLUSTER_RESPONSE" fi # Extract the cluster ARN using grep CLUSTER_ARN=$(echo "$CLUSTER_RESPONSE" | grep -o '"ClusterArn": "[^"]*' | cut -d'"' -f4) if [ -z "$CLUSTER_ARN" ]; then handle_error "Failed to extract cluster ARN from response: $CLUSTER_RESPONSE" fi echo "MSK cluster creation initiated. ARN: $CLUSTER_ARN" echo "Waiting for cluster to become active (this may take 15-20 minutes)..." # Wait for the cluster to become active while true; do CLUSTER_STATUS=$(aws kafka describe-cluster --cluster-arn "$CLUSTER_ARN" --query "ClusterInfo.State" --output text 2>/dev/null) if [ $? -ne 0 ]; then echo "Failed to get cluster status. Retrying in 30 seconds..." sleep 30 continue fi echo "Current cluster status: $CLUSTER_STATUS" if [ "$CLUSTER_STATUS" = "ACTIVE" ]; then echo "Cluster is now active!" break elif [ "$CLUSTER_STATUS" = "FAILED" ]; then handle_error "Cluster creation failed" fi echo "Still waiting for cluster to become active... (checking again in 60 seconds)" sleep 60 done echo "==============================================" # Step 2: Create an IAM role granting access to create topics on the Amazon MSK cluster echo "Step 2: Creating IAM policy and role" # Get account ID and region ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) REGION=$(aws configure get region) if [ -z "$REGION" ]; then REGION=$(aws ec2 describe-availability-zones --query 'AvailabilityZones[0].RegionName' --output text) fi if [ -z "$ACCOUNT_ID" ] || [ -z "$REGION" ]; then handle_error "Could not determine AWS account ID or region" fi echo "Account ID: $ACCOUNT_ID" echo "Region: $REGION" # Create IAM policy echo "Creating IAM policy: $POLICY_NAME" POLICY_DOCUMENT="{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Action\": [ \"kafka-cluster:Connect\", \"kafka-cluster:AlterCluster\", \"kafka-cluster:DescribeCluster\" ], \"Resource\": [ \"$CLUSTER_ARN\" ] }, { \"Effect\": \"Allow\", \"Action\": [ \"kafka-cluster:*Topic*\", \"kafka-cluster:WriteData\", \"kafka-cluster:ReadData\" ], \"Resource\": [ \"arn:aws:kafka:$REGION:$ACCOUNT_ID:topic/$CLUSTER_NAME/*\" ] }, { \"Effect\": \"Allow\", \"Action\": [ \"kafka-cluster:AlterGroup\", \"kafka-cluster:DescribeGroup\" ], \"Resource\": [ \"arn:aws:kafka:$REGION:$ACCOUNT_ID:group/$CLUSTER_NAME/*\" ] } ] }" POLICY_RESPONSE=$(aws iam create-policy \ --policy-name "$POLICY_NAME" \ --policy-document "$POLICY_DOCUMENT" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to create IAM policy: $POLICY_RESPONSE" fi # Extract the policy ARN using grep POLICY_ARN=$(echo "$POLICY_RESPONSE" | grep -o '"Arn": "[^"]*' | cut -d'"' -f4) if [ -z "$POLICY_ARN" ]; then handle_error "Failed to extract policy ARN from response: $POLICY_RESPONSE" fi echo "IAM policy created. ARN: $POLICY_ARN" # Create IAM role for EC2 echo "Creating IAM role: $ROLE_NAME" TRUST_POLICY="{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}" ROLE_RESPONSE=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document "$TRUST_POLICY" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to create IAM role: $ROLE_RESPONSE" fi echo "IAM role created: $ROLE_NAME" # Attach policy to role echo "Attaching policy to role" ATTACH_RESPONSE=$(aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$POLICY_ARN" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to attach policy to role: $ATTACH_RESPONSE" fi echo "Policy attached to role" # Create instance profile and add role to it echo "Creating instance profile: $INSTANCE_PROFILE_NAME" PROFILE_RESPONSE=$(aws iam create-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to create instance profile: $PROFILE_RESPONSE" fi echo "Instance profile created" echo "Adding role to instance profile" ADD_ROLE_RESPONSE=$(aws iam add-role-to-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME" \ --role-name "$ROLE_NAME" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to add role to instance profile: $ADD_ROLE_RESPONSE" fi echo "Role added to instance profile" # Wait a moment for IAM propagation echo "Waiting 10 seconds for IAM propagation..." sleep 10 echo "==============================================" # Step 3: Create a client machine echo "Step 3: Creating client machine" # Find a suitable subnet and instance type combination if ! find_suitable_subnet_and_instance_type "$DEFAULT_VPC_ID" SUBNET_ARRAY[@]; then handle_error "Could not find a suitable subnet and instance type combination" fi echo "Selected subnet: $SELECTED_SUBNET_ID" echo "Selected instance type: $SELECTED_INSTANCE_TYPE" # Verify the subnet is in the same VPC we're using SUBNET_VPC_ID=$(aws ec2 describe-subnets \ --subnet-ids "$SELECTED_SUBNET_ID" \ --query 'Subnets[0].VpcId' \ --output text) if [ "$SUBNET_VPC_ID" != "$DEFAULT_VPC_ID" ]; then handle_error "Subnet VPC ($SUBNET_VPC_ID) does not match default VPC ($DEFAULT_VPC_ID)" fi echo "VPC ID: $SUBNET_VPC_ID" # Get security group ID from the MSK cluster echo "Getting security group ID from the MSK cluster" MSK_SG_ID=$(aws kafka describe-cluster \ --cluster-arn "$CLUSTER_ARN" \ --query 'ClusterInfo.BrokerNodeGroupInfo.SecurityGroups[0]' \ --output text) if [ -z "$MSK_SG_ID" ] || [ "$MSK_SG_ID" = "None" ]; then handle_error "Failed to get security group ID from cluster" fi echo "MSK security group ID: $MSK_SG_ID" # Create security group for client echo "Creating security group for client: $SG_NAME" CLIENT_SG_RESPONSE=$(aws ec2 create-security-group \ --group-name "$SG_NAME" \ --description "Security group for MSK client" \ --vpc-id "$DEFAULT_VPC_ID" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to create security group: $CLIENT_SG_RESPONSE" fi # Extract the security group ID using grep CLIENT_SG_ID=$(echo "$CLIENT_SG_RESPONSE" | grep -o '"GroupId": "[^"]*' | cut -d'"' -f4) if [ -z "$CLIENT_SG_ID" ]; then handle_error "Failed to extract security group ID from response: $CLIENT_SG_RESPONSE" fi echo "Client security group created. ID: $CLIENT_SG_ID" # Allow SSH access to client from your IP only echo "Getting your public IP address" MY_IP=$(curl -s https://checkip.amazonaws.com 2>/dev/null) if [ -z "$MY_IP" ]; then echo "Warning: Could not determine your IP address. Using 0.0.0.0/0 (not recommended for production)" MY_IP="0.0.0.0/0" else MY_IP="$MY_IP/32" echo "Your IP address: $MY_IP" fi echo "Adding SSH ingress rule to client security group" SSH_RULE_RESPONSE=$(aws ec2 authorize-security-group-ingress \ --group-id "$CLIENT_SG_ID" \ --protocol tcp \ --port 22 \ --cidr "$MY_IP" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then echo "Warning: Failed to add SSH ingress rule: $SSH_RULE_RESPONSE" echo "You may need to manually add SSH access to security group $CLIENT_SG_ID" fi echo "SSH ingress rule added" # Update MSK security group to allow traffic from client security group echo "Adding ingress rule to MSK security group to allow traffic from client" MSK_RULE_RESPONSE=$(aws ec2 authorize-security-group-ingress \ --group-id "$MSK_SG_ID" \ --protocol all \ --source-group "$CLIENT_SG_ID" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then echo "Warning: Failed to add ingress rule to MSK security group: $MSK_RULE_RESPONSE" echo "You may need to manually add ingress rule to security group $MSK_SG_ID" fi echo "Ingress rule added to MSK security group" # Create key pair KEY_NAME="MSKKeyPair-${RANDOM_SUFFIX}" echo "Creating key pair: $KEY_NAME" KEY_RESPONSE=$(aws ec2 create-key-pair --key-name "$KEY_NAME" --query 'KeyMaterial' --output text 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to create key pair: $KEY_RESPONSE" fi # Save the private key to a file KEY_FILE="${KEY_NAME}.pem" echo "$KEY_RESPONSE" > "$KEY_FILE" chmod 400 "$KEY_FILE" echo "Key pair created and saved to $KEY_FILE" # Get the latest Amazon Linux 2 AMI echo "Getting latest Amazon Linux 2 AMI ID" AMI_ID=$(aws ec2 describe-images \ --owners amazon \ --filters "Name=name,Values=amzn2-ami-hvm-*-x86_64-gp2" "Name=state,Values=available" \ --query "sort_by(Images, &CreationDate)[-1].ImageId" \ --output text 2>/dev/null) if [ -z "$AMI_ID" ] || [ "$AMI_ID" = "None" ]; then handle_error "Failed to get Amazon Linux 2 AMI ID" fi echo "Using AMI ID: $AMI_ID" # Launch EC2 instance with the selected subnet and instance type echo "Launching EC2 instance" echo "Instance type: $SELECTED_INSTANCE_TYPE" echo "Subnet: $SELECTED_SUBNET_ID" INSTANCE_RESPONSE=$(aws ec2 run-instances \ --image-id "$AMI_ID" \ --instance-type "$SELECTED_INSTANCE_TYPE" \ --key-name "$KEY_NAME" \ --security-group-ids "$CLIENT_SG_ID" \ --subnet-id "$SELECTED_SUBNET_ID" \ --iam-instance-profile "Name=$INSTANCE_PROFILE_NAME" \ --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=MSKTutorialClient-${RANDOM_SUFFIX}}]" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to launch EC2 instance: $INSTANCE_RESPONSE" fi # Extract the instance ID using grep INSTANCE_ID=$(echo "$INSTANCE_RESPONSE" | grep -o '"InstanceId": "[^"]*' | head -1 | cut -d'"' -f4) if [ -z "$INSTANCE_ID" ]; then handle_error "Failed to extract instance ID from response: $INSTANCE_RESPONSE" fi echo "EC2 instance launched successfully. ID: $INSTANCE_ID" echo "Waiting for instance to be running..." # Wait for the instance to be running aws ec2 wait instance-running --instance-ids "$INSTANCE_ID" if [ $? -ne 0 ]; then handle_error "Instance failed to reach running state" fi # Wait a bit more for the instance to initialize echo "Instance is running. Waiting 30 seconds for initialization..." sleep 30 # Get public DNS name of instance CLIENT_DNS=$(aws ec2 describe-instances \ --instance-ids "$INSTANCE_ID" \ --query 'Reservations[0].Instances[0].PublicDnsName' \ --output text) if [ -z "$CLIENT_DNS" ] || [ "$CLIENT_DNS" = "None" ]; then echo "Warning: Could not get public DNS name for instance. Trying public IP..." CLIENT_DNS=$(aws ec2 describe-instances \ --instance-ids "$INSTANCE_ID" \ --query 'Reservations[0].Instances[0].PublicIpAddress' \ --output text) if [ -z "$CLIENT_DNS" ] || [ "$CLIENT_DNS" = "None" ]; then handle_error "Failed to get public DNS name or IP address for instance" fi fi echo "Client instance DNS/IP: $CLIENT_DNS" echo "==============================================" # Get bootstrap brokers with improved logic echo "Getting bootstrap brokers" MAX_RETRIES=10 RETRY_COUNT=0 BOOTSTRAP_BROKERS="" AUTH_METHOD="" while [ -z "$BOOTSTRAP_BROKERS" ] || [ "$BOOTSTRAP_BROKERS" = "None" ]; do # Get the full bootstrap brokers response BOOTSTRAP_RESPONSE=$(aws kafka get-bootstrap-brokers \ --cluster-arn "$CLUSTER_ARN" 2>/dev/null) if [ $? -eq 0 ] && [ -n "$BOOTSTRAP_RESPONSE" ]; then # Try to get IAM authentication brokers first using grep BOOTSTRAP_BROKERS=$(echo "$BOOTSTRAP_RESPONSE" | grep -o '"BootstrapBrokerStringSaslIam": "[^"]*' | cut -d'"' -f4) if [ -n "$BOOTSTRAP_BROKERS" ]; then AUTH_METHOD="IAM" else # Fall back to TLS authentication BOOTSTRAP_BROKERS=$(echo "$BOOTSTRAP_RESPONSE" | grep -o '"BootstrapBrokerStringTls": "[^"]*' | cut -d'"' -f4) if [ -n "$BOOTSTRAP_BROKERS" ]; then AUTH_METHOD="TLS" fi fi fi RETRY_COUNT=$((RETRY_COUNT + 1)) if [ "$RETRY_COUNT" -ge "$MAX_RETRIES" ]; then echo "Warning: Could not get bootstrap brokers after $MAX_RETRIES attempts." echo "You may need to manually retrieve them later using:" echo "aws kafka get-bootstrap-brokers --cluster-arn $CLUSTER_ARN" BOOTSTRAP_BROKERS="BOOTSTRAP_BROKERS_NOT_AVAILABLE" AUTH_METHOD="UNKNOWN" break fi if [ -z "$BOOTSTRAP_BROKERS" ] || [ "$BOOTSTRAP_BROKERS" = "None" ]; then echo "Bootstrap brokers not available yet. Retrying in 30 seconds... (Attempt $RETRY_COUNT/$MAX_RETRIES)" sleep 30 fi done echo "Bootstrap brokers: $BOOTSTRAP_BROKERS" echo "Authentication method: $AUTH_METHOD" echo "==============================================" # Create setup script for the client machine echo "Creating setup script for the client machine" cat > setup_client.sh << 'EOF' #!/bin/bash # Set up logging LOG_FILE="client_setup_$(date +%Y%m%d_%H%M%S).log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting client setup" echo "==============================================" # Install Java echo "Installing Java" sudo yum -y install java-11 # Set environment variables echo "Setting up environment variables" export KAFKA_VERSION="3.6.0" echo "KAFKA_VERSION=$KAFKA_VERSION" # Download and extract Apache Kafka echo "Downloading Apache Kafka" wget https://archive.apache.org/dist/kafka/$KAFKA_VERSION/kafka_2.13-$KAFKA_VERSION.tgz if [ $? -ne 0 ]; then echo "Failed to download Kafka. Trying alternative mirror..." wget https://www.apache.org/dyn/closer.cgi?path=/kafka/$KAFKA_VERSION/kafka_2.13-$KAFKA_VERSION.tgz fi echo "Extracting Kafka" tar -xzf kafka_2.13-$KAFKA_VERSION.tgz export KAFKA_ROOT=$(pwd)/kafka_2.13-$KAFKA_VERSION echo "KAFKA_ROOT=$KAFKA_ROOT" # Download the MSK IAM authentication package (needed for both IAM and TLS) echo "Downloading MSK IAM authentication package" cd $KAFKA_ROOT/libs wget https://github.com/aws/aws-msk-iam-auth/releases/latest/download/aws-msk-iam-auth-1.1.6-all.jar if [ $? -ne 0 ]; then echo "Failed to download specific version. Trying to get latest version..." LATEST_VERSION=$(curl -s https://api.github.com/repos/aws/aws-msk-iam-auth/releases/latest | grep -o '"tag_name": "[^"]*' | cut -d'"' -f4) wget https://github.com/aws/aws-msk-iam-auth/releases/download/$LATEST_VERSION/aws-msk-iam-auth-$LATEST_VERSION-all.jar if [ $? -ne 0 ]; then echo "Failed to download IAM auth package. Please check the URL and try again." exit 1 fi export CLASSPATH=$KAFKA_ROOT/libs/aws-msk-iam-auth-$LATEST_VERSION-all.jar else export CLASSPATH=$KAFKA_ROOT/libs/aws-msk-iam-auth-1.1.6-all.jar fi echo "CLASSPATH=$CLASSPATH" # Create client properties file based on authentication method echo "Creating client properties file" cd $KAFKA_ROOT/config # The AUTH_METHOD_PLACEHOLDER will be replaced by the script AUTH_METHOD="AUTH_METHOD_PLACEHOLDER" if [ "$AUTH_METHOD" = "IAM" ]; then echo "Configuring for IAM authentication" cat > client.properties << 'EOT' security.protocol=SASL_SSL sasl.mechanism=AWS_MSK_IAM sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required; sasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMClientCallbackHandler EOT elif [ "$AUTH_METHOD" = "TLS" ]; then echo "Configuring for TLS authentication" cat > client.properties << 'EOT' security.protocol=SSL EOT else echo "Unknown authentication method. Creating basic TLS configuration." cat > client.properties << 'EOT' security.protocol=SSL EOT fi echo "Client setup completed" echo "==============================================" # Create a script to set up environment variables cat > ~/setup_env.sh << 'EOT' #!/bin/bash export KAFKA_VERSION="3.6.0" export KAFKA_ROOT=~/kafka_2.13-$KAFKA_VERSION export CLASSPATH=$KAFKA_ROOT/libs/aws-msk-iam-auth-1.1.6-all.jar export BOOTSTRAP_SERVER="BOOTSTRAP_SERVER_PLACEHOLDER" export AUTH_METHOD="AUTH_METHOD_PLACEHOLDER" echo "Environment variables set:" echo "KAFKA_VERSION=$KAFKA_VERSION" echo "KAFKA_ROOT=$KAFKA_ROOT" echo "CLASSPATH=$CLASSPATH" echo "BOOTSTRAP_SERVER=$BOOTSTRAP_SERVER" echo "AUTH_METHOD=$AUTH_METHOD" EOT chmod +x ~/setup_env.sh echo "Created environment setup script: ~/setup_env.sh" echo "Run 'source ~/setup_env.sh' to set up your environment" EOF # Replace placeholders in the setup script if [ -n "$BOOTSTRAP_BROKERS" ] && [ "$BOOTSTRAP_BROKERS" != "None" ] && [ "$BOOTSTRAP_BROKERS" != "BOOTSTRAP_BROKERS_NOT_AVAILABLE" ]; then sed -i "s|BOOTSTRAP_SERVER_PLACEHOLDER|$BOOTSTRAP_BROKERS|g" setup_client.sh else # If bootstrap brokers are not available, provide instructions to get them sed -i "s|BOOTSTRAP_SERVER_PLACEHOLDER|\$(aws kafka get-bootstrap-brokers --cluster-arn $CLUSTER_ARN --query 'BootstrapBrokerStringTls' --output text)|g" setup_client.sh fi # Replace auth method placeholder sed -i "s|AUTH_METHOD_PLACEHOLDER|$AUTH_METHOD|g" setup_client.sh echo "Setup script created" echo "==============================================" # Display summary of created resources echo "" echo "==============================================" echo "RESOURCE SUMMARY" echo "==============================================" echo "MSK Cluster ARN: $CLUSTER_ARN" echo "MSK Cluster Name: $CLUSTER_NAME" echo "Authentication Method: $AUTH_METHOD" echo "IAM Policy ARN: $POLICY_ARN" echo "IAM Role Name: $ROLE_NAME" echo "IAM Instance Profile: $INSTANCE_PROFILE_NAME" echo "Client Security Group: $CLIENT_SG_ID" echo "EC2 Instance ID: $INSTANCE_ID" echo "EC2 Instance Type: $SELECTED_INSTANCE_TYPE" echo "EC2 Instance DNS: $CLIENT_DNS" echo "Key Pair: $KEY_NAME (saved to $KEY_FILE)" echo "Bootstrap Brokers: $BOOTSTRAP_BROKERS" echo "==============================================" echo "" # Instructions for connecting to the instance and setting up the client echo "NEXT STEPS:" echo "1. Connect to your EC2 instance:" echo " ssh -i $KEY_FILE ec2-user@$CLIENT_DNS" echo "" echo "2. Upload the setup script to your instance:" echo " scp -i $KEY_FILE setup_client.sh ec2-user@$CLIENT_DNS:~/" echo "" echo "3. Run the setup script on your instance:" echo " ssh -i $KEY_FILE ec2-user@$CLIENT_DNS 'chmod +x ~/setup_client.sh && ~/setup_client.sh'" echo "" echo "4. Source the environment setup script:" echo " source ~/setup_env.sh" echo "" # Provide different instructions based on authentication method if [ "$AUTH_METHOD" = "IAM" ]; then echo "5. Create a Kafka topic (using IAM authentication):" echo " \$KAFKA_ROOT/bin/kafka-topics.sh --create \\" echo " --bootstrap-server \$BOOTSTRAP_SERVER \\" echo " --command-config \$KAFKA_ROOT/config/client.properties \\" echo " --replication-factor 3 \\" echo " --partitions 1 \\" echo " --topic MSKTutorialTopic" echo "" echo "6. Start a producer:" echo " \$KAFKA_ROOT/bin/kafka-console-producer.sh \\" echo " --broker-list \$BOOTSTRAP_SERVER \\" echo " --producer.config \$KAFKA_ROOT/config/client.properties \\" echo " --topic MSKTutorialTopic" echo "" echo "7. Start a consumer:" echo " \$KAFKA_ROOT/bin/kafka-console-consumer.sh \\" echo " --bootstrap-server \$BOOTSTRAP_SERVER \\" echo " --consumer.config \$KAFKA_ROOT/config/client.properties \\" echo " --topic MSKTutorialTopic \\" echo " --from-beginning" elif [ "$AUTH_METHOD" = "TLS" ]; then echo "5. Create a Kafka topic (using TLS authentication):" echo " \$KAFKA_ROOT/bin/kafka-topics.sh --create \\" echo " --bootstrap-server \$BOOTSTRAP_SERVER \\" echo " --command-config \$KAFKA_ROOT/config/client.properties \\" echo " --replication-factor 3 \\" echo " --partitions 1 \\" echo " --topic MSKTutorialTopic" echo "" echo "6. Start a producer:" echo " \$KAFKA_ROOT/bin/kafka-console-producer.sh \\" echo " --broker-list \$BOOTSTRAP_SERVER \\" echo " --producer.config \$KAFKA_ROOT/config/client.properties \\" echo " --topic MSKTutorialTopic" echo "" echo "7. Start a consumer:" echo " \$KAFKA_ROOT/bin/kafka-console-consumer.sh \\" echo " --bootstrap-server \$BOOTSTRAP_SERVER \\" echo " --consumer.config \$KAFKA_ROOT/config/client.properties \\" echo " --topic MSKTutorialTopic \\" echo " --from-beginning" else echo "5. Manually retrieve bootstrap brokers and configure authentication:" echo " aws kafka get-bootstrap-brokers --cluster-arn $CLUSTER_ARN" fi echo "" echo "8. Verify the topic was created:" echo " \$KAFKA_ROOT/bin/kafka-topics.sh --list \\" echo " --bootstrap-server \$BOOTSTRAP_SERVER \\" echo " --command-config \$KAFKA_ROOT/config/client.properties" echo "==============================================" echo "" # Ask if user wants to clean up resources echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ $CLEANUP_CHOICE =~ ^[Yy]$ ]]; then cleanup_resources echo "All resources have been cleaned up." else echo "Resources will not be cleaned up. You can manually clean them up later." echo "To clean up resources, run this script again and choose 'y' when prompted." fi echo "Script completed successfully!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AddRoleToInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AddRoleToInstanceProfile) + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateCluster](https://docs.aws.amazon.com/goto/aws-cli/kafka-2018-11-14/CreateCluster) + [CreateInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateInstanceProfile) + [CreateKeyPair](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateKeyPair) + [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) + [DeleteCluster](https://docs.aws.amazon.com/goto/aws-cli/kafka-2018-11-14/DeleteCluster) + [DeleteInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteInstanceProfile) + [DeleteKeyPair](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteKeyPair) + [DeletePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeletePolicy) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) + [DescribeAvailabilityZones](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeAvailabilityZones) + [DescribeCluster](https://docs.aws.amazon.com/goto/aws-cli/kafka-2018-11-14/DescribeCluster) + [DescribeImages](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeImages) + [DescribeInstanceTypeOfferings](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeInstanceTypeOfferings) + [DescribeInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeInstances) + [DescribeKeyPairs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeKeyPairs) + [DescribeSecurityGroups](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSecurityGroups) + [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets) + [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetBootstrapBrokers](https://docs.aws.amazon.com/goto/aws-cli/kafka-2018-11-14/GetBootstrapBrokers) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetInstanceProfile) + [GetPolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetPolicy) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [RemoveRoleFromInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/RemoveRoleFromInstanceProfile) + [RevokeSecurityGroupEgress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/RevokeSecurityGroupEgress) + [RevokeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/RevokeSecurityGroupIngress) + [RunInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/RunInstances) + [TerminateInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/TerminateInstances) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/Wait) ### Getting started with Amazon Redshift provisioned clusters The following code example shows how to: + Create a Redshift cluster + Create an IAM role for S3 access + Create tables and load data + Run example queries + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/039-redshift-provisioned) repository. ``` #!/bin/bash # Amazon Redshift Provisioned Cluster Tutorial Script # This script creates a Redshift cluster, loads sample data, runs queries, and cleans up resources # Version 3: Fixed IAM role usage in COPY commands # Set up logging LOG_FILE="redshift_tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon Redshift tutorial script at $(date)" echo "All commands and outputs will be logged to $LOG_FILE" # Function to handle errors handle_error() { echo "ERROR: $1" echo "Resources created so far:" if [ -n "$CLUSTER_ID" ]; then echo "- Redshift Cluster: $CLUSTER_ID"; fi if [ -n "$ROLE_NAME" ]; then echo "- IAM Role: $ROLE_NAME"; fi echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Function to clean up resources cleanup_resources() { echo "Cleaning up resources..." # Delete the cluster if it exists if [ -n "$CLUSTER_ID" ]; then echo "Deleting Redshift cluster: $CLUSTER_ID" aws redshift delete-cluster --cluster-identifier "$CLUSTER_ID" --skip-final-cluster-snapshot echo "Waiting for cluster deletion to complete..." aws redshift wait cluster-deleted --cluster-identifier "$CLUSTER_ID" echo "Cluster deleted successfully." fi # Delete the IAM role if it exists if [ -n "$ROLE_NAME" ]; then echo "Removing IAM role policy..." aws iam delete-role-policy --role-name "$ROLE_NAME" --policy-name RedshiftS3Access || echo "Failed to delete role policy" echo "Deleting IAM role: $ROLE_NAME" aws iam delete-role --role-name "$ROLE_NAME" || echo "Failed to delete role" fi echo "Cleanup completed." } # Function to wait for SQL statement to complete wait_for_statement() { local statement_id=$1 local max_attempts=30 local attempt=1 local status="" echo "Waiting for statement $statement_id to complete..." while [ $attempt -le $max_attempts ]; do status=$(aws redshift-data describe-statement --id "$statement_id" --query 'Status' --output text) if [ "$status" == "FINISHED" ]; then echo "Statement completed successfully." return 0 elif [ "$status" == "FAILED" ]; then local error=$(aws redshift-data describe-statement --id "$statement_id" --query 'Error' --output text) echo "Statement failed with error: $error" return 1 elif [ "$status" == "ABORTED" ]; then echo "Statement was aborted." return 1 fi echo "Statement status: $status. Waiting... (Attempt $attempt/$max_attempts)" sleep 10 ((attempt++)) done echo "Timed out waiting for statement to complete." return 1 } # Function to check if IAM role is attached to cluster check_role_attached() { local role_arn=$1 local max_attempts=10 local attempt=1 echo "Checking if IAM role is attached to the cluster..." while [ $attempt -le $max_attempts ]; do local status=$(aws redshift describe-clusters \ --cluster-identifier "$CLUSTER_ID" \ --query "Clusters[0].IamRoles[?IamRoleArn=='$role_arn'].ApplyStatus" \ --output text) if [ "$status" == "in-sync" ]; then echo "IAM role is successfully attached to the cluster." return 0 fi echo "IAM role status: $status. Waiting... (Attempt $attempt/$max_attempts)" sleep 30 ((attempt++)) done echo "Timed out waiting for IAM role to be attached." return 1 } # Variables to track created resources CLUSTER_ID="examplecluster" ROLE_NAME="RedshiftS3Role-$(date +%s)" DB_NAME="dev" DB_USER="awsuser" DB_PASSWORD="Changeit1" # In production, use AWS Secrets Manager to generate and store passwords echo "=== Step 1: Creating Amazon Redshift Cluster ===" # Create the Redshift cluster echo "Creating Redshift cluster: $CLUSTER_ID" CLUSTER_RESULT=$(aws redshift create-cluster \ --cluster-identifier "$CLUSTER_ID" \ --node-type ra3.4xlarge \ --number-of-nodes 2 \ --master-username "$DB_USER" \ --master-user-password "$DB_PASSWORD" \ --db-name "$DB_NAME" \ --port 5439 2>&1) # Check for errors if echo "$CLUSTER_RESULT" | grep -i "error"; then handle_error "Failed to create Redshift cluster: $CLUSTER_RESULT" fi echo "$CLUSTER_RESULT" echo "Waiting for cluster to become available..." # Wait for the cluster to be available aws redshift wait cluster-available --cluster-identifier "$CLUSTER_ID" || handle_error "Timeout waiting for cluster to become available" # Get cluster status to confirm CLUSTER_STATUS=$(aws redshift describe-clusters \ --cluster-identifier "$CLUSTER_ID" \ --query 'Clusters[0].ClusterStatus' \ --output text) echo "Cluster status: $CLUSTER_STATUS" echo "=== Step 2: Creating IAM Role for S3 Access ===" # Create trust policy file echo "Creating trust policy for Redshift" cat > redshift-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "redshift.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create IAM role echo "Creating IAM role: $ROLE_NAME" ROLE_RESULT=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document file://redshift-trust-policy.json 2>&1) # Check for errors if echo "$ROLE_RESULT" | grep -i "error"; then handle_error "Failed to create IAM role: $ROLE_RESULT" fi echo "$ROLE_RESULT" # Get the role ARN ROLE_ARN=$(aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text) echo "Role ARN: $ROLE_ARN" # Create policy document for S3 access echo "Creating S3 access policy" cat > redshift-s3-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::redshift-downloads", "arn:aws:s3:::redshift-downloads/*" ] } ] } EOF # Attach policy to role echo "Attaching S3 access policy to role" POLICY_RESULT=$(aws iam put-role-policy \ --role-name "$ROLE_NAME" \ --policy-name RedshiftS3Access \ --policy-document file://redshift-s3-policy.json 2>&1) # Check for errors if echo "$POLICY_RESULT" | grep -i "error"; then handle_error "Failed to attach policy to role: $POLICY_RESULT" fi echo "$POLICY_RESULT" # Attach role to cluster echo "Attaching IAM role to Redshift cluster" ATTACH_ROLE_RESULT=$(aws redshift modify-cluster-iam-roles \ --cluster-identifier "$CLUSTER_ID" \ --add-iam-roles "$ROLE_ARN" 2>&1) # Check for errors if echo "$ATTACH_ROLE_RESULT" | grep -i "error"; then handle_error "Failed to attach role to cluster: $ATTACH_ROLE_RESULT" fi echo "$ATTACH_ROLE_RESULT" # Wait for the role to be attached echo "Waiting for IAM role to be attached to the cluster..." if ! check_role_attached "$ROLE_ARN"; then handle_error "Failed to attach IAM role to cluster" fi echo "=== Step 3: Getting Cluster Connection Information ===" # Get cluster endpoint CLUSTER_INFO=$(aws redshift describe-clusters \ --cluster-identifier "$CLUSTER_ID" \ --query 'Clusters[0].Endpoint.{Address:Address,Port:Port}' \ --output json) echo "Cluster endpoint information:" echo "$CLUSTER_INFO" echo "=== Step 4: Creating Tables and Loading Data ===" echo "Creating sales table" SALES_TABLE_ID=$(aws redshift-data execute-statement \ --cluster-identifier "$CLUSTER_ID" \ --database "$DB_NAME" \ --db-user "$DB_USER" \ --sql "DROP TABLE IF EXISTS sales; CREATE TABLE sales(salesid integer not null, listid integer not null distkey, sellerid integer not null, buyerid integer not null, eventid integer not null, dateid smallint not null sortkey, qtysold smallint not null, pricepaid decimal(8,2), commission decimal(8,2), saletime timestamp);" \ --query 'Id' --output text) echo "Sales table creation statement ID: $SALES_TABLE_ID" # Wait for statement to complete if ! wait_for_statement "$SALES_TABLE_ID"; then handle_error "Failed to create sales table" fi echo "Creating date table" DATE_TABLE_ID=$(aws redshift-data execute-statement \ --cluster-identifier "$CLUSTER_ID" \ --database "$DB_NAME" \ --db-user "$DB_USER" \ --sql "DROP TABLE IF EXISTS date; CREATE TABLE date(dateid smallint not null distkey sortkey, caldate date not null, day character(3) not null, week smallint not null, month character(5) not null, qtr character(5) not null, year smallint not null, holiday boolean default('N'));" \ --query 'Id' --output text) echo "Date table creation statement ID: $DATE_TABLE_ID" # Wait for statement to complete if ! wait_for_statement "$DATE_TABLE_ID"; then handle_error "Failed to create date table" fi echo "Loading data into sales table" SALES_LOAD_ID=$(aws redshift-data execute-statement \ --cluster-identifier "$CLUSTER_ID" \ --database "$DB_NAME" \ --db-user "$DB_USER" \ --sql "COPY sales FROM 's3://redshift-downloads/tickit/sales_tab.txt' DELIMITER '\t' TIMEFORMAT 'MM/DD/YYYY HH:MI:SS' REGION 'us-east-1' IAM_ROLE '$ROLE_ARN';" \ --query 'Id' --output text) echo "Sales data load statement ID: $SALES_LOAD_ID" # Wait for statement to complete if ! wait_for_statement "$SALES_LOAD_ID"; then handle_error "Failed to load data into sales table" fi echo "Loading data into date table" DATE_LOAD_ID=$(aws redshift-data execute-statement \ --cluster-identifier "$CLUSTER_ID" \ --database "$DB_NAME" \ --db-user "$DB_USER" \ --sql "COPY date FROM 's3://redshift-downloads/tickit/date2008_pipe.txt' DELIMITER '|' REGION 'us-east-1' IAM_ROLE '$ROLE_ARN';" \ --query 'Id' --output text) echo "Date data load statement ID: $DATE_LOAD_ID" # Wait for statement to complete if ! wait_for_statement "$DATE_LOAD_ID"; then handle_error "Failed to load data into date table" fi echo "=== Step 5: Running Example Queries ===" echo "Running query: Get definition for the sales table" QUERY1_ID=$(aws redshift-data execute-statement \ --cluster-identifier "$CLUSTER_ID" \ --database "$DB_NAME" \ --db-user "$DB_USER" \ --sql "SELECT * FROM pg_table_def WHERE tablename = 'sales';" \ --query 'Id' --output text) echo "Query 1 statement ID: $QUERY1_ID" # Wait for statement to complete if ! wait_for_statement "$QUERY1_ID"; then handle_error "Query 1 failed" fi # Get and display results echo "Query 1 results (first 10 rows):" aws redshift-data get-statement-result --id "$QUERY1_ID" --max-items 10 echo "Running query: Find total sales on a given calendar date" QUERY2_ID=$(aws redshift-data execute-statement \ --cluster-identifier "$CLUSTER_ID" \ --database "$DB_NAME" \ --db-user "$DB_USER" \ --sql "SELECT sum(qtysold) FROM sales, date WHERE sales.dateid = date.dateid AND caldate = '2008-01-05';" \ --query 'Id' --output text) echo "Query 2 statement ID: $QUERY2_ID" # Wait for statement to complete if ! wait_for_statement "$QUERY2_ID"; then handle_error "Query 2 failed" fi # Get and display results echo "Query 2 results:" aws redshift-data get-statement-result --id "$QUERY2_ID" echo "=== Tutorial Complete ===" echo "The following resources were created:" echo "- Redshift Cluster: $CLUSTER_ID" echo "- IAM Role: $ROLE_NAME" echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy] ]]; then cleanup_resources echo "All resources have been cleaned up." else echo "Resources were not cleaned up. You can manually delete them later." echo "To avoid incurring charges, remember to delete the following resources:" echo "- Redshift Cluster: $CLUSTER_ID" echo "- IAM Role: $ROLE_NAME" fi echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateCluster](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/CreateCluster) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteCluster](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/DeleteCluster) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy) + [DescribeClusters](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/DescribeClusters) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [ModifyClusterIamRoles](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/ModifyClusterIamRoles) + [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/Wait) ### Getting started with Amazon SageMaker Feature Store The following code example shows how to: + Set up IAM permissions + Create a SageMaker execution role + Create feature groups + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/028-sagemaker-featurestore) repository. ``` #!/bin/bash # Amazon SageMaker Feature Store Tutorial Script - Version 3 # This script demonstrates how to use Amazon SageMaker Feature Store with AWS CLI # Setup logging LOG_FILE="sagemaker-featurestore-tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting SageMaker Feature Store tutorial script at $(date)" echo "All commands and outputs will be logged to $LOG_FILE" echo "" # Track created resources for cleanup CREATED_RESOURCES=() # Function to handle errors handle_error() { echo "ERROR: $1" echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Function to check command status check_status() { if echo "$1" | grep -i "error" > /dev/null; then handle_error "$1" fi } # Function to wait for feature group to be created wait_for_feature_group() { local feature_group_name=$1 local status="Creating" echo "Waiting for feature group ${feature_group_name} to be created..." while [ "$status" = "Creating" ]; do sleep 5 status=$(aws sagemaker describe-feature-group \ --feature-group-name "${feature_group_name}" \ --query 'FeatureGroupStatus' \ --output text) echo "Current status: ${status}" if [ "$status" = "Failed" ]; then handle_error "Feature group ${feature_group_name} creation failed" fi done echo "Feature group ${feature_group_name} is now ${status}" } # Function to clean up resources cleanup_resources() { echo "Cleaning up resources..." # Clean up in reverse order for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do resource="${CREATED_RESOURCES[$i]}" resource_type=$(echo "$resource" | cut -d: -f1) resource_name=$(echo "$resource" | cut -d: -f2) echo "Deleting $resource_type: $resource_name" case "$resource_type" in "FeatureGroup") aws sagemaker delete-feature-group --feature-group-name "$resource_name" ;; "S3Bucket") echo "Emptying S3 bucket: $resource_name" aws s3 rm "s3://$resource_name" --recursive 2>/dev/null echo "Deleting S3 bucket: $resource_name" aws s3api delete-bucket --bucket "$resource_name" 2>/dev/null ;; "IAMRole") echo "Detaching policies from role: $resource_name" aws iam detach-role-policy --role-name "$resource_name" --policy-arn "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess" 2>/dev/null aws iam detach-role-policy --role-name "$resource_name" --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess" 2>/dev/null echo "Deleting IAM role: $resource_name" aws iam delete-role --role-name "$resource_name" 2>/dev/null ;; *) echo "Unknown resource type: $resource_type" ;; esac done } # Function to create SageMaker execution role create_sagemaker_role() { local role_name="SageMakerFeatureStoreRole-$(openssl rand -hex 4)" echo "Creating SageMaker execution role: $role_name" >&2 # Create trust policy document local trust_policy='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "sagemaker.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' # Create the role local role_result=$(aws iam create-role \ --role-name "$role_name" \ --assume-role-policy-document "$trust_policy" \ --description "SageMaker execution role for Feature Store tutorial" 2>&1) if echo "$role_result" | grep -i "error" > /dev/null; then handle_error "Failed to create IAM role: $role_result" fi echo "Role created successfully" >&2 CREATED_RESOURCES+=("IAMRole:$role_name") # Attach necessary policies echo "Attaching policies to role..." >&2 # SageMaker execution policy local policy1_result=$(aws iam attach-role-policy \ --role-name "$role_name" \ --policy-arn "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess" 2>&1) if echo "$policy1_result" | grep -i "error" > /dev/null; then handle_error "Failed to attach SageMaker policy: $policy1_result" fi # S3 access policy local policy2_result=$(aws iam attach-role-policy \ --role-name "$role_name" \ --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess" 2>&1) if echo "$policy2_result" | grep -i "error" > /dev/null; then handle_error "Failed to attach S3 policy: $policy2_result" fi # Get account ID for role ARN local account_id=$(aws sts get-caller-identity --query Account --output text) local role_arn="arn:aws:iam::${account_id}:role/${role_name}" echo "Role ARN: $role_arn" >&2 echo "Waiting 10 seconds for role to propagate..." >&2 sleep 10 # Return only the role ARN to stdout echo "$role_arn" } # Handle SageMaker execution role ROLE_ARN="" if [ -z "$1" ]; then echo "Creating SageMaker execution role automatically..." ROLE_ARN=$(create_sagemaker_role) if [ -z "$ROLE_ARN" ]; then handle_error "Failed to create SageMaker execution role" fi else ROLE_ARN="$1" # Validate the role ARN ROLE_NAME=$(echo "$ROLE_ARN" | sed 's/.*role\///') ROLE_CHECK=$(aws iam get-role --role-name "$ROLE_NAME" 2>&1) if echo "$ROLE_CHECK" | grep -i "error" > /dev/null; then echo "Creating a new role automatically..." ROLE_ARN=$(create_sagemaker_role) if [ -z "$ROLE_ARN" ]; then handle_error "Failed to create SageMaker execution role" fi fi fi # Handle cleanup option AUTO_CLEANUP="" if [ -n "$2" ]; then AUTO_CLEANUP="$2" fi # Generate a random identifier for resource names RANDOM_ID=$(openssl rand -hex 4) echo "Using random identifier: $RANDOM_ID" # Set variables ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) check_status "$ACCOUNT_ID" echo "Account ID: $ACCOUNT_ID" # Get current region REGION=$(aws configure get region) if [ -z "$REGION" ]; then REGION="us-east-1" echo "No default region configured, using: $REGION" else echo "Using region: $REGION" fi S3_BUCKET_NAME="sagemaker-featurestore-${RANDOM_ID}-${ACCOUNT_ID}" PREFIX="featurestore-tutorial" CURRENT_TIME=$(date +%s) echo "Creating S3 bucket: $S3_BUCKET_NAME" # Create bucket in current region if [ "$REGION" = "us-east-1" ]; then BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME" \ --region "$REGION" 2>&1) else BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME" \ --region "$REGION" \ --create-bucket-configuration LocationConstraint="$REGION" 2>&1) fi if echo "$BUCKET_RESULT" | grep -i "error" > /dev/null; then echo "Failed to create S3 bucket: $BUCKET_RESULT" exit 1 fi echo "$BUCKET_RESULT" CREATED_RESOURCES+=("S3Bucket:$S3_BUCKET_NAME") # Block public access to the bucket BLOCK_RESULT=$(aws s3api put-public-access-block \ --bucket "$S3_BUCKET_NAME" \ --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" 2>&1) if echo "$BLOCK_RESULT" | grep -i "error" > /dev/null; then echo "Failed to block public access to S3 bucket: $BLOCK_RESULT" cleanup_resources exit 1 fi # Create feature groups echo "Creating feature groups..." # Create customers feature group CUSTOMERS_FEATURE_GROUP_NAME="customers-feature-group-${RANDOM_ID}" echo "Creating customers feature group: $CUSTOMERS_FEATURE_GROUP_NAME" CUSTOMERS_RESPONSE=$(aws sagemaker create-feature-group \ --feature-group-name "$CUSTOMERS_FEATURE_GROUP_NAME" \ --record-identifier-feature-name "customer_id" \ --event-time-feature-name "EventTime" \ --feature-definitions '[ {"FeatureName": "customer_id", "FeatureType": "Integral"}, {"FeatureName": "name", "FeatureType": "String"}, {"FeatureName": "age", "FeatureType": "Integral"}, {"FeatureName": "address", "FeatureType": "String"}, {"FeatureName": "membership_type", "FeatureType": "String"}, {"FeatureName": "EventTime", "FeatureType": "Fractional"} ]' \ --online-store-config '{"EnableOnlineStore": true}' \ --offline-store-config '{ "S3StorageConfig": { "S3Uri": "s3://'${S3_BUCKET_NAME}'/'${PREFIX}'" }, "DisableGlueTableCreation": false }' \ --role-arn "$ROLE_ARN" 2>&1) if echo "$CUSTOMERS_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to create customers feature group: $CUSTOMERS_RESPONSE" cleanup_resources exit 1 fi echo "$CUSTOMERS_RESPONSE" CREATED_RESOURCES+=("FeatureGroup:$CUSTOMERS_FEATURE_GROUP_NAME") # Create orders feature group ORDERS_FEATURE_GROUP_NAME="orders-feature-group-${RANDOM_ID}" echo "Creating orders feature group: $ORDERS_FEATURE_GROUP_NAME" ORDERS_RESPONSE=$(aws sagemaker create-feature-group \ --feature-group-name "$ORDERS_FEATURE_GROUP_NAME" \ --record-identifier-feature-name "customer_id" \ --event-time-feature-name "EventTime" \ --feature-definitions '[ {"FeatureName": "customer_id", "FeatureType": "Integral"}, {"FeatureName": "order_id", "FeatureType": "String"}, {"FeatureName": "order_date", "FeatureType": "String"}, {"FeatureName": "product", "FeatureType": "String"}, {"FeatureName": "quantity", "FeatureType": "Integral"}, {"FeatureName": "amount", "FeatureType": "Fractional"}, {"FeatureName": "EventTime", "FeatureType": "Fractional"} ]' \ --online-store-config '{"EnableOnlineStore": true}' \ --offline-store-config '{ "S3StorageConfig": { "S3Uri": "s3://'${S3_BUCKET_NAME}'/'${PREFIX}'" }, "DisableGlueTableCreation": false }' \ --role-arn "$ROLE_ARN" 2>&1) if echo "$ORDERS_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to create orders feature group: $ORDERS_RESPONSE" cleanup_resources exit 1 fi echo "$ORDERS_RESPONSE" CREATED_RESOURCES+=("FeatureGroup:$ORDERS_FEATURE_GROUP_NAME") # Wait for feature groups to be created wait_for_feature_group "$CUSTOMERS_FEATURE_GROUP_NAME" wait_for_feature_group "$ORDERS_FEATURE_GROUP_NAME" # Ingest data into feature groups echo "Ingesting data into feature groups..." # Ingest customer data echo "Ingesting customer data..." CUSTOMER1_RESPONSE=$(aws sagemaker-featurestore-runtime put-record \ --feature-group-name "$CUSTOMERS_FEATURE_GROUP_NAME" \ --record '[ {"FeatureName": "customer_id", "ValueAsString": "573291"}, {"FeatureName": "name", "ValueAsString": "John Doe"}, {"FeatureName": "age", "ValueAsString": "35"}, {"FeatureName": "address", "ValueAsString": "123 Main St"}, {"FeatureName": "membership_type", "ValueAsString": "premium"}, {"FeatureName": "EventTime", "ValueAsString": "'${CURRENT_TIME}'"} ]' 2>&1) if echo "$CUSTOMER1_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to ingest customer 1 data: $CUSTOMER1_RESPONSE" cleanup_resources exit 1 fi echo "$CUSTOMER1_RESPONSE" CUSTOMER2_RESPONSE=$(aws sagemaker-featurestore-runtime put-record \ --feature-group-name "$CUSTOMERS_FEATURE_GROUP_NAME" \ --record '[ {"FeatureName": "customer_id", "ValueAsString": "109382"}, {"FeatureName": "name", "ValueAsString": "Jane Smith"}, {"FeatureName": "age", "ValueAsString": "28"}, {"FeatureName": "address", "ValueAsString": "456 Oak Ave"}, {"FeatureName": "membership_type", "ValueAsString": "standard"}, {"FeatureName": "EventTime", "ValueAsString": "'${CURRENT_TIME}'"} ]' 2>&1) if echo "$CUSTOMER2_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to ingest customer 2 data: $CUSTOMER2_RESPONSE" cleanup_resources exit 1 fi echo "$CUSTOMER2_RESPONSE" # Ingest order data echo "Ingesting order data..." ORDER1_RESPONSE=$(aws sagemaker-featurestore-runtime put-record \ --feature-group-name "$ORDERS_FEATURE_GROUP_NAME" \ --record '[ {"FeatureName": "customer_id", "ValueAsString": "573291"}, {"FeatureName": "order_id", "ValueAsString": "ORD-001"}, {"FeatureName": "order_date", "ValueAsString": "2023-01-15"}, {"FeatureName": "product", "ValueAsString": "Laptop"}, {"FeatureName": "quantity", "ValueAsString": "1"}, {"FeatureName": "amount", "ValueAsString": "1299.99"}, {"FeatureName": "EventTime", "ValueAsString": "'${CURRENT_TIME}'"} ]' 2>&1) if echo "$ORDER1_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to ingest order 1 data: $ORDER1_RESPONSE" cleanup_resources exit 1 fi echo "$ORDER1_RESPONSE" ORDER2_RESPONSE=$(aws sagemaker-featurestore-runtime put-record \ --feature-group-name "$ORDERS_FEATURE_GROUP_NAME" \ --record '[ {"FeatureName": "customer_id", "ValueAsString": "109382"}, {"FeatureName": "order_id", "ValueAsString": "ORD-002"}, {"FeatureName": "order_date", "ValueAsString": "2023-01-20"}, {"FeatureName": "product", "ValueAsString": "Smartphone"}, {"FeatureName": "quantity", "ValueAsString": "1"}, {"FeatureName": "amount", "ValueAsString": "899.99"}, {"FeatureName": "EventTime", "ValueAsString": "'${CURRENT_TIME}'"} ]' 2>&1) if echo "$ORDER2_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to ingest order 2 data: $ORDER2_RESPONSE" cleanup_resources exit 1 fi echo "$ORDER2_RESPONSE" # Retrieve records from feature groups echo "Retrieving records from feature groups..." # Get a single customer record echo "Getting customer record with ID 573291:" CUSTOMER_RECORD=$(aws sagemaker-featurestore-runtime get-record \ --feature-group-name "$CUSTOMERS_FEATURE_GROUP_NAME" \ --record-identifier-value-as-string "573291" 2>&1) if echo "$CUSTOMER_RECORD" | grep -i "error" > /dev/null; then echo "Failed to get customer record: $CUSTOMER_RECORD" cleanup_resources exit 1 fi echo "$CUSTOMER_RECORD" # Get multiple records using batch-get-record echo "Getting multiple records using batch-get-record:" BATCH_RECORDS=$(aws sagemaker-featurestore-runtime batch-get-record \ --identifiers '[ { "FeatureGroupName": "'${CUSTOMERS_FEATURE_GROUP_NAME}'", "RecordIdentifiersValueAsString": ["573291", "109382"] }, { "FeatureGroupName": "'${ORDERS_FEATURE_GROUP_NAME}'", "RecordIdentifiersValueAsString": ["573291", "109382"] } ]' 2>&1) if echo "$BATCH_RECORDS" | grep -i "error" > /dev/null && ! echo "$BATCH_RECORDS" | grep -i "Records" > /dev/null; then echo "Failed to get batch records: $BATCH_RECORDS" cleanup_resources exit 1 fi echo "$BATCH_RECORDS" # List feature groups echo "Listing feature groups:" FEATURE_GROUPS=$(aws sagemaker list-feature-groups 2>&1) if echo "$FEATURE_GROUPS" | grep -i "error" > /dev/null; then echo "Failed to list feature groups: $FEATURE_GROUPS" cleanup_resources exit 1 fi echo "$FEATURE_GROUPS" # Display summary of created resources echo "" echo "===========================================" echo "TUTORIAL COMPLETED SUCCESSFULLY!" echo "===========================================" echo "Resources created:" echo "- S3 Bucket: $S3_BUCKET_NAME" echo "- Customers Feature Group: $CUSTOMERS_FEATURE_GROUP_NAME" echo "- Orders Feature Group: $ORDERS_FEATURE_GROUP_NAME" if [[ " ${CREATED_RESOURCES[@]} " =~ " IAMRole:" ]]; then echo "- IAM Role: $(echo "${CREATED_RESOURCES[@]}" | grep -o 'IAMRole:[^[:space:]]*' | cut -d: -f2)" fi echo "" echo "You can now:" echo "1. View your feature groups in the SageMaker console" echo "2. Query the offline store using Amazon Athena" echo "3. Use the feature groups in your ML workflows" echo "===========================================" echo "" # Handle cleanup if [ "$AUTO_CLEANUP" = "y" ]; then echo "Auto-cleanup enabled. Starting cleanup..." cleanup_resources echo "Cleanup completed." elif [ "$AUTO_CLEANUP" = "n" ]; then echo "Auto-cleanup disabled. Resources will remain in your account." echo "To clean up later, run this script again with cleanup option 'y'" else echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Starting cleanup..." cleanup_resources echo "Cleanup completed." else echo "Skipping cleanup. Resources will remain in your account." echo "To clean up later, delete the following resources:" echo "- Feature Groups: $CUSTOMERS_FEATURE_GROUP_NAME, $ORDERS_FEATURE_GROUP_NAME" echo "- S3 Bucket: $S3_BUCKET_NAME" if [[ " ${CREATED_RESOURCES[@]} " =~ " IAMRole:" ]]; then echo "- IAM Role: $(echo "${CREATED_RESOURCES[@]}" | grep -o 'IAMRole:[^[:space:]]*' | cut -d: -f2)" fi echo "" echo "Estimated ongoing cost: ~$0.01 per month for online store" fi fi echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/CreateBucket) + [CreateFeatureGroup](https://docs.aws.amazon.com/goto/aws-cli/sagemaker-2017-07-24/CreateFeatureGroup) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/DeleteBucket) + [DeleteFeatureGroup](https://docs.aws.amazon.com/goto/aws-cli/sagemaker-2017-07-24/DeleteFeatureGroup) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DescribeFeatureGroup](https://docs.aws.amazon.com/goto/aws-cli/sagemaker-2017-07-24/DescribeFeatureGroup) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [ListFeatureGroups](https://docs.aws.amazon.com/goto/aws-cli/sagemaker-2017-07-24/ListFeatureGroups) + [PutPublicAccessBlock](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/PutPublicAccessBlock) + [Rm](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rm) ### Getting started with Config The following code example shows how to: + Create an Amazon S3 bucket + Create an Amazon SNS topic + Create an IAM role for Config + Set up the Config configuration recorder + Set up the Config delivery channel + Start the configuration recorder + Verify the Config setup **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/053-aws-config-gs) repository. ``` #!/bin/bash # AWS Config Setup Script (v2) # This script sets up AWS Config with the AWS CLI # Error handling set -e LOGFILE="aws-config-setup-v2.log" touch $LOGFILE exec > >(tee -a $LOGFILE) exec 2>&1 # Function to handle errors handle_error() { echo "ERROR: An error occurred at line $1" echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Set trap for error handling trap 'handle_error $LINENO' ERR # Function to generate random identifier generate_random_id() { echo $(openssl rand -hex 6) } # Function to check if command was successful check_command() { if echo "$1" | grep -i "error" > /dev/null; then echo "ERROR: $1" return 1 fi return 0 } # Function to clean up resources cleanup_resources() { if [ -n "$CONFIG_RECORDER_NAME" ]; then echo "Stopping configuration recorder..." aws configservice stop-configuration-recorder --configuration-recorder-name "$CONFIG_RECORDER_NAME" 2>/dev/null || true fi # Check if we created a new delivery channel before trying to delete it if [ -n "$DELIVERY_CHANNEL_NAME" ] && [ "$CREATED_NEW_DELIVERY_CHANNEL" = "true" ]; then echo "Deleting delivery channel..." aws configservice delete-delivery-channel --delivery-channel-name "$DELIVERY_CHANNEL_NAME" 2>/dev/null || true fi if [ -n "$CONFIG_RECORDER_NAME" ] && [ "$CREATED_NEW_CONFIG_RECORDER" = "true" ]; then echo "Deleting configuration recorder..." aws configservice delete-configuration-recorder --configuration-recorder-name "$CONFIG_RECORDER_NAME" 2>/dev/null || true fi if [ -n "$ROLE_NAME" ]; then if [ -n "$POLICY_NAME" ]; then echo "Detaching custom policy from role..." aws iam delete-role-policy --role-name "$ROLE_NAME" --policy-name "$POLICY_NAME" 2>/dev/null || true fi if [ -n "$MANAGED_POLICY_ARN" ]; then echo "Detaching managed policy from role..." aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$MANAGED_POLICY_ARN" 2>/dev/null || true fi echo "Deleting IAM role..." aws iam delete-role --role-name "$ROLE_NAME" 2>/dev/null || true fi if [ -n "$SNS_TOPIC_ARN" ]; then echo "Deleting SNS topic..." aws sns delete-topic --topic-arn "$SNS_TOPIC_ARN" 2>/dev/null || true fi if [ -n "$S3_BUCKET_NAME" ]; then echo "Emptying S3 bucket..." aws s3 rm "s3://$S3_BUCKET_NAME" --recursive 2>/dev/null || true echo "Deleting S3 bucket..." aws s3api delete-bucket --bucket "$S3_BUCKET_NAME" 2>/dev/null || true fi } # Function to display created resources display_resources() { echo "" echo "===========================================" echo "CREATED RESOURCES" echo "===========================================" echo "S3 Bucket: $S3_BUCKET_NAME" echo "SNS Topic ARN: $SNS_TOPIC_ARN" echo "IAM Role: $ROLE_NAME" if [ "$CREATED_NEW_CONFIG_RECORDER" = "true" ]; then echo "Configuration Recorder: $CONFIG_RECORDER_NAME (newly created)" else echo "Configuration Recorder: $CONFIG_RECORDER_NAME (existing)" fi if [ "$CREATED_NEW_DELIVERY_CHANNEL" = "true" ]; then echo "Delivery Channel: $DELIVERY_CHANNEL_NAME (newly created)" else echo "Delivery Channel: $DELIVERY_CHANNEL_NAME (existing)" fi echo "===========================================" } # Get AWS account ID echo "Getting AWS account ID..." ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) if [ -z "$ACCOUNT_ID" ]; then echo "ERROR: Failed to get AWS account ID" exit 1 fi echo "AWS Account ID: $ACCOUNT_ID" # Generate random identifier for resources RANDOM_ID=$(generate_random_id) echo "Generated random identifier: $RANDOM_ID" # Step 1: Create an S3 bucket S3_BUCKET_NAME="configservice-${RANDOM_ID}" echo "Creating S3 bucket: $S3_BUCKET_NAME" # Get the current region AWS_REGION=$(aws configure get region) if [ -z "$AWS_REGION" ]; then AWS_REGION="us-east-1" # Default to us-east-1 if no region is configured fi echo "Using AWS Region: $AWS_REGION" # Create bucket with appropriate command based on region if [ "$AWS_REGION" = "us-east-1" ]; then BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME") else BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME" --create-bucket-configuration LocationConstraint="$AWS_REGION") fi check_command "$BUCKET_RESULT" echo "S3 bucket created: $S3_BUCKET_NAME" # Block public access for the bucket aws s3api put-public-access-block \ --bucket "$S3_BUCKET_NAME" \ --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" echo "Public access blocked for bucket" # Step 2: Create an SNS topic TOPIC_NAME="config-topic-${RANDOM_ID}" echo "Creating SNS topic: $TOPIC_NAME" SNS_RESULT=$(aws sns create-topic --name "$TOPIC_NAME") check_command "$SNS_RESULT" SNS_TOPIC_ARN=$(echo "$SNS_RESULT" | grep -o 'arn:aws:sns:[^"]*') echo "SNS topic created: $SNS_TOPIC_ARN" # Step 3: Create an IAM role for AWS Config ROLE_NAME="config-role-${RANDOM_ID}" POLICY_NAME="config-delivery-permissions" MANAGED_POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWS_ConfigRole" echo "Creating trust policy document..." cat > config-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "config.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF echo "Creating IAM role: $ROLE_NAME" ROLE_RESULT=$(aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document file://config-trust-policy.json) check_command "$ROLE_RESULT" ROLE_ARN=$(echo "$ROLE_RESULT" | grep -o 'arn:aws:iam::[^"]*' | head -1) echo "IAM role created: $ROLE_ARN" echo "Attaching AWS managed policy to role..." ATTACH_RESULT=$(aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$MANAGED_POLICY_ARN") check_command "$ATTACH_RESULT" echo "AWS managed policy attached" echo "Creating custom policy document for S3 and SNS access..." cat > config-delivery-permissions.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": "arn:aws:s3:::${S3_BUCKET_NAME}/AWSLogs/${ACCOUNT_ID}/*", "Condition": { "StringLike": { "s3:x-amz-acl": "bucket-owner-full-control" } } }, { "Effect": "Allow", "Action": [ "s3:GetBucketAcl" ], "Resource": "arn:aws:s3:::${S3_BUCKET_NAME}" }, { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": "${SNS_TOPIC_ARN}" } ] } EOF echo "Attaching custom policy to role..." POLICY_RESULT=$(aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name "$POLICY_NAME" --policy-document file://config-delivery-permissions.json) check_command "$POLICY_RESULT" echo "Custom policy attached" # Wait for IAM role to propagate echo "Waiting for IAM role to propagate (15 seconds)..." sleep 15 # Step 4: Check if configuration recorder already exists CONFIG_RECORDER_NAME="default" CREATED_NEW_CONFIG_RECORDER="false" echo "Checking for existing configuration recorder..." EXISTING_RECORDERS=$(aws configservice describe-configuration-recorders 2>/dev/null || echo "") if echo "$EXISTING_RECORDERS" | grep -q "name"; then echo "Configuration recorder already exists. Will update it." # Get the name of the existing recorder CONFIG_RECORDER_NAME=$(echo "$EXISTING_RECORDERS" | grep -o '"name": "[^"]*"' | head -1 | cut -d'"' -f4) echo "Using existing configuration recorder: $CONFIG_RECORDER_NAME" else echo "No existing configuration recorder found. Will create a new one." CREATED_NEW_CONFIG_RECORDER="true" fi echo "Creating configuration recorder configuration..." cat > configurationRecorder.json << EOF { "name": "${CONFIG_RECORDER_NAME}", "roleARN": "${ROLE_ARN}", "recordingMode": { "recordingFrequency": "CONTINUOUS" } } EOF echo "Creating recording group configuration..." cat > recordingGroup.json << EOF { "allSupported": true, "includeGlobalResourceTypes": true } EOF echo "Setting up configuration recorder..." RECORDER_RESULT=$(aws configservice put-configuration-recorder --configuration-recorder file://configurationRecorder.json --recording-group file://recordingGroup.json) check_command "$RECORDER_RESULT" echo "Configuration recorder set up" # Step 5: Check if delivery channel already exists DELIVERY_CHANNEL_NAME="default" CREATED_NEW_DELIVERY_CHANNEL="false" echo "Checking for existing delivery channel..." EXISTING_CHANNELS=$(aws configservice describe-delivery-channels 2>/dev/null || echo "") if echo "$EXISTING_CHANNELS" | grep -q "name"; then echo "Delivery channel already exists." # Get the name of the existing channel DELIVERY_CHANNEL_NAME=$(echo "$EXISTING_CHANNELS" | grep -o '"name": "[^"]*"' | head -1 | cut -d'"' -f4) echo "Using existing delivery channel: $DELIVERY_CHANNEL_NAME" # Update the existing delivery channel echo "Creating delivery channel configuration for update..." cat > deliveryChannel.json << EOF { "name": "${DELIVERY_CHANNEL_NAME}", "s3BucketName": "${S3_BUCKET_NAME}", "snsTopicARN": "${SNS_TOPIC_ARN}", "configSnapshotDeliveryProperties": { "deliveryFrequency": "Six_Hours" } } EOF echo "Updating delivery channel..." CHANNEL_RESULT=$(aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json) check_command "$CHANNEL_RESULT" echo "Delivery channel updated" else echo "No existing delivery channel found. Will create a new one." CREATED_NEW_DELIVERY_CHANNEL="true" echo "Creating delivery channel configuration..." cat > deliveryChannel.json << EOF { "name": "${DELIVERY_CHANNEL_NAME}", "s3BucketName": "${S3_BUCKET_NAME}", "snsTopicARN": "${SNS_TOPIC_ARN}", "configSnapshotDeliveryProperties": { "deliveryFrequency": "Six_Hours" } } EOF echo "Creating delivery channel..." CHANNEL_RESULT=$(aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json) check_command "$CHANNEL_RESULT" echo "Delivery channel created" fi # Step 6: Start the configuration recorder echo "Checking configuration recorder status..." RECORDER_STATUS=$(aws configservice describe-configuration-recorder-status 2>/dev/null || echo "") if echo "$RECORDER_STATUS" | grep -q '"recording": true'; then echo "Configuration recorder is already running." else echo "Starting configuration recorder..." START_RESULT=$(aws configservice start-configuration-recorder --configuration-recorder-name "$CONFIG_RECORDER_NAME") check_command "$START_RESULT" echo "Configuration recorder started" fi # Step 7: Verify the AWS Config setup echo "Verifying delivery channel..." VERIFY_CHANNEL=$(aws configservice describe-delivery-channels) check_command "$VERIFY_CHANNEL" echo "$VERIFY_CHANNEL" echo "Verifying configuration recorder..." VERIFY_RECORDER=$(aws configservice describe-configuration-recorders) check_command "$VERIFY_RECORDER" echo "$VERIFY_RECORDER" echo "Verifying configuration recorder status..." VERIFY_STATUS=$(aws configservice describe-configuration-recorder-status) check_command "$VERIFY_STATUS" echo "$VERIFY_STATUS" # Display created resources display_resources # Ask if user wants to clean up resources echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Cleaning up resources..." cleanup_resources echo "Cleanup completed." else echo "Resources will not be cleaned up. You can manually clean them up later." fi echo "Script completed successfully!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/CreateBucket) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/CreateTopic) + [DeleteBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/DeleteBucket) + [DeleteConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DeleteConfigurationRecorder) + [DeleteDeliveryChannel](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DeleteDeliveryChannel) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy) + [DeleteTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/DeleteTopic) + [DescribeConfigurationRecorderStatus](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DescribeConfigurationRecorderStatus) + [DescribeConfigurationRecorders](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DescribeConfigurationRecorders) + [DescribeDeliveryChannels](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DescribeDeliveryChannels) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [PutConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/PutConfigurationRecorder) + [PutDeliveryChannel](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/PutDeliveryChannel) + [PutPublicAccessBlock](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/PutPublicAccessBlock) + [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy) + [Rm](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rm) + [StartConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/StartConfigurationRecorder) + [StopConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/StopConfigurationRecorder) ### Getting started with Step Functions The following code example shows how to: + Create an IAM role for Step Functions + Create your first state machine + Start your state machine execution + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/080-aws-step-functions-gs) repository. ``` #!/bin/bash # AWS Step Functions Getting Started Tutorial Script # This script creates and runs a Step Functions state machine based on the AWS Step Functions Getting Started tutorial # Parse command line arguments AUTO_CLEANUP=false while [[ $# -gt 0 ]]; do case $1 in --auto-cleanup) AUTO_CLEANUP=true shift ;; -h|--help) echo "Usage: $0 [--auto-cleanup] [--help]" echo " --auto-cleanup: Automatically clean up resources without prompting" echo " --help: Show this help message" exit 0 ;; *) echo "Unknown option: $1" echo "Use --help for usage information" exit 1 ;; esac done # Set up logging LOG_FILE="step-functions-tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting AWS Step Functions Getting Started Tutorial..." echo "Logging to $LOG_FILE" # Check if jq is available for better JSON parsing if ! command -v jq &> /dev/null; then echo "WARNING: jq is not installed. Using basic JSON parsing which may be less reliable." echo "Consider installing jq for better error handling: brew install jq (macOS) or apt-get install jq (Ubuntu)" USE_JQ=false else USE_JQ=true fi # Use fixed region that supports Amazon Comprehend CURRENT_REGION="us-west-2" echo "Using fixed AWS region: $CURRENT_REGION (supports Amazon Comprehend)" # Set AWS CLI to use the fixed region for all commands export AWS_DEFAULT_REGION="$CURRENT_REGION" # Amazon Comprehend is available in us-west-2, so we can always enable it echo "Amazon Comprehend is available in region $CURRENT_REGION" SKIP_COMPREHEND=false # Function to check for API errors in JSON response check_api_error() { local response="$1" local operation="$2" if [[ "$USE_JQ" == "true" ]]; then # Use jq for more reliable JSON parsing if echo "$response" | jq -e '.Error' > /dev/null 2>&1; then local error_message=$(echo "$response" | jq -r '.Error.Message // .Error.Code // "Unknown error"') handle_error "$operation failed: $error_message" fi else # Fallback to grep-based detection if echo "$response" | grep -q '"Error":\|"error":'; then handle_error "$operation failed: $response" fi fi } # Function to wait for resource propagation with exponential backoff wait_for_propagation() { local resource_type="$1" local wait_time="${2:-10}" echo "Waiting for $resource_type to propagate ($wait_time seconds)..." sleep "$wait_time" } # Function to handle errors handle_error() { echo "ERROR: $1" echo "Resources created:" if [ -n "$STATE_MACHINE_ARN" ]; then echo "- State Machine: $STATE_MACHINE_ARN" fi if [ -n "$ROLE_NAME" ]; then echo "- IAM Role: $ROLE_NAME" fi if [ -n "$POLICY_ARN" ]; then echo "- IAM Policy: $POLICY_ARN" fi if [ -n "$STEPFUNCTIONS_POLICY_ARN" ]; then echo "- Step Functions Policy: $STEPFUNCTIONS_POLICY_ARN" fi echo "Attempting to clean up resources..." cleanup exit 1 } # Function to clean up resources cleanup() { echo "Cleaning up resources..." # Delete state machine if it exists if [ -n "$STATE_MACHINE_ARN" ]; then echo "Deleting state machine: $STATE_MACHINE_ARN" aws stepfunctions delete-state-machine --state-machine-arn "$STATE_MACHINE_ARN" || echo "Failed to delete state machine" fi # Detach and delete policies if they exist if [ -n "$POLICY_ARN" ] && [ -n "$ROLE_NAME" ]; then echo "Detaching Comprehend policy $POLICY_ARN from role $ROLE_NAME" aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN" || echo "Failed to detach Comprehend policy" fi if [ -n "$STEPFUNCTIONS_POLICY_ARN" ] && [ -n "$ROLE_NAME" ]; then echo "Detaching Step Functions policy $STEPFUNCTIONS_POLICY_ARN from role $ROLE_NAME" aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$STEPFUNCTIONS_POLICY_ARN" || echo "Failed to detach Step Functions policy" fi # Delete custom policies if they exist if [ -n "$POLICY_ARN" ]; then echo "Deleting Comprehend policy: $POLICY_ARN" aws iam delete-policy --policy-arn "$POLICY_ARN" || echo "Failed to delete Comprehend policy" fi if [ -n "$STEPFUNCTIONS_POLICY_ARN" ]; then echo "Deleting Step Functions policy: $STEPFUNCTIONS_POLICY_ARN" aws iam delete-policy --policy-arn "$STEPFUNCTIONS_POLICY_ARN" || echo "Failed to delete Step Functions policy" fi # Delete role if it exists if [ -n "$ROLE_NAME" ]; then echo "Deleting role: $ROLE_NAME" aws iam delete-role --role-name "$ROLE_NAME" || echo "Failed to delete role" fi # Remove temporary files echo "Removing temporary files" rm -f hello-world.json updated-hello-world.json sentiment-hello-world.json step-functions-trust-policy.json comprehend-policy.json stepfunctions-policy.json input.json sentiment-input.json } # Generate a random identifier for resource names RANDOM_ID=$(openssl rand -hex 4) ROLE_NAME="StepFunctionsHelloWorldRole-${RANDOM_ID}" POLICY_NAME="DetectSentimentPolicy-${RANDOM_ID}" STATE_MACHINE_NAME="MyFirstStateMachine-${RANDOM_ID}" echo "Using random identifier: $RANDOM_ID" echo "Role name: $ROLE_NAME" echo "Policy name: $POLICY_NAME" echo "State machine name: $STATE_MACHINE_NAME" # Step 1: Create the state machine definition echo "Creating state machine definition..." cat > hello-world.json << 'EOF' { "Comment": "A Hello World example of the Amazon States Language using a Pass state", "StartAt": "SetVariables", "States": { "SetVariables": { "Type": "Pass", "Result": { "IsHelloWorldExample": true, "ExecutionWaitTimeInSeconds": 10 }, "Next": "IsHelloWorldExample" }, "IsHelloWorldExample": { "Type": "Choice", "Choices": [ { "Variable": "$.IsHelloWorldExample", "BooleanEquals": true, "Next": "WaitState" } ], "Default": "FailState" }, "WaitState": { "Type": "Wait", "SecondsPath": "$.ExecutionWaitTimeInSeconds", "Next": "ParallelProcessing" }, "ParallelProcessing": { "Type": "Parallel", "Branches": [ { "StartAt": "Process1", "States": { "Process1": { "Type": "Pass", "Result": { "message": "Processing task 1" }, "End": true } } }, { "StartAt": "Process2", "States": { "Process2": { "Type": "Pass", "Result": { "message": "Processing task 2" }, "End": true } } } ], "Next": "CheckpointState" }, "CheckpointState": { "Type": "Pass", "Result": { "CheckpointMessage": "Workflow completed successfully!" }, "Next": "SuccessState" }, "SuccessState": { "Type": "Succeed" }, "FailState": { "Type": "Fail", "Error": "NotHelloWorldExample", "Cause": "The IsHelloWorldExample value was false" } } } EOF # Create IAM role trust policy echo "Creating IAM role trust policy..." cat > step-functions-trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "states.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create IAM role echo "Creating IAM role: $ROLE_NAME" ROLE_RESULT=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document file://step-functions-trust-policy.json) check_api_error "$ROLE_RESULT" "Create IAM role" echo "Role created successfully" # Get the role ARN if [[ "$USE_JQ" == "true" ]]; then ROLE_ARN=$(echo "$ROLE_RESULT" | jq -r '.Role.Arn') else ROLE_ARN=$(echo "$ROLE_RESULT" | grep "Arn" | cut -d'"' -f4) fi if [ -z "$ROLE_ARN" ]; then handle_error "Failed to extract role ARN" fi echo "Role ARN: $ROLE_ARN" # Create a custom policy for Step Functions echo "Creating custom policy for Step Functions..." cat > stepfunctions-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "states:*" ], "Resource": "*" } ] } EOF # Create the policy echo "Creating Step Functions policy..." STEPFUNCTIONS_POLICY_RESULT=$(aws iam create-policy \ --policy-name "StepFunctionsPolicy-${RANDOM_ID}" \ --policy-document file://stepfunctions-policy.json) check_api_error "$STEPFUNCTIONS_POLICY_RESULT" "Create Step Functions policy" echo "Step Functions policy created successfully" # Get the policy ARN if [[ "$USE_JQ" == "true" ]]; then STEPFUNCTIONS_POLICY_ARN=$(echo "$STEPFUNCTIONS_POLICY_RESULT" | jq -r '.Policy.Arn') else STEPFUNCTIONS_POLICY_ARN=$(echo "$STEPFUNCTIONS_POLICY_RESULT" | grep "Arn" | cut -d'"' -f4) fi if [ -z "$STEPFUNCTIONS_POLICY_ARN" ]; then handle_error "Failed to extract Step Functions policy ARN" fi echo "Step Functions policy ARN: $STEPFUNCTIONS_POLICY_ARN" # Attach policy to the role echo "Attaching Step Functions policy to role..." ATTACH_RESULT=$(aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$STEPFUNCTIONS_POLICY_ARN") if [ $? -ne 0 ]; then handle_error "Failed to attach Step Functions policy to role" fi # Wait for role to propagate (IAM changes can take time to propagate) wait_for_propagation "IAM role" 10 # Create state machine echo "Creating state machine: $STATE_MACHINE_NAME" SM_RESULT=$(aws stepfunctions create-state-machine \ --name "$STATE_MACHINE_NAME" \ --definition file://hello-world.json \ --role-arn "$ROLE_ARN" \ --type STANDARD) check_api_error "$SM_RESULT" "Create state machine" echo "State machine created successfully" # Get the state machine ARN if [[ "$USE_JQ" == "true" ]]; then STATE_MACHINE_ARN=$(echo "$SM_RESULT" | jq -r '.stateMachineArn') else STATE_MACHINE_ARN=$(echo "$SM_RESULT" | grep "stateMachineArn" | cut -d'"' -f4) fi if [ -z "$STATE_MACHINE_ARN" ]; then handle_error "Failed to extract state machine ARN" fi echo "State machine ARN: $STATE_MACHINE_ARN" # Step 2: Start the state machine execution echo "Starting state machine execution..." EXEC_RESULT=$(aws stepfunctions start-execution \ --state-machine-arn "$STATE_MACHINE_ARN" \ --name "hello001-${RANDOM_ID}") check_api_error "$EXEC_RESULT" "Start execution" echo "Execution started successfully" # Get the execution ARN if [[ "$USE_JQ" == "true" ]]; then EXECUTION_ARN=$(echo "$EXEC_RESULT" | jq -r '.executionArn') else EXECUTION_ARN=$(echo "$EXEC_RESULT" | grep "executionArn" | cut -d'"' -f4) fi if [ -z "$EXECUTION_ARN" ]; then handle_error "Failed to extract execution ARN" fi echo "Execution ARN: $EXECUTION_ARN" # Wait for execution to complete (the workflow has a 10-second wait state) echo "Waiting for execution to complete (15 seconds)..." sleep 15 # Check execution status echo "Checking execution status..." EXEC_STATUS=$(aws stepfunctions describe-execution \ --execution-arn "$EXECUTION_ARN") echo "Execution status: $EXEC_STATUS" # Step 3: Update state machine to process external input echo "Updating state machine to process external input..." cat > updated-hello-world.json << 'EOF' { "Comment": "A Hello World example of the Amazon States Language using a Pass state", "StartAt": "SetVariables", "States": { "SetVariables": { "Type": "Pass", "Parameters": { "IsHelloWorldExample.$": "$.hello_world", "ExecutionWaitTimeInSeconds.$": "$.wait" }, "Next": "IsHelloWorldExample" }, "IsHelloWorldExample": { "Type": "Choice", "Choices": [ { "Variable": "$.IsHelloWorldExample", "BooleanEquals": true, "Next": "WaitState" } ], "Default": "FailState" }, "WaitState": { "Type": "Wait", "SecondsPath": "$.ExecutionWaitTimeInSeconds", "Next": "ParallelProcessing" }, "ParallelProcessing": { "Type": "Parallel", "Branches": [ { "StartAt": "Process1", "States": { "Process1": { "Type": "Pass", "Result": { "message": "Processing task 1" }, "End": true } } }, { "StartAt": "Process2", "States": { "Process2": { "Type": "Pass", "Result": { "message": "Processing task 2" }, "End": true } } } ], "Next": "CheckpointState" }, "CheckpointState": { "Type": "Pass", "Result": { "CheckpointMessage": "Workflow completed successfully!" }, "Next": "SuccessState" }, "SuccessState": { "Type": "Succeed" }, "FailState": { "Type": "Fail", "Error": "NotHelloWorldExample", "Cause": "The IsHelloWorldExample value was false" } } } EOF # Update state machine echo "Updating state machine..." UPDATE_RESULT=$(aws stepfunctions update-state-machine \ --state-machine-arn "$STATE_MACHINE_ARN" \ --definition file://updated-hello-world.json \ --role-arn "$ROLE_ARN") check_api_error "$UPDATE_RESULT" "Update state machine" echo "State machine updated successfully" # Create input file echo "Creating input file..." cat > input.json << 'EOF' { "wait": 5, "hello_world": true } EOF # Start execution with input echo "Starting execution with input..." EXEC2_RESULT=$(aws stepfunctions start-execution \ --state-machine-arn "$STATE_MACHINE_ARN" \ --name "hello002-${RANDOM_ID}" \ --input file://input.json) check_api_error "$EXEC2_RESULT" "Start execution with input" echo "Execution with input started successfully" # Get the execution ARN if [[ "$USE_JQ" == "true" ]]; then EXECUTION2_ARN=$(echo "$EXEC2_RESULT" | jq -r '.executionArn') else EXECUTION2_ARN=$(echo "$EXEC2_RESULT" | grep "executionArn" | cut -d'"' -f4) fi if [ -z "$EXECUTION2_ARN" ]; then handle_error "Failed to extract execution ARN" fi echo "Execution ARN: $EXECUTION2_ARN" # Wait for execution to complete (the workflow has a 5-second wait state) echo "Waiting for execution to complete (10 seconds)..." sleep 10 # Check execution status echo "Checking execution status..." EXEC2_STATUS=$(aws stepfunctions describe-execution \ --execution-arn "$EXECUTION2_ARN") echo "Execution status: $EXEC2_STATUS" # Step 4: Integrate Amazon Comprehend for sentiment analysis (if available) if [[ "$SKIP_COMPREHEND" == "false" ]]; then echo "Creating policy for Amazon Comprehend access..." cat > comprehend-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "comprehend:DetectSentiment" ], "Resource": "*" } ] } EOF # Create policy echo "Creating IAM policy: $POLICY_NAME" POLICY_RESULT=$(aws iam create-policy \ --policy-name "$POLICY_NAME" \ --policy-document file://comprehend-policy.json) check_api_error "$POLICY_RESULT" "Create Comprehend policy" echo "Comprehend policy created successfully" # Get policy ARN if [[ "$USE_JQ" == "true" ]]; then POLICY_ARN=$(echo "$POLICY_RESULT" | jq -r '.Policy.Arn') else POLICY_ARN=$(echo "$POLICY_RESULT" | grep "Arn" | cut -d'"' -f4) fi if [ -z "$POLICY_ARN" ]; then handle_error "Failed to extract policy ARN" fi echo "Policy ARN: $POLICY_ARN" # Attach policy to role echo "Attaching policy to role..." ATTACH2_RESULT=$(aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$POLICY_ARN") if [ $? -ne 0 ]; then handle_error "Failed to attach policy to role" fi # Create updated state machine definition with sentiment analysis echo "Creating updated state machine definition with sentiment analysis..." cat > sentiment-hello-world.json << 'EOF' { "Comment": "A Hello World example with sentiment analysis", "StartAt": "SetVariables", "States": { "SetVariables": { "Type": "Pass", "Parameters": { "IsHelloWorldExample.$": "$.hello_world", "ExecutionWaitTimeInSeconds.$": "$.wait", "FeedbackComment.$": "$.feedback_comment" }, "Next": "IsHelloWorldExample" }, "IsHelloWorldExample": { "Type": "Choice", "Choices": [ { "Variable": "$.IsHelloWorldExample", "BooleanEquals": true, "Next": "WaitState" } ], "Default": "DetectSentiment" }, "WaitState": { "Type": "Wait", "SecondsPath": "$.ExecutionWaitTimeInSeconds", "Next": "ParallelProcessing" }, "ParallelProcessing": { "Type": "Parallel", "Branches": [ { "StartAt": "Process1", "States": { "Process1": { "Type": "Pass", "Result": { "message": "Processing task 1" }, "End": true } } }, { "StartAt": "Process2", "States": { "Process2": { "Type": "Pass", "Result": { "message": "Processing task 2" }, "End": true } } } ], "Next": "CheckpointState" }, "CheckpointState": { "Type": "Pass", "Result": { "CheckpointMessage": "Workflow completed successfully!" }, "Next": "SuccessState" }, "DetectSentiment": { "Type": "Task", "Resource": "arn:aws:states:::aws-sdk:comprehend:detectSentiment", "Parameters": { "LanguageCode": "en", "Text.$": "$.FeedbackComment" }, "Next": "SuccessState" }, "SuccessState": { "Type": "Succeed" } } } EOF # Wait for IAM changes to propagate wait_for_propagation "IAM changes" 10 # Update state machine echo "Updating state machine with sentiment analysis..." UPDATE2_RESULT=$(aws stepfunctions update-state-machine \ --state-machine-arn "$STATE_MACHINE_ARN" \ --definition file://sentiment-hello-world.json \ --role-arn "$ROLE_ARN") check_api_error "$UPDATE2_RESULT" "Update state machine with sentiment analysis" echo "State machine updated with sentiment analysis successfully" # Create input file with feedback comment echo "Creating input file with feedback comment..." cat > sentiment-input.json << 'EOF' { "hello_world": false, "wait": 5, "feedback_comment": "This getting started with Step Functions workshop is a challenge!" } EOF # Start execution with sentiment analysis input echo "Starting execution with sentiment analysis input..." EXEC3_RESULT=$(aws stepfunctions start-execution \ --state-machine-arn "$STATE_MACHINE_ARN" \ --name "hello003-${RANDOM_ID}" \ --input file://sentiment-input.json) check_api_error "$EXEC3_RESULT" "Start execution with sentiment analysis" echo "Execution with sentiment analysis started successfully" # Get the execution ARN if [[ "$USE_JQ" == "true" ]]; then EXECUTION3_ARN=$(echo "$EXEC3_RESULT" | jq -r '.executionArn') else EXECUTION3_ARN=$(echo "$EXEC3_RESULT" | grep "executionArn" | cut -d'"' -f4) fi if [ -z "$EXECUTION3_ARN" ]; then handle_error "Failed to extract execution ARN" fi echo "Execution ARN: $EXECUTION3_ARN" # Wait for execution to complete echo "Waiting for execution to complete (5 seconds)..." sleep 5 # Check execution status echo "Checking execution status..." EXEC3_STATUS=$(aws stepfunctions describe-execution \ --execution-arn "$EXECUTION3_ARN") echo "Execution status: $EXEC3_STATUS" else echo "Skipping Amazon Comprehend integration (not available in $CURRENT_REGION)" EXECUTION3_ARN="" fi # Display summary of resources created echo "" echo "===========================================" echo "RESOURCES CREATED" echo "===========================================" echo "State Machine: $STATE_MACHINE_ARN" echo "IAM Role: $ROLE_NAME" echo "Step Functions Policy: StepFunctionsPolicy-${RANDOM_ID} ($STEPFUNCTIONS_POLICY_ARN)" if [[ "$SKIP_COMPREHEND" == "false" ]]; then echo "Comprehend Policy: $POLICY_NAME ($POLICY_ARN)" fi echo "Executions:" echo " - hello001-${RANDOM_ID}: $EXECUTION_ARN" echo " - hello002-${RANDOM_ID}: $EXECUTION2_ARN" if [[ "$SKIP_COMPREHEND" == "false" ]]; then echo " - hello003-${RANDOM_ID}: $EXECUTION3_ARN" fi echo "===========================================" # Prompt for cleanup echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" if [[ "$AUTO_CLEANUP" == "true" ]]; then echo "Auto-cleanup enabled. Cleaning up resources..." cleanup echo "All resources have been cleaned up." else echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup echo "All resources have been cleaned up." else echo "Resources were not cleaned up. You can manually clean them up later." echo "To view the state machine in the AWS console, visit:" echo "https://console.aws.amazon.com/states/home?region=$CURRENT_REGION" fi fi echo "Script completed successfully!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateStateMachine](https://docs.aws.amazon.com/goto/aws-cli/states-2016-11-23/CreateStateMachine) + [DeletePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeletePolicy) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteStateMachine](https://docs.aws.amazon.com/goto/aws-cli/states-2016-11-23/DeleteStateMachine) + [DescribeExecution](https://docs.aws.amazon.com/goto/aws-cli/states-2016-11-23/DescribeExecution) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [StartExecution](https://docs.aws.amazon.com/goto/aws-cli/states-2016-11-23/StartExecution) + [UpdateStateMachine](https://docs.aws.amazon.com/goto/aws-cli/states-2016-11-23/UpdateStateMachine) ### Moving hardcoded secrets to Secrets Manager The following code example shows how to: + Create IAM roles + Create a secret in Secrets Manager + Update your application code + Update the secret + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/073-aws-secrets-manager-gs) repository. ``` #!/bin/bash # Script to move hardcoded secrets to AWS Secrets Manager # This script demonstrates how to create IAM roles, store a secret in AWS Secrets Manager, # and set up appropriate permissions # Set up logging LOG_FILE="secrets_manager_tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting AWS Secrets Manager tutorial script at $(date)" echo "======================================================" # Function to check for errors in command output check_error() { local output=$1 local cmd=$2 if echo "$output" | grep -i "error" > /dev/null; then echo "ERROR: Command failed: $cmd" echo "$output" cleanup_resources exit 1 fi } # Function to generate a random identifier generate_random_id() { echo "sm$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)" } # Function to clean up resources cleanup_resources() { echo "" echo "===========================================" echo "RESOURCES CREATED" echo "===========================================" if [ -n "$SECRET_NAME" ]; then echo "Secret: $SECRET_NAME" fi if [ -n "$RUNTIME_ROLE_NAME" ]; then echo "IAM Role: $RUNTIME_ROLE_NAME" fi if [ -n "$ADMIN_ROLE_NAME" ]; then echo "IAM Role: $ADMIN_ROLE_NAME" fi echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Cleaning up resources..." # Delete secret if it exists if [ -n "$SECRET_NAME" ]; then echo "Deleting secret: $SECRET_NAME" aws secretsmanager delete-secret --secret-id "$SECRET_NAME" --force-delete-without-recovery fi # Detach policies and delete runtime role if it exists if [ -n "$RUNTIME_ROLE_NAME" ]; then echo "Deleting IAM role: $RUNTIME_ROLE_NAME" aws iam delete-role --role-name "$RUNTIME_ROLE_NAME" fi # Detach policies and delete admin role if it exists if [ -n "$ADMIN_ROLE_NAME" ]; then echo "Detaching policy from role: $ADMIN_ROLE_NAME" aws iam detach-role-policy --role-name "$ADMIN_ROLE_NAME" --policy-arn "arn:aws:iam::aws:policy/SecretsManagerReadWrite" echo "Deleting IAM role: $ADMIN_ROLE_NAME" aws iam delete-role --role-name "$ADMIN_ROLE_NAME" fi echo "Cleanup completed." else echo "Resources will not be deleted." fi } # Trap to ensure cleanup on script exit trap 'echo "Script interrupted. Running cleanup..."; cleanup_resources' INT TERM # Generate random identifiers for resources ADMIN_ROLE_NAME="SecretsManagerAdmin-$(generate_random_id)" RUNTIME_ROLE_NAME="RoleToRetrieveSecretAtRuntime-$(generate_random_id)" SECRET_NAME="MyAPIKey-$(generate_random_id)" echo "Using the following resource names:" echo "Admin Role: $ADMIN_ROLE_NAME" echo "Runtime Role: $RUNTIME_ROLE_NAME" echo "Secret Name: $SECRET_NAME" echo "" # Step 1: Create IAM roles echo "Creating IAM roles..." # Create the SecretsManagerAdmin role echo "Creating admin role: $ADMIN_ROLE_NAME" ADMIN_ROLE_OUTPUT=$(aws iam create-role \ --role-name "$ADMIN_ROLE_NAME" \ --assume-role-policy-document '{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }') check_error "$ADMIN_ROLE_OUTPUT" "create-role for admin" echo "$ADMIN_ROLE_OUTPUT" # Attach the SecretsManagerReadWrite policy to the admin role echo "Attaching SecretsManagerReadWrite policy to admin role" ATTACH_POLICY_OUTPUT=$(aws iam attach-role-policy \ --role-name "$ADMIN_ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/SecretsManagerReadWrite") check_error "$ATTACH_POLICY_OUTPUT" "attach-role-policy for admin" echo "$ATTACH_POLICY_OUTPUT" # Create the RoleToRetrieveSecretAtRuntime role echo "Creating runtime role: $RUNTIME_ROLE_NAME" RUNTIME_ROLE_OUTPUT=$(aws iam create-role \ --role-name "$RUNTIME_ROLE_NAME" \ --assume-role-policy-document '{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }') check_error "$RUNTIME_ROLE_OUTPUT" "create-role for runtime" echo "$RUNTIME_ROLE_OUTPUT" # Wait for roles to be fully created echo "Waiting for IAM roles to be fully created..." sleep 10 # Step 2: Create a secret in AWS Secrets Manager echo "Creating secret in AWS Secrets Manager..." CREATE_SECRET_OUTPUT=$(aws secretsmanager create-secret \ --name "$SECRET_NAME" \ --description "API key for my application" \ --secret-string '{"ClientID":"my_client_id","ClientSecret":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}') check_error "$CREATE_SECRET_OUTPUT" "create-secret" echo "$CREATE_SECRET_OUTPUT" # Get AWS account ID echo "Getting AWS account ID..." ACCOUNT_ID_OUTPUT=$(aws sts get-caller-identity --query "Account" --output text) check_error "$ACCOUNT_ID_OUTPUT" "get-caller-identity" ACCOUNT_ID=$ACCOUNT_ID_OUTPUT echo "Account ID: $ACCOUNT_ID" # Add resource policy to the secret echo "Adding resource policy to secret..." RESOURCE_POLICY=$(cat < The following code example shows how to: + Create IAM roles + Create a CloudWatch alarm + Create an experiment template + Run the experiment + Verify the results + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/069-aws-fault-injection-service-gs) repository. ``` #!/bin/bash # AWS FIS CPU Stress Test Tutorial Script # This script automates the steps in the AWS FIS CPU stress test tutorial # approach using epoch time calculations that work across all Linux distributions # Set up logging LOG_FILE="fis-tutorial-$(date +%Y%m%d-%H%M%S).log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting AWS FIS CPU Stress Test Tutorial Script" echo "Logging to $LOG_FILE" echo "==============================================" # Function to check for errors in command output check_error() { local output=$1 local cmd=$2 if echo "$output" | grep -i "error" > /dev/null; then # Ignore specific expected errors if [[ "$cmd" == *"aws fis get-experiment"* ]] && [[ "$output" == *"ConfigurationFailure"* ]]; then echo "Note: Experiment failed due to configuration issue. This is expected in some cases." return 0 fi echo "ERROR: Command failed: $cmd" echo "Output: $output" cleanup_on_error exit 1 fi } # Function to clean up resources on error cleanup_on_error() { echo "Error encountered. Cleaning up resources..." if [ -n "$EXPERIMENT_ID" ]; then echo "Stopping experiment $EXPERIMENT_ID if running..." aws fis stop-experiment --id "$EXPERIMENT_ID" 2>/dev/null || true fi if [ -n "$TEMPLATE_ID" ]; then echo "Deleting experiment template $TEMPLATE_ID..." aws fis delete-experiment-template --id "$TEMPLATE_ID" || true fi if [ -n "$INSTANCE_ID" ]; then echo "Terminating EC2 instance $INSTANCE_ID..." aws ec2 terminate-instances --instance-ids "$INSTANCE_ID" || true fi if [ -n "$ALARM_NAME" ]; then echo "Deleting CloudWatch alarm $ALARM_NAME..." aws cloudwatch delete-alarms --alarm-names "$ALARM_NAME" || true fi if [ -n "$INSTANCE_PROFILE_NAME" ]; then echo "Removing role from instance profile..." aws iam remove-role-from-instance-profile --instance-profile-name "$INSTANCE_PROFILE_NAME" --role-name "$EC2_ROLE_NAME" || true echo "Deleting instance profile..." aws iam delete-instance-profile --instance-profile-name "$INSTANCE_PROFILE_NAME" || true fi if [ -n "$FIS_ROLE_NAME" ]; then echo "Deleting FIS role policy..." aws iam delete-role-policy --role-name "$FIS_ROLE_NAME" --policy-name "$FIS_POLICY_NAME" || true echo "Deleting FIS role..." aws iam delete-role --role-name "$FIS_ROLE_NAME" || true fi if [ -n "$EC2_ROLE_NAME" ]; then echo "Detaching policy from EC2 role..." aws iam detach-role-policy --role-name "$EC2_ROLE_NAME" --policy-arn "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" || true echo "Deleting EC2 role..." aws iam delete-role --role-name "$EC2_ROLE_NAME" || true fi echo "Cleanup completed." } # Generate unique identifiers for resources TIMESTAMP=$(date +%Y%m%d%H%M%S) FIS_ROLE_NAME="FISRole-${TIMESTAMP}" FIS_POLICY_NAME="FISPolicy-${TIMESTAMP}" EC2_ROLE_NAME="EC2SSMRole-${TIMESTAMP}" INSTANCE_PROFILE_NAME="EC2SSMProfile-${TIMESTAMP}" ALARM_NAME="FIS-CPU-Alarm-${TIMESTAMP}" # Track created resources CREATED_RESOURCES=() echo "Step 1: Creating IAM role for AWS FIS" # Create trust policy file for AWS FIS cat > fis-trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "fis.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create IAM role for FIS echo "Creating IAM role $FIS_ROLE_NAME for AWS FIS..." FIS_ROLE_OUTPUT=$(aws iam create-role \ --role-name "$FIS_ROLE_NAME" \ --assume-role-policy-document file://fis-trust-policy.json) check_error "$FIS_ROLE_OUTPUT" "aws iam create-role" CREATED_RESOURCES+=("IAM Role: $FIS_ROLE_NAME") # Create policy document for SSM actions cat > fis-ssm-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:SendCommand", "ssm:ListCommands", "ssm:ListCommandInvocations" ], "Resource": "*" } ] } EOF # Attach policy to the role echo "Attaching policy $FIS_POLICY_NAME to role $FIS_ROLE_NAME..." FIS_POLICY_OUTPUT=$(aws iam put-role-policy \ --role-name "$FIS_ROLE_NAME" \ --policy-name "$FIS_POLICY_NAME" \ --policy-document file://fis-ssm-policy.json) check_error "$FIS_POLICY_OUTPUT" "aws iam put-role-policy" CREATED_RESOURCES+=("IAM Policy: $FIS_POLICY_NAME attached to $FIS_ROLE_NAME") echo "Step 2: Creating IAM role for EC2 instance with SSM permissions" # Create trust policy file for EC2 cat > ec2-trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create IAM role for EC2 echo "Creating IAM role $EC2_ROLE_NAME for EC2 instance..." EC2_ROLE_OUTPUT=$(aws iam create-role \ --role-name "$EC2_ROLE_NAME" \ --assume-role-policy-document file://ec2-trust-policy.json) check_error "$EC2_ROLE_OUTPUT" "aws iam create-role" CREATED_RESOURCES+=("IAM Role: $EC2_ROLE_NAME") # Attach SSM policy to the EC2 role echo "Attaching AmazonSSMManagedInstanceCore policy to role $EC2_ROLE_NAME..." EC2_POLICY_OUTPUT=$(aws iam attach-role-policy \ --role-name "$EC2_ROLE_NAME" \ --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore) check_error "$EC2_POLICY_OUTPUT" "aws iam attach-role-policy" CREATED_RESOURCES+=("IAM Policy: AmazonSSMManagedInstanceCore attached to $EC2_ROLE_NAME") # Create instance profile echo "Creating instance profile $INSTANCE_PROFILE_NAME..." PROFILE_OUTPUT=$(aws iam create-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME") check_error "$PROFILE_OUTPUT" "aws iam create-instance-profile" CREATED_RESOURCES+=("IAM Instance Profile: $INSTANCE_PROFILE_NAME") # Add role to instance profile echo "Adding role $EC2_ROLE_NAME to instance profile $INSTANCE_PROFILE_NAME..." ADD_ROLE_OUTPUT=$(aws iam add-role-to-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME" \ --role-name "$EC2_ROLE_NAME") check_error "$ADD_ROLE_OUTPUT" "aws iam add-role-to-instance-profile" # Wait for role to propagate echo "Waiting for IAM role to propagate..." sleep 10 echo "Step 3: Launching EC2 instance" # Get the latest Amazon Linux 2 AMI ID echo "Finding latest Amazon Linux 2 AMI..." AMI_ID=$(aws ec2 describe-images \ --owners amazon \ --filters "Name=name,Values=amzn2-ami-hvm-*-x86_64-gp2" "Name=state,Values=available" \ --query "sort_by(Images, &CreationDate)[-1].ImageId" \ --output text) check_error "$AMI_ID" "aws ec2 describe-images" echo "Using AMI: $AMI_ID" # Launch EC2 instance echo "Launching EC2 instance with AMI $AMI_ID..." INSTANCE_OUTPUT=$(aws ec2 run-instances \ --image-id "$AMI_ID" \ --instance-type t2.micro \ --iam-instance-profile Name="$INSTANCE_PROFILE_NAME" \ --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=FIS-Test-Instance}]') check_error "$INSTANCE_OUTPUT" "aws ec2 run-instances" # Get instance ID INSTANCE_ID=$(echo "$INSTANCE_OUTPUT" | grep -i "InstanceId" | head -1 | awk -F'"' '{print $4}') if [ -z "$INSTANCE_ID" ]; then echo "Failed to get instance ID" cleanup_on_error exit 1 fi echo "Launched instance: $INSTANCE_ID" CREATED_RESOURCES+=("EC2 Instance: $INSTANCE_ID") # Enable detailed monitoring echo "Enabling detailed monitoring for instance $INSTANCE_ID..." MONITOR_OUTPUT=$(aws ec2 monitor-instances --instance-ids "$INSTANCE_ID") check_error "$MONITOR_OUTPUT" "aws ec2 monitor-instances" # Wait for instance to be running and status checks to pass echo "Waiting for instance to be ready..." aws ec2 wait instance-running --instance-ids "$INSTANCE_ID" aws ec2 wait instance-status-ok --instance-ids "$INSTANCE_ID" echo "Instance is ready" echo "Step 4: Creating CloudWatch alarm for CPU utilization" # Create CloudWatch alarm echo "Creating CloudWatch alarm $ALARM_NAME..." ALARM_OUTPUT=$(aws cloudwatch put-metric-alarm \ --alarm-name "$ALARM_NAME" \ --alarm-description "Alarm when CPU exceeds 50%" \ --metric-name CPUUtilization \ --namespace AWS/EC2 \ --statistic Maximum \ --period 60 \ --threshold 50 \ --comparison-operator GreaterThanOrEqualToThreshold \ --dimensions "Name=InstanceId,Value=$INSTANCE_ID" \ --evaluation-periods 1) check_error "$ALARM_OUTPUT" "aws cloudwatch put-metric-alarm" CREATED_RESOURCES+=("CloudWatch Alarm: $ALARM_NAME") # Get the alarm ARN echo "Getting CloudWatch alarm ARN..." ALARM_ARN_OUTPUT=$(aws cloudwatch describe-alarms \ --alarm-names "$ALARM_NAME") check_error "$ALARM_ARN_OUTPUT" "aws cloudwatch describe-alarms" ALARM_ARN=$(echo "$ALARM_ARN_OUTPUT" | grep -i "AlarmArn" | head -1 | awk -F'"' '{print $4}') if [ -z "$ALARM_ARN" ]; then echo "Failed to get alarm ARN" cleanup_on_error exit 1 fi echo "Alarm ARN: $ALARM_ARN" # Wait for the alarm to initialize and reach OK state echo "Waiting for CloudWatch alarm to initialize (60 seconds)..." sleep 60 # Check alarm state echo "Checking alarm state..." ALARM_STATE_OUTPUT=$(aws cloudwatch describe-alarms \ --alarm-names "$ALARM_NAME") ALARM_STATE=$(echo "$ALARM_STATE_OUTPUT" | grep -i "StateValue" | head -1 | awk -F'"' '{print $4}') echo "Current alarm state: $ALARM_STATE" # If alarm is not in OK state, wait longer or generate some baseline metrics if [ "$ALARM_STATE" != "OK" ]; then echo "Alarm not in OK state. Waiting for alarm to stabilize (additional 60 seconds)..." sleep 60 # Check alarm state again ALARM_STATE_OUTPUT=$(aws cloudwatch describe-alarms \ --alarm-names "$ALARM_NAME") ALARM_STATE=$(echo "$ALARM_STATE_OUTPUT" | grep -i "StateValue" | head -1 | awk -F'"' '{print $4}') echo "Updated alarm state: $ALARM_STATE" if [ "$ALARM_STATE" != "OK" ]; then echo "Warning: Alarm still not in OK state. Experiment may fail to start." fi fi echo "Step 5: Creating AWS FIS experiment template" # Get the IAM role ARN echo "Getting IAM role ARN for $FIS_ROLE_NAME..." ROLE_ARN_OUTPUT=$(aws iam get-role \ --role-name "$FIS_ROLE_NAME") check_error "$ROLE_ARN_OUTPUT" "aws iam get-role" ROLE_ARN=$(echo "$ROLE_ARN_OUTPUT" | grep -i "Arn" | head -1 | awk -F'"' '{print $4}') if [ -z "$ROLE_ARN" ]; then echo "Failed to get role ARN" cleanup_on_error exit 1 fi echo "Role ARN: $ROLE_ARN" # Get account ID and region ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) REGION=$(aws configure get region) if [ -z "$REGION" ]; then REGION="us-east-1" # Default to us-east-1 if region not set fi INSTANCE_ARN="arn:aws:ec2:${REGION}:${ACCOUNT_ID}:instance/${INSTANCE_ID}" echo "Instance ARN: $INSTANCE_ARN" # Create experiment template - Fixed JSON escaping issue cat > experiment-template.json << EOF { "description": "Test CPU stress predefined SSM document", "targets": { "testInstance": { "resourceType": "aws:ec2:instance", "resourceArns": ["$INSTANCE_ARN"], "selectionMode": "ALL" } }, "actions": { "runCpuStress": { "actionId": "aws:ssm:send-command", "parameters": { "documentArn": "arn:aws:ssm:$REGION::document/AWSFIS-Run-CPU-Stress", "documentParameters": "{\"DurationSeconds\":\"120\"}", "duration": "PT5M" }, "targets": { "Instances": "testInstance" } } }, "stopConditions": [ { "source": "aws:cloudwatch:alarm", "value": "$ALARM_ARN" } ], "roleArn": "$ROLE_ARN", "tags": { "Name": "FIS-CPU-Stress-Experiment" } } EOF # Create experiment template echo "Creating AWS FIS experiment template..." TEMPLATE_OUTPUT=$(aws fis create-experiment-template --cli-input-json file://experiment-template.json) check_error "$TEMPLATE_OUTPUT" "aws fis create-experiment-template" TEMPLATE_ID=$(echo "$TEMPLATE_OUTPUT" | grep -i "id" | head -1 | awk -F'"' '{print $4}') if [ -z "$TEMPLATE_ID" ]; then echo "Failed to get template ID" cleanup_on_error exit 1 fi echo "Experiment template created with ID: $TEMPLATE_ID" CREATED_RESOURCES+=("FIS Experiment Template: $TEMPLATE_ID") echo "Step 6: Starting the experiment" # Start the experiment echo "Starting AWS FIS experiment using template $TEMPLATE_ID..." EXPERIMENT_OUTPUT=$(aws fis start-experiment \ --experiment-template-id "$TEMPLATE_ID" \ --tags '{"Name": "FIS-CPU-Stress-Run"}') check_error "$EXPERIMENT_OUTPUT" "aws fis start-experiment" EXPERIMENT_ID=$(echo "$EXPERIMENT_OUTPUT" | grep -i "id" | head -1 | awk -F'"' '{print $4}') if [ -z "$EXPERIMENT_ID" ]; then echo "Failed to get experiment ID" cleanup_on_error exit 1 fi echo "Experiment started with ID: $EXPERIMENT_ID" CREATED_RESOURCES+=("FIS Experiment: $EXPERIMENT_ID") echo "Step 7: Tracking experiment progress" # Track experiment progress echo "Tracking experiment progress..." MAX_CHECKS=30 CHECK_COUNT=0 EXPERIMENT_STATE="" while [ $CHECK_COUNT -lt $MAX_CHECKS ]; do EXPERIMENT_INFO=$(aws fis get-experiment --id "$EXPERIMENT_ID") # Don't check for errors here, as we expect some experiments to fail EXPERIMENT_STATE=$(echo "$EXPERIMENT_INFO" | grep -i "status" | head -1 | awk -F'"' '{print $4}') echo "Experiment state: $EXPERIMENT_STATE" if [ "$EXPERIMENT_STATE" == "completed" ] || [ "$EXPERIMENT_STATE" == "stopped" ] || [ "$EXPERIMENT_STATE" == "failed" ]; then # Show the reason for the state REASON=$(echo "$EXPERIMENT_INFO" | grep -i "reason" | head -1 | awk -F'"' '{print $4}') if [ -n "$REASON" ]; then echo "Reason: $REASON" fi break fi echo "Waiting 10 seconds before checking again..." sleep 10 CHECK_COUNT=$((CHECK_COUNT + 1)) done if [ $CHECK_COUNT -eq $MAX_CHECKS ]; then echo "Experiment is taking longer than expected. You can check its status later using:" echo "aws fis get-experiment --id $EXPERIMENT_ID" fi echo "Step 8: Verifying experiment results" # Check CloudWatch alarm state echo "Checking CloudWatch alarm state..." ALARM_STATE_OUTPUT=$(aws cloudwatch describe-alarms --alarm-names "$ALARM_NAME") check_error "$ALARM_STATE_OUTPUT" "aws cloudwatch describe-alarms" echo "$ALARM_STATE_OUTPUT" # Get CPU utilization metrics echo "Getting CPU utilization metrics..." END_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ") # FIXED: Cross-platform compatible way to calculate time 10 minutes ago # This approach uses epoch seconds and basic arithmetic which works on all Linux distributions CURRENT_EPOCH=$(date +%s) TEN_MINUTES_AGO_EPOCH=$((CURRENT_EPOCH - 600)) START_TIME=$(date -u -d "@$TEN_MINUTES_AGO_EPOCH" +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || date -u -r "$TEN_MINUTES_AGO_EPOCH" +"%Y-%m-%dT%H:%M:%SZ") # Create metric query file cat > metric-query.json << EOF [ { "Id": "cpu", "MetricStat": { "Metric": { "Namespace": "AWS/EC2", "MetricName": "CPUUtilization", "Dimensions": [ { "Name": "InstanceId", "Value": "$INSTANCE_ID" } ] }, "Period": 60, "Stat": "Maximum" } } ] EOF METRICS_OUTPUT=$(aws cloudwatch get-metric-data \ --start-time "$START_TIME" \ --end-time "$END_TIME" \ --metric-data-queries file://metric-query.json) check_error "$METRICS_OUTPUT" "aws cloudwatch get-metric-data" echo "CPU Utilization Metrics:" echo "$METRICS_OUTPUT" # Display summary of created resources echo "" echo "===========================================" echo "RESOURCES CREATED" echo "===========================================" for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" done echo "===========================================" # Prompt for cleanup echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Starting cleanup process..." # Stop experiment if still running if [ "$EXPERIMENT_STATE" != "completed" ] && [ "$EXPERIMENT_STATE" != "stopped" ] && [ "$EXPERIMENT_STATE" != "failed" ]; then echo "Stopping experiment $EXPERIMENT_ID..." STOP_OUTPUT=$(aws fis stop-experiment --id "$EXPERIMENT_ID") check_error "$STOP_OUTPUT" "aws fis stop-experiment" echo "Waiting for experiment to stop..." sleep 10 fi # Delete experiment template echo "Deleting experiment template $TEMPLATE_ID..." DELETE_TEMPLATE_OUTPUT=$(aws fis delete-experiment-template --id "$TEMPLATE_ID") check_error "$DELETE_TEMPLATE_OUTPUT" "aws fis delete-experiment-template" # Delete CloudWatch alarm echo "Deleting CloudWatch alarm $ALARM_NAME..." DELETE_ALARM_OUTPUT=$(aws cloudwatch delete-alarms --alarm-names "$ALARM_NAME") check_error "$DELETE_ALARM_OUTPUT" "aws cloudwatch delete-alarms" # Terminate EC2 instance echo "Terminating EC2 instance $INSTANCE_ID..." TERMINATE_OUTPUT=$(aws ec2 terminate-instances --instance-ids "$INSTANCE_ID") check_error "$TERMINATE_OUTPUT" "aws ec2 terminate-instances" echo "Waiting for instance to terminate..." aws ec2 wait instance-terminated --instance-ids "$INSTANCE_ID" # Clean up IAM resources echo "Removing role from instance profile..." REMOVE_ROLE_OUTPUT=$(aws iam remove-role-from-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME" \ --role-name "$EC2_ROLE_NAME") check_error "$REMOVE_ROLE_OUTPUT" "aws iam remove-role-from-instance-profile" echo "Deleting instance profile..." DELETE_PROFILE_OUTPUT=$(aws iam delete-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME") check_error "$DELETE_PROFILE_OUTPUT" "aws iam delete-instance-profile" echo "Deleting FIS role policy..." DELETE_POLICY_OUTPUT=$(aws iam delete-role-policy \ --role-name "$FIS_ROLE_NAME" \ --policy-name "$FIS_POLICY_NAME") check_error "$DELETE_POLICY_OUTPUT" "aws iam delete-role-policy" echo "Detaching policy from EC2 role..." DETACH_POLICY_OUTPUT=$(aws iam detach-role-policy \ --role-name "$EC2_ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore") check_error "$DETACH_POLICY_OUTPUT" "aws iam detach-role-policy" echo "Deleting FIS role..." DELETE_FIS_ROLE_OUTPUT=$(aws iam delete-role \ --role-name "$FIS_ROLE_NAME") check_error "$DELETE_FIS_ROLE_OUTPUT" "aws iam delete-role" echo "Deleting EC2 role..." DELETE_EC2_ROLE_OUTPUT=$(aws iam delete-role \ --role-name "$EC2_ROLE_NAME") check_error "$DELETE_EC2_ROLE_OUTPUT" "aws iam delete-role" # Clean up temporary files echo "Cleaning up temporary files..." rm -f fis-trust-policy.json ec2-trust-policy.json fis-ssm-policy.json experiment-template.json metric-query.json echo "Cleanup completed successfully." else echo "Cleanup skipped. Resources will remain in your AWS account." echo "You can manually clean up the resources listed above." fi echo "" echo "Script execution completed." echo "Log file: $LOG_FILE" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AddRoleToInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AddRoleToInstanceProfile) + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateExperimentTemplate](https://docs.aws.amazon.com/goto/aws-cli/fis-2020-12-01/CreateExperimentTemplate) + [CreateInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateInstanceProfile) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteAlarms](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/DeleteAlarms) + [DeleteExperimentTemplate](https://docs.aws.amazon.com/goto/aws-cli/fis-2020-12-01/DeleteExperimentTemplate) + [DeleteInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteInstanceProfile) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy) + [DescribeAlarms](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/DescribeAlarms) + [DescribeImages](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeImages) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetExperiment](https://docs.aws.amazon.com/goto/aws-cli/fis-2020-12-01/GetExperiment) + [GetMetricData](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/GetMetricData) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [MonitorInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/MonitorInstances) + [PutMetricAlarm](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/PutMetricAlarm) + [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy) + [RemoveRoleFromInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/RemoveRoleFromInstanceProfile) + [RunInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/RunInstances) + [StartExperiment](https://docs.aws.amazon.com/goto/aws-cli/fis-2020-12-01/StartExperiment) + [StopExperiment](https://docs.aws.amazon.com/goto/aws-cli/fis-2020-12-01/StopExperiment) + [TerminateInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/TerminateInstances) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/Wait) ### Set up Attribute-Based Access Control The following code example shows how to implement Attribute-Based Access Control (ABAC) for DynamoDB. + Create an IAM policy for ABAC. + Create tables with tags for different departments. + List and filter tables based on tags. **AWS CLI with Bash script** Create an IAM policy for ABAC. ``` # Step 1: Create a policy document for ABAC cat > abac-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan" ], "Resource": "arn:aws:dynamodb:*:*:table/*", "Condition": { "StringEquals": { "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}" } } }, { "Effect": "Allow", "Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ], "Resource": "arn:aws:dynamodb:*:*:table/*", "Condition": { "StringEquals": { "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}", "aws:ResourceTag/Environment": "Development" } } } ] } EOF # Step 2: Create the IAM policy aws iam create-policy \ --policy-name DynamoDBDepartmentBasedAccess \ --policy-document file://abac-policy.json ``` Create tables with tags for different departments. ``` # Create a DynamoDB table with tags for ABAC aws dynamodb create-table \ --table-name FinanceData \ --attribute-definitions \ AttributeName=RecordID,AttributeType=S \ --key-schema \ AttributeName=RecordID,KeyType=HASH \ --billing-mode PAY_PER_REQUEST \ --tags \ Key=Department,Value=Finance \ Key=Environment,Value=Development # Create another table with different tags aws dynamodb create-table \ --table-name MarketingData \ --attribute-definitions \ AttributeName=RecordID,AttributeType=S \ --key-schema \ AttributeName=RecordID,KeyType=HASH \ --billing-mode PAY_PER_REQUEST \ --tags \ Key=Department,Value=Marketing \ Key=Environment,Value=Production ``` List and filter tables based on tags. ``` # List all DynamoDB tables echo "Listing all tables:" aws dynamodb list-tables # Get ARNs for all tables echo -e "\nGetting ARNs for all tables:" TABLE_ARNS=$(aws dynamodb list-tables --query "TableNames[*]" --output text | xargs -I {} aws dynamodb describe-table --table-name {} --query "Table.TableArn" --output text) # For each table ARN, list its tags echo -e "\nListing tags for each table:" for ARN in $TABLE_ARNS; do TABLE_NAME=$(echo $ARN | awk -F/ '{print $2}') echo -e "\nTags for table: $TABLE_NAME" aws dynamodb list-tags-of-resource --resource-arn $ARN done # Example: Find tables with a specific tag echo -e "\nFinding tables with Environment=Production tag:" for ARN in $TABLE_ARNS; do TABLE_NAME=$(echo $ARN | awk -F/ '{print $2}') TAGS=$(aws dynamodb list-tags-of-resource --resource-arn $ARN --query "Tags[?Key=='Environment' && Value=='Production']" --output text) if [ ! -z "$TAGS" ]; then echo "Table with Production tag: $TABLE_NAME" fi done ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy) + [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + [ListTables](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/ListTables) ### Setting up Systems Manager The following code example shows how to: + Create IAM permissions for Systems Manager + Create an IAM role for Systems Manager + Configure Systems Manager + Verify the setup + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/046-aws-systems-manager-gs) repository. ``` #!/bin/bash # AWS Systems Manager Setup Script # This script sets up AWS Systems Manager for a single account and region # # Version 17 fixes: # 1. Added cloudformation.amazonaws.com to the IAM role trust policy # 2. Systems Manager Quick Setup uses CloudFormation for deployments, so the role must trust CloudFormation service # Initialize log file LOG_FILE="ssm_setup_$(date +%Y%m%d_%H%M%S).log" echo "Starting AWS Systems Manager setup at $(date)" > "$LOG_FILE" # Function to log commands and their outputs with immediate terminal display log_cmd() { echo "$(date): Running command: $1" | tee -a "$LOG_FILE" local output output=$(eval "$1" 2>&1) local status=$? echo "$output" | tee -a "$LOG_FILE" return $status } # Function to check for errors in command output check_error() { local cmd_output="$1" local cmd_status="$2" local error_msg="$3" if [[ $cmd_status -ne 0 || "$cmd_output" =~ [Ee][Rr][Rr][Oo][Rr] ]]; then echo "ERROR: $error_msg" | tee -a "$LOG_FILE" echo "Command output: $cmd_output" | tee -a "$LOG_FILE" cleanup_on_error exit 1 fi } # Array to track created resources for cleanup declare -a CREATED_RESOURCES # Function to add a resource to the tracking array track_resource() { local resource_type="$1" local resource_id="$2" CREATED_RESOURCES+=("$resource_type:$resource_id") echo "Tracked resource: $resource_type:$resource_id" | tee -a "$LOG_FILE" } # Function to clean up resources on error cleanup_on_error() { echo "" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "ERROR OCCURRED - CLEANING UP RESOURCES" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "The following resources were created:" | tee -a "$LOG_FILE" # Display resources in reverse order for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do echo "${CREATED_RESOURCES[$i]}" | tee -a "$LOG_FILE" done echo "" | tee -a "$LOG_FILE" echo "Attempting to clean up resources..." | tee -a "$LOG_FILE" # Clean up resources in reverse order cleanup_resources } # Function to clean up all created resources cleanup_resources() { # Process resources in reverse order (last created, first deleted) for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do IFS=':' read -r resource_type resource_id <<< "${CREATED_RESOURCES[$i]}" echo "Deleting $resource_type: $resource_id" | tee -a "$LOG_FILE" case "$resource_type" in "IAM_POLICY") # Delete the policy (detachment should have been handled when the role was deleted) log_cmd "aws iam delete-policy --policy-arn $resource_id" || true ;; "IAM_ROLE") # Detach all policies from the role first if [[ -n "$POLICY_ARN" ]]; then log_cmd "aws iam detach-role-policy --role-name $resource_id --policy-arn $POLICY_ARN" || true fi # Delete the role log_cmd "aws iam delete-role --role-name $resource_id" || true ;; "SSM_CONFIG_MANAGER") log_cmd "aws ssm-quicksetup delete-configuration-manager --manager-arn $resource_id" || true ;; *) echo "Unknown resource type: $resource_type, cannot delete automatically" | tee -a "$LOG_FILE" ;; esac done echo "Cleanup completed" | tee -a "$LOG_FILE" # Clean up temporary files rm -f ssm-onboarding-policy.json trust-policy.json ssm-config.json 2>/dev/null || true } # Main script execution echo "AWS Systems Manager Setup Script" echo "================================" echo "This script will set up AWS Systems Manager for a single account and region." echo "It will create IAM policies and roles, then enable Systems Manager features." echo "" # Get the current AWS region CURRENT_REGION=$(aws configure get region) if [[ -z "$CURRENT_REGION" ]]; then echo "No AWS region configured. Please specify a region:" read -r CURRENT_REGION if [[ -z "$CURRENT_REGION" ]]; then echo "ERROR: A region must be specified" | tee -a "$LOG_FILE" exit 1 fi fi echo "Using AWS region: $CURRENT_REGION" | tee -a "$LOG_FILE" # Step 1: Create IAM policy for Systems Manager onboarding echo "Step 1: Creating IAM policy for Systems Manager onboarding..." # Create policy document cat > ssm-onboarding-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Sid": "QuickSetupActions", "Effect": "Allow", "Action": [ "ssm-quicksetup:*" ], "Resource": "*" }, { "Sid": "SsmReadOnly", "Effect": "Allow", "Action": [ "ssm:DescribeAutomationExecutions", "ssm:GetAutomationExecution", "ssm:ListAssociations", "ssm:DescribeAssociation", "ssm:ListDocuments", "ssm:ListResourceDataSync", "ssm:DescribePatchBaselines", "ssm:GetPatchBaseline", "ssm:DescribeMaintenanceWindows", "ssm:DescribeMaintenanceWindowTasks" ], "Resource": "*" }, { "Sid": "SsmDocument", "Effect": "Allow", "Action": [ "ssm:GetDocument", "ssm:DescribeDocument" ], "Resource": [ "arn:aws:ssm:*:*:document/AWSQuickSetupType-*", "arn:aws:ssm:*:*:document/AWS-EnableExplorer" ] }, { "Sid": "SsmEnableExplorer", "Effect": "Allow", "Action": "ssm:StartAutomationExecution", "Resource": "arn:aws:ssm:*:*:automation-definition/AWS-EnableExplorer:*" }, { "Sid": "SsmExplorerRds", "Effect": "Allow", "Action": [ "ssm:GetOpsSummary", "ssm:CreateResourceDataSync", "ssm:UpdateResourceDataSync" ], "Resource": "arn:aws:ssm:*:*:resource-data-sync/AWS-QuickSetup-*" }, { "Sid": "OrgsReadOnly", "Effect": "Allow", "Action": [ "organizations:DescribeAccount", "organizations:DescribeOrganization", "organizations:ListDelegatedAdministrators", "organizations:ListRoots", "organizations:ListParents", "organizations:ListOrganizationalUnitsForParent", "organizations:DescribeOrganizationalUnit", "organizations:ListAWSServiceAccessForOrganization" ], "Resource": "*" }, { "Sid": "OrgsAdministration", "Effect": "Allow", "Action": [ "organizations:EnableAWSServiceAccess", "organizations:RegisterDelegatedAdministrator", "organizations:DeregisterDelegatedAdministrator" ], "Resource": "*", "Condition": { "StringEquals": { "organizations:ServicePrincipal": [ "ssm.amazonaws.com", "ssm-quicksetup.amazonaws.com", "member.org.stacksets.cloudformation.amazonaws.com", "resource-explorer-2.amazonaws.com" ] } } }, { "Sid": "CfnReadOnly", "Effect": "Allow", "Action": [ "cloudformation:ListStacks", "cloudformation:DescribeStacks", "cloudformation:ListStackSets", "cloudformation:DescribeOrganizationsAccess" ], "Resource": "*" }, { "Sid": "OrgCfnAccess", "Effect": "Allow", "Action": [ "cloudformation:ActivateOrganizationsAccess" ], "Resource": "*" }, { "Sid": "CfnStackActions", "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStackResources", "cloudformation:DescribeStackEvents", "cloudformation:GetTemplate", "cloudformation:RollbackStack", "cloudformation:TagResource", "cloudformation:UntagResource", "cloudformation:UpdateStack" ], "Resource": [ "arn:aws:cloudformation:*:*:stack/StackSet-AWS-QuickSetup-*", "arn:aws:cloudformation:*:*:stack/AWS-QuickSetup-*", "arn:aws:cloudformation:*:*:type/resource/*" ] }, { "Sid": "CfnStackSetActions", "Effect": "Allow", "Action": [ "cloudformation:CreateStackInstances", "cloudformation:CreateStackSet", "cloudformation:DeleteStackInstances", "cloudformation:DeleteStackSet", "cloudformation:DescribeStackInstance", "cloudformation:DetectStackSetDrift", "cloudformation:ListStackInstanceResourceDrifts", "cloudformation:DescribeStackSet", "cloudformation:DescribeStackSetOperation", "cloudformation:ListStackInstances", "cloudformation:ListStackSetOperations", "cloudformation:ListStackSetOperationResults", "cloudformation:TagResource", "cloudformation:UntagResource", "cloudformation:UpdateStackSet" ], "Resource": [ "arn:aws:cloudformation:*:*:stackset/AWS-QuickSetup-*", "arn:aws:cloudformation:*:*:type/resource/*", "arn:aws:cloudformation:*:*:stackset-target/AWS-QuickSetup-*:*" ] }, { "Sid": "ValidationReadonlyActions", "Effect": "Allow", "Action": [ "iam:ListRoles", "iam:GetRole" ], "Resource": "*" }, { "Sid": "IamRolesMgmt", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:GetRolePolicy", "iam:ListRolePolicies" ], "Resource": [ "arn:aws:iam::*:role/AWS-QuickSetup-*", "arn:aws:iam::*:role/service-role/AWS-QuickSetup-*" ] }, { "Sid": "IamPassRole", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/AWS-QuickSetup-*", "arn:aws:iam::*:role/service-role/AWS-QuickSetup-*" ], "Condition": { "StringEquals": { "iam:PassedToService": [ "ssm.amazonaws.com", "ssm-quicksetup.amazonaws.com", "cloudformation.amazonaws.com" ] } } }, { "Sid": "IamRolesPoliciesMgmt", "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:DetachRolePolicy" ], "Resource": [ "arn:aws:iam::*:role/AWS-QuickSetup-*", "arn:aws:iam::*:role/service-role/AWS-QuickSetup-*" ], "Condition": { "ArnEquals": { "iam:PolicyARN": [ "arn:aws:iam::aws:policy/AWSSystemsManagerEnableExplorerExecutionPolicy", "arn:aws:iam::aws:policy/AWSQuickSetupSSMDeploymentRolePolicy" ] } } }, { "Sid": "CfnStackSetsSLR", "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": [ "arn:aws:iam::*:role/aws-service-role/stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgAdmin", "arn:aws:iam::*:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM", "arn:aws:iam::*:role/aws-service-role/accountdiscovery.ssm.amazonaws.com/AWSServiceRoleForAmazonSSM_AccountDiscovery", "arn:aws:iam::*:role/aws-service-role/ssm-quicksetup.amazonaws.com/AWSServiceRoleForSSMQuickSetup", "arn:aws:iam::*:role/aws-service-role/resource-explorer-2.amazonaws.com/AWSServiceRoleForResourceExplorer" ] } ] } EOF # Create the IAM policy POLICY_OUTPUT=$(log_cmd "aws iam create-policy --policy-name SSMOnboardingPolicy --policy-document file://ssm-onboarding-policy.json --output json") POLICY_STATUS=$? check_error "$POLICY_OUTPUT" $POLICY_STATUS "Failed to create IAM policy" # Extract the policy ARN POLICY_ARN=$(echo "$POLICY_OUTPUT" | grep -o 'arn:aws:iam::[0-9]*:policy/SSMOnboardingPolicy') if [[ -z "$POLICY_ARN" ]]; then echo "ERROR: Failed to extract policy ARN" | tee -a "$LOG_FILE" exit 1 fi # Track the created policy track_resource "IAM_POLICY" "$POLICY_ARN" echo "Created policy: $POLICY_ARN" | tee -a "$LOG_FILE" # Step 2: Create and configure IAM role for Systems Manager echo "" echo "Step 2: Creating IAM role for Systems Manager..." # Get current user name USER_OUTPUT=$(log_cmd "aws sts get-caller-identity --output json") USER_STATUS=$? check_error "$USER_OUTPUT" $USER_STATUS "Failed to get caller identity" # Extract account ID ACCOUNT_ID=$(echo "$USER_OUTPUT" | grep -o '"Account": "[0-9]*"' | cut -d'"' -f4) if [[ -z "$ACCOUNT_ID" ]]; then echo "ERROR: Failed to extract account ID" | tee -a "$LOG_FILE" exit 1 fi # Generate a unique role name ROLE_NAME="SSMTutorialRole-$(openssl rand -hex 4)" # Create trust policy for the role - FIXED: Added cloudformation.amazonaws.com cat > trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ssm.amazonaws.com", "ssm-quicksetup.amazonaws.com", "cloudformation.amazonaws.com" ] }, "Action": "sts:AssumeRole" }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::ACCOUNT_ID:root" }, "Action": "sts:AssumeRole" } ] } EOF # Replace ACCOUNT_ID placeholder in trust policy sed -i "s/ACCOUNT_ID/$ACCOUNT_ID/g" trust-policy.json # Create the IAM role ROLE_OUTPUT=$(log_cmd "aws iam create-role --role-name $ROLE_NAME --assume-role-policy-document file://trust-policy.json --description 'Role for Systems Manager tutorial' --output json") ROLE_STATUS=$? check_error "$ROLE_OUTPUT" $ROLE_STATUS "Failed to create IAM role" # Extract the role ARN ROLE_ARN=$(echo "$ROLE_OUTPUT" | grep -o 'arn:aws:iam::[0-9]*:role/[^"]*') if [[ -z "$ROLE_ARN" ]]; then echo "ERROR: Failed to extract role ARN" | tee -a "$LOG_FILE" cleanup_on_error exit 1 fi # Track the created role track_resource "IAM_ROLE" "$ROLE_NAME" echo "Created IAM role: $ROLE_NAME" | tee -a "$LOG_FILE" echo "Role ARN: $ROLE_ARN" | tee -a "$LOG_FILE" # Set identity variables for cleanup IDENTITY_TYPE="role" IDENTITY_NAME="$ROLE_NAME" # Attach the policy to the role ATTACH_OUTPUT=$(log_cmd "aws iam attach-role-policy --role-name $ROLE_NAME --policy-arn $POLICY_ARN") ATTACH_STATUS=$? check_error "$ATTACH_OUTPUT" $ATTACH_STATUS "Failed to attach policy to role $ROLE_NAME" echo "Policy attached to role: $ROLE_NAME" | tee -a "$LOG_FILE" # Step 3: Create Systems Manager configuration using Host Management echo "" echo "Step 3: Creating Systems Manager configuration..." # Generate a random identifier for the configuration name CONFIG_NAME="SSMSetup-$(openssl rand -hex 4)" # Create configuration file for Systems Manager setup using Host Management # Added both required parameters for single account deployment based on CloudFormation documentation cat > ssm-config.json << EOF [ { "Type": "AWSQuickSetupType-SSMHostMgmt", "LocalDeploymentAdministrationRoleArn": "$ROLE_ARN", "LocalDeploymentExecutionRoleName": "$ROLE_NAME", "Parameters": { "TargetAccounts": "$ACCOUNT_ID", "TargetRegions": "$CURRENT_REGION" } } ] EOF echo "Configuration file created:" | tee -a "$LOG_FILE" cat ssm-config.json | tee -a "$LOG_FILE" # Create the configuration manager CONFIG_OUTPUT=$(log_cmd "aws ssm-quicksetup create-configuration-manager --name \"$CONFIG_NAME\" --configuration-definitions file://ssm-config.json --region $CURRENT_REGION") CONFIG_STATUS=$? check_error "$CONFIG_OUTPUT" $CONFIG_STATUS "Failed to create Systems Manager configuration" # Extract the manager ARN MANAGER_ARN=$(echo "$CONFIG_OUTPUT" | grep -o 'arn:aws:ssm-quicksetup:[^"]*') if [[ -z "$MANAGER_ARN" ]]; then echo "ERROR: Failed to extract manager ARN" | tee -a "$LOG_FILE" exit 1 fi # Track the created configuration manager track_resource "SSM_CONFIG_MANAGER" "$MANAGER_ARN" echo "Created Systems Manager configuration: $MANAGER_ARN" | tee -a "$LOG_FILE" # Step 4: Verify the setup echo "" echo "Step 4: Verifying the setup..." # Wait for the configuration to be fully deployed echo "Waiting for the configuration to be deployed (this may take a few minutes)..." sleep 30 # Check the configuration manager status VERIFY_OUTPUT=$(log_cmd "aws ssm-quicksetup get-configuration-manager --manager-arn $MANAGER_ARN --region $CURRENT_REGION") VERIFY_STATUS=$? check_error "$VERIFY_OUTPUT" $VERIFY_STATUS "Failed to verify configuration manager" echo "Systems Manager setup completed successfully!" | tee -a "$LOG_FILE" # List the created resources echo "" echo "===========================================" echo "CREATED RESOURCES" echo "===========================================" for resource in "${CREATED_RESOURCES[@]}"; do echo "$resource" done # Prompt for cleanup echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Cleaning up resources..." | tee -a "$LOG_FILE" cleanup_resources echo "Cleanup completed." | tee -a "$LOG_FILE" else echo "Resources will not be cleaned up. You can manually clean them up later." | tee -a "$LOG_FILE" fi echo "" echo "Script execution completed. See $LOG_FILE for details." # Clean up temporary files rm -f ssm-onboarding-policy.json trust-policy.json ssm-config.json 2>/dev/null || true ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateConfigurationManager](https://docs.aws.amazon.com/goto/aws-cli/ssm-2014-11-06/CreateConfigurationManager) + [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteConfigurationManager](https://docs.aws.amazon.com/goto/aws-cli/ssm-2014-11-06/DeleteConfigurationManager) + [DeletePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeletePolicy) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetConfigurationManager](https://docs.aws.amazon.com/goto/aws-cli/ssm-2014-11-06/GetConfigurationManager) ### Using property variables in CloudWatch dashboards to monitor multiple Lambda functions The following code example shows how to: + Create Lambda functions for monitoring + Create a CloudWatch dashboard + Add a property variable to the dashboard + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/032-cloudwatch-streams) repository. ``` #!/bin/bash # CloudWatch Dashboard with Lambda Function Variable Script # This script creates a CloudWatch dashboard with a property variable for Lambda function names # Set up logging LOG_FILE="cloudwatch-dashboard-script-v4.log" echo "Starting script execution at $(date)" > "$LOG_FILE" # Function to log commands and their output log_cmd() { echo "$(date): Running command: $1" >> "$LOG_FILE" eval "$1" 2>&1 | tee -a "$LOG_FILE" return ${PIPESTATUS[0]} } # Function to check for errors in command output check_error() { local cmd_output="$1" local cmd_status="$2" local error_msg="$3" if [ $cmd_status -ne 0 ] || echo "$cmd_output" | grep -i "error" > /dev/null; then echo "ERROR: $error_msg" | tee -a "$LOG_FILE" echo "Command output: $cmd_output" | tee -a "$LOG_FILE" cleanup_resources exit 1 fi } # Function to clean up resources cleanup_resources() { echo "" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "CLEANUP PROCESS" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" if [ -n "$DASHBOARD_NAME" ]; then echo "Deleting CloudWatch dashboard: $DASHBOARD_NAME" | tee -a "$LOG_FILE" log_cmd "aws cloudwatch delete-dashboards --dashboard-names \"$DASHBOARD_NAME\"" fi if [ -n "$LAMBDA_FUNCTION1" ]; then echo "Deleting Lambda function: $LAMBDA_FUNCTION1" | tee -a "$LOG_FILE" log_cmd "aws lambda delete-function --function-name \"$LAMBDA_FUNCTION1\"" fi if [ -n "$LAMBDA_FUNCTION2" ]; then echo "Deleting Lambda function: $LAMBDA_FUNCTION2" | tee -a "$LOG_FILE" log_cmd "aws lambda delete-function --function-name \"$LAMBDA_FUNCTION2\"" fi if [ -n "$ROLE_NAME" ]; then echo "Detaching policy from role: $ROLE_NAME" | tee -a "$LOG_FILE" log_cmd "aws iam detach-role-policy --role-name \"$ROLE_NAME\" --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" echo "Deleting IAM role: $ROLE_NAME" | tee -a "$LOG_FILE" log_cmd "aws iam delete-role --role-name \"$ROLE_NAME\"" fi echo "Cleanup completed." | tee -a "$LOG_FILE" } # Function to prompt for cleanup confirmation confirm_cleanup() { echo "" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "CLEANUP CONFIRMATION" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "The following resources were created:" | tee -a "$LOG_FILE" echo "- CloudWatch Dashboard: $DASHBOARD_NAME" | tee -a "$LOG_FILE" if [ -n "$LAMBDA_FUNCTION1" ]; then echo "- Lambda Function: $LAMBDA_FUNCTION1" | tee -a "$LOG_FILE" fi if [ -n "$LAMBDA_FUNCTION2" ]; then echo "- Lambda Function: $LAMBDA_FUNCTION2" | tee -a "$LOG_FILE" fi if [ -n "$ROLE_NAME" ]; then echo "- IAM Role: $ROLE_NAME" | tee -a "$LOG_FILE" fi echo "" | tee -a "$LOG_FILE" echo "Do you want to clean up all created resources? (y/n): " | tee -a "$LOG_FILE" read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup_resources else echo "Resources were not cleaned up. You can manually delete them later." | tee -a "$LOG_FILE" fi } # Get AWS region AWS_REGION=$(aws configure get region) if [ -z "$AWS_REGION" ]; then AWS_REGION="us-east-1" echo "No region found in AWS config, defaulting to $AWS_REGION" | tee -a "$LOG_FILE" else echo "Using AWS region: $AWS_REGION" | tee -a "$LOG_FILE" fi # Generate unique identifiers RANDOM_ID=$(openssl rand -hex 6) DASHBOARD_NAME="LambdaMetricsDashboard-${RANDOM_ID}" LAMBDA_FUNCTION1="TestFunction1-${RANDOM_ID}" LAMBDA_FUNCTION2="TestFunction2-${RANDOM_ID}" ROLE_NAME="LambdaExecutionRole-${RANDOM_ID}" echo "Using random identifier: $RANDOM_ID" | tee -a "$LOG_FILE" echo "Dashboard name: $DASHBOARD_NAME" | tee -a "$LOG_FILE" echo "Lambda function names: $LAMBDA_FUNCTION1, $LAMBDA_FUNCTION2" | tee -a "$LOG_FILE" echo "IAM role name: $ROLE_NAME" | tee -a "$LOG_FILE" # Create IAM role for Lambda functions echo "Creating IAM role for Lambda..." | tee -a "$LOG_FILE" TRUST_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' echo "$TRUST_POLICY" > trust-policy.json ROLE_OUTPUT=$(log_cmd "aws iam create-role --role-name \"$ROLE_NAME\" --assume-role-policy-document file://trust-policy.json --output json") check_error "$ROLE_OUTPUT" $? "Failed to create IAM role" ROLE_ARN=$(echo "$ROLE_OUTPUT" | grep -o '"Arn": "[^"]*' | cut -d'"' -f4) echo "Role ARN: $ROLE_ARN" | tee -a "$LOG_FILE" # Attach Lambda basic execution policy to the role echo "Attaching Lambda execution policy to role..." | tee -a "$LOG_FILE" POLICY_OUTPUT=$(log_cmd "aws iam attach-role-policy --role-name \"$ROLE_NAME\" --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole") check_error "$POLICY_OUTPUT" $? "Failed to attach policy to role" # Wait for role to propagate echo "Waiting for IAM role to propagate..." | tee -a "$LOG_FILE" sleep 10 # Create simple Python Lambda function code echo "Creating Lambda function code..." | tee -a "$LOG_FILE" cat > lambda_function.py << 'EOF' def handler(event, context): print("Lambda function executed successfully") return { 'statusCode': 200, 'body': 'Success' } EOF # Zip the Lambda function code log_cmd "zip -j lambda_function.zip lambda_function.py" # Create first Lambda function echo "Creating first Lambda function: $LAMBDA_FUNCTION1..." | tee -a "$LOG_FILE" LAMBDA1_OUTPUT=$(log_cmd "aws lambda create-function --function-name \"$LAMBDA_FUNCTION1\" --runtime python3.9 --role \"$ROLE_ARN\" --handler lambda_function.handler --zip-file fileb://lambda_function.zip") check_error "$LAMBDA1_OUTPUT" $? "Failed to create first Lambda function" # Create second Lambda function echo "Creating second Lambda function: $LAMBDA_FUNCTION2..." | tee -a "$LOG_FILE" LAMBDA2_OUTPUT=$(log_cmd "aws lambda create-function --function-name \"$LAMBDA_FUNCTION2\" --runtime python3.9 --role \"$ROLE_ARN\" --handler lambda_function.handler --zip-file fileb://lambda_function.zip") check_error "$LAMBDA2_OUTPUT" $? "Failed to create second Lambda function" # Invoke Lambda functions to generate some metrics echo "Invoking Lambda functions to generate metrics..." | tee -a "$LOG_FILE" log_cmd "aws lambda invoke --function-name \"$LAMBDA_FUNCTION1\" --payload '{}' /dev/null" log_cmd "aws lambda invoke --function-name \"$LAMBDA_FUNCTION2\" --payload '{}' /dev/null" # Create CloudWatch dashboard with property variable echo "Creating CloudWatch dashboard with property variable..." | tee -a "$LOG_FILE" # Create a simpler dashboard with a property variable # This approach uses a more basic dashboard structure that's known to work with the CloudWatch API DASHBOARD_BODY=$(cat < Variables > Create a variable" | tee -a "$LOG_FILE" echo "4. Choose Property variable" | tee -a "$LOG_FILE" echo "5. For Property that the variable changes, choose FunctionName" | tee -a "$LOG_FILE" echo "6. For Input type, choose Select menu (dropdown)" | tee -a "$LOG_FILE" echo "7. Choose Use the results of a metric search" | tee -a "$LOG_FILE" echo "8. Choose Pre-built queries > Lambda > Errors" | tee -a "$LOG_FILE" echo "9. Choose By Function Name and then choose Search" | tee -a "$LOG_FILE" echo "10. (Optional) Configure any secondary settings as desired" | tee -a "$LOG_FILE" echo "11. Choose Add variable" | tee -a "$LOG_FILE" echo "" | tee -a "$LOG_FILE" echo "The dashboard has been created and can be accessed at:" | tee -a "$LOG_FILE" echo "https://console.aws.amazon.com/cloudwatch/home#dashboards:name=$DASHBOARD_NAME" | tee -a "$LOG_FILE" # Verify dashboard creation echo "Verifying dashboard creation..." | tee -a "$LOG_FILE" VERIFY_OUTPUT=$(log_cmd "aws cloudwatch get-dashboard --dashboard-name \"$DASHBOARD_NAME\"") check_error "$VERIFY_OUTPUT" $? "Failed to verify dashboard creation" echo "" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "DASHBOARD CREATED SUCCESSFULLY" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "Dashboard Name: $DASHBOARD_NAME" | tee -a "$LOG_FILE" echo "Lambda Functions: $LAMBDA_FUNCTION1, $LAMBDA_FUNCTION2" | tee -a "$LOG_FILE" echo "" | tee -a "$LOG_FILE" echo "You can view your dashboard in the CloudWatch console:" | tee -a "$LOG_FILE" echo "https://console.aws.amazon.com/cloudwatch/home#dashboards:name=$DASHBOARD_NAME" | tee -a "$LOG_FILE" echo "" | tee -a "$LOG_FILE" # Prompt for cleanup confirm_cleanup echo "Script completed successfully." | tee -a "$LOG_FILE" exit 0 ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/CreateFunction) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteDashboards](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/DeleteDashboards) + [DeleteFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/DeleteFunction) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetDashboard](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/GetDashboard) + [Invoke](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/Invoke) + [PutDashboard](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/PutDashboard) ### Work with Streams and Time-to-Live The following code example shows how to manage DynamoDB Streams and Time-to-Live features. + Create a table with Streams enabled. + Describe Streams. + Create a Lambda function for processing Streams. + Enable TTL on a table. + Add items with TTL attributes. + Describe TTL settings. **AWS CLI with Bash script** Create a table with Streams enabled. ``` # Create a table with DynamoDB Streams enabled aws dynamodb create-table \ --table-name StreamsDemo \ --attribute-definitions \ AttributeName=ID,AttributeType=S \ --key-schema \ AttributeName=ID,KeyType=HASH \ --billing-mode PAY_PER_REQUEST \ --stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES ``` Describe Streams. ``` # Get information about the stream aws dynamodb describe-table \ --table-name StreamsDemo \ --query "Table.StreamSpecification" # Get the stream ARN STREAM_ARN=$(aws dynamodb describe-table \ --table-name StreamsDemo \ --query "Table.LatestStreamArn" \ --output text) echo "Stream ARN: $STREAM_ARN" # Describe the stream aws dynamodbstreams describe-stream \ --stream-arn $STREAM_ARN ``` Create a Lambda function for Streams. ``` # Step 1: Create an IAM role for the Lambda function cat > trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF aws iam create-role \ --role-name DynamoDBStreamsLambdaRole \ --assume-role-policy-document file://trust-policy.json # Step 2: Attach permissions to the role aws iam attach-role-policy \ --role-name DynamoDBStreamsLambdaRole \ --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole # Step 3: Create a Lambda function (code would be in a separate file) echo "Lambda function creation would be done separately with appropriate code" # Step 4: Create an event source mapping echo "Example command to create event source mapping:" echo "aws lambda create-event-source-mapping \\" echo " --function-name ProcessDynamoDBRecords \\" echo " --event-source $STREAM_ARN \\" echo " --batch-size 100 \\" echo " --starting-position LATEST" ``` Enable TTL on a table. ``` # Create a table for TTL demonstration aws dynamodb create-table \ --table-name TTLDemo \ --attribute-definitions \ AttributeName=ID,AttributeType=S \ --key-schema \ AttributeName=ID,KeyType=HASH \ --billing-mode PAY_PER_REQUEST # Wait for table to become active aws dynamodb wait table-exists --table-name TTLDemo # Enable TTL on the table aws dynamodb update-time-to-live \ --table-name TTLDemo \ --time-to-live-specification "Enabled=true, AttributeName=ExpirationTime" ``` Add items with TTL attributes. ``` # Calculate expiration time (current time + 1 day in seconds) EXPIRATION_TIME=$(date -d "+1 day" +%s) # Add an item with TTL attribute aws dynamodb put-item \ --table-name TTLDemo \ --item '{ "ID": {"S": "item1"}, "Data": {"S": "This item will expire in 1 day"}, "ExpirationTime": {"N": "'$EXPIRATION_TIME'"} }' # Add an item that expires in 1 hour EXPIRATION_TIME_HOUR=$(date -d "+1 hour" +%s) aws dynamodb put-item \ --table-name TTLDemo \ --item '{ "ID": {"S": "item2"}, "Data": {"S": "This item will expire in 1 hour"}, "ExpirationTime": {"N": "'$EXPIRATION_TIME_HOUR'"} }' ``` Describe TTL settings. ``` # Describe TTL settings for a table aws dynamodb describe-time-to-live \ --table-name TTLDemo ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + [DescribeTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DescribeTable) + [DescribeTimeToLive](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DescribeTimeToLive) + [PutItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/PutItem) + [UpdateTimeToLive](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/UpdateTimeToLive) # AWS IoT examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with AWS IoT. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting Started with IoT Device Defender The following code example shows how to: + Create Required IAM Roles + Enable IoT Device Defender Audit Checks + Run an On-Demand Audit + Create a Mitigation Action + Apply Mitigation Actions to Findings + Set Up SNS Notifications (Optional) + Enable IoT Logging **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/079-aws-iot-device-defender-gs) repository. ``` #!/bin/bash # AWS IoT Device Defender Getting Started Script # This script demonstrates how to use AWS IoT Device Defender to enable audit checks, # view audit results, create mitigation actions, and apply them to findings. # Set up logging LOG_FILE="iot-device-defender-script-$(date +%Y%m%d%H%M%S).log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "===================================================" echo "AWS IoT Device Defender Getting Started Script" echo "===================================================" echo "Starting script execution at $(date)" echo "" # Function to check for errors in command output check_error() { if echo "$1" | grep -i "An error occurred\|Exception\|Failed\|usage: aws" > /dev/null; then echo "ERROR: Command failed with the following output:" echo "$1" return 1 fi return 0 } # Function to create IAM roles create_iam_role() { local ROLE_NAME=$1 local TRUST_POLICY=$2 local MANAGED_POLICY=$3 echo "Creating IAM role: $ROLE_NAME" # Check if role already exists ROLE_EXISTS=$(aws iam get-role --role-name "$ROLE_NAME" 2>&1 || echo "NOT_EXISTS") if echo "$ROLE_EXISTS" | grep -i "NoSuchEntity" > /dev/null; then # Create the role with trust policy ROLE_RESULT=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document "$TRUST_POLICY" 2>&1) if ! check_error "$ROLE_RESULT"; then echo "Failed to create role $ROLE_NAME" return 1 fi # For IoT logging role, create an inline policy instead of using a managed policy if [[ "$ROLE_NAME" == "AWSIoTLoggingRole" ]]; then LOGGING_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:PutMetricFilter", "logs:PutRetentionPolicy", "logs:GetLogEvents", "logs:DescribeLogStreams" ], "Resource": [ "arn:aws:logs:*:*:*" ] } ] }' POLICY_RESULT=$(aws iam put-role-policy \ --role-name "$ROLE_NAME" \ --policy-name "${ROLE_NAME}Policy" \ --policy-document "$LOGGING_POLICY" 2>&1) if ! check_error "$POLICY_RESULT"; then echo "Failed to attach inline policy to role $ROLE_NAME" return 1 fi elif [[ "$ROLE_NAME" == "IoTMitigationActionErrorLoggingRole" ]]; then MITIGATION_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:UpdateCACertificate", "iot:UpdateCertificate", "iot:SetV2LoggingOptions", "iot:SetLoggingOptions", "iot:AddThingToThingGroup", "iot:PublishToTopic" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "iot.amazonaws.com" } } } ] }' POLICY_RESULT=$(aws iam put-role-policy \ --role-name "$ROLE_NAME" \ --policy-name "${ROLE_NAME}Policy" \ --policy-document "$MITIGATION_POLICY" 2>&1) if ! check_error "$POLICY_RESULT"; then echo "Failed to attach inline policy to role $ROLE_NAME" return 1 fi else # Attach managed policy to role if provided if [ -n "$MANAGED_POLICY" ]; then ATTACH_RESULT=$(aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$MANAGED_POLICY" 2>&1) if ! check_error "$ATTACH_RESULT"; then echo "Failed to attach policy to role $ROLE_NAME" return 1 fi fi fi echo "Role $ROLE_NAME created successfully" else echo "Role $ROLE_NAME already exists, skipping creation" fi # Get the role ARN ROLE_ARN=$(aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text) echo "Role ARN: $ROLE_ARN" return 0 } # Array to store created resources for cleanup declare -a CREATED_RESOURCES # Step 1: Create IAM roles needed for the tutorial echo "===================================================" echo "Step 1: Creating required IAM roles" echo "===================================================" # Create IoT Device Defender Audit role IOT_DEFENDER_AUDIT_TRUST_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "iot.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' create_iam_role "AWSIoTDeviceDefenderAuditRole" "$IOT_DEFENDER_AUDIT_TRUST_POLICY" "arn:aws:iam::aws:policy/service-role/AWSIoTDeviceDefenderAudit" AUDIT_ROLE_ARN=$ROLE_ARN CREATED_RESOURCES+=("IAM Role: AWSIoTDeviceDefenderAuditRole") # Create IoT Logging role IOT_LOGGING_TRUST_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "iot.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' create_iam_role "AWSIoTLoggingRole" "$IOT_LOGGING_TRUST_POLICY" "" LOGGING_ROLE_ARN=$ROLE_ARN CREATED_RESOURCES+=("IAM Role: AWSIoTLoggingRole") # Create IoT Mitigation Action role IOT_MITIGATION_TRUST_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "iot.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' create_iam_role "IoTMitigationActionErrorLoggingRole" "$IOT_MITIGATION_TRUST_POLICY" "" MITIGATION_ROLE_ARN=$ROLE_ARN CREATED_RESOURCES+=("IAM Role: IoTMitigationActionErrorLoggingRole") # Step 2: Enable audit checks echo "" echo "===================================================" echo "Step 2: Enabling AWS IoT Device Defender audit checks" echo "===================================================" # Get current audit configuration echo "Getting current audit configuration..." CURRENT_CONFIG=$(aws iot describe-account-audit-configuration) echo "$CURRENT_CONFIG" # Enable specific audit checks echo "Enabling audit checks..." UPDATE_RESULT=$(aws iot update-account-audit-configuration \ --role-arn "$AUDIT_ROLE_ARN" \ --audit-check-configurations '{"LOGGING_DISABLED_CHECK":{"enabled":true}}') if ! check_error "$UPDATE_RESULT"; then echo "Failed to update audit configuration" exit 1 fi echo "Audit checks enabled successfully" # Step 3: Run an on-demand audit echo "" echo "===================================================" echo "Step 3: Running an on-demand audit" echo "===================================================" echo "Starting on-demand audit task..." AUDIT_TASK_RESULT=$(aws iot start-on-demand-audit-task \ --target-check-names LOGGING_DISABLED_CHECK) if ! check_error "$AUDIT_TASK_RESULT"; then echo "Failed to start on-demand audit task" exit 1 fi TASK_ID=$(echo "$AUDIT_TASK_RESULT" | grep -o '"taskId": "[^"]*' | cut -d'"' -f4) echo "Audit task started with ID: $TASK_ID" CREATED_RESOURCES+=("Audit Task: $TASK_ID") # Wait for the audit task to complete echo "Waiting for audit task to complete (this may take a few minutes)..." TASK_STATUS="IN_PROGRESS" while [ "$TASK_STATUS" != "COMPLETED" ]; do sleep 10 TASK_DETAILS=$(aws iot describe-audit-task --task-id "$TASK_ID") TASK_STATUS=$(echo "$TASK_DETAILS" | grep -o '"taskStatus": "[^"]*' | cut -d'"' -f4) echo "Current task status: $TASK_STATUS" if [ "$TASK_STATUS" == "FAILED" ]; then echo "Audit task failed" exit 1 fi done echo "Audit task completed successfully" # Get audit findings echo "Getting audit findings..." FINDINGS=$(aws iot list-audit-findings \ --task-id "$TASK_ID") echo "Audit findings:" echo "$FINDINGS" # Check if we have any non-compliant findings if echo "$FINDINGS" | grep -q '"findingId"'; then FINDING_ID=$(echo "$FINDINGS" | grep -o '"findingId": "[^"]*' | head -1 | cut -d'"' -f4) echo "Found non-compliant finding with ID: $FINDING_ID" HAS_FINDINGS=true else echo "No non-compliant findings detected" HAS_FINDINGS=false fi # Step 4: Create a mitigation action echo "" echo "===================================================" echo "Step 4: Creating a mitigation action" echo "===================================================" # Check if mitigation action already exists MITIGATION_EXISTS=$(aws iot list-mitigation-actions --action-name "EnableErrorLoggingAction" 2>&1) if echo "$MITIGATION_EXISTS" | grep -q "EnableErrorLoggingAction"; then echo "Mitigation action 'EnableErrorLoggingAction' already exists, deleting it first..." aws iot delete-mitigation-action --action-name "EnableErrorLoggingAction" # Wait a moment for deletion to complete sleep 5 fi echo "Creating mitigation action to enable AWS IoT logging..." MITIGATION_RESULT=$(aws iot create-mitigation-action \ --action-name "EnableErrorLoggingAction" \ --role-arn "$MITIGATION_ROLE_ARN" \ --action-params "{\"enableIoTLoggingParams\":{\"roleArnForLogging\":\"$LOGGING_ROLE_ARN\",\"logLevel\":\"ERROR\"}}") echo "$MITIGATION_RESULT" if ! check_error "$MITIGATION_RESULT"; then echo "Failed to create mitigation action" exit 1 fi echo "Mitigation action created successfully" CREATED_RESOURCES+=("Mitigation Action: EnableErrorLoggingAction") # Step 5: Apply mitigation action to findings (if any) if [ "$HAS_FINDINGS" = true ]; then echo "" echo "===================================================" echo "Step 5: Applying mitigation action to findings" echo "===================================================" MITIGATION_TASK_ID="MitigationTask-$(date +%s)" echo "Starting mitigation actions task with ID: $MITIGATION_TASK_ID" MITIGATION_TASK_RESULT=$(aws iot start-audit-mitigation-actions-task \ --task-id "$MITIGATION_TASK_ID" \ --target "{\"findingIds\":[\"$FINDING_ID\"]}" \ --audit-check-to-actions-mapping "{\"LOGGING_DISABLED_CHECK\":[\"EnableErrorLoggingAction\"]}") if ! check_error "$MITIGATION_TASK_RESULT"; then echo "Failed to start mitigation actions task" exit 1 fi echo "Mitigation actions task started successfully" CREATED_RESOURCES+=("Mitigation Task: $MITIGATION_TASK_ID") # Wait for the mitigation task to complete echo "Waiting for mitigation task to complete..." sleep 10 # Use a more reliable date format for the API call START_TIME=$(date -u -d 'today' '+%Y-%m-%dT%H:%M:%S.000Z') END_TIME=$(date -u '+%Y-%m-%dT%H:%M:%S.000Z') MITIGATION_TASKS=$(aws iot list-audit-mitigation-actions-tasks \ --start-time "$START_TIME" \ --end-time "$END_TIME" 2>&1) if check_error "$MITIGATION_TASKS"; then echo "Mitigation tasks:" echo "$MITIGATION_TASKS" else echo "Could not retrieve mitigation task status, but task was started successfully" fi else echo "" echo "===================================================" echo "Step 5: Skipping mitigation action application (no findings)" echo "===================================================" fi # Step 6: Set up SNS notifications (optional) echo "" echo "===================================================" echo "Step 6: Setting up SNS notifications" echo "===================================================" # Check if SNS topic already exists SNS_TOPICS=$(aws sns list-topics) if echo "$SNS_TOPICS" | grep -q "IoTDDNotifications"; then echo "SNS topic 'IoTDDNotifications' already exists, using existing topic..." TOPIC_ARN=$(echo "$SNS_TOPICS" | grep -o '"TopicArn": "[^"]*IoTDDNotifications' | cut -d'"' -f4) else echo "Creating SNS topic for notifications..." SNS_RESULT=$(aws sns create-topic --name "IoTDDNotifications") if ! check_error "$SNS_RESULT"; then echo "Failed to create SNS topic" exit 1 fi TOPIC_ARN=$(echo "$SNS_RESULT" | grep -o '"TopicArn": "[^"]*' | cut -d'"' -f4) echo "SNS topic created with ARN: $TOPIC_ARN" CREATED_RESOURCES+=("SNS Topic: IoTDDNotifications") fi echo "Updating audit configuration to enable SNS notifications..." SNS_UPDATE_RESULT=$(aws iot update-account-audit-configuration \ --audit-notification-target-configurations "{\"SNS\":{\"targetArn\":\"$TOPIC_ARN\",\"roleArn\":\"$AUDIT_ROLE_ARN\",\"enabled\":true}}") if ! check_error "$SNS_UPDATE_RESULT"; then echo "Failed to update audit configuration for SNS notifications" exit 1 fi echo "SNS notifications enabled successfully" # Step 7: Enable AWS IoT logging echo "" echo "===================================================" echo "Step 7: Enabling AWS IoT logging" echo "===================================================" echo "Setting up AWS IoT logging options..." # Create the logging options payload LOGGING_OPTIONS_PAYLOAD="{\"roleArn\":\"$LOGGING_ROLE_ARN\",\"logLevel\":\"ERROR\"}" LOGGING_RESULT=$(aws iot set-v2-logging-options \ --role-arn "$LOGGING_ROLE_ARN" \ --default-log-level "ERROR" 2>&1) if ! check_error "$LOGGING_RESULT"; then echo "Failed to set up AWS IoT v2 logging, trying v1 logging..." # Try the older set-logging-options command with proper payload format LOGGING_RESULT_V1=$(aws iot set-logging-options \ --logging-options-payload "$LOGGING_OPTIONS_PAYLOAD" 2>&1) if ! check_error "$LOGGING_RESULT_V1"; then echo "Failed to set up AWS IoT logging with both v1 and v2 methods" echo "V2 result: $LOGGING_RESULT" echo "V1 result: $LOGGING_RESULT_V1" exit 1 else echo "AWS IoT v1 logging enabled successfully" fi else echo "AWS IoT v2 logging enabled successfully" fi # Verify logging is enabled echo "Verifying logging configuration..." LOGGING_CONFIG=$(aws iot get-v2-logging-options 2>&1) if check_error "$LOGGING_CONFIG"; then echo "V2 Logging configuration:" echo "$LOGGING_CONFIG" else echo "Checking v1 logging configuration..." LOGGING_CONFIG_V1=$(aws iot get-logging-options 2>&1) if check_error "$LOGGING_CONFIG_V1"; then echo "V1 Logging configuration:" echo "$LOGGING_CONFIG_V1" else echo "Could not retrieve logging configuration" fi fi # Script completed successfully echo "" echo "===================================================" echo "AWS IoT Device Defender setup completed successfully!" echo "===================================================" echo "The following resources were created:" for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" done echo "" # Ask if user wants to clean up resources echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ $CLEANUP_CHOICE =~ ^[Yy]$ ]]; then echo "Starting cleanup process..." # Disable AWS IoT logging echo "Disabling AWS IoT logging..." # Try to disable v2 logging first DISABLE_V2_RESULT=$(aws iot set-v2-logging-options \ --default-log-level "DISABLED" 2>&1) if ! check_error "$DISABLE_V2_RESULT"; then echo "Failed to disable v2 logging, trying v1..." # Try v1 logging disable DISABLE_V1_RESULT=$(aws iot set-logging-options \ --logging-options-payload "{\"logLevel\":\"DISABLED\"}" 2>&1) if ! check_error "$DISABLE_V1_RESULT"; then echo "Warning: Could not disable logging through either v1 or v2 methods" else echo "V1 logging disabled successfully" fi else echo "V2 logging disabled successfully" fi # Delete mitigation action echo "Deleting mitigation action..." aws iot delete-mitigation-action --action-name "EnableErrorLoggingAction" # Reset audit configuration echo "Resetting IoT Device Defender audit configuration..." aws iot update-account-audit-configuration \ --audit-check-configurations '{"LOGGING_DISABLED_CHECK":{"enabled":false}}' 2>&1 | grep -qi "error" && echo "Warning: Failed to disable audit check" aws iot delete-account-audit-configuration --delete-scheduled-audits 2>&1 | grep -qi "error" && echo "Warning: Failed to delete audit configuration" # Delete SNS topic echo "Deleting SNS topic..." aws sns delete-topic --topic-arn "$TOPIC_ARN" # Detach policies from roles and delete roles (in reverse order) echo "Cleaning up IAM roles..." # Check if policies exist before trying to delete them ROLE_POLICIES=$(aws iam list-role-policies --role-name "IoTMitigationActionErrorLoggingRole" 2>&1) if ! echo "$ROLE_POLICIES" | grep -q "NoSuchEntity"; then if echo "$ROLE_POLICIES" | grep -q "IoTMitigationActionErrorLoggingRolePolicy"; then aws iam delete-role-policy \ --role-name "IoTMitigationActionErrorLoggingRole" \ --policy-name "IoTMitigationActionErrorLoggingRolePolicy" fi fi aws iam delete-role --role-name "IoTMitigationActionErrorLoggingRole" ROLE_POLICIES=$(aws iam list-role-policies --role-name "AWSIoTLoggingRole" 2>&1) if ! echo "$ROLE_POLICIES" | grep -q "NoSuchEntity"; then if echo "$ROLE_POLICIES" | grep -q "AWSIoTLoggingRolePolicy"; then aws iam delete-role-policy \ --role-name "AWSIoTLoggingRole" \ --policy-name "AWSIoTLoggingRolePolicy" fi fi aws iam delete-role --role-name "AWSIoTLoggingRole" aws iam detach-role-policy \ --role-name "AWSIoTDeviceDefenderAuditRole" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSIoTDeviceDefenderAudit" aws iam delete-role --role-name "AWSIoTDeviceDefenderAuditRole" echo "Cleanup completed successfully" else echo "Skipping cleanup. Resources will remain in your AWS account." fi echo "" echo "Script execution completed at $(date)" echo "Log file: $LOG_FILE" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateMitigationAction](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/CreateMitigationAction) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/CreateTopic) + [DeleteAccountAuditConfiguration](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DeleteAccountAuditConfiguration) + [DeleteMitigationAction](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DeleteMitigationAction) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy) + [DeleteTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/DeleteTopic) + [DescribeAccountAuditConfiguration](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DescribeAccountAuditConfiguration) + [DescribeAuditTask](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DescribeAuditTask) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetLoggingOptions](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/GetLoggingOptions) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [GetV2LoggingOptions](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/GetV2LoggingOptions) + [ListAuditFindings](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/ListAuditFindings) + [ListAuditMitigationActionsTasks](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/ListAuditMitigationActionsTasks) + [ListMitigationActions](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/ListMitigationActions) + [ListRolePolicies](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/ListRolePolicies) + [ListTopics](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/ListTopics) + [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy) + [SetLoggingOptions](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/SetLoggingOptions) + [SetV2LoggingOptions](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/SetV2LoggingOptions) + [StartAuditMitigationActionsTask](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/StartAuditMitigationActionsTask) + [StartOnDemandAuditTask](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/StartOnDemandAuditTask) + [UpdateAccountAuditConfiguration](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/UpdateAccountAuditConfiguration) ### Getting started with IoT Core The following code example shows how to: + Create IoT resources + Configure your device + Run the sample application + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/063-aws-iot-core-gs) repository. ``` #!/bin/bash # AWS IoT Core Getting Started Script # This script creates AWS IoT resources, configures a device, and runs a sample application # Set up logging LOG_FILE="iot-core-setup.log" echo "Starting AWS IoT Core setup at $(date)" > $LOG_FILE # Function to log commands and their outputs log_cmd() { echo "$(date): Running command: $1" >> $LOG_FILE eval "$1" 2>&1 | tee -a $LOG_FILE return ${PIPESTATUS[0]} } # Function to check for errors check_error() { if [ $1 -ne 0 ]; then echo "ERROR: Command failed with exit code $1" | tee -a $LOG_FILE echo "Please check the log file $LOG_FILE for details" | tee -a $LOG_FILE cleanup_on_error exit $1 fi } # Function to cleanup resources on error cleanup_on_error() { echo "Error encountered. Attempting to clean up resources..." | tee -a $LOG_FILE echo "Resources created:" | tee -a $LOG_FILE if [ ! -z "$CERTIFICATE_ARN" ]; then echo "Certificate ARN: $CERTIFICATE_ARN" | tee -a $LOG_FILE if [ ! -z "$POLICY_NAME" ]; then log_cmd "aws iot detach-policy --policy-name $POLICY_NAME --target $CERTIFICATE_ARN" fi if [ ! -z "$THING_NAME" ]; then log_cmd "aws iot detach-thing-principal --thing-name $THING_NAME --principal $CERTIFICATE_ARN" fi if [ ! -z "$CERTIFICATE_ID" ]; then log_cmd "aws iot update-certificate --certificate-id $CERTIFICATE_ID --new-status INACTIVE" log_cmd "aws iot delete-certificate --certificate-id $CERTIFICATE_ID" fi fi if [ ! -z "$THING_NAME" ]; then echo "Thing Name: $THING_NAME" | tee -a $LOG_FILE log_cmd "aws iot delete-thing --thing-name $THING_NAME" fi if [ ! -z "$POLICY_NAME" ]; then echo "Policy Name: $POLICY_NAME" | tee -a $LOG_FILE log_cmd "aws iot delete-policy --policy-name $POLICY_NAME" fi if [ ! -z "$SHARED_POLICY_NAME" ]; then echo "Shared Policy Name: $SHARED_POLICY_NAME" | tee -a $LOG_FILE log_cmd "aws iot delete-policy --policy-name $SHARED_POLICY_NAME" fi } # Generate unique identifiers RANDOM_SUFFIX=$(openssl rand -hex 4) THING_NAME="MyIoTThing-${RANDOM_SUFFIX}" POLICY_NAME="MyIoTPolicy-${RANDOM_SUFFIX}" SHARED_POLICY_NAME="SharedSubPolicy-${RANDOM_SUFFIX}" CERTS_DIR="$HOME/certs" echo "==================================================" | tee -a $LOG_FILE echo "AWS IoT Core Getting Started" | tee -a $LOG_FILE echo "==================================================" | tee -a $LOG_FILE echo "This script will:" | tee -a $LOG_FILE echo "1. Create AWS IoT resources (policy, thing, certificate)" | tee -a $LOG_FILE echo "2. Configure your device" | tee -a $LOG_FILE echo "3. Set up for running the sample application" | tee -a $LOG_FILE echo "" | tee -a $LOG_FILE echo "Thing Name: $THING_NAME" | tee -a $LOG_FILE echo "Policy Name: $POLICY_NAME" | tee -a $LOG_FILE echo "Certificates Directory: $CERTS_DIR" | tee -a $LOG_FILE echo "==================================================" | tee -a $LOG_FILE echo "" | tee -a $LOG_FILE # Get AWS account ID echo "Getting AWS account ID..." | tee -a $LOG_FILE ACCOUNT_ID=$(log_cmd "aws sts get-caller-identity --query Account --output text") check_error $? # Get AWS region echo "Getting AWS region..." | tee -a $LOG_FILE REGION=$(log_cmd "aws configure get region") check_error $? if [ -z "$REGION" ]; then echo "AWS region not configured. Please run 'aws configure' to set your region." | tee -a $LOG_FILE exit 1 fi echo "Using AWS Account ID: $ACCOUNT_ID and Region: $REGION" | tee -a $LOG_FILE # Step 1: Create AWS IoT Resources echo "" | tee -a $LOG_FILE echo "Step 1: Creating AWS IoT Resources..." | tee -a $LOG_FILE # Create IoT policy echo "Creating IoT policy document..." | tee -a $LOG_FILE cat > iot-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:$REGION:$ACCOUNT_ID:client/test-*" ] }, { "Effect": "Allow", "Action": [ "iot:Publish", "iot:Receive" ], "Resource": [ "arn:aws:iot:$REGION:$ACCOUNT_ID:topic/test/topic" ] }, { "Effect": "Allow", "Action": [ "iot:Subscribe" ], "Resource": [ "arn:aws:iot:$REGION:$ACCOUNT_ID:topicfilter/test/topic" ] } ] } EOF echo "Creating IoT policy: $POLICY_NAME..." | tee -a $LOG_FILE log_cmd "aws iot create-policy --policy-name $POLICY_NAME --policy-document file://iot-policy.json" check_error $? # Create IoT thing echo "Creating IoT thing: $THING_NAME..." | tee -a $LOG_FILE log_cmd "aws iot create-thing --thing-name $THING_NAME" check_error $? # Create directory for certificates echo "Creating certificates directory..." | tee -a $LOG_FILE log_cmd "mkdir -p $CERTS_DIR" check_error $? # Create keys and certificate echo "Creating keys and certificate..." | tee -a $LOG_FILE CERT_OUTPUT=$(log_cmd "aws iot create-keys-and-certificate --set-as-active --certificate-pem-outfile $CERTS_DIR/device.pem.crt --public-key-outfile $CERTS_DIR/public.pem.key --private-key-outfile $CERTS_DIR/private.pem.key") check_error $? # Extract certificate ARN and ID CERTIFICATE_ARN=$(echo "$CERT_OUTPUT" | grep "certificateArn" | cut -d'"' -f4) CERTIFICATE_ID=$(echo "$CERTIFICATE_ARN" | cut -d/ -f2) if [ -z "$CERTIFICATE_ARN" ] || [ -z "$CERTIFICATE_ID" ]; then echo "Failed to extract certificate ARN or ID" | tee -a $LOG_FILE cleanup_on_error exit 1 fi echo "Certificate ARN: $CERTIFICATE_ARN" | tee -a $LOG_FILE echo "Certificate ID: $CERTIFICATE_ID" | tee -a $LOG_FILE # Attach policy to certificate echo "Attaching policy to certificate..." | tee -a $LOG_FILE log_cmd "aws iot attach-policy --policy-name $POLICY_NAME --target $CERTIFICATE_ARN" check_error $? # Attach certificate to thing echo "Attaching certificate to thing..." | tee -a $LOG_FILE log_cmd "aws iot attach-thing-principal --thing-name $THING_NAME --principal $CERTIFICATE_ARN" check_error $? # Download Amazon Root CA certificate echo "Downloading Amazon Root CA certificate..." | tee -a $LOG_FILE log_cmd "curl -s -o $CERTS_DIR/Amazon-root-CA-1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem" check_error $? # Step 2: Configure Your Device echo "" | tee -a $LOG_FILE echo "Step 2: Configuring Your Device..." | tee -a $LOG_FILE # Check if Git is installed echo "Checking if Git is installed..." | tee -a $LOG_FILE if ! command -v git &> /dev/null; then echo "Git is not installed. Please install Git and run this script again." | tee -a $LOG_FILE cleanup_on_error exit 1 fi # Check if Python is installed echo "Checking if Python is installed..." | tee -a $LOG_FILE if ! command -v python3 &> /dev/null; then echo "Python 3 is not installed. Please install Python 3 and run this script again." | tee -a $LOG_FILE cleanup_on_error exit 1 fi # Install AWS IoT Device SDK for Python echo "Installing AWS IoT Device SDK for Python..." | tee -a $LOG_FILE log_cmd "python3 -m pip install awsiotsdk" check_error $? # Clone the AWS IoT Device SDK for Python repository echo "Cloning AWS IoT Device SDK for Python repository..." | tee -a $LOG_FILE if [ ! -d "$HOME/aws-iot-device-sdk-python-v2" ]; then log_cmd "cd $HOME && git clone https://github.com/aws/aws-iot-device-sdk-python-v2.git" check_error $? else echo "AWS IoT Device SDK for Python repository already exists." | tee -a $LOG_FILE fi # Step 3: Get AWS IoT Endpoint echo "" | tee -a $LOG_FILE echo "Step 3: Getting AWS IoT Endpoint..." | tee -a $LOG_FILE IOT_ENDPOINT=$(log_cmd "aws iot describe-endpoint --endpoint-type iot:Data-ATS --query endpointAddress --output text") check_error $? echo "AWS IoT Endpoint: $IOT_ENDPOINT" | tee -a $LOG_FILE # Create a shared subscription policy (optional) echo "" | tee -a $LOG_FILE echo "Creating shared subscription policy (optional)..." | tee -a $LOG_FILE cat > shared-sub-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:Connect" ], "Resource": [ "arn:aws:iot:$REGION:$ACCOUNT_ID:client/*" ] }, { "Effect": "Allow", "Action": [ "iot:Publish", "iot:Receive" ], "Resource": [ "arn:aws:iot:$REGION:$ACCOUNT_ID:topic/test/topic" ] }, { "Effect": "Allow", "Action": [ "iot:Subscribe" ], "Resource": [ "arn:aws:iot:$REGION:$ACCOUNT_ID:topicfilter/test/topic", "arn:aws:iot:$REGION:$ACCOUNT_ID:topicfilter/\$share/*/test/topic" ] } ] } EOF log_cmd "aws iot create-policy --policy-name $SHARED_POLICY_NAME --policy-document file://shared-sub-policy.json" check_error $? log_cmd "aws iot attach-policy --policy-name $SHARED_POLICY_NAME --target $CERTIFICATE_ARN" check_error $? # Summary of created resources echo "" | tee -a $LOG_FILE echo "==================================================" | tee -a $LOG_FILE echo "Setup Complete! Resources Created:" | tee -a $LOG_FILE echo "==================================================" | tee -a $LOG_FILE echo "Thing Name: $THING_NAME" | tee -a $LOG_FILE echo "Policy Name: $POLICY_NAME" | tee -a $LOG_FILE echo "Shared Subscription Policy Name: $SHARED_POLICY_NAME" | tee -a $LOG_FILE echo "Certificate ID: $CERTIFICATE_ID" | tee -a $LOG_FILE echo "Certificate ARN: $CERTIFICATE_ARN" | tee -a $LOG_FILE echo "Certificate Files Location: $CERTS_DIR" | tee -a $LOG_FILE echo "AWS IoT Endpoint: $IOT_ENDPOINT" | tee -a $LOG_FILE echo "==================================================" | tee -a $LOG_FILE # Instructions for running the sample application echo "" | tee -a $LOG_FILE echo "To run the sample application, execute:" | tee -a $LOG_FILE echo "cd $HOME/aws-iot-device-sdk-python-v2/samples" | tee -a $LOG_FILE echo "python3 pubsub.py \\" | tee -a $LOG_FILE echo " --endpoint $IOT_ENDPOINT \\" | tee -a $LOG_FILE echo " --ca_file $CERTS_DIR/Amazon-root-CA-1.pem \\" | tee -a $LOG_FILE echo " --cert $CERTS_DIR/device.pem.crt \\" | tee -a $LOG_FILE echo " --key $CERTS_DIR/private.pem.key" | tee -a $LOG_FILE echo "" | tee -a $LOG_FILE echo "To run the shared subscription example, execute:" | tee -a $LOG_FILE echo "cd $HOME/aws-iot-device-sdk-python-v2/samples" | tee -a $LOG_FILE echo "python3 mqtt5_shared_subscription.py \\" | tee -a $LOG_FILE echo " --endpoint $IOT_ENDPOINT \\" | tee -a $LOG_FILE echo " --ca_file $CERTS_DIR/Amazon-root-CA-1.pem \\" | tee -a $LOG_FILE echo " --cert $CERTS_DIR/device.pem.crt \\" | tee -a $LOG_FILE echo " --key $CERTS_DIR/private.pem.key \\" | tee -a $LOG_FILE echo " --group_identifier consumer" | tee -a $LOG_FILE # Ask if user wants to clean up resources echo "" | tee -a $LOG_FILE echo "==================================================" | tee -a $LOG_FILE echo "CLEANUP CONFIRMATION" | tee -a $LOG_FILE echo "==================================================" | tee -a $LOG_FILE echo "Do you want to clean up all created resources? (y/n): " | tee -a $LOG_FILE read -r CLEANUP_CHOICE if [[ $CLEANUP_CHOICE =~ ^[Yy]$ ]]; then echo "Cleaning up resources..." | tee -a $LOG_FILE # Detach policies from certificate echo "Detaching policies from certificate..." | tee -a $LOG_FILE log_cmd "aws iot detach-policy --policy-name $POLICY_NAME --target $CERTIFICATE_ARN" log_cmd "aws iot detach-policy --policy-name $SHARED_POLICY_NAME --target $CERTIFICATE_ARN" # Detach certificate from thing echo "Detaching certificate from thing..." | tee -a $LOG_FILE log_cmd "aws iot detach-thing-principal --thing-name $THING_NAME --principal $CERTIFICATE_ARN" # Update certificate status to INACTIVE echo "Setting certificate to inactive..." | tee -a $LOG_FILE log_cmd "aws iot update-certificate --certificate-id $CERTIFICATE_ID --new-status INACTIVE" # Delete certificate echo "Deleting certificate..." | tee -a $LOG_FILE log_cmd "aws iot delete-certificate --certificate-id $CERTIFICATE_ID" # Delete thing echo "Deleting thing..." | tee -a $LOG_FILE log_cmd "aws iot delete-thing --thing-name $THING_NAME" # Delete policies echo "Deleting policies..." | tee -a $LOG_FILE log_cmd "aws iot delete-policy --policy-name $POLICY_NAME" log_cmd "aws iot delete-policy --policy-name $SHARED_POLICY_NAME" echo "Cleanup complete!" | tee -a $LOG_FILE else echo "Resources were not cleaned up. You can manually clean them up later." | tee -a $LOG_FILE echo "To clean up resources, run the following commands:" | tee -a $LOG_FILE echo "aws iot detach-policy --policy-name $POLICY_NAME --target $CERTIFICATE_ARN" | tee -a $LOG_FILE echo "aws iot detach-policy --policy-name $SHARED_POLICY_NAME --target $CERTIFICATE_ARN" | tee -a $LOG_FILE echo "aws iot detach-thing-principal --thing-name $THING_NAME --principal $CERTIFICATE_ARN" | tee -a $LOG_FILE echo "aws iot update-certificate --certificate-id $CERTIFICATE_ID --new-status INACTIVE" | tee -a $LOG_FILE echo "aws iot delete-certificate --certificate-id $CERTIFICATE_ID" | tee -a $LOG_FILE echo "aws iot delete-thing --thing-name $THING_NAME" | tee -a $LOG_FILE echo "aws iot delete-policy --policy-name $POLICY_NAME" | tee -a $LOG_FILE echo "aws iot delete-policy --policy-name $SHARED_POLICY_NAME" | tee -a $LOG_FILE fi echo "" | tee -a $LOG_FILE echo "Script execution completed. See $LOG_FILE for details." | tee -a $LOG_FILE ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachPolicy](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/AttachPolicy) + [AttachThingPrincipal](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/AttachThingPrincipal) + [CreateKeysAndCertificate](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/CreateKeysAndCertificate) + [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/CreatePolicy) + [CreateThing](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/CreateThing) + [DeleteCertificate](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DeleteCertificate) + [DeletePolicy](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DeletePolicy) + [DeleteThing](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DeleteThing) + [DescribeEndpoint](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DescribeEndpoint) + [DetachPolicy](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DetachPolicy) + [DetachThingPrincipal](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DetachThingPrincipal) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [UpdateCertificate](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/UpdateCertificate) # AWS KMS examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with AWS KMS. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Work with table encryption The following code example shows how to manage encryption options for DynamoDB tables. + Create a table with default encryption. + Create a table with a customer managed CMK. + Update table encryption settings. + Describe table encryption. **AWS CLI with Bash script** Create a table with default encryption. ``` # Create a table with default encryption (AWS owned key) aws dynamodb create-table \ --table-name CustomerData \ --attribute-definitions \ AttributeName=CustomerID,AttributeType=S \ --key-schema \ AttributeName=CustomerID,KeyType=HASH \ --billing-mode PAY_PER_REQUEST \ --sse-specification Enabled=true,SSEType=KMS ``` Create a table with a customer managed CMK. ``` # Step 1: Create a customer managed key in KMS aws kms create-key \ --description "Key for DynamoDB table encryption" \ --key-usage ENCRYPT_DECRYPT \ --customer-master-key-spec SYMMETRIC_DEFAULT # Store the key ID for later use KEY_ID=$(aws kms list-keys --query "Keys[?contains(KeyArn, 'Key for DynamoDB')].KeyId" --output text) # Step 2: Create a table with the customer managed key aws dynamodb create-table \ --table-name SensitiveData \ --attribute-definitions \ AttributeName=RecordID,AttributeType=S \ --key-schema \ AttributeName=RecordID,KeyType=HASH \ --billing-mode PAY_PER_REQUEST \ --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=$KEY_ID ``` Update table encryption. ``` # Update a table to use a different KMS key aws dynamodb update-table \ --table-name CustomerData \ --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=$KEY_ID ``` Describe table encryption. ``` # Describe the table to see encryption settings aws dynamodb describe-table \ --table-name CustomerData \ --query "Table.SSEDescription" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateKey](https://docs.aws.amazon.com/goto/aws-cli/kms-2014-11-01/CreateKey) + [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable) + [DescribeTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DescribeTable) + [UpdateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/UpdateTable) # Lambda examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Lambda. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Create a REST API with Lambda proxy integration The following code example shows how to: + Create an IAM role for Lambda execution + Create and deploy a Lambda function + Create a REST API + Configure Lambda proxy integration + Deploy and test the API + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/087-apigateway-lambda-integration) repository. ``` #!/bin/bash # Simple API Gateway Lambda Integration Script # This script creates a REST API with Lambda proxy integration # Generate random identifiers FUNCTION_NAME="GetStartedLambdaProxyIntegration-$(openssl rand -hex 4)" ROLE_NAME="GetStartedLambdaBasicExecutionRole-$(openssl rand -hex 4)" API_NAME="LambdaProxyAPI-$(openssl rand -hex 4)" # Get AWS account info ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) REGION=$(aws configure get region || echo "us-east-1") echo "Creating Lambda function code..." # Create Lambda function code cat > lambda_function.py << 'EOF' import json def lambda_handler(event, context): print(event) greeter = 'World' try: if (event['queryStringParameters']) and (event['queryStringParameters']['greeter']) and ( event['queryStringParameters']['greeter'] is not None): greeter = event['queryStringParameters']['greeter'] except KeyError: print('No greeter') try: if (event['multiValueHeaders']) and (event['multiValueHeaders']['greeter']) and ( event['multiValueHeaders']['greeter'] is not None): greeter = " and ".join(event['multiValueHeaders']['greeter']) except KeyError: print('No greeter') try: if (event['headers']) and (event['headers']['greeter']) and ( event['headers']['greeter'] is not None): greeter = event['headers']['greeter'] except KeyError: print('No greeter') if (event['body']) and (event['body'] is not None): body = json.loads(event['body']) try: if (body['greeter']) and (body['greeter'] is not None): greeter = body['greeter'] except KeyError: print('No greeter') res = { "statusCode": 200, "headers": { "Content-Type": "*/*" }, "body": "Hello, " + greeter + "!" } return res EOF # Create deployment package zip function.zip lambda_function.py echo "Creating IAM role..." # Create IAM trust policy cat > trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create IAM role aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document file://trust-policy.json # Attach execution policy aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" # Wait for role propagation sleep 15 echo "Creating Lambda function..." # Create Lambda function aws lambda create-function \ --function-name "$FUNCTION_NAME" \ --runtime python3.9 \ --role "arn:aws:iam::$ACCOUNT_ID:role/$ROLE_NAME" \ --handler lambda_function.lambda_handler \ --zip-file fileb://function.zip echo "Creating API Gateway..." # Create REST API aws apigateway create-rest-api \ --name "$API_NAME" \ --endpoint-configuration types=REGIONAL # Get API ID API_ID=$(aws apigateway get-rest-apis --query "items[?name=='$API_NAME'].id" --output text) # Get root resource ID ROOT_RESOURCE_ID=$(aws apigateway get-resources --rest-api-id "$API_ID" --query 'items[?path==`/`].id' --output text) # Create helloworld resource aws apigateway create-resource \ --rest-api-id "$API_ID" \ --parent-id "$ROOT_RESOURCE_ID" \ --path-part helloworld # Get resource ID RESOURCE_ID=$(aws apigateway get-resources --rest-api-id "$API_ID" --query "items[?pathPart=='helloworld'].id" --output text) # Create ANY method aws apigateway put-method \ --rest-api-id "$API_ID" \ --resource-id "$RESOURCE_ID" \ --http-method ANY \ --authorization-type NONE # Set up Lambda proxy integration LAMBDA_URI="arn:aws:apigateway:$REGION:lambda:path/2015-03-31/functions/arn:aws:lambda:$REGION:$ACCOUNT_ID:function:$FUNCTION_NAME/invocations" aws apigateway put-integration \ --rest-api-id "$API_ID" \ --resource-id "$RESOURCE_ID" \ --http-method ANY \ --type AWS_PROXY \ --integration-http-method POST \ --uri "$LAMBDA_URI" # Grant API Gateway permission to invoke Lambda SOURCE_ARN="arn:aws:execute-api:$REGION:$ACCOUNT_ID:$API_ID/*/*" aws lambda add-permission \ --function-name "$FUNCTION_NAME" \ --statement-id "apigateway-invoke-$(openssl rand -hex 4)" \ --action lambda:InvokeFunction \ --principal apigateway.amazonaws.com \ --source-arn "$SOURCE_ARN" # Deploy API aws apigateway create-deployment \ --rest-api-id "$API_ID" \ --stage-name test echo "Testing API..." # Test the API INVOKE_URL="https://$API_ID.execute-api.$REGION.amazonaws.com/test/helloworld" echo "API URL: $INVOKE_URL" # Test with query parameter echo "Testing with query parameter:" curl -X GET "$INVOKE_URL?greeter=John" echo "" # Test with header echo "Testing with header:" curl -X GET "$INVOKE_URL" \ -H 'content-type: application/json' \ -H 'greeter: John' echo "" # Test with body echo "Testing with POST body:" curl -X POST "$INVOKE_URL" \ -H 'content-type: application/json' \ -d '{ "greeter": "John" }' echo "" echo "Tutorial completed! API is available at: $INVOKE_URL" # Cleanup echo "Cleaning up resources..." # Delete API aws apigateway delete-rest-api --rest-api-id "$API_ID" # Delete Lambda function aws lambda delete-function --function-name "$FUNCTION_NAME" # Detach policy and delete role aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" aws iam delete-role --role-name "$ROLE_NAME" # Clean up local files rm -f lambda_function.py function.zip trust-policy.json echo "Cleanup completed!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AddPermission](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/AddPermission) + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateDeployment](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/CreateDeployment) + [CreateFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/CreateFunction) + [CreateResource](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/CreateResource) + [CreateRestApi](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/CreateRestApi) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/DeleteFunction) + [DeleteRestApi](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/DeleteRestApi) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetResources](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/GetResources) + [GetRestApis](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/GetRestApis) + [PutIntegration](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/PutIntegration) + [PutMethod](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/PutMethod) ### Creating a CloudWatch dashboard with function name as a variable The following code example shows how to: + Create a CloudWatch dashboard + Add Lambda metrics widgets with a function name variable + Verify the dashboard + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/031-cloudwatch-dynamicdash) repository. ``` #!/bin/bash # Script to create a CloudWatch dashboard with Lambda function name as a variable # This script creates a CloudWatch dashboard that allows you to switch between different Lambda functions # Set up logging LOG_FILE="cloudwatch-dashboard-script.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "$(date): Starting CloudWatch dashboard creation script" # Function to handle errors handle_error() { echo "ERROR: $1" echo "Resources created:" echo "- CloudWatch Dashboard: LambdaMetricsDashboard" echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "An error occurred. Do you want to clean up the created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "${CLEANUP_CHOICE,,}" == "y" ]]; then echo "Cleaning up resources..." aws cloudwatch delete-dashboards --dashboard-names LambdaMetricsDashboard echo "Cleanup complete." else echo "Resources were not cleaned up. You can manually delete them later." fi exit 1 } # Check if AWS CLI is installed and configured echo "Checking AWS CLI configuration..." aws sts get-caller-identity > /dev/null 2>&1 if [ $? -ne 0 ]; then handle_error "AWS CLI is not properly configured. Please configure it with 'aws configure' and try again." fi # Get the current region REGION=$(aws configure get region) if [ -z "$REGION" ]; then REGION="us-east-1" echo "No region found in AWS config, defaulting to $REGION" fi echo "Using region: $REGION" # Check if there are any Lambda functions in the account echo "Checking for Lambda functions..." LAMBDA_FUNCTIONS=$(aws lambda list-functions --query "Functions[*].FunctionName" --output text) if [ -z "$LAMBDA_FUNCTIONS" ]; then echo "No Lambda functions found in your account. Creating a simple test function..." # Create a temporary directory for Lambda function code TEMP_DIR=$(mktemp -d) # Create a simple Lambda function cat > "$TEMP_DIR/index.js" << EOF exports.handler = async (event) => { console.log('Event:', JSON.stringify(event, null, 2)); return { statusCode: 200, body: JSON.stringify('Hello from Lambda!'), }; }; EOF # Zip the function code cd "$TEMP_DIR" || handle_error "Failed to change to temporary directory" zip -q function.zip index.js # Create a role for the Lambda function ROLE_NAME="LambdaDashboardTestRole" ROLE_ARN=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document '{"Version":"2012-10-17", "Statement":[{"Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]}' \ --query "Role.Arn" \ --output text) if [ $? -ne 0 ]; then handle_error "Failed to create IAM role for Lambda function" fi echo "Waiting for role to be available..." sleep 10 # Attach basic Lambda execution policy aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" if [ $? -ne 0 ]; then aws iam delete-role --role-name "$ROLE_NAME" handle_error "Failed to attach policy to IAM role" fi # Create the Lambda function FUNCTION_NAME="DashboardTestFunction" aws lambda create-function \ --function-name "$FUNCTION_NAME" \ --runtime nodejs18.x \ --role "$ROLE_ARN" \ --handler index.handler \ --zip-file fileb://function.zip if [ $? -ne 0 ]; then aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" aws iam delete-role --role-name "$ROLE_NAME" handle_error "Failed to create Lambda function" fi # Invoke the function to generate some metrics echo "Invoking Lambda function to generate metrics..." for i in {1..5}; do aws lambda invoke --function-name "$FUNCTION_NAME" --payload '{}' /dev/null > /dev/null sleep 1 done # Clean up temporary directory cd - > /dev/null rm -rf "$TEMP_DIR" # Set the function name for the dashboard DEFAULT_FUNCTION="$FUNCTION_NAME" else # Use the first Lambda function as default DEFAULT_FUNCTION=$(echo "$LAMBDA_FUNCTIONS" | awk '{print $1}') echo "Found Lambda functions. Using $DEFAULT_FUNCTION as default." fi # Create a dashboard with Lambda metrics and a function name variable echo "Creating CloudWatch dashboard with Lambda function name variable..." # Create a JSON file for the dashboard body cat > dashboard-body.json << EOF { "widgets": [ { "type": "metric", "x": 0, "y": 0, "width": 12, "height": 6, "properties": { "metrics": [ [ "AWS/Lambda", "Invocations", "FunctionName", "\${FunctionName}" ], [ ".", "Errors", ".", "." ], [ ".", "Throttles", ".", "." ] ], "view": "timeSeries", "stacked": false, "region": "$REGION", "title": "Lambda Function Metrics for \${FunctionName}", "period": 300 } }, { "type": "metric", "x": 0, "y": 6, "width": 12, "height": 6, "properties": { "metrics": [ [ "AWS/Lambda", "Duration", "FunctionName", "\${FunctionName}", { "stat": "Average" } ] ], "view": "timeSeries", "stacked": false, "region": "$REGION", "title": "Duration for \${FunctionName}", "period": 300 } }, { "type": "metric", "x": 12, "y": 0, "width": 12, "height": 6, "properties": { "metrics": [ [ "AWS/Lambda", "ConcurrentExecutions", "FunctionName", "\${FunctionName}" ] ], "view": "timeSeries", "stacked": false, "region": "$REGION", "title": "Concurrent Executions for \${FunctionName}", "period": 300 } } ], "periodOverride": "auto", "variables": [ { "type": "property", "id": "FunctionName", "property": "FunctionName", "label": "Lambda Function", "inputType": "select", "values": [ { "value": "$DEFAULT_FUNCTION", "label": "$DEFAULT_FUNCTION" } ] } ] } EOF # Create the dashboard using the JSON file DASHBOARD_RESULT=$(aws cloudwatch put-dashboard --dashboard-name LambdaMetricsDashboard --dashboard-body file://dashboard-body.json) DASHBOARD_EXIT_CODE=$? # Check if there was a fatal error if [ $DASHBOARD_EXIT_CODE -ne 0 ]; then # If we created resources, clean them up if [ -n "${FUNCTION_NAME:-}" ]; then aws lambda delete-function --function-name "$FUNCTION_NAME" aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" aws iam delete-role --role-name "$ROLE_NAME" fi handle_error "Failed to create CloudWatch dashboard." fi # Display any validation messages but continue if [[ "$DASHBOARD_RESULT" == *"DashboardValidationMessages"* ]]; then echo "Dashboard created with validation messages:" echo "$DASHBOARD_RESULT" echo "These validation messages are warnings and the dashboard should still function." else echo "Dashboard created successfully!" fi # Verify the dashboard was created echo "Verifying dashboard creation..." DASHBOARD_INFO=$(aws cloudwatch get-dashboard --dashboard-name LambdaMetricsDashboard) DASHBOARD_INFO_EXIT_CODE=$? if [ $DASHBOARD_INFO_EXIT_CODE -ne 0 ]; then # If we created resources, clean them up if [ -n "${FUNCTION_NAME:-}" ]; then aws lambda delete-function --function-name "$FUNCTION_NAME" aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" aws iam delete-role --role-name "$ROLE_NAME" fi handle_error "Failed to verify dashboard creation." fi echo "Dashboard verification successful!" echo "Dashboard details:" echo "$DASHBOARD_INFO" # List all dashboards to confirm echo "Listing all dashboards:" DASHBOARDS=$(aws cloudwatch list-dashboards) DASHBOARDS_EXIT_CODE=$? if [ $DASHBOARDS_EXIT_CODE -ne 0 ]; then # If we created resources, clean them up if [ -n "${FUNCTION_NAME:-}" ]; then aws lambda delete-function --function-name "$FUNCTION_NAME" aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" aws iam delete-role --role-name "$ROLE_NAME" fi handle_error "Failed to list dashboards." fi echo "$DASHBOARDS" # Show instructions for accessing the dashboard echo "" echo "Dashboard created successfully! To access it:" echo "1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/" echo "2. In the navigation pane, choose Dashboards" echo "3. Select LambdaMetricsDashboard" echo "4. You should see a dropdown menu labeled 'Lambda Function' at the top of the dashboard" echo "5. Use this dropdown to select different Lambda functions and see their metrics" echo "" # Create a list of resources for cleanup RESOURCES=("- CloudWatch Dashboard: LambdaMetricsDashboard") if [ -n "${FUNCTION_NAME:-}" ]; then RESOURCES+=("- Lambda Function: $FUNCTION_NAME") RESOURCES+=("- IAM Role: $ROLE_NAME") fi # Prompt for cleanup echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Resources created:" for resource in "${RESOURCES[@]}"; do echo "$resource" done echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "${CLEANUP_CHOICE,,}" == "y" ]]; then echo "Cleaning up resources..." # Delete the dashboard aws cloudwatch delete-dashboards --dashboard-names LambdaMetricsDashboard if [ $? -ne 0 ]; then echo "WARNING: Failed to delete dashboard. You may need to delete it manually." else echo "Dashboard deleted successfully." fi # If we created a Lambda function, delete it and its role if [ -n "${FUNCTION_NAME:-}" ]; then echo "Deleting Lambda function..." aws lambda delete-function --function-name "$FUNCTION_NAME" if [ $? -ne 0 ]; then echo "WARNING: Failed to delete Lambda function. You may need to delete it manually." else echo "Lambda function deleted successfully." fi echo "Detaching role policy..." aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" if [ $? -ne 0 ]; then echo "WARNING: Failed to detach role policy. You may need to detach it manually." else echo "Role policy detached successfully." fi echo "Deleting IAM role..." aws iam delete-role --role-name "$ROLE_NAME" if [ $? -ne 0 ]; then echo "WARNING: Failed to delete IAM role. You may need to delete it manually." else echo "IAM role deleted successfully." fi fi # Clean up the JSON file rm -f dashboard-body.json echo "Cleanup complete." else echo "Resources were not cleaned up. You can manually delete them later with:" echo "aws cloudwatch delete-dashboards --dashboard-names LambdaMetricsDashboard" if [ -n "${FUNCTION_NAME:-}" ]; then echo "aws lambda delete-function --function-name $FUNCTION_NAME" echo "aws iam detach-role-policy --role-name $ROLE_NAME --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" echo "aws iam delete-role --role-name $ROLE_NAME" fi fi echo "Script completed successfully!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/CreateFunction) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteDashboards](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/DeleteDashboards) + [DeleteFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/DeleteFunction) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetDashboard](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/GetDashboard) + [Invoke](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/Invoke) + [ListDashboards](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/ListDashboards) + [ListFunctions](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/ListFunctions) + [PutDashboard](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/PutDashboard) ### Creating your first Lambda function The following code example shows how to: + Create an IAM role for Lambda + Create function code + Create a Lambda function + Test your Lambda function + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/019-lambda-gettingstarted) repository. ``` #!/bin/bash # AWS Lambda - Create Your First Function # This script creates a Lambda function, invokes it with a test event, # views CloudWatch logs, and cleans up all resources. # # Source: https://docs.aws.amazon.com/lambda/latest/dg/getting-started.html # # Resources created: # - IAM role (Lambda execution role with basic logging permissions) # - Lambda function (Python 3.13 or Node.js 22.x runtime) # - CloudWatch log group (created automatically by Lambda on invocation) set -eE ############################################################################### # Setup ############################################################################### UNIQUE_ID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1) FUNCTION_NAME="my-lambda-function-${UNIQUE_ID}" ROLE_NAME="lambda-execution-role-${UNIQUE_ID}" LOG_GROUP_NAME="/aws/lambda/${FUNCTION_NAME}" TEMP_DIR=$(mktemp -d) LOG_FILE="${TEMP_DIR}/lambda-gettingstarted.log" exec > >(tee -a "$LOG_FILE") 2>&1 declare -a CREATED_RESOURCES ############################################################################### # Helper functions ############################################################################### cleanup_resources() { # Disable error trap to prevent recursion during cleanup trap - ERR set +eE echo "" echo "Cleaning up resources..." echo "" for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do local RESOURCE="${CREATED_RESOURCES[$i]}" local TYPE="${RESOURCE%%:*}" local NAME="${RESOURCE#*:}" case "$TYPE" in log-group) echo "Deleting CloudWatch log group: ${NAME}" aws logs delete-log-group \ --log-group-name "$NAME" 2>&1 || echo " WARNING: Could not delete log group ${NAME}." ;; lambda-function) echo "Deleting Lambda function: ${NAME}" aws lambda delete-function \ --function-name "$NAME" 2>&1 || echo " WARNING: Could not delete Lambda function ${NAME}." echo " Waiting for function deletion to complete..." local DELETE_WAIT=0 while aws lambda get-function --function-name "$NAME" > /dev/null 2>&1; do sleep 2 DELETE_WAIT=$((DELETE_WAIT + 2)) if [ "$DELETE_WAIT" -ge 60 ]; then echo " WARNING: Timed out waiting for function deletion." break fi done ;; iam-role-policy) local ROLE_PART="${NAME%%|*}" local POLICY_PART="${NAME#*|}" echo "Detaching policy from role: ${ROLE_PART}" aws iam detach-role-policy \ --role-name "$ROLE_PART" \ --policy-arn "$POLICY_PART" 2>&1 || echo " WARNING: Could not detach policy from role ${ROLE_PART}." ;; iam-role) echo "Deleting IAM role: ${NAME}" aws iam delete-role \ --role-name "$NAME" 2>&1 || echo " WARNING: Could not delete IAM role ${NAME}." ;; esac done if [ -d "$TEMP_DIR" ]; then rm -rf "$TEMP_DIR" fi echo "" echo "Cleanup complete." } handle_error() { echo "" echo "===========================================" echo "ERROR: Script failed at $1" echo "===========================================" echo "" if [ ${#CREATED_RESOURCES[@]} -gt 0 ]; then echo "Attempting to clean up ${#CREATED_RESOURCES[@]} resource(s)..." cleanup_resources fi exit 1 } trap 'handle_error "line $LINENO"' ERR wait_for_resource() { local DESCRIPTION="$1" local COMMAND="$2" local TARGET_VALUE="$3" local TIMEOUT=300 local ELAPSED=0 local INTERVAL=5 echo "Waiting for ${DESCRIPTION}..." while true; do local RESULT RESULT=$(eval "$COMMAND" 2>&1) || true if echo "$RESULT" | grep -q "$TARGET_VALUE"; then echo " ${DESCRIPTION} is ready." return 0 fi if [ "$ELAPSED" -ge "$TIMEOUT" ]; then echo "ERROR: Timed out waiting for ${DESCRIPTION} after ${TIMEOUT} seconds." return 1 fi sleep "$INTERVAL" ELAPSED=$((ELAPSED + INTERVAL)) done } ############################################################################### # Region pre-check ############################################################################### CONFIGURED_REGION=$(aws configure get region 2>/dev/null || true) if [ -z "$CONFIGURED_REGION" ] && [ -z "$AWS_DEFAULT_REGION" ] && [ -z "$AWS_REGION" ]; then echo "ERROR: No AWS region configured." echo "Run 'aws configure set region ' or export AWS_DEFAULT_REGION." exit 1 fi ############################################################################### # Runtime selection ############################################################################### echo "" echo "===========================================" echo "AWS Lambda - Create Your First Function" echo "===========================================" echo "" echo "Select a runtime for your Lambda function:" echo " 1) Python 3.13" echo " 2) Node.js 22.x" echo "" echo "Enter your choice (1 or 2): " read -r RUNTIME_CHOICE case "$RUNTIME_CHOICE" in 1) RUNTIME="python3.13" HANDLER="lambda_function.lambda_handler" CODE_FILE="lambda_function.py" cat > "${TEMP_DIR}/${CODE_FILE}" << 'PYTHON_EOF' import json import logging logger = logging.getLogger() logger.setLevel(logging.INFO) def lambda_handler(event, context): length = event['length'] width = event['width'] area = calculate_area(length, width) print(f'The area is {area}') logger.info(f'CloudWatch logs group: {context.log_group_name}') return json.dumps({'area': area}) def calculate_area(length, width): return length * width PYTHON_EOF echo "Selected runtime: Python 3.13" ;; 2) RUNTIME="nodejs22.x" HANDLER="index.handler" CODE_FILE="index.mjs" cat > "${TEMP_DIR}/${CODE_FILE}" << 'NODEJS_EOF' export const handler = async (event, context) => { const area = event.length * event.width; console.log(`The area is ${area}`); console.log('CloudWatch log group: ', context.logGroupName); return JSON.stringify({area}); }; NODEJS_EOF echo "Selected runtime: Node.js 22.x" ;; *) echo "ERROR: Invalid choice. Please enter 1 or 2." exit 1 ;; esac ############################################################################### # Step 1: Create IAM execution role ############################################################################### echo "" echo "===========================================" echo "Step 1: Create IAM execution role" echo "===========================================" echo "" TRUST_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' echo "Creating IAM role: ${ROLE_NAME}" ROLE_OUTPUT=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document "$TRUST_POLICY" \ --query 'Role.Arn' \ --output text 2>&1) echo "$ROLE_OUTPUT" ROLE_ARN="$ROLE_OUTPUT" CREATED_RESOURCES+=("iam-role:${ROLE_NAME}") echo "Role ARN: ${ROLE_ARN}" echo "" echo "Attaching AWSLambdaBasicExecutionRole policy..." aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" 2>&1 CREATED_RESOURCES+=("iam-role-policy:${ROLE_NAME}|arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole") echo "Policy attached." # IAM roles can take a few seconds to propagate echo "Waiting for IAM role to propagate..." sleep 10 ############################################################################### # Step 2: Create Lambda function ############################################################################### echo "" echo "===========================================" echo "Step 2: Create Lambda function" echo "===========================================" echo "" echo "Creating deployment package..." ORIGINAL_DIR=$(pwd) cd "$TEMP_DIR" zip -j function.zip "$CODE_FILE" > /dev/null 2>&1 cd "$ORIGINAL_DIR" echo "Creating Lambda function: ${FUNCTION_NAME}" echo " Runtime: ${RUNTIME}" echo " Handler: ${HANDLER}" echo "" CREATE_OUTPUT=$(aws lambda create-function \ --function-name "$FUNCTION_NAME" \ --runtime "$RUNTIME" \ --role "$ROLE_ARN" \ --handler "$HANDLER" \ --architectures x86_64 \ --zip-file "fileb://${TEMP_DIR}/function.zip" \ --query '[FunctionName, FunctionArn, Runtime, State]' \ --output text 2>&1) echo "$CREATE_OUTPUT" CREATED_RESOURCES+=("lambda-function:${FUNCTION_NAME}") wait_for_resource "Lambda function to become Active" \ "aws lambda get-function-configuration --function-name ${FUNCTION_NAME} --query State --output text" \ "Active" ############################################################################### # Step 3: Invoke the function ############################################################################### echo "" echo "===========================================" echo "Step 3: Invoke the function" echo "===========================================" echo "" TEST_EVENT='{"length": 6, "width": 7}' echo "Invoking function with test event: ${TEST_EVENT}" echo "" echo "$TEST_EVENT" > "${TEMP_DIR}/test-event.json" INVOKE_OUTPUT=$(aws lambda invoke \ --function-name "$FUNCTION_NAME" \ --payload "fileb://${TEMP_DIR}/test-event.json" \ --cli-read-timeout 30 \ "${TEMP_DIR}/response.json" 2>&1) echo "$INVOKE_OUTPUT" RESPONSE=$(cat "${TEMP_DIR}/response.json") echo "" echo "Function response: ${RESPONSE}" echo "" if echo "$INVOKE_OUTPUT" | grep -qi "functionerror"; then echo "WARNING: Function returned an error." fi ############################################################################### # Step 4: View CloudWatch logs ############################################################################### echo "" echo "===========================================" echo "Step 4: View CloudWatch Logs" echo "===========================================" echo "" echo "Log group: ${LOG_GROUP_NAME}" echo "" echo "Waiting for CloudWatch logs to be available..." LOG_STREAMS="" for i in $(seq 1 6); do LOG_STREAMS=$(aws logs describe-log-streams \ --log-group-name "$LOG_GROUP_NAME" \ --order-by LastEventTime \ --descending \ --query 'logStreams[0].logStreamName' \ --output text 2>/dev/null) || true if [ -n "$LOG_STREAMS" ] && [ "$LOG_STREAMS" != "None" ]; then break fi LOG_STREAMS="" sleep 5 done if [ -n "$LOG_STREAMS" ] && [ "$LOG_STREAMS" != "None" ]; then echo "Latest log stream: ${LOG_STREAMS}" echo "" echo "--- Log events ---" LOG_EVENTS=$(aws logs get-log-events \ --log-group-name "$LOG_GROUP_NAME" \ --log-stream-name "$LOG_STREAMS" \ --query 'events[].message' \ --output text 2>&1) || true echo "$LOG_EVENTS" echo "--- End of log events ---" else echo "No log streams found yet. Logs may take a moment to appear." echo "You can view them in the CloudWatch console:" echo " Log group: ${LOG_GROUP_NAME}" fi CREATED_RESOURCES+=("log-group:${LOG_GROUP_NAME}") ############################################################################### # Summary and cleanup ############################################################################### echo "" echo "===========================================" echo "SUMMARY" echo "===========================================" echo "" echo "Resources created:" echo " IAM role: ${ROLE_NAME}" echo " Lambda function: ${FUNCTION_NAME}" echo " CloudWatch logs: ${LOG_GROUP_NAME}" echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup_resources else echo "" echo "Resources were NOT deleted. To clean up manually, run:" echo "" echo " # Delete the Lambda function" echo " aws lambda delete-function --function-name ${FUNCTION_NAME}" echo "" echo " # Delete the CloudWatch log group" echo " aws logs delete-log-group --log-group-name ${LOG_GROUP_NAME}" echo "" echo " # Detach the policy and delete the IAM role" echo " aws iam detach-role-policy --role-name ${ROLE_NAME} --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" echo " aws iam delete-role --role-name ${ROLE_NAME}" echo "" if [ -d "$TEMP_DIR" ]; then rm -rf "$TEMP_DIR" fi fi echo "" echo "Done." ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/CreateFunction) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/DeleteFunction) + [DeleteLogGroup](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/DeleteLogGroup) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DescribeLogStreams](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/DescribeLogStreams) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/GetFunction) + [GetFunctionConfiguration](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/GetFunctionConfiguration) + [GetLogEvents](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/GetLogEvents) + [Invoke](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/Invoke) ### Using property variables in CloudWatch dashboards to monitor multiple Lambda functions The following code example shows how to: + Create Lambda functions for monitoring + Create a CloudWatch dashboard + Add a property variable to the dashboard + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/032-cloudwatch-streams) repository. ``` #!/bin/bash # CloudWatch Dashboard with Lambda Function Variable Script # This script creates a CloudWatch dashboard with a property variable for Lambda function names # Set up logging LOG_FILE="cloudwatch-dashboard-script-v4.log" echo "Starting script execution at $(date)" > "$LOG_FILE" # Function to log commands and their output log_cmd() { echo "$(date): Running command: $1" >> "$LOG_FILE" eval "$1" 2>&1 | tee -a "$LOG_FILE" return ${PIPESTATUS[0]} } # Function to check for errors in command output check_error() { local cmd_output="$1" local cmd_status="$2" local error_msg="$3" if [ $cmd_status -ne 0 ] || echo "$cmd_output" | grep -i "error" > /dev/null; then echo "ERROR: $error_msg" | tee -a "$LOG_FILE" echo "Command output: $cmd_output" | tee -a "$LOG_FILE" cleanup_resources exit 1 fi } # Function to clean up resources cleanup_resources() { echo "" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "CLEANUP PROCESS" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" if [ -n "$DASHBOARD_NAME" ]; then echo "Deleting CloudWatch dashboard: $DASHBOARD_NAME" | tee -a "$LOG_FILE" log_cmd "aws cloudwatch delete-dashboards --dashboard-names \"$DASHBOARD_NAME\"" fi if [ -n "$LAMBDA_FUNCTION1" ]; then echo "Deleting Lambda function: $LAMBDA_FUNCTION1" | tee -a "$LOG_FILE" log_cmd "aws lambda delete-function --function-name \"$LAMBDA_FUNCTION1\"" fi if [ -n "$LAMBDA_FUNCTION2" ]; then echo "Deleting Lambda function: $LAMBDA_FUNCTION2" | tee -a "$LOG_FILE" log_cmd "aws lambda delete-function --function-name \"$LAMBDA_FUNCTION2\"" fi if [ -n "$ROLE_NAME" ]; then echo "Detaching policy from role: $ROLE_NAME" | tee -a "$LOG_FILE" log_cmd "aws iam detach-role-policy --role-name \"$ROLE_NAME\" --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" echo "Deleting IAM role: $ROLE_NAME" | tee -a "$LOG_FILE" log_cmd "aws iam delete-role --role-name \"$ROLE_NAME\"" fi echo "Cleanup completed." | tee -a "$LOG_FILE" } # Function to prompt for cleanup confirmation confirm_cleanup() { echo "" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "CLEANUP CONFIRMATION" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "The following resources were created:" | tee -a "$LOG_FILE" echo "- CloudWatch Dashboard: $DASHBOARD_NAME" | tee -a "$LOG_FILE" if [ -n "$LAMBDA_FUNCTION1" ]; then echo "- Lambda Function: $LAMBDA_FUNCTION1" | tee -a "$LOG_FILE" fi if [ -n "$LAMBDA_FUNCTION2" ]; then echo "- Lambda Function: $LAMBDA_FUNCTION2" | tee -a "$LOG_FILE" fi if [ -n "$ROLE_NAME" ]; then echo "- IAM Role: $ROLE_NAME" | tee -a "$LOG_FILE" fi echo "" | tee -a "$LOG_FILE" echo "Do you want to clean up all created resources? (y/n): " | tee -a "$LOG_FILE" read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup_resources else echo "Resources were not cleaned up. You can manually delete them later." | tee -a "$LOG_FILE" fi } # Get AWS region AWS_REGION=$(aws configure get region) if [ -z "$AWS_REGION" ]; then AWS_REGION="us-east-1" echo "No region found in AWS config, defaulting to $AWS_REGION" | tee -a "$LOG_FILE" else echo "Using AWS region: $AWS_REGION" | tee -a "$LOG_FILE" fi # Generate unique identifiers RANDOM_ID=$(openssl rand -hex 6) DASHBOARD_NAME="LambdaMetricsDashboard-${RANDOM_ID}" LAMBDA_FUNCTION1="TestFunction1-${RANDOM_ID}" LAMBDA_FUNCTION2="TestFunction2-${RANDOM_ID}" ROLE_NAME="LambdaExecutionRole-${RANDOM_ID}" echo "Using random identifier: $RANDOM_ID" | tee -a "$LOG_FILE" echo "Dashboard name: $DASHBOARD_NAME" | tee -a "$LOG_FILE" echo "Lambda function names: $LAMBDA_FUNCTION1, $LAMBDA_FUNCTION2" | tee -a "$LOG_FILE" echo "IAM role name: $ROLE_NAME" | tee -a "$LOG_FILE" # Create IAM role for Lambda functions echo "Creating IAM role for Lambda..." | tee -a "$LOG_FILE" TRUST_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' echo "$TRUST_POLICY" > trust-policy.json ROLE_OUTPUT=$(log_cmd "aws iam create-role --role-name \"$ROLE_NAME\" --assume-role-policy-document file://trust-policy.json --output json") check_error "$ROLE_OUTPUT" $? "Failed to create IAM role" ROLE_ARN=$(echo "$ROLE_OUTPUT" | grep -o '"Arn": "[^"]*' | cut -d'"' -f4) echo "Role ARN: $ROLE_ARN" | tee -a "$LOG_FILE" # Attach Lambda basic execution policy to the role echo "Attaching Lambda execution policy to role..." | tee -a "$LOG_FILE" POLICY_OUTPUT=$(log_cmd "aws iam attach-role-policy --role-name \"$ROLE_NAME\" --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole") check_error "$POLICY_OUTPUT" $? "Failed to attach policy to role" # Wait for role to propagate echo "Waiting for IAM role to propagate..." | tee -a "$LOG_FILE" sleep 10 # Create simple Python Lambda function code echo "Creating Lambda function code..." | tee -a "$LOG_FILE" cat > lambda_function.py << 'EOF' def handler(event, context): print("Lambda function executed successfully") return { 'statusCode': 200, 'body': 'Success' } EOF # Zip the Lambda function code log_cmd "zip -j lambda_function.zip lambda_function.py" # Create first Lambda function echo "Creating first Lambda function: $LAMBDA_FUNCTION1..." | tee -a "$LOG_FILE" LAMBDA1_OUTPUT=$(log_cmd "aws lambda create-function --function-name \"$LAMBDA_FUNCTION1\" --runtime python3.9 --role \"$ROLE_ARN\" --handler lambda_function.handler --zip-file fileb://lambda_function.zip") check_error "$LAMBDA1_OUTPUT" $? "Failed to create first Lambda function" # Create second Lambda function echo "Creating second Lambda function: $LAMBDA_FUNCTION2..." | tee -a "$LOG_FILE" LAMBDA2_OUTPUT=$(log_cmd "aws lambda create-function --function-name \"$LAMBDA_FUNCTION2\" --runtime python3.9 --role \"$ROLE_ARN\" --handler lambda_function.handler --zip-file fileb://lambda_function.zip") check_error "$LAMBDA2_OUTPUT" $? "Failed to create second Lambda function" # Invoke Lambda functions to generate some metrics echo "Invoking Lambda functions to generate metrics..." | tee -a "$LOG_FILE" log_cmd "aws lambda invoke --function-name \"$LAMBDA_FUNCTION1\" --payload '{}' /dev/null" log_cmd "aws lambda invoke --function-name \"$LAMBDA_FUNCTION2\" --payload '{}' /dev/null" # Create CloudWatch dashboard with property variable echo "Creating CloudWatch dashboard with property variable..." | tee -a "$LOG_FILE" # Create a simpler dashboard with a property variable # This approach uses a more basic dashboard structure that's known to work with the CloudWatch API DASHBOARD_BODY=$(cat < Variables > Create a variable" | tee -a "$LOG_FILE" echo "4. Choose Property variable" | tee -a "$LOG_FILE" echo "5. For Property that the variable changes, choose FunctionName" | tee -a "$LOG_FILE" echo "6. For Input type, choose Select menu (dropdown)" | tee -a "$LOG_FILE" echo "7. Choose Use the results of a metric search" | tee -a "$LOG_FILE" echo "8. Choose Pre-built queries > Lambda > Errors" | tee -a "$LOG_FILE" echo "9. Choose By Function Name and then choose Search" | tee -a "$LOG_FILE" echo "10. (Optional) Configure any secondary settings as desired" | tee -a "$LOG_FILE" echo "11. Choose Add variable" | tee -a "$LOG_FILE" echo "" | tee -a "$LOG_FILE" echo "The dashboard has been created and can be accessed at:" | tee -a "$LOG_FILE" echo "https://console.aws.amazon.com/cloudwatch/home#dashboards:name=$DASHBOARD_NAME" | tee -a "$LOG_FILE" # Verify dashboard creation echo "Verifying dashboard creation..." | tee -a "$LOG_FILE" VERIFY_OUTPUT=$(log_cmd "aws cloudwatch get-dashboard --dashboard-name \"$DASHBOARD_NAME\"") check_error "$VERIFY_OUTPUT" $? "Failed to verify dashboard creation" echo "" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "DASHBOARD CREATED SUCCESSFULLY" | tee -a "$LOG_FILE" echo "==========================================" | tee -a "$LOG_FILE" echo "Dashboard Name: $DASHBOARD_NAME" | tee -a "$LOG_FILE" echo "Lambda Functions: $LAMBDA_FUNCTION1, $LAMBDA_FUNCTION2" | tee -a "$LOG_FILE" echo "" | tee -a "$LOG_FILE" echo "You can view your dashboard in the CloudWatch console:" | tee -a "$LOG_FILE" echo "https://console.aws.amazon.com/cloudwatch/home#dashboards:name=$DASHBOARD_NAME" | tee -a "$LOG_FILE" echo "" | tee -a "$LOG_FILE" # Prompt for cleanup confirm_cleanup echo "Script completed successfully." | tee -a "$LOG_FILE" exit 0 ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/CreateFunction) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteDashboards](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/DeleteDashboards) + [DeleteFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/DeleteFunction) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetDashboard](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/GetDashboard) + [Invoke](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/Invoke) + [PutDashboard](https://docs.aws.amazon.com/goto/aws-cli/monitoring-2010-08-01/PutDashboard) # Lightsail examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Lightsail. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting started with Amazon Lightsail The following code example shows how to: + Create an instance + Add storage to your instance + Create a snapshot + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/001-lightsail-gs) repository. ``` #!/bin/bash # Amazon Lightsail Getting Started CLI Script # This script demonstrates how to create and manage Lightsail resources using the AWS CLI # Set AWS region export AWS_REGION="us-west-2" echo "Using AWS region: $AWS_REGION" # Set up logging LOG_FILE="lightsail-script.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Lightsail Getting Started script at $(date)" # Error handling function handle_error() { echo "ERROR: $1" echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Function to check if a command succeeded check_status() { if [ $? -ne 0 ]; then handle_error "$1" fi } # Generate a random identifier for resource names RANDOM_ID=$(openssl rand -hex 4) INSTANCE_NAME="LightsailInstance-${RANDOM_ID}" DISK_NAME="LightsailDisk-${RANDOM_ID}" SNAPSHOT_NAME="LightsailSnapshot-${RANDOM_ID}" # Array to track created resources declare -a CREATED_RESOURCES # Function to add a resource to the tracking array track_resource() { CREATED_RESOURCES+=("$1:$2") echo "Created $1: $2" } # Function to clean up resources cleanup_resources() { echo "Resources created by this script:" for resource in "${CREATED_RESOURCES[@]}"; do echo " $resource" done # Reverse the array to delete resources in reverse order for (( idx=${#CREATED_RESOURCES[@]}-1 ; idx>=0 ; idx-- )); do IFS=':' read -r type name <<< "${CREATED_RESOURCES[idx]}" case "$type" in "instance_snapshot") echo "Deleting instance snapshot: $name" aws lightsail delete-instance-snapshot --instance-snapshot-name "$name" --region $AWS_REGION ;; "disk_snapshot") echo "Deleting disk snapshot: $name" aws lightsail delete-disk-snapshot --disk-snapshot-name "$name" --region $AWS_REGION ;; "disk") echo "Detaching disk: $name" aws lightsail detach-disk --disk-name "$name" --region $AWS_REGION sleep 10 # Wait for detach to complete echo "Deleting disk: $name" aws lightsail delete-disk --disk-name "$name" --region $AWS_REGION ;; "instance") echo "Deleting instance: $name" # Check instance state before attempting to delete INSTANCE_STATE=$(aws lightsail get-instance-state --instance-name "$name" --region $AWS_REGION --query 'state.name' --output text 2>/dev/null) if [ "$INSTANCE_STATE" == "pending" ]; then echo "Instance is in pending state. Waiting for it to be ready before deleting..." MAX_WAIT=30 WAITED=0 while [ "$INSTANCE_STATE" == "pending" ] && [ $WAITED -lt $MAX_WAIT ]; do sleep 10 WAITED=$((WAITED+1)) INSTANCE_STATE=$(aws lightsail get-instance-state --instance-name "$name" --region $AWS_REGION --query 'state.name' --output text 2>/dev/null) echo "Instance state: $INSTANCE_STATE" done fi aws lightsail delete-instance --instance-name "$name" --region $AWS_REGION ;; esac done echo "Cleanup completed" } # Step 1: Verify AWS CLI configuration echo "Step 1: Verifying AWS CLI configuration" aws configure list check_status "Failed to verify AWS CLI configuration" # Step 2: Get available blueprints and bundles echo "Step 2: Getting available blueprints and bundles" echo "Available blueprints (showing first 5):" aws lightsail get-blueprints --region $AWS_REGION --query 'blueprints[0:5].[blueprintId,name]' --output table check_status "Failed to get blueprints" echo "Available bundles (showing first 5):" aws lightsail get-bundles --region $AWS_REGION --query 'bundles[0:5].[bundleId,name,price]' --output table check_status "Failed to get bundles" # Get available regions and availability zones echo "Getting available regions and availability zones" # Use a specific availability zone in us-west-2 region AVAILABILITY_ZONE="us-west-2a" echo "Using availability zone: $AVAILABILITY_ZONE" # Step 3: Create a Lightsail instance echo "Step 3: Creating Lightsail instance: $INSTANCE_NAME" aws lightsail create-instances \ --instance-names "$INSTANCE_NAME" \ --availability-zone "$AVAILABILITY_ZONE" \ --blueprint-id amazon_linux_2023 \ --bundle-id nano_3_0 \ --region $AWS_REGION check_status "Failed to create Lightsail instance" track_resource "instance" "$INSTANCE_NAME" # Wait for the instance to be in a running state echo "Waiting for instance to be in running state..." # Wait for the instance to be ready (polling approach) MAX_ATTEMPTS=30 ATTEMPTS=0 while [ $ATTEMPTS -lt $MAX_ATTEMPTS ]; do STATUS=$(aws lightsail get-instance-state --instance-name "$INSTANCE_NAME" --region $AWS_REGION --query 'state.name' --output text) if [ "$STATUS" == "running" ]; then echo "Instance is now running" break fi echo "Instance status: $STATUS. Waiting..." ATTEMPTS=$((ATTEMPTS+1)) sleep 10 done if [ $ATTEMPTS -eq $MAX_ATTEMPTS ]; then handle_error "Instance failed to reach running state after 5 minutes" fi # Get instance details echo "Getting instance details" INSTANCE_IP=$(aws lightsail get-instance --instance-name "$INSTANCE_NAME" --region $AWS_REGION --query 'instance.publicIpAddress' --output text) check_status "Failed to get instance IP address" echo "Instance IP address: $INSTANCE_IP" # Step 4: Download the default key pair echo "Step 4: Downloading default key pair" KEY_FILE="lightsail_key_${RANDOM_ID}.pem" aws lightsail download-default-key-pair --region $AWS_REGION --output text > "$KEY_FILE" check_status "Failed to download key pair" chmod 400 "$KEY_FILE" check_status "Failed to set permissions on key pair" echo "Key pair downloaded to $KEY_FILE" echo "To connect to your instance, use:" echo "ssh -i $KEY_FILE ec2-user@$INSTANCE_IP" # Step 5: Create a block storage disk echo "Step 5: Creating block storage disk: $DISK_NAME" aws lightsail create-disk \ --disk-name "$DISK_NAME" \ --availability-zone "$AVAILABILITY_ZONE" \ --size-in-gb 8 \ --region $AWS_REGION check_status "Failed to create disk" track_resource "disk" "$DISK_NAME" # FIX: Wait for the disk to be available using polling instead of fixed sleep echo "Waiting for disk to be available..." MAX_ATTEMPTS=30 ATTEMPTS=0 while [ $ATTEMPTS -lt $MAX_ATTEMPTS ]; do DISK_STATE=$(aws lightsail get-disk --disk-name "$DISK_NAME" --region $AWS_REGION --query 'disk.state' --output text 2>/dev/null) if [ "$DISK_STATE" == "available" ]; then echo "Disk is now available" break fi echo "Disk status: $DISK_STATE. Waiting..." ATTEMPTS=$((ATTEMPTS+1)) sleep 10 done if [ $ATTEMPTS -eq $MAX_ATTEMPTS ]; then handle_error "Disk failed to become available after 5 minutes" fi # Attach the disk to the instance echo "Attaching disk to instance" aws lightsail attach-disk \ --disk-name "$DISK_NAME" \ --instance-name "$INSTANCE_NAME" \ --disk-path /dev/xvdf \ --region $AWS_REGION check_status "Failed to attach disk to instance" echo "Disk attached. To format and mount the disk, connect to your instance and run:" echo "sudo mkfs -t ext4 /dev/xvdf" echo "sudo mkdir -p /mnt/my-data" echo "sudo mount /dev/xvdf /mnt/my-data" echo "sudo chown ec2-user:ec2-user /mnt/my-data" # Step 6: Create a snapshot of the instance echo "Step 6: Creating snapshot of the instance: $SNAPSHOT_NAME" aws lightsail create-instance-snapshot \ --instance-name "$INSTANCE_NAME" \ --instance-snapshot-name "$SNAPSHOT_NAME" \ --region $AWS_REGION check_status "Failed to create instance snapshot" track_resource "instance_snapshot" "$SNAPSHOT_NAME" # FIX: Wait for the snapshot to complete using polling instead of fixed sleep echo "Waiting for snapshot to complete... (this may take several minutes)" MAX_ATTEMPTS=60 # Increased timeout for snapshot creation ATTEMPTS=0 while [ $ATTEMPTS -lt $MAX_ATTEMPTS ]; do SNAPSHOT_STATE=$(aws lightsail get-instance-snapshot --instance-snapshot-name "$SNAPSHOT_NAME" --region $AWS_REGION --query 'instanceSnapshot.state' --output text 2>/dev/null) if [ "$SNAPSHOT_STATE" == "completed" ]; then echo "Snapshot creation completed" break fi echo "Snapshot status: $SNAPSHOT_STATE. Waiting... ($ATTEMPTS/$MAX_ATTEMPTS)" ATTEMPTS=$((ATTEMPTS+1)) sleep 10 done if [ $ATTEMPTS -eq $MAX_ATTEMPTS ]; then echo "Warning: Snapshot creation is taking longer than expected but will continue in the background." echo "You can check its status later with: aws lightsail get-instance-snapshot --instance-snapshot-name $SNAPSHOT_NAME --region $AWS_REGION" fi # Step 7: Clean up resources echo "Step 7: Clean up resources" echo "The script has created the following resources:" for resource in "${CREATED_RESOURCES[@]}"; do echo " $resource" done read -p "Do you want to clean up these resources? (y/n): " CLEANUP_CONFIRM if [[ "$CLEANUP_CONFIRM" == "y" || "$CLEANUP_CONFIRM" == "Y" ]]; then cleanup_resources else echo "Resources will not be cleaned up. You can manually delete them later." echo "To clean up manually, use the following commands:" echo "aws lightsail delete-instance-snapshot --instance-snapshot-name $SNAPSHOT_NAME --region $AWS_REGION" echo "aws lightsail detach-disk --disk-name $DISK_NAME --region $AWS_REGION" echo "aws lightsail delete-disk --disk-name $DISK_NAME --region $AWS_REGION" echo "aws lightsail delete-instance --instance-name $INSTANCE_NAME --region $AWS_REGION" fi echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachDisk](https://docs.aws.amazon.com/goto/aws-cli/lightsail-2016-11-28/AttachDisk) + [CreateDisk](https://docs.aws.amazon.com/goto/aws-cli/lightsail-2016-11-28/CreateDisk) + [CreateInstanceSnapshot](https://docs.aws.amazon.com/goto/aws-cli/lightsail-2016-11-28/CreateInstanceSnapshot) + [CreateInstances](https://docs.aws.amazon.com/goto/aws-cli/lightsail-2016-11-28/CreateInstances) + [DeleteDisk](https://docs.aws.amazon.com/goto/aws-cli/lightsail-2016-11-28/DeleteDisk) + [DeleteInstance](https://docs.aws.amazon.com/goto/aws-cli/lightsail-2016-11-28/DeleteInstance) + [DeleteInstanceSnapshot](https://docs.aws.amazon.com/goto/aws-cli/lightsail-2016-11-28/DeleteInstanceSnapshot) + [DetachDisk](https://docs.aws.amazon.com/goto/aws-cli/lightsail-2016-11-28/DetachDisk) + [DownloadDefaultKeyPair](https://docs.aws.amazon.com/goto/aws-cli/lightsail-2016-11-28/DownloadDefaultKeyPair) + [GetBlueprints](https://docs.aws.amazon.com/goto/aws-cli/lightsail-2016-11-28/GetBlueprints) + [GetBundles](https://docs.aws.amazon.com/goto/aws-cli/lightsail-2016-11-28/GetBundles) + [GetDisk](https://docs.aws.amazon.com/goto/aws-cli/lightsail-2016-11-28/GetDisk) + [GetInstance](https://docs.aws.amazon.com/goto/aws-cli/lightsail-2016-11-28/GetInstance) + [GetInstanceSnapshot](https://docs.aws.amazon.com/goto/aws-cli/lightsail-2016-11-28/GetInstanceSnapshot) + [GetInstanceState](https://docs.aws.amazon.com/goto/aws-cli/lightsail-2016-11-28/GetInstanceState) # Amazon Managed Grafana examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon Managed Grafana. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Creating an Amazon Managed Grafana workspace The following code example shows how to: + Create an IAM role for your workspace + Create a Grafana workspace + Configure authentication + Configure optional settings + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/044-amazon-managed-grafana-gs) repository. ``` #!/bin/bash # Amazon Managed Grafana Workspace Creation Script # This script creates an Amazon Managed Grafana workspace and configures it # Set up logging LOG_FILE="grafana-workspace-creation.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon Managed Grafana workspace creation script at $(date)" echo "All commands and outputs will be logged to $LOG_FILE" # Function to check for errors in command output check_error() { local output=$1 local cmd=$2 if echo "$output" | grep -i "error\|exception\|fail" > /dev/null; then echo "ERROR: Command '$cmd' failed with output:" echo "$output" cleanup_on_error exit 1 fi } # Function to clean up resources on error cleanup_on_error() { echo "Error encountered. Attempting to clean up resources..." if [ -n "$WORKSPACE_ID" ]; then echo "Deleting workspace $WORKSPACE_ID..." aws grafana delete-workspace --workspace-id "$WORKSPACE_ID" fi if [ -n "$ROLE_NAME" ]; then echo "Detaching policies from role $ROLE_NAME..." if [ -n "$POLICY_ARN" ]; then aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN" fi echo "Deleting role $ROLE_NAME..." aws iam delete-role --role-name "$ROLE_NAME" fi if [ -n "$POLICY_ARN" ]; then echo "Deleting policy..." aws iam delete-policy --policy-arn "$POLICY_ARN" fi # Clean up JSON files rm -f trust-policy.json cloudwatch-policy.json echo "Cleanup completed. See $LOG_FILE for details." } # Generate a random identifier for resource names RANDOM_ID=$(openssl rand -hex 4) WORKSPACE_NAME="GrafanaWorkspace-${RANDOM_ID}" ROLE_NAME="GrafanaWorkspaceRole-${RANDOM_ID}" echo "Using workspace name: $WORKSPACE_NAME" echo "Using role name: $ROLE_NAME" # Step 1: Get AWS account ID echo "Getting AWS account ID..." ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) check_error "$ACCOUNT_ID" "get-caller-identity" echo "AWS Account ID: $ACCOUNT_ID" # Step 2: Create IAM role for Grafana workspace echo "Creating IAM role for Grafana workspace..." # Create trust policy document cat > trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "grafana.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create IAM role ROLE_OUTPUT=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document file://trust-policy.json \ --description "Role for Amazon Managed Grafana workspace") check_error "$ROLE_OUTPUT" "create-role" echo "IAM role created successfully" # Extract role ARN ROLE_ARN=$(echo "$ROLE_OUTPUT" | grep -o '"Arn": "[^"]*' | cut -d'"' -f4) echo "Role ARN: $ROLE_ARN" # Attach policies to the role echo "Attaching policies to the role..." # CloudWatch policy cat > cloudwatch-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:DescribeAlarmHistory", "cloudwatch:DescribeAlarms", "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:GetMetricData" ], "Resource": "*" } ] } EOF POLICY_OUTPUT=$(aws iam create-policy \ --policy-name "GrafanaCloudWatchPolicy-${RANDOM_ID}" \ --policy-document file://cloudwatch-policy.json) check_error "$POLICY_OUTPUT" "create-policy" POLICY_ARN=$(echo "$POLICY_OUTPUT" | grep -o '"Arn": "[^"]*' | cut -d'"' -f4) echo "CloudWatch policy ARN: $POLICY_ARN" ATTACH_OUTPUT=$(aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$POLICY_ARN") check_error "$ATTACH_OUTPUT" "attach-role-policy" echo "CloudWatch policy attached to role" # Step 3: Create the Grafana workspace echo "Creating Amazon Managed Grafana workspace..." WORKSPACE_OUTPUT=$(aws grafana create-workspace \ --workspace-name "$WORKSPACE_NAME" \ --authentication-providers "SAML" \ --permission-type "CUSTOMER_MANAGED" \ --account-access-type "CURRENT_ACCOUNT" \ --workspace-role-arn "$ROLE_ARN" \ --workspace-data-sources "CLOUDWATCH" "PROMETHEUS" "XRAY" \ --grafana-version "10.4" \ --tags Environment=Development) check_error "$WORKSPACE_OUTPUT" "create-workspace" echo "Workspace creation initiated:" echo "$WORKSPACE_OUTPUT" # Extract workspace ID WORKSPACE_ID=$(echo "$WORKSPACE_OUTPUT" | grep -o '"id": "[^"]*' | cut -d'"' -f4) if [ -z "$WORKSPACE_ID" ]; then echo "ERROR: Failed to extract workspace ID from output" exit 1 fi echo "Workspace ID: $WORKSPACE_ID" # Step 4: Wait for workspace to become active echo "Waiting for workspace to become active. This may take several minutes..." ACTIVE=false MAX_ATTEMPTS=30 ATTEMPT=0 while [ $ACTIVE = false ] && [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do ATTEMPT=$((ATTEMPT+1)) echo "Checking workspace status (attempt $ATTEMPT of $MAX_ATTEMPTS)..." DESCRIBE_OUTPUT=$(aws grafana describe-workspace --workspace-id "$WORKSPACE_ID") check_error "$DESCRIBE_OUTPUT" "describe-workspace" STATUS=$(echo "$DESCRIBE_OUTPUT" | grep -o '"status": "[^"]*' | cut -d'"' -f4) echo "Current status: $STATUS" if [ "$STATUS" = "ACTIVE" ]; then ACTIVE=true echo "Workspace is now ACTIVE" elif [ "$STATUS" = "FAILED" ]; then echo "ERROR: Workspace creation failed" cleanup_on_error exit 1 else echo "Workspace is still being created. Waiting 30 seconds..." sleep 30 fi done if [ $ACTIVE = false ]; then echo "ERROR: Workspace did not become active within the expected time" cleanup_on_error exit 1 fi # Extract workspace endpoint URL WORKSPACE_URL=$(echo "$DESCRIBE_OUTPUT" | grep -o '"endpoint": "[^"]*' | cut -d'"' -f4) echo "Workspace URL: https://$WORKSPACE_URL" # Step 5: Display workspace information echo "" echo "===========================================" echo "WORKSPACE INFORMATION" echo "===========================================" echo "Workspace ID: $WORKSPACE_ID" echo "Workspace URL: https://$WORKSPACE_URL" echo "Workspace Name: $WORKSPACE_NAME" echo "IAM Role: $ROLE_NAME" echo "" echo "Note: Since SAML authentication is used, you need to configure SAML settings" echo "using the AWS Management Console or the update-workspace-authentication command." echo "===========================================" # Step 6: Prompt for cleanup echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Resources created:" echo "- Amazon Managed Grafana workspace: $WORKSPACE_ID" echo "- IAM Role: $ROLE_NAME" echo "- IAM Policy: GrafanaCloudWatchPolicy-${RANDOM_ID}" echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy] ]]; then echo "Cleaning up resources..." echo "Deleting workspace $WORKSPACE_ID..." DELETE_OUTPUT=$(aws grafana delete-workspace --workspace-id "$WORKSPACE_ID") check_error "$DELETE_OUTPUT" "delete-workspace" echo "Waiting for workspace to be deleted..." DELETED=false ATTEMPT=0 while [ $DELETED = false ] && [ $ATTEMPT -lt $MAX_ATTEMPTS ]; do ATTEMPT=$((ATTEMPT+1)) echo "Checking deletion status (attempt $ATTEMPT of $MAX_ATTEMPTS)..." if aws grafana describe-workspace --workspace-id "$WORKSPACE_ID" 2>&1 | grep -i "not found\|does not exist" > /dev/null; then DELETED=true echo "Workspace has been deleted" else echo "Workspace is still being deleted. Waiting 30 seconds..." sleep 30 fi done if [ $DELETED = false ]; then echo "WARNING: Workspace deletion is taking longer than expected. It may still be in progress." fi # Detach policy from role echo "Detaching policy from role..." aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$POLICY_ARN" # Delete policy echo "Deleting IAM policy..." aws iam delete-policy \ --policy-arn "$POLICY_ARN" # Delete role echo "Deleting IAM role..." aws iam delete-role \ --role-name "$ROLE_NAME" # Clean up JSON files rm -f trust-policy.json cloudwatch-policy.json echo "Cleanup completed" else echo "Skipping cleanup. Resources will remain in your AWS account." fi echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateWorkspace](https://docs.aws.amazon.com/goto/aws-cli/grafana-2020-08-18/CreateWorkspace) + [DeletePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeletePolicy) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteWorkspace](https://docs.aws.amazon.com/goto/aws-cli/grafana-2020-08-18/DeleteWorkspace) + [DescribeWorkspace](https://docs.aws.amazon.com/goto/aws-cli/grafana-2020-08-18/DescribeWorkspace) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) # MediaConnect examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with MediaConnect. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting started with Elemental MediaConnect The following code example shows how to: + Verify access to Elemental MediaConnect + Create a flow + Add an output + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/081-aws-elemental-mediaconnect-gs) repository. ``` #!/bin/bash # AWS Elemental MediaConnect Getting Started Tutorial Script # This script creates a MediaConnect flow, adds an output, grants an entitlement, # and then cleans up the resources. # Set up logging LOG_FILE="mediaconnect-tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting AWS Elemental MediaConnect tutorial script at $(date)" echo "All commands and outputs will be logged to $LOG_FILE" # Function to handle errors handle_error() { echo "ERROR: $1" echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Function to clean up resources cleanup_resources() { echo "Cleaning up resources..." if [ -n "$FLOW_ARN" ]; then # Check flow status before attempting to stop echo "Checking flow status..." FLOW_STATUS_OUTPUT=$(aws mediaconnect describe-flow --flow-arn "$FLOW_ARN" --query "Flow.Status" --output text 2>&1) echo "Current flow status: $FLOW_STATUS_OUTPUT" if [ "$FLOW_STATUS_OUTPUT" == "ACTIVE" ] || [ "$FLOW_STATUS_OUTPUT" == "UPDATING" ]; then echo "Stopping flow: $FLOW_ARN" STOP_FLOW_OUTPUT=$(aws mediaconnect stop-flow --flow-arn "$FLOW_ARN" 2>&1) if echo "$STOP_FLOW_OUTPUT" | grep -i "error" > /dev/null; then echo "WARNING: Failed to stop flow. Output: $STOP_FLOW_OUTPUT" echo "Attempting to delete anyway..." else echo "$STOP_FLOW_OUTPUT" # Wait for flow to stop before deleting echo "Waiting for flow to stop..." sleep 10 fi else echo "Flow is not in ACTIVE or UPDATING state, skipping stop operation." fi # Delete the flow echo "Deleting flow: $FLOW_ARN" DELETE_FLOW_OUTPUT=$(aws mediaconnect delete-flow --flow-arn "$FLOW_ARN" 2>&1) if echo "$DELETE_FLOW_OUTPUT" | grep -i "error" > /dev/null; then echo "WARNING: Failed to delete flow. Output: $DELETE_FLOW_OUTPUT" echo "You may need to manually delete the flow from the AWS console." else echo "$DELETE_FLOW_OUTPUT" fi fi } # Get the current AWS region AWS_REGION=$(aws configure get region) if [ -z "$AWS_REGION" ]; then handle_error "Failed to get AWS region. Please make sure AWS CLI is configured." fi echo "Using AWS Region: $AWS_REGION" # Get available availability zones in the current region echo "Getting available availability zones in region $AWS_REGION..." AZ_OUTPUT=$(aws ec2 describe-availability-zones --region "$AWS_REGION" --query "AvailabilityZones[0].ZoneName" --output text 2>&1) if echo "$AZ_OUTPUT" | grep -i "error" > /dev/null; then handle_error "Failed to get availability zones. Output: $AZ_OUTPUT" fi AVAILABILITY_ZONE="$AZ_OUTPUT" echo "Using availability zone: $AVAILABILITY_ZONE" # Generate a unique suffix for resource names SUFFIX=$(date +%s | cut -c 6-10) FLOW_NAME="AwardsNYCShow-${SUFFIX}" SOURCE_NAME="AwardsNYCSource-${SUFFIX}" OUTPUT_NAME="AwardsNYCOutput-${SUFFIX}" ENTITLEMENT_NAME="PhillyTeam-${SUFFIX}" echo "Using the following resource names:" echo "Flow name: $FLOW_NAME" echo "Source name: $SOURCE_NAME" echo "Output name: $OUTPUT_NAME" echo "Entitlement name: $ENTITLEMENT_NAME" # Step 1: Verify access to MediaConnect echo "Step 1: Verifying access to AWS Elemental MediaConnect..." LIST_FLOWS_OUTPUT=$(aws mediaconnect list-flows 2>&1) if echo "$LIST_FLOWS_OUTPUT" | grep -i "error" > /dev/null; then handle_error "Failed to list flows. Please check your AWS credentials and permissions. Output: $LIST_FLOWS_OUTPUT" fi echo "$LIST_FLOWS_OUTPUT" # Step 2: Create a flow echo "Step 2: Creating a flow..." CREATE_FLOW_OUTPUT=$(aws mediaconnect create-flow \ --availability-zone "$AVAILABILITY_ZONE" \ --name "$FLOW_NAME" \ --source "Name=$SOURCE_NAME,Protocol=zixi-push,WhitelistCidr=10.24.34.0/23,StreamId=ZixiAwardsNYCFeed" 2>&1) if echo "$CREATE_FLOW_OUTPUT" | grep -i "error" > /dev/null; then handle_error "Failed to create flow. Output: $CREATE_FLOW_OUTPUT" fi echo "$CREATE_FLOW_OUTPUT" # Extract the flow ARN from the output FLOW_ARN=$(echo "$CREATE_FLOW_OUTPUT" | grep -o '"FlowArn": "[^"]*' | cut -d'"' -f4) if [ -z "$FLOW_ARN" ]; then handle_error "Failed to extract flow ARN from output" fi echo "Flow ARN: $FLOW_ARN" # Step 3: Add an output echo "Step 3: Adding an output to the flow..." ADD_OUTPUT_OUTPUT=$(aws mediaconnect add-flow-outputs \ --flow-arn "$FLOW_ARN" \ --outputs "Name=$OUTPUT_NAME,Protocol=zixi-push,Destination=198.51.100.11,Port=1024,StreamId=ZixiAwardsOutput" 2>&1) if echo "$ADD_OUTPUT_OUTPUT" | grep -i "error" > /dev/null; then handle_error "Failed to add output to flow. Output: $ADD_OUTPUT_OUTPUT" fi echo "$ADD_OUTPUT_OUTPUT" # Extract the output ARN OUTPUT_ARN=$(echo "$ADD_OUTPUT_OUTPUT" | grep -o '"OutputArn": "[^"]*' | cut -d'"' -f4) echo "Output ARN: $OUTPUT_ARN" # Step 4: Grant an entitlement echo "Step 4: Granting an entitlement..." GRANT_ENTITLEMENT_OUTPUT=$(aws mediaconnect grant-flow-entitlements \ --flow-arn "$FLOW_ARN" \ --entitlements "Name=$ENTITLEMENT_NAME,Subscribers=222233334444" 2>&1) if echo "$GRANT_ENTITLEMENT_OUTPUT" | grep -i "error" > /dev/null; then handle_error "Failed to grant entitlement. Output: $GRANT_ENTITLEMENT_OUTPUT" fi echo "$GRANT_ENTITLEMENT_OUTPUT" # Extract the entitlement ARN ENTITLEMENT_ARN=$(echo "$GRANT_ENTITLEMENT_OUTPUT" | grep -o '"EntitlementArn": "[^"]*' | cut -d'"' -f4) echo "Entitlement ARN: $ENTITLEMENT_ARN" # Step 5: List entitlements to share with affiliates echo "Step 5: Listing entitlements for the flow..." DESCRIBE_FLOW_OUTPUT=$(aws mediaconnect describe-flow --flow-arn "$FLOW_ARN" --query "Flow.Entitlements" 2>&1) if echo "$DESCRIBE_FLOW_OUTPUT" | grep -i "error" > /dev/null; then handle_error "Failed to describe flow. Output: $DESCRIBE_FLOW_OUTPUT" fi echo "Entitlements for the flow:" echo "$DESCRIBE_FLOW_OUTPUT" # Display information to share with affiliates echo "" echo "Information to share with your Philadelphia affiliate:" echo "Entitlement ARN: $ENTITLEMENT_ARN" echo "AWS Region: $AWS_REGION" # Prompt user before cleanup echo "" echo "===========================================" echo "RESOURCE SUMMARY" echo "===========================================" echo "The following resources were created:" echo "1. Flow: $FLOW_NAME (ARN: $FLOW_ARN)" echo "2. Output: $OUTPUT_NAME (ARN: $OUTPUT_ARN)" echo "3. Entitlement: $ENTITLEMENT_NAME (ARN: $ENTITLEMENT_ARN)" echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then # Step 6: Clean up resources echo "Step 6: Cleaning up resources..." # Check flow status before attempting to stop echo "Checking flow status..." FLOW_STATUS_OUTPUT=$(aws mediaconnect describe-flow --flow-arn "$FLOW_ARN" --query "Flow.Status" --output text 2>&1) echo "Current flow status: $FLOW_STATUS_OUTPUT" if [ "$FLOW_STATUS_OUTPUT" == "ACTIVE" ] || [ "$FLOW_STATUS_OUTPUT" == "UPDATING" ]; then echo "Stopping flow: $FLOW_ARN" STOP_FLOW_OUTPUT=$(aws mediaconnect stop-flow --flow-arn "$FLOW_ARN" 2>&1) if echo "$STOP_FLOW_OUTPUT" | grep -i "error" > /dev/null; then echo "WARNING: Failed to stop flow. Output: $STOP_FLOW_OUTPUT" echo "Attempting to delete anyway..." else echo "$STOP_FLOW_OUTPUT" # Wait for flow to stop before deleting echo "Waiting for flow to stop..." sleep 10 fi else echo "Flow is not in ACTIVE or UPDATING state, skipping stop operation." fi # Delete the flow echo "Deleting flow: $FLOW_ARN" DELETE_FLOW_OUTPUT=$(aws mediaconnect delete-flow --flow-arn "$FLOW_ARN" 2>&1) if echo "$DELETE_FLOW_OUTPUT" | grep -i "error" > /dev/null; then echo "WARNING: Failed to delete flow. Output: $DELETE_FLOW_OUTPUT" echo "You may need to manually delete the flow from the AWS console." else echo "$DELETE_FLOW_OUTPUT" fi echo "Cleanup completed." else echo "Skipping cleanup. Resources will remain in your AWS account." echo "To clean up later, you'll need to manually stop and delete the flow using the AWS console or CLI." fi echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AddFlowOutputs](https://docs.aws.amazon.com/goto/aws-cli/mediaconnect-2018-11-14/AddFlowOutputs) + [CreateFlow](https://docs.aws.amazon.com/goto/aws-cli/mediaconnect-2018-11-14/CreateFlow) + [DeleteFlow](https://docs.aws.amazon.com/goto/aws-cli/mediaconnect-2018-11-14/DeleteFlow) + [DescribeAvailabilityZones](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeAvailabilityZones) + [DescribeFlow](https://docs.aws.amazon.com/goto/aws-cli/mediaconnect-2018-11-14/DescribeFlow) + [GrantFlowEntitlements](https://docs.aws.amazon.com/goto/aws-cli/mediaconnect-2018-11-14/GrantFlowEntitlements) + [ListFlows](https://docs.aws.amazon.com/goto/aws-cli/mediaconnect-2018-11-14/ListFlows) + [StopFlow](https://docs.aws.amazon.com/goto/aws-cli/mediaconnect-2018-11-14/StopFlow) # Amazon MSK examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon MSK. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting started with Amazon MSK The following code example shows how to: + Create an MSK cluster + Create IAM permissions for MSK access + Create a client machine + Get bootstrap brokers + Set up the client machine + Create a topic and produce/consume data + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/057-amazon-managed-streaming-for-apache-kafka-gs) repository. ``` #!/bin/bash # Amazon MSK Getting Started Tutorial Script - Version 8 # This script automates the steps in the Amazon MSK Getting Started tutorial # It creates an MSK cluster, sets up IAM permissions, creates a client machine, # and configures the client to interact with the cluster # Set up logging LOG_FILE="msk_tutorial_$(date +%Y%m%d_%H%M%S).log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon MSK Getting Started Tutorial Script - Version 8" echo "Logging to $LOG_FILE" echo "==============================================" # Function to handle errors handle_error() { echo "ERROR: $1" echo "Resources created so far:" if [ -n "$CLUSTER_ARN" ]; then echo "- MSK Cluster: $CLUSTER_ARN"; fi if [ -n "$POLICY_ARN" ]; then echo "- IAM Policy: $POLICY_ARN"; fi if [ -n "$ROLE_NAME" ]; then echo "- IAM Role: $ROLE_NAME"; fi if [ -n "$INSTANCE_PROFILE_NAME" ]; then echo "- IAM Instance Profile: $INSTANCE_PROFILE_NAME"; fi if [ -n "$CLIENT_SG_ID" ]; then echo "- Client Security Group: $CLIENT_SG_ID"; fi if [ -n "$INSTANCE_ID" ]; then echo "- EC2 Instance: $INSTANCE_ID"; fi if [ -n "$KEY_NAME" ]; then echo "- Key Pair: $KEY_NAME"; fi echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Function to check if a resource exists resource_exists() { local resource_type="$1" local resource_id="$2" case "$resource_type" in "cluster") aws kafka describe-cluster --cluster-arn "$resource_id" &>/dev/null ;; "policy") aws iam get-policy --policy-arn "$resource_id" &>/dev/null ;; "role") aws iam get-role --role-name "$resource_id" &>/dev/null ;; "instance-profile") aws iam get-instance-profile --instance-profile-name "$resource_id" &>/dev/null ;; "security-group") aws ec2 describe-security-groups --group-ids "$resource_id" &>/dev/null ;; "instance") aws ec2 describe-instances --instance-ids "$resource_id" --query 'Reservations[0].Instances[0].State.Name' --output text | grep -v "terminated" &>/dev/null ;; "key-pair") aws ec2 describe-key-pairs --key-names "$resource_id" &>/dev/null ;; esac } # Function to remove security group references remove_security_group_references() { local sg_id="$1" if [ -z "$sg_id" ]; then echo "No security group ID provided for reference removal" return fi echo "Removing security group references for $sg_id" # Get all security groups in the VPC that might reference our client security group local vpc_security_groups=$(aws ec2 describe-security-groups \ --filters "Name=vpc-id,Values=$DEFAULT_VPC_ID" \ --query 'SecurityGroups[].GroupId' \ --output text 2>/dev/null) if [ -n "$vpc_security_groups" ]; then for other_sg in $vpc_security_groups; do if [ "$other_sg" != "$sg_id" ]; then echo "Checking security group $other_sg for references to $sg_id" # Get the security group details in JSON format local sg_details=$(aws ec2 describe-security-groups \ --group-ids "$other_sg" \ --output json 2>/dev/null) if [ -n "$sg_details" ]; then # Check if our security group is referenced in inbound rules local has_inbound_ref=$(echo "$sg_details" | grep -o "\"GroupId\": \"$sg_id\"" | head -1) if [ -n "$has_inbound_ref" ]; then echo "Found inbound rules in $other_sg referencing $sg_id, removing them..." # Try to remove common rule types echo "Attempting to remove all-traffic rule" aws ec2 revoke-security-group-ingress \ --group-id "$other_sg" \ --protocol all \ --source-group "$sg_id" 2>/dev/null || echo "No all-traffic rule to remove" # Try to remove TCP rules on common ports for port in 22 80 443 9092 9094 9096; do aws ec2 revoke-security-group-ingress \ --group-id "$other_sg" \ --protocol tcp \ --port "$port" \ --source-group "$sg_id" 2>/dev/null || true done # Try to remove UDP rules aws ec2 revoke-security-group-ingress \ --group-id "$other_sg" \ --protocol udp \ --source-group "$sg_id" 2>/dev/null || true fi # Check for outbound rules (less common but possible) local has_outbound_ref=$(echo "$sg_details" | grep -A 20 "IpPermissionsEgress" | grep -o "\"GroupId\": \"$sg_id\"" | head -1) if [ -n "$has_outbound_ref" ]; then echo "Found outbound rules in $other_sg referencing $sg_id, removing them..." aws ec2 revoke-security-group-egress \ --group-id "$other_sg" \ --protocol all \ --source-group "$sg_id" 2>/dev/null || echo "No outbound all-traffic rule to remove" fi fi fi done fi echo "Completed security group reference removal for $sg_id" } # Function to clean up resources cleanup_resources() { echo "Cleaning up resources..." # Delete EC2 instance if it exists if [ -n "$INSTANCE_ID" ] && resource_exists "instance" "$INSTANCE_ID"; then echo "Terminating EC2 instance: $INSTANCE_ID" aws ec2 terminate-instances --instance-ids "$INSTANCE_ID" || echo "Failed to terminate instance" echo "Waiting for instance to terminate..." aws ec2 wait instance-terminated --instance-ids "$INSTANCE_ID" || echo "Failed to wait for instance termination" fi # Delete MSK cluster first (to remove dependencies on security group) if [ -n "$CLUSTER_ARN" ] && resource_exists "cluster" "$CLUSTER_ARN"; then echo "Deleting MSK cluster: $CLUSTER_ARN" aws kafka delete-cluster --cluster-arn "$CLUSTER_ARN" || echo "Failed to delete cluster" # Wait a bit for the cluster deletion to start echo "Waiting 30 seconds for cluster deletion to begin..." sleep 30 fi # Remove security group references before attempting deletion if [ -n "$CLIENT_SG_ID" ] && resource_exists "security-group" "$CLIENT_SG_ID"; then remove_security_group_references "$CLIENT_SG_ID" echo "Deleting security group: $CLIENT_SG_ID" # Try multiple times with longer delays to ensure dependencies are removed for i in {1..10}; do if aws ec2 delete-security-group --group-id "$CLIENT_SG_ID"; then echo "Security group deleted successfully" break fi echo "Failed to delete security group (attempt $i/10), retrying in 30 seconds..." sleep 30 done fi # Delete key pair if it exists if [ -n "$KEY_NAME" ] && resource_exists "key-pair" "$KEY_NAME"; then echo "Deleting key pair: $KEY_NAME" aws ec2 delete-key-pair --key-name "$KEY_NAME" || echo "Failed to delete key pair" fi # Remove role from instance profile if [ -n "$ROLE_NAME" ] && [ -n "$INSTANCE_PROFILE_NAME" ] && resource_exists "instance-profile" "$INSTANCE_PROFILE_NAME"; then echo "Removing role from instance profile" aws iam remove-role-from-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME" \ --role-name "$ROLE_NAME" || echo "Failed to remove role from instance profile" fi # Delete instance profile if [ -n "$INSTANCE_PROFILE_NAME" ] && resource_exists "instance-profile" "$INSTANCE_PROFILE_NAME"; then echo "Deleting instance profile: $INSTANCE_PROFILE_NAME" aws iam delete-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME" || echo "Failed to delete instance profile" fi # Detach policy from role if [ -n "$ROLE_NAME" ] && [ -n "$POLICY_ARN" ] && resource_exists "role" "$ROLE_NAME"; then echo "Detaching policy from role" aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$POLICY_ARN" || echo "Failed to detach policy" fi # Delete role if [ -n "$ROLE_NAME" ] && resource_exists "role" "$ROLE_NAME"; then echo "Deleting role: $ROLE_NAME" aws iam delete-role --role-name "$ROLE_NAME" || echo "Failed to delete role" fi # Delete policy if [ -n "$POLICY_ARN" ] && resource_exists "policy" "$POLICY_ARN"; then echo "Deleting policy: $POLICY_ARN" aws iam delete-policy --policy-arn "$POLICY_ARN" || echo "Failed to delete policy" fi echo "Cleanup completed" } # Function to find a suitable subnet and instance type combination find_suitable_subnet_and_instance_type() { local vpc_id="$1" local -a subnet_array=("${!2}") # List of instance types to try, in order of preference local instance_types=("t3.micro" "t2.micro" "t3.small" "t2.small") echo "Finding suitable subnet and instance type combination..." for instance_type in "${instance_types[@]}"; do echo "Trying instance type: $instance_type" for subnet_id in "${subnet_array[@]}"; do # Get the availability zone for this subnet local az=$(aws ec2 describe-subnets \ --subnet-ids "$subnet_id" \ --query 'Subnets[0].AvailabilityZone' \ --output text) echo " Checking subnet $subnet_id in AZ $az" # Check if this instance type is available in this AZ local available=$(aws ec2 describe-instance-type-offerings \ --location-type availability-zone \ --filters "Name=location,Values=$az" "Name=instance-type,Values=$instance_type" \ --query 'InstanceTypeOfferings[0].InstanceType' \ --output text 2>/dev/null) if [ "$available" = "$instance_type" ]; then echo " ✓ Found suitable combination: $instance_type in $az (subnet: $subnet_id)" SELECTED_SUBNET_ID="$subnet_id" SELECTED_INSTANCE_TYPE="$instance_type" return 0 else echo " ✗ $instance_type not available in $az" fi done done echo "ERROR: Could not find any suitable subnet and instance type combination" return 1 } # Generate unique identifiers RANDOM_SUFFIX=$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | fold -w 8 | head -n 1) CLUSTER_NAME="MSKTutorialCluster-${RANDOM_SUFFIX}" POLICY_NAME="msk-tutorial-policy-${RANDOM_SUFFIX}" ROLE_NAME="msk-tutorial-role-${RANDOM_SUFFIX}" INSTANCE_PROFILE_NAME="msk-tutorial-profile-${RANDOM_SUFFIX}" SG_NAME="MSKClientSecurityGroup-${RANDOM_SUFFIX}" echo "Using the following resource names:" echo "- Cluster Name: $CLUSTER_NAME" echo "- Policy Name: $POLICY_NAME" echo "- Role Name: $ROLE_NAME" echo "- Instance Profile Name: $INSTANCE_PROFILE_NAME" echo "- Security Group Name: $SG_NAME" echo "==============================================" # Step 1: Create an MSK Provisioned cluster echo "Step 1: Creating MSK Provisioned cluster" # Get the default VPC ID first echo "Getting default VPC..." DEFAULT_VPC_ID=$(aws ec2 describe-vpcs \ --filters "Name=is-default,Values=true" \ --query "Vpcs[0].VpcId" \ --output text) if [ -z "$DEFAULT_VPC_ID" ] || [ "$DEFAULT_VPC_ID" = "None" ]; then handle_error "Could not find default VPC. Please ensure you have a default VPC in your region." fi echo "Default VPC ID: $DEFAULT_VPC_ID" # Get available subnets in the default VPC echo "Getting available subnets in the default VPC..." SUBNETS=$(aws ec2 describe-subnets \ --filters "Name=vpc-id,Values=$DEFAULT_VPC_ID" "Name=default-for-az,Values=true" \ --query "Subnets[0:3].SubnetId" \ --output text) # Convert space-separated subnet IDs to an array read -r -a SUBNET_ARRAY <<< "$SUBNETS" if [ ${#SUBNET_ARRAY[@]} -lt 3 ]; then handle_error "Not enough subnets available in the default VPC. Need at least 3 subnets, found ${#SUBNET_ARRAY[@]}." fi # Get default security group for the default VPC echo "Getting default security group for the default VPC..." DEFAULT_SG=$(aws ec2 describe-security-groups \ --filters "Name=group-name,Values=default" "Name=vpc-id,Values=$DEFAULT_VPC_ID" \ --query "SecurityGroups[0].GroupId" \ --output text) if [ -z "$DEFAULT_SG" ] || [ "$DEFAULT_SG" = "None" ]; then handle_error "Could not find default security group for VPC $DEFAULT_VPC_ID" fi echo "Creating MSK cluster: $CLUSTER_NAME" echo "Using VPC: $DEFAULT_VPC_ID" echo "Using subnets: ${SUBNET_ARRAY[0]} ${SUBNET_ARRAY[1]} ${SUBNET_ARRAY[2]}" echo "Using security group: $DEFAULT_SG" # Create the MSK cluster with proper error handling CLUSTER_RESPONSE=$(aws kafka create-cluster \ --cluster-name "$CLUSTER_NAME" \ --broker-node-group-info "{\"InstanceType\": \"kafka.t3.small\", \"ClientSubnets\": [\"${SUBNET_ARRAY[0]}\", \"${SUBNET_ARRAY[1]}\", \"${SUBNET_ARRAY[2]}\"], \"SecurityGroups\": [\"$DEFAULT_SG\"]}" \ --kafka-version "3.6.0" \ --number-of-broker-nodes 3 \ --encryption-info "{\"EncryptionInTransit\": {\"InCluster\": true, \"ClientBroker\": \"TLS\"}}" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to create MSK cluster: $CLUSTER_RESPONSE" fi # Extract the cluster ARN using grep CLUSTER_ARN=$(echo "$CLUSTER_RESPONSE" | grep -o '"ClusterArn": "[^"]*' | cut -d'"' -f4) if [ -z "$CLUSTER_ARN" ]; then handle_error "Failed to extract cluster ARN from response: $CLUSTER_RESPONSE" fi echo "MSK cluster creation initiated. ARN: $CLUSTER_ARN" echo "Waiting for cluster to become active (this may take 15-20 minutes)..." # Wait for the cluster to become active while true; do CLUSTER_STATUS=$(aws kafka describe-cluster --cluster-arn "$CLUSTER_ARN" --query "ClusterInfo.State" --output text 2>/dev/null) if [ $? -ne 0 ]; then echo "Failed to get cluster status. Retrying in 30 seconds..." sleep 30 continue fi echo "Current cluster status: $CLUSTER_STATUS" if [ "$CLUSTER_STATUS" = "ACTIVE" ]; then echo "Cluster is now active!" break elif [ "$CLUSTER_STATUS" = "FAILED" ]; then handle_error "Cluster creation failed" fi echo "Still waiting for cluster to become active... (checking again in 60 seconds)" sleep 60 done echo "==============================================" # Step 2: Create an IAM role granting access to create topics on the Amazon MSK cluster echo "Step 2: Creating IAM policy and role" # Get account ID and region ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) REGION=$(aws configure get region) if [ -z "$REGION" ]; then REGION=$(aws ec2 describe-availability-zones --query 'AvailabilityZones[0].RegionName' --output text) fi if [ -z "$ACCOUNT_ID" ] || [ -z "$REGION" ]; then handle_error "Could not determine AWS account ID or region" fi echo "Account ID: $ACCOUNT_ID" echo "Region: $REGION" # Create IAM policy echo "Creating IAM policy: $POLICY_NAME" POLICY_DOCUMENT="{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Action\": [ \"kafka-cluster:Connect\", \"kafka-cluster:AlterCluster\", \"kafka-cluster:DescribeCluster\" ], \"Resource\": [ \"$CLUSTER_ARN\" ] }, { \"Effect\": \"Allow\", \"Action\": [ \"kafka-cluster:*Topic*\", \"kafka-cluster:WriteData\", \"kafka-cluster:ReadData\" ], \"Resource\": [ \"arn:aws:kafka:$REGION:$ACCOUNT_ID:topic/$CLUSTER_NAME/*\" ] }, { \"Effect\": \"Allow\", \"Action\": [ \"kafka-cluster:AlterGroup\", \"kafka-cluster:DescribeGroup\" ], \"Resource\": [ \"arn:aws:kafka:$REGION:$ACCOUNT_ID:group/$CLUSTER_NAME/*\" ] } ] }" POLICY_RESPONSE=$(aws iam create-policy \ --policy-name "$POLICY_NAME" \ --policy-document "$POLICY_DOCUMENT" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to create IAM policy: $POLICY_RESPONSE" fi # Extract the policy ARN using grep POLICY_ARN=$(echo "$POLICY_RESPONSE" | grep -o '"Arn": "[^"]*' | cut -d'"' -f4) if [ -z "$POLICY_ARN" ]; then handle_error "Failed to extract policy ARN from response: $POLICY_RESPONSE" fi echo "IAM policy created. ARN: $POLICY_ARN" # Create IAM role for EC2 echo "Creating IAM role: $ROLE_NAME" TRUST_POLICY="{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}" ROLE_RESPONSE=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document "$TRUST_POLICY" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to create IAM role: $ROLE_RESPONSE" fi echo "IAM role created: $ROLE_NAME" # Attach policy to role echo "Attaching policy to role" ATTACH_RESPONSE=$(aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$POLICY_ARN" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to attach policy to role: $ATTACH_RESPONSE" fi echo "Policy attached to role" # Create instance profile and add role to it echo "Creating instance profile: $INSTANCE_PROFILE_NAME" PROFILE_RESPONSE=$(aws iam create-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to create instance profile: $PROFILE_RESPONSE" fi echo "Instance profile created" echo "Adding role to instance profile" ADD_ROLE_RESPONSE=$(aws iam add-role-to-instance-profile \ --instance-profile-name "$INSTANCE_PROFILE_NAME" \ --role-name "$ROLE_NAME" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to add role to instance profile: $ADD_ROLE_RESPONSE" fi echo "Role added to instance profile" # Wait a moment for IAM propagation echo "Waiting 10 seconds for IAM propagation..." sleep 10 echo "==============================================" # Step 3: Create a client machine echo "Step 3: Creating client machine" # Find a suitable subnet and instance type combination if ! find_suitable_subnet_and_instance_type "$DEFAULT_VPC_ID" SUBNET_ARRAY[@]; then handle_error "Could not find a suitable subnet and instance type combination" fi echo "Selected subnet: $SELECTED_SUBNET_ID" echo "Selected instance type: $SELECTED_INSTANCE_TYPE" # Verify the subnet is in the same VPC we're using SUBNET_VPC_ID=$(aws ec2 describe-subnets \ --subnet-ids "$SELECTED_SUBNET_ID" \ --query 'Subnets[0].VpcId' \ --output text) if [ "$SUBNET_VPC_ID" != "$DEFAULT_VPC_ID" ]; then handle_error "Subnet VPC ($SUBNET_VPC_ID) does not match default VPC ($DEFAULT_VPC_ID)" fi echo "VPC ID: $SUBNET_VPC_ID" # Get security group ID from the MSK cluster echo "Getting security group ID from the MSK cluster" MSK_SG_ID=$(aws kafka describe-cluster \ --cluster-arn "$CLUSTER_ARN" \ --query 'ClusterInfo.BrokerNodeGroupInfo.SecurityGroups[0]' \ --output text) if [ -z "$MSK_SG_ID" ] || [ "$MSK_SG_ID" = "None" ]; then handle_error "Failed to get security group ID from cluster" fi echo "MSK security group ID: $MSK_SG_ID" # Create security group for client echo "Creating security group for client: $SG_NAME" CLIENT_SG_RESPONSE=$(aws ec2 create-security-group \ --group-name "$SG_NAME" \ --description "Security group for MSK client" \ --vpc-id "$DEFAULT_VPC_ID" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to create security group: $CLIENT_SG_RESPONSE" fi # Extract the security group ID using grep CLIENT_SG_ID=$(echo "$CLIENT_SG_RESPONSE" | grep -o '"GroupId": "[^"]*' | cut -d'"' -f4) if [ -z "$CLIENT_SG_ID" ]; then handle_error "Failed to extract security group ID from response: $CLIENT_SG_RESPONSE" fi echo "Client security group created. ID: $CLIENT_SG_ID" # Allow SSH access to client from your IP only echo "Getting your public IP address" MY_IP=$(curl -s https://checkip.amazonaws.com 2>/dev/null) if [ -z "$MY_IP" ]; then echo "Warning: Could not determine your IP address. Using 0.0.0.0/0 (not recommended for production)" MY_IP="0.0.0.0/0" else MY_IP="$MY_IP/32" echo "Your IP address: $MY_IP" fi echo "Adding SSH ingress rule to client security group" SSH_RULE_RESPONSE=$(aws ec2 authorize-security-group-ingress \ --group-id "$CLIENT_SG_ID" \ --protocol tcp \ --port 22 \ --cidr "$MY_IP" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then echo "Warning: Failed to add SSH ingress rule: $SSH_RULE_RESPONSE" echo "You may need to manually add SSH access to security group $CLIENT_SG_ID" fi echo "SSH ingress rule added" # Update MSK security group to allow traffic from client security group echo "Adding ingress rule to MSK security group to allow traffic from client" MSK_RULE_RESPONSE=$(aws ec2 authorize-security-group-ingress \ --group-id "$MSK_SG_ID" \ --protocol all \ --source-group "$CLIENT_SG_ID" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then echo "Warning: Failed to add ingress rule to MSK security group: $MSK_RULE_RESPONSE" echo "You may need to manually add ingress rule to security group $MSK_SG_ID" fi echo "Ingress rule added to MSK security group" # Create key pair KEY_NAME="MSKKeyPair-${RANDOM_SUFFIX}" echo "Creating key pair: $KEY_NAME" KEY_RESPONSE=$(aws ec2 create-key-pair --key-name "$KEY_NAME" --query 'KeyMaterial' --output text 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to create key pair: $KEY_RESPONSE" fi # Save the private key to a file KEY_FILE="${KEY_NAME}.pem" echo "$KEY_RESPONSE" > "$KEY_FILE" chmod 400 "$KEY_FILE" echo "Key pair created and saved to $KEY_FILE" # Get the latest Amazon Linux 2 AMI echo "Getting latest Amazon Linux 2 AMI ID" AMI_ID=$(aws ec2 describe-images \ --owners amazon \ --filters "Name=name,Values=amzn2-ami-hvm-*-x86_64-gp2" "Name=state,Values=available" \ --query "sort_by(Images, &CreationDate)[-1].ImageId" \ --output text 2>/dev/null) if [ -z "$AMI_ID" ] || [ "$AMI_ID" = "None" ]; then handle_error "Failed to get Amazon Linux 2 AMI ID" fi echo "Using AMI ID: $AMI_ID" # Launch EC2 instance with the selected subnet and instance type echo "Launching EC2 instance" echo "Instance type: $SELECTED_INSTANCE_TYPE" echo "Subnet: $SELECTED_SUBNET_ID" INSTANCE_RESPONSE=$(aws ec2 run-instances \ --image-id "$AMI_ID" \ --instance-type "$SELECTED_INSTANCE_TYPE" \ --key-name "$KEY_NAME" \ --security-group-ids "$CLIENT_SG_ID" \ --subnet-id "$SELECTED_SUBNET_ID" \ --iam-instance-profile "Name=$INSTANCE_PROFILE_NAME" \ --tag-specifications "ResourceType=instance,Tags=[{Key=Name,Value=MSKTutorialClient-${RANDOM_SUFFIX}}]" 2>&1) # Check if the command was successful if [ $? -ne 0 ]; then handle_error "Failed to launch EC2 instance: $INSTANCE_RESPONSE" fi # Extract the instance ID using grep INSTANCE_ID=$(echo "$INSTANCE_RESPONSE" | grep -o '"InstanceId": "[^"]*' | head -1 | cut -d'"' -f4) if [ -z "$INSTANCE_ID" ]; then handle_error "Failed to extract instance ID from response: $INSTANCE_RESPONSE" fi echo "EC2 instance launched successfully. ID: $INSTANCE_ID" echo "Waiting for instance to be running..." # Wait for the instance to be running aws ec2 wait instance-running --instance-ids "$INSTANCE_ID" if [ $? -ne 0 ]; then handle_error "Instance failed to reach running state" fi # Wait a bit more for the instance to initialize echo "Instance is running. Waiting 30 seconds for initialization..." sleep 30 # Get public DNS name of instance CLIENT_DNS=$(aws ec2 describe-instances \ --instance-ids "$INSTANCE_ID" \ --query 'Reservations[0].Instances[0].PublicDnsName' \ --output text) if [ -z "$CLIENT_DNS" ] || [ "$CLIENT_DNS" = "None" ]; then echo "Warning: Could not get public DNS name for instance. Trying public IP..." CLIENT_DNS=$(aws ec2 describe-instances \ --instance-ids "$INSTANCE_ID" \ --query 'Reservations[0].Instances[0].PublicIpAddress' \ --output text) if [ -z "$CLIENT_DNS" ] || [ "$CLIENT_DNS" = "None" ]; then handle_error "Failed to get public DNS name or IP address for instance" fi fi echo "Client instance DNS/IP: $CLIENT_DNS" echo "==============================================" # Get bootstrap brokers with improved logic echo "Getting bootstrap brokers" MAX_RETRIES=10 RETRY_COUNT=0 BOOTSTRAP_BROKERS="" AUTH_METHOD="" while [ -z "$BOOTSTRAP_BROKERS" ] || [ "$BOOTSTRAP_BROKERS" = "None" ]; do # Get the full bootstrap brokers response BOOTSTRAP_RESPONSE=$(aws kafka get-bootstrap-brokers \ --cluster-arn "$CLUSTER_ARN" 2>/dev/null) if [ $? -eq 0 ] && [ -n "$BOOTSTRAP_RESPONSE" ]; then # Try to get IAM authentication brokers first using grep BOOTSTRAP_BROKERS=$(echo "$BOOTSTRAP_RESPONSE" | grep -o '"BootstrapBrokerStringSaslIam": "[^"]*' | cut -d'"' -f4) if [ -n "$BOOTSTRAP_BROKERS" ]; then AUTH_METHOD="IAM" else # Fall back to TLS authentication BOOTSTRAP_BROKERS=$(echo "$BOOTSTRAP_RESPONSE" | grep -o '"BootstrapBrokerStringTls": "[^"]*' | cut -d'"' -f4) if [ -n "$BOOTSTRAP_BROKERS" ]; then AUTH_METHOD="TLS" fi fi fi RETRY_COUNT=$((RETRY_COUNT + 1)) if [ "$RETRY_COUNT" -ge "$MAX_RETRIES" ]; then echo "Warning: Could not get bootstrap brokers after $MAX_RETRIES attempts." echo "You may need to manually retrieve them later using:" echo "aws kafka get-bootstrap-brokers --cluster-arn $CLUSTER_ARN" BOOTSTRAP_BROKERS="BOOTSTRAP_BROKERS_NOT_AVAILABLE" AUTH_METHOD="UNKNOWN" break fi if [ -z "$BOOTSTRAP_BROKERS" ] || [ "$BOOTSTRAP_BROKERS" = "None" ]; then echo "Bootstrap brokers not available yet. Retrying in 30 seconds... (Attempt $RETRY_COUNT/$MAX_RETRIES)" sleep 30 fi done echo "Bootstrap brokers: $BOOTSTRAP_BROKERS" echo "Authentication method: $AUTH_METHOD" echo "==============================================" # Create setup script for the client machine echo "Creating setup script for the client machine" cat > setup_client.sh << 'EOF' #!/bin/bash # Set up logging LOG_FILE="client_setup_$(date +%Y%m%d_%H%M%S).log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting client setup" echo "==============================================" # Install Java echo "Installing Java" sudo yum -y install java-11 # Set environment variables echo "Setting up environment variables" export KAFKA_VERSION="3.6.0" echo "KAFKA_VERSION=$KAFKA_VERSION" # Download and extract Apache Kafka echo "Downloading Apache Kafka" wget https://archive.apache.org/dist/kafka/$KAFKA_VERSION/kafka_2.13-$KAFKA_VERSION.tgz if [ $? -ne 0 ]; then echo "Failed to download Kafka. Trying alternative mirror..." wget https://www.apache.org/dyn/closer.cgi?path=/kafka/$KAFKA_VERSION/kafka_2.13-$KAFKA_VERSION.tgz fi echo "Extracting Kafka" tar -xzf kafka_2.13-$KAFKA_VERSION.tgz export KAFKA_ROOT=$(pwd)/kafka_2.13-$KAFKA_VERSION echo "KAFKA_ROOT=$KAFKA_ROOT" # Download the MSK IAM authentication package (needed for both IAM and TLS) echo "Downloading MSK IAM authentication package" cd $KAFKA_ROOT/libs wget https://github.com/aws/aws-msk-iam-auth/releases/latest/download/aws-msk-iam-auth-1.1.6-all.jar if [ $? -ne 0 ]; then echo "Failed to download specific version. Trying to get latest version..." LATEST_VERSION=$(curl -s https://api.github.com/repos/aws/aws-msk-iam-auth/releases/latest | grep -o '"tag_name": "[^"]*' | cut -d'"' -f4) wget https://github.com/aws/aws-msk-iam-auth/releases/download/$LATEST_VERSION/aws-msk-iam-auth-$LATEST_VERSION-all.jar if [ $? -ne 0 ]; then echo "Failed to download IAM auth package. Please check the URL and try again." exit 1 fi export CLASSPATH=$KAFKA_ROOT/libs/aws-msk-iam-auth-$LATEST_VERSION-all.jar else export CLASSPATH=$KAFKA_ROOT/libs/aws-msk-iam-auth-1.1.6-all.jar fi echo "CLASSPATH=$CLASSPATH" # Create client properties file based on authentication method echo "Creating client properties file" cd $KAFKA_ROOT/config # The AUTH_METHOD_PLACEHOLDER will be replaced by the script AUTH_METHOD="AUTH_METHOD_PLACEHOLDER" if [ "$AUTH_METHOD" = "IAM" ]; then echo "Configuring for IAM authentication" cat > client.properties << 'EOT' security.protocol=SASL_SSL sasl.mechanism=AWS_MSK_IAM sasl.jaas.config=software.amazon.msk.auth.iam.IAMLoginModule required; sasl.client.callback.handler.class=software.amazon.msk.auth.iam.IAMClientCallbackHandler EOT elif [ "$AUTH_METHOD" = "TLS" ]; then echo "Configuring for TLS authentication" cat > client.properties << 'EOT' security.protocol=SSL EOT else echo "Unknown authentication method. Creating basic TLS configuration." cat > client.properties << 'EOT' security.protocol=SSL EOT fi echo "Client setup completed" echo "==============================================" # Create a script to set up environment variables cat > ~/setup_env.sh << 'EOT' #!/bin/bash export KAFKA_VERSION="3.6.0" export KAFKA_ROOT=~/kafka_2.13-$KAFKA_VERSION export CLASSPATH=$KAFKA_ROOT/libs/aws-msk-iam-auth-1.1.6-all.jar export BOOTSTRAP_SERVER="BOOTSTRAP_SERVER_PLACEHOLDER" export AUTH_METHOD="AUTH_METHOD_PLACEHOLDER" echo "Environment variables set:" echo "KAFKA_VERSION=$KAFKA_VERSION" echo "KAFKA_ROOT=$KAFKA_ROOT" echo "CLASSPATH=$CLASSPATH" echo "BOOTSTRAP_SERVER=$BOOTSTRAP_SERVER" echo "AUTH_METHOD=$AUTH_METHOD" EOT chmod +x ~/setup_env.sh echo "Created environment setup script: ~/setup_env.sh" echo "Run 'source ~/setup_env.sh' to set up your environment" EOF # Replace placeholders in the setup script if [ -n "$BOOTSTRAP_BROKERS" ] && [ "$BOOTSTRAP_BROKERS" != "None" ] && [ "$BOOTSTRAP_BROKERS" != "BOOTSTRAP_BROKERS_NOT_AVAILABLE" ]; then sed -i "s|BOOTSTRAP_SERVER_PLACEHOLDER|$BOOTSTRAP_BROKERS|g" setup_client.sh else # If bootstrap brokers are not available, provide instructions to get them sed -i "s|BOOTSTRAP_SERVER_PLACEHOLDER|\$(aws kafka get-bootstrap-brokers --cluster-arn $CLUSTER_ARN --query 'BootstrapBrokerStringTls' --output text)|g" setup_client.sh fi # Replace auth method placeholder sed -i "s|AUTH_METHOD_PLACEHOLDER|$AUTH_METHOD|g" setup_client.sh echo "Setup script created" echo "==============================================" # Display summary of created resources echo "" echo "==============================================" echo "RESOURCE SUMMARY" echo "==============================================" echo "MSK Cluster ARN: $CLUSTER_ARN" echo "MSK Cluster Name: $CLUSTER_NAME" echo "Authentication Method: $AUTH_METHOD" echo "IAM Policy ARN: $POLICY_ARN" echo "IAM Role Name: $ROLE_NAME" echo "IAM Instance Profile: $INSTANCE_PROFILE_NAME" echo "Client Security Group: $CLIENT_SG_ID" echo "EC2 Instance ID: $INSTANCE_ID" echo "EC2 Instance Type: $SELECTED_INSTANCE_TYPE" echo "EC2 Instance DNS: $CLIENT_DNS" echo "Key Pair: $KEY_NAME (saved to $KEY_FILE)" echo "Bootstrap Brokers: $BOOTSTRAP_BROKERS" echo "==============================================" echo "" # Instructions for connecting to the instance and setting up the client echo "NEXT STEPS:" echo "1. Connect to your EC2 instance:" echo " ssh -i $KEY_FILE ec2-user@$CLIENT_DNS" echo "" echo "2. Upload the setup script to your instance:" echo " scp -i $KEY_FILE setup_client.sh ec2-user@$CLIENT_DNS:~/" echo "" echo "3. Run the setup script on your instance:" echo " ssh -i $KEY_FILE ec2-user@$CLIENT_DNS 'chmod +x ~/setup_client.sh && ~/setup_client.sh'" echo "" echo "4. Source the environment setup script:" echo " source ~/setup_env.sh" echo "" # Provide different instructions based on authentication method if [ "$AUTH_METHOD" = "IAM" ]; then echo "5. Create a Kafka topic (using IAM authentication):" echo " \$KAFKA_ROOT/bin/kafka-topics.sh --create \\" echo " --bootstrap-server \$BOOTSTRAP_SERVER \\" echo " --command-config \$KAFKA_ROOT/config/client.properties \\" echo " --replication-factor 3 \\" echo " --partitions 1 \\" echo " --topic MSKTutorialTopic" echo "" echo "6. Start a producer:" echo " \$KAFKA_ROOT/bin/kafka-console-producer.sh \\" echo " --broker-list \$BOOTSTRAP_SERVER \\" echo " --producer.config \$KAFKA_ROOT/config/client.properties \\" echo " --topic MSKTutorialTopic" echo "" echo "7. Start a consumer:" echo " \$KAFKA_ROOT/bin/kafka-console-consumer.sh \\" echo " --bootstrap-server \$BOOTSTRAP_SERVER \\" echo " --consumer.config \$KAFKA_ROOT/config/client.properties \\" echo " --topic MSKTutorialTopic \\" echo " --from-beginning" elif [ "$AUTH_METHOD" = "TLS" ]; then echo "5. Create a Kafka topic (using TLS authentication):" echo " \$KAFKA_ROOT/bin/kafka-topics.sh --create \\" echo " --bootstrap-server \$BOOTSTRAP_SERVER \\" echo " --command-config \$KAFKA_ROOT/config/client.properties \\" echo " --replication-factor 3 \\" echo " --partitions 1 \\" echo " --topic MSKTutorialTopic" echo "" echo "6. Start a producer:" echo " \$KAFKA_ROOT/bin/kafka-console-producer.sh \\" echo " --broker-list \$BOOTSTRAP_SERVER \\" echo " --producer.config \$KAFKA_ROOT/config/client.properties \\" echo " --topic MSKTutorialTopic" echo "" echo "7. Start a consumer:" echo " \$KAFKA_ROOT/bin/kafka-console-consumer.sh \\" echo " --bootstrap-server \$BOOTSTRAP_SERVER \\" echo " --consumer.config \$KAFKA_ROOT/config/client.properties \\" echo " --topic MSKTutorialTopic \\" echo " --from-beginning" else echo "5. Manually retrieve bootstrap brokers and configure authentication:" echo " aws kafka get-bootstrap-brokers --cluster-arn $CLUSTER_ARN" fi echo "" echo "8. Verify the topic was created:" echo " \$KAFKA_ROOT/bin/kafka-topics.sh --list \\" echo " --bootstrap-server \$BOOTSTRAP_SERVER \\" echo " --command-config \$KAFKA_ROOT/config/client.properties" echo "==============================================" echo "" # Ask if user wants to clean up resources echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ $CLEANUP_CHOICE =~ ^[Yy]$ ]]; then cleanup_resources echo "All resources have been cleaned up." else echo "Resources will not be cleaned up. You can manually clean them up later." echo "To clean up resources, run this script again and choose 'y' when prompted." fi echo "Script completed successfully!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AddRoleToInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AddRoleToInstanceProfile) + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateCluster](https://docs.aws.amazon.com/goto/aws-cli/kafka-2018-11-14/CreateCluster) + [CreateInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateInstanceProfile) + [CreateKeyPair](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateKeyPair) + [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) + [DeleteCluster](https://docs.aws.amazon.com/goto/aws-cli/kafka-2018-11-14/DeleteCluster) + [DeleteInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteInstanceProfile) + [DeleteKeyPair](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteKeyPair) + [DeletePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeletePolicy) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) + [DescribeAvailabilityZones](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeAvailabilityZones) + [DescribeCluster](https://docs.aws.amazon.com/goto/aws-cli/kafka-2018-11-14/DescribeCluster) + [DescribeImages](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeImages) + [DescribeInstanceTypeOfferings](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeInstanceTypeOfferings) + [DescribeInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeInstances) + [DescribeKeyPairs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeKeyPairs) + [DescribeSecurityGroups](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSecurityGroups) + [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets) + [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetBootstrapBrokers](https://docs.aws.amazon.com/goto/aws-cli/kafka-2018-11-14/GetBootstrapBrokers) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetInstanceProfile) + [GetPolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetPolicy) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [RemoveRoleFromInstanceProfile](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/RemoveRoleFromInstanceProfile) + [RevokeSecurityGroupEgress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/RevokeSecurityGroupEgress) + [RevokeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/RevokeSecurityGroupIngress) + [RunInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/RunInstances) + [TerminateInstances](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/TerminateInstances) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/Wait) # Neptune examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Neptune. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting started with Amazon Neptune The following code example shows how to: + Create a VPC for your Neptune database + Create subnets in multiple availability zones + Configure security for your Neptune database + Create a Neptune DB subnet group + Create a Neptune DB cluster and instance + Add data to your graph database + Query your graph database **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/064-amazon-neptune-gs) repository. ``` #!/bin/bash # Amazon Neptune Getting Started Script # This script creates an Amazon Neptune database cluster and demonstrates basic operations # Set up logging LOG_FILE="neptune-setup.log" echo "Starting Neptune setup at $(date)" > "$LOG_FILE" # Function to log commands and their output log_cmd() { echo "Running: $1" | tee -a "$LOG_FILE" eval "$1" 2>&1 | tee -a "$LOG_FILE" return ${PIPESTATUS[0]} } # Function to check for errors in command output check_error() { local cmd_output="$1" local cmd_status="$2" local error_msg="$3" if [[ $cmd_status -ne 0 || "$cmd_output" =~ [Ee][Rr][Rr][Oo][Rr] ]]; then echo "ERROR: $error_msg" | tee -a "$LOG_FILE" cleanup_on_error exit 1 fi } # Function to clean up resources on error cleanup_on_error() { echo "Error encountered. Cleaning up resources..." | tee -a "$LOG_FILE" # Only attempt to delete resources that were successfully created if [[ -n "$DB_INSTANCE_ID" ]]; then echo "Deleting DB instance $DB_INSTANCE_ID..." | tee -a "$LOG_FILE" log_cmd "aws neptune delete-db-instance --db-instance-identifier $DB_INSTANCE_ID --skip-final-snapshot" log_cmd "aws neptune wait db-instance-deleted --db-instance-identifier $DB_INSTANCE_ID" fi if [[ -n "$DB_CLUSTER_ID" ]]; then echo "Deleting DB cluster $DB_CLUSTER_ID..." | tee -a "$LOG_FILE" log_cmd "aws neptune delete-db-cluster --db-cluster-identifier $DB_CLUSTER_ID --skip-final-snapshot" fi if [[ -n "$DB_SUBNET_GROUP" ]]; then echo "Deleting DB subnet group $DB_SUBNET_GROUP..." | tee -a "$LOG_FILE" log_cmd "aws neptune delete-db-subnet-group --db-subnet-group-name $DB_SUBNET_GROUP" fi if [[ -n "$SECURITY_GROUP_ID" ]]; then echo "Deleting security group $SECURITY_GROUP_ID..." | tee -a "$LOG_FILE" log_cmd "aws ec2 delete-security-group --group-id $SECURITY_GROUP_ID" fi if [[ -n "$SUBNET_IDS" ]]; then for SUBNET_ID in $SUBNET_IDS; do echo "Deleting subnet $SUBNET_ID..." | tee -a "$LOG_FILE" log_cmd "aws ec2 delete-subnet --subnet-id $SUBNET_ID" done fi if [[ -n "$VPC_ID" ]]; then echo "Deleting VPC $VPC_ID..." | tee -a "$LOG_FILE" log_cmd "aws ec2 delete-vpc --vpc-id $VPC_ID" fi } # Generate random identifier for resource names RANDOM_ID=$(openssl rand -hex 4) VPC_NAME="neptune-vpc-$RANDOM_ID" DB_SUBNET_GROUP="neptune-subnet-group-$RANDOM_ID" DB_CLUSTER_ID="neptune-cluster-$RANDOM_ID" DB_INSTANCE_ID="neptune-instance-$RANDOM_ID" SG_NAME="neptune-sg-$RANDOM_ID" echo "Using random identifier: $RANDOM_ID" | tee -a "$LOG_FILE" echo "VPC Name: $VPC_NAME" | tee -a "$LOG_FILE" echo "DB Subnet Group: $DB_SUBNET_GROUP" | tee -a "$LOG_FILE" echo "DB Cluster ID: $DB_CLUSTER_ID" | tee -a "$LOG_FILE" echo "DB Instance ID: $DB_INSTANCE_ID" | tee -a "$LOG_FILE" echo "Security Group Name: $SG_NAME" | tee -a "$LOG_FILE" # Step 1: Create VPC echo "Creating VPC..." | tee -a "$LOG_FILE" VPC_OUTPUT=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications "ResourceType=vpc,Tags=[{Key=Name,Value=$VPC_NAME}]" --output json) check_error "$VPC_OUTPUT" $? "Failed to create VPC" VPC_ID=$(echo "$VPC_OUTPUT" | grep -o '"VpcId": "[^"]*' | cut -d'"' -f4) echo "VPC created with ID: $VPC_ID" | tee -a "$LOG_FILE" # Enable DNS support for the VPC log_cmd "aws ec2 modify-vpc-attribute --vpc-id $VPC_ID --enable-dns-support" log_cmd "aws ec2 modify-vpc-attribute --vpc-id $VPC_ID --enable-dns-hostnames" # Step 2: Create Internet Gateway and attach to VPC echo "Creating Internet Gateway..." | tee -a "$LOG_FILE" IGW_OUTPUT=$(aws ec2 create-internet-gateway --output json) check_error "$IGW_OUTPUT" $? "Failed to create Internet Gateway" IGW_ID=$(echo "$IGW_OUTPUT" | grep -o '"InternetGatewayId": "[^"]*' | cut -d'"' -f4) echo "Internet Gateway created with ID: $IGW_ID" | tee -a "$LOG_FILE" log_cmd "aws ec2 attach-internet-gateway --internet-gateway-id $IGW_ID --vpc-id $VPC_ID" # Step 3: Create subnets in different AZs echo "Creating subnets..." | tee -a "$LOG_FILE" # Get available AZs AZ_OUTPUT=$(aws ec2 describe-availability-zones --output json) check_error "$AZ_OUTPUT" $? "Failed to get availability zones" # Extract first 3 AZ names AZ1=$(echo "$AZ_OUTPUT" | grep -o '"ZoneName": "[^"]*' | cut -d'"' -f4 | head -1) AZ2=$(echo "$AZ_OUTPUT" | grep -o '"ZoneName": "[^"]*' | cut -d'"' -f4 | head -2 | tail -1) AZ3=$(echo "$AZ_OUTPUT" | grep -o '"ZoneName": "[^"]*' | cut -d'"' -f4 | head -3 | tail -1) # Create 3 subnets in different AZs SUBNET1_OUTPUT=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 10.0.1.0/24 --availability-zone $AZ1 --output json) check_error "$SUBNET1_OUTPUT" $? "Failed to create subnet 1" SUBNET1_ID=$(echo "$SUBNET1_OUTPUT" | grep -o '"SubnetId": "[^"]*' | cut -d'"' -f4) SUBNET2_OUTPUT=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 10.0.2.0/24 --availability-zone $AZ2 --output json) check_error "$SUBNET2_OUTPUT" $? "Failed to create subnet 2" SUBNET2_ID=$(echo "$SUBNET2_OUTPUT" | grep -o '"SubnetId": "[^"]*' | cut -d'"' -f4) SUBNET3_OUTPUT=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 10.0.3.0/24 --availability-zone $AZ3 --output json) check_error "$SUBNET3_OUTPUT" $? "Failed to create subnet 3" SUBNET3_ID=$(echo "$SUBNET3_OUTPUT" | grep -o '"SubnetId": "[^"]*' | cut -d'"' -f4) SUBNET_IDS="$SUBNET1_ID $SUBNET2_ID $SUBNET3_ID" echo "Created subnets: $SUBNET1_ID, $SUBNET2_ID, $SUBNET3_ID" | tee -a "$LOG_FILE" # Step 4: Create route table and add route to Internet Gateway echo "Creating route table..." | tee -a "$LOG_FILE" ROUTE_TABLE_OUTPUT=$(aws ec2 create-route-table --vpc-id $VPC_ID --output json) check_error "$ROUTE_TABLE_OUTPUT" $? "Failed to create route table" ROUTE_TABLE_ID=$(echo "$ROUTE_TABLE_OUTPUT" | grep -o '"RouteTableId": "[^"]*' | cut -d'"' -f4) echo "Route table created with ID: $ROUTE_TABLE_ID" | tee -a "$LOG_FILE" # Add route to Internet Gateway log_cmd "aws ec2 create-route --route-table-id $ROUTE_TABLE_ID --destination-cidr-block 0.0.0.0/0 --gateway-id $IGW_ID" # Associate route table with subnets log_cmd "aws ec2 associate-route-table --route-table-id $ROUTE_TABLE_ID --subnet-id $SUBNET1_ID" log_cmd "aws ec2 associate-route-table --route-table-id $ROUTE_TABLE_ID --subnet-id $SUBNET2_ID" log_cmd "aws ec2 associate-route-table --route-table-id $ROUTE_TABLE_ID --subnet-id $SUBNET3_ID" # Step 5: Create security group echo "Creating security group..." | tee -a "$LOG_FILE" SG_OUTPUT=$(aws ec2 create-security-group --group-name $SG_NAME --description "Security group for Neptune" --vpc-id $VPC_ID --output json) check_error "$SG_OUTPUT" $? "Failed to create security group" SECURITY_GROUP_ID=$(echo "$SG_OUTPUT" | grep -o '"GroupId": "[^"]*' | cut -d'"' -f4) echo "Security group created with ID: $SECURITY_GROUP_ID" | tee -a "$LOG_FILE" # Add inbound rule for Neptune port (8182) # Note: In production, you should restrict this to specific IP ranges echo "Adding security group rule for Neptune port 8182..." | tee -a "$LOG_FILE" log_cmd "aws ec2 authorize-security-group-ingress --group-id $SECURITY_GROUP_ID --protocol tcp --port 8182 --cidr 10.0.0.0/16" # Step 6: Create DB subnet group echo "Creating DB subnet group..." | tee -a "$LOG_FILE" DB_SUBNET_GROUP_OUTPUT=$(aws neptune create-db-subnet-group --db-subnet-group-name $DB_SUBNET_GROUP --db-subnet-group-description "Subnet group for Neptune" --subnet-ids $SUBNET1_ID $SUBNET2_ID $SUBNET3_ID --output json) check_error "$DB_SUBNET_GROUP_OUTPUT" $? "Failed to create DB subnet group" echo "DB subnet group created: $DB_SUBNET_GROUP" | tee -a "$LOG_FILE" # Step 7: Create Neptune DB cluster echo "Creating Neptune DB cluster..." | tee -a "$LOG_FILE" DB_CLUSTER_OUTPUT=$(aws neptune create-db-cluster --db-cluster-identifier $DB_CLUSTER_ID --engine neptune --vpc-security-group-ids $SECURITY_GROUP_ID --db-subnet-group-name $DB_SUBNET_GROUP --output json) check_error "$DB_CLUSTER_OUTPUT" $? "Failed to create Neptune DB cluster" echo "Neptune DB cluster created: $DB_CLUSTER_ID" | tee -a "$LOG_FILE" # Step 8: Create Neptune DB instance echo "Creating Neptune DB instance..." | tee -a "$LOG_FILE" DB_INSTANCE_OUTPUT=$(aws neptune create-db-instance --db-instance-identifier $DB_INSTANCE_ID --db-instance-class db.r5.large --engine neptune --db-cluster-identifier $DB_CLUSTER_ID --output json) check_error "$DB_INSTANCE_OUTPUT" $? "Failed to create Neptune DB instance" echo "Neptune DB instance created: $DB_INSTANCE_ID" | tee -a "$LOG_FILE" # Step 9: Wait for the DB instance to become available echo "Waiting for Neptune DB instance to become available..." | tee -a "$LOG_FILE" log_cmd "aws neptune wait db-instance-available --db-instance-identifier $DB_INSTANCE_ID" # Step 10: Get the Neptune endpoint echo "Getting Neptune endpoint..." | tee -a "$LOG_FILE" ENDPOINT_OUTPUT=$(aws neptune describe-db-clusters --db-cluster-identifier $DB_CLUSTER_ID --output json) check_error "$ENDPOINT_OUTPUT" $? "Failed to get Neptune endpoint" NEPTUNE_ENDPOINT=$(echo "$ENDPOINT_OUTPUT" | grep -o '"Endpoint": "[^"]*' | cut -d'"' -f4) echo "Neptune endpoint: $NEPTUNE_ENDPOINT" | tee -a "$LOG_FILE" # Step 11: Display information about how to connect to Neptune echo "" | tee -a "$LOG_FILE" echo "=============================================" | tee -a "$LOG_FILE" echo "NEPTUNE SETUP COMPLETE" | tee -a "$LOG_FILE" echo "=============================================" | tee -a "$LOG_FILE" echo "Neptune Endpoint: $NEPTUNE_ENDPOINT" | tee -a "$LOG_FILE" echo "Port: 8182" | tee -a "$LOG_FILE" echo "" | tee -a "$LOG_FILE" echo "To query your Neptune database using Gremlin, you can use curl:" | tee -a "$LOG_FILE" echo "curl -X POST -d '{\"gremlin\":\"g.V().limit(1)\"}' https://$NEPTUNE_ENDPOINT:8182/gremlin" | tee -a "$LOG_FILE" echo "" | tee -a "$LOG_FILE" echo "To add data to your graph:" | tee -a "$LOG_FILE" echo "curl -X POST -d '{\"gremlin\":\"g.addV(\\\"person\\\").property(\\\"name\\\", \\\"Howard\\\")\"}' https://$NEPTUNE_ENDPOINT:8182/gremlin" | tee -a "$LOG_FILE" echo "" | tee -a "$LOG_FILE" echo "Note: You may need to configure your client machine to access the Neptune instance within the VPC." | tee -a "$LOG_FILE" echo "For production use, consider using an EC2 instance in the same VPC or setting up a bastion host." | tee -a "$LOG_FILE" echo "=============================================" | tee -a "$LOG_FILE" # Step 12: List all created resources echo "" | tee -a "$LOG_FILE" echo "=============================================" | tee -a "$LOG_FILE" echo "RESOURCES CREATED" | tee -a "$LOG_FILE" echo "=============================================" | tee -a "$LOG_FILE" echo "VPC: $VPC_ID" | tee -a "$LOG_FILE" echo "Internet Gateway: $IGW_ID" | tee -a "$LOG_FILE" echo "Subnets: $SUBNET1_ID, $SUBNET2_ID, $SUBNET3_ID" | tee -a "$LOG_FILE" echo "Route Table: $ROUTE_TABLE_ID" | tee -a "$LOG_FILE" echo "Security Group: $SECURITY_GROUP_ID" | tee -a "$LOG_FILE" echo "DB Subnet Group: $DB_SUBNET_GROUP" | tee -a "$LOG_FILE" echo "Neptune DB Cluster: $DB_CLUSTER_ID" | tee -a "$LOG_FILE" echo "Neptune DB Instance: $DB_INSTANCE_ID" | tee -a "$LOG_FILE" echo "=============================================" | tee -a "$LOG_FILE" # Step 13: Ask if user wants to clean up resources echo "" | tee -a "$LOG_FILE" echo "=============================================" | tee -a "$LOG_FILE" echo "CLEANUP CONFIRMATION" | tee -a "$LOG_FILE" echo "=============================================" | tee -a "$LOG_FILE" echo "Do you want to clean up all created resources? (y/n): " | tee -a "$LOG_FILE" read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Starting cleanup process..." | tee -a "$LOG_FILE" # Delete DB instance echo "Deleting DB instance $DB_INSTANCE_ID..." | tee -a "$LOG_FILE" log_cmd "aws neptune delete-db-instance --db-instance-identifier $DB_INSTANCE_ID --skip-final-snapshot" # Wait for DB instance to be deleted echo "Waiting for DB instance to be deleted..." | tee -a "$LOG_FILE" log_cmd "aws neptune wait db-instance-deleted --db-instance-identifier $DB_INSTANCE_ID" # Delete DB cluster echo "Deleting DB cluster $DB_CLUSTER_ID..." | tee -a "$LOG_FILE" log_cmd "aws neptune delete-db-cluster --db-cluster-identifier $DB_CLUSTER_ID --skip-final-snapshot" # Wait for DB cluster to be deleted (no specific wait command for this, so we'll sleep) echo "Waiting for DB cluster to be deleted..." | tee -a "$LOG_FILE" sleep 60 # Delete DB subnet group echo "Deleting DB subnet group $DB_SUBNET_GROUP..." | tee -a "$LOG_FILE" log_cmd "aws neptune delete-db-subnet-group --db-subnet-group-name $DB_SUBNET_GROUP" # Delete security group echo "Deleting security group $SECURITY_GROUP_ID..." | tee -a "$LOG_FILE" log_cmd "aws ec2 delete-security-group --group-id $SECURITY_GROUP_ID" # Detach and delete internet gateway echo "Detaching and deleting internet gateway $IGW_ID..." | tee -a "$LOG_FILE" log_cmd "aws ec2 detach-internet-gateway --internet-gateway-id $IGW_ID --vpc-id $VPC_ID" log_cmd "aws ec2 delete-internet-gateway --internet-gateway-id $IGW_ID" # Delete subnets echo "Deleting subnets..." | tee -a "$LOG_FILE" log_cmd "aws ec2 delete-subnet --subnet-id $SUBNET1_ID" log_cmd "aws ec2 delete-subnet --subnet-id $SUBNET2_ID" log_cmd "aws ec2 delete-subnet --subnet-id $SUBNET3_ID" # Delete route table echo "Deleting route table $ROUTE_TABLE_ID..." | tee -a "$LOG_FILE" log_cmd "aws ec2 delete-route-table --route-table-id $ROUTE_TABLE_ID" # Delete VPC echo "Deleting VPC $VPC_ID..." | tee -a "$LOG_FILE" log_cmd "aws ec2 delete-vpc --vpc-id $VPC_ID" echo "Cleanup complete!" | tee -a "$LOG_FILE" else echo "Resources will not be cleaned up. You can delete them manually later." | tee -a "$LOG_FILE" echo "See the list of resources above for reference." | tee -a "$LOG_FILE" fi echo "Script completed. See $LOG_FILE for details." | tee -a "$LOG_FILE" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AssociateRouteTable](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AssociateRouteTable) + [AttachInternetGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AttachInternetGateway) + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateDbCluster](https://docs.aws.amazon.com/goto/aws-cli/neptune-2014-10-31/CreateDbCluster) + [CreateDbInstance](https://docs.aws.amazon.com/goto/aws-cli/neptune-2014-10-31/CreateDbInstance) + [CreateDbSubnetGroup](https://docs.aws.amazon.com/goto/aws-cli/neptune-2014-10-31/CreateDbSubnetGroup) + [CreateInternetGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateInternetGateway) + [CreateRoute](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateRoute) + [CreateRouteTable](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateRouteTable) + [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) + [CreateSubnet](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSubnet) + [CreateVpc](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateVpc) + [DeleteDbCluster](https://docs.aws.amazon.com/goto/aws-cli/neptune-2014-10-31/DeleteDbCluster) + [DeleteDbInstance](https://docs.aws.amazon.com/goto/aws-cli/neptune-2014-10-31/DeleteDbInstance) + [DeleteDbSubnetGroup](https://docs.aws.amazon.com/goto/aws-cli/neptune-2014-10-31/DeleteDbSubnetGroup) + [DeleteInternetGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteInternetGateway) + [DeleteRouteTable](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteRouteTable) + [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) + [DeleteSubnet](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSubnet) + [DeleteVpc](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteVpc) + [DescribeAvailabilityZones](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeAvailabilityZones) + [DescribeDbClusters](https://docs.aws.amazon.com/goto/aws-cli/neptune-2014-10-31/DescribeDbClusters) + [DetachInternetGateway](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DetachInternetGateway) + [ModifyVpcAttribute](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/ModifyVpcAttribute) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/neptune-2014-10-31/Wait) # AWS Payment Cryptography examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with AWS Payment Cryptography. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting started with Payment Cryptography The following code example shows how to: + Create a key + Verify the CVV2 value + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/067-aws-payment-cryptography-gs) repository. ``` #!/bin/bash # AWS Payment Cryptography Getting Started Script # This script demonstrates how to use AWS Payment Cryptography to create a key, # generate and verify CVV2 values, and clean up resources. # Initialize log file LOG_FILE="payment-cryptography-tutorial.log" echo "AWS Payment Cryptography Tutorial - $(date)" > $LOG_FILE # Function to log messages log() { local message="$1" echo "$(date +"%Y-%m-%d %H:%M:%S") - $message" | tee -a $LOG_FILE } # Function to handle errors handle_error() { local error_message="$1" log "ERROR: $error_message" log "Script failed. Please check the log file: $LOG_FILE" echo "" echo "===========================================" echo "ERROR ENCOUNTERED" echo "===========================================" echo "The script encountered an error: $error_message" echo "Resources created will be listed below." echo "" if [ -n "$KEY_ARN" ]; then echo "Key ARN: $KEY_ARN" fi exit 1 } # Function to check command output for errors check_error() { local output="$1" local command="$2" if echo "$output" | grep -i "error\|exception\|fail" > /dev/null; then handle_error "Command failed: $command. Output: $output" fi } log "Starting AWS Payment Cryptography tutorial" # Step 1: Create a key log "Step 1: Creating a card verification key (CVK)" KEY_OUTPUT=$(aws payment-cryptography create-key \ --exportable \ --key-attributes KeyAlgorithm=TDES_2KEY,KeyUsage=TR31_C0_CARD_VERIFICATION_KEY,KeyClass=SYMMETRIC_KEY,KeyModesOfUse='{Generate=true,Verify=true}' 2>&1) echo "$KEY_OUTPUT" check_error "$KEY_OUTPUT" "create-key" # Extract the Key ARN from the output KEY_ARN=$(echo "$KEY_OUTPUT" | grep -o '"KeyArn": "[^"]*' | cut -d'"' -f4) if [ -z "$KEY_ARN" ]; then handle_error "Failed to extract Key ARN from output" fi log "Successfully created key with ARN: $KEY_ARN" # Step 2: Generate a CVV2 value log "Step 2: Generating a CVV2 value" CVV2_OUTPUT=$(aws payment-cryptography-data generate-card-validation-data \ --key-identifier "$KEY_ARN" \ --primary-account-number=171234567890123 \ --generation-attributes CardVerificationValue2={CardExpiryDate=0123} 2>&1) echo "$CVV2_OUTPUT" check_error "$CVV2_OUTPUT" "generate-card-validation-data" # Extract the CVV2 value from the output - updated to use ValidationData instead of CardDataValue CVV2_VALUE=$(echo "$CVV2_OUTPUT" | grep -o '"ValidationData": "[^"]*' | cut -d'"' -f4) if [ -z "$CVV2_VALUE" ]; then handle_error "Failed to extract CVV2 value from output" fi log "Successfully generated CVV2 value: $CVV2_VALUE" # Step 3: Verify the CVV2 value log "Step 3: Verifying the CVV2 value" VERIFY_OUTPUT=$(aws payment-cryptography-data verify-card-validation-data \ --key-identifier "$KEY_ARN" \ --primary-account-number=171234567890123 \ --verification-attributes CardVerificationValue2={CardExpiryDate=0123} \ --validation-data "$CVV2_VALUE" 2>&1) echo "$VERIFY_OUTPUT" check_error "$VERIFY_OUTPUT" "verify-card-validation-data" log "Successfully verified CVV2 value" # Step 4: Perform a negative test log "Step 4: Performing a negative test with incorrect CVV2" NEGATIVE_OUTPUT=$(aws payment-cryptography-data verify-card-validation-data \ --key-identifier "$KEY_ARN" \ --primary-account-number=171234567890123 \ --verification-attributes CardVerificationValue2={CardExpiryDate=0123} \ --validation-data 999 2>&1 || echo "Expected error: Verification failed") echo "$NEGATIVE_OUTPUT" if ! echo "$NEGATIVE_OUTPUT" | grep -i "fail\|error" > /dev/null; then handle_error "Negative test did not fail as expected" fi log "Negative test completed successfully (verification failed as expected)" # Display created resources echo "" echo "===========================================" echo "RESOURCES CREATED" echo "===========================================" echo "Key ARN: $KEY_ARN" echo "" # Prompt for cleanup echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then log "Step 5: Cleaning up resources" # Delete the key log "Deleting key: $KEY_ARN" DELETE_OUTPUT=$(aws payment-cryptography delete-key \ --key-identifier "$KEY_ARN" 2>&1) echo "$DELETE_OUTPUT" check_error "$DELETE_OUTPUT" "delete-key" log "Key scheduled for deletion. Default waiting period is 7 days." log "To cancel deletion before the waiting period ends, use:" log "aws payment-cryptography restore-key --key-identifier $KEY_ARN" echo "" echo "===========================================" echo "CLEANUP COMPLETE" echo "===========================================" echo "The key has been scheduled for deletion after the default waiting period (7 days)." echo "To cancel deletion before the waiting period ends, use:" echo "aws payment-cryptography restore-key --key-identifier $KEY_ARN" else log "Cleanup skipped. Resources were not deleted." echo "" echo "===========================================" echo "CLEANUP SKIPPED" echo "===========================================" echo "Resources were not deleted. You can manually delete them later." fi log "Tutorial completed successfully" echo "" echo "Tutorial completed successfully. See $LOG_FILE for details." ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateKey](https://docs.aws.amazon.com/goto/aws-cli/payment-cryptography-2021-09-14/CreateKey) + [DeleteKey](https://docs.aws.amazon.com/goto/aws-cli/payment-cryptography-2021-09-14/DeleteKey) + [RestoreKey](https://docs.aws.amazon.com/goto/aws-cli/payment-cryptography-2021-09-14/RestoreKey) # Amazon Pinpoint examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon Pinpoint. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting started with End User Messaging Push The following code example shows how to: + Create an application + Enable push notification channels + Send a push notification + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/049-aws-end-user-messaging-gs) repository. ``` #!/bin/bash # AWS End User Messaging Push Getting Started Script # This script creates an AWS End User Messaging Push application and demonstrates # how to enable push notification channels and send a test message. # # Prerequisites: # - AWS CLI installed and configured # - Appropriate IAM permissions for Pinpoint operations # # Usage: ./2-cli-script-final-working.sh [--auto-cleanup] # Check for auto-cleanup flag AUTO_CLEANUP=false if [[ "${1:-}" == "--auto-cleanup" ]]; then AUTO_CLEANUP=true fi # Set up logging LOG_FILE="aws-end-user-messaging-push-script-$(date +%Y%m%d-%H%M%S).log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting AWS End User Messaging Push setup script..." echo "Logging to $LOG_FILE" echo "Timestamp: $(date)" # Function to check for errors in command output check_error() { local output=$1 local cmd=$2 local ignore_error=${3:-false} if echo "$output" | grep -qi "error\|exception\|fail"; then echo "ERROR: Command failed: $cmd" echo "Error details: $output" if [ "$ignore_error" = "true" ]; then echo "Ignoring error and continuing..." return 1 else cleanup_on_error exit 1 fi fi return 0 } # Function to clean up resources on error cleanup_on_error() { echo "Error encountered. Cleaning up resources..." if [ -n "${APP_ID:-}" ]; then echo "Deleting application with ID: $APP_ID" aws pinpoint delete-app --application-id "$APP_ID" 2>/dev/null || echo "Failed to delete application" fi # Clean up any created files rm -f gcm-message.json apns-message.json echo "Cleanup completed." } # Function to validate AWS CLI is configured validate_aws_cli() { echo "Validating AWS CLI configuration..." # Check if AWS CLI is installed if ! command -v aws &> /dev/null; then echo "ERROR: AWS CLI is not installed. Please install it first." echo "Visit: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html" exit 1 fi # Check AWS CLI version AWS_VERSION=$(aws --version 2>&1 | head -n1) echo "AWS CLI version: $AWS_VERSION" # Check if AWS CLI is configured if ! aws sts get-caller-identity &> /dev/null; then echo "ERROR: AWS CLI is not configured or credentials are invalid." echo "Please run 'aws configure' to set up your credentials." exit 1 fi # Get current AWS identity and region CALLER_IDENTITY=$(aws sts get-caller-identity) CURRENT_REGION=$(aws configure get region 2>/dev/null || echo "us-east-1") echo "AWS CLI configured for:" echo "$CALLER_IDENTITY" echo "Current region: $CURRENT_REGION" echo "" } # Function to check if jq is available for JSON parsing check_json_tools() { if command -v jq &> /dev/null; then USE_JQ=true echo "jq is available for JSON parsing" else USE_JQ=false echo "jq is not available, using grep for JSON parsing" echo "Consider installing jq for better JSON handling: https://stedolan.github.io/jq/" fi } # Function to extract JSON values extract_json_value() { local json=$1 local key=$2 if [ "$USE_JQ" = "true" ]; then echo "$json" | jq -r ".$key" else # Fallback to grep method echo "$json" | grep -o "\"$key\": \"[^\"]*" | cut -d'"' -f4 | head -n1 fi } # Function to validate required IAM permissions validate_permissions() { echo "Validating IAM permissions..." # Test basic Pinpoint permissions if ! aws pinpoint get-apps &> /dev/null; then echo "WARNING: Unable to list Pinpoint applications. Please ensure you have the following IAM permissions:" echo "- mobiletargeting:GetApps" echo "- mobiletargeting:CreateApp" echo "- mobiletargeting:DeleteApp" echo "- mobiletargeting:UpdateGcmChannel" echo "- mobiletargeting:UpdateApnsChannel" echo "- mobiletargeting:SendMessages" echo "" echo "Continuing anyway..." else echo "Basic Pinpoint permissions validated." fi } # Validate prerequisites validate_aws_cli check_json_tools validate_permissions # Generate a random suffix for resource names to avoid conflicts RANDOM_SUFFIX=$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | fold -w 8 | head -n1) APP_NAME="PushNotificationApp-${RANDOM_SUFFIX}" echo "Creating application with name: $APP_NAME" # Step 1: Create an application echo "Executing: aws pinpoint create-app --create-application-request Name=${APP_NAME}" CREATE_APP_OUTPUT=$(aws pinpoint create-app --create-application-request "Name=${APP_NAME}" 2>&1) check_error "$CREATE_APP_OUTPUT" "create-app" echo "Application created successfully:" echo "$CREATE_APP_OUTPUT" # Extract the application ID from the output if [ "$USE_JQ" = "true" ]; then APP_ID=$(echo "$CREATE_APP_OUTPUT" | jq -r '.ApplicationResponse.Id') else APP_ID=$(echo "$CREATE_APP_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4 | head -n1) fi if [ -z "$APP_ID" ] || [ "$APP_ID" = "null" ]; then echo "ERROR: Failed to extract application ID from output" echo "Output was: $CREATE_APP_OUTPUT" exit 1 fi echo "Application ID: $APP_ID" # Create a resources list to track what we've created RESOURCES=("Application: $APP_ID") # Step 2: Enable FCM (GCM) channel with a sample API key echo "" echo "===========================================" echo "ENABLING FCM (GCM) CHANNEL" echo "===========================================" echo "Note: This is using a placeholder API key for demonstration purposes only." echo "In a production environment, you should use your actual FCM API key from Firebase Console." echo "" echo "IMPORTANT: The following command will likely fail because we're using a placeholder API key." echo "This is expected behavior for this demonstration script." echo "Executing: aws pinpoint update-gcm-channel --application-id $APP_ID --gcm-channel-request ..." UPDATE_GCM_OUTPUT=$(aws pinpoint update-gcm-channel \ --application-id "$APP_ID" \ --gcm-channel-request '{"Enabled": true, "ApiKey": "sample-fcm-api-key-for-demo-only"}' 2>&1) # We'll ignore this specific error since we're using a placeholder API key if check_error "$UPDATE_GCM_OUTPUT" "update-gcm-channel" "true"; then echo "FCM channel enabled successfully:" echo "$UPDATE_GCM_OUTPUT" RESOURCES+=("GCM Channel for application: $APP_ID") else echo "As expected, FCM channel update failed with the placeholder API key." echo "Error details: $UPDATE_GCM_OUTPUT" echo "" echo "To enable FCM in production:" echo "1. Go to Firebase Console (https://console.firebase.google.com/)" echo "2. Create or select your project" echo "3. Go to Project Settings > Cloud Messaging" echo "4. Copy the Server Key" echo "5. Replace 'sample-fcm-api-key-for-demo-only' with your actual Server Key" fi # Step 3: Try to enable APNS channel (this will also fail without real certificates) echo "" echo "===========================================" echo "ENABLING APNS CHANNEL (OPTIONAL)" echo "===========================================" echo "Attempting to enable APNS channel with placeholder certificate..." echo "This will also fail without real APNS certificates, which is expected." # Create a placeholder APNS configuration echo "Executing: aws pinpoint update-apns-channel --application-id $APP_ID --apns-channel-request ..." UPDATE_APNS_OUTPUT=$(aws pinpoint update-apns-channel \ --application-id "$APP_ID" \ --apns-channel-request '{"Enabled": true, "Certificate": "placeholder-certificate", "PrivateKey": "placeholder-private-key"}' 2>&1) if check_error "$UPDATE_APNS_OUTPUT" "update-apns-channel" "true"; then echo "APNS channel enabled successfully:" echo "$UPDATE_APNS_OUTPUT" RESOURCES+=("APNS Channel for application: $APP_ID") else echo "As expected, APNS channel update failed with placeholder certificates." echo "Error details: $UPDATE_APNS_OUTPUT" echo "" echo "To enable APNS in production:" echo "1. Generate APNS certificates from Apple Developer Console" echo "2. Convert certificates to PEM format" echo "3. Use the actual certificate and private key in the update-apns-channel command" fi # Step 4: Create message files for different platforms echo "" echo "===========================================" echo "CREATING MESSAGE FILES" echo "===========================================" # Create FCM message file echo "Creating FCM message file..." cat > gcm-message.json << 'EOF' { "Addresses": { "SAMPLE-DEVICE-TOKEN-FCM": { "ChannelType": "GCM" } }, "MessageConfiguration": { "GCMMessage": { "Action": "OPEN_APP", "Body": "Hello from AWS End User Messaging Push! This is an FCM notification.", "Priority": "normal", "SilentPush": false, "Title": "My First FCM Push Notification", "TimeToLive": 30, "Data": { "key1": "value1", "key2": "value2" } } } } EOF # Create APNS message file echo "Creating APNS message file..." cat > apns-message.json << 'EOF' { "Addresses": { "SAMPLE-DEVICE-TOKEN-APNS": { "ChannelType": "APNS" } }, "MessageConfiguration": { "APNSMessage": { "Action": "OPEN_APP", "Body": "Hello from AWS End User Messaging Push! This is an APNS notification.", "Priority": "normal", "SilentPush": false, "Title": "My First APNS Push Notification", "TimeToLive": 30, "Badge": 1, "Sound": "default" } } } EOF echo "Message files created:" echo "- gcm-message.json (for FCM/Android)" echo "- apns-message.json (for APNS/iOS)" echo "" echo "Note: These messages use placeholder device tokens and will not actually be delivered." echo "To send real messages, you would need to replace the sample device tokens with actual ones." # Step 5: Demonstrate how to send messages (this will fail with placeholder tokens) echo "" echo "===========================================" echo "DEMONSTRATING MESSAGE SENDING" echo "===========================================" echo "Attempting to send FCM message (will fail with placeholder token)..." echo "Executing: aws pinpoint send-messages --application-id $APP_ID --message-request file://gcm-message.json" SEND_FCM_OUTPUT=$(aws pinpoint send-messages \ --application-id "$APP_ID" \ --message-request file://gcm-message.json 2>&1) if check_error "$SEND_FCM_OUTPUT" "send-messages (FCM)" "true"; then echo "FCM message sent successfully:" echo "$SEND_FCM_OUTPUT" else echo "As expected, FCM message sending failed with placeholder token." echo "Error details: $SEND_FCM_OUTPUT" fi echo "" echo "Attempting to send APNS message (will fail with placeholder token)..." echo "Executing: aws pinpoint send-messages --application-id $APP_ID --message-request file://apns-message.json" SEND_APNS_OUTPUT=$(aws pinpoint send-messages \ --application-id "$APP_ID" \ --message-request file://apns-message.json 2>&1) if check_error "$SEND_APNS_OUTPUT" "send-messages (APNS)" "true"; then echo "APNS message sent successfully:" echo "$SEND_APNS_OUTPUT" else echo "As expected, APNS message sending failed with placeholder token." echo "Error details: $SEND_APNS_OUTPUT" fi # Step 6: Show application details echo "" echo "===========================================" echo "APPLICATION DETAILS" echo "===========================================" echo "Retrieving application details..." echo "Executing: aws pinpoint get-app --application-id $APP_ID" GET_APP_OUTPUT=$(aws pinpoint get-app --application-id "$APP_ID" 2>&1) if check_error "$GET_APP_OUTPUT" "get-app"; then echo "Application details:" echo "$GET_APP_OUTPUT" fi # Display summary of created resources echo "" echo "===========================================" echo "RESOURCES CREATED" echo "===========================================" for resource in "${RESOURCES[@]}"; do echo "- $resource" done echo "" echo "Files created:" echo "- gcm-message.json" echo "- apns-message.json" echo "- $LOG_FILE" # Cleanup prompt with proper input handling echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "This script created AWS resources that may incur charges." if [ "$AUTO_CLEANUP" = "true" ]; then echo "Auto-cleanup enabled. Cleaning up resources..." CLEANUP_CHOICE="y" else echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE fi if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "" echo "Cleaning up resources..." echo "Deleting application with ID: $APP_ID" echo "Executing: aws pinpoint delete-app --application-id $APP_ID" DELETE_APP_OUTPUT=$(aws pinpoint delete-app --application-id "$APP_ID" 2>&1) if check_error "$DELETE_APP_OUTPUT" "delete-app" "true"; then echo "Application deleted successfully." else echo "Failed to delete application. You may need to delete it manually:" echo "aws pinpoint delete-app --application-id $APP_ID" fi echo "Deleting message files..." rm -f gcm-message.json apns-message.json echo "Cleanup completed successfully." echo "Log file ($LOG_FILE) has been preserved for reference." else echo "" echo "Skipping cleanup. Resources will remain in your AWS account." echo "" echo "To manually delete the application later, run:" echo "aws pinpoint delete-app --application-id $APP_ID" echo "" echo "To delete the message files, run:" echo "rm -f gcm-message.json apns-message.json" fi echo "" echo "===========================================" echo "SCRIPT COMPLETED SUCCESSFULLY" echo "===========================================" echo "This script demonstrated:" echo "1. Creating an AWS End User Messaging Push application" echo "2. Attempting to enable FCM and APNS channels (with placeholder credentials)" echo "3. Creating message templates for different platforms" echo "4. Demonstrating message sending commands (with placeholder tokens)" echo "5. Retrieving application details" echo "6. Proper cleanup of resources" echo "" echo "For production use:" echo "- Replace placeholder API keys with real FCM server keys" echo "- Replace placeholder certificates with real APNS certificates" echo "- Replace placeholder device tokens with real device tokens" echo "- Implement proper error handling for your use case" echo "- Consider using AWS IAM roles instead of long-term credentials" echo "" echo "Log file: $LOG_FILE" echo "Script completed at: $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateApp](https://docs.aws.amazon.com/goto/aws-cli/pinpoint-2016-12-01/CreateApp) + [DeleteApp](https://docs.aws.amazon.com/goto/aws-cli/pinpoint-2016-12-01/DeleteApp) + [GetApp](https://docs.aws.amazon.com/goto/aws-cli/pinpoint-2016-12-01/GetApp) + [GetApps](https://docs.aws.amazon.com/goto/aws-cli/pinpoint-2016-12-01/GetApps) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [SendMessages](https://docs.aws.amazon.com/goto/aws-cli/pinpoint-2016-12-01/SendMessages) + [UpdateApnsChannel](https://docs.aws.amazon.com/goto/aws-cli/pinpoint-2016-12-01/UpdateApnsChannel) + [UpdateGcmChannel](https://docs.aws.amazon.com/goto/aws-cli/pinpoint-2016-12-01/UpdateGcmChannel) # Amazon Polly examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon Polly. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting started with Amazon Polly The following code example shows how to: + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/082-amazon-polly-gs) repository. ``` #!/bin/bash # Amazon Polly Getting Started Script # This script demonstrates how to use Amazon Polly with the AWS CLI # Set up logging LOG_FILE="polly-tutorial.log" echo "Starting Amazon Polly tutorial at $(date)" > "$LOG_FILE" # Function to log commands and their output log_cmd() { echo "Running: $1" | tee -a "$LOG_FILE" eval "$1" 2>&1 | tee -a "$LOG_FILE" return ${PIPESTATUS[0]} } # Function to check for errors check_error() { if echo "$1" | grep -i "error" > /dev/null; then echo "ERROR detected in output. Exiting script." | tee -a "$LOG_FILE" echo "$1" | tee -a "$LOG_FILE" exit 1 fi } # Function to handle errors and cleanup handle_error() { echo "Error occurred. Attempting cleanup..." | tee -a "$LOG_FILE" cleanup exit 1 } # Function to clean up resources cleanup() { echo "" | tee -a "$LOG_FILE" echo "===========================================================" | tee -a "$LOG_FILE" echo "CLEANUP PROCESS" | tee -a "$LOG_FILE" echo "===========================================================" | tee -a "$LOG_FILE" # Delete lexicon if it exists if [ -n "$LEXICON_NAME" ]; then echo "Deleting lexicon: $LEXICON_NAME" | tee -a "$LOG_FILE" log_cmd "aws polly delete-lexicon --name $LEXICON_NAME" fi echo "Cleanup complete." | tee -a "$LOG_FILE" } # Trap errors trap 'handle_error' ERR # Step 1: Verify Amazon Polly is available echo "Step 1: Verifying Amazon Polly availability" | tee -a "$LOG_FILE" POLLY_CHECK=$(aws polly help 2>&1) if echo "$POLLY_CHECK" | grep -i "not.*found\|invalid\|error" > /dev/null; then echo "Amazon Polly is not available in your AWS CLI installation." | tee -a "$LOG_FILE" echo "Please update your AWS CLI to the latest version." | tee -a "$LOG_FILE" exit 1 else echo "Amazon Polly is available. Proceeding with tutorial." | tee -a "$LOG_FILE" fi # Step 2: List available voices echo "" | tee -a "$LOG_FILE" echo "Step 2: Listing available voices" | tee -a "$LOG_FILE" log_cmd "aws polly describe-voices --language-code en-US --output text --query 'Voices[0:3].[Id, LanguageCode, Gender]'" # Step 3: Basic text-to-speech conversion echo "" | tee -a "$LOG_FILE" echo "Step 3: Converting text to speech" | tee -a "$LOG_FILE" log_cmd "aws polly synthesize-speech --output-format mp3 --voice-id Joanna --text \"Hello, welcome to Amazon Polly. This is a sample text to speech conversion.\" output.mp3" if [ -f "output.mp3" ]; then echo "Successfully created output.mp3 file." | tee -a "$LOG_FILE" echo "You can play this file with your preferred audio player." | tee -a "$LOG_FILE" else echo "Failed to create output.mp3 file." | tee -a "$LOG_FILE" exit 1 fi # Step 4: Using SSML for enhanced speech echo "" | tee -a "$LOG_FILE" echo "Step 4: Using SSML for enhanced speech" | tee -a "$LOG_FILE" log_cmd "aws polly synthesize-speech --output-format mp3 --voice-id Matthew --text-type ssml --text \"Hello! This is a sample of SSML enhanced speech.\" ssml-output.mp3" if [ -f "ssml-output.mp3" ]; then echo "Successfully created ssml-output.mp3 file." | tee -a "$LOG_FILE" echo "You can play this file with your preferred audio player." | tee -a "$LOG_FILE" else echo "Failed to create ssml-output.mp3 file." | tee -a "$LOG_FILE" exit 1 fi # Step 5: Working with lexicons echo "" | tee -a "$LOG_FILE" echo "Step 5: Working with lexicons" | tee -a "$LOG_FILE" # Generate a random identifier for the lexicon (max 20 chars, alphanumeric only) LEXICON_NAME="example$(openssl rand -hex 6)" echo "Using lexicon name: $LEXICON_NAME" | tee -a "$LOG_FILE" # Create a lexicon file echo "Creating lexicon file..." | tee -a "$LOG_FILE" cat > example.pls << 'EOF' AWS Amazon Web Services EOF # Upload the lexicon echo "Uploading lexicon..." | tee -a "$LOG_FILE" log_cmd "aws polly put-lexicon --name $LEXICON_NAME --content file://example.pls" # List available lexicons echo "Listing available lexicons..." | tee -a "$LOG_FILE" log_cmd "aws polly list-lexicons --output text --query 'Lexicons[*].[Name]'" # Get details about the lexicon echo "Getting details about the lexicon..." | tee -a "$LOG_FILE" log_cmd "aws polly get-lexicon --name $LEXICON_NAME --output text --query 'Lexicon.Name'" # Use the lexicon when synthesizing speech echo "Using the lexicon for speech synthesis..." | tee -a "$LOG_FILE" log_cmd "aws polly synthesize-speech --output-format mp3 --voice-id Joanna --lexicon-names $LEXICON_NAME --text \"I work with AWS every day.\" lexicon-output.mp3" if [ -f "lexicon-output.mp3" ]; then echo "Successfully created lexicon-output.mp3 file." | tee -a "$LOG_FILE" echo "You can play this file with your preferred audio player." | tee -a "$LOG_FILE" else echo "Failed to create lexicon-output.mp3 file." | tee -a "$LOG_FILE" exit 1 fi # Summary of created resources echo "" | tee -a "$LOG_FILE" echo "===========================================================" | tee -a "$LOG_FILE" echo "TUTORIAL SUMMARY" | tee -a "$LOG_FILE" echo "===========================================================" | tee -a "$LOG_FILE" echo "Created resources:" | tee -a "$LOG_FILE" echo "1. Lexicon: $LEXICON_NAME" | tee -a "$LOG_FILE" echo "2. Audio files:" | tee -a "$LOG_FILE" echo " - output.mp3" | tee -a "$LOG_FILE" echo " - ssml-output.mp3" | tee -a "$LOG_FILE" echo " - lexicon-output.mp3" | tee -a "$LOG_FILE" echo "" | tee -a "$LOG_FILE" # Prompt for cleanup echo "" | tee -a "$LOG_FILE" echo "===========================================================" | tee -a "$LOG_FILE" echo "CLEANUP CONFIRMATION" | tee -a "$LOG_FILE" echo "===========================================================" | tee -a "$LOG_FILE" echo "Do you want to clean up all created resources? (y/n): " | tee -a "$LOG_FILE" read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy] ]]; then cleanup else echo "Skipping cleanup. Resources will remain in your account." | tee -a "$LOG_FILE" echo "To manually delete the lexicon later, run:" | tee -a "$LOG_FILE" echo "aws polly delete-lexicon --name $LEXICON_NAME" | tee -a "$LOG_FILE" fi echo "" | tee -a "$LOG_FILE" echo "Tutorial completed successfully!" | tee -a "$LOG_FILE" echo "Log file: $LOG_FILE" | tee -a "$LOG_FILE" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [DeleteLexicon](https://docs.aws.amazon.com/goto/aws-cli/polly-2016-06-10/DeleteLexicon) + [DescribeVoices](https://docs.aws.amazon.com/goto/aws-cli/polly-2016-06-10/DescribeVoices) + [GetLexicon](https://docs.aws.amazon.com/goto/aws-cli/polly-2016-06-10/GetLexicon) + [Help](https://docs.aws.amazon.com/goto/aws-cli/polly-2016-06-10/Help) + [ListLexicons](https://docs.aws.amazon.com/goto/aws-cli/polly-2016-06-10/ListLexicons) + [PutLexicon](https://docs.aws.amazon.com/goto/aws-cli/polly-2016-06-10/PutLexicon) + [SynthesizeSpeech](https://docs.aws.amazon.com/goto/aws-cli/polly-2016-06-10/SynthesizeSpeech) # Amazon RDS examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon RDS. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Creating an Amazon RDS DB instance The following code example shows how to: + Set up networking components + Create a DB subnet group + Create a DB instance + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/036-rds-gs) repository. ``` #!/bin/bash # Script to create an Amazon RDS DB instance # This script follows the tutorial at https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateDBInstance.html # Set up logging LOG_FILE="rds_creation_$(date +%Y%m%d_%H%M%S).log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting RDS DB instance creation script - $(date)" echo "All actions will be logged to $LOG_FILE" echo "==============================================" # Function to check for errors in command output check_error() { local output=$1 local cmd=$2 if echo "$output" | grep -i "error" > /dev/null; then echo "ERROR: Command failed: $cmd" echo "$output" cleanup_on_error exit 1 fi } # Function to clean up resources on error cleanup_on_error() { echo "Error encountered. Attempting to clean up resources..." if [ -n "$DB_INSTANCE_ID" ]; then echo "Deleting DB instance $DB_INSTANCE_ID..." aws rds delete-db-instance --db-instance-identifier "$DB_INSTANCE_ID" --skip-final-snapshot echo "Waiting for DB instance to be deleted..." aws rds wait db-instance-deleted --db-instance-identifier "$DB_INSTANCE_ID" fi if [ -n "$DB_SUBNET_GROUP_NAME" ] && [ "$CREATED_SUBNET_GROUP" = "true" ]; then echo "Deleting DB subnet group $DB_SUBNET_GROUP_NAME..." aws rds delete-db-subnet-group --db-subnet-group-name "$DB_SUBNET_GROUP_NAME" fi if [ -n "$SECURITY_GROUP_ID" ] && [ "$CREATED_SECURITY_GROUP" = "true" ]; then echo "Deleting security group $SECURITY_GROUP_ID..." aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID" fi echo "Cleanup completed." } # Generate a random identifier for resources RANDOM_ID=$(openssl rand -hex 4) DB_INSTANCE_ID="mydb-${RANDOM_ID}" DB_SUBNET_GROUP_NAME="mydbsubnet-${RANDOM_ID}" SECURITY_GROUP_NAME="mydbsg-${RANDOM_ID}" # Track created resources CREATED_SECURITY_GROUP="false" CREATED_SUBNET_GROUP="false" # Array to store created resources for display declare -a CREATED_RESOURCES echo "Step 1: Checking for default VPC..." VPC_OUTPUT=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true") check_error "$VPC_OUTPUT" "aws ec2 describe-vpcs" # Extract VPC ID VPC_ID=$(echo "$VPC_OUTPUT" | grep -o '"VpcId": "[^"]*' | cut -d'"' -f4) if [ -z "$VPC_ID" ]; then echo "No default VPC found. Please create a VPC before running this script." exit 1 fi echo "Using VPC: $VPC_ID" echo "Step 2: Getting subnets from the VPC..." SUBNET_OUTPUT=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID") check_error "$SUBNET_OUTPUT" "aws ec2 describe-subnets" # Extract subnet IDs (we need at least 2 in different AZs) SUBNET_IDS=($(echo "$SUBNET_OUTPUT" | grep -o '"SubnetId": "[^"]*' | cut -d'"' -f4)) if [ ${#SUBNET_IDS[@]} -lt 2 ]; then echo "Error: Need at least 2 subnets in different AZs. Found ${#SUBNET_IDS[@]} subnets." exit 1 fi echo "Found ${#SUBNET_IDS[@]} subnets: ${SUBNET_IDS[*]}" echo "Step 3: Creating security group for RDS..." SG_OUTPUT=$(aws ec2 create-security-group \ --group-name "$SECURITY_GROUP_NAME" \ --description "Security group for RDS database access" \ --vpc-id "$VPC_ID") check_error "$SG_OUTPUT" "aws ec2 create-security-group" SECURITY_GROUP_ID=$(echo "$SG_OUTPUT" | grep -o '"GroupId": "[^"]*' | cut -d'"' -f4) CREATED_SECURITY_GROUP="true" CREATED_RESOURCES+=("Security Group: $SECURITY_GROUP_ID ($SECURITY_GROUP_NAME)") echo "Created security group: $SECURITY_GROUP_ID" echo "Step 4: Adding inbound rule to security group..." # Note: In a production environment, you should restrict this to specific IP ranges # We're using the local machine's IP address for this example MY_IP=$(curl -s https://checkip.amazonaws.com) check_error "$MY_IP" "curl -s https://checkip.amazonaws.com" INGRESS_OUTPUT=$(aws ec2 authorize-security-group-ingress \ --group-id "$SECURITY_GROUP_ID" \ --protocol tcp \ --port 3306 \ --cidr "${MY_IP}/32") check_error "$INGRESS_OUTPUT" "aws ec2 authorize-security-group-ingress" echo "Added inbound rule to allow MySQL connections from ${MY_IP}/32" echo "Step 5: Creating DB subnet group..." # Select the first two subnets for the DB subnet group SUBNET1=${SUBNET_IDS[0]} SUBNET2=${SUBNET_IDS[1]} SUBNET_GROUP_OUTPUT=$(aws rds create-db-subnet-group \ --db-subnet-group-name "$DB_SUBNET_GROUP_NAME" \ --db-subnet-group-description "Subnet group for RDS tutorial" \ --subnet-ids "$SUBNET1" "$SUBNET2") check_error "$SUBNET_GROUP_OUTPUT" "aws rds create-db-subnet-group" CREATED_SUBNET_GROUP="true" CREATED_RESOURCES+=("DB Subnet Group: $DB_SUBNET_GROUP_NAME") echo "Created DB subnet group: $DB_SUBNET_GROUP_NAME" echo "Step 6: Creating a secure password in AWS Secrets Manager..." SECRET_NAME="rds-db-credentials-${RANDOM_ID}" SECRET_OUTPUT=$(aws secretsmanager create-secret \ --name "$SECRET_NAME" \ --description "RDS DB credentials for $DB_INSTANCE_ID" \ --secret-string '{"username":"adminuser","password":"'"$(openssl rand -base64 16)"'"}') check_error "$SECRET_OUTPUT" "aws secretsmanager create-secret" SECRET_ARN=$(echo "$SECRET_OUTPUT" | grep -o '"ARN": "[^"]*' | cut -d'"' -f4) CREATED_RESOURCES+=("Secret: $SECRET_ARN ($SECRET_NAME)") echo "Created secret: $SECRET_NAME" echo "Step 7: Retrieving the username and password from the secret..." SECRET_VALUE_OUTPUT=$(aws secretsmanager get-secret-value --secret-id "$SECRET_NAME" --query 'SecretString' --output text) check_error "$SECRET_VALUE_OUTPUT" "aws secretsmanager get-secret-value" DB_USERNAME=$(echo "$SECRET_VALUE_OUTPUT" | grep -o '"username":"[^"]*' | cut -d'"' -f4) DB_PASSWORD=$(echo "$SECRET_VALUE_OUTPUT" | grep -o '"password":"[^"]*' | cut -d'"' -f4) echo "Retrieved database credentials" echo "Step 8: Creating RDS DB instance..." echo "This may take several minutes..." DB_OUTPUT=$(aws rds create-db-instance \ --db-instance-identifier "$DB_INSTANCE_ID" \ --db-instance-class db.t3.micro \ --engine mysql \ --master-username "$DB_USERNAME" \ --master-user-password "$DB_PASSWORD" \ --allocated-storage 20 \ --vpc-security-group-ids "$SECURITY_GROUP_ID" \ --db-subnet-group-name "$DB_SUBNET_GROUP_NAME" \ --backup-retention-period 7 \ --no-publicly-accessible \ --no-multi-az) check_error "$DB_OUTPUT" "aws rds create-db-instance" CREATED_RESOURCES+=("DB Instance: $DB_INSTANCE_ID") echo "DB instance creation initiated: $DB_INSTANCE_ID" echo "Waiting for DB instance to become available..." echo "This may take 5-10 minutes..." aws rds wait db-instance-available --db-instance-identifier "$DB_INSTANCE_ID" DB_STATUS=$? if [ $DB_STATUS -ne 0 ]; then echo "Error waiting for DB instance to become available" cleanup_on_error exit 1 fi echo "DB instance is now available!" echo "Step 9: Getting connection information..." ENDPOINT_INFO=$(aws rds describe-db-instances \ --db-instance-identifier "$DB_INSTANCE_ID" \ --query 'DBInstances[0].[Endpoint.Address,Endpoint.Port,MasterUsername]' \ --output text) check_error "$ENDPOINT_INFO" "aws rds describe-db-instances" DB_ENDPOINT=$(echo "$ENDPOINT_INFO" | awk '{print $1}') DB_PORT=$(echo "$ENDPOINT_INFO" | awk '{print $2}') DB_USER=$(echo "$ENDPOINT_INFO" | awk '{print $3}') echo "==============================================" echo "DB Instance successfully created!" echo "==============================================" echo "Connection Information:" echo " Endpoint: $DB_ENDPOINT" echo " Port: $DB_PORT" echo " Username: $DB_USER" echo " Password: [Stored in AWS Secrets Manager - $SECRET_NAME]" echo "" echo "To connect using the mysql client:" echo "mysql -h $DB_ENDPOINT -P $DB_PORT -u $DB_USER -p" echo "==============================================" echo "" echo "Resources created:" for resource in "${CREATED_RESOURCES[@]}"; do echo " - $resource" done echo "" # Ask user if they want to clean up resources echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ $CLEANUP_CHOICE =~ ^[Yy] ]]; then echo "Starting cleanup process..." echo "Step 1: Deleting DB instance $DB_INSTANCE_ID..." aws rds delete-db-instance --db-instance-identifier "$DB_INSTANCE_ID" --skip-final-snapshot echo "Waiting for DB instance to be deleted..." aws rds wait db-instance-deleted --db-instance-identifier "$DB_INSTANCE_ID" echo "Step 2: Deleting secret $SECRET_NAME..." aws secretsmanager delete-secret --secret-id "$SECRET_NAME" --force-delete-without-recovery echo "Step 3: Deleting DB subnet group $DB_SUBNET_GROUP_NAME..." aws rds delete-db-subnet-group --db-subnet-group-name "$DB_SUBNET_GROUP_NAME" echo "Step 4: Deleting security group $SECURITY_GROUP_ID..." aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID" echo "Cleanup completed successfully!" else echo "Skipping cleanup. Resources will remain in your AWS account." echo "To clean up later, you'll need to delete these resources manually." fi echo "Script completed successfully!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateDbInstance](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/CreateDbInstance) + [CreateDbSubnetGroup](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/CreateDbSubnetGroup) + [CreateSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/CreateSecret) + [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) + [DeleteDbInstance](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/DeleteDbInstance) + [DeleteDbSubnetGroup](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/DeleteDbSubnetGroup) + [DeleteSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/DeleteSecret) + [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) + [DescribeDbInstances](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/DescribeDbInstances) + [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets) + [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs) + [GetSecretValue](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/GetSecretValue) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/Wait) # Amazon Redshift examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon Redshift. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Get started with Redshift Serverless The following code example shows how to: + Use secrets-manager CreateSecret + Use secrets-manager DeleteSecret + Use secrets-manager GetSecretValue + Use redshift CreateNamespace + Use redshift CreateWorkgroup + Use redshift DeleteNamespace + Use iam CreateRole **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/038-redshift-serverless) repository. ``` #!/bin/bash # Amazon Redshift Serverless Tutorial Script with Secrets Manager (No jq dependency) # This script creates a Redshift Serverless environment, loads sample data, and runs queries # Uses AWS Secrets Manager for secure password management without requiring jq # Set up logging LOG_FILE="redshift-serverless-tutorial-v4.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon Redshift Serverless tutorial script at $(date)" echo "All commands and outputs will be logged to $LOG_FILE" # Function to check for errors in command output check_error() { local output=$1 local cmd=$2 if echo "$output" | grep -i "error\|exception\|fail" > /dev/null; then echo "ERROR: Command failed: $cmd" echo "Output: $output" cleanup_resources exit 1 fi } # Function to generate a secure password that meets Redshift requirements generate_secure_password() { # Redshift password requirements: # - 8-64 characters # - At least one uppercase letter # - At least one lowercase letter # - At least one decimal digit # - Can contain printable ASCII characters except /, ", ', \, @, space local password="" local valid=false local attempts=0 local max_attempts=10 while [[ "$valid" == false && $attempts -lt $max_attempts ]]; do # Generate base password with safe characters local base=$(openssl rand -base64 12 | tr -d '/+=' | head -c 12) # Ensure we have at least one of each required character type local upper=$(echo "ABCDEFGHIJKLMNOPQRSTUVWXYZ" | fold -w1 | shuf -n1) local lower=$(echo "abcdefghijklmnopqrstuvwxyz" | fold -w1 | shuf -n1) local digit=$(echo "0123456789" | fold -w1 | shuf -n1) local special=$(echo "!#$%&*()_+-=[]{}|;:,.<>?" | fold -w1 | shuf -n1) # Combine and shuffle password="${base}${upper}${lower}${digit}${special}" password=$(echo "$password" | fold -w1 | shuf | tr -d '\n') # Validate password meets requirements if [[ ${#password} -ge 8 && ${#password} -le 64 ]] && \ [[ "$password" =~ [A-Z] ]] && \ [[ "$password" =~ [a-z] ]] && \ [[ "$password" =~ [0-9] ]] && \ [[ ! "$password" =~ [/\"\'\\@[:space:]] ]]; then valid=true fi ((attempts++)) done if [[ "$valid" == false ]]; then echo "ERROR: Failed to generate valid password after $max_attempts attempts" exit 1 fi echo "$password" } # Function to create secret in AWS Secrets Manager create_secret() { local secret_name=$1 local username=$2 local password=$3 local description=$4 echo "Creating secret in AWS Secrets Manager: $secret_name" # Create the secret using AWS CLI without jq local secret_output=$(aws secretsmanager create-secret \ --name "$secret_name" \ --description "$description" \ --secret-string "{\"username\":\"$username\",\"password\":\"$password\"}" 2>&1) if echo "$secret_output" | grep -i "error\|exception\|fail" > /dev/null; then echo "ERROR: Failed to create secret: $secret_output" return 1 fi echo "Secret created successfully: $secret_name" return 0 } # Function to retrieve password from AWS Secrets Manager get_password_from_secret() { local secret_name=$1 # Get the secret value and extract password using sed/grep instead of jq local secret_value=$(aws secretsmanager get-secret-value \ --secret-id "$secret_name" \ --query 'SecretString' \ --output text 2>/dev/null) if [[ $? -eq 0 ]]; then # Extract password from JSON using sed echo "$secret_value" | sed -n 's/.*"password":"$[^"]*$".*/\1/p' else echo "" fi } # Function to wait for a resource to be available wait_for_resource() { local resource_type=$1 local resource_name=$2 local max_attempts=$3 local wait_seconds=$4 local check_cmd=$5 echo "Waiting for $resource_type $resource_name to be available..." for ((i=1; i<=$max_attempts; i++)); do local output=$($check_cmd 2>/dev/null) local status=$(echo "$output" | grep -o '"Status": "[^"]*' | cut -d'"' -f4 || echo "") if [[ "$status" == "AVAILABLE" ]]; then echo "$resource_type $resource_name is now available" return 0 fi echo "Attempt $i/$max_attempts: $resource_type $resource_name status: $status. Waiting $wait_seconds seconds..." sleep $wait_seconds done echo "ERROR: Timed out waiting for $resource_type $resource_name to be available" return 1 } # Function to wait for a resource to be deleted wait_for_resource_deletion() { local resource_type=$1 local resource_name=$2 local max_attempts=$3 local wait_seconds=$4 local check_cmd=$5 echo "Waiting for $resource_type $resource_name to be deleted..." for ((i=1; i<=$max_attempts; i++)); do local output=$($check_cmd 2>&1) if echo "$output" | grep -i "not found\|does not exist" > /dev/null; then echo "$resource_type $resource_name has been deleted" return 0 fi echo "Attempt $i/$max_attempts: $resource_type $resource_name is still being deleted. Waiting $wait_seconds seconds..." sleep $wait_seconds done echo "ERROR: Timed out waiting for $resource_type $resource_name to be deleted" return 1 } # Function to clean up resources cleanup_resources() { echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "The following resources were created:" echo "- Redshift Serverless Workgroup: $WORKGROUP_NAME" echo "- Redshift Serverless Namespace: $NAMESPACE_NAME" echo "- IAM Role: $ROLE_NAME" echo "- Secrets Manager Secret: $SECRET_NAME" echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "${CLEANUP_CHOICE,,}" == "y" ]]; then echo "Cleaning up resources..." # Delete the workgroup echo "Deleting Redshift Serverless workgroup $WORKGROUP_NAME..." WORKGROUP_DELETE_OUTPUT=$(aws redshift-serverless delete-workgroup --workgroup-name "$WORKGROUP_NAME" 2>&1) echo "$WORKGROUP_DELETE_OUTPUT" # Wait for workgroup to be deleted before deleting namespace wait_for_resource_deletion "workgroup" "$WORKGROUP_NAME" 20 30 "aws redshift-serverless get-workgroup --workgroup-name $WORKGROUP_NAME" # Delete the namespace echo "Deleting Redshift Serverless namespace $NAMESPACE_NAME..." NAMESPACE_DELETE_OUTPUT=$(aws redshift-serverless delete-namespace --namespace-name "$NAMESPACE_NAME" 2>&1) echo "$NAMESPACE_DELETE_OUTPUT" # Wait for namespace to be deleted wait_for_resource_deletion "namespace" "$NAMESPACE_NAME" 20 30 "aws redshift-serverless get-namespace --namespace-name $NAMESPACE_NAME" # Delete the IAM role policy echo "Deleting IAM role policy..." POLICY_DELETE_OUTPUT=$(aws iam delete-role-policy --role-name "$ROLE_NAME" --policy-name S3Access 2>&1) echo "$POLICY_DELETE_OUTPUT" # Delete the IAM role echo "Deleting IAM role $ROLE_NAME..." ROLE_DELETE_OUTPUT=$(aws iam delete-role --role-name "$ROLE_NAME" 2>&1) echo "$ROLE_DELETE_OUTPUT" # Delete the secret echo "Deleting Secrets Manager secret $SECRET_NAME..." SECRET_DELETE_OUTPUT=$(aws secretsmanager delete-secret --secret-id "$SECRET_NAME" --force-delete-without-recovery 2>&1) echo "$SECRET_DELETE_OUTPUT" echo "Cleanup completed." else echo "Cleanup skipped. Resources will remain in your AWS account." fi } # Check if required tools are available if ! command -v openssl &> /dev/null; then echo "ERROR: openssl is required but not installed. Please install openssl to continue." exit 1 fi # Generate unique names for resources RANDOM_SUFFIX=$(cat /dev/urandom | tr -dc 'a-z0-9' | head -c 6) NAMESPACE_NAME="rs-namespace-${RANDOM_SUFFIX}" WORKGROUP_NAME="rs-workgroup-${RANDOM_SUFFIX}" ROLE_NAME="RedshiftServerlessS3Role-${RANDOM_SUFFIX}" SECRET_NAME="redshift-serverless-admin-${RANDOM_SUFFIX}" DB_NAME="dev" ADMIN_USERNAME="admin" # Generate secure password echo "Generating secure password..." ADMIN_PASSWORD=$(generate_secure_password) # Create secret in AWS Secrets Manager create_secret "$SECRET_NAME" "$ADMIN_USERNAME" "$ADMIN_PASSWORD" "Admin credentials for Redshift Serverless namespace $NAMESPACE_NAME" if [[ $? -ne 0 ]]; then echo "ERROR: Failed to create secret in AWS Secrets Manager" exit 1 fi # Track created resources CREATED_RESOURCES=() echo "Using the following resource names:" echo "- Namespace: $NAMESPACE_NAME" echo "- Workgroup: $WORKGROUP_NAME" echo "- IAM Role: $ROLE_NAME" echo "- Secret: $SECRET_NAME" echo "- Database: $DB_NAME" echo "- Admin Username: $ADMIN_USERNAME" echo "- Admin Password: [STORED IN SECRETS MANAGER]" # Step 1: Create IAM role for S3 access echo "Creating IAM role for Redshift Serverless S3 access..." # Create trust policy document cat > redshift-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "redshift-serverless.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create S3 access policy document cat > redshift-s3-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::redshift-downloads", "arn:aws:s3:::redshift-downloads/*" ] } ] } EOF # Create IAM role echo "Creating IAM role $ROLE_NAME..." ROLE_OUTPUT=$(aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document file://redshift-trust-policy.json 2>&1) echo "$ROLE_OUTPUT" check_error "$ROLE_OUTPUT" "aws iam create-role" CREATED_RESOURCES+=("IAM Role: $ROLE_NAME") # Attach S3 policy to the role echo "Attaching S3 access policy to role $ROLE_NAME..." POLICY_OUTPUT=$(aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name S3Access --policy-document file://redshift-s3-policy.json 2>&1) echo "$POLICY_OUTPUT" check_error "$POLICY_OUTPUT" "aws iam put-role-policy" # Get the role ARN ROLE_ARN=$(aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text) echo "Role ARN: $ROLE_ARN" # Step 2: Create a namespace echo "Creating Redshift Serverless namespace $NAMESPACE_NAME..." NAMESPACE_OUTPUT=$(aws redshift-serverless create-namespace \ --namespace-name "$NAMESPACE_NAME" \ --admin-username "$ADMIN_USERNAME" \ --admin-user-password "$ADMIN_PASSWORD" \ --db-name "$DB_NAME" 2>&1) echo "$NAMESPACE_OUTPUT" check_error "$NAMESPACE_OUTPUT" "aws redshift-serverless create-namespace" CREATED_RESOURCES+=("Redshift Serverless Namespace: $NAMESPACE_NAME") # Wait for namespace to be available wait_for_resource "namespace" "$NAMESPACE_NAME" 10 30 "aws redshift-serverless get-namespace --namespace-name $NAMESPACE_NAME" # Associate IAM role with namespace echo "Associating IAM role with namespace..." UPDATE_NAMESPACE_OUTPUT=$(aws redshift-serverless update-namespace \ --namespace-name "$NAMESPACE_NAME" \ --iam-roles "$ROLE_ARN" 2>&1) echo "$UPDATE_NAMESPACE_OUTPUT" check_error "$UPDATE_NAMESPACE_OUTPUT" "aws redshift-serverless update-namespace" # Step 3: Create a workgroup echo "Creating Redshift Serverless workgroup $WORKGROUP_NAME..." WORKGROUP_OUTPUT=$(aws redshift-serverless create-workgroup \ --workgroup-name "$WORKGROUP_NAME" \ --namespace-name "$NAMESPACE_NAME" \ --base-capacity 8 2>&1) echo "$WORKGROUP_OUTPUT" check_error "$WORKGROUP_OUTPUT" "aws redshift-serverless create-workgroup" CREATED_RESOURCES+=("Redshift Serverless Workgroup: $WORKGROUP_NAME") # Wait for workgroup to be available wait_for_resource "workgroup" "$WORKGROUP_NAME" 20 30 "aws redshift-serverless get-workgroup --workgroup-name $WORKGROUP_NAME" # Get workgroup endpoint WORKGROUP_ENDPOINT=$(aws redshift-serverless get-workgroup \ --workgroup-name "$WORKGROUP_NAME" \ --query 'workgroup.endpoint.address' \ --output text) echo "Workgroup endpoint: $WORKGROUP_ENDPOINT" # Wait additional time for the endpoint to be fully operational echo "Waiting for endpoint to be fully operational..." sleep 60 # Step 4: Create tables for sample data echo "Creating tables for sample data..." # Create users table echo "Creating users table..." USERS_TABLE_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "CREATE TABLE users( userid INTEGER NOT NULL DISTKEY SORTKEY, username CHAR(8), firstname VARCHAR(30), lastname VARCHAR(30), city VARCHAR(30), state CHAR(2), email VARCHAR(100), phone CHAR(14), likesports BOOLEAN, liketheatre BOOLEAN, likeconcerts BOOLEAN, likejazz BOOLEAN, likeclassical BOOLEAN, likeopera BOOLEAN, likerock BOOLEAN, likevegas BOOLEAN, likebroadway BOOLEAN, likemusicals BOOLEAN );" 2>&1) echo "$USERS_TABLE_OUTPUT" check_error "$USERS_TABLE_OUTPUT" "aws redshift-data execute-statement (users table)" USERS_QUERY_ID=$(echo "$USERS_TABLE_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for query to complete echo "Waiting for users table creation to complete..." sleep 5 # Create event table echo "Creating event table..." EVENT_TABLE_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "CREATE TABLE event( eventid INTEGER NOT NULL DISTKEY, venueid SMALLINT NOT NULL, catid SMALLINT NOT NULL, dateid SMALLINT NOT NULL SORTKEY, eventname VARCHAR(200), starttime TIMESTAMP );" 2>&1) echo "$EVENT_TABLE_OUTPUT" check_error "$EVENT_TABLE_OUTPUT" "aws redshift-data execute-statement (event table)" EVENT_QUERY_ID=$(echo "$EVENT_TABLE_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for query to complete echo "Waiting for event table creation to complete..." sleep 5 # Create sales table echo "Creating sales table..." SALES_TABLE_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "CREATE TABLE sales( salesid INTEGER NOT NULL, listid INTEGER NOT NULL DISTKEY, sellerid INTEGER NOT NULL, buyerid INTEGER NOT NULL, eventid INTEGER NOT NULL, dateid SMALLINT NOT NULL SORTKEY, qtysold SMALLINT NOT NULL, pricepaid DECIMAL(8,2), commission DECIMAL(8,2), saletime TIMESTAMP );" 2>&1) echo "$SALES_TABLE_OUTPUT" check_error "$SALES_TABLE_OUTPUT" "aws redshift-data execute-statement (sales table)" SALES_QUERY_ID=$(echo "$SALES_TABLE_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for tables to be created echo "Waiting for tables to be created..." sleep 10 # Step 5: Load sample data from Amazon S3 echo "Loading sample data from Amazon S3..." # Load data into users table echo "Loading data into users table..." USERS_LOAD_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "COPY users FROM 's3://redshift-downloads/tickit/allusers_pipe.txt' DELIMITER '|' TIMEFORMAT 'YYYY-MM-DD HH:MI:SS' IGNOREHEADER 1 IAM_ROLE '$ROLE_ARN';" 2>&1) echo "$USERS_LOAD_OUTPUT" check_error "$USERS_LOAD_OUTPUT" "aws redshift-data execute-statement (load users)" USERS_LOAD_QUERY_ID=$(echo "$USERS_LOAD_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for data loading to complete echo "Waiting for users data loading to complete..." sleep 10 # Load data into event table echo "Loading data into event table..." EVENT_LOAD_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "COPY event FROM 's3://redshift-downloads/tickit/allevents_pipe.txt' DELIMITER '|' TIMEFORMAT 'YYYY-MM-DD HH:MI:SS' IGNOREHEADER 1 IAM_ROLE '$ROLE_ARN';" 2>&1) echo "$EVENT_LOAD_OUTPUT" check_error "$EVENT_LOAD_OUTPUT" "aws redshift-data execute-statement (load event)" EVENT_LOAD_QUERY_ID=$(echo "$EVENT_LOAD_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for data loading to complete echo "Waiting for event data loading to complete..." sleep 10 # Load data into sales table echo "Loading data into sales table..." SALES_LOAD_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "COPY sales FROM 's3://redshift-downloads/tickit/sales_tab.txt' DELIMITER '\t' TIMEFORMAT 'MM/DD/YYYY HH:MI:SS' IGNOREHEADER 1 IAM_ROLE '$ROLE_ARN';" 2>&1) echo "$SALES_LOAD_OUTPUT" check_error "$SALES_LOAD_OUTPUT" "aws redshift-data execute-statement (load sales)" SALES_LOAD_QUERY_ID=$(echo "$SALES_LOAD_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for data loading to complete echo "Waiting for sales data loading to complete..." sleep 30 # Step 6: Run sample queries echo "Running sample queries..." # Query 1: Find top 10 buyers by quantity echo "Running query: Find top 10 buyers by quantity..." QUERY1_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "SELECT firstname, lastname, total_quantity FROM (SELECT buyerid, sum(qtysold) total_quantity FROM sales GROUP BY buyerid ORDER BY total_quantity desc limit 10) Q, users WHERE Q.buyerid = userid ORDER BY Q.total_quantity desc;" 2>&1) echo "$QUERY1_OUTPUT" check_error "$QUERY1_OUTPUT" "aws redshift-data execute-statement (query 1)" QUERY1_ID=$(echo "$QUERY1_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for query to complete echo "Waiting for query 1 to complete..." sleep 10 # Get query 1 results echo "Getting results for query 1..." QUERY1_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY1_ID" 2>&1) echo "$QUERY1_STATUS_OUTPUT" check_error "$QUERY1_STATUS_OUTPUT" "aws redshift-data describe-statement (query 1)" QUERY1_STATUS=$(echo "$QUERY1_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4) if [ "$QUERY1_STATUS" == "FINISHED" ]; then QUERY1_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY1_ID" 2>&1) echo "Query 1 Results:" echo "$QUERY1_RESULTS" else echo "Query 1 is not yet complete. Status: $QUERY1_STATUS" echo "Waiting additional time for query to complete..." sleep 20 # Check again QUERY1_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY1_ID" 2>&1) QUERY1_STATUS=$(echo "$QUERY1_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4) if [ "$QUERY1_STATUS" == "FINISHED" ]; then QUERY1_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY1_ID" 2>&1) echo "Query 1 Results:" echo "$QUERY1_RESULTS" else echo "Query 1 is still not complete. Status: $QUERY1_STATUS" fi fi # Query 2: Find events in the 99.9 percentile in terms of all time total sales echo "Running query: Find events in the 99.9 percentile in terms of all time total sales..." QUERY2_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "SELECT eventname, total_price FROM (SELECT eventid, total_price, ntile(1000) over(order by total_price desc) as percentile FROM (SELECT eventid, sum(pricepaid) total_price FROM sales GROUP BY eventid)) Q, event E WHERE Q.eventid = E.eventid AND percentile = 1 ORDER BY total_price desc;" 2>&1) echo "$QUERY2_OUTPUT" check_error "$QUERY2_OUTPUT" "aws redshift-data execute-statement (query 2)" QUERY2_ID=$(echo "$QUERY2_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for query to complete echo "Waiting for query 2 to complete..." sleep 10 # Get query 2 results echo "Getting results for query 2..." QUERY2_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY2_ID" 2>&1) echo "$QUERY2_STATUS_OUTPUT" check_error "$QUERY2_STATUS_OUTPUT" "aws redshift-data describe-statement (query 2)" QUERY2_STATUS=$(echo "$QUERY2_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4) if [ "$QUERY2_STATUS" == "FINISHED" ]; then QUERY2_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY2_ID" 2>&1) echo "Query 2 Results:" echo "$QUERY2_RESULTS" else echo "Query 2 is not yet complete. Status: $QUERY2_STATUS" echo "Waiting additional time for query to complete..." sleep 20 # Check again QUERY2_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY2_ID" 2>&1) QUERY2_STATUS=$(echo "$QUERY2_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4) if [ "$QUERY2_STATUS" == "FINISHED" ]; then QUERY2_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY2_ID" 2>&1) echo "Query 2 Results:" echo "$QUERY2_RESULTS" else echo "Query 2 is still not complete. Status: $QUERY2_STATUS" fi fi # Summary echo "" echo "===========================================" echo "TUTORIAL SUMMARY" echo "===========================================" echo "You have successfully:" echo "1. Created a Redshift Serverless namespace and workgroup" echo "2. Created an IAM role with S3 access permissions" echo "3. Stored admin credentials securely in AWS Secrets Manager" echo "4. Created tables for sample data" echo "5. Loaded sample data from Amazon S3" echo "6. Run sample queries on the data" echo "" echo "Redshift Serverless Resources:" echo "- Namespace: $NAMESPACE_NAME" echo "- Workgroup: $WORKGROUP_NAME" echo "- Database: $DB_NAME" echo "- Endpoint: $WORKGROUP_ENDPOINT" echo "- Credentials Secret: $SECRET_NAME" echo "" echo "To connect to your Redshift Serverless database using SQL tools:" echo "- Host: $WORKGROUP_ENDPOINT" echo "- Database: $DB_NAME" echo "- Username: $ADMIN_USERNAME" echo "- Password: Retrieve from AWS Secrets Manager secret '$SECRET_NAME'" echo "" echo "To retrieve the password from Secrets Manager (without jq):" echo "aws secretsmanager get-secret-value --secret-id $SECRET_NAME --query 'SecretString' --output text | sed -n 's/.*\"password\":\"$[^\"]*$\".*/\1/p'" echo "" # Clean up temporary files rm -f redshift-trust-policy.json redshift-s3-policy.json # Clean up resources cleanup_resources echo "Tutorial completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/CreateNamespace) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/CreateSecret) + [CreateWorkgroup](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/CreateWorkgroup) + [DeleteNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/DeleteNamespace) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy) + [DeleteSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/DeleteSecret) + [DeleteWorkgroup](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/DeleteWorkgroup) + [GetNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/GetNamespace) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [GetSecretValue](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/GetSecretValue) + [GetWorkgroup](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/GetWorkgroup) + [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy) + [UpdateNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/UpdateNamespace) ### Getting started with Amazon Redshift provisioned clusters The following code example shows how to: + Create a Redshift cluster + Create an IAM role for S3 access + Create tables and load data + Run example queries + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/039-redshift-provisioned) repository. ``` #!/bin/bash # Amazon Redshift Provisioned Cluster Tutorial Script # This script creates a Redshift cluster, loads sample data, runs queries, and cleans up resources # Version 3: Fixed IAM role usage in COPY commands # Set up logging LOG_FILE="redshift_tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon Redshift tutorial script at $(date)" echo "All commands and outputs will be logged to $LOG_FILE" # Function to handle errors handle_error() { echo "ERROR: $1" echo "Resources created so far:" if [ -n "$CLUSTER_ID" ]; then echo "- Redshift Cluster: $CLUSTER_ID"; fi if [ -n "$ROLE_NAME" ]; then echo "- IAM Role: $ROLE_NAME"; fi echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Function to clean up resources cleanup_resources() { echo "Cleaning up resources..." # Delete the cluster if it exists if [ -n "$CLUSTER_ID" ]; then echo "Deleting Redshift cluster: $CLUSTER_ID" aws redshift delete-cluster --cluster-identifier "$CLUSTER_ID" --skip-final-cluster-snapshot echo "Waiting for cluster deletion to complete..." aws redshift wait cluster-deleted --cluster-identifier "$CLUSTER_ID" echo "Cluster deleted successfully." fi # Delete the IAM role if it exists if [ -n "$ROLE_NAME" ]; then echo "Removing IAM role policy..." aws iam delete-role-policy --role-name "$ROLE_NAME" --policy-name RedshiftS3Access || echo "Failed to delete role policy" echo "Deleting IAM role: $ROLE_NAME" aws iam delete-role --role-name "$ROLE_NAME" || echo "Failed to delete role" fi echo "Cleanup completed." } # Function to wait for SQL statement to complete wait_for_statement() { local statement_id=$1 local max_attempts=30 local attempt=1 local status="" echo "Waiting for statement $statement_id to complete..." while [ $attempt -le $max_attempts ]; do status=$(aws redshift-data describe-statement --id "$statement_id" --query 'Status' --output text) if [ "$status" == "FINISHED" ]; then echo "Statement completed successfully." return 0 elif [ "$status" == "FAILED" ]; then local error=$(aws redshift-data describe-statement --id "$statement_id" --query 'Error' --output text) echo "Statement failed with error: $error" return 1 elif [ "$status" == "ABORTED" ]; then echo "Statement was aborted." return 1 fi echo "Statement status: $status. Waiting... (Attempt $attempt/$max_attempts)" sleep 10 ((attempt++)) done echo "Timed out waiting for statement to complete." return 1 } # Function to check if IAM role is attached to cluster check_role_attached() { local role_arn=$1 local max_attempts=10 local attempt=1 echo "Checking if IAM role is attached to the cluster..." while [ $attempt -le $max_attempts ]; do local status=$(aws redshift describe-clusters \ --cluster-identifier "$CLUSTER_ID" \ --query "Clusters[0].IamRoles[?IamRoleArn=='$role_arn'].ApplyStatus" \ --output text) if [ "$status" == "in-sync" ]; then echo "IAM role is successfully attached to the cluster." return 0 fi echo "IAM role status: $status. Waiting... (Attempt $attempt/$max_attempts)" sleep 30 ((attempt++)) done echo "Timed out waiting for IAM role to be attached." return 1 } # Variables to track created resources CLUSTER_ID="examplecluster" ROLE_NAME="RedshiftS3Role-$(date +%s)" DB_NAME="dev" DB_USER="awsuser" DB_PASSWORD="Changeit1" # In production, use AWS Secrets Manager to generate and store passwords echo "=== Step 1: Creating Amazon Redshift Cluster ===" # Create the Redshift cluster echo "Creating Redshift cluster: $CLUSTER_ID" CLUSTER_RESULT=$(aws redshift create-cluster \ --cluster-identifier "$CLUSTER_ID" \ --node-type ra3.4xlarge \ --number-of-nodes 2 \ --master-username "$DB_USER" \ --master-user-password "$DB_PASSWORD" \ --db-name "$DB_NAME" \ --port 5439 2>&1) # Check for errors if echo "$CLUSTER_RESULT" | grep -i "error"; then handle_error "Failed to create Redshift cluster: $CLUSTER_RESULT" fi echo "$CLUSTER_RESULT" echo "Waiting for cluster to become available..." # Wait for the cluster to be available aws redshift wait cluster-available --cluster-identifier "$CLUSTER_ID" || handle_error "Timeout waiting for cluster to become available" # Get cluster status to confirm CLUSTER_STATUS=$(aws redshift describe-clusters \ --cluster-identifier "$CLUSTER_ID" \ --query 'Clusters[0].ClusterStatus' \ --output text) echo "Cluster status: $CLUSTER_STATUS" echo "=== Step 2: Creating IAM Role for S3 Access ===" # Create trust policy file echo "Creating trust policy for Redshift" cat > redshift-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "redshift.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create IAM role echo "Creating IAM role: $ROLE_NAME" ROLE_RESULT=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document file://redshift-trust-policy.json 2>&1) # Check for errors if echo "$ROLE_RESULT" | grep -i "error"; then handle_error "Failed to create IAM role: $ROLE_RESULT" fi echo "$ROLE_RESULT" # Get the role ARN ROLE_ARN=$(aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text) echo "Role ARN: $ROLE_ARN" # Create policy document for S3 access echo "Creating S3 access policy" cat > redshift-s3-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::redshift-downloads", "arn:aws:s3:::redshift-downloads/*" ] } ] } EOF # Attach policy to role echo "Attaching S3 access policy to role" POLICY_RESULT=$(aws iam put-role-policy \ --role-name "$ROLE_NAME" \ --policy-name RedshiftS3Access \ --policy-document file://redshift-s3-policy.json 2>&1) # Check for errors if echo "$POLICY_RESULT" | grep -i "error"; then handle_error "Failed to attach policy to role: $POLICY_RESULT" fi echo "$POLICY_RESULT" # Attach role to cluster echo "Attaching IAM role to Redshift cluster" ATTACH_ROLE_RESULT=$(aws redshift modify-cluster-iam-roles \ --cluster-identifier "$CLUSTER_ID" \ --add-iam-roles "$ROLE_ARN" 2>&1) # Check for errors if echo "$ATTACH_ROLE_RESULT" | grep -i "error"; then handle_error "Failed to attach role to cluster: $ATTACH_ROLE_RESULT" fi echo "$ATTACH_ROLE_RESULT" # Wait for the role to be attached echo "Waiting for IAM role to be attached to the cluster..." if ! check_role_attached "$ROLE_ARN"; then handle_error "Failed to attach IAM role to cluster" fi echo "=== Step 3: Getting Cluster Connection Information ===" # Get cluster endpoint CLUSTER_INFO=$(aws redshift describe-clusters \ --cluster-identifier "$CLUSTER_ID" \ --query 'Clusters[0].Endpoint.{Address:Address,Port:Port}' \ --output json) echo "Cluster endpoint information:" echo "$CLUSTER_INFO" echo "=== Step 4: Creating Tables and Loading Data ===" echo "Creating sales table" SALES_TABLE_ID=$(aws redshift-data execute-statement \ --cluster-identifier "$CLUSTER_ID" \ --database "$DB_NAME" \ --db-user "$DB_USER" \ --sql "DROP TABLE IF EXISTS sales; CREATE TABLE sales(salesid integer not null, listid integer not null distkey, sellerid integer not null, buyerid integer not null, eventid integer not null, dateid smallint not null sortkey, qtysold smallint not null, pricepaid decimal(8,2), commission decimal(8,2), saletime timestamp);" \ --query 'Id' --output text) echo "Sales table creation statement ID: $SALES_TABLE_ID" # Wait for statement to complete if ! wait_for_statement "$SALES_TABLE_ID"; then handle_error "Failed to create sales table" fi echo "Creating date table" DATE_TABLE_ID=$(aws redshift-data execute-statement \ --cluster-identifier "$CLUSTER_ID" \ --database "$DB_NAME" \ --db-user "$DB_USER" \ --sql "DROP TABLE IF EXISTS date; CREATE TABLE date(dateid smallint not null distkey sortkey, caldate date not null, day character(3) not null, week smallint not null, month character(5) not null, qtr character(5) not null, year smallint not null, holiday boolean default('N'));" \ --query 'Id' --output text) echo "Date table creation statement ID: $DATE_TABLE_ID" # Wait for statement to complete if ! wait_for_statement "$DATE_TABLE_ID"; then handle_error "Failed to create date table" fi echo "Loading data into sales table" SALES_LOAD_ID=$(aws redshift-data execute-statement \ --cluster-identifier "$CLUSTER_ID" \ --database "$DB_NAME" \ --db-user "$DB_USER" \ --sql "COPY sales FROM 's3://redshift-downloads/tickit/sales_tab.txt' DELIMITER '\t' TIMEFORMAT 'MM/DD/YYYY HH:MI:SS' REGION 'us-east-1' IAM_ROLE '$ROLE_ARN';" \ --query 'Id' --output text) echo "Sales data load statement ID: $SALES_LOAD_ID" # Wait for statement to complete if ! wait_for_statement "$SALES_LOAD_ID"; then handle_error "Failed to load data into sales table" fi echo "Loading data into date table" DATE_LOAD_ID=$(aws redshift-data execute-statement \ --cluster-identifier "$CLUSTER_ID" \ --database "$DB_NAME" \ --db-user "$DB_USER" \ --sql "COPY date FROM 's3://redshift-downloads/tickit/date2008_pipe.txt' DELIMITER '|' REGION 'us-east-1' IAM_ROLE '$ROLE_ARN';" \ --query 'Id' --output text) echo "Date data load statement ID: $DATE_LOAD_ID" # Wait for statement to complete if ! wait_for_statement "$DATE_LOAD_ID"; then handle_error "Failed to load data into date table" fi echo "=== Step 5: Running Example Queries ===" echo "Running query: Get definition for the sales table" QUERY1_ID=$(aws redshift-data execute-statement \ --cluster-identifier "$CLUSTER_ID" \ --database "$DB_NAME" \ --db-user "$DB_USER" \ --sql "SELECT * FROM pg_table_def WHERE tablename = 'sales';" \ --query 'Id' --output text) echo "Query 1 statement ID: $QUERY1_ID" # Wait for statement to complete if ! wait_for_statement "$QUERY1_ID"; then handle_error "Query 1 failed" fi # Get and display results echo "Query 1 results (first 10 rows):" aws redshift-data get-statement-result --id "$QUERY1_ID" --max-items 10 echo "Running query: Find total sales on a given calendar date" QUERY2_ID=$(aws redshift-data execute-statement \ --cluster-identifier "$CLUSTER_ID" \ --database "$DB_NAME" \ --db-user "$DB_USER" \ --sql "SELECT sum(qtysold) FROM sales, date WHERE sales.dateid = date.dateid AND caldate = '2008-01-05';" \ --query 'Id' --output text) echo "Query 2 statement ID: $QUERY2_ID" # Wait for statement to complete if ! wait_for_statement "$QUERY2_ID"; then handle_error "Query 2 failed" fi # Get and display results echo "Query 2 results:" aws redshift-data get-statement-result --id "$QUERY2_ID" echo "=== Tutorial Complete ===" echo "The following resources were created:" echo "- Redshift Cluster: $CLUSTER_ID" echo "- IAM Role: $ROLE_NAME" echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy] ]]; then cleanup_resources echo "All resources have been cleaned up." else echo "Resources were not cleaned up. You can manually delete them later." echo "To avoid incurring charges, remember to delete the following resources:" echo "- Redshift Cluster: $CLUSTER_ID" echo "- IAM Role: $ROLE_NAME" fi echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateCluster](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/CreateCluster) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteCluster](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/DeleteCluster) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy) + [DescribeClusters](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/DescribeClusters) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [ModifyClusterIamRoles](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/ModifyClusterIamRoles) + [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/Wait) # Amazon S3 examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon S3. *Basics* are code examples that show you how to perform the essential operations within a service. *Actions* are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Basics](#basics) + [Actions](#actions) + [Scenarios](#scenarios) ## Basics ### Learn the basics The following code example shows how to: + Create a bucket and upload a file to it. + Download an object from a bucket. + Copy an object to a subfolder in a bucket. + List the objects in a bucket. + Delete the bucket objects and the bucket. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/s3#code-examples). ``` ############################################################################### # function s3_getting_started # # This function creates, copies, and deletes S3 buckets and objects. # # Returns: # 0 - If successful. # 1 - If an error occurred. ############################################################################### function s3_getting_started() { { if [ "$BUCKET_OPERATIONS_SOURCED" != "True" ]; then cd bucket-lifecycle-operations || exit source ./bucket_operations.sh cd .. fi } echo_repeat "*" 88 echo "Welcome to the Amazon S3 getting started demo." echo_repeat "*" 88 echo "A unique bucket will be created by appending a Universally Unique Identifier to a bucket name prefix." echo -n "Enter a prefix for the S3 bucket that will be used in this demo: " get_input bucket_name_prefix=$get_input_result local bucket_name bucket_name=$(generate_random_name "$bucket_name_prefix") local region_code region_code=$(aws configure get region) if create_bucket -b "$bucket_name" -r "$region_code"; then echo "Created demo bucket named $bucket_name" else errecho "The bucket failed to create. This demo will exit." return 1 fi local file_name while [ -z "$file_name" ]; do echo -n "Enter a file you want to upload to your bucket: " get_input file_name=$get_input_result if [ ! -f "$file_name" ]; then echo "Could not find file $file_name. Are you sure it exists?" file_name="" fi done local key key="$(basename "$file_name")" local result=0 if copy_file_to_bucket "$bucket_name" "$file_name" "$key"; then echo "Uploaded file $file_name into bucket $bucket_name with key $key." else result=1 fi local destination_file destination_file="$file_name.download" if yes_no_input "Would you like to download $key to the file $destination_file? (y/n) "; then if download_object_from_bucket "$bucket_name" "$destination_file" "$key"; then echo "Downloaded $key in the bucket $bucket_name to the file $destination_file." else result=1 fi fi if yes_no_input "Would you like to copy $key a new object key in your bucket? (y/n) "; then local to_key to_key="demo/$key" if copy_item_in_bucket "$bucket_name" "$key" "$to_key"; then echo "Copied $key in the bucket $bucket_name to the $to_key." else result=1 fi fi local bucket_items bucket_items=$(list_items_in_bucket "$bucket_name") # shellcheck disable=SC2181 if [[ $? -ne 0 ]]; then result=1 fi echo "Your bucket contains the following items." echo -e "Name\t\tSize" echo "$bucket_items" if yes_no_input "Delete the bucket, $bucket_name, as well as the objects in it? (y/n) "; then bucket_items=$(echo "$bucket_items" | cut -f 1) if delete_items_in_bucket "$bucket_name" "$bucket_items"; then echo "The following items were deleted from the bucket $bucket_name" echo "$bucket_items" else result=1 fi if delete_bucket "$bucket_name"; then echo "Deleted the bucket $bucket_name" else result=1 fi fi return $result } ``` The Amazon S3 functions used in this scenario. ``` ############################################################################### # function create-bucket # # This function creates the specified bucket in the specified AWS Region, unless # it already exists. # # Parameters: # -b bucket_name -- The name of the bucket to create. # -r region_code -- The code for an AWS Region in which to # create the bucket. # # Returns: # The URL of the bucket that was created. # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function create_bucket() { local bucket_name region_code response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function create_bucket" echo "Creates an Amazon S3 bucket. You must supply a bucket name:" echo " -b bucket_name The name of the bucket. It must be globally unique." echo " [-r region_code] The code for an AWS Region in which the bucket is created." echo "" } # Retrieve the calling parameters. while getopts "b:r:h" option; do case "${option}" in b) bucket_name="${OPTARG}" ;; r) region_code="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done if [[ -z "$bucket_name" ]]; then errecho "ERROR: You must provide a bucket name with the -b parameter." usage return 1 fi local bucket_config_arg # A location constraint for "us-east-1" returns an error. if [[ -n "$region_code" ]] && [[ "$region_code" != "us-east-1" ]]; then bucket_config_arg="--create-bucket-configuration LocationConstraint=$region_code" fi iecho "Parameters:\n" iecho " Bucket name: $bucket_name" iecho " Region code: $region_code" iecho "" # If the bucket already exists, we don't want to try to create it. if (bucket_exists "$bucket_name"); then errecho "ERROR: A bucket with that name already exists. Try again." return 1 fi # shellcheck disable=SC2086 response=$(aws s3api create-bucket \ --bucket "$bucket_name" \ $bucket_config_arg) # shellcheck disable=SC2181 if [[ ${?} -ne 0 ]]; then errecho "ERROR: AWS reports create-bucket operation failed.\n$response" return 1 fi } ############################################################################### # function copy_file_to_bucket # # This function creates a file in the specified bucket. # # Parameters: # $1 - The name of the bucket to copy the file to. # $2 - The path and file name of the local file to copy to the bucket. # $3 - The key (name) to call the copy of the file in the bucket. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function copy_file_to_bucket() { local response bucket_name source_file destination_file_name bucket_name=$1 source_file=$2 destination_file_name=$3 response=$(aws s3api put-object \ --bucket "$bucket_name" \ --body "$source_file" \ --key "$destination_file_name") # shellcheck disable=SC2181 if [[ ${?} -ne 0 ]]; then errecho "ERROR: AWS reports put-object operation failed.\n$response" return 1 fi } ############################################################################### # function download_object_from_bucket # # This function downloads an object in a bucket to a file. # # Parameters: # $1 - The name of the bucket to download the object from. # $2 - The path and file name to store the downloaded bucket. # $3 - The key (name) of the object in the bucket. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function download_object_from_bucket() { local bucket_name=$1 local destination_file_name=$2 local object_name=$3 local response response=$(aws s3api get-object \ --bucket "$bucket_name" \ --key "$object_name" \ "$destination_file_name") # shellcheck disable=SC2181 if [[ ${?} -ne 0 ]]; then errecho "ERROR: AWS reports put-object operation failed.\n$response" return 1 fi } ############################################################################### # function copy_item_in_bucket # # This function creates a copy of the specified file in the same bucket. # # Parameters: # $1 - The name of the bucket to copy the file from and to. # $2 - The key of the source file to copy. # $3 - The key of the destination file. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function copy_item_in_bucket() { local bucket_name=$1 local source_key=$2 local destination_key=$3 local response response=$(aws s3api copy-object \ --bucket "$bucket_name" \ --copy-source "$bucket_name/$source_key" \ --key "$destination_key") # shellcheck disable=SC2181 if [[ $? -ne 0 ]]; then errecho "ERROR: AWS reports s3api copy-object operation failed.\n$response" return 1 fi } ############################################################################### # function list_items_in_bucket # # This function displays a list of the files in the bucket with each file's # size. The function uses the --query parameter to retrieve only the key and # size fields from the Contents collection. # # Parameters: # $1 - The name of the bucket. # # Returns: # The list of files in text format. # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function list_items_in_bucket() { local bucket_name=$1 local response response=$(aws s3api list-objects \ --bucket "$bucket_name" \ --output text \ --query 'Contents[].{Key: Key, Size: Size}') # shellcheck disable=SC2181 if [[ ${?} -eq 0 ]]; then echo "$response" else errecho "ERROR: AWS reports s3api list-objects operation failed.\n$response" return 1 fi } ############################################################################### # function delete_items_in_bucket # # This function deletes the specified list of keys from the specified bucket. # # Parameters: # $1 - The name of the bucket. # $2 - A list of keys in the bucket to delete. # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function delete_items_in_bucket() { local bucket_name=$1 local keys=$2 local response # Create the JSON for the items to delete. local delete_items delete_items="{\"Objects\":[" for key in $keys; do delete_items="$delete_items{\"Key\": \"$key\"}," done delete_items=${delete_items%?} # Remove the final comma. delete_items="$delete_items]}" response=$(aws s3api delete-objects \ --bucket "$bucket_name" \ --delete "$delete_items") # shellcheck disable=SC2181 if [[ $? -ne 0 ]]; then errecho "ERROR: AWS reports s3api delete-object operation failed.\n$response" return 1 fi } ############################################################################### # function delete_bucket # # This function deletes the specified bucket. # # Parameters: # $1 - The name of the bucket. # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function delete_bucket() { local bucket_name=$1 local response response=$(aws s3api delete-bucket \ --bucket "$bucket_name") # shellcheck disable=SC2181 if [[ $? -ne 0 ]]; then errecho "ERROR: AWS reports s3api delete-bucket failed.\n$response" return 1 fi } ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CopyObject](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/CopyObject) + [CreateBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/CreateBucket) + [DeleteBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/DeleteBucket) + [DeleteObjects](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/DeleteObjects) + [GetObject](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/GetObject) + [ListObjectsV2](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/ListObjectsV2) + [PutObject](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/PutObject) ## Actions ### `CopyObject` The following code example shows how to use `CopyObject`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/s3#code-examples). ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function copy_item_in_bucket # # This function creates a copy of the specified file in the same bucket. # # Parameters: # $1 - The name of the bucket to copy the file from and to. # $2 - The key of the source file to copy. # $3 - The key of the destination file. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function copy_item_in_bucket() { local bucket_name=$1 local source_key=$2 local destination_key=$3 local response response=$(aws s3api copy-object \ --bucket "$bucket_name" \ --copy-source "$bucket_name/$source_key" \ --key "$destination_key") # shellcheck disable=SC2181 if [[ $? -ne 0 ]]; then errecho "ERROR: AWS reports s3api copy-object operation failed.\n$response" return 1 fi } ``` + For API details, see [CopyObject](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/CopyObject) in *AWS CLI Command Reference*. ### `CreateBucket` The following code example shows how to use `CreateBucket`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/s3#code-examples). ``` ############################################################################### # function iecho # # This function enables the script to display the specified text only if # the global variable $VERBOSE is set to true. ############################################################################### function iecho() { if [[ $VERBOSE == true ]]; then echo "$@" fi } ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function create-bucket # # This function creates the specified bucket in the specified AWS Region, unless # it already exists. # # Parameters: # -b bucket_name -- The name of the bucket to create. # -r region_code -- The code for an AWS Region in which to # create the bucket. # # Returns: # The URL of the bucket that was created. # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function create_bucket() { local bucket_name region_code response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function create_bucket" echo "Creates an Amazon S3 bucket. You must supply a bucket name:" echo " -b bucket_name The name of the bucket. It must be globally unique." echo " [-r region_code] The code for an AWS Region in which the bucket is created." echo "" } # Retrieve the calling parameters. while getopts "b:r:h" option; do case "${option}" in b) bucket_name="${OPTARG}" ;; r) region_code="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done if [[ -z "$bucket_name" ]]; then errecho "ERROR: You must provide a bucket name with the -b parameter." usage return 1 fi local bucket_config_arg # A location constraint for "us-east-1" returns an error. if [[ -n "$region_code" ]] && [[ "$region_code" != "us-east-1" ]]; then bucket_config_arg="--create-bucket-configuration LocationConstraint=$region_code" fi iecho "Parameters:\n" iecho " Bucket name: $bucket_name" iecho " Region code: $region_code" iecho "" # If the bucket already exists, we don't want to try to create it. if (bucket_exists "$bucket_name"); then errecho "ERROR: A bucket with that name already exists. Try again." return 1 fi # shellcheck disable=SC2086 response=$(aws s3api create-bucket \ --bucket "$bucket_name" \ $bucket_config_arg) # shellcheck disable=SC2181 if [[ ${?} -ne 0 ]]; then errecho "ERROR: AWS reports create-bucket operation failed.\n$response" return 1 fi } ``` + For API details, see [CreateBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/CreateBucket) in *AWS CLI Command Reference*. ### `DeleteBucket` The following code example shows how to use `DeleteBucket`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/s3#code-examples). ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function delete_bucket # # This function deletes the specified bucket. # # Parameters: # $1 - The name of the bucket. # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function delete_bucket() { local bucket_name=$1 local response response=$(aws s3api delete-bucket \ --bucket "$bucket_name") # shellcheck disable=SC2181 if [[ $? -ne 0 ]]; then errecho "ERROR: AWS reports s3api delete-bucket failed.\n$response" return 1 fi } ``` + For API details, see [DeleteBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/DeleteBucket) in *AWS CLI Command Reference*. ### `DeleteObject` The following code example shows how to use `DeleteObject`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/s3#code-examples). ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function delete_item_in_bucket # # This function deletes the specified file from the specified bucket. # # Parameters: # $1 - The name of the bucket. # $2 - The key (file name) in the bucket to delete. # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function delete_item_in_bucket() { local bucket_name=$1 local key=$2 local response response=$(aws s3api delete-object \ --bucket "$bucket_name" \ --key "$key") # shellcheck disable=SC2181 if [[ $? -ne 0 ]]; then errecho "ERROR: AWS reports s3api delete-object operation failed.\n$response" return 1 fi } ``` + For API details, see [DeleteObject](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/DeleteObject) in *AWS CLI Command Reference*. ### `DeleteObjects` The following code example shows how to use `DeleteObjects`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/s3#code-examples). ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function delete_items_in_bucket # # This function deletes the specified list of keys from the specified bucket. # # Parameters: # $1 - The name of the bucket. # $2 - A list of keys in the bucket to delete. # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function delete_items_in_bucket() { local bucket_name=$1 local keys=$2 local response # Create the JSON for the items to delete. local delete_items delete_items="{\"Objects\":[" for key in $keys; do delete_items="$delete_items{\"Key\": \"$key\"}," done delete_items=${delete_items%?} # Remove the final comma. delete_items="$delete_items]}" response=$(aws s3api delete-objects \ --bucket "$bucket_name" \ --delete "$delete_items") # shellcheck disable=SC2181 if [[ $? -ne 0 ]]; then errecho "ERROR: AWS reports s3api delete-object operation failed.\n$response" return 1 fi } ``` + For API details, see [DeleteObjects](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/DeleteObjects) in *AWS CLI Command Reference*. ### `GetObject` The following code example shows how to use `GetObject`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/s3#code-examples). ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function download_object_from_bucket # # This function downloads an object in a bucket to a file. # # Parameters: # $1 - The name of the bucket to download the object from. # $2 - The path and file name to store the downloaded bucket. # $3 - The key (name) of the object in the bucket. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function download_object_from_bucket() { local bucket_name=$1 local destination_file_name=$2 local object_name=$3 local response response=$(aws s3api get-object \ --bucket "$bucket_name" \ --key "$object_name" \ "$destination_file_name") # shellcheck disable=SC2181 if [[ ${?} -ne 0 ]]; then errecho "ERROR: AWS reports put-object operation failed.\n$response" return 1 fi } ``` + For API details, see [GetObject](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/GetObject) in *AWS CLI Command Reference*. ### `HeadBucket` The following code example shows how to use `HeadBucket`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/s3#code-examples). ``` ############################################################################### # function bucket_exists # # This function checks to see if the specified bucket already exists. # # Parameters: # $1 - The name of the bucket to check. # # Returns: # 0 - If the bucket already exists. # 1 - If the bucket doesn't exist. ############################################################################### function bucket_exists() { local bucket_name bucket_name=$1 # Check whether the bucket already exists. # We suppress all output - we're interested only in the return code. if aws s3api head-bucket \ --bucket "$bucket_name" \ >/dev/null 2>&1; then return 0 # 0 in Bash script means true. else return 1 # 1 in Bash script means false. fi } ``` + For API details, see [HeadBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/HeadBucket) in *AWS CLI Command Reference*. ### `ListObjectsV2` The following code example shows how to use `ListObjectsV2`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/s3#code-examples). ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function list_items_in_bucket # # This function displays a list of the files in the bucket with each file's # size. The function uses the --query parameter to retrieve only the key and # size fields from the Contents collection. # # Parameters: # $1 - The name of the bucket. # # Returns: # The list of files in text format. # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function list_items_in_bucket() { local bucket_name=$1 local response response=$(aws s3api list-objects \ --bucket "$bucket_name" \ --output text \ --query 'Contents[].{Key: Key, Size: Size}') # shellcheck disable=SC2181 if [[ ${?} -eq 0 ]]; then echo "$response" else errecho "ERROR: AWS reports s3api list-objects operation failed.\n$response" return 1 fi } ``` + For API details, see [ListObjectsV2](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/ListObjectsV2) in *AWS CLI Command Reference*. ### `PutObject` The following code example shows how to use `PutObject`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/s3#code-examples). ``` ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function copy_file_to_bucket # # This function creates a file in the specified bucket. # # Parameters: # $1 - The name of the bucket to copy the file to. # $2 - The path and file name of the local file to copy to the bucket. # $3 - The key (name) to call the copy of the file in the bucket. # # Returns: # 0 - If successful. # 1 - If it fails. ############################################################################### function copy_file_to_bucket() { local response bucket_name source_file destination_file_name bucket_name=$1 source_file=$2 destination_file_name=$3 response=$(aws s3api put-object \ --bucket "$bucket_name" \ --body "$source_file" \ --key "$destination_file_name") # shellcheck disable=SC2181 if [[ ${?} -ne 0 ]]; then errecho "ERROR: AWS reports put-object operation failed.\n$response" return 1 fi } ``` + For API details, see [PutObject](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/PutObject) in *AWS CLI Command Reference*. ## Scenarios ### Getting started with Amazon Athena The following code example shows how to: + Create an S3 bucket for query results + Create a database + Create a table + Run a query + Create and use named queries + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/061-amazon-athena-gs) repository. ``` #!/bin/bash # Amazon Athena Getting Started Script # This script demonstrates how to use Amazon Athena with AWS CLI # It creates a database, table, runs queries, and manages named queries # Set up logging LOG_FILE="athena-tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon Athena Getting Started Tutorial..." echo "Logging to $LOG_FILE" # Function to handle errors handle_error() { echo "ERROR: $1" echo "Resources created:" if [ -n "$NAMED_QUERY_ID" ]; then echo "- Named Query: $NAMED_QUERY_ID" fi if [ -n "$DATABASE_NAME" ]; then echo "- Database: $DATABASE_NAME" if [ -n "$TABLE_NAME" ]; then echo "- Table: $TABLE_NAME in $DATABASE_NAME" fi fi if [ -n "$S3_BUCKET" ]; then echo "- S3 Bucket: $S3_BUCKET" fi echo "Exiting..." exit 1 } # Generate a random identifier for S3 bucket RANDOM_ID=$(openssl rand -hex 6) S3_BUCKET="athena-${RANDOM_ID}" DATABASE_NAME="mydatabase" TABLE_NAME="cloudfront_logs" # Get the current AWS region AWS_REGION=$(aws configure get region) if [ -z "$AWS_REGION" ]; then AWS_REGION="us-east-1" echo "No AWS region found in configuration, defaulting to $AWS_REGION" fi echo "Using AWS Region: $AWS_REGION" # Create S3 bucket for Athena query results echo "Creating S3 bucket for Athena query results: $S3_BUCKET" CREATE_BUCKET_RESULT=$(aws s3 mb "s3://$S3_BUCKET" 2>&1) if echo "$CREATE_BUCKET_RESULT" | grep -i "error"; then handle_error "Failed to create S3 bucket: $CREATE_BUCKET_RESULT" fi echo "$CREATE_BUCKET_RESULT" # Step 1: Create a database echo "Step 1: Creating Athena database: $DATABASE_NAME" CREATE_DB_RESULT=$(aws athena start-query-execution \ --query-string "CREATE DATABASE IF NOT EXISTS $DATABASE_NAME" \ --result-configuration "OutputLocation=s3://$S3_BUCKET/output/" 2>&1) if echo "$CREATE_DB_RESULT" | grep -i "error"; then handle_error "Failed to create database: $CREATE_DB_RESULT" fi QUERY_ID=$(echo "$CREATE_DB_RESULT" | grep -o '"QueryExecutionId": "[^"]*' | cut -d'"' -f4) echo "Database creation query ID: $QUERY_ID" # Wait for database creation to complete echo "Waiting for database creation to complete..." while true; do QUERY_STATUS=$(aws athena get-query-execution --query-execution-id "$QUERY_ID" --query "QueryExecution.Status.State" --output text 2>&1) if [ "$QUERY_STATUS" = "SUCCEEDED" ]; then echo "Database creation completed successfully." break elif [ "$QUERY_STATUS" = "FAILED" ] || [ "$QUERY_STATUS" = "CANCELLED" ]; then handle_error "Database creation failed with status: $QUERY_STATUS" fi echo "Database creation in progress, status: $QUERY_STATUS" sleep 2 done # Verify the database was created echo "Verifying database creation..." LIST_DB_RESULT=$(aws athena list-databases --catalog-name AwsDataCatalog 2>&1) if echo "$LIST_DB_RESULT" | grep -i "error"; then handle_error "Failed to list databases: $LIST_DB_RESULT" fi echo "$LIST_DB_RESULT" # Step 2: Create a table echo "Step 2: Creating Athena table: $TABLE_NAME" # Replace the region placeholder in the S3 location CREATE_TABLE_QUERY="CREATE EXTERNAL TABLE IF NOT EXISTS $DATABASE_NAME.$TABLE_NAME ( \`Date\` DATE, Time STRING, Location STRING, Bytes INT, RequestIP STRING, Method STRING, Host STRING, Uri STRING, Status INT, Referrer STRING, os STRING, Browser STRING, BrowserVersion STRING ) ROW FORMAT SERDE 'org.apache.hadoop.hive.serde2.RegexSerDe' WITH SERDEPROPERTIES ( \"input.regex\" = \"^(?!#)([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+([^ ]+)\\\\s+[^\\\\(]+[\\\\(]([^\\\\;]+).*\\\\%20([^\\\\/]+)[\\\\/](.*)$\" ) LOCATION 's3://athena-examples-us-east-1/cloudfront/plaintext/';" CREATE_TABLE_RESULT=$(aws athena start-query-execution \ --query-string "$CREATE_TABLE_QUERY" \ --result-configuration "OutputLocation=s3://$S3_BUCKET/output/" 2>&1) if echo "$CREATE_TABLE_RESULT" | grep -i "error"; then handle_error "Failed to create table: $CREATE_TABLE_RESULT" fi QUERY_ID=$(echo "$CREATE_TABLE_RESULT" | grep -o '"QueryExecutionId": "[^"]*' | cut -d'"' -f4) echo "Table creation query ID: $QUERY_ID" # Wait for table creation to complete echo "Waiting for table creation to complete..." while true; do QUERY_STATUS=$(aws athena get-query-execution --query-execution-id "$QUERY_ID" --query "QueryExecution.Status.State" --output text 2>&1) if [ "$QUERY_STATUS" = "SUCCEEDED" ]; then echo "Table creation completed successfully." break elif [ "$QUERY_STATUS" = "FAILED" ] || [ "$QUERY_STATUS" = "CANCELLED" ]; then handle_error "Table creation failed with status: $QUERY_STATUS" fi echo "Table creation in progress, status: $QUERY_STATUS" sleep 2 done # Verify the table was created echo "Verifying table creation..." LIST_TABLE_RESULT=$(aws athena list-table-metadata \ --catalog-name AwsDataCatalog \ --database-name "$DATABASE_NAME" 2>&1) if echo "$LIST_TABLE_RESULT" | grep -i "error"; then handle_error "Failed to list tables: $LIST_TABLE_RESULT" fi echo "$LIST_TABLE_RESULT" # Step 3: Query data echo "Step 3: Running a query on the table..." QUERY="SELECT os, COUNT(*) count FROM $DATABASE_NAME.$TABLE_NAME WHERE date BETWEEN date '2014-07-05' AND date '2014-08-05' GROUP BY os" QUERY_RESULT=$(aws athena start-query-execution \ --query-string "$QUERY" \ --result-configuration "OutputLocation=s3://$S3_BUCKET/output/" 2>&1) if echo "$QUERY_RESULT" | grep -i "error"; then handle_error "Failed to run query: $QUERY_RESULT" fi QUERY_ID=$(echo "$QUERY_RESULT" | grep -o '"QueryExecutionId": "[^"]*' | cut -d'"' -f4) echo "Query execution ID: $QUERY_ID" # Wait for query to complete echo "Waiting for query to complete..." while true; do QUERY_STATUS=$(aws athena get-query-execution --query-execution-id "$QUERY_ID" --query "QueryExecution.Status.State" --output text 2>&1) if [ "$QUERY_STATUS" = "SUCCEEDED" ]; then echo "Query completed successfully." break elif [ "$QUERY_STATUS" = "FAILED" ] || [ "$QUERY_STATUS" = "CANCELLED" ]; then handle_error "Query failed with status: $QUERY_STATUS" fi echo "Query in progress, status: $QUERY_STATUS" sleep 2 done # Get query results echo "Getting query results..." RESULTS=$(aws athena get-query-results --query-execution-id "$QUERY_ID" 2>&1) if echo "$RESULTS" | grep -i "error"; then handle_error "Failed to get query results: $RESULTS" fi echo "$RESULTS" # Download results from S3 echo "Downloading query results from S3..." S3_PATH=$(aws athena get-query-execution --query-execution-id "$QUERY_ID" --query "QueryExecution.ResultConfiguration.OutputLocation" --output text 2>&1) if echo "$S3_PATH" | grep -i "error"; then handle_error "Failed to get S3 path for results: $S3_PATH" fi DOWNLOAD_RESULT=$(aws s3 cp "$S3_PATH" "./query-results.csv" 2>&1) if echo "$DOWNLOAD_RESULT" | grep -i "error"; then handle_error "Failed to download query results: $DOWNLOAD_RESULT" fi echo "Query results downloaded to query-results.csv" # Step 4: Create a named query echo "Step 4: Creating a named query..." NAMED_QUERY_RESULT=$(aws athena create-named-query \ --name "OS Count Query" \ --description "Count of operating systems in CloudFront logs" \ --database "$DATABASE_NAME" \ --query-string "$QUERY" 2>&1) if echo "$NAMED_QUERY_RESULT" | grep -i "error"; then handle_error "Failed to create named query: $NAMED_QUERY_RESULT" fi NAMED_QUERY_ID=$(echo "$NAMED_QUERY_RESULT" | grep -o '"NamedQueryId": "[^"]*' | cut -d'"' -f4) echo "Named query created with ID: $NAMED_QUERY_ID" # List named queries echo "Listing named queries..." LIST_QUERIES_RESULT=$(aws athena list-named-queries 2>&1) if echo "$LIST_QUERIES_RESULT" | grep -i "error"; then handle_error "Failed to list named queries: $LIST_QUERIES_RESULT" fi echo "$LIST_QUERIES_RESULT" # Get the named query details echo "Getting named query details..." GET_QUERY_RESULT=$(aws athena get-named-query --named-query-id "$NAMED_QUERY_ID" 2>&1) if echo "$GET_QUERY_RESULT" | grep -i "error"; then handle_error "Failed to get named query: $GET_QUERY_RESULT" fi echo "$GET_QUERY_RESULT" # Execute the named query echo "Executing the named query..." QUERY_STRING=$(aws athena get-named-query --named-query-id "$NAMED_QUERY_ID" --query "NamedQuery.QueryString" --output text 2>&1) if echo "$QUERY_STRING" | grep -i "error"; then handle_error "Failed to get query string: $QUERY_STRING" fi EXEC_RESULT=$(aws athena start-query-execution \ --query-string "$QUERY_STRING" \ --result-configuration "OutputLocation=s3://$S3_BUCKET/output/" 2>&1) if echo "$EXEC_RESULT" | grep -i "error"; then handle_error "Failed to execute named query: $EXEC_RESULT" fi QUERY_ID=$(echo "$EXEC_RESULT" | grep -o '"QueryExecutionId": "[^"]*' | cut -d'"' -f4) echo "Named query execution ID: $QUERY_ID" # Wait for named query to complete echo "Waiting for named query execution to complete..." while true; do QUERY_STATUS=$(aws athena get-query-execution --query-execution-id "$QUERY_ID" --query "QueryExecution.Status.State" --output text 2>&1) if [ "$QUERY_STATUS" = "SUCCEEDED" ]; then echo "Named query execution completed successfully." break elif [ "$QUERY_STATUS" = "FAILED" ] || [ "$QUERY_STATUS" = "CANCELLED" ]; then handle_error "Named query execution failed with status: $QUERY_STATUS" fi echo "Named query execution in progress, status: $QUERY_STATUS" sleep 2 done # Summary of resources created echo "" echo "===========================================" echo "RESOURCES CREATED" echo "===========================================" echo "- S3 Bucket: $S3_BUCKET" echo "- Database: $DATABASE_NAME" echo "- Table: $TABLE_NAME" echo "- Named Query: $NAMED_QUERY_ID" echo "- Query results saved to: query-results.csv" echo "===========================================" # Prompt for cleanup echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Starting cleanup..." # Delete named query echo "Deleting named query: $NAMED_QUERY_ID" DELETE_QUERY_RESULT=$(aws athena delete-named-query --named-query-id "$NAMED_QUERY_ID" 2>&1) if echo "$DELETE_QUERY_RESULT" | grep -i "error"; then echo "Warning: Failed to delete named query: $DELETE_QUERY_RESULT" else echo "Named query deleted successfully." fi # Drop table echo "Dropping table: $TABLE_NAME" DROP_TABLE_RESULT=$(aws athena start-query-execution \ --query-string "DROP TABLE IF EXISTS $DATABASE_NAME.$TABLE_NAME" \ --result-configuration "OutputLocation=s3://$S3_BUCKET/output/" 2>&1) if echo "$DROP_TABLE_RESULT" | grep -i "error"; then echo "Warning: Failed to drop table: $DROP_TABLE_RESULT" else QUERY_ID=$(echo "$DROP_TABLE_RESULT" | grep -o '"QueryExecutionId": "[^"]*' | cut -d'"' -f4) echo "Waiting for table deletion to complete..." while true; do QUERY_STATUS=$(aws athena get-query-execution --query-execution-id "$QUERY_ID" --query "QueryExecution.Status.State" --output text 2>&1) if [ "$QUERY_STATUS" = "SUCCEEDED" ]; then echo "Table dropped successfully." break elif [ "$QUERY_STATUS" = "FAILED" ] || [ "$QUERY_STATUS" = "CANCELLED" ]; then echo "Warning: Table deletion failed with status: $QUERY_STATUS" break fi echo "Table deletion in progress, status: $QUERY_STATUS" sleep 2 done fi # Drop database echo "Dropping database: $DATABASE_NAME" DROP_DB_RESULT=$(aws athena start-query-execution \ --query-string "DROP DATABASE IF EXISTS $DATABASE_NAME" \ --result-configuration "OutputLocation=s3://$S3_BUCKET/output/" 2>&1) if echo "$DROP_DB_RESULT" | grep -i "error"; then echo "Warning: Failed to drop database: $DROP_DB_RESULT" else QUERY_ID=$(echo "$DROP_DB_RESULT" | grep -o '"QueryExecutionId": "[^"]*' | cut -d'"' -f4) echo "Waiting for database deletion to complete..." while true; do QUERY_STATUS=$(aws athena get-query-execution --query-execution-id "$QUERY_ID" --query "QueryExecution.Status.State" --output text 2>&1) if [ "$QUERY_STATUS" = "SUCCEEDED" ]; then echo "Database dropped successfully." break elif [ "$QUERY_STATUS" = "FAILED" ] || [ "$QUERY_STATUS" = "CANCELLED" ]; then echo "Warning: Database deletion failed with status: $QUERY_STATUS" break fi echo "Database deletion in progress, status: $QUERY_STATUS" sleep 2 done fi # Empty and delete S3 bucket echo "Emptying S3 bucket: $S3_BUCKET" EMPTY_BUCKET_RESULT=$(aws s3 rm "s3://$S3_BUCKET" --recursive 2>&1) if echo "$EMPTY_BUCKET_RESULT" | grep -i "error"; then echo "Warning: Failed to empty S3 bucket: $EMPTY_BUCKET_RESULT" else echo "S3 bucket emptied successfully." fi echo "Deleting S3 bucket: $S3_BUCKET" DELETE_BUCKET_RESULT=$(aws s3 rb "s3://$S3_BUCKET" 2>&1) if echo "$DELETE_BUCKET_RESULT" | grep -i "error"; then echo "Warning: Failed to delete S3 bucket: $DELETE_BUCKET_RESULT" else echo "S3 bucket deleted successfully." fi echo "Cleanup completed." else echo "Cleanup skipped. Resources will remain in your AWS account." fi echo "Tutorial completed successfully!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [Cp](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Cp) + [CreateNamedQuery](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/CreateNamedQuery) + [DeleteNamedQuery](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/DeleteNamedQuery) + [GetNamedQuery](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/GetNamedQuery) + [GetQueryExecution](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/GetQueryExecution) + [GetQueryResults](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/GetQueryResults) + [ListDatabases](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/ListDatabases) + [ListNamedQueries](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/ListNamedQueries) + [ListTableMetadata](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/ListTableMetadata) + [Mb](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Mb) + [Rb](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rb) + [Rm](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rm) + [StartQueryExecution](https://docs.aws.amazon.com/goto/aws-cli/athena-2017-05-18/StartQueryExecution) ### Getting started with Amazon EMR The following code example shows how to: + Create an EC2 key pair + Set up storage and prepare your application + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/037-emr-gs) repository. ``` #!/bin/bash # EMR Getting Started Tutorial Script # This script automates the steps in the Amazon EMR Getting Started tutorial # Set up logging LOG_FILE="emr-tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon EMR Getting Started Tutorial Script" echo "Logging to $LOG_FILE" # Function to handle errors handle_error() { echo "ERROR: $1" echo "Resources created so far:" if [ -n "$BUCKET_NAME" ]; then echo "- S3 Bucket: $BUCKET_NAME"; fi if [ -n "$CLUSTER_ID" ]; then echo "- EMR Cluster: $CLUSTER_ID"; fi echo "Attempting to clean up resources..." cleanup exit 1 } # Function to clean up resources cleanup() { echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "${CLEANUP_CHOICE,,}" == "y" ]]; then echo "Starting cleanup process..." # Terminate EMR cluster if it exists if [ -n "$CLUSTER_ID" ]; then echo "Terminating EMR cluster: $CLUSTER_ID" aws emr terminate-clusters --cluster-ids "$CLUSTER_ID" echo "Waiting for cluster to terminate..." aws emr wait cluster-terminated --cluster-id "$CLUSTER_ID" echo "Cluster terminated successfully." fi # Delete S3 bucket and contents if it exists if [ -n "$BUCKET_NAME" ]; then echo "Deleting S3 bucket contents: $BUCKET_NAME" aws s3 rm "s3://$BUCKET_NAME" --recursive echo "Deleting S3 bucket: $BUCKET_NAME" aws s3 rb "s3://$BUCKET_NAME" fi echo "Cleanup completed." else echo "Cleanup skipped. Resources will remain in your AWS account." echo "To avoid ongoing charges, remember to manually delete these resources." fi } # Generate a random identifier for S3 bucket RANDOM_ID=$(openssl rand -hex 6) BUCKET_NAME="emr${RANDOM_ID}" echo "Using bucket name: $BUCKET_NAME" # Create S3 bucket echo "Creating S3 bucket: $BUCKET_NAME" aws s3 mb "s3://$BUCKET_NAME" || handle_error "Failed to create S3 bucket" echo "S3 bucket created successfully." # Create PySpark script echo "Creating PySpark script: health_violations.py" cat > health_violations.py << 'EOL' import argparse from pyspark.sql import SparkSession def calculate_red_violations(data_source, output_uri): """ Processes sample food establishment inspection data and queries the data to find the top 10 establishments with the most Red violations from 2006 to 2020. :param data_source: The URI of your food establishment data CSV, such as 's3://emr-tutorial-bucket/food-establishment-data.csv'. :param output_uri: The URI where output is written, such as 's3://emr-tutorial-bucket/restaurant_violation_results'. """ with SparkSession.builder.appName("Calculate Red Health Violations").getOrCreate() as spark: # Load the restaurant violation CSV data if data_source is not None: restaurants_df = spark.read.option("header", "true").csv(data_source) # Create an in-memory DataFrame to query restaurants_df.createOrReplaceTempView("restaurant_violations") # Create a DataFrame of the top 10 restaurants with the most Red violations top_red_violation_restaurants = spark.sql("""SELECT name, count(*) AS total_red_violations FROM restaurant_violations WHERE violation_type = 'RED' GROUP BY name ORDER BY total_red_violations DESC LIMIT 10""") # Write the results to the specified output URI top_red_violation_restaurants.write.option("header", "true").mode("overwrite").csv(output_uri) if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument( '--data_source', help="The URI for you CSV restaurant data, like an S3 bucket location.") parser.add_argument( '--output_uri', help="The URI where output is saved, like an S3 bucket location.") args = parser.parse_args() calculate_red_violations(args.data_source, args.output_uri) EOL # Upload PySpark script to S3 echo "Uploading PySpark script to S3" aws s3 cp health_violations.py "s3://$BUCKET_NAME/" || handle_error "Failed to upload PySpark script" echo "PySpark script uploaded successfully." # Download and prepare sample data echo "Downloading sample data" curl -o food_establishment_data.zip https://docs.aws.amazon.com/emr/latest/ManagementGuide/samples/food_establishment_data.zip || handle_error "Failed to download sample data" unzip -o food_establishment_data.zip || handle_error "Failed to unzip sample data" echo "Sample data downloaded and extracted successfully." # Upload sample data to S3 echo "Uploading sample data to S3" aws s3 cp food_establishment_data.csv "s3://$BUCKET_NAME/" || handle_error "Failed to upload sample data" echo "Sample data uploaded successfully." # Create IAM default roles for EMR echo "Creating IAM default roles for EMR" aws emr create-default-roles || handle_error "Failed to create default roles" echo "IAM default roles created successfully." # Check if EC2 key pair exists echo "Checking for EC2 key pair" KEY_PAIRS=$(aws ec2 describe-key-pairs --query "KeyPairs[*].KeyName" --output text) if [ -z "$KEY_PAIRS" ]; then echo "No EC2 key pairs found. Creating a new key pair..." KEY_NAME="emr-tutorial-key-$RANDOM_ID" aws ec2 create-key-pair --key-name "$KEY_NAME" --query "KeyMaterial" --output text > "${KEY_NAME}.pem" chmod 400 "${KEY_NAME}.pem" echo "Created new key pair: $KEY_NAME" else # Use the first available key pair KEY_NAME=$(echo "$KEY_PAIRS" | awk '{print $1}') echo "Using existing key pair: $KEY_NAME" fi # Launch EMR cluster echo "Launching EMR cluster with Spark" CLUSTER_RESPONSE=$(aws emr create-cluster \ --name "EMR Tutorial Cluster" \ --release-label emr-6.10.0 \ --applications Name=Spark \ --ec2-attributes KeyName="$KEY_NAME" \ --instance-type m5.xlarge \ --instance-count 3 \ --use-default-roles \ --log-uri "s3://$BUCKET_NAME/logs/") # Check for errors in the response if echo "$CLUSTER_RESPONSE" | grep -i "error" > /dev/null; then handle_error "Failed to create EMR cluster: $CLUSTER_RESPONSE" fi # Extract cluster ID CLUSTER_ID=$(echo "$CLUSTER_RESPONSE" | grep -o '"ClusterId": "[^"]*' | cut -d'"' -f4) if [ -z "$CLUSTER_ID" ]; then handle_error "Failed to extract cluster ID from response" fi echo "EMR cluster created with ID: $CLUSTER_ID" # Wait for cluster to be ready echo "Waiting for cluster to be ready (this may take several minutes)..." aws emr wait cluster-running --cluster-id "$CLUSTER_ID" || handle_error "Cluster failed to reach running state" # Check if cluster is in WAITING state CLUSTER_STATE=$(aws emr describe-cluster --cluster-id "$CLUSTER_ID" --query "Cluster.Status.State" --output text) if [ "$CLUSTER_STATE" != "WAITING" ]; then echo "Waiting for cluster to reach WAITING state..." while [ "$CLUSTER_STATE" != "WAITING" ]; do sleep 30 CLUSTER_STATE=$(aws emr describe-cluster --cluster-id "$CLUSTER_ID" --query "Cluster.Status.State" --output text) echo "Current cluster state: $CLUSTER_STATE" # Check for error states if [[ "$CLUSTER_STATE" == "TERMINATED_WITH_ERRORS" || "$CLUSTER_STATE" == "TERMINATED" ]]; then handle_error "Cluster entered error state: $CLUSTER_STATE" fi done fi echo "Cluster is now in WAITING state and ready to accept work." # Submit Spark application as a step echo "Submitting Spark application as a step" STEP_RESPONSE=$(aws emr add-steps \ --cluster-id "$CLUSTER_ID" \ --steps Type=Spark,Name="Health Violations Analysis",ActionOnFailure=CONTINUE,Args=["s3://$BUCKET_NAME/health_violations.py","--data_source","s3://$BUCKET_NAME/food_establishment_data.csv","--output_uri","s3://$BUCKET_NAME/results/"]) # Check for errors in the response if echo "$STEP_RESPONSE" | grep -i "error" > /dev/null; then handle_error "Failed to submit step: $STEP_RESPONSE" fi # FIXED: Check if jq is available before using it # Extract step ID using the appropriate method based on available tools if command -v jq &> /dev/null; then # Use jq if available echo "Using jq to parse JSON response" STEP_ID=$(echo "$STEP_RESPONSE" | jq -r '.StepIds[0]') else # Fallback to grep/awk if jq is not available echo "jq not found, using grep for parsing" STEP_ID=$(echo "$STEP_RESPONSE" | grep -o '"StepIds":\s*\[\s*"[^"]*"' | grep -o 's-[A-Z0-9]*') if [ -z "$STEP_ID" ]; then # Another fallback method STEP_ID=$(echo "$STEP_RESPONSE" | grep -o '"StepIds":\s*\[\s*"[^"]*' | grep -o 's-[A-Z0-9]*') if [ -z "$STEP_ID" ]; then # One more attempt with a different pattern STEP_ID=$(echo "$STEP_RESPONSE" | grep -o 's-[A-Z0-9]*') if [ -z "$STEP_ID" ]; then echo "Full step response: $STEP_RESPONSE" handle_error "Failed to extract step ID from response" fi fi fi fi if [ -z "$STEP_ID" ] || [ "$STEP_ID" == "null" ]; then echo "Full step response: $STEP_RESPONSE" handle_error "Failed to extract valid step ID from response" fi echo "Step submitted with ID: $STEP_ID" # Wait for step to complete echo "Waiting for step to complete (this may take several minutes)..." aws emr wait step-complete --cluster-id "$CLUSTER_ID" --step-id "$STEP_ID" || handle_error "Step failed to complete" # Check step status STEP_STATE=$(aws emr describe-step --cluster-id "$CLUSTER_ID" --step-id "$STEP_ID" --query "Step.Status.State" --output text) if [ "$STEP_STATE" != "COMPLETED" ]; then handle_error "Step did not complete successfully. Final state: $STEP_STATE" fi echo "Step completed successfully." # View results echo "Listing output files in S3" aws s3 ls "s3://$BUCKET_NAME/results/" || handle_error "Failed to list output files" # Download results echo "Downloading results file" RESULT_FILE=$(aws s3 ls "s3://$BUCKET_NAME/results/" | grep -o "part-[0-9]*.csv" | head -1) if [ -z "$RESULT_FILE" ]; then echo "No result file found with pattern 'part-[0-9]*.csv'. Trying to find any CSV file..." RESULT_FILE=$(aws s3 ls "s3://$BUCKET_NAME/results/" | grep -o "part-.*\.csv" | head -1) if [ -z "$RESULT_FILE" ]; then echo "Listing all files in results directory:" aws s3 ls "s3://$BUCKET_NAME/results/" handle_error "No result file found in the output directory" fi fi aws s3 cp "s3://$BUCKET_NAME/results/$RESULT_FILE" ./results.csv || handle_error "Failed to download results file" echo "Results downloaded to results.csv" echo "Top 10 establishments with the most red violations:" cat results.csv # Display SSH connection information echo "" echo "To connect to the cluster via SSH, use the following command:" echo "aws emr ssh --cluster-id $CLUSTER_ID --key-pair-file ${KEY_NAME}.pem" # Display summary of created resources echo "" echo "===========================================" echo "RESOURCES CREATED" echo "===========================================" echo "- S3 Bucket: $BUCKET_NAME" echo "- EMR Cluster: $CLUSTER_ID" echo "- Results file: results.csv" if [ -f "${KEY_NAME}.pem" ]; then echo "- EC2 Key Pair: $KEY_NAME (saved to ${KEY_NAME}.pem)" fi # Offer to clean up resources cleanup echo "Script completed successfully." ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AddSteps](https://docs.aws.amazon.com/goto/aws-cli/elasticmapreduce-2009-03-31/AddSteps) + [Cp](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Cp) + [CreateCluster](https://docs.aws.amazon.com/goto/aws-cli/elasticmapreduce-2009-03-31/CreateCluster) + [CreateDefaultRoles](https://docs.aws.amazon.com/goto/aws-cli/elasticmapreduce-2009-03-31/CreateDefaultRoles) + [CreateKeyPair](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateKeyPair) + [DescribeCluster](https://docs.aws.amazon.com/goto/aws-cli/elasticmapreduce-2009-03-31/DescribeCluster) + [DescribeKeyPairs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeKeyPairs) + [DescribeStep](https://docs.aws.amazon.com/goto/aws-cli/elasticmapreduce-2009-03-31/DescribeStep) + [Ls](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Ls) + [Mb](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Mb) + [Rb](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rb) + [Rm](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rm) + [Ssh](https://docs.aws.amazon.com/goto/aws-cli/elasticmapreduce-2009-03-31/Ssh) + [TerminateClusters](https://docs.aws.amazon.com/goto/aws-cli/elasticmapreduce-2009-03-31/TerminateClusters) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/elasticmapreduce-2009-03-31/Wait) ### Getting started with Amazon S3 The following code example shows how to: + Create your first S3 bucket + Upload an object + Enable versioning + Configure default encryption + Add tags to your bucket + List objects and versions + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/003-s3-gettingstarted) repository. ``` #!/bin/bash # S3 Getting Started - Create a bucket, upload and download objects, copy to a # folder prefix, enable versioning, configure encryption and public access # blocking, tag the bucket, list objects and versions, and clean up. set -eE # ============================================================================ # Prerequisites check # ============================================================================ CONFIGURED_REGION=$(aws configure get region 2>/dev/null || true) if [ -z "$CONFIGURED_REGION" ] && [ -z "$AWS_DEFAULT_REGION" ] && [ -z "$AWS_REGION" ]; then echo "ERROR: No AWS region configured. Run 'aws configure' or set AWS_DEFAULT_REGION." exit 1 fi # ============================================================================ # Setup: logging, temp directory, resource tracking # ============================================================================ UNIQUE_ID=$(cat /dev/urandom | tr -dc 'a-f0-9' | fold -w 12 | head -n 1) BUCKET_NAME="s3api-${UNIQUE_ID}" TEMP_DIR=$(mktemp -d) LOG_FILE="${TEMP_DIR}/s3-gettingstarted.log" CREATED_RESOURCES=() exec > >(tee -a "$LOG_FILE") 2>&1 echo "============================================" echo "S3 Getting Started" echo "============================================" echo "Bucket name: ${BUCKET_NAME}" echo "Temp directory: ${TEMP_DIR}" echo "Log file: ${LOG_FILE}" echo "" # ============================================================================ # Error handling and cleanup functions # ============================================================================ cleanup() { echo "" echo "============================================" echo "CLEANUP" echo "============================================" # Delete all object versions and delete markers echo "Listing all object versions in bucket..." VERSIONS_OUTPUT=$(aws s3api list-object-versions \ --bucket "$BUCKET_NAME" \ --query "Versions[].{Key:Key,VersionId:VersionId}" \ --output text 2>&1) || true if [ -n "$VERSIONS_OUTPUT" ] && [ "$VERSIONS_OUTPUT" != "None" ]; then while IFS=$'\t' read -r KEY VERSION_ID; do if [ -n "$KEY" ] && [ "$KEY" != "None" ]; then echo "Deleting version: ${KEY} (${VERSION_ID})" aws s3api delete-object \ --bucket "$BUCKET_NAME" \ --key "$KEY" \ --version-id "$VERSION_ID" 2>&1 || echo "WARNING: Failed to delete version ${KEY} (${VERSION_ID})" fi done <<< "$VERSIONS_OUTPUT" fi DELETE_MARKERS_OUTPUT=$(aws s3api list-object-versions \ --bucket "$BUCKET_NAME" \ --query "DeleteMarkers[].{Key:Key,VersionId:VersionId}" \ --output text 2>&1) || true if [ -n "$DELETE_MARKERS_OUTPUT" ] && [ "$DELETE_MARKERS_OUTPUT" != "None" ]; then while IFS=$'\t' read -r KEY VERSION_ID; do if [ -n "$KEY" ] && [ "$KEY" != "None" ]; then echo "Deleting delete marker: ${KEY} (${VERSION_ID})" aws s3api delete-object \ --bucket "$BUCKET_NAME" \ --key "$KEY" \ --version-id "$VERSION_ID" 2>&1 || echo "WARNING: Failed to delete marker ${KEY} (${VERSION_ID})" fi done <<< "$DELETE_MARKERS_OUTPUT" fi echo "Deleting bucket: ${BUCKET_NAME}" aws s3api delete-bucket --bucket "$BUCKET_NAME" 2>&1 || echo "WARNING: Failed to delete bucket ${BUCKET_NAME}" echo "" echo "Cleaning up temp directory: ${TEMP_DIR}" rm -rf "$TEMP_DIR" echo "" echo "Cleanup complete." } handle_error() { echo "" echo "============================================" echo "ERROR on $1" echo "============================================" echo "" echo "Resources created before error:" for RESOURCE in "${CREATED_RESOURCES[@]}"; do echo " - ${RESOURCE}" done echo "" echo "Attempting cleanup..." cleanup exit 1 } trap 'handle_error "line $LINENO"' ERR # ============================================================================ # Step 1: Create a bucket # ============================================================================ echo "Step 1: Creating bucket ${BUCKET_NAME}..." # CreateBucket requires LocationConstraint for all regions except us-east-1 REGION="${AWS_REGION:-${AWS_DEFAULT_REGION:-${CONFIGURED_REGION}}}" if [ "$REGION" = "us-east-1" ]; then CREATE_OUTPUT=$(aws s3api create-bucket \ --bucket "$BUCKET_NAME" 2>&1) else CREATE_OUTPUT=$(aws s3api create-bucket \ --bucket "$BUCKET_NAME" \ --create-bucket-configuration LocationConstraint="$REGION" 2>&1) fi echo "$CREATE_OUTPUT" CREATED_RESOURCES+=("s3:bucket:${BUCKET_NAME}") echo "Bucket created." echo "" # ============================================================================ # Step 2: Upload a sample text file # ============================================================================ echo "Step 2: Uploading a sample text file..." SAMPLE_FILE="${TEMP_DIR}/sample.txt" echo "Hello, Amazon S3! This is a sample file for the getting started tutorial." > "$SAMPLE_FILE" UPLOAD_OUTPUT=$(aws s3api put-object \ --bucket "$BUCKET_NAME" \ --key "sample.txt" \ --body "$SAMPLE_FILE" 2>&1) echo "$UPLOAD_OUTPUT" echo "File uploaded." echo "" # ============================================================================ # Step 3: Download the object # ============================================================================ echo "Step 3: Downloading the object..." DOWNLOAD_FILE="${TEMP_DIR}/downloaded-sample.txt" aws s3api get-object \ --bucket "$BUCKET_NAME" \ --key "sample.txt" \ "$DOWNLOAD_FILE" 2>&1 echo "Downloaded to: ${DOWNLOAD_FILE}" echo "Contents:" cat "$DOWNLOAD_FILE" echo "" # ============================================================================ # Step 4: Copy the object to a folder prefix # ============================================================================ echo "Step 4: Copying object to a folder prefix..." COPY_OUTPUT=$(aws s3api copy-object \ --bucket "$BUCKET_NAME" \ --copy-source "${BUCKET_NAME}/sample.txt" \ --key "backup/sample.txt" 2>&1) echo "$COPY_OUTPUT" echo "Object copied to backup/sample.txt." echo "" # ============================================================================ # Step 5: Enable versioning and upload a second version # ============================================================================ echo "Step 5: Enabling versioning..." VERSIONING_OUTPUT=$(aws s3api put-bucket-versioning \ --bucket "$BUCKET_NAME" \ --versioning-configuration Status=Enabled 2>&1) echo "$VERSIONING_OUTPUT" echo "Versioning enabled." echo "Uploading a second version of sample.txt..." echo "Hello, Amazon S3! This is version 2 of the sample file." > "$SAMPLE_FILE" UPLOAD_V2_OUTPUT=$(aws s3api put-object \ --bucket "$BUCKET_NAME" \ --key "sample.txt" \ --body "$SAMPLE_FILE" 2>&1) echo "$UPLOAD_V2_OUTPUT" echo "Second version uploaded." echo "" # ============================================================================ # Step 6: Configure SSE-S3 encryption # ============================================================================ echo "Step 6: Configuring SSE-S3 default encryption..." ENCRYPTION_OUTPUT=$(aws s3api put-bucket-encryption \ --bucket "$BUCKET_NAME" \ --server-side-encryption-configuration '{ "Rules": [ { "ApplyServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256" }, "BucketKeyEnabled": true } ] }' 2>&1) echo "$ENCRYPTION_OUTPUT" echo "SSE-S3 encryption configured." echo "" # ============================================================================ # Step 7: Block all public access # ============================================================================ echo "Step 7: Blocking all public access..." PUBLIC_ACCESS_OUTPUT=$(aws s3api put-public-access-block \ --bucket "$BUCKET_NAME" \ --public-access-block-configuration '{ "BlockPublicAcls": true, "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true }' 2>&1) echo "$PUBLIC_ACCESS_OUTPUT" echo "Public access blocked." echo "" # ============================================================================ # Step 8: Tag the bucket # ============================================================================ echo "Step 8: Tagging the bucket..." TAG_OUTPUT=$(aws s3api put-bucket-tagging \ --bucket "$BUCKET_NAME" \ --tagging '{ "TagSet": [ { "Key": "Environment", "Value": "Tutorial" }, { "Key": "Project", "Value": "S3-GettingStarted" } ] }' 2>&1) echo "$TAG_OUTPUT" echo "Bucket tagged." echo "Verifying tags..." GET_TAGS_OUTPUT=$(aws s3api get-bucket-tagging \ --bucket "$BUCKET_NAME" 2>&1) echo "$GET_TAGS_OUTPUT" echo "" # ============================================================================ # Step 9: List objects and versions # ============================================================================ echo "Step 9: Listing objects..." LIST_OUTPUT=$(aws s3api list-objects-v2 \ --bucket "$BUCKET_NAME" 2>&1) echo "$LIST_OUTPUT" echo "" echo "Listing object versions..." VERSIONS_LIST=$(aws s3api list-object-versions \ --bucket "$BUCKET_NAME" 2>&1) echo "$VERSIONS_LIST" echo "" # ============================================================================ # Step 10: Cleanup # ============================================================================ echo "" echo "============================================" echo "TUTORIAL COMPLETE" echo "============================================" echo "" echo "Resources created:" for RESOURCE in "${CREATED_RESOURCES[@]}"; do echo " - ${RESOURCE}" done echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup else echo "" echo "Resources were NOT deleted. To clean up manually, run:" echo "" echo " # Delete all object versions" echo " aws s3api list-object-versions --bucket ${BUCKET_NAME} --query 'Versions[].{Key:Key,VersionId:VersionId}' --output text | while IFS=\$'\\t' read -r KEY VID; do aws s3api delete-object --bucket ${BUCKET_NAME} --key \"\$KEY\" --version-id \"\$VID\"; done" echo "" echo " # Delete all delete markers" echo " aws s3api list-object-versions --bucket ${BUCKET_NAME} --query 'DeleteMarkers[].{Key:Key,VersionId:VersionId}' --output text | while IFS=\$'\\t' read -r KEY VID; do aws s3api delete-object --bucket ${BUCKET_NAME} --key \"\$KEY\" --version-id \"\$VID\"; done" echo "" echo " # Delete the bucket" echo " aws s3api delete-bucket --bucket ${BUCKET_NAME}" echo "" echo " # Remove temp directory" echo " rm -rf ${TEMP_DIR}" fi echo "" echo "Done." ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CopyObject](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/CopyObject) + [CreateBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/CreateBucket) + [DeleteBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/DeleteBucket) + [DeleteObjects](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/DeleteObjects) + [GetObject](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/GetObject) + [HeadObject](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/HeadObject) + [ListObjectVersions](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/ListObjectVersions) + [ListObjectsV2](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/ListObjectsV2) + [PutBucketEncryption](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/PutBucketEncryption) + [PutBucketTagging](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/PutBucketTagging) + [PutBucketVersioning](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/PutBucketVersioning) + [PutObject](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/PutObject) + [PutPublicAccessBlock](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/PutPublicAccessBlock) ### Getting started with Amazon SageMaker Feature Store The following code example shows how to: + Set up IAM permissions + Create a SageMaker execution role + Create feature groups + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/028-sagemaker-featurestore) repository. ``` #!/bin/bash # Amazon SageMaker Feature Store Tutorial Script - Version 3 # This script demonstrates how to use Amazon SageMaker Feature Store with AWS CLI # Setup logging LOG_FILE="sagemaker-featurestore-tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting SageMaker Feature Store tutorial script at $(date)" echo "All commands and outputs will be logged to $LOG_FILE" echo "" # Track created resources for cleanup CREATED_RESOURCES=() # Function to handle errors handle_error() { echo "ERROR: $1" echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Function to check command status check_status() { if echo "$1" | grep -i "error" > /dev/null; then handle_error "$1" fi } # Function to wait for feature group to be created wait_for_feature_group() { local feature_group_name=$1 local status="Creating" echo "Waiting for feature group ${feature_group_name} to be created..." while [ "$status" = "Creating" ]; do sleep 5 status=$(aws sagemaker describe-feature-group \ --feature-group-name "${feature_group_name}" \ --query 'FeatureGroupStatus' \ --output text) echo "Current status: ${status}" if [ "$status" = "Failed" ]; then handle_error "Feature group ${feature_group_name} creation failed" fi done echo "Feature group ${feature_group_name} is now ${status}" } # Function to clean up resources cleanup_resources() { echo "Cleaning up resources..." # Clean up in reverse order for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do resource="${CREATED_RESOURCES[$i]}" resource_type=$(echo "$resource" | cut -d: -f1) resource_name=$(echo "$resource" | cut -d: -f2) echo "Deleting $resource_type: $resource_name" case "$resource_type" in "FeatureGroup") aws sagemaker delete-feature-group --feature-group-name "$resource_name" ;; "S3Bucket") echo "Emptying S3 bucket: $resource_name" aws s3 rm "s3://$resource_name" --recursive 2>/dev/null echo "Deleting S3 bucket: $resource_name" aws s3api delete-bucket --bucket "$resource_name" 2>/dev/null ;; "IAMRole") echo "Detaching policies from role: $resource_name" aws iam detach-role-policy --role-name "$resource_name" --policy-arn "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess" 2>/dev/null aws iam detach-role-policy --role-name "$resource_name" --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess" 2>/dev/null echo "Deleting IAM role: $resource_name" aws iam delete-role --role-name "$resource_name" 2>/dev/null ;; *) echo "Unknown resource type: $resource_type" ;; esac done } # Function to create SageMaker execution role create_sagemaker_role() { local role_name="SageMakerFeatureStoreRole-$(openssl rand -hex 4)" echo "Creating SageMaker execution role: $role_name" >&2 # Create trust policy document local trust_policy='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "sagemaker.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' # Create the role local role_result=$(aws iam create-role \ --role-name "$role_name" \ --assume-role-policy-document "$trust_policy" \ --description "SageMaker execution role for Feature Store tutorial" 2>&1) if echo "$role_result" | grep -i "error" > /dev/null; then handle_error "Failed to create IAM role: $role_result" fi echo "Role created successfully" >&2 CREATED_RESOURCES+=("IAMRole:$role_name") # Attach necessary policies echo "Attaching policies to role..." >&2 # SageMaker execution policy local policy1_result=$(aws iam attach-role-policy \ --role-name "$role_name" \ --policy-arn "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess" 2>&1) if echo "$policy1_result" | grep -i "error" > /dev/null; then handle_error "Failed to attach SageMaker policy: $policy1_result" fi # S3 access policy local policy2_result=$(aws iam attach-role-policy \ --role-name "$role_name" \ --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess" 2>&1) if echo "$policy2_result" | grep -i "error" > /dev/null; then handle_error "Failed to attach S3 policy: $policy2_result" fi # Get account ID for role ARN local account_id=$(aws sts get-caller-identity --query Account --output text) local role_arn="arn:aws:iam::${account_id}:role/${role_name}" echo "Role ARN: $role_arn" >&2 echo "Waiting 10 seconds for role to propagate..." >&2 sleep 10 # Return only the role ARN to stdout echo "$role_arn" } # Handle SageMaker execution role ROLE_ARN="" if [ -z "$1" ]; then echo "Creating SageMaker execution role automatically..." ROLE_ARN=$(create_sagemaker_role) if [ -z "$ROLE_ARN" ]; then handle_error "Failed to create SageMaker execution role" fi else ROLE_ARN="$1" # Validate the role ARN ROLE_NAME=$(echo "$ROLE_ARN" | sed 's/.*role\///') ROLE_CHECK=$(aws iam get-role --role-name "$ROLE_NAME" 2>&1) if echo "$ROLE_CHECK" | grep -i "error" > /dev/null; then echo "Creating a new role automatically..." ROLE_ARN=$(create_sagemaker_role) if [ -z "$ROLE_ARN" ]; then handle_error "Failed to create SageMaker execution role" fi fi fi # Handle cleanup option AUTO_CLEANUP="" if [ -n "$2" ]; then AUTO_CLEANUP="$2" fi # Generate a random identifier for resource names RANDOM_ID=$(openssl rand -hex 4) echo "Using random identifier: $RANDOM_ID" # Set variables ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) check_status "$ACCOUNT_ID" echo "Account ID: $ACCOUNT_ID" # Get current region REGION=$(aws configure get region) if [ -z "$REGION" ]; then REGION="us-east-1" echo "No default region configured, using: $REGION" else echo "Using region: $REGION" fi S3_BUCKET_NAME="sagemaker-featurestore-${RANDOM_ID}-${ACCOUNT_ID}" PREFIX="featurestore-tutorial" CURRENT_TIME=$(date +%s) echo "Creating S3 bucket: $S3_BUCKET_NAME" # Create bucket in current region if [ "$REGION" = "us-east-1" ]; then BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME" \ --region "$REGION" 2>&1) else BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME" \ --region "$REGION" \ --create-bucket-configuration LocationConstraint="$REGION" 2>&1) fi if echo "$BUCKET_RESULT" | grep -i "error" > /dev/null; then echo "Failed to create S3 bucket: $BUCKET_RESULT" exit 1 fi echo "$BUCKET_RESULT" CREATED_RESOURCES+=("S3Bucket:$S3_BUCKET_NAME") # Block public access to the bucket BLOCK_RESULT=$(aws s3api put-public-access-block \ --bucket "$S3_BUCKET_NAME" \ --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" 2>&1) if echo "$BLOCK_RESULT" | grep -i "error" > /dev/null; then echo "Failed to block public access to S3 bucket: $BLOCK_RESULT" cleanup_resources exit 1 fi # Create feature groups echo "Creating feature groups..." # Create customers feature group CUSTOMERS_FEATURE_GROUP_NAME="customers-feature-group-${RANDOM_ID}" echo "Creating customers feature group: $CUSTOMERS_FEATURE_GROUP_NAME" CUSTOMERS_RESPONSE=$(aws sagemaker create-feature-group \ --feature-group-name "$CUSTOMERS_FEATURE_GROUP_NAME" \ --record-identifier-feature-name "customer_id" \ --event-time-feature-name "EventTime" \ --feature-definitions '[ {"FeatureName": "customer_id", "FeatureType": "Integral"}, {"FeatureName": "name", "FeatureType": "String"}, {"FeatureName": "age", "FeatureType": "Integral"}, {"FeatureName": "address", "FeatureType": "String"}, {"FeatureName": "membership_type", "FeatureType": "String"}, {"FeatureName": "EventTime", "FeatureType": "Fractional"} ]' \ --online-store-config '{"EnableOnlineStore": true}' \ --offline-store-config '{ "S3StorageConfig": { "S3Uri": "s3://'${S3_BUCKET_NAME}'/'${PREFIX}'" }, "DisableGlueTableCreation": false }' \ --role-arn "$ROLE_ARN" 2>&1) if echo "$CUSTOMERS_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to create customers feature group: $CUSTOMERS_RESPONSE" cleanup_resources exit 1 fi echo "$CUSTOMERS_RESPONSE" CREATED_RESOURCES+=("FeatureGroup:$CUSTOMERS_FEATURE_GROUP_NAME") # Create orders feature group ORDERS_FEATURE_GROUP_NAME="orders-feature-group-${RANDOM_ID}" echo "Creating orders feature group: $ORDERS_FEATURE_GROUP_NAME" ORDERS_RESPONSE=$(aws sagemaker create-feature-group \ --feature-group-name "$ORDERS_FEATURE_GROUP_NAME" \ --record-identifier-feature-name "customer_id" \ --event-time-feature-name "EventTime" \ --feature-definitions '[ {"FeatureName": "customer_id", "FeatureType": "Integral"}, {"FeatureName": "order_id", "FeatureType": "String"}, {"FeatureName": "order_date", "FeatureType": "String"}, {"FeatureName": "product", "FeatureType": "String"}, {"FeatureName": "quantity", "FeatureType": "Integral"}, {"FeatureName": "amount", "FeatureType": "Fractional"}, {"FeatureName": "EventTime", "FeatureType": "Fractional"} ]' \ --online-store-config '{"EnableOnlineStore": true}' \ --offline-store-config '{ "S3StorageConfig": { "S3Uri": "s3://'${S3_BUCKET_NAME}'/'${PREFIX}'" }, "DisableGlueTableCreation": false }' \ --role-arn "$ROLE_ARN" 2>&1) if echo "$ORDERS_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to create orders feature group: $ORDERS_RESPONSE" cleanup_resources exit 1 fi echo "$ORDERS_RESPONSE" CREATED_RESOURCES+=("FeatureGroup:$ORDERS_FEATURE_GROUP_NAME") # Wait for feature groups to be created wait_for_feature_group "$CUSTOMERS_FEATURE_GROUP_NAME" wait_for_feature_group "$ORDERS_FEATURE_GROUP_NAME" # Ingest data into feature groups echo "Ingesting data into feature groups..." # Ingest customer data echo "Ingesting customer data..." CUSTOMER1_RESPONSE=$(aws sagemaker-featurestore-runtime put-record \ --feature-group-name "$CUSTOMERS_FEATURE_GROUP_NAME" \ --record '[ {"FeatureName": "customer_id", "ValueAsString": "573291"}, {"FeatureName": "name", "ValueAsString": "John Doe"}, {"FeatureName": "age", "ValueAsString": "35"}, {"FeatureName": "address", "ValueAsString": "123 Main St"}, {"FeatureName": "membership_type", "ValueAsString": "premium"}, {"FeatureName": "EventTime", "ValueAsString": "'${CURRENT_TIME}'"} ]' 2>&1) if echo "$CUSTOMER1_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to ingest customer 1 data: $CUSTOMER1_RESPONSE" cleanup_resources exit 1 fi echo "$CUSTOMER1_RESPONSE" CUSTOMER2_RESPONSE=$(aws sagemaker-featurestore-runtime put-record \ --feature-group-name "$CUSTOMERS_FEATURE_GROUP_NAME" \ --record '[ {"FeatureName": "customer_id", "ValueAsString": "109382"}, {"FeatureName": "name", "ValueAsString": "Jane Smith"}, {"FeatureName": "age", "ValueAsString": "28"}, {"FeatureName": "address", "ValueAsString": "456 Oak Ave"}, {"FeatureName": "membership_type", "ValueAsString": "standard"}, {"FeatureName": "EventTime", "ValueAsString": "'${CURRENT_TIME}'"} ]' 2>&1) if echo "$CUSTOMER2_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to ingest customer 2 data: $CUSTOMER2_RESPONSE" cleanup_resources exit 1 fi echo "$CUSTOMER2_RESPONSE" # Ingest order data echo "Ingesting order data..." ORDER1_RESPONSE=$(aws sagemaker-featurestore-runtime put-record \ --feature-group-name "$ORDERS_FEATURE_GROUP_NAME" \ --record '[ {"FeatureName": "customer_id", "ValueAsString": "573291"}, {"FeatureName": "order_id", "ValueAsString": "ORD-001"}, {"FeatureName": "order_date", "ValueAsString": "2023-01-15"}, {"FeatureName": "product", "ValueAsString": "Laptop"}, {"FeatureName": "quantity", "ValueAsString": "1"}, {"FeatureName": "amount", "ValueAsString": "1299.99"}, {"FeatureName": "EventTime", "ValueAsString": "'${CURRENT_TIME}'"} ]' 2>&1) if echo "$ORDER1_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to ingest order 1 data: $ORDER1_RESPONSE" cleanup_resources exit 1 fi echo "$ORDER1_RESPONSE" ORDER2_RESPONSE=$(aws sagemaker-featurestore-runtime put-record \ --feature-group-name "$ORDERS_FEATURE_GROUP_NAME" \ --record '[ {"FeatureName": "customer_id", "ValueAsString": "109382"}, {"FeatureName": "order_id", "ValueAsString": "ORD-002"}, {"FeatureName": "order_date", "ValueAsString": "2023-01-20"}, {"FeatureName": "product", "ValueAsString": "Smartphone"}, {"FeatureName": "quantity", "ValueAsString": "1"}, {"FeatureName": "amount", "ValueAsString": "899.99"}, {"FeatureName": "EventTime", "ValueAsString": "'${CURRENT_TIME}'"} ]' 2>&1) if echo "$ORDER2_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to ingest order 2 data: $ORDER2_RESPONSE" cleanup_resources exit 1 fi echo "$ORDER2_RESPONSE" # Retrieve records from feature groups echo "Retrieving records from feature groups..." # Get a single customer record echo "Getting customer record with ID 573291:" CUSTOMER_RECORD=$(aws sagemaker-featurestore-runtime get-record \ --feature-group-name "$CUSTOMERS_FEATURE_GROUP_NAME" \ --record-identifier-value-as-string "573291" 2>&1) if echo "$CUSTOMER_RECORD" | grep -i "error" > /dev/null; then echo "Failed to get customer record: $CUSTOMER_RECORD" cleanup_resources exit 1 fi echo "$CUSTOMER_RECORD" # Get multiple records using batch-get-record echo "Getting multiple records using batch-get-record:" BATCH_RECORDS=$(aws sagemaker-featurestore-runtime batch-get-record \ --identifiers '[ { "FeatureGroupName": "'${CUSTOMERS_FEATURE_GROUP_NAME}'", "RecordIdentifiersValueAsString": ["573291", "109382"] }, { "FeatureGroupName": "'${ORDERS_FEATURE_GROUP_NAME}'", "RecordIdentifiersValueAsString": ["573291", "109382"] } ]' 2>&1) if echo "$BATCH_RECORDS" | grep -i "error" > /dev/null && ! echo "$BATCH_RECORDS" | grep -i "Records" > /dev/null; then echo "Failed to get batch records: $BATCH_RECORDS" cleanup_resources exit 1 fi echo "$BATCH_RECORDS" # List feature groups echo "Listing feature groups:" FEATURE_GROUPS=$(aws sagemaker list-feature-groups 2>&1) if echo "$FEATURE_GROUPS" | grep -i "error" > /dev/null; then echo "Failed to list feature groups: $FEATURE_GROUPS" cleanup_resources exit 1 fi echo "$FEATURE_GROUPS" # Display summary of created resources echo "" echo "===========================================" echo "TUTORIAL COMPLETED SUCCESSFULLY!" echo "===========================================" echo "Resources created:" echo "- S3 Bucket: $S3_BUCKET_NAME" echo "- Customers Feature Group: $CUSTOMERS_FEATURE_GROUP_NAME" echo "- Orders Feature Group: $ORDERS_FEATURE_GROUP_NAME" if [[ " ${CREATED_RESOURCES[@]} " =~ " IAMRole:" ]]; then echo "- IAM Role: $(echo "${CREATED_RESOURCES[@]}" | grep -o 'IAMRole:[^[:space:]]*' | cut -d: -f2)" fi echo "" echo "You can now:" echo "1. View your feature groups in the SageMaker console" echo "2. Query the offline store using Amazon Athena" echo "3. Use the feature groups in your ML workflows" echo "===========================================" echo "" # Handle cleanup if [ "$AUTO_CLEANUP" = "y" ]; then echo "Auto-cleanup enabled. Starting cleanup..." cleanup_resources echo "Cleanup completed." elif [ "$AUTO_CLEANUP" = "n" ]; then echo "Auto-cleanup disabled. Resources will remain in your account." echo "To clean up later, run this script again with cleanup option 'y'" else echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Starting cleanup..." cleanup_resources echo "Cleanup completed." else echo "Skipping cleanup. Resources will remain in your account." echo "To clean up later, delete the following resources:" echo "- Feature Groups: $CUSTOMERS_FEATURE_GROUP_NAME, $ORDERS_FEATURE_GROUP_NAME" echo "- S3 Bucket: $S3_BUCKET_NAME" if [[ " ${CREATED_RESOURCES[@]} " =~ " IAMRole:" ]]; then echo "- IAM Role: $(echo "${CREATED_RESOURCES[@]}" | grep -o 'IAMRole:[^[:space:]]*' | cut -d: -f2)" fi echo "" echo "Estimated ongoing cost: ~$0.01 per month for online store" fi fi echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/CreateBucket) + [CreateFeatureGroup](https://docs.aws.amazon.com/goto/aws-cli/sagemaker-2017-07-24/CreateFeatureGroup) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/DeleteBucket) + [DeleteFeatureGroup](https://docs.aws.amazon.com/goto/aws-cli/sagemaker-2017-07-24/DeleteFeatureGroup) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DescribeFeatureGroup](https://docs.aws.amazon.com/goto/aws-cli/sagemaker-2017-07-24/DescribeFeatureGroup) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [ListFeatureGroups](https://docs.aws.amazon.com/goto/aws-cli/sagemaker-2017-07-24/ListFeatureGroups) + [PutPublicAccessBlock](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/PutPublicAccessBlock) + [Rm](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rm) ### Getting started with Amazon Textract The following code example shows how to: + Create an S3 bucket + Upload a document to S3 + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/074-amazon-textract-gs) repository. ``` #!/bin/bash # Amazon Textract Getting Started Tutorial Script # This script demonstrates how to use Amazon Textract to analyze document text # Set up logging LOG_FILE="textract-tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "===================================================" echo "Amazon Textract Getting Started Tutorial" echo "===================================================" echo "This script will guide you through using Amazon Textract to analyze document text." echo "" # Function to check for errors in command output and exit code check_error() { local exit_code=$1 local output=$2 local cmd=$3 if [ $exit_code -ne 0 ] || echo "$output" | grep -i "error" > /dev/null; then echo "ERROR: Command failed: $cmd" echo "$output" cleanup_on_error exit 1 fi } # Function to clean up resources on error cleanup_on_error() { echo "Error encountered. Cleaning up resources..." # Clean up temporary JSON files if [ -f "document.json" ]; then rm -f document.json fi if [ -f "features.json" ]; then rm -f features.json fi if [ -n "$DOCUMENT_NAME" ] && [ -n "$BUCKET_NAME" ]; then echo "Deleting document from S3..." aws s3 rm "s3://$BUCKET_NAME/$DOCUMENT_NAME" || echo "Failed to delete document" fi if [ -n "$BUCKET_NAME" ]; then echo "Deleting S3 bucket..." aws s3 rb "s3://$BUCKET_NAME" --force || echo "Failed to delete bucket" fi } # Verify AWS CLI is installed and configured echo "Verifying AWS CLI configuration..." AWS_CONFIG_OUTPUT=$(aws configure list 2>&1) AWS_CONFIG_STATUS=$? if [ $AWS_CONFIG_STATUS -ne 0 ]; then echo "ERROR: AWS CLI is not properly configured." echo "$AWS_CONFIG_OUTPUT" exit 1 fi # Verify AWS region is configured and supports Textract AWS_REGION=$(aws configure get region) if [ -z "$AWS_REGION" ]; then echo "ERROR: No AWS region configured. Please run 'aws configure' to set a default region." exit 1 fi # Check if Textract is available in the configured region echo "Checking if Amazon Textract is available in region $AWS_REGION..." TEXTRACT_CHECK=$(aws textract help 2>&1) TEXTRACT_CHECK_STATUS=$? if [ $TEXTRACT_CHECK_STATUS -ne 0 ]; then echo "ERROR: Amazon Textract may not be available in region $AWS_REGION." echo "$TEXTRACT_CHECK" exit 1 fi # Generate a random identifier for S3 bucket RANDOM_ID=$(openssl rand -hex 6) BUCKET_NAME="textract-${RANDOM_ID}" DOCUMENT_NAME="document.png" RESOURCES_CREATED=() # Step 1: Create S3 bucket echo "Creating S3 bucket: $BUCKET_NAME" CREATE_BUCKET_OUTPUT=$(aws s3 mb "s3://$BUCKET_NAME" 2>&1) CREATE_BUCKET_STATUS=$? echo "$CREATE_BUCKET_OUTPUT" check_error $CREATE_BUCKET_STATUS "$CREATE_BUCKET_OUTPUT" "aws s3 mb s3://$BUCKET_NAME" RESOURCES_CREATED+=("S3 Bucket: $BUCKET_NAME") # Step 2: Check if sample document exists, if not create a simple one if [ ! -f "$DOCUMENT_NAME" ]; then echo "Sample document not found. Please provide a document to analyze." echo "Enter the path to your document (must be an image file like PNG or JPEG):" read -r DOCUMENT_PATH if [ ! -f "$DOCUMENT_PATH" ]; then echo "File not found: $DOCUMENT_PATH" cleanup_on_error exit 1 fi DOCUMENT_NAME=$(basename "$DOCUMENT_PATH") echo "Using document: $DOCUMENT_PATH as $DOCUMENT_NAME" # Copy the document to the current directory cp "$DOCUMENT_PATH" "./$DOCUMENT_NAME" fi # Step 3: Upload document to S3 echo "Uploading document to S3..." UPLOAD_OUTPUT=$(aws s3 cp "./$DOCUMENT_NAME" "s3://$BUCKET_NAME/" 2>&1) UPLOAD_STATUS=$? echo "$UPLOAD_OUTPUT" check_error $UPLOAD_STATUS "$UPLOAD_OUTPUT" "aws s3 cp ./$DOCUMENT_NAME s3://$BUCKET_NAME/" RESOURCES_CREATED+=("S3 Object: s3://$BUCKET_NAME/$DOCUMENT_NAME") # Step 4: Analyze document with Amazon Textract echo "Analyzing document with Amazon Textract..." echo "This may take a few seconds..." # Create a JSON file for the document parameter to avoid shell escaping issues cat > document.json << EOF { "S3Object": { "Bucket": "$BUCKET_NAME", "Name": "$DOCUMENT_NAME" } } EOF # Create a JSON file for the feature types parameter cat > features.json << EOF ["TABLES","FORMS","SIGNATURES"] EOF ANALYZE_OUTPUT=$(aws textract analyze-document --document file://document.json --feature-types file://features.json 2>&1) ANALYZE_STATUS=$? echo "Analysis complete." if [ $ANALYZE_STATUS -ne 0 ]; then echo "ERROR: Document analysis failed" echo "$ANALYZE_OUTPUT" cleanup_on_error exit 1 fi # Save the analysis results to a file echo "$ANALYZE_OUTPUT" > textract-analysis-results.json echo "Analysis results saved to textract-analysis-results.json" RESOURCES_CREATED+=("Local file: textract-analysis-results.json") # Display a summary of the analysis echo "" echo "===================================================" echo "Analysis Summary" echo "===================================================" PAGES=$(echo "$ANALYZE_OUTPUT" | grep -o '"Pages": [0-9]*' | awk '{print $2}') echo "Document pages: $PAGES" BLOCKS_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType":' | wc -l) echo "Total blocks detected: $BLOCKS_COUNT" # Count different block types PAGE_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "PAGE"' | wc -l) LINE_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "LINE"' | wc -l) WORD_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "WORD"' | wc -l) TABLE_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "TABLE"' | wc -l) CELL_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "CELL"' | wc -l) KEY_VALUE_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "KEY_VALUE_SET"' | wc -l) SIGNATURE_COUNT=$(echo "$ANALYZE_OUTPUT" | grep -o '"BlockType": "SIGNATURE"' | wc -l) echo "Pages: $PAGE_COUNT" echo "Lines of text: $LINE_COUNT" echo "Words: $WORD_COUNT" echo "Tables: $TABLE_COUNT" echo "Table cells: $CELL_COUNT" echo "Key-value pairs: $KEY_VALUE_COUNT" echo "Signatures: $SIGNATURE_COUNT" echo "" # Cleanup confirmation echo "" echo "===================================================" echo "RESOURCES CREATED" echo "===================================================" for resource in "${RESOURCES_CREATED[@]}"; do echo "- $resource" done echo "" echo "===================================================" echo "CLEANUP CONFIRMATION" echo "===================================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy] ]]; then echo "Cleaning up resources..." # Delete document from S3 echo "Deleting document from S3..." DELETE_DOC_OUTPUT=$(aws s3 rm "s3://$BUCKET_NAME/$DOCUMENT_NAME" 2>&1) DELETE_DOC_STATUS=$? echo "$DELETE_DOC_OUTPUT" check_error $DELETE_DOC_STATUS "$DELETE_DOC_OUTPUT" "aws s3 rm s3://$BUCKET_NAME/$DOCUMENT_NAME" # Delete S3 bucket echo "Deleting S3 bucket..." DELETE_BUCKET_OUTPUT=$(aws s3 rb "s3://$BUCKET_NAME" --force 2>&1) DELETE_BUCKET_STATUS=$? echo "$DELETE_BUCKET_OUTPUT" check_error $DELETE_BUCKET_STATUS "$DELETE_BUCKET_OUTPUT" "aws s3 rb s3://$BUCKET_NAME --force" # Delete local JSON files rm -f document.json features.json echo "Cleanup complete. The analysis results file (textract-analysis-results.json) has been kept." else echo "Resources have been preserved." fi echo "" echo "===================================================" echo "Tutorial complete!" echo "===================================================" echo "You have successfully analyzed a document using Amazon Textract." echo "The analysis results are available in textract-analysis-results.json" echo "" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AnalyzeDocument](https://docs.aws.amazon.com/goto/aws-cli/textract-2018-06-27/AnalyzeDocument) + [Cp](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Cp) + [Help](https://docs.aws.amazon.com/goto/aws-cli/textract-2018-06-27/Help) + [Mb](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Mb) + [Rb](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rb) + [Rm](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rm) ### Getting started with Config The following code example shows how to: + Create an Amazon S3 bucket + Create an Amazon SNS topic + Create an IAM role for Config + Set up the Config configuration recorder + Set up the Config delivery channel + Start the configuration recorder + Verify the Config setup **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/053-aws-config-gs) repository. ``` #!/bin/bash # AWS Config Setup Script (v2) # This script sets up AWS Config with the AWS CLI # Error handling set -e LOGFILE="aws-config-setup-v2.log" touch $LOGFILE exec > >(tee -a $LOGFILE) exec 2>&1 # Function to handle errors handle_error() { echo "ERROR: An error occurred at line $1" echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Set trap for error handling trap 'handle_error $LINENO' ERR # Function to generate random identifier generate_random_id() { echo $(openssl rand -hex 6) } # Function to check if command was successful check_command() { if echo "$1" | grep -i "error" > /dev/null; then echo "ERROR: $1" return 1 fi return 0 } # Function to clean up resources cleanup_resources() { if [ -n "$CONFIG_RECORDER_NAME" ]; then echo "Stopping configuration recorder..." aws configservice stop-configuration-recorder --configuration-recorder-name "$CONFIG_RECORDER_NAME" 2>/dev/null || true fi # Check if we created a new delivery channel before trying to delete it if [ -n "$DELIVERY_CHANNEL_NAME" ] && [ "$CREATED_NEW_DELIVERY_CHANNEL" = "true" ]; then echo "Deleting delivery channel..." aws configservice delete-delivery-channel --delivery-channel-name "$DELIVERY_CHANNEL_NAME" 2>/dev/null || true fi if [ -n "$CONFIG_RECORDER_NAME" ] && [ "$CREATED_NEW_CONFIG_RECORDER" = "true" ]; then echo "Deleting configuration recorder..." aws configservice delete-configuration-recorder --configuration-recorder-name "$CONFIG_RECORDER_NAME" 2>/dev/null || true fi if [ -n "$ROLE_NAME" ]; then if [ -n "$POLICY_NAME" ]; then echo "Detaching custom policy from role..." aws iam delete-role-policy --role-name "$ROLE_NAME" --policy-name "$POLICY_NAME" 2>/dev/null || true fi if [ -n "$MANAGED_POLICY_ARN" ]; then echo "Detaching managed policy from role..." aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$MANAGED_POLICY_ARN" 2>/dev/null || true fi echo "Deleting IAM role..." aws iam delete-role --role-name "$ROLE_NAME" 2>/dev/null || true fi if [ -n "$SNS_TOPIC_ARN" ]; then echo "Deleting SNS topic..." aws sns delete-topic --topic-arn "$SNS_TOPIC_ARN" 2>/dev/null || true fi if [ -n "$S3_BUCKET_NAME" ]; then echo "Emptying S3 bucket..." aws s3 rm "s3://$S3_BUCKET_NAME" --recursive 2>/dev/null || true echo "Deleting S3 bucket..." aws s3api delete-bucket --bucket "$S3_BUCKET_NAME" 2>/dev/null || true fi } # Function to display created resources display_resources() { echo "" echo "===========================================" echo "CREATED RESOURCES" echo "===========================================" echo "S3 Bucket: $S3_BUCKET_NAME" echo "SNS Topic ARN: $SNS_TOPIC_ARN" echo "IAM Role: $ROLE_NAME" if [ "$CREATED_NEW_CONFIG_RECORDER" = "true" ]; then echo "Configuration Recorder: $CONFIG_RECORDER_NAME (newly created)" else echo "Configuration Recorder: $CONFIG_RECORDER_NAME (existing)" fi if [ "$CREATED_NEW_DELIVERY_CHANNEL" = "true" ]; then echo "Delivery Channel: $DELIVERY_CHANNEL_NAME (newly created)" else echo "Delivery Channel: $DELIVERY_CHANNEL_NAME (existing)" fi echo "===========================================" } # Get AWS account ID echo "Getting AWS account ID..." ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) if [ -z "$ACCOUNT_ID" ]; then echo "ERROR: Failed to get AWS account ID" exit 1 fi echo "AWS Account ID: $ACCOUNT_ID" # Generate random identifier for resources RANDOM_ID=$(generate_random_id) echo "Generated random identifier: $RANDOM_ID" # Step 1: Create an S3 bucket S3_BUCKET_NAME="configservice-${RANDOM_ID}" echo "Creating S3 bucket: $S3_BUCKET_NAME" # Get the current region AWS_REGION=$(aws configure get region) if [ -z "$AWS_REGION" ]; then AWS_REGION="us-east-1" # Default to us-east-1 if no region is configured fi echo "Using AWS Region: $AWS_REGION" # Create bucket with appropriate command based on region if [ "$AWS_REGION" = "us-east-1" ]; then BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME") else BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME" --create-bucket-configuration LocationConstraint="$AWS_REGION") fi check_command "$BUCKET_RESULT" echo "S3 bucket created: $S3_BUCKET_NAME" # Block public access for the bucket aws s3api put-public-access-block \ --bucket "$S3_BUCKET_NAME" \ --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" echo "Public access blocked for bucket" # Step 2: Create an SNS topic TOPIC_NAME="config-topic-${RANDOM_ID}" echo "Creating SNS topic: $TOPIC_NAME" SNS_RESULT=$(aws sns create-topic --name "$TOPIC_NAME") check_command "$SNS_RESULT" SNS_TOPIC_ARN=$(echo "$SNS_RESULT" | grep -o 'arn:aws:sns:[^"]*') echo "SNS topic created: $SNS_TOPIC_ARN" # Step 3: Create an IAM role for AWS Config ROLE_NAME="config-role-${RANDOM_ID}" POLICY_NAME="config-delivery-permissions" MANAGED_POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWS_ConfigRole" echo "Creating trust policy document..." cat > config-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "config.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF echo "Creating IAM role: $ROLE_NAME" ROLE_RESULT=$(aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document file://config-trust-policy.json) check_command "$ROLE_RESULT" ROLE_ARN=$(echo "$ROLE_RESULT" | grep -o 'arn:aws:iam::[^"]*' | head -1) echo "IAM role created: $ROLE_ARN" echo "Attaching AWS managed policy to role..." ATTACH_RESULT=$(aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$MANAGED_POLICY_ARN") check_command "$ATTACH_RESULT" echo "AWS managed policy attached" echo "Creating custom policy document for S3 and SNS access..." cat > config-delivery-permissions.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": "arn:aws:s3:::${S3_BUCKET_NAME}/AWSLogs/${ACCOUNT_ID}/*", "Condition": { "StringLike": { "s3:x-amz-acl": "bucket-owner-full-control" } } }, { "Effect": "Allow", "Action": [ "s3:GetBucketAcl" ], "Resource": "arn:aws:s3:::${S3_BUCKET_NAME}" }, { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": "${SNS_TOPIC_ARN}" } ] } EOF echo "Attaching custom policy to role..." POLICY_RESULT=$(aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name "$POLICY_NAME" --policy-document file://config-delivery-permissions.json) check_command "$POLICY_RESULT" echo "Custom policy attached" # Wait for IAM role to propagate echo "Waiting for IAM role to propagate (15 seconds)..." sleep 15 # Step 4: Check if configuration recorder already exists CONFIG_RECORDER_NAME="default" CREATED_NEW_CONFIG_RECORDER="false" echo "Checking for existing configuration recorder..." EXISTING_RECORDERS=$(aws configservice describe-configuration-recorders 2>/dev/null || echo "") if echo "$EXISTING_RECORDERS" | grep -q "name"; then echo "Configuration recorder already exists. Will update it." # Get the name of the existing recorder CONFIG_RECORDER_NAME=$(echo "$EXISTING_RECORDERS" | grep -o '"name": "[^"]*"' | head -1 | cut -d'"' -f4) echo "Using existing configuration recorder: $CONFIG_RECORDER_NAME" else echo "No existing configuration recorder found. Will create a new one." CREATED_NEW_CONFIG_RECORDER="true" fi echo "Creating configuration recorder configuration..." cat > configurationRecorder.json << EOF { "name": "${CONFIG_RECORDER_NAME}", "roleARN": "${ROLE_ARN}", "recordingMode": { "recordingFrequency": "CONTINUOUS" } } EOF echo "Creating recording group configuration..." cat > recordingGroup.json << EOF { "allSupported": true, "includeGlobalResourceTypes": true } EOF echo "Setting up configuration recorder..." RECORDER_RESULT=$(aws configservice put-configuration-recorder --configuration-recorder file://configurationRecorder.json --recording-group file://recordingGroup.json) check_command "$RECORDER_RESULT" echo "Configuration recorder set up" # Step 5: Check if delivery channel already exists DELIVERY_CHANNEL_NAME="default" CREATED_NEW_DELIVERY_CHANNEL="false" echo "Checking for existing delivery channel..." EXISTING_CHANNELS=$(aws configservice describe-delivery-channels 2>/dev/null || echo "") if echo "$EXISTING_CHANNELS" | grep -q "name"; then echo "Delivery channel already exists." # Get the name of the existing channel DELIVERY_CHANNEL_NAME=$(echo "$EXISTING_CHANNELS" | grep -o '"name": "[^"]*"' | head -1 | cut -d'"' -f4) echo "Using existing delivery channel: $DELIVERY_CHANNEL_NAME" # Update the existing delivery channel echo "Creating delivery channel configuration for update..." cat > deliveryChannel.json << EOF { "name": "${DELIVERY_CHANNEL_NAME}", "s3BucketName": "${S3_BUCKET_NAME}", "snsTopicARN": "${SNS_TOPIC_ARN}", "configSnapshotDeliveryProperties": { "deliveryFrequency": "Six_Hours" } } EOF echo "Updating delivery channel..." CHANNEL_RESULT=$(aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json) check_command "$CHANNEL_RESULT" echo "Delivery channel updated" else echo "No existing delivery channel found. Will create a new one." CREATED_NEW_DELIVERY_CHANNEL="true" echo "Creating delivery channel configuration..." cat > deliveryChannel.json << EOF { "name": "${DELIVERY_CHANNEL_NAME}", "s3BucketName": "${S3_BUCKET_NAME}", "snsTopicARN": "${SNS_TOPIC_ARN}", "configSnapshotDeliveryProperties": { "deliveryFrequency": "Six_Hours" } } EOF echo "Creating delivery channel..." CHANNEL_RESULT=$(aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json) check_command "$CHANNEL_RESULT" echo "Delivery channel created" fi # Step 6: Start the configuration recorder echo "Checking configuration recorder status..." RECORDER_STATUS=$(aws configservice describe-configuration-recorder-status 2>/dev/null || echo "") if echo "$RECORDER_STATUS" | grep -q '"recording": true'; then echo "Configuration recorder is already running." else echo "Starting configuration recorder..." START_RESULT=$(aws configservice start-configuration-recorder --configuration-recorder-name "$CONFIG_RECORDER_NAME") check_command "$START_RESULT" echo "Configuration recorder started" fi # Step 7: Verify the AWS Config setup echo "Verifying delivery channel..." VERIFY_CHANNEL=$(aws configservice describe-delivery-channels) check_command "$VERIFY_CHANNEL" echo "$VERIFY_CHANNEL" echo "Verifying configuration recorder..." VERIFY_RECORDER=$(aws configservice describe-configuration-recorders) check_command "$VERIFY_RECORDER" echo "$VERIFY_RECORDER" echo "Verifying configuration recorder status..." VERIFY_STATUS=$(aws configservice describe-configuration-recorder-status) check_command "$VERIFY_STATUS" echo "$VERIFY_STATUS" # Display created resources display_resources # Ask if user wants to clean up resources echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Cleaning up resources..." cleanup_resources echo "Cleanup completed." else echo "Resources will not be cleaned up. You can manually clean them up later." fi echo "Script completed successfully!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/CreateBucket) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/CreateTopic) + [DeleteBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/DeleteBucket) + [DeleteConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DeleteConfigurationRecorder) + [DeleteDeliveryChannel](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DeleteDeliveryChannel) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy) + [DeleteTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/DeleteTopic) + [DescribeConfigurationRecorderStatus](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DescribeConfigurationRecorderStatus) + [DescribeConfigurationRecorders](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DescribeConfigurationRecorders) + [DescribeDeliveryChannels](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DescribeDeliveryChannels) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [PutConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/PutConfigurationRecorder) + [PutDeliveryChannel](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/PutDeliveryChannel) + [PutPublicAccessBlock](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/PutPublicAccessBlock) + [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy) + [Rm](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rm) + [StartConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/StartConfigurationRecorder) + [StopConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/StopConfigurationRecorder) # SageMaker AI examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with SageMaker AI. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting started with Amazon SageMaker Feature Store The following code example shows how to: + Set up IAM permissions + Create a SageMaker execution role + Create feature groups + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/028-sagemaker-featurestore) repository. ``` #!/bin/bash # Amazon SageMaker Feature Store Tutorial Script - Version 3 # This script demonstrates how to use Amazon SageMaker Feature Store with AWS CLI # Setup logging LOG_FILE="sagemaker-featurestore-tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting SageMaker Feature Store tutorial script at $(date)" echo "All commands and outputs will be logged to $LOG_FILE" echo "" # Track created resources for cleanup CREATED_RESOURCES=() # Function to handle errors handle_error() { echo "ERROR: $1" echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Function to check command status check_status() { if echo "$1" | grep -i "error" > /dev/null; then handle_error "$1" fi } # Function to wait for feature group to be created wait_for_feature_group() { local feature_group_name=$1 local status="Creating" echo "Waiting for feature group ${feature_group_name} to be created..." while [ "$status" = "Creating" ]; do sleep 5 status=$(aws sagemaker describe-feature-group \ --feature-group-name "${feature_group_name}" \ --query 'FeatureGroupStatus' \ --output text) echo "Current status: ${status}" if [ "$status" = "Failed" ]; then handle_error "Feature group ${feature_group_name} creation failed" fi done echo "Feature group ${feature_group_name} is now ${status}" } # Function to clean up resources cleanup_resources() { echo "Cleaning up resources..." # Clean up in reverse order for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do resource="${CREATED_RESOURCES[$i]}" resource_type=$(echo "$resource" | cut -d: -f1) resource_name=$(echo "$resource" | cut -d: -f2) echo "Deleting $resource_type: $resource_name" case "$resource_type" in "FeatureGroup") aws sagemaker delete-feature-group --feature-group-name "$resource_name" ;; "S3Bucket") echo "Emptying S3 bucket: $resource_name" aws s3 rm "s3://$resource_name" --recursive 2>/dev/null echo "Deleting S3 bucket: $resource_name" aws s3api delete-bucket --bucket "$resource_name" 2>/dev/null ;; "IAMRole") echo "Detaching policies from role: $resource_name" aws iam detach-role-policy --role-name "$resource_name" --policy-arn "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess" 2>/dev/null aws iam detach-role-policy --role-name "$resource_name" --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess" 2>/dev/null echo "Deleting IAM role: $resource_name" aws iam delete-role --role-name "$resource_name" 2>/dev/null ;; *) echo "Unknown resource type: $resource_type" ;; esac done } # Function to create SageMaker execution role create_sagemaker_role() { local role_name="SageMakerFeatureStoreRole-$(openssl rand -hex 4)" echo "Creating SageMaker execution role: $role_name" >&2 # Create trust policy document local trust_policy='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "sagemaker.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' # Create the role local role_result=$(aws iam create-role \ --role-name "$role_name" \ --assume-role-policy-document "$trust_policy" \ --description "SageMaker execution role for Feature Store tutorial" 2>&1) if echo "$role_result" | grep -i "error" > /dev/null; then handle_error "Failed to create IAM role: $role_result" fi echo "Role created successfully" >&2 CREATED_RESOURCES+=("IAMRole:$role_name") # Attach necessary policies echo "Attaching policies to role..." >&2 # SageMaker execution policy local policy1_result=$(aws iam attach-role-policy \ --role-name "$role_name" \ --policy-arn "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess" 2>&1) if echo "$policy1_result" | grep -i "error" > /dev/null; then handle_error "Failed to attach SageMaker policy: $policy1_result" fi # S3 access policy local policy2_result=$(aws iam attach-role-policy \ --role-name "$role_name" \ --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess" 2>&1) if echo "$policy2_result" | grep -i "error" > /dev/null; then handle_error "Failed to attach S3 policy: $policy2_result" fi # Get account ID for role ARN local account_id=$(aws sts get-caller-identity --query Account --output text) local role_arn="arn:aws:iam::${account_id}:role/${role_name}" echo "Role ARN: $role_arn" >&2 echo "Waiting 10 seconds for role to propagate..." >&2 sleep 10 # Return only the role ARN to stdout echo "$role_arn" } # Handle SageMaker execution role ROLE_ARN="" if [ -z "$1" ]; then echo "Creating SageMaker execution role automatically..." ROLE_ARN=$(create_sagemaker_role) if [ -z "$ROLE_ARN" ]; then handle_error "Failed to create SageMaker execution role" fi else ROLE_ARN="$1" # Validate the role ARN ROLE_NAME=$(echo "$ROLE_ARN" | sed 's/.*role\///') ROLE_CHECK=$(aws iam get-role --role-name "$ROLE_NAME" 2>&1) if echo "$ROLE_CHECK" | grep -i "error" > /dev/null; then echo "Creating a new role automatically..." ROLE_ARN=$(create_sagemaker_role) if [ -z "$ROLE_ARN" ]; then handle_error "Failed to create SageMaker execution role" fi fi fi # Handle cleanup option AUTO_CLEANUP="" if [ -n "$2" ]; then AUTO_CLEANUP="$2" fi # Generate a random identifier for resource names RANDOM_ID=$(openssl rand -hex 4) echo "Using random identifier: $RANDOM_ID" # Set variables ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) check_status "$ACCOUNT_ID" echo "Account ID: $ACCOUNT_ID" # Get current region REGION=$(aws configure get region) if [ -z "$REGION" ]; then REGION="us-east-1" echo "No default region configured, using: $REGION" else echo "Using region: $REGION" fi S3_BUCKET_NAME="sagemaker-featurestore-${RANDOM_ID}-${ACCOUNT_ID}" PREFIX="featurestore-tutorial" CURRENT_TIME=$(date +%s) echo "Creating S3 bucket: $S3_BUCKET_NAME" # Create bucket in current region if [ "$REGION" = "us-east-1" ]; then BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME" \ --region "$REGION" 2>&1) else BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME" \ --region "$REGION" \ --create-bucket-configuration LocationConstraint="$REGION" 2>&1) fi if echo "$BUCKET_RESULT" | grep -i "error" > /dev/null; then echo "Failed to create S3 bucket: $BUCKET_RESULT" exit 1 fi echo "$BUCKET_RESULT" CREATED_RESOURCES+=("S3Bucket:$S3_BUCKET_NAME") # Block public access to the bucket BLOCK_RESULT=$(aws s3api put-public-access-block \ --bucket "$S3_BUCKET_NAME" \ --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" 2>&1) if echo "$BLOCK_RESULT" | grep -i "error" > /dev/null; then echo "Failed to block public access to S3 bucket: $BLOCK_RESULT" cleanup_resources exit 1 fi # Create feature groups echo "Creating feature groups..." # Create customers feature group CUSTOMERS_FEATURE_GROUP_NAME="customers-feature-group-${RANDOM_ID}" echo "Creating customers feature group: $CUSTOMERS_FEATURE_GROUP_NAME" CUSTOMERS_RESPONSE=$(aws sagemaker create-feature-group \ --feature-group-name "$CUSTOMERS_FEATURE_GROUP_NAME" \ --record-identifier-feature-name "customer_id" \ --event-time-feature-name "EventTime" \ --feature-definitions '[ {"FeatureName": "customer_id", "FeatureType": "Integral"}, {"FeatureName": "name", "FeatureType": "String"}, {"FeatureName": "age", "FeatureType": "Integral"}, {"FeatureName": "address", "FeatureType": "String"}, {"FeatureName": "membership_type", "FeatureType": "String"}, {"FeatureName": "EventTime", "FeatureType": "Fractional"} ]' \ --online-store-config '{"EnableOnlineStore": true}' \ --offline-store-config '{ "S3StorageConfig": { "S3Uri": "s3://'${S3_BUCKET_NAME}'/'${PREFIX}'" }, "DisableGlueTableCreation": false }' \ --role-arn "$ROLE_ARN" 2>&1) if echo "$CUSTOMERS_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to create customers feature group: $CUSTOMERS_RESPONSE" cleanup_resources exit 1 fi echo "$CUSTOMERS_RESPONSE" CREATED_RESOURCES+=("FeatureGroup:$CUSTOMERS_FEATURE_GROUP_NAME") # Create orders feature group ORDERS_FEATURE_GROUP_NAME="orders-feature-group-${RANDOM_ID}" echo "Creating orders feature group: $ORDERS_FEATURE_GROUP_NAME" ORDERS_RESPONSE=$(aws sagemaker create-feature-group \ --feature-group-name "$ORDERS_FEATURE_GROUP_NAME" \ --record-identifier-feature-name "customer_id" \ --event-time-feature-name "EventTime" \ --feature-definitions '[ {"FeatureName": "customer_id", "FeatureType": "Integral"}, {"FeatureName": "order_id", "FeatureType": "String"}, {"FeatureName": "order_date", "FeatureType": "String"}, {"FeatureName": "product", "FeatureType": "String"}, {"FeatureName": "quantity", "FeatureType": "Integral"}, {"FeatureName": "amount", "FeatureType": "Fractional"}, {"FeatureName": "EventTime", "FeatureType": "Fractional"} ]' \ --online-store-config '{"EnableOnlineStore": true}' \ --offline-store-config '{ "S3StorageConfig": { "S3Uri": "s3://'${S3_BUCKET_NAME}'/'${PREFIX}'" }, "DisableGlueTableCreation": false }' \ --role-arn "$ROLE_ARN" 2>&1) if echo "$ORDERS_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to create orders feature group: $ORDERS_RESPONSE" cleanup_resources exit 1 fi echo "$ORDERS_RESPONSE" CREATED_RESOURCES+=("FeatureGroup:$ORDERS_FEATURE_GROUP_NAME") # Wait for feature groups to be created wait_for_feature_group "$CUSTOMERS_FEATURE_GROUP_NAME" wait_for_feature_group "$ORDERS_FEATURE_GROUP_NAME" # Ingest data into feature groups echo "Ingesting data into feature groups..." # Ingest customer data echo "Ingesting customer data..." CUSTOMER1_RESPONSE=$(aws sagemaker-featurestore-runtime put-record \ --feature-group-name "$CUSTOMERS_FEATURE_GROUP_NAME" \ --record '[ {"FeatureName": "customer_id", "ValueAsString": "573291"}, {"FeatureName": "name", "ValueAsString": "John Doe"}, {"FeatureName": "age", "ValueAsString": "35"}, {"FeatureName": "address", "ValueAsString": "123 Main St"}, {"FeatureName": "membership_type", "ValueAsString": "premium"}, {"FeatureName": "EventTime", "ValueAsString": "'${CURRENT_TIME}'"} ]' 2>&1) if echo "$CUSTOMER1_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to ingest customer 1 data: $CUSTOMER1_RESPONSE" cleanup_resources exit 1 fi echo "$CUSTOMER1_RESPONSE" CUSTOMER2_RESPONSE=$(aws sagemaker-featurestore-runtime put-record \ --feature-group-name "$CUSTOMERS_FEATURE_GROUP_NAME" \ --record '[ {"FeatureName": "customer_id", "ValueAsString": "109382"}, {"FeatureName": "name", "ValueAsString": "Jane Smith"}, {"FeatureName": "age", "ValueAsString": "28"}, {"FeatureName": "address", "ValueAsString": "456 Oak Ave"}, {"FeatureName": "membership_type", "ValueAsString": "standard"}, {"FeatureName": "EventTime", "ValueAsString": "'${CURRENT_TIME}'"} ]' 2>&1) if echo "$CUSTOMER2_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to ingest customer 2 data: $CUSTOMER2_RESPONSE" cleanup_resources exit 1 fi echo "$CUSTOMER2_RESPONSE" # Ingest order data echo "Ingesting order data..." ORDER1_RESPONSE=$(aws sagemaker-featurestore-runtime put-record \ --feature-group-name "$ORDERS_FEATURE_GROUP_NAME" \ --record '[ {"FeatureName": "customer_id", "ValueAsString": "573291"}, {"FeatureName": "order_id", "ValueAsString": "ORD-001"}, {"FeatureName": "order_date", "ValueAsString": "2023-01-15"}, {"FeatureName": "product", "ValueAsString": "Laptop"}, {"FeatureName": "quantity", "ValueAsString": "1"}, {"FeatureName": "amount", "ValueAsString": "1299.99"}, {"FeatureName": "EventTime", "ValueAsString": "'${CURRENT_TIME}'"} ]' 2>&1) if echo "$ORDER1_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to ingest order 1 data: $ORDER1_RESPONSE" cleanup_resources exit 1 fi echo "$ORDER1_RESPONSE" ORDER2_RESPONSE=$(aws sagemaker-featurestore-runtime put-record \ --feature-group-name "$ORDERS_FEATURE_GROUP_NAME" \ --record '[ {"FeatureName": "customer_id", "ValueAsString": "109382"}, {"FeatureName": "order_id", "ValueAsString": "ORD-002"}, {"FeatureName": "order_date", "ValueAsString": "2023-01-20"}, {"FeatureName": "product", "ValueAsString": "Smartphone"}, {"FeatureName": "quantity", "ValueAsString": "1"}, {"FeatureName": "amount", "ValueAsString": "899.99"}, {"FeatureName": "EventTime", "ValueAsString": "'${CURRENT_TIME}'"} ]' 2>&1) if echo "$ORDER2_RESPONSE" | grep -i "error" > /dev/null; then echo "Failed to ingest order 2 data: $ORDER2_RESPONSE" cleanup_resources exit 1 fi echo "$ORDER2_RESPONSE" # Retrieve records from feature groups echo "Retrieving records from feature groups..." # Get a single customer record echo "Getting customer record with ID 573291:" CUSTOMER_RECORD=$(aws sagemaker-featurestore-runtime get-record \ --feature-group-name "$CUSTOMERS_FEATURE_GROUP_NAME" \ --record-identifier-value-as-string "573291" 2>&1) if echo "$CUSTOMER_RECORD" | grep -i "error" > /dev/null; then echo "Failed to get customer record: $CUSTOMER_RECORD" cleanup_resources exit 1 fi echo "$CUSTOMER_RECORD" # Get multiple records using batch-get-record echo "Getting multiple records using batch-get-record:" BATCH_RECORDS=$(aws sagemaker-featurestore-runtime batch-get-record \ --identifiers '[ { "FeatureGroupName": "'${CUSTOMERS_FEATURE_GROUP_NAME}'", "RecordIdentifiersValueAsString": ["573291", "109382"] }, { "FeatureGroupName": "'${ORDERS_FEATURE_GROUP_NAME}'", "RecordIdentifiersValueAsString": ["573291", "109382"] } ]' 2>&1) if echo "$BATCH_RECORDS" | grep -i "error" > /dev/null && ! echo "$BATCH_RECORDS" | grep -i "Records" > /dev/null; then echo "Failed to get batch records: $BATCH_RECORDS" cleanup_resources exit 1 fi echo "$BATCH_RECORDS" # List feature groups echo "Listing feature groups:" FEATURE_GROUPS=$(aws sagemaker list-feature-groups 2>&1) if echo "$FEATURE_GROUPS" | grep -i "error" > /dev/null; then echo "Failed to list feature groups: $FEATURE_GROUPS" cleanup_resources exit 1 fi echo "$FEATURE_GROUPS" # Display summary of created resources echo "" echo "===========================================" echo "TUTORIAL COMPLETED SUCCESSFULLY!" echo "===========================================" echo "Resources created:" echo "- S3 Bucket: $S3_BUCKET_NAME" echo "- Customers Feature Group: $CUSTOMERS_FEATURE_GROUP_NAME" echo "- Orders Feature Group: $ORDERS_FEATURE_GROUP_NAME" if [[ " ${CREATED_RESOURCES[@]} " =~ " IAMRole:" ]]; then echo "- IAM Role: $(echo "${CREATED_RESOURCES[@]}" | grep -o 'IAMRole:[^[:space:]]*' | cut -d: -f2)" fi echo "" echo "You can now:" echo "1. View your feature groups in the SageMaker console" echo "2. Query the offline store using Amazon Athena" echo "3. Use the feature groups in your ML workflows" echo "===========================================" echo "" # Handle cleanup if [ "$AUTO_CLEANUP" = "y" ]; then echo "Auto-cleanup enabled. Starting cleanup..." cleanup_resources echo "Cleanup completed." elif [ "$AUTO_CLEANUP" = "n" ]; then echo "Auto-cleanup disabled. Resources will remain in your account." echo "To clean up later, run this script again with cleanup option 'y'" else echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Starting cleanup..." cleanup_resources echo "Cleanup completed." else echo "Skipping cleanup. Resources will remain in your account." echo "To clean up later, delete the following resources:" echo "- Feature Groups: $CUSTOMERS_FEATURE_GROUP_NAME, $ORDERS_FEATURE_GROUP_NAME" echo "- S3 Bucket: $S3_BUCKET_NAME" if [[ " ${CREATED_RESOURCES[@]} " =~ " IAMRole:" ]]; then echo "- IAM Role: $(echo "${CREATED_RESOURCES[@]}" | grep -o 'IAMRole:[^[:space:]]*' | cut -d: -f2)" fi echo "" echo "Estimated ongoing cost: ~$0.01 per month for online store" fi fi echo "Script completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/CreateBucket) + [CreateFeatureGroup](https://docs.aws.amazon.com/goto/aws-cli/sagemaker-2017-07-24/CreateFeatureGroup) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/DeleteBucket) + [DeleteFeatureGroup](https://docs.aws.amazon.com/goto/aws-cli/sagemaker-2017-07-24/DeleteFeatureGroup) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DescribeFeatureGroup](https://docs.aws.amazon.com/goto/aws-cli/sagemaker-2017-07-24/DescribeFeatureGroup) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [ListFeatureGroups](https://docs.aws.amazon.com/goto/aws-cli/sagemaker-2017-07-24/ListFeatureGroups) + [PutPublicAccessBlock](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/PutPublicAccessBlock) + [Rm](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rm) # Secrets Manager examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Secrets Manager. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Creating an Amazon RDS DB instance The following code example shows how to: + Set up networking components + Create a DB subnet group + Create a DB instance + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/036-rds-gs) repository. ``` #!/bin/bash # Script to create an Amazon RDS DB instance # This script follows the tutorial at https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateDBInstance.html # Set up logging LOG_FILE="rds_creation_$(date +%Y%m%d_%H%M%S).log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting RDS DB instance creation script - $(date)" echo "All actions will be logged to $LOG_FILE" echo "==============================================" # Function to check for errors in command output check_error() { local output=$1 local cmd=$2 if echo "$output" | grep -i "error" > /dev/null; then echo "ERROR: Command failed: $cmd" echo "$output" cleanup_on_error exit 1 fi } # Function to clean up resources on error cleanup_on_error() { echo "Error encountered. Attempting to clean up resources..." if [ -n "$DB_INSTANCE_ID" ]; then echo "Deleting DB instance $DB_INSTANCE_ID..." aws rds delete-db-instance --db-instance-identifier "$DB_INSTANCE_ID" --skip-final-snapshot echo "Waiting for DB instance to be deleted..." aws rds wait db-instance-deleted --db-instance-identifier "$DB_INSTANCE_ID" fi if [ -n "$DB_SUBNET_GROUP_NAME" ] && [ "$CREATED_SUBNET_GROUP" = "true" ]; then echo "Deleting DB subnet group $DB_SUBNET_GROUP_NAME..." aws rds delete-db-subnet-group --db-subnet-group-name "$DB_SUBNET_GROUP_NAME" fi if [ -n "$SECURITY_GROUP_ID" ] && [ "$CREATED_SECURITY_GROUP" = "true" ]; then echo "Deleting security group $SECURITY_GROUP_ID..." aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID" fi echo "Cleanup completed." } # Generate a random identifier for resources RANDOM_ID=$(openssl rand -hex 4) DB_INSTANCE_ID="mydb-${RANDOM_ID}" DB_SUBNET_GROUP_NAME="mydbsubnet-${RANDOM_ID}" SECURITY_GROUP_NAME="mydbsg-${RANDOM_ID}" # Track created resources CREATED_SECURITY_GROUP="false" CREATED_SUBNET_GROUP="false" # Array to store created resources for display declare -a CREATED_RESOURCES echo "Step 1: Checking for default VPC..." VPC_OUTPUT=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true") check_error "$VPC_OUTPUT" "aws ec2 describe-vpcs" # Extract VPC ID VPC_ID=$(echo "$VPC_OUTPUT" | grep -o '"VpcId": "[^"]*' | cut -d'"' -f4) if [ -z "$VPC_ID" ]; then echo "No default VPC found. Please create a VPC before running this script." exit 1 fi echo "Using VPC: $VPC_ID" echo "Step 2: Getting subnets from the VPC..." SUBNET_OUTPUT=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID") check_error "$SUBNET_OUTPUT" "aws ec2 describe-subnets" # Extract subnet IDs (we need at least 2 in different AZs) SUBNET_IDS=($(echo "$SUBNET_OUTPUT" | grep -o '"SubnetId": "[^"]*' | cut -d'"' -f4)) if [ ${#SUBNET_IDS[@]} -lt 2 ]; then echo "Error: Need at least 2 subnets in different AZs. Found ${#SUBNET_IDS[@]} subnets." exit 1 fi echo "Found ${#SUBNET_IDS[@]} subnets: ${SUBNET_IDS[*]}" echo "Step 3: Creating security group for RDS..." SG_OUTPUT=$(aws ec2 create-security-group \ --group-name "$SECURITY_GROUP_NAME" \ --description "Security group for RDS database access" \ --vpc-id "$VPC_ID") check_error "$SG_OUTPUT" "aws ec2 create-security-group" SECURITY_GROUP_ID=$(echo "$SG_OUTPUT" | grep -o '"GroupId": "[^"]*' | cut -d'"' -f4) CREATED_SECURITY_GROUP="true" CREATED_RESOURCES+=("Security Group: $SECURITY_GROUP_ID ($SECURITY_GROUP_NAME)") echo "Created security group: $SECURITY_GROUP_ID" echo "Step 4: Adding inbound rule to security group..." # Note: In a production environment, you should restrict this to specific IP ranges # We're using the local machine's IP address for this example MY_IP=$(curl -s https://checkip.amazonaws.com) check_error "$MY_IP" "curl -s https://checkip.amazonaws.com" INGRESS_OUTPUT=$(aws ec2 authorize-security-group-ingress \ --group-id "$SECURITY_GROUP_ID" \ --protocol tcp \ --port 3306 \ --cidr "${MY_IP}/32") check_error "$INGRESS_OUTPUT" "aws ec2 authorize-security-group-ingress" echo "Added inbound rule to allow MySQL connections from ${MY_IP}/32" echo "Step 5: Creating DB subnet group..." # Select the first two subnets for the DB subnet group SUBNET1=${SUBNET_IDS[0]} SUBNET2=${SUBNET_IDS[1]} SUBNET_GROUP_OUTPUT=$(aws rds create-db-subnet-group \ --db-subnet-group-name "$DB_SUBNET_GROUP_NAME" \ --db-subnet-group-description "Subnet group for RDS tutorial" \ --subnet-ids "$SUBNET1" "$SUBNET2") check_error "$SUBNET_GROUP_OUTPUT" "aws rds create-db-subnet-group" CREATED_SUBNET_GROUP="true" CREATED_RESOURCES+=("DB Subnet Group: $DB_SUBNET_GROUP_NAME") echo "Created DB subnet group: $DB_SUBNET_GROUP_NAME" echo "Step 6: Creating a secure password in AWS Secrets Manager..." SECRET_NAME="rds-db-credentials-${RANDOM_ID}" SECRET_OUTPUT=$(aws secretsmanager create-secret \ --name "$SECRET_NAME" \ --description "RDS DB credentials for $DB_INSTANCE_ID" \ --secret-string '{"username":"adminuser","password":"'"$(openssl rand -base64 16)"'"}') check_error "$SECRET_OUTPUT" "aws secretsmanager create-secret" SECRET_ARN=$(echo "$SECRET_OUTPUT" | grep -o '"ARN": "[^"]*' | cut -d'"' -f4) CREATED_RESOURCES+=("Secret: $SECRET_ARN ($SECRET_NAME)") echo "Created secret: $SECRET_NAME" echo "Step 7: Retrieving the username and password from the secret..." SECRET_VALUE_OUTPUT=$(aws secretsmanager get-secret-value --secret-id "$SECRET_NAME" --query 'SecretString' --output text) check_error "$SECRET_VALUE_OUTPUT" "aws secretsmanager get-secret-value" DB_USERNAME=$(echo "$SECRET_VALUE_OUTPUT" | grep -o '"username":"[^"]*' | cut -d'"' -f4) DB_PASSWORD=$(echo "$SECRET_VALUE_OUTPUT" | grep -o '"password":"[^"]*' | cut -d'"' -f4) echo "Retrieved database credentials" echo "Step 8: Creating RDS DB instance..." echo "This may take several minutes..." DB_OUTPUT=$(aws rds create-db-instance \ --db-instance-identifier "$DB_INSTANCE_ID" \ --db-instance-class db.t3.micro \ --engine mysql \ --master-username "$DB_USERNAME" \ --master-user-password "$DB_PASSWORD" \ --allocated-storage 20 \ --vpc-security-group-ids "$SECURITY_GROUP_ID" \ --db-subnet-group-name "$DB_SUBNET_GROUP_NAME" \ --backup-retention-period 7 \ --no-publicly-accessible \ --no-multi-az) check_error "$DB_OUTPUT" "aws rds create-db-instance" CREATED_RESOURCES+=("DB Instance: $DB_INSTANCE_ID") echo "DB instance creation initiated: $DB_INSTANCE_ID" echo "Waiting for DB instance to become available..." echo "This may take 5-10 minutes..." aws rds wait db-instance-available --db-instance-identifier "$DB_INSTANCE_ID" DB_STATUS=$? if [ $DB_STATUS -ne 0 ]; then echo "Error waiting for DB instance to become available" cleanup_on_error exit 1 fi echo "DB instance is now available!" echo "Step 9: Getting connection information..." ENDPOINT_INFO=$(aws rds describe-db-instances \ --db-instance-identifier "$DB_INSTANCE_ID" \ --query 'DBInstances[0].[Endpoint.Address,Endpoint.Port,MasterUsername]' \ --output text) check_error "$ENDPOINT_INFO" "aws rds describe-db-instances" DB_ENDPOINT=$(echo "$ENDPOINT_INFO" | awk '{print $1}') DB_PORT=$(echo "$ENDPOINT_INFO" | awk '{print $2}') DB_USER=$(echo "$ENDPOINT_INFO" | awk '{print $3}') echo "==============================================" echo "DB Instance successfully created!" echo "==============================================" echo "Connection Information:" echo " Endpoint: $DB_ENDPOINT" echo " Port: $DB_PORT" echo " Username: $DB_USER" echo " Password: [Stored in AWS Secrets Manager - $SECRET_NAME]" echo "" echo "To connect using the mysql client:" echo "mysql -h $DB_ENDPOINT -P $DB_PORT -u $DB_USER -p" echo "==============================================" echo "" echo "Resources created:" for resource in "${CREATED_RESOURCES[@]}"; do echo " - $resource" done echo "" # Ask user if they want to clean up resources echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ $CLEANUP_CHOICE =~ ^[Yy] ]]; then echo "Starting cleanup process..." echo "Step 1: Deleting DB instance $DB_INSTANCE_ID..." aws rds delete-db-instance --db-instance-identifier "$DB_INSTANCE_ID" --skip-final-snapshot echo "Waiting for DB instance to be deleted..." aws rds wait db-instance-deleted --db-instance-identifier "$DB_INSTANCE_ID" echo "Step 2: Deleting secret $SECRET_NAME..." aws secretsmanager delete-secret --secret-id "$SECRET_NAME" --force-delete-without-recovery echo "Step 3: Deleting DB subnet group $DB_SUBNET_GROUP_NAME..." aws rds delete-db-subnet-group --db-subnet-group-name "$DB_SUBNET_GROUP_NAME" echo "Step 4: Deleting security group $SECURITY_GROUP_ID..." aws ec2 delete-security-group --group-id "$SECURITY_GROUP_ID" echo "Cleanup completed successfully!" else echo "Skipping cleanup. Resources will remain in your AWS account." echo "To clean up later, you'll need to delete these resources manually." fi echo "Script completed successfully!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateDbInstance](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/CreateDbInstance) + [CreateDbSubnetGroup](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/CreateDbSubnetGroup) + [CreateSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/CreateSecret) + [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) + [DeleteDbInstance](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/DeleteDbInstance) + [DeleteDbSubnetGroup](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/DeleteDbSubnetGroup) + [DeleteSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/DeleteSecret) + [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) + [DescribeDbInstances](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/DescribeDbInstances) + [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets) + [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs) + [GetSecretValue](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/GetSecretValue) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/rds-2014-10-31/Wait) ### Get started with Redshift Serverless The following code example shows how to: + Use secrets-manager CreateSecret + Use secrets-manager DeleteSecret + Use secrets-manager GetSecretValue + Use redshift CreateNamespace + Use redshift CreateWorkgroup + Use redshift DeleteNamespace + Use iam CreateRole **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/038-redshift-serverless) repository. ``` #!/bin/bash # Amazon Redshift Serverless Tutorial Script with Secrets Manager (No jq dependency) # This script creates a Redshift Serverless environment, loads sample data, and runs queries # Uses AWS Secrets Manager for secure password management without requiring jq # Set up logging LOG_FILE="redshift-serverless-tutorial-v4.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon Redshift Serverless tutorial script at $(date)" echo "All commands and outputs will be logged to $LOG_FILE" # Function to check for errors in command output check_error() { local output=$1 local cmd=$2 if echo "$output" | grep -i "error\|exception\|fail" > /dev/null; then echo "ERROR: Command failed: $cmd" echo "Output: $output" cleanup_resources exit 1 fi } # Function to generate a secure password that meets Redshift requirements generate_secure_password() { # Redshift password requirements: # - 8-64 characters # - At least one uppercase letter # - At least one lowercase letter # - At least one decimal digit # - Can contain printable ASCII characters except /, ", ', \, @, space local password="" local valid=false local attempts=0 local max_attempts=10 while [[ "$valid" == false && $attempts -lt $max_attempts ]]; do # Generate base password with safe characters local base=$(openssl rand -base64 12 | tr -d '/+=' | head -c 12) # Ensure we have at least one of each required character type local upper=$(echo "ABCDEFGHIJKLMNOPQRSTUVWXYZ" | fold -w1 | shuf -n1) local lower=$(echo "abcdefghijklmnopqrstuvwxyz" | fold -w1 | shuf -n1) local digit=$(echo "0123456789" | fold -w1 | shuf -n1) local special=$(echo "!#$%&*()_+-=[]{}|;:,.<>?" | fold -w1 | shuf -n1) # Combine and shuffle password="${base}${upper}${lower}${digit}${special}" password=$(echo "$password" | fold -w1 | shuf | tr -d '\n') # Validate password meets requirements if [[ ${#password} -ge 8 && ${#password} -le 64 ]] && \ [[ "$password" =~ [A-Z] ]] && \ [[ "$password" =~ [a-z] ]] && \ [[ "$password" =~ [0-9] ]] && \ [[ ! "$password" =~ [/\"\'\\@[:space:]] ]]; then valid=true fi ((attempts++)) done if [[ "$valid" == false ]]; then echo "ERROR: Failed to generate valid password after $max_attempts attempts" exit 1 fi echo "$password" } # Function to create secret in AWS Secrets Manager create_secret() { local secret_name=$1 local username=$2 local password=$3 local description=$4 echo "Creating secret in AWS Secrets Manager: $secret_name" # Create the secret using AWS CLI without jq local secret_output=$(aws secretsmanager create-secret \ --name "$secret_name" \ --description "$description" \ --secret-string "{\"username\":\"$username\",\"password\":\"$password\"}" 2>&1) if echo "$secret_output" | grep -i "error\|exception\|fail" > /dev/null; then echo "ERROR: Failed to create secret: $secret_output" return 1 fi echo "Secret created successfully: $secret_name" return 0 } # Function to retrieve password from AWS Secrets Manager get_password_from_secret() { local secret_name=$1 # Get the secret value and extract password using sed/grep instead of jq local secret_value=$(aws secretsmanager get-secret-value \ --secret-id "$secret_name" \ --query 'SecretString' \ --output text 2>/dev/null) if [[ $? -eq 0 ]]; then # Extract password from JSON using sed echo "$secret_value" | sed -n 's/.*"password":"$[^"]*$".*/\1/p' else echo "" fi } # Function to wait for a resource to be available wait_for_resource() { local resource_type=$1 local resource_name=$2 local max_attempts=$3 local wait_seconds=$4 local check_cmd=$5 echo "Waiting for $resource_type $resource_name to be available..." for ((i=1; i<=$max_attempts; i++)); do local output=$($check_cmd 2>/dev/null) local status=$(echo "$output" | grep -o '"Status": "[^"]*' | cut -d'"' -f4 || echo "") if [[ "$status" == "AVAILABLE" ]]; then echo "$resource_type $resource_name is now available" return 0 fi echo "Attempt $i/$max_attempts: $resource_type $resource_name status: $status. Waiting $wait_seconds seconds..." sleep $wait_seconds done echo "ERROR: Timed out waiting for $resource_type $resource_name to be available" return 1 } # Function to wait for a resource to be deleted wait_for_resource_deletion() { local resource_type=$1 local resource_name=$2 local max_attempts=$3 local wait_seconds=$4 local check_cmd=$5 echo "Waiting for $resource_type $resource_name to be deleted..." for ((i=1; i<=$max_attempts; i++)); do local output=$($check_cmd 2>&1) if echo "$output" | grep -i "not found\|does not exist" > /dev/null; then echo "$resource_type $resource_name has been deleted" return 0 fi echo "Attempt $i/$max_attempts: $resource_type $resource_name is still being deleted. Waiting $wait_seconds seconds..." sleep $wait_seconds done echo "ERROR: Timed out waiting for $resource_type $resource_name to be deleted" return 1 } # Function to clean up resources cleanup_resources() { echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "The following resources were created:" echo "- Redshift Serverless Workgroup: $WORKGROUP_NAME" echo "- Redshift Serverless Namespace: $NAMESPACE_NAME" echo "- IAM Role: $ROLE_NAME" echo "- Secrets Manager Secret: $SECRET_NAME" echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "${CLEANUP_CHOICE,,}" == "y" ]]; then echo "Cleaning up resources..." # Delete the workgroup echo "Deleting Redshift Serverless workgroup $WORKGROUP_NAME..." WORKGROUP_DELETE_OUTPUT=$(aws redshift-serverless delete-workgroup --workgroup-name "$WORKGROUP_NAME" 2>&1) echo "$WORKGROUP_DELETE_OUTPUT" # Wait for workgroup to be deleted before deleting namespace wait_for_resource_deletion "workgroup" "$WORKGROUP_NAME" 20 30 "aws redshift-serverless get-workgroup --workgroup-name $WORKGROUP_NAME" # Delete the namespace echo "Deleting Redshift Serverless namespace $NAMESPACE_NAME..." NAMESPACE_DELETE_OUTPUT=$(aws redshift-serverless delete-namespace --namespace-name "$NAMESPACE_NAME" 2>&1) echo "$NAMESPACE_DELETE_OUTPUT" # Wait for namespace to be deleted wait_for_resource_deletion "namespace" "$NAMESPACE_NAME" 20 30 "aws redshift-serverless get-namespace --namespace-name $NAMESPACE_NAME" # Delete the IAM role policy echo "Deleting IAM role policy..." POLICY_DELETE_OUTPUT=$(aws iam delete-role-policy --role-name "$ROLE_NAME" --policy-name S3Access 2>&1) echo "$POLICY_DELETE_OUTPUT" # Delete the IAM role echo "Deleting IAM role $ROLE_NAME..." ROLE_DELETE_OUTPUT=$(aws iam delete-role --role-name "$ROLE_NAME" 2>&1) echo "$ROLE_DELETE_OUTPUT" # Delete the secret echo "Deleting Secrets Manager secret $SECRET_NAME..." SECRET_DELETE_OUTPUT=$(aws secretsmanager delete-secret --secret-id "$SECRET_NAME" --force-delete-without-recovery 2>&1) echo "$SECRET_DELETE_OUTPUT" echo "Cleanup completed." else echo "Cleanup skipped. Resources will remain in your AWS account." fi } # Check if required tools are available if ! command -v openssl &> /dev/null; then echo "ERROR: openssl is required but not installed. Please install openssl to continue." exit 1 fi # Generate unique names for resources RANDOM_SUFFIX=$(cat /dev/urandom | tr -dc 'a-z0-9' | head -c 6) NAMESPACE_NAME="rs-namespace-${RANDOM_SUFFIX}" WORKGROUP_NAME="rs-workgroup-${RANDOM_SUFFIX}" ROLE_NAME="RedshiftServerlessS3Role-${RANDOM_SUFFIX}" SECRET_NAME="redshift-serverless-admin-${RANDOM_SUFFIX}" DB_NAME="dev" ADMIN_USERNAME="admin" # Generate secure password echo "Generating secure password..." ADMIN_PASSWORD=$(generate_secure_password) # Create secret in AWS Secrets Manager create_secret "$SECRET_NAME" "$ADMIN_USERNAME" "$ADMIN_PASSWORD" "Admin credentials for Redshift Serverless namespace $NAMESPACE_NAME" if [[ $? -ne 0 ]]; then echo "ERROR: Failed to create secret in AWS Secrets Manager" exit 1 fi # Track created resources CREATED_RESOURCES=() echo "Using the following resource names:" echo "- Namespace: $NAMESPACE_NAME" echo "- Workgroup: $WORKGROUP_NAME" echo "- IAM Role: $ROLE_NAME" echo "- Secret: $SECRET_NAME" echo "- Database: $DB_NAME" echo "- Admin Username: $ADMIN_USERNAME" echo "- Admin Password: [STORED IN SECRETS MANAGER]" # Step 1: Create IAM role for S3 access echo "Creating IAM role for Redshift Serverless S3 access..." # Create trust policy document cat > redshift-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "redshift-serverless.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create S3 access policy document cat > redshift-s3-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::redshift-downloads", "arn:aws:s3:::redshift-downloads/*" ] } ] } EOF # Create IAM role echo "Creating IAM role $ROLE_NAME..." ROLE_OUTPUT=$(aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document file://redshift-trust-policy.json 2>&1) echo "$ROLE_OUTPUT" check_error "$ROLE_OUTPUT" "aws iam create-role" CREATED_RESOURCES+=("IAM Role: $ROLE_NAME") # Attach S3 policy to the role echo "Attaching S3 access policy to role $ROLE_NAME..." POLICY_OUTPUT=$(aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name S3Access --policy-document file://redshift-s3-policy.json 2>&1) echo "$POLICY_OUTPUT" check_error "$POLICY_OUTPUT" "aws iam put-role-policy" # Get the role ARN ROLE_ARN=$(aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text) echo "Role ARN: $ROLE_ARN" # Step 2: Create a namespace echo "Creating Redshift Serverless namespace $NAMESPACE_NAME..." NAMESPACE_OUTPUT=$(aws redshift-serverless create-namespace \ --namespace-name "$NAMESPACE_NAME" \ --admin-username "$ADMIN_USERNAME" \ --admin-user-password "$ADMIN_PASSWORD" \ --db-name "$DB_NAME" 2>&1) echo "$NAMESPACE_OUTPUT" check_error "$NAMESPACE_OUTPUT" "aws redshift-serverless create-namespace" CREATED_RESOURCES+=("Redshift Serverless Namespace: $NAMESPACE_NAME") # Wait for namespace to be available wait_for_resource "namespace" "$NAMESPACE_NAME" 10 30 "aws redshift-serverless get-namespace --namespace-name $NAMESPACE_NAME" # Associate IAM role with namespace echo "Associating IAM role with namespace..." UPDATE_NAMESPACE_OUTPUT=$(aws redshift-serverless update-namespace \ --namespace-name "$NAMESPACE_NAME" \ --iam-roles "$ROLE_ARN" 2>&1) echo "$UPDATE_NAMESPACE_OUTPUT" check_error "$UPDATE_NAMESPACE_OUTPUT" "aws redshift-serverless update-namespace" # Step 3: Create a workgroup echo "Creating Redshift Serverless workgroup $WORKGROUP_NAME..." WORKGROUP_OUTPUT=$(aws redshift-serverless create-workgroup \ --workgroup-name "$WORKGROUP_NAME" \ --namespace-name "$NAMESPACE_NAME" \ --base-capacity 8 2>&1) echo "$WORKGROUP_OUTPUT" check_error "$WORKGROUP_OUTPUT" "aws redshift-serverless create-workgroup" CREATED_RESOURCES+=("Redshift Serverless Workgroup: $WORKGROUP_NAME") # Wait for workgroup to be available wait_for_resource "workgroup" "$WORKGROUP_NAME" 20 30 "aws redshift-serverless get-workgroup --workgroup-name $WORKGROUP_NAME" # Get workgroup endpoint WORKGROUP_ENDPOINT=$(aws redshift-serverless get-workgroup \ --workgroup-name "$WORKGROUP_NAME" \ --query 'workgroup.endpoint.address' \ --output text) echo "Workgroup endpoint: $WORKGROUP_ENDPOINT" # Wait additional time for the endpoint to be fully operational echo "Waiting for endpoint to be fully operational..." sleep 60 # Step 4: Create tables for sample data echo "Creating tables for sample data..." # Create users table echo "Creating users table..." USERS_TABLE_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "CREATE TABLE users( userid INTEGER NOT NULL DISTKEY SORTKEY, username CHAR(8), firstname VARCHAR(30), lastname VARCHAR(30), city VARCHAR(30), state CHAR(2), email VARCHAR(100), phone CHAR(14), likesports BOOLEAN, liketheatre BOOLEAN, likeconcerts BOOLEAN, likejazz BOOLEAN, likeclassical BOOLEAN, likeopera BOOLEAN, likerock BOOLEAN, likevegas BOOLEAN, likebroadway BOOLEAN, likemusicals BOOLEAN );" 2>&1) echo "$USERS_TABLE_OUTPUT" check_error "$USERS_TABLE_OUTPUT" "aws redshift-data execute-statement (users table)" USERS_QUERY_ID=$(echo "$USERS_TABLE_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for query to complete echo "Waiting for users table creation to complete..." sleep 5 # Create event table echo "Creating event table..." EVENT_TABLE_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "CREATE TABLE event( eventid INTEGER NOT NULL DISTKEY, venueid SMALLINT NOT NULL, catid SMALLINT NOT NULL, dateid SMALLINT NOT NULL SORTKEY, eventname VARCHAR(200), starttime TIMESTAMP );" 2>&1) echo "$EVENT_TABLE_OUTPUT" check_error "$EVENT_TABLE_OUTPUT" "aws redshift-data execute-statement (event table)" EVENT_QUERY_ID=$(echo "$EVENT_TABLE_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for query to complete echo "Waiting for event table creation to complete..." sleep 5 # Create sales table echo "Creating sales table..." SALES_TABLE_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "CREATE TABLE sales( salesid INTEGER NOT NULL, listid INTEGER NOT NULL DISTKEY, sellerid INTEGER NOT NULL, buyerid INTEGER NOT NULL, eventid INTEGER NOT NULL, dateid SMALLINT NOT NULL SORTKEY, qtysold SMALLINT NOT NULL, pricepaid DECIMAL(8,2), commission DECIMAL(8,2), saletime TIMESTAMP );" 2>&1) echo "$SALES_TABLE_OUTPUT" check_error "$SALES_TABLE_OUTPUT" "aws redshift-data execute-statement (sales table)" SALES_QUERY_ID=$(echo "$SALES_TABLE_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for tables to be created echo "Waiting for tables to be created..." sleep 10 # Step 5: Load sample data from Amazon S3 echo "Loading sample data from Amazon S3..." # Load data into users table echo "Loading data into users table..." USERS_LOAD_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "COPY users FROM 's3://redshift-downloads/tickit/allusers_pipe.txt' DELIMITER '|' TIMEFORMAT 'YYYY-MM-DD HH:MI:SS' IGNOREHEADER 1 IAM_ROLE '$ROLE_ARN';" 2>&1) echo "$USERS_LOAD_OUTPUT" check_error "$USERS_LOAD_OUTPUT" "aws redshift-data execute-statement (load users)" USERS_LOAD_QUERY_ID=$(echo "$USERS_LOAD_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for data loading to complete echo "Waiting for users data loading to complete..." sleep 10 # Load data into event table echo "Loading data into event table..." EVENT_LOAD_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "COPY event FROM 's3://redshift-downloads/tickit/allevents_pipe.txt' DELIMITER '|' TIMEFORMAT 'YYYY-MM-DD HH:MI:SS' IGNOREHEADER 1 IAM_ROLE '$ROLE_ARN';" 2>&1) echo "$EVENT_LOAD_OUTPUT" check_error "$EVENT_LOAD_OUTPUT" "aws redshift-data execute-statement (load event)" EVENT_LOAD_QUERY_ID=$(echo "$EVENT_LOAD_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for data loading to complete echo "Waiting for event data loading to complete..." sleep 10 # Load data into sales table echo "Loading data into sales table..." SALES_LOAD_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "COPY sales FROM 's3://redshift-downloads/tickit/sales_tab.txt' DELIMITER '\t' TIMEFORMAT 'MM/DD/YYYY HH:MI:SS' IGNOREHEADER 1 IAM_ROLE '$ROLE_ARN';" 2>&1) echo "$SALES_LOAD_OUTPUT" check_error "$SALES_LOAD_OUTPUT" "aws redshift-data execute-statement (load sales)" SALES_LOAD_QUERY_ID=$(echo "$SALES_LOAD_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for data loading to complete echo "Waiting for sales data loading to complete..." sleep 30 # Step 6: Run sample queries echo "Running sample queries..." # Query 1: Find top 10 buyers by quantity echo "Running query: Find top 10 buyers by quantity..." QUERY1_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "SELECT firstname, lastname, total_quantity FROM (SELECT buyerid, sum(qtysold) total_quantity FROM sales GROUP BY buyerid ORDER BY total_quantity desc limit 10) Q, users WHERE Q.buyerid = userid ORDER BY Q.total_quantity desc;" 2>&1) echo "$QUERY1_OUTPUT" check_error "$QUERY1_OUTPUT" "aws redshift-data execute-statement (query 1)" QUERY1_ID=$(echo "$QUERY1_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for query to complete echo "Waiting for query 1 to complete..." sleep 10 # Get query 1 results echo "Getting results for query 1..." QUERY1_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY1_ID" 2>&1) echo "$QUERY1_STATUS_OUTPUT" check_error "$QUERY1_STATUS_OUTPUT" "aws redshift-data describe-statement (query 1)" QUERY1_STATUS=$(echo "$QUERY1_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4) if [ "$QUERY1_STATUS" == "FINISHED" ]; then QUERY1_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY1_ID" 2>&1) echo "Query 1 Results:" echo "$QUERY1_RESULTS" else echo "Query 1 is not yet complete. Status: $QUERY1_STATUS" echo "Waiting additional time for query to complete..." sleep 20 # Check again QUERY1_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY1_ID" 2>&1) QUERY1_STATUS=$(echo "$QUERY1_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4) if [ "$QUERY1_STATUS" == "FINISHED" ]; then QUERY1_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY1_ID" 2>&1) echo "Query 1 Results:" echo "$QUERY1_RESULTS" else echo "Query 1 is still not complete. Status: $QUERY1_STATUS" fi fi # Query 2: Find events in the 99.9 percentile in terms of all time total sales echo "Running query: Find events in the 99.9 percentile in terms of all time total sales..." QUERY2_OUTPUT=$(aws redshift-data execute-statement \ --database "$DB_NAME" \ --workgroup-name "$WORKGROUP_NAME" \ --sql "SELECT eventname, total_price FROM (SELECT eventid, total_price, ntile(1000) over(order by total_price desc) as percentile FROM (SELECT eventid, sum(pricepaid) total_price FROM sales GROUP BY eventid)) Q, event E WHERE Q.eventid = E.eventid AND percentile = 1 ORDER BY total_price desc;" 2>&1) echo "$QUERY2_OUTPUT" check_error "$QUERY2_OUTPUT" "aws redshift-data execute-statement (query 2)" QUERY2_ID=$(echo "$QUERY2_OUTPUT" | grep -o '"Id": "[^"]*' | cut -d'"' -f4) # Wait for query to complete echo "Waiting for query 2 to complete..." sleep 10 # Get query 2 results echo "Getting results for query 2..." QUERY2_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY2_ID" 2>&1) echo "$QUERY2_STATUS_OUTPUT" check_error "$QUERY2_STATUS_OUTPUT" "aws redshift-data describe-statement (query 2)" QUERY2_STATUS=$(echo "$QUERY2_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4) if [ "$QUERY2_STATUS" == "FINISHED" ]; then QUERY2_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY2_ID" 2>&1) echo "Query 2 Results:" echo "$QUERY2_RESULTS" else echo "Query 2 is not yet complete. Status: $QUERY2_STATUS" echo "Waiting additional time for query to complete..." sleep 20 # Check again QUERY2_STATUS_OUTPUT=$(aws redshift-data describe-statement --id "$QUERY2_ID" 2>&1) QUERY2_STATUS=$(echo "$QUERY2_STATUS_OUTPUT" | grep -o '"Status": "[^"]*' | cut -d'"' -f4) if [ "$QUERY2_STATUS" == "FINISHED" ]; then QUERY2_RESULTS=$(aws redshift-data get-statement-result --id "$QUERY2_ID" 2>&1) echo "Query 2 Results:" echo "$QUERY2_RESULTS" else echo "Query 2 is still not complete. Status: $QUERY2_STATUS" fi fi # Summary echo "" echo "===========================================" echo "TUTORIAL SUMMARY" echo "===========================================" echo "You have successfully:" echo "1. Created a Redshift Serverless namespace and workgroup" echo "2. Created an IAM role with S3 access permissions" echo "3. Stored admin credentials securely in AWS Secrets Manager" echo "4. Created tables for sample data" echo "5. Loaded sample data from Amazon S3" echo "6. Run sample queries on the data" echo "" echo "Redshift Serverless Resources:" echo "- Namespace: $NAMESPACE_NAME" echo "- Workgroup: $WORKGROUP_NAME" echo "- Database: $DB_NAME" echo "- Endpoint: $WORKGROUP_ENDPOINT" echo "- Credentials Secret: $SECRET_NAME" echo "" echo "To connect to your Redshift Serverless database using SQL tools:" echo "- Host: $WORKGROUP_ENDPOINT" echo "- Database: $DB_NAME" echo "- Username: $ADMIN_USERNAME" echo "- Password: Retrieve from AWS Secrets Manager secret '$SECRET_NAME'" echo "" echo "To retrieve the password from Secrets Manager (without jq):" echo "aws secretsmanager get-secret-value --secret-id $SECRET_NAME --query 'SecretString' --output text | sed -n 's/.*\"password\":\"$[^\"]*$\".*/\1/p'" echo "" # Clean up temporary files rm -f redshift-trust-policy.json redshift-s3-policy.json # Clean up resources cleanup_resources echo "Tutorial completed at $(date)" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/CreateNamespace) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/CreateSecret) + [CreateWorkgroup](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/CreateWorkgroup) + [DeleteNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/DeleteNamespace) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy) + [DeleteSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/DeleteSecret) + [DeleteWorkgroup](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/DeleteWorkgroup) + [GetNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/GetNamespace) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [GetSecretValue](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/GetSecretValue) + [GetWorkgroup](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/GetWorkgroup) + [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy) + [UpdateNamespace](https://docs.aws.amazon.com/goto/aws-cli/redshift-2012-12-01/UpdateNamespace) ### Getting started with Amazon DocumentDB The following code example shows how to: + Create a DB subnet group + Create a DocumentDB cluster + Create a DocumentDB instance + Configure security and connectivity + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/025-documentdb-gs) repository. ``` #!/bin/bash # Amazon DocumentDB - Getting Started # This script creates a DocumentDB cluster with encrypted storage, stores the # master password in Secrets Manager, and displays connection information. set -eE ############################################################################### # Configuration ############################################################################### SUFFIX=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1) CLUSTER_ID="docdb-gs-${SUFFIX}" INSTANCE_ID="${CLUSTER_ID}-inst" SUBNET_GROUP_NAME="docdb-subnet-${SUFFIX}" SECRET_NAME="docdb-secret-${SUFFIX}" MASTER_USER="docdbadmin" ENGINE_VERSION="5.0.0" INSTANCE_CLASS="db.t3.medium" DOCDB_PORT=27017 WAIT_TIMEOUT=900 TEMP_DIR=$(mktemp -d) LOG_FILE="${TEMP_DIR}/documentdb-gs.log" CREATED_RESOURCES=() ############################################################################### # Logging ############################################################################### exec > >(tee -a "$LOG_FILE") 2>&1 echo "Log file: $LOG_FILE" echo "" ############################################################################### # Region pre-check ############################################################################### CONFIGURED_REGION=$(aws configure get region 2>/dev/null || true) if [ -z "$CONFIGURED_REGION" ] && [ -z "$AWS_DEFAULT_REGION" ] && [ -z "$AWS_REGION" ]; then echo "ERROR: No AWS region configured." echo "Run 'aws configure set region ' or export AWS_DEFAULT_REGION." exit 1 fi REGION="${AWS_REGION:-${AWS_DEFAULT_REGION:-$CONFIGURED_REGION}}" echo "Using region: $REGION" echo "" ############################################################################### # Error handler ############################################################################### handle_error() { echo "" echo "===========================================" echo "ERROR at $1" echo "===========================================" echo "" if [ ${#CREATED_RESOURCES[@]} -gt 0 ]; then echo "Resources created before error:" for r in "${CREATED_RESOURCES[@]}"; do echo " - $r" done echo "" echo "Attempting cleanup..." cleanup_resources fi rm -rf "$TEMP_DIR" exit 1 } trap 'handle_error "line $LINENO"' ERR ############################################################################### # Wait function ############################################################################### wait_for_status() { local resource_type="$1" local resource_id="$2" local target_status="$3" local timeout="${4:-$WAIT_TIMEOUT}" local elapsed=0 local interval=30 echo "Waiting for $resource_type '$resource_id' to reach '$target_status'..." while true; do local current_status="" if [ "$resource_type" = "cluster" ]; then current_status=$(aws docdb describe-db-clusters \ --db-cluster-identifier "$resource_id" \ --query "DBClusters[0].Status" --output text 2>&1) elif [ "$resource_type" = "instance" ]; then current_status=$(aws docdb describe-db-instances \ --db-instance-identifier "$resource_id" \ --query "DBInstances[0].DBInstanceStatus" --output text 2>&1) fi if echo "$current_status" | grep -iq "error"; then echo "ERROR checking status: $current_status" return 1 fi echo " Status: $current_status ($elapsed/${timeout}s)" if [ "$current_status" = "$target_status" ]; then echo " $resource_type '$resource_id' is now '$target_status'." return 0 fi if [ "$elapsed" -ge "$timeout" ]; then echo "ERROR: Timed out after ${timeout}s waiting for $resource_type '$resource_id'." return 1 fi sleep "$interval" elapsed=$((elapsed + interval)) done } ############################################################################### # Wait for deletion ############################################################################### wait_for_deletion() { local resource_type="$1" local resource_id="$2" local timeout="${3:-$WAIT_TIMEOUT}" local elapsed=0 local interval=30 echo "Waiting for $resource_type '$resource_id' to be deleted..." while true; do local result="" if [ "$resource_type" = "cluster" ]; then result=$(aws docdb describe-db-clusters \ --db-cluster-identifier "$resource_id" \ --query "DBClusters[0].Status" --output text 2>&1) || true elif [ "$resource_type" = "instance" ]; then result=$(aws docdb describe-db-instances \ --db-instance-identifier "$resource_id" \ --query "DBInstances[0].DBInstanceStatus" --output text 2>&1) || true fi if echo "$result" | grep -iq "DBClusterNotFoundFault\|DBInstanceNotFound\|not found"; then echo " $resource_type '$resource_id' deleted." return 0 fi echo " Still deleting... ($elapsed/${timeout}s)" if [ "$elapsed" -ge "$timeout" ]; then echo "WARNING: Timed out waiting for $resource_type '$resource_id' deletion." return 1 fi sleep "$interval" elapsed=$((elapsed + interval)) done } ############################################################################### # Cleanup ############################################################################### cleanup_resources() { echo "" echo "Cleaning up resources..." echo "" # Revoke security group ingress rule if [ -n "${SG_ID:-}" ] && [ -n "${MY_IP:-}" ]; then echo "Revoking security group ingress rule..." aws ec2 revoke-security-group-ingress \ --group-id "$SG_ID" \ --protocol tcp \ --port "$DOCDB_PORT" \ --cidr "${MY_IP}/32" 2>&1 || echo "WARNING: Failed to revoke SG ingress rule." fi # Delete instance (must be deleted before cluster) if printf '%s\n' "${CREATED_RESOURCES[@]}" | grep -q "instance:"; then echo "Deleting instance '${INSTANCE_ID}'..." aws docdb delete-db-instance \ --db-instance-identifier "$INSTANCE_ID" 2>&1 || echo "WARNING: Failed to delete instance." wait_for_deletion "instance" "$INSTANCE_ID" || true fi # Delete cluster (skip final snapshot) if printf '%s\n' "${CREATED_RESOURCES[@]}" | grep -q "cluster:"; then echo "Deleting cluster '${CLUSTER_ID}'..." aws docdb delete-db-cluster \ --db-cluster-identifier "$CLUSTER_ID" \ --skip-final-snapshot 2>&1 || echo "WARNING: Failed to delete cluster." wait_for_deletion "cluster" "$CLUSTER_ID" || true fi # Delete subnet group (must wait for cluster deletion) if printf '%s\n' "${CREATED_RESOURCES[@]}" | grep -q "subnet-group:"; then echo "Deleting subnet group '${SUBNET_GROUP_NAME}'..." aws docdb delete-db-subnet-group \ --db-subnet-group-name "$SUBNET_GROUP_NAME" 2>&1 || echo "WARNING: Failed to delete subnet group." fi # Delete secret if printf '%s\n' "${CREATED_RESOURCES[@]}" | grep -q "secret:"; then echo "Deleting secret '${SECRET_NAME}'..." aws secretsmanager delete-secret \ --secret-id "$SECRET_NAME" \ --force-delete-without-recovery 2>&1 || echo "WARNING: Failed to delete secret." fi echo "" echo "Cleanup complete." } ############################################################################### # Step 1: Generate password and store in Secrets Manager ############################################################################### echo "===========================================" echo "Step 1: Create master password in Secrets Manager" echo "===========================================" echo "" # Generate a safe password (no / @ " or spaces) MASTER_PASSWORD=$(cat /dev/urandom | tr -dc 'A-Za-z0-9!#$%^&*()_+=-' | fold -w 20 | head -n 1) SECRET_OUTPUT=$(aws secretsmanager create-secret \ --name "$SECRET_NAME" \ --description "DocumentDB master password for ${CLUSTER_ID}" \ --secret-string "$MASTER_PASSWORD" \ --output text --query "ARN" 2>&1) if echo "$SECRET_OUTPUT" | grep -iq "error"; then echo "ERROR creating secret: $SECRET_OUTPUT" exit 1 fi SECRET_ARN="$SECRET_OUTPUT" CREATED_RESOURCES+=("secret:${SECRET_NAME}") echo "Secret created: $SECRET_NAME" echo "Secret ARN: $SECRET_ARN" echo "" ############################################################################### # Step 2: Find default VPC and subnets ############################################################################### echo "===========================================" echo "Step 2: Find default VPC and subnets" echo "===========================================" echo "" VPC_ID=$(aws ec2 describe-vpcs \ --filters "Name=isDefault,Values=true" \ --query "Vpcs[0].VpcId" --output text 2>&1) if echo "$VPC_ID" | grep -iq "error"; then echo "ERROR finding default VPC: $VPC_ID" exit 1 fi if [ "$VPC_ID" = "None" ] || [ -z "$VPC_ID" ]; then echo "ERROR: No default VPC found. Create one with 'aws ec2 create-default-vpc'." exit 1 fi echo "Default VPC: $VPC_ID" # Get subnets in at least 2 different AZs (space-separated) SUBNET_INFO=$(aws ec2 describe-subnets \ --filters "Name=vpc-id,Values=${VPC_ID}" "Name=default-for-az,Values=true" \ --query "Subnets[*].[SubnetId,AvailabilityZone]" --output text 2>&1) if echo "$SUBNET_INFO" | grep -iq "error"; then echo "ERROR finding subnets: $SUBNET_INFO" exit 1 fi # Collect unique AZs and their subnet IDs declare -A AZ_SUBNETS while IFS=$'\t' read -r sid az; do if [ -z "${AZ_SUBNETS[$az]+x}" ]; then AZ_SUBNETS[$az]="$sid" fi done <<< "$SUBNET_INFO" AZ_COUNT=${#AZ_SUBNETS[@]} if [ "$AZ_COUNT" -lt 2 ]; then echo "ERROR: DocumentDB requires subnets in at least 2 AZs. Found $AZ_COUNT." exit 1 fi # Build space-separated subnet ID list SUBNET_IDS="" for az in "${!AZ_SUBNETS[@]}"; do if [ -n "$SUBNET_IDS" ]; then SUBNET_IDS="${SUBNET_IDS} ${AZ_SUBNETS[$az]}" else SUBNET_IDS="${AZ_SUBNETS[$az]}" fi done echo "Subnets (${AZ_COUNT} AZs): $SUBNET_IDS" echo "" ############################################################################### # Step 3: Create subnet group ############################################################################### echo "===========================================" echo "Step 3: Create DocumentDB subnet group" echo "===========================================" echo "" SUBNET_GROUP_OUTPUT=$(aws docdb create-db-subnet-group \ --db-subnet-group-name "$SUBNET_GROUP_NAME" \ --db-subnet-group-description "Subnet group for DocumentDB getting started" \ --subnet-ids $SUBNET_IDS \ --query "DBSubnetGroup.DBSubnetGroupName" --output text 2>&1) if echo "$SUBNET_GROUP_OUTPUT" | grep -iq "error"; then echo "ERROR creating subnet group: $SUBNET_GROUP_OUTPUT" exit 1 fi CREATED_RESOURCES+=("subnet-group:${SUBNET_GROUP_NAME}") echo "Subnet group created: $SUBNET_GROUP_NAME" echo "" ############################################################################### # Step 4: Create DocumentDB cluster ############################################################################### echo "===========================================" echo "Step 4: Create DocumentDB cluster" echo "===========================================" echo "" CLUSTER_OUTPUT=$(aws docdb create-db-cluster \ --db-cluster-identifier "$CLUSTER_ID" \ --engine docdb \ --engine-version "$ENGINE_VERSION" \ --master-username "$MASTER_USER" \ --master-user-password "$MASTER_PASSWORD" \ --db-subnet-group-name "$SUBNET_GROUP_NAME" \ --storage-encrypted \ --no-deletion-protection \ --query "DBCluster.DBClusterIdentifier" --output text 2>&1) if echo "$CLUSTER_OUTPUT" | grep -iq "error"; then echo "ERROR creating cluster: $CLUSTER_OUTPUT" exit 1 fi CREATED_RESOURCES+=("cluster:${CLUSTER_ID}") echo "Cluster created: $CLUSTER_ID" echo "" wait_for_status "cluster" "$CLUSTER_ID" "available" echo "" ############################################################################### # Step 5: Create DocumentDB instance ############################################################################### echo "===========================================" echo "Step 5: Create DocumentDB instance" echo "===========================================" echo "" INSTANCE_OUTPUT=$(aws docdb create-db-instance \ --db-instance-identifier "$INSTANCE_ID" \ --db-instance-class "$INSTANCE_CLASS" \ --db-cluster-identifier "$CLUSTER_ID" \ --engine docdb \ --query "DBInstance.DBInstanceIdentifier" --output text 2>&1) if echo "$INSTANCE_OUTPUT" | grep -iq "error"; then echo "ERROR creating instance: $INSTANCE_OUTPUT" exit 1 fi CREATED_RESOURCES+=("instance:${INSTANCE_ID}") echo "Instance created: $INSTANCE_ID" echo "" wait_for_status "instance" "$INSTANCE_ID" "available" echo "" ############################################################################### # Step 6: Get cluster endpoint and security group ############################################################################### echo "===========================================" echo "Step 6: Get cluster endpoint and security group" echo "===========================================" echo "" CLUSTER_DETAILS=$(aws docdb describe-db-clusters \ --db-cluster-identifier "$CLUSTER_ID" \ --query "DBClusters[0].[Endpoint,VpcSecurityGroups[0].VpcSecurityGroupId]" \ --output text 2>&1) if echo "$CLUSTER_DETAILS" | grep -iq "error"; then echo "ERROR getting cluster details: $CLUSTER_DETAILS" exit 1 fi CLUSTER_ENDPOINT=$(echo "$CLUSTER_DETAILS" | awk '{print $1}') SG_ID=$(echo "$CLUSTER_DETAILS" | awk '{print $2}') echo "Cluster endpoint: $CLUSTER_ENDPOINT" echo "Security group: $SG_ID" echo "" ############################################################################### # Step 7: Add security group ingress for port 27017 from user's IP ############################################################################### echo "===========================================" echo "Step 7: Add security group ingress rule" echo "===========================================" echo "" # Get the user's public IP MY_IP=$(curl -s https://checkip.amazonaws.com 2>&1) if echo "$MY_IP" | grep -iq "error\|could not\|failed"; then echo "ERROR: Could not determine public IP address." exit 1 fi # Trim whitespace MY_IP=$(echo "$MY_IP" | tr -d '[:space:]') echo "Your public IP: $MY_IP" SG_RULE_OUTPUT=$(aws ec2 authorize-security-group-ingress \ --group-id "$SG_ID" \ --protocol tcp \ --port "$DOCDB_PORT" \ --cidr "${MY_IP}/32" 2>&1) if echo "$SG_RULE_OUTPUT" | grep -iq "error"; then # Ignore if rule already exists if echo "$SG_RULE_OUTPUT" | grep -iq "Duplicate"; then echo "Ingress rule already exists." else echo "ERROR adding ingress rule: $SG_RULE_OUTPUT" exit 1 fi else echo "Ingress rule added: TCP ${DOCDB_PORT} from ${MY_IP}/32" fi CREATED_RESOURCES+=("sg-rule:${SG_ID}:${MY_IP}") echo "" ############################################################################### # Step 8: Download CA certificate ############################################################################### echo "===========================================" echo "Step 8: Download Amazon DocumentDB CA certificate" echo "===========================================" echo "" CA_CERT_PATH="${TEMP_DIR}/global-bundle.pem" curl -s -o "$CA_CERT_PATH" https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem 2>&1 if [ ! -s "$CA_CERT_PATH" ]; then echo "WARNING: Failed to download CA certificate." else echo "CA certificate downloaded to: $CA_CERT_PATH" fi echo "" ############################################################################### # Step 9: Display connection information ############################################################################### echo "===========================================" echo "CONNECTION INFORMATION" echo "===========================================" echo "" echo "Cluster endpoint : $CLUSTER_ENDPOINT" echo "Port : $DOCDB_PORT" echo "Master username : $MASTER_USER" echo "Secret name : $SECRET_NAME (contains password)" echo "Security group : $SG_ID" echo "CA certificate : $CA_CERT_PATH" echo "" echo "To connect with mongosh:" echo " mongosh --tls --host ${CLUSTER_ENDPOINT} --tlsCAFile ${CA_CERT_PATH} \\" echo " --retryWrites false --username ${MASTER_USER} --password \$(aws secretsmanager get-secret-value --secret-id ${SECRET_NAME} --query SecretString --output text)" echo "" ############################################################################### # Step 10: Cleanup ############################################################################### echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "" echo "Resources created:" for r in "${CREATED_RESOURCES[@]}"; do echo " - $r" done echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [ "$CLEANUP_CHOICE" = "y" ] || [ "$CLEANUP_CHOICE" = "Y" ]; then cleanup_resources else echo "" echo "Resources were NOT deleted. To clean up manually, run:" echo "" echo " # Revoke security group ingress rule" echo " aws ec2 revoke-security-group-ingress --group-id ${SG_ID} --protocol tcp --port ${DOCDB_PORT} --cidr ${MY_IP}/32" echo "" echo " # Delete instance (wait for it to finish before deleting cluster)" echo " aws docdb delete-db-instance --db-instance-identifier ${INSTANCE_ID}" echo " aws docdb wait db-instance-deleted --db-instance-identifier ${INSTANCE_ID}" echo "" echo " # Delete cluster" echo " aws docdb delete-db-cluster --db-cluster-identifier ${CLUSTER_ID} --skip-final-snapshot" echo "" echo " # Delete subnet group (after cluster is deleted)" echo " aws docdb delete-db-subnet-group --db-subnet-group-name ${SUBNET_GROUP_NAME}" echo "" echo " # Delete secret" echo " aws secretsmanager delete-secret --secret-id ${SECRET_NAME} --force-delete-without-recovery" echo "" fi rm -rf "$TEMP_DIR" echo "Done." ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateDbCluster](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/CreateDbCluster) + [CreateDbInstance](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/CreateDbInstance) + [CreateDbSubnetGroup](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/CreateDbSubnetGroup) + [CreateDefaultVpc](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateDefaultVpc) + [CreateSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/CreateSecret) + [DeleteDbCluster](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/DeleteDbCluster) + [DeleteDbInstance](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/DeleteDbInstance) + [DeleteDbSubnetGroup](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/DeleteDbSubnetGroup) + [DeleteSecret](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/DeleteSecret) + [DescribeDbClusters](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/DescribeDbClusters) + [DescribeDbInstances](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/DescribeDbInstances) + [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets) + [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs) + [GetSecretValue](https://docs.aws.amazon.com/goto/aws-cli/secretsmanager-2017-10-17/GetSecretValue) + [RevokeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/RevokeSecurityGroupIngress) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/docdb-2014-10-31/Wait) ### Moving hardcoded secrets to Secrets Manager The following code example shows how to: + Create IAM roles + Create a secret in Secrets Manager + Update your application code + Update the secret + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/073-aws-secrets-manager-gs) repository. ``` #!/bin/bash # Script to move hardcoded secrets to AWS Secrets Manager # This script demonstrates how to create IAM roles, store a secret in AWS Secrets Manager, # and set up appropriate permissions # Set up logging LOG_FILE="secrets_manager_tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting AWS Secrets Manager tutorial script at $(date)" echo "======================================================" # Function to check for errors in command output check_error() { local output=$1 local cmd=$2 if echo "$output" | grep -i "error" > /dev/null; then echo "ERROR: Command failed: $cmd" echo "$output" cleanup_resources exit 1 fi } # Function to generate a random identifier generate_random_id() { echo "sm$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)" } # Function to clean up resources cleanup_resources() { echo "" echo "===========================================" echo "RESOURCES CREATED" echo "===========================================" if [ -n "$SECRET_NAME" ]; then echo "Secret: $SECRET_NAME" fi if [ -n "$RUNTIME_ROLE_NAME" ]; then echo "IAM Role: $RUNTIME_ROLE_NAME" fi if [ -n "$ADMIN_ROLE_NAME" ]; then echo "IAM Role: $ADMIN_ROLE_NAME" fi echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Cleaning up resources..." # Delete secret if it exists if [ -n "$SECRET_NAME" ]; then echo "Deleting secret: $SECRET_NAME" aws secretsmanager delete-secret --secret-id "$SECRET_NAME" --force-delete-without-recovery fi # Detach policies and delete runtime role if it exists if [ -n "$RUNTIME_ROLE_NAME" ]; then echo "Deleting IAM role: $RUNTIME_ROLE_NAME" aws iam delete-role --role-name "$RUNTIME_ROLE_NAME" fi # Detach policies and delete admin role if it exists if [ -n "$ADMIN_ROLE_NAME" ]; then echo "Detaching policy from role: $ADMIN_ROLE_NAME" aws iam detach-role-policy --role-name "$ADMIN_ROLE_NAME" --policy-arn "arn:aws:iam::aws:policy/SecretsManagerReadWrite" echo "Deleting IAM role: $ADMIN_ROLE_NAME" aws iam delete-role --role-name "$ADMIN_ROLE_NAME" fi echo "Cleanup completed." else echo "Resources will not be deleted." fi } # Trap to ensure cleanup on script exit trap 'echo "Script interrupted. Running cleanup..."; cleanup_resources' INT TERM # Generate random identifiers for resources ADMIN_ROLE_NAME="SecretsManagerAdmin-$(generate_random_id)" RUNTIME_ROLE_NAME="RoleToRetrieveSecretAtRuntime-$(generate_random_id)" SECRET_NAME="MyAPIKey-$(generate_random_id)" echo "Using the following resource names:" echo "Admin Role: $ADMIN_ROLE_NAME" echo "Runtime Role: $RUNTIME_ROLE_NAME" echo "Secret Name: $SECRET_NAME" echo "" # Step 1: Create IAM roles echo "Creating IAM roles..." # Create the SecretsManagerAdmin role echo "Creating admin role: $ADMIN_ROLE_NAME" ADMIN_ROLE_OUTPUT=$(aws iam create-role \ --role-name "$ADMIN_ROLE_NAME" \ --assume-role-policy-document '{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }') check_error "$ADMIN_ROLE_OUTPUT" "create-role for admin" echo "$ADMIN_ROLE_OUTPUT" # Attach the SecretsManagerReadWrite policy to the admin role echo "Attaching SecretsManagerReadWrite policy to admin role" ATTACH_POLICY_OUTPUT=$(aws iam attach-role-policy \ --role-name "$ADMIN_ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/SecretsManagerReadWrite") check_error "$ATTACH_POLICY_OUTPUT" "attach-role-policy for admin" echo "$ATTACH_POLICY_OUTPUT" # Create the RoleToRetrieveSecretAtRuntime role echo "Creating runtime role: $RUNTIME_ROLE_NAME" RUNTIME_ROLE_OUTPUT=$(aws iam create-role \ --role-name "$RUNTIME_ROLE_NAME" \ --assume-role-policy-document '{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }') check_error "$RUNTIME_ROLE_OUTPUT" "create-role for runtime" echo "$RUNTIME_ROLE_OUTPUT" # Wait for roles to be fully created echo "Waiting for IAM roles to be fully created..." sleep 10 # Step 2: Create a secret in AWS Secrets Manager echo "Creating secret in AWS Secrets Manager..." CREATE_SECRET_OUTPUT=$(aws secretsmanager create-secret \ --name "$SECRET_NAME" \ --description "API key for my application" \ --secret-string '{"ClientID":"my_client_id","ClientSecret":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}') check_error "$CREATE_SECRET_OUTPUT" "create-secret" echo "$CREATE_SECRET_OUTPUT" # Get AWS account ID echo "Getting AWS account ID..." ACCOUNT_ID_OUTPUT=$(aws sts get-caller-identity --query "Account" --output text) check_error "$ACCOUNT_ID_OUTPUT" "get-caller-identity" ACCOUNT_ID=$ACCOUNT_ID_OUTPUT echo "Account ID: $ACCOUNT_ID" # Add resource policy to the secret echo "Adding resource policy to secret..." RESOURCE_POLICY=$(cat < The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon SES. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Setting up Amazon Simple Email Service (SES) The following code example shows how to: + Verify an email address + Verify a domain (optional) + Check your sending limits + Send a test email + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/033-ses-gs) repository. ``` #!/bin/bash # Amazon SES Setup Script (v2) # This script helps you set up Amazon SES for sending emails # Initialize log file LOG_FILE="ses-setup.log" echo "Starting Amazon SES setup at $(date)" > "$LOG_FILE" # Function to log commands and their output log_cmd() { echo "Running: $1" | tee -a "$LOG_FILE" eval "$1" 2>&1 | tee -a "$LOG_FILE" return ${PIPESTATUS[0]} } # Function to check for errors in command output check_error() { local cmd_output="$1" local cmd_status="$2" local error_msg="$3" local ignore_error="${4:-false}" if [[ $cmd_status -ne 0 || "$cmd_output" =~ [Ee][Rr][Rr][Oo][Rr] ]]; then echo "ERROR: $error_msg" | tee -a "$LOG_FILE" if [[ "$ignore_error" != "true" ]]; then cleanup_resources exit 1 fi fi } # Function to clean up resources cleanup_resources() { echo "Cleaning up resources..." | tee -a "$LOG_FILE" # No physical resources to clean up for SES setup # Email identities can be deleted if needed if [[ -n "$EMAIL_ADDRESS" ]]; then echo "Deleting email identity: $EMAIL_ADDRESS" | tee -a "$LOG_FILE" log_cmd "aws ses delete-identity --identity \"$EMAIL_ADDRESS\"" fi if [[ -n "$RECIPIENT_EMAIL" && "$RECIPIENT_EMAIL" != "$EMAIL_ADDRESS" ]]; then echo "Deleting recipient email identity: $RECIPIENT_EMAIL" | tee -a "$LOG_FILE" log_cmd "aws ses delete-identity --identity \"$RECIPIENT_EMAIL\"" fi if [[ -n "$DOMAIN_NAME" ]]; then echo "Deleting domain identity: $DOMAIN_NAME" | tee -a "$LOG_FILE" log_cmd "aws ses delete-identity --identity \"$DOMAIN_NAME\"" fi } # Track created resources CREATED_RESOURCES=() # Welcome message echo "=============================================" echo "Amazon SES Setup Script" echo "=============================================" echo "This script will help you set up Amazon SES for sending emails." echo "You'll need to verify at least one email address that you own." echo "" echo "NOTE: New SES accounts are placed in the sandbox environment." echo "In the sandbox, both sender AND recipient email addresses must be verified." echo "" # Get email address to verify echo "Please enter an email address that you own and can access:" read -r EMAIL_ADDRESS # Verify email identity echo "Verifying email address: $EMAIL_ADDRESS" | tee -a "$LOG_FILE" OUTPUT=$(log_cmd "aws ses verify-email-identity --email-address \"$EMAIL_ADDRESS\"") check_error "$OUTPUT" $? "Failed to verify email address" CREATED_RESOURCES+=("Email identity: $EMAIL_ADDRESS") echo "A verification email has been sent to $EMAIL_ADDRESS." echo "Please check your inbox and click the verification link before continuing." echo "" echo "Press Enter after you've verified your email address..." read -r # Check verification status echo "Checking verification status..." | tee -a "$LOG_FILE" OUTPUT=$(log_cmd "aws ses list-identities --identity-type EmailAddress") check_error "$OUTPUT" $? "Failed to list identities" OUTPUT=$(log_cmd "aws ses get-identity-verification-attributes --identities \"$EMAIL_ADDRESS\"") check_error "$OUTPUT" $? "Failed to get verification attributes" # Check if the email is verified VERIFICATION_STATUS=$(echo "$OUTPUT" | grep -o '"VerificationStatus": "[^"]*' | cut -d'"' -f4) if [[ "$VERIFICATION_STATUS" != "Success" ]]; then echo "Email address $EMAIL_ADDRESS is not verified yet. Please check your inbox and verify before continuing." echo "Exiting script..." exit 1 fi # Ask if user wants to verify a domain echo "" echo "Do you want to verify a domain for sending emails? (y/n):" read -r VERIFY_DOMAIN if [[ "$VERIFY_DOMAIN" =~ ^[Yy] ]]; then echo "Please enter the domain name you want to verify:" read -r DOMAIN_NAME # Verify domain identity echo "Verifying domain: $DOMAIN_NAME" | tee -a "$LOG_FILE" OUTPUT=$(log_cmd "aws ses verify-domain-identity --domain \"$DOMAIN_NAME\"") check_error "$OUTPUT" $? "Failed to verify domain identity" # Extract verification token VERIFICATION_TOKEN=$(echo "$OUTPUT" | grep -o '"VerificationToken": "[^"]*' | cut -d'"' -f4) CREATED_RESOURCES+=("Domain identity: $DOMAIN_NAME") echo "" echo "=============================================" echo "Domain Verification Instructions" echo "=============================================" echo "To verify your domain ownership, you need to add a TXT record" echo "to your domain's DNS settings with the following values:" echo "" echo "Record Type: TXT" echo "Record Name: _amazonses.$DOMAIN_NAME" echo "Record Value: $VERIFICATION_TOKEN" echo "" echo "After adding this DNS record, verification may take up to 72 hours." echo "" # Set up DKIM for the domain echo "Setting up DKIM for domain: $DOMAIN_NAME" | tee -a "$LOG_FILE" OUTPUT=$(log_cmd "aws ses verify-domain-dkim --domain \"$DOMAIN_NAME\"") check_error "$OUTPUT" $? "Failed to set up DKIM" # Extract DKIM tokens DKIM_TOKENS=$(echo "$OUTPUT" | grep -o '"DkimTokens": \[[^]]*\]' | sed 's/"DkimTokens": \[\|\]//g' | sed 's/,//g' | sed 's/"//g') echo "=============================================" echo "DKIM Configuration Instructions" echo "=============================================" echo "To configure DKIM for your domain, add the following CNAME records" echo "to your domain's DNS settings:" echo "" for token in $DKIM_TOKENS; do echo "Record Type: CNAME" echo "Record Name: ${token}._domainkey.$DOMAIN_NAME" echo "Record Value: ${token}.dkim.amazonses.com" echo "" done echo "After adding these DNS records, DKIM verification may take up to 72 hours." echo "" fi # Check sending limits echo "Checking your SES sending limits..." | tee -a "$LOG_FILE" OUTPUT=$(log_cmd "aws ses get-send-quota") check_error "$OUTPUT" $? "Failed to get sending quota" # Extract quota information MAX_SEND_RATE=$(echo "$OUTPUT" | grep -o '"MaxSendRate": [0-9.]*' | cut -d' ' -f2) MAX_24_HOUR_SEND=$(echo "$OUTPUT" | grep -o '"Max24HourSend": [0-9.]*' | cut -d' ' -f2) SENT_LAST_24_HOURS=$(echo "$OUTPUT" | grep -o '"SentLast24Hours": [0-9.]*' | cut -d' ' -f2) echo "" echo "=============================================" echo "Your SES Sending Limits" echo "=============================================" echo "Maximum send rate: $MAX_SEND_RATE emails/second" echo "Maximum 24-hour send: $MAX_24_HOUR_SEND emails" echo "Sent in the last 24 hours: $SENT_LAST_24_HOURS emails" echo "" # Ask if user wants to send a test email echo "Do you want to send a test email? (y/n):" read -r SEND_TEST if [[ "$SEND_TEST" =~ ^[Yy] ]]; then echo "" echo "=============================================" echo "SANDBOX ENVIRONMENT NOTICE" echo "=============================================" echo "Your account is likely in the SES sandbox environment." echo "In the sandbox, you can only send emails to verified email addresses." echo "" echo "Do you want to:" echo "1. Send a test email to the same verified address ($EMAIL_ADDRESS)" echo "2. Verify another email address to use as recipient" echo "" echo "Enter your choice (1 or 2):" read -r RECIPIENT_CHOICE if [[ "$RECIPIENT_CHOICE" == "1" ]]; then RECIPIENT_EMAIL="$EMAIL_ADDRESS" else echo "Please enter the recipient email address you want to verify:" read -r RECIPIENT_EMAIL # Verify recipient email identity if different from sender if [[ "$RECIPIENT_EMAIL" != "$EMAIL_ADDRESS" ]]; then echo "Verifying recipient email address: $RECIPIENT_EMAIL" | tee -a "$LOG_FILE" OUTPUT=$(log_cmd "aws ses verify-email-identity --email-address \"$RECIPIENT_EMAIL\"") check_error "$OUTPUT" $? "Failed to verify recipient email address" CREATED_RESOURCES+=("Email identity: $RECIPIENT_EMAIL") echo "A verification email has been sent to $RECIPIENT_EMAIL." echo "Please check the inbox and click the verification link before continuing." echo "" echo "Press Enter after you've verified the recipient email address..." read -r # Check recipient verification status OUTPUT=$(log_cmd "aws ses get-identity-verification-attributes --identities \"$RECIPIENT_EMAIL\"") check_error "$OUTPUT" $? "Failed to get recipient verification attributes" # Check if the recipient email is verified RECIPIENT_VERIFICATION_STATUS=$(echo "$OUTPUT" | grep -o '"VerificationStatus": "[^"]*' | cut -d'"' -f4) if [[ "$RECIPIENT_VERIFICATION_STATUS" != "Success" ]]; then echo "Recipient email address $RECIPIENT_EMAIL is not verified yet." echo "You can try sending the email anyway, but it may fail." fi fi fi echo "Sending test email from $EMAIL_ADDRESS to $RECIPIENT_EMAIL..." | tee -a "$LOG_FILE" OUTPUT=$(log_cmd "aws ses send-email \ --from \"$EMAIL_ADDRESS\" \ --destination \"ToAddresses=$RECIPIENT_EMAIL\" \ --message \"Subject={Data=SES Test Email,Charset=UTF-8},Body={Text={Data=This is a test email sent from Amazon SES using the AWS CLI,Charset=UTF-8}}\"") # Don't exit on send email error, just report it check_error "$OUTPUT" $? "Failed to send test email" "true" # Check if the email was sent successfully if [[ "$OUTPUT" =~ "MessageId" ]]; then # Extract message ID MESSAGE_ID=$(echo "$OUTPUT" | grep -o '"MessageId": "[^"]*' | cut -d'"' -f4) echo "Test email sent successfully! Message ID: $MESSAGE_ID" else echo "Failed to send test email. This is likely because your account is in the sandbox environment." echo "In the sandbox, both sender AND recipient email addresses must be verified." fi echo "" fi # Summary of created resources echo "" echo "=============================================" echo "Setup Complete - Resources Created" echo "=============================================" for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" done echo "" # Ask if user wants to clean up resources echo "=============================================" echo "CLEANUP CONFIRMATION" echo "=============================================" echo "Do you want to clean up all created resources? (y/n):" read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy] ]]; then cleanup_resources echo "Cleanup completed." else echo "Resources have been preserved." fi echo "" echo "=============================================" echo "Amazon SES Setup Complete" echo "=============================================" echo "For production use, you may need to request to be moved out of the SES sandbox." echo "Visit the SES console and navigate to 'Account dashboard' to request production access." echo "" echo "Log file: $LOG_FILE" echo "=============================================" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [DeleteIdentity](https://docs.aws.amazon.com/goto/aws-cli/email-2010-12-01/DeleteIdentity) + [GetIdentityVerificationAttributes](https://docs.aws.amazon.com/goto/aws-cli/email-2010-12-01/GetIdentityVerificationAttributes) + [GetSendQuota](https://docs.aws.amazon.com/goto/aws-cli/email-2010-12-01/GetSendQuota) + [ListIdentities](https://docs.aws.amazon.com/goto/aws-cli/email-2010-12-01/ListIdentities) + [SendEmail](https://docs.aws.amazon.com/goto/aws-cli/email-2010-12-01/SendEmail) + [VerifyDomainDkim](https://docs.aws.amazon.com/goto/aws-cli/email-2010-12-01/VerifyDomainDkim) + [VerifyDomainIdentity](https://docs.aws.amazon.com/goto/aws-cli/email-2010-12-01/VerifyDomainIdentity) + [VerifyEmailIdentity](https://docs.aws.amazon.com/goto/aws-cli/email-2010-12-01/VerifyEmailIdentity) # Amazon SNS examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Amazon SNS. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Create an Amazon SNS topic and publish messages The following code example shows how to: + Create an Amazon SNS topic + Subscribe an email endpoint to the topic + Verify your subscription + Publish a message to the topic + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/048-amazon-simple-notification-service-gs) repository. ``` #!/bin/bash # Amazon SNS Getting Started Script # This script demonstrates how to create an SNS topic, subscribe to it, publish a message, # and clean up resources. # Set up logging LOG_FILE="sns-tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon SNS Getting Started Tutorial..." echo "$(date)" echo "==============================================" # Function to handle errors handle_error() { echo "ERROR: $1" echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Function to clean up resources cleanup_resources() { if [ -n "$SUBSCRIPTION_ARN" ] && [ "$SUBSCRIPTION_ARN" != "pending confirmation" ]; then echo "Deleting subscription: $SUBSCRIPTION_ARN" aws sns unsubscribe --subscription-arn "$SUBSCRIPTION_ARN" fi if [ -n "$TOPIC_ARN" ]; then echo "Deleting topic: $TOPIC_ARN" aws sns delete-topic --topic-arn "$TOPIC_ARN" fi } # Generate a random topic name suffix RANDOM_SUFFIX=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1) TOPIC_NAME="my-topic-${RANDOM_SUFFIX}" # Step 1: Create an SNS topic echo "Creating SNS topic: $TOPIC_NAME" TOPIC_RESULT=$(aws sns create-topic --name "$TOPIC_NAME") # Check for errors if echo "$TOPIC_RESULT" | grep -i "error" > /dev/null; then handle_error "Failed to create SNS topic: $TOPIC_RESULT" fi # Extract the topic ARN TOPIC_ARN=$(echo "$TOPIC_RESULT" | grep -o '"TopicArn": "[^"]*' | cut -d'"' -f4) if [ -z "$TOPIC_ARN" ]; then handle_error "Failed to extract topic ARN from result: $TOPIC_RESULT" fi echo "Successfully created topic with ARN: $TOPIC_ARN" # Step 2: Subscribe to the topic echo "" echo "==============================================" echo "EMAIL SUBSCRIPTION" echo "==============================================" echo "Please enter your email address to subscribe to the topic:" read -r EMAIL_ADDRESS echo "Subscribing email: $EMAIL_ADDRESS to topic" SUBSCRIPTION_RESULT=$(aws sns subscribe \ --topic-arn "$TOPIC_ARN" \ --protocol email \ --notification-endpoint "$EMAIL_ADDRESS") # Check for errors if echo "$SUBSCRIPTION_RESULT" | grep -i "error" > /dev/null; then handle_error "Failed to create subscription: $SUBSCRIPTION_RESULT" fi # Extract the subscription ARN (will be "pending confirmation") SUBSCRIPTION_ARN=$(echo "$SUBSCRIPTION_RESULT" | grep -o '"SubscriptionArn": "[^"]*' | cut -d'"' -f4) echo "Subscription created: $SUBSCRIPTION_ARN" echo "A confirmation email has been sent to $EMAIL_ADDRESS" echo "Please check your email and confirm the subscription." echo "" echo "Waiting for you to confirm the subscription..." echo "Press Enter after you have confirmed the subscription to continue:" read -r # Step 3: List subscriptions to verify echo "Listing subscriptions for topic: $TOPIC_ARN" SUBSCRIPTIONS=$(aws sns list-subscriptions-by-topic --topic-arn "$TOPIC_ARN") # Check for errors if echo "$SUBSCRIPTIONS" | grep -i "error" > /dev/null; then handle_error "Failed to list subscriptions: $SUBSCRIPTIONS" fi echo "Current subscriptions:" echo "$SUBSCRIPTIONS" # Get the confirmed subscription ARN SUBSCRIPTION_ARN=$(echo "$SUBSCRIPTIONS" | grep -o '"SubscriptionArn": "[^"]*' | grep -v "pending confirmation" | head -1 | cut -d'"' -f4) if [ -z "$SUBSCRIPTION_ARN" ] || [ "$SUBSCRIPTION_ARN" == "pending confirmation" ]; then echo "Warning: No confirmed subscription found. You may not have confirmed the subscription yet." echo "The script will continue, but you may not receive the test message." fi # Step 4: Publish a message to the topic echo "" echo "Publishing a test message to the topic" MESSAGE="Hello from Amazon SNS! This is a test message sent at $(date)." PUBLISH_RESULT=$(aws sns publish \ --topic-arn "$TOPIC_ARN" \ --message "$MESSAGE") # Check for errors if echo "$PUBLISH_RESULT" | grep -i "error" > /dev/null; then handle_error "Failed to publish message: $PUBLISH_RESULT" fi MESSAGE_ID=$(echo "$PUBLISH_RESULT" | grep -o '"MessageId": "[^"]*' | cut -d'"' -f4) echo "Message published successfully with ID: $MESSAGE_ID" echo "Check your email for the message." # Pause to allow the user to check their email echo "" echo "Pausing for 10 seconds to allow message delivery..." sleep 10 # Step 5: Clean up resources echo "" echo "==============================================" echo "CLEANUP CONFIRMATION" echo "==============================================" echo "Resources created:" echo "- SNS Topic: $TOPIC_ARN" echo "- Subscription: $SUBSCRIPTION_ARN" echo "" echo "Do you want to clean up all created resources? (y/n):" read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Cleaning up resources..." cleanup_resources echo "Cleanup completed successfully." else echo "Skipping cleanup. Resources will remain in your AWS account." echo "To clean up later, use the following commands:" echo "aws sns unsubscribe --subscription-arn $SUBSCRIPTION_ARN" echo "aws sns delete-topic --topic-arn $TOPIC_ARN" fi echo "" echo "Tutorial completed successfully!" echo "$(date)" echo "==============================================" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [CreateTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/CreateTopic) + [DeleteTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/DeleteTopic) + [ListSubscriptionsByTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/ListSubscriptionsByTopic) + [Publish](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/Publish) + [Subscribe](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/Subscribe) + [Unsubscribe](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/Unsubscribe) ### Getting Started with IoT Device Defender The following code example shows how to: + Create Required IAM Roles + Enable IoT Device Defender Audit Checks + Run an On-Demand Audit + Create a Mitigation Action + Apply Mitigation Actions to Findings + Set Up SNS Notifications (Optional) + Enable IoT Logging **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/079-aws-iot-device-defender-gs) repository. ``` #!/bin/bash # AWS IoT Device Defender Getting Started Script # This script demonstrates how to use AWS IoT Device Defender to enable audit checks, # view audit results, create mitigation actions, and apply them to findings. # Set up logging LOG_FILE="iot-device-defender-script-$(date +%Y%m%d%H%M%S).log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "===================================================" echo "AWS IoT Device Defender Getting Started Script" echo "===================================================" echo "Starting script execution at $(date)" echo "" # Function to check for errors in command output check_error() { if echo "$1" | grep -i "An error occurred\|Exception\|Failed\|usage: aws" > /dev/null; then echo "ERROR: Command failed with the following output:" echo "$1" return 1 fi return 0 } # Function to create IAM roles create_iam_role() { local ROLE_NAME=$1 local TRUST_POLICY=$2 local MANAGED_POLICY=$3 echo "Creating IAM role: $ROLE_NAME" # Check if role already exists ROLE_EXISTS=$(aws iam get-role --role-name "$ROLE_NAME" 2>&1 || echo "NOT_EXISTS") if echo "$ROLE_EXISTS" | grep -i "NoSuchEntity" > /dev/null; then # Create the role with trust policy ROLE_RESULT=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document "$TRUST_POLICY" 2>&1) if ! check_error "$ROLE_RESULT"; then echo "Failed to create role $ROLE_NAME" return 1 fi # For IoT logging role, create an inline policy instead of using a managed policy if [[ "$ROLE_NAME" == "AWSIoTLoggingRole" ]]; then LOGGING_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:PutMetricFilter", "logs:PutRetentionPolicy", "logs:GetLogEvents", "logs:DescribeLogStreams" ], "Resource": [ "arn:aws:logs:*:*:*" ] } ] }' POLICY_RESULT=$(aws iam put-role-policy \ --role-name "$ROLE_NAME" \ --policy-name "${ROLE_NAME}Policy" \ --policy-document "$LOGGING_POLICY" 2>&1) if ! check_error "$POLICY_RESULT"; then echo "Failed to attach inline policy to role $ROLE_NAME" return 1 fi elif [[ "$ROLE_NAME" == "IoTMitigationActionErrorLoggingRole" ]]; then MITIGATION_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:UpdateCACertificate", "iot:UpdateCertificate", "iot:SetV2LoggingOptions", "iot:SetLoggingOptions", "iot:AddThingToThingGroup", "iot:PublishToTopic" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "iot.amazonaws.com" } } } ] }' POLICY_RESULT=$(aws iam put-role-policy \ --role-name "$ROLE_NAME" \ --policy-name "${ROLE_NAME}Policy" \ --policy-document "$MITIGATION_POLICY" 2>&1) if ! check_error "$POLICY_RESULT"; then echo "Failed to attach inline policy to role $ROLE_NAME" return 1 fi else # Attach managed policy to role if provided if [ -n "$MANAGED_POLICY" ]; then ATTACH_RESULT=$(aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$MANAGED_POLICY" 2>&1) if ! check_error "$ATTACH_RESULT"; then echo "Failed to attach policy to role $ROLE_NAME" return 1 fi fi fi echo "Role $ROLE_NAME created successfully" else echo "Role $ROLE_NAME already exists, skipping creation" fi # Get the role ARN ROLE_ARN=$(aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text) echo "Role ARN: $ROLE_ARN" return 0 } # Array to store created resources for cleanup declare -a CREATED_RESOURCES # Step 1: Create IAM roles needed for the tutorial echo "===================================================" echo "Step 1: Creating required IAM roles" echo "===================================================" # Create IoT Device Defender Audit role IOT_DEFENDER_AUDIT_TRUST_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "iot.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' create_iam_role "AWSIoTDeviceDefenderAuditRole" "$IOT_DEFENDER_AUDIT_TRUST_POLICY" "arn:aws:iam::aws:policy/service-role/AWSIoTDeviceDefenderAudit" AUDIT_ROLE_ARN=$ROLE_ARN CREATED_RESOURCES+=("IAM Role: AWSIoTDeviceDefenderAuditRole") # Create IoT Logging role IOT_LOGGING_TRUST_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "iot.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' create_iam_role "AWSIoTLoggingRole" "$IOT_LOGGING_TRUST_POLICY" "" LOGGING_ROLE_ARN=$ROLE_ARN CREATED_RESOURCES+=("IAM Role: AWSIoTLoggingRole") # Create IoT Mitigation Action role IOT_MITIGATION_TRUST_POLICY='{ "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "iot.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' create_iam_role "IoTMitigationActionErrorLoggingRole" "$IOT_MITIGATION_TRUST_POLICY" "" MITIGATION_ROLE_ARN=$ROLE_ARN CREATED_RESOURCES+=("IAM Role: IoTMitigationActionErrorLoggingRole") # Step 2: Enable audit checks echo "" echo "===================================================" echo "Step 2: Enabling AWS IoT Device Defender audit checks" echo "===================================================" # Get current audit configuration echo "Getting current audit configuration..." CURRENT_CONFIG=$(aws iot describe-account-audit-configuration) echo "$CURRENT_CONFIG" # Enable specific audit checks echo "Enabling audit checks..." UPDATE_RESULT=$(aws iot update-account-audit-configuration \ --role-arn "$AUDIT_ROLE_ARN" \ --audit-check-configurations '{"LOGGING_DISABLED_CHECK":{"enabled":true}}') if ! check_error "$UPDATE_RESULT"; then echo "Failed to update audit configuration" exit 1 fi echo "Audit checks enabled successfully" # Step 3: Run an on-demand audit echo "" echo "===================================================" echo "Step 3: Running an on-demand audit" echo "===================================================" echo "Starting on-demand audit task..." AUDIT_TASK_RESULT=$(aws iot start-on-demand-audit-task \ --target-check-names LOGGING_DISABLED_CHECK) if ! check_error "$AUDIT_TASK_RESULT"; then echo "Failed to start on-demand audit task" exit 1 fi TASK_ID=$(echo "$AUDIT_TASK_RESULT" | grep -o '"taskId": "[^"]*' | cut -d'"' -f4) echo "Audit task started with ID: $TASK_ID" CREATED_RESOURCES+=("Audit Task: $TASK_ID") # Wait for the audit task to complete echo "Waiting for audit task to complete (this may take a few minutes)..." TASK_STATUS="IN_PROGRESS" while [ "$TASK_STATUS" != "COMPLETED" ]; do sleep 10 TASK_DETAILS=$(aws iot describe-audit-task --task-id "$TASK_ID") TASK_STATUS=$(echo "$TASK_DETAILS" | grep -o '"taskStatus": "[^"]*' | cut -d'"' -f4) echo "Current task status: $TASK_STATUS" if [ "$TASK_STATUS" == "FAILED" ]; then echo "Audit task failed" exit 1 fi done echo "Audit task completed successfully" # Get audit findings echo "Getting audit findings..." FINDINGS=$(aws iot list-audit-findings \ --task-id "$TASK_ID") echo "Audit findings:" echo "$FINDINGS" # Check if we have any non-compliant findings if echo "$FINDINGS" | grep -q '"findingId"'; then FINDING_ID=$(echo "$FINDINGS" | grep -o '"findingId": "[^"]*' | head -1 | cut -d'"' -f4) echo "Found non-compliant finding with ID: $FINDING_ID" HAS_FINDINGS=true else echo "No non-compliant findings detected" HAS_FINDINGS=false fi # Step 4: Create a mitigation action echo "" echo "===================================================" echo "Step 4: Creating a mitigation action" echo "===================================================" # Check if mitigation action already exists MITIGATION_EXISTS=$(aws iot list-mitigation-actions --action-name "EnableErrorLoggingAction" 2>&1) if echo "$MITIGATION_EXISTS" | grep -q "EnableErrorLoggingAction"; then echo "Mitigation action 'EnableErrorLoggingAction' already exists, deleting it first..." aws iot delete-mitigation-action --action-name "EnableErrorLoggingAction" # Wait a moment for deletion to complete sleep 5 fi echo "Creating mitigation action to enable AWS IoT logging..." MITIGATION_RESULT=$(aws iot create-mitigation-action \ --action-name "EnableErrorLoggingAction" \ --role-arn "$MITIGATION_ROLE_ARN" \ --action-params "{\"enableIoTLoggingParams\":{\"roleArnForLogging\":\"$LOGGING_ROLE_ARN\",\"logLevel\":\"ERROR\"}}") echo "$MITIGATION_RESULT" if ! check_error "$MITIGATION_RESULT"; then echo "Failed to create mitigation action" exit 1 fi echo "Mitigation action created successfully" CREATED_RESOURCES+=("Mitigation Action: EnableErrorLoggingAction") # Step 5: Apply mitigation action to findings (if any) if [ "$HAS_FINDINGS" = true ]; then echo "" echo "===================================================" echo "Step 5: Applying mitigation action to findings" echo "===================================================" MITIGATION_TASK_ID="MitigationTask-$(date +%s)" echo "Starting mitigation actions task with ID: $MITIGATION_TASK_ID" MITIGATION_TASK_RESULT=$(aws iot start-audit-mitigation-actions-task \ --task-id "$MITIGATION_TASK_ID" \ --target "{\"findingIds\":[\"$FINDING_ID\"]}" \ --audit-check-to-actions-mapping "{\"LOGGING_DISABLED_CHECK\":[\"EnableErrorLoggingAction\"]}") if ! check_error "$MITIGATION_TASK_RESULT"; then echo "Failed to start mitigation actions task" exit 1 fi echo "Mitigation actions task started successfully" CREATED_RESOURCES+=("Mitigation Task: $MITIGATION_TASK_ID") # Wait for the mitigation task to complete echo "Waiting for mitigation task to complete..." sleep 10 # Use a more reliable date format for the API call START_TIME=$(date -u -d 'today' '+%Y-%m-%dT%H:%M:%S.000Z') END_TIME=$(date -u '+%Y-%m-%dT%H:%M:%S.000Z') MITIGATION_TASKS=$(aws iot list-audit-mitigation-actions-tasks \ --start-time "$START_TIME" \ --end-time "$END_TIME" 2>&1) if check_error "$MITIGATION_TASKS"; then echo "Mitigation tasks:" echo "$MITIGATION_TASKS" else echo "Could not retrieve mitigation task status, but task was started successfully" fi else echo "" echo "===================================================" echo "Step 5: Skipping mitigation action application (no findings)" echo "===================================================" fi # Step 6: Set up SNS notifications (optional) echo "" echo "===================================================" echo "Step 6: Setting up SNS notifications" echo "===================================================" # Check if SNS topic already exists SNS_TOPICS=$(aws sns list-topics) if echo "$SNS_TOPICS" | grep -q "IoTDDNotifications"; then echo "SNS topic 'IoTDDNotifications' already exists, using existing topic..." TOPIC_ARN=$(echo "$SNS_TOPICS" | grep -o '"TopicArn": "[^"]*IoTDDNotifications' | cut -d'"' -f4) else echo "Creating SNS topic for notifications..." SNS_RESULT=$(aws sns create-topic --name "IoTDDNotifications") if ! check_error "$SNS_RESULT"; then echo "Failed to create SNS topic" exit 1 fi TOPIC_ARN=$(echo "$SNS_RESULT" | grep -o '"TopicArn": "[^"]*' | cut -d'"' -f4) echo "SNS topic created with ARN: $TOPIC_ARN" CREATED_RESOURCES+=("SNS Topic: IoTDDNotifications") fi echo "Updating audit configuration to enable SNS notifications..." SNS_UPDATE_RESULT=$(aws iot update-account-audit-configuration \ --audit-notification-target-configurations "{\"SNS\":{\"targetArn\":\"$TOPIC_ARN\",\"roleArn\":\"$AUDIT_ROLE_ARN\",\"enabled\":true}}") if ! check_error "$SNS_UPDATE_RESULT"; then echo "Failed to update audit configuration for SNS notifications" exit 1 fi echo "SNS notifications enabled successfully" # Step 7: Enable AWS IoT logging echo "" echo "===================================================" echo "Step 7: Enabling AWS IoT logging" echo "===================================================" echo "Setting up AWS IoT logging options..." # Create the logging options payload LOGGING_OPTIONS_PAYLOAD="{\"roleArn\":\"$LOGGING_ROLE_ARN\",\"logLevel\":\"ERROR\"}" LOGGING_RESULT=$(aws iot set-v2-logging-options \ --role-arn "$LOGGING_ROLE_ARN" \ --default-log-level "ERROR" 2>&1) if ! check_error "$LOGGING_RESULT"; then echo "Failed to set up AWS IoT v2 logging, trying v1 logging..." # Try the older set-logging-options command with proper payload format LOGGING_RESULT_V1=$(aws iot set-logging-options \ --logging-options-payload "$LOGGING_OPTIONS_PAYLOAD" 2>&1) if ! check_error "$LOGGING_RESULT_V1"; then echo "Failed to set up AWS IoT logging with both v1 and v2 methods" echo "V2 result: $LOGGING_RESULT" echo "V1 result: $LOGGING_RESULT_V1" exit 1 else echo "AWS IoT v1 logging enabled successfully" fi else echo "AWS IoT v2 logging enabled successfully" fi # Verify logging is enabled echo "Verifying logging configuration..." LOGGING_CONFIG=$(aws iot get-v2-logging-options 2>&1) if check_error "$LOGGING_CONFIG"; then echo "V2 Logging configuration:" echo "$LOGGING_CONFIG" else echo "Checking v1 logging configuration..." LOGGING_CONFIG_V1=$(aws iot get-logging-options 2>&1) if check_error "$LOGGING_CONFIG_V1"; then echo "V1 Logging configuration:" echo "$LOGGING_CONFIG_V1" else echo "Could not retrieve logging configuration" fi fi # Script completed successfully echo "" echo "===================================================" echo "AWS IoT Device Defender setup completed successfully!" echo "===================================================" echo "The following resources were created:" for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" done echo "" # Ask if user wants to clean up resources echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ $CLEANUP_CHOICE =~ ^[Yy]$ ]]; then echo "Starting cleanup process..." # Disable AWS IoT logging echo "Disabling AWS IoT logging..." # Try to disable v2 logging first DISABLE_V2_RESULT=$(aws iot set-v2-logging-options \ --default-log-level "DISABLED" 2>&1) if ! check_error "$DISABLE_V2_RESULT"; then echo "Failed to disable v2 logging, trying v1..." # Try v1 logging disable DISABLE_V1_RESULT=$(aws iot set-logging-options \ --logging-options-payload "{\"logLevel\":\"DISABLED\"}" 2>&1) if ! check_error "$DISABLE_V1_RESULT"; then echo "Warning: Could not disable logging through either v1 or v2 methods" else echo "V1 logging disabled successfully" fi else echo "V2 logging disabled successfully" fi # Delete mitigation action echo "Deleting mitigation action..." aws iot delete-mitigation-action --action-name "EnableErrorLoggingAction" # Reset audit configuration echo "Resetting IoT Device Defender audit configuration..." aws iot update-account-audit-configuration \ --audit-check-configurations '{"LOGGING_DISABLED_CHECK":{"enabled":false}}' 2>&1 | grep -qi "error" && echo "Warning: Failed to disable audit check" aws iot delete-account-audit-configuration --delete-scheduled-audits 2>&1 | grep -qi "error" && echo "Warning: Failed to delete audit configuration" # Delete SNS topic echo "Deleting SNS topic..." aws sns delete-topic --topic-arn "$TOPIC_ARN" # Detach policies from roles and delete roles (in reverse order) echo "Cleaning up IAM roles..." # Check if policies exist before trying to delete them ROLE_POLICIES=$(aws iam list-role-policies --role-name "IoTMitigationActionErrorLoggingRole" 2>&1) if ! echo "$ROLE_POLICIES" | grep -q "NoSuchEntity"; then if echo "$ROLE_POLICIES" | grep -q "IoTMitigationActionErrorLoggingRolePolicy"; then aws iam delete-role-policy \ --role-name "IoTMitigationActionErrorLoggingRole" \ --policy-name "IoTMitigationActionErrorLoggingRolePolicy" fi fi aws iam delete-role --role-name "IoTMitigationActionErrorLoggingRole" ROLE_POLICIES=$(aws iam list-role-policies --role-name "AWSIoTLoggingRole" 2>&1) if ! echo "$ROLE_POLICIES" | grep -q "NoSuchEntity"; then if echo "$ROLE_POLICIES" | grep -q "AWSIoTLoggingRolePolicy"; then aws iam delete-role-policy \ --role-name "AWSIoTLoggingRole" \ --policy-name "AWSIoTLoggingRolePolicy" fi fi aws iam delete-role --role-name "AWSIoTLoggingRole" aws iam detach-role-policy \ --role-name "AWSIoTDeviceDefenderAuditRole" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSIoTDeviceDefenderAudit" aws iam delete-role --role-name "AWSIoTDeviceDefenderAuditRole" echo "Cleanup completed successfully" else echo "Skipping cleanup. Resources will remain in your AWS account." fi echo "" echo "Script execution completed at $(date)" echo "Log file: $LOG_FILE" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateMitigationAction](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/CreateMitigationAction) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/CreateTopic) + [DeleteAccountAuditConfiguration](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DeleteAccountAuditConfiguration) + [DeleteMitigationAction](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DeleteMitigationAction) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy) + [DeleteTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/DeleteTopic) + [DescribeAccountAuditConfiguration](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DescribeAccountAuditConfiguration) + [DescribeAuditTask](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/DescribeAuditTask) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetLoggingOptions](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/GetLoggingOptions) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [GetV2LoggingOptions](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/GetV2LoggingOptions) + [ListAuditFindings](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/ListAuditFindings) + [ListAuditMitigationActionsTasks](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/ListAuditMitigationActionsTasks) + [ListMitigationActions](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/ListMitigationActions) + [ListRolePolicies](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/ListRolePolicies) + [ListTopics](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/ListTopics) + [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy) + [SetLoggingOptions](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/SetLoggingOptions) + [SetV2LoggingOptions](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/SetV2LoggingOptions) + [StartAuditMitigationActionsTask](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/StartAuditMitigationActionsTask) + [StartOnDemandAuditTask](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/StartOnDemandAuditTask) + [UpdateAccountAuditConfiguration](https://docs.aws.amazon.com/goto/aws-cli/iot-2015-05-28/UpdateAccountAuditConfiguration) ### Getting started with Config The following code example shows how to: + Create an Amazon S3 bucket + Create an Amazon SNS topic + Create an IAM role for Config + Set up the Config configuration recorder + Set up the Config delivery channel + Start the configuration recorder + Verify the Config setup **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/053-aws-config-gs) repository. ``` #!/bin/bash # AWS Config Setup Script (v2) # This script sets up AWS Config with the AWS CLI # Error handling set -e LOGFILE="aws-config-setup-v2.log" touch $LOGFILE exec > >(tee -a $LOGFILE) exec 2>&1 # Function to handle errors handle_error() { echo "ERROR: An error occurred at line $1" echo "Attempting to clean up resources..." cleanup_resources exit 1 } # Set trap for error handling trap 'handle_error $LINENO' ERR # Function to generate random identifier generate_random_id() { echo $(openssl rand -hex 6) } # Function to check if command was successful check_command() { if echo "$1" | grep -i "error" > /dev/null; then echo "ERROR: $1" return 1 fi return 0 } # Function to clean up resources cleanup_resources() { if [ -n "$CONFIG_RECORDER_NAME" ]; then echo "Stopping configuration recorder..." aws configservice stop-configuration-recorder --configuration-recorder-name "$CONFIG_RECORDER_NAME" 2>/dev/null || true fi # Check if we created a new delivery channel before trying to delete it if [ -n "$DELIVERY_CHANNEL_NAME" ] && [ "$CREATED_NEW_DELIVERY_CHANNEL" = "true" ]; then echo "Deleting delivery channel..." aws configservice delete-delivery-channel --delivery-channel-name "$DELIVERY_CHANNEL_NAME" 2>/dev/null || true fi if [ -n "$CONFIG_RECORDER_NAME" ] && [ "$CREATED_NEW_CONFIG_RECORDER" = "true" ]; then echo "Deleting configuration recorder..." aws configservice delete-configuration-recorder --configuration-recorder-name "$CONFIG_RECORDER_NAME" 2>/dev/null || true fi if [ -n "$ROLE_NAME" ]; then if [ -n "$POLICY_NAME" ]; then echo "Detaching custom policy from role..." aws iam delete-role-policy --role-name "$ROLE_NAME" --policy-name "$POLICY_NAME" 2>/dev/null || true fi if [ -n "$MANAGED_POLICY_ARN" ]; then echo "Detaching managed policy from role..." aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$MANAGED_POLICY_ARN" 2>/dev/null || true fi echo "Deleting IAM role..." aws iam delete-role --role-name "$ROLE_NAME" 2>/dev/null || true fi if [ -n "$SNS_TOPIC_ARN" ]; then echo "Deleting SNS topic..." aws sns delete-topic --topic-arn "$SNS_TOPIC_ARN" 2>/dev/null || true fi if [ -n "$S3_BUCKET_NAME" ]; then echo "Emptying S3 bucket..." aws s3 rm "s3://$S3_BUCKET_NAME" --recursive 2>/dev/null || true echo "Deleting S3 bucket..." aws s3api delete-bucket --bucket "$S3_BUCKET_NAME" 2>/dev/null || true fi } # Function to display created resources display_resources() { echo "" echo "===========================================" echo "CREATED RESOURCES" echo "===========================================" echo "S3 Bucket: $S3_BUCKET_NAME" echo "SNS Topic ARN: $SNS_TOPIC_ARN" echo "IAM Role: $ROLE_NAME" if [ "$CREATED_NEW_CONFIG_RECORDER" = "true" ]; then echo "Configuration Recorder: $CONFIG_RECORDER_NAME (newly created)" else echo "Configuration Recorder: $CONFIG_RECORDER_NAME (existing)" fi if [ "$CREATED_NEW_DELIVERY_CHANNEL" = "true" ]; then echo "Delivery Channel: $DELIVERY_CHANNEL_NAME (newly created)" else echo "Delivery Channel: $DELIVERY_CHANNEL_NAME (existing)" fi echo "===========================================" } # Get AWS account ID echo "Getting AWS account ID..." ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) if [ -z "$ACCOUNT_ID" ]; then echo "ERROR: Failed to get AWS account ID" exit 1 fi echo "AWS Account ID: $ACCOUNT_ID" # Generate random identifier for resources RANDOM_ID=$(generate_random_id) echo "Generated random identifier: $RANDOM_ID" # Step 1: Create an S3 bucket S3_BUCKET_NAME="configservice-${RANDOM_ID}" echo "Creating S3 bucket: $S3_BUCKET_NAME" # Get the current region AWS_REGION=$(aws configure get region) if [ -z "$AWS_REGION" ]; then AWS_REGION="us-east-1" # Default to us-east-1 if no region is configured fi echo "Using AWS Region: $AWS_REGION" # Create bucket with appropriate command based on region if [ "$AWS_REGION" = "us-east-1" ]; then BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME") else BUCKET_RESULT=$(aws s3api create-bucket --bucket "$S3_BUCKET_NAME" --create-bucket-configuration LocationConstraint="$AWS_REGION") fi check_command "$BUCKET_RESULT" echo "S3 bucket created: $S3_BUCKET_NAME" # Block public access for the bucket aws s3api put-public-access-block \ --bucket "$S3_BUCKET_NAME" \ --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" echo "Public access blocked for bucket" # Step 2: Create an SNS topic TOPIC_NAME="config-topic-${RANDOM_ID}" echo "Creating SNS topic: $TOPIC_NAME" SNS_RESULT=$(aws sns create-topic --name "$TOPIC_NAME") check_command "$SNS_RESULT" SNS_TOPIC_ARN=$(echo "$SNS_RESULT" | grep -o 'arn:aws:sns:[^"]*') echo "SNS topic created: $SNS_TOPIC_ARN" # Step 3: Create an IAM role for AWS Config ROLE_NAME="config-role-${RANDOM_ID}" POLICY_NAME="config-delivery-permissions" MANAGED_POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWS_ConfigRole" echo "Creating trust policy document..." cat > config-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "config.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF echo "Creating IAM role: $ROLE_NAME" ROLE_RESULT=$(aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document file://config-trust-policy.json) check_command "$ROLE_RESULT" ROLE_ARN=$(echo "$ROLE_RESULT" | grep -o 'arn:aws:iam::[^"]*' | head -1) echo "IAM role created: $ROLE_ARN" echo "Attaching AWS managed policy to role..." ATTACH_RESULT=$(aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$MANAGED_POLICY_ARN") check_command "$ATTACH_RESULT" echo "AWS managed policy attached" echo "Creating custom policy document for S3 and SNS access..." cat > config-delivery-permissions.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": "arn:aws:s3:::${S3_BUCKET_NAME}/AWSLogs/${ACCOUNT_ID}/*", "Condition": { "StringLike": { "s3:x-amz-acl": "bucket-owner-full-control" } } }, { "Effect": "Allow", "Action": [ "s3:GetBucketAcl" ], "Resource": "arn:aws:s3:::${S3_BUCKET_NAME}" }, { "Effect": "Allow", "Action": [ "sns:Publish" ], "Resource": "${SNS_TOPIC_ARN}" } ] } EOF echo "Attaching custom policy to role..." POLICY_RESULT=$(aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name "$POLICY_NAME" --policy-document file://config-delivery-permissions.json) check_command "$POLICY_RESULT" echo "Custom policy attached" # Wait for IAM role to propagate echo "Waiting for IAM role to propagate (15 seconds)..." sleep 15 # Step 4: Check if configuration recorder already exists CONFIG_RECORDER_NAME="default" CREATED_NEW_CONFIG_RECORDER="false" echo "Checking for existing configuration recorder..." EXISTING_RECORDERS=$(aws configservice describe-configuration-recorders 2>/dev/null || echo "") if echo "$EXISTING_RECORDERS" | grep -q "name"; then echo "Configuration recorder already exists. Will update it." # Get the name of the existing recorder CONFIG_RECORDER_NAME=$(echo "$EXISTING_RECORDERS" | grep -o '"name": "[^"]*"' | head -1 | cut -d'"' -f4) echo "Using existing configuration recorder: $CONFIG_RECORDER_NAME" else echo "No existing configuration recorder found. Will create a new one." CREATED_NEW_CONFIG_RECORDER="true" fi echo "Creating configuration recorder configuration..." cat > configurationRecorder.json << EOF { "name": "${CONFIG_RECORDER_NAME}", "roleARN": "${ROLE_ARN}", "recordingMode": { "recordingFrequency": "CONTINUOUS" } } EOF echo "Creating recording group configuration..." cat > recordingGroup.json << EOF { "allSupported": true, "includeGlobalResourceTypes": true } EOF echo "Setting up configuration recorder..." RECORDER_RESULT=$(aws configservice put-configuration-recorder --configuration-recorder file://configurationRecorder.json --recording-group file://recordingGroup.json) check_command "$RECORDER_RESULT" echo "Configuration recorder set up" # Step 5: Check if delivery channel already exists DELIVERY_CHANNEL_NAME="default" CREATED_NEW_DELIVERY_CHANNEL="false" echo "Checking for existing delivery channel..." EXISTING_CHANNELS=$(aws configservice describe-delivery-channels 2>/dev/null || echo "") if echo "$EXISTING_CHANNELS" | grep -q "name"; then echo "Delivery channel already exists." # Get the name of the existing channel DELIVERY_CHANNEL_NAME=$(echo "$EXISTING_CHANNELS" | grep -o '"name": "[^"]*"' | head -1 | cut -d'"' -f4) echo "Using existing delivery channel: $DELIVERY_CHANNEL_NAME" # Update the existing delivery channel echo "Creating delivery channel configuration for update..." cat > deliveryChannel.json << EOF { "name": "${DELIVERY_CHANNEL_NAME}", "s3BucketName": "${S3_BUCKET_NAME}", "snsTopicARN": "${SNS_TOPIC_ARN}", "configSnapshotDeliveryProperties": { "deliveryFrequency": "Six_Hours" } } EOF echo "Updating delivery channel..." CHANNEL_RESULT=$(aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json) check_command "$CHANNEL_RESULT" echo "Delivery channel updated" else echo "No existing delivery channel found. Will create a new one." CREATED_NEW_DELIVERY_CHANNEL="true" echo "Creating delivery channel configuration..." cat > deliveryChannel.json << EOF { "name": "${DELIVERY_CHANNEL_NAME}", "s3BucketName": "${S3_BUCKET_NAME}", "snsTopicARN": "${SNS_TOPIC_ARN}", "configSnapshotDeliveryProperties": { "deliveryFrequency": "Six_Hours" } } EOF echo "Creating delivery channel..." CHANNEL_RESULT=$(aws configservice put-delivery-channel --delivery-channel file://deliveryChannel.json) check_command "$CHANNEL_RESULT" echo "Delivery channel created" fi # Step 6: Start the configuration recorder echo "Checking configuration recorder status..." RECORDER_STATUS=$(aws configservice describe-configuration-recorder-status 2>/dev/null || echo "") if echo "$RECORDER_STATUS" | grep -q '"recording": true'; then echo "Configuration recorder is already running." else echo "Starting configuration recorder..." START_RESULT=$(aws configservice start-configuration-recorder --configuration-recorder-name "$CONFIG_RECORDER_NAME") check_command "$START_RESULT" echo "Configuration recorder started" fi # Step 7: Verify the AWS Config setup echo "Verifying delivery channel..." VERIFY_CHANNEL=$(aws configservice describe-delivery-channels) check_command "$VERIFY_CHANNEL" echo "$VERIFY_CHANNEL" echo "Verifying configuration recorder..." VERIFY_RECORDER=$(aws configservice describe-configuration-recorders) check_command "$VERIFY_RECORDER" echo "$VERIFY_RECORDER" echo "Verifying configuration recorder status..." VERIFY_STATUS=$(aws configservice describe-configuration-recorder-status) check_command "$VERIFY_STATUS" echo "$VERIFY_STATUS" # Display created resources display_resources # Ask if user wants to clean up resources echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Cleaning up resources..." cleanup_resources echo "Cleanup completed." else echo "Resources will not be cleaned up. You can manually clean them up later." fi echo "Script completed successfully!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/CreateBucket) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/CreateTopic) + [DeleteBucket](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/DeleteBucket) + [DeleteConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DeleteConfigurationRecorder) + [DeleteDeliveryChannel](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DeleteDeliveryChannel) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRolePolicy) + [DeleteTopic](https://docs.aws.amazon.com/goto/aws-cli/sns-2010-03-31/DeleteTopic) + [DescribeConfigurationRecorderStatus](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DescribeConfigurationRecorderStatus) + [DescribeConfigurationRecorders](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DescribeConfigurationRecorders) + [DescribeDeliveryChannels](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/DescribeDeliveryChannels) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [PutConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/PutConfigurationRecorder) + [PutDeliveryChannel](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/PutDeliveryChannel) + [PutPublicAccessBlock](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/PutPublicAccessBlock) + [PutRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutRolePolicy) + [Rm](https://docs.aws.amazon.com/goto/aws-cli/s3-2006-03-01/Rm) + [StartConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/StartConfigurationRecorder) + [StopConfigurationRecorder](https://docs.aws.amazon.com/goto/aws-cli/config-2014-11-12/StopConfigurationRecorder) # Step Functions examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with Step Functions. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Scenarios](#scenarios) ## Scenarios ### Getting started with Step Functions The following code example shows how to: + Create an IAM role for Step Functions + Create your first state machine + Start your state machine execution + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/080-aws-step-functions-gs) repository. ``` #!/bin/bash # AWS Step Functions Getting Started Tutorial Script # This script creates and runs a Step Functions state machine based on the AWS Step Functions Getting Started tutorial # Parse command line arguments AUTO_CLEANUP=false while [[ $# -gt 0 ]]; do case $1 in --auto-cleanup) AUTO_CLEANUP=true shift ;; -h|--help) echo "Usage: $0 [--auto-cleanup] [--help]" echo " --auto-cleanup: Automatically clean up resources without prompting" echo " --help: Show this help message" exit 0 ;; *) echo "Unknown option: $1" echo "Use --help for usage information" exit 1 ;; esac done # Set up logging LOG_FILE="step-functions-tutorial.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting AWS Step Functions Getting Started Tutorial..." echo "Logging to $LOG_FILE" # Check if jq is available for better JSON parsing if ! command -v jq &> /dev/null; then echo "WARNING: jq is not installed. Using basic JSON parsing which may be less reliable." echo "Consider installing jq for better error handling: brew install jq (macOS) or apt-get install jq (Ubuntu)" USE_JQ=false else USE_JQ=true fi # Use fixed region that supports Amazon Comprehend CURRENT_REGION="us-west-2" echo "Using fixed AWS region: $CURRENT_REGION (supports Amazon Comprehend)" # Set AWS CLI to use the fixed region for all commands export AWS_DEFAULT_REGION="$CURRENT_REGION" # Amazon Comprehend is available in us-west-2, so we can always enable it echo "Amazon Comprehend is available in region $CURRENT_REGION" SKIP_COMPREHEND=false # Function to check for API errors in JSON response check_api_error() { local response="$1" local operation="$2" if [[ "$USE_JQ" == "true" ]]; then # Use jq for more reliable JSON parsing if echo "$response" | jq -e '.Error' > /dev/null 2>&1; then local error_message=$(echo "$response" | jq -r '.Error.Message // .Error.Code // "Unknown error"') handle_error "$operation failed: $error_message" fi else # Fallback to grep-based detection if echo "$response" | grep -q '"Error":\|"error":'; then handle_error "$operation failed: $response" fi fi } # Function to wait for resource propagation with exponential backoff wait_for_propagation() { local resource_type="$1" local wait_time="${2:-10}" echo "Waiting for $resource_type to propagate ($wait_time seconds)..." sleep "$wait_time" } # Function to handle errors handle_error() { echo "ERROR: $1" echo "Resources created:" if [ -n "$STATE_MACHINE_ARN" ]; then echo "- State Machine: $STATE_MACHINE_ARN" fi if [ -n "$ROLE_NAME" ]; then echo "- IAM Role: $ROLE_NAME" fi if [ -n "$POLICY_ARN" ]; then echo "- IAM Policy: $POLICY_ARN" fi if [ -n "$STEPFUNCTIONS_POLICY_ARN" ]; then echo "- Step Functions Policy: $STEPFUNCTIONS_POLICY_ARN" fi echo "Attempting to clean up resources..." cleanup exit 1 } # Function to clean up resources cleanup() { echo "Cleaning up resources..." # Delete state machine if it exists if [ -n "$STATE_MACHINE_ARN" ]; then echo "Deleting state machine: $STATE_MACHINE_ARN" aws stepfunctions delete-state-machine --state-machine-arn "$STATE_MACHINE_ARN" || echo "Failed to delete state machine" fi # Detach and delete policies if they exist if [ -n "$POLICY_ARN" ] && [ -n "$ROLE_NAME" ]; then echo "Detaching Comprehend policy $POLICY_ARN from role $ROLE_NAME" aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN" || echo "Failed to detach Comprehend policy" fi if [ -n "$STEPFUNCTIONS_POLICY_ARN" ] && [ -n "$ROLE_NAME" ]; then echo "Detaching Step Functions policy $STEPFUNCTIONS_POLICY_ARN from role $ROLE_NAME" aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$STEPFUNCTIONS_POLICY_ARN" || echo "Failed to detach Step Functions policy" fi # Delete custom policies if they exist if [ -n "$POLICY_ARN" ]; then echo "Deleting Comprehend policy: $POLICY_ARN" aws iam delete-policy --policy-arn "$POLICY_ARN" || echo "Failed to delete Comprehend policy" fi if [ -n "$STEPFUNCTIONS_POLICY_ARN" ]; then echo "Deleting Step Functions policy: $STEPFUNCTIONS_POLICY_ARN" aws iam delete-policy --policy-arn "$STEPFUNCTIONS_POLICY_ARN" || echo "Failed to delete Step Functions policy" fi # Delete role if it exists if [ -n "$ROLE_NAME" ]; then echo "Deleting role: $ROLE_NAME" aws iam delete-role --role-name "$ROLE_NAME" || echo "Failed to delete role" fi # Remove temporary files echo "Removing temporary files" rm -f hello-world.json updated-hello-world.json sentiment-hello-world.json step-functions-trust-policy.json comprehend-policy.json stepfunctions-policy.json input.json sentiment-input.json } # Generate a random identifier for resource names RANDOM_ID=$(openssl rand -hex 4) ROLE_NAME="StepFunctionsHelloWorldRole-${RANDOM_ID}" POLICY_NAME="DetectSentimentPolicy-${RANDOM_ID}" STATE_MACHINE_NAME="MyFirstStateMachine-${RANDOM_ID}" echo "Using random identifier: $RANDOM_ID" echo "Role name: $ROLE_NAME" echo "Policy name: $POLICY_NAME" echo "State machine name: $STATE_MACHINE_NAME" # Step 1: Create the state machine definition echo "Creating state machine definition..." cat > hello-world.json << 'EOF' { "Comment": "A Hello World example of the Amazon States Language using a Pass state", "StartAt": "SetVariables", "States": { "SetVariables": { "Type": "Pass", "Result": { "IsHelloWorldExample": true, "ExecutionWaitTimeInSeconds": 10 }, "Next": "IsHelloWorldExample" }, "IsHelloWorldExample": { "Type": "Choice", "Choices": [ { "Variable": "$.IsHelloWorldExample", "BooleanEquals": true, "Next": "WaitState" } ], "Default": "FailState" }, "WaitState": { "Type": "Wait", "SecondsPath": "$.ExecutionWaitTimeInSeconds", "Next": "ParallelProcessing" }, "ParallelProcessing": { "Type": "Parallel", "Branches": [ { "StartAt": "Process1", "States": { "Process1": { "Type": "Pass", "Result": { "message": "Processing task 1" }, "End": true } } }, { "StartAt": "Process2", "States": { "Process2": { "Type": "Pass", "Result": { "message": "Processing task 2" }, "End": true } } } ], "Next": "CheckpointState" }, "CheckpointState": { "Type": "Pass", "Result": { "CheckpointMessage": "Workflow completed successfully!" }, "Next": "SuccessState" }, "SuccessState": { "Type": "Succeed" }, "FailState": { "Type": "Fail", "Error": "NotHelloWorldExample", "Cause": "The IsHelloWorldExample value was false" } } } EOF # Create IAM role trust policy echo "Creating IAM role trust policy..." cat > step-functions-trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "states.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create IAM role echo "Creating IAM role: $ROLE_NAME" ROLE_RESULT=$(aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document file://step-functions-trust-policy.json) check_api_error "$ROLE_RESULT" "Create IAM role" echo "Role created successfully" # Get the role ARN if [[ "$USE_JQ" == "true" ]]; then ROLE_ARN=$(echo "$ROLE_RESULT" | jq -r '.Role.Arn') else ROLE_ARN=$(echo "$ROLE_RESULT" | grep "Arn" | cut -d'"' -f4) fi if [ -z "$ROLE_ARN" ]; then handle_error "Failed to extract role ARN" fi echo "Role ARN: $ROLE_ARN" # Create a custom policy for Step Functions echo "Creating custom policy for Step Functions..." cat > stepfunctions-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "states:*" ], "Resource": "*" } ] } EOF # Create the policy echo "Creating Step Functions policy..." STEPFUNCTIONS_POLICY_RESULT=$(aws iam create-policy \ --policy-name "StepFunctionsPolicy-${RANDOM_ID}" \ --policy-document file://stepfunctions-policy.json) check_api_error "$STEPFUNCTIONS_POLICY_RESULT" "Create Step Functions policy" echo "Step Functions policy created successfully" # Get the policy ARN if [[ "$USE_JQ" == "true" ]]; then STEPFUNCTIONS_POLICY_ARN=$(echo "$STEPFUNCTIONS_POLICY_RESULT" | jq -r '.Policy.Arn') else STEPFUNCTIONS_POLICY_ARN=$(echo "$STEPFUNCTIONS_POLICY_RESULT" | grep "Arn" | cut -d'"' -f4) fi if [ -z "$STEPFUNCTIONS_POLICY_ARN" ]; then handle_error "Failed to extract Step Functions policy ARN" fi echo "Step Functions policy ARN: $STEPFUNCTIONS_POLICY_ARN" # Attach policy to the role echo "Attaching Step Functions policy to role..." ATTACH_RESULT=$(aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$STEPFUNCTIONS_POLICY_ARN") if [ $? -ne 0 ]; then handle_error "Failed to attach Step Functions policy to role" fi # Wait for role to propagate (IAM changes can take time to propagate) wait_for_propagation "IAM role" 10 # Create state machine echo "Creating state machine: $STATE_MACHINE_NAME" SM_RESULT=$(aws stepfunctions create-state-machine \ --name "$STATE_MACHINE_NAME" \ --definition file://hello-world.json \ --role-arn "$ROLE_ARN" \ --type STANDARD) check_api_error "$SM_RESULT" "Create state machine" echo "State machine created successfully" # Get the state machine ARN if [[ "$USE_JQ" == "true" ]]; then STATE_MACHINE_ARN=$(echo "$SM_RESULT" | jq -r '.stateMachineArn') else STATE_MACHINE_ARN=$(echo "$SM_RESULT" | grep "stateMachineArn" | cut -d'"' -f4) fi if [ -z "$STATE_MACHINE_ARN" ]; then handle_error "Failed to extract state machine ARN" fi echo "State machine ARN: $STATE_MACHINE_ARN" # Step 2: Start the state machine execution echo "Starting state machine execution..." EXEC_RESULT=$(aws stepfunctions start-execution \ --state-machine-arn "$STATE_MACHINE_ARN" \ --name "hello001-${RANDOM_ID}") check_api_error "$EXEC_RESULT" "Start execution" echo "Execution started successfully" # Get the execution ARN if [[ "$USE_JQ" == "true" ]]; then EXECUTION_ARN=$(echo "$EXEC_RESULT" | jq -r '.executionArn') else EXECUTION_ARN=$(echo "$EXEC_RESULT" | grep "executionArn" | cut -d'"' -f4) fi if [ -z "$EXECUTION_ARN" ]; then handle_error "Failed to extract execution ARN" fi echo "Execution ARN: $EXECUTION_ARN" # Wait for execution to complete (the workflow has a 10-second wait state) echo "Waiting for execution to complete (15 seconds)..." sleep 15 # Check execution status echo "Checking execution status..." EXEC_STATUS=$(aws stepfunctions describe-execution \ --execution-arn "$EXECUTION_ARN") echo "Execution status: $EXEC_STATUS" # Step 3: Update state machine to process external input echo "Updating state machine to process external input..." cat > updated-hello-world.json << 'EOF' { "Comment": "A Hello World example of the Amazon States Language using a Pass state", "StartAt": "SetVariables", "States": { "SetVariables": { "Type": "Pass", "Parameters": { "IsHelloWorldExample.$": "$.hello_world", "ExecutionWaitTimeInSeconds.$": "$.wait" }, "Next": "IsHelloWorldExample" }, "IsHelloWorldExample": { "Type": "Choice", "Choices": [ { "Variable": "$.IsHelloWorldExample", "BooleanEquals": true, "Next": "WaitState" } ], "Default": "FailState" }, "WaitState": { "Type": "Wait", "SecondsPath": "$.ExecutionWaitTimeInSeconds", "Next": "ParallelProcessing" }, "ParallelProcessing": { "Type": "Parallel", "Branches": [ { "StartAt": "Process1", "States": { "Process1": { "Type": "Pass", "Result": { "message": "Processing task 1" }, "End": true } } }, { "StartAt": "Process2", "States": { "Process2": { "Type": "Pass", "Result": { "message": "Processing task 2" }, "End": true } } } ], "Next": "CheckpointState" }, "CheckpointState": { "Type": "Pass", "Result": { "CheckpointMessage": "Workflow completed successfully!" }, "Next": "SuccessState" }, "SuccessState": { "Type": "Succeed" }, "FailState": { "Type": "Fail", "Error": "NotHelloWorldExample", "Cause": "The IsHelloWorldExample value was false" } } } EOF # Update state machine echo "Updating state machine..." UPDATE_RESULT=$(aws stepfunctions update-state-machine \ --state-machine-arn "$STATE_MACHINE_ARN" \ --definition file://updated-hello-world.json \ --role-arn "$ROLE_ARN") check_api_error "$UPDATE_RESULT" "Update state machine" echo "State machine updated successfully" # Create input file echo "Creating input file..." cat > input.json << 'EOF' { "wait": 5, "hello_world": true } EOF # Start execution with input echo "Starting execution with input..." EXEC2_RESULT=$(aws stepfunctions start-execution \ --state-machine-arn "$STATE_MACHINE_ARN" \ --name "hello002-${RANDOM_ID}" \ --input file://input.json) check_api_error "$EXEC2_RESULT" "Start execution with input" echo "Execution with input started successfully" # Get the execution ARN if [[ "$USE_JQ" == "true" ]]; then EXECUTION2_ARN=$(echo "$EXEC2_RESULT" | jq -r '.executionArn') else EXECUTION2_ARN=$(echo "$EXEC2_RESULT" | grep "executionArn" | cut -d'"' -f4) fi if [ -z "$EXECUTION2_ARN" ]; then handle_error "Failed to extract execution ARN" fi echo "Execution ARN: $EXECUTION2_ARN" # Wait for execution to complete (the workflow has a 5-second wait state) echo "Waiting for execution to complete (10 seconds)..." sleep 10 # Check execution status echo "Checking execution status..." EXEC2_STATUS=$(aws stepfunctions describe-execution \ --execution-arn "$EXECUTION2_ARN") echo "Execution status: $EXEC2_STATUS" # Step 4: Integrate Amazon Comprehend for sentiment analysis (if available) if [[ "$SKIP_COMPREHEND" == "false" ]]; then echo "Creating policy for Amazon Comprehend access..." cat > comprehend-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "comprehend:DetectSentiment" ], "Resource": "*" } ] } EOF # Create policy echo "Creating IAM policy: $POLICY_NAME" POLICY_RESULT=$(aws iam create-policy \ --policy-name "$POLICY_NAME" \ --policy-document file://comprehend-policy.json) check_api_error "$POLICY_RESULT" "Create Comprehend policy" echo "Comprehend policy created successfully" # Get policy ARN if [[ "$USE_JQ" == "true" ]]; then POLICY_ARN=$(echo "$POLICY_RESULT" | jq -r '.Policy.Arn') else POLICY_ARN=$(echo "$POLICY_RESULT" | grep "Arn" | cut -d'"' -f4) fi if [ -z "$POLICY_ARN" ]; then handle_error "Failed to extract policy ARN" fi echo "Policy ARN: $POLICY_ARN" # Attach policy to role echo "Attaching policy to role..." ATTACH2_RESULT=$(aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "$POLICY_ARN") if [ $? -ne 0 ]; then handle_error "Failed to attach policy to role" fi # Create updated state machine definition with sentiment analysis echo "Creating updated state machine definition with sentiment analysis..." cat > sentiment-hello-world.json << 'EOF' { "Comment": "A Hello World example with sentiment analysis", "StartAt": "SetVariables", "States": { "SetVariables": { "Type": "Pass", "Parameters": { "IsHelloWorldExample.$": "$.hello_world", "ExecutionWaitTimeInSeconds.$": "$.wait", "FeedbackComment.$": "$.feedback_comment" }, "Next": "IsHelloWorldExample" }, "IsHelloWorldExample": { "Type": "Choice", "Choices": [ { "Variable": "$.IsHelloWorldExample", "BooleanEquals": true, "Next": "WaitState" } ], "Default": "DetectSentiment" }, "WaitState": { "Type": "Wait", "SecondsPath": "$.ExecutionWaitTimeInSeconds", "Next": "ParallelProcessing" }, "ParallelProcessing": { "Type": "Parallel", "Branches": [ { "StartAt": "Process1", "States": { "Process1": { "Type": "Pass", "Result": { "message": "Processing task 1" }, "End": true } } }, { "StartAt": "Process2", "States": { "Process2": { "Type": "Pass", "Result": { "message": "Processing task 2" }, "End": true } } } ], "Next": "CheckpointState" }, "CheckpointState": { "Type": "Pass", "Result": { "CheckpointMessage": "Workflow completed successfully!" }, "Next": "SuccessState" }, "DetectSentiment": { "Type": "Task", "Resource": "arn:aws:states:::aws-sdk:comprehend:detectSentiment", "Parameters": { "LanguageCode": "en", "Text.$": "$.FeedbackComment" }, "Next": "SuccessState" }, "SuccessState": { "Type": "Succeed" } } } EOF # Wait for IAM changes to propagate wait_for_propagation "IAM changes" 10 # Update state machine echo "Updating state machine with sentiment analysis..." UPDATE2_RESULT=$(aws stepfunctions update-state-machine \ --state-machine-arn "$STATE_MACHINE_ARN" \ --definition file://sentiment-hello-world.json \ --role-arn "$ROLE_ARN") check_api_error "$UPDATE2_RESULT" "Update state machine with sentiment analysis" echo "State machine updated with sentiment analysis successfully" # Create input file with feedback comment echo "Creating input file with feedback comment..." cat > sentiment-input.json << 'EOF' { "hello_world": false, "wait": 5, "feedback_comment": "This getting started with Step Functions workshop is a challenge!" } EOF # Start execution with sentiment analysis input echo "Starting execution with sentiment analysis input..." EXEC3_RESULT=$(aws stepfunctions start-execution \ --state-machine-arn "$STATE_MACHINE_ARN" \ --name "hello003-${RANDOM_ID}" \ --input file://sentiment-input.json) check_api_error "$EXEC3_RESULT" "Start execution with sentiment analysis" echo "Execution with sentiment analysis started successfully" # Get the execution ARN if [[ "$USE_JQ" == "true" ]]; then EXECUTION3_ARN=$(echo "$EXEC3_RESULT" | jq -r '.executionArn') else EXECUTION3_ARN=$(echo "$EXEC3_RESULT" | grep "executionArn" | cut -d'"' -f4) fi if [ -z "$EXECUTION3_ARN" ]; then handle_error "Failed to extract execution ARN" fi echo "Execution ARN: $EXECUTION3_ARN" # Wait for execution to complete echo "Waiting for execution to complete (5 seconds)..." sleep 5 # Check execution status echo "Checking execution status..." EXEC3_STATUS=$(aws stepfunctions describe-execution \ --execution-arn "$EXECUTION3_ARN") echo "Execution status: $EXEC3_STATUS" else echo "Skipping Amazon Comprehend integration (not available in $CURRENT_REGION)" EXECUTION3_ARN="" fi # Display summary of resources created echo "" echo "===========================================" echo "RESOURCES CREATED" echo "===========================================" echo "State Machine: $STATE_MACHINE_ARN" echo "IAM Role: $ROLE_NAME" echo "Step Functions Policy: StepFunctionsPolicy-${RANDOM_ID} ($STEPFUNCTIONS_POLICY_ARN)" if [[ "$SKIP_COMPREHEND" == "false" ]]; then echo "Comprehend Policy: $POLICY_NAME ($POLICY_ARN)" fi echo "Executions:" echo " - hello001-${RANDOM_ID}: $EXECUTION_ARN" echo " - hello002-${RANDOM_ID}: $EXECUTION2_ARN" if [[ "$SKIP_COMPREHEND" == "false" ]]; then echo " - hello003-${RANDOM_ID}: $EXECUTION3_ARN" fi echo "===========================================" # Prompt for cleanup echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" if [[ "$AUTO_CLEANUP" == "true" ]]; then echo "Auto-cleanup enabled. Cleaning up resources..." cleanup echo "All resources have been cleaned up." else echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup echo "All resources have been cleaned up." else echo "Resources were not cleaned up. You can manually clean them up later." echo "To view the state machine in the AWS console, visit:" echo "https://console.aws.amazon.com/states/home?region=$CURRENT_REGION" fi fi echo "Script completed successfully!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateStateMachine](https://docs.aws.amazon.com/goto/aws-cli/states-2016-11-23/CreateStateMachine) + [DeletePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeletePolicy) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteStateMachine](https://docs.aws.amazon.com/goto/aws-cli/states-2016-11-23/DeleteStateMachine) + [DescribeExecution](https://docs.aws.amazon.com/goto/aws-cli/states-2016-11-23/DescribeExecution) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [StartExecution](https://docs.aws.amazon.com/goto/aws-cli/states-2016-11-23/StartExecution) + [UpdateStateMachine](https://docs.aws.amazon.com/goto/aws-cli/states-2016-11-23/UpdateStateMachine) # AWS STS examples using AWS CLI with Bash script The following code examples show you how to perform actions and implement common scenarios by using the AWS Command Line Interface with Bash script with AWS STS. *Actions* are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios. *Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services. Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context. **Topics** + [Actions](#actions) + [Scenarios](#scenarios) ## Actions ### `AssumeRole` The following code example shows how to use `AssumeRole`. **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples). ``` ############################################################################### # function iecho # # This function enables the script to display the specified text only if # the global variable $VERBOSE is set to true. ############################################################################### function iecho() { if [[ $VERBOSE == true ]]; then echo "$@" fi } ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function sts_assume_role # # This function assumes a role in the AWS account and returns the temporary # credentials. # # Parameters: # -n role_session_name -- The name of the session. # -r role_arn -- The ARN of the role to assume. # # Returns: # [access_key_id, secret_access_key, session_token] # And: # 0 - If successful. # 1 - If an error occurred. ############################################################################### function sts_assume_role() { local role_session_name role_arn response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function sts_assume_role" echo "Assumes a role in the AWS account and returns the temporary credentials:" echo " -n role_session_name -- The name of the session." echo " -r role_arn -- The ARN of the role to assume." echo "" } while getopts n:r:h option; do case "${option}" in n) role_session_name=${OPTARG} ;; r) role_arn=${OPTARG} ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done response=$(aws sts assume-role \ --role-session-name "$role_session_name" \ --role-arn "$role_arn" \ --output text \ --query "Credentials.[AccessKeyId, SecretAccessKey, SessionToken]") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports create-role operation failed.\n$response" return 1 fi echo "$response" return 0 } ``` + For API details, see [AssumeRole](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/AssumeRole) in *AWS CLI Command Reference*. ## Scenarios ### Configure Amazon ECS Service Connect The following code example shows how to: + Create the VPC infrastructure + Set up logging + Create the ECS cluster + Configure IAM roles + Create the service with Service Connect + Verify the deployment + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/085-amazon-ecs-service-connect) repository. ``` #!/bin/bash # ECS Service Connect Tutorial Script v4 - Modified to use Default VPC # This script creates an ECS cluster with Service Connect and deploys an nginx service # Uses the default VPC to avoid VPC limits set -e # Exit on any error # Configuration SCRIPT_NAME="ECS Service Connect Tutorial" LOG_FILE="ecs-service-connect-tutorial-v4-default-vpc.log" REGION=${AWS_DEFAULT_REGION:-${AWS_REGION:-$(aws configure get region 2>/dev/null)}} if [ -z "$REGION" ]; then echo "ERROR: No AWS region configured." echo "Set one with: aws configure set region us-east-1" exit 1 fi ENV_PREFIX="tutorial" CLUSTER_NAME="${ENV_PREFIX}-cluster" NAMESPACE_NAME="service-connect" # Generate random suffix for unique resource names RANDOM_SUFFIX=$(openssl rand -hex 6) # Arrays to track created resources for cleanup declare -a CREATED_RESOURCES=() # Logging function log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE" } # Error handling function handle_error() { log "ERROR: Script failed at line $1" log "Attempting to clean up resources..." cleanup_resources exit 1 } # Set up error handling trap 'handle_error $LINENO' ERR # Function to add resource to tracking array track_resource() { CREATED_RESOURCES+=("$1") log "Tracking resource: $1" } # Function to check if command output contains actual errors check_for_errors() { local output="$1" local command_name="$2" # Check for specific AWS CLI error patterns, not just any occurrence of "error" if echo "$output" | grep -qi "An error occurred\|InvalidParameterException\|AccessDenied\|ValidationException\|ResourceNotFoundException"; then log "ERROR in $command_name: $output" return 1 fi return 0 } # Function to get AWS account ID get_account_id() { ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) log "Using AWS Account ID: $ACCOUNT_ID" } # Function to wait for resources to be ready wait_for_resource() { local resource_type="$1" local resource_id="$2" case "$resource_type" in "cluster") log "Waiting for cluster $resource_id to be active..." local attempt=1 local max_attempts=30 while [ $attempt -le $max_attempts ]; do local status=$(aws ecs describe-clusters --clusters "$resource_id" --query 'clusters[0].status' --output text) if [ "$status" = "ACTIVE" ]; then log "Cluster is now active" return 0 fi log "Cluster status: $status (attempt $attempt/$max_attempts)" sleep 10 ((attempt++)) done log "ERROR: Cluster did not become active within expected time" return 1 ;; "service") log "Waiting for service $resource_id to be stable..." aws ecs wait services-stable --cluster "$CLUSTER_NAME" --services "$resource_id" ;; "nat-gateway") log "Waiting for NAT Gateway $resource_id to be available..." aws ec2 wait nat-gateway-available --nat-gateway-ids "$resource_id" ;; esac } # Function to use default VPC infrastructure setup_default_vpc_infrastructure() { log "Using default VPC infrastructure..." # Get default VPC VPC_ID=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query 'Vpcs[0].VpcId' --output text) if [[ "$VPC_ID" == "None" || -z "$VPC_ID" ]]; then log "ERROR: No default VPC found. Please create a default VPC first." exit 1 fi log "Using default VPC: $VPC_ID" # Get default subnets SUBNETS=$(aws ec2 describe-subnets --filters "Name=vpc-id,Values=$VPC_ID" "Name=default-for-az,Values=true" --query 'Subnets[].SubnetId' --output text) SUBNET_ARRAY=($SUBNETS) if [ ${#SUBNET_ARRAY[@]} -lt 2 ]; then log "ERROR: Need at least 2 subnets for ECS Service Connect. Found: ${#SUBNET_ARRAY[@]}" exit 1 fi PUBLIC_SUBNET1=${SUBNET_ARRAY[0]} PUBLIC_SUBNET2=${SUBNET_ARRAY[1]} log "Using subnets: $PUBLIC_SUBNET1, $PUBLIC_SUBNET2" # Create security group for ECS tasks SG_OUTPUT=$(aws ec2 create-security-group \ --group-name "${ENV_PREFIX}-ecs-sg-${RANDOM_SUFFIX}" \ --description "Security group for ECS Service Connect tutorial" \ --vpc-id "$VPC_ID" 2>&1) check_for_errors "$SG_OUTPUT" "create-security-group" SECURITY_GROUP_ID=$(echo "$SG_OUTPUT" | grep -o '"GroupId": "[^"]*"' | cut -d'"' -f4) track_resource "SG:$SECURITY_GROUP_ID" log "Created security group: $SECURITY_GROUP_ID" # Add inbound rules to security group aws ec2 authorize-security-group-ingress \ --group-id "$SECURITY_GROUP_ID" \ --protocol tcp \ --port 80 \ --cidr 0.0.0.0/0 >/dev/null 2>&1 || true aws ec2 authorize-security-group-ingress \ --group-id "$SECURITY_GROUP_ID" \ --protocol tcp \ --port 443 \ --cidr 0.0.0.0/0 >/dev/null 2>&1 || true log "Default VPC infrastructure setup completed" } # Function to create CloudWatch log groups create_log_groups() { log "Creating CloudWatch log groups..." # Create log group for nginx container aws logs create-log-group --log-group-name "/ecs/service-connect-nginx" 2>&1 | grep -v "ResourceAlreadyExistsException" || { if [ ${PIPESTATUS[0]} -eq 0 ]; then log "Log group /ecs/service-connect-nginx created" track_resource "LOG_GROUP:/ecs/service-connect-nginx" else log "Log group /ecs/service-connect-nginx already exists" fi } # Create log group for service connect proxy aws logs create-log-group --log-group-name "/ecs/service-connect-proxy" 2>&1 | grep -v "ResourceAlreadyExistsException" || { if [ ${PIPESTATUS[0]} -eq 0 ]; then log "Log group /ecs/service-connect-proxy created" track_resource "LOG_GROUP:/ecs/service-connect-proxy" else log "Log group /ecs/service-connect-proxy already exists" fi } } # Function to create ECS cluster with Service Connect create_ecs_cluster() { log "Creating ECS cluster with Service Connect..." CLUSTER_OUTPUT=$(aws ecs create-cluster \ --cluster-name "$CLUSTER_NAME" \ --service-connect-defaults namespace="$NAMESPACE_NAME" \ --tags key=Environment,value=tutorial 2>&1) check_for_errors "$CLUSTER_OUTPUT" "create-cluster" track_resource "CLUSTER:$CLUSTER_NAME" log "Created ECS cluster: $CLUSTER_NAME" wait_for_resource "cluster" "$CLUSTER_NAME" # Track the Service Connect namespace that gets created # Wait a moment for the namespace to be created sleep 5 NAMESPACE_ID=$(aws servicediscovery list-namespaces \ --filters Name=TYPE,Values=HTTP \ --query "Namespaces[?Name=='$NAMESPACE_NAME'].Id" --output text 2>/dev/null || echo "") if [[ -n "$NAMESPACE_ID" && "$NAMESPACE_ID" != "None" ]]; then track_resource "NAMESPACE:$NAMESPACE_ID" log "Service Connect namespace created: $NAMESPACE_ID" fi } # Function to create IAM roles create_iam_roles() { log "Creating IAM roles..." # Check if ecsTaskExecutionRole exists if aws iam get-role --role-name ecsTaskExecutionRole >/dev/null 2>&1; then log "IAM role ecsTaskExecutionRole exists" else log "Creating ecsTaskExecutionRole..." aws iam create-role \ --role-name ecsTaskExecutionRole \ --assume-role-policy-document '{ "Version":"2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"Service": "ecs-tasks.amazonaws.com"}, "Action": "sts:AssumeRole" }] }' >/dev/null 2>&1 aws iam attach-role-policy \ --role-name ecsTaskExecutionRole \ --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy >/dev/null 2>&1 track_resource "ROLE:ecsTaskExecutionRole" log "Created ecsTaskExecutionRole" sleep 10 fi # Check if ecsTaskRole exists, create if not if aws iam get-role --role-name ecsTaskRole >/dev/null 2>&1; then log "IAM role ecsTaskRole exists" else log "IAM role ecsTaskRole does not exist, will create it" # Create trust policy for ECS tasks cat > /tmp/ecs-task-trust-policy.json << EOF { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF aws iam create-role \ --role-name ecsTaskRole \ --assume-role-policy-document file:///tmp/ecs-task-trust-policy.json >/dev/null track_resource "IAM_ROLE:ecsTaskRole" log "Created ecsTaskRole" # Wait for role to be available sleep 10 fi } # Function to create task definition create_task_definition() { log "Creating task definition..." # Create task definition JSON cat > /tmp/task-definition.json << EOF { "family": "service-connect-nginx", "networkMode": "awsvpc", "requiresCompatibilities": ["FARGATE"], "cpu": "256", "memory": "512", "executionRoleArn": "arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskExecutionRole", "taskRoleArn": "arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskRole", "containerDefinitions": [ { "name": "nginx", "image": "public.ecr.aws/docker/library/nginx:latest", "portMappings": [ { "containerPort": 80, "protocol": "tcp", "name": "nginx-port" } ], "essential": true, "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "/ecs/service-connect-nginx", "awslogs-region": "${REGION}", "awslogs-stream-prefix": "ecs" } } } ] } EOF TASK_DEF_OUTPUT=$(aws ecs register-task-definition --cli-input-json file:///tmp/task-definition.json 2>&1) check_for_errors "$TASK_DEF_OUTPUT" "register-task-definition" TASK_DEF_ARN=$(echo "$TASK_DEF_OUTPUT" | grep -o '"taskDefinitionArn": "[^"]*"' | cut -d'"' -f4) track_resource "TASK_DEF:service-connect-nginx" log "Created task definition: $TASK_DEF_ARN" # Clean up temporary file rm -f /tmp/task-definition.json } # Function to create ECS service with Service Connect create_ecs_service() { log "Creating ECS service with Service Connect..." # Create service definition JSON cat > /tmp/service-definition.json << EOF { "serviceName": "service-connect-nginx-service", "cluster": "${CLUSTER_NAME}", "taskDefinition": "service-connect-nginx", "desiredCount": 1, "launchType": "FARGATE", "networkConfiguration": { "awsvpcConfiguration": { "subnets": ["${PUBLIC_SUBNET1}", "${PUBLIC_SUBNET2}"], "securityGroups": ["${SECURITY_GROUP_ID}"], "assignPublicIp": "ENABLED" } }, "serviceConnectConfiguration": { "enabled": true, "namespace": "${NAMESPACE_NAME}", "services": [ { "portName": "nginx-port", "discoveryName": "nginx", "clientAliases": [ { "port": 80, "dnsName": "nginx" } ] } ], "logConfiguration": { "logDriver": "awslogs", "options": { "awslogs-group": "/ecs/service-connect-proxy", "awslogs-region": "${REGION}", "awslogs-stream-prefix": "ecs-service-connect" } } }, "tags": [ { "key": "Environment", "value": "tutorial" } ] } EOF SERVICE_OUTPUT=$(aws ecs create-service --cli-input-json file:///tmp/service-definition.json 2>&1) check_for_errors "$SERVICE_OUTPUT" "create-service" track_resource "SERVICE:service-connect-nginx-service" log "Created ECS service: service-connect-nginx-service" wait_for_resource "service" "service-connect-nginx-service" # Clean up temporary file rm -f /tmp/service-definition.json } # Function to verify deployment verify_deployment() { log "Verifying deployment..." # Check service status SERVICE_STATUS=$(aws ecs describe-services \ --cluster "$CLUSTER_NAME" \ --services "service-connect-nginx-service" \ --query 'services[0].status' --output text) log "Service status: $SERVICE_STATUS" # Check running tasks RUNNING_COUNT=$(aws ecs describe-services \ --cluster "$CLUSTER_NAME" \ --services "service-connect-nginx-service" \ --query 'services[0].runningCount' --output text) log "Running tasks: $RUNNING_COUNT" # Get task ARN TASK_ARN=$(aws ecs list-tasks \ --cluster "$CLUSTER_NAME" \ --service-name "service-connect-nginx-service" \ --query 'taskArns[0]' --output text) if [[ "$TASK_ARN" != "None" && -n "$TASK_ARN" ]]; then log "Task ARN: $TASK_ARN" # Try to get task IP address TASK_IP=$(aws ecs describe-tasks \ --cluster "$CLUSTER_NAME" \ --tasks "$TASK_ARN" \ --query 'tasks[0].attachments[0].details[?name==`privateIPv4Address`].value' \ --output text 2>/dev/null || echo "") if [[ -n "$TASK_IP" && "$TASK_IP" != "None" ]]; then log "Task IP address: $TASK_IP" else log "Could not retrieve task IP address" fi fi # Check Service Connect namespace NAMESPACE_STATUS=$(aws servicediscovery list-namespaces \ --filters Name=TYPE,Values=HTTP \ --query "Namespaces[?Name=='$NAMESPACE_NAME'].Id" --output text 2>/dev/null || echo "") if [[ -n "$NAMESPACE_STATUS" && "$NAMESPACE_STATUS" != "None" ]]; then log "Service Connect namespace '$NAMESPACE_NAME' is active" else log "Service Connect namespace '$NAMESPACE_NAME' not found or not active" fi # Display Service Connect configuration log "Service Connect configuration:" aws ecs describe-services \ --cluster "$CLUSTER_NAME" \ --services "service-connect-nginx-service" \ --query 'services[0].serviceConnectConfiguration' 2>/dev/null || true } # Function to display created resources display_resources() { echo "" echo "===========================================" echo "CREATED RESOURCES" echo "===========================================" for resource in "${CREATED_RESOURCES[@]}"; do echo "- $resource" done echo "===========================================" echo "" } # Function to cleanup resources cleanup_resources() { log "Starting cleanup process..." # Delete resources in reverse order of creation for ((i=${#CREATED_RESOURCES[@]}-1; i>=0; i--)); do resource="${CREATED_RESOURCES[i]}" resource_type=$(echo "$resource" | cut -d':' -f1) resource_id=$(echo "$resource" | cut -d':' -f2) log "Cleaning up $resource_type: $resource_id" case "$resource_type" in "SERVICE") aws ecs update-service --cluster "$CLUSTER_NAME" --service "$resource_id" --desired-count 0 2>&1 | grep -qi "error" && log "Warning: Failed to scale down service $resource_id" aws ecs wait services-stable --cluster "$CLUSTER_NAME" --services "$resource_id" 2>/dev/null || true aws ecs delete-service --cluster "$CLUSTER_NAME" --service "$resource_id" --force 2>&1 | grep -qi "error" && log "Warning: Failed to delete service $resource_id" ;; "TASK_DEF") TASK_DEF_ARNS=$(aws ecs list-task-definitions --family-prefix "$resource_id" --query 'taskDefinitionArns' --output text 2>/dev/null) for arn in $TASK_DEF_ARNS; do aws ecs deregister-task-definition --task-definition "$arn" >/dev/null 2>&1 || true done ;; "ROLE") aws iam detach-role-policy --role-name "$resource_id" --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" 2>/dev/null || true aws iam delete-role --role-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete role $resource_id" ;; "IAM_ROLE") aws iam detach-role-policy --role-name "$resource_id" --policy-arn "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" 2>/dev/null || true aws iam delete-role --role-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete role $resource_id" ;; "CLUSTER") aws ecs delete-cluster --cluster "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete cluster $resource_id" ;; "SG") for attempt in 1 2 3 4 5; do if aws ec2 delete-security-group --group-id "$resource_id" 2>/dev/null; then break fi log "Security group $resource_id still has dependencies, retrying in 30s ($attempt/5)..." sleep 30 done ;; "LOG_GROUP") aws logs delete-log-group --log-group-name "$resource_id" 2>&1 | grep -qi "error" && log "Warning: Failed to delete log group $resource_id" ;; "NAMESPACE") # First, delete any services in the namespace NAMESPACE_SERVICES=$(aws servicediscovery list-services \ --filters Name=NAMESPACE_ID,Values="$resource_id" \ --query 'Services[].Id' --output text 2>/dev/null || echo "") if [[ -n "$NAMESPACE_SERVICES" && "$NAMESPACE_SERVICES" != "None" ]]; then for service_id in $NAMESPACE_SERVICES; do aws servicediscovery delete-service --id "$service_id" >/dev/null 2>&1 || true sleep 2 done fi # Then delete the namespace aws servicediscovery delete-namespace --id "$resource_id" >/dev/null 2>&1 || true ;; esac sleep 2 # Brief pause between deletions done # Clean up temporary files rm -f /tmp/ecs-task-trust-policy.json rm -f /tmp/task-definition.json rm -f /tmp/service-definition.json log "Cleanup completed" } # Main execution main() { log "Starting $SCRIPT_NAME v4 (Default VPC)" log "Region: $REGION" log "Log file: $LOG_FILE" # Get AWS account ID get_account_id # Setup infrastructure using default VPC setup_default_vpc_infrastructure # Create CloudWatch log groups create_log_groups # Create ECS cluster create_ecs_cluster # Create IAM roles create_iam_roles # Create task definition create_task_definition # Create ECS service create_ecs_service # Verify deployment verify_deployment log "Tutorial completed successfully!" # Display created resources display_resources # Ask user if they want to clean up echo "" echo "===========================================" echo "CLEANUP CONFIRMATION" echo "===========================================" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then cleanup_resources log "All resources have been cleaned up" else log "Resources left intact. You can clean them up later by running the cleanup function." echo "" echo "To clean up resources later, you can use the AWS CLI commands or the AWS Management Console." echo "Remember to delete resources in the correct order to avoid dependency issues." fi } # Make script executable and run chmod +x "$0" main "$@" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [AuthorizeSecurityGroupIngress](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/AuthorizeSecurityGroupIngress) + [CreateCluster](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/CreateCluster) + [CreateLogGroup](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/CreateLogGroup) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [CreateSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/CreateSecurityGroup) + [CreateService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/CreateService) + [DeleteCluster](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeleteCluster) + [DeleteLogGroup](https://docs.aws.amazon.com/goto/aws-cli/logs-2014-03-28/DeleteLogGroup) + [DeleteNamespace](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeleteNamespace) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DeleteSecurityGroup](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DeleteSecurityGroup) + [DeleteService](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/DeleteService) + [DeregisterTaskDefinition](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DeregisterTaskDefinition) + [DescribeClusters](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeClusters) + [DescribeServices](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeServices) + [DescribeSubnets](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeSubnets) + [DescribeTasks](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/DescribeTasks) + [DescribeVpcs](https://docs.aws.amazon.com/goto/aws-cli/ec2-2016-11-15/DescribeVpcs) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/GetRole) + [ListNamespaces](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/ListNamespaces) + [ListServices](https://docs.aws.amazon.com/goto/aws-cli/servicediscovery-2017-03-14/ListServices) + [ListTaskDefinitions](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/ListTaskDefinitions) + [ListTasks](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/ListTasks) + [RegisterTaskDefinition](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/RegisterTaskDefinition) + [UpdateService](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/UpdateService) + [Wait](https://docs.aws.amazon.com/goto/aws-cli/ecs-2014-11-13/Wait) ### Create a REST API with Lambda proxy integration The following code example shows how to: + Create an IAM role for Lambda execution + Create and deploy a Lambda function + Create a REST API + Configure Lambda proxy integration + Deploy and test the API + Clean up resources **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/087-apigateway-lambda-integration) repository. ``` #!/bin/bash # Simple API Gateway Lambda Integration Script # This script creates a REST API with Lambda proxy integration # Generate random identifiers FUNCTION_NAME="GetStartedLambdaProxyIntegration-$(openssl rand -hex 4)" ROLE_NAME="GetStartedLambdaBasicExecutionRole-$(openssl rand -hex 4)" API_NAME="LambdaProxyAPI-$(openssl rand -hex 4)" # Get AWS account info ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) REGION=$(aws configure get region || echo "us-east-1") echo "Creating Lambda function code..." # Create Lambda function code cat > lambda_function.py << 'EOF' import json def lambda_handler(event, context): print(event) greeter = 'World' try: if (event['queryStringParameters']) and (event['queryStringParameters']['greeter']) and ( event['queryStringParameters']['greeter'] is not None): greeter = event['queryStringParameters']['greeter'] except KeyError: print('No greeter') try: if (event['multiValueHeaders']) and (event['multiValueHeaders']['greeter']) and ( event['multiValueHeaders']['greeter'] is not None): greeter = " and ".join(event['multiValueHeaders']['greeter']) except KeyError: print('No greeter') try: if (event['headers']) and (event['headers']['greeter']) and ( event['headers']['greeter'] is not None): greeter = event['headers']['greeter'] except KeyError: print('No greeter') if (event['body']) and (event['body'] is not None): body = json.loads(event['body']) try: if (body['greeter']) and (body['greeter'] is not None): greeter = body['greeter'] except KeyError: print('No greeter') res = { "statusCode": 200, "headers": { "Content-Type": "*/*" }, "body": "Hello, " + greeter + "!" } return res EOF # Create deployment package zip function.zip lambda_function.py echo "Creating IAM role..." # Create IAM trust policy cat > trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF # Create IAM role aws iam create-role \ --role-name "$ROLE_NAME" \ --assume-role-policy-document file://trust-policy.json # Attach execution policy aws iam attach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" # Wait for role propagation sleep 15 echo "Creating Lambda function..." # Create Lambda function aws lambda create-function \ --function-name "$FUNCTION_NAME" \ --runtime python3.9 \ --role "arn:aws:iam::$ACCOUNT_ID:role/$ROLE_NAME" \ --handler lambda_function.lambda_handler \ --zip-file fileb://function.zip echo "Creating API Gateway..." # Create REST API aws apigateway create-rest-api \ --name "$API_NAME" \ --endpoint-configuration types=REGIONAL # Get API ID API_ID=$(aws apigateway get-rest-apis --query "items[?name=='$API_NAME'].id" --output text) # Get root resource ID ROOT_RESOURCE_ID=$(aws apigateway get-resources --rest-api-id "$API_ID" --query 'items[?path==`/`].id' --output text) # Create helloworld resource aws apigateway create-resource \ --rest-api-id "$API_ID" \ --parent-id "$ROOT_RESOURCE_ID" \ --path-part helloworld # Get resource ID RESOURCE_ID=$(aws apigateway get-resources --rest-api-id "$API_ID" --query "items[?pathPart=='helloworld'].id" --output text) # Create ANY method aws apigateway put-method \ --rest-api-id "$API_ID" \ --resource-id "$RESOURCE_ID" \ --http-method ANY \ --authorization-type NONE # Set up Lambda proxy integration LAMBDA_URI="arn:aws:apigateway:$REGION:lambda:path/2015-03-31/functions/arn:aws:lambda:$REGION:$ACCOUNT_ID:function:$FUNCTION_NAME/invocations" aws apigateway put-integration \ --rest-api-id "$API_ID" \ --resource-id "$RESOURCE_ID" \ --http-method ANY \ --type AWS_PROXY \ --integration-http-method POST \ --uri "$LAMBDA_URI" # Grant API Gateway permission to invoke Lambda SOURCE_ARN="arn:aws:execute-api:$REGION:$ACCOUNT_ID:$API_ID/*/*" aws lambda add-permission \ --function-name "$FUNCTION_NAME" \ --statement-id "apigateway-invoke-$(openssl rand -hex 4)" \ --action lambda:InvokeFunction \ --principal apigateway.amazonaws.com \ --source-arn "$SOURCE_ARN" # Deploy API aws apigateway create-deployment \ --rest-api-id "$API_ID" \ --stage-name test echo "Testing API..." # Test the API INVOKE_URL="https://$API_ID.execute-api.$REGION.amazonaws.com/test/helloworld" echo "API URL: $INVOKE_URL" # Test with query parameter echo "Testing with query parameter:" curl -X GET "$INVOKE_URL?greeter=John" echo "" # Test with header echo "Testing with header:" curl -X GET "$INVOKE_URL" \ -H 'content-type: application/json' \ -H 'greeter: John' echo "" # Test with body echo "Testing with POST body:" curl -X POST "$INVOKE_URL" \ -H 'content-type: application/json' \ -d '{ "greeter": "John" }' echo "" echo "Tutorial completed! API is available at: $INVOKE_URL" # Cleanup echo "Cleaning up resources..." # Delete API aws apigateway delete-rest-api --rest-api-id "$API_ID" # Delete Lambda function aws lambda delete-function --function-name "$FUNCTION_NAME" # Detach policy and delete role aws iam detach-role-policy \ --role-name "$ROLE_NAME" \ --policy-arn "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" aws iam delete-role --role-name "$ROLE_NAME" # Clean up local files rm -f lambda_function.py function.zip trust-policy.json echo "Cleanup completed!" ``` + For API details, see the following topics in *AWS CLI Command Reference*. + [AddPermission](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/AddPermission) + [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy) + [CreateDeployment](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/CreateDeployment) + [CreateFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/CreateFunction) + [CreateResource](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/CreateResource) + [CreateRestApi](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/CreateRestApi) + [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole) + [DeleteFunction](https://docs.aws.amazon.com/goto/aws-cli/lambda-2015-03-31/DeleteFunction) + [DeleteRestApi](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/DeleteRestApi) + [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole) + [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy) + [GetCallerIdentity](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/GetCallerIdentity) + [GetResources](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/GetResources) + [GetRestApis](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/GetRestApis) + [PutIntegration](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/PutIntegration) + [PutMethod](https://docs.aws.amazon.com/goto/aws-cli/apigateway-2015-07-09/PutMethod) ### Create an Amazon ECS Linux task for the Fargate launch type The following code example shows how to: + Create the cluster + Create a task definition + Create the service + Clean up **AWS CLI with Bash script** There's more on GitHub. Find the complete example and learn how to set up and run in the [Sample developer tutorials](https://github.com/aws-samples/sample-developer-tutorials/tree/main/tuts/086-amazon-ecs-fargate-linux) repository. ``` #!/bin/bash # Amazon ECS Fargate Tutorial Script - Version 5 # This script creates an ECS cluster, task definition, and service using Fargate launch type # Fixed version with proper resource dependency handling during cleanup set -e # Exit on any error # Initialize logging LOG_FILE="ecs-fargate-tutorial-v5.log" exec > >(tee -a "$LOG_FILE") 2>&1 echo "Starting Amazon ECS Fargate tutorial at $(date)" echo "Log file: $LOG_FILE" # Generate random identifier for unique resource names RANDOM_ID=$(openssl rand -hex 6) CLUSTER_NAME="fargate-cluster-${RANDOM_ID}" SERVICE_NAME="fargate-service-${RANDOM_ID}" TASK_FAMILY="sample-fargate-${RANDOM_ID}" SECURITY_GROUP_NAME="ecs-fargate-sg-${RANDOM_ID}" # Array to track created resources for cleanup CREATED_RESOURCES=() # Function to log and execute commands execute_command() { local cmd="$1" local description="$2" echo "" echo "==========================================" echo "EXECUTING: $description" echo "COMMAND: $cmd" echo "==========================================" local output local exit_code set +e # Temporarily disable exit on error output=$(eval "$cmd" 2>&1) exit_code=$? set -e # Re-enable exit on error if [[ $exit_code -eq 0 ]]; then echo "SUCCESS: $description" echo "OUTPUT: $output" return 0 else echo "FAILED: $description" echo "EXIT CODE: $exit_code" echo "OUTPUT: $output" return 1 fi } # Function to check for actual AWS API errors in command output check_for_aws_errors() { local output="$1" local description="$2" # Look for specific AWS error patterns, not just the word "error" if echo "$output" | grep -qi "An error occurred\|InvalidParameter\|AccessDenied\|ResourceNotFound\|ValidationException"; then echo "AWS API ERROR detected in output for: $description" echo "Output: $output" return 1 fi return 0 } # Function to wait for network interfaces to be cleaned up wait_for_network_interfaces_cleanup() { local security_group_id="$1" local max_attempts=30 local attempt=1 echo "Waiting for network interfaces to be cleaned up..." while [[ $attempt -le $max_attempts ]]; do echo "Attempt $attempt/$max_attempts: Checking for dependent network interfaces..." # Check if there are any network interfaces still using this security group local eni_count eni_count=$(aws ec2 describe-network-interfaces \ --filters "Name=group-id,Values=$security_group_id" \ --query "length(NetworkInterfaces)" \ --output text 2>/dev/null || echo "0") if [[ "$eni_count" == "0" ]]; then echo "No network interfaces found using security group $security_group_id" return 0 else echo "Found $eni_count network interface(s) still using security group $security_group_id" echo "Waiting 10 seconds before next check..." sleep 10 ((attempt++)) fi done echo "WARNING: Network interfaces may still be attached after $max_attempts attempts" echo "This is normal and the security group deletion will be retried" return 1 } # Function to retry security group deletion with exponential backoff retry_security_group_deletion() { local security_group_id="$1" local max_attempts=10 local attempt=1 local wait_time=5 while [[ $attempt -le $max_attempts ]]; do echo "Attempt $attempt/$max_attempts: Trying to delete security group $security_group_id" if execute_command "aws ec2 delete-security-group --group-id $security_group_id" "Delete security group (attempt $attempt)"; then echo "Successfully deleted security group $security_group_id" return 0 else if [[ $attempt -eq $max_attempts ]]; then echo "FAILED: Could not delete security group $security_group_id after $max_attempts attempts" echo "This may be due to network interfaces that are still being cleaned up by AWS" echo "You can manually delete it later using: aws ec2 delete-security-group --group-id $security_group_id" return 1 else echo "Waiting $wait_time seconds before retry..." sleep $wait_time wait_time=$((wait_time * 2)) # Exponential backoff ((attempt++)) fi fi done } # Function to cleanup resources with proper dependency handling cleanup_resources() { echo "" echo "===========================================" echo "CLEANUP PROCESS" echo "===========================================" echo "The following resources were created:" for resource in "${CREATED_RESOURCES[@]}"; do echo " - $resource" done echo "" echo "Do you want to clean up all created resources? (y/n): " read -r CLEANUP_CHOICE if [[ "$CLEANUP_CHOICE" =~ ^[Yy]$ ]]; then echo "Starting cleanup process..." # Step 1: Scale service to 0 tasks first, then delete service if [[ " ${CREATED_RESOURCES[*]} " =~ " ECS Service: $SERVICE_NAME " ]]; then echo "" echo "Step 1: Scaling service to 0 tasks..." if execute_command "aws ecs update-service --cluster $CLUSTER_NAME --service $SERVICE_NAME --desired-count 0" "Scale service to 0 tasks"; then echo "Waiting for service to stabilize after scaling to 0..." execute_command "aws ecs wait services-stable --cluster $CLUSTER_NAME --services $SERVICE_NAME" "Wait for service to stabilize" echo "Deleting service..." execute_command "aws ecs delete-service --cluster $CLUSTER_NAME --service $SERVICE_NAME" "Delete ECS service" else echo "WARNING: Failed to scale service. Attempting to delete anyway..." execute_command "aws ecs delete-service --cluster $CLUSTER_NAME --service $SERVICE_NAME --force" "Force delete ECS service" fi fi # Step 2: Wait a bit for tasks to fully terminate echo "" echo "Step 2: Waiting for tasks to fully terminate..." sleep 15 # Step 3: Delete cluster if [[ " ${CREATED_RESOURCES[*]} " =~ " ECS Cluster: $CLUSTER_NAME " ]]; then echo "" echo "Step 3: Deleting cluster..." execute_command "aws ecs delete-cluster --cluster $CLUSTER_NAME" "Delete ECS cluster" fi # Step 4: Wait for network interfaces to be cleaned up, then delete security group if [[ -n "$SECURITY_GROUP_ID" ]]; then echo "" echo "Step 4: Cleaning up security group..." # First, wait for network interfaces to be cleaned up wait_for_network_interfaces_cleanup "$SECURITY_GROUP_ID" # Then retry security group deletion with backoff retry_security_group_deletion "$SECURITY_GROUP_ID" fi # Step 5: Clean up task definition (deregister all revisions) if [[ " ${CREATED_RESOURCES[*]} " =~ " Task Definition: $TASK_FAMILY " ]]; then echo "" echo "Step 5: Deregistering task definition revisions..." # Get all revisions of the task definition local revisions revisions=$(aws ecs list-task-definitions --family-prefix "$TASK_FAMILY" --query "taskDefinitionArns" --output text 2>/dev/null || echo "") if [[ -n "$revisions" && "$revisions" != "None" ]]; then for revision_arn in $revisions; do echo "Deregistering task definition: $revision_arn" execute_command "aws ecs deregister-task-definition --task-definition $revision_arn" "Deregister task definition $revision_arn" || true done else echo "No task definition revisions found to deregister" fi fi echo "" echo "===========================================" echo "CLEANUP COMPLETED" echo "===========================================" echo "All resources have been cleaned up successfully!" else echo "Cleanup skipped. Resources remain active." echo "" echo "To clean up manually later, use the following commands in order:" echo "1. Scale service to 0: aws ecs update-service --cluster $CLUSTER_NAME --service $SERVICE_NAME --desired-count 0" echo "2. Wait for stability: aws ecs wait services-stable --cluster $CLUSTER_NAME --services $SERVICE_NAME" echo "3. Delete service: aws ecs delete-service --cluster $CLUSTER_NAME --service $SERVICE_NAME" echo "4. Delete cluster: aws ecs delete-cluster --cluster $CLUSTER_NAME" echo "5. Wait 2-3 minutes, then delete security group: aws ec2 delete-security-group --group-id $SECURITY_GROUP_ID" if [[ " ${CREATED_RESOURCES[*]} " =~ " Task Definition: $TASK_FAMILY " ]]; then echo "6. Deregister task definitions: aws ecs list-task-definitions --family-prefix $TASK_FAMILY" echo " Then for each ARN: aws ecs deregister-task-definition --task-definition " fi fi } # Trap to handle script interruption trap cleanup_resources EXIT echo "Using random identifier: $RANDOM_ID" echo "Cluster name: $CLUSTER_NAME" echo "Service name: $SERVICE_NAME" echo "Task family: $TASK_FAMILY" # Step 1: Ensure ECS task execution role exists echo "" echo "===========================================" echo "STEP 1: VERIFY ECS TASK EXECUTION ROLE" echo "===========================================" ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) EXECUTION_ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskExecutionRole" # Check if role exists if aws iam get-role --role-name ecsTaskExecutionRole >/dev/null 2>&1; then echo "ECS task execution role already exists" else echo "Creating ECS task execution role..." # Create trust policy cat > trust-policy.json << 'EOF' { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF execute_command "aws iam create-role --role-name ecsTaskExecutionRole --assume-role-policy-document file://trust-policy.json" "Create ECS task execution role" execute_command "aws iam attach-role-policy --role-name ecsTaskExecutionRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" "Attach ECS task execution policy" # Clean up temporary file rm -f trust-policy.json CREATED_RESOURCES+=("IAM Role: ecsTaskExecutionRole") fi # Step 2: Create ECS cluster echo "" echo "===========================================" echo "STEP 2: CREATE ECS CLUSTER" echo "===========================================" CLUSTER_OUTPUT=$(execute_command "aws ecs create-cluster --cluster-name $CLUSTER_NAME" "Create ECS cluster") check_for_aws_errors "$CLUSTER_OUTPUT" "Create ECS cluster" CREATED_RESOURCES+=("ECS Cluster: $CLUSTER_NAME") # Step 3: Create task definition echo "" echo "===========================================" echo "STEP 3: CREATE TASK DEFINITION" echo "===========================================" # Create task definition JSON cat > task-definition.json << EOF { "family": "$TASK_FAMILY", "networkMode": "awsvpc", "requiresCompatibilities": ["FARGATE"], "cpu": "256", "memory": "512", "executionRoleArn": "$EXECUTION_ROLE_ARN", "containerDefinitions": [ { "name": "fargate-app", "image": "public.ecr.aws/docker/library/httpd:latest", "portMappings": [ { "containerPort": 80, "hostPort": 80, "protocol": "tcp" } ], "essential": true, "entryPoint": ["sh", "-c"], "command": [ "/bin/sh -c \"echo ' Amazon ECS Sample App

Amazon ECS Sample App

Congratulations!

Your application is now running on a container in Amazon ECS.