Data Lifecycle Manager 前置和后置脚本的其他使用场景
除了使用前置和后置脚本自动生成应用程序一致性快照外,您还可以同时或单独使用前置和后置脚本,以在创建快照之前或之后自动执行其他管理任务。例如:
-
创建快照之前使用前置脚本来应用补丁。这可以帮助您在应用每周或每月定期软件更新后创建快照。
注意
如果您选择仅运行前置脚本,则默认情况下会启用默认创建崩溃一致性快照。
-
创建快照后使用后置脚本应用补丁。这可以帮助您在应用每周或每月定期软件更新之前创建快照。
其他用例入门
本节介绍将前置和/或后置脚本用于应用程序一致性快照以外的用例中时需要执行的步骤。
为前置和/或后置脚本准备目标实例
-
在目标实例上安装 SSM Agent(如果尚未安装)。如果目标实例上已安装 SSM Agent,请跳过此步骤。
-
(Windows 实例)在适用于 Windows 的 Amazon EC2 实例上手动安装 SSM Agent
-
确保 SSM Agent 正在运行。有关更多信息,请参阅正在检查 SSM Agent 状态并启动代理。
-
为 Amazon EC2 实例设置 Systems Manager。有关更多信息,请参阅《AWS Systems Manager 用户指南》中的为 Amazon EC2 实例设置 Systems Manager。
您必须创建一个 SSM 命令文档,其中包含要运行的命令的前置和/或后置脚本。
您可以使用下面的 SSM 文档空白模板创建 SSM 文档,并在相应的文档部分中添加前置和后置脚本命令。
请注意以下几点:
-
您负责确保 SSM 文档为工作负载执行正确和必需的操作。
-
SSM 文档必须包含
allowedValues的必填字段,包括pre-script、post-script和dry-run。Amazon Data Lifecycle Manager 将根据这些部分的内容在您的实例上执行命令。如果您的 SSM 文档没有这些部分,则 Amazon Data Lifecycle Manager 会将其视为执行失败。
###===============================================================================### # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # Permission is hereby granted, free of charge, to any person obtaining a copy of this # software and associated documentation files (the "Software"), to deal in the Software # without restriction, including without limitation the rights to use, copy, modify, # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to # permit persons to whom the Software is furnished to do so. # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ###===============================================================================### schemaVersion: '2.2' description: SSM Document Template for Amazon Data Lifecycle Manager Pre/Post script feature parameters: executionId: type: String default: None description: (Required) Specifies the unique identifier associated with a pre and/or post execution allowedPattern: ^(None|[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12})$ command: # Data Lifecycle Manager will trigger the pre-script and post-script actions during policy execution. # 'dry-run' option is intended for validating the document execution without triggering any commands # on the instance. The following allowedValues will allow Data Lifecycle Manager to successfully # trigger pre and post script actions. type: String default: 'dry-run' description: (Required) Specifies whether pre-script and/or post-script should be executed. allowedValues: - pre-script - post-script - dry-run mainSteps: - action: aws:runShellScript description: Run Database freeze/thaw commands name: run_pre_post_scripts precondition: StringEquals: - platformType - Linux inputs: runCommand: - | #!/bin/bash ###===============================================================================### ### Error Codes ###===============================================================================### # The following Error codes will inform Data Lifecycle Manager of the type of error # and help guide handling of the error. # The Error code will also be emitted via AWS Eventbridge events in the 'cause' field. # 1 Pre-script failed during execution - 201 # 2 Post-script failed during execution - 202 # 3 Auto thaw occurred before post-script was initiated - 203 # 4 Pre-script initiated while post-script was expected - 204 # 5 Post-script initiated while pre-script was expected - 205 # 6 Application not ready for pre or post-script initiation - 206 ###===============================================================================### ### Global variables ###===============================================================================### START=$(date +%s) # For testing this script locally, replace the below with OPERATION=$1. OPERATION={{ command }} # Add all pre-script actions to be performed within the function below execute_pre_script() { echo "INFO: Start execution of pre-script" } # Add all post-script actions to be performed within the function below execute_post_script() { echo "INFO: Start execution of post-script" } # Debug logging for parameters passed to the SSM document echo "INFO: ${OPERATION} starting at $(date) with executionId: ${EXECUTION_ID}" # Based on the command parameter value execute the function that supports # pre-script/post-script operation case ${OPERATION} in pre-script) execute_pre_script ;; post-script) execute_post_script ;; dry-run) echo "INFO: dry-run option invoked - taking no action" ;; *) echo "ERROR: Invalid command parameter passed. Please use either pre-script, post-script, dry-run." exit 1 # return failure ;; esac END=$(date +%s) # Debug Log for profiling the script time echo "INFO: ${OPERATION} completed at $(date). Total runtime: $((${END} - ${START})) seconds."
注意
如果出现以下情况,则需要执行此步骤:
-
创建或更新使用自定义 IAM 角色的启用前置/后置脚本的快照策略。
-
使用命令行创建或更新使用默认值的启用前置/后置脚本的快照策略。
如果您使用控制台创建或更新启用前置/后置脚本的快照策略,该策略使用默认角色管理快照(AWSDataLifecycleManagerDefaultRole),请跳过此步骤。在这种情况下,我们会自动将 AWSDataLifecycleManagerSSMFullAccess 策略附加到该角色。
您必须确保用于策略的 IAM 角色授予 Amazon Data Lifecycle Manager 权限,以执行在策略作为目标的实例上运行前置和后置脚本所需的 SSM 操作的权限。
Amazon Data Lifecycle Manager 提供了包含所需权限的托管策略(AWSDataLifecycleManagerSSMFullAccess)。您可以将此策略附加到您的 IAM 角色以管理快照,从而确保其包含这些权限。
重要
在使用前置和后置脚本时,AWSDataLifecycleManagerSSMFullAccess 托管策略使用 aws:ResourceTag 条件键来限制对特定 SSM 文档的访问权限。要允许 Amazon Data Lifecycle Manager 访问 SSM 文档,您必须确保您的 SSM 文档带有 DLMScriptsAccess:true 标签。
或者,您可以手动创建自定义策略或将所需权限直接分配给您使用的 IAM 角色。您可以使用 AWSDataLifecycleManagerSSMFullAccess 托管策略中定义的相同权限,但是,aws:ResourceTag 条件键是可选的。如果您决定不使用该条件键,则无需使用 DLMScriptsAccess:true 标记您的 SSM 文档。
使用以下方法之一将 AWSDataLifecycleManagerSSMFullAccess 策略添加到您的 IAM 角色。
