Powershell – Auto-Tagging EC2 Instances in AWS (Windows Servers only)

Tags: amazon-web-services, aws-cli, powershell, python

I am looking for some guidance from the serverfault community.

We are spinning up several new AWS instances (Windows Server 2008/2012) over the next few days. We have a naming convention in place for AWS, and tags so we can keep track of owner, date created, domain joined and cost center.

I am trying to figure out a good method to 'auto-tag' instances.

The use case would go like this:

Script (PowerShell or an app of some sort) would poll AWS each night at midnight and look for instances missing tags. Once the instance(s) have been found, it would then attempt to append the IP address of the instance as the AWS name and a predetermined set of default tags to keep track of the previously 'untagged' instance(s).

Anyone familiar with this? I am not very good at scripting, but am willing to try, but am unsure where to look.

Thanks

Best Answer

First, before I get to the real answer, I'm going to explain why I'm not directly answering your question. Sure, you could likely write up some script that would do what you wanted. It would solve this problem, but would do nothing at all to solve the dozens of other potential problems you'll run into sooner or later.

So with that, here's the real answer...


You've run afoul of the most important rule when using AWS for anything serious: the web console is for inspection only, not making changes. It is just plain too easy to forget steps, mess things up, terminate the wrong instance, etc. when using the web console.

When creating instances, you and your staff should only be using one of the many technologies AWS provides to create resources in a controlled, reliable, repeatable manner.

At the very least, get to know the AWS Powershell Tools. After you've familiarized yourself with them, create, publish, and distribute to your staff a standard method of interacting with AWS.

Ideally, you would create a wrapper around their API, which your staff can use, which would force them to provide relevant tag info before instance creation.

Additionally, ensure that all of your staff are using their own IAM user. Do not, under any circumstances, permit anyone other than the account owner to have the account root credentials - even that person should only use those credentials for the bare minimum of tasks, instead using an IAM user as well.
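
A sketch of the wrapper the answer describes, together with the nightly check the question asks about. This is an added example, not code from the original post or from AWS. It assumes the AWS Tools for PowerShell EC2 module is loaded with credentials and a default region configured. The function names and tag key names are hypothetical, chosen to match the tags listed in the question.

```powershell
# Added example. Function names and tag keys are hypothetical.
$RequiredTagKeys = 'Name', 'Owner', 'CostCenter', 'DomainJoined', 'DateCreated'

function New-TaggedEC2Instance {
    [CmdletBinding()]
    param(
        # Mandatory parameters: PowerShell refuses to run without the tag values.
        [Parameter(Mandatory)] [string] $ImageId,
        [Parameter(Mandatory)] [string] $InstanceType,
        [Parameter(Mandatory)] [string] $SubnetId,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Owner,
        [Parameter(Mandatory)] [string] $CostCenter,
        [Parameter(Mandatory)] [ValidateSet('true', 'false')] [string] $DomainJoined
    )
    $values = @{
        Name = $Name; Owner = $Owner; CostCenter = $CostCenter
        DomainJoined = $DomainJoined; DateCreated = (Get-Date -Format 'yyyy-MM-dd')
    }
    $tags = New-Object 'System.Collections.Generic.List[Amazon.EC2.Model.Tag]'
    foreach ($key in $values.Keys) {
        $tags.Add([Amazon.EC2.Model.Tag]::new($key, $values[$key]))
    }
    # Tags travel in the launch request itself, so the instance never exists untagged.
    $spec = New-Object Amazon.EC2.Model.TagSpecification
    $spec.ResourceType = 'instance'
    $spec.Tags = $tags
    New-EC2Instance -ImageId $ImageId -InstanceType $InstanceType -SubnetId $SubnetId `
        -MinCount 1 -MaxCount 1 -TagSpecification $spec
}

function Get-EC2InstanceMissingTag {
    # Nightly report: every instance that lacks at least one required tag key.
    foreach ($instance in (Get-EC2Instance).Instances) {
        $present = @($instance.Tags | ForEach-Object { $_.Key })
        $missing = @($RequiredTagKeys | Where-Object { $_ -notin $present })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                InstanceId = $instance.InstanceId
                PrivateIp  = $instance.PrivateIpAddress
                Missing    = $missing -join ','
            }
        }
    }
}
```

The report's `PrivateIp` column gives the value the question wanted to use as a fallback name; it can be applied to a flagged instance with `New-EC2Tag`.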
