kung-foo/ec2_tags.py

## ec2_tags.py
#!/usr/bin/env python
"""

# copied from https://github.com/saltstack/salt-contrib/blob/master/grains/ec2_tags.py

ec2_tags.py - exports all EC2 tags in an 'ec2_tags' grain and splits 'Role' tag
              into a list on 'ec2_roles' grain.

To use it:

  1. Place ec2_tags.py in <salt_root>/_grains/
  2. Make sure boto version >= 2.8.0
  3. There are four ways of supplying AWS credentials used to fetch instance tags:

    i. Define them in AWS_CREDENTIALS below
    ii. Define AWS_ACCESS_KEY and AWS_SECRET_KEY environment variables
    iii. Provide them in the minion config like this:

        ec2_tags:
          aws:
            access_key: ABC123
            secret_key: abc123
    iv. Use IAM instance roles, the following policy will work:
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "Stmt1429127179000",
                    "Effect": "Allow",
                    "Action": [
                        "ec2:DescribeTags"
                    ],
                    "Resource": [
                        "*"
                    ]
                }
            ]
        }

  4. Test it

    $ salt '*' saltutil.sync_grains
    $ salt '*' grains.get ec2_tags
    $ salt '*' grains.get ec2_roles

Author: Emil Stenqvist <emsten@gmail.com>
Licensed under Apache License (https://raw.github.com/saltstack/salt/develop/LICENSE)

(Inspired by https://github.com/dginther/ec2-tags-salt-grain)
"""

import os
import logging
from distutils.version import StrictVersion

import boto.ec2
import boto.utils
import salt.log

log = logging.getLogger(__name__)

AWS_CREDENTIALS = {
    'access_key': None,
    'secret_key': None,
}


def _get_instance_info():
    identity = boto.utils.get_instance_identity()['document']
    return identity['instanceId'], identity['region']


def _on_ec2():
    m = boto.utils.get_instance_metadata(timeout=0.1, num_retries=1)
    return bool(m)


def _get_credentials():
    creds = AWS_CREDENTIALS.copy()

    # Minion config
    if '__opts__' in globals():
        conf = __opts__.get('ec2_tags', {})
        aws = conf.get('aws', {})
        if aws.get('access_key') and aws.get('secret_key'):
            creds.update(aws)

    # 3. Get from environment
    access_key = os.environ.get('AWS_ACCESS_KEY') or os.environ.get('AWS_ACCESS_KEY_ID')
    secret_key = os.environ.get('AWS_SECRET_KEY') or os.environ.get('AWS_SECRET_ACCESS_KEY')
    if access_key and secret_key:
        creds.update(dict(access_key=access_key, secret_key=secret_key))

    return creds


def ec2_tags():
    boto_version = StrictVersion(boto.__version__)
    required_boto_version = StrictVersion('2.8.0')
    if boto_version < required_boto_version:
        log.error("Installed boto version %s < %s, can't find ec2_tags",
                  boto_version, required_boto_version)
        return None

    if not _on_ec2():
        log.info("Not an EC2 instance, skipping")
        return None

    instance_id, region = _get_instance_info()
    credentials = _get_credentials()

    # Connect to EC2 and parse the Roles tags for this instance
    try:
        conn = boto.ec2.connect_to_region(
            region,
            aws_access_key_id=credentials['access_key'],
            aws_secret_access_key=credentials['secret_key'],
        )
    except Exception, e:
        log.error("Could not get AWS connection: %s", e)
        return None

    ec2_tags = {}
    try:
        tags = conn.get_all_tags(filters={'resource-type': 'instance',
                                          'resource-id': instance_id})
        for tag in tags:
            ec2_tags[tag.name] = tag.value
    except Exception, e:
        log.error("Couldn't retrieve instance tags: %s", e)
        return None

    ret = dict(ec2_tags=ec2_tags)

    # Provide ec2_tags_roles functionality
    if 'Roles' in ec2_tags:
        ret['ec2_roles'] = ec2_tags['Roles'].split(',')

    return ret


if __name__ == '__main__':
    print ec2_tags()

## reactor.conf
reactor:
  - 'minion_start':
    - /srv/reactor/sync_grains.sls

## sync_grains.sls
sync_grains:
  local.saltutil.sync_grains:
    - tgt: {{ data['id'] }}
	#!/usr/bin/env python
	"""

	# copied from https://github.com/saltstack/salt-contrib/blob/master/grains/ec2_tags.py

	ec2_tags.py - exports all EC2 tags in an 'ec2_tags' grain and splits 'Role' tag
	into a list on 'ec2_roles' grain.

	To use it:

	1. Place ec2_tags.py in <salt_root>/_grains/
	2. Make sure boto version >= 2.8.0
	3. There are four ways of supplying AWS credentials used to fetch instance tags:

	i. Define them in AWS_CREDENTIALS below
	ii. Define AWS_ACCESS_KEY and AWS_SECRET_KEY environment variables
	iii. Provide them in the minion config like this:

	ec2_tags:
	aws:
	access_key: ABC123
	secret_key: abc123
	iv. Use IAM instance roles, the following policy will work:
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "Stmt1429127179000",
	"Effect": "Allow",
	"Action": [
	"ec2:DescribeTags"
	],
	"Resource": [
	"*"
	]
	}
	]
	}

	4. Test it

	$ salt '*' saltutil.sync_grains
	$ salt '*' grains.get ec2_tags
	$ salt '*' grains.get ec2_roles

	Author: Emil Stenqvist <emsten@gmail.com>
	Licensed under Apache License (https://raw.github.com/saltstack/salt/develop/LICENSE)

	(Inspired by https://github.com/dginther/ec2-tags-salt-grain)
	"""

	import os
	import logging
	from distutils.version import StrictVersion

	import boto.ec2
	import boto.utils
	import salt.log

	log = logging.getLogger(__name__)

	AWS_CREDENTIALS = {
	'access_key': None,
	'secret_key': None,
	}


	def _get_instance_info():
	identity = boto.utils.get_instance_identity()['document']
	return identity['instanceId'], identity['region']


	def _on_ec2():
	m = boto.utils.get_instance_metadata(timeout=0.1, num_retries=1)
	return bool(m)


	def _get_credentials():
	creds = AWS_CREDENTIALS.copy()

	# Minion config
	if '__opts__' in globals():
	conf = __opts__.get('ec2_tags', {})
	aws = conf.get('aws', {})
	if aws.get('access_key') and aws.get('secret_key'):
	creds.update(aws)

	# 3. Get from environment
	access_key = os.environ.get('AWS_ACCESS_KEY') or os.environ.get('AWS_ACCESS_KEY_ID')
	secret_key = os.environ.get('AWS_SECRET_KEY') or os.environ.get('AWS_SECRET_ACCESS_KEY')
	if access_key and secret_key:
	creds.update(dict(access_key=access_key, secret_key=secret_key))

	return creds


	def ec2_tags():
	boto_version = StrictVersion(boto.__version__)
	required_boto_version = StrictVersion('2.8.0')
	if boto_version < required_boto_version:
	log.error("Installed boto version %s < %s, can't find ec2_tags",
	boto_version, required_boto_version)
	return None

	if not _on_ec2():
	log.info("Not an EC2 instance, skipping")
	return None

	instance_id, region = _get_instance_info()
	credentials = _get_credentials()

	# Connect to EC2 and parse the Roles tags for this instance
	try:
	conn = boto.ec2.connect_to_region(
	region,
	aws_access_key_id=credentials['access_key'],
	aws_secret_access_key=credentials['secret_key'],
	)
	except Exception, e:
	log.error("Could not get AWS connection: %s", e)
	return None

	ec2_tags = {}
	try:
	tags = conn.get_all_tags(filters={'resource-type': 'instance',
	'resource-id': instance_id})
	for tag in tags:
	ec2_tags[tag.name] = tag.value
	except Exception, e:
	log.error("Couldn't retrieve instance tags: %s", e)
	return None

	ret = dict(ec2_tags=ec2_tags)

	# Provide ec2_tags_roles functionality
	if 'Roles' in ec2_tags:
	ret['ec2_roles'] = ec2_tags['Roles'].split(',')

	return ret


	if __name__ == '__main__':
	print ec2_tags()
	sync_grains:
	local.saltutil.sync_grains:
	- tgt: {{ data['id'] }}