# Cenários para o IAM usando AWS SDKs
Os exemplos de código a seguir mostram como implementar cenários comuns no IAM com AWS SDKs. Esses cenários mostram como realizar tarefas específicas chamando várias funções dentro do IAM ou combinadas com outros Serviços da AWS. Cada cenário inclui um link para o código-fonte completo, em que você pode encontrar instruções sobre como configurar e executar o código.
Os cenários têm como alvo um nível intermediário de experiência para ajudar você a compreender ações de serviço em contexto.
**Topics**
+ [Criar e gerenciar um serviço resiliente](iam_example_cross_ResilientService_section.md)
+ [Criar usuários somente leitura e leitura/gravação usando](iam_example_iam_Scenario_UserPolicies_section.md)
+ [Gerenciar chaves de acesso](iam_example_iam_Scenario_ManageAccessKeys_section.md)
+ [Políticas gerenciadas](iam_example_iam_Scenario_PolicyManagement_section.md)
+ [Gerenciar funções](iam_example_iam_Scenario_RoleManagement_section.md)
+ [Gerenciar sua conta](iam_example_iam_Scenario_AccountManagement_section.md)
+ [A política de permissão permite que a automação AWS Compute Optimizer aplique as ações recomendadas](iam_example_iam-policies.AWSMettleDocs.latest.userguide.managed-policies.xml.10_section.md)
+ [Política de permissão para permitir a automação em toda a sua organização](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.2_section.md)
+ [Política de permissão para permitir a automação em sua conta](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.1_section.md)
+ [Política de permissão para conceder acesso total ao Compute Optimizer Automation para uma conta gerencial de uma organização](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.5_section.md)
+ [Política de permissão para conceder acesso total ao Compute Optimizer Automation para contas autônomas da AWS](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.3_section.md)
+ [Política de permissão para conceder acesso somente leitura ao Compute Optimizer Automation para uma conta gerencial de uma organização](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.6_section.md)
+ [Política de permissão para conceder acesso somente leitura ao Compute Optimizer Automation para contas autônomas da AWS](iam_example_iam-policies.AWSMettleDocs.latest.userguide.automation.xml.4_section.md)
+ [Política de permissão para conceder permissões de perfil vinculado ao serviço para o Compute Optimization Automation](iam_example_iam-policies.AWSMettleDocs.latest.userguide.slr-automation.xml.1_section.md)
+ [Reverter uma versão de política](iam_example_iam_Scenario_RollbackPolicyVersion_section.md)
+ [Configuração do controle de acesso por atributo](iam_example_dynamodb_Scenario_ABACSetup_section.md)
+ [Trabalho com os fluxos e com a vida útil](iam_example_dynamodb_Scenario_StreamsAndTTL_section.md)
+ [Trabalhar com a API IAM Policy Builder](iam_example_iam_Scenario_IamPolicyBuilder_section.md)
# Criar e gerenciar um serviço resiliente usando um AWS SDK
Os exemplos de código a seguir mostram como criar um serviço da Web com carga balanceada que retorna recomendações de livros, filmes e músicas. O exemplo mostra como o serviço responde a falhas e como é possível reestruturá-lo para gerar mais resiliência em caso de falhas.
+ Use um grupo do Amazon EC2 Auto Scaling para criar instâncias do Amazon Elastic Compute Cloud (Amazon EC2) com base em um modelo de execução e para manter o número de instâncias em um intervalo especificado.
+ Gerencie e distribua solicitações HTTP com o Elastic Load Balancing.
+ Monitore a integridade das instâncias em um grupo do Auto Scaling e encaminhe solicitações somente para instâncias íntegras.
+ Execute um servidor Web Python em cada instância do EC2 para lidar com solicitações HTTP. O servidor Web responde com recomendações e verificações de integridade.
+ Simule um serviço de recomendação com uma tabela do Amazon DynamoDB.
+ Controle a resposta do servidor Web às solicitações e verificações de integridade atualizando os parâmetros do AWS Systems Manager.
------
#### [ .NET ]
**SDK para .NET**
Há mais no GitHub. Encontre o exemplo completo e saiba como configurar e executar no [AWSCode Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/cross-service/ResilientService#code-examples).
Execute o cenário interativo em um prompt de comando.
```
static async Task Main(string[] args)
{
_configuration = new ConfigurationBuilder()
.SetBasePath(Directory.GetCurrentDirectory())
.AddJsonFile("settings.json") // Load settings from .json file.
.AddJsonFile("settings.local.json",
true) // Optionally, load local settings.
.Build();
// Set up dependency injection for the AWS services.
using var host = Host.CreateDefaultBuilder(args)
.ConfigureLogging(logging =>
logging.AddFilter("System", LogLevel.Debug)
.AddFilter("Microsoft", LogLevel.Information)
.AddFilter("Microsoft", LogLevel.Trace))
.ConfigureServices((_, services) =>
services.AddAWSService()
.AddAWSService()
.AddAWSService()
.AddAWSService()
.AddAWSService()
.AddAWSService()
.AddTransient()
.AddTransient()
.AddTransient()
.AddTransient()
.AddSingleton(_configuration)
)
.Build();
ServicesSetup(host);
ResourcesSetup();
try
{
Console.WriteLine(new string('-', 80));
Console.WriteLine("Welcome to the Resilient Architecture Example Scenario.");
Console.WriteLine(new string('-', 80));
await Deploy(true);
Console.WriteLine("Now let's begin the scenario.");
Console.WriteLine(new string('-', 80));
await Demo(true);
Console.WriteLine(new string('-', 80));
Console.WriteLine("Finally, let's clean up our resources.");
Console.WriteLine(new string('-', 80));
await DestroyResources(true);
Console.WriteLine(new string('-', 80));
Console.WriteLine("Resilient Architecture Example Scenario is complete.");
Console.WriteLine(new string('-', 80));
}
catch (Exception ex)
{
Console.WriteLine(new string('-', 80));
Console.WriteLine($"There was a problem running the scenario: {ex.Message}");
await DestroyResources(true);
Console.WriteLine(new string('-', 80));
}
}
///
/// Setup any common resources, also used for integration testing.
///
public static void ResourcesSetup()
{
_httpClient = new HttpClient();
}
///
/// Populate the services for use within the console application.
///
/// The services host.
private static void ServicesSetup(IHost host)
{
_elasticLoadBalancerWrapper = host.Services.GetRequiredService();
_iamClient = host.Services.GetRequiredService();
_recommendations = host.Services.GetRequiredService();
_autoScalerWrapper = host.Services.GetRequiredService();
_smParameterWrapper = host.Services.GetRequiredService();
}
///
/// Deploy necessary resources for the scenario.
///
/// True to run as interactive.
/// True if successful.
public static async Task Deploy(bool interactive)
{
var protocol = "HTTP";
var port = 80;
var sshPort = 22;
Console.WriteLine(
"\nFor this demo, we'll use the AWS SDK for .NET to create several AWS resources\n" +
"to set up a load-balanced web service endpoint and explore some ways to make it resilient\n" +
"against various kinds of failures.\n\n" +
"Some of the resources create by this demo are:\n");
Console.WriteLine(
"\t* A DynamoDB table that the web service depends on to provide book, movie, and song recommendations.");
Console.WriteLine(
"\t* An EC2 launch template that defines EC2 instances that each contain a Python web server.");
Console.WriteLine(
"\t* An EC2 Auto Scaling group that manages EC2 instances across several Availability Zones.");
Console.WriteLine(
"\t* An Elastic Load Balancing (ELB) load balancer that targets the Auto Scaling group to distribute requests.");
Console.WriteLine(new string('-', 80));
Console.WriteLine("Press Enter when you're ready to start deploying resources.");
if (interactive)
Console.ReadLine();
// Create and populate the DynamoDB table.
var databaseTableName = _configuration["databaseName"];
var recommendationsPath = Path.Join(_configuration["resourcePath"],
"recommendations_objects.json");
Console.WriteLine($"Creating and populating a DynamoDB table named {databaseTableName}.");
await _recommendations.CreateDatabaseWithName(databaseTableName);
await _recommendations.PopulateDatabase(databaseTableName, recommendationsPath);
Console.WriteLine(new string('-', 80));
// Create the EC2 Launch Template.
Console.WriteLine(
$"Creating an EC2 launch template that runs 'server_startup_script.sh' when an instance starts.\n"
+ "\nThis script starts a Python web server defined in the `server.py` script. The web server\n"
+ "listens to HTTP requests on port 80 and responds to requests to '/' and to '/healthcheck'.\n"
+ "For demo purposes, this server is run as the root user. In production, the best practice is to\n"
+ "run a web server, such as Apache, with least-privileged credentials.");
Console.WriteLine(
"\nThe template also defines an IAM policy that each instance uses to assume a role that grants\n"
+ "permissions to access the DynamoDB recommendation table and Systems Manager parameters\n"
+ "that control the flow of the demo.");
var startupScriptPath = Path.Join(_configuration["resourcePath"],
"server_startup_script.sh");
var instancePolicyPath = Path.Join(_configuration["resourcePath"],
"instance_policy.json");
await _autoScalerWrapper.CreateTemplate(startupScriptPath, instancePolicyPath);
Console.WriteLine(new string('-', 80));
Console.WriteLine(
"Creating an EC2 Auto Scaling group that maintains three EC2 instances, each in a different\n"
+ "Availability Zone.\n");
var zones = await _autoScalerWrapper.DescribeAvailabilityZones();
await _autoScalerWrapper.CreateGroupOfSize(3, _autoScalerWrapper.GroupName, zones);
Console.WriteLine(new string('-', 80));
Console.WriteLine(
"At this point, you have EC2 instances created. Once each instance starts, it listens for\n"
+ "HTTP requests. You can see these instances in the console or continue with the demo.\n");
Console.WriteLine(new string('-', 80));
Console.WriteLine("Press Enter when you're ready to continue.");
if (interactive)
Console.ReadLine();
Console.WriteLine("Creating variables that control the flow of the demo.");
await _smParameterWrapper.Reset();
Console.WriteLine(
"\nCreating an Elastic Load Balancing target group and load balancer. The target group\n"
+ "defines how the load balancer connects to instances. The load balancer provides a\n"
+ "single endpoint where clients connect and dispatches requests to instances in the group.");
var defaultVpc = await _autoScalerWrapper.GetDefaultVpc();
var subnets = await _autoScalerWrapper.GetAllVpcSubnetsForZones(defaultVpc.VpcId, zones);
var subnetIds = subnets.Select(s => s.SubnetId).ToList();
var targetGroup = await _elasticLoadBalancerWrapper.CreateTargetGroupOnVpc(_elasticLoadBalancerWrapper.TargetGroupName, protocol, port, defaultVpc.VpcId);
await _elasticLoadBalancerWrapper.CreateLoadBalancerAndListener(_elasticLoadBalancerWrapper.LoadBalancerName, subnetIds, targetGroup);
await _autoScalerWrapper.AttachLoadBalancerToGroup(_autoScalerWrapper.GroupName, targetGroup.TargetGroupArn);
Console.WriteLine("\nVerifying access to the load balancer endpoint...");
var endPoint = await _elasticLoadBalancerWrapper.GetEndpointForLoadBalancerByName(_elasticLoadBalancerWrapper.LoadBalancerName);
var loadBalancerAccess = await _elasticLoadBalancerWrapper.VerifyLoadBalancerEndpoint(endPoint);
if (!loadBalancerAccess)
{
Console.WriteLine("\nCouldn't connect to the load balancer, verifying that the port is open...");
var ipString = await _httpClient.GetStringAsync("https://checkip.amazonaws.com");
ipString = ipString.Trim();
var defaultSecurityGroup = await _autoScalerWrapper.GetDefaultSecurityGroupForVpc(defaultVpc);
var portIsOpen = _autoScalerWrapper.VerifyInboundPortForGroup(defaultSecurityGroup, port, ipString);
var sshPortIsOpen = _autoScalerWrapper.VerifyInboundPortForGroup(defaultSecurityGroup, sshPort, ipString);
if (!portIsOpen)
{
Console.WriteLine(
"\nFor this example to work, the default security group for your default VPC must\n"
+ "allows access from this computer. You can either add it automatically from this\n"
+ "example or add it yourself using the AWS Management Console.\n");
if (!interactive || GetYesNoResponse(
"Do you want to add a rule to the security group to allow inbound traffic from your computer's IP address?"))
{
await _autoScalerWrapper.OpenInboundPort(defaultSecurityGroup.GroupId, port, ipString);
}
}
if (!sshPortIsOpen)
{
if (!interactive || GetYesNoResponse(
"Do you want to add a rule to the security group to allow inbound SSH traffic for debugging from your computer's IP address?"))
{
await _autoScalerWrapper.OpenInboundPort(defaultSecurityGroup.GroupId, sshPort, ipString);
}
}
loadBalancerAccess = await _elasticLoadBalancerWrapper.VerifyLoadBalancerEndpoint(endPoint);
}
if (loadBalancerAccess)
{
Console.WriteLine("Your load balancer is ready. You can access it by browsing to:");
Console.WriteLine($"\thttp://{endPoint}\n");
}
else
{
Console.WriteLine(
"\nCouldn't get a successful response from the load balancer endpoint. Troubleshoot by\n"
+ "manually verifying that your VPC and security group are configured correctly and that\n"
+ "you can successfully make a GET request to the load balancer endpoint:\n");
Console.WriteLine($"\thttp://{endPoint}\n");
}
Console.WriteLine(new string('-', 80));
Console.WriteLine("Press Enter when you're ready to continue with the demo.");
if (interactive)
Console.ReadLine();
return true;
}
///
/// Demonstrate the steps of the scenario.
///
/// True to run as an interactive scenario.
/// Async task.
public static async Task Demo(bool interactive)
{
var ssmOnlyPolicy = Path.Join(_configuration["resourcePath"],
"ssm_only_policy.json");
Console.WriteLine(new string('-', 80));
Console.WriteLine("Resetting parameters to starting values for demo.");
await _smParameterWrapper.Reset();
Console.WriteLine("\nThis part of the demonstration shows how to toggle different parts of the system\n" +
"to create situations where the web service fails, and shows how using a resilient\n" +
"architecture can keep the web service running in spite of these failures.");
Console.WriteLine(new string('-', 88));
Console.WriteLine("At the start, the load balancer endpoint returns recommendations and reports that all targets are healthy.");
if (interactive)
await DemoActionChoices();
Console.WriteLine($"The web service running on the EC2 instances gets recommendations by querying a DynamoDB table.\n" +
$"The table name is contained in a Systems Manager parameter named '{_smParameterWrapper.TableParameter}'.\n" +
$"To simulate a failure of the recommendation service, let's set this parameter to name a non-existent table.\n");
await _smParameterWrapper.PutParameterByName(_smParameterWrapper.TableParameter, "this-is-not-a-table");
Console.WriteLine("\nNow, sending a GET request to the load balancer endpoint returns a failure code. But, the service reports as\n" +
"healthy to the load balancer because shallow health checks don't check for failure of the recommendation service.");
if (interactive)
await DemoActionChoices();
Console.WriteLine("Instead of failing when the recommendation service fails, the web service can return a static response.");
Console.WriteLine("While this is not a perfect solution, it presents the customer with a somewhat better experience than failure.");
await _smParameterWrapper.PutParameterByName(_smParameterWrapper.FailureResponseParameter, "static");
Console.WriteLine("\nNow, sending a GET request to the load balancer endpoint returns a static response.");
Console.WriteLine("The service still reports as healthy because health checks are still shallow.");
if (interactive)
await DemoActionChoices();
Console.WriteLine("Let's reinstate the recommendation service.\n");
await _smParameterWrapper.PutParameterByName(_smParameterWrapper.TableParameter, _smParameterWrapper.TableName);
Console.WriteLine(
"\nLet's also substitute bad credentials for one of the instances in the target group so that it can't\n" +
"access the DynamoDB recommendation table.\n"
);
await _autoScalerWrapper.CreateInstanceProfileWithName(
_autoScalerWrapper.BadCredsPolicyName,
_autoScalerWrapper.BadCredsRoleName,
_autoScalerWrapper.BadCredsProfileName,
ssmOnlyPolicy,
new List { "AmazonSSMManagedInstanceCore" }
);
var instances = await _autoScalerWrapper.GetInstancesByGroupName(_autoScalerWrapper.GroupName);
var badInstanceId = instances.First();
var instanceProfile = await _autoScalerWrapper.GetInstanceProfile(badInstanceId);
Console.WriteLine(
$"Replacing the profile for instance {badInstanceId} with a profile that contains\n" +
"bad credentials...\n"
);
await _autoScalerWrapper.ReplaceInstanceProfile(
badInstanceId,
_autoScalerWrapper.BadCredsProfileName,
instanceProfile.AssociationId
);
Console.WriteLine(
"Now, sending a GET request to the load balancer endpoint returns either a recommendation or a static response,\n" +
"depending on which instance is selected by the load balancer.\n"
);
if (interactive)
await DemoActionChoices();
Console.WriteLine("\nLet's implement a deep health check. For this demo, a deep health check tests whether");
Console.WriteLine("the web service can access the DynamoDB table that it depends on for recommendations. Note that");
Console.WriteLine("the deep health check is only for ELB routing and not for Auto Scaling instance health.");
Console.WriteLine("This kind of deep health check is not recommended for Auto Scaling instance health, because it");
Console.WriteLine("risks accidental termination of all instances in the Auto Scaling group when a dependent service fails.");
Console.WriteLine("\nBy implementing deep health checks, the load balancer can detect when one of the instances is failing");
Console.WriteLine("and take that instance out of rotation.");
await _smParameterWrapper.PutParameterByName(_smParameterWrapper.HealthCheckParameter, "deep");
Console.WriteLine($"\nNow, checking target health indicates that the instance with bad credentials ({badInstanceId})");
Console.WriteLine("is unhealthy. Note that it might take a minute or two for the load balancer to detect the unhealthy");
Console.WriteLine("instance. Sending a GET request to the load balancer endpoint always returns a recommendation, because");
Console.WriteLine("the load balancer takes unhealthy instances out of its rotation.");
if (interactive)
await DemoActionChoices();
Console.WriteLine("\nBecause the instances in this demo are controlled by an auto scaler, the simplest way to fix an unhealthy");
Console.WriteLine("instance is to terminate it and let the auto scaler start a new instance to replace it.");
await _autoScalerWrapper.TryTerminateInstanceById(badInstanceId);
Console.WriteLine($"\nEven while the instance is terminating and the new instance is starting, sending a GET");
Console.WriteLine("request to the web service continues to get a successful recommendation response because");
Console.WriteLine("starts and reports as healthy, it is included in the load balancing rotation.");
Console.WriteLine("Note that terminating and replacing an instance typically takes several minutes, during which time you");
Console.WriteLine("can see the changing health check status until the new instance is running and healthy.");
if (interactive)
await DemoActionChoices();
Console.WriteLine("\nIf the recommendation service fails now, deep health checks mean all instances report as unhealthy.");
await _smParameterWrapper.PutParameterByName(_smParameterWrapper.TableParameter, "this-is-not-a-table");
Console.WriteLine($"\nWhen all instances are unhealthy, the load balancer continues to route requests even to");
Console.WriteLine("unhealthy instances, allowing them to fail open and return a static response rather than fail");
Console.WriteLine("closed and report failure to the customer.");
if (interactive)
await DemoActionChoices();
await _smParameterWrapper.Reset();
Console.WriteLine(new string('-', 80));
return true;
}
///
/// Clean up the resources from the scenario.
///
/// True to ask the user for cleanup.
/// Async task.
public static async Task DestroyResources(bool interactive)
{
Console.WriteLine(new string('-', 80));
Console.WriteLine(
"To keep things tidy and to avoid unwanted charges on your account, we can clean up all AWS resources\n" +
"that were created for this demo."
);
if (!interactive || GetYesNoResponse("Do you want to clean up all demo resources? (y/n) "))
{
await _elasticLoadBalancerWrapper.DeleteLoadBalancerByName(_elasticLoadBalancerWrapper.LoadBalancerName);
await _elasticLoadBalancerWrapper.DeleteTargetGroupByName(_elasticLoadBalancerWrapper.TargetGroupName);
await _autoScalerWrapper.TerminateAndDeleteAutoScalingGroupWithName(_autoScalerWrapper.GroupName);
await _autoScalerWrapper.DeleteKeyPairByName(_autoScalerWrapper.KeyPairName);
await _autoScalerWrapper.DeleteTemplateByName(_autoScalerWrapper.LaunchTemplateName);
await _autoScalerWrapper.DeleteInstanceProfile(
_autoScalerWrapper.BadCredsProfileName,
_autoScalerWrapper.BadCredsRoleName
);
await _recommendations.DestroyDatabaseByName(_recommendations.TableName);
}
else
{
Console.WriteLine(
"Ok, we'll leave the resources intact.\n" +
"Don't forget to delete them when you're done with them or you might incur unexpected charges."
);
}
Console.WriteLine(new string('-', 80));
return true;
}
```
Crie uma classe que envolva ações do Auto Scaling e do Amazon EC2.
```
///
/// Encapsulates Amazon EC2 Auto Scaling and EC2 management methods.
///
public class AutoScalerWrapper
{
private readonly IAmazonAutoScaling _amazonAutoScaling;
private readonly IAmazonEC2 _amazonEc2;
private readonly IAmazonSimpleSystemsManagement _amazonSsm;
private readonly IAmazonIdentityManagementService _amazonIam;
private readonly ILogger _logger;
private readonly string _instanceType = "";
private readonly string _amiParam = "";
private readonly string _launchTemplateName = "";
private readonly string _groupName = "";
private readonly string _instancePolicyName = "";
private readonly string _instanceRoleName = "";
private readonly string _instanceProfileName = "";
private readonly string _badCredsProfileName = "";
private readonly string _badCredsRoleName = "";
private readonly string _badCredsPolicyName = "";
private readonly string _keyPairName = "";
public string GroupName => _groupName;
public string KeyPairName => _keyPairName;
public string LaunchTemplateName => _launchTemplateName;
public string InstancePolicyName => _instancePolicyName;
public string BadCredsProfileName => _badCredsProfileName;
public string BadCredsRoleName => _badCredsRoleName;
public string BadCredsPolicyName => _badCredsPolicyName;
///
/// Constructor for the AutoScalerWrapper.
///
/// The injected AutoScaling client.
/// The injected EC2 client.
/// The injected IAM client.
/// The injected SSM client.
public AutoScalerWrapper(
IAmazonAutoScaling amazonAutoScaling,
IAmazonEC2 amazonEc2,
IAmazonSimpleSystemsManagement amazonSsm,
IAmazonIdentityManagementService amazonIam,
IConfiguration configuration,
ILogger logger)
{
_amazonAutoScaling = amazonAutoScaling;
_amazonEc2 = amazonEc2;
_amazonSsm = amazonSsm;
_amazonIam = amazonIam;
_logger = logger;
var prefix = configuration["resourcePrefix"];
_instanceType = configuration["instanceType"];
_amiParam = configuration["amiParam"];
_launchTemplateName = prefix + "-template";
_groupName = prefix + "-group";
_instancePolicyName = prefix + "-pol";
_instanceRoleName = prefix + "-role";
_instanceProfileName = prefix + "-prof";
_badCredsPolicyName = prefix + "-bc-pol";
_badCredsRoleName = prefix + "-bc-role";
_badCredsProfileName = prefix + "-bc-prof";
_keyPairName = prefix + "-key-pair";
}
///
/// Create a policy, role, and profile that is associated with instances with a specified name.
/// An instance's associated profile defines a role that is assumed by the
/// instance.The role has attached policies that specify the AWS permissions granted to
/// clients that run on the instance.
///
/// Name to use for the policy.
/// Name to use for the role.
/// Name to use for the profile.
/// Path to a policy file for SSM.
/// AWS Managed policies to be attached to the role.
/// The Arn of the profile.
public async Task CreateInstanceProfileWithName(
string policyName,
string roleName,
string profileName,
string ssmOnlyPolicyFile,
List? awsManagedPolicies = null)
{
var assumeRoleDoc = "{" +
"\"Version\": \"2012-10-17\"," +
"\"Statement\": [{" +
"\"Effect\": \"Allow\"," +
"\"Principal\": {" +
"\"Service\": [" +
"\"ec2.amazonaws.com\"" +
"]" +
"}," +
"\"Action\": \"sts:AssumeRole\"" +
"}]" +
"}";
var policyDocument = await File.ReadAllTextAsync(ssmOnlyPolicyFile);
var policyArn = "";
try
{
var createPolicyResult = await _amazonIam.CreatePolicyAsync(
new CreatePolicyRequest
{
PolicyName = policyName,
PolicyDocument = policyDocument
});
policyArn = createPolicyResult.Policy.Arn;
}
catch (EntityAlreadyExistsException)
{
// The policy already exists, so we look it up to get the Arn.
var policiesPaginator = _amazonIam.Paginators.ListPolicies(
new ListPoliciesRequest()
{
Scope = PolicyScopeType.Local
});
// Get the entire list using the paginator.
await foreach (var policy in policiesPaginator.Policies)
{
if (policy.PolicyName.Equals(policyName))
{
policyArn = policy.Arn;
}
}
if (policyArn == null)
{
throw new InvalidOperationException("Policy not found");
}
}
try
{
await _amazonIam.CreateRoleAsync(new CreateRoleRequest()
{
RoleName = roleName,
AssumeRolePolicyDocument = assumeRoleDoc,
});
await _amazonIam.AttachRolePolicyAsync(new AttachRolePolicyRequest()
{
RoleName = roleName,
PolicyArn = policyArn
});
if (awsManagedPolicies != null)
{
foreach (var awsPolicy in awsManagedPolicies)
{
await _amazonIam.AttachRolePolicyAsync(new AttachRolePolicyRequest()
{
PolicyArn = $"arn:aws:iam::aws:policy/{awsPolicy}",
RoleName = roleName
});
}
}
}
catch (EntityAlreadyExistsException)
{
Console.WriteLine("Role already exists.");
}
string profileArn = "";
try
{
var profileCreateResponse = await _amazonIam.CreateInstanceProfileAsync(
new CreateInstanceProfileRequest()
{
InstanceProfileName = profileName
});
// Allow time for the profile to be ready.
profileArn = profileCreateResponse.InstanceProfile.Arn;
Thread.Sleep(10000);
await _amazonIam.AddRoleToInstanceProfileAsync(
new AddRoleToInstanceProfileRequest()
{
InstanceProfileName = profileName,
RoleName = roleName
});
}
catch (EntityAlreadyExistsException)
{
Console.WriteLine("Policy already exists.");
var profileGetResponse = await _amazonIam.GetInstanceProfileAsync(
new GetInstanceProfileRequest()
{
InstanceProfileName = profileName
});
profileArn = profileGetResponse.InstanceProfile.Arn;
}
return profileArn;
}
///
/// Create a new key pair and save the file.
///
/// The name of the new key pair.
/// Async task.
public async Task CreateKeyPair(string newKeyPairName)
{
try
{
var keyResponse = await _amazonEc2.CreateKeyPairAsync(
new CreateKeyPairRequest() { KeyName = newKeyPairName });
await File.WriteAllTextAsync($"{newKeyPairName}.pem",
keyResponse.KeyPair.KeyMaterial);
Console.WriteLine($"Created key pair {newKeyPairName}.");
}
catch (AlreadyExistsException)
{
Console.WriteLine("Key pair already exists.");
}
}
///
/// Delete the key pair and file by name.
///
/// The key pair to delete.
/// Async task.
public async Task DeleteKeyPairByName(string deleteKeyPairName)
{
try
{
await _amazonEc2.DeleteKeyPairAsync(
new DeleteKeyPairRequest() { KeyName = deleteKeyPairName });
File.Delete($"{deleteKeyPairName}.pem");
}
catch (FileNotFoundException)
{
Console.WriteLine($"Key pair {deleteKeyPairName} not found.");
}
}
///
/// Creates an Amazon EC2 launch template to use with Amazon EC2 Auto Scaling.
/// The launch template specifies a Bash script in its user data field that runs after
/// the instance is started. This script installs the Python packages and starts a Python
/// web server on the instance.
///
/// The path to a Bash script file that is run.
/// The path to a permissions policy to create and attach to the profile.
/// The template object.
public async Task CreateTemplate(string startupScriptPath, string instancePolicyPath)
{
try
{
await CreateKeyPair(_keyPairName);
await CreateInstanceProfileWithName(_instancePolicyName, _instanceRoleName,
_instanceProfileName, instancePolicyPath);
var startServerText = await File.ReadAllTextAsync(startupScriptPath);
var plainTextBytes = System.Text.Encoding.UTF8.GetBytes(startServerText);
var amiLatest = await _amazonSsm.GetParameterAsync(
new GetParameterRequest() { Name = _amiParam });
var amiId = amiLatest.Parameter.Value;
var launchTemplateResponse = await _amazonEc2.CreateLaunchTemplateAsync(
new CreateLaunchTemplateRequest()
{
LaunchTemplateName = _launchTemplateName,
LaunchTemplateData = new RequestLaunchTemplateData()
{
InstanceType = _instanceType,
ImageId = amiId,
IamInstanceProfile =
new
LaunchTemplateIamInstanceProfileSpecificationRequest()
{
Name = _instanceProfileName
},
KeyName = _keyPairName,
UserData = System.Convert.ToBase64String(plainTextBytes)
}
});
return launchTemplateResponse.LaunchTemplate;
}
catch (AmazonEC2Exception ec2Exception)
{
if (ec2Exception.ErrorCode == "InvalidLaunchTemplateName.AlreadyExistsException")
{
_logger.LogError($"Could not create the template, the name {_launchTemplateName} already exists. " +
$"Please try again with a unique name.");
}
throw;
}
catch (Exception ex)
{
_logger.LogError($"An error occurred while creating the template.: {ex.Message}");
throw;
}
}
///
/// Get a list of Availability Zones in the AWS Region of the Amazon EC2 Client.
///
/// A list of availability zones.
public async Task> DescribeAvailabilityZones()
{
try
{
var zoneResponse = await _amazonEc2.DescribeAvailabilityZonesAsync(
new DescribeAvailabilityZonesRequest());
return zoneResponse.AvailabilityZones.Select(z => z.ZoneName).ToList();
}
catch (AmazonEC2Exception ec2Exception)
{
_logger.LogError($"An Amazon EC2 error occurred while listing availability zones.: {ec2Exception.Message}");
throw;
}
catch (Exception ex)
{
_logger.LogError($"An error occurred while listing availability zones.: {ex.Message}");
throw;
}
}
///
/// Create an EC2 Auto Scaling group of a specified size and name.
///
/// The size for the group.
/// The name for the group.
/// The availability zones for the group.
/// Async task.
public async Task CreateGroupOfSize(int groupSize, string groupName, List availabilityZones)
{
try
{
await _amazonAutoScaling.CreateAutoScalingGroupAsync(
new CreateAutoScalingGroupRequest()
{
AutoScalingGroupName = groupName,
AvailabilityZones = availabilityZones,
LaunchTemplate =
new Amazon.AutoScaling.Model.LaunchTemplateSpecification()
{
LaunchTemplateName = _launchTemplateName,
Version = "$Default"
},
MaxSize = groupSize,
MinSize = groupSize
});
Console.WriteLine($"Created EC2 Auto Scaling group {groupName} with size {groupSize}.");
}
catch (EntityAlreadyExistsException)
{
Console.WriteLine($"EC2 Auto Scaling group {groupName} already exists.");
}
}
///
/// Get the default VPC for the account.
///
/// The default VPC object.
public async Task GetDefaultVpc()
{
try
{
var vpcResponse = await _amazonEc2.DescribeVpcsAsync(
new DescribeVpcsRequest()
{
Filters = new List()
{
new("is-default", new List() { "true" })
}
});
return vpcResponse.Vpcs[0];
}
catch (AmazonEC2Exception ec2Exception)
{
if (ec2Exception.ErrorCode == "UnauthorizedOperation")
{
_logger.LogError(ec2Exception, $"You do not have the necessary permissions to describe VPCs.");
}
throw;
}
catch (Exception ex)
{
_logger.LogError(ex, $"An error occurred while describing the vpcs.: {ex.Message}");
throw;
}
}
///
/// Get all the subnets for a Vpc in a set of availability zones.
///
/// The Id of the Vpc.
/// The list of availability zones.
/// The collection of subnet objects.
public async Task> GetAllVpcSubnetsForZones(string vpcId, List availabilityZones)
{
try
{
var subnets = new List();
var subnetPaginator = _amazonEc2.Paginators.DescribeSubnets(
new DescribeSubnetsRequest()
{
Filters = new List()
{
new("vpc-id", new List() { vpcId }),
new("availability-zone", availabilityZones),
new("default-for-az", new List() { "true" })
}
});
// Get the entire list using the paginator.
await foreach (var subnet in subnetPaginator.Subnets)
{
subnets.Add(subnet);
}
return subnets;
}
catch (AmazonEC2Exception ec2Exception)
{
if (ec2Exception.ErrorCode == "InvalidVpcID.NotFound")
{
_logger.LogError(ec2Exception, $"The specified VPC ID {vpcId} does not exist.");
}
throw;
}
catch (Exception ex)
{
_logger.LogError(ex, $"An error occurred while describing the subnets.: {ex.Message}");
throw;
}
}
///
/// Delete a launch template by name.
///
/// The name of the template to delete.
/// Async task.
public async Task DeleteTemplateByName(string templateName)
{
try
{
await _amazonEc2.DeleteLaunchTemplateAsync(
new DeleteLaunchTemplateRequest()
{
LaunchTemplateName = templateName
});
}
catch (AmazonEC2Exception ec2Exception)
{
if (ec2Exception.ErrorCode == "InvalidLaunchTemplateName.NotFoundException")
{
_logger.LogError(
$"Could not delete the template, the name {_launchTemplateName} was not found.");
}
throw;
}
catch (Exception ex)
{
_logger.LogError($"An error occurred while deleting the template.: {ex.Message}");
throw;
}
}
///
/// Detaches a role from an instance profile, detaches policies from the role,
/// and deletes all the resources.
///
/// The name of the profile to delete.
/// The name of the role to delete.
/// Async task.
public async Task DeleteInstanceProfile(string profileName, string roleName)
{
try
{
await _amazonIam.RemoveRoleFromInstanceProfileAsync(
new RemoveRoleFromInstanceProfileRequest()
{
InstanceProfileName = profileName,
RoleName = roleName
});
await _amazonIam.DeleteInstanceProfileAsync(
new DeleteInstanceProfileRequest() { InstanceProfileName = profileName });
var attachedPolicies = await _amazonIam.ListAttachedRolePoliciesAsync(
new ListAttachedRolePoliciesRequest() { RoleName = roleName });
foreach (var policy in attachedPolicies.AttachedPolicies)
{
await _amazonIam.DetachRolePolicyAsync(
new DetachRolePolicyRequest()
{
RoleName = roleName,
PolicyArn = policy.PolicyArn
});
// Delete the custom policies only.
if (!policy.PolicyArn.StartsWith("arn:aws:iam::aws"))
{
await _amazonIam.DeletePolicyAsync(
new Amazon.IdentityManagement.Model.DeletePolicyRequest()
{
PolicyArn = policy.PolicyArn
});
}
}
await _amazonIam.DeleteRoleAsync(
new DeleteRoleRequest() { RoleName = roleName });
}
catch (NoSuchEntityException)
{
Console.WriteLine($"Instance profile {profileName} does not exist.");
}
}
///
/// Gets data about the instances in an EC2 Auto Scaling group by its group name.
///
/// The name of the auto scaling group.
/// A collection of instance Ids.
public async Task> GetInstancesByGroupName(string group)
{
var instanceResponse = await _amazonAutoScaling.DescribeAutoScalingGroupsAsync(
new DescribeAutoScalingGroupsRequest()
{
AutoScalingGroupNames = new List() { group }
});
var instanceIds = instanceResponse.AutoScalingGroups.SelectMany(
g => g.Instances.Select(i => i.InstanceId));
return instanceIds;
}
///
/// Get the instance profile association data for an instance.
///
/// The Id of the instance.
/// Instance profile associations data.
public async Task GetInstanceProfile(string instanceId)
{
try
{
var response = await _amazonEc2.DescribeIamInstanceProfileAssociationsAsync(
new DescribeIamInstanceProfileAssociationsRequest()
{
Filters = new List()
{
new("instance-id", new List() { instanceId })
},
});
return response.IamInstanceProfileAssociations[0];
}
catch (AmazonEC2Exception ec2Exception)
{
if (ec2Exception.ErrorCode == "InvalidInstanceID.NotFound")
{
_logger.LogError(ec2Exception, $"Instance {instanceId} not found");
}
throw;
}
catch (Exception ex)
{
_logger.LogError(ex, $"An error occurred while creating the template.: {ex.Message}");
throw;
}
}
///
/// Replace the profile associated with a running instance. After the profile is replaced, the instance
/// is rebooted to ensure that it uses the new profile. When the instance is ready, Systems Manager is
/// used to restart the Python web server.
///
/// The Id of the instance to update.
/// The name of the new profile to associate with the specified instance.
/// The Id of the existing profile association for the instance.
/// Async task.
public async Task ReplaceInstanceProfile(string instanceId, string credsProfileName, string associationId)
{
try
{
await _amazonEc2.ReplaceIamInstanceProfileAssociationAsync(
new ReplaceIamInstanceProfileAssociationRequest()
{
AssociationId = associationId,
IamInstanceProfile = new IamInstanceProfileSpecification()
{
Name = credsProfileName
}
});
// Allow time before resetting.
Thread.Sleep(25000);
await _amazonEc2.RebootInstancesAsync(
new RebootInstancesRequest(new List() { instanceId }));
Thread.Sleep(25000);
var instanceReady = false;
var retries = 5;
while (retries-- > 0 && !instanceReady)
{
var instancesPaginator =
_amazonSsm.Paginators.DescribeInstanceInformation(
new DescribeInstanceInformationRequest());
// Get the entire list using the paginator.
await foreach (var instance in instancesPaginator.InstanceInformationList)
{
instanceReady = instance.InstanceId == instanceId;
if (instanceReady)
{
break;
}
}
}
Console.WriteLine("Waiting for instance to be running.");
await WaitForInstanceState(instanceId, InstanceStateName.Running);
Console.WriteLine("Instance ready.");
Console.WriteLine($"Sending restart command to instance {instanceId}");
await _amazonSsm.SendCommandAsync(
new SendCommandRequest()
{
InstanceIds = new List() { instanceId },
DocumentName = "AWS-RunShellScript",
Parameters = new Dictionary>()
{
{
"commands",
new List() { "cd / && sudo python3 server.py 80" }
}
}
});
Console.WriteLine($"Restarted the web server on instance {instanceId}");
}
catch (AmazonEC2Exception ec2Exception)
{
if (ec2Exception.ErrorCode == "InvalidInstanceID.NotFound")
{
_logger.LogError(ec2Exception, $"Instance {instanceId} not found");
}
throw;
}
catch (Exception ex)
{
_logger.LogError(ex, $"An error occurred while replacing the template.: {ex.Message}");
throw;
}
}
///
/// Try to terminate an instance by its Id.
///
/// The Id of the instance to terminate.
/// Async task.
public async Task TryTerminateInstanceById(string instanceId)
{
var stopping = false;
Console.WriteLine($"Stopping {instanceId}...");
while (!stopping)
{
try
{
await _amazonAutoScaling.TerminateInstanceInAutoScalingGroupAsync(
new TerminateInstanceInAutoScalingGroupRequest()
{
InstanceId = instanceId,
ShouldDecrementDesiredCapacity = false
});
stopping = true;
}
catch (ScalingActivityInProgressException)
{
Console.WriteLine($"Scaling activity in progress for {instanceId}. Waiting...");
Thread.Sleep(10000);
}
}
}
///
/// Tries to delete the EC2 Auto Scaling group. If the group is in use or in progress,
/// waits and retries until the group is successfully deleted.
///
/// The name of the group to try to delete.
/// Async task.
public async Task TryDeleteGroupByName(string groupName)
{
var stopped = false;
while (!stopped)
{
try
{
await _amazonAutoScaling.DeleteAutoScalingGroupAsync(
new DeleteAutoScalingGroupRequest()
{
AutoScalingGroupName = groupName
});
stopped = true;
}
catch (Exception e)
when ((e is ScalingActivityInProgressException)
|| (e is Amazon.AutoScaling.Model.ResourceInUseException))
{
Console.WriteLine($"Some instances are still running. Waiting...");
Thread.Sleep(10000);
}
}
}
///
/// Terminate instances and delete the Auto Scaling group by name.
///
/// The name of the group to delete.
/// Async task.
public async Task TerminateAndDeleteAutoScalingGroupWithName(string groupName)
{
var describeGroupsResponse = await _amazonAutoScaling.DescribeAutoScalingGroupsAsync(
new DescribeAutoScalingGroupsRequest()
{
AutoScalingGroupNames = new List() { groupName }
});
if (describeGroupsResponse.AutoScalingGroups.Any())
{
// Update the size to 0.
await _amazonAutoScaling.UpdateAutoScalingGroupAsync(
new UpdateAutoScalingGroupRequest()
{
AutoScalingGroupName = groupName,
MinSize = 0
});
var group = describeGroupsResponse.AutoScalingGroups[0];
foreach (var instance in group.Instances)
{
await TryTerminateInstanceById(instance.InstanceId);
}
await TryDeleteGroupByName(groupName);
}
else
{
Console.WriteLine($"No groups found with name {groupName}.");
}
}
///
/// Get the default security group for a specified Vpc.
///
/// The Vpc to search.
/// The default security group.
public async Task GetDefaultSecurityGroupForVpc(Vpc vpc)
{
var groupResponse = await _amazonEc2.DescribeSecurityGroupsAsync(
new DescribeSecurityGroupsRequest()
{
Filters = new List()
{
new ("group-name", new List() { "default" }),
new ("vpc-id", new List() { vpc.VpcId })
}
});
return groupResponse.SecurityGroups[0];
}
///
/// Verify the default security group of a Vpc allows ingress from the calling computer.
/// This can be done by allowing ingress from this computer's IP address.
/// In some situations, such as connecting from a corporate network, you must instead specify
/// a prefix list Id. You can also temporarily open the port to any IP address while running this example.
/// If you do, be sure to remove public access when you're done.
///
/// The group to check.
/// The port to verify.
/// This computer's IP address.
/// True if the ip address is allowed on the group.
public bool VerifyInboundPortForGroup(SecurityGroup group, int port, string ipAddress)
{
var portIsOpen = false;
foreach (var ipPermission in group.IpPermissions)
{
if (ipPermission.FromPort == port)
{
foreach (var ipRange in ipPermission.Ipv4Ranges)
{
var cidr = ipRange.CidrIp;
if (cidr.StartsWith(ipAddress) || cidr == "0.0.0.0/0")
{
portIsOpen = true;
}
}
if (ipPermission.PrefixListIds.Any())
{
portIsOpen = true;
}
if (!portIsOpen)
{
Console.WriteLine("The inbound rule does not appear to be open to either this computer's IP\n" +
"address, to all IP addresses (0.0.0.0/0), or to a prefix list ID.");
}
else
{
break;
}
}
}
return portIsOpen;
}
///
/// Add an ingress rule to the specified security group that allows access on the
/// specified port from the specified IP address.
///
/// The Id of the security group to modify.
/// The port to open.
/// The IP address to allow access.
/// Async task.
public async Task OpenInboundPort(string groupId, int port, string ipAddress)
{
await _amazonEc2.AuthorizeSecurityGroupIngressAsync(
new AuthorizeSecurityGroupIngressRequest()
{
GroupId = groupId,
IpPermissions = new List()
{
new IpPermission()
{
FromPort = port,
ToPort = port,
IpProtocol = "tcp",
Ipv4Ranges = new List()
{
new IpRange() { CidrIp = $"{ipAddress}/32" }
}
}
}
});
}
///
/// Attaches an Elastic Load Balancing (ELB) target group to this EC2 Auto Scaling group.
/// The
///
/// The name of the Auto Scaling group.
/// The Arn for the target group.
/// Async task.
public async Task AttachLoadBalancerToGroup(string autoScalingGroupName, string targetGroupArn)
{
await _amazonAutoScaling.AttachLoadBalancerTargetGroupsAsync(
new AttachLoadBalancerTargetGroupsRequest()
{
AutoScalingGroupName = autoScalingGroupName,
TargetGroupARNs = new List() { targetGroupArn }
});
}
///
/// Wait until an EC2 instance is in a specified state.
///
/// The instance Id.
/// The state to wait for.
/// A Boolean value indicating the success of the action.
public async Task WaitForInstanceState(string instanceId, InstanceStateName stateName)
{
var request = new DescribeInstancesRequest
{
InstanceIds = new List { instanceId }
};
// Wait until the instance is in the specified state.
var hasState = false;
do
{
// Wait 5 seconds.
Thread.Sleep(5000);
// Check for the desired state.
var response = await _amazonEc2.DescribeInstancesAsync(request);
var instance = response.Reservations[0].Instances[0];
hasState = instance.State.Name == stateName;
Console.Write(". ");
} while (!hasState);
return hasState;
}
}
```
Crie uma classe que envolva ações do Elastic Load Balancing.
```
///
/// Encapsulates Elastic Load Balancer actions.
///
public class ElasticLoadBalancerWrapper
{
private readonly IAmazonElasticLoadBalancingV2 _amazonElasticLoadBalancingV2;
private string? _endpoint = null;
private readonly string _targetGroupName = "";
private readonly string _loadBalancerName = "";
HttpClient _httpClient = new();
public string TargetGroupName => _targetGroupName;
public string LoadBalancerName => _loadBalancerName;
///
/// Constructor for the Elastic Load Balancer wrapper.
///
/// The injected load balancing v2 client.
/// The injected configuration.
public ElasticLoadBalancerWrapper(
IAmazonElasticLoadBalancingV2 amazonElasticLoadBalancingV2,
IConfiguration configuration)
{
_amazonElasticLoadBalancingV2 = amazonElasticLoadBalancingV2;
var prefix = configuration["resourcePrefix"];
_targetGroupName = prefix + "-tg";
_loadBalancerName = prefix + "-lb";
}
///
/// Get the HTTP Endpoint of a load balancer by its name.
///
/// The name of the load balancer.
/// The HTTP endpoint.
public async Task GetEndpointForLoadBalancerByName(string loadBalancerName)
{
if (_endpoint == null)
{
var endpointResponse =
await _amazonElasticLoadBalancingV2.DescribeLoadBalancersAsync(
new DescribeLoadBalancersRequest()
{
Names = new List() { loadBalancerName }
});
_endpoint = endpointResponse.LoadBalancers[0].DNSName;
}
return _endpoint;
}
///
/// Return the GET response for an endpoint as text.
///
/// The endpoint for the request.
/// The request response.
public async Task GetEndPointResponse(string endpoint)
{
var endpointResponse = await _httpClient.GetAsync($"http://{endpoint}");
var textResponse = await endpointResponse.Content.ReadAsStringAsync();
return textResponse!;
}
///
/// Get the target health for a group by name.
///
/// The name of the group.
/// The collection of health descriptions.
public async Task> CheckTargetHealthForGroup(string groupName)
{
List result = null!;
try
{
var groupResponse =
await _amazonElasticLoadBalancingV2.DescribeTargetGroupsAsync(
new DescribeTargetGroupsRequest()
{
Names = new List() { groupName }
});
var healthResponse =
await _amazonElasticLoadBalancingV2.DescribeTargetHealthAsync(
new DescribeTargetHealthRequest()
{
TargetGroupArn = groupResponse.TargetGroups[0].TargetGroupArn
});
;
result = healthResponse.TargetHealthDescriptions;
}
catch (TargetGroupNotFoundException)
{
Console.WriteLine($"Target group {groupName} not found.");
}
return result;
}
///
/// Create an Elastic Load Balancing target group. The target group specifies how the load balancer forwards
/// requests to instances in the group and how instance health is checked.
///
/// To speed up this demo, the health check is configured with shortened times and lower thresholds. In production,
/// you might want to decrease the sensitivity of your health checks to avoid unwanted failures.
///
/// The name for the group.
/// The protocol, such as HTTP.
/// The port to use to forward requests, such as 80.
/// The Id of the Vpc in which the load balancer exists.
/// The new TargetGroup object.
public async Task CreateTargetGroupOnVpc(string groupName, ProtocolEnum protocol, int port, string vpcId)
{
var createResponse = await _amazonElasticLoadBalancingV2.CreateTargetGroupAsync(
new CreateTargetGroupRequest()
{
Name = groupName,
Protocol = protocol,
Port = port,
HealthCheckPath = "/healthcheck",
HealthCheckIntervalSeconds = 10,
HealthCheckTimeoutSeconds = 5,
HealthyThresholdCount = 2,
UnhealthyThresholdCount = 2,
VpcId = vpcId
});
var targetGroup = createResponse.TargetGroups[0];
return targetGroup;
}
///
/// Create an Elastic Load Balancing load balancer that uses the specified subnets
/// and forwards requests to the specified target group.
///
/// The name for the new load balancer.
/// Subnets for the load balancer.
/// Target group for forwarded requests.
/// The new LoadBalancer object.
public async Task CreateLoadBalancerAndListener(string name, List subnetIds, TargetGroup targetGroup)
{
var createLbResponse = await _amazonElasticLoadBalancingV2.CreateLoadBalancerAsync(
new CreateLoadBalancerRequest()
{
Name = name,
Subnets = subnetIds
});
var loadBalancerArn = createLbResponse.LoadBalancers[0].LoadBalancerArn;
// Wait for load balancer to be available.
var loadBalancerReady = false;
while (!loadBalancerReady)
{
try
{
var describeResponse =
await _amazonElasticLoadBalancingV2.DescribeLoadBalancersAsync(
new DescribeLoadBalancersRequest()
{
Names = new List() { name }
});
var loadBalancerState = describeResponse.LoadBalancers[0].State.Code;
loadBalancerReady = loadBalancerState == LoadBalancerStateEnum.Active;
}
catch (LoadBalancerNotFoundException)
{
loadBalancerReady = false;
}
Thread.Sleep(10000);
}
// Create the listener.
await _amazonElasticLoadBalancingV2.CreateListenerAsync(
new CreateListenerRequest()
{
LoadBalancerArn = loadBalancerArn,
Protocol = targetGroup.Protocol,
Port = targetGroup.Port,
DefaultActions = new List()
{
new Action()
{
Type = ActionTypeEnum.Forward,
TargetGroupArn = targetGroup.TargetGroupArn
}
}
});
return createLbResponse.LoadBalancers[0];
}
///
/// Verify this computer can successfully send a GET request to the
/// load balancer endpoint.
///
/// The endpoint to check.
/// True if successful.
public async Task VerifyLoadBalancerEndpoint(string endpoint)
{
var success = false;
var retries = 3;
while (!success && retries > 0)
{
try
{
var endpointResponse = await _httpClient.GetAsync($"http://{endpoint}");
Console.WriteLine($"Response: {endpointResponse.StatusCode}.");
if (endpointResponse.IsSuccessStatusCode)
{
success = true;
}
else
{
retries = 0;
}
}
catch (HttpRequestException)
{
Console.WriteLine("Connection error, retrying...");
retries--;
Thread.Sleep(10000);
}
}
return success;
}
///
/// Delete a load balancer by its specified name.
///
/// The name of the load balancer to delete.
/// Async task.
public async Task DeleteLoadBalancerByName(string name)
{
try
{
var describeLoadBalancerResponse =
await _amazonElasticLoadBalancingV2.DescribeLoadBalancersAsync(
new DescribeLoadBalancersRequest()
{
Names = new List() { name }
});
var lbArn = describeLoadBalancerResponse.LoadBalancers[0].LoadBalancerArn;
await _amazonElasticLoadBalancingV2.DeleteLoadBalancerAsync(
new DeleteLoadBalancerRequest()
{
LoadBalancerArn = lbArn
}
);
}
catch (LoadBalancerNotFoundException)
{
Console.WriteLine($"Load balancer {name} not found.");
}
}
///
/// Delete a TargetGroup by its specified name.
///
/// Name of the group to delete.
/// Async task.
public async Task DeleteTargetGroupByName(string groupName)
{
var done = false;
while (!done)
{
try
{
var groupResponse =
await _amazonElasticLoadBalancingV2.DescribeTargetGroupsAsync(
new DescribeTargetGroupsRequest()
{
Names = new List() { groupName }
});
var targetArn = groupResponse.TargetGroups[0].TargetGroupArn;
await _amazonElasticLoadBalancingV2.DeleteTargetGroupAsync(
new DeleteTargetGroupRequest() { TargetGroupArn = targetArn });
Console.WriteLine($"Deleted load balancing target group {groupName}.");
done = true;
}
catch (TargetGroupNotFoundException)
{
Console.WriteLine(
$"Target group {groupName} not found, could not delete.");
done = true;
}
catch (ResourceInUseException)
{
Console.WriteLine("Target group not yet released, waiting...");
Thread.Sleep(10000);
}
}
}
}
```
Crie uma classe que use o DynamoDB para simular um serviço de recomendação.
```
///
/// Encapsulates a DynamoDB table to use as a service that recommends books, movies, and songs.
///
public class Recommendations
{
private readonly IAmazonDynamoDB _amazonDynamoDb;
private readonly DynamoDBContext _context;
private readonly string _tableName;
public string TableName => _tableName;
///
/// Constructor for the Recommendations service.
///
/// The injected DynamoDb client.
/// The injected configuration.
public Recommendations(IAmazonDynamoDB amazonDynamoDb, IConfiguration configuration)
{
_amazonDynamoDb = amazonDynamoDb;
_context = new DynamoDBContext(_amazonDynamoDb);
_tableName = configuration["databaseName"]!;
}
///
/// Create the DynamoDb table with a specified name.
///
/// The name for the table.
/// True when ready.
public async Task CreateDatabaseWithName(string tableName)
{
try
{
Console.Write($"Creating table {tableName}...");
var createRequest = new CreateTableRequest()
{
TableName = tableName,
AttributeDefinitions = new List()
{
new AttributeDefinition()
{
AttributeName = "MediaType",
AttributeType = ScalarAttributeType.S
},
new AttributeDefinition()
{
AttributeName = "ItemId",
AttributeType = ScalarAttributeType.N
}
},
KeySchema = new List()
{
new KeySchemaElement()
{
AttributeName = "MediaType",
KeyType = KeyType.HASH
},
new KeySchemaElement()
{
AttributeName = "ItemId",
KeyType = KeyType.RANGE
}
},
ProvisionedThroughput = new ProvisionedThroughput()
{
ReadCapacityUnits = 5,
WriteCapacityUnits = 5
}
};
await _amazonDynamoDb.CreateTableAsync(createRequest);
// Wait until the table is ACTIVE and then report success.
Console.Write("\nWaiting for table to become active...");
var request = new DescribeTableRequest
{
TableName = tableName
};
TableStatus status;
do
{
Thread.Sleep(2000);
var describeTableResponse = await _amazonDynamoDb.DescribeTableAsync(request);
status = describeTableResponse.Table.TableStatus;
Console.Write(".");
}
while (status != "ACTIVE");
return status == TableStatus.ACTIVE;
}
catch (ResourceInUseException)
{
Console.WriteLine($"Table {tableName} already exists.");
return false;
}
}
///
/// Populate the database table with data from a specified path.
///
/// The name of the table.
/// The path of the recommendations data.
/// Async task.
public async Task PopulateDatabase(string databaseTableName, string recommendationsPath)
{
var recommendationsText = await File.ReadAllTextAsync(recommendationsPath);
var records =
JsonSerializer.Deserialize(recommendationsText);
var batchWrite = _context.CreateBatchWrite();
foreach (var record in records!)
{
batchWrite.AddPutItem(record);
}
await batchWrite.ExecuteAsync();
}
///
/// Delete the recommendation table by name.
///
/// The name of the recommendation table.
/// Async task.
public async Task DestroyDatabaseByName(string tableName)
{
try
{
await _amazonDynamoDb.DeleteTableAsync(
new DeleteTableRequest() { TableName = tableName });
Console.WriteLine($"Table {tableName} was deleted.");
}
catch (ResourceNotFoundException)
{
Console.WriteLine($"Table {tableName} not found");
}
}
}
```
Crie uma classe que envolva as ações do Systems Manager.
```
///
/// Encapsulates Systems Manager parameter operations. This example uses these parameters
/// to drive the demonstration of resilient architecture, such as failure of a dependency or
/// how the service responds to a health check.
///
public class SmParameterWrapper
{
private readonly IAmazonSimpleSystemsManagement _amazonSimpleSystemsManagement;
private readonly string _tableParameter = "doc-example-resilient-architecture-table";
private readonly string _failureResponseParameter = "doc-example-resilient-architecture-failure-response";
private readonly string _healthCheckParameter = "doc-example-resilient-architecture-health-check";
private readonly string _tableName = "";
public string TableParameter => _tableParameter;
public string TableName => _tableName;
public string HealthCheckParameter => _healthCheckParameter;
public string FailureResponseParameter => _failureResponseParameter;
///
/// Constructor for the SmParameterWrapper.
///
/// The injected Simple Systems Management client.
/// The injected configuration.
public SmParameterWrapper(IAmazonSimpleSystemsManagement amazonSimpleSystemsManagement, IConfiguration configuration)
{
_amazonSimpleSystemsManagement = amazonSimpleSystemsManagement;
_tableName = configuration["databaseName"]!;
}
///
/// Reset the Systems Manager parameters to starting values for the demo.
///
/// Async task.
public async Task Reset()
{
await this.PutParameterByName(_tableParameter, _tableName);
await this.PutParameterByName(_failureResponseParameter, "none");
await this.PutParameterByName(_healthCheckParameter, "shallow");
}
///
/// Set the value of a named Systems Manager parameter.
///
/// The name of the parameter.
/// The value to set.
/// Async task.
public async Task PutParameterByName(string name, string value)
{
await _amazonSimpleSystemsManagement.PutParameterAsync(
new PutParameterRequest() { Name = name, Value = value, Overwrite = true });
}
}
```
+ Consulte detalhes da API nos tópicos a seguir na *Referência de API do AWS SDK para .NET*.
+ [AttachLoadBalancerTargetGroups](https://docs.aws.amazon.com/goto/DotNetSDKV3/autoscaling-2011-01-01/AttachLoadBalancerTargetGroups)
+ [CreateAutoScalingGroup](https://docs.aws.amazon.com/goto/DotNetSDKV3/autoscaling-2011-01-01/CreateAutoScalingGroup)
+ [CreateInstanceProfile](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateInstanceProfile)
+ [CreateLaunchTemplate](https://docs.aws.amazon.com/goto/DotNetSDKV3/ec2-2016-11-15/CreateLaunchTemplate)
+ [CreateListener](https://docs.aws.amazon.com/goto/DotNetSDKV3/elasticloadbalancingv2-2015-12-01/CreateListener)
+ [CreateLoadBalancer](https://docs.aws.amazon.com/goto/DotNetSDKV3/elasticloadbalancingv2-2015-12-01/CreateLoadBalancer)
+ [CreateTargetGroup](https://docs.aws.amazon.com/goto/DotNetSDKV3/elasticloadbalancingv2-2015-12-01/CreateTargetGroup)
+ [DeleteAutoScalingGroup](https://docs.aws.amazon.com/goto/DotNetSDKV3/autoscaling-2011-01-01/DeleteAutoScalingGroup)
+ [DeleteInstanceProfile](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteInstanceProfile)
+ [DeleteLaunchTemplate](https://docs.aws.amazon.com/goto/DotNetSDKV3/ec2-2016-11-15/DeleteLaunchTemplate)
+ [DeleteLoadBalancer](https://docs.aws.amazon.com/goto/DotNetSDKV3/elasticloadbalancingv2-2015-12-01/DeleteLoadBalancer)
+ [DeleteTargetGroup](https://docs.aws.amazon.com/goto/DotNetSDKV3/elasticloadbalancingv2-2015-12-01/DeleteTargetGroup)
+ [DescribeAutoScalingGroups](https://docs.aws.amazon.com/goto/DotNetSDKV3/autoscaling-2011-01-01/DescribeAutoScalingGroups)
+ [DescribeAvailabilityZones](https://docs.aws.amazon.com/goto/DotNetSDKV3/ec2-2016-11-15/DescribeAvailabilityZones)
+ [DescribeIamInstanceProfileAssociations](https://docs.aws.amazon.com/goto/DotNetSDKV3/ec2-2016-11-15/DescribeIamInstanceProfileAssociations)
+ [DescribeInstances](https://docs.aws.amazon.com/goto/DotNetSDKV3/ec2-2016-11-15/DescribeInstances)
+ [DescribeLoadBalancers](https://docs.aws.amazon.com/goto/DotNetSDKV3/elasticloadbalancingv2-2015-12-01/DescribeLoadBalancers)
+ [DescribeSubnets](https://docs.aws.amazon.com/goto/DotNetSDKV3/ec2-2016-11-15/DescribeSubnets)
+ [DescribeTargetGroups](https://docs.aws.amazon.com/goto/DotNetSDKV3/elasticloadbalancingv2-2015-12-01/DescribeTargetGroups)
+ [DescribeTargetHealth](https://docs.aws.amazon.com/goto/DotNetSDKV3/elasticloadbalancingv2-2015-12-01/DescribeTargetHealth)
+ [DescribeVpcs](https://docs.aws.amazon.com/goto/DotNetSDKV3/ec2-2016-11-15/DescribeVpcs)
+ [RebootInstances](https://docs.aws.amazon.com/goto/DotNetSDKV3/ec2-2016-11-15/RebootInstances)
+ [ReplaceIamInstanceProfileAssociation](https://docs.aws.amazon.com/goto/DotNetSDKV3/ec2-2016-11-15/ReplaceIamInstanceProfileAssociation)
+ [TerminateInstanceInAutoScalingGroup](https://docs.aws.amazon.com/goto/DotNetSDKV3/autoscaling-2011-01-01/TerminateInstanceInAutoScalingGroup)
+ [UpdateAutoScalingGroup](https://docs.aws.amazon.com/goto/DotNetSDKV3/autoscaling-2011-01-01/UpdateAutoScalingGroup)
------
#### [ Java ]
**SDK para Java 2.x**
Há mais no GitHub. Encontre o exemplo completo e saiba como configurar e executar no [AWSCode Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/usecases/resilient_service#code-examples).
Execute o cenário interativo em um prompt de comando.
```
public class Main {
public static final String fileName = "C:\\AWS\\resworkflow\\recommendations.json"; // Modify file location.
public static final String tableName = "doc-example-recommendation-service";
public static final String startScript = "C:\\AWS\\resworkflow\\server_startup_script.sh"; // Modify file location.
public static final String policyFile = "C:\\AWS\\resworkflow\\instance_policy.json"; // Modify file location.
public static final String ssmJSON = "C:\\AWS\\resworkflow\\ssm_only_policy.json"; // Modify file location.
public static final String failureResponse = "doc-example-resilient-architecture-failure-response";
public static final String healthCheck = "doc-example-resilient-architecture-health-check";
public static final String templateName = "doc-example-resilience-template";
public static final String roleName = "doc-example-resilience-role";
public static final String policyName = "doc-example-resilience-pol";
public static final String profileName = "doc-example-resilience-prof";
public static final String badCredsProfileName = "doc-example-resilience-prof-bc";
public static final String targetGroupName = "doc-example-resilience-tg";
public static final String autoScalingGroupName = "doc-example-resilience-group";
public static final String lbName = "doc-example-resilience-lb";
public static final String protocol = "HTTP";
public static final int port = 80;
public static final String DASHES = new String(new char[80]).replace("\0", "-");
public static void main(String[] args) throws IOException, InterruptedException {
Scanner in = new Scanner(System.in);
Database database = new Database();
AutoScaler autoScaler = new AutoScaler();
LoadBalancer loadBalancer = new LoadBalancer();
System.out.println(DASHES);
System.out.println("Welcome to the demonstration of How to Build and Manage a Resilient Service!");
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("A - SETUP THE RESOURCES");
System.out.println("Press Enter when you're ready to start deploying resources.");
in.nextLine();
deploy(loadBalancer);
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("B - DEMO THE RESILIENCE FUNCTIONALITY");
System.out.println("Press Enter when you're ready.");
in.nextLine();
demo(loadBalancer);
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("C - DELETE THE RESOURCES");
System.out.println("""
This concludes the demo of how to build and manage a resilient service.
To keep things tidy and to avoid unwanted charges on your account, we can clean up all AWS resources
that were created for this demo.
""");
System.out.println("\n Do you want to delete the resources (y/n)? ");
String userInput = in.nextLine().trim().toLowerCase(); // Capture user input
if (userInput.equals("y")) {
// Delete resources here
deleteResources(loadBalancer, autoScaler, database);
System.out.println("Resources deleted.");
} else {
System.out.println("""
Okay, we'll leave the resources intact.
Don't forget to delete them when you're done with them or you might incur unexpected charges.
""");
}
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("The example has completed. ");
System.out.println("\n Thanks for watching!");
System.out.println(DASHES);
}
// Deletes the AWS resources used in this example.
private static void deleteResources(LoadBalancer loadBalancer, AutoScaler autoScaler, Database database)
throws IOException, InterruptedException {
loadBalancer.deleteLoadBalancer(lbName);
System.out.println("*** Wait 30 secs for resource to be deleted");
TimeUnit.SECONDS.sleep(30);
loadBalancer.deleteTargetGroup(targetGroupName);
autoScaler.deleteAutoScaleGroup(autoScalingGroupName);
autoScaler.deleteRolesPolicies(policyName, roleName, profileName);
autoScaler.deleteTemplate(templateName);
database.deleteTable(tableName);
}
private static void deploy(LoadBalancer loadBalancer) throws InterruptedException, IOException {
Scanner in = new Scanner(System.in);
System.out.println(
"""
For this demo, we'll use the AWS SDK for Java (v2) to create several AWS resources
to set up a load-balanced web service endpoint and explore some ways to make it resilient
against various kinds of failures.
Some of the resources create by this demo are:
\t* A DynamoDB table that the web service depends on to provide book, movie, and song recommendations.
\t* An EC2 launch template that defines EC2 instances that each contain a Python web server.
\t* An EC2 Auto Scaling group that manages EC2 instances across several Availability Zones.
\t* An Elastic Load Balancing (ELB) load balancer that targets the Auto Scaling group to distribute requests.
""");
System.out.println("Press Enter when you're ready.");
in.nextLine();
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("Creating and populating a DynamoDB table named " + tableName);
Database database = new Database();
database.createTable(tableName, fileName);
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("""
Creating an EC2 launch template that runs '{startup_script}' when an instance starts.
This script starts a Python web server defined in the `server.py` script. The web server
listens to HTTP requests on port 80 and responds to requests to '/' and to '/healthcheck'.
For demo purposes, this server is run as the root user. In production, the best practice is to
run a web server, such as Apache, with least-privileged credentials.
The template also defines an IAM policy that each instance uses to assume a role that grants
permissions to access the DynamoDB recommendation table and Systems Manager parameters
that control the flow of the demo.
""");
LaunchTemplateCreator templateCreator = new LaunchTemplateCreator();
templateCreator.createTemplate(policyFile, policyName, profileName, startScript, templateName, roleName);
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println(
"Creating an EC2 Auto Scaling group that maintains three EC2 instances, each in a different Availability Zone.");
System.out.println("*** Wait 30 secs for the VPC to be created");
TimeUnit.SECONDS.sleep(30);
AutoScaler autoScaler = new AutoScaler();
String[] zones = autoScaler.createGroup(3, templateName, autoScalingGroupName);
System.out.println("""
At this point, you have EC2 instances created. Once each instance starts, it listens for
HTTP requests. You can see these instances in the console or continue with the demo.
Press Enter when you're ready to continue.
""");
in.nextLine();
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("Creating variables that control the flow of the demo.");
ParameterHelper paramHelper = new ParameterHelper();
paramHelper.reset();
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("""
Creating an Elastic Load Balancing target group and load balancer. The target group
defines how the load balancer connects to instances. The load balancer provides a
single endpoint where clients connect and dispatches requests to instances in the group.
""");
String vpcId = autoScaler.getDefaultVPC();
List subnets = autoScaler.getSubnets(vpcId, zones);
System.out.println("You have retrieved a list with " + subnets.size() + " subnets");
String targetGroupArn = loadBalancer.createTargetGroup(protocol, port, vpcId, targetGroupName);
String elbDnsName = loadBalancer.createLoadBalancer(subnets, targetGroupArn, lbName, port, protocol);
autoScaler.attachLoadBalancerTargetGroup(autoScalingGroupName, targetGroupArn);
System.out.println("Verifying access to the load balancer endpoint...");
boolean wasSuccessul = loadBalancer.verifyLoadBalancerEndpoint(elbDnsName);
if (!wasSuccessul) {
System.out.println("Couldn't connect to the load balancer, verifying that the port is open...");
CloseableHttpClient httpClient = HttpClients.createDefault();
// Create an HTTP GET request to "http://checkip.amazonaws.com"
HttpGet httpGet = new HttpGet("http://checkip.amazonaws.com");
try {
// Execute the request and get the response
HttpResponse response = httpClient.execute(httpGet);
// Read the response content.
String ipAddress = IOUtils.toString(response.getEntity().getContent(), StandardCharsets.UTF_8).trim();
// Print the public IP address.
System.out.println("Public IP Address: " + ipAddress);
GroupInfo groupInfo = autoScaler.verifyInboundPort(vpcId, port, ipAddress);
if (!groupInfo.isPortOpen()) {
System.out.println("""
For this example to work, the default security group for your default VPC must
allow access from this computer. You can either add it automatically from this
example or add it yourself using the AWS Management Console.
""");
System.out.println(
"Do you want to add a rule to security group " + groupInfo.getGroupName() + " to allow");
System.out.println("inbound traffic on port " + port + " from your computer's IP address (y/n) ");
String ans = in.nextLine();
if ("y".equalsIgnoreCase(ans)) {
autoScaler.openInboundPort(groupInfo.getGroupName(), String.valueOf(port), ipAddress);
System.out.println("Security group rule added.");
} else {
System.out.println("No security group rule added.");
}
}
} catch (AutoScalingException e) {
e.printStackTrace();
}
} else if (wasSuccessul) {
System.out.println("Your load balancer is ready. You can access it by browsing to:");
System.out.println("\t http://" + elbDnsName);
} else {
System.out.println("Couldn't get a successful response from the load balancer endpoint. Troubleshoot by");
System.out.println("manually verifying that your VPC and security group are configured correctly and that");
System.out.println("you can successfully make a GET request to the load balancer.");
}
System.out.println("Press Enter when you're ready to continue with the demo.");
in.nextLine();
}
// A method that controls the demo part of the Java program.
public static void demo(LoadBalancer loadBalancer) throws IOException, InterruptedException {
ParameterHelper paramHelper = new ParameterHelper();
System.out.println("Read the ssm_only_policy.json file");
String ssmOnlyPolicy = readFileAsString(ssmJSON);
System.out.println("Resetting parameters to starting values for demo.");
paramHelper.reset();
System.out.println(
"""
This part of the demonstration shows how to toggle different parts of the system
to create situations where the web service fails, and shows how using a resilient
architecture can keep the web service running in spite of these failures.
At the start, the load balancer endpoint returns recommendations and reports that all targets are healthy.
""");
demoChoices(loadBalancer);
System.out.println(
"""
The web service running on the EC2 instances gets recommendations by querying a DynamoDB table.
The table name is contained in a Systems Manager parameter named self.param_helper.table.
To simulate a failure of the recommendation service, let's set this parameter to name a non-existent table.
""");
paramHelper.put(paramHelper.tableName, "this-is-not-a-table");
System.out.println(
"""
\nNow, sending a GET request to the load balancer endpoint returns a failure code. But, the service reports as
healthy to the load balancer because shallow health checks don't check for failure of the recommendation service.
""");
demoChoices(loadBalancer);
System.out.println(
"""
Instead of failing when the recommendation service fails, the web service can return a static response.
While this is not a perfect solution, it presents the customer with a somewhat better experience than failure.
""");
paramHelper.put(paramHelper.failureResponse, "static");
System.out.println("""
Now, sending a GET request to the load balancer endpoint returns a static response.
The service still reports as healthy because health checks are still shallow.
""");
demoChoices(loadBalancer);
System.out.println("Let's reinstate the recommendation service.");
paramHelper.put(paramHelper.tableName, paramHelper.dyntable);
System.out.println("""
Let's also substitute bad credentials for one of the instances in the target group so that it can't
access the DynamoDB recommendation table. We will get an instance id value.
""");
LaunchTemplateCreator templateCreator = new LaunchTemplateCreator();
AutoScaler autoScaler = new AutoScaler();
// Create a new instance profile based on badCredsProfileName.
templateCreator.createInstanceProfile(policyFile, policyName, badCredsProfileName, roleName);
String badInstanceId = autoScaler.getBadInstance(autoScalingGroupName);
System.out.println("The bad instance id values used for this demo is " + badInstanceId);
String profileAssociationId = autoScaler.getInstanceProfile(badInstanceId);
System.out.println("The association Id value is " + profileAssociationId);
System.out.println("Replacing the profile for instance " + badInstanceId
+ " with a profile that contains bad credentials");
autoScaler.replaceInstanceProfile(badInstanceId, badCredsProfileName, profileAssociationId);
System.out.println(
"""
Now, sending a GET request to the load balancer endpoint returns either a recommendation or a static response,
depending on which instance is selected by the load balancer.
""");
demoChoices(loadBalancer);
System.out.println("""
Let's implement a deep health check. For this demo, a deep health check tests whether
the web service can access the DynamoDB table that it depends on for recommendations. Note that
the deep health check is only for ELB routing and not for Auto Scaling instance health.
This kind of deep health check is not recommended for Auto Scaling instance health, because it
risks accidental termination of all instances in the Auto Scaling group when a dependent service fails.
""");
System.out.println("""
By implementing deep health checks, the load balancer can detect when one of the instances is failing
and take that instance out of rotation.
""");
paramHelper.put(paramHelper.healthCheck, "deep");
System.out.println("""
Now, checking target health indicates that the instance with bad credentials
is unhealthy. Note that it might take a minute or two for the load balancer to detect the unhealthy
instance. Sending a GET request to the load balancer endpoint always returns a recommendation, because
the load balancer takes unhealthy instances out of its rotation.
""");
demoChoices(loadBalancer);
System.out.println(
"""
Because the instances in this demo are controlled by an auto scaler, the simplest way to fix an unhealthy
instance is to terminate it and let the auto scaler start a new instance to replace it.
""");
autoScaler.terminateInstance(badInstanceId);
System.out.println("""
Even while the instance is terminating and the new instance is starting, sending a GET
request to the web service continues to get a successful recommendation response because
the load balancer routes requests to the healthy instances. After the replacement instance
starts and reports as healthy, it is included in the load balancing rotation.
Note that terminating and replacing an instance typically takes several minutes, during which time you
can see the changing health check status until the new instance is running and healthy.
""");
demoChoices(loadBalancer);
System.out.println(
"If the recommendation service fails now, deep health checks mean all instances report as unhealthy.");
paramHelper.put(paramHelper.tableName, "this-is-not-a-table");
demoChoices(loadBalancer);
paramHelper.reset();
}
public static void demoChoices(LoadBalancer loadBalancer) throws IOException, InterruptedException {
String[] actions = {
"Send a GET request to the load balancer endpoint.",
"Check the health of load balancer targets.",
"Go to the next part of the demo."
};
Scanner scanner = new Scanner(System.in);
while (true) {
System.out.println("-".repeat(88));
System.out.println("See the current state of the service by selecting one of the following choices:");
for (int i = 0; i < actions.length; i++) {
System.out.println(i + ": " + actions[i]);
}
try {
System.out.print("\nWhich action would you like to take? ");
int choice = scanner.nextInt();
System.out.println("-".repeat(88));
switch (choice) {
case 0 -> {
System.out.println("Request:\n");
System.out.println("GET http://" + loadBalancer.getEndpoint(lbName));
CloseableHttpClient httpClient = HttpClients.createDefault();
// Create an HTTP GET request to the ELB.
HttpGet httpGet = new HttpGet("http://" + loadBalancer.getEndpoint(lbName));
// Execute the request and get the response.
HttpResponse response = httpClient.execute(httpGet);
int statusCode = response.getStatusLine().getStatusCode();
System.out.println("HTTP Status Code: " + statusCode);
// Display the JSON response
BufferedReader reader = new BufferedReader(
new InputStreamReader(response.getEntity().getContent()));
StringBuilder jsonResponse = new StringBuilder();
String line;
while ((line = reader.readLine()) != null) {
jsonResponse.append(line);
}
reader.close();
// Print the formatted JSON response.
System.out.println("Full Response:\n");
System.out.println(jsonResponse.toString());
// Close the HTTP client.
httpClient.close();
}
case 1 -> {
System.out.println("\nChecking the health of load balancer targets:\n");
List health = loadBalancer.checkTargetHealth(targetGroupName);
for (TargetHealthDescription target : health) {
System.out.printf("\tTarget %s on port %d is %s%n", target.target().id(),
target.target().port(), target.targetHealth().stateAsString());
}
System.out.println("""
Note that it can take a minute or two for the health check to update
after changes are made.
""");
}
case 2 -> {
System.out.println("\nOkay, let's move on.");
System.out.println("-".repeat(88));
return; // Exit the method when choice is 2
}
default -> System.out.println("You must choose a value between 0-2. Please select again.");
}
} catch (java.util.InputMismatchException e) {
System.out.println("Invalid input. Please select again.");
scanner.nextLine(); // Clear the input buffer.
}
}
}
public static String readFileAsString(String filePath) throws IOException {
byte[] bytes = Files.readAllBytes(Paths.get(filePath));
return new String(bytes);
}
}
```
Crie uma classe que envolva ações do Auto Scaling e do Amazon EC2.
```
public class AutoScaler {
private static Ec2Client ec2Client;
private static AutoScalingClient autoScalingClient;
private static IamClient iamClient;
private static SsmClient ssmClient;
private IamClient getIAMClient() {
if (iamClient == null) {
iamClient = IamClient.builder()
.region(Region.US_EAST_1)
.build();
}
return iamClient;
}
private SsmClient getSSMClient() {
if (ssmClient == null) {
ssmClient = SsmClient.builder()
.region(Region.US_EAST_1)
.build();
}
return ssmClient;
}
private Ec2Client getEc2Client() {
if (ec2Client == null) {
ec2Client = Ec2Client.builder()
.region(Region.US_EAST_1)
.build();
}
return ec2Client;
}
private AutoScalingClient getAutoScalingClient() {
if (autoScalingClient == null) {
autoScalingClient = AutoScalingClient.builder()
.region(Region.US_EAST_1)
.build();
}
return autoScalingClient;
}
/**
* Terminates and instances in an EC2 Auto Scaling group. After an instance is
* terminated, it can no longer be accessed.
*/
public void terminateInstance(String instanceId) {
TerminateInstanceInAutoScalingGroupRequest terminateInstanceIRequest = TerminateInstanceInAutoScalingGroupRequest
.builder()
.instanceId(instanceId)
.shouldDecrementDesiredCapacity(false)
.build();
getAutoScalingClient().terminateInstanceInAutoScalingGroup(terminateInstanceIRequest);
System.out.format("Terminated instance %s.", instanceId);
}
/**
* Replaces the profile associated with a running instance. After the profile is
* replaced, the instance is rebooted to ensure that it uses the new profile.
* When
* the instance is ready, Systems Manager is used to restart the Python web
* server.
*/
public void replaceInstanceProfile(String instanceId, String newInstanceProfileName, String profileAssociationId)
throws InterruptedException {
// Create an IAM instance profile specification.
software.amazon.awssdk.services.ec2.model.IamInstanceProfileSpecification iamInstanceProfile = software.amazon.awssdk.services.ec2.model.IamInstanceProfileSpecification
.builder()
.name(newInstanceProfileName) // Make sure 'newInstanceProfileName' is a valid IAM Instance Profile
// name.
.build();
// Replace the IAM instance profile association for the EC2 instance.
ReplaceIamInstanceProfileAssociationRequest replaceRequest = ReplaceIamInstanceProfileAssociationRequest
.builder()
.iamInstanceProfile(iamInstanceProfile)
.associationId(profileAssociationId) // Make sure 'profileAssociationId' is a valid association ID.
.build();
try {
getEc2Client().replaceIamInstanceProfileAssociation(replaceRequest);
// Handle the response as needed.
} catch (Ec2Exception e) {
// Handle exceptions, log, or report the error.
System.err.println("Error: " + e.getMessage());
}
System.out.format("Replaced instance profile for association %s with profile %s.", profileAssociationId,
newInstanceProfileName);
TimeUnit.SECONDS.sleep(15);
boolean instReady = false;
int tries = 0;
// Reboot after 60 seconds
while (!instReady) {
if (tries % 6 == 0) {
getEc2Client().rebootInstances(RebootInstancesRequest.builder()
.instanceIds(instanceId)
.build());
System.out.println("Rebooting instance " + instanceId + " and waiting for it to be ready.");
}
tries++;
try {
TimeUnit.SECONDS.sleep(10);
} catch (InterruptedException e) {
e.printStackTrace();
}
DescribeInstanceInformationResponse informationResponse = getSSMClient().describeInstanceInformation();
List instanceInformationList = informationResponse.instanceInformationList();
for (InstanceInformation info : instanceInformationList) {
if (info.instanceId().equals(instanceId)) {
instReady = true;
break;
}
}
}
SendCommandRequest sendCommandRequest = SendCommandRequest.builder()
.instanceIds(instanceId)
.documentName("AWS-RunShellScript")
.parameters(Collections.singletonMap("commands",
Collections.singletonList("cd / && sudo python3 server.py 80")))
.build();
getSSMClient().sendCommand(sendCommandRequest);
System.out.println("Restarted the Python web server on instance " + instanceId + ".");
}
public void openInboundPort(String secGroupId, String port, String ipAddress) {
AuthorizeSecurityGroupIngressRequest ingressRequest = AuthorizeSecurityGroupIngressRequest.builder()
.groupName(secGroupId)
.cidrIp(ipAddress)
.fromPort(Integer.parseInt(port))
.build();
getEc2Client().authorizeSecurityGroupIngress(ingressRequest);
System.out.format("Authorized ingress to %s on port %s from %s.", secGroupId, port, ipAddress);
}
/**
* Detaches a role from an instance profile, detaches policies from the role,
* and deletes all the resources.
*/
public void deleteInstanceProfile(String roleName, String profileName) {
try {
software.amazon.awssdk.services.iam.model.GetInstanceProfileRequest getInstanceProfileRequest = software.amazon.awssdk.services.iam.model.GetInstanceProfileRequest
.builder()
.instanceProfileName(profileName)
.build();
GetInstanceProfileResponse response = getIAMClient().getInstanceProfile(getInstanceProfileRequest);
String name = response.instanceProfile().instanceProfileName();
System.out.println(name);
RemoveRoleFromInstanceProfileRequest profileRequest = RemoveRoleFromInstanceProfileRequest.builder()
.instanceProfileName(profileName)
.roleName(roleName)
.build();
getIAMClient().removeRoleFromInstanceProfile(profileRequest);
DeleteInstanceProfileRequest deleteInstanceProfileRequest = DeleteInstanceProfileRequest.builder()
.instanceProfileName(profileName)
.build();
getIAMClient().deleteInstanceProfile(deleteInstanceProfileRequest);
System.out.println("Deleted instance profile " + profileName);
DeleteRoleRequest deleteRoleRequest = DeleteRoleRequest.builder()
.roleName(roleName)
.build();
// List attached role policies.
ListAttachedRolePoliciesResponse rolesResponse = getIAMClient()
.listAttachedRolePolicies(role -> role.roleName(roleName));
List attachedPolicies = rolesResponse.attachedPolicies();
for (AttachedPolicy attachedPolicy : attachedPolicies) {
DetachRolePolicyRequest request = DetachRolePolicyRequest.builder()
.roleName(roleName)
.policyArn(attachedPolicy.policyArn())
.build();
getIAMClient().detachRolePolicy(request);
System.out.println("Detached and deleted policy " + attachedPolicy.policyName());
}
getIAMClient().deleteRole(deleteRoleRequest);
System.out.println("Instance profile and role deleted.");
} catch (IamException e) {
System.err.println(e.getMessage());
System.exit(1);
}
}
public void deleteTemplate(String templateName) {
getEc2Client().deleteLaunchTemplate(name -> name.launchTemplateName(templateName));
System.out.format(templateName + " was deleted.");
}
public void deleteAutoScaleGroup(String groupName) {
DeleteAutoScalingGroupRequest deleteAutoScalingGroupRequest = DeleteAutoScalingGroupRequest.builder()
.autoScalingGroupName(groupName)
.forceDelete(true)
.build();
getAutoScalingClient().deleteAutoScalingGroup(deleteAutoScalingGroupRequest);
System.out.println(groupName + " was deleted.");
}
/*
* Verify the default security group of the specified VPC allows ingress from
* this
* computer. This can be done by allowing ingress from this computer's IP
* address. In some situations, such as connecting from a corporate network, you
* must instead specify a prefix list ID. You can also temporarily open the port
* to
* any IP address while running this example. If you do, be sure to remove
* public
* access when you're done.
*
*/
public GroupInfo verifyInboundPort(String VPC, int port, String ipAddress) {
boolean portIsOpen = false;
GroupInfo groupInfo = new GroupInfo();
try {
Filter filter = Filter.builder()
.name("group-name")
.values("default")
.build();
Filter filter1 = Filter.builder()
.name("vpc-id")
.values(VPC)
.build();
DescribeSecurityGroupsRequest securityGroupsRequest = DescribeSecurityGroupsRequest.builder()
.filters(filter, filter1)
.build();
DescribeSecurityGroupsResponse securityGroupsResponse = getEc2Client()
.describeSecurityGroups(securityGroupsRequest);
String securityGroup = securityGroupsResponse.securityGroups().get(0).groupName();
groupInfo.setGroupName(securityGroup);
for (SecurityGroup secGroup : securityGroupsResponse.securityGroups()) {
System.out.println("Found security group: " + secGroup.groupId());
for (IpPermission ipPermission : secGroup.ipPermissions()) {
if (ipPermission.fromPort() == port) {
System.out.println("Found inbound rule: " + ipPermission);
for (IpRange ipRange : ipPermission.ipRanges()) {
String cidrIp = ipRange.cidrIp();
if (cidrIp.startsWith(ipAddress) || cidrIp.equals("0.0.0.0/0")) {
System.out.println(cidrIp + " is applicable");
portIsOpen = true;
}
}
if (!ipPermission.prefixListIds().isEmpty()) {
System.out.println("Prefix lList is applicable");
portIsOpen = true;
}
if (!portIsOpen) {
System.out
.println("The inbound rule does not appear to be open to either this computer's IP,"
+ " all IP addresses (0.0.0.0/0), or to a prefix list ID.");
} else {
break;
}
}
}
}
} catch (AutoScalingException e) {
System.err.println(e.awsErrorDetails().errorMessage());
}
groupInfo.setPortOpen(portIsOpen);
return groupInfo;
}
/*
* Attaches an Elastic Load Balancing (ELB) target group to this EC2 Auto
* Scaling group.
* The target group specifies how the load balancer forward requests to the
* instances
* in the group.
*/
public void attachLoadBalancerTargetGroup(String asGroupName, String targetGroupARN) {
try {
AttachLoadBalancerTargetGroupsRequest targetGroupsRequest = AttachLoadBalancerTargetGroupsRequest.builder()
.autoScalingGroupName(asGroupName)
.targetGroupARNs(targetGroupARN)
.build();
getAutoScalingClient().attachLoadBalancerTargetGroups(targetGroupsRequest);
System.out.println("Attached load balancer to " + asGroupName);
} catch (AutoScalingException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
// Creates an EC2 Auto Scaling group with the specified size.
public String[] createGroup(int groupSize, String templateName, String autoScalingGroupName) {
// Get availability zones.
software.amazon.awssdk.services.ec2.model.DescribeAvailabilityZonesRequest zonesRequest = software.amazon.awssdk.services.ec2.model.DescribeAvailabilityZonesRequest
.builder()
.build();
DescribeAvailabilityZonesResponse zonesResponse = getEc2Client().describeAvailabilityZones(zonesRequest);
List availabilityZoneNames = zonesResponse.availabilityZones().stream()
.map(software.amazon.awssdk.services.ec2.model.AvailabilityZone::zoneName)
.collect(Collectors.toList());
String availabilityZones = String.join(",", availabilityZoneNames);
LaunchTemplateSpecification specification = LaunchTemplateSpecification.builder()
.launchTemplateName(templateName)
.version("$Default")
.build();
String[] zones = availabilityZones.split(",");
CreateAutoScalingGroupRequest groupRequest = CreateAutoScalingGroupRequest.builder()
.launchTemplate(specification)
.availabilityZones(zones)
.maxSize(groupSize)
.minSize(groupSize)
.autoScalingGroupName(autoScalingGroupName)
.build();
try {
getAutoScalingClient().createAutoScalingGroup(groupRequest);
} catch (AutoScalingException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
System.out.println("Created an EC2 Auto Scaling group named " + autoScalingGroupName);
return zones;
}
public String getDefaultVPC() {
// Define the filter.
Filter defaultFilter = Filter.builder()
.name("is-default")
.values("true")
.build();
software.amazon.awssdk.services.ec2.model.DescribeVpcsRequest request = software.amazon.awssdk.services.ec2.model.DescribeVpcsRequest
.builder()
.filters(defaultFilter)
.build();
DescribeVpcsResponse response = getEc2Client().describeVpcs(request);
return response.vpcs().get(0).vpcId();
}
// Gets the default subnets in a VPC for a specified list of Availability Zones.
public List getSubnets(String vpcId, String[] availabilityZones) {
List subnets = null;
Filter vpcFilter = Filter.builder()
.name("vpc-id")
.values(vpcId)
.build();
Filter azFilter = Filter.builder()
.name("availability-zone")
.values(availabilityZones)
.build();
Filter defaultForAZ = Filter.builder()
.name("default-for-az")
.values("true")
.build();
DescribeSubnetsRequest request = DescribeSubnetsRequest.builder()
.filters(vpcFilter, azFilter, defaultForAZ)
.build();
DescribeSubnetsResponse response = getEc2Client().describeSubnets(request);
subnets = response.subnets();
return subnets;
}
// Gets data about the instances in the EC2 Auto Scaling group.
public String getBadInstance(String groupName) {
DescribeAutoScalingGroupsRequest request = DescribeAutoScalingGroupsRequest.builder()
.autoScalingGroupNames(groupName)
.build();
DescribeAutoScalingGroupsResponse response = getAutoScalingClient().describeAutoScalingGroups(request);
AutoScalingGroup autoScalingGroup = response.autoScalingGroups().get(0);
List instanceIds = autoScalingGroup.instances().stream()
.map(instance -> instance.instanceId())
.collect(Collectors.toList());
String[] instanceIdArray = instanceIds.toArray(new String[0]);
for (String instanceId : instanceIdArray) {
System.out.println("Instance ID: " + instanceId);
return instanceId;
}
return "";
}
// Gets data about the profile associated with an instance.
public String getInstanceProfile(String instanceId) {
Filter filter = Filter.builder()
.name("instance-id")
.values(instanceId)
.build();
DescribeIamInstanceProfileAssociationsRequest associationsRequest = DescribeIamInstanceProfileAssociationsRequest
.builder()
.filters(filter)
.build();
DescribeIamInstanceProfileAssociationsResponse response = getEc2Client()
.describeIamInstanceProfileAssociations(associationsRequest);
return response.iamInstanceProfileAssociations().get(0).associationId();
}
public void deleteRolesPolicies(String policyName, String roleName, String InstanceProfile) {
ListPoliciesRequest listPoliciesRequest = ListPoliciesRequest.builder().build();
ListPoliciesResponse listPoliciesResponse = getIAMClient().listPolicies(listPoliciesRequest);
for (Policy policy : listPoliciesResponse.policies()) {
if (policy.policyName().equals(policyName)) {
// List the entities (users, groups, roles) that are attached to the policy.
software.amazon.awssdk.services.iam.model.ListEntitiesForPolicyRequest listEntitiesRequest = software.amazon.awssdk.services.iam.model.ListEntitiesForPolicyRequest
.builder()
.policyArn(policy.arn())
.build();
ListEntitiesForPolicyResponse listEntitiesResponse = iamClient
.listEntitiesForPolicy(listEntitiesRequest);
if (!listEntitiesResponse.policyGroups().isEmpty() || !listEntitiesResponse.policyUsers().isEmpty()
|| !listEntitiesResponse.policyRoles().isEmpty()) {
// Detach the policy from any entities it is attached to.
DetachRolePolicyRequest detachPolicyRequest = DetachRolePolicyRequest.builder()
.policyArn(policy.arn())
.roleName(roleName) // Specify the name of the IAM role
.build();
getIAMClient().detachRolePolicy(detachPolicyRequest);
System.out.println("Policy detached from entities.");
}
// Now, you can delete the policy.
DeletePolicyRequest deletePolicyRequest = DeletePolicyRequest.builder()
.policyArn(policy.arn())
.build();
getIAMClient().deletePolicy(deletePolicyRequest);
System.out.println("Policy deleted successfully.");
break;
}
}
// List the roles associated with the instance profile
ListInstanceProfilesForRoleRequest listRolesRequest = ListInstanceProfilesForRoleRequest.builder()
.roleName(roleName)
.build();
// Detach the roles from the instance profile
ListInstanceProfilesForRoleResponse listRolesResponse = iamClient.listInstanceProfilesForRole(listRolesRequest);
for (software.amazon.awssdk.services.iam.model.InstanceProfile profile : listRolesResponse.instanceProfiles()) {
RemoveRoleFromInstanceProfileRequest removeRoleRequest = RemoveRoleFromInstanceProfileRequest.builder()
.instanceProfileName(InstanceProfile)
.roleName(roleName) // Remove the extra dot here
.build();
getIAMClient().removeRoleFromInstanceProfile(removeRoleRequest);
System.out.println("Role " + roleName + " removed from instance profile " + InstanceProfile);
}
// Delete the instance profile after removing all roles
DeleteInstanceProfileRequest deleteInstanceProfileRequest = DeleteInstanceProfileRequest.builder()
.instanceProfileName(InstanceProfile)
.build();
getIAMClient().deleteInstanceProfile(r -> r.instanceProfileName(InstanceProfile));
System.out.println(InstanceProfile + " Deleted");
System.out.println("All roles and policies are deleted.");
}
}
```
Crie uma classe que envolva ações do Elastic Load Balancing.
```
public class LoadBalancer {
public ElasticLoadBalancingV2Client elasticLoadBalancingV2Client;
public ElasticLoadBalancingV2Client getLoadBalancerClient() {
if (elasticLoadBalancingV2Client == null) {
elasticLoadBalancingV2Client = ElasticLoadBalancingV2Client.builder()
.region(Region.US_EAST_1)
.build();
}
return elasticLoadBalancingV2Client;
}
// Checks the health of the instances in the target group.
public List checkTargetHealth(String targetGroupName) {
DescribeTargetGroupsRequest targetGroupsRequest = DescribeTargetGroupsRequest.builder()
.names(targetGroupName)
.build();
DescribeTargetGroupsResponse tgResponse = getLoadBalancerClient().describeTargetGroups(targetGroupsRequest);
DescribeTargetHealthRequest healthRequest = DescribeTargetHealthRequest.builder()
.targetGroupArn(tgResponse.targetGroups().get(0).targetGroupArn())
.build();
DescribeTargetHealthResponse healthResponse = getLoadBalancerClient().describeTargetHealth(healthRequest);
return healthResponse.targetHealthDescriptions();
}
// Gets the HTTP endpoint of the load balancer.
public String getEndpoint(String lbName) {
DescribeLoadBalancersResponse res = getLoadBalancerClient()
.describeLoadBalancers(describe -> describe.names(lbName));
return res.loadBalancers().get(0).dnsName();
}
// Deletes a load balancer.
public void deleteLoadBalancer(String lbName) {
try {
// Use a waiter to delete the Load Balancer.
DescribeLoadBalancersResponse res = getLoadBalancerClient()
.describeLoadBalancers(describe -> describe.names(lbName));
ElasticLoadBalancingV2Waiter loadBalancerWaiter = getLoadBalancerClient().waiter();
DescribeLoadBalancersRequest request = DescribeLoadBalancersRequest.builder()
.loadBalancerArns(res.loadBalancers().get(0).loadBalancerArn())
.build();
getLoadBalancerClient().deleteLoadBalancer(
builder -> builder.loadBalancerArn(res.loadBalancers().get(0).loadBalancerArn()));
WaiterResponse waiterResponse = loadBalancerWaiter
.waitUntilLoadBalancersDeleted(request);
waiterResponse.matched().response().ifPresent(System.out::println);
} catch (ElasticLoadBalancingV2Exception e) {
System.err.println(e.awsErrorDetails().errorMessage());
}
System.out.println(lbName + " was deleted.");
}
// Deletes the target group.
public void deleteTargetGroup(String targetGroupName) {
try {
DescribeTargetGroupsResponse res = getLoadBalancerClient()
.describeTargetGroups(describe -> describe.names(targetGroupName));
getLoadBalancerClient()
.deleteTargetGroup(builder -> builder.targetGroupArn(res.targetGroups().get(0).targetGroupArn()));
} catch (ElasticLoadBalancingV2Exception e) {
System.err.println(e.awsErrorDetails().errorMessage());
}
System.out.println(targetGroupName + " was deleted.");
}
// Verify this computer can successfully send a GET request to the load balancer
// endpoint.
public boolean verifyLoadBalancerEndpoint(String elbDnsName) throws IOException, InterruptedException {
boolean success = false;
int retries = 3;
CloseableHttpClient httpClient = HttpClients.createDefault();
// Create an HTTP GET request to the ELB.
HttpGet httpGet = new HttpGet("http://" + elbDnsName);
try {
while ((!success) && (retries > 0)) {
// Execute the request and get the response.
HttpResponse response = httpClient.execute(httpGet);
int statusCode = response.getStatusLine().getStatusCode();
System.out.println("HTTP Status Code: " + statusCode);
if (statusCode == 200) {
success = true;
} else {
retries--;
System.out.println("Got connection error from load balancer endpoint, retrying...");
TimeUnit.SECONDS.sleep(15);
}
}
} catch (org.apache.http.conn.HttpHostConnectException e) {
System.out.println(e.getMessage());
}
System.out.println("Status.." + success);
return success;
}
/*
* Creates an Elastic Load Balancing target group. The target group specifies
* how
* the load balancer forward requests to instances in the group and how instance
* health is checked.
*/
public String createTargetGroup(String protocol, int port, String vpcId, String targetGroupName) {
CreateTargetGroupRequest targetGroupRequest = CreateTargetGroupRequest.builder()
.healthCheckPath("/healthcheck")
.healthCheckTimeoutSeconds(5)
.port(port)
.vpcId(vpcId)
.name(targetGroupName)
.protocol(protocol)
.build();
CreateTargetGroupResponse targetGroupResponse = getLoadBalancerClient().createTargetGroup(targetGroupRequest);
String targetGroupArn = targetGroupResponse.targetGroups().get(0).targetGroupArn();
String targetGroup = targetGroupResponse.targetGroups().get(0).targetGroupName();
System.out.println("The " + targetGroup + " was created with ARN" + targetGroupArn);
return targetGroupArn;
}
/*
* Creates an Elastic Load Balancing load balancer that uses the specified
* subnets
* and forwards requests to the specified target group.
*/
public String createLoadBalancer(List subnetIds, String targetGroupARN, String lbName, int port,
String protocol) {
try {
List subnetIdStrings = subnetIds.stream()
.map(Subnet::subnetId)
.collect(Collectors.toList());
CreateLoadBalancerRequest balancerRequest = CreateLoadBalancerRequest.builder()
.subnets(subnetIdStrings)
.name(lbName)
.scheme("internet-facing")
.build();
// Create and wait for the load balancer to become available.
CreateLoadBalancerResponse lsResponse = getLoadBalancerClient().createLoadBalancer(balancerRequest);
String lbARN = lsResponse.loadBalancers().get(0).loadBalancerArn();
ElasticLoadBalancingV2Waiter loadBalancerWaiter = getLoadBalancerClient().waiter();
DescribeLoadBalancersRequest request = DescribeLoadBalancersRequest.builder()
.loadBalancerArns(lbARN)
.build();
System.out.println("Waiting for Load Balancer " + lbName + " to become available.");
WaiterResponse waiterResponse = loadBalancerWaiter
.waitUntilLoadBalancerAvailable(request);
waiterResponse.matched().response().ifPresent(System.out::println);
System.out.println("Load Balancer " + lbName + " is available.");
// Get the DNS name (endpoint) of the load balancer.
String lbDNSName = lsResponse.loadBalancers().get(0).dnsName();
System.out.println("*** Load Balancer DNS Name: " + lbDNSName);
// Create a listener for the load balance.
Action action = Action.builder()
.targetGroupArn(targetGroupARN)
.type("forward")
.build();
CreateListenerRequest listenerRequest = CreateListenerRequest.builder()
.loadBalancerArn(lsResponse.loadBalancers().get(0).loadBalancerArn())
.defaultActions(action)
.port(port)
.protocol(protocol)
.build();
getLoadBalancerClient().createListener(listenerRequest);
System.out.println("Created listener to forward traffic from load balancer " + lbName + " to target group "
+ targetGroupARN);
// Return the load balancer DNS name.
return lbDNSName;
} catch (ElasticLoadBalancingV2Exception e) {
e.printStackTrace();
}
return "";
}
}
```
Crie uma classe que use o DynamoDB para simular um serviço de recomendação.
```
public class Database {
private static DynamoDbClient dynamoDbClient;
public static DynamoDbClient getDynamoDbClient() {
if (dynamoDbClient == null) {
dynamoDbClient = DynamoDbClient.builder()
.region(Region.US_EAST_1)
.build();
}
return dynamoDbClient;
}
// Checks to see if the Amazon DynamoDB table exists.
private boolean doesTableExist(String tableName) {
try {
// Describe the table and catch any exceptions.
DescribeTableRequest describeTableRequest = DescribeTableRequest.builder()
.tableName(tableName)
.build();
getDynamoDbClient().describeTable(describeTableRequest);
System.out.println("Table '" + tableName + "' exists.");
return true;
} catch (ResourceNotFoundException e) {
System.out.println("Table '" + tableName + "' does not exist.");
} catch (DynamoDbException e) {
System.err.println("Error checking table existence: " + e.getMessage());
}
return false;
}
/*
* Creates a DynamoDB table to use a recommendation service. The table has a
* hash key named 'MediaType' that defines the type of media recommended, such
* as
* Book or Movie, and a range key named 'ItemId' that, combined with the
* MediaType,
* forms a unique identifier for the recommended item.
*/
public void createTable(String tableName, String fileName) throws IOException {
// First check to see if the table exists.
boolean doesExist = doesTableExist(tableName);
if (!doesExist) {
DynamoDbWaiter dbWaiter = getDynamoDbClient().waiter();
CreateTableRequest createTableRequest = CreateTableRequest.builder()
.tableName(tableName)
.attributeDefinitions(
AttributeDefinition.builder()
.attributeName("MediaType")
.attributeType(ScalarAttributeType.S)
.build(),
AttributeDefinition.builder()
.attributeName("ItemId")
.attributeType(ScalarAttributeType.N)
.build())
.keySchema(
KeySchemaElement.builder()
.attributeName("MediaType")
.keyType(KeyType.HASH)
.build(),
KeySchemaElement.builder()
.attributeName("ItemId")
.keyType(KeyType.RANGE)
.build())
.provisionedThroughput(
ProvisionedThroughput.builder()
.readCapacityUnits(5L)
.writeCapacityUnits(5L)
.build())
.build();
getDynamoDbClient().createTable(createTableRequest);
System.out.println("Creating table " + tableName + "...");
// Wait until the Amazon DynamoDB table is created.
DescribeTableRequest tableRequest = DescribeTableRequest.builder()
.tableName(tableName)
.build();
WaiterResponse waiterResponse = dbWaiter.waitUntilTableExists(tableRequest);
waiterResponse.matched().response().ifPresent(System.out::println);
System.out.println("Table " + tableName + " created.");
// Add records to the table.
populateTable(fileName, tableName);
}
}
public void deleteTable(String tableName) {
getDynamoDbClient().deleteTable(table -> table.tableName(tableName));
System.out.println("Table " + tableName + " deleted.");
}
// Populates the table with data located in a JSON file using the DynamoDB
// enhanced client.
public void populateTable(String fileName, String tableName) throws IOException {
DynamoDbEnhancedClient enhancedClient = DynamoDbEnhancedClient.builder()
.dynamoDbClient(getDynamoDbClient())
.build();
ObjectMapper objectMapper = new ObjectMapper();
File jsonFile = new File(fileName);
JsonNode rootNode = objectMapper.readTree(jsonFile);
DynamoDbTable mappedTable = enhancedClient.table(tableName,
TableSchema.fromBean(Recommendation.class));
for (JsonNode currentNode : rootNode) {
String mediaType = currentNode.path("MediaType").path("S").asText();
int itemId = currentNode.path("ItemId").path("N").asInt();
String title = currentNode.path("Title").path("S").asText();
String creator = currentNode.path("Creator").path("S").asText();
// Create a Recommendation object and set its properties.
Recommendation rec = new Recommendation();
rec.setMediaType(mediaType);
rec.setItemId(itemId);
rec.setTitle(title);
rec.setCreator(creator);
// Put the item into the DynamoDB table.
mappedTable.putItem(rec); // Add the Recommendation to the list.
}
System.out.println("Added all records to the " + tableName);
}
}
```
Crie uma classe que envolva as ações do Systems Manager.
```
public class ParameterHelper {
String tableName = "doc-example-resilient-architecture-table";
String dyntable = "doc-example-recommendation-service";
String failureResponse = "doc-example-resilient-architecture-failure-response";
String healthCheck = "doc-example-resilient-architecture-health-check";
public void reset() {
put(dyntable, tableName);
put(failureResponse, "none");
put(healthCheck, "shallow");
}
public void put(String name, String value) {
SsmClient ssmClient = SsmClient.builder()
.region(Region.US_EAST_1)
.build();
PutParameterRequest parameterRequest = PutParameterRequest.builder()
.name(name)
.value(value)
.overwrite(true)
.type("String")
.build();
ssmClient.putParameter(parameterRequest);
System.out.printf("Setting demo parameter %s to '%s'.", name, value);
}
}
```
+ Para obter detalhes da API, consulte os tópicos a seguir na *Referência da API AWS SDK for Java 2.x*.
+ [AttachLoadBalancerTargetGroups](https://docs.aws.amazon.com/goto/SdkForJavaV2/autoscaling-2011-01-01/AttachLoadBalancerTargetGroups)
+ [CreateAutoScalingGroup](https://docs.aws.amazon.com/goto/SdkForJavaV2/autoscaling-2011-01-01/CreateAutoScalingGroup)
+ [CreateInstanceProfile](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateInstanceProfile)
+ [CreateLaunchTemplate](https://docs.aws.amazon.com/goto/SdkForJavaV2/ec2-2016-11-15/CreateLaunchTemplate)
+ [CreateListener](https://docs.aws.amazon.com/goto/SdkForJavaV2/elasticloadbalancingv2-2015-12-01/CreateListener)
+ [CreateLoadBalancer](https://docs.aws.amazon.com/goto/SdkForJavaV2/elasticloadbalancingv2-2015-12-01/CreateLoadBalancer)
+ [CreateTargetGroup](https://docs.aws.amazon.com/goto/SdkForJavaV2/elasticloadbalancingv2-2015-12-01/CreateTargetGroup)
+ [DeleteAutoScalingGroup](https://docs.aws.amazon.com/goto/SdkForJavaV2/autoscaling-2011-01-01/DeleteAutoScalingGroup)
+ [DeleteInstanceProfile](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteInstanceProfile)
+ [DeleteLaunchTemplate](https://docs.aws.amazon.com/goto/SdkForJavaV2/ec2-2016-11-15/DeleteLaunchTemplate)
+ [DeleteLoadBalancer](https://docs.aws.amazon.com/goto/SdkForJavaV2/elasticloadbalancingv2-2015-12-01/DeleteLoadBalancer)
+ [DeleteTargetGroup](https://docs.aws.amazon.com/goto/SdkForJavaV2/elasticloadbalancingv2-2015-12-01/DeleteTargetGroup)
+ [DescribeAutoScalingGroups](https://docs.aws.amazon.com/goto/SdkForJavaV2/autoscaling-2011-01-01/DescribeAutoScalingGroups)
+ [DescribeAvailabilityZones](https://docs.aws.amazon.com/goto/SdkForJavaV2/ec2-2016-11-15/DescribeAvailabilityZones)
+ [DescribeIamInstanceProfileAssociations](https://docs.aws.amazon.com/goto/SdkForJavaV2/ec2-2016-11-15/DescribeIamInstanceProfileAssociations)
+ [DescribeInstances](https://docs.aws.amazon.com/goto/SdkForJavaV2/ec2-2016-11-15/DescribeInstances)
+ [DescribeLoadBalancers](https://docs.aws.amazon.com/goto/SdkForJavaV2/elasticloadbalancingv2-2015-12-01/DescribeLoadBalancers)
+ [DescribeSubnets](https://docs.aws.amazon.com/goto/SdkForJavaV2/ec2-2016-11-15/DescribeSubnets)
+ [DescribeTargetGroups](https://docs.aws.amazon.com/goto/SdkForJavaV2/elasticloadbalancingv2-2015-12-01/DescribeTargetGroups)
+ [DescribeTargetHealth](https://docs.aws.amazon.com/goto/SdkForJavaV2/elasticloadbalancingv2-2015-12-01/DescribeTargetHealth)
+ [DescribeVpcs](https://docs.aws.amazon.com/goto/SdkForJavaV2/ec2-2016-11-15/DescribeVpcs)
+ [RebootInstances](https://docs.aws.amazon.com/goto/SdkForJavaV2/ec2-2016-11-15/RebootInstances)
+ [ReplaceIamInstanceProfileAssociation](https://docs.aws.amazon.com/goto/SdkForJavaV2/ec2-2016-11-15/ReplaceIamInstanceProfileAssociation)
+ [TerminateInstanceInAutoScalingGroup](https://docs.aws.amazon.com/goto/SdkForJavaV2/autoscaling-2011-01-01/TerminateInstanceInAutoScalingGroup)
+ [UpdateAutoScalingGroup](https://docs.aws.amazon.com/goto/SdkForJavaV2/autoscaling-2011-01-01/UpdateAutoScalingGroup)
------
#### [ JavaScript ]
**SDK para JavaScript (v3)**
Há mais no GitHub. Encontre o exemplo completo e saiba como configurar e executar no [AWSCode Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cross-services/wkflw-resilient-service#code-examples).
Execute o cenário interativo em um prompt de comando.
```
#!/usr/bin/env node
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
import {
Scenario,
parseScenarioArgs,
} from "@aws-doc-sdk-examples/lib/scenario/index.js";
/**
* The workflow steps are split into three stages:
* - deploy
* - demo
* - destroy
*
* Each of these stages has a corresponding file prefixed with steps-*.
*/
import { deploySteps } from "./steps-deploy.js";
import { demoSteps } from "./steps-demo.js";
import { destroySteps } from "./steps-destroy.js";
/**
* The context is passed to every scenario. Scenario steps
* will modify the context.
*/
const context = {};
/**
* Three Scenarios are created for the workflow. A Scenario is an orchestration class
* that simplifies running a series of steps.
*/
export const scenarios = {
// Deploys all resources necessary for the workflow.
deploy: new Scenario("Resilient Workflow - Deploy", deploySteps, context),
// Demonstrates how a fragile web service can be made more resilient.
demo: new Scenario("Resilient Workflow - Demo", demoSteps, context),
// Destroys the resources created for the workflow.
destroy: new Scenario("Resilient Workflow - Destroy", destroySteps, context),
};
// Call function if run directly
import { fileURLToPath } from "node:url";
if (process.argv[1] === fileURLToPath(import.meta.url)) {
parseScenarioArgs(scenarios, {
name: "Resilient Workflow",
synopsis:
"node index.js --scenario [-h|--help] [-y|--yes] [-v|--verbose]",
description: "Deploy and interact with scalable EC2 instances.",
});
}
```
Criar etapas para implantar todos os recursos.
```
import { join } from "node:path";
import { readFileSync, writeFileSync } from "node:fs";
import axios from "axios";
import {
BatchWriteItemCommand,
CreateTableCommand,
DynamoDBClient,
waitUntilTableExists,
} from "@aws-sdk/client-dynamodb";
import {
EC2Client,
CreateKeyPairCommand,
CreateLaunchTemplateCommand,
DescribeAvailabilityZonesCommand,
DescribeVpcsCommand,
DescribeSubnetsCommand,
DescribeSecurityGroupsCommand,
AuthorizeSecurityGroupIngressCommand,
} from "@aws-sdk/client-ec2";
import {
IAMClient,
CreatePolicyCommand,
CreateRoleCommand,
CreateInstanceProfileCommand,
AddRoleToInstanceProfileCommand,
AttachRolePolicyCommand,
waitUntilInstanceProfileExists,
} from "@aws-sdk/client-iam";
import { SSMClient, GetParameterCommand } from "@aws-sdk/client-ssm";
import {
CreateAutoScalingGroupCommand,
AutoScalingClient,
AttachLoadBalancerTargetGroupsCommand,
} from "@aws-sdk/client-auto-scaling";
import {
CreateListenerCommand,
CreateLoadBalancerCommand,
CreateTargetGroupCommand,
ElasticLoadBalancingV2Client,
waitUntilLoadBalancerAvailable,
} from "@aws-sdk/client-elastic-load-balancing-v2";
import {
ScenarioOutput,
ScenarioInput,
ScenarioAction,
} from "@aws-doc-sdk-examples/lib/scenario/index.js";
import { saveState } from "@aws-doc-sdk-examples/lib/scenario/steps-common.js";
import { retry } from "@aws-doc-sdk-examples/lib/utils/util-timers.js";
import { MESSAGES, NAMES, RESOURCES_PATH, ROOT } from "./constants.js";
import { initParamsSteps } from "./steps-reset-params.js";
/**
* @type {import('@aws-doc-sdk-examples/lib/scenario.js').Step[]}
*/
export const deploySteps = [
new ScenarioOutput("introduction", MESSAGES.introduction, { header: true }),
new ScenarioInput("confirmDeployment", MESSAGES.confirmDeployment, {
type: "confirm",
}),
new ScenarioAction(
"handleConfirmDeployment",
(c) => c.confirmDeployment === false && process.exit(),
),
new ScenarioOutput(
"creatingTable",
MESSAGES.creatingTable.replace("${TABLE_NAME}", NAMES.tableName),
),
new ScenarioAction("createTable", async () => {
const client = new DynamoDBClient({});
await client.send(
new CreateTableCommand({
TableName: NAMES.tableName,
ProvisionedThroughput: {
ReadCapacityUnits: 5,
WriteCapacityUnits: 5,
},
AttributeDefinitions: [
{
AttributeName: "MediaType",
AttributeType: "S",
},
{
AttributeName: "ItemId",
AttributeType: "N",
},
],
KeySchema: [
{
AttributeName: "MediaType",
KeyType: "HASH",
},
{
AttributeName: "ItemId",
KeyType: "RANGE",
},
],
}),
);
await waitUntilTableExists({ client }, { TableName: NAMES.tableName });
}),
new ScenarioOutput(
"createdTable",
MESSAGES.createdTable.replace("${TABLE_NAME}", NAMES.tableName),
),
new ScenarioOutput(
"populatingTable",
MESSAGES.populatingTable.replace("${TABLE_NAME}", NAMES.tableName),
),
new ScenarioAction("populateTable", () => {
const client = new DynamoDBClient({});
/**
* @type {{ default: import("@aws-sdk/client-dynamodb").PutRequest['Item'][] }}
*/
const recommendations = JSON.parse(
readFileSync(join(RESOURCES_PATH, "recommendations.json")),
);
return client.send(
new BatchWriteItemCommand({
RequestItems: {
[NAMES.tableName]: recommendations.map((item) => ({
PutRequest: { Item: item },
})),
},
}),
);
}),
new ScenarioOutput(
"populatedTable",
MESSAGES.populatedTable.replace("${TABLE_NAME}", NAMES.tableName),
),
new ScenarioOutput(
"creatingKeyPair",
MESSAGES.creatingKeyPair.replace("${KEY_PAIR_NAME}", NAMES.keyPairName),
),
new ScenarioAction("createKeyPair", async () => {
const client = new EC2Client({});
const { KeyMaterial } = await client.send(
new CreateKeyPairCommand({
KeyName: NAMES.keyPairName,
}),
);
writeFileSync(`${NAMES.keyPairName}.pem`, KeyMaterial, { mode: 0o600 });
}),
new ScenarioOutput(
"createdKeyPair",
MESSAGES.createdKeyPair.replace("${KEY_PAIR_NAME}", NAMES.keyPairName),
),
new ScenarioOutput(
"creatingInstancePolicy",
MESSAGES.creatingInstancePolicy.replace(
"${INSTANCE_POLICY_NAME}",
NAMES.instancePolicyName,
),
),
new ScenarioAction("createInstancePolicy", async (state) => {
const client = new IAMClient({});
const {
Policy: { Arn },
} = await client.send(
new CreatePolicyCommand({
PolicyName: NAMES.instancePolicyName,
PolicyDocument: readFileSync(
join(RESOURCES_PATH, "instance_policy.json"),
),
}),
);
state.instancePolicyArn = Arn;
}),
new ScenarioOutput("createdInstancePolicy", (state) =>
MESSAGES.createdInstancePolicy
.replace("${INSTANCE_POLICY_NAME}", NAMES.instancePolicyName)
.replace("${INSTANCE_POLICY_ARN}", state.instancePolicyArn),
),
new ScenarioOutput(
"creatingInstanceRole",
MESSAGES.creatingInstanceRole.replace(
"${INSTANCE_ROLE_NAME}",
NAMES.instanceRoleName,
),
),
new ScenarioAction("createInstanceRole", () => {
const client = new IAMClient({});
return client.send(
new CreateRoleCommand({
RoleName: NAMES.instanceRoleName,
AssumeRolePolicyDocument: readFileSync(
join(ROOT, "assume-role-policy.json"),
),
}),
);
}),
new ScenarioOutput(
"createdInstanceRole",
MESSAGES.createdInstanceRole.replace(
"${INSTANCE_ROLE_NAME}",
NAMES.instanceRoleName,
),
),
new ScenarioOutput(
"attachingPolicyToRole",
MESSAGES.attachingPolicyToRole
.replace("${INSTANCE_ROLE_NAME}", NAMES.instanceRoleName)
.replace("${INSTANCE_POLICY_NAME}", NAMES.instancePolicyName),
),
new ScenarioAction("attachPolicyToRole", async (state) => {
const client = new IAMClient({});
await client.send(
new AttachRolePolicyCommand({
RoleName: NAMES.instanceRoleName,
PolicyArn: state.instancePolicyArn,
}),
);
}),
new ScenarioOutput(
"attachedPolicyToRole",
MESSAGES.attachedPolicyToRole
.replace("${INSTANCE_POLICY_NAME}", NAMES.instancePolicyName)
.replace("${INSTANCE_ROLE_NAME}", NAMES.instanceRoleName),
),
new ScenarioOutput(
"creatingInstanceProfile",
MESSAGES.creatingInstanceProfile.replace(
"${INSTANCE_PROFILE_NAME}",
NAMES.instanceProfileName,
),
),
new ScenarioAction("createInstanceProfile", async (state) => {
const client = new IAMClient({});
const {
InstanceProfile: { Arn },
} = await client.send(
new CreateInstanceProfileCommand({
InstanceProfileName: NAMES.instanceProfileName,
}),
);
state.instanceProfileArn = Arn;
await waitUntilInstanceProfileExists(
{ client },
{ InstanceProfileName: NAMES.instanceProfileName },
);
}),
new ScenarioOutput("createdInstanceProfile", (state) =>
MESSAGES.createdInstanceProfile
.replace("${INSTANCE_PROFILE_NAME}", NAMES.instanceProfileName)
.replace("${INSTANCE_PROFILE_ARN}", state.instanceProfileArn),
),
new ScenarioOutput(
"addingRoleToInstanceProfile",
MESSAGES.addingRoleToInstanceProfile
.replace("${INSTANCE_PROFILE_NAME}", NAMES.instanceProfileName)
.replace("${INSTANCE_ROLE_NAME}", NAMES.instanceRoleName),
),
new ScenarioAction("addRoleToInstanceProfile", () => {
const client = new IAMClient({});
return client.send(
new AddRoleToInstanceProfileCommand({
RoleName: NAMES.instanceRoleName,
InstanceProfileName: NAMES.instanceProfileName,
}),
);
}),
new ScenarioOutput(
"addedRoleToInstanceProfile",
MESSAGES.addedRoleToInstanceProfile
.replace("${INSTANCE_PROFILE_NAME}", NAMES.instanceProfileName)
.replace("${INSTANCE_ROLE_NAME}", NAMES.instanceRoleName),
),
...initParamsSteps,
new ScenarioOutput("creatingLaunchTemplate", MESSAGES.creatingLaunchTemplate),
new ScenarioAction("createLaunchTemplate", async () => {
const ssmClient = new SSMClient({});
const { Parameter } = await ssmClient.send(
new GetParameterCommand({
Name: "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
}),
);
const ec2Client = new EC2Client({});
await ec2Client.send(
new CreateLaunchTemplateCommand({
LaunchTemplateName: NAMES.launchTemplateName,
LaunchTemplateData: {
InstanceType: "t3.micro",
ImageId: Parameter.Value,
IamInstanceProfile: { Name: NAMES.instanceProfileName },
UserData: readFileSync(
join(RESOURCES_PATH, "server_startup_script.sh"),
).toString("base64"),
KeyName: NAMES.keyPairName,
},
}),
);
}),
new ScenarioOutput(
"createdLaunchTemplate",
MESSAGES.createdLaunchTemplate.replace(
"${LAUNCH_TEMPLATE_NAME}",
NAMES.launchTemplateName,
),
),
new ScenarioOutput(
"creatingAutoScalingGroup",
MESSAGES.creatingAutoScalingGroup.replace(
"${AUTO_SCALING_GROUP_NAME}",
NAMES.autoScalingGroupName,
),
),
new ScenarioAction("createAutoScalingGroup", async (state) => {
const ec2Client = new EC2Client({});
const { AvailabilityZones } = await ec2Client.send(
new DescribeAvailabilityZonesCommand({}),
);
state.availabilityZoneNames = AvailabilityZones.map((az) => az.ZoneName);
const autoScalingClient = new AutoScalingClient({});
await retry({ intervalInMs: 1000, maxRetries: 30 }, () =>
autoScalingClient.send(
new CreateAutoScalingGroupCommand({
AvailabilityZones: state.availabilityZoneNames,
AutoScalingGroupName: NAMES.autoScalingGroupName,
LaunchTemplate: {
LaunchTemplateName: NAMES.launchTemplateName,
Version: "$Default",
},
MinSize: 3,
MaxSize: 3,
}),
),
);
}),
new ScenarioOutput(
"createdAutoScalingGroup",
/**
* @param {{ availabilityZoneNames: string[] }} state
*/
(state) =>
MESSAGES.createdAutoScalingGroup
.replace("${AUTO_SCALING_GROUP_NAME}", NAMES.autoScalingGroupName)
.replace(
"${AVAILABILITY_ZONE_NAMES}",
state.availabilityZoneNames.join(", "),
),
),
new ScenarioInput("confirmContinue", MESSAGES.confirmContinue, {
type: "confirm",
}),
new ScenarioOutput("loadBalancer", MESSAGES.loadBalancer),
new ScenarioOutput("gettingVpc", MESSAGES.gettingVpc),
new ScenarioAction("getVpc", async (state) => {
const client = new EC2Client({});
const { Vpcs } = await client.send(
new DescribeVpcsCommand({
Filters: [{ Name: "is-default", Values: ["true"] }],
}),
);
state.defaultVpc = Vpcs[0].VpcId;
}),
new ScenarioOutput("gotVpc", (state) =>
MESSAGES.gotVpc.replace("${VPC_ID}", state.defaultVpc),
),
new ScenarioOutput("gettingSubnets", MESSAGES.gettingSubnets),
new ScenarioAction("getSubnets", async (state) => {
const client = new EC2Client({});
const { Subnets } = await client.send(
new DescribeSubnetsCommand({
Filters: [
{ Name: "vpc-id", Values: [state.defaultVpc] },
{ Name: "availability-zone", Values: state.availabilityZoneNames },
{ Name: "default-for-az", Values: ["true"] },
],
}),
);
state.subnets = Subnets.map((subnet) => subnet.SubnetId);
}),
new ScenarioOutput(
"gotSubnets",
/**
* @param {{ subnets: string[] }} state
*/
(state) =>
MESSAGES.gotSubnets.replace("${SUBNETS}", state.subnets.join(", ")),
),
new ScenarioOutput(
"creatingLoadBalancerTargetGroup",
MESSAGES.creatingLoadBalancerTargetGroup.replace(
"${TARGET_GROUP_NAME}",
NAMES.loadBalancerTargetGroupName,
),
),
new ScenarioAction("createLoadBalancerTargetGroup", async (state) => {
const client = new ElasticLoadBalancingV2Client({});
const { TargetGroups } = await client.send(
new CreateTargetGroupCommand({
Name: NAMES.loadBalancerTargetGroupName,
Protocol: "HTTP",
Port: 80,
HealthCheckPath: "/healthcheck",
HealthCheckIntervalSeconds: 10,
HealthCheckTimeoutSeconds: 5,
HealthyThresholdCount: 2,
UnhealthyThresholdCount: 2,
VpcId: state.defaultVpc,
}),
);
const targetGroup = TargetGroups[0];
state.targetGroupArn = targetGroup.TargetGroupArn;
state.targetGroupProtocol = targetGroup.Protocol;
state.targetGroupPort = targetGroup.Port;
}),
new ScenarioOutput(
"createdLoadBalancerTargetGroup",
MESSAGES.createdLoadBalancerTargetGroup.replace(
"${TARGET_GROUP_NAME}",
NAMES.loadBalancerTargetGroupName,
),
),
new ScenarioOutput(
"creatingLoadBalancer",
MESSAGES.creatingLoadBalancer.replace("${LB_NAME}", NAMES.loadBalancerName),
),
new ScenarioAction("createLoadBalancer", async (state) => {
const client = new ElasticLoadBalancingV2Client({});
const { LoadBalancers } = await client.send(
new CreateLoadBalancerCommand({
Name: NAMES.loadBalancerName,
Subnets: state.subnets,
}),
);
state.loadBalancerDns = LoadBalancers[0].DNSName;
state.loadBalancerArn = LoadBalancers[0].LoadBalancerArn;
await waitUntilLoadBalancerAvailable(
{ client },
{ Names: [NAMES.loadBalancerName] },
);
}),
new ScenarioOutput("createdLoadBalancer", (state) =>
MESSAGES.createdLoadBalancer
.replace("${LB_NAME}", NAMES.loadBalancerName)
.replace("${DNS_NAME}", state.loadBalancerDns),
),
new ScenarioOutput(
"creatingListener",
MESSAGES.creatingLoadBalancerListener
.replace("${LB_NAME}", NAMES.loadBalancerName)
.replace("${TARGET_GROUP_NAME}", NAMES.loadBalancerTargetGroupName),
),
new ScenarioAction("createListener", async (state) => {
const client = new ElasticLoadBalancingV2Client({});
const { Listeners } = await client.send(
new CreateListenerCommand({
LoadBalancerArn: state.loadBalancerArn,
Protocol: state.targetGroupProtocol,
Port: state.targetGroupPort,
DefaultActions: [
{ Type: "forward", TargetGroupArn: state.targetGroupArn },
],
}),
);
const listener = Listeners[0];
state.loadBalancerListenerArn = listener.ListenerArn;
}),
new ScenarioOutput("createdListener", (state) =>
MESSAGES.createdLoadBalancerListener.replace(
"${LB_LISTENER_ARN}",
state.loadBalancerListenerArn,
),
),
new ScenarioOutput(
"attachingLoadBalancerTargetGroup",
MESSAGES.attachingLoadBalancerTargetGroup
.replace("${TARGET_GROUP_NAME}", NAMES.loadBalancerTargetGroupName)
.replace("${AUTO_SCALING_GROUP_NAME}", NAMES.autoScalingGroupName),
),
new ScenarioAction("attachLoadBalancerTargetGroup", async (state) => {
const client = new AutoScalingClient({});
await client.send(
new AttachLoadBalancerTargetGroupsCommand({
AutoScalingGroupName: NAMES.autoScalingGroupName,
TargetGroupARNs: [state.targetGroupArn],
}),
);
}),
new ScenarioOutput(
"attachedLoadBalancerTargetGroup",
MESSAGES.attachedLoadBalancerTargetGroup,
),
new ScenarioOutput("verifyingInboundPort", MESSAGES.verifyingInboundPort),
new ScenarioAction(
"verifyInboundPort",
/**
*
* @param {{ defaultSecurityGroup: import('@aws-sdk/client-ec2').SecurityGroup}} state
*/
async (state) => {
const client = new EC2Client({});
const { SecurityGroups } = await client.send(
new DescribeSecurityGroupsCommand({
Filters: [{ Name: "group-name", Values: ["default"] }],
}),
);
if (!SecurityGroups) {
state.verifyInboundPortError = new Error(MESSAGES.noSecurityGroups);
}
state.defaultSecurityGroup = SecurityGroups[0];
/**
* @type {string}
*/
const ipResponse = (await axios.get("http://checkip.amazonaws.com")).data;
state.myIp = ipResponse.trim();
const myIpRules = state.defaultSecurityGroup.IpPermissions.filter(
({ IpRanges }) =>
IpRanges.some(
({ CidrIp }) =>
CidrIp.startsWith(state.myIp) || CidrIp === "0.0.0.0/0",
),
)
.filter(({ IpProtocol }) => IpProtocol === "tcp")
.filter(({ FromPort }) => FromPort === 80);
state.myIpRules = myIpRules;
},
),
new ScenarioOutput(
"verifiedInboundPort",
/**
* @param {{ myIpRules: any[] }} state
*/
(state) => {
if (state.myIpRules.length > 0) {
return MESSAGES.foundIpRules.replace(
"${IP_RULES}",
JSON.stringify(state.myIpRules, null, 2),
);
}
return MESSAGES.noIpRules;
},
),
new ScenarioInput(
"shouldAddInboundRule",
/**
* @param {{ myIpRules: any[] }} state
*/
(state) => {
if (state.myIpRules.length > 0) {
return false;
}
return MESSAGES.noIpRules;
},
{ type: "confirm" },
),
new ScenarioAction(
"addInboundRule",
/**
* @param {{ defaultSecurityGroup: import('@aws-sdk/client-ec2').SecurityGroup }} state
*/
async (state) => {
if (!state.shouldAddInboundRule) {
return;
}
const client = new EC2Client({});
await client.send(
new AuthorizeSecurityGroupIngressCommand({
GroupId: state.defaultSecurityGroup.GroupId,
CidrIp: `${state.myIp}/32`,
FromPort: 80,
ToPort: 80,
IpProtocol: "tcp",
}),
);
},
),
new ScenarioOutput("addedInboundRule", (state) => {
if (state.shouldAddInboundRule) {
return MESSAGES.addedInboundRule.replace("${IP_ADDRESS}", state.myIp);
}
return false;
}),
new ScenarioOutput("verifyingEndpoint", (state) =>
MESSAGES.verifyingEndpoint.replace("${DNS_NAME}", state.loadBalancerDns),
),
new ScenarioAction("verifyEndpoint", async (state) => {
try {
const response = await retry({ intervalInMs: 2000, maxRetries: 30 }, () =>
axios.get(`http://${state.loadBalancerDns}`),
);
state.endpointResponse = JSON.stringify(response.data, null, 2);
} catch (e) {
state.verifyEndpointError = e;
}
}),
new ScenarioOutput("verifiedEndpoint", (state) => {
if (state.verifyEndpointError) {
console.error(state.verifyEndpointError);
} else {
return MESSAGES.verifiedEndpoint.replace(
"${ENDPOINT_RESPONSE}",
state.endpointResponse,
);
}
}),
saveState,
];
```
Criar etapas para executar a demonstração.
```
import { readFileSync } from "node:fs";
import { join } from "node:path";
import axios from "axios";
import {
DescribeTargetGroupsCommand,
DescribeTargetHealthCommand,
ElasticLoadBalancingV2Client,
} from "@aws-sdk/client-elastic-load-balancing-v2";
import {
DescribeInstanceInformationCommand,
PutParameterCommand,
SSMClient,
SendCommandCommand,
} from "@aws-sdk/client-ssm";
import {
IAMClient,
CreatePolicyCommand,
CreateRoleCommand,
AttachRolePolicyCommand,
CreateInstanceProfileCommand,
AddRoleToInstanceProfileCommand,
waitUntilInstanceProfileExists,
} from "@aws-sdk/client-iam";
import {
AutoScalingClient,
DescribeAutoScalingGroupsCommand,
TerminateInstanceInAutoScalingGroupCommand,
} from "@aws-sdk/client-auto-scaling";
import {
DescribeIamInstanceProfileAssociationsCommand,
EC2Client,
RebootInstancesCommand,
ReplaceIamInstanceProfileAssociationCommand,
} from "@aws-sdk/client-ec2";
import {
ScenarioAction,
ScenarioInput,
ScenarioOutput,
} from "@aws-doc-sdk-examples/lib/scenario/scenario.js";
import { retry } from "@aws-doc-sdk-examples/lib/utils/util-timers.js";
import { MESSAGES, NAMES, RESOURCES_PATH } from "./constants.js";
import { findLoadBalancer } from "./shared.js";
const getRecommendation = new ScenarioAction(
"getRecommendation",
async (state) => {
const loadBalancer = await findLoadBalancer(NAMES.loadBalancerName);
if (loadBalancer) {
state.loadBalancerDnsName = loadBalancer.DNSName;
try {
state.recommendation = (
await axios.get(`http://${state.loadBalancerDnsName}`)
).data;
} catch (e) {
state.recommendation = e instanceof Error ? e.message : e;
}
} else {
throw new Error(MESSAGES.demoFindLoadBalancerError);
}
},
);
const getRecommendationResult = new ScenarioOutput(
"getRecommendationResult",
(state) =>
`Recommendation:\n${JSON.stringify(state.recommendation, null, 2)}`,
{ preformatted: true },
);
const getHealthCheck = new ScenarioAction("getHealthCheck", async (state) => {
const client = new ElasticLoadBalancingV2Client({});
const { TargetGroups } = await client.send(
new DescribeTargetGroupsCommand({
Names: [NAMES.loadBalancerTargetGroupName],
}),
);
const { TargetHealthDescriptions } = await client.send(
new DescribeTargetHealthCommand({
TargetGroupArn: TargetGroups[0].TargetGroupArn,
}),
);
state.targetHealthDescriptions = TargetHealthDescriptions;
});
const getHealthCheckResult = new ScenarioOutput(
"getHealthCheckResult",
/**
* @param {{ targetHealthDescriptions: import('@aws-sdk/client-elastic-load-balancing-v2').TargetHealthDescription[]}} state
*/
(state) => {
const status = state.targetHealthDescriptions
.map((th) => `${th.Target.Id}: ${th.TargetHealth.State}`)
.join("\n");
return `Health check:\n${status}`;
},
{ preformatted: true },
);
const loadBalancerLoop = new ScenarioAction(
"loadBalancerLoop",
getRecommendation.action,
{
whileConfig: {
whileFn: ({ loadBalancerCheck }) => loadBalancerCheck,
input: new ScenarioInput(
"loadBalancerCheck",
MESSAGES.demoLoadBalancerCheck,
{
type: "confirm",
},
),
output: getRecommendationResult,
},
},
);
const healthCheckLoop = new ScenarioAction(
"healthCheckLoop",
getHealthCheck.action,
{
whileConfig: {
whileFn: ({ healthCheck }) => healthCheck,
input: new ScenarioInput("healthCheck", MESSAGES.demoHealthCheck, {
type: "confirm",
}),
output: getHealthCheckResult,
},
},
);
const statusSteps = [
getRecommendation,
getRecommendationResult,
getHealthCheck,
getHealthCheckResult,
];
/**
* @type {import('@aws-doc-sdk-examples/lib/scenario.js').Step[]}
*/
export const demoSteps = [
new ScenarioOutput("header", MESSAGES.demoHeader, { header: true }),
new ScenarioOutput("sanityCheck", MESSAGES.demoSanityCheck),
...statusSteps,
new ScenarioInput(
"brokenDependencyConfirmation",
MESSAGES.demoBrokenDependencyConfirmation,
{ type: "confirm" },
),
new ScenarioAction("brokenDependency", async (state) => {
if (!state.brokenDependencyConfirmation) {
process.exit();
} else {
const client = new SSMClient({});
state.badTableName = `fake-table-${Date.now()}`;
await client.send(
new PutParameterCommand({
Name: NAMES.ssmTableNameKey,
Value: state.badTableName,
Overwrite: true,
Type: "String",
}),
);
}
}),
new ScenarioOutput("testBrokenDependency", (state) =>
MESSAGES.demoTestBrokenDependency.replace(
"${TABLE_NAME}",
state.badTableName,
),
),
...statusSteps,
new ScenarioInput(
"staticResponseConfirmation",
MESSAGES.demoStaticResponseConfirmation,
{ type: "confirm" },
),
new ScenarioAction("staticResponse", async (state) => {
if (!state.staticResponseConfirmation) {
process.exit();
} else {
const client = new SSMClient({});
await client.send(
new PutParameterCommand({
Name: NAMES.ssmFailureResponseKey,
Value: "static",
Overwrite: true,
Type: "String",
}),
);
}
}),
new ScenarioOutput("testStaticResponse", MESSAGES.demoTestStaticResponse),
...statusSteps,
new ScenarioInput(
"badCredentialsConfirmation",
MESSAGES.demoBadCredentialsConfirmation,
{ type: "confirm" },
),
new ScenarioAction("badCredentialsExit", (state) => {
if (!state.badCredentialsConfirmation) {
process.exit();
}
}),
new ScenarioAction("fixDynamoDBName", async () => {
const client = new SSMClient({});
await client.send(
new PutParameterCommand({
Name: NAMES.ssmTableNameKey,
Value: NAMES.tableName,
Overwrite: true,
Type: "String",
}),
);
}),
new ScenarioAction(
"badCredentials",
/**
* @param {{ targetInstance: import('@aws-sdk/client-auto-scaling').Instance }} state
*/
async (state) => {
await createSsmOnlyInstanceProfile();
const autoScalingClient = new AutoScalingClient({});
const { AutoScalingGroups } = await autoScalingClient.send(
new DescribeAutoScalingGroupsCommand({
AutoScalingGroupNames: [NAMES.autoScalingGroupName],
}),
);
state.targetInstance = AutoScalingGroups[0].Instances[0];
const ec2Client = new EC2Client({});
const { IamInstanceProfileAssociations } = await ec2Client.send(
new DescribeIamInstanceProfileAssociationsCommand({
Filters: [
{ Name: "instance-id", Values: [state.targetInstance.InstanceId] },
],
}),
);
state.instanceProfileAssociationId =
IamInstanceProfileAssociations[0].AssociationId;
await retry({ intervalInMs: 1000, maxRetries: 30 }, () =>
ec2Client.send(
new ReplaceIamInstanceProfileAssociationCommand({
AssociationId: state.instanceProfileAssociationId,
IamInstanceProfile: { Name: NAMES.ssmOnlyInstanceProfileName },
}),
),
);
await ec2Client.send(
new RebootInstancesCommand({
InstanceIds: [state.targetInstance.InstanceId],
}),
);
const ssmClient = new SSMClient({});
await retry({ intervalInMs: 20000, maxRetries: 15 }, async () => {
const { InstanceInformationList } = await ssmClient.send(
new DescribeInstanceInformationCommand({}),
);
const instance = InstanceInformationList.find(
(info) => info.InstanceId === state.targetInstance.InstanceId,
);
if (!instance) {
throw new Error("Instance not found.");
}
});
await ssmClient.send(
new SendCommandCommand({
InstanceIds: [state.targetInstance.InstanceId],
DocumentName: "AWS-RunShellScript",
Parameters: { commands: ["cd / && sudo python3 server.py 80"] },
}),
);
},
),
new ScenarioOutput(
"testBadCredentials",
/**
* @param {{ targetInstance: import('@aws-sdk/client-ssm').InstanceInformation}} state
*/
(state) =>
MESSAGES.demoTestBadCredentials.replace(
"${INSTANCE_ID}",
state.targetInstance.InstanceId,
),
),
loadBalancerLoop,
new ScenarioInput(
"deepHealthCheckConfirmation",
MESSAGES.demoDeepHealthCheckConfirmation,
{ type: "confirm" },
),
new ScenarioAction("deepHealthCheckExit", (state) => {
if (!state.deepHealthCheckConfirmation) {
process.exit();
}
}),
new ScenarioAction("deepHealthCheck", async () => {
const client = new SSMClient({});
await client.send(
new PutParameterCommand({
Name: NAMES.ssmHealthCheckKey,
Value: "deep",
Overwrite: true,
Type: "String",
}),
);
}),
new ScenarioOutput("testDeepHealthCheck", MESSAGES.demoTestDeepHealthCheck),
healthCheckLoop,
loadBalancerLoop,
new ScenarioInput(
"killInstanceConfirmation",
/**
* @param {{ targetInstance: import('@aws-sdk/client-ssm').InstanceInformation }} state
*/
(state) =>
MESSAGES.demoKillInstanceConfirmation.replace(
"${INSTANCE_ID}",
state.targetInstance.InstanceId,
),
{ type: "confirm" },
),
new ScenarioAction("killInstanceExit", (state) => {
if (!state.killInstanceConfirmation) {
process.exit();
}
}),
new ScenarioAction(
"killInstance",
/**
* @param {{ targetInstance: import('@aws-sdk/client-ssm').InstanceInformation }} state
*/
async (state) => {
const client = new AutoScalingClient({});
await client.send(
new TerminateInstanceInAutoScalingGroupCommand({
InstanceId: state.targetInstance.InstanceId,
ShouldDecrementDesiredCapacity: false,
}),
);
},
),
new ScenarioOutput("testKillInstance", MESSAGES.demoTestKillInstance),
healthCheckLoop,
loadBalancerLoop,
new ScenarioInput("failOpenConfirmation", MESSAGES.demoFailOpenConfirmation, {
type: "confirm",
}),
new ScenarioAction("failOpenExit", (state) => {
if (!state.failOpenConfirmation) {
process.exit();
}
}),
new ScenarioAction("failOpen", () => {
const client = new SSMClient({});
return client.send(
new PutParameterCommand({
Name: NAMES.ssmTableNameKey,
Value: `fake-table-${Date.now()}`,
Overwrite: true,
Type: "String",
}),
);
}),
new ScenarioOutput("testFailOpen", MESSAGES.demoFailOpenTest),
healthCheckLoop,
loadBalancerLoop,
new ScenarioInput(
"resetTableConfirmation",
MESSAGES.demoResetTableConfirmation,
{ type: "confirm" },
),
new ScenarioAction("resetTableExit", (state) => {
if (!state.resetTableConfirmation) {
process.exit();
}
}),
new ScenarioAction("resetTable", async () => {
const client = new SSMClient({});
await client.send(
new PutParameterCommand({
Name: NAMES.ssmTableNameKey,
Value: NAMES.tableName,
Overwrite: true,
Type: "String",
}),
);
}),
new ScenarioOutput("testResetTable", MESSAGES.demoTestResetTable),
healthCheckLoop,
loadBalancerLoop,
];
async function createSsmOnlyInstanceProfile() {
const iamClient = new IAMClient({});
const { Policy } = await iamClient.send(
new CreatePolicyCommand({
PolicyName: NAMES.ssmOnlyPolicyName,
PolicyDocument: readFileSync(
join(RESOURCES_PATH, "ssm_only_policy.json"),
),
}),
);
await iamClient.send(
new CreateRoleCommand({
RoleName: NAMES.ssmOnlyRoleName,
AssumeRolePolicyDocument: JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Effect: "Allow",
Principal: { Service: "ec2.amazonaws.com" },
Action: "sts:AssumeRole",
},
],
}),
}),
);
await iamClient.send(
new AttachRolePolicyCommand({
RoleName: NAMES.ssmOnlyRoleName,
PolicyArn: Policy.Arn,
}),
);
await iamClient.send(
new AttachRolePolicyCommand({
RoleName: NAMES.ssmOnlyRoleName,
PolicyArn: "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
}),
);
const { InstanceProfile } = await iamClient.send(
new CreateInstanceProfileCommand({
InstanceProfileName: NAMES.ssmOnlyInstanceProfileName,
}),
);
await waitUntilInstanceProfileExists(
{ client: iamClient },
{ InstanceProfileName: NAMES.ssmOnlyInstanceProfileName },
);
await iamClient.send(
new AddRoleToInstanceProfileCommand({
InstanceProfileName: NAMES.ssmOnlyInstanceProfileName,
RoleName: NAMES.ssmOnlyRoleName,
}),
);
return InstanceProfile;
}
```
Criar etapas para destruir todos os recursos.
```
import { unlinkSync } from "node:fs";
import { DynamoDBClient, DeleteTableCommand } from "@aws-sdk/client-dynamodb";
import {
EC2Client,
DeleteKeyPairCommand,
DeleteLaunchTemplateCommand,
RevokeSecurityGroupIngressCommand,
} from "@aws-sdk/client-ec2";
import {
IAMClient,
DeleteInstanceProfileCommand,
RemoveRoleFromInstanceProfileCommand,
DeletePolicyCommand,
DeleteRoleCommand,
DetachRolePolicyCommand,
paginateListPolicies,
} from "@aws-sdk/client-iam";
import {
AutoScalingClient,
DeleteAutoScalingGroupCommand,
TerminateInstanceInAutoScalingGroupCommand,
UpdateAutoScalingGroupCommand,
paginateDescribeAutoScalingGroups,
} from "@aws-sdk/client-auto-scaling";
import {
DeleteLoadBalancerCommand,
DeleteTargetGroupCommand,
DescribeTargetGroupsCommand,
ElasticLoadBalancingV2Client,
} from "@aws-sdk/client-elastic-load-balancing-v2";
import {
ScenarioOutput,
ScenarioInput,
ScenarioAction,
} from "@aws-doc-sdk-examples/lib/scenario/index.js";
import { loadState } from "@aws-doc-sdk-examples/lib/scenario/steps-common.js";
import { retry } from "@aws-doc-sdk-examples/lib/utils/util-timers.js";
import { MESSAGES, NAMES } from "./constants.js";
import { findLoadBalancer } from "./shared.js";
/**
* @type {import('@aws-doc-sdk-examples/lib/scenario.js').Step[]}
*/
export const destroySteps = [
loadState,
new ScenarioInput("destroy", MESSAGES.destroy, { type: "confirm" }),
new ScenarioAction(
"abort",
(state) => state.destroy === false && process.exit(),
),
new ScenarioAction("deleteTable", async (c) => {
try {
const client = new DynamoDBClient({});
await client.send(new DeleteTableCommand({ TableName: NAMES.tableName }));
} catch (e) {
c.deleteTableError = e;
}
}),
new ScenarioOutput("deleteTableResult", (state) => {
if (state.deleteTableError) {
console.error(state.deleteTableError);
return MESSAGES.deleteTableError.replace(
"${TABLE_NAME}",
NAMES.tableName,
);
}
return MESSAGES.deletedTable.replace("${TABLE_NAME}", NAMES.tableName);
}),
new ScenarioAction("deleteKeyPair", async (state) => {
try {
const client = new EC2Client({});
await client.send(
new DeleteKeyPairCommand({ KeyName: NAMES.keyPairName }),
);
unlinkSync(`${NAMES.keyPairName}.pem`);
} catch (e) {
state.deleteKeyPairError = e;
}
}),
new ScenarioOutput("deleteKeyPairResult", (state) => {
if (state.deleteKeyPairError) {
console.error(state.deleteKeyPairError);
return MESSAGES.deleteKeyPairError.replace(
"${KEY_PAIR_NAME}",
NAMES.keyPairName,
);
}
return MESSAGES.deletedKeyPair.replace(
"${KEY_PAIR_NAME}",
NAMES.keyPairName,
);
}),
new ScenarioAction("detachPolicyFromRole", async (state) => {
try {
const client = new IAMClient({});
const policy = await findPolicy(NAMES.instancePolicyName);
if (!policy) {
state.detachPolicyFromRoleError = new Error(
`Policy ${NAMES.instancePolicyName} not found.`,
);
} else {
await client.send(
new DetachRolePolicyCommand({
RoleName: NAMES.instanceRoleName,
PolicyArn: policy.Arn,
}),
);
}
} catch (e) {
state.detachPolicyFromRoleError = e;
}
}),
new ScenarioOutput("detachedPolicyFromRole", (state) => {
if (state.detachPolicyFromRoleError) {
console.error(state.detachPolicyFromRoleError);
return MESSAGES.detachPolicyFromRoleError
.replace("${INSTANCE_POLICY_NAME}", NAMES.instancePolicyName)
.replace("${INSTANCE_ROLE_NAME}", NAMES.instanceRoleName);
}
return MESSAGES.detachedPolicyFromRole
.replace("${INSTANCE_POLICY_NAME}", NAMES.instancePolicyName)
.replace("${INSTANCE_ROLE_NAME}", NAMES.instanceRoleName);
}),
new ScenarioAction("deleteInstancePolicy", async (state) => {
const client = new IAMClient({});
const policy = await findPolicy(NAMES.instancePolicyName);
if (!policy) {
state.deletePolicyError = new Error(
`Policy ${NAMES.instancePolicyName} not found.`,
);
} else {
return client.send(
new DeletePolicyCommand({
PolicyArn: policy.Arn,
}),
);
}
}),
new ScenarioOutput("deletePolicyResult", (state) => {
if (state.deletePolicyError) {
console.error(state.deletePolicyError);
return MESSAGES.deletePolicyError.replace(
"${INSTANCE_POLICY_NAME}",
NAMES.instancePolicyName,
);
}
return MESSAGES.deletedPolicy.replace(
"${INSTANCE_POLICY_NAME}",
NAMES.instancePolicyName,
);
}),
new ScenarioAction("removeRoleFromInstanceProfile", async (state) => {
try {
const client = new IAMClient({});
await client.send(
new RemoveRoleFromInstanceProfileCommand({
RoleName: NAMES.instanceRoleName,
InstanceProfileName: NAMES.instanceProfileName,
}),
);
} catch (e) {
state.removeRoleFromInstanceProfileError = e;
}
}),
new ScenarioOutput("removeRoleFromInstanceProfileResult", (state) => {
if (state.removeRoleFromInstanceProfile) {
console.error(state.removeRoleFromInstanceProfileError);
return MESSAGES.removeRoleFromInstanceProfileError
.replace("${INSTANCE_PROFILE_NAME}", NAMES.instanceProfileName)
.replace("${INSTANCE_ROLE_NAME}", NAMES.instanceRoleName);
}
return MESSAGES.removedRoleFromInstanceProfile
.replace("${INSTANCE_PROFILE_NAME}", NAMES.instanceProfileName)
.replace("${INSTANCE_ROLE_NAME}", NAMES.instanceRoleName);
}),
new ScenarioAction("deleteInstanceRole", async (state) => {
try {
const client = new IAMClient({});
await client.send(
new DeleteRoleCommand({
RoleName: NAMES.instanceRoleName,
}),
);
} catch (e) {
state.deleteInstanceRoleError = e;
}
}),
new ScenarioOutput("deleteInstanceRoleResult", (state) => {
if (state.deleteInstanceRoleError) {
console.error(state.deleteInstanceRoleError);
return MESSAGES.deleteInstanceRoleError.replace(
"${INSTANCE_ROLE_NAME}",
NAMES.instanceRoleName,
);
}
return MESSAGES.deletedInstanceRole.replace(
"${INSTANCE_ROLE_NAME}",
NAMES.instanceRoleName,
);
}),
new ScenarioAction("deleteInstanceProfile", async (state) => {
try {
const client = new IAMClient({});
await client.send(
new DeleteInstanceProfileCommand({
InstanceProfileName: NAMES.instanceProfileName,
}),
);
} catch (e) {
state.deleteInstanceProfileError = e;
}
}),
new ScenarioOutput("deleteInstanceProfileResult", (state) => {
if (state.deleteInstanceProfileError) {
console.error(state.deleteInstanceProfileError);
return MESSAGES.deleteInstanceProfileError.replace(
"${INSTANCE_PROFILE_NAME}",
NAMES.instanceProfileName,
);
}
return MESSAGES.deletedInstanceProfile.replace(
"${INSTANCE_PROFILE_NAME}",
NAMES.instanceProfileName,
);
}),
new ScenarioAction("deleteAutoScalingGroup", async (state) => {
try {
await terminateGroupInstances(NAMES.autoScalingGroupName);
await retry({ intervalInMs: 60000, maxRetries: 60 }, async () => {
await deleteAutoScalingGroup(NAMES.autoScalingGroupName);
});
} catch (e) {
state.deleteAutoScalingGroupError = e;
}
}),
new ScenarioOutput("deleteAutoScalingGroupResult", (state) => {
if (state.deleteAutoScalingGroupError) {
console.error(state.deleteAutoScalingGroupError);
return MESSAGES.deleteAutoScalingGroupError.replace(
"${AUTO_SCALING_GROUP_NAME}",
NAMES.autoScalingGroupName,
);
}
return MESSAGES.deletedAutoScalingGroup.replace(
"${AUTO_SCALING_GROUP_NAME}",
NAMES.autoScalingGroupName,
);
}),
new ScenarioAction("deleteLaunchTemplate", async (state) => {
const client = new EC2Client({});
try {
await client.send(
new DeleteLaunchTemplateCommand({
LaunchTemplateName: NAMES.launchTemplateName,
}),
);
} catch (e) {
state.deleteLaunchTemplateError = e;
}
}),
new ScenarioOutput("deleteLaunchTemplateResult", (state) => {
if (state.deleteLaunchTemplateError) {
console.error(state.deleteLaunchTemplateError);
return MESSAGES.deleteLaunchTemplateError.replace(
"${LAUNCH_TEMPLATE_NAME}",
NAMES.launchTemplateName,
);
}
return MESSAGES.deletedLaunchTemplate.replace(
"${LAUNCH_TEMPLATE_NAME}",
NAMES.launchTemplateName,
);
}),
new ScenarioAction("deleteLoadBalancer", async (state) => {
try {
const client = new ElasticLoadBalancingV2Client({});
const loadBalancer = await findLoadBalancer(NAMES.loadBalancerName);
await client.send(
new DeleteLoadBalancerCommand({
LoadBalancerArn: loadBalancer.LoadBalancerArn,
}),
);
await retry({ intervalInMs: 1000, maxRetries: 60 }, async () => {
const lb = await findLoadBalancer(NAMES.loadBalancerName);
if (lb) {
throw new Error("Load balancer still exists.");
}
});
} catch (e) {
state.deleteLoadBalancerError = e;
}
}),
new ScenarioOutput("deleteLoadBalancerResult", (state) => {
if (state.deleteLoadBalancerError) {
console.error(state.deleteLoadBalancerError);
return MESSAGES.deleteLoadBalancerError.replace(
"${LB_NAME}",
NAMES.loadBalancerName,
);
}
return MESSAGES.deletedLoadBalancer.replace(
"${LB_NAME}",
NAMES.loadBalancerName,
);
}),
new ScenarioAction("deleteLoadBalancerTargetGroup", async (state) => {
const client = new ElasticLoadBalancingV2Client({});
try {
const { TargetGroups } = await client.send(
new DescribeTargetGroupsCommand({
Names: [NAMES.loadBalancerTargetGroupName],
}),
);
await retry({ intervalInMs: 1000, maxRetries: 30 }, () =>
client.send(
new DeleteTargetGroupCommand({
TargetGroupArn: TargetGroups[0].TargetGroupArn,
}),
),
);
} catch (e) {
state.deleteLoadBalancerTargetGroupError = e;
}
}),
new ScenarioOutput("deleteLoadBalancerTargetGroupResult", (state) => {
if (state.deleteLoadBalancerTargetGroupError) {
console.error(state.deleteLoadBalancerTargetGroupError);
return MESSAGES.deleteLoadBalancerTargetGroupError.replace(
"${TARGET_GROUP_NAME}",
NAMES.loadBalancerTargetGroupName,
);
}
return MESSAGES.deletedLoadBalancerTargetGroup.replace(
"${TARGET_GROUP_NAME}",
NAMES.loadBalancerTargetGroupName,
);
}),
new ScenarioAction("detachSsmOnlyRoleFromProfile", async (state) => {
try {
const client = new IAMClient({});
await client.send(
new RemoveRoleFromInstanceProfileCommand({
InstanceProfileName: NAMES.ssmOnlyInstanceProfileName,
RoleName: NAMES.ssmOnlyRoleName,
}),
);
} catch (e) {
state.detachSsmOnlyRoleFromProfileError = e;
}
}),
new ScenarioOutput("detachSsmOnlyRoleFromProfileResult", (state) => {
if (state.detachSsmOnlyRoleFromProfileError) {
console.error(state.detachSsmOnlyRoleFromProfileError);
return MESSAGES.detachSsmOnlyRoleFromProfileError
.replace("${ROLE_NAME}", NAMES.ssmOnlyRoleName)
.replace("${PROFILE_NAME}", NAMES.ssmOnlyInstanceProfileName);
}
return MESSAGES.detachedSsmOnlyRoleFromProfile
.replace("${ROLE_NAME}", NAMES.ssmOnlyRoleName)
.replace("${PROFILE_NAME}", NAMES.ssmOnlyInstanceProfileName);
}),
new ScenarioAction("detachSsmOnlyCustomRolePolicy", async (state) => {
try {
const iamClient = new IAMClient({});
const ssmOnlyPolicy = await findPolicy(NAMES.ssmOnlyPolicyName);
await iamClient.send(
new DetachRolePolicyCommand({
RoleName: NAMES.ssmOnlyRoleName,
PolicyArn: ssmOnlyPolicy.Arn,
}),
);
} catch (e) {
state.detachSsmOnlyCustomRolePolicyError = e;
}
}),
new ScenarioOutput("detachSsmOnlyCustomRolePolicyResult", (state) => {
if (state.detachSsmOnlyCustomRolePolicyError) {
console.error(state.detachSsmOnlyCustomRolePolicyError);
return MESSAGES.detachSsmOnlyCustomRolePolicyError
.replace("${ROLE_NAME}", NAMES.ssmOnlyRoleName)
.replace("${POLICY_NAME}", NAMES.ssmOnlyPolicyName);
}
return MESSAGES.detachedSsmOnlyCustomRolePolicy
.replace("${ROLE_NAME}", NAMES.ssmOnlyRoleName)
.replace("${POLICY_NAME}", NAMES.ssmOnlyPolicyName);
}),
new ScenarioAction("detachSsmOnlyAWSRolePolicy", async (state) => {
try {
const iamClient = new IAMClient({});
await iamClient.send(
new DetachRolePolicyCommand({
RoleName: NAMES.ssmOnlyRoleName,
PolicyArn: "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
}),
);
} catch (e) {
state.detachSsmOnlyAWSRolePolicyError = e;
}
}),
new ScenarioOutput("detachSsmOnlyAWSRolePolicyResult", (state) => {
if (state.detachSsmOnlyAWSRolePolicyError) {
console.error(state.detachSsmOnlyAWSRolePolicyError);
return MESSAGES.detachSsmOnlyAWSRolePolicyError
.replace("${ROLE_NAME}", NAMES.ssmOnlyRoleName)
.replace("${POLICY_NAME}", "AmazonSSMManagedInstanceCore");
}
return MESSAGES.detachedSsmOnlyAWSRolePolicy
.replace("${ROLE_NAME}", NAMES.ssmOnlyRoleName)
.replace("${POLICY_NAME}", "AmazonSSMManagedInstanceCore");
}),
new ScenarioAction("deleteSsmOnlyInstanceProfile", async (state) => {
try {
const iamClient = new IAMClient({});
await iamClient.send(
new DeleteInstanceProfileCommand({
InstanceProfileName: NAMES.ssmOnlyInstanceProfileName,
}),
);
} catch (e) {
state.deleteSsmOnlyInstanceProfileError = e;
}
}),
new ScenarioOutput("deleteSsmOnlyInstanceProfileResult", (state) => {
if (state.deleteSsmOnlyInstanceProfileError) {
console.error(state.deleteSsmOnlyInstanceProfileError);
return MESSAGES.deleteSsmOnlyInstanceProfileError.replace(
"${INSTANCE_PROFILE_NAME}",
NAMES.ssmOnlyInstanceProfileName,
);
}
return MESSAGES.deletedSsmOnlyInstanceProfile.replace(
"${INSTANCE_PROFILE_NAME}",
NAMES.ssmOnlyInstanceProfileName,
);
}),
new ScenarioAction("deleteSsmOnlyPolicy", async (state) => {
try {
const iamClient = new IAMClient({});
const ssmOnlyPolicy = await findPolicy(NAMES.ssmOnlyPolicyName);
await iamClient.send(
new DeletePolicyCommand({
PolicyArn: ssmOnlyPolicy.Arn,
}),
);
} catch (e) {
state.deleteSsmOnlyPolicyError = e;
}
}),
new ScenarioOutput("deleteSsmOnlyPolicyResult", (state) => {
if (state.deleteSsmOnlyPolicyError) {
console.error(state.deleteSsmOnlyPolicyError);
return MESSAGES.deleteSsmOnlyPolicyError.replace(
"${POLICY_NAME}",
NAMES.ssmOnlyPolicyName,
);
}
return MESSAGES.deletedSsmOnlyPolicy.replace(
"${POLICY_NAME}",
NAMES.ssmOnlyPolicyName,
);
}),
new ScenarioAction("deleteSsmOnlyRole", async (state) => {
try {
const iamClient = new IAMClient({});
await iamClient.send(
new DeleteRoleCommand({
RoleName: NAMES.ssmOnlyRoleName,
}),
);
} catch (e) {
state.deleteSsmOnlyRoleError = e;
}
}),
new ScenarioOutput("deleteSsmOnlyRoleResult", (state) => {
if (state.deleteSsmOnlyRoleError) {
console.error(state.deleteSsmOnlyRoleError);
return MESSAGES.deleteSsmOnlyRoleError.replace(
"${ROLE_NAME}",
NAMES.ssmOnlyRoleName,
);
}
return MESSAGES.deletedSsmOnlyRole.replace(
"${ROLE_NAME}",
NAMES.ssmOnlyRoleName,
);
}),
new ScenarioAction(
"revokeSecurityGroupIngress",
async (
/** @type {{ myIp: string, defaultSecurityGroup: { GroupId: string } }} */ state,
) => {
const ec2Client = new EC2Client({});
try {
await ec2Client.send(
new RevokeSecurityGroupIngressCommand({
GroupId: state.defaultSecurityGroup.GroupId,
CidrIp: `${state.myIp}/32`,
FromPort: 80,
ToPort: 80,
IpProtocol: "tcp",
}),
);
} catch (e) {
state.revokeSecurityGroupIngressError = e;
}
},
),
new ScenarioOutput("revokeSecurityGroupIngressResult", (state) => {
if (state.revokeSecurityGroupIngressError) {
console.error(state.revokeSecurityGroupIngressError);
return MESSAGES.revokeSecurityGroupIngressError.replace(
"${IP}",
state.myIp,
);
}
return MESSAGES.revokedSecurityGroupIngress.replace("${IP}", state.myIp);
}),
];
/**
* @param {string} policyName
*/
async function findPolicy(policyName) {
const client = new IAMClient({});
const paginatedPolicies = paginateListPolicies({ client }, {});
for await (const page of paginatedPolicies) {
const policy = page.Policies.find((p) => p.PolicyName === policyName);
if (policy) {
return policy;
}
}
}
/**
* @param {string} groupName
*/
async function deleteAutoScalingGroup(groupName) {
const client = new AutoScalingClient({});
try {
await client.send(
new DeleteAutoScalingGroupCommand({
AutoScalingGroupName: groupName,
}),
);
} catch (err) {
if (!(err instanceof Error)) {
throw err;
}
console.log(err.name);
throw err;
}
}
/**
* @param {string} groupName
*/
async function terminateGroupInstances(groupName) {
const autoScalingClient = new AutoScalingClient({});
const group = await findAutoScalingGroup(groupName);
await autoScalingClient.send(
new UpdateAutoScalingGroupCommand({
AutoScalingGroupName: group.AutoScalingGroupName,
MinSize: 0,
}),
);
for (const i of group.Instances) {
await retry({ intervalInMs: 1000, maxRetries: 30 }, () =>
autoScalingClient.send(
new TerminateInstanceInAutoScalingGroupCommand({
InstanceId: i.InstanceId,
ShouldDecrementDesiredCapacity: true,
}),
),
);
}
}
async function findAutoScalingGroup(groupName) {
const client = new AutoScalingClient({});
const paginatedGroups = paginateDescribeAutoScalingGroups({ client }, {});
for await (const page of paginatedGroups) {
const group = page.AutoScalingGroups.find(
(g) => g.AutoScalingGroupName === groupName,
);
if (group) {
return group;
}
}
throw new Error(`Auto scaling group ${groupName} not found.`);
}
```
+ Para obter detalhes da API, consulte os tópicos a seguir na *Referência da API AWS SDK para JavaScript*.
+ [AttachLoadBalancerTargetGroups](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/auto-scaling/command/AttachLoadBalancerTargetGroupsCommand)
+ [CreateAutoScalingGroup](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/auto-scaling/command/CreateAutoScalingGroupCommand)
+ [CreateInstanceProfile](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateInstanceProfileCommand)
+ [CreateLaunchTemplate](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/ec2/command/CreateLaunchTemplateCommand)
+ [CreateListener](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/elastic-load-balancing-v2/command/CreateListenerCommand)
+ [CreateLoadBalancer](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/elastic-load-balancing-v2/command/CreateLoadBalancerCommand)
+ [CreateTargetGroup](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/elastic-load-balancing-v2/command/CreateTargetGroupCommand)
+ [DeleteAutoScalingGroup](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/auto-scaling/command/DeleteAutoScalingGroupCommand)
+ [DeleteInstanceProfile](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteInstanceProfileCommand)
+ [DeleteLaunchTemplate](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/ec2/command/DeleteLaunchTemplateCommand)
+ [DeleteLoadBalancer](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/elastic-load-balancing-v2/command/DeleteLoadBalancerCommand)
+ [DeleteTargetGroup](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/elastic-load-balancing-v2/command/DeleteTargetGroupCommand)
+ [DescribeAutoScalingGroups](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/auto-scaling/command/DescribeAutoScalingGroupsCommand)
+ [DescribeAvailabilityZones](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/ec2/command/DescribeAvailabilityZonesCommand)
+ [DescribeIamInstanceProfileAssociations](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/ec2/command/DescribeIamInstanceProfileAssociationsCommand)
+ [DescribeInstances](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/ec2/command/DescribeInstancesCommand)
+ [DescribeLoadBalancers](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/elastic-load-balancing-v2/command/DescribeLoadBalancersCommand)
+ [DescribeSubnets](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/ec2/command/DescribeSubnetsCommand)
+ [DescribeTargetGroups](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/elastic-load-balancing-v2/command/DescribeTargetGroupsCommand)
+ [DescribeTargetHealth](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/elastic-load-balancing-v2/command/DescribeTargetHealthCommand)
+ [DescribeVpcs](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/ec2/command/DescribeVpcsCommand)
+ [RebootInstances](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/ec2/command/RebootInstancesCommand)
+ [ReplaceIamInstanceProfileAssociation](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/ec2/command/ReplaceIamInstanceProfileAssociationCommand)
+ [TerminateInstanceInAutoScalingGroup](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/auto-scaling/command/TerminateInstanceInAutoScalingGroupCommand)
+ [UpdateAutoScalingGroup](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/auto-scaling/command/UpdateAutoScalingGroupCommand)
------
#### [ Python ]
**SDK para Python (Boto3).**
Há mais no GitHub. Encontre o exemplo completo e saiba como configurar e executar no [AWSCode Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/cross_service/resilient_service#code-examples).
Execute o cenário interativo em um prompt de comando.
```
class Runner:
"""
Manages the deployment, demonstration, and destruction of resources for the resilient service.
"""
def __init__(
self,
resource_path: str,
recommendation: RecommendationService,
autoscaler: AutoScalingWrapper,
loadbalancer: ElasticLoadBalancerWrapper,
param_helper: ParameterHelper,
):
"""
Initializes the Runner class with the necessary parameters.
:param resource_path: The path to resource files used by this example, such as IAM policies and instance scripts.
:param recommendation: An instance of the RecommendationService class.
:param autoscaler: An instance of the AutoScaler class.
:param loadbalancer: An instance of the LoadBalancer class.
:param param_helper: An instance of the ParameterHelper class.
"""
self.resource_path = resource_path
self.recommendation = recommendation
self.autoscaler = autoscaler
self.loadbalancer = loadbalancer
self.param_helper = param_helper
self.protocol = "HTTP"
self.port = 80
self.ssh_port = 22
prefix = "doc-example-resilience"
self.target_group_name = f"{prefix}-tg"
self.load_balancer_name = f"{prefix}-lb"
def deploy(self) -> None:
"""
Deploys the resources required for the resilient service, including the DynamoDB table,
EC2 instances, Auto Scaling group, and load balancer.
"""
recommendations_path = f"{self.resource_path}/recommendations.json"
startup_script = f"{self.resource_path}/server_startup_script.sh"
instance_policy = f"{self.resource_path}/instance_policy.json"
logging.info("Starting deployment of resources for the resilient service.")
logging.info(
"Creating and populating DynamoDB table '%s'.",
self.recommendation.table_name,
)
self.recommendation.create()
self.recommendation.populate(recommendations_path)
logging.info(
"Creating an EC2 launch template with the startup script '%s'.",
startup_script,
)
self.autoscaler.create_template(startup_script, instance_policy)
logging.info(
"Creating an EC2 Auto Scaling group across multiple Availability Zones."
)
zones = self.autoscaler.create_autoscaling_group(3)
logging.info("Creating variables that control the flow of the demo.")
self.param_helper.reset()
logging.info("Creating Elastic Load Balancing target group and load balancer.")
vpc = self.autoscaler.get_default_vpc()
subnets = self.autoscaler.get_subnets(vpc["VpcId"], zones)
target_group = self.loadbalancer.create_target_group(
self.target_group_name, self.protocol, self.port, vpc["VpcId"]
)
self.loadbalancer.create_load_balancer(
self.load_balancer_name, [subnet["SubnetId"] for subnet in subnets]
)
self.loadbalancer.create_listener(self.load_balancer_name, target_group)
self.autoscaler.attach_load_balancer_target_group(target_group)
logging.info("Verifying access to the load balancer endpoint.")
endpoint = self.loadbalancer.get_endpoint(self.load_balancer_name)
lb_success = self.loadbalancer.verify_load_balancer_endpoint(endpoint)
current_ip_address = requests.get("http://checkip.amazonaws.com").text.strip()
if not lb_success:
logging.warning(
"Couldn't connect to the load balancer. Verifying that the port is open..."
)
sec_group, port_is_open = self.autoscaler.verify_inbound_port(
vpc, self.port, current_ip_address
)
sec_group, ssh_port_is_open = self.autoscaler.verify_inbound_port(
vpc, self.ssh_port, current_ip_address
)
if not port_is_open:
logging.warning(
"The default security group for your VPC must allow access from this computer."
)
if q.ask(
f"Do you want to add a rule to security group {sec_group['GroupId']} to allow\n"
f"inbound traffic on port {self.port} from your computer's IP address of {current_ip_address}? (y/n) ",
q.is_yesno,
):
self.autoscaler.open_inbound_port(
sec_group["GroupId"], self.port, current_ip_address
)
if not ssh_port_is_open:
if q.ask(
f"Do you want to add a rule to security group {sec_group['GroupId']} to allow\n"
f"inbound SSH traffic on port {self.ssh_port} for debugging from your computer's IP address of {current_ip_address}? (y/n) ",
q.is_yesno,
):
self.autoscaler.open_inbound_port(
sec_group["GroupId"], self.ssh_port, current_ip_address
)
lb_success = self.loadbalancer.verify_load_balancer_endpoint(endpoint)
if lb_success:
logging.info(
"Load balancer is ready. Access it at: http://%s", current_ip_address
)
else:
logging.error(
"Couldn't get a successful response from the load balancer endpoint. Please verify your VPC and security group settings."
)
def demo_choices(self) -> None:
"""
Presents choices for interacting with the deployed service, such as sending requests to
the load balancer or checking the health of the targets.
"""
actions = [
"Send a GET request to the load balancer endpoint.",
"Check the health of load balancer targets.",
"Go to the next part of the demo.",
]
choice = 0
while choice != 2:
logging.info("Choose an action to interact with the service.")
choice = q.choose("Which action would you like to take? ", actions)
if choice == 0:
logging.info("Sending a GET request to the load balancer endpoint.")
endpoint = self.loadbalancer.get_endpoint(self.load_balancer_name)
logging.info("GET http://%s", endpoint)
response = requests.get(f"http://{endpoint}")
logging.info("Response: %s", response.status_code)
if response.headers.get("content-type") == "application/json":
pp(response.json())
elif choice == 1:
logging.info("Checking the health of load balancer targets.")
health = self.loadbalancer.check_target_health(self.target_group_name)
for target in health:
state = target["TargetHealth"]["State"]
logging.info(
"Target %s on port %d is %s",
target["Target"]["Id"],
target["Target"]["Port"],
state,
)
if state != "healthy":
logging.warning(
"%s: %s",
target["TargetHealth"]["Reason"],
target["TargetHealth"]["Description"],
)
logging.info(
"Note that it can take a minute or two for the health check to update."
)
elif choice == 2:
logging.info("Proceeding to the next part of the demo.")
def demo(self) -> None:
"""
Runs the demonstration, showing how the service responds to different failure scenarios
and how a resilient architecture can keep the service running.
"""
ssm_only_policy = f"{self.resource_path}/ssm_only_policy.json"
logging.info("Resetting parameters to starting values for the demo.")
self.param_helper.reset()
logging.info(
"Starting demonstration of the service's resilience under various failure conditions."
)
self.demo_choices()
logging.info(
"Simulating failure by changing the Systems Manager parameter to a non-existent table."
)
self.param_helper.put(self.param_helper.table, "this-is-not-a-table")
logging.info("Sending GET requests will now return failure codes.")
self.demo_choices()
logging.info("Switching to static response mode to mitigate failure.")
self.param_helper.put(self.param_helper.failure_response, "static")
logging.info("Sending GET requests will now return static responses.")
self.demo_choices()
logging.info("Restoring normal operation of the recommendation service.")
self.param_helper.put(self.param_helper.table, self.recommendation.table_name)
logging.info(
"Introducing a failure by assigning bad credentials to one of the instances."
)
self.autoscaler.create_instance_profile(
ssm_only_policy,
self.autoscaler.bad_creds_policy_name,
self.autoscaler.bad_creds_role_name,
self.autoscaler.bad_creds_profile_name,
["AmazonSSMManagedInstanceCore"],
)
instances = self.autoscaler.get_instances()
bad_instance_id = instances[0]
instance_profile = self.autoscaler.get_instance_profile(bad_instance_id)
logging.info(
"Replacing instance profile with bad credentials for instance %s.",
bad_instance_id,
)
self.autoscaler.replace_instance_profile(
bad_instance_id,
self.autoscaler.bad_creds_profile_name,
instance_profile["AssociationId"],
)
logging.info(
"Sending GET requests may return either a valid recommendation or a static response."
)
self.demo_choices()
logging.info("Implementing deep health checks to detect unhealthy instances.")
self.param_helper.put(self.param_helper.health_check, "deep")
logging.info("Checking the health of the load balancer targets.")
self.demo_choices()
logging.info(
"Terminating the unhealthy instance to let the auto scaler replace it."
)
self.autoscaler.terminate_instance(bad_instance_id)
logging.info("The service remains resilient during instance replacement.")
self.demo_choices()
logging.info("Simulating a complete failure of the recommendation service.")
self.param_helper.put(self.param_helper.table, "this-is-not-a-table")
logging.info(
"All instances will report as unhealthy, but the service will still return static responses."
)
self.demo_choices()
self.param_helper.reset()
def destroy(self, automation=False) -> None:
"""
Destroys all resources created for the demo, including the load balancer, Auto Scaling group,
EC2 instances, and DynamoDB table.
"""
logging.info(
"This concludes the demo. Preparing to clean up all AWS resources created during the demo."
)
if automation:
cleanup = True
else:
cleanup = q.ask(
"Do you want to clean up all demo resources? (y/n) ", q.is_yesno
)
if cleanup:
logging.info("Deleting load balancer and related resources.")
self.loadbalancer.delete_load_balancer(self.load_balancer_name)
self.loadbalancer.delete_target_group(self.target_group_name)
self.autoscaler.delete_autoscaling_group(self.autoscaler.group_name)
self.autoscaler.delete_key_pair()
self.autoscaler.delete_template()
self.autoscaler.delete_instance_profile(
self.autoscaler.bad_creds_profile_name,
self.autoscaler.bad_creds_role_name,
)
logging.info("Deleting DynamoDB table and other resources.")
self.recommendation.destroy()
else:
logging.warning(
"Resources have not been deleted. Ensure you clean them up manually to avoid unexpected charges."
)
def main() -> None:
"""
Main function to parse arguments and run the appropriate actions for the demo.
"""
parser = argparse.ArgumentParser()
parser.add_argument(
"--action",
required=True,
choices=["all", "deploy", "demo", "destroy"],
help="The action to take for the demo. When 'all' is specified, resources are\n"
"deployed, the demo is run, and resources are destroyed.",
)
parser.add_argument(
"--resource_path",
default="../../../scenarios/features/resilient_service/resources",
help="The path to resource files used by this example, such as IAM policies and\n"
"instance scripts.",
)
args = parser.parse_args()
logging.info("Starting the Resilient Service demo.")
prefix = "doc-example-resilience"
# Service Clients
ddb_client = boto3.client("dynamodb")
elb_client = boto3.client("elbv2")
autoscaling_client = boto3.client("autoscaling")
ec2_client = boto3.client("ec2")
ssm_client = boto3.client("ssm")
iam_client = boto3.client("iam")
# Wrapper instantiations
recommendation = RecommendationService(
"doc-example-recommendation-service", ddb_client
)
autoscaling_wrapper = AutoScalingWrapper(
prefix,
"t3.micro",
"/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2",
autoscaling_client,
ec2_client,
ssm_client,
iam_client,
)
elb_wrapper = ElasticLoadBalancerWrapper(elb_client)
param_helper = ParameterHelper(recommendation.table_name, ssm_client)
# Demo invocation
runner = Runner(
args.resource_path,
recommendation,
autoscaling_wrapper,
elb_wrapper,
param_helper,
)
actions = [args.action] if args.action != "all" else ["deploy", "demo", "destroy"]
for action in actions:
if action == "deploy":
runner.deploy()
elif action == "demo":
runner.demo()
elif action == "destroy":
runner.destroy()
logging.info("Demo completed successfully.")
if __name__ == "__main__":
logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
main()
```
Crie uma classe que envolva ações do Auto Scaling e do Amazon EC2.
```
class AutoScalingWrapper:
"""
Encapsulates Amazon EC2 Auto Scaling and EC2 management actions.
"""
def __init__(
self,
resource_prefix: str,
inst_type: str,
ami_param: str,
autoscaling_client: boto3.client,
ec2_client: boto3.client,
ssm_client: boto3.client,
iam_client: boto3.client,
):
"""
Initializes the AutoScaler class with the necessary parameters.
:param resource_prefix: The prefix for naming AWS resources that are created by this class.
:param inst_type: The type of EC2 instance to create, such as t3.micro.
:param ami_param: The Systems Manager parameter used to look up the AMI that is created.
:param autoscaling_client: A Boto3 EC2 Auto Scaling client.
:param ec2_client: A Boto3 EC2 client.
:param ssm_client: A Boto3 Systems Manager client.
:param iam_client: A Boto3 IAM client.
"""
self.inst_type = inst_type
self.ami_param = ami_param
self.autoscaling_client = autoscaling_client
self.ec2_client = ec2_client
self.ssm_client = ssm_client
self.iam_client = iam_client
sts_client = boto3.client("sts")
self.account_id = sts_client.get_caller_identity()["Account"]
self.key_pair_name = f"{resource_prefix}-key-pair"
self.launch_template_name = f"{resource_prefix}-template-"
self.group_name = f"{resource_prefix}-group"
# Happy path
self.instance_policy_name = f"{resource_prefix}-pol"
self.instance_role_name = f"{resource_prefix}-role"
self.instance_profile_name = f"{resource_prefix}-prof"
# Failure mode
self.bad_creds_policy_name = f"{resource_prefix}-bc-pol"
self.bad_creds_role_name = f"{resource_prefix}-bc-role"
self.bad_creds_profile_name = f"{resource_prefix}-bc-prof"
def create_policy(self, policy_file: str, policy_name: str) -> str:
"""
Creates a new IAM policy or retrieves the ARN of an existing policy.
:param policy_file: The path to a JSON file that contains the policy definition.
:param policy_name: The name to give the created policy.
:return: The ARN of the created or existing policy.
"""
with open(policy_file) as file:
policy_doc = file.read()
try:
response = self.iam_client.create_policy(
PolicyName=policy_name, PolicyDocument=policy_doc
)
policy_arn = response["Policy"]["Arn"]
log.info(f"Policy '{policy_name}' created successfully. ARN: {policy_arn}")
return policy_arn
except ClientError as err:
if err.response["Error"]["Code"] == "EntityAlreadyExists":
# If the policy already exists, get its ARN
response = self.iam_client.get_policy(
PolicyArn=f"arn:aws:iam::{self.account_id}:policy/{policy_name}"
)
policy_arn = response["Policy"]["Arn"]
log.info(f"Policy '{policy_name}' already exists. ARN: {policy_arn}")
return policy_arn
log.error(f"Full error:\n\t{err}")
def create_role(self, role_name: str, assume_role_doc: dict) -> str:
"""
Creates a new IAM role or retrieves the ARN of an existing role.
:param role_name: The name to give the created role.
:param assume_role_doc: The assume role policy document that specifies which
entities can assume the role.
:return: The ARN of the created or existing role.
"""
try:
response = self.iam_client.create_role(
RoleName=role_name, AssumeRolePolicyDocument=json.dumps(assume_role_doc)
)
role_arn = response["Role"]["Arn"]
log.info(f"Role '{role_name}' created successfully. ARN: {role_arn}")
return role_arn
except ClientError as err:
if err.response["Error"]["Code"] == "EntityAlreadyExists":
# If the role already exists, get its ARN
response = self.iam_client.get_role(RoleName=role_name)
role_arn = response["Role"]["Arn"]
log.info(f"Role '{role_name}' already exists. ARN: {role_arn}")
return role_arn
log.error(f"Full error:\n\t{err}")
def attach_policy(
self,
role_name: str,
policy_arn: str,
aws_managed_policies: Tuple[str, ...] = (),
) -> None:
"""
Attaches an IAM policy to a role and optionally attaches additional AWS-managed policies.
:param role_name: The name of the role to attach the policy to.
:param policy_arn: The ARN of the policy to attach.
:param aws_managed_policies: A tuple of AWS-managed policy names to attach to the role.
"""
try:
self.iam_client.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
for aws_policy in aws_managed_policies:
self.iam_client.attach_role_policy(
RoleName=role_name,
PolicyArn=f"arn:aws:iam::aws:policy/{aws_policy}",
)
log.info(f"Attached policy {policy_arn} to role {role_name}.")
except ClientError as err:
log.error(f"Failed to attach policy {policy_arn} to role {role_name}.")
log.error(f"Full error:\n\t{err}")
def create_instance_profile(
self,
policy_file: str,
policy_name: str,
role_name: str,
profile_name: str,
aws_managed_policies: Tuple[str, ...] = (),
) -> str:
"""
Creates a policy, role, and profile that is associated with instances created by
this class. An instance's associated profile defines a role that is assumed by the
instance. The role has attached policies that specify the AWS permissions granted to
clients that run on the instance.
:param policy_file: The name of a JSON file that contains the policy definition to
create and attach to the role.
:param policy_name: The name to give the created policy.
:param role_name: The name to give the created role.
:param profile_name: The name to the created profile.
:param aws_managed_policies: Additional AWS-managed policies that are attached to
the role, such as AmazonSSMManagedInstanceCore to grant
use of Systems Manager to send commands to the instance.
:return: The ARN of the profile that is created.
"""
assume_role_doc = {
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"Service": "ec2.amazonaws.com"},
"Action": "sts:AssumeRole",
}
],
}
policy_arn = self.create_policy(policy_file, policy_name)
self.create_role(role_name, assume_role_doc)
self.attach_policy(role_name, policy_arn, aws_managed_policies)
try:
profile_response = self.iam_client.create_instance_profile(
InstanceProfileName=profile_name
)
waiter = self.iam_client.get_waiter("instance_profile_exists")
waiter.wait(InstanceProfileName=profile_name)
time.sleep(10) # wait a little longer
profile_arn = profile_response["InstanceProfile"]["Arn"]
self.iam_client.add_role_to_instance_profile(
InstanceProfileName=profile_name, RoleName=role_name
)
log.info("Created profile %s and added role %s.", profile_name, role_name)
except ClientError as err:
if err.response["Error"]["Code"] == "EntityAlreadyExists":
prof_response = self.iam_client.get_instance_profile(
InstanceProfileName=profile_name
)
profile_arn = prof_response["InstanceProfile"]["Arn"]
log.info(
"Instance profile %s already exists, nothing to do.", profile_name
)
log.error(f"Full error:\n\t{err}")
return profile_arn
def get_instance_profile(self, instance_id: str) -> Dict[str, Any]:
"""
Gets data about the profile associated with an instance.
:param instance_id: The ID of the instance to look up.
:return: The profile data.
"""
try:
response = self.ec2_client.describe_iam_instance_profile_associations(
Filters=[{"Name": "instance-id", "Values": [instance_id]}]
)
if not response["IamInstanceProfileAssociations"]:
log.info(f"No instance profile found for instance {instance_id}.")
profile_data = response["IamInstanceProfileAssociations"][0]
log.info(f"Retrieved instance profile for instance {instance_id}.")
return profile_data
except ClientError as err:
log.error(
f"Failed to retrieve instance profile for instance {instance_id}."
)
error_code = err.response["Error"]["Code"]
if error_code == "InvalidInstanceID.NotFound":
log.error(f"The instance ID '{instance_id}' does not exist.")
log.error(f"Full error:\n\t{err}")
def replace_instance_profile(
self,
instance_id: str,
new_instance_profile_name: str,
profile_association_id: str,
) -> None:
"""
Replaces the profile associated with a running instance. After the profile is
replaced, the instance is rebooted to ensure that it uses the new profile. When
the instance is ready, Systems Manager is used to restart the Python web server.
:param instance_id: The ID of the instance to restart.
:param new_instance_profile_name: The name of the new profile to associate with
the specified instance.
:param profile_association_id: The ID of the existing profile association for the
instance.
"""
try:
self.ec2_client.replace_iam_instance_profile_association(
IamInstanceProfile={"Name": new_instance_profile_name},
AssociationId=profile_association_id,
)
log.info(
"Replaced instance profile for association %s with profile %s.",
profile_association_id,
new_instance_profile_name,
)
time.sleep(5)
self.ec2_client.reboot_instances(InstanceIds=[instance_id])
log.info("Rebooting instance %s.", instance_id)
waiter = self.ec2_client.get_waiter("instance_running")
log.info("Waiting for instance %s to be running.", instance_id)
waiter.wait(InstanceIds=[instance_id])
log.info("Instance %s is now running.", instance_id)
self.ssm_client.send_command(
InstanceIds=[instance_id],
DocumentName="AWS-RunShellScript",
Parameters={"commands": ["cd / && sudo python3 server.py 80"]},
)
log.info(f"Restarted the Python web server on instance '{instance_id}'.")
except ClientError as err:
log.error("Failed to replace instance profile.")
error_code = err.response["Error"]["Code"]
if error_code == "InvalidAssociationID.NotFound":
log.error(
f"Association ID '{profile_association_id}' does not exist."
"Please check the association ID and try again."
)
if error_code == "InvalidInstanceId":
log.error(
f"The specified instance ID '{instance_id}' does not exist or is not available for SSM. "
f"Please verify the instance ID and try again."
)
log.error(f"Full error:\n\t{err}")
def delete_instance_profile(self, profile_name: str, role_name: str) -> None:
"""
Detaches a role from an instance profile, detaches policies from the role,
and deletes all the resources.
:param profile_name: The name of the profile to delete.
:param role_name: The name of the role to delete.
"""
try:
self.iam_client.remove_role_from_instance_profile(
InstanceProfileName=profile_name, RoleName=role_name
)
self.iam_client.delete_instance_profile(InstanceProfileName=profile_name)
log.info("Deleted instance profile %s.", profile_name)
attached_policies = self.iam_client.list_attached_role_policies(
RoleName=role_name
)
for pol in attached_policies["AttachedPolicies"]:
self.iam_client.detach_role_policy(
RoleName=role_name, PolicyArn=pol["PolicyArn"]
)
if not pol["PolicyArn"].startswith("arn:aws:iam::aws"):
self.iam_client.delete_policy(PolicyArn=pol["PolicyArn"])
log.info("Detached and deleted policy %s.", pol["PolicyName"])
self.iam_client.delete_role(RoleName=role_name)
log.info("Deleted role %s.", role_name)
except ClientError as err:
log.error(
f"Couldn't delete instance profile {profile_name} or detach "
f"policies and delete role {role_name}: {err}"
)
if err.response["Error"]["Code"] == "NoSuchEntity":
log.info(
"Instance profile %s doesn't exist, nothing to do.", profile_name
)
def create_key_pair(self, key_pair_name: str) -> None:
"""
Creates a new key pair.
:param key_pair_name: The name of the key pair to create.
"""
try:
response = self.ec2_client.create_key_pair(KeyName=key_pair_name)
with open(f"{key_pair_name}.pem", "w") as file:
file.write(response["KeyMaterial"])
chmod(f"{key_pair_name}.pem", 0o600)
log.info("Created key pair %s.", key_pair_name)
except ClientError as err:
error_code = err.response["Error"]["Code"]
log.error(f"Failed to create key pair {key_pair_name}.")
if error_code == "InvalidKeyPair.Duplicate":
log.error(f"A key pair with the name '{key_pair_name}' already exists.")
log.error(f"Full error:\n\t{err}")
def delete_key_pair(self) -> None:
"""
Deletes a key pair.
"""
try:
self.ec2_client.delete_key_pair(KeyName=self.key_pair_name)
remove(f"{self.key_pair_name}.pem")
log.info("Deleted key pair %s.", self.key_pair_name)
except ClientError as err:
log.error(f"Couldn't delete key pair '{self.key_pair_name}'.")
log.error(f"Full error:\n\t{err}")
except FileNotFoundError as err:
log.info("Key pair %s doesn't exist, nothing to do.", self.key_pair_name)
log.error(f"Full error:\n\t{err}")
def create_template(
self, server_startup_script_file: str, instance_policy_file: str
) -> Dict[str, Any]:
"""
Creates an Amazon EC2 launch template to use with Amazon EC2 Auto Scaling. The
launch template specifies a Bash script in its user data field that runs after
the instance is started. This script installs Python packages and starts a
Python web server on the instance.
:param server_startup_script_file: The path to a Bash script file that is run
when an instance starts.
:param instance_policy_file: The path to a file that defines a permissions policy
to create and attach to the instance profile.
:return: Information about the newly created template.
"""
template = {}
try:
# Create key pair and instance profile
self.create_key_pair(self.key_pair_name)
self.create_instance_profile(
instance_policy_file,
self.instance_policy_name,
self.instance_role_name,
self.instance_profile_name,
)
# Read the startup script
with open(server_startup_script_file) as file:
start_server_script = file.read()
# Get the latest AMI ID
ami_latest = self.ssm_client.get_parameter(Name=self.ami_param)
ami_id = ami_latest["Parameter"]["Value"]
# Create the launch template
lt_response = self.ec2_client.create_launch_template(
LaunchTemplateName=self.launch_template_name,
LaunchTemplateData={
"InstanceType": self.inst_type,
"ImageId": ami_id,
"IamInstanceProfile": {"Name": self.instance_profile_name},
"UserData": base64.b64encode(
start_server_script.encode(encoding="utf-8")
).decode(encoding="utf-8"),
"KeyName": self.key_pair_name,
},
)
template = lt_response["LaunchTemplate"]
log.info(
f"Created launch template {self.launch_template_name} for AMI {ami_id} on {self.inst_type}."
)
except ClientError as err:
log.error(f"Failed to create launch template {self.launch_template_name}.")
error_code = err.response["Error"]["Code"]
if error_code == "InvalidLaunchTemplateName.AlreadyExistsException":
log.info(
f"Launch template {self.launch_template_name} already exists, nothing to do."
)
log.error(f"Full error:\n\t{err}")
return template
def delete_template(self):
"""
Deletes a launch template.
"""
try:
self.ec2_client.delete_launch_template(
LaunchTemplateName=self.launch_template_name
)
self.delete_instance_profile(
self.instance_profile_name, self.instance_role_name
)
log.info("Launch template %s deleted.", self.launch_template_name)
except ClientError as err:
if (
err.response["Error"]["Code"]
== "InvalidLaunchTemplateName.NotFoundException"
):
log.info(
"Launch template %s does not exist, nothing to do.",
self.launch_template_name,
)
log.error(f"Full error:\n\t{err}")
def get_availability_zones(self) -> List[str]:
"""
Gets a list of Availability Zones in the AWS Region of the Amazon EC2 client.
:return: The list of Availability Zones for the client Region.
"""
try:
response = self.ec2_client.describe_availability_zones()
zones = [zone["ZoneName"] for zone in response["AvailabilityZones"]]
log.info(f"Retrieved {len(zones)} availability zones: {zones}.")
except ClientError as err:
log.error("Failed to retrieve availability zones.")
log.error(f"Full error:\n\t{err}")
else:
return zones
def create_autoscaling_group(self, group_size: int) -> List[str]:
"""
Creates an EC2 Auto Scaling group with the specified size.
:param group_size: The number of instances to set for the minimum and maximum in
the group.
:return: The list of Availability Zones specified for the group.
"""
try:
zones = self.get_availability_zones()
self.autoscaling_client.create_auto_scaling_group(
AutoScalingGroupName=self.group_name,
AvailabilityZones=zones,
LaunchTemplate={
"LaunchTemplateName": self.launch_template_name,
"Version": "$Default",
},
MinSize=group_size,
MaxSize=group_size,
)
log.info(
f"Created EC2 Auto Scaling group {self.group_name} with availability zones {zones}."
)
except ClientError as err:
error_code = err.response["Error"]["Code"]
if error_code == "AlreadyExists":
log.info(
f"EC2 Auto Scaling group {self.group_name} already exists, nothing to do."
)
else:
log.error(f"Failed to create EC2 Auto Scaling group {self.group_name}.")
log.error(f"Full error:\n\t{err}")
else:
return zones
def get_instances(self) -> List[str]:
"""
Gets data about the instances in the EC2 Auto Scaling group.
:return: A list of instance IDs in the Auto Scaling group.
"""
try:
as_response = self.autoscaling_client.describe_auto_scaling_groups(
AutoScalingGroupNames=[self.group_name]
)
instance_ids = [
i["InstanceId"]
for i in as_response["AutoScalingGroups"][0]["Instances"]
]
log.info(
f"Retrieved {len(instance_ids)} instances for Auto Scaling group {self.group_name}."
)
except ClientError as err:
error_code = err.response["Error"]["Code"]
log.error(
f"Failed to retrieve instances for Auto Scaling group {self.group_name}."
)
if error_code == "ResourceNotFound":
log.error(f"The Auto Scaling group '{self.group_name}' does not exist.")
log.error(f"Full error:\n\t{err}")
else:
return instance_ids
def terminate_instance(self, instance_id: str, decrementsetting=False) -> None:
"""
Terminates an instance in an EC2 Auto Scaling group. After an instance is
terminated, it can no longer be accessed.
:param instance_id: The ID of the instance to terminate.
:param decrementsetting: If True, do not replace terminated instances.
"""
try:
self.autoscaling_client.terminate_instance_in_auto_scaling_group(
InstanceId=instance_id,
ShouldDecrementDesiredCapacity=decrementsetting,
)
log.info("Terminated instance %s.", instance_id)
# Adding a waiter to ensure the instance is terminated
waiter = self.ec2_client.get_waiter("instance_terminated")
log.info("Waiting for instance %s to be terminated...", instance_id)
waiter.wait(InstanceIds=[instance_id])
log.info(
f"Instance '{instance_id}' has been terminated and will be replaced."
)
except ClientError as err:
error_code = err.response["Error"]["Code"]
log.error(f"Failed to terminate instance '{instance_id}'.")
if error_code == "ScalingActivityInProgressFault":
log.error(
"Scaling activity is currently in progress. "
"Wait for the scaling activity to complete before attempting to terminate the instance again."
)
elif error_code == "ResourceContentionFault":
log.error(
"The request failed due to a resource contention issue. "
"Ensure that no conflicting operations are being performed on the resource."
)
log.error(f"Full error:\n\t{err}")
def attach_load_balancer_target_group(
self, lb_target_group: Dict[str, Any]
) -> None:
"""
Attaches an Elastic Load Balancing (ELB) target group to this EC2 Auto Scaling group.
The target group specifies how the load balancer forwards requests to the instances
in the group.
:param lb_target_group: Data about the ELB target group to attach.
"""
try:
self.autoscaling_client.attach_load_balancer_target_groups(
AutoScalingGroupName=self.group_name,
TargetGroupARNs=[lb_target_group["TargetGroupArn"]],
)
log.info(
"Attached load balancer target group %s to auto scaling group %s.",
lb_target_group["TargetGroupName"],
self.group_name,
)
except ClientError as err:
error_code = err.response["Error"]["Code"]
log.error(
f"Failed to attach load balancer target group '{lb_target_group['TargetGroupName']}'."
)
if error_code == "ResourceContentionFault":
log.error(
"The request failed due to a resource contention issue. "
"Ensure that no conflicting operations are being performed on the resource."
)
elif error_code == "ServiceLinkedRoleFailure":
log.error(
"The operation failed because the service-linked role is not ready or does not exist. "
"Check that the service-linked role exists and is correctly configured."
)
log.error(f"Full error:\n\t{err}")
def delete_autoscaling_group(self, group_name: str) -> None:
"""
Terminates all instances in the group, then deletes the EC2 Auto Scaling group.
:param group_name: The name of the group to delete.
"""
try:
response = self.autoscaling_client.describe_auto_scaling_groups(
AutoScalingGroupNames=[group_name]
)
groups = response.get("AutoScalingGroups", [])
if len(groups) > 0:
self.autoscaling_client.update_auto_scaling_group(
AutoScalingGroupName=group_name, MinSize=0
)
instance_ids = [inst["InstanceId"] for inst in groups[0]["Instances"]]
for inst_id in instance_ids:
self.terminate_instance(inst_id)
# Wait for all instances to be terminated
if instance_ids:
waiter = self.ec2_client.get_waiter("instance_terminated")
log.info("Waiting for all instances to be terminated...")
waiter.wait(InstanceIds=instance_ids)
log.info("All instances have been terminated.")
else:
log.info(f"No groups found named '{group_name}'! Nothing to do.")
except ClientError as err:
error_code = err.response["Error"]["Code"]
log.error(f"Failed to delete Auto Scaling group '{group_name}'.")
if error_code == "ScalingActivityInProgressFault":
log.error(
"Scaling activity is currently in progress. "
"Wait for the scaling activity to complete before attempting to delete the group again."
)
elif error_code == "ResourceContentionFault":
log.error(
"The request failed due to a resource contention issue. "
"Ensure that no conflicting operations are being performed on the group."
)
log.error(f"Full error:\n\t{err}")
def get_default_vpc(self) -> Dict[str, Any]:
"""
Gets the default VPC for the account.
:return: Data about the default VPC.
"""
try:
response = self.ec2_client.describe_vpcs(
Filters=[{"Name": "is-default", "Values": ["true"]}]
)
except ClientError as err:
error_code = err.response["Error"]["Code"]
log.error("Failed to retrieve the default VPC.")
if error_code == "UnauthorizedOperation":
log.error(
"You do not have the necessary permissions to describe VPCs. "
"Ensure that your AWS IAM user or role has the correct permissions."
)
elif error_code == "InvalidParameterValue":
log.error(
"One or more parameters are invalid. Check the request parameters."
)
log.error(f"Full error:\n\t{err}")
else:
if "Vpcs" in response and response["Vpcs"]:
log.info(f"Retrieved default VPC: {response['Vpcs'][0]['VpcId']}")
return response["Vpcs"][0]
else:
pass
def verify_inbound_port(
self, vpc: Dict[str, Any], port: int, ip_address: str
) -> Tuple[Dict[str, Any], bool]:
"""
Verify the default security group of the specified VPC allows ingress from this
computer. This can be done by allowing ingress from this computer's IP
address. In some situations, such as connecting from a corporate network, you
must instead specify a prefix list ID. You can also temporarily open the port to
any IP address while running this example. If you do, be sure to remove public
access when you're done.
:param vpc: The VPC used by this example.
:param port: The port to verify.
:param ip_address: This computer's IP address.
:return: The default security group of the specified VPC, and a value that indicates
whether the specified port is open.
"""
try:
response = self.ec2_client.describe_security_groups(
Filters=[
{"Name": "group-name", "Values": ["default"]},
{"Name": "vpc-id", "Values": [vpc["VpcId"]]},
]
)
sec_group = response["SecurityGroups"][0]
port_is_open = False
log.info(f"Found default security group {sec_group['GroupId']}.")
for ip_perm in sec_group["IpPermissions"]:
if ip_perm.get("FromPort", 0) == port:
log.info(f"Found inbound rule: {ip_perm}")
for ip_range in ip_perm["IpRanges"]:
cidr = ip_range.get("CidrIp", "")
if cidr.startswith(ip_address) or cidr == "0.0.0.0/0":
port_is_open = True
if ip_perm["PrefixListIds"]:
port_is_open = True
if not port_is_open:
log.info(
f"The inbound rule does not appear to be open to either this computer's IP "
f"address of {ip_address}, to all IP addresses (0.0.0.0/0), or to a prefix list ID."
)
else:
break
except ClientError as err:
error_code = err.response["Error"]["Code"]
log.error(
f"Failed to verify inbound rule for port {port} for VPC {vpc['VpcId']}."
)
if error_code == "InvalidVpcID.NotFound":
log.error(
f"The specified VPC ID '{vpc['VpcId']}' does not exist. Please check the VPC ID."
)
log.error(f"Full error:\n\t{err}")
else:
return sec_group, port_is_open
def open_inbound_port(self, sec_group_id: str, port: int, ip_address: str) -> None:
"""
Add an ingress rule to the specified security group that allows access on the
specified port from the specified IP address.
:param sec_group_id: The ID of the security group to modify.
:param port: The port to open.
:param ip_address: The IP address that is granted access.
"""
try:
self.ec2_client.authorize_security_group_ingress(
GroupId=sec_group_id,
CidrIp=f"{ip_address}/32",
FromPort=port,
ToPort=port,
IpProtocol="tcp",
)
log.info(
"Authorized ingress to %s on port %s from %s.",
sec_group_id,
port,
ip_address,
)
except ClientError as err:
error_code = err.response["Error"]["Code"]
log.error(
f"Failed to authorize ingress to security group '{sec_group_id}' on port {port} from {ip_address}."
)
if error_code == "InvalidGroupId.Malformed":
log.error(
"The security group ID is malformed. "
"Please verify that the security group ID is correct."
)
elif error_code == "InvalidPermission.Duplicate":
log.error(
"The specified rule already exists in the security group. "
"Check the existing rules for this security group."
)
log.error(f"Full error:\n\t{err}")
def get_subnets(self, vpc_id: str, zones: List[str] = None) -> List[Dict[str, Any]]:
"""
Gets the default subnets in a VPC for a specified list of Availability Zones.
:param vpc_id: The ID of the VPC to look up.
:param zones: The list of Availability Zones to look up.
:return: The list of subnets found.
"""
# Ensure that 'zones' is a list, even if None is passed
if zones is None:
zones = []
try:
paginator = self.ec2_client.get_paginator("describe_subnets")
page_iterator = paginator.paginate(
Filters=[
{"Name": "vpc-id", "Values": [vpc_id]},
{"Name": "availability-zone", "Values": zones},
{"Name": "default-for-az", "Values": ["true"]},
]
)
subnets = []
for page in page_iterator:
subnets.extend(page["Subnets"])
log.info("Found %s subnets for the specified zones.", len(subnets))
return subnets
except ClientError as err:
log.error(
f"Failed to retrieve subnets for VPC '{vpc_id}' in zones {zones}."
)
error_code = err.response["Error"]["Code"]
if error_code == "InvalidVpcID.NotFound":
log.error(
"The specified VPC ID does not exist. "
"Please check the VPC ID and try again."
)
# Add more error-specific handling as needed
log.error(f"Full error:\n\t{err}")
```
Crie uma classe que envolva ações do Elastic Load Balancing.
```
class ElasticLoadBalancerWrapper:
"""Encapsulates Elastic Load Balancing (ELB) actions."""
def __init__(self, elb_client: boto3.client):
"""
Initializes the LoadBalancer class with the necessary parameters.
"""
self.elb_client = elb_client
def create_target_group(
self, target_group_name: str, protocol: str, port: int, vpc_id: str
) -> Dict[str, Any]:
"""
Creates an Elastic Load Balancing target group. The target group specifies how
the load balancer forwards requests to instances in the group and how instance
health is checked.
To speed up this demo, the health check is configured with shortened times and
lower thresholds. In production, you might want to decrease the sensitivity of
your health checks to avoid unwanted failures.
:param target_group_name: The name of the target group to create.
:param protocol: The protocol to use to forward requests, such as 'HTTP'.
:param port: The port to use to forward requests, such as 80.
:param vpc_id: The ID of the VPC in which the load balancer exists.
:return: Data about the newly created target group.
"""
try:
response = self.elb_client.create_target_group(
Name=target_group_name,
Protocol=protocol,
Port=port,
HealthCheckPath="/healthcheck",
HealthCheckIntervalSeconds=10,
HealthCheckTimeoutSeconds=5,
HealthyThresholdCount=2,
UnhealthyThresholdCount=2,
VpcId=vpc_id,
)
target_group = response["TargetGroups"][0]
log.info(f"Created load balancing target group '{target_group_name}'.")
return target_group
except ClientError as err:
log.error(
f"Couldn't create load balancing target group '{target_group_name}'."
)
error_code = err.response["Error"]["Code"]
if error_code == "DuplicateTargetGroupName":
log.error(
f"Target group name {target_group_name} already exists. "
"Check if the target group already exists."
"Consider using a different name or deleting the existing target group if appropriate."
)
elif error_code == "TooManyTargetGroups":
log.error(
"Too many target groups exist in the account. "
"Consider deleting unused target groups to create space for new ones."
)
log.error(f"Full error:\n\t{err}")
def delete_target_group(self, target_group_name) -> None:
"""
Deletes the target group.
"""
try:
# Describe the target group to get its ARN
response = self.elb_client.describe_target_groups(Names=[target_group_name])
tg_arn = response["TargetGroups"][0]["TargetGroupArn"]
# Delete the target group
self.elb_client.delete_target_group(TargetGroupArn=tg_arn)
log.info("Deleted load balancing target group %s.", target_group_name)
# Use a custom waiter to wait until the target group is no longer available
self.wait_for_target_group_deletion(self.elb_client, tg_arn)
log.info("Target group %s successfully deleted.", target_group_name)
except ClientError as err:
error_code = err.response["Error"]["Code"]
log.error(f"Failed to delete target group '{target_group_name}'.")
if error_code == "TargetGroupNotFound":
log.error(
"Load balancer target group either already deleted or never existed. "
"Verify the name and check that the resource exists in the AWS Console."
)
elif error_code == "ResourceInUseException":
log.error(
"Target group still in use by another resource. "
"Ensure that the target group is no longer associated with any load balancers or resources.",
)
log.error(f"Full error:\n\t{err}")
def wait_for_target_group_deletion(
self, elb_client, target_group_arn, max_attempts=10, delay=30
):
for attempt in range(max_attempts):
try:
elb_client.describe_target_groups(TargetGroupArns=[target_group_arn])
print(
f"Attempt {attempt + 1}: Target group {target_group_arn} still exists."
)
except ClientError as e:
if e.response["Error"]["Code"] == "TargetGroupNotFound":
print(
f"Target group {target_group_arn} has been successfully deleted."
)
return
else:
raise
time.sleep(delay)
raise TimeoutError(
f"Target group {target_group_arn} was not deleted after {max_attempts * delay} seconds."
)
def create_load_balancer(
self,
load_balancer_name: str,
subnet_ids: List[str],
) -> Dict[str, Any]:
"""
Creates an Elastic Load Balancing load balancer that uses the specified subnets
and forwards requests to the specified target group.
:param load_balancer_name: The name of the load balancer to create.
:param subnet_ids: A list of subnets to associate with the load balancer.
:return: Data about the newly created load balancer.
"""
try:
response = self.elb_client.create_load_balancer(
Name=load_balancer_name, Subnets=subnet_ids
)
load_balancer = response["LoadBalancers"][0]
log.info(f"Created load balancer '{load_balancer_name}'.")
waiter = self.elb_client.get_waiter("load_balancer_available")
log.info(
f"Waiting for load balancer '{load_balancer_name}' to be available..."
)
waiter.wait(Names=[load_balancer_name])
log.info(f"Load balancer '{load_balancer_name}' is now available!")
except ClientError as err:
error_code = err.response["Error"]["Code"]
log.error(
f"Failed to create load balancer '{load_balancer_name}'. Error code: {error_code}, Message: {err.response['Error']['Message']}"
)
if error_code == "DuplicateLoadBalancerNameException":
log.error(
f"A load balancer with the name '{load_balancer_name}' already exists. "
"Load balancer names must be unique within the AWS region. "
"Please choose a different name and try again."
)
if error_code == "TooManyLoadBalancersException":
log.error(
"The maximum number of load balancers has been reached in this account and region. "
"You can delete unused load balancers or request an increase in the service quota from AWS Support."
)
log.error(f"Full error:\n\t{err}")
else:
return load_balancer
def create_listener(
self,
load_balancer_name: str,
target_group: Dict[str, Any],
) -> Dict[str, Any]:
"""
Creates a listener for the specified load balancer that forwards requests to the
specified target group.
:param load_balancer_name: The name of the load balancer to create a listener for.
:param target_group: An existing target group that is added as a listener to the
load balancer.
:return: Data about the newly created listener.
"""
try:
# Retrieve the load balancer ARN
load_balancer_response = self.elb_client.describe_load_balancers(
Names=[load_balancer_name]
)
load_balancer_arn = load_balancer_response["LoadBalancers"][0][
"LoadBalancerArn"
]
# Create the listener
response = self.elb_client.create_listener(
LoadBalancerArn=load_balancer_arn,
Protocol=target_group["Protocol"],
Port=target_group["Port"],
DefaultActions=[
{
"Type": "forward",
"TargetGroupArn": target_group["TargetGroupArn"],
}
],
)
log.info(
f"Created listener to forward traffic from load balancer '{load_balancer_name}' to target group '{target_group['TargetGroupName']}'."
)
return response["Listeners"][0]
except ClientError as err:
error_code = err.response["Error"]["Code"]
log.error(
f"Failed to add a listener on '{load_balancer_name}' for target group '{target_group['TargetGroupName']}'."
)
if error_code == "ListenerNotFoundException":
log.error(
f"The listener could not be found for the load balancer '{load_balancer_name}'. "
"Please check the load balancer name and target group configuration."
)
if error_code == "InvalidConfigurationRequestException":
log.error(
f"The configuration provided for the listener on load balancer '{load_balancer_name}' is invalid. "
"Please review the provided protocol, port, and target group settings."
)
log.error(f"Full error:\n\t{err}")
def delete_load_balancer(self, load_balancer_name) -> None:
"""
Deletes a load balancer.
:param load_balancer_name: The name of the load balancer to delete.
"""
try:
response = self.elb_client.describe_load_balancers(
Names=[load_balancer_name]
)
lb_arn = response["LoadBalancers"][0]["LoadBalancerArn"]
self.elb_client.delete_load_balancer(LoadBalancerArn=lb_arn)
log.info("Deleted load balancer %s.", load_balancer_name)
waiter = self.elb_client.get_waiter("load_balancers_deleted")
log.info("Waiting for load balancer to be deleted...")
waiter.wait(Names=[load_balancer_name])
except ClientError as err:
error_code = err.response["Error"]["Code"]
log.error(
f"Couldn't delete load balancer '{load_balancer_name}'. Error code: {error_code}, Message: {err.response['Error']['Message']}"
)
if error_code == "LoadBalancerNotFoundException":
log.error(
f"The load balancer '{load_balancer_name}' does not exist. "
"Please check the name and try again."
)
log.error(f"Full error:\n\t{err}")
def get_endpoint(self, load_balancer_name) -> str:
"""
Gets the HTTP endpoint of the load balancer.
:return: The endpoint.
"""
try:
response = self.elb_client.describe_load_balancers(
Names=[load_balancer_name]
)
return response["LoadBalancers"][0]["DNSName"]
except ClientError as err:
log.error(
f"Couldn't get the endpoint for load balancer {load_balancer_name}"
)
error_code = err.response["Error"]["Code"]
if error_code == "LoadBalancerNotFoundException":
log.error(
"Verify load balancer name and ensure it exists in the AWS console."
)
log.error(f"Full error:\n\t{err}")
@staticmethod
def verify_load_balancer_endpoint(endpoint) -> bool:
"""
Verify this computer can successfully send a GET request to the load balancer endpoint.
:param endpoint: The endpoint to verify.
:return: True if the GET request is successful, False otherwise.
"""
retries = 3
verified = False
while not verified and retries > 0:
try:
lb_response = requests.get(f"http://{endpoint}")
log.info(
"Got response %s from load balancer endpoint.",
lb_response.status_code,
)
if lb_response.status_code == 200:
verified = True
else:
retries = 0
except requests.exceptions.ConnectionError:
log.info(
"Got connection error from load balancer endpoint, retrying..."
)
retries -= 1
time.sleep(10)
return verified
def check_target_health(self, target_group_name: str) -> List[Dict[str, Any]]:
"""
Checks the health of the instances in the target group.
:return: The health status of the target group.
"""
try:
tg_response = self.elb_client.describe_target_groups(
Names=[target_group_name]
)
health_response = self.elb_client.describe_target_health(
TargetGroupArn=tg_response["TargetGroups"][0]["TargetGroupArn"]
)
except ClientError as err:
log.error(f"Couldn't check health of {target_group_name} target(s).")
error_code = err.response["Error"]["Code"]
if error_code == "LoadBalancerNotFoundException":
log.error(
"Load balancer associated with the target group was not found. "
"Ensure the load balancer exists, is in the correct AWS region, and "
"that you have the necessary permissions to access it.",
)
elif error_code == "TargetGroupNotFoundException":
log.error(
"Target group was not found. "
"Verify the target group name, check that it exists in the correct region, "
"and ensure it has not been deleted or created in a different account.",
)
log.error(f"Full error:\n\t{err}")
else:
return health_response["TargetHealthDescriptions"]
```
Crie uma classe que use o DynamoDB para simular um serviço de recomendação.
```
class RecommendationService:
"""
Encapsulates a DynamoDB table to use as a service that recommends books, movies,
and songs.
"""
def __init__(self, table_name: str, dynamodb_client: boto3.client):
"""
Initializes the RecommendationService class with the necessary parameters.
:param table_name: The name of the DynamoDB recommendations table.
:param dynamodb_client: A Boto3 DynamoDB client.
"""
self.table_name = table_name
self.dynamodb_client = dynamodb_client
def create(self) -> Dict[str, Any]:
"""
Creates a DynamoDB table to use as a recommendation service. The table has a
hash key named 'MediaType' that defines the type of media recommended, such as
Book or Movie, and a range key named 'ItemId' that, combined with the MediaType,
forms a unique identifier for the recommended item.
:return: Data about the newly created table.
:raises RecommendationServiceError: If the table creation fails.
"""
try:
response = self.dynamodb_client.create_table(
TableName=self.table_name,
AttributeDefinitions=[
{"AttributeName": "MediaType", "AttributeType": "S"},
{"AttributeName": "ItemId", "AttributeType": "N"},
],
KeySchema=[
{"AttributeName": "MediaType", "KeyType": "HASH"},
{"AttributeName": "ItemId", "KeyType": "RANGE"},
],
ProvisionedThroughput={"ReadCapacityUnits": 5, "WriteCapacityUnits": 5},
)
log.info("Creating table %s...", self.table_name)
waiter = self.dynamodb_client.get_waiter("table_exists")
waiter.wait(TableName=self.table_name)
log.info("Table %s created.", self.table_name)
except ClientError as err:
if err.response["Error"]["Code"] == "ResourceInUseException":
log.info("Table %s exists, nothing to be done.", self.table_name)
else:
raise RecommendationServiceError(
self.table_name, f"ClientError when creating table: {err}."
)
else:
return response
def populate(self, data_file: str) -> None:
"""
Populates the recommendations table from a JSON file.
:param data_file: The path to the data file.
:raises RecommendationServiceError: If the table population fails.
"""
try:
with open(data_file) as data:
items = json.load(data)
batch = [{"PutRequest": {"Item": item}} for item in items]
self.dynamodb_client.batch_write_item(RequestItems={self.table_name: batch})
log.info(
"Populated table %s with items from %s.", self.table_name, data_file
)
except ClientError as err:
raise RecommendationServiceError(
self.table_name, f"Couldn't populate table from {data_file}: {err}"
)
def destroy(self) -> None:
"""
Deletes the recommendations table.
:raises RecommendationServiceError: If the table deletion fails.
"""
try:
self.dynamodb_client.delete_table(TableName=self.table_name)
log.info("Deleting table %s...", self.table_name)
waiter = self.dynamodb_client.get_waiter("table_not_exists")
waiter.wait(TableName=self.table_name)
log.info("Table %s deleted.", self.table_name)
except ClientError as err:
if err.response["Error"]["Code"] == "ResourceNotFoundException":
log.info("Table %s does not exist, nothing to do.", self.table_name)
else:
raise RecommendationServiceError(
self.table_name, f"ClientError when deleting table: {err}."
)
```
Crie uma classe que envolva as ações do Systems Manager.
```
class ParameterHelper:
"""
Encapsulates Systems Manager parameters. This example uses these parameters to drive
the demonstration of resilient architecture, such as failure of a dependency or
how the service responds to a health check.
"""
table: str = "doc-example-resilient-architecture-table"
failure_response: str = "doc-example-resilient-architecture-failure-response"
health_check: str = "doc-example-resilient-architecture-health-check"
def __init__(self, table_name: str, ssm_client: boto3.client):
"""
Initializes the ParameterHelper class with the necessary parameters.
:param table_name: The name of the DynamoDB table that is used as a recommendation
service.
:param ssm_client: A Boto3 Systems Manager client.
"""
self.ssm_client = ssm_client
self.table_name = table_name
def reset(self) -> None:
"""
Resets the Systems Manager parameters to starting values for the demo.
These are the name of the DynamoDB recommendation table, no response when a
dependency fails, and shallow health checks.
"""
self.put(self.table, self.table_name)
self.put(self.failure_response, "none")
self.put(self.health_check, "shallow")
def put(self, name: str, value: str) -> None:
"""
Sets the value of a named Systems Manager parameter.
:param name: The name of the parameter.
:param value: The new value of the parameter.
:raises ParameterHelperError: If the parameter value cannot be set.
"""
try:
self.ssm_client.put_parameter(
Name=name, Value=value, Overwrite=True, Type="String"
)
log.info("Setting parameter %s to '%s'.", name, value)
except ClientError as err:
error_code = err.response["Error"]["Code"]
log.error(f"Failed to set parameter {name}.")
if error_code == "ParameterLimitExceeded":
log.error(
"The parameter limit has been exceeded. "
"Consider deleting unused parameters or request a limit increase."
)
elif error_code == "ParameterAlreadyExists":
log.error(
"The parameter already exists and overwrite is set to False. "
"Use Overwrite=True to update the parameter."
)
log.error(f"Full error:\n\t{err}")
```
+ Para obter detalhes da API, consulte os tópicos a seguir na *Referência da API AWS SDK para Python (Boto3)*.
+ [AttachLoadBalancerTargetGroups](https://docs.aws.amazon.com/goto/boto3/autoscaling-2011-01-01/AttachLoadBalancerTargetGroups)
+ [CreateAutoScalingGroup](https://docs.aws.amazon.com/goto/boto3/autoscaling-2011-01-01/CreateAutoScalingGroup)
+ [CreateInstanceProfile](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateInstanceProfile)
+ [CreateLaunchTemplate](https://docs.aws.amazon.com/goto/boto3/ec2-2016-11-15/CreateLaunchTemplate)
+ [CreateListener](https://docs.aws.amazon.com/goto/boto3/elasticloadbalancingv2-2015-12-01/CreateListener)
+ [CreateLoadBalancer](https://docs.aws.amazon.com/goto/boto3/elasticloadbalancingv2-2015-12-01/CreateLoadBalancer)
+ [CreateTargetGroup](https://docs.aws.amazon.com/goto/boto3/elasticloadbalancingv2-2015-12-01/CreateTargetGroup)
+ [DeleteAutoScalingGroup](https://docs.aws.amazon.com/goto/boto3/autoscaling-2011-01-01/DeleteAutoScalingGroup)
+ [DeleteInstanceProfile](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteInstanceProfile)
+ [DeleteLaunchTemplate](https://docs.aws.amazon.com/goto/boto3/ec2-2016-11-15/DeleteLaunchTemplate)
+ [DeleteLoadBalancer](https://docs.aws.amazon.com/goto/boto3/elasticloadbalancingv2-2015-12-01/DeleteLoadBalancer)
+ [DeleteTargetGroup](https://docs.aws.amazon.com/goto/boto3/elasticloadbalancingv2-2015-12-01/DeleteTargetGroup)
+ [DescribeAutoScalingGroups](https://docs.aws.amazon.com/goto/boto3/autoscaling-2011-01-01/DescribeAutoScalingGroups)
+ [DescribeAvailabilityZones](https://docs.aws.amazon.com/goto/boto3/ec2-2016-11-15/DescribeAvailabilityZones)
+ [DescribeIamInstanceProfileAssociations](https://docs.aws.amazon.com/goto/boto3/ec2-2016-11-15/DescribeIamInstanceProfileAssociations)
+ [DescribeInstances](https://docs.aws.amazon.com/goto/boto3/ec2-2016-11-15/DescribeInstances)
+ [DescribeLoadBalancers](https://docs.aws.amazon.com/goto/boto3/elasticloadbalancingv2-2015-12-01/DescribeLoadBalancers)
+ [DescribeSubnets](https://docs.aws.amazon.com/goto/boto3/ec2-2016-11-15/DescribeSubnets)
+ [DescribeTargetGroups](https://docs.aws.amazon.com/goto/boto3/elasticloadbalancingv2-2015-12-01/DescribeTargetGroups)
+ [DescribeTargetHealth](https://docs.aws.amazon.com/goto/boto3/elasticloadbalancingv2-2015-12-01/DescribeTargetHealth)
+ [DescribeVpcs](https://docs.aws.amazon.com/goto/boto3/ec2-2016-11-15/DescribeVpcs)
+ [RebootInstances](https://docs.aws.amazon.com/goto/boto3/ec2-2016-11-15/RebootInstances)
+ [ReplaceIamInstanceProfileAssociation](https://docs.aws.amazon.com/goto/boto3/ec2-2016-11-15/ReplaceIamInstanceProfileAssociation)
+ [TerminateInstanceInAutoScalingGroup](https://docs.aws.amazon.com/goto/boto3/autoscaling-2011-01-01/TerminateInstanceInAutoScalingGroup)
+ [UpdateAutoScalingGroup](https://docs.aws.amazon.com/goto/boto3/autoscaling-2011-01-01/UpdateAutoScalingGroup)
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Criar usuários do IAM somente leitura e leitura/gravação usando um AWS SDK
Os exemplos de código a seguir mostram como criar usuários e anexar políticas a eles.
**Atenção**
Para evitar riscos de segurança, não use usuários do IAM para autenticação ao desenvolver software com propósito específico ou trabalhar com dados reais. Em vez disso, use federação com um provedor de identidade, como [Centro de Identidade do AWS IAM](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html).
+ Criar dois usuários do IAM.
+ Anexe uma política para um usuário obter e colocar objetos em um bucket do Amazon S3.
+ Anexar uma política para o segundo usuário para obter objetos do bucket.
+ Obter outras permissões para o bucket com base nas credenciais do usuário.
------
#### [ Python ]
**SDK para Python (Boto3).**
Há mais no GitHub. Encontre o exemplo completo e saiba como configurar e executar no [AWSCode Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples).
Crie a funções que envolvam ações do usuário do IAM.
```
import logging
import time
import boto3
from botocore.exceptions import ClientError
import access_key_wrapper
import policy_wrapper
logger = logging.getLogger(__name__)
iam = boto3.resource("iam")
def create_user(user_name):
"""
Creates a user. By default, a user has no permissions or access keys.
:param user_name: The name of the user.
:return: The newly created user.
"""
try:
user = iam.create_user(UserName=user_name)
logger.info("Created user %s.", user.name)
except ClientError:
logger.exception("Couldn't create user %s.", user_name)
raise
else:
return user
def update_user(user_name, new_user_name):
"""
Updates a user's name.
:param user_name: The current name of the user to update.
:param new_user_name: The new name to assign to the user.
:return: The updated user.
"""
try:
user = iam.User(user_name)
user.update(NewUserName=new_user_name)
logger.info("Renamed %s to %s.", user_name, new_user_name)
except ClientError:
logger.exception("Couldn't update name for user %s.", user_name)
raise
return user
def list_users():
"""
Lists the users in the current account.
:return: The list of users.
"""
try:
users = list(iam.users.all())
logger.info("Got %s users.", len(users))
except ClientError:
logger.exception("Couldn't get users.")
raise
else:
return users
def delete_user(user_name):
"""
Deletes a user. Before a user can be deleted, all associated resources,
such as access keys and policies, must be deleted or detached.
:param user_name: The name of the user.
"""
try:
iam.User(user_name).delete()
logger.info("Deleted user %s.", user_name)
except ClientError:
logger.exception("Couldn't delete user %s.", user_name)
raise
def attach_policy(user_name, policy_arn):
"""
Attaches a policy to a user.
:param user_name: The name of the user.
:param policy_arn: The Amazon Resource Name (ARN) of the policy.
"""
try:
iam.User(user_name).attach_policy(PolicyArn=policy_arn)
logger.info("Attached policy %s to user %s.", policy_arn, user_name)
except ClientError:
logger.exception("Couldn't attach policy %s to user %s.", policy_arn, user_name)
raise
def detach_policy(user_name, policy_arn):
"""
Detaches a policy from a user.
:param user_name: The name of the user.
:param policy_arn: The Amazon Resource Name (ARN) of the policy.
"""
try:
iam.User(user_name).detach_policy(PolicyArn=policy_arn)
logger.info("Detached policy %s from user %s.", policy_arn, user_name)
except ClientError:
logger.exception(
"Couldn't detach policy %s from user %s.", policy_arn, user_name
)
raise
```
Crie a funções que envolvam ações de política do IAM.
```
import json
import logging
import operator
import pprint
import time
import boto3
from botocore.exceptions import ClientError
logger = logging.getLogger(__name__)
iam = boto3.resource("iam")
def create_policy(name, description, actions, resource_arn):
"""
Creates a policy that contains a single statement.
:param name: The name of the policy to create.
:param description: The description of the policy.
:param actions: The actions allowed by the policy. These typically take the
form of service:action, such as s3:PutObject.
:param resource_arn: The Amazon Resource Name (ARN) of the resource this policy
applies to. This ARN can contain wildcards, such as
'arn:aws:s3:::amzn-s3-demo-bucket/*' to allow actions on all objects
in the bucket named 'amzn-s3-demo-bucket'.
:return: The newly created policy.
"""
policy_doc = {
"Version":"2012-10-17",
"Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource_arn}],
}
try:
policy = iam.create_policy(
PolicyName=name,
Description=description,
PolicyDocument=json.dumps(policy_doc),
)
logger.info("Created policy %s.", policy.arn)
except ClientError:
logger.exception("Couldn't create policy %s.", name)
raise
else:
return policy
def delete_policy(policy_arn):
"""
Deletes a policy.
:param policy_arn: The ARN of the policy to delete.
"""
try:
iam.Policy(policy_arn).delete()
logger.info("Deleted policy %s.", policy_arn)
except ClientError:
logger.exception("Couldn't delete policy %s.", policy_arn)
raise
```
Crie funções que envolvam ações de chave de acesso do IAM.
```
import logging
import boto3
from botocore.exceptions import ClientError
logger = logging.getLogger(__name__)
iam = boto3.resource("iam")
def create_key(user_name):
"""
Creates an access key for the specified user. Each user can have a
maximum of two keys.
:param user_name: The name of the user.
:return: The created access key.
"""
try:
key_pair = iam.User(user_name).create_access_key_pair()
logger.info(
"Created access key pair for %s. Key ID is %s.",
key_pair.user_name,
key_pair.id,
)
except ClientError:
logger.exception("Couldn't create access key pair for %s.", user_name)
raise
else:
return key_pair
def delete_key(user_name, key_id):
"""
Deletes a user's access key.
:param user_name: The user that owns the key.
:param key_id: The ID of the key to delete.
"""
try:
key = iam.AccessKey(user_name, key_id)
key.delete()
logger.info("Deleted access key %s for %s.", key.id, key.user_name)
except ClientError:
logger.exception("Couldn't delete key %s for %s", key_id, user_name)
raise
```
Use as funções de wrapper para criar usuários com políticas diferentes e use as credenciais deles para acessar um bucket do Amazon S3.
```
def usage_demo():
"""
Shows how to manage users, keys, and policies.
This demonstration creates two users: one user who can put and get objects in an
Amazon S3 bucket, and another user who can only get objects from the bucket.
The demo then shows how the users can perform only the actions they are permitted
to perform.
"""
logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
print("-" * 88)
print("Welcome to the AWS Identity and Account Management user demo.")
print("-" * 88)
print(
"Users can have policies and roles attached to grant them specific "
"permissions."
)
s3 = boto3.resource("s3")
bucket = s3.create_bucket(
Bucket=f"demo-iam-bucket-{time.time_ns()}",
CreateBucketConfiguration={
"LocationConstraint": s3.meta.client.meta.region_name
},
)
print(f"Created an Amazon S3 bucket named {bucket.name}.")
user_read_writer = create_user("demo-iam-read-writer")
user_reader = create_user("demo-iam-reader")
print(f"Created two IAM users: {user_read_writer.name} and {user_reader.name}")
update_user(user_read_writer.name, "demo-iam-creator")
update_user(user_reader.name, "demo-iam-getter")
users = list_users()
user_read_writer = next(
user for user in users if user.user_id == user_read_writer.user_id
)
user_reader = next(user for user in users if user.user_id == user_reader.user_id)
print(
f"Changed the names of the users to {user_read_writer.name} "
f"and {user_reader.name}."
)
read_write_policy = policy_wrapper.create_policy(
"demo-iam-read-write-policy",
"Grants rights to create and get an object in the demo bucket.",
["s3:PutObject", "s3:GetObject"],
f"arn:aws:s3:::{bucket.name}/*",
)
print(
f"Created policy {read_write_policy.policy_name} with ARN: {read_write_policy.arn}"
)
print(read_write_policy.description)
read_policy = policy_wrapper.create_policy(
"demo-iam-read-policy",
"Grants rights to get an object from the demo bucket.",
"s3:GetObject",
f"arn:aws:s3:::{bucket.name}/*",
)
print(f"Created policy {read_policy.policy_name} with ARN: {read_policy.arn}")
print(read_policy.description)
attach_policy(user_read_writer.name, read_write_policy.arn)
print(f"Attached {read_write_policy.policy_name} to {user_read_writer.name}.")
attach_policy(user_reader.name, read_policy.arn)
print(f"Attached {read_policy.policy_name} to {user_reader.name}.")
user_read_writer_key = access_key_wrapper.create_key(user_read_writer.name)
print(f"Created access key pair for {user_read_writer.name}.")
user_reader_key = access_key_wrapper.create_key(user_reader.name)
print(f"Created access key pair for {user_reader.name}.")
s3_read_writer_resource = boto3.resource(
"s3",
aws_access_key_id=user_read_writer_key.id,
aws_secret_access_key=user_read_writer_key.secret,
)
demo_object_key = f"object-{time.time_ns()}"
demo_object = None
while demo_object is None:
try:
demo_object = s3_read_writer_resource.Bucket(bucket.name).put_object(
Key=demo_object_key, Body=b"AWS IAM demo object content!"
)
except ClientError as error:
if error.response["Error"]["Code"] == "InvalidAccessKeyId":
print("Access key not yet available. Waiting...")
time.sleep(1)
else:
raise
print(
f"Put {demo_object_key} into {bucket.name} using "
f"{user_read_writer.name}'s credentials."
)
read_writer_object = s3_read_writer_resource.Bucket(bucket.name).Object(
demo_object_key
)
read_writer_content = read_writer_object.get()["Body"].read()
print(f"Got object {read_writer_object.key} using read-writer user's credentials.")
print(f"Object content: {read_writer_content}")
s3_reader_resource = boto3.resource(
"s3",
aws_access_key_id=user_reader_key.id,
aws_secret_access_key=user_reader_key.secret,
)
demo_content = None
while demo_content is None:
try:
demo_object = s3_reader_resource.Bucket(bucket.name).Object(demo_object_key)
demo_content = demo_object.get()["Body"].read()
print(f"Got object {demo_object.key} using reader user's credentials.")
print(f"Object content: {demo_content}")
except ClientError as error:
if error.response["Error"]["Code"] == "InvalidAccessKeyId":
print("Access key not yet available. Waiting...")
time.sleep(1)
else:
raise
try:
demo_object.delete()
except ClientError as error:
if error.response["Error"]["Code"] == "AccessDenied":
print("-" * 88)
print(
"Tried to delete the object using the reader user's credentials. "
"Got expected AccessDenied error because the reader is not "
"allowed to delete objects."
)
print("-" * 88)
access_key_wrapper.delete_key(user_reader.name, user_reader_key.id)
detach_policy(user_reader.name, read_policy.arn)
policy_wrapper.delete_policy(read_policy.arn)
delete_user(user_reader.name)
print(f"Deleted keys, detached and deleted policy, and deleted {user_reader.name}.")
access_key_wrapper.delete_key(user_read_writer.name, user_read_writer_key.id)
detach_policy(user_read_writer.name, read_write_policy.arn)
policy_wrapper.delete_policy(read_write_policy.arn)
delete_user(user_read_writer.name)
print(
f"Deleted keys, detached and deleted policy, and deleted {user_read_writer.name}."
)
bucket.objects.delete()
bucket.delete()
print(f"Emptied and deleted {bucket.name}.")
print("Thanks for watching!")
```
+ Para obter detalhes da API, consulte os tópicos a seguir na *Referência da API AWS SDK para Python (Boto3)*.
+ [AttachUserPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/AttachUserPolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreatePolicy)
+ [CreateUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeletePolicy)
+ [DeleteUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteUser)
+ [DetachUserPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DetachUserPolicy)
+ [ListUsers](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListUsers)
+ [UpdateUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/UpdateUser)
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Gerenciar chaves de acesso do IAM usando um AWS SDK
O exemplo de código a seguir mostra como gerenciar chaves de acesso.
**Atenção**
Para evitar riscos de segurança, não use usuários do IAM para autenticação ao desenvolver software com propósito específico ou trabalhar com dados reais. Em vez disso, use federação com um provedor de identidade, como [Centro de Identidade do AWS IAM](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html).
+ Criar e listar chaves de acesso.
+ Descobrir quando e como a chave de acesso foi usada pela última vez.
+ Atualizar e excluir chaves de acesso.
------
#### [ Python ]
**SDK para Python (Boto3).**
Há mais no GitHub. Encontre o exemplo completo e saiba como configurar e executar no [AWSCode Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples).
Crie a funções que envolvam ações de chave de acesso do IAM.
```
import logging
import boto3
from botocore.exceptions import ClientError
logger = logging.getLogger(__name__)
iam = boto3.resource("iam")
def list_keys(user_name):
"""
Lists the keys owned by the specified user.
:param user_name: The name of the user.
:return: The list of keys owned by the user.
"""
try:
keys = list(iam.User(user_name).access_keys.all())
logger.info("Got %s access keys for %s.", len(keys), user_name)
except ClientError:
logger.exception("Couldn't get access keys for %s.", user_name)
raise
else:
return keys
def create_key(user_name):
"""
Creates an access key for the specified user. Each user can have a
maximum of two keys.
:param user_name: The name of the user.
:return: The created access key.
"""
try:
key_pair = iam.User(user_name).create_access_key_pair()
logger.info(
"Created access key pair for %s. Key ID is %s.",
key_pair.user_name,
key_pair.id,
)
except ClientError:
logger.exception("Couldn't create access key pair for %s.", user_name)
raise
else:
return key_pair
def get_last_use(key_id):
"""
Gets information about when and how a key was last used.
:param key_id: The ID of the key to look up.
:return: Information about the key's last use.
"""
try:
response = iam.meta.client.get_access_key_last_used(AccessKeyId=key_id)
last_used_date = response["AccessKeyLastUsed"].get("LastUsedDate", None)
last_service = response["AccessKeyLastUsed"].get("ServiceName", None)
logger.info(
"Key %s was last used by %s on %s to access %s.",
key_id,
response["UserName"],
last_used_date,
last_service,
)
except ClientError:
logger.exception("Couldn't get last use of key %s.", key_id)
raise
else:
return response
def update_key(user_name, key_id, activate):
"""
Updates the status of a key.
:param user_name: The user that owns the key.
:param key_id: The ID of the key to update.
:param activate: When True, the key is activated. Otherwise, the key is deactivated.
"""
try:
key = iam.User(user_name).AccessKey(key_id)
if activate:
key.activate()
else:
key.deactivate()
logger.info("%s key %s.", "Activated" if activate else "Deactivated", key_id)
except ClientError:
logger.exception(
"Couldn't %s key %s.", "Activate" if activate else "Deactivate", key_id
)
raise
def delete_key(user_name, key_id):
"""
Deletes a user's access key.
:param user_name: The user that owns the key.
:param key_id: The ID of the key to delete.
"""
try:
key = iam.AccessKey(user_name, key_id)
key.delete()
logger.info("Deleted access key %s for %s.", key.id, key.user_name)
except ClientError:
logger.exception("Couldn't delete key %s for %s", key_id, user_name)
raise
```
Use a funções de wrapper para executar ações de chave de acesso para o usuário atual.
```
def usage_demo():
"""Shows how to create and manage access keys."""
def print_keys():
"""Gets and prints the current keys for a user."""
current_keys = list_keys(current_user_name)
print("The current user's keys are now:")
print(*[f"{key.id}: {key.status}" for key in current_keys], sep="\n")
logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
print("-" * 88)
print("Welcome to the AWS Identity and Account Management access key demo.")
print("-" * 88)
current_user_name = iam.CurrentUser().user_name
print(
f"This demo creates an access key for the current user "
f"({current_user_name}), manipulates the key in a few ways, and then "
f"deletes it."
)
all_keys = list_keys(current_user_name)
if len(all_keys) == 2:
print(
"The current user already has the maximum of 2 access keys. To run "
"this demo, either delete one of the access keys or use a user "
"that has only 1 access key."
)
else:
new_key = create_key(current_user_name)
print(f"Created a new key with id {new_key.id} and secret {new_key.secret}.")
print_keys()
existing_key = next(key for key in all_keys if key != new_key)
last_use = get_last_use(existing_key.id)["AccessKeyLastUsed"]
print(
f"Key {all_keys[0].id} was last used to access {last_use['ServiceName']} "
f"on {last_use['LastUsedDate']}"
)
update_key(current_user_name, new_key.id, False)
print(f"Key {new_key.id} is now deactivated.")
print_keys()
delete_key(current_user_name, new_key.id)
print_keys()
print("Thanks for watching!")
```
+ Para obter detalhes da API, consulte os tópicos a seguir na *Referência da API AWS SDK para Python (Boto3)*.
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateAccessKey)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteAccessKey)
+ [GetAccessKeyLastUsed](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetAccessKeyLastUsed)
+ [ListAccessKeys](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListAccessKeys)
+ [UpdateAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/UpdateAccessKey)
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Gerenciar políticas do IAM usando um AWS SDK
O código de exemplo abaixo mostra como:
+ Criar e listar políticas.
+ Criar e obter versões de políticas.
+ Reverter uma política para uma versão anterior.
+ Excluir políticas.
------
#### [ Python ]
**SDK para Python (Boto3).**
Há mais no GitHub. Encontre o exemplo completo e saiba como configurar e executar no [AWSCode Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples).
Crie a funções que envolvam ações de política do IAM.
```
import json
import logging
import operator
import pprint
import time
import boto3
from botocore.exceptions import ClientError
logger = logging.getLogger(__name__)
iam = boto3.resource("iam")
def create_policy(name, description, actions, resource_arn):
"""
Creates a policy that contains a single statement.
:param name: The name of the policy to create.
:param description: The description of the policy.
:param actions: The actions allowed by the policy. These typically take the
form of service:action, such as s3:PutObject.
:param resource_arn: The Amazon Resource Name (ARN) of the resource this policy
applies to. This ARN can contain wildcards, such as
'arn:aws:s3:::amzn-s3-demo-bucket/*' to allow actions on all objects
in the bucket named 'amzn-s3-demo-bucket'.
:return: The newly created policy.
"""
policy_doc = {
"Version":"2012-10-17",
"Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource_arn}],
}
try:
policy = iam.create_policy(
PolicyName=name,
Description=description,
PolicyDocument=json.dumps(policy_doc),
)
logger.info("Created policy %s.", policy.arn)
except ClientError:
logger.exception("Couldn't create policy %s.", name)
raise
else:
return policy
def list_policies(scope):
"""
Lists the policies in the current account.
:param scope: Limits the kinds of policies that are returned. For example,
'Local' specifies that only locally managed policies are returned.
:return: The list of policies.
"""
try:
policies = list(iam.policies.filter(Scope=scope))
logger.info("Got %s policies in scope '%s'.", len(policies), scope)
except ClientError:
logger.exception("Couldn't get policies for scope '%s'.", scope)
raise
else:
return policies
def create_policy_version(policy_arn, actions, resource_arn, set_as_default):
"""
Creates a policy version. Policies can have up to five versions. The default
version is the one that is used for all resources that reference the policy.
:param policy_arn: The ARN of the policy.
:param actions: The actions to allow in the policy version.
:param resource_arn: The ARN of the resource this policy version applies to.
:param set_as_default: When True, this policy version is set as the default
version for the policy. Otherwise, the default
is not changed.
:return: The newly created policy version.
"""
policy_doc = {
"Version":"2012-10-17",
"Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource_arn}],
}
try:
policy = iam.Policy(policy_arn)
policy_version = policy.create_version(
PolicyDocument=json.dumps(policy_doc), SetAsDefault=set_as_default
)
logger.info(
"Created policy version %s for policy %s.",
policy_version.version_id,
policy_version.arn,
)
except ClientError:
logger.exception("Couldn't create a policy version for %s.", policy_arn)
raise
else:
return policy_version
def get_default_policy_statement(policy_arn):
"""
Gets the statement of the default version of the specified policy.
:param policy_arn: The ARN of the policy to look up.
:return: The statement of the default policy version.
"""
try:
policy = iam.Policy(policy_arn)
# To get an attribute of a policy, the SDK first calls get_policy.
policy_doc = policy.default_version.document
policy_statement = policy_doc.get("Statement", None)
logger.info("Got default policy doc for %s.", policy.policy_name)
logger.info(policy_doc)
except ClientError:
logger.exception("Couldn't get default policy statement for %s.", policy_arn)
raise
else:
return policy_statement
def rollback_policy_version(policy_arn):
"""
Rolls back to the previous default policy, if it exists.
1. Gets the list of policy versions in order by date.
2. Finds the default.
3. Makes the previous policy the default.
4. Deletes the old default version.
:param policy_arn: The ARN of the policy to roll back.
:return: The default version of the policy after the rollback.
"""
try:
policy_versions = sorted(
iam.Policy(policy_arn).versions.all(),
key=operator.attrgetter("create_date"),
)
logger.info("Got %s versions for %s.", len(policy_versions), policy_arn)
except ClientError:
logger.exception("Couldn't get versions for %s.", policy_arn)
raise
default_version = None
rollback_version = None
try:
while default_version is None:
ver = policy_versions.pop()
if ver.is_default_version:
default_version = ver
rollback_version = policy_versions.pop()
rollback_version.set_as_default()
logger.info("Set %s as the default version.", rollback_version.version_id)
default_version.delete()
logger.info("Deleted original default version %s.", default_version.version_id)
except IndexError:
if default_version is None:
logger.warning("No default version found for %s.", policy_arn)
elif rollback_version is None:
logger.warning(
"Default version %s found for %s, but no previous version exists, so "
"nothing to roll back to.",
default_version.version_id,
policy_arn,
)
except ClientError:
logger.exception("Couldn't roll back version for %s.", policy_arn)
raise
else:
return rollback_version
def delete_policy(policy_arn):
"""
Deletes a policy.
:param policy_arn: The ARN of the policy to delete.
"""
try:
iam.Policy(policy_arn).delete()
logger.info("Deleted policy %s.", policy_arn)
except ClientError:
logger.exception("Couldn't delete policy %s.", policy_arn)
raise
```
Use a funções de wrapper para criar políticas, atualizar versões e obter informações sobre elas.
```
def usage_demo():
"""Shows how to use the policy functions."""
logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
print("-" * 88)
print("Welcome to the AWS Identity and Account Management policy demo.")
print("-" * 88)
print(
"Policies let you define sets of permissions that can be attached to "
"other IAM resources, like users and roles."
)
bucket_arn = f"arn:aws:s3:::amzn-s3-demo-bucket"
policy = create_policy(
"demo-iam-policy",
"Policy for IAM demonstration.",
["s3:ListObjects"],
bucket_arn,
)
print(f"Created policy {policy.policy_name}.")
policies = list_policies("Local")
print(f"Your account has {len(policies)} managed policies:")
print(*[pol.policy_name for pol in policies], sep=", ")
time.sleep(1)
policy_version = create_policy_version(
policy.arn, ["s3:PutObject"], bucket_arn, True
)
print(
f"Added policy version {policy_version.version_id} to policy "
f"{policy.policy_name}."
)
default_statement = get_default_policy_statement(policy.arn)
print(f"The default policy statement for {policy.policy_name} is:")
pprint.pprint(default_statement)
rollback_version = rollback_policy_version(policy.arn)
print(
f"Rolled back to version {rollback_version.version_id} for "
f"{policy.policy_name}."
)
default_statement = get_default_policy_statement(policy.arn)
print(f"The default policy statement for {policy.policy_name} is now:")
pprint.pprint(default_statement)
delete_policy(policy.arn)
print(f"Deleted policy {policy.policy_name}.")
print("Thanks for watching!")
```
+ Para obter detalhes da API, consulte os tópicos a seguir na *Referência da API AWS SDK para Python (Boto3)*.
+ [CreatePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreatePolicy)
+ [CreatePolicyVersion](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreatePolicyVersion)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeletePolicy)
+ [DeletePolicyVersion](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeletePolicyVersion)
+ [GetPolicyVersion](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetPolicyVersion)
+ [ListPolicies](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListPolicies)
+ [ListPolicyVersions](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListPolicyVersions)
+ [SetDefaultPolicyVersion](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/SetDefaultPolicyVersion)
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Gerenciar perfis do IAM usando um AWS SDK
O código de exemplo abaixo mostra como:
+ Criar um perfil do IAM.
+ Anexar e separar políticas para um perfil.
+ Excluir um perfil.
------
#### [ Python ]
**SDK para Python (Boto3).**
Há mais no GitHub. Encontre o exemplo completo e saiba como configurar e executar no [AWSCode Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples).
Criar perfis que envolvam ações de perfil do IAM.
```
import json
import logging
import pprint
import boto3
from botocore.exceptions import ClientError
logger = logging.getLogger(__name__)
iam = boto3.resource("iam")
def create_role(role_name, allowed_services):
"""
Creates a role that lets a list of specified services assume the role.
:param role_name: The name of the role.
:param allowed_services: The services that can assume the role.
:return: The newly created role.
"""
trust_policy = {
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"Service": service},
"Action": "sts:AssumeRole",
}
for service in allowed_services
],
}
try:
role = iam.create_role(
RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust_policy)
)
logger.info("Created role %s.", role.name)
except ClientError:
logger.exception("Couldn't create role %s.", role_name)
raise
else:
return role
def attach_policy(role_name, policy_arn):
"""
Attaches a policy to a role.
:param role_name: The name of the role. **Note** this is the name, not the ARN.
:param policy_arn: The ARN of the policy.
"""
try:
iam.Role(role_name).attach_policy(PolicyArn=policy_arn)
logger.info("Attached policy %s to role %s.", policy_arn, role_name)
except ClientError:
logger.exception("Couldn't attach policy %s to role %s.", policy_arn, role_name)
raise
def detach_policy(role_name, policy_arn):
"""
Detaches a policy from a role.
:param role_name: The name of the role. **Note** this is the name, not the ARN.
:param policy_arn: The ARN of the policy.
"""
try:
iam.Role(role_name).detach_policy(PolicyArn=policy_arn)
logger.info("Detached policy %s from role %s.", policy_arn, role_name)
except ClientError:
logger.exception(
"Couldn't detach policy %s from role %s.", policy_arn, role_name
)
raise
def delete_role(role_name):
"""
Deletes a role.
:param role_name: The name of the role to delete.
"""
try:
iam.Role(role_name).delete()
logger.info("Deleted role %s.", role_name)
except ClientError:
logger.exception("Couldn't delete role %s.", role_name)
raise
```
Use a funções de wrapper para criar uma função, depois, anexe e desanexe uma política.
```
def usage_demo():
"""Shows how to use the role functions."""
logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
print("-" * 88)
print("Welcome to the AWS Identity and Account Management role demo.")
print("-" * 88)
print(
"Roles let you define sets of permissions and can be assumed by "
"other entities, like users and services."
)
print("The first 10 roles currently in your account are:")
roles = list_roles(10)
print(f"The inline policies for role {roles[0].name} are:")
list_policies(roles[0].name)
role = create_role(
"demo-iam-role", ["lambda.amazonaws.com", "batchoperations.s3.amazonaws.com"]
)
print(f"Created role {role.name}, with trust policy:")
pprint.pprint(role.assume_role_policy_document)
policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
attach_policy(role.name, policy_arn)
print(f"Attached policy {policy_arn} to {role.name}.")
print(f"Policies attached to role {role.name} are:")
list_attached_policies(role.name)
detach_policy(role.name, policy_arn)
print(f"Detached policy {policy_arn} from {role.name}.")
delete_role(role.name)
print(f"Deleted {role.name}.")
print("Thanks for watching!")
```
+ Para obter detalhes da API, consulte os tópicos a seguir na *Referência da API AWS SDK para Python (Boto3)*.
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/AttachRolePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateRole)
+ [DeleteRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteRole)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DetachRolePolicy)
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Gerenciar a conta do IAM usando um AWS SDK
O código de exemplo abaixo mostra como:
+ Obter e atualizar o alias da conta.
+ Gerar um relatório de usuários e credenciais.
+ Obter um resumo da utilização da conta.
+ Obtenha detalhes de todos os usuários, grupos, perfis e políticas em sua conta, incluindo as relações uns com os outros.
------
#### [ Python ]
**SDK para Python (Boto3).**
Há mais no GitHub. Encontre o exemplo completo e saiba como configurar e executar no [AWSCode Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples).
Crie funções que envolvam ações de conta do IAM.
```
import logging
import pprint
import sys
import time
import boto3
from botocore.exceptions import ClientError
logger = logging.getLogger(__name__)
iam = boto3.resource("iam")
def list_aliases():
"""
Gets the list of aliases for the current account. An account has at most one alias.
:return: The list of aliases for the account.
"""
try:
response = iam.meta.client.list_account_aliases()
aliases = response["AccountAliases"]
if len(aliases) > 0:
logger.info("Got aliases for your account: %s.", ",".join(aliases))
else:
logger.info("Got no aliases for your account.")
except ClientError:
logger.exception("Couldn't list aliases for your account.")
raise
else:
return response["AccountAliases"]
def create_alias(alias):
"""
Creates an alias for the current account. The alias can be used in place of the
account ID in the sign-in URL. An account can have only one alias. When a new
alias is created, it replaces any existing alias.
:param alias: The alias to assign to the account.
"""
try:
iam.create_account_alias(AccountAlias=alias)
logger.info("Created an alias '%s' for your account.", alias)
except ClientError:
logger.exception("Couldn't create alias '%s' for your account.", alias)
raise
def delete_alias(alias):
"""
Removes the alias from the current account.
:param alias: The alias to remove.
"""
try:
iam.meta.client.delete_account_alias(AccountAlias=alias)
logger.info("Removed alias '%s' from your account.", alias)
except ClientError:
logger.exception("Couldn't remove alias '%s' from your account.", alias)
raise
def generate_credential_report():
"""
Starts generation of a credentials report about the current account. After
calling this function to generate the report, call get_credential_report
to get the latest report. A new report can be generated a minimum of four hours
after the last one was generated.
"""
try:
response = iam.meta.client.generate_credential_report()
logger.info(
"Generating credentials report for your account. " "Current state is %s.",
response["State"],
)
except ClientError:
logger.exception("Couldn't generate a credentials report for your account.")
raise
else:
return response
def get_credential_report():
"""
Gets the most recently generated credentials report about the current account.
:return: The credentials report.
"""
try:
response = iam.meta.client.get_credential_report()
logger.debug(response["Content"])
except ClientError:
logger.exception("Couldn't get credentials report.")
raise
else:
return response["Content"]
def get_summary():
"""
Gets a summary of account usage.
:return: The summary of account usage.
"""
try:
summary = iam.AccountSummary()
logger.debug(summary.summary_map)
except ClientError:
logger.exception("Couldn't get a summary for your account.")
raise
else:
return summary.summary_map
def get_authorization_details(response_filter):
"""
Gets an authorization detail report for the current account.
:param response_filter: A list of resource types to include in the report, such
as users or roles. When not specified, all resources
are included.
:return: The authorization detail report.
"""
try:
account_details = iam.meta.client.get_account_authorization_details(
Filter=response_filter
)
logger.debug(account_details)
except ClientError:
logger.exception("Couldn't get details for your account.")
raise
else:
return account_details
```
Chame funções de wrapper para alterar o alias da conta e obter relatórios sobre a conta.
```
def usage_demo():
"""Shows how to use the account functions."""
logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
print("-" * 88)
print("Welcome to the AWS Identity and Account Management account demo.")
print("-" * 88)
print(
"Setting an account alias lets you use the alias in your sign-in URL "
"instead of your account number."
)
old_aliases = list_aliases()
if len(old_aliases) > 0:
print(f"Your account currently uses '{old_aliases[0]}' as its alias.")
else:
print("Your account currently has no alias.")
for index in range(1, 3):
new_alias = f"alias-{index}-{time.time_ns()}"
print(f"Setting your account alias to {new_alias}")
create_alias(new_alias)
current_aliases = list_aliases()
print(f"Your account alias is now {current_aliases}.")
delete_alias(current_aliases[0])
print(f"Your account now has no alias.")
if len(old_aliases) > 0:
print(f"Restoring your original alias back to {old_aliases[0]}...")
create_alias(old_aliases[0])
print("-" * 88)
print("You can get various reports about your account.")
print("Let's generate a credentials report...")
report_state = None
while report_state != "COMPLETE":
cred_report_response = generate_credential_report()
old_report_state = report_state
report_state = cred_report_response["State"]
if report_state != old_report_state:
print(report_state, sep="")
else:
print(".", sep="")
sys.stdout.flush()
time.sleep(1)
print()
cred_report = get_credential_report()
col_count = 3
print(f"Got credentials report. Showing only the first {col_count} columns.")
cred_lines = [
line.split(",")[:col_count] for line in cred_report.decode("utf-8").split("\n")
]
col_width = max([len(item) for line in cred_lines for item in line]) + 2
for line in cred_report.decode("utf-8").split("\n"):
print(
"".join(element.ljust(col_width) for element in line.split(",")[:col_count])
)
print("-" * 88)
print("Let's get an account summary.")
summary = get_summary()
print("Here's your summary:")
pprint.pprint(summary)
print("-" * 88)
print("Let's get authorization details!")
details = get_authorization_details([])
see_details = input("These are pretty long, do you want to see them (y/n)? ")
if see_details.lower() == "y":
pprint.pprint(details)
print("-" * 88)
pw_policy_created = None
see_pw_policy = input("Want to see the password policy for the account (y/n)? ")
if see_pw_policy.lower() == "y":
while True:
if print_password_policy():
break
else:
answer = input(
"Do you want to create a default password policy (y/n)? "
)
if answer.lower() == "y":
pw_policy_created = iam.create_account_password_policy()
else:
break
if pw_policy_created is not None:
answer = input("Do you want to delete the password policy (y/n)? ")
if answer.lower() == "y":
pw_policy_created.delete()
print("Password policy deleted.")
print("The SAML providers for your account are:")
list_saml_providers(10)
print("-" * 88)
print("Thanks for watching.")
```
+ Para obter detalhes da API, consulte os tópicos a seguir na *Referência da API AWS SDK para Python (Boto3)*.
+ [CreateAccountAlias](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateAccountAlias)
+ [DeleteAccountAlias](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteAccountAlias)
+ [GenerateCredentialReport](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GenerateCredentialReport)
+ [GetAccountAuthorizationDetails](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetAccountAuthorizationDetails)
+ [GetAccountSummary](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetAccountSummary)
+ [GetCredentialReport](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/GetCredentialReport)
+ [ListAccountAliases](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListAccountAliases)
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Permite que o atributo de automação AWS Compute Optimizer aplique as ações recomendadas
O exemplo de código a seguir mostra como. Esta política baseada em permissões permite que o atributo de automação AWS Compute Optimizer aplique as ações recomendadas
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "aco-automation.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Política para permitir a automação em toda a sua organização
O exemplo de código a seguir mostra como esta política baseada em permissões permite a automação em toda a sua organização
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation",
"Condition": {"StringLike": {"iam:AWSServiceName": "aco-automation.amazonaws.com"}}
},
{
"Effect": "Allow",
"Action": [
"iam:PutRolePolicy",
"iam:AttachRolePolicy"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation"
},
{
"Effect": "Allow",
"Action": "aco-automation:UpdateEnrollmentConfiguration",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "aco-automation:AssociateAccounts",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "aco-automation:DisassociateAccounts",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "aco-automation:ListAccounts",
"Resource": "*"
}
]
}
```
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Política para permitir a automação na sua conta
O exemplo de código a seguir mostra como esta política baseada em permissões permite a automação na sua conta
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation",
"Condition": {"StringLike": {"iam:AWSServiceName": "aco-automation.amazonaws.com"}}
},
{
"Effect": "Allow",
"Action": [
"iam:PutRolePolicy",
"iam:AttachRolePolicy"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation"
},
{
"Effect": "Allow",
"Action": "aco-automation:UpdateEnrollmentConfiguration",
"Resource": "*"
}
]
}
```
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Política para conceder acesso total ao Compute Optimizer Automation para uma conta gerencial de uma organização
O exemplo de código a seguir mostra como esta política baseada em permissões concede acesso total à automação do Compute Optimizer Automation para uma conta gerencial de uma organização
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aco-automation:*",
"ec2:DescribeVolumes",
"organizations:ListAccounts",
"organizations:DescribeOrganization",
"organizations:DescribeAccount",
"organizations:EnableAWSServiceAccess",
"organizations:ListDelegatedAdministrators",
"organizations:RegisterDelegatedAdministrator",
"organizations:DeregisterDelegatedAdministrator"
],
"Resource": "*"
}
]
}
```
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Política para conceder acesso total ao Compute Optimizer Automation para contas autônomas da AWS
O exemplo de código a seguir mostra como esta política baseada em permissões concede acesso total ao Compute Optimizer Automation para contas autônomas da AWS
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aco-automation:*",
"ec2:DescribeVolumes"
],
"Resource": "*"
}
]
}
```
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Política para conceder acesso somente leitura ao Compute Optimizer Automation para uma conta gerencial de uma organização
O exemplo de código a seguir mostra como esta política baseada em permissões concede acesso somente leitura ao Compute Optimizer Automation para uma conta gerencial de uma organização
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aco-automation:GetEnrollmentConfiguration",
"aco-automation:GetAutomationEvent",
"aco-automation:GetAutomationRule",
"aco-automation:ListAccounts",
"aco-automation:ListAutomationEvents",
"aco-automation:ListAutomationEventSteps",
"aco-automation:ListAutomationEventSummaries",
"aco-automation:ListAutomationRules",
"aco-automation:ListAutomationRulePreview",
"aco-automation:ListAutomationRulePreviewSummaries",
"aco-automation:ListRecommendedActions",
"aco-automation:ListRecommendedActionSummaries",
"aco-automation:ListTagsForResource",
"ec2:DescribeVolumes"
],
"Resource": "*"
}
]
}
```
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Política para conceder acesso somente leitura ao Compute Optimizer Automation para contas autônomas da AWS
O exemplo de código a seguir mostra como esta política baseada em permissões concede acesso somente leitura ao Compute Optimizer Automation para contas autônomas da AWS
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"aco-automation:GetEnrollmentConfiguration",
"aco-automation:GetAutomationEvent",
"aco-automation:GetAutomationRule",
"aco-automation:ListAutomationEvents",
"aco-automation:ListAutomationEventSteps",
"aco-automation:ListAutomationEventSummaries",
"aco-automation:ListAutomationRules",
"aco-automation:ListAutomationRulePreview",
"aco-automation:ListAutomationRulePreviewSummaries",
"aco-automation:ListRecommendedActions",
"aco-automation:ListRecommendedActionSummaries",
"aco-automation:ListTagsForResource",
"ec2:DescribeVolumes"
],
"Resource": "*"
}
]
}
```
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Política para conceder permissões de perfil vinculado ao serviço para o Compute Optimization Automation
O exemplo de código a seguir mostra como esta política baseada em permissões concede permissões de perfil vinculado ao serviço para o Compute Optimization Automation
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation",
"Condition": {"StringLike": {"iam:AWSServiceName": "aco-automation.amazonaws.com"}}
},
{
"Effect": "Allow",
"Action": "iam:PutRolePolicy",
"Resource": "arn:aws:iam::*:role/aws-service-role/aco-automation.amazonaws.com/AWSServiceRoleForComputeOptimizerAutomation"
}
]
}
```
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Reverter uma versão de política do IAM usando um AWS SDK
O código de exemplo abaixo mostra como:
+ Obter a lista de versões da política em ordem por data.
+ Encontrar a versão da política padrão.
+ Tornar a versão da política anterior a padrão.
+ Excluir a versão padrão antiga.
------
#### [ Python ]
**SDK para Python (Boto3).**
Há mais no GitHub. Encontre o exemplo completo e saiba como configurar e executar no [AWSCode Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples).
```
def rollback_policy_version(policy_arn):
"""
Rolls back to the previous default policy, if it exists.
1. Gets the list of policy versions in order by date.
2. Finds the default.
3. Makes the previous policy the default.
4. Deletes the old default version.
:param policy_arn: The ARN of the policy to roll back.
:return: The default version of the policy after the rollback.
"""
try:
policy_versions = sorted(
iam.Policy(policy_arn).versions.all(),
key=operator.attrgetter("create_date"),
)
logger.info("Got %s versions for %s.", len(policy_versions), policy_arn)
except ClientError:
logger.exception("Couldn't get versions for %s.", policy_arn)
raise
default_version = None
rollback_version = None
try:
while default_version is None:
ver = policy_versions.pop()
if ver.is_default_version:
default_version = ver
rollback_version = policy_versions.pop()
rollback_version.set_as_default()
logger.info("Set %s as the default version.", rollback_version.version_id)
default_version.delete()
logger.info("Deleted original default version %s.", default_version.version_id)
except IndexError:
if default_version is None:
logger.warning("No default version found for %s.", policy_arn)
elif rollback_version is None:
logger.warning(
"Default version %s found for %s, but no previous version exists, so "
"nothing to roll back to.",
default_version.version_id,
policy_arn,
)
except ClientError:
logger.exception("Couldn't roll back version for %s.", policy_arn)
raise
else:
return rollback_version
```
+ Para obter detalhes da API, consulte os tópicos a seguir na *Referência da API AWS SDK para Python (Boto3)*.
+ [DeletePolicyVersion](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeletePolicyVersion)
+ [ListPolicyVersions](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/ListPolicyVersions)
+ [SetDefaultPolicyVersion](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/SetDefaultPolicyVersion)
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Configuração do controle de acesso por atributo no DynamoDB usando a versão 2 da AWS Command Line Interface
O exemplo de código apresentado a seguir demonstra como implementar o controle de acesso por atributo (ABAC) no DynamoDB.
+ Crie uma política do IAM para o ABAC.
+ Crie tabelas com etiquetas que representem diferentes departamentos.
+ Liste e filtre tabelas com base nas etiquetas.
------
#### [ Bash ]
**AWS CLI com script Bash**
Crie uma política do IAM para o ABAC.
```
# Step 1: Create a policy document for ABAC
cat > abac-policy.json << 'EOF'
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:Scan"
],
"Resource": "arn:aws:dynamodb:*:*:table/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"
}
}
},
{
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem"
],
"Resource": "arn:aws:dynamodb:*:*:table/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Department": "${aws:PrincipalTag/Department}",
"aws:ResourceTag/Environment": "Development"
}
}
}
]
}
EOF
# Step 2: Create the IAM policy
aws iam create-policy \
--policy-name DynamoDBDepartmentBasedAccess \
--policy-document file://abac-policy.json
```
Crie tabelas com etiquetas que representem diferentes departamentos.
```
# Create a DynamoDB table with tags for ABAC
aws dynamodb create-table \
--table-name FinanceData \
--attribute-definitions \
AttributeName=RecordID,AttributeType=S \
--key-schema \
AttributeName=RecordID,KeyType=HASH \
--billing-mode PAY_PER_REQUEST \
--tags \
Key=Department,Value=Finance \
Key=Environment,Value=Development
# Create another table with different tags
aws dynamodb create-table \
--table-name MarketingData \
--attribute-definitions \
AttributeName=RecordID,AttributeType=S \
--key-schema \
AttributeName=RecordID,KeyType=HASH \
--billing-mode PAY_PER_REQUEST \
--tags \
Key=Department,Value=Marketing \
Key=Environment,Value=Production
```
Liste e filtre tabelas com base nas etiquetas.
```
# List all DynamoDB tables
echo "Listing all tables:"
aws dynamodb list-tables
# Get ARNs for all tables
echo -e "\nGetting ARNs for all tables:"
TABLE_ARNS=$(aws dynamodb list-tables --query "TableNames[*]" --output text | xargs -I {} aws dynamodb describe-table --table-name {} --query "Table.TableArn" --output text)
# For each table ARN, list its tags
echo -e "\nListing tags for each table:"
for ARN in $TABLE_ARNS; do
TABLE_NAME=$(echo $ARN | awk -F/ '{print $2}')
echo -e "\nTags for table: $TABLE_NAME"
aws dynamodb list-tags-of-resource --resource-arn $ARN
done
# Example: Find tables with a specific tag
echo -e "\nFinding tables with Environment=Production tag:"
for ARN in $TABLE_ARNS; do
TABLE_NAME=$(echo $ARN | awk -F/ '{print $2}')
TAGS=$(aws dynamodb list-tags-of-resource --resource-arn $ARN --query "Tags[?Key=='Environment' && Value=='Production']" --output text)
if [ ! -z "$TAGS" ]; then
echo "Table with Production tag: $TABLE_NAME"
fi
done
```
+ Consulte detalhes da API nos tópicos a seguir na *Referência de comandos da AWS CLI*.
+ [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy)
+ [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable)
+ [ListTables](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/ListTables)
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Trabalho com os fluxos e com a vida útil do DynamoDB usando a versão 2 da AWS Command Line Interface
O exemplo de código apresentado a seguir demonstra como gerenciar os recursos de fluxos e de vida útil do DynamoDB.
+ Crie uma tabela com a opção de fluxos habilitada.
+ Descreva os fluxos.
+ Crie uma função do Lambda para processar os fluxos.
+ Habilite a vida útil (TTL) em uma tabela.
+ Adicione itens com atributos de TTL.
+ Descreva as configurações de TTL.
------
#### [ Bash ]
**AWS CLI com script Bash**
Crie uma tabela com a opção de fluxos habilitada.
```
# Create a table with DynamoDB Streams enabled
aws dynamodb create-table \
--table-name StreamsDemo \
--attribute-definitions \
AttributeName=ID,AttributeType=S \
--key-schema \
AttributeName=ID,KeyType=HASH \
--billing-mode PAY_PER_REQUEST \
--stream-specification StreamEnabled=true,StreamViewType=NEW_AND_OLD_IMAGES
```
Descreva os fluxos.
```
# Get information about the stream
aws dynamodb describe-table \
--table-name StreamsDemo \
--query "Table.StreamSpecification"
# Get the stream ARN
STREAM_ARN=$(aws dynamodb describe-table \
--table-name StreamsDemo \
--query "Table.LatestStreamArn" \
--output text)
echo "Stream ARN: $STREAM_ARN"
# Describe the stream
aws dynamodbstreams describe-stream \
--stream-arn $STREAM_ARN
```
Crie uma função do Lambda para os fluxos.
```
# Step 1: Create an IAM role for the Lambda function
cat > trust-policy.json << 'EOF'
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
aws iam create-role \
--role-name DynamoDBStreamsLambdaRole \
--assume-role-policy-document file://trust-policy.json
# Step 2: Attach permissions to the role
aws iam attach-role-policy \
--role-name DynamoDBStreamsLambdaRole \
--policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole
# Step 3: Create a Lambda function (code would be in a separate file)
echo "Lambda function creation would be done separately with appropriate code"
# Step 4: Create an event source mapping
echo "Example command to create event source mapping:"
echo "aws lambda create-event-source-mapping \\"
echo " --function-name ProcessDynamoDBRecords \\"
echo " --event-source $STREAM_ARN \\"
echo " --batch-size 100 \\"
echo " --starting-position LATEST"
```
Habilite a vida útil (TTL) em uma tabela.
```
# Create a table for TTL demonstration
aws dynamodb create-table \
--table-name TTLDemo \
--attribute-definitions \
AttributeName=ID,AttributeType=S \
--key-schema \
AttributeName=ID,KeyType=HASH \
--billing-mode PAY_PER_REQUEST
# Wait for table to become active
aws dynamodb wait table-exists --table-name TTLDemo
# Enable TTL on the table
aws dynamodb update-time-to-live \
--table-name TTLDemo \
--time-to-live-specification "Enabled=true, AttributeName=ExpirationTime"
```
Adicione itens com atributos de TTL.
```
# Calculate expiration time (current time + 1 day in seconds)
EXPIRATION_TIME=$(date -d "+1 day" +%s)
# Add an item with TTL attribute
aws dynamodb put-item \
--table-name TTLDemo \
--item '{
"ID": {"S": "item1"},
"Data": {"S": "This item will expire in 1 day"},
"ExpirationTime": {"N": "'$EXPIRATION_TIME'"}
}'
# Add an item that expires in 1 hour
EXPIRATION_TIME_HOUR=$(date -d "+1 hour" +%s)
aws dynamodb put-item \
--table-name TTLDemo \
--item '{
"ID": {"S": "item2"},
"Data": {"S": "This item will expire in 1 hour"},
"ExpirationTime": {"N": "'$EXPIRATION_TIME_HOUR'"}
}'
```
Descreva as configurações de TTL.
```
# Describe TTL settings for a table
aws dynamodb describe-time-to-live \
--table-name TTLDemo
```
+ Consulte detalhes da API nos tópicos a seguir na *Referência de comandos da AWS CLI*.
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole)
+ [CreateTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/CreateTable)
+ [DescribeTable](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DescribeTable)
+ [DescribeTimeToLive](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/DescribeTimeToLive)
+ [PutItem](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/PutItem)
+ [UpdateTimeToLive](https://docs.aws.amazon.com/goto/aws-cli/dynamodb-2012-08-10/UpdateTimeToLive)
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.
# Trabalhar com a API IAM Policy Builder usando um AWS SDK
O código de exemplo abaixo mostra como:
+ Criar políticas do IAM usando a API orientada por objetos.
+ Use a API IAM Policy Builder com o serviço do IAM.
------
#### [ Java ]
**SDK para Java 2.x**
Há mais no GitHub. Encontre o exemplo completo e saiba como configurar e executar no [AWSCode Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples).
Os exemplos usam as importações a seguir.
```
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.policybuilder.iam.IamConditionOperator;
import software.amazon.awssdk.policybuilder.iam.IamEffect;
import software.amazon.awssdk.policybuilder.iam.IamPolicy;
import software.amazon.awssdk.policybuilder.iam.IamPolicyWriter;
import software.amazon.awssdk.policybuilder.iam.IamPrincipal;
import software.amazon.awssdk.policybuilder.iam.IamPrincipalType;
import software.amazon.awssdk.policybuilder.iam.IamResource;
import software.amazon.awssdk.policybuilder.iam.IamStatement;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.GetPolicyResponse;
import software.amazon.awssdk.services.iam.model.GetPolicyVersionResponse;
import software.amazon.awssdk.services.sts.StsClient;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
```
Crie uma política com base no tempo.
```
public String timeBasedPolicyExample() {
IamPolicy policy = IamPolicy.builder()
.addStatement(b -> b
.effect(IamEffect.ALLOW)
.addAction("dynamodb:GetItem")
.addResource(IamResource.ALL)
.addCondition(b1 -> b1
.operator(IamConditionOperator.DATE_GREATER_THAN)
.key("aws:CurrentTime")
.value("2020-04-01T00:00:00Z"))
.addCondition(b1 -> b1
.operator(IamConditionOperator.DATE_LESS_THAN)
.key("aws:CurrentTime")
.value("2020-06-30T23:59:59Z")))
.build();
// Use an IamPolicyWriter to write out the JSON string to a more readable
// format.
return policy.toJson(IamPolicyWriter.builder()
.prettyPrint(true)
.build());
}
```
Crie uma política com várias condições.
```
public String multipleConditionsExample() {
IamPolicy policy = IamPolicy.builder()
.addStatement(b -> b
.effect(IamEffect.ALLOW)
.addAction("dynamodb:GetItem")
.addAction("dynamodb:BatchGetItem")
.addAction("dynamodb:Query")
.addAction("dynamodb:PutItem")
.addAction("dynamodb:UpdateItem")
.addAction("dynamodb:DeleteItem")
.addAction("dynamodb:BatchWriteItem")
.addResource("arn:aws:dynamodb:*:*:table/table-name")
.addConditions(IamConditionOperator.STRING_EQUALS
.addPrefix("ForAllValues:"),
"dynamodb:Attributes",
List.of("column-name1", "column-name2", "column-name3"))
.addCondition(b1 -> b1
.operator(IamConditionOperator.STRING_EQUALS
.addSuffix("IfExists"))
.key("dynamodb:Select")
.value("SPECIFIC_ATTRIBUTES")))
.build();
return policy.toJson(IamPolicyWriter.builder()
.prettyPrint(true).build());
}
```
Use entidades principais em uma política.
```
public String specifyPrincipalsExample() {
IamPolicy policy = IamPolicy.builder()
.addStatement(b -> b
.effect(IamEffect.DENY)
.addAction("s3:*")
.addPrincipal(IamPrincipal.ALL)
.addResource("arn:aws:s3:::amzn-s3-demo-bucket/*")
.addResource("arn:aws:s3:::amzn-s3-demo-bucket")
.addCondition(b1 -> b1
.operator(IamConditionOperator.ARN_NOT_EQUALS)
.key("aws:PrincipalArn")
.value("arn:aws:iam::444455556666:user/user-name")))
.build();
return policy.toJson(IamPolicyWriter.builder()
.prettyPrint(true).build());
}
```
Permitir o acesso entre contas ao .
```
public String allowCrossAccountAccessExample() {
IamPolicy policy = IamPolicy.builder()
.addStatement(b -> b
.effect(IamEffect.ALLOW)
.addPrincipal(IamPrincipalType.AWS, "111122223333")
.addAction("s3:PutObject")
.addResource("arn:aws:s3:::amzn-s3-demo-bucket/*")
.addCondition(b1 -> b1
.operator(IamConditionOperator.STRING_EQUALS)
.key("s3:x-amz-acl")
.value("bucket-owner-full-control")))
.build();
return policy.toJson(IamPolicyWriter.builder()
.prettyPrint(true).build());
}
```
Crie e carregue uma `IamPolicy`.
```
public String createAndUploadPolicyExample(IamClient iam, String accountID, String policyName) {
// Build the policy.
IamPolicy policy = IamPolicy.builder() // 'version' defaults to "2012-10-17".
.addStatement(IamStatement.builder()
.effect(IamEffect.ALLOW)
.addAction("dynamodb:PutItem")
.addResource("arn:aws:dynamodb:us-east-1:" + accountID
+ ":table/exampleTableName")
.build())
.build();
// Upload the policy.
iam.createPolicy(r -> r.policyName(policyName).policyDocument(policy.toJson()));
return policy.toJson(IamPolicyWriter.builder().prettyPrint(true).build());
}
```
Baixe e trabalhe com uma `IamPolicy`.
```
public String createNewBasedOnExistingPolicyExample(IamClient iam, String accountID, String policyName,
String newPolicyName) {
String policyArn = "arn:aws:iam::" + accountID + ":policy/" + policyName;
GetPolicyResponse getPolicyResponse = iam.getPolicy(r -> r.policyArn(policyArn));
String policyVersion = getPolicyResponse.policy().defaultVersionId();
GetPolicyVersionResponse getPolicyVersionResponse = iam
.getPolicyVersion(r -> r.policyArn(policyArn).versionId(policyVersion));
// Create an IamPolicy instance from the JSON string returned from IAM.
String decodedPolicy = URLDecoder.decode(getPolicyVersionResponse.policyVersion().document(),
StandardCharsets.UTF_8);
IamPolicy policy = IamPolicy.fromJson(decodedPolicy);
/*
* All IamPolicy components are immutable, so use the copy method that creates a
* new instance that
* can be altered in the same method call.
*
* Add the ability to get an item from DynamoDB as an additional action.
*/
IamStatement newStatement = policy.statements().get(0).copy(s -> s.addAction("dynamodb:GetItem"));
// Create a new statement that replaces the original statement.
IamPolicy newPolicy = policy.copy(p -> p.statements(Arrays.asList(newStatement)));
// Upload the new policy. IAM now has both policies.
iam.createPolicy(r -> r.policyName(newPolicyName)
.policyDocument(newPolicy.toJson()));
return newPolicy.toJson(IamPolicyWriter.builder().prettyPrint(true).build());
}
```
+ Para obter mais informações, consulte o [Guia do desenvolvedor do AWS SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/feature-iam-policy-builder.html).
+ Para obter detalhes da API, consulte os tópicos a seguir na *Referência da API AWS SDK for Java 2.x*.
+ [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreatePolicy)
+ [GetPolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/GetPolicy)
+ [GetPolicyVersion](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/GetPolicyVersion)
------
Para ver uma lista completa dos guias de desenvolvedor e exemplos de código do SDK da AWS, consulte [Using this service with an AWS SDK](sdk-general-information-section.md). Este tópico também inclui informações sobre como começar e detalhes sobre versões anteriores do SDK.