Stop Tagged EC2 Instances

This task stops any running EC2 instances in a chosen region that contain all the supplied tags.

You can run this task interactively or from a PPA schedule.

It requires an AWS API key that has permissions to read & stop instances in EC2.

Playbook Files

# The task was built to work with these plugin versions.
plugins:
  aws: ~3.4
  ppa: ~6
  ppa_tools: ~6
  hashicorp_vault: ~5

steps:

  - name: Check Start Type
    actions:

      - ppa.task.started_by_user:
        save: interactive


  - name: Establish Region if Headless
    when: not interactive
    actions:
      # If the task was started by a schedule or API call, look for the EC2 region in the task payload.

      - ppa.task.get_payload_values:
          keys:
            - name: ec2_region
        save: payload

      - set:
          name: region
          value: "{{ payload.ec2_region }}"

      - ppa.ui.output_markdown:
          doc: >
            {{ globals.icons.ppa.full }}


            ### AWS - Stop Development Instances


            This task was started by {{ "a __schedule__" if globals.task.trigger == "job" else "an __API__ call" }}.


            Using EC2 region __{{ region }}__ specified in the payload.


  - name: Introduction
    when: interactive
    actions:
      # If the task was triggered interactively, present the markdown intro & ask for an EC2 region.

      - ppa.ui.output_markdown:
          doc: >
            {{ globals.icons.ppa.full }}


            ### AWS - Stop Development EC2 Instances


            This task stops all running instances tagged as __development__.


            You will need to:


            - Select an EC2 region

            - Choose whether to email the report


      - ppa.ui.input_accept:
          text: Start

      - aws.ec2.regions.select:
          text: Select an EC2 Region
        save: region


  - name: Get AWS Secrets
    actions:

      - hashicorp_vault.key_value.read_secret_keys:
          secret: aws
          keys:
            - name: aws_access_key_id
            - name: aws_secret_access_key
              sensitive: true
          create_missing: true
        save: aws_secrets


  - name: Supply Tags if Interactive
    when: interactive
    until: tags_supplied
    actions:

      - ppa.ui.input_text:
          text: Tag name
          required: true
        save: tag_name

      - ppa.ui.input_text:
          text: Tag value
          required: true
        save: tag_value

      - ppa.ui.output_markdown:
         doc: >

          __Name:__ _{{ tag_name }}_

          __Value:__ _{{ tag_value }}_

      - ppa.ui.input_confirm:
          text: Is this correct?
          confirm: Yes
          cancel: No
        save: confirm_tag

      - ppa_tools.dictionaries.insert:
        load:
          name: tag_name
          value: tag_value
          dictionary: tags
        save: tags
        when: confirm_tag

      - ppa.ui.output_error:
          text: The supplied tag will be not be used.
        when: not confirm_tag

      - ppa.ui.input_confirm:
          text: Add another tag?
          confirm: Yes
          cancel: No
        save: add_another

      - set:
          name: tags_supplied
          value: true
        when: not add_another

      - set:
          name: tags_supplied
          value: false
        when: add_another


  - name: Interactive Confirmation
    when: interactive
    actions:

      - ppa.ui.output_markdown:
          doc: >
            ### Operation Summary

            PPA will _stop_ any running instances with _all_ the tags below:

            {% for name, value in tags.items() %}

            - __{{ name }}__: {{ value }}

            {% endfor %}

      - ppa.ui.input_accept:
          text: OK


  - name: Find Tagged Instances
    actions:

      - ppa.ui.output_progress:
          text: Finding instances with the supplied tags...
          percent: null
          element_id: finding_instances

      - aws.ec2.instances.get_by_tags:
        load:
          tags: tags
          region_name: region
          aws_client: aws_secrets
        save: tagged_instances

      - count:
        load:
          item: tagged_instances
        save: tagged_instance_count

      - ppa.ui.output_progress:
          text: Found {{ tagged_instance_count }} instance(s) with the supplied tags
          percent: 100
          element_id: finding_instances

      - ppa.ui.output_progress:
          text: Filtering instances by state...
          percent: null
          element_id: filtering_instances

      - ppa_tools.dictionaries.filter_from_list:
          filters:
            - type: not_equal
              key: state
              value: running
        load:
          dictionaries: tagged_instances
        save: running_instances

      - count:
        load:
          item: running_instances
        save: running_instance_count

      - ppa.ui.output_progress:
          text: Found {{ running_instance_count }} tagged instance(s) running
          percent: 100
          element_id: filtering_instances


  - name: Exit if No Instances Found
    when: running_instance_count == 0
    actions:

      - ppa.ui.output_info:
          text: No running instances with the supplied tags found in EC2 region {{ region }}.

      - exit:
          exit_code: 0


  - name: Show Instances if Interactive
    when: interactive
    actions:

      - aws.ec2.instances.output_table:
          text: Running Tagged Instances
        load:
          instances: tagged_instances

      - ppa.ui.input_accept:
          text: Stop {{ running_instance_count }} Instances


  - name: Stop Instances
    sequence: running_instances
    actions:

      - ppa.ui.output_progress:
          text: Stopping {{ running_instance_count }} instances...
          percent: null
          element_id: stopping_instances

      - aws.ec2.instances.stop:
        load:
          instance_id: loop.step.item.value.instance_id
          region_name: region
          aws_client: aws_secrets

      - ppa.ui.output_progress:
          text: Stopped {{ running_instance_count }} instances
          percent: 100
          element_id: stopping_instances
        when: loop.step.item.index + 1 == running_instance_count


  - name: Generate Report
    actions:

      # Create a 2d-array of each untagged instance so an HTML table can be generated from it.
      - ppa_tools.generate.table_from_dictionaries:
          header:
            - ID
            - Private DNS Address
            - Public DNS Address
            - Type
            - VPC ID
          keys:
            - instance_id
            - private_dns_name
            - public_dns_name
            - instance_type
            - vpc_id
        load:
          dictionaries: running_instances
        save: instances_table

      - ppa_tools.generate.html_table:
        load:
          header: instances_table.header
          rows: instances_table.rows
        save: instances_html

      # Format the instance & region data into the report template configured at the bottom of the Playbook.
      - format_template:
          key_values:
            icon: "{{ globals.icons.ppa.full }}"
            region: "{{ region }}"
            tags: "{{ tags }}"
            development_instances_table: "{{ instances_html }}"
        load:
          template: report_template
        save: formatted_report

      - ppa.ui.output_table:
          text: Stopped Instances ({{ region }})
        load:
          header: instances_table.header
          rows: instances_table.rows

      - ppa.ui.input_confirm:
          text: Send email report?
          confirm: Yes
          cancel: No
        save: send_email_report
        when: interactive

      # Always send the report email if the task was started from a schedule or API call.
      - set:
          name: send_email_report
          value: true
        when: not interactive


  - name: Send Email Report
    when: send_email_report
    actions:

      - ppa.ui.input_email:
          text: Please supply an email address for reporting
        save: recipient
        when: interactive

      - set:
          name: recipient
        load:
          value: payload.email_address
        when: not interactive

      - ppa.events.send_email:
          subject: PPA - Stop Tagged EC2 Instance Report
          reason: Sending stopped instance report email
          recipients:
            - "{{ recipient }}"
        load:
          html: formatted_report
        rescue:
          - ppa.ui.output_error:
              text: Failed to send email report. SMTP is not configured in PPA.
            when: rescue.type == "EventNotConfigured"
          - exit:
              exit_code: 2
            when: rescue.type == "EventNotConfigured"
          - ppa.ui.output_error:
              text: Failed to send email report. Please view the logs for more information.
          - exit:
              exit_code: 3


set:
  tags: {}   # This is populated when the task runs.
  report_template: >
    <html>
      <head>
          <p style="text-align:center;">
              {icon}
          </p>
          <br/>
      </head>

      <body>
          <p style="text-align: center; font-weight: bold; font-size: 20;">
            AWS EC2 Instances Stopped by PPA
          </p>

          <p style="text-align:center; font-size: 19;">
            <strong>EC2 region:</strong> {region}
          </p>

          <p style="text-align:center; font-size: 19;">
            <strong>Tags:</strong> {tags}
          </p>


          <p style="text-align:center; font-size: 19;">
            The following tagged instances were found to be running, and have been stopped by PPA:
          </p>

          <div style="margin: auto;">
            {development_instances_table}
          </div>

          <footer>
            <br/>
            <br/>
            <p style="text-align:center;font-weight:lighter;font-size:10;">
              Email generated and delivered by Osirium PPA.
            </p>
          </footer>

      </body>
    </html>

Running this Playbook

Click download playbook
Import the downloaded file via the Playbooks page on PPA
Build the playbook from the Edit & Build tab
Run the playbook from the Preview & Deploy tab

* Requires PPA v2.9.x or newer

Integrations

PPA User Interface, Task, & Events
Hashicorp Vault Key-Value engine
AWS EC2 Instances

EC2 Region & Instance Tags

The region & instance tags are supplied either:

By the user if the task is started interactively
In a schedule payload (see API/Schedule Payload below)

Required PPA Configuration

As this task emails a report, you must have SMTP configured in PPA.

Required Vault Details

AWS

Access key ID
Secret access key

The key must have permissions to read instance details from EC2.

Vault Configuration Wizard

The first time you run a task built from this playbook, PPA will check the required Vault details exist.

If they don't exist, PPA will ask you to supply the details at the start of the task.

Below you can see a user providing details the first time they run an Active Directory task.

vault-config-wizard

Once the details are added to Vault, the task won't ask for them again.

If you don't know the required details, ask an administrator to run the task or configure Vault manually.

API/Schedule Payload

To run this task from a schedule or API call, you'll need to supply the following in the payload:

The EC2 region
Instance tags
Reporting email address

The payload should be in this format:

{
  "region_name": "ec2-region-name",
  "email_address": "example@domain.com",
  "tags": {
    "environment": "development",
    "team": "engineering"
  }
}

You can use the example payload above as a template.

What the Task Does

Interactive

When run interactively this task will:

Ask the user to select an EC2 region, & supply any number of tag names & values
Find running EC2 instances in the selected region with all the supplied tags
Display them in a table & wait for the user to confirm
Stop the running instances
Ask the user whether to send an email report

Schedule/API

When started from a schedule or API call, this task will:

Find running EC2 instances using both the region_name & tags defined in the task payload
Stop the running instances
Send an email report

Audit Failure Messages (optional)

This task can supply a message to the Activity page if sending the report email fails.

To test this do the following in PPA after you've built & tested the task:

Navigate to the Playbook Editor
Click the burger menu for your Playbook
Select Edit Metadata
Expand the Advanced section
Paste the JSON below into the Exit Codes section
Click Save

{
  "2": "Failed to send email report. SMTP is not configured in PPA.",
  "3": "Failed to send email report. Please view the logs for more information."
}

You can see how this is done below:

set-exit-codes

See our other playbooks

Get PPA for free!

Start automating your estate with a free 30 day trial today. No signup required!

Get PPA Express

Documentation

Installation Guide
See how easy it is to get started with our installation guide
Playbooks
View our task writing reference guide
Plugins
See how to integrate with different systems using our plugins reference guide.