View Untagged EC2 Instances

This task reports on untagged EC2 instances from all VPCs in a chosen region.

You can run this task interactively, from a schedule, or via an API call to PPA.

It requires an AWS API key that has permissions to read instance details from EC2.

Playbook Files

# The task was built to work with these plugin versions.
plugins:
  aws: ~3.4
  ppa: ~6
  ppa_tools: ~6
  hashicorp_vault: ~5

steps:

  - name: Check Start Type
    actions:

      - ppa.task.started_by_user:
        save: interactive


  - name: Establish Region If Not Interactive
    when: not interactive
    actions:
      # If the task was started by a schedule or API call, look for the EC2 region in the task payload.

      - ppa.task.get_payload_values:
          keys:
            - name: ec2_region
            - name: email_recipient
        save: payload

      - set:
          name: region
          value: "{{ payload.ec2_region }}"

      - set:
          name: email_recipient
          value: "{{ payload.email_recipient }}"

      - ppa.ui.output_markdown:
          doc: >
            {{ globals.icons.ppa.full }}


            ### AWS - Untagged EC2 Instance Report


            This task was started by {{ "a __schedule__" if globals.task.trigger == "job" else "an __API__ call" }}.


            Using EC2 region __{{ region }}__ specified in the payload.


  - name: Introduction
    when: interactive
    actions:
      # If the task was triggered interactively, present the markdown intro & ask for an EC2 region.

      - ppa.ui.output_markdown:
          doc: >
            {{ globals.icons.ppa.full }}


            ### AWS - Untagged EC2 Instance Report


            This task finds untagged instances in an EC2 region & displays them in a table.


            You will need to:


            - Select an EC2 region

            - Choose whether to email the report

            - Provide an email recipient (if applicable)

      - ppa.ui.input_accept:
          text: Start

      - aws.ec2.regions.select:
          text: Select an EC2 Region
        save: region


  - name: Get AWS Secrets
    actions:

      - hashicorp_vault.key_value.read_secret_keys:
          secret: aws
          keys:
            - name: aws_access_key_id
            - name: aws_secret_access_key
              sensitive: true
          create_missing: true
        save: aws_secrets


  - name: Find Untagged Instances
    actions:

      - ppa.ui.output_progress:
          text: Finding untagged instances...
          element_id: finding_instances

      - aws.ec2.instances.get_untagged:
        load:
          region_name: region
          aws_client: aws_secrets
        save: untagged_instances

      - count:
        load:
          item: untagged_instances
        save: instance_count

      - ppa.ui.output_progress:
          text: Found {{ instance_count }} untagged instance(s)
          percent: 100
          element_id: finding_instances


  - name: Exit if No Instances Found
    when: instance_count == 0
    actions:

      - ppa.ui.output_info:
          text: No untagged EC2 instances were found!

      - exit:
          exit_code: 0


  - name: Generate Report
    actions:

      # Create a 2d-array of each untagged instance so an HTML table can be generated from it.
      - ppa_tools.generate.table_from_dictionaries:
          header:
            - ID
            - Type
            - State
            - VPC ID
          keys:
            - instance_id
            - instance_type
            - state
            - vpc_id
        load:
          dictionaries: untagged_instances
        save: untagged_instances_table

      - ppa_tools.generate.html_table:
        load:
          header: untagged_instances_table.header
          rows: untagged_instances_table.rows
        save: untagged_instances_html

      - ppa_tools.files.read_text_file:
          name: email.html
        save: email

      # Format the instance & region data into the report template configured at the bottom of the Playbook.
      - format_template:
          key_values:
            icon: "{{ globals.icons.ppa.full }}"
            region: "{{ region }}"
            untagged_instances_table: "{{ untagged_instances_html }}"
        load:
          template: email
        save: formatted_email

      - ppa.ui.output_table:
          text: Untagged Instances ({{ region }})
        load:
          header: untagged_instances_table.header
          rows: untagged_instances_table.rows

      - ppa.ui.input_confirm:
          text: Send email report?
        save: send_email_report
        when: interactive

      # Always send the report email if the task was started from a schedule or API call.
      - set:
          name: send_email_report
          value: true
        when: not interactive


  - name: Send Email Report
    when: send_email_report
    actions:

      - ppa.ui.input_email:
          text: Please supply an email address for reporting
        save: email_recipient
        when: interactive  # when not interactive the recipient is supplied via the payload.

      - ppa.events.send_email:
          subject: PPA - AWS Untagged EC2 Instance Report
          reason: Sending untagged instance report email
          recipients:
            - "{{ email_recipient }}"
        load:
          html: formatted_email
        rescue:
          - ppa.ui.output_error:
              text: Failed to send email report. SMTP is not configured in PPA.
            when: rescue.type == "EventNotConfigured"
          - exit:
              exit_code: 2
            when: rescue.type == "EventNotConfigured"
          - ppa.ui.output_error:
              text: Failed to send email report. Please view the logs for more information.
          - exit:
              exit_code: 3

Running this Playbook

Click download playbook
Import the downloaded file via the Playbooks page on PPA
Build the playbook from the Edit & Build tab
Run the playbook from the Preview & Deploy tab

* Requires PPA v2.9.x or newer

Integrations

PPA User Interface & Events
Hashicorp Vault Key-Value engine
AWS EC2 Instances

Required PPA Configuration

If you run start this task from a schedule or API call, the untagged instance report will be sent via email.

When started interactively the user will have the choice to email the report.

To email this report you must have SMTP configured in PPA.

Required Vault Details

AWS

Access key ID
Secret access key

The key must have permissions to read instance details from EC2.

Vault Configuration Wizard

The first time you run a task built from this playbook, PPA will check the required Vault details exist.

If they don't exist, PPA will ask you to supply the details at the start of the task.

Below you can see a user providing details the first time they run an Active Directory task.

vault-config-wizard

Once the details are added to Vault, the task won't ask for them again.

If you don't know the required details, ask an administrator to run the task or configure Vault manually.

API/Schedule Payload

To run this task from a schedule or API call, you'll need to supply the following in the payload:

The EC2 region
Reporting email address

The payload should be in this format:

{
  "ec2_region": "ec2-region-name",
  "email_recipient": "example@domain.com",
}

You can use the example payload above as a template.

What the Task Does

Interactive

When run interactively this task will:

Ask the user to select an EC2 region
Find all untagged EC2 instances in the selected region
Display them in a table
Ask the user whether to send the report in an email

Schedule/API

When started from a schedule or API call, this task will:

Find all untagged EC2 instances in the region defined in the task payload
Display them in a table
Send the report in an email

Audit Failure Messages (optional)

This task can supply a message to the Activity page if sending the report email fails.

To test this do the following in PPA after you've built & tested the task:

Navigate to the Playbook Editor
Click the burger menu for your Playbook
Select Edit Metadata
Expand the Advanced section
Paste the JSON below into the Exit Codes section
Click Save

{
  "2": "Failed to send email report. SMTP is not configured in PPA.",
  "3": "Failed to send email report. Please view the logs for more information."
}

You can see how this is done below:

set-exit-codes

See our other playbooks

Get PPA for free!

Start automating your estate with a free 30 day trial today. No signup required!

Get PPA Express

Documentation

Installation Guide
See how easy it is to get started with our installation guide
Playbooks
View our task writing reference guide
Plugins
See how to integrate with different systems using our plugins reference guide.