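AWSTemplateFormatVersion: '2010-09-09'
Description: v1.0 FIS experiment template
###############################################################
# Parameters
###############################################################
Parameters:
  # Value of the Name tag that marks the instances the experiment may pick.
  # Used both for FIS target selection and to scope the IAM role below.
  EC2NameTag:
    Type: String
    ConstraintDescription: Name Tag of EC2 Instances
    Default: 'ec2-web-asg'
###############################################################
# Resources
###############################################################
Resources:
  # One action against one target set: terminate two instances carrying the
  # Name tag given by EC2NameTag, halting if the stop-condition alarm fires.
  ExperimentTemplate:
    Type: 'AWS::FIS::ExperimentTemplate'
    Properties:
      Actions:
        'terminate-asg':
          ActionId: 'aws:ec2:terminate-instances'
          Targets:
            # "Instances" is the target key this action type expects;
            # "asg" names the entry under Targets below.
            Instances: asg
          Description: 'terminate ec2 instances'
      RoleArn: !GetAtt 'Role.Arn'
      Targets:
        asg:
          ResourceTags:
            'Name': !Ref EC2NameTag  # select resources by Name tag, value given as parameter
          ResourceType: 'aws:ec2:instance'
          SelectionMode: 'COUNT(2)'  # terminate 2 instances
      StopConditions:
        - Source: 'aws:cloudwatch:alarm'
          Value: !GetAtt 'Alarm.Arn'
      Tags:  # Tags is a required property of this resource type
        Environment: Dev
  # Stop condition: halt the experiment once the oldest message in the
  # FISStopQueue SQS queue has waited 5 minutes or longer. The queue is
  # referenced by name only; it is NOT created by this template, so it must
  # exist in the same account/region or the alarm never leaves INSUFFICIENT_DATA
  # (treated as notBreaching, i.e. the experiment would not be stopped).
  Alarm:
    Type: 'AWS::CloudWatch::Alarm'
    Properties:
      AlarmDescription: 'FIS stop condition'
      Namespace: 'AWS/SQS'
      MetricName: ApproximateAgeOfOldestMessage
      Dimensions:
        - Name: QueueName
          Value: 'FISStopQueue'
      Statistic: Maximum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 300  # 5 minutes
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
  # Execution role assumed by FIS while the experiment runs.
  Role:
    Type: 'AWS::IAM::Role'
    Properties:
      # Trust policy: only the FIS service may assume the role, and only on
      # behalf of experiments in this account/region (cross-service
      # confused-deputy guard via aws:SourceAccount / aws:SourceArn).
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: 'fis.amazonaws.com'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'aws:SourceAccount': !Ref 'AWS::AccountId'
              ArnLike:
                'aws:SourceArn': !Sub 'arn:${AWS::Partition}:fis:${AWS::Region}:${AWS::AccountId}:experiment/*'
      Policies:
        - PolicyName: fis
          # Least privilege: only what the single aws:ec2:terminate-instances
          # action above needs. The broader AWS sample statements (ECS, EKS,
          # RDS, SSM SendCommand/CancelCommand, fis:Inject*) are deliberately
          # omitted because no action in this template targets those services;
          # add the matching statement back when adding such an action.
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AllowFISExperimentRoleReadOnly
                Effect: Allow
                # Needed to resolve the tag-based target; Describe calls
                # cannot be scoped to individual resources.
                Action: 'ec2:DescribeInstances'
                Resource: '*'
              - Sid: AllowFISExperimentRoleEC2Actions
                Effect: Allow
                Action: 'ec2:TerminateInstances'
                Resource: !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
                # Only instances carrying the same Name tag the experiment
                # targets can be terminated through this role.
                Condition:
                  StringEquals:
                    'aws:ResourceTag/Name': !Ref EC2NameTag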