-
Notifications
You must be signed in to change notification settings - Fork 1
/
adcleanup.yml
207 lines (204 loc) · 7.09 KB
/
adcleanup.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
---
AWSTemplateFormatVersion: '2010-09-09'
Description: EC2 Decommission Process, please delete the duplicate SSM document created by the stack when you run the CFN template in Non Prod and Prod.
Parameters:
Docname:
Description: SSM Document Name of the Services Account or where the DC is. Needed only for Non-Prod and Prod.
Type: String
LocalArn:
Description: LocalArn value of the CrossAccount Role created.Needed only for Non-Prod and Prod
Type: String
Rolename:
Description: Rolename of the CrossAccount role created.Needed only for Non-Prod and Prod
Type: String
instanceid1:
Description: Instance id of the DC
Type: String
instanceid2:
Description: Instance id of the DC
Type: String
instanceid3:
Description: Instance id of the DC
Type: String
instanceid4:
Description: Instance id of the DC
Type: String
instanceid5:
Description: Instance id of the DC
Type: String
instanceid6:
Description: Instance id of the DC
Type: String
account:
Description: Give the account name i.e. Services,Prod or Nonprod
Type: String
Resources:
document:
Type: AWS::SSM::Document
Properties:
Content:
schemaVersion: '1.2'
description: Remove computer object by name from Active Directory. This should
only be run on a domain controller.
parameters:
name:
type: String
description: "(Required) The object name. Do not send multiple objects
at once, instead call this multiple times."
displayType: textarea
runtimeConfig:
aws:runPowerShellScript:
properties:
- id: 0.aws:runPowerShellScript
runCommand:
- Remove-ADComputer -Identity "{{ name }}" -confirm:$false
timeoutSeconds:
- '60'
DecommissionEC2:
Type: AWS::Lambda::Function
Properties:
Handler: index.lambda_handler
Role:
Fn::GetAtt:
- LambdaRole
- Arn
Code:
ZipFile:
Fn::Join:
- ''
- - 'import json
'
- 'import boto3
'
- 'def lambda_handler(event, context):
'
- " r=event\n"
- ' accountid= "'
- Ref: account
- "\"\n list=[]\n"
- ' id6 = "'
- Ref: instanceid6
- "\"\n instance_id=[]\n"
- ' id1 = "'
- Ref: instanceid1
- "\"\n s=json.dumps(r)\n"
- ' id2 = "'
- Ref: instanceid2
- "\"\n a=json.loads(s)\n"
- ' id3 = "'
- Ref: instanceid3
- "\"\n t=a['detail']['instance-id']\n"
- " id=t[4:]\n"
- ' id4= "'
- Ref: instanceid4
- "\"\n print ('Received id to be deleted')\n"
- ' id5 = "'
- Ref: instanceid5
- "\"\n print (id)\n"
- " if accountid=='Services':\n"
- " list=[id1,id2,id3,id4,id5,id6]\n"
- " for i in list:\n"
- " if i is not '':\n"
- " instance_id.append(i)\n"
- " ec2=boto3.resource('ec2')\n"
- " ec2instance=ec2.Instance(t)\n"
- " if ec2instance.tags is not None:\n"
- " for tags in ec2instance.tags:\n"
- " tags['Key']=='Hostname' \n"
- " instance_name=tags['Value']\n"
- ' response = client.send_command(InstanceIds=instance_id,DocumentName="'
- Ref: document
- "\",Parameters={'name': [instance_name]})\n"
- ' response = client.send_command(InstanceIds=instance_id,DocumentName="'
- Ref: document
- "\",Parameters={'name': [id]})\n"
- " else:\n"
- ' response = client.send_command(InstanceIds=instance_id,DocumentName="'
- Ref: document
- "\",Parameters={'name': [id]})\n"
- " else:\n"
- ' Rolenameac =("'
- Ref: Rolename
- "\")\n sts_client = boto3.client('sts')\n"
- ' LocalRoleArn =("'
- Ref: LocalArn
- "\")\n assumedRoleObject = sts_client.assume_role(RoleArn=LocalRoleArn,RoleSessionName=Rolenameac)\n"
- " credentials = assumedRoleObject['Credentials']\n"
- " client = boto3.client('ssm',aws_access_key_id = credentials['AccessKeyId'],aws_secret_access_key = credentials['SecretAccessKey'],aws_session_token = credentials['SessionToken'])\n"
- " list=[id1,id2,id3,id4,id5,id6]\n"
- " for i in list:\n"
- " if i is not '':\n"
- " instance_id.append(i)\n"
- " ec2=boto3.resource('ec2')\n"
- " ec2instance=ec2.Instance(t)\n"
- " if ec2instance.tags is not None:\n"
- " for tags in ec2instance.tags:\n"
- " tags['Key']=='Hostname' \n"
- " instance_name=tags['Value']\n"
- ' response = client.send_command(InstanceIds=instance_id,DocumentName="'
- Ref: Docname
- "\",Parameters={'name': [instance_name]})\n"
- ' response = client.send_command(InstanceIds=instance_id,DocumentName="'
- Ref: Docname
- "\",Parameters={'name': [id]})\n"
- " else:\n"
- ' response = client.send_command(InstanceIds=instance_id,DocumentName="'
- Ref: Docname
- "\",Parameters={'name': [id]})\n"
Runtime: python3.6
Timeout: '25'
TracingConfig:
Mode: Active
EventRule:
Type: AWS::Events::Rule
Properties:
Description: Catchterminatedinstance
EventPattern:
source:
- aws.ec2
detail-type:
- EC2 Instance State-change Notification
detail:
state:
- terminated
State: ENABLED
Targets:
- Arn:
Fn::GetAtt:
- DecommissionEC2
- Arn
Id: TargetFunctionV1
PermissionForEventsToInvokeLambda:
Type: AWS::Lambda::Permission
Properties:
FunctionName:
Ref: DecommissionEC2
Action: lambda:InvokeFunction
Principal: events.amazonaws.com
SourceArn:
Fn::GetAtt:
- EventRule
- Arn
LambdaRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action:
- sts:AssumeRole
Path: "/"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEC2FullAccess
- arn:aws:iam::aws:policy/CloudWatchFullAccess
- arn:aws:iam::aws:policy/AmazonSSMFullAccess
- arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess
- arn:aws:iam::aws:policy/IAMFullAccess
- arn:aws:iam::aws:policy/AdministratorAccess
Outputs:
autodeleteADdocumentName:
Description: The SSM Document name
Value: !Ref document