MENU
Architecting AWS with CloudFormation
  1. Home
  2. AWS_EN
  3. AWS-PatchAsgInstance to patch instances in the AutoScaling group in turn

AWS-PatchAsgInstance to patch instances in the AutoScaling group in turn

TOC

AWS-PatchAsgInstance to patch instances in the AutoScaling group in turn

The following pages cover how to schedule the application of patches to EC2 instances using the Maintenance Window.

あわせて読みたい
Set up a Maintenance Window to schedule SSM Patch Manager 【Set up a Maintenance Window to schedule SSM Patch Manager】 The following pages discuss the patch baseline. https://awstut.com/en/2022/01/22/create-a-custo...

In this case, we will consider targeting EC2 instances in the Auto Scaling group.

This can be accomplished by using the SSM Automation runbook AWS-PatchAsgInstance.

Patch EC2 instances in an Auto Scaling group.

About the AWS-RunPatchBaseline SSM document

Use CloudFormation to build an environment to run AWS-PatchAsgInstance.

Environment

Diagram of AWS-PatchAsgInstance to patch instances in Auto Scaling Group in turn.

Create an Auto Scaling group in a private subnet.
The instance to be created in the group will be Amazon Linux 2.

Set up a maintenance window.
The content is to periodically run the SSM Automation runbook AWS-PatchAsgInstance.
Running this runbook will cause the AWS-RunPatchBaseline to be run for each EC2 instance in the Auto Scaling group in turn.

CloudFormation template files

The above configuration is built with CloudFormation.
The CloudFormation templates are placed at the following URL

https://github.com/awstut-an-r/awstut-fa/tree/main/115

Explanation of key points of template files

When setting up a maintenance window, set up the following three resources

  • Maintenance Window
  • Maintenance Window Target
  • Maintenance Window Task

Maintenance Window

Resources:
  MaintenanceWindow:
    Type: AWS::SSM::MaintenanceWindow
    Properties:
      AllowUnassociatedTargets: false
      Cutoff: 1
      Duration: 2
      Name: !Sub "${Prefix}-MaintenanceWindow"
      Schedule: rate(30 minutes)
      ScheduleTimezone: Asia/Tokyo
Code language: YAML (yaml)

Set the task to run every 60 minutes with a RATE expression.

Maintenance Window Target

Resources:
  MaintenanceWindowTarget:
    Type: AWS::SSM::MaintenanceWindowTarget
    Properties:
      Name: !Sub "${Prefix}-MaintenanceWindowTarget"
      ResourceType: INSTANCE
      Targets:
        - Key: tag:aws:autoscaling:groupName
          Values:
            - !Ref AutoScalingGroup
      WindowId: !Ref MaintenanceWindow
Code language: YAML (yaml)

If an instance in an Auto Scaling group is to be the maintenance window, the ResourceType property should be “INSTANCE”.

Instances in an Auto Scaling group have tags that are set automatically.

The Auto Scaling group automatically adds a tag to instances with a key of aws:autoscaling:groupName and a value of the Auto Scaling group name.

Tag Auto Scaling groups and instances

In this case, this is specified in the Targets property.
When specifying a tag name in the Key property, use the format “tag:[tag name]”.

Maintenance Window Task

Resources:
  MaintenanceWindowTask:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      MaxConcurrency: 1
      MaxErrors: 0
      Name: !Sub "${Prefix}-MaintenanceWindowTask"
      Priority: 10
      ServiceRoleArn: !GetAtt SSMAutomationRole.Arn
      Targets:
        - Key: WindowTargetIds
          Values:
            - !Ref MaintenanceWindowTarget
      TaskArn: AWS-PatchAsgInstance
      TaskInvocationParameters:
        MaintenanceWindowAutomationParameters:
          Parameters:
            InstanceId:
              - "{{RESOURCE_ID}}"
      TaskType: AUTOMATION
      WindowId: !Ref MaintenanceWindow
Code language: YAML (yaml)

The task to be created is to execute AWS-PatchAsgInstance.

The TaskType property should be “AUTOMATION” and the Targets property should be the maintenance window ID mentioned earlier.

The TaskInvocationParameters property allows you to set parameters for running AWS-PatchAsgInstance.
Please refer to the following page for more information about parameters.

https://docs.aws.amazon.com/ja_jp/systems-manager-automation-runbooks/latest/userguide/automation-aws-patchasginstance.html

This time, only the required parameter, InstanceId, is set.
This parameter specifies the ID of an instance in the Auto Scaling group.
This means that it is different for each instance.
For this one, you can specify a pseudo-parameter.

You can use pseudo parameter values in the required input parameter fields to dynamically reference the resource IDs that the maintenance window targets. Pseudo parameters, such as {{RESOURCE_ID}}, allow you to target multiple resources without entering each resource ID individually.

How do I add parameters when registering an Automation task with Systems Manager maintenance windows?

This time, specify “{{RESOURCE_ID}}” according to the above.

(Reference) ALB and Auo Scaling Group

This page focuses on setting up a maintenance window to run AWS-PatchAsgInstance periodically.

For information on how to create an Auto Scaling group in a private subnet and attach it to an ALB, please see the following page.

あわせて読みたい
Introduction to EC2 Auto Scaling – No Scaling Policy 【Introduction to EC2 Auto Scaling - No Scaling Policy】 EC2 Auto Scaling allows you to launch any number of EC2 instances to increase the availability of yo...

Architecting

Use CloudFormation to build this environment and check its actual behavior.

Create CloudFormation stacks and check the resources in the stacks

Create CloudFormation stacks.
For information on how to create stacks and check each stack, please refer to the following pages.

あわせて読みたい
CloudFormation’s nested stack 【How to build an environment with a nested CloudFormation stack】 Examine nested stacks in CloudFormation. CloudFormation allows you to nest stacks. Nested ...

After reviewing the resources in each stack, information on the main resources created in this case is as follows

  • Maintenance window: 0dd5b473dd8357e1b
  • Auto Scaling Group: fa-115-AutoScalingGroup
  • ALB DNS name: fa-115-alb-905077433.ap-northeast-1.elb.amazonaws.com

Check each resource from the AWS Management Console.

Check the maintenance window.

Detail of SSM 1.

You can see that the task is set to run every 5 minutes.

Detail of SSM 2.

The content of the task indicates that the content is to execute AWS-PatchAsgInstance.

Detail of SSM 3.

Instances with the tag key “aws:autoscaling:groupName” and value “fa-115-AutoScalingGroup” are the target of the maintenance window.

Check the Auto Scaling group.

Detail of Auto Scaling 1.

A group is created with a minimum value of 1, a maximum value of 2, and a desired value of 2.

Detail of Auto Scaling 2.

Indeed, two instances are created in the group, both “InService”.

Operation Check

Now that it is ready, check its operation.

Detail of SSM 4.

Indeed, the AWS-PatchAsgInstance task is executed.
The steps are executed for one of the instances in the Auto Scaling group in turn, and the patching is performed.

Detail of SSM 5.

Looking at the Auto Scaling group again, the status of one instance has indeed changed to “Standby”.
This means that no traffic from the ALB is routed to this instance.

Detail of Auto Scaling 3.

When accessing ALB, the instance that is not currently subject to patching responded.
Since patching is not performed on all instances in the group at the same time, the application is not stopped.

After a short wait, the execution of all steps is completed.

Detail of SSM 6.

Check the Auto Scaling group again.

Detail of Auto Scaling 4.

The status of the instance that has been patched has returned to “InService”.

Detail of Auto Scaling 5.

After the first instance is completed, the other instance will be subject to patching.

In this way, AWS-PatchAsgInstance can be used to apply patches to instances in an Auto Scaling group in sequence.

Summary

We have created an environment to run AWS-PatchAsgInstance.

AWS_EN
ALB_EN Auto Scaling_EN EC2(Linux)_EN S3_EN SSM Document_EN SSM Patch Manager_EN
TOC