](media/lights-off-aws-architecture-and-flow.png?raw=true "Architecture diagram and flowchart for Lights Off, AWS!")
19 |
20 | > Most of all, this tool is lightweight. Not counting blanks, comments, or
21 | tests, AWS's
22 | [Instance Scheduler](https://github.com/aws-solutions/instance-scheduler-on-aws)
23 | has over 9,500 lines of Python! At about 600 lines of Python, Lights Off is
24 | easy to understand, maintain, and extend.
25 |
26 | Jump to:
27 | [Quick Start](#quick-start)
28 | •
29 | [Tags](#tag-keys-operations)
30 | •
31 | [Schedules](#tag-values-schedules)
32 | •
33 | [Multi-Account, Multi-Region](#multi-account-multi-region-cloudformation-stackset)
34 | •
35 | [Security](#security)
36 |
37 | ## Quick Start
38 |
39 | 1. Log in to the AWS Console as an administrator.
40 |
41 | 2. Tag a running, non-essential
42 | [EC2 instance](https://console.aws.amazon.com/ec2/home#Instances)
43 | with:
44 |
45 | - `sched-stop` : `d=_ H:M=11:30` , replacing 11:30 with the
46 | [current UTC time](https://www.timeanddate.com/worldclock/timezone/utc) +
47 | 20 minutes, rounded upward to :00, :10, :20, :30, :40, or :50.
48 |
49 | 3. Create a
50 | [CloudFormation stack](https://console.aws.amazon.com/cloudformation/home).
51 | Select Upload a template file, then select Choose file and navigate to a
52 | locally-saved copy of
53 | [lights_off_aws.yaml](/cloudformation/lights_off_aws.yaml?raw=true)
54 | [right-click to save as...]. On the next page, set:
55 |
56 | - Stack name: `LightsOff`
57 |
58 | 59 |
60 |
72 |
73 | 4. After about 20 minutes, check whether the EC2 instance is stopped. Restart
74 | it and delete the `sched-stop` tag.
75 |
76 | Jump to:
77 | [Extra Setup](#extra-setup)
78 | •
79 | [Multi-Account, Multi-Region](#multi-account-multi-region-cloudformation-stackset)
80 |
81 | ## Tag Keys (Operations)
82 |
83 | ||`sched-stop`|`sched-hibernate`|`sched-backup`|
84 | |:---|:---:|:---:|:---:|
85 | ||**`sched-start`**|||
86 | |EC2:||||
87 | |[Instance](https://console.aws.amazon.com/ec2/home#Instances)|[✓](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html)|[✓](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/hibernating-prerequisites.html)|→ Image (AMI)|
88 | |[EBS Volume](https://console.aws.amazon.com/ec2/home#Volumes)|||→ Snapshot|
89 | |RDS and Aurora:||||
90 | |[Database Instance](https://console.aws.amazon.com/rds/home#databases:)|[✓](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_StopInstance.html)||→ Snapshot|
91 | |[Database Cluster](https://console.aws.amazon.com/rds/home#databases:)|[✓](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-cluster-stop-start.html)||→ Snapshot|
92 |
93 | > Whether a database operation is at the cluster or instance level depends on
94 | your choice of Aurora or RDS, and for RDS, on your database's configuration.
95 |
96 | ## Tag Values (Schedules)
97 |
98 | ### Work Week Examples
99 |
100 | These cover Monday to Friday daytime work hours, 07:30 to 19:30, year-round
101 | (see
102 | [time zone converter](https://www.timeanddate.com/worldclock/converter.html?p1=1440&p2=103&p3=224&p4=75&p5=64&p6=179&p7=175&p8=136&p9=133&p10=195&p11=367&p12=54)).
103 |
104 | |Locations|Hours Saved|`sched-start`|`sched-stop`|
105 | |:---|:---:|:---:|:---:|
106 | |USA Mainland|**> 50%**|`u=1 u=2 u=3 u=4 u=5 H:M=11:30`|`u=2 u=3 u=4 u=5 u=6 H:M=03:30`|
107 | |North America (Hawaii to Newfoundland)|**> 40%**|`u=1 u=2 u=3 u=4 u=5 H:M=10:00`|`u=2 u=3 u=4 u=5 u=6 H:M=05:30`|
108 | |Europe|**> 50%**|`u=1 u=2 u=3 u=4 u=5 H:M=04:30`|`u=1 u=2 u=3 u=4 u=5 H:M=19:30`|
109 | |India|**> 60%**|`u=1 u=2 u=3 u=4 u=5 H:M=02:00`|`u=1 u=2 u=3 u=4 u=5 H:M=14:00`|
110 | |North America + Europe|**> 20%**|`u=1 H:M=04:30`|`u=6 H:M=05:30`|
111 | |North America + Europe + India|**> 20%**|`u=1 H:M=02:00`|`u=6 H:M=05:30`|
112 | |Europe + India|**> 40%**|`u=1 u=2 u=3 u=4 u=5 H:M=02:00`|`u=1 u=2 u=3 u=4 u=5 H:M=19:30`|
113 |
114 | #### Stopping an RDS or Aurora Database Longer than 7 Days
115 |
116 | If stack creation fails with an UnreservedConcurrentExecution error...
61 | 62 | Request that 63 | [Service Quotas → AWS services → AWS Lambda → Concurrent executions](https://console.aws.amazon.com/servicequotas/home/services/lambda/quotas/L-B99A9384) 64 | be increased. The default is `1000` . 65 | 66 | Lights Off needs 1 unit for a time-critical function. New AWS accounts 67 | start with a quota of 10, but Lambda always holds back 10, which leaves 0 68 | available! Within a given AWS account, the quota is set separately for 69 | each region. 70 | 71 |
117 |
152 |
153 | ### Rules
154 |
155 | - Coordinated Universal Time (UTC)
156 | - 24-hour clock
157 | - Days before times, hours before minutes
158 | - The day, the hour and the minute must all be resolved
159 | - Multiple operations on the same resource at the same time are _all_ canceled
160 |
161 | Space was chosen as the separator and underscore, as the wildcard, because
162 | [RDS does not allow commas or asterisks](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html#Overview.Tagging).
163 |
164 | ### Single Terms
165 |
166 | |Type|Literal Values ([strftime](http://manpages.ubuntu.com/manpages/noble/man3/strftime.3.html#description))|Wildcard|
167 | |:---|:---:|:---:|
168 | |Day of month|`d=01` ... `d=31`|`d=_`|
169 | |Day of week ([ISO 8601](https://en.wikipedia.org/wiki/ISO_8601#Week_dates))|`u=1` (Monday) ... `u=7` (Sunday)||
170 | |Hour|`H=00` ... `H=23`|`H=_`|
171 | |Minute (multiple of 10)|`M=00` , `M=10` , `M=20` , `M=30` , `M=40` , `M=50`||
172 |
173 | ### Compound Terms
174 |
175 | |Type|Note|Literal Values|
176 | |:---|:---:|:---:|
177 | |Once a day|d=_ or d=_NN_ or u=_N_ first!|`H:M=00:00` ... `H:M=23:50`|
178 | |Once a week||`uTH:M=1T00:00` ... `uTH:M=7T23:50`|
179 | |Once a month||`dTH:M=01T00:00` ... `dTH:M=31T23:50`|
180 |
181 | ### Backup Examples
182 |
183 | |`sched-backup`|Description|
184 | |:---:|:---:|
185 | |`d=01 d=15 H=03 H=19 M=00`|Traditional cron: 1st and 15th days of the month, at 03:00 and 19:00|
186 | |`d=_ H:M=03:00 H=_ M=15 M=45`|Every day, at 03:00 _plus_ every hour at 15 and 45 minutes after the hour|
187 | |`dTH:M=01T00:00`|Start of month _(instead of end of month)_|
188 | |`dTH:M=01T03:00 uTH:M=5T19:00 d=_ H=11 M=15`|1st day of the month at 03:00, _plus_ Friday at 19:00, _plus_ every day at 11:15|
189 |
190 | ## Extra Setup
191 |
192 | ### Starting EC2 Instances with Encrypted EBS Volumes
193 |
194 | In most cases, you can use the `sched-start` tag without setup.
195 |
196 | Solutions for stopping a database indefinitely...
118 | 119 | RDS and Aurora automatically start stopped databases after 7 days. 120 | 121 | For a work-around, check out 122 | [github.com/sqlxpert/stay-stopped-aws-rds-aurora](https://github.com/sqlxpert/stay-stopped-aws-rds-aurora/#stay-stopped-rds-and-aurora) 123 | , or modify of the `sched-stop` schedules above and set a once-a-week 124 | `sched-start` schedule that leaves enough time for the database to finish 125 | starting before it will be stopped again. The database will be started, and 126 | stopped again, at least once every 7 days. 127 | 128 | - Change the `sched-start` time to an earlier time if the database routinely 129 | takes more than 1 hour to start. (You may also have to change the weekday to 130 | be 1 day earlier.) 131 | - One or two days are added to `sched-stop` so that a slow-starting database 132 | will receive an extra stop attempt 24 hours after the first attempt (and, 133 | where possible, 48 hours after, as well). Stopping a database that has 134 | already been stopped is harmless. 135 | - For North America + Europe or North America + Europe + India, if you start 136 | the database manually, be sure to stop it manually when you are finished 137 | using it. Elsewhere, it will be stopped at the end of the usual work day. 138 | - To keep up with updates, it is a good practice to set a database's weekly 139 | maintenance window to a time period when the database will be running. 140 | 141 | |Locations|`sched-start`|`sched-stop`| 142 | |:---|:---:|:---:| 143 | |USA Mainland|`uTH:M=6T02:30`|`d=_ H:M=03:30`| 144 | |North America (Hawaii to Newfoundland)|`uTH:M=6T04:30`|`d=_ H:M=05:30`| 145 | |Europe|`uTH:M=5T18:30`|`d=_ H:M=19:30`| 146 | |India|`uTH:M=5T13:00`|`d=_ H:M=14:00`| 147 | |North America + Europe|`uTH:M=6T04:30`|`u=6 u=7 H:M=05:30`| 148 | |North America + Europe + India|`uTH:M=6T04:30`|`u=6 u=7 H:M=05:30`| 149 | |Europe + India|`uTH:M=5T18:30`|`d=_ H:M=19:30`| 150 | 151 |
197 |
248 |
249 | ### Making Backups
250 |
251 | You can use the `sched-backup` tag with minimal setup if you work in a small
252 | number of regions and/or AWS accounts. Use the AWS Console to view the
253 | [list of AWS Backup vaults](https://console.aws.amazon.com/backup/home#/backupvaults)
254 | one time in each AWS account and region. Make one backup in each AWS account
255 | ([AWS Backup](https://console.aws.amazon.com/backup/home#) → My account
256 | → Dashboard → On-demand backup). If you use _custom_ KMS keys, they
257 | must be in the same AWS account as the disks and databases encrypted with
258 | them.
259 |
260 | If you use custom KMS encryption keys from a different AWS account...
198 | 199 | The `sched-start` tag works for EC2 instances with EBS volumes if: 200 | 201 | - Your EBS volumes are unencrypted, or 202 | - You use the default, AWS-managed `aws/ebs` encryption key, or 203 | - You use custom keys in the same AWS account as each EC2 instance, the key 204 | policies contain the default `"Enable IAM User Permissions"` statement, and 205 | they do not contain `"Deny"` statements. 206 | 207 | Because your custom keys are in a different AWS account than your EC2 208 | instances, you must add a statement like the following to the key policies: 209 | 210 | ```json 211 | { 212 | "Sid": "LightsOffEc2StartInstancesWithEncryptedEbsVolumes", 213 | "Effect": "Allow", 214 | "Principal": "*", 215 | "Action": "kms:CreateGrant", 216 | "Resource": "*", 217 | "Condition": { 218 | "ForAnyValue:StringLike": { 219 | "aws:PrincipalOrgPaths": "o-ORG_ID/r-ROOT_ID/ou-PARENT_ORG_UNIT_ID/*" 220 | }, 221 | "ArnLike": { 222 | "aws:PrincipalArn": "arn:aws:iam::ACCOUNT:role/*LightsOff*-DoLambdaFnRole-*" 223 | }, 224 | "StringLike": { 225 | "kms:ViaService": "ec2.*.amazonaws.com" 226 | }, 227 | "Bool": { 228 | "kms:GrantIsForAWSResource": "true" 229 | } 230 | } 231 | } 232 | ``` 233 | 234 | - One account: Delete the entire `"ForAnyValue:StringLike"` section and 235 | replace _ACCOUNT_ with the account number of the AWS account in which you 236 | have installed Lights Off. 237 | 238 | - AWS Organizations: Replace _ACCOUNT_ with `*` and _o-ORG_ID_ , _r-ROOT_ID_ , 239 | and _ou-PARENT_ORG_UNIT_ID_ with the identifiers of your organization, your 240 | organization root, and the organizational unit in which you have installed 241 | Lights Off. `/*` at the end of this organization path stands for child OUs, 242 | if any. Do not use a path less specific than `"o-ORG_ID/*"` . 243 | 244 | > If an EC2 instance does not start as scheduled, a KMS key permissions error 245 | is possible. 246 | 247 |
261 |
314 |
315 | ### Hidden Policies
316 |
317 | Service and resource control policies (SCPs and RCPs), permissions boundaries,
318 | and session policies can interfere with the installation or usage of Lights
319 | Off. Check with your AWS administrator!
320 |
321 | ## Accessing Backups
322 |
323 | |Goal|Services|
324 | |:---|:---:|
325 | |List backups|AWS Backup|
326 | |View underlying images and/or snapshots|EC2 and RDS|
327 | |Restore (create new resources from) backups|EC2 and RDS, or AWS Backup|
328 | |Delete backups|AWS Backup|
329 |
330 | AWS Backup copies resource tags to backups. Lights Off adds `sched-time` to
331 | indicate when the backup was _scheduled_ to occur, in
332 | [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations)
333 | basic format (example: `20241231T1400Z`).
334 |
335 | ## On/Off Switch
336 |
337 | - You can toggle the `Enable` parameter of your Lights Off CloudFormation
338 | stack.
339 | - While Enable is `false`, scheduled operations do not happen; they are
340 | skipped permanently.
341 |
342 | ## Logging
343 |
344 | - Check the
345 | [LightsOff CloudWatch log groups](https://console.aws.amazon.com/cloudwatch/home#logsV2:log-groups$3FlogGroupNameFilter$3DLightsOff-).
346 | - Log entries are JSON objects.
347 | - Lights Off includes `"level"` , `"type"` and `"value"` keys.
348 | - Other software components may use different keys.
349 | - For more data, change the `LogLevel` in CloudFormation.
350 | - Scrutinize log entries at the `ERROR` level.
351 | - Both logs:
352 | Entries with the `"stackTrace"` key represent unexpected exceptions that
353 | require correction. These are unusual.
354 | - "Find" log:
355 | All other entries at the `ERROR` level require correction.
356 | - "Do" log:
357 | Some other entries at the `ERROR` level do not require correction.
358 | If you work across many regions and/or AWS accounts...
262 | 263 | Because you want to use the `sched-backup` tag in a complex AWS environment, 264 | you must address the following AWS Backup requirements: 265 | 266 | 1. Vault 267 | 268 | AWS Backup creates the `Default` vault the first time you open the 269 | [list of vaults](https://console.aws.amazon.com/backup/home#/backupvaults) 270 | in a given AWS account and region, using the AWS Console. Otherwise, see 271 | [Backup vault creation](https://docs.aws.amazon.com/aws-backup/latest/devguide/create-a-vault.html) 272 | and 273 | [AWS::Backup::BackupVault](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-backup-backupvault.html) 274 | or 275 | [aws_backup_vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) 276 | . Update the `BackupVaultName` CloudFormation stack parameter if necessary. 277 | 278 | 2. Vault policy 279 | 280 | If you have added `"Deny"` statements, be sure that `DoLambdaFnRole` still 281 | has access. 282 | 283 | 3. Backup role 284 | 285 | AWS Backup creates `AWSBackupDefaultServiceRole` the first time you make a 286 | backup in a given AWS account using the AWS Console 287 | ([AWS Backup](https://console.aws.amazon.com/backup/home#) → My 288 | account → Dashboard → On-demand backup). Otherwise, see 289 | [Default service role for AWS Backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/iam-service-roles.html#default-service-roles). 290 | Update `BackupRoleName` in CloudFormation if necessary. 291 | 292 | 4. KMS key policies 293 | 294 | `AWSBackupDefaultServiceRole` works if: 295 | 296 | - Your EBS volumes and RDS/Aurora databases are unencrypted, or 297 | - You use the default, AWS-managed `aws/ebs` and `aws/rds` encryption keys, or 298 | - You use custom keys in the same AWS account as each disk and database, 299 | the key policies contain the default `"Enable IAM User Permissions"` 300 | statement, and they do not contain `"Deny"` statements. 301 | 302 | If your custom keys are in a different AWS account than your disks and 303 | databases, you must modify the key policies. See 304 | [Encryption for backups in AWS Backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/encryption.html), 305 | [How EBS uses KMS](https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html), 306 | [Overview of encrypting RDS resources](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Overview), 307 | and 308 | [Key policies in KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). 309 | 310 | > If no backup jobs appear in AWS Backup, or if jobs do not start, a 311 | permissions problem is likely. 312 | 313 |
359 |
376 | - Check the `ErrorQueue`
377 | [SQS queue](https://console.aws.amazon.com/sqs/v3/home#/queues)
378 | for "Find" and "Do" events that were not delivered, or not fully processed.
379 | - Check CloudTrail for the final stages of `sched-start` and `sched-backup`
380 | operations.
381 |
382 | ## Advanced Installation
383 |
384 | ### Multi-Account, Multi-Region (CloudFormation StackSet)
385 |
386 | For reliability, Lights Off works completely independently in each AWS
387 | account+region combination. To deploy to multiple regions and/or AWS accounts,
388 |
389 | 1. Delete any standalone Lights Off CloudFormation _stacks_ in the target AWS
390 | accounts and regions.
391 |
392 | 2. Complete the prerequisites for creating a _StackSet_ with
393 | [service-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html).
394 |
395 | 3. Make sure that the AWS Lambda `Concurrent executions` quota is sufficient
396 | in every target AWS account, in every target region. See the note at the
397 | end of [Quick Start](#quick-start) Step 3.
398 |
399 | 4. In the management AWS account (or a delegated administrator account),
400 | create a
401 | [CloudFormation StackSet](https://console.aws.amazon.com/cloudformation/home#/stacksets).
402 | Select Upload a template file, then select Choose file and upload a
403 | locally-saved copy of
404 | [lights_off_aws.yaml](/cloudformation/lights_off_aws.yaml?raw=true)
405 | [right-click to save as...]. On the next page, set:
406 |
407 | - StackSet name: `LightsOff`
408 |
409 | 5. Two pages later, under Deployment targets, select Deploy to Organizational
410 | Units (OUs). Enter the AWS OU ID of the target Organizational Unit. Lights
411 | Off will be deployed to all AWS accounts within this Organizational Unit.
412 | Toward the bottom of the page, specify the target regions.
413 |
414 | ### Least-Privilege Installation
415 |
416 | What to consider when evaluating errors...
360 | 361 | The state of an AWS resource might change between the "Find" and "Do" 362 | steps; this sequence is fundamentally non-atomic. An operation might 363 | also be repeated due to queue message delivery logic; operations are 364 | idempotent. If a state change is favorable or an operation is repeated, 365 | Lights Off logs success responses or expected exceptions (depending on 366 | the AWS service) at the `INFO` level. For RDS database _instance_ 367 | start/stop operations, however, Lights Off logs expected exceptions at 368 | the `ERROR` level because it cannot determine whether they represent 369 | actual errors or harmless repetition (such as trying to start a 370 | database instance that has already been started). 371 | 372 | For complete details, see the technical article 373 | [Idempotence: Doing It More than Once](https://sqlxpert.github.io/2025/05/17/idempotence-doing-it-more-than-once.html). 374 | 375 |
417 |
438 |
439 | ### Installation with Terraform
440 |
441 | Terraform users are often willing to wrap a CloudFormation stack in HashiCorp
442 | Configuration Language, because AWS supplies tools in the form of
443 | CloudFormation templates. See
444 | [aws_cloudformation_stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack)
445 | .
446 |
447 | Wrapping a CloudFormation StackSet in HCL is much easier than configuring and
448 | using Terraform to deploy and maintain identical resources in multiple regions
449 | and/or AWS accounts. See
450 | [aws_cloudformation_stack_set](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set)
451 | .
452 |
453 | ## Security
454 |
455 | > In accordance with the software license, nothing in this section creates a
456 | warranty, an indemnification, an assumption of liability, etc. Use this
457 | software at your own risk. You are encouraged to evaluate the source code.
458 |
459 | Least-privilege installation details...
418 | 419 | You can use a 420 | [CloudFormation service role](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html) 421 | to delegate only the privileges needed to create the Lights Off stack. First, 422 | create the `LightsOffPrereq` stack from 423 | [lights_off_aws_prereq.yaml](/cloudformation/lights_off_aws_prereq.yaml?raw=true) 424 | . Next, when you create the `LightsOff` stack from 425 | [lights_off_aws.yaml](/cloudformation/lights_off_aws.yaml?raw=true) , set IAM 426 | role - optional to `LightsOffPrereq-DeploymentRole` . If your own privileges 427 | are limited, you might need permission to pass the deployment role to 428 | CloudFormation. See the `LightsOffPrereq-SampleDeploymentRolePassRolePol` IAM 429 | policy for an example. 430 | 431 | For a CloudFormation StackSet, you can use 432 | [self-managed permissions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs-self-managed.html) 433 | by copying the inline IAM policy of `LightsOffPrereq-DeploymentRole` to a 434 | customer-managed IAM policy, attaching your policy to 435 | `AWSCloudFormationStackSetExecutionRole` and propagating the policy and the 436 | role policy attachment to all target AWS accounts. 437 |
460 |
517 |
518 | ## Advice
519 |
520 | - Test Lights Off in your AWS environment. Please
521 | [report bugs](https://github.com/sqlxpert/lights-off-aws/issues).
522 |
523 | - Test your backups! Are they finishing on-schedule? Can they be restored?
524 | [AWS Backup restore testing](https://docs.aws.amazon.com/aws-backup/latest/devguide/restore-testing.html)
525 | can help.
526 |
527 | - Be aware: of charges for AWS Lambda functions, SQS queues, CloudWatch Logs,
528 | KMS, backup storage, and early deletion from cold storage; of the minimum
529 | charge when you stop an EC2 instance or RDS database with a commercial
530 | license; of the resumption of charges when RDS or Aurora restarts a stopped
531 | database after 7 days; and of ongoing storage charges while EC2 instances
532 | and RDS/Aurora databases are stopped. Have we missed anything?
533 |
534 | ## Bonus: Delete and Recreate Expensive Resources on a Schedule
535 |
536 | Security details...
461 | 462 | ### Security Design Goals 463 | 464 | - Least-privilege roles for the AWS Lambda functions that find resources and 465 | do scheduled operations. The "Do" function is authorized to perform a small 466 | set of operations, and at that, only when a resource has the correct tag 467 | key. (AWS Backup creates backups, using a role that you can configure.) 468 | 469 | - A least-privilege queue policy. The operation queue can only consume 470 | messages from the "Find" function and produce messages for the "Do" function 471 | (or an error queue, if an operation fails). Encryption in transit is 472 | required. 473 | 474 | - Readable IAM policies, formatted as CloudFormation YAML rather than JSON, 475 | and broken down into discrete statements by service, resource or principal. 476 | 477 | - Optional encryption at rest with the AWS Key Management System (KMS), for 478 | queue message bodies (may contain resource identifiers) and for logs (may 479 | contain resource metadata). 480 | 481 | - No data storage other than in queues and logs, with short or configurable 482 | retention periods. 483 | 484 | - Tolerance for clock drift in a distributed system. The "Find" function 485 | starts 1 minute into the 10-minute cycle and operation queue entries expire 486 | 9 minutes in. 487 | 488 | - An optional CloudFormation service role for least-privilege deployment. 489 | 490 | ### Security Steps You Can Take 491 | 492 | - Only allow trusted people and services to tag AWS resources. You can 493 | deny the right to add, change and delete `sched-` tags by including the 494 | [aws:TagKeys condition key](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-tag-keys) 495 | in a permissions boundary. 496 | 497 | - Prevent people who can set the `sched-backup` tag from deleting backups. 498 | 499 | - Prevent people from modifying components, most of which can be identified by 500 | `LightsOff` in ARNs and in the automatic `aws:cloudformation:stack-name` 501 | tag. Limiting permissions so that the deployment role is _necessary_ for 502 | stack modifications is ideal. 503 | 504 | - Prevent people from directly invoking the AWS Lambda functions and from 505 | passing the function roles to arbitrary functions. 506 | 507 | - Log infrastructure changes using AWS CloudTrail, and set up alerts. 508 | 509 | - Automatically copy backups to an AWS Backup vault in an isolated account. 510 | 511 | - Separate production workloads. You might choose not to deploy Lights Off to 512 | AWS accounts used for production, or you might add a custom policy to the 513 | "Do" function's role, denying authority to stop production resources ( 514 | `AttachLocalPolicy` in CloudFormation). 515 | 516 |
537 |
571 |
572 | ## Extensibility
573 |
574 | Scheduled CloudFormation stack update details...
538 | 539 | Lights Off can delete and recreate many types of expensive AWS infrastructure 540 | in your own CloudFormation stacks, based on cron schedules in stack tags. 541 | 542 | Deleting AWS Client VPN resources overnight, while developers are asleep, is 543 | a sample use case. See 544 | [10-minute AWS Client VPN](https://github.com/sqlxpert/10-minute-aws-client-vpn#automatic-scheduling). 545 | 546 | To make your own CloudFormation template compatible, see 547 | [lights_off_aws_bonus_cloudformation_example.yaml](/cloudformation/lights_off_aws_bonus_cloudformation_example.yaml) 548 | . 549 | 550 | Not every resource needs to be deleted and recreated; condition the creation 551 | of _expensive_ resources on the `Enable` parameter. In the AWS Client VPN 552 | stack, the VPN endpoints and VPC security groups are not deleted, because they 553 | do not cost anything. The VPN attachments can be deleted and recreated with no 554 | need to reconfigure VPN clients. 555 | 556 | Set the `sched-set-Enable-true` and `sched-set-Enable-false` tags on 557 | your own CloudFormation stack and make sure that the 558 | `EnableSchedCloudFormationOps` parameter of the _LightsOff stack or StackSet_ 559 | is set to `true` (the default). At the scheduled times, Lights Off will 560 | perform a stack update, toggling the value of the `Enable` parameter to `true` 561 | or `false`. (Capitalize **E**nable in the tag keys, to match the parameter 562 | name.) 563 | 564 | If your stack's status is other than `CREATE_COMPLETE` or `UPDATE_COMPLETE` at 565 | the scheduled time, Lights Off logs an error of `"type"` 566 | `STACK_STATUS_IRREGULAR` in the "Find" [log](#logging) instead of attempting 567 | an update that is likely to fail and require a rollback. To resume scheduled 568 | stack updates, resolve the underlying template error or permissions error and 569 | successfully complete one manual stack update. 570 |
575 |
624 |
625 | ## Progress
626 |
627 | Paul wrote TagSchedOps, the first version of this tool, before Systems
628 | Manager, Data Lifecycle Manager or AWS Backup existed. The tool remains a
629 | simple alternative to
630 | [Systems Manager Automation runbooks for
631 | stopping EC2 instances](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-stopec2instance.html),
632 | etc. It is now integrated with AWS Backup, leveraging the security and
633 | management benefits (including backup retention lifecycle policies) but
634 | offering a simple alternative to
635 | [backup plans](https://docs.aws.amazon.com/aws-backup/latest/devguide/about-backup-plans.html).
636 |
637 | |Year|AWS Lambda Python Lines|Core CloudFormation YAML Lines|
638 | |:---:|:---:|:---:|
639 | |2017|≈ 775|≈ 2,140|
640 | |2022|630|800 ✓|
641 | |2025|610 ✓|980|
642 |
643 | ## Dedication
644 |
645 | This project is dedicated to ej, Marianne and Régis, Ivan, and to the
646 | wonderful colleagues whom Paul has worked with over the years. Thank you to
647 | Corey for sharing it with the AWS user community in _Last Week in AWS_
648 | newsletter issues
649 | [286 (October 3, 2022)](https://www.lastweekinaws.com/newsletter/amazon-file-cash/#h-tools)
650 | and
651 | 424 (May 27, 2025),
652 | and to Lee for suggesting the new name.
653 |
654 | ## Licenses
655 |
656 | |Scope|Link|Included Copy|
657 | |:---|:---:|:---:|
658 | |Source code files, and source code embedded in documentation files|[GNU General Public License (GPL) 3.0](http://www.gnu.org/licenses/gpl-3.0.html)|[LICENSE-CODE.md](/LICENSE-CODE.md)|
659 | |Documentation files (including this readme file)|[GNU Free Documentation License (FDL) 1.3](http://www.gnu.org/licenses/fdl-1.3.html)|[LICENSE-DOC.md](/LICENSE-DOC.md)|
660 |
661 | Copyright Paul Marcelin
662 |
663 | Contact: `marcelin` at `cmu.edu` (replace "at" with `@`)
664 |
--------------------------------------------------------------------------------
/cloudformation/.cfnlintrc.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # Start, stop and back up AWS resources tagged with cron schedules
3 | # github.com/sqlxpert/lights-off-aws/ GPLv3 Copyright Paul Marcelin
4 |
5 | ignore_checks:
6 | - W2510
7 | # W2510: Lambda Memory Size parameters should use MinValue, MaxValue or
8 | # AllowedValues: See comment about "underlying APIs"
9 |
--------------------------------------------------------------------------------
/cloudformation/.yamllint.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | # Start, stop and back up AWS resources tagged with cron schedules.
3 | # github.com/sqlxpert/lights-off-aws/ GPLv3 Copyright Paul Marcelin
4 |
5 | extends: default
6 |
7 | rules:
8 | braces:
9 | level: warning
10 | max-spaces-inside: 1 # AWS CloudFormation convention
11 | brackets:
12 | level: warning
13 | max-spaces-inside: 1 # AWS CloudFormation convention
14 | line-length:
15 | max: 79
16 | level: warning
17 | allow-non-breakable-words: true
18 | allow-non-breakable-inline-mappings: true
19 | # No suitable option for some unavoidably long lines, like ones containing
20 | # ARNs. Leave warning in place as a reminder for other cases.
21 |
--------------------------------------------------------------------------------
/cloudformation/lights_off_aws_bonus_cloudformation_example.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | AWSTemplateFormatVersion: "2010-09-09"
3 |
4 | Description: |-
5 | Demonstrates deleting and recreating AWS resources in your own
6 | CloudFormation stack, based on cron schedules in stack tags.
7 |
8 | github.com/sqlxpert/lights-off-aws/ GPLv3 Copyright Paul Marcelin
9 |
10 | # STEP 0 #####################################################################
11 | #
12 | # Note that CloudFormation "transforms" are not currently compatible. Search
13 | # for "transforms" in lights_off_aws.py .
14 | #
15 | # STEP 1 #####################################################################
16 | #
17 | # Define a service role that allows CloudFormation to create, tag, update,
18 | # untag, and delete ALL of the resources in your template. See
19 | # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html
20 | #
21 | # For this example template, create an IAM role in the AWS Console. Leave
22 | # Trusted entity type set to AWS service. From Service or use case, near the
23 | # bottom, select CloudFormation. On the next page, search for the
24 | # AmazonEC2FullAccess policy and check the box to the left of that policy.
25 | # It is not least-privilege, and is only suitable for testing.
26 | #
27 | # You MUST select your deployment role when you create a CloudFormation stack
28 | # from your template. Scroll to the Permissions section and set IAM role -
29 | # optional . Otherwise, stack updates triggered by Lights Off will fail.
30 | #
31 | # About resource tagging: CloudFormation needs permission to get/list, create,
32 | # update, and delete arbitrary resource tags, due to the automatic propagation
33 | # of stack tags. Because CloudFormation is regularly updated to propagate
34 | # stack tags to more resource types, provide tagging privileges for all of the
35 | # resource types in your template, even if CloudFormation doesn't yet
36 | # propagate stack tags to them.
37 | ##############################################################################
38 |
39 | Parameters:
40 |
41 | PlaceholderSuggestedStackName:
42 | Type: String
43 | Default: "LightsOffBonusCloudFormationExample"
44 |
45 | PlaceholderHelp:
46 | Type: String
47 | Default: "github.com/sqlxpert/lights-off-aws#bonus-delete-and-recreate-expensive-resources-on-a-schedule"
48 |
49 | PlaceholderTimeZoneConverter:
50 | Type: String
51 | Default: "www.timeanddate.com/worldclock/timezone/utc"
52 |
53 | PlaceholderSuggestedStackTags:
54 | Type: String
55 | Description: >-
56 | Copy this pair of on/off stack tags to get started. Update the times.
57 | Times must be in UTC. Minute values must be multiples of 10.
58 | Default: "sched-set-Enable-true : d=_ H:M=07:30 , sched-set-Enable-false : d=_ H:M=07:40"
59 |
60 | VpcId:
61 | Type: AWS::EC2::VPC::Id
62 | Description: >-
63 | Identifier of the Virtual Private Cloud in which the sample security
64 | groups will be created
65 |
66 | # STEP 2 ###################################################################
67 | #
68 | # Add this parameter to your template:
69 | Enable: # Do not change the parameter name or the capitalization!
70 | Type: String # No Boolean parameter type is available
71 | Description: >-
72 | Whether to create expensive resources. Lights Off will automatically
73 | update the stack, causing the resources to be created or deleted based
74 | on the schedules in the stack's "sched-set-Enable-true" and
75 | "sched-set-Enable-false" tags. See
76 | https://github.com/sqlxpert/lights-off-aws
77 | AllowedValues:
78 | - "false"
79 | - "true"
80 | Default: "false" # Start without the expensive resources
81 | ##########################################################################
82 |
83 | Metadata: # Optional section, for AWS Console users
84 |
85 | AWS::CloudFormation::Interface:
86 | ParameterGroups: # Orders parameters and groups them into sections
87 | - Label:
88 | default: For Reference
89 | Parameters:
90 | - PlaceholderSuggestedStackName
91 | - PlaceholderHelp
92 | - PlaceholderTimeZoneConverter
93 | - PlaceholderSuggestedStackTags
94 | - Label:
95 | default: Essential
96 | Parameters:
97 | - Enable
98 | - VpcId
99 | ParameterLabels:
100 | PlaceholderSuggestedStackName:
101 | default: Suggested stack name
102 | PlaceholderHelp:
103 | default: For help with this stack, see
104 | PlaceholderTimeZoneConverter:
105 | default: To convert local time to UTC, see
106 | PlaceholderSuggestedStackTags:
107 | default: Suggested stack tags
108 | Enable:
109 | default: Enabled?
110 | VpcId:
111 | default: VPC
112 |
113 | Conditions:
114 |
115 | # STEP 3 ###################################################################
116 | #
117 | # Review
118 | # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-section-structure.html
119 | # and add this condition to your template:
120 | EnableTrue:
121 | !Equals [!Ref Enable, "true"]
122 | ##########################################################################
123 |
124 | Resources:
125 |
126 | ConditionalSecGrp:
127 | Type: AWS::EC2::SecurityGroup
128 | # STEP 4 #################################################################
129 | #
130 | # Add this property to each conditionally-created resource. There is no
131 | # need to add it to free or low-cost resources.
132 | Condition: EnableTrue
133 | ##########################################################################
134 | Properties:
135 | GroupDescription:
136 | Fn::Sub: >-
137 | Demonstrates deletion and recreation of a resource (this security
138 | group) based on schedules in the
139 | sched-set-Enable-true/-false stack tags of ${AWS::StackName}
140 | Tags:
141 | - Key: Name
142 | Value: !Sub "${AWS::StackName}-ConditionalSecGrp"
143 | VpcId: !Ref VpcId
144 |
145 | SecGrpWithConditionalRule:
146 | Type: AWS::EC2::SecurityGroup
147 | Properties:
148 | GroupDescription:
149 | Fn::Sub: >-
150 | Demonstrates deletion and recreation of a resource property (a
151 | security group ingress rule) based on schedules in the
152 | sched-set-Enable-true/-false stack tags of ${AWS::StackName}
153 | Tags:
154 | - Key: Name
155 | Value: !Sub "${AWS::StackName}-SecGrpWithConditionalRule"
156 | VpcId: !Ref VpcId
157 | SecurityGroupIngress:
158 | - Description: Permanent rule
159 | IpProtocol: tcp
160 | FromPort: 53
161 | ToPort: 53
162 | CidrIp: 8.8.8.8/32
163 | # STEP 5 #############################################################
164 | #
165 | # If you need to conditionally set a resource property or
166 | # conditionally add or remove a list item, use:
167 | # Fn::If: [ EnableTrue, VALUE_IF_ENABLED, VALUE_IF_NOT_ENABLED ]
168 | #
169 | # If a resource property is to be omitted entirely when Enable is
170 | # false, specify !Ref AWS::NoValue for VALUE_IF_NOT_ENABLED .
171 | # See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html#cfn-pseudo-param-novalue
172 | - Fn::If:
173 | - EnableTrue
174 | - Description: Conditional rule
175 | IpProtocol: tcp
176 | FromPort: 53
177 | ToPort: 53
178 | SourceSecurityGroupId: !Ref ConditionalSecGrp
179 | - !Ref AWS::NoValue
180 | # STEP 6 #####################################################################
181 | #
182 | # Test your deployment role and your stack. Try a manual stack update in which
183 | # you change the Enable parameter from false to true, and anoter in which you
184 | # change it from true to false.
185 | #
186 | # STEP 7 #####################################################################
187 | #
188 | # Refer to
189 | # https://github.com/sqlxpert/lights-off-aws#tag-values-schedules .
190 | #
191 | # Make sure that the EnableSchedCloudFormationOps is set to "true" in your
192 | # main LightsOff CloudFormation stack or StackSet.
193 | #
194 | # Add schedule tags to your own stack:
195 | # - sched-set-Enable-true
196 | # - sched-set-Enable-false
197 | #
198 | # Wait for the scheduled times, then check the list of events for your own
199 | # CloudFormation stack. In the AWS Console, the Client request token column
200 | # shows operations ("sched-set-Enable-true" or "sched-set-Enable-false") and
201 | # scheduled times, in ISO 8601 basic form ("20250115T0730Z", for example).
202 | ##############################################################################
203 |
--------------------------------------------------------------------------------
/cloudformation/lights_off_aws_prereq.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | AWSTemplateFormatVersion: "2010-09-09"
3 |
4 | Description: |-
5 | CloudFormation service role to deploy
6 |
7 | github.com/sqlxpert/lights-off-aws/ GPLv3 Copyright Paul Marcelin
8 |
9 | Parameters:
10 |
11 | PlaceholderSuggestedStackName:
12 | Type: String
13 | Default: "LightsOffPrereq"
14 |
15 | PlaceholderHelp:
16 | Type: String
17 | Default: "github.com/sqlxpert/lights-off-aws#least-privilege-installation"
18 |
19 | PlaceholderAdvancedParameters:
20 | Type: String
21 | Default: ""
22 | AllowedValues:
23 | - ""
24 |
25 | StackNameLike:
26 | Type: String
27 | Description: >-
28 | When a stack is created using the deployment role, its name must match
29 | this StringLike/ArnLike pattern. Examples: "LightsOff" only allows a
30 | stack of that name; "LightsOff*" also allows stacks with names such as
31 | "LightsOff2" and "LightsOffTest"; and "StackSet-LightsOff-*" allows a
32 | StackSet named "LightsOff", whose StackSet instances receive names
33 | beginning "StackSet-LightsOff-". See
34 | https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
35 | Default: "LightsOff*"
36 |
37 | Metadata:
38 |
39 | AWS::CloudFormation::Interface:
40 | ParameterGroups:
41 | - Label:
42 | default: For Reference
43 | Parameters:
44 | - PlaceholderSuggestedStackName
45 | - PlaceholderHelp
46 | - Label:
47 | default: Advanced Options
48 | Parameters:
49 | - PlaceholderAdvancedParameters
50 | - Label:
51 | default: For stacks created using the deployment role...
52 | Parameters:
53 | - StackNameLike
54 | ParameterLabels:
55 | PlaceholderHelp:
56 | default: For help with this stack, see
57 | PlaceholderSuggestedStackName:
58 | default: Suggested stack name
59 | PlaceholderAdvancedParameters:
60 | default: Do not change parameters below, unless necessary!
61 | StackNameLike:
62 | default: Allowed stack name pattern
63 |
64 | Resources:
65 |
66 | DeploymentRole:
67 | Type: AWS::IAM::Role
68 | Properties:
69 | Description: >-
70 | Resources in Lights Off CloudFormation stack: create, update, delete
71 | AssumeRolePolicyDocument:
72 | Version: 2012-10-17
73 | Statement:
74 | - Effect: Allow
75 | Principal: { Service: cloudformation.amazonaws.com }
76 | Action: sts:AssumeRole
77 | # In-line policies apply only to this role, which, in turn, can only be
78 | # assumed by CloudFormation. Separate, "managed" policies could be
79 | # attached to other roles or users, allowing permission escalation.
80 | # Administrator should restrict iam:PassRole to prevent use of this role
81 | # with arbitrary CloudFormation stacks.
82 | Policies:
83 | - PolicyName: LightsOffCloudFormationStackDeploy
84 | PolicyDocument:
85 | Version: "2012-10-17"
86 | Statement:
87 |
88 | - Effect: Allow
89 | Action:
90 | - lambda:CreateFunction # Also iam:PassRole
91 | - lambda:GetFunction
92 | - lambda:DeleteFunction
93 | - lambda:UpdateFunctionCode
94 | - lambda:GetFunctionConfiguration
95 | - lambda:UpdateFunctionConfiguration
96 | - lambda:AddPermission
97 | - lambda:RemovePermission
98 | - lambda:PutFunctionConcurrency
99 | - lambda:DeleteFunctionConcurrency
100 | - lambda:TagResource
101 | - lambda:UntagResource
102 | Resource:
103 | - !Sub "arn:${AWS::Partition}:lambda:*:${AWS::AccountId}:function:${StackNameLike}-*"
104 | - Effect: Allow
105 | Action:
106 | - lambda:CreateEventSourceMapping
107 | - lambda:GetEventSourceMapping
108 | - lambda:UpdateEventSourceMapping
109 | - lambda:DeleteEventSourceMapping
110 | Resource: "*"
111 | Condition:
112 | ArnLikeIfExists:
113 | "lambda:FunctionArn":
114 | - !Sub "arn:${AWS::Partition}:lambda:*:${AWS::AccountId}:function:${StackNameLike}-*"
115 | - Effect: Allow
116 | Action:
117 | - lambda:TagResource
118 | - lambda:UntagResource
119 | Resource:
120 | - !Sub "arn:${AWS::Partition}:lambda:*:${AWS::AccountId}:event-source-mapping:*"
121 | - Effect: Allow
122 | Action:
123 | - lambda:ListTags
124 | Resource: "*"
125 |
126 | - Effect: Allow
127 | Action:
128 | - logs:CreateLogGroup
129 | - logs:DeleteLogGroup
130 | - logs:PutRetentionPolicy
131 | - logs:DeleteRetentionPolicy
132 | - logs:AssociateKmsKey
133 | - logs:DisassociateKmsKey
134 | - logs:TagLogGroup
135 | - logs:TagResource
136 | - logs:UntagLogGroup
137 | - logs:UntagResource
138 | Resource:
139 | - !Sub "arn:${AWS::Partition}:logs:*:${AWS::AccountId}:log-group:${StackNameLike}-*"
140 | - Effect: Allow
141 | Action:
142 | - logs:DescribeLogGroups
143 | - logs:ListTagsForResource
144 | Resource: "*"
145 |
146 | - Effect: Allow
147 | Action:
148 | - scheduler:CreateScheduleGroup
149 | - scheduler:DeleteScheduleGroup
150 | - scheduler:TagResource
151 | - scheduler:UntagResource
152 | Resource:
153 | - !Sub "arn:${AWS::Partition}:scheduler:*:${AWS::AccountId}:schedule-group/${StackNameLike}-*"
154 | - Effect: Allow
155 | Action:
156 | - scheduler:CreateSchedule # Also iam:PassRole
157 | - scheduler:UpdateSchedule # Also iam:PassRole
158 | - scheduler:DeleteSchedule
159 | # Possible future requirement:
160 | - scheduler:TagResource
161 | - scheduler:UntagResource
162 | Resource:
163 | # Compare CloudWatch Logs and EventBridge Scheduler.
164 | # Right-trimming the stream name from a LogStream ARN gives
165 | # the ARN of the parent LogGroup, but unfortunately,
166 | # right-trimming the schedule name from a schedule ARN does
167 | # not give the ARN of the parent ScheduleGroup.
168 | # arn:PARTITION:logs:REGION:ACCOUNT:log-group:GROUP_NAME:log-stream:STREAM_NAME
169 | # arn:PARTITION:scheduler:REGION:ACCOUNT:schedule-group/GROUP_NAME
170 | # arn:PARTITION:scheduler:REGION:ACCOUNT:schedule/GROUP_NAME/SCHED_NAME
171 | - !Sub "arn:${AWS::Partition}:scheduler:*:${AWS::AccountId}:schedule/${StackNameLike}-*/*"
172 | - Effect: Allow
173 | Action:
174 | - scheduler:ListScheduleGroups
175 | - scheduler:GetScheduleGroup
176 | - scheduler:ListSchedules
177 | - scheduler:GetSchedule
178 | - scheduler:ListTagsForResource
179 | Resource: "*"
180 |
181 | # Left so that existing users can maintain, and eventually,
182 | # delete, the old EventBridge rule (replaced by an EventBridge
183 | # schedule)
184 | - Effect: Allow
185 | Action:
186 | - events:PutRule
187 | - events:DescribeRule
188 | - events:EnableRule
189 | - events:DisableRule
190 | - events:DeleteRule
191 | - events:PutTargets
192 | - events:ListTargetsByRule
193 | - events:RemoveTargets
194 | - events:TagResource
195 | - events:UntagResource
196 | Resource:
197 | - !Sub "arn:${AWS::Partition}:events:*:${AWS::AccountId}:rule/${StackNameLike}-*"
198 | - Effect: Allow
199 | Action:
200 | - events:ListTagsForResource
201 | Resource: "*"
202 |
203 | - Effect: Allow
204 | Action:
205 | - sqs:CreateQueue
206 | - sqs:SetQueueAttributes
207 | - sqs:GetQueueAttributes
208 | - sqs:GetQueueUrl
209 | - sqs:ListDeadLetterSourceQueues
210 | - sqs:DeleteQueue
211 | - sqs:AddPermission
212 | - sqs:RemovePermission
213 | - sqs:TagQueue
214 | - sqs:UntagQueue
215 | Resource:
216 | - !Sub "arn:${AWS::Partition}:sqs:*:${AWS::AccountId}:${StackNameLike}-*"
217 | - Effect: Allow
218 | Action:
219 | - sqs:ListQueues
220 | - sqs:ListQueueTags
221 | Resource: "*"
222 |
223 | - Effect: Allow
224 | Action: iam:PassRole
225 | Resource:
226 | - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${StackNameLike}-*"
227 | Condition:
228 | StringEquals:
229 | "iam:PassedToService":
230 | - lambda.amazonaws.com
231 | - scheduler.amazonaws.com
232 | ArnLike:
233 | "iam:AssociatedResourceArn":
234 | - !Sub "arn:${AWS::Partition}:lambda:*:${AWS::AccountId}:function:${StackNameLike}-*"
235 | - !Sub "arn:${AWS::Partition}:scheduler:*:${AWS::AccountId}:schedule/${StackNameLike}-*/${StackNameLike}-*"
236 | - Effect: Allow
237 | Action:
238 | - iam:CreateRole
239 | - iam:UpdateRoleDescription
240 | - iam:GetRole
241 | - iam:DeleteRole
242 | - iam:UpdateAssumeRolePolicy
243 | - iam:ListRolePolicies
244 | - iam:GetRolePolicy
245 | - iam:AttachRolePolicy
246 | - iam:DetachRolePolicy
247 | - iam:PutRolePolicy
248 | - iam:DeleteRolePolicy
249 | - iam:ListEntitiesForPolicy
250 | - iam:TagRole
251 | - iam:UntagRole
252 | Resource:
253 | - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${StackNameLike}-*"
254 | - Effect: Allow
255 | Action:
256 | - iam:ListRoles
257 | - iam:ListRoleTags
258 | - iam:ListAttachedRolePolicies
259 | Resource: "*"
260 |
261 | - Effect: Allow
262 | Action:
263 | - kms:ListKeys
264 | - kms:ListAliases
265 | - kms:ListResourceTags
266 | - kms:DescribeKey
267 | Resource: "*"
268 |
269 | SampleDeploymentRolePassRolePol:
270 | Type: "AWS::IAM::ManagedPolicy"
271 | Properties:
272 | Description:
273 | Fn::Sub: >-
274 | ${DeploymentRole}: pass to CloudFormation. Demonstrates a privilege
275 | that non-adminstrators need before they can create a Lights Off
276 | CloudFormation stack using the deployment role.
277 | PolicyDocument:
278 | Version: "2012-10-17"
279 | Statement:
280 | - Effect: Allow
281 | Action: "iam:PassRole"
282 | Resource: !GetAtt DeploymentRole.Arn
283 |
--------------------------------------------------------------------------------
/lights_off_aws.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | """Start, stop and back up AWS resources tagged with cron schedules
3 |
4 | github.com/sqlxpert/lights-off-aws GPLv3 Copyright Paul Marcelin
5 | """
6 |
7 | import os
8 | import logging
9 | import datetime
10 | import re
11 | import json
12 | import botocore
13 | import boto3
14 |
15 | logger = logging.getLogger()
16 | # Skip "credentials in environment" INFO message, unavoidable in AWS Lambda:
17 | logging.getLogger("botocore").setLevel(logging.WARNING)
18 |
19 |
20 | def environ_int(environ_var_name):
21 | """Take name of an environment variable, return its integer value
22 | """
23 | return int(os.environ[environ_var_name])
24 |
25 |
26 | SCHED_DELIMS = r"\ +" # Exposed space must be escaped for re.VERBOSE
27 | SCHED_TERMS = rf"([^ ]+{SCHED_DELIMS})*" # Unescaped space inside char class
28 | SCHED_REGEXP_STRFTIME_FMT = rf"""
29 | (^|{SCHED_DELIMS})
30 | (
31 | # Specific monthly or weekly day and time, or...
32 | (dTH:M=%d|uTH:M=%u)T%H:%M
33 | |
34 | # Day wildcard, specific day, or specific weekday, any other terms, and...
35 | (d=(_|%d)|u=%u){SCHED_DELIMS}{SCHED_TERMS}
36 | (
37 | # Specific daily time, or...
38 | H:M=%H:%M
39 | |
40 | # Hour wildcard or specific hour, any other terms, and specific minute.
41 | H=(_|%H){SCHED_DELIMS}{SCHED_TERMS}M=%M
42 | )
43 | )
44 | ({SCHED_DELIMS}|$)
45 | """
46 |
47 | QUEUE_URL = os.environ["QUEUE_URL"]
48 | QUEUE_MSG_BYTES_MAX = environ_int("QUEUE_MSG_BYTES_MAX")
49 | QUEUE_MSG_FMT_VERSION = "01"
50 |
51 | ARN_DELIM = ":"
52 | BACKUP_ROLE_ARN = os.environ["BACKUP_ROLE_ARN"]
53 | ARN_PARTS = BACKUP_ROLE_ARN.split(ARN_DELIM)
54 | # arn:partition:service:region:account-id:resource-type/resource-id
55 | # [0] [1] [2] [3] [4] [5]
56 | # https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime
57 | ARN_PARTS[3] = os.environ.get("AWS_REGION", os.environ["AWS_DEFAULT_REGION"])
58 |
59 |
60 | # 1. Helpers #################################################################
61 |
62 |
63 | def log(entry_type, entry_value, log_level=logging.INFO):
64 | """Take type and value, and emit a JSON-format log entry
65 | """
66 | entry_value_out = json.loads(json.dumps(entry_value, default=str))
67 | # Avoids "Object of type datetime is not JSON serializable" in
68 | # https://github.com/aws/aws-lambda-python-runtime-interface-client/blob/9efb462/awslambdaric/lambda_runtime_log_utils.py#L109-L135
69 | #
70 | # The JSON encoder in the AWS Lambda Python runtime isn't configured to
71 | # serialize datatime values in responses returned by AWS's own Python SDK!
72 | #
73 | # Alternative considered:
74 | # https://docs.powertools.aws.dev/lambda/python/latest/core/logger/
75 |
76 | logger.log(
77 | log_level, "", extra={"type": entry_type, "value": entry_value_out}
78 | )
79 |
80 |
81 | def sqs_send_message_log(
82 | cycle_start_str, send_kwargs, result, result_type, log_level
83 | ):
84 | """Log scheduled start (on error), send_message kwargs, and outcome
85 | """
86 | if log_level > logging.INFO:
87 | log("START", cycle_start_str, log_level)
88 | log("KWARGS_SQS_SEND_MESSAGE", send_kwargs, log_level)
89 | log(result_type, result, log_level)
90 |
91 |
92 | def op_log(event, op_msg, result, result_type, log_level):
93 | """Log Lambda event (on error), SQS message (operation), and outcome
94 | """
95 | if log_level > logging.INFO:
96 | log("LAMBDA_EVENT", event, log_level)
97 | log("SQS_MESSAGE", op_msg, log_level)
98 | log(result_type, result, log_level)
99 |
100 |
101 | def assess_op_msg(op_msg):
102 | """Take an operation queue message, return error message, type, retry flag
103 | """
104 | result = None
105 | result_type = ""
106 | retry = True
107 |
108 | if msg_attr_str_decode(op_msg, "version") != QUEUE_MSG_FMT_VERSION:
109 | result = "Unrecognized operation queue message format"
110 | result_type = "WRONG_QUEUE_MSG_FMT"
111 | retry = False
112 |
113 | elif (
114 | int(msg_attr_str_decode(op_msg, "expires"))
115 | < int(datetime.datetime.now(datetime.timezone.utc).timestamp())
116 | ):
117 | result = (
118 | "Schedule fewer operations per 10-minute cycle or "
119 | "increase DoLambdaFnMaximumConcurrency in CloudFormation"
120 | )
121 | result_type = "EXPIRED_OP"
122 | retry = False
123 |
124 | return (result, result_type, retry)
125 |
126 |
127 | def assess_op_except(svc, op_method_name, misc_except):
128 | """Take an operation and an exception, return retry flag and log level
129 |
130 | botocore.exceptions.ClientError is general but statically-defined, making
131 | comparison easier, in a multi-service context, than for service-specific but
132 | dynamically-defined exceptions like
133 | boto3.Client("rds").exceptions.InvalidDBClusterStateFault and
134 | boto3.Client("rds").exceptions.InvalidDBInstanceStateFault
135 |
136 | https://boto3.amazonaws.com/v1/documentation/api/latest/guide/error-handling.html#parsing-error-responses-and-catching-exceptions-from-aws-services
137 | """
138 | retry = True
139 | log_level = logging.ERROR
140 |
141 | if isinstance(misc_except, botocore.exceptions.ClientError):
142 | verb = op_method_name.split("_")[0]
143 | err_dict = getattr(misc_except, "response", {}).get("Error", {})
144 | err_msg = err_dict.get("Message")
145 |
146 | match (svc, err_dict.get("Code")):
147 |
148 | case ("cloudformation", "ValidationError") if (
149 | "No updates are to be performed." == err_msg
150 | ):
151 | retry = False
152 | log_level = logging.INFO
153 | # Idempotent update_stack (after a recent external update)
154 |
155 | case ("rds", "InvalidDBClusterStateFault") if (
156 | ((verb == "start") and "is in available" in err_msg)
157 | or f"is in {verb}" in err_msg
158 | ):
159 | retry = False
160 | log_level = logging.INFO
161 | # Idempotent
162 | # start_db_cluster "in available[ state]" or "in start[ing state]" or
163 | # stop__db_cluster "in stop[ped state]" or "in stop[ping state]"
164 |
165 | case ("rds", "InvalidDBInstanceState"): # Fault suffix is missing here!
166 | retry = False
167 | # Can't decide between idempotent start_db_instance / stop_db_instance
168 | # (common) or truly erroneous state (rare), because message does not
169 | # mention current, invalid state. Log as potential error, but do not
170 | # retry (avoids a duplicate error queue entry).
171 |
172 | return (retry, log_level)
173 |
174 |
175 | def tag_key_join(tag_key_words):
176 | """Take a tuple of strings, add a prefix, join, and return a tag key
177 | """
178 | return "-".join(("sched", ) + tag_key_words)
179 |
180 |
181 | def cycle_start_end(datetime_in, cycle_minutes=10, cutoff_minutes=9):
182 | """Take a datetime, return 10-minute floor and ceiling less 1 minute
183 | """
184 | cycle_minutes_int = int(cycle_minutes)
185 | cycle_start = datetime_in.replace(
186 | minute=(datetime_in.minute // cycle_minutes_int) * cycle_minutes_int,
187 | second=0,
188 | microsecond=0,
189 | )
190 | cycle_cutoff = cycle_start + datetime.timedelta(minutes=cutoff_minutes)
191 | return (cycle_start, cycle_cutoff)
192 |
193 |
194 | def msg_attrs_str_encode(attr_pairs):
195 | """Take list of string name, value pairs, return SQS MessageAttributes dict
196 | """
197 | return {
198 | attr_name: {"DataType": "String", "StringValue": attr_value}
199 | for (attr_name, attr_value) in attr_pairs
200 | }
201 |
202 |
203 | def msg_attr_str_decode(msg, attr_name):
204 | """Take an SQS message, return value of a string attribute (must be present)
205 | """
206 | return msg["messageAttributes"][attr_name]["stringValue"]
207 |
208 |
209 | svc_clients = {}
210 |
211 |
212 | def svc_client_get(svc):
213 | """Take an AWS service, return a boto3 client, creating it if needed
214 |
215 | boto3 method references can only be resolved at run-time, against an
216 | instance of an AWS service's Client class.
217 | http://boto3.readthedocs.io/en/latest/guide/events.html#extensibility-guide
218 |
219 | Alternatives considered:
220 | https://github.com/boto/boto3/issues/3197#issue-1175578228
221 | https://github.com/aws-samples/boto-session-manager-project
222 | """
223 | if svc not in svc_clients:
224 | svc_clients[svc] = boto3.client(
225 | svc, config=botocore.config.Config(retries={"mode": "standard"})
226 | )
227 | return svc_clients[svc]
228 |
229 |
230 | # 2. Custom Classes ##########################################################
231 |
232 | # See rsrc_types_init() for usage examples.
233 |
234 |
235 | class AWSRsrcType(): # pylint: disable=too-many-instance-attributes
236 | """AWS resource type, with identification properties and various operations
237 | """
238 | members = {}
239 |
240 | # pylint: disable=too-many-arguments,too-many-positional-arguments
241 | def __init__(
242 | self,
243 | svc,
244 | rsrc_type_words,
245 | ops_dict,
246 | rsrc_id_key_suffix="Id",
247 | arn_key_suffix="Arn",
248 | tags_key="Tags",
249 | status_filter_pair=()
250 | ):
251 | self.svc = svc
252 | self.name_in_methods = "_".join(rsrc_type_words).lower()
253 |
254 | self.name_in_keys = "".join(rsrc_type_words)
255 | self.rsrc_id_key = f"{self.name_in_keys}{rsrc_id_key_suffix}"
256 | if arn_key_suffix:
257 | self.arn_prefix = ""
258 | self.arn_key = f"{self.name_in_keys}{arn_key_suffix}"
259 | else:
260 | self.arn_prefix = ARN_DELIM.join(
261 | ARN_PARTS[0:2] + [svc] + ARN_PARTS[3:5] + [f"{self.name_in_methods}/"]
262 | )
263 | self.arn_key = self.rsrc_id_key
264 | self.tags_key = tags_key
265 |
266 | self.ops = {}
267 | for (op_tag_key_words, op_properties) in ops_dict.items():
268 | op = AWSOp.new(self, op_tag_key_words, **op_properties)
269 | self.ops[op.tag_key] = op
270 |
271 | self.describe_kwargs = {}
272 | if status_filter_pair:
273 | self.describe_kwargs["Filters"] = [
274 | {"Name": filter_name, "Values": list(filter_values)}
275 | for (filter_name, filter_values)
276 | in [status_filter_pair, ("tag-key", self.ops_tag_keys)]
277 | ]
278 |
279 | self.__class__.members[(svc, self.name_in_keys)] = self # Register me!
280 |
281 | def __str__(self):
282 | return " ".join([self.__class__.__name__, self.svc, self.name_in_keys])
283 |
284 | @property
285 | def ops_tag_keys(self):
286 | """Return tag keys for all operations on this resource type
287 | """
288 | return self.ops.keys()
289 |
290 | def rsrc_id(self, rsrc):
291 | """Take 1 describe_ result, return the resource ID
292 | """
293 | return rsrc[self.rsrc_id_key]
294 |
295 | def arn(self, rsrc):
296 | """Take 1 describe_ result, return the ARN
297 | """
298 | return f"{self.arn_prefix}{rsrc[self.arn_key]}"
299 |
300 | def get_describe_pages(self):
301 | """Return an iterator over pages of boto3 describe_ responses
302 | """
303 | return svc_client_get(self.svc).get_paginator(
304 | f"describe_{self.name_in_methods}s"
305 | ).paginate(**self.describe_kwargs)
306 |
307 | def get_rsrcs(self):
308 | """Return an iterator over individual boto3 describe_ items
309 | """
310 | return (
311 | rsrc
312 | for page in self.get_describe_pages()
313 | for rsrc in page.get(f"{self.name_in_keys}s", [])
314 | )
315 |
316 | def rsrc_tags_list(self, rsrc):
317 | """Take 1 describe_ result, return raw resource tags
318 | """
319 | return rsrc.get(self.tags_key, []) # Key may be missing if no tags
320 |
321 | def op_tags_match(self, rsrc, sched_regexp):
322 | """Scan 1 resource's tags to find operations scheduled for current cycle
323 | """
324 | ops_tag_keys = self.ops_tag_keys
325 | op_tags_matched = []
326 | for tag_dict in self.rsrc_tags_list(rsrc):
327 | tag_key = tag_dict["Key"]
328 | if tag_key in ops_tag_keys and sched_regexp.search(tag_dict["Value"]):
329 | op_tags_matched.append(tag_key)
330 | return op_tags_matched
331 |
332 | def rsrcs_find(self, sched_regexp, cycle_start_str, cycle_cutoff_epoch_str):
333 | """Find resources to operate on, and send details to queue
334 | """
335 | for rsrc in self.get_rsrcs():
336 | op_tags_matched = self.op_tags_match(rsrc, sched_regexp)
337 | op_tags_matched_count = len(op_tags_matched)
338 |
339 | if op_tags_matched_count == 1:
340 | op = self.ops[op_tags_matched[0]]
341 | op.msg_send_to_queue(rsrc, cycle_start_str, cycle_cutoff_epoch_str)
342 | elif op_tags_matched_count > 1:
343 | log("START", cycle_start_str, logging.ERROR)
344 | log(
345 | "MULTIPLE_OPS",
346 | {"arn": self.arn(rsrc), "tag_keys": op_tags_matched},
347 | logging.ERROR
348 | )
349 |
350 |
351 | class AWSRsrcTypeEc2Inst(AWSRsrcType):
352 | """EC2 instance
353 | """
354 | def get_rsrcs(self):
355 | return (
356 | instance
357 | for page in self.get_describe_pages()
358 | for reservation in page.get("Reservations", [])
359 | for instance in reservation.get("Instances", [])
360 | )
361 |
362 |
363 | class AWSOp():
364 | """Operation on 1 AWS resource
365 | """
366 | def __init__(self, rsrc_type, tag_key_words, **kwargs):
367 | self.tag_key = tag_key_join(tag_key_words)
368 | self.svc = rsrc_type.svc
369 | self.rsrc_id = rsrc_type.rsrc_id
370 | verb = kwargs.get("verb", tag_key_words[0]) # Default: 1st word
371 | self.method_name = f"{verb}_{rsrc_type.name_in_methods}"
372 | self.kwarg_rsrc_id_key = rsrc_type.rsrc_id_key
373 | self.kwargs_add = kwargs.get("kwargs_add", {})
374 |
375 | @staticmethod
376 | def new(rsrc_type, tag_key_words, **kwargs):
377 | """Create an op of the requested, appropriate, or default (sub)class
378 | """
379 | if "class" in kwargs:
380 | op_class = kwargs["class"]
381 | elif tag_key_words == ("backup", ):
382 | op_class = AWSOpBackUp
383 | else:
384 | op_class = AWSOp
385 | return op_class(rsrc_type, tag_key_words, **kwargs)
386 |
387 | def kwarg_rsrc_id(self, rsrc):
388 | """Transfer resource ID from a describe_ result to another method's kwarg
389 | """
390 | return {self.kwarg_rsrc_id_key: self.rsrc_id(rsrc)}
391 |
392 | def op_kwargs(self, rsrc, cycle_start_str): # pylint: disable=unused-argument
393 | """Take a describe_ result, return another method's kwargs
394 | """
395 | op_kwargs_out = self.kwarg_rsrc_id(rsrc)
396 | op_kwargs_out.update(self.kwargs_add)
397 | return op_kwargs_out
398 |
399 | def msg_send_to_queue(self, rsrc, cycle_start_str, cycle_cutoff_epoch_str):
400 | """Send 1 operation message to the SQS queue
401 | """
402 | op_kwargs = self.op_kwargs(rsrc, cycle_start_str)
403 | if op_kwargs:
404 | send_kwargs = {
405 | "QueueUrl": QUEUE_URL,
406 | "MessageAttributes": msg_attrs_str_encode((
407 | ("version", QUEUE_MSG_FMT_VERSION),
408 | ("expires", cycle_cutoff_epoch_str),
409 | ("start", cycle_start_str),
410 | ("svc", self.svc),
411 | ("op_method_name", self.method_name),
412 | )),
413 | "MessageBody": op_kwargs,
414 | # Raw only for logging in case of an exception during JSON encoding
415 | }
416 |
417 | result = None
418 | result_type = ""
419 |
420 | log_level = logging.ERROR
421 |
422 | try:
423 | msg_body = json.dumps(op_kwargs)
424 | send_kwargs.update({"MessageBody": msg_body, })
425 |
426 | if QUEUE_MSG_BYTES_MAX < len(bytes(msg_body, "utf-8")):
427 | result = "Increase QueueMessageBytesMax in CloudFormation"
428 | result_type = "QUEUE_MSG_TOO_LONG"
429 |
430 | else:
431 | result = svc_client_get("sqs").send_message(**send_kwargs)
432 | result_type = "AWS_RESPONSE"
433 | log_level = logging.INFO
434 |
435 | except Exception as misc_except: # pylint: disable=broad-exception-caught
436 | result = misc_except
437 | result_type = "EXCEPTION"
438 |
439 | sqs_send_message_log(
440 | cycle_start_str, send_kwargs, result, result_type, log_level
441 | )
442 |
443 | def __str__(self):
444 | return " ".join([
445 | self.__class__.__name__, self.tag_key, self.svc, self.method_name
446 | ])
447 |
448 |
449 | class AWSOpMultipleRsrcs(AWSOp):
450 | """Operation on multiple AWS resources of the same type
451 | """
452 | def __init__(self, rsrc_type, tag_key_words, **kwargs):
453 | super().__init__(rsrc_type, tag_key_words, **kwargs)
454 | self.method_name = self.method_name + "s"
455 |
456 | def kwarg_rsrc_id(self, rsrc):
457 | """Transfer resource ID from a describe_ result to a singleton list kwarg
458 |
459 | One at a time for consistency and to avoid partial completion risk
460 | """
461 | return {f"{self.kwarg_rsrc_id_key}s": [self.rsrc_id(rsrc)]}
462 |
463 |
464 | class AWSOpUpdateStack(AWSOp):
465 | """CloudFormation stack update operation
466 | """
467 | def __init__(self, rsrc_type, tag_key_words, **kwargs):
468 | super().__init__(rsrc_type, tag_key_words, verb="update", **kwargs)
469 |
470 | # Use of final template instead of original makes this incompatible with
471 | # CloudFormation "transforms". describe_stacks does not return templates.
472 | self.kwargs_add.update({
473 | "UsePreviousTemplate": True,
474 | "RetainExceptOnCreate": True,
475 | })
476 |
477 | # Use previous parameter values, except for:
478 | # Param Value
479 | # Key Out
480 | # tag_key sched-set-Enable-true
481 | # tag_key sched-set-Enable-false
482 | # tag_key_words [-2] [-1]
483 | self.changing_param_key = tag_key_words[-2]
484 | self.changing_param_value_out = tag_key_words[-1]
485 |
486 | def op_kwargs(self, rsrc, cycle_start_str):
487 | """Take 1 describe_stacks result, return update_stack kwargs
488 |
489 | An empty dict indicates that no stack update is needed.
490 | """
491 | op_kwargs_out = {}
492 | params_out = []
493 |
494 | if rsrc.get("StackStatus") in (
495 | "UPDATE_COMPLETE",
496 | "CREATE_COMPLETE",
497 | ):
498 | for param in rsrc.get("Parameters", []):
499 | param_key = param["ParameterKey"]
500 | param_out = {
501 | "ParameterKey": param_key,
502 | "UsePreviousValue": True,
503 | }
504 |
505 | if param_key == self.changing_param_key:
506 | if param.get("ParameterValue") == self.changing_param_value_out:
507 | break
508 |
509 | # One time, if changing_param is present and not already up-to-date
510 | param_out.update({
511 | "UsePreviousValue": False,
512 | "ParameterValue": self.changing_param_value_out,
513 | })
514 | op_kwargs_out = super().op_kwargs(rsrc, cycle_start_str)
515 | op_kwargs_out.update({
516 | "ClientRequestToken": f"{self.tag_key}-{cycle_start_str}",
517 | "Parameters": params_out, # Continue updating dict in-place
518 | })
519 | capabilities = rsrc.get("Capabilities")
520 | if capabilities:
521 | op_kwargs_out["Capabilities"] = capabilities
522 |
523 | params_out.append(param_out)
524 |
525 | else:
526 | log(
527 | "STACK_STATUS_IRREGULAR",
528 | "Fix manually until UPDATE_COMPLETE",
529 | logging.ERROR
530 | )
531 | log("AWS_RESPONSE_PART", rsrc, logging.ERROR)
532 |
533 | return op_kwargs_out
534 |
535 |
536 | class AWSOpBackUp(AWSOp):
537 | """On-demand AWS Backup operation
538 | """
539 | backup_kwargs_add = None
540 | lifecycle_base = None
541 |
542 | @classmethod
543 | def backup_kwargs_add_init(cls):
544 | """Populate start_backup_job kwargs and base lifecycle, if not yet done
545 | """
546 | if not cls.backup_kwargs_add:
547 | cls.backup_kwargs_add = {
548 | "IamRoleArn": BACKUP_ROLE_ARN,
549 | "BackupVaultName": os.environ["BACKUP_VAULT_NAME"],
550 | "StartWindowMinutes": environ_int("BACKUP_START_WINDOW_MINUTES"),
551 | "CompleteWindowMinutes": environ_int(
552 | "BACKUP_COMPLETE_WINDOW_MINUTES"
553 | ),
554 | }
555 |
556 | cls.lifecycle_base = {}
557 | cold_storage_after_days = environ_int("BACKUP_COLD_STORAGE_AFTER_DAYS")
558 | if cold_storage_after_days > 0:
559 | cls.lifecycle_base.update({
560 | "OptInToArchiveForSupportedResources": True,
561 | "MoveToColdStorageAfterDays": cold_storage_after_days,
562 | })
563 | delete_after_days = environ_int("BACKUP_DELETE_AFTER_DAYS")
564 | if delete_after_days > 0:
565 | cls.lifecycle_base["DeleteAfterDays"] = delete_after_days # pylint: disable=unsupported-assignment-operation
566 |
567 | def __init__(self, rsrc_type, tag_key_words, **kwargs):
568 | super().__init__(rsrc_type, tag_key_words, **kwargs)
569 | self.rsrc_id = rsrc_type.arn
570 | self.svc = "backup"
571 | self.method_name = "start_backup_job"
572 | self.kwarg_rsrc_id_key = "ResourceArn"
573 | self.__class__.backup_kwargs_add_init()
574 | self.kwargs_add.update(self.__class__.backup_kwargs_add)
575 |
576 | def op_kwargs(self, rsrc, cycle_start_str):
577 | """Take a describe_ result, return start_backup_job kwargs
578 | """
579 | op_kwargs_out = super().op_kwargs(rsrc, cycle_start_str)
580 | op_kwargs_out.update({
581 | "IdempotencyToken": f"{cycle_start_str},{self.rsrc_id(rsrc)}",
582 | # As of May, 2025, AWS Backup treats calls to back up different
583 | # resources as identical so long as IdempotencyToken matches! This is
584 | # contrary to the documentation ("otherwise identical calls"). To assure
585 | # uniqueness, combine scheduled start time, ARN.
586 | # https://docs.aws.amazon.com/aws-backup/latest/devguide/API_StartBackupJob.html#Backup-StartBackupJob-request-IdempotencyToken
587 |
588 | "RecoveryPointTags": {tag_key_join(("time", )): cycle_start_str},
589 | })
590 | lifecycle = dict(self.lifecycle_base) # Updatable copy (future need)
591 | if lifecycle:
592 | op_kwargs_out["Lifecycle"] = lifecycle
593 | return op_kwargs_out
594 |
595 |
596 | # 3. Data-Driven Specifications ##############################################
597 |
598 |
599 | def rsrc_types_init():
600 | """Create AWS resource type objects when needed, if not already done
601 | """
602 |
603 | if not AWSRsrcType.members:
604 | AWSRsrcTypeEc2Inst(
605 | "ec2",
606 | ("Instance", ),
607 | {
608 | ("start", ): {"class": AWSOpMultipleRsrcs},
609 | ("stop", ): {"class": AWSOpMultipleRsrcs},
610 | ("hibernate", ): {
611 | "class": AWSOpMultipleRsrcs,
612 | "verb": "stop",
613 | "kwargs_add": {"Hibernate": True},
614 | },
615 | ("backup", ): {},
616 | },
617 | arn_key_suffix=None,
618 | status_filter_pair=(
619 | "instance-state-name", ("running", "stopping", "stopped")
620 | )
621 | )
622 |
623 | AWSRsrcType(
624 | "ec2",
625 | ("Volume", ),
626 | {("backup", ): {}},
627 | arn_key_suffix=None,
628 | status_filter_pair=("status", ("available", "in-use")),
629 | )
630 |
631 | AWSRsrcType(
632 | "rds",
633 | ("DB", "Instance"),
634 | {
635 | ("start", ): {},
636 | ("stop", ): {},
637 | ("backup", ): {},
638 | },
639 | rsrc_id_key_suffix="Identifier",
640 | tags_key="TagList",
641 | )
642 |
643 | AWSRsrcType(
644 | "rds",
645 | ("DB", "Cluster"),
646 | {
647 | ("start", ): {},
648 | ("stop", ): {},
649 | ("backup", ): {},
650 | },
651 | rsrc_id_key_suffix="Identifier",
652 | tags_key="TagList",
653 | )
654 |
655 | if "ENABLE_SCHED_CLOUDFORMATION_OPS" in os.environ:
656 | AWSRsrcType(
657 | "cloudformation",
658 | ("Stack", ),
659 | {
660 | ("set", "Enable", "true"): {"class": AWSOpUpdateStack},
661 | ("set", "Enable", "false"): {"class": AWSOpUpdateStack},
662 | },
663 | rsrc_id_key_suffix="Name",
664 | arn_key_suffix="Id",
665 | )
666 |
667 |
668 | # 4. Find Resources Lambda Function Handler ##################################
669 |
670 |
671 | def lambda_handler_find(event, context): # pylint: disable=unused-argument
672 | """Find and queue AWS resources for scheduled operations, based on tags
673 | """
674 | log("LAMBDA_EVENT", event)
675 | (cycle_start, cycle_cutoff) = cycle_start_end(
676 | datetime.datetime.now(datetime.timezone.utc)
677 | )
678 |
679 | # ISO 8601 basic, no puctuation (downstream requirement)
680 | cycle_start_str = cycle_start.strftime("%Y%m%dT%H%MZ")
681 |
682 | cycle_cutoff_epoch_str = str(int(cycle_cutoff.timestamp()))
683 | sched_regexp = re.compile(
684 | cycle_start.strftime(SCHED_REGEXP_STRFTIME_FMT), re.VERBOSE
685 | )
686 | log("START", cycle_start_str)
687 | log("SCHED_REGEXP_VERBOSE", sched_regexp.pattern, logging.DEBUG)
688 | rsrc_types_init()
689 | for rsrc_type in AWSRsrcType.members.values():
690 | try:
691 | rsrc_type.rsrcs_find(
692 | sched_regexp, cycle_start_str, cycle_cutoff_epoch_str
693 | )
694 | except Exception as misc_except: # pylint: disable=broad-exception-caught
695 | log("EXCEPTION", misc_except, logging.ERROR)
696 | # Allow continue to next describe_ call (likely that permissions differ)
697 |
698 | # 5. "Do" Operations Lambda Function Handler #################################
699 |
700 |
701 | def lambda_handler_do(event, context): # pylint: disable=unused-argument
702 | """Perform a queued operation on an AWS resource
703 | """
704 | batch_item_failures = []
705 |
706 | for op_msg in event.get("Records", []):
707 | sqs_msg_id = ""
708 |
709 | result = None
710 | result_type = ""
711 | retry = True
712 |
713 | log_level = logging.ERROR
714 |
715 | try:
716 | sqs_msg_id = op_msg["messageId"]
717 | (result, result_type, retry) = assess_op_msg(op_msg)
718 | if not result_type:
719 | svc = msg_attr_str_decode(op_msg, "svc")
720 | op_method_name = msg_attr_str_decode(op_msg, "op_method_name")
721 | op_kwargs = json.loads(op_msg["body"])
722 | op_method = getattr(svc_client_get(svc), op_method_name)
723 | result = op_method(**op_kwargs)
724 | result_type = "AWS_RESPONSE"
725 | retry = False
726 | log_level = logging.INFO
727 |
728 | except Exception as misc_except: # pylint: disable=broad-exception-caught
729 | result = misc_except
730 | result_type = "EXCEPTION"
731 | (retry, log_level) = assess_op_except(svc, op_method_name, misc_except)
732 |
733 | op_log(event, op_msg, result, result_type, log_level)
734 |
735 | if retry and sqs_msg_id:
736 | batch_item_failures.append({"itemIdentifier": sqs_msg_id, })
737 |
738 | # https://repost.aws/knowledge-center/lambda-sqs-report-batch-item-failures
739 | return {"batchItemFailures": batch_item_failures, }
740 |
--------------------------------------------------------------------------------
/media/lights-off-aws-architecture-and-flow-thumb.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sqlxpert/lights-off-aws/024e4eb448b9c0595316a4a0d6f48032ec6bcfb1/media/lights-off-aws-architecture-and-flow-thumb.png
--------------------------------------------------------------------------------
/media/lights-off-aws-architecture-and-flow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sqlxpert/lights-off-aws/024e4eb448b9c0595316a4a0d6f48032ec6bcfb1/media/lights-off-aws-architecture-and-flow.png
--------------------------------------------------------------------------------
/pylintrc:
--------------------------------------------------------------------------------
1 | # Start, stop and back up AWS resources tagged with cron schedules
2 | # github.com/sqlxpert/lights-off-aws/ GPLv3 Copyright Paul Marcelin
3 |
4 | [MAIN]
5 |
6 | load-plugins=pylint.extensions.no_self_use
7 |
8 | [MESSAGES CONTROL]
9 |
10 | disable=fixme,locally-disabled
11 |
12 | [REPORTS]
13 |
14 | reports=no
15 |
16 | [VARIABLES]
17 |
18 | max-locals=25
19 |
20 | [BASIC]
21 |
22 | argument-rgx=[a-z_][a-z0-9_]{1,30}$
23 | variable-rgx=[a-z_][a-z0-9_]{1,30}$
24 |
25 | [FORMAT]
26 |
27 | indent-string=" "
28 | indent-after-paren=2
29 | max-line-length=80
30 |
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | # Start, stop and back up AWS resources tagged with cron schedules
2 | # github.com/sqlxpert/lights-off-aws/ GPLv3 Copyright Paul Marcelin
3 |
4 | boto3
5 | botocore
6 |
--------------------------------------------------------------------------------
/setup.cfg:
--------------------------------------------------------------------------------
1 | # Start, stop and back up AWS resources tagged with cron schedules
2 | # github.com/sqlxpert/lights-off-aws/ GPLv3 Copyright Paul Marcelin
3 |
4 | [pycodestyle]
5 | ignore = E111, E121, E122, E131, E114, E251, E501, W503
6 | # E501: Let pylint, which allows temporary, inline disabling, check line length
7 | # max-line-length = 80
8 | # E122, E251: These checks interfere with readable formatting of blocks of
9 | # argparse option help text
10 | # E131 forces hanging indents
11 |
--------------------------------------------------------------------------------