This is an open source project published by The Scale Factory.
We currently consider this project to be archived.
This is a script to maintain Route53 resource record sets and health checks according to the addresses of server instances in Autoscaling Groups.
Usage: sf-r53-update [options]
    -c, --config file    Path to YAML config file (default /etc/sf-r53-update.yaml)
    -d, --debug          Log debug messages
    -n, --noop           Don't make any real changes
This script will attempt to use a machine's IAM role to identify itself to the AWS APIs, and this is the recommended method of operation.
Absent an IAM role, it will fall back to looking up the credentials in the environment. Use the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_REGION variables.
The IAM role will need the following permissions, though you can constrain the Resource match for additional security if required.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeInstances",
        "route53:DeleteHealthCheck",
        "route53:ChangeTagsForResource",
        "route53:CreateHealthCheck",
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets",
        "route53:ListHostedZonesByName",
        "route53:ListTagsForResource",
        "route53:ListHealthChecks"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}
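One way to see where the Resource match can be constrained, as an added Ruby example that is not part of this project: it reports which of the policy's actions are still allowed on `*` although they accept a resource ARN, and builds a tightened policy for comparison. The helper name and the hosted zone ID `Z_EXAMPLE_ZONE_ID` are placeholders, and the split into scopable and wildcard-only actions follows AWS's service authorization reference, so check it against the current version.

```ruby
require 'json'

# Actions from the README policy that accept a resource ARN, with the
# Route 53 resource type each can be limited to.
SCOPABLE = {
  'route53:ChangeResourceRecordSets' => 'hostedzone',
  'route53:ListResourceRecordSets'   => 'hostedzone',
  'route53:DeleteHealthCheck'        => 'healthcheck',
  'route53:ChangeTagsForResource'    => 'healthcheck',
  'route53:ListTagsForResource'      => 'healthcheck'
}.freeze

# The remaining actions in that policy only work with Resource "*".
UNSCOPABLE = %w[ec2:DescribeInstances route53:CreateHealthCheck
                route53:ListHostedZonesByName route53:ListHealthChecks].freeze

# Hypothetical helper: scopable actions a policy still allows on Resource "*".
# Action patterns such as "route53:*" are expanded the way IAM matches them.
def wildcard_scopable_actions(policy_json)
  JSON.parse(policy_json).fetch('Statement').flat_map do |stmt|
    next [] unless stmt['Effect'] == 'Allow' && Array(stmt['Resource']).include?('*')
    SCOPABLE.keys.select do |action|
      Array(stmt['Action']).any? { |pat| File.fnmatch(pat, action, File::FNM_CASEFOLD) }
    end
  end.uniq.sort
end

# The README's policy: every action on "*".
README_POLICY = JSON.generate(
  'Version' => '2012-10-17',
  'Statement' => [{ 'Effect' => 'Allow', 'Resource' => ['*'],
                    'Action' => UNSCOPABLE + SCOPABLE.keys }]
)

# Constructed tightened policy. Z_EXAMPLE_ZONE_ID is a placeholder; health
# check IDs are not known in advance because the script creates them.
SCOPED_POLICY = JSON.generate(
  'Version' => '2012-10-17',
  'Statement' => [
    { 'Effect' => 'Allow', 'Resource' => '*', 'Action' => UNSCOPABLE },
    { 'Effect' => 'Allow', 'Action' => SCOPABLE.select { |_, t| t == 'hostedzone' }.keys,
      'Resource' => 'arn:aws:route53:::hostedzone/Z_EXAMPLE_ZONE_ID' },
    { 'Effect' => 'Allow', 'Action' => SCOPABLE.select { |_, t| t == 'healthcheck' }.keys,
      'Resource' => 'arn:aws:route53:::healthcheck/*' }
  ]
)

puts wildcard_scopable_actions(README_POLICY) # actions worth scoping
puts JSON.pretty_generate(JSON.parse(SCOPED_POLICY))
```

With the tightened policy, record set changes are confined to the one hosted zone, and tag changes apply to health checks only rather than to any taggable Route 53 resource.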
The configuration should be in YAML format:
---
instance_asg_name: example_asg
instance_address_property: public_ip_address
hosted_zone: example.com.
record_set: '*.example.com'
health_check_tag: example_health_check
startup_delay_random: 60
health_check_config:
  :port: 80
  :type: TCP
  :request_interval: 10
  :failure_threshold: 3
This configuration will cause the script to work in the following way:
- Wait between 0 and 60 seconds (optional; avoids "thundering herd" effects)
- Enumerate all hosts in the example_asg autoscaling group.
- Obtain their public IP address
- Create health checks following the health_check_config settings for each IP (if these don't exist), tagging them with example_health_check.
- Create record sets of *.example.com for each address, associated with the appropriate healthcheck.
- Remove any record sets or healthchecks that don't match the list of instances.
Health checks without a matching tag won't be touched.
The 'health_check_config' hash is passed as-is to the create_health_check call documented at http://docs.aws.amazon.com/sdkforruby/api/Aws/Route53/Client.html#create_health_check-instance_method and can therefore support HTTP, TCP and HTTPS checks.
If the resource record set for an IP already exists, its healthcheck ID won't be updated.
If the script is run simultaneously for a given configuration, for example from cron with an identical schedule on two EC2 instances, the results can be unpredictable. If running the script from cron on multiple instances, stagger the cron schedule so script invocations do not overlap.