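#!/bin/bash
#
# EC2 user-data bootstrap for a one-shot Cloud Custodian / c7n-org run.
#
# Flow: configure proxy -> install custodian 0.8.28.0 -> pull policies and the
# c7n-org config from S3 -> merge the policy files -> cache instance-profile
# credentials in ~/.aws -> run c7n-org -> upload logs -> scale the ASG to 0.
#
# Required edits before use: ASGName, RESOURCE_BUCKET, http_proxy.
# Runs as root (user-data); every path below is absolute for that reason.
set -euo pipefail

ASGName='YOUR_CUSTODIAN_AUTOSCALING_GROUP_NAME'
RESOURCE_BUCKET='S3_BUCKET_CONTAINING_YOUR_POLICIES_AND_CONFIG'
readonly ASGName RESOURCE_BUCKET

# Metadata endpoint; must bypass the proxy or IMDS calls (and the CLI's
# instance-profile lookup) fail.
readonly IMDS='169.254.169.254'

die() { printf '%s\n' "$*" >&2; exit 1; }

## Sets up proxy for instance run
export no_proxy="$IMDS"
export http_proxy='http://PROXYADDRESSHERE.com:9090'
export https_proxy="$http_proxy"
export NO_PROXY="$no_proxy"
export HTTP_PROXY="$http_proxy"
export HTTPS_PROXY="$http_proxy"
export AWS_DEFAULT_REGION='us-east-1'

## Install updates, git, dos2unix, clone down custodian repo and install custodian and c7n-org tool
yum update -y
yum install -y git dos2unix
cd /root || die 'cannot cd to /root'
# Pinned tag so the run is reproducible; bump deliberately.
git clone -b 0.8.28.0 https://github.com/capitalone/cloud-custodian
cd cloud-custodian || die 'clone did not produce cloud-custodian/'
make install
# shellcheck disable=SC1091 -- virtualenv created by 'make install'
source bin/activate
cd tools/c7n_org || die 'missing tools/c7n_org'
python setup.py develop

# -p: idempotent if the instance is re-bootstrapped from the same AMI.
mkdir -p /opt/c7n_org_policies/regional
mkdir -p /opt/c7n_org_logs/regional

## Download all of the cloud custodian policies from S3
aws s3 sync "s3://${RESOURCE_BUCKET}/policies/regional-poll/"   /opt/c7n_org_policies/regional/
aws s3 sync "s3://${RESOURCE_BUCKET}/policies/regional-lambda/" /opt/c7n_org_policies/regional/
cd /opt/c7n_org_policies/regional/ || die 'policy directory missing'
shopt -s nullglob
policy_files=(*.yaml)
shopt -u nullglob
(( ${#policy_files[@]} > 0 )) || die "no *.yaml policies were synced from ${RESOURCE_BUCKET}"
dos2unix -- "${policy_files[@]}"

## Pipe all individual policy files into 1 large policy file.
# mktemp instead of a fixed /tmp name: this runs as root and /tmp is shared.
policy_file=$(mktemp /tmp/allregional.XXXXXX) || die 'mktemp failed'
merged_tmp=$(mktemp /tmp/allregional.XXXXXX) || die 'mktemp failed'
trap 'rm -f -- "$merged_tmp"' EXIT
cat -- "${policy_files[@]}" > "$policy_file"
## Remove each file's own top-level 'policies:' key so the concatenation is one list.
# Anchored to line start so a 'policies:' string inside a policy body is left alone.
sed -i -e 's/^policies://' -- "$policy_file"
## Add the 'policies:' bit back to the top of the file
{ echo 'policies:'; cat -- "$policy_file"; } > "$merged_tmp"
mv -f -- "$merged_tmp" "$policy_file"
trap - EXIT

## Download the c7n-org config file
aws s3 cp "s3://${RESOURCE_BUCKET}/C7n-Org-Config.yaml" /root/C7n-Org-Config.yaml

## Get credentials from the instance profile and save them to the AWS creds file. This allows for c7n-org to run much faster as it doesn't have to query the local metadata server for every policy.
# NOTE: the cached session token expires (see the 'Expiration' field IMDS
# returns); a run longer than the token lifetime will start failing mid-way.
creds_file="/root/.aws/credentials"

# IMDSv2 session token; falls back to IMDSv1 (no header) when the PUT is refused.
imds_hdr=()
if imds_token=$(curl -sf --noproxy "$IMDS" -X PUT "http://${IMDS}/latest/api/token" \
    -H 'X-aws-ec2-metadata-token-ttl-seconds: 300'); then
  imds_hdr=(-H "X-aws-ec2-metadata-token: ${imds_token}")
fi

# imds GET <path>: fetch a metadata path, failing the script on a non-2xx reply.
imds() {
  curl -sf --noproxy "$IMDS" "${imds_hdr[@]}" -- "http://${IMDS}/latest/meta-data/$1"
}

instance_profile=$(imds 'iam/security-credentials/') || die 'no instance profile attached'
creds_json=$(imds "iam/security-credentials/${instance_profile}") || die 'cannot read role credentials'
# Parse the JSON properly instead of grep/cut; python is on PATH (venv active).
json_field() {
  python -c 'import json,sys; print(json.load(sys.stdin)[sys.argv[1]])' "$1"
}
aws_access_key_id=$(json_field AccessKeyId <<<"$creds_json")
aws_secret_access_key=$(json_field SecretAccessKey <<<"$creds_json")
aws_session_token=$(json_field Token <<<"$creds_json")
# Values go through argv to the CLI only; keep 'set -x' off around here.
aws configure set aws_access_key_id "$aws_access_key_id"
aws configure set aws_secret_access_key "$aws_secret_access_key"
aws configure set aws_session_token "$aws_session_token"
[[ -f "$creds_file" ]] && chmod 600 -- "$creds_file"
unset aws_access_key_id aws_secret_access_key aws_session_token creds_json

## Counts the number of accounts in the c7n-org config file and upload a file to S3 with the count. This lets us know the custodian run has started and how many accounts it's running against
# Approximation: counts every line containing 'name', not only account entries
# -- presumably one per account in this config; verify against the file layout.
NumberOfAccounts="$(grep -c 'name' /root/C7n-Org-Config.yaml || true)"
touch "/root/start-${NumberOfAccounts}.txt"
aws s3 cp "/root/start-${NumberOfAccounts}.txt" "s3://${RESOURCE_BUCKET}/Logs/start-${NumberOfAccounts}.txt"

## Execute c7n-org against all accounts
# '|| true' keeps the log upload and ASG shutdown running even if some
# account/policy fails; the per-account results live in the uploaded logs.
c7n-org run -c /root/C7n-Org-Config.yaml -u "$policy_file" -s /opt/org-log --metrics \
  --region us-east-1 --region eu-west-1 || true

## Uploads log files to S3. You can also send logs directly to S3 from the custodian command if you wanted to
aws s3 sync /opt/org-log/ "s3://${RESOURCE_BUCKET}/Logs/regional/"

## Creates a blank file called end.txt and uploads to S3. This lets us know that it's finished
touch /opt/end.txt
aws s3 cp /opt/end.txt "s3://${RESOURCE_BUCKET}/Logs/end.txt"

## Set the Autoscaling Group to 0 instances which effectively turns this instance off
aws autoscaling update-auto-scaling-group --region us-east-1 \
  --auto-scaling-group-name "$ASGName" --min-size 0 --max-size 0 --desired-capacity 0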