Automatically apply Name tags to instances in an ASG based on their custom tags.

Names that appear in the AWS console beside EC2 instances are set by creating a special tag Name. When members of an ASG start, they are not given any names, so often what happens is that instance is allowed to name itself inside of user data. However, if user data fails for any reason, the instance will never name itself and it can be difficult to find the instance's purpose in the AWS console.

The issue with an instance naming itself is that the instance profile (and underlying IAM role) provides the instance with the ec2:CreateTags permission, which cannot have a scoped Resource declaration. This violates least privilege and provides the instance with the ability to create (and overwrite) tags on any instance in the same AWS account.

This project creates a CloudWatch Event rule that watches for AutoScaling events, specifically the successful launch of new EC2 instances, and names them based on their tags. Thus, only the Lambda function that backs the CloudWatch Event rule has the abiility to name EC2 instances, and only in a specific format.

The resources created under this CloudFormation template will cost either very little or nothing. The only element that costs anything is the Lambda function, and Amazon has a generous free tier that should cover just about everyone's use case for this tool, making it free to run.

The instances are named based on the following convention:

<project>-<environment>-<instance_id>

The tags project and environment must be available on the instance and given a non-empty string value. The instance_id is already known by the auto-scaling group during launch, so you do not need to provide it.

The instance_id is stripped of its i- prefix, leaving only the unique ID.

The resulting name is then limited to 255 characters, as that is the limit of tag values.

An example of this is, using a project donny and environment staging is:

donny-staging-029d0202d1a

• Ansible (optional, but useful)

• Amazon Web Services account

• Permissions to create AWS resources:

  Specifically: CloudFormation, CloudWatch Events, Lambda, IAM roles

The stack must be launched in any region where auto-scaling groups are used and you want to name its members. However, CloudWatch Event rules may not be available in every region, so the following Ansible playbook ensures that the stack is launched only in the regions where all AWS services are supported.

$ ansible-playbook -i localhost.inventory -e 'stack_env=production' create-stack.yml

tl;dr MIT license.

Please read LICENSE to view the license for this project.