Automatically mount NVME volumes in AWS EC2 on Windows with Cloudformation and Powershell Userdata

Introduction


This post explains how I go about with AWS Cloudformation and Powershell userdata scripts.

  • attaching EBS volumes to Windows EC2 instances
  • identifying them in the OS
  • initializing them
  • formatting them
  • and assigning labels and drive letters.

Prerequisites

You should know something about Cloudformation and Powershell.
The AWS Image you use for your EC2 instance should be one provided by AWS and should have the following utility already deployed to C:\ProgramData\Amazon\Tools\ebsnvme-id.exe

AWS Cloudformation Step

I typically do not declare EBS Volumes together with the EC2 Instance declaration in Cloudformation but prefer to declare them as separate resources along with their own ebs attachment resources.  Here is an example EC2 instance with three additional volume declarations on top of the root volume which is automatically mounted on C:\ 
 WindowsServerInstance:
    Type: AWS::EC2::Instance
    Properties:
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 65
            Encrypted: true
            VolumeType: gp3
      ImageId: !Ref WindowsImageId
      KeyName: !Ref WindowsKeyPairName
      InstanceType: !WindowsServerInstanceType
      CreditSpecification:
        CPUCredits: standard
      IamInstanceProfile: !Ref WindowsServerInstanceProfile
      SecurityGroupIds:
        - !Ref ManagementSecurityGroup
        - !Ref ApplicationSecurityGroup
      SubnetId: !Ref WindowsServerSubnetId
      Tags:
        - Key: Name
          Value: WindowsServerInstance
      UserData:
        Fn::Base64: |
          <powershell>
            mkdir C:\setup
            Read-S3Object -BucketName example-bucket -Key /userdata/windows_bootstrap.ps1 -File C:\setup\bootstrap.ps1
            . C:\setup\bootstrap.ps1
          </powershell>

  DataVolume:
    Type: AWS::EC2::Volume
    Properties:
      Size: 100
      VolumeType: gp3
      Encrypted: true
      AvailabilityZone: !GetAtt WindowsServerInstance.AvailabilityZone
      Tags:
        - Key: Name
          Value: DataVolume
  DataVolumeAttachment:
    Type: AWS::EC2::VolumeAttachment
    Properties:
      InstanceId: !Ref WindowsServerInstance
      VolumeId: !Ref DataVolume
      Device: /dev/sdb

  BackupVolume:
    Type: AWS::EC2::Volume
    Properties:
      Size: 100
      VolumeType: gp3
      Encrypted: true
      AvailabilityZone: !GetAtt WindowsServerInstance.AvailabilityZone
      Tags:
        - Key: Name
          Value: BackupVolume
  BackupVolumeAttachment:
    Type: AWS::EC2::VolumeAttachment
    Properties:
      InstanceId: !Ref WindowsServerInstance
      VolumeId: !Ref BackupVolume
      Device: /dev/sdc

  ScriptsVolume:
    Type: AWS::EC2::Volume
    Properties:
      Size: 5
      VolumeType: gp3
      Encrypted: true
      AvailabilityZone: !GetAtt WindowsServerInstance.AvailabilityZone
      Tags:
        - Key: Name
          Value: ScriptsVolume
  ScriptsVolumeAttachment:
    Condition: DeployB2BResources
    Type: AWS::EC2::VolumeAttachment
    Properties:
      InstanceId: !Ref WindowsServerInstance
      VolumeId: !Ref ScriptsVolume
      Device: /dev/sdd

When this template builds, a windows instance will be available with 3 additional and un-initialized volumes attached.

The userdata property is configured to pull down a powershell script from S3 as permitted by the WindowsServerInstanceProfile.  I've not bothered to explain how all that works.  I assume if you are reading this, you already know how to allow an EC2 Instance access to objects in S3 via Instance Profiles and Policies.

Userdata Script

The userdata script below, declares a function and calls the function once for each of the volume attachments. 
### Function to format a disk based on the disk number, label and drive letter.
function setup_disk {
	param (
		$DiskNumber,
		$Label,
		$DriveLetter
	)
	Initialize-Disk "$DiskNumber" -PartitionStyle MBR
	New-Partition -DiskNumber "$DiskNumber" -DriveLetter "$DriveLetter" -UseMaximumSize
	Format-Volume -DriveLetter "$DriveLetter" -FileSystem NTFS -NewFileSystemLabel "$Label" -Confirm:$false
}

# Create a hashtable of disk numbers and block device mappings
$hash = $null
$hash = @{}

get-disk | where partitionstyle -eq 'raw' | where-object IsSystem -eq $False| select Number | foreach-Object {
  $num = $_.Number
  $blk = (c:\ProgramData\Amazon\Tools\ebsnvme-id.exe $num | Select-String -Pattern 'Device Name: .*$'| ConvertFrom-String -Delimiter ':' | Select P2).P2
  $blk = $blk -replace '^......'

  $hash.add($blk, $num)
}

# Set up each of the volume attachments
setup_disk $hash.sdb "Data" "D"
setup_disk $hash.sdc "Backup" "E"
setup_disk $hash.sdd "Scripts" "I"

Explanation


The get-disk command returns a list of all the disks attached to the system.   We can use the get-disk command to iterate through each attached disk that is not a system disk (exclude C:\) and then call the AWS Provided ebsnvme-id.exe tool to find out which device name it has and add it to a hashmap called $hash.  This just maps Disk Number to Volume Attachment Device Name.  Unfortunately Windows does not always enumerate disks in the same order so we have to build this map correctly.  As a general rule it is never a good idea to rely on the order of things in computers.

Seeing as though our Cloudformation VolumeAttachment resources declare these device names, we have the mapping we need to proceed.  
PS C:\setup> $hash

Name                           Value
----                           -----
sdb                            2
sdc                            1
sdd                            3


Finally, our little script, calls the setup_disk function with the value of the hash for each volume we want and the parameters for Label and Drive Letter.
Location: Auckland, New Zealand

Comments

Post a Comment

Popular posts from this blog

Python + inotify = Pyinotify [ how to watch folders for file activity ]

Sometimes it just might be handy to be able to watch a folder on a hard disk for changes. For example: A client app might drop small files on a shared folder. A server app might be watching the folder for just such an event. Once the file is created, the server will kick into action and perform whatever tasks are required. This all comes from my CD burning application. I am currently thinking that the client apps will drop small xml files containing information about what to burn onto a folder the webserver has access to and the cdburner service will be watching... The linux kernel provides inotify. This from wikipedia : notify is a Linux kernel subsystem that provides file system event notification. It was written by John McCutchan with help from Robert Love and later Amy Griffis to replace dnotify . It was included in the mainline kernel from release 2.6.13 (2005-06-18), and could be compiled into 2.6.12 and possibly earlier releases by use of a patch . Its function is essen...
Read more

Extending the AD Schema on Samba4 - Part 1

Image
My last post on Samba4 showed how easy it is to install and configure an AD Service on Linux.  If you've not read it then please have a look. ( http://david-latham.blogspot.co.nz/2012/12/samba4-ga-release-virtualbox-lab.html ) This post show's how to extend the Samba4 Active Directory Schema.  Specifically for YubiKey integration. YubiKey's can be purchased for a relativlely low price from Yubico.  Please visit their website (www.yubico.com) for more information. LDAP Integration is very well covered by Michal Ludvig on his website and github.  ( http://www.logix.cz/michal/devel/yubikey-ldap/ ) In fact we are planning to leverage his implementation at our work and are considering donating towards what's obviously a very good cause. Now seeing as though LDAP and AD are so similar and exhibit many of the same APIs, I began to wonder how this might fit in with Samba4.  Eventually we might end up using Samba4 for our domain and so I needed to figure out if ...
Read more

Extending the AD Schema on Samba4 - Part 2

Importing LDIF files into Samba4 and Active Directory This is part 2 of the Extending AD Schema on Samba4 series.  The examples below are tested using the Samba4 LAB I created.  If you want more information on how that works then please read  http://david-latham.blogspot.co.nz/2012/12/samba4-ga-release-virtualbox-lab.html For part one, please read http://david-latham.blogspot.co.nz/2012/12/extending-ad-schema-on-samba4.html Unfortunately the format of an ldif file for creating new attributes and classes in the Schema Configuration are differ between Samba4 and Microsoft. The tools are slightly different too.  So this article will attempt to make it all clear. Find all the latest versions of code on this post at  https://github.com/linuxplayground/yubikey-ldap/tree/master/microsoft-schema Samba4 - ldbadd & ldbmodify As far as I can tell the only way to create a new class with a custom attribute in Samba4 (on the Linux command line) is first add ...
Read more