How can I tag a root volume from an instance created by AWS CloudFormation?

Last updated: 2019-11-15

How can I tag the root volume of my Amazon Elastic Compute Cloud (Amazon EC2) instances that are created through AWS CloudFormation?

Short Description

The tag property of the Amazon EC2 instance resource doesn't extend to the volumes that are created through AWS CloudFormation. Tagging can restrict the control that you have over your instances. This helps you manage the costs of specific resources, restrict AWS Identity and Access Management (IAM) policies, and exert similar control over other resources.

Bootstrapping with AWS CloudFormation allows you to tag the Amazon Elastic Block Store (Amazon EBS) root volume of your instance. The bootstrapping method is done through the UserData property of the AWS::EC2::Instance resource. To perform bootstrapping, use AWS Command Line Interface (AWS CLI) commands or standard PowerShell commands after creating your instance.

Resolution

Create an instance with an AWS CloudFormation template

1.    Open the AWS CloudFormation console.

2.    Choose Create Stack, and then choose Design template.

3.    In the code editor, on the Parameters tab, choose Template.

4.    For Choose template language, choose YAML.

5.    Copy the sample template that's appropriate for your operating system, and then paste it into the code editor.

6.    In the UserData section of the template, update --tags Key=Name,Value=newAMI to match your business requirements for a Linux instance. For a Windows instance, update $tag.key="MyRootTag" and $tag.value="MyRootVolumesValue".

See the following example of the UserData section of a template for Linux and Windows:

    #Linux UserData

    UserData: 
      Fn::Base64: !Sub |
          AWS_AVAIL_ZONE=$(curl http://169.254.169.254/latest/meta-data/placement/availability-zone)
          AWS_REGION="`echo \"$AWS_AVAIL_ZONE\" | sed 's/[a-z]$//'`"
          AWS_INSTANCE_ID=$(curl http://169.254.169.254/latest/meta-data/instance-id)
          ROOT_VOLUME_IDS=$(aws ec2 describe-instances --region $AWS_REGION --instance-id $AWS_INSTANCE_ID --output text --query Reservations[0].Instances[0].BlockDeviceMappings[0].Ebs.VolumeId)
          aws ec2 create-tags --resources $ROOT_VOLUME_IDS --region $AWS_REGION --tags Key=MyRootTag,Value=MyRootVolumesValue
          
      #Windows UserData with standard Powershell commands (no AWS CLI installed)
      
      UserData: 
        Fn::Base64: !Sub |
          <powershell>
            $AWS_AVAIL_ZONE=(curl http://169.254.169.254/latest/meta-data/placement/availability-zone).Content
            $AWS_REGION=$AWS_AVAIL_ZONE.Substring(0,$AWS_AVAIL_ZONE.length-1)
            $AWS_INSTANCE_ID=(curl http://169.254.169.254/latest/meta-data/instance-id).Content
            $ROOT_VOLUME_IDS=((Get-EC2Instance -Region $AWS_REGION -InstanceId $AWS_INSTANCE_ID).Instances.BlockDeviceMappings | where-object DeviceName -match '/dev/sda1').Ebs.VolumeId
            $tag = New-Object Amazon.EC2.Model.Tag
            $tag.key = "MyRootTag"
            $tag.value = "MyRootVolumesValue"
            New-EC2Tag -Resource $ROOT_VOLUME_IDS -Region $AWS_REGION -Tag $tag
          </powershell>

Note: For UserData to use the AWS CLI commands, you must install the AWS CLI within the Amazon Machine Image (AMI) of your EC2 instances. The AWS CLI is installed by default on all Amazon Linux AMIs. You must also attach an instance profile to your EC2 instances. The instance profile includes the permissions to call the ec2:DescribeInstances and ec2:CreateTags APIs. For an example of an instance profile with these permissions, refer to line 103 in this sample AWS CloudFormation template from step 5.

7.    Choose the Create stack icon.

8.    For Stack name, enter a name for your stack.

9.    In the Parameters section, enter the appropriate information based on the needs of your environment, including your instance type, EC2 key pair, and AMI.

10.    Choose Next.

11.    In the Options section, enter the appropriate information for your stack, and then choose Next.

12.    To enable the AWS CloudFormation stack to create an IAM resource, select the "I acknowledge that AWS CloudFormation might create IAM resources" check box.

13.    Choose Create.

Tag the root volume of the instance

1.    Open the Amazon EC2 console.

2.    In the navigation pane, in the Elastic Block Store section, choose Volumes.

3.    In the Filter bar, enter the tag that you set in the AWS CloudFormation stack to confirm that the volume has been tagged.


Did this article help you?

Anything we could improve?


Need more help?