¶ Description
In an effort to keep compute costs low and benefit from the elasticity provided by the cloud, we have instituted a function that runs to shut down VMs after operating hours. Machines will be scanned every hour and will be shutdown or will start up depending on the timeframe. Operating hours are defined as 06:00 EST - 23:00 EST. All machines tagged with Schedule:ncr-office-hours will be affected. This tag will be forced via policy and users can remove it to opt-out.
¶ Implementation
The solution in place uses a modified version of the AWS Instance Scheduler. The main scheduler is deployed to the Operations Account as a CloudFormation Template. A stackset is also deployed in the Management account that pushes a role to use for the startup and shutdown in all Experimental, NonSensitive and Sensitive accounts. Only EC2 instances are being shutdown at this time. The original solution was modified to allow access to the ASEA EBS key as you cannot shutdown VMs with an encrypted volume unless you have kms:CreateGrant. This is done with an IaM policy attached to the roles used by the scheduler rather than update the ASEA key directly.
¶ Post Deployment
Each new account will have a role deployed through the stackset. You must grab the output of the stack to get the role name and then add it to the scheduler stack in the operation account through an update as a parameter.
