There are times when you want to be notified when a FSx for ONTAP file system, or one of its volumes, is reaching its capacity. AWS CloudWatch has metrics that can give you this information. The only problem is that they are on a per instance basis. This means as you add and delete file systems and/or volumes, you have to add and delete alarms. This can be tedious, and error prone. This script will automate the creation of AWS CloudWatch alarms that monitor the utilization of the file system and its volumes. It will also create alarms to monitor the CPU utilization of the file system. And if a volume or file system is removed, it will remove the associated alarms.
To implement this, you might think to just create EventBridge rules that trigger on the creation or deletion of an FSx Volume. This would kind of work, but since you have command line access to the FSx for ONTAP file system, you can create and delete volumes without generating any CloudTrail events. So, depending on CloudTrail events would not be reliable. Therefore, instead of relying on those events, this script will scan all the file systems and volumes in all the regions then create and delete alarms as needed.
The preferred way to run this script is as a Lambda function. That is because it is very inexpensive to run without having
to maintain any compute resources. You can use an EventBridge Schedule
to run it on a regular basis to
ensure that all the CloudWatch alarms are kept up to date. Since there are several steps involved in setting up a Lambda function,
a CloudFormation template is included in the repo, named cloudlformation.yaml
, that will do the following steps for you:
- Create a role that will allow the Lambda function to:
- List AWS regions. This is so it can get a list of all the regions, so it can know which regions to scan for FSx for ONTAP file systems and volumes.
- List the FSx for ONTAP file systems.
- List the FSx volumes.
- List the CloudWatch alarms.
- List tags for the resources. This is so you can customize the thresholds for the alarms on a per instance basis. More on that below.
- Create CloudWatch alarms.
- Delete CloudWatch alarms that it has created (based on alarm names).
- Create a Lambda function with the Python program.
- Create an EventBridge schedule that will run the Lambda function on a user defined basis.
- Create a role that will allow the EventBridge schedule to trigger the Lambda function.
To use the CloudFormation template perform the following steps:
- Download the
cloudformation.yaml
file from this repo. - Go to the
CloudFormation
services page in the AWS console and selectCreate Stack -> With new resources (standard)
. - Select
Choose an existing template
andUpload a template file
. - Click
Choose file
and select thecloudformation.yaml
file you downloaded in step 1. - Click
Next
and fill in the parameters presented on the next page. The parameters are:Stack name
- The name of the CloudFormation stack. Note this name is also used as a base name for some of the resources that are created, to make them unique, so you must keep this string under 25 characters, so the resource names don't exceed their name length limit.SNStopic
- The SNS Topic name where CloudWatch will send alerts to. Note that since CloudWatch can't send messages to an SNS topic residing in a different region, it is assumed that the SNS topic, with the same name, will exist in all the regions where alarms are to be created.accountId
- The AWS account ID associated with the SNS topic. This is only used to compute the ARN to the SNS Topic set above.customerId
- This is optional. If provided the string entered is included in the description of every alarm created.defaultCPUThreshold
- This will define a default CPU utilization threshold. You can override the default by having a specific tag associated with the file system (see below for more information).defaultSSDThreshold
- This will define a default SSD (aggregate) utilization threshold. You can override the default by having a specific tag associated with the file system (see below for more information).defaultVolumeThreshold
- This will define the default Volume utilization threshold. You can override the default by having a specific tag associated with the volume (see below for more information).checkInterval
- This is the interval in minutes that the program will run.alarmPrefixString
- This defines the string that will be prepended to every CloudWatch alarm name that the program creates. Having a known prefix is how it knows it is the one maintaining the alarm.regions
- This is a comma separated list of AWS region names (e.g. us-east-1) that the program will act on. If not specified, the program will scan on all regions that support an FSx for ONTAP file system. Note that no checking is performed to ensure that the regions you provide are valid.
- Click
Next
. There aren't any recommended changes to make to any of the proceeding pages, so just clickNext
again. - On the final page, check the box that says
I acknowledge that AWS CloudFormation might create IAM resources with custom names.
and then clickSubmit
.
If you prefer, you can run this Python program on any UNIX based computer that has Python installed. See the "Running on a computer" section below for more information.
If you use the CloudFormation template to deploy the program, it will create the appropriate environment variables for you. However, if you didn't use the CloudFormation template, you will need to configure the program yourself. Here are the various ways you can do so:
- By editing the top part of the program itself where there are the following variable definitions.
- By setting environment variables with the same names as the variables in the program.
- If running it as a standalone program, via some command line options.
💡 NOTE: The CloudFormation template will prompt for these values when you create the stack and will set the appropriate environment variables for you.
Here is the list of variables, and what they define:
Variable | Description | Command Line Option |
---|---|---|
SNStopic | The SNS Topic name where CloudWatch will send alerts to. Note that it is assumed that the SNS topic, with the same name, will exist in all the regions where alarms are to be created. | -s SNS_Topic_Name |
accountId | The AWS account ID associated with the SNS topic. This is only used to compute the ARN to the SNS Topic. | -a Account_number |
customerId | This is just an optional string that will be added to the alarm description. | -c Customer_String |
defaultCPUThreshold | This will define the default CPU utilization threshold. You can override the default by having a specific tag associated with the file system. See below for more information. | -C number |
defaultSSDThreshold | This will define the default SSD (aggregate) utilization threshold. You can override the default by having a specific tag associated with the file system. See below for more information. | -S number |
defaultVolumeThreshold | This will define the default Volume utilization threshold. You can override the default by having a specific tag associated with the volume. See below for more information. | -V number |
alarmPrefixCPU | This defines the string that will be put in front of the name of every CPU utilization CloudWatch alarm that the program creates. Having a known prefix is how it knows it is the one maintaining the alarm. | N/A |
alarmPrefixSSD | This defines the string that will be put in front of the name of every SSD utilization CloudWatch alarm that the program creates. Having a known prefix is how it knows it is the one maintaining the alarm. | N/A |
alarmPrefixVolume | This defines the string that will be put in front of the name of every volume utilization CloudWatch alarm that the program creates. Having a known prefix is how it knows it is the one maintaining the alarm. | N/A |
regions | This is a comma separated list of AWS region names (e.g. us-east-1) that the program will act on. If not specified, the program will scan on all regions that support an FSx for ONTAP file system. Note that no checking is performed to ensure that the regions you provide are valid. | -r region -r region ... |
There are a few command line options that don't have a corresponding variable:
Option | Description |
---|---|
-d | This option will cause the program to run in "Dry Run" mode. In this mode, the program will only display messages showing what it would have done, and not really create or delete any CloudWatch alarms. |
-F filesystem_ID | This option will cause the program to only add or remove alarms that are associated with the filesystem_ID. |
As mentioned with the threshold variables, you can create a tag on the specific resource to override the default value set by the associated threshold variable. Here is the list of tags and where they should be located:
Tag | Description | Location |
---|---|---|
alarm_threshold | Sets the volume utilization threshold. | Volume |
cpu_alarm_threshold | Sets the CPU utilization threshold. | File System |
ssd_alarm_threshold | Sets the SSD utilization threshold. | File System |
💡 NOTE: When the alarm threshold is set to 100, the alarm will not be created. So, if you set the default to 100, then you can selectively add alarms by setting the appropriate tag.
To run the program on a computer, you must have Python installed. You will also need to install the boto3 library. You can do that by running the following command:
pip install boto3
Once you have Python and boto3 installed, you can run the program by executing the following command:
python3 auto_add_cw_alarms.py
This will run the program based on all the variables set at the top. If you want to change the behavior without
having to edit the program, you can either use the Command Line Option specified in the table above or you can
set the appropriate environment variable. Note that you can give a -h
(or --help
) command line option
and the program will display a list of all the available options.
You can limit the regions that the program will act on by using the -r region
option. You can specify that option
multiple times to act on multiple regions.
You can run the program in "Dry Run" mode by specifying the -d
(or --dryRun
) option. This will cause the program to only display
messages showing what it would have done, and not really create or delete any CloudWatch alarms.
A CloudFormation template is included in the repo that will do the steps below. If you don't want to use that, here are the detailed steps required to install the program as a Lambda function.
- Download the
auto_add_cw_alarms.py
file from this repo. - Create a new Lambda function in the AWS console by going to the Lambda services page and clicking on the
Create function
button. - Choose
Author from scratch
and give the function a name. For exampleauto_add_cw_alarms
. - Choose the latest version of Python (currently Python 3.11) as the runtime and click on
Create function
. - In the function code section, copy and paste the contents of the
auto_add_cw_alarms.py
file into the code editor. - Click on the
Deploy
button to save the function. - Click on the Configuration tag and then the "General configuration" sub tab and set the "Timeout" to be at least 3 minutes.
- Click on the "Environment variables" tab and add the following environment variables:
SNStopic
- The SNS Topic name where CloudWatch will send alerts to.accountId
- The AWS account ID associated with the SNS topic.customerId
- This is optional. If provided the string entered is included in the description of every alarm created.defaultCPUThreshold
- This will define a default CPU utilization threshold.defaultSSDThreshold
- This will define a default SSD (aggregate) utilization threshold.defaultVolumeThreshold
- This will define the default Volume utilization threshold.alarmPrefixString
- This defines the string that will be prepended to every CloudWatch alarm name that the program creates.regions
- This is an optional comma separated list of AWS region names (e.g. us-east-1) that the program will act on. If not specified, the program will scan on all regions that support an FSx for ONTAP file system.
You will also need to set up the appropriate permissions for the Lambda function to run. It doesn't need many permissions. It just needs to be able to:
- List the FSx for ONTAP file systems.
- List the FSx volume names.
- List tags associated with an FSx file system or volume.
- List the CloudWatch alarms.
- List all the AWS regions.
- Create CloudWatch alarms.
- Delete CloudWatch alarms. You can set resource to
arn:aws:cloudwatch:*:
AccountId:alarm:
alarmPrefixString*
to limit the deletion to only the alarms that it creates. - Create CloudWatch Log Groups and Log Streams in case you need to diagnose an issue.
The following is an example AWS policy that has all the required permissions to run the script (although you could narrow the "Resource" specification to suit your needs.) Note it assumes that the alarmPrefixString is set to "FSx-ONTAP-Auto".
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"fsx:DescribeFilesystems",
"fsx:DescribeVolumes",
"fsx:ListTagsForResource",
"cloudwatch:DescribeAlarms"
"cloudwatch:DescribeAlarmsForMetric",
"ec2:DescribeRegions",
"cloudwatch:PutMetricAlarm",
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"cloudwatch:DeleteAlarms"
],
"Resource": "arn:aws:cloudwatch:*:*:alarm:FSx-ONTAP-Auto*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:log-group:*:log-stream:*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:*:*:log-group:*"
}
]
}
Once you have deployed the Lambda function it is recommended to set up a schedule to run it on a regular basis. The easiest way to do that is:
- Click on the
Add trigger
button from the Lambda function page. - Select
EventBridge (CloudWatch Events)
as the trigger type. - Click on the
Create a new rule
button. - Give the rule a name and a description.
- Set the
Schedule expression
to be the interval you want the function to run. For example, if you want it to run every 15 minutes, you would set the expression torate(15 minutes)
. - Click on the
Add
button
Once the script has been configured and invoked, it will:
- Scan for every FSx for ONTAP file systems in every region, unless you have specified a specific list of regions to scan. For every file system that it finds it will:
- Create a CPU utilization CloudWatch alarm, unless the threshold value is set to 100 for the specific alarm.
- Create an SSD utilization CloudWatch alarm, unless the threshold value is set to 100 for the specific alarm.
- Scan for every FSx for ONTAP volume in every region, unless you have specified a specific list of regions to scan. For every volume it finds it will:
- Create a Volume Utilization CloudWatch alarm, unless the threshold value is set to 100 for the specific alarm.
- Scan for the CloudWatch alarms and remove any alarms that the associated resource doesn't exist anymore.
If you decide you don't want to use this program anymore, you can delete the CloudFormation stack that you created. This will remove the Lambda function, the EventBridge schedule, and the roles that were created for you. If you did not use the CloudFormation template, you will have to do these steps yourself.
Once you have removed the program, you can remove all the CloudWatch alarms that were created by the program by running the following command:
region=us-west-2
aws cloudwatch describe-alarms --region=$region --alarm-name-prefix "FSx-ONTAP-Auto" --query "MetricAlarms[*].AlarmName" --output text | xargs -n 50 aws cloudwatch delete-alarms --region $region --alarm-names
This command will remove all the alarms that have an alarm name that starts with "FSx-ONTAP-Auto" in the us-west-2 region.
Make sure to adjust the alarm-name-prefix to match the AlarmPrefix you set when you deployed the program.
You will also need to adjust the region variable and run the aws
command again for each region where you have alarms in.
This repository is maintained by the contributors listed on GitHub.
Licensed under the Apache License, Version 2.0 (the "License").
You may obtain a copy of the License at apache.org/licenses/LICENSE-2.0.
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" basis, without WARRANTIES or conditions of any kind, either express or implied.
See the License for the specific language governing permissions and limitations under the License.
© 2024 NetApp, Inc. All Rights Reserved.