Launch EC2 instance 2 (Logstash server)

"Instance 2" will be the Logstash server.

Environment variables

# Local path of the private key (.pem) used to reach the instance over SSH.
ESTEST_INSTANCE_2_KEYPAIR=/Users/tranjim/Desktop/data/tools/__credentials/jtkeypair_pdx.pem
# Instance/security-group name; the current minutes+seconds act as a per-run suffix.
printf -v ESTEST_INSTANCE_2_NAME 'ESTEST_Instance_2-%s' "$(date "+%M%S")"
ESTEST_INSTANCE_2_AMI=ami-5189a661 # Ubuntu server

# Names of the IAM objects created for this instance: the role EC2 assumes,
# the inline policy attached to it, and the instance profile that carries it.
ESTEST_INSTANCE_2_IAM_ROLE_NAME=ESTEST_Instance2-IAM_Role
ESTEST_INSTANCE_2_IAM_POLICY_NAME=ESTEST_Instance2-IAM_Policy
ESTEST_INSTANCE_2_PROFILE_NAME=ESTEST_Instance2-Instance_Profile

Create an IAM Role for EC2

The IAM Role will only permit the Elasticsearch HTTP data-plane operations (the `es:ESHttp*` actions), so that Logstash can ship logs to the Elasticsearch domain. The IAM Role will not permit configuration of the Elasticsearch domain itself.

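# Region and account that own the Elasticsearch domain. Both are needed to
# build ARNs, so they are set BEFORE the ARN assignment below (the original
# order referenced ESTEST_ACCOUNT_ID two lines before defining it, which
# produced an ARN with an empty account id).
ESTEST_REGION=us-west-2
ESTEST_ACCOUNT_ID=075452263468

# Create the role that EC2 may assume. The trust policy allows only the EC2
# service principal to call sts:AssumeRole; nothing else is granted here.
# --query/--output text make the CLI print just the role ARN, which is
# captured instead of being reconstructed by hand.
ESTEST_INSTANCE_2_IAM_ROLE_ARN=$(aws iam create-role \
        --role-name "$ESTEST_INSTANCE_2_IAM_ROLE_NAME" \
        --output text \
        --query 'Role.Arn' \
        --assume-role-policy-document '{
              "Version": "2012-10-17",
              "Statement": [{
                  "Effect": "Allow",
                  "Principal": { "Service": "ec2.amazonaws.com"},
                  "Action": "sts:AssumeRole"
              }]
            }')

# Fall back to the hand-built ARN when the CLI printed nothing (e.g. the role
# already existed and create-role failed), and echo it as the original did.
if [[ -z "$ESTEST_INSTANCE_2_IAM_ROLE_ARN" ]]; then
  printf 'create-role returned no ARN; using the expected ARN instead\n' >&2
  ESTEST_INSTANCE_2_IAM_ROLE_ARN=arn:aws:iam::$ESTEST_ACCOUNT_ID:role/$ESTEST_INSTANCE_2_IAM_ROLE_NAME
fi
printf '%s\n' "$ESTEST_INSTANCE_2_IAM_ROLE_ARN"

# The original stored this value under an INSTANCE_1 name (a typo: it holds
# instance 2's role). Kept so anything that already reads it keeps working.
ESTEST_INSTANCE_1_IAM_ROLE_ARN=$ESTEST_INSTANCE_2_IAM_ROLE_ARN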

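# The domain name is interpolated into the policy's Resource ARN but is not
# set on this page; stop with a clear message instead of writing a policy
# whose Resource ends in "domain:/*".
: "${ESTEST_ELASTICSEARCH_DOMAIN:?ESTEST_ELASTICSEARCH_DOMAIN must be set to the Elasticsearch domain name}"
: "${ESTEST_REGION:?ESTEST_REGION must be set}"
: "${ESTEST_ACCOUNT_ID:?ESTEST_ACCOUNT_ID must be set}"

# Write the inline policy to a private temp file created by mktemp rather
# than a fixed, predictable path under /tmp.
ESTEST_INSTANCE_2_POLICY_FILE=$(mktemp) || { printf 'mktemp failed\n' >&2; exit 1; }

# Unquoted EOF: the heredoc expands $ESTEST_REGION, $ESTEST_ACCOUNT_ID and
# $ESTEST_ELASTICSEARCH_DOMAIN. Only HTTP data-plane actions on this one
# domain are allowed; no es:Describe*/Update* (control-plane) actions.
cat << EOF > "$ESTEST_INSTANCE_2_POLICY_FILE"
{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect": "Allow",
      "Resource": [ "arn:aws:es:$ESTEST_REGION:$ESTEST_ACCOUNT_ID:domain:$ESTEST_ELASTICSEARCH_DOMAIN/*" ],
      "Action": [
        "es:ESHttpDelete",
        "es:ESHttpGet",
        "es:ESHttpHead",
        "es:ESHttpPost",
        "es:ESHttpPut"
      ]
  }]
}
EOF

# Attach the policy inline to the role, then discard the temp file.
aws iam put-role-policy \
        --role-name   "$ESTEST_INSTANCE_2_IAM_ROLE_NAME"   \
        --policy-name "$ESTEST_INSTANCE_2_IAM_POLICY_NAME" \
        --policy-document "file://$ESTEST_INSTANCE_2_POLICY_FILE"
rm -f -- "$ESTEST_INSTANCE_2_POLICY_FILE"

# An instance profile is the container EC2 actually attaches; the role is
# placed inside it.
aws iam create-instance-profile \
    --instance-profile-name "$ESTEST_INSTANCE_2_PROFILE_NAME"

aws iam add-role-to-instance-profile \
    --instance-profile-name "$ESTEST_INSTANCE_2_PROFILE_NAME" \
    --role-name "$ESTEST_INSTANCE_2_IAM_ROLE_NAME"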

Create a security group that allows ingress TCP traffic on ports 22 and 5044

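# Source ranges allowed to reach the instance. Both default to the original
# 0.0.0.0/0 (reachable from any address); set them to a narrower range
# (e.g. the CIDR of the hosts running Beats, and your own address for SSH)
# so neither listener is exposed to the whole internet.
ESTEST_INSTANCE_2_SSH_CIDR=${ESTEST_INSTANCE_2_SSH_CIDR:-0.0.0.0/0}
ESTEST_INSTANCE_2_LOGSTASH_CIDR=${ESTEST_INSTANCE_2_LOGSTASH_CIDR:-0.0.0.0/0}

# The group is named after the instance so the two are easy to correlate.
aws ec2 create-security-group \
    --group-name "$ESTEST_INSTANCE_2_NAME" \
    --description "$ESTEST_INSTANCE_2_NAME"

# 22: SSH administration. 5044: the port Logstash listens on for shipped logs.
aws ec2 authorize-security-group-ingress \
    --group-name "$ESTEST_INSTANCE_2_NAME" \
    --protocol tcp --port 22 --cidr "$ESTEST_INSTANCE_2_SSH_CIDR"
aws ec2 authorize-security-group-ingress \
    --group-name "$ESTEST_INSTANCE_2_NAME" \
    --protocol tcp --port 5044 --cidr "$ESTEST_INSTANCE_2_LOGSTASH_CIDR"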

Launch the instance and tag it

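# Launch one instance with the role attached through its instance profile.
# The profile variable defined earlier is ESTEST_INSTANCE_2_PROFILE_NAME (the
# one passed to create-instance-profile); the original referenced an undefined
# ESTEST_INSTANCE_2_IAM_INSTANCE_PROFILE_NAME, so the CLI received an empty
# "Name=" and the instance launched without the role.
# --key-name is the EC2 key pair name; it must correspond to the private key
# in ESTEST_INSTANCE_2_KEYPAIR (jtkeypair_pdx.pem).
# The region defaults to us-west-2 when ESTEST_REGION is not set.
ESTEST_INSTANCE_2_ID=$(aws ec2 run-instances \
         --image-id "$ESTEST_INSTANCE_2_AMI" \
         --count 1 \
         --instance-type m3.medium \
         --key-name jtkeypair_pdx \
         --security-groups "$ESTEST_INSTANCE_2_NAME" \
         --iam-instance-profile "Name=$ESTEST_INSTANCE_2_PROFILE_NAME" \
         --region "${ESTEST_REGION:-us-west-2}" \
         | jq --raw-output '.Instances[0].InstanceId') \
  && printf '%s\n' "$ESTEST_INSTANCE_2_ID"

# Only tag when an instance id actually came back; otherwise say why the
# tagging step is skipped instead of failing on an empty --resources.
if [[ -n "$ESTEST_INSTANCE_2_ID" ]]; then
  aws ec2 create-tags \
      --resources "$ESTEST_INSTANCE_2_ID" \
      --tags "Key=Name,Value=$ESTEST_INSTANCE_2_NAME"
else
  printf 'run-instances returned no instance id; skipping create-tags\n' >&2
fi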