How to Query AWS EC2 Instance Status by IP Address: A DevOps Automation Guide


When managing dynamic AWS environments with frequent instance launches/terminations, tracking instance status becomes crucial for certificate management in configuration tools like Puppet. The key pain point is mapping ephemeral IP addresses to instance IDs for proper certificate cleanup.

For running instances, you can query AWS's instance metadata service directly from within the instance:

# Queries the instance metadata service (IMDS) from inside the instance.
# On instances that enforce IMDSv2 (recommended, since the required session
# token blocks most SSRF-based credential theft) these plain GETs return 401:
# first PUT /latest/api/token, then send the token in the
# X-aws-ec2-metadata-token header.
curl http://169.254.169.254/latest/meta-data/instance-id
curl http://169.254.169.254/latest/meta-data/local-ipv4

For instances you can't access directly, use AWS CLI filters with describe-instances:

aws ec2 describe-instances \
  --filters "Name=private-ip-address,Values=10.0.0.123" \
  --query 'Reservations[*].Instances[*].[InstanceId,State.Name]' \
  --output text

Create a shell script to process multiple IPs from a file:

#!/bin/bash
# Reads one IP per line from ip_list.txt and prints the instance ID and state
# of whatever instance currently holds that private IP (empty if none).
while read -r ip; do
  [ -z "$ip" ] && continue   # skip blank lines
  instance_info=$(aws ec2 describe-instances \
    --filters "Name=private-ip-address,Values=$ip" \
    --query 'Reservations[*].Instances[*].[InstanceId,State.Name]' \
    --output text)

  echo "$ip : $instance_info"
done < ip_list.txt

Integrate with Puppet's certificate management commands:

#!/bin/bash
# First get terminated instances.
# Caveat: EC2 only reports terminated instances for roughly an hour after
# termination, so run this frequently or you will miss instances.
terminated_instances=$(aws ec2 describe-instances \
  --filters "Name=instance-state-name,Values=terminated" \
  --query 'Reservations[*].Instances[*].PrivateIpAddress' \
  --output text)

# Clean puppet certs (certname assumed to be <ip>.example.com).
# On Puppet 6+ use: puppetserver ca clean --certname "${ip}.example.com"
for ip in $terminated_instances; do
  [ "$ip" = "None" ] && continue   # --output text prints None for a missing field
  puppet cert clean "${ip}.example.com"
done

Tag your instances and use resource group queries:

aws resourcegroupstaggingapi get-resources \
  --tag-filters Key=Environment,Values=Production \
  --resource-type-filters ec2:instance \
  --query 'ResourceTagMappingList[*].ResourceARN'

For large-scale environments, consider AWS Config with custom rules:

aws config put-config-rule \
  --config-rule file://puppet-cert-rule.json

When managing hundreds of EC2 instances with Puppet in an auto-scaling environment, stale certificates from terminated instances can accumulate on your Puppet master. The fundamental problem is mapping ephemeral IP addresses to instance IDs to determine their current state.

Here are three reliable methods to achieve this:

# Method 1: AWS CLI with describe-instances filter
aws ec2 describe-instances \
  --filters "Name=private-ip-address,Values=10.0.1.25" \
  --query "Reservations[].Instances[].InstanceId" \
  --output text

For processing multiple IPs programmatically:

#!/bin/bash
# One describe-instances call per IP returns both the instance ID and its
# state, so no second lookup is needed. Certnames are assumed to equal the
# bare IP here; adjust to your naming scheme.
IP_LIST="10.0.1.25 10.0.2.178 10.0.3.42"

for ip in $IP_LIST; do
  # Prints "<InstanceId> <State>" per matching instance, or nothing at all
  # when no instance (running or stopped) currently holds this private IP.
  instance_info=$(aws ec2 describe-instances \
    --filters "Name=private-ip-address,Values=$ip" \
    --query "Reservations[].Instances[].[InstanceId,State.Name]" \
    --output text)

  if [ -z "$instance_info" ]; then
    echo "IP $ip: No instance found - safe to revoke certificate"
    puppet cert clean "$ip"
  else
    # A match may be a stopped instance, not just a running one; the state
    # tells you whether the certificate is still needed.
    read -r instance_id instance_state <<< "$instance_info"
    echo "IP $ip: Instance $instance_id is $instance_state"
  fi
done
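The two scripts above (the terminated-instance sweep and the per-IP loop) both couple the EC2 lookup to the certificate decision, which makes the policy hard to test without AWS access. The following script is an added example, not part of the original guide, that separates the inventory lookup from the cleanup decision: it keeps the certificate of a stopped instance (the agent will need it again), cleans only for terminated or absent IPs, and defaults to a dry run that just prints the plan. The inventory function returns a constructed sample standing in for `aws ec2 describe-instances --output text`, the certname suffix `example.com` is an assumption, and `puppetserver ca clean` is the Puppet 6+ replacement for `puppet cert clean`.

```shell
#!/bin/sh
# Added example (not from the original guide): decide which Puppet
# certificates are safe to clean from the EC2 state of the instance behind
# each IP. Certnames are assumed to be "<private-ip>.example.com".
set -eu

CERT_DOMAIN="example.com"   # assumed certname suffix, adjust to your naming
DRY_RUN="${DRY_RUN:-1}"     # 1 = only print the plan; 0 = actually clean certs

# Inventory lines "<private-ip> <instance-id> <state>", the shape produced by:
#   aws ec2 describe-instances \
#     --query 'Reservations[*].Instances[*].[PrivateIpAddress,InstanceId,State.Name]' \
#     --output text
# This version returns a constructed sample (placeholder instance IDs) so the
# script runs offline; swap in the real CLI call for production use.
lookup_inventory() {
  printf '%s\t%s\t%s\n' 10.0.0.123 i-0123456789abcdef0 running
  printf '%s\t%s\t%s\n' 10.0.0.124 i-0123456789abcdef1 stopped
  printf '%s\t%s\t%s\n' 10.0.0.125 i-0123456789abcdef2 terminated
}

# classify_ip IP -> prints the instance state, or "absent" when no instance
# currently holds that IP. EC2 only reports terminated instances for about an
# hour, so "absent" covers long-gone instances and IPs that never had one.
classify_ip() {
  state=$(lookup_inventory | awk -v ip="$1" '$1 == ip { print $3; exit }')
  if [ -z "$state" ]; then
    echo absent
  else
    echo "$state"
  fi
}

# cert_action IP -> "clean" or "keep". Stopped and pending instances keep
# their certificate; revoking it would break the agent when the box returns.
cert_action() {
  case "$(classify_ip "$1")" in
    terminated|absent) echo clean ;;
    *) echo keep ;;
  esac
}

# plan_cleanup IP... -> one line per IP: "<action> <certname> (<state>)".
# Unless DRY_RUN=0 nothing is revoked; with DRY_RUN=0 "clean" lines are executed.
plan_cleanup() {
  for ip in "$@"; do
    certname="${ip}.${CERT_DOMAIN}"
    action=$(cert_action "$ip")
    echo "$action $certname ($(classify_ip "$ip"))"
    if [ "$action" = clean ] && [ "$DRY_RUN" = 0 ]; then
      # Puppet 6+ replaced `puppet cert clean` with `puppetserver ca clean`
      puppetserver ca clean --certname "$certname"
    fi
  done
}

# Usage: sh cert_cleanup.sh 10.0.0.123 10.0.0.124 10.0.0.125 10.0.0.200
if [ "$#" -gt 0 ]; then
  plan_cleanup "$@"
fi
```

Run it once with the default dry run to review the plan, then with `DRY_RUN=0` to revoke. Keeping the decision in `cert_action` means a later policy change (for example, also cleaning `shutting-down` instances) is a one-line edit that can be checked against the sample inventory before it ever touches the CA.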

For more robust instance tracking:

# Install SSM Agent on instances
sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm

Direct integration with PuppetDB for certificate management:

# Puppet query (PQL) to find nodes PuppetDB has already deactivated
puppet query 'nodes { deactivated is not null }'

  • Works for both private and public IPs (use different filter names)
  • Consider VPC peering limitations if IPs span multiple VPCs
  • For Elastic IPs, check the 'AssociationId' field