-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Auto Scaling Group - Turn UserData into rich object #623
Comments
I think that would be a great idea. I'd even like to keep the logicalId out of that. Can we not do something like this: asg.userData.addCommand('echo Hello')
asg.userData.addCommand('rm -rf /')
asg.userData.addSignalCommand() // Will do the right thing Don't know if that makes sense, and in how many use cases you'd really need the
Exists: https://github.com/awslabs/aws-cdk/blob/master/packages/%40aws-cdk/aws-ec2/lib/security-group.ts#L64 (might have been added in a later version than the one you're using?) So you should totally be able to do: const sg = SecurityGroupRef.import(this, 'SG', {
securityGroupId: new SecurityGroupId('sg-12345')
});
asg.connections.allowFrom(sg, new TcpPort(22), 'SSH access'); (My apologies for upcoming API breakage in advance--the |
Yes. I think the underlying call attached to operating system will need to support some parameters and some may have to to be exposed in ASG. For AmazonLinux we know where Re: Security Group If my security group is all I can put some code up here to clarify, but I need to sanitize this a bit and figure out where my HEAD is on the git tree. |
Also I think we might need to expose the
I added this little block to the constructor of the newer ASG. |
Really? The |
Hmm, good point, it's on the Just seems to make more sense to me on the main resource. But okay, the problem might be with |
Make a new construct to manager User Data, which should make it easier to apply the features correctly. Fixes #623 and 777.
The signal command btw. shouldn't be a manual action. If signaling is enabled for the securitygroup, appropriate signaling commands should automatically be added in such a way that they trigger both for success and for failure, while the rest of the script should probably behave as
Should work. |
While doing this -- the automatic configuration of the right type of (unconfigured) UserData should come from the MachineImage, not the consuming construct (EC2 instance or AutoScalingGroup) |
User Data objects currently only supports adding commands by providing the full command as a string. This commit hopes to address this by adding the following functionality: * On Exit Commands - Both bash and powershell have the concepts of trap functions which can be used to force a function to run when a an exception is run. Using this we are able to set up a script block that will always run at the end of the script. * add Signal Command - Using the above on Exit commands we are able to make it so the User data will send a signal to a specific resource (eg. Instance/Auto scaling group) with the results of the last command. * Download and Execute a file from S3 - This writes a function into the user data which can be used for repeated calls to download and execute a file from s3 with a list of arguments. This was tested by launching instances which pulled a script from an S3 asset then signaling on completion. Fixes aws#623
User Data objects currently only supports adding commands by providing the full command as a string. This commit hopes to address this by adding the following functionality: * On Exit Commands - Both bash and powershell have the concepts of trap functions which can be used to force a function to run when a an exception is run. Using this we are able to set up a script block that will always run at the end of the script. * add Signal Command - Using the above on Exit commands we are able to make it so the User data will send a signal to a specific resource (eg. Instance/Auto scaling group) with the results of the last command. * Download S3 File Command - This adds commands to download the specified file using the aws cli on linux and AWS powershell utility on windows * Execute File Command - This adds commands to ensure that the specified file is executable then executes the file with specified arguments. Fixes #623
I am having a few challenges with the new ASG (will be 0.8.3?).
I have a simple pattern using cfn-signal for a basic rolling update. The issue is I need the logical ID of the ASG for the command. If I use CDK ASG construct (not the CloudFormation one). I have no means to get the LogicalId of the ASG. There might be some tricks in the rename functions, but I'm pretty sure we want an elegant solution here. I added a method to the ASG to get logical ID and that will work. I think I would prefer to model the cfn-* functions actually in the
OperatingSystem
implementations, similar tocreateUserData(..)
.The security group pattern via
Connections
has a lot of great features, but I think I might still need access to either assign additional security groups or export the default one assigned. The primary use case is a bastion pattern. We have exported the bastion node security group and other instances use cross stack references to allow inbound port 22 from the security group on the bastion node. We could add an export function for the security group to solve this. Alternatively we could enable users to insert the initial security group or add security groups to the configuration. As teams migrate to CDK I think many users may have legacy Security Groups managed by central teams (or stacksets) for IP whitelisting patterns (sadly even with Private Link we still have a few use cases that don't fit).Are there solutions to these problems that I missed? Reasons we wouldn't want to add them?
The text was updated successfully, but these errors were encountered: