feat(ec2): Volume construct
#8219
Conversation
TestingAside from a pile of unit tests, I also deployed the following and used the AWS CLI to attach/detach the volume. With the Volume attached, I also mounted it, formatted, and wrote/read data to/from it to ensure that the instance could write/read the Volume. import * as cdk from '@aws-cdk/core';
import * as kms from '@aws-cdk/aws-kms';
import * as ec2 from '@aws-cdk/aws-ec2';
import { EbsDeviceVolumeType } from '@aws-cdk/aws-ec2';
const app = new cdk.App();
const env = {
account: process.env.CDK_DEFAULT_ACCOUNT,
region: process.env.CDK_DEFAULT_REGION
}
const network = new cdk.Stack(app, 'CDKTestNetwork', { env });
const vpc = new ec2.Vpc(network, 'Vpc');
const key = new kms.Key(network, 'Key', {
removalPolicy: cdk.RemovalPolicy.DESTROY,
});
const testing = new cdk.Stack(app, 'CDKTestTest', { env });
const instance = new ec2.BastionHostLinux(testing, 'MountInstance', {
vpc,
instanceType: new ec2.InstanceType('t3.small'),
subnetSelection: {
subnetType: ec2.SubnetType.PRIVATE,
},
});
const bastion = new ec2.BastionHostLinux(testing, 'Bastion', {
vpc,
instanceType: new ec2.InstanceType('t3.small'),
subnetSelection: {
subnetType: ec2.SubnetType.PRIVATE,
},
});
const volume1 = new ec2.Volume(testing, 'Volume', {
availabilityZone: `${env.region}a`,
sizeGiB: 8,
encrypted: true,
encryptionKey: key,
autoEnableIo: true,
volumeType: EbsDeviceVolumeType.GENERAL_PURPOSE_SSD,
})
volume1.grantAttachVolume(bastion, instance);
volume1.grantDetachVolume(bastion, instance);
app.synth(); |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
@rix0rrr This is ready & waiting for your feedback. |
| public abstract readonly encryptionKey?: IKey; | ||
|
|
||
| public grantAttachVolume(grantee: IGrantable, instance?: IInstance): Grant { |
There was a problem hiding this comment.
Is IGrantable here ever expected to be anything other than an instance role?
In fact, is this ever anything other than an instance you would want to grant this to?
Also, in what cases would you want to grant attach separately from detach?
There was a problem hiding this comment.
Lack of imagination on my part seems safer to assume that there may be use-cases outside of an instance wanting to do the attach/detach. For instance, maybe there's a reason to have a lambda that's driving some external logic around moving/sharing an EBS volume between instances.
edit: Along that line of thought... maybe the instance arg should be an array of instances...
Also, in what cases would you want to grant attach separately from detach?
Yeah, one of the uses that I have for this is exactly that case. It's an ASG instance that will re-attach an EBS volume if it's replaced by the ASG, but never needs to detach it. The detachment happens automatically when the instance is terminated.
|
@rix0rrr All set for another round of review. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
@rix0rrr This is now ready for, hopefully, final review. I've sorted out the IAM permissions for the KMS key used for encryption. Access to the EBS volume & the KMS key is now properly separated -- you cannot attach the volume without access to the KMS key. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
packages/@aws-cdk/aws-ec2/README.md
Outdated
|
|
||
| The following is a sample skeleton of a script that can be used to attach a Volume to the Linux instance that it is running on: | ||
|
|
||
| ```bash |
There was a problem hiding this comment.
Can you turn this example into an instance.userData.addCommand()-style example?
People would benefit from the automatic interpolation of EBS_VOL_ID, for example.
This changes the permissions appended to the KMS key policy such they are as minimal as possible. Permissions are split between a grant when creating the volume -- a grant that allows the Volume to be created -- and a grant when allowing attachment of the Volume. This properly restricts use of the CMK-encrypted volume to only those users that have access to both the EBS volume and, separately, the CMK used for encryption.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
| * Defaults to a hash calculated from this volume. | ||
| */ | ||
| grantAttachVolumeToSelf(instance: Instance, tagKeySuffix?: string): Grant; |
There was a problem hiding this comment.
I'm thinking that I should change this, and similarly the corresponding grantDetachVolumeFromSelf(), to grantAttachVolumeByTag(grantee: IGrantable, constructs: Construct[], tagKeySuffix?: string): Grant
Reason being that there are other instance-sources that this will not cover as it's implemented -- ASGs, EC2-Fleets, and SpotFleetRequests to name a few.
Implementation would be, essentially, the same except that the tag value would be applied to all given constructs.
| Tag.add(instance, tagKey, tagValue); |
There was a problem hiding this comment.
Can you explain in a comment why the tag needs to be applied on this? That one surpised me.
For the other, don't forget to set { appliesToLaunchedInstances: true } (or whatever the option is), otherwise this still won't work for ASGs.
There was a problem hiding this comment.
Can you explain in a comment why the tag needs to be applied on
this? That one surpised me.
Sure. It's a resource tag. So, all resources involved in the call must have the tag.
For the other, don't forget to set
{ appliesToLaunchedInstances: true }(or whatever the option is), otherwise this still won't work for ASGs.
Fortunately, it's true by default: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_core.TagProps.html#applytolaunchedinstances
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
rix0rrr
changed the title
Volume construct
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
This adds an L2 construct for AWS::EC2:Volume that supports encryption with a customer-owned KMS key, or service-owned key. It provides methods for importing an existing Volume to the stack, and for granting
AttachVolumeandDetachVolumeto a role.Resolves #8218
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license