Make KeyName optional #444
If this is left blank, then SSH will be disabled on agents. This provides an additional level of agent security, and the existing CloudWatch logs provide a good level of debuggability/diagnostics.
Awesome 1000

This is looking great, thanks for this @zsims. My only feedback is that the conditional SSH ingress needs to also take into account
ec618a9 to fae13f2
Thanks for the review @lox, have updated the PR with your suggestion
templates/buildkite-elastic.yml (outdated)

```yaml
      - { Condition: HasKeyName }
      - { Condition : CreateSecurityGroup }
      # Enable ingress if authorized users (keys) can be specified another way
      - "Fn::Not": [ "Fn::Equals": [ { Ref: AuthorizedUsersUrl }, "" ] ]
```
This probably needs to be in an `Fn::Or`, or am I booleaning wrong?
Well that's embarrassing, good catch! I've pushed up a fix
Cool, works for me!
This closes #413, by making the `KeyName` parameter optional. The parameter type has to be changed to `String` as the `AWS::EC2::KeyPair::KeyName` typed parameter means a valid key name must be specified. If no `KeyName` is specified, then the SSH ingress rule will not be created.

Some tests:

- With a new stack
- Against an existing 3.2.1 stack
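The template shape this PR and the review thread describe, written out as an added example rather than taken from the project's `templates/buildkite-elastic.yml`: `KeyName` becomes a plain `String` with an empty default, `HasKeyName` gates both the launch configuration's `KeyName` property (via `AWS::NoValue`, since an empty key name is rejected at launch) and the SSH ingress rule, and the ingress condition combines `HasKeyName` with the `AuthorizedUsersUrl` check using `Fn::Or`, not `Fn::And`. Only `KeyName`, `AuthorizedUsersUrl`, `HasKeyName` and `CreateSecurityGroup` come from the PR; the other parameter, condition and resource names (`SecurityGroupId`, `VpcId`, `ImageId`, `HasAuthorizedUsers`, `EnableSshIngress`, `AgentSecurityGroup`, `AgentSshIngress`, `AgentLaunchConfiguration`) are assumptions for illustration.

```yaml
# Added example, not the project's template. Names other than KeyName,
# AuthorizedUsersUrl, HasKeyName and CreateSecurityGroup are assumptions.
AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  KeyName:
    # A String, not AWS::EC2::KeyPair::KeyName: the typed parameter refuses
    # an empty value, so it cannot express "no SSH access".
    Type: String
    Default: ""
    Description: Optional EC2 key pair for SSH to agents. Blank disables SSH ingress.
  AuthorizedUsersUrl:
    Type: String
    Default: ""
    Description: Optional URL of an authorized_keys file installed on agents.
  SecurityGroupId:
    Type: String
    Default: ""
    Description: Existing security group to use; blank creates one.
  VpcId:
    Type: AWS::EC2::VPC::Id
  ImageId:
    Type: AWS::EC2::Image::Id

Conditions:
  HasKeyName:
    "Fn::Not": [ { "Fn::Equals": [ { Ref: KeyName }, "" ] } ]
  HasAuthorizedUsers:
    "Fn::Not": [ { "Fn::Equals": [ { Ref: AuthorizedUsersUrl }, "" ] } ]
  CreateSecurityGroup:
    "Fn::Equals": [ { Ref: SecurityGroupId }, "" ]
  # Open port 22 only on a group we create, and only when someone can log in:
  # a key pair was given OR authorized keys arrive via AuthorizedUsersUrl.
  # Putting HasKeyName and HasAuthorizedUsers under a single Fn::And instead
  # (the version the review caught) would require BOTH, silently disabling
  # SSH for a stack that sets only one of them.
  EnableSshIngress:
    "Fn::And":
      - { Condition: CreateSecurityGroup }
      - "Fn::Or":
          - { Condition: HasKeyName }
          - { Condition: HasAuthorizedUsers }

Resources:
  AgentSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Condition: CreateSecurityGroup
    Properties:
      GroupDescription: Buildkite agents
      VpcId: { Ref: VpcId }

  AgentSshIngress:
    Type: AWS::EC2::SecurityGroupIngress
    # The rule is simply not created when EnableSshIngress is false, so a
    # stack with a blank KeyName (and no AuthorizedUsersUrl) exposes no port 22.
    Condition: EnableSshIngress
    Properties:
      GroupId: { Ref: AgentSecurityGroup }
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      CidrIp: 0.0.0.0/0   # illustrative; restrict to your admin range in practice

  AgentLaunchConfiguration:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: { Ref: ImageId }
      InstanceType: t3.medium
      # An empty string is not a valid key name at launch time, so omit the
      # property entirely rather than passing the blank parameter through.
      KeyName:
        "Fn::If": [ HasKeyName, { Ref: KeyName }, { Ref: "AWS::NoValue" } ]
```

The `Fn::Or` is the security-relevant line: with `Fn::And`, a stack that set `AuthorizedUsersUrl` but left `KeyName` blank would install keys on the agents yet never open port 22, and a stack that set only `KeyName` would behave the same way, so the "SSH disabled" outcome and the "SSH misconfigured" outcome become indistinguishable. Checking the rendered conditions with `aws cloudformation validate-template` catches syntax, but not this logic error; deploying with each combination of the two parameters and inspecting the resulting security group does.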