aws-cdk-lib/aws-ec2: Missing parameter options #20796

Closed
2 tasks
DBS-RoSe opened this issue Jun 20, 2022 · 2 comments
Labels: @aws-cdk/aws-ec2 (Related to Amazon Elastic Compute Cloud), feature-request (A feature should be added or improved.)

Comments

@DBS-RoSe

Describe the feature

  1. Missing parameter option for ENI (network interface) like in CloudFormation:

        Server:
          Type: AWS::EC2::Instance
          Properties:
            ...
            NetworkInterfaces:
              - NetworkInterfaceId:
                  Fn::ImportValue: !Sub "${ApplicationName}-${Environment}2-ENIID"
                DeviceIndex: '0'

     My solution:

        // Add network interface via addPropertyOverride
        (ec2Instance.node.defaultChild as ec2.CfnInstance).addPropertyOverride("NetworkInterfaces", [{ NetworkInterfaceId: eni.ref, DeviceIndex: 0 }]);
        // Delete property SubnetId because of an error in cdk synth
        (ec2Instance.node.defaultChild as ec2.CfnInstance).addPropertyDeletionOverride("SubnetId");

  2. Default security group creation
     If I create a network interface on my own, then I have to add the security groups to my ENI.
     But if I didn't add any security groups to my EC2 instance, then the EC2 instance will create a default security group on its own.
     So I have overridden this parameter:

        (ec2Instance.node.defaultChild as ec2.CfnInstance).addPropertyDeletionOverride("SecurityGroupIds");

BUT now I have an empty security group that I don't use, and that per stack.

Use Case

Because it's ugly to have an empty default security group without any use case, and I would like to have the same possibilities as in CloudFormation.

Proposed Solution

A new parameter option, and deactivation of the default security group if an ENI is handed over.
My own workaround is mentioned above.

Other Information

Code snippet:

```typescript
// Excerpt from inside a Stack constructor: `props`, `this.vpc`, `EC2IR` and
// `cfnKeyPair` are defined elsewhere in the stack and are not shown here.
import { Size, Tags, Duration, Stack } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as cdk from 'aws-cdk-lib';
import * as kms from 'aws-cdk-lib/aws-kms';
import * as dbs from '@cdkdbs/enterprise-library';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as ct from '../bin/constants';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as r53 from 'aws-cdk-lib/aws-route53';
import * as ssm from 'aws-cdk-lib/aws-ssm';
import * as sns from 'aws-cdk-lib/aws-sns';
import * as cw from 'aws-cdk-lib/aws-cloudwatch';
import * as cwac from 'aws-cdk-lib/aws-cloudwatch-actions';

const namePrefix = ct.AppShortName + '-' + props.dbsEnvironment;
// Cross-stack imports: KMS key ARN and the security group IDs the ENI should use
const KMSKey = cdk.Fn.importValue(namePrefix + '-kms-key-arn');
const IKMSKey = kms.Key.fromKeyArn(this, 'KMSKey', KMSKey);
const EC2SG = cdk.Fn.importValue(namePrefix + '-ec2-sg');
const EC2CSIRTSG = cdk.Fn.importValue('XXX');
const IEC2IR = iam.Role.fromRoleArn(this, 'IAMRole', EC2IR);
const IImage = new ec2.LookupMachineImage({
  name: 'amzn2-ami-hvm-2.0.20220426.0-x86_64-gp2',
});

// The ENI is created explicitly so that its security groups are set here
const subnetId = this.vpc.isolatedSubnets[0].subnetId;
const eni = new ec2.CfnNetworkInterface(this, 'ENI', {
  subnetId,
  groupSet: [EC2SG, EC2CSIRTSG],
});

const ec2Instance = new ec2.Instance(this, 'ec2-instance', {
  vpc: this.vpc,
  role: IEC2IR,
  instanceType: props.Config.InstanceType,
  machineImage: IImage,
  keyName: cfnKeyPair.keyName,
  propagateTagsToVolumeOnCreation: true,
  instanceName: namePrefix + '-app-1',
});

// Escape hatches on the underlying CfnInstance: attach the ENI, then remove the
// instance-level SubnetId and SecurityGroupIds that conflict with it
const cfnInstance = ec2Instance.node.defaultChild as ec2.CfnInstance;
cfnInstance.addPropertyOverride("NetworkInterfaces", [{ NetworkInterfaceId: eni.ref, DeviceIndex: 0 }]);
cfnInstance.addPropertyDeletionOverride("SubnetId");
cfnInstance.addPropertyDeletionOverride("SecurityGroupIds");
```

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.25.0

Environment details (OS name and version, etc.)

Amazon Linux 2

@DBS-RoSe DBS-RoSe added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jun 20, 2022
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Jun 20, 2022
@corymhall (Contributor)

corymhall commented Jun 23, 2022

@DBS-RoSe it looks like we have an open issue for adding support for providing the NetworkInterfaces property. Until then escape hatches are the only workaround. I'll close this issue and use the linked issue to track.

If you want to try and remove the security group that is created you can do something like

instance.node.tryRemoveChild('InstanceSecurityGroup');

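The two effects discussed in this thread (the SubnetId/SecurityGroupIds conflict with NetworkInterfaces, and the orphaned default InstanceSecurityGroup left behind by the deletion override) can be checked directly on the synthesized template under cdk.out. The following lint is an added example, not code from the issue or from aws-cdk-lib; the template it runs on is constructed inline to mirror the poster's stack and is not real cdk synth output.

```typescript
// Added example (not from the issue): lint a synthesized CloudFormation
// template for the two problems discussed above.
type Resource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources: Record<string, Resource> };

// Collect logical ids referenced via {"Ref": id} or {"Fn::GetAtt": [id, attr]}.
function collectRefs(node: unknown, out: Set<string>): void {
  if (Array.isArray(node)) { node.forEach((n) => collectRefs(n, out)); return; }
  if (node === null || typeof node !== "object") return;
  const o = node as Record<string, unknown>;
  if (typeof o.Ref === "string") out.add(o.Ref);
  const ga = o["Fn::GetAtt"];
  if (Array.isArray(ga) && typeof ga[0] === "string") out.add(ga[0]);
  Object.values(o).forEach((v) => collectRefs(v, out));
}

function lintTemplate(t: Template): string[] {
  const findings: string[] = [];
  const referenced = new Set<string>();
  for (const r of Object.values(t.Resources)) collectRefs(r.Properties ?? {}, referenced);
  for (const [id, r] of Object.entries(t.Resources)) {
    const p = r.Properties ?? {};
    // An instance that attaches an ENI must not also carry instance-level
    // SubnetId/SecurityGroupIds (the synth error the issue mentions for SubnetId).
    if (r.Type === "AWS::EC2::Instance" && "NetworkInterfaces" in p) {
      for (const k of ["SubnetId", "SecurityGroupIds"]) {
        if (k in p) findings.push(`${id}: ${k} set together with NetworkInterfaces`);
      }
    }
    // The leftover default InstanceSecurityGroup shows up here as an orphan.
    if (r.Type === "AWS::EC2::SecurityGroup" && !referenced.has(id)) {
      findings.push(`${id}: security group is not referenced by any resource`);
    }
  }
  return findings;
}

// Constructed sample mirroring the poster's stack before the deletion overrides.
const eni: Resource = { Type: "AWS::EC2::NetworkInterface",
  Properties: { SubnetId: "subnet-0123", GroupSet: [{ "Fn::ImportValue": "app-dev-ec2-sg" }] } };
const defaultSg: Resource = { Type: "AWS::EC2::SecurityGroup",
  Properties: { GroupDescription: "default", VpcId: "vpc-0123" } };
const beforeOverrides: Template = { Resources: { ENI: eni, InstanceSecurityGroup: defaultSg,
  Instance: { Type: "AWS::EC2::Instance", Properties: {
    SubnetId: "subnet-0123",
    SecurityGroupIds: [{ "Fn::GetAtt": ["InstanceSecurityGroup", "GroupId"] }],
    NetworkInterfaces: [{ NetworkInterfaceId: { Ref: "ENI" }, DeviceIndex: 0 }] } } } };

// Same template after addPropertyDeletionOverride("SubnetId") and ("SecurityGroupIds").
const afterDeletions: Template = JSON.parse(JSON.stringify(beforeOverrides));
delete afterDeletions.Resources.Instance.Properties!.SubnetId;
delete afterDeletions.Resources.Instance.Properties!.SecurityGroupIds;
```

Removing the InstanceSecurityGroup resource as well (the `tryRemoveChild` suggestion above) clears the last finding.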
@corymhall corymhall removed the needs-triage This issue or PR still needs to be triaged. label Jun 23, 2022
@github-actions (bot)

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
