Add support for full EBS device configuration

Author: shreyasdamle

packages/@aws-cdk/aws-ec2/README.md

@@ -545,9 +545,14 @@ with the command `aws ec2-instance-connect send-ssh-public-key` to provide your
 
 EBS volume for the bastion host can be encrypted like:
 ```ts
-    new BastionHostLinux(stack, 'Bastion', {
+    const host = new ec2.BastionHostLinux(stack, 'BastionHost', {
       vpc,
-      ebsVolumeEncryption: true
+      blockDevices: [{
+        deviceName: 'EBSBastionHost',
+        volume: BlockDeviceVolume.ebs(10, {
+          encrypted: true,
+        }),
+      }],
     });
 ```
 

packages/@aws-cdk/aws-ec2/lib/bastion-host.ts

@@ -7,7 +7,7 @@ import { IMachineImage, MachineImage } from './machine-image';
 import { IPeer } from './peer';
 import { Port } from './port';
 import { ISecurityGroup } from './security-group';
-import { BlockDeviceVolume } from './volume';
+import { BlockDevice } from './volume';
 import { IVpc, SubnetSelection } from './vpc';
 
 /**
@@ -67,12 +67,18 @@ export interface BastionHostLinuxProps {
   readonly machineImage?: IMachineImage;
 
   /**
-   * Encryption for EBS volume
-   * If true, encrypted volume will be created with a default voulme size of 10 GiB.
+   * Specifies how block devices are exposed to the instance. You can specify virtual devices and EBS volumes.
    *
-   * @default false
+   * Each instance that is launched has an associated root device volume,
+   * either an Amazon EBS volume or an instance store volume.
+   * You can use block device mappings to specify additional EBS volumes or
+   * instance store volumes to attach to an instance when it is launched.
+   *
+   * @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html
+   *
+   * @default - Uses the block device mapping of the AMI
    */
-  readonly ebsVolumeEncryption?: boolean;
+  readonly blockDevices?: BlockDevice[];
 }
 
 /**
@@ -139,33 +145,16 @@ export class BastionHostLinux extends Construct implements IInstance {
     super(scope, id);
     this.stack = Stack.of(scope);
 
-    if (props.ebsVolumeEncryption) {
-      this.instance = new Instance(this, 'Resource', {
-        vpc: props.vpc,
-        availabilityZone: props.availabilityZone,
-        securityGroup: props.securityGroup,
-        instanceName: props.instanceName ?? 'BastionHost',
-        instanceType: props.instanceType ?? InstanceType.of(InstanceClass.T3, InstanceSize.NANO),
-        machineImage: props.machineImage ?? MachineImage.latestAmazonLinux({ generation: AmazonLinuxGeneration.AMAZON_LINUX_2 }),
-        vpcSubnets: props.subnetSelection ?? {},
-        blockDevices: [{
-          deviceName: 'EBSBastionHost',
-          volume: BlockDeviceVolume.ebs(10, {
-            encrypted: props.ebsVolumeEncryption ?? false,
-          }),
-        }],
-      });
-    } else {
-      this.instance = new Instance(this, 'Resource', {
-        vpc: props.vpc,
-        availabilityZone: props.availabilityZone,
-        securityGroup: props.securityGroup,
-        instanceName: props.instanceName ?? 'BastionHost',
-        instanceType: props.instanceType ?? InstanceType.of(InstanceClass.T3, InstanceSize.NANO),
-        machineImage: props.machineImage ?? MachineImage.latestAmazonLinux({ generation: AmazonLinuxGeneration.AMAZON_LINUX_2 }),
-        vpcSubnets: props.subnetSelection ?? {},
-      });
-    }
+    this.instance = new Instance(this, 'Resource', {
+      vpc: props.vpc,
+      availabilityZone: props.availabilityZone,
+      securityGroup: props.securityGroup,
+      instanceName: props.instanceName ?? 'BastionHost',
+      instanceType: props.instanceType ?? InstanceType.of(InstanceClass.T3, InstanceSize.NANO),
+      machineImage: props.machineImage ?? MachineImage.latestAmazonLinux({ generation: AmazonLinuxGeneration.AMAZON_LINUX_2 }),
+      vpcSubnets: props.subnetSelection ?? {},
+      blockDevices: props.blockDevices ?? undefined,
+    });
     this.instance.addToRolePolicy(new PolicyStatement({
       actions: [
         'ssmmessages:*',

packages/@aws-cdk/aws-ec2/test/test.bastion-host.ts

@@ -1,7 +1,7 @@
 import { expect, haveResource } from '@aws-cdk/assert';
 import { Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
-import { BastionHostLinux, SubnetType, Vpc } from '../lib';
+import { BastionHostLinux, BlockDeviceVolume, SubnetType, Vpc } from '../lib';
 
 export = {
   'default instance is created in basic'(test: Test) {
@@ -62,7 +62,12 @@ export = {
     // WHEN
     new BastionHostLinux(stack, 'Bastion', {
       vpc,
-      ebsVolumeEncryption: true,
+      blockDevices: [{
+        deviceName: 'EBSBastionHost',
+        volume: BlockDeviceVolume.ebs(10, {
+          encrypted: true,
+        }),
+      }],
     });
 
     // THEN