-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(ec2): NatInstanceProviderV2
improvements
#29729
Conversation
[using NAT instances](test/integ.nat-instances.lit.ts) [Deprecated] | ||
|
||
The construct will use the AWS official NAT instance AMI, which has already | ||
The V1 `NatProvider.instance` construct will use the AWS official NAT instance AMI, which has already | ||
reached EOL on Dec 31, 2023. For more information, see the following blog post: | ||
[Amazon Linux AMI end of life](https://aws.amazon.com/blogs/aws/update-on-amazon-linux-ami-end-of-life/). | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
> **Warning** | ||
> The NAT instances created using this method will be **unmonitored**. | ||
> They are not part of an Auto Scaling Group, | ||
> and if they become unavailable or are terminated for any reason, | ||
> will not be restarted or replaced. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've ran into this issue in the past, https://github.com/fonzcastellanos/cdk-nat-asg-provider tries to bridge that gap. It might be worth a mention here
// Unusuable in its current state | ||
// The VPC is required to create the security group, | ||
// but the NAT Provider is required to create the VPC | ||
// See https://github.com/aws/aws-cdk/issues/27527 | ||
// securityGroup, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can't see a possible use for securityGroup
, it might be worth just deprecating it
packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.ts
Outdated
Show resolved
Hide resolved
packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks for the thorough integration tests proving functionality. 👍🏼
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice, thank you for making the change. I created the NatInstanceProviderV2
and simply thought of it as a replacement for the V1. Glad to see it getting improvements and more customization capability.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
### Issue # (if applicable) Closes #27527 ### Reason for this change The current `NatInstanceProviderV2.securityGroup` property is unusable, given the dependency loop between the construct props (`NatInstanceProviderV2` > `VPC` > `SecurityGroup` > `NatInstanceProviderV2`). When creating the integration for #29729, adding a getter for the instances generated by the provider to update the instance role was required to test the `userData` overload. This solution also allows to bypass the circular dependency describe above, given that both the VPC and the instances are generated once the VPC is created with the `natGatewayProvider`. ### Description of changes * Deprecate `NatInstanceProviderV2.securityGroup` * Add `@example` tag to demo `NatInstanceProviderV2.gatewayInstances` * Update `README` to demo setting the security group * Update integ to test the demo ### Description of how you validated changes Updated integration test ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. |
Issue # (if applicable)
Closes #29720
Might fix other issues, will need check the backlog
Reason for this change
The user data script used to initialize NAT instances was at present incorrect, assuming an incorrect default interface name. I wanted to both update this script, and allow CDK users to update this user data if needed in the future, both in case of an issue with the script or just to extend/override the initialization procedure.
Description of changes
Apologies for the non-atomic PR, as I was working on the unit and integration tests, I noticed additional issues and missing features. These are the initially targeted changes:
userData
field toNatInstanceProps
, allowing the user to overwrite the NAT instances initialization scriptNatInstanceProps.DEFAULT_USER_DATA_COMMANDS
field, allowing the user to more easily extend the default scriptuserData
to query the instancedefault
network interface, instead of always usingeth0
These were found along the way:
gatewayInstances
method toNatInstanceProps
, allowing the user to interact with the created NAT instances once they're attached to the VPCcreditSpecification
not being implemented correctlyREADME
about potential issues with NAT instances as is implementedDescription of how you validated changes
I've updated and added unit and integration tests
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license