feat(ec2): NatInstanceProviderV2 improvements
#29729
Conversation
github-actions
bot
added
bug
| [using NAT instances](test/integ.nat-instances.lit.ts) [Deprecated] | ||
|
|
||
| The construct will use the AWS official NAT instance AMI, which has already | ||
| The V1 `NatProvider.instance` construct will use the AWS official NAT instance AMI, which has already | ||
| reached EOL on Dec 31, 2023. For more information, see the following blog post: | ||
| [Amazon Linux AMI end of life](https://aws.amazon.com/blogs/aws/update-on-amazon-linux-ami-end-of-life/). | ||
|
|
There was a problem hiding this comment.
I find the end of this chapter (starting from the deprecated example) to be confusing, I've tried to clear it up a bit. It's also not terribly useful, given it's describing a deprecated behavior. I'd be happy to remove it completely:
| > **Warning** | ||
| > The NAT instances created using this method will be **unmonitored**. | ||
| > They are not part of an Auto Scaling Group, | ||
| > and if they become unavailable or are terminated for any reason, | ||
| > will not be restarted or replaced. |
There was a problem hiding this comment.
I've ran into this issue in the past, https://github.com/fonzcastellanos/cdk-nat-asg-provider tries to bridge that gap. It might be worth a mention here
| // Unusuable in its current state | ||
| // The VPC is required to create the security group, | ||
| // but the NAT Provider is required to create the VPC | ||
| // See https://github.com/aws/aws-cdk/issues/27527 | ||
| // securityGroup, |
There was a problem hiding this comment.
I can't see a possible use for securityGroup, it might be worth just deprecating it
aws-cdk-automation
added
the
pr/needs-community-review
packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2-custom.ts
Outdated
Show resolved
Hide resolved
packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.nat-instances-v2.ts
Outdated
Show resolved
Hide resolved
aws-cdk-automation
added
pr/needs-maintainer-review
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
aws-cdk-automation
removed
the
pr/needs-maintainer-review
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
### Issue # (if applicable) Closes #27527 ### Reason for this change The current `NatInstanceProviderV2.securityGroup` property is unusable, given the dependency loop between the construct props (`NatInstanceProviderV2` > `VPC` > `SecurityGroup` > `NatInstanceProviderV2`). When creating the integration for #29729, adding a getter for the instances generated by the provider to update the instance role was required to test the `userData` overload. This solution also allows to bypass the circular dependency describe above, given that both the VPC and the instances are generated once the VPC is created with the `natGatewayProvider`. ### Description of changes * Deprecate `NatInstanceProviderV2.securityGroup` * Add `@example` tag to demo `NatInstanceProviderV2.gatewayInstances` * Update `README` to demo setting the security group * Update integ to test the demo ### Description of how you validated changes Updated integration test ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one. |
Issue # (if applicable)
Closes #29720
Might fix other issues, will need check the backlog
Reason for this change
The user data script used to initialize NAT instances was at present incorrect, assuming an incorrect default interface name. I wanted to both update this script, and allow CDK users to update this user data if needed in the future, both in case of an issue with the script or just to extend/override the initialization procedure.
Description of changes
Apologies for the non-atomic PR, as I was working on the unit and integration tests, I noticed additional issues and missing features. These are the initially targeted changes:
userDatafield toNatInstanceProps, allowing the user to overwrite the NAT instances initialization scriptNatInstanceProps.DEFAULT_USER_DATA_COMMANDSfield, allowing the user to more easily extend the default scriptuserDatato query the instancedefaultnetwork interface, instead of always usingeth0These were found along the way:
gatewayInstancesmethod toNatInstanceProps, allowing the user to interact with the created NAT instances once they're attached to the VPCcreditSpecificationnot being implemented correctlyREADMEabout potential issues with NAT instances as is implementedDescription of how you validated changes
I've updated and added unit and integration tests
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license