aws-ec2: Expose userDataCausesReplacement in BastionHostLinuxProps #31348

Open
1 task
jamre opened this issue Sep 6, 2024 · 1 comment · May be fixed by #31416
Labels: @aws-cdk/aws-ec2 (Related to Amazon Elastic Compute Cloud), bug (This issue is a bug.), effort/small (Small work item – less than a day of effort), p2

Comments

jamre commented Sep 6, 2024

Describe the bug

When creating a bastion host, I use the instance's userData to write approved public keys to .ssh/authorized_keys. However, when changing the list of authorized keys, it does not trigger the instance to be replaced, so the modification has no effect.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Changing userData would (optionally) cause the bastion host instance to be replaced.

Current Behavior

Changing userData has no effect on the bastion host instance.

Reproduction Steps

// Imports assumed for this snippet (not shown in the original report).
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { BastionHostLinux } from 'aws-cdk-lib/aws-ec2';

const vpc = new ec2.Vpc(this, 'Vpc', {
  ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/16'),
});

const bastionHost = new BastionHostLinux(this, 'Bastion', {
  vpc,
});

// Each key becomes one line of user data that appends to authorized_keys.
const sshKeys = ['foo', 'bar'];
bastionHost.instance.addUserData(
  ...sshKeys.map(key =>
    `echo ${key} >> ~ec2-user/.ssh/authorized_keys`,
  ),
);

  1. Deploy the bastion host
  2. Change the sshKeys collection
  3. Deploy the bastion host
  4. Note that the bastion host is not replaced
  5. Check .ssh/authorized_keys and see that the authorized keys have not been updated

Possible Solution

Exposing the userDataCausesReplacement property in BastionHostLinuxProps and passing that to the Instance would fix this.

e.g.

const bastionHost = new BastionHostLinux(this, 'Bastion', {
  vpc,
  userDataCausesReplacement: true,
});

Additional Information/Context

As a workaround, I have been adding the init and initOptions properties to BastionHostLinuxProps since their existence will force the instance to be replaced when userData changes.

// Imports assumed for this snippet (not shown in the original report).
import { BastionHostLinux, CloudFormationInit } from 'aws-cdk-lib/aws-ec2';

const bastionHost = new BastionHostLinux(this, 'Bastion', {
  vpc,
  // An empty init plus initOptions is enough to turn on replacement on userData change.
  init: CloudFormationInit.fromElements(),
  initOptions: {},
});

CDK CLI Version

2.149.0 (build c8e5924)

Framework Version

No response

Node.js Version

v18.20.2

OS

Ubuntu 20.04

Language

TypeScript

Language Version

No response

Other information

No response
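The following is an added example, not code from the issue or from aws-cdk-lib. It models the mechanism behind the requested userDataCausesReplacement property so the behaviour reported above (keys changed, instance not replaced) and the init/initOptions workaround can be reasoned about offline. Assumptions: the CDK Instance construct hashes the rendered user data with MD5, keeps the first 16 hex characters and appends them to the CfnInstance logical ID when the flag is on, and the flag defaults to true only when initOptions is given; the function names renderUserData, instanceLogicalId and willReplace, and the sample logical ID and keys, are invented for this example.

```typescript
// Added example (not aws-cdk-lib's own code): models how a user-data hash in
// the logical ID decides whether CloudFormation replaces an EC2 instance.
// Assumption: CDK appends md5(renderedUserData)[0:16] to the CfnInstance
// logical ID when userDataCausesReplacement is on; a changed logical ID is
// what makes CloudFormation create a new instance instead of updating in place.
import { createHash } from 'crypto';

// Stand-in for ec2.UserData.forLinux().render(): a shell script made of the
// addUserData() lines from the report, each appending one public key.
function renderUserData(sshKeys: string[]): string {
  const lines = sshKeys.map(key => `echo ${key} >> ~ec2-user/.ssh/authorized_keys`);
  return ['#!/bin/bash', ...lines].join('\n');
}

interface ReplacementOptions {
  userDataCausesReplacement?: boolean;
  // Assumption: the flag defaults to "true if initOptions is specified", which
  // is why passing an empty init/initOptions works as a workaround.
  initOptions?: object;
}

// Logical ID CloudFormation sees for the instance after synthesis.
function instanceLogicalId(
  baseLogicalId: string,
  userData: string,
  opts: ReplacementOptions = {},
): string {
  const causesReplacement = opts.userDataCausesReplacement ?? (opts.initOptions !== undefined);
  if (!causesReplacement) {
    return baseLogicalId; // same ID on every deploy: user data is ignored by the running instance
  }
  const digest = createHash('md5').update(userData).digest('hex').slice(0, 16);
  return `${baseLogicalId}${digest}`; // new ID whenever the rendered user data changes
}

// Compares two deployments of the same stack and reports whether the
// instance would be replaced (logical ID changed) or left running with the
// authorized_keys written at its first boot.
function willReplace(
  baseLogicalId: string,
  keysBefore: string[],
  keysAfter: string[],
  opts: ReplacementOptions = {},
): boolean {
  const before = instanceLogicalId(baseLogicalId, renderUserData(keysBefore), opts);
  const after = instanceLogicalId(baseLogicalId, renderUserData(keysAfter), opts);
  return before !== after;
}

// Constructed sample: a key is revoked between deployments.
const sampleBase = 'BastionInstanceA1B2C3D4';
const sampleBefore = ['ssh-ed25519 AAAAexample1 alice', 'ssh-ed25519 AAAAexample2 bob'];
const sampleAfter = ['ssh-ed25519 AAAAexample1 alice'];
console.log('default:', willReplace(sampleBase, sampleBefore, sampleAfter));
console.log('flag on:', willReplace(sampleBase, sampleBefore, sampleAfter, { userDataCausesReplacement: true }));
console.log('initOptions:', willReplace(sampleBase, sampleBefore, sampleAfter, { initOptions: {} }));
```

Because user data runs only at first boot and the script above only appends to authorized_keys, a key removed from the list is never revoked on a running instance; only a replacement (fresh instance, fresh authorized_keys) applies the new list, which is why the replacement flag matters for a bastion host.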

@jamre jamre added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 6, 2024
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Sep 6, 2024
@ashishdhingra ashishdhingra self-assigned this Sep 9, 2024
@ashishdhingra ashishdhingra added p2 investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 9, 2024
ashishdhingra (Contributor) commented:
  • Reproducible using the code below:

import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';

export class CdktestStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const vpc = ec2.Vpc.fromLookup(this, 'Vpc', {
      isDefault: true,
    });

    const bastionHost = new ec2.BastionHostLinux(this, 'Bastion', {
      vpc,
    });

    // Each key becomes one line of user data that appends to authorized_keys.
    const sshKeys = ['foo', 'bar'];
    bastionHost.instance.addUserData(
      ...sshKeys.map(key =>
        `echo ${key} >> ~ec2-user/.ssh/authorized_keys`,
      ),
    );
  }
}

  • The BastionHost instance could be connected to in the AWS EC2 console via Session Manager.
  • The keys could be listed in the Session Manager terminal prompt by executing the command sudo cat ~ec2-user/.ssh/authorized_keys.
  • Changing the sshKeys to, let's say, ['foo_modified', 'bar_modified'] and running cdk deploy appears to update the CloudFormation stack (which stops and reruns the instance), but it doesn't appear to replace the instance (which could be verified by connecting via Session Manager and displaying the keys using the command sudo cat ~ec2-user/.ssh/authorized_keys).

@ashishdhingra ashishdhingra added effort/small Small work item – less than a day of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Sep 10, 2024
2 participants