(@aws-ec2): Using require_imdsv2=True creates non-unique launch templates #17656

Closed
scottbisker opened this issue Nov 23, 2021 · 5 comments · Fixed by #17766
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@scottbisker

What is the problem?

When creating an EC2 instance that has require_imdsv2=True, the module utilizes ASG Launch templates to enforce the IMDSv2 configuration by creating a Launch Template. The Launch Template name is identical to the ID parameter passed during the instance creation. If you have more than one stack in the same account/region that utilizes a standard code base where the id parameters are identical, the second stack will always fail to create complaining of duplicate Launch Template names.

Reproduction Steps

Attempt to deploy two stacks with bastion instances that incorporate this code.

Bastion EC2 Instance

    # Excerpt from a Stack subclass: self.vpc, bastion_instance_role, linux_images,
    # bastion_security_group and env_context are defined earlier in the same stack.
    from aws_cdk import aws_ec2 as ec2

    self.bastion_instance = ec2.Instance(
        self, "BastionInstance",  # construct id; the IMDSv2 launch template name is derived from it
        instance_name=self.node.try_get_context(env_context)["BastionInternalHostname"],
        instance_type=ec2.InstanceType(self.node.try_get_context(env_context)["BastionInstanceType"]),
        role=bastion_instance_role,
        machine_image=linux_images,
        require_imdsv2=True,  # triggers creation of a launch template that enforces IMDSv2
        vpc=self.vpc,
        vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC),
        security_group=bastion_security_group,
        # user_data=ec2.UserData.custom(user_data_bastion),
        block_devices=[
            ec2.BlockDevice(
                device_name="/dev/sda1",
                volume=ec2.BlockDeviceVolume.ebs(
                    32,
                    encrypted=True,
                    volume_type=ec2.EbsDeviceVolumeType.GP3,
                ),
            )
        ],
    )

What did you expect to happen?

When the launch template is created it would prefix or suffix the Launch Template with stack unique identifiers to avoid duplicate names.

What actually happened?

The second stack attempted to create a Launch Template with an identical name.

BastionInstanceLaunchTemplate already exists in stack ......

CDK CLI Version

1.33.0

Framework Version

No response

Node.js Version

14.16.1

OS

MacOS

Language

Python

Language Version

Python 3.9

Other information

No response

@scottbisker scottbisker added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 23, 2021
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Nov 23, 2021
@peterwoodworth
Contributor

The stacks creating resources with identical names is intentional! With the instance_name parameter, you are setting the physical name of the resource without any additional identifiers.

Let me know if this clears up the confusion

@peterwoodworth peterwoodworth added guidance Question that needs advice or information. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 23, 2021
@scottbisker
Author

instance_name isn't the issue in this case. I understand that by setting instance_name, I'm setting the Name tag for the instance being created. The problem is that if you specify require_imdsv2=True, then a Launch Template is created to apply the IMDSv2 configuration. When the Launch Template is created, it is created using the second parameter "BastionInstance". It creates a Launch Template with the name "BastionInstanceLaunchTemplate". There should at least be a stack identifier applied to the Launch Template name to avoid possible duplication.

@peterwoodworth
Contributor

Ah I see, my apologies for misunderstanding.

This is the line that determines the launch template name:

const name = `${node.node.id}LaunchTemplate`;

@jericht @rix0rrr is there any reason to specify the physical name of the launch template?

@peterwoodworth peterwoodworth added bug This issue is a bug. p2 effort/small Small work item – less than a day of effort and removed guidance Question that needs advice or information. labels Nov 24, 2021
@peterwoodworth peterwoodworth removed their assignment Nov 24, 2021
@jericht
Contributor

jericht commented Nov 30, 2021

@peterwoodworth There is. In my testing, I noticed the CfnLaunchTemplate construct does not auto-generate a name for the launch template. Because of this, since Instance.launchTemplate requires either a LaunchTemplateId or LaunchTemplateName, we need to supply one when we create the launch template. I believe we can fix this by changing the launch template name to a unique ID generated with Names.uniqueId (ref).

I missed these use cases in my original implementation, so I'll make a PR to fix it.
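To make the collision and the fix concrete, here is an added model (not CDK's code, and not the PR's) of the two naming schemes this thread contrasts: the legacy `${node.node.id}LaunchTemplate` name, and a stack-scoped name built from the construct path plus a short hash, which is a hypothetical stand-in for what Names.uniqueId produces (the real function's output differs). The stack names and the pre-deploy duplicate check are constructed for the example.

```python
import hashlib
from typing import Dict, List


def legacy_launch_template_name(construct_id: str) -> str:
    """Pre-fix behaviour: only the construct id is used, so two stacks that share
    a code base (and therefore share construct ids) produce the same name."""
    return f"{construct_id}LaunchTemplate"


def unique_launch_template_name(path: List[str]) -> str:
    """Stack-scoped name: readable path components followed by a short hash of
    the full construct path. Hypothetical stand-in for Names.uniqueId; only the
    property that matters here (distinct stacks -> distinct names) is modelled."""
    human = "".join(component.replace("-", "") for component in path)
    digest = hashlib.sha256("/".join(path).encode("utf-8")).hexdigest()[:8].upper()
    # Launch template names are capped at 128 characters; truncate the readable
    # prefix rather than the hash so uniqueness survives truncation.
    prefix = (human + "LaunchTemplate")[: 128 - len(digest)]
    return prefix + digest


def find_duplicate_names(names_by_stack: Dict[str, str]) -> List[str]:
    """Pre-deploy check: return every launch template name that more than one
    stack in the same account/region would try to create."""
    owners: Dict[str, List[str]] = {}
    for stack, name in names_by_stack.items():
        owners.setdefault(name, []).append(stack)
    return sorted(name for name, stacks in owners.items() if len(stacks) > 1)


# Constructed sample: two stacks deployed from the same code, same construct id.
STACKS = ["DevBastionStack", "ProdBastionStack"]
CONSTRUCT_ID = "BastionInstance"


def legacy_names() -> Dict[str, str]:
    return {stack: legacy_launch_template_name(CONSTRUCT_ID) for stack in STACKS}


def unique_names() -> Dict[str, str]:
    return {stack: unique_launch_template_name([stack, CONSTRUCT_ID]) for stack in STACKS}


if __name__ == "__main__":
    print("legacy scheme duplicates:", find_duplicate_names(legacy_names()))
    print("unique scheme duplicates:", find_duplicate_names(unique_names()))
```

With the legacy scheme the check reports `BastionInstanceLaunchTemplate` as claimed by both stacks, which is exactly the CloudFormation failure quoted in the report; with the path-hashed scheme it reports nothing.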

@mergify mergify bot closed this as completed in #17766 Jan 18, 2022
mergify bot pushed a commit that referenced this issue Jan 18, 2022
…nder feature flag) (#17766)

Fixes #17656

### Notes
Changes the name for the `LaunchTemplate` created in the aspect that enforces IMDSv2 on EC2 instances to a unique name.

Introduces a new feature flag (`@aws-cdk/aws-ec2:uniqueImdsv2TemplateName`) to change the launch template name.

### Testing
Added a unit test

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022