aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(ec2): reference to IVolume.grantAttachVolumeToSelf #23028

Open maddenp opened 2 years ago

maddenp commented 2 years ago

Describe the issue

The IVolume API docs state

CAUTION: Granting an instance permission to attach to itself using this method will lead to an unresolvable circular reference between the instance role and the instance. Use {@link IVolume.grantAttachVolumeToSelf} to grant an instance permission to attach this volume to itself.

I cannot find a method grantAttachVolumeToSelf (or the Python equivalent) when inspecting a Volume object. Is this something that was removed, or maybe not yet implemented? Or have I misunderstood?

I am trying to resolve such a circular reference, cannot find a reasonable way, and am thinking that I will have to resort to working with CfnInstance instead of Instance, as mounting an existing EBS volume to a new EC2 instance at instance creation time was straightforward using CloudFormation directly in the past.

Thanks in advance for any feedback or ideas.

Links

https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/IVolume.html
https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.IVolume.html

maddenp commented 2 years ago

The description of method grant_attach_volume_by_resource_tag (just below grant_attach_volume whose text I quoted above) says

If you are looking to grant an Instance, AutoScalingGroup, EC2-Fleet, SpotFleet, ECS host, etc the ability to attach this volume to itself then this is the method you want to use.

So, this may address my original problem. Should the reference to grantAttachVolumeToSelf be updated to point to this method instead?

peterwoodworth commented 2 years ago

Yes @maddenp, try out this method grant_attach_volume_by_resource_tag and let me know if it suits your use case. We should properly document what method should actually be used, thanks for reporting!

maddenp commented 2 years ago

Hi @peterwoodworth, and thanks for the fast response. I can confirm that grant_attach_volume_by_resource_tag resolves the circular reference issue. (For anyone finding this ticket looking for a solution, example code is available in the docs here: https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_ec2/README.html#instances-attaching-volumes-to-themselves.) So, I suspect that the pages referenced in the description (and those for other languages) just need an update to point to this method instead of the seemingly non-existent grantAttachVolumeToSelf.

FWIW, I do miss in Volume the ability present in raw CFN to actually perform the volume attachment; using grant_attach_volume_by_resource_tag provides the permissions to attach the volume, but then separate code has to be provided, calling aws sts or similar, to be run on the EC2 instance to actually perform the attachment. It looks like the CfnInstance construct still supports automated attachment, so it would be nice if that could be supported in the higher-level Volume construct.
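Added illustration, not code from this issue or from the CDK project: a simplified model of the IAM statement that the two grant styles produce, showing why a tag-based condition avoids the instance-role/instance cycle. The tag key format, ARNs, account id and the mini policy evaluator are constructed assumptions.

```python
# Added example (not CDK code): model of the two grant styles discussed above.
# Tag key/value format, ARNs and the evaluator are simplified assumptions.
import fnmatch


def attach_statement_by_instance_arn(volume_arn: str, instance_arn: str) -> dict:
    """grant_attach_volume(instance) style: the statement embeds the instance ARN.
    In a CDK stack that ARN is a token of an instance that itself depends on the
    role carrying this statement, which is the circular reference."""
    return {"Effect": "Allow", "Action": "ec2:AttachVolume",
            "Resource": [volume_arn, instance_arn]}


def attach_statement_by_tag(volume_arn: str, region: str, account: str,
                            tag_key: str, tag_value: str) -> dict:
    """grant_attach_volume_by_resource_tag style: Resource is instance/* and the
    grant is narrowed by a tag that is applied to both the volume and the instance,
    so the policy never has to reference the instance itself."""
    return {
        "Effect": "Allow",
        "Action": "ec2:AttachVolume",
        "Resource": [volume_arn, f"arn:aws:ec2:{region}:{account}:instance/*"],
        "Condition": {"ForAnyValue:StringEquals": {f"ec2:ResourceTag/{tag_key}": tag_value}},
    }


def is_allowed(stmt: dict, action: str, resources: dict) -> bool:
    """Minimal evaluator (constructed, not the real IAM engine): every resource in the
    request must match a Resource pattern and carry each required ec2:ResourceTag."""
    if stmt["Effect"] != "Allow" or stmt["Action"] != action:
        return False
    conds = stmt.get("Condition", {}).get("ForAnyValue:StringEquals", {})
    for arn, tags in resources.items():
        if not any(fnmatch.fnmatchcase(arn, pat) for pat in stmt["Resource"]):
            return False
        for cond_key, cond_value in conds.items():
            if tags.get(cond_key.removeprefix("ec2:ResourceTag/")) != cond_value:
                return False
    return True


# Constructed sample identifiers (AWS documentation-style placeholder account id).
TAG_KEY, TAG_VALUE = "VolumeGrantAttach-ABCDEF1234", "abcdef1234"
VOLUME = "arn:aws:ec2:us-east-1:111122223333:volume/vol-0123456789abcdef0"
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
STMT = attach_statement_by_tag(VOLUME, "us-east-1", "111122223333", TAG_KEY, TAG_VALUE)


def demo() -> tuple:
    """Tagged volume+instance pair is allowed; an untagged instance is denied."""
    tagged = {VOLUME: {TAG_KEY: TAG_VALUE}, INSTANCE: {TAG_KEY: TAG_VALUE}}
    untagged = {VOLUME: {TAG_KEY: TAG_VALUE}, INSTANCE: {}}
    return (is_allowed(STMT, "ec2:AttachVolume", tagged),
            is_allowed(STMT, "ec2:AttachVolume", untagged))
```

The actual `attach-volume` call still has to run on the instance, as noted above; the tag only scopes which instance/volume pair the role may attach.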