aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0
11.33k stars 3.76k forks

aws_cdk.aws_ec2.NatInstanceProvider: Access NAT Instance Profile #23894

Open iamgabeortiz opened 1 year ago

iamgabeortiz commented 1 year ago

Describe the bug

There is no way to interact with the Instance Profile generated for the NAT in order to attach the AmazonSSMManagedInstanceCore policy, so that Security Hub control SSM.1 ("EC2 instances should be managed by AWS Systems Manager") will be happy. :)

Expected Behavior

There would be some way to access or set the Instance Profile the NAT instance will use.

Current Behavior

There is no way to access it or replace the NAT instance profile.

Reproduction Steps

Build a NAT instance as part of a VPC: the instance profile it creates has no policies attached, and there is no way to access it via the CDK.

Possible Solution

Make an instance_profile parameter on the NatInstanceProvider class, or attach the SSM policy by default.

Additional Information/Context

https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_ec2/NatInstanceProvider.html

CDK CLI Version

2.61.1 (build d319d9c)

Framework Version

No response

Node.js Version

v14.17.0

OS

WSL: 20.04.5 LTS (Focal Fossa)

Language

Python

Language Version

Python 3.8.10

Other information

No response

pahud commented 1 year ago

Yes, maybe we could add an optional iam.IRole to ConfigureNatOptions.

And use the passed-in role rather than always creating a new one: https://github.com/aws/aws-cdk/blob/642b4ac8188561df9f31fde984e844ce4c98efd4/packages/%40aws-cdk/aws-ec2/lib/nat.ts#L296-L300

However, there might be other options. Are you interested in submitting a PR for this?