Open iamgabeortiz opened 1 year ago
Yes, maybe we could add an optional iam.IRole at ConfigureNatOptions
and use the passed-in role rather than always creating a new one: https://github.com/aws/aws-cdk/blob/642b4ac8188561df9f31fde984e844ce4c98efd4/packages/%40aws-cdk/aws-ec2/lib/nat.ts#L296-L300
However, there might be other options. Are you interested in submitting a PR for this?
Describe the bug
There is no way to interact with the Instance Profile generated for the NAT in order to attach the AmazonSSMManagedInstanceCore policy, so that Security Hub control SSM.1 (EC2 instances should be managed by AWS Systems Manager) will be happy. :)
Expected Behavior
There would be some way to access or set the Instance Profile the NAT instance will use.
Current Behavior
There is no way to access it or replace the NAT instance profile.
Reproduction Steps
Build a NAT instance as part of a VPC; the instance profile it creates has no policies attached, and there is no way to access it via the CDK.
Possible Solution
Make an instance_profile parameter on NatInstanceProvider Class. Or attach the SSM policy by default.
Additional Information/Context
https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_ec2/NatInstanceProvider.html
CDK CLI Version
2.61.1 (build d319d9c)
Framework Version
No response
Node.js Version
v14.17.0
OS
WSL: 20.04.5 LTS (Focal Fossa)
Language
Python
Language Version
Python 3.8.10
Other information
No response