Closed tduffield closed 3 years ago
Yup, I'm totally all for option 2.
@lox We have a strong need for option 2. Do you mind if I open a PR for it?
We would love that @xiaket!
Hey @lox! I just gave it a go and would like some input on a few details from you and the community before I finalize a PR:
Thanks!
> Hey @lox! I just gave it a go and would like some input on a few details from you and the community before I finalize a PR:
> - Do we want to enable SSM session access by default or do we want to provide a flag as a parameter and allow the user to enable it?

SSM by default, with an appropriate IAM policy.

> - Since we are going towards a setup where no keypair is assigned to the ASG, I think we should also explicitly disable the SSH service, what is your opinion on this?

I would, yes. SSM should provide enough access without having to do SSH or port forwarding sessions.
@pda @yob and @chloeruka will be able to assist!
@jamesholmes-linktree's feedback looks reasonable to me. If someone was to pick this up, I think we'd be happy to have enabling SSM and disabling SSH within the same PR.
This is an issue to track the discussion that started in https://github.com/buildkite/elastic-ci-stack-for-aws/pull/598.
Right now, SSH is open by default on Linux instances, but no such RDP access is made available for Windows. Ideally, we'd want access behavior to be consistent between the two platforms.
There were two solutions thrown out in the PR linked above:
It seems that consensus was moving towards option 2 at the time of issue creation.