hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

How to disable the source destination check in autoscaling groups? #16496

Open chowmean opened 3 years ago

chowmean commented 3 years ago

Description

It is possible to disable the source-destination check through autoscaling groups. I didn't find any code related to this.

New or Affected Resource(s)

If not present, can this be implemented, as I am not able to find this in autoscaling group templates in boto APIs?

ljluestc commented 9 months ago

Disabling the source/destination check (often referred to as "EC2 ClassicLink") is a VPC-specific configuration, and it is not directly managed by an Auto Scaling group. Therefore, you need to modify the underlying EC2 instances' network interfaces to disable this setting.

Here's a step-by-step approach to achieve this:

  1. Create Launch Configuration: Ensure that you have an AWS Launch Configuration that defines how your EC2 instances are launched. If you don't have one, create it.

  2. Modify Network Interface: To disable the source/destination check, you need to modify the network interface settings when launching instances. Add the source_dest_check attribute to your Launch Configuration. Set it to false to disable source/destination checking for the instances.

Here's an example using AWS CLI to modify an existing Launch Configuration:

aws autoscaling create-launch-configuration --launch-configuration-name my-launch-config \
    --image-id ami-0123456789abcdef0 \
    --instance-type t2.micro \
    --security-groups sg-0123456789abcdef0 \
    --key-name my-key-pair \
    --user-data "your-user-data-script" \
    --no-source-dest-check  # This disables source/destination checks

  3. Update Auto Scaling Group: Once you've updated the Launch Configuration, you need to update your Auto Scaling group to use the new Launch Configuration. You can do this using the AWS CLI or Terraform.

Here's an example using Terraform to update an Auto Scaling group:

resource "aws_autoscaling_group" "example" {
  name                 = "example"
  launch_configuration = aws_launch_configuration.my_launch_config.name
  # Other Auto Scaling group settings
}

resource "aws_launch_configuration" "my_launch_config" {
  name_prefix          = "my-launch-config"
  image_id             = "ami-0123456789abcdef0"
  instance_type        = "t2.micro"
  security_groups      = ["sg-0123456789abcdef0"]
  key_name             = "my-key-pair"
  user_data            = "your-user-data-script"
  source_dest_check    = false  # Disable source/destination checks
}

  4. Launch New Instances: As your Auto Scaling group scales, new instances will be launched with the updated Launch Configuration, which includes the source_dest_check attribute set to false.

Keep in mind that the ability to disable source/destination checks depends on the specific VPC configuration and instance types you are using. It's also important to understand the security implications of disabling source/destination checks in your network environment.

awalker125 commented 1 week ago

I'm not sure if the last comment is a suggestion on how it could be implemented, but it doesn't seem to work.

There is a workaround on Stack Overflow here which involves adding this to the userdata script of the EC2:

aws ec2 modify-instance-attribute --no-source-dest-check --instance-id $EC2_INSTANCE_ID --region <REGION-WHERE-EC2-INSTANCE-IS-LAUNCHED>

I don't think this works unless you have internet access via internet/NAT gateway.

Being able to set the source dest check in the autoscale group would be useful for setting up gateway load balancers in 2 arm mode. I believe you need source dest check disabled in that scenario.
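
The user data workaround mentioned in the comment above, written out as an added example (not part of the original thread and not the provider's code): it reads the instance ID and region from IMDSv2, disables the check, and reads the attribute back to confirm the change took effect. It assumes the AWS CLI is installed on the AMI, the instance profile allows ec2:ModifyInstanceAttribute and ec2:DescribeInstanceAttribute, and the instance can reach the EC2 API; the function names are illustrative.

```shell
#!/bin/bash
# Added example: EC2 user data that disables the source/destination check on
# the instance it runs on. Assumed: AWS CLI on the AMI, an instance profile
# allowing ec2:ModifyInstanceAttribute and ec2:DescribeInstanceAttribute, and
# a network path to the EC2 API. Function names are illustrative.
IMDS="http://169.254.169.254/latest"

# Fetch one metadata path using a short-lived IMDSv2 session token.
imds_get() {
  local token
  token=$(curl -sf --max-time 5 -X PUT "$IMDS/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
  curl -sf --max-time 5 -H "X-aws-ec2-metadata-token: $token" \
    "$IMDS/meta-data/$1"
}

# Disable the check, then read the attribute back so that a missing IAM
# permission or an unreachable API endpoint fails loudly instead of leaving
# an instance that silently drops forwarded traffic.
disable_source_dest_check() {
  local id region state
  id=$(imds_get instance-id) || { echo "IMDS unreachable" >&2; return 1; }
  region=$(imds_get placement/region) || return 1
  case "$id" in i-*) ;; *) echo "unexpected instance id: $id" >&2; return 1 ;; esac
  aws ec2 modify-instance-attribute --region "$region" \
    --instance-id "$id" --no-source-dest-check || return 1
  state=$(aws ec2 describe-instance-attribute --region "$region" \
    --instance-id "$id" --attribute sourceDestCheck \
    --query 'SourceDestCheck.Value' --output text) || return 1
  case "$state" in
    [Ff]alse) echo "source/dest check disabled on $id" ;;
    *) echo "source/dest check still '$state' on $id" >&2; return 1 ;;
  esac
}

# Guard: act only on a machine provisioned by cloud-init (which is what
# executes user data), so the file can be sourced elsewhere without effects.
if [ -d /var/lib/cloud/instance ]; then
  disable_source_dest_check
fi
```

Scoping the instance role's ec2:ModifyInstanceAttribute permission to instances of this Auto Scaling group keeps the role from changing attributes on unrelated instances.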

awalker125 commented 1 week ago

I think this can't be currently implemented; see #29561