run on amazon linux 2023 (#379)

* run on amazon linux 2023 * encrypt ebs and use arm * formatting and tests
moia-oss · Jan 15, 2024 · ae12400 · ae12400
1 parent 6a9ca52
commit ae12400
Show file tree

Hide file tree

Showing 8 changed files with 70 additions and 20 deletions.
diff --git a/.gitignore b/.gitignore
@@ -8,6 +8,7 @@ tags
 dist/
 test/__snapshots__/
 # CDK asset staging directory
+tsconfig.tsbuildinfo
 .cdk.staging
 cdk.out
 .idea/
diff --git a/lib/bastion-host-forward.ts b/lib/bastion-host-forward.ts
@@ -12,7 +12,18 @@
 */
 
 import { Fn } from 'aws-cdk-lib';
-import { BastionHostLinux, MachineImage, SecurityGroup, UserData } from 'aws-cdk-lib/aws-ec2';
+import {
+  AmazonLinuxCpuType,
+  AmazonLinuxGeneration,
+  AmazonLinuxImage,
+  BastionHostLinux,
+  BlockDeviceVolume,
+  InstanceClass,
+  InstanceSize,
+  InstanceType,
+  SecurityGroup,
+  UserData,
+} from 'aws-cdk-lib/aws-ec2';
 import type { CfnInstance, ISecurityGroup } from 'aws-cdk-lib/aws-ec2';
 import { Construct } from 'constructs';
 
@@ -62,7 +73,7 @@ Content-Transfer-Encoding: 7bit
 Content-Disposition: attachment; filename="userdata.txt"
 #!/bin/bash
 mount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc
-yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
+yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_arm64/amazon-ssm-agent.rpm
 yum install -y haproxy
 echo "${generateHaProxyBaseConfig(config)}" > /etc/haproxy/haproxy.cfg
 service haproxy restart
@@ -103,7 +114,19 @@ export class BastionHostForward extends Construct {
     this.bastionHost = new BastionHostLinux(this, 'BastionHost', {
       requireImdsv2: true,
       instanceName: props.name ?? 'BastionHost',
-      machineImage: MachineImage.latestAmazonLinux2(),
+      machineImage: new AmazonLinuxImage({
+        cpuType: AmazonLinuxCpuType.ARM_64,
+        generation: AmazonLinuxGeneration.AMAZON_LINUX_2023,
+      }),
+      instanceType: InstanceType.of(InstanceClass.T4G, InstanceSize.NANO),
+      blockDevices: [
+        {
+          deviceName: '/dev/xvda',
+          volume: BlockDeviceVolume.ebs(10, {
+            encrypted: true,
+          }),
+        },
+      ],
       vpc: props.vpc,
       securityGroup: this.securityGroup,
     });

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -47,7 +47,7 @@
     "@types/jest": "^27.4.1",
     "@types/node": "20.10.1",
     "constructs": "10.3.0",
-    "aws-cdk-lib": "2.117.0",
+    "aws-cdk-lib": "2.121.1",
     "eslint": "^8.6.0",
     "jest": "^27.4.7",
     "jsii": "^5.0.3",
@@ -59,8 +59,8 @@
     "typescript": "^4.5.2"
   },
   "peerDependencies": {
-    "constructs": "^10.2.1",
-    "aws-cdk-lib": "^2.76.0"
+    "constructs": "^10.3.0",
+    "aws-cdk-lib": "^2.121.1"
   },
   "dependencies": {}
 }
diff --git a/test/aurora-serverless.test.ts b/test/aurora-serverless.test.ts
@@ -45,7 +45,7 @@ test('Bastion Host created for normal username/password access', () => {
         'Fn::Join': [
           '',
           [
-            'Content-Type: multipart/mixed; boundary="//"\nMIME-Version: 1.0\n--//\nContent-Type: text/cloud-config; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="cloud-config.txt"\n#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\n--//\nContent-Type: text/x-shellscript; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="userdata.txt"\n#!/bin/bash\nmount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc\nyum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm\nyum install -y haproxy\necho "listen database\n  bind 0.0.0.0:',
+            'Content-Type: multipart/mixed; boundary="//"\nMIME-Version: 1.0\n--//\nContent-Type: text/cloud-config; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="cloud-config.txt"\n#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\n--//\nContent-Type: text/x-shellscript; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="userdata.txt"\n#!/bin/bash\nmount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc\nyum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_arm64/amazon-ssm-agent.rpm\nyum install -y haproxy\necho "listen database\n  bind 0.0.0.0:',
             {
               'Fn::GetAtt': ['TestAurora252434E9', 'Endpoint.Port'],
             },
@@ -97,7 +97,7 @@ test('Bastion Host created with extended Role for IAM Connection', () => {
         'Fn::Join': [
           '',
           [
-            'Content-Type: multipart/mixed; boundary="//"\nMIME-Version: 1.0\n--//\nContent-Type: text/cloud-config; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="cloud-config.txt"\n#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\n--//\nContent-Type: text/x-shellscript; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="userdata.txt"\n#!/bin/bash\nmount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc\nyum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm\nyum install -y haproxy\necho "listen database\n  bind 0.0.0.0:',
+            'Content-Type: multipart/mixed; boundary="//"\nMIME-Version: 1.0\n--//\nContent-Type: text/cloud-config; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="cloud-config.txt"\n#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\n--//\nContent-Type: text/x-shellscript; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="userdata.txt"\n#!/bin/bash\nmount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc\nyum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_arm64/amazon-ssm-agent.rpm\nyum install -y haproxy\necho "listen database\n  bind 0.0.0.0:',
             {
               'Fn::GetAtt': ['TestAurora252434E9', 'Endpoint.Port'],
             },

diff --git a/test/generic-bastion-host-forward.test.ts b/test/generic-bastion-host-forward.test.ts
@@ -37,7 +37,7 @@ test('Bastion Host created for normal access', () => {
   template.hasResourceProperties('AWS::EC2::Instance', {
     UserData: {
       'Fn::Base64':
-        'Content-Type: multipart/mixed; boundary="//"\nMIME-Version: 1.0\n--//\nContent-Type: text/cloud-config; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="cloud-config.txt"\n#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\n--//\nContent-Type: text/x-shellscript; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="userdata.txt"\n#!/bin/bash\nmount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc\nyum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm\nyum install -y haproxy\necho "listen database\n  bind 0.0.0.0:6379\n  timeout connect 10s\n  timeout client 20m\n  timeout server 50m\n  mode tcp\n  server service 127.0.0.1:6379\n" > /etc/haproxy/haproxy.cfg\nservice haproxy restart\n--//',
+        'Content-Type: multipart/mixed; boundary="//"\nMIME-Version: 1.0\n--//\nContent-Type: text/cloud-config; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="cloud-config.txt"\n#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\n--//\nContent-Type: text/x-shellscript; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="userdata.txt"\n#!/bin/bash\nmount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc\nyum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_arm64/amazon-ssm-agent.rpm\nyum install -y haproxy\necho "listen database\n  bind 0.0.0.0:6379\n  timeout connect 10s\n  timeout client 20m\n  timeout server 50m\n  mode tcp\n  server service 127.0.0.1:6379\n" > /etc/haproxy/haproxy.cfg\nservice haproxy restart\n--//',
     },
     Tags: [
       {
@@ -72,3 +72,30 @@ test('Bastion Host with own securityGroup', () => {
   assert.equal(securityGroup.securityGroupId, bastionHostSecurityGroup.securityGroupId);
   assert.equal(securityGroup.allowAllOutbound, bastionHostSecurityGroup.allowAllOutbound);
 });
+
+test('Bastion Host has encrypted EBS', () => {
+  const app = new App();
+  const stack = new Stack(app, 'TestStack');
+  const testVpc = new Vpc(stack, 'TestVpc');
+
+  // WHEN
+  new GenericBastionHostForward(stack, 'MyTestConstruct', {
+    vpc: testVpc,
+    address: '127.0.0.1',
+    port: '6379',
+  });
+
+  const template = Template.fromStack(stack);
+
+  // THEN
+  template.hasResourceProperties('AWS::EC2::Instance', {
+    BlockDeviceMappings: [
+      {
+        DeviceName: '/dev/xvda',
+        Ebs: {
+          Encrypted: true,
+        },
+      },
+    ],
+  });
+});
diff --git a/test/rds.test.ts b/test/rds.test.ts
@@ -46,7 +46,7 @@ test('Bastion Host created for normal username/password access', () => {
         'Fn::Join': [
           '',
           [
-            'Content-Type: multipart/mixed; boundary="//"\nMIME-Version: 1.0\n--//\nContent-Type: text/cloud-config; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="cloud-config.txt"\n#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\n--//\nContent-Type: text/x-shellscript; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="userdata.txt"\n#!/bin/bash\nmount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc\nyum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm\nyum install -y haproxy\necho "listen database\n  bind 0.0.0.0:',
+            'Content-Type: multipart/mixed; boundary="//"\nMIME-Version: 1.0\n--//\nContent-Type: text/cloud-config; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="cloud-config.txt"\n#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\n--//\nContent-Type: text/x-shellscript; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="userdata.txt"\n#!/bin/bash\nmount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc\nyum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_arm64/amazon-ssm-agent.rpm\nyum install -y haproxy\necho "listen database\n  bind 0.0.0.0:',
             {
               'Fn::GetAtt': ['TestRDSDF309CB7', 'Endpoint.Port'],
             },
@@ -99,7 +99,7 @@ test('Bastion Host created with extended Role for IAM RDS Connection', () => {
         'Fn::Join': [
           '',
           [
-            'Content-Type: multipart/mixed; boundary="//"\nMIME-Version: 1.0\n--//\nContent-Type: text/cloud-config; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="cloud-config.txt"\n#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\n--//\nContent-Type: text/x-shellscript; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="userdata.txt"\n#!/bin/bash\nmount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc\nyum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm\nyum install -y haproxy\necho "listen database\n  bind 0.0.0.0:',
+            'Content-Type: multipart/mixed; boundary="//"\nMIME-Version: 1.0\n--//\nContent-Type: text/cloud-config; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="cloud-config.txt"\n#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\n--//\nContent-Type: text/x-shellscript; charset="us-ascii"\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Disposition: attachment; filename="userdata.txt"\n#!/bin/bash\nmount -o remount,rw,nosuid,nodev,noexec,relatime,hidepid=2 /proc\nyum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_arm64/amazon-ssm-agent.rpm\nyum install -y haproxy\necho "listen database\n  bind 0.0.0.0:',
             {
               'Fn::GetAtt': ['TestRDSDF309CB7', 'Endpoint.Port'],
             },

diff --git a/tsconfig.tsbuildinfo b/tsconfig.tsbuildinfo