cloud/awscloud: specify subnets when creating secure instance

For non-default VPCs, AWS needs the subnets it can launch the instance in, otherwise it will try to launch the instance in the default VPC, even if the supplied security groups are attached to a non-default VPC. Furthermore there can only be 1 subnet specified per availability zone, so query the subnets in the VPC of the host (as the instance needs to be launched in the same network), and pick 1 of the VPC's subnets per AZ.
2024-02-14 12:06:26 +01:00 · 2024-02-14 12:06:26 +01:00 · 7fd150b938
commit 7fd150b938
parent d5fd1bbbf0
1 changed files with 32 additions and 0 deletions
--- a/internal/cloud/awscloud/secure-instance.go
+++ b/internal/cloud/awscloud/secure-instance.go
@ -73,6 +73,37 @@ func (a *AWS) RunSecureInstance(iamProfile string) (*SecureInstance, error) {
 		return nil, err
 	}

+	descrSubnetsOutput, err := a.ec2.DescribeSubnets(&ec2.DescribeSubnetsInput{
+		Filters: []*ec2.Filter{
+			&ec2.Filter{
+				Name: aws.String("vpc-id"),
+				Values: []*string{
+					aws.String(vpcID),
+				},
+			},
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+	if len(descrSubnetsOutput.Subnets) == 0 {
+		return nil, fmt.Errorf("Expected at least 1 subnet in the VPC, got 0")
+	}
+
+	// For creating a fleet in a non-default VPC, AWS needs the subnets, and at most 1 subnet per AZ.
+	// If a VPC has multiple subnets for a single AZ, only pick the first one.
+	overrides := []*ec2.FleetLaunchTemplateOverridesRequest{}
+	availZones := map[string]struct{}{}
+	for _, subnet := range descrSubnetsOutput.Subnets {
+		az := *subnet.AvailabilityZone
+		if _, ok := availZones[az]; !ok {
+			overrides = append(overrides, &ec2.FleetLaunchTemplateOverridesRequest{
+				SubnetId: subnet.SubnetId,
+			})
+			availZones[az] = struct{}{}
+		}
+	}
+
 	createFleetOutput, err := a.ec2.CreateFleet(&ec2.CreateFleetInput{
 		LaunchTemplateConfigs: []*ec2.FleetLaunchTemplateConfigRequest{
 			&ec2.FleetLaunchTemplateConfigRequest{
@ -80,6 +111,7 @@ func (a *AWS) RunSecureInstance(iamProfile string) (*SecureInstance, error) {
 					LaunchTemplateId: aws.String(secureInstance.LTID),
 					Version:          aws.String("1"),
 				},
+				Overrides: overrides,
 			},
 		},
 		TagSpecifications: []*ec2.TagSpecification{