particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

cloud/awscloud: switch ec2 to v2 sdk

Browse source
This commit is contained in:
Sanne Raymaekers 2024-08-01 16:36:00 +02:00
parent 8d158f6031
commit 810e9133e8
3 changed files with 434 additions and 406 deletions
Download patch file Download diff file Expand all files Collapse all files

366
internal/cloud/awscloud/secure-instance.go
View file

@ -1,13 +1,18 @@
package awscloud
import (
"context"
"encoding/base64"
"errors"
"fmt"
"strings"
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/service/ec2"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
"github.com/aws/aws-sdk-go-v2/service/ec2"
ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
smithy "github.com/aws/smithy-go"
"github.com/sirupsen/logrus"
)
@ -15,7 +20,7 @@ type SecureInstance struct {
FleetID string
SGID string
LTID string
Instance *ec2.Instance
Instance *ec2types.Instance
InstanceID string
}
@ -47,17 +52,20 @@ write_files:
// Runs an instance with a security group that only allows traffic to
// the host. Will replace resources if they already exists.
func (a *AWS) RunSecureInstance(iamProfile, keyName, cloudWatchGroup, hostname string) (*SecureInstance, error) {
identity, err := a.ec2metadata.GetInstanceIdentityDocument()
identity, err := a.ec2imds.GetInstanceIdentityDocument(context.Background(), &imds.GetInstanceIdentityDocumentInput{})
if err != nil {
logrus.Errorf("Error getting the identity document, %s", err)
return nil, err
}
descrInstancesOutput, err := a.ec2.DescribeInstances(&ec2.DescribeInstancesInput{
InstanceIds: []*string{
aws.String(identity.InstanceID),
descrInstancesOutput, err := a.ec2.DescribeInstances(
context.Background(),
&ec2.DescribeInstancesInput{
InstanceIds: []string{
identity.InstanceID,
},
},
})
)
if err != nil {
return nil, err
}
@ -66,7 +74,6 @@ func (a *AWS) RunSecureInstance(iamProfile, keyName, cloudWatchGroup, hostname s
}
vpcID := *descrInstancesOutput.Reservations[0].Instances[0].VpcId
imageID := *descrInstancesOutput.Reservations[0].Instances[0].ImageId
instanceType := *descrInstancesOutput.Reservations[0].Instances[0].InstanceType
subnetID := *descrInstancesOutput.Reservations[0].Instances[0].SubnetId
secureInstance := &SecureInstance{}
@ -96,7 +103,7 @@ func (a *AWS) RunSecureInstance(iamProfile, keyName, cloudWatchGroup, hostname s
return nil, err
}
ltID, err := a.createOrReplaceLT(identity.InstanceID, imageID, sgID, instanceType, iamProfile, keyName, cloudWatchGroup, hostname)
ltID, err := a.createOrReplaceLT(identity.InstanceID, imageID, sgID, iamProfile, keyName, cloudWatchGroup, hostname)
if ltID != "" {
secureInstance.LTID = ltID
}
@ -104,16 +111,18 @@ func (a *AWS) RunSecureInstance(iamProfile, keyName, cloudWatchGroup, hostname s
return nil, err
}
descrSubnetsOutput, err := a.ec2.DescribeSubnets(&ec2.DescribeSubnetsInput{
Filters: []*ec2.Filter{
&ec2.Filter{
Name: aws.String("vpc-id"),
Values: []*string{
aws.String(vpcID),
descrSubnetsOutput, err := a.ec2.DescribeSubnets(
context.Background(),
&ec2.DescribeSubnetsInput{
Filters: []ec2types.Filter{
ec2types.Filter{
Name: aws.String("vpc-id"),
Values: []string{
vpcID,
},
},
},
},
})
})
if err != nil {
return nil, err
}
@ -122,59 +131,66 @@ func (a *AWS) RunSecureInstance(iamProfile, keyName, cloudWatchGroup, hostname s
}
createFleetOutput, err := a.createFleet(&ec2.CreateFleetInput{
LaunchTemplateConfigs: []*ec2.FleetLaunchTemplateConfigRequest{
&ec2.FleetLaunchTemplateConfigRequest{
LaunchTemplateSpecification: &ec2.FleetLaunchTemplateSpecificationRequest{
LaunchTemplateConfigs: []ec2types.FleetLaunchTemplateConfigRequest{
ec2types.FleetLaunchTemplateConfigRequest{
LaunchTemplateSpecification: &ec2types.FleetLaunchTemplateSpecificationRequest{
LaunchTemplateId: aws.String(secureInstance.LTID),
Version: aws.String("1"),
},
Overrides: []*ec2.FleetLaunchTemplateOverridesRequest{
&ec2.FleetLaunchTemplateOverridesRequest{
Overrides: []ec2types.FleetLaunchTemplateOverridesRequest{
ec2types.FleetLaunchTemplateOverridesRequest{
SubnetId: aws.String(subnetID),
},
},
},
},
TagSpecifications: []*ec2.TagSpecification{
&ec2.TagSpecification{
ResourceType: aws.String(ec2.ResourceTypeInstance),
Tags: []*ec2.Tag{
&ec2.Tag{
TagSpecifications: []ec2types.TagSpecification{
ec2types.TagSpecification{
ResourceType: ec2types.ResourceTypeInstance,
Tags: []ec2types.Tag{
ec2types.Tag{
Key: aws.String("parent"),
Value: aws.String(identity.InstanceID),
},
},
},
},
TargetCapacitySpecification: &ec2.TargetCapacitySpecificationRequest{
DefaultTargetCapacityType: aws.String(ec2.DefaultTargetCapacityTypeSpot),
TotalTargetCapacity: aws.Int64(1),
TargetCapacitySpecification: &ec2types.TargetCapacitySpecificationRequest{
DefaultTargetCapacityType: ec2types.DefaultTargetCapacityTypeSpot,
TotalTargetCapacity: aws.Int32(1),
},
SpotOptions: &ec2.SpotOptionsRequest{
AllocationStrategy: aws.String(ec2.SpotAllocationStrategyPriceCapacityOptimized),
SpotOptions: &ec2types.SpotOptionsRequest{
AllocationStrategy: ec2types.SpotAllocationStrategyPriceCapacityOptimized,
},
Type: aws.String(ec2.FleetTypeInstant),
Type: ec2types.FleetTypeInstant,
})
if err != nil {
return nil, err
}
secureInstance.FleetID = *createFleetOutput.FleetId
secureInstance.InstanceID = createFleetOutput.Instances[0].InstanceIds[0]
secureInstance.InstanceID = *createFleetOutput.Instances[0].InstanceIds[0]
err = a.ec2.WaitUntilInstanceStatusOk(&ec2.DescribeInstanceStatusInput{
InstanceIds: []*string{
aws.String(secureInstance.InstanceID),
instWaiter := ec2.NewInstanceStatusOkWaiter(a.ec2)
err = instWaiter.Wait(
context.Background(),
&ec2.DescribeInstanceStatusInput{
InstanceIds: []string{
secureInstance.InstanceID,
},
},
})
time.Hour,
)
if err != nil {
return nil, err
}
descrInstOutput, err := a.ec2.DescribeInstances(&ec2.DescribeInstancesInput{
InstanceIds: []*string{
aws.String(secureInstance.InstanceID),
},
})
descrInstOutput, err := a.ec2.DescribeInstances(
context.Background(),
&ec2.DescribeInstancesInput{
InstanceIds: []string{
secureInstance.InstanceID,
},
})
if err != nil {
return nil, err
}
@ -184,7 +200,7 @@ func (a *AWS) RunSecureInstance(iamProfile, keyName, cloudWatchGroup, hostname s
if len(descrInstOutput.Reservations[0].Instances) != 1 {
return nil, fmt.Errorf("Expected exactly 1 instance for instance: %s, got %d", secureInstance.InstanceID, len(descrInstOutput.Reservations[0].Instances))
}
secureInstance.Instance = descrInstOutput.Reservations[0].Instances[0]
secureInstance.Instance = &descrInstOutput.Reservations[0].Instances[0]
return secureInstance, nil
}
@ -205,14 +221,16 @@ func (a *AWS) TerminateSecureInstance(si *SecureInstance) error {
}
func (a *AWS) terminatePreviousSI(hostInstanceID string) (string, error) {
descrInstancesOutput, err := a.ec2.DescribeInstances(&ec2.DescribeInstancesInput{
Filters: []*ec2.Filter{
&ec2.Filter{
Name: aws.String("tag:parent"),
Values: []*string{aws.String(hostInstanceID)},
descrInstancesOutput, err := a.ec2.DescribeInstances(
context.Background(),
&ec2.DescribeInstancesInput{
Filters: []ec2types.Filter{
ec2types.Filter{
Name: aws.String("tag:parent"),
Values: []string{hostInstanceID},
},
},
},
})
})
if err != nil {
return "", err
}
@ -220,29 +238,39 @@ func (a *AWS) terminatePreviousSI(hostInstanceID string) (string, error) {
return "", nil
}
if *descrInstancesOutput.Reservations[0].Instances[0].State.Name == ec2.InstanceStateNameTerminated {
if descrInstancesOutput.Reservations[0].Instances[0].State.Name == ec2types.InstanceStateNameTerminated {
return "", nil
}
instanceID := descrInstancesOutput.Reservations[0].Instances[0].InstanceId
_, err = a.ec2.TerminateInstances(&ec2.TerminateInstancesInput{
InstanceIds: []*string{instanceID},
})
instanceID := *descrInstancesOutput.Reservations[0].Instances[0].InstanceId
_, err = a.ec2.TerminateInstances(
context.Background(),
&ec2.TerminateInstancesInput{
InstanceIds: []string{instanceID},
},
)
if err != nil {
return *instanceID, err
return instanceID, err
}
err = a.ec2.WaitUntilInstanceTerminated(&ec2.DescribeInstancesInput{
InstanceIds: []*string{instanceID},
})
instTermWaiter := ec2.NewInstanceTerminatedWaiter(a.ec2)
err = instTermWaiter.Wait(
context.Background(),
&ec2.DescribeInstancesInput{
InstanceIds: []string{instanceID},
},
time.Hour,
)
if err != nil {
return *instanceID, err
return instanceID, err
}
return *instanceID, nil
return instanceID, nil
}
func isInvalidGroupNotFoundErr(err error) bool {
if awsErr, ok := err.(awserr.Error); ok {
if awsErr.Code() == "InvalidGroup.NotFound" {
var apiErr smithy.APIError
if errors.As(err, &apiErr) {
if apiErr.ErrorCode() == "InvalidGroup.NotFound" {
return true
}
}
@ -251,53 +279,63 @@ func isInvalidGroupNotFoundErr(err error) bool {
func (a *AWS) createOrReplaceSG(hostInstanceID, hostIP, vpcID string) (string, error) {
sgName := fmt.Sprintf("SG for %s (%s)", hostInstanceID, hostIP)
descrSGOutput, err := a.ec2.DescribeSecurityGroups(&ec2.DescribeSecurityGroupsInput{
Filters: []*ec2.Filter{
&ec2.Filter{
Name: aws.String("group-name"),
Values: []*string{
aws.String(sgName),
descrSGOutput, err := a.ec2.DescribeSecurityGroups(
context.Background(),
&ec2.DescribeSecurityGroupsInput{
Filters: []ec2types.Filter{
ec2types.Filter{
Name: aws.String("group-name"),
Values: []string{
sgName,
},
},
},
},
})
})
if err != nil && !isInvalidGroupNotFoundErr(err) {
return "", err
}
for _, sg := range descrSGOutput.SecurityGroups {
_, err := a.ec2.DeleteSecurityGroup(&ec2.DeleteSecurityGroupInput{
GroupId: sg.GroupId,
})
_, err := a.ec2.DeleteSecurityGroup(
context.Background(),
&ec2.DeleteSecurityGroupInput{
GroupId: sg.GroupId,
},
)
if err != nil {
return "", err
}
}
cSGOutput, err := a.ec2.CreateSecurityGroup(&ec2.CreateSecurityGroupInput{
Description: aws.String(sgName),
GroupName: aws.String(sgName),
VpcId: aws.String(vpcID),
})
cSGOutput, err := a.ec2.CreateSecurityGroup(
context.Background(),
&ec2.CreateSecurityGroupInput{
Description: aws.String(sgName),
GroupName: aws.String(sgName),
VpcId: aws.String(vpcID),
},
)
if err != nil {
return "", err
}
sgID := *cSGOutput.GroupId
sgIngressOutput, err := a.ec2.AuthorizeSecurityGroupIngress(&ec2.AuthorizeSecurityGroupIngressInput{
GroupId: aws.String(sgID),
IpPermissions: []*ec2.IpPermission{
&ec2.IpPermission{
IpProtocol: aws.String(ec2.ProtocolTcp),
FromPort: aws.Int64(1),
ToPort: aws.Int64(65535),
IpRanges: []*ec2.IpRange{
&ec2.IpRange{
CidrIp: aws.String(fmt.Sprintf("%s/32", hostIP)),
sgIngressOutput, err := a.ec2.AuthorizeSecurityGroupIngress(
context.Background(),
&ec2.AuthorizeSecurityGroupIngressInput{
GroupId: aws.String(sgID),
IpPermissions: []ec2types.IpPermission{
ec2types.IpPermission{
IpProtocol: aws.String(string(ec2types.ProtocolTcp)),
FromPort: aws.Int32(1),
ToPort: aws.Int32(65535),
IpRanges: []ec2types.IpRange{
ec2types.IpRange{
CidrIp: aws.String(fmt.Sprintf("%s/32", hostIP)),
},
},
},
},
},
})
})
if err != nil {
return sgID, err
}
@ -305,11 +343,14 @@ func (a *AWS) createOrReplaceSG(hostInstanceID, hostIP, vpcID string) (string, e
return sgID, fmt.Errorf("Unable to attach ingress rules to SG")
}
describeSGOutput, err := a.ec2.DescribeSecurityGroups(&ec2.DescribeSecurityGroupsInput{
GroupIds: []*string{
aws.String(sgID),
describeSGOutput, err := a.ec2.DescribeSecurityGroups(
context.Background(),
&ec2.DescribeSecurityGroupsInput{
GroupIds: []string{
sgID,
},
},
})
)
if err != nil {
return sgID, err
}
@ -324,26 +365,32 @@ func (a *AWS) createOrReplaceSG(hostInstanceID, hostIP, vpcID string) (string, e
}
func isLaunchTemplateNotFoundError(err error) bool {
if awsErr, ok := err.(awserr.Error); ok {
if awsErr.Code() == "InvalidLaunchTemplateId.NotFound" || awsErr.Code() == "InvalidLaunchTemplateName.NotFoundException" {
var apiErr smithy.APIError
if errors.As(err, &apiErr) {
if apiErr.ErrorCode() == "InvalidLaunchTemplateId.NotFound" || apiErr.ErrorCode() == "InvalidLaunchTemplateName.NotFoundException" {
return true
}
}
return false
}
func (a *AWS) createOrReplaceLT(hostInstanceID, imageID, sgID, instanceType, iamProfile, keyName, cloudWatchGroup, hostname string) (string, error) {
func (a *AWS) createOrReplaceLT(hostInstanceID, imageID, sgID, iamProfile, keyName, cloudWatchGroup, hostname string) (string, error) {
ltName := fmt.Sprintf("launch-template-for-%s-runner-instance", hostInstanceID)
descrLTOutput, err := a.ec2.DescribeLaunchTemplates(&ec2.DescribeLaunchTemplatesInput{
LaunchTemplateNames: []*string{
aws.String(ltName),
descrLTOutput, err := a.ec2.DescribeLaunchTemplates(
context.Background(),
&ec2.DescribeLaunchTemplatesInput{
LaunchTemplateNames: []string{
ltName,
},
},
})
)
if len(descrLTOutput.LaunchTemplates) == 1 {
_, err := a.ec2.DeleteLaunchTemplate(&ec2.DeleteLaunchTemplateInput{
LaunchTemplateId: descrLTOutput.LaunchTemplates[0].LaunchTemplateId,
})
_, err := a.ec2.DeleteLaunchTemplate(
context.Background(),
&ec2.DeleteLaunchTemplateInput{
LaunchTemplateId: descrLTOutput.LaunchTemplates[0].LaunchTemplateId,
},
)
if err != nil {
return "", err
}
@ -353,46 +400,46 @@ func (a *AWS) createOrReplaceLT(hostInstanceID, imageID, sgID, instanceType, iam
}
input := &ec2.CreateLaunchTemplateInput{
LaunchTemplateData: &ec2.RequestLaunchTemplateData{
LaunchTemplateData: &ec2types.RequestLaunchTemplateData{
ImageId: aws.String(imageID),
InstanceInitiatedShutdownBehavior: aws.String(ec2.ShutdownBehaviorTerminate),
InstanceRequirements: &ec2.InstanceRequirementsRequest{
AcceleratorCount: &ec2.AcceleratorCountRequest{
Max: aws.Int64(0),
InstanceInitiatedShutdownBehavior: ec2types.ShutdownBehaviorTerminate,
InstanceRequirements: &ec2types.InstanceRequirementsRequest{
AcceleratorCount: &ec2types.AcceleratorCountRequest{
Max: aws.Int32(0),
},
BareMetal: aws.String(ec2.BareMetalExcluded),
MemoryMiB: &ec2.MemoryMiBRequest{
Min: aws.Int64(4096),
BareMetal: ec2types.BareMetalExcluded,
MemoryMiB: &ec2types.MemoryMiBRequest{
Min: aws.Int32(4096),
},
NetworkInterfaceCount: &ec2.NetworkInterfaceCountRequest{
Min: aws.Int64(1),
NetworkInterfaceCount: &ec2types.NetworkInterfaceCountRequest{
Min: aws.Int32(1),
},
SpotMaxPricePercentageOverLowestPrice: aws.Int64(200),
VCpuCount: &ec2.VCpuCountRangeRequest{
Min: aws.Int64(2),
SpotMaxPricePercentageOverLowestPrice: aws.Int32(200),
VCpuCount: &ec2types.VCpuCountRangeRequest{
Min: aws.Int32(2),
},
},
BlockDeviceMappings: []*ec2.LaunchTemplateBlockDeviceMappingRequest{
&ec2.LaunchTemplateBlockDeviceMappingRequest{
BlockDeviceMappings: []ec2types.LaunchTemplateBlockDeviceMappingRequest{
ec2types.LaunchTemplateBlockDeviceMappingRequest{
DeviceName: aws.String("/dev/sda1"),
Ebs: &ec2.LaunchTemplateEbsBlockDeviceRequest{
Ebs: &ec2types.LaunchTemplateEbsBlockDeviceRequest{
DeleteOnTermination: aws.Bool(true),
Encrypted: aws.Bool(true),
VolumeSize: aws.Int64(50),
VolumeType: aws.String(ec2.VolumeTypeGp3),
VolumeSize: aws.Int32(50),
VolumeType: ec2types.VolumeTypeGp3,
},
},
},
SecurityGroupIds: []*string{
aws.String(sgID),
SecurityGroupIds: []string{
sgID,
},
UserData: aws.String(base64.StdEncoding.EncodeToString([]byte(SecureInstanceUserData(cloudWatchGroup, hostname)))),
},
TagSpecifications: []*ec2.TagSpecification{
&ec2.TagSpecification{
ResourceType: aws.String(ec2.ResourceTypeLaunchTemplate),
Tags: []*ec2.Tag{
&ec2.Tag{
TagSpecifications: []ec2types.TagSpecification{
ec2types.TagSpecification{
ResourceType: ec2types.ResourceTypeLaunchTemplate,
Tags: []ec2types.Tag{
ec2types.Tag{
Key: aws.String("parent"),
Value: aws.String(hostInstanceID),
},
@ -403,7 +450,7 @@ func (a *AWS) createOrReplaceLT(hostInstanceID, imageID, sgID, instanceType, iam
}
if iamProfile != "" {
input.LaunchTemplateData.IamInstanceProfile = &ec2.LaunchTemplateIamInstanceProfileSpecificationRequest{
input.LaunchTemplateData.IamInstanceProfile = &ec2types.LaunchTemplateIamInstanceProfileSpecificationRequest{
Name: aws.String(iamProfile),
}
}
@ -412,7 +459,7 @@ func (a *AWS) createOrReplaceLT(hostInstanceID, imageID, sgID, instanceType, iam
input.LaunchTemplateData.KeyName = aws.String(keyName)
}
createLaunchTemplateOutput, err := a.ec2.CreateLaunchTemplate(input)
createLaunchTemplateOutput, err := a.ec2.CreateLaunchTemplate(context.Background(), input)
if err != nil {
return "", err
}
@ -424,12 +471,14 @@ func (a *AWS) deleteFleetIfExists(si *SecureInstance) error {
return nil
}
delFlOutput, err := a.ec2.DeleteFleets(&ec2.DeleteFleetsInput{
FleetIds: []*string{
aws.String(si.FleetID),
},
TerminateInstances: aws.Bool(true),
})
delFlOutput, err := a.ec2.DeleteFleets(
context.Background(),
&ec2.DeleteFleetsInput{
FleetIds: []string{
si.FleetID,
},
TerminateInstances: aws.Bool(true),
})
if err != nil {
return err
}
@ -438,11 +487,14 @@ func (a *AWS) deleteFleetIfExists(si *SecureInstance) error {
}
if si.InstanceID != "" {
err = a.ec2.WaitUntilInstanceTerminated(&ec2.DescribeInstancesInput{
InstanceIds: []*string{
aws.String(si.InstanceID),
instTermWaiter := ec2.NewInstanceTerminatedWaiter(a.ec2)
err = instTermWaiter.Wait(
context.Background(),
&ec2.DescribeInstancesInput{
InstanceIds: []string{si.InstanceID},
},
})
time.Hour,
)
if err != nil {
return err
}
@ -456,9 +508,12 @@ func (a *AWS) deleteLTIfExists(si *SecureInstance) error {
return nil
}
_, err := a.ec2.DeleteLaunchTemplate(&ec2.DeleteLaunchTemplateInput{
LaunchTemplateId: aws.String(si.LTID),
})
_, err := a.ec2.DeleteLaunchTemplate(
context.Background(),
&ec2.DeleteLaunchTemplateInput{
LaunchTemplateId: aws.String(si.LTID),
},
)
if err == nil {
si.LTID = ""
}
@ -470,9 +525,12 @@ func (a *AWS) deleteSGIfExists(si *SecureInstance) error {
return nil
}
_, err := a.ec2.DeleteSecurityGroup(&ec2.DeleteSecurityGroupInput{
GroupId: aws.String(si.SGID),
})
_, err := a.ec2.DeleteSecurityGroup(
context.Background(),
&ec2.DeleteSecurityGroupInput{
GroupId: aws.String(si.SGID),
},
)
if err == nil {
si.SGID = ""
}
@ -480,7 +538,7 @@ func (a *AWS) deleteSGIfExists(si *SecureInstance) error {
}
func (a *AWS) createFleet(input *ec2.CreateFleetInput) (*ec2.CreateFleetOutput, error) {
createFleetOutput, err := a.ec2.CreateFleet(input)
createFleetOutput, err := a.ec2.CreateFleet(context.Background(), input)
if err != nil {
return nil, fmt.Errorf("Unable to create spot fleet: %w", err)
}
@ -488,7 +546,7 @@ func (a *AWS) createFleet(input *ec2.CreateFleetInput) (*ec2.CreateFleetOutput,
if len(createFleetOutput.Errors) > 0 && createFleetOutput.Errors[0].ErrorCode == aws.String("UnfillableCapacity") {
logrus.Warn("Received UnfillableCapacity from CreateFleet, retrying CreateFleet with OnDemand instance")
input.SpotOptions = nil
createFleetOutput, err = a.ec2.CreateFleet(input)
createFleetOutput, err = a.ec2.CreateFleet(context.Background(), input)
}
if err != nil {
return nil, fmt.Errorf("Unable to create on-demand fleet: %w", err)