Set EC2 tags on Create API call rather than afterwards

Open LordMike opened this issue 7 years ago • 6 comments

In order to create a minimal IAM policy, as outlined here (#1655), could Docker-Machine be changed to tag instances in EC2 with the requested tags on the RunInstances API call, rather than afterwards?

LordMike avatar Jan 20 '18 21:01 LordMike

Note that the docs say that TagSpecifications apply to all resources created by the call, which is a difference to setting the tags on the instance only after the fact.

simonbuchan avatar Jan 30 '18 02:01 simonbuchan

They have a split per resource type. Currently, they support volume and instance (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TagSpecification.html).

Does a RunInstances create more than a volume and an instance?

LordMike avatar Jan 30 '18 09:01 LordMike

This would be great! For additional information, please see documentation for AWS Go SDK method EC2.RunInstances https://docs.aws.amazon.com/sdk-for-go/api/service/ec2/#EC2.RunInstances and https://docs.aws.amazon.com/sdk-for-go/api/service/ec2/#RunInstancesInput. Notice that as mentioned, the method can tag the instance on creation by passing the tags as part of the RunInstancesInput object.

ivanfuglo-ge avatar Feb 12 '18 02:02 ivanfuglo-ge

Looking a little closer, the docker-machine godeps file is locked on v1.4.10 of the aws-sdk (https://github.com/docker/machine/blob/master/Godeps/Godeps.json#L125). That is an old version of the SDK from 2016. The ability to tag EC2 instances on creation was not introduced until 2017 (https://aws.amazon.com/blogs/aws/new-tag-ec2-instances-ebs-volumes-on-creation/).

This means that fixing this issue would involve bumping the version of the aws sdk dependency to at least v1.8.4 (https://github.com/aws/aws-sdk-go/releases/tag/v1.8.4). Is such a version bump planned or feasible?

ivanfuglo-ge avatar Feb 12 '18 04:02 ivanfuglo-ge

This fork/commit does that: https://github.com/likewhatevs/machine/commit/22a797ae3e8525ed4e04475da77c417079737349

likewhatevs avatar Sep 30 '19 02:09 likewhatevs

This has more impacts than just creation of minimal IAM policies. We have a corporate policy that a mandatory tag has to exist on certain resources, including EC2 instances, so the create fails because it doesn't include that tag, even if it is specified at the docker-machine command line using the --amazonec2-tags flag.

tfmorris avatar May 17 '21 19:05 tfmorris
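An added example, not taken from the thread or from docker-machine: the tagging-related statements of an IAM policy that only works when tags travel in the RunInstances call, which covers both the minimal-policy request in the opening post and the mandatory-tag case in the last comment. The tag key `ExampleRequiredTag`, its value `example-value` and the wildcard ARNs are placeholders, and the other permissions docker-machine needs (describe calls, key pairs, security groups) are left out.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RunInstancesMustCarryRequiredTag",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/ExampleRequiredTag": "example-value" }
      }
    },
    {
      "Sid": "RunInstancesSupportingResources",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:volume/*"
      ]
    },
    {
      "Sid": "TagOnlyDuringRunInstances",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "RunInstances" }
      }
    }
  ]
}
```

When the tags are applied in a separate CreateTags call after launch, the RunInstances request carries no tags, so the `aws:RequestTag` condition is not met and the launch is denied. Working around that means granting `ec2:CreateTags` without the `ec2:CreateAction` condition, which lets the role retag instances it did not create.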