Support building AMI images via GuCDK

Open. AshCorr opened this issue 1 year ago • 1 comment

What does this change?

Adds L2 constructs for ImageBuilder to facilitate building AMI images for our EC2 applications.

These L2 constructs provide a number of optional defaults that I considered sensible such as:

  • Unless specified AMIs will use Amazon Linux 2023 as their base image.
  • Recipes default to version 1.0.0, versioning recipes isn't really compatible with our "pick the latest AMI" deployment model.
  • Most names follow the format STACK-STAGE-APP. I haven't tested to see if ImageBuilder cares if there's 2 recipes with the same name; I imagine it does, and this could cause issues if we have more than 1 image per app. I'd like to include a random identifier at the end of names but I can't figure out how to do that with CDK!

Why

If we can get ImageBuilder working correctly it allows us to sunset Amigo, meaning:

  • Reduced infra cost: ImageBuilder will spin up an instance to build the AMI and then spin back down again. This has the added benefit that ImageBuilder scales, so we'll no longer have that issue where too many Amigo builds are happening at once, causing some to fail.
  • Reduced maintenance burden: we won't need to maintain a Play app and all the multi-account infrastructure that goes along with it.
  • Progress towards next quarter's OKRs: easier to set up new AWS accounts, as we won't need to deploy a bunch of Amigo infrastructure for each new account.

Issues

Can't deploy both AMI and Infra at the same time

Like Amigo, it won't really be possible to build AMIs at deployment time due to the long time it takes to build an AMI. This will mean 2 things:

  • New stacks will need to deploy and build their AMI first before they can deploy an EC2 app.
  • Some parts of your CDK won't exactly match production: your non-AMI infra will be updated immediately, whereas your AMI infra might not get updated until the next deployment.

CloudFormation file size limits

Custom components (aka "roles" in Amigoland) are limited to 64KB of YAML, which could potentially limit how complex each component can be; I haven't done any baselines to figure out how limiting this is. In any case, AWS allows requesting a larger limit if this does prove to be too small.

What could be more problematic is the CloudFormation YAML limit. Assuming 2 image pipelines per app (CODE & PROD) and maybe 2-3 custom components, this might result in quite a lot of YAML. Again, I haven't tested this yet, so it may be a non-issue.

Usage

```typescript
import { Ami } from "@guardian/cdk/lib/constructs/imagebuilder"
import { Java } from "@guardian/cdk/lib/constructs/imagebuilder/components"

...

// Declare an AMI built from an Amazon Linux 2023 (arm64) parent image with the JRE 11 component.
const ami = Ami.from(stack, "AMI")
    .withParentImage("arn:aws:imagebuilder:eu-west-1:aws:image/amazon-linux-2023-arm64/2024.6.7")
    .withComponent(Java.JRE_11)
    .build()

...

// TODO: Not implemented yet.
new GuPlayApp(stack, "App", {
   ...
   imageRecipe: ami.recipeName
   ...
});
```

TODO (maybe not this PR)

  • [ ] Schedule AMI builds
    • [ ] By default build once per day
    • [ ] Additionally, have riffraff trigger a build on deploy
    • [ ] Additional additionally, have riffraff wait for an AMI build to complete before updating a stack's AMI parameter
  • [ ] Support Encrypted AMIs
    • [ ] Provision KMS Keypairs per AMI/Recipe
    • [ ] Apply "Encrypted" tag to resulting image
  • [ ] Support DevX logging
  • [ ] Build in support for commonly used roles:
    • [ ] Node
    • [ ] Java (non-aws)
    • [ ] apt
  • [ ] Integrate into our EC2 patterns
  • [ ] Documentation

How to test

Checklist

  • [ ] I have listed any breaking changes, along with a migration path [^1]
  • [ ] I have updated the documentation as required for the described changes [^2]

[^1]: Consider whether this is something that will mean changes to projects that have already been migrated, or to the CDK CLI tool. If changes are required, consider adding a checklist here and/or linking to related PRs.
[^2]: If you are adding a new construct or pattern, has new documentation been added? If you are amending defaults or changing behaviour, are the existing docs still valid?

AshCorr, Jun 17 '24 12:06
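As an added example (not code from the PR or from @guardian/cdk), the helper below produces the YAML document an ImageBuilder custom component consumes, fails early when the 64KB component limit mentioned under Issues would be exceeded, and derives STACK-STAGE-APP names with a deterministic suffix so two recipes for the same app do not collide. The document layout follows the ImageBuilder component schema (schemaVersion 1.0, build/validate phases, ExecuteBash steps); the function names and the choice of a path hash for the suffix are assumptions (CDK's own Names.uniqueId derives a comparable path-based suffix).

```typescript
// Added example (not the PR's code): ImageBuilder component YAML, size check, naming.
import { createHash } from "node:crypto";

// ImageBuilder rejects component documents larger than 64KB (see Issues above).
const COMPONENT_DATA_LIMIT_BYTES = 64 * 1024;

interface ComponentSpec {
  name: string;
  buildCommands: string[];      // run in the "build" phase via ExecuteBash
  validateCommands?: string[];  // optional "validate" phase
}

// One phase with a single ExecuteBash step. YAML double-quoted scalars accept
// JSON string escaping, so JSON.stringify safely quotes arbitrary command text.
function yamlPhase(phase: string, commands: string[]): string[] {
  return [
    `  - name: ${phase}`,
    `    steps:`,
    `      - name: ${phase}Step`,
    `        action: ExecuteBash`,
    `        inputs:`,
    `          commands:`,
    ...commands.map((c) => `            - ${JSON.stringify(c)}`),
  ];
}

// Builds the component document; throws at synth time rather than at deploy time.
function componentDocument(spec: ComponentSpec): string {
  const lines = [
    `name: ${JSON.stringify(spec.name)}`,
    `schemaVersion: 1.0`,
    `phases:`,
    ...yamlPhase("build", spec.buildCommands),
    ...(spec.validateCommands ? yamlPhase("validate", spec.validateCommands) : []),
  ];
  const doc = lines.join("\n") + "\n";
  const size = Buffer.byteLength(doc, "utf8");
  if (size > COMPONENT_DATA_LIMIT_BYTES) {
    throw new Error(`component ${spec.name} is ${size} bytes, limit ${COMPONENT_DATA_LIMIT_BYTES}`);
  }
  return doc;
}

// STACK-STAGE-APP plus 8 hex chars hashed from the construct path (assumed scheme),
// so two recipes for one app in the same account get distinct but stable names.
function resourceName(stack: string, stage: string, app: string, path: string): string {
  const suffix = createHash("sha256").update(path).digest("hex").slice(0, 8);
  return `${stack}-${stage}-${app}-${suffix}`;
}
```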

⚠️ No Changeset found

Latest commit: 3685fa8773cf2c22caac72d530e79727a87c4a65

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

changeset-bot[bot], Jun 17 '24 12:06

This PR is stale because it has been open 30 days with no activity. Unless a comment is added or the “stale” label removed, this will be closed in 3 days

github-actions[bot], Aug 22 '24 06:08

This PR was closed because it has been stalled for 3 days with no activity.

github-actions[bot], Aug 26 '24 06:08