(aws-batch): ComputeEnvironment should implement IConnectable #20983
Comments
yoshizawa56
added
feature-request
indrora
added
needs-design
|
I encountered this issue when working on a PoC for a customer. declare const fs: efs.FileSystem;
fs.connections.allowDefaultPortFromAnyIpv4();which is clearly very bad practice, even if it's all in a private subnet. The security groups which which the Batch construct creates for each ComputeEnvironment need to be available, so I agree that ComputeEnvironment needs to implement IConnectable. I have implemented this, in a way which does not seem to have added any integration problems. I also added an integration test, but I'm not 💯 % comfortable this is the right design, it's not quite high level enough to make this really suitable for the user. For a start, the computeEnvironments are not exposed by the JobQueue that contains them, so with my implementation the user still has to create the environments themselves and alter them before creating the batch queue as follows, which seems a bit cumbersome: const computeEnvironments = [
{
computeEnvironment: new batch.ComputeEnvironment(stack, 'batch-demand-compute-env-launch-template', {
managed: true,
computeResources: {
type: batch.ComputeResourceType.ON_DEMAND,
vpc,
launchTemplate: {
launchTemplateName: launchTemplate.launchTemplateName as string,
},
},
}),
order: 2,
},
{
computeEnvironment: new batch.ComputeEnvironment(stack, 'batch-spot-compute-env', {
managed: true,
computeResources: {
type: batch.ComputeResourceType.SPOT,
vpc,
bidPercentage: 80,
},
}),
order: 3,
},
];
// at least with ComputeEnvironment implementing IConnectable, we now have sensible ingress rules:
computeEnvironments.forEach((ce) => {
fs.connections.allowDefaultPortFrom(ce.computeEnvironment);
});
new batch.JobQueue(stack, 'batch-job-queue', { computeEnvironments });I'll link a pull request to this issue, to show what I've done, although I'm not expecting it to be the final design that gets merged, more that it's food for thought about how this could be implemented. |
closes #20983 ComputeEnvironments have embedded security groups in them. These are currently difficult to reach and modify in CDK stacks, which forces users into undesirable practices when integrating batch queues with other services such as as EFS filesystems or RDS instances. Ideally, it should be possible to use compute environments as a target: ```ts something.connections.allowDefaultPortFrom(computeEnvironment); ``` but this isn't currently possible, so the user may try to work around it by allowing from any IPv4, or by having to use an escape hatch, which is not simple. This pull request adds ec2.IConnectable to batch.ComputeEnvironment. It still seems to pass all the existing tests and integration tests, so I don't think it's a breaking change, but I suspect it could be done in a better way than I've done it, to make things even simpler for the user. ---- ### All Submissions: * [yes] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [no] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [yes] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [yes] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
closes aws#20983 ComputeEnvironments have embedded security groups in them. These are currently difficult to reach and modify in CDK stacks, which forces users into undesirable practices when integrating batch queues with other services such as as EFS filesystems or RDS instances. Ideally, it should be possible to use compute environments as a target: ```ts something.connections.allowDefaultPortFrom(computeEnvironment); ``` but this isn't currently possible, so the user may try to work around it by allowing from any IPv4, or by having to use an escape hatch, which is not simple. This pull request adds ec2.IConnectable to batch.ComputeEnvironment. It still seems to pass all the existing tests and integration tests, so I don't think it's a breaking change, but I suspect it could be done in a better way than I've done it, to make things even simpler for the user. ---- ### All Submissions: * [yes] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [no] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [yes] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [yes] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the feature
Once a ComputeEnvironment is created, there is no way to access the security group associated with it. We would like to implement IConectable interface in the ComputeEnvironment to more easily control connections from the batch container.
Use Case
Current implementation requires 3 steps below when creating batch with db connection.
db.connections.allowFrom(sg, ...)If ComputeEnvironment implements IConnectable, it become more simple
db.connections.allowFrom(computeEnv, ...)Proposed Solution
No response
Other Information
No response
Acknowledgements
CDK version used
2.24
Environment details (OS name and version, etc.)
ubuntu 18.04
The text was updated successfully, but these errors were encountered: