Re-visit how we apply the AmazonSSMManagedInstanceCore in the ec2-instance and ec2-autoscaling-group modules #8969

Open
2 tasks
richgreen-moj opened this issue Jan 15, 2025 · 2 comments
Labels: member request (Feature requested by a member to enhance the platform experience)


richgreen-moj commented Jan 15, 2025

User Story

As a user of the modules
I want to use the latest versions of the ec2-autoscaling-group and ec2-instance modules v3.0.0, which remediates a deprecation in the way policies are attached to roles
So that the update can be made as smoothly as possible and there is no significant impact to multiple workloads currently using the module

Value / Purpose

v3.0.0 for these modules was released earlier this year to fix a deprecation in the way that policies are attached to roles. @robertsweetman has been attempting to use this to update multiple workloads that are dependent on the module but is finding that with the current implementation, our attempts to force use of the AmazonSSMManagedInstanceCore policy are causing a duplication on a Terraform plan as they are already passing in AmazonSSMManagedInstanceCore using the module's var.instance_profile_policies variable.

In v2.5.0 of the ec2-instance module and v2.6.0 of the ec2-autoscaling-group modules we made changes so that the AmazonSSMManagedInstanceCore policy was always applied regardless of whether the user specifies it. This was part of #7412 to ensure all MP instances are connected to SSM where possible by default.

There is a suggestion from @drobinson-moj here which we could use where the SSM policy is just used as a default value to the variable. We should consider if this is the best way forward being that this is the main userbase of these modules and they are going to pass in the policy anyway.

Context / Background

https://mojdt.slack.com/archives/C01A7QK5VM1/p1733488497868419 << this Slack thread documents the discussion and everything that has taken place so far.

Note some of the options I documented here

Useful Contacts

No response

Additional Information

No response

Definition of Done

  • Review approaches and discuss with team to agree best approach
  • Implement and test approach in coordination with @robertsweetman

@richgreen-moj added the "member request" (Feature requested by a member to enhance the platform experience) and "needs refining" labels Jan 15, 2025
@richgreen-moj changed the title from "Rev-visit how we applyAmazonSSMManagedInstanceCore in the ec2-instance and ec2-autoscaling-group modules" to "Re-visit how we applyAmazonSSMManagedInstanceCore in the ec2-instance and ec2-autoscaling-group modules" Jan 15, 2025
@richgreen-moj changed the title from "Re-visit how we applyAmazonSSMManagedInstanceCore in the ec2-instance and ec2-autoscaling-group modules" to "Re-visit how we apply the AmazonSSMManagedInstanceCore in the ec2-instance and ec2-autoscaling-group modules" Jan 15, 2025
@markgov markgov self-assigned this Jan 24, 2025
@markgov markgov moved this from To Do to In Progress in Modernisation Platform Jan 29, 2025

markgov commented Feb 4, 2025

Talked with Rich about this; agreed to bring it up after stand-up tomorrow.


markgov commented Feb 5, 2025

After talking with the team I have decided to add a boolean to allow users to skip adding the SSM policy, see
ministryofjustice/modernisation-platform-terraform-ec2-autoscaling-group#536
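
As an added illustration, not code from the modules or from the linked pull request: one way to avoid the duplicate attachment described in the issue while keeping SSM attached by default. Only `instance_profile_policies` and the AmazonSSMManagedInstanceCore policy come from the thread; the `attach_ssm_core_policy` toggle, the role and all resource labels are assumed names.

```hcl
# Added example. Names other than instance_profile_policies are hypothetical.
variable "instance_profile_policies" {
  type        = list(string)
  description = "Managed policy ARNs to attach to the instance role"
  default     = []
}

# Hypothetical opt-out toggle: SSM stays on unless a caller turns it off.
variable "attach_ssm_core_policy" {
  type        = bool
  description = "Attach AmazonSSMManagedInstanceCore even if the caller omits it"
  default     = true
}

locals {
  ssm_core_policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

  # distinct() collapses the ARN to one entry when a caller already passes
  # it in, so the forced default and the caller's list cannot collide.
  effective_policies = distinct(concat(
    var.instance_profile_policies,
    var.attach_ssm_core_policy ? [local.ssm_core_policy_arn] : []
  ))
}

resource "aws_iam_role" "instance" {
  name = "example-instance-role" # constructed sample value
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# One attachment per unique ARN, keyed by the ARN itself, so adding or
# removing a policy does not shift the addresses of the others.
resource "aws_iam_role_policy_attachment" "instance" {
  for_each   = toset(local.effective_policies)
  role       = aws_iam_role.instance.name
  policy_arn = each.value
}
```

`for_each` needs its keys known at plan time, so a caller passing the ARN of a policy created in the same apply would need a map with static keys instead of this set.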
