fix(aws-batch): Support omitting ComputeEnvironment security groups so that they can be specified in Launch Template #21579
Conversation
|
|
tcutts
changed the title
There was a problem hiding this comment.
@tcutts thanks for taking the time to create this PR! Unfortunately the union type is not currently supported in CDK so I don't think this solution will work.
Without looking into this too much, I think the ideal solution is probably a much bigger effort. I'm thinking that we need to:
- Add support for network interfaces in the L2 ec2.LaunchTemplate construct.
- Update the batch.ComputeEnvironment construct to take a
ILaunchTemplateinstead of the name/id. - Check the
ILaunchTemplatefor whether theComputeEnvironmentneeds to create any security groups.
|
On 15 Aug 2022, at 13:30, Cory Hall ***@***.***> wrote:
@corymhall requested changes on this pull request.
@tcutts <https://github.com/tcutts> thanks for taking the time to create this PR! Unfortunately the union type is not currently supported in CDK so I don't think this solution will work.
Ah, I didn’t know that. It did feel a bit dirty. :-)
Without looking into this too much, I think the ideal solution is probably a much bigger effort. I'm thinking that we need to:
Add support for network interfaces in the L2 ec2.LaunchTemplate construct
Update the batch.ComputeEnvironment construct to take a ILaunchTemplate instead of the name/id.
That would be a breaking change, wouldn’t it? I suppose the API is currently experimental, so that doesn’t matter quite so much...
Check the ILaunchTemplate for whether the ComputeEnvironment needs to create any security groups.
… I agree with this, because the combination of all three steps allows us to put a validation in.
…
In ***@***.***/aws-batch/lib/compute-environment.ts <#21579 (comment)>:
> @@ -142,7 +161,7 @@ export interface ComputeResources {
*
* @default - AWS default security group.
*/
- readonly securityGroups?: ec2.ISecurityGroup[];
+ readonly securityGroups?: ec2.ISecurityGroup[] | ComputeEnvironmentSecurityGroups;
Unfortunately we can't use union types due to limitations with JSII.
—
Reply to this email directly, view it on GitHub <#21579 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AASQ7CWR6NMK7FQZDAJXUDDVZIZ4VANCNFSM56LNXTZQ>.
You are receiving this because you were mentioned.
|
|
This is potentially an enormous can of worms. CDK has no abstraction for networkInterfaces at all, anywhere. That needs to be done first before anything else that ought to support them can do so (Instance, AutoScalingGroup). This is way beyond my relatively hobbyist ability to implement. |
|
What I could do is revert to a simpler change, which is to change what happens if the user specifies const computeEnvironmentEFA = new batch.ComputeEnvironment(stack, 'EFAComputeEnv', {
managed: true,
computeResources: {
securityGroups: [],
vpc,
launchTemplate: {
launchTemplateName: launchTemplateEFA.launchTemplateName as string,
},
},
});which I don't like very much, but would achieve the desired outcome. Arguably, ComputeEnvironment needs updating to do this anyway, because emitting an empty list in a set SecurityGroupIds property doesn't seem to be the right behaviour to me. |
I agree that this isn't what we want, but since this package is experimental and given the complexity of the preferred solution I think I'm fine with this as an interim solution. |
mergify
bot
dismissed
corymhall’s stale review
Pull request has been modified.
…in favour of empty list
tcutts
changed the title
github-actions
bot
added
the
effort/small
tcutts
changed the title
tcutts
changed the title
mergify
bot
dismissed
corymhall’s stale review
Pull request has been modified.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
…o that they can be specified in Launch Template (aws#21579) HPC Batch applications frequently require Elastic Fabric Adapters for low-latency networking. Currently, the `ComputeEnvironment` construct always automatically defines a set of `SecurityGroupIds` in the CloudFormation it generates, and this prevents the stack deploying if the LaunchTemplate contains network interface definitions; Batch does not allow SecurityGroups at the `ComputeEnvironment` level if there are network interfaces defined in the `CfnLaunchTemplate`. Since we do not currently have support for network interfaces this PR adds a new boolean property in `launchTemplate` called `useNetworkInterfaceSecurityGroups`. When this is enabled we will assume that security groups are being provided by the launch template. A long term solution may be to: - Add support for network interfaces in the L2 ec2.LaunchTemplate construct. - Update the batch.ComputeEnvironment construct to take a ILaunchTemplate instead of the name/id. - Check the ILaunchTemplate for whether the ComputeEnvironment needs to create any security groups. closes aws#21577 ---- ### All Submissions: * [yes] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [no] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [yes] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [yes] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
HPC Batch applications frequently require Elastic Fabric Adapters for low-latency networking. Currently, the
ComputeEnvironmentconstruct always automatically defines a set ofSecurityGroupIdsin the CloudFormation it generates, and this prevents the stack deploying if the LaunchTemplate contains network interface definitions; Batch does not allow SecurityGroups at theComputeEnvironmentlevel if there are network interfaces defined in theCfnLaunchTemplate.Since we do not currently have support for network interfaces this PR adds a new boolean property in
launchTemplatecalleduseNetworkInterfaceSecurityGroups. When this is enabled we will assume that security groups are being provided by the launch template.A long term solution may be to:
closes #21577
All Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license