
ec2.BastionHostLinux: No easy way to pass in keyName to ssh in from this class


What is the problem?

  const host = new ec2.BastionHostLinux(this, 'cdk-bastion', {
    vpc,
    instanceName: 'cdk-bastion',
    instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MICRO),
    machineImage: machineImage,
    securityGroup: public_sg,
    subnetSelection: {subnets:[vpc.publicSubnets[0]]}
  });

I expected keyName to be a top-level property at construction. If I want to create a Bastion with an SSH key, then I have to use the regular Image class since it is a construct prop.

I am using TypeScript.

Reproduction Steps

import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Peer, Port } from 'aws-cdk-lib/aws-ec2';

export class CdkVpcStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    const vpc = new ec2.Vpc(this, 'cdk-vpc', {
      cidr: "10.0.0.0/16",
      enableDnsHostnames: true,
      enableDnsSupport: true,
      subnetConfiguration: [
        {
          cidrMask: 24,
          name: 'cdk-sb-public',
          subnetType: ec2.SubnetType.PUBLIC,
        },
        {
          cidrMask: 20,
          name: 'cdk-sb-private',
          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
        }
      ]
    });

    const public_sg = new ec2.SecurityGroup(this, 'cdk-public-sg', {
      vpc: vpc,
    });

    public_sg.addIngressRule(Peer.anyIpv4(), Port.tcp(22), "SSH Bastion", false);
    public_sg.addEgressRule(Peer.anyIpv4(), Port.allTraffic(), "SSH Bastion", false);

    const machineImage = ec2.MachineImage.latestAmazonLinux();

    const host = new ec2.BastionHostLinux(this, 'cdk-bastion', {
      vpc,
      instanceName: 'cdk-bastion',
      instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.MICRO),
      machineImage: machineImage,
      securityGroup: public_sg,
      subnetSelection: { subnets: [vpc.publicSubnets[0]] }
    });
  }
}

What did you expect to happen?

Simple property to add keyName.

What actually happened?

keyName cannot be set because Image is private.

CDK CLI Version

2.8.0

Framework Version

2.8.0

Node.js Version

v16.13.1

OS

Mac OS

Language

Typescript

Language Version

3.9.7

Other information

No response

Issue Analytics

  • State: open
  • Created 2 years ago
  • Reactions: 1
  • Comments: 5 (5 by maintainers)

Top GitHub Comments

2 reactions
hoegertn commented, Jan 26, 2022

Not adding the keyName was a decision when writing this construct.

  1. The recommended way to connect to this bastion host is to use Session Manager and not SSH; that is why there is also no ingress rule for port 22 by default.
  2. Using the keyName prop of an instance means that there is ONE key to connect, which normally is not what you want, as you want to have personalized keys for people connecting to this box.

As the BastionHost is a level 2.5 construct, it is opinionated and does not solve all use cases somebody might have.
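The two points in this comment (no port 22 ingress by default, no single shared key) and the `addIngressRule(Peer.anyIpv4(), Port.tcp(22), ...)` line in the reproduction steps above, as an added example that is not code from the issue or the aws-cdk project: a dependency-free TypeScript audit over a CloudFormation template of the shape `cdk synth` writes to `cdk.out`. It flags a security group that exposes tcp/22 to any address, an instance launched with a `KeyName` (one shared key), and an instance whose role does not carry `AmazonSSMManagedInstanceCore`, which is the AWS managed policy BastionHostLinux attaches to its instance role so Session Manager can reach it. The templates, logical IDs and the key-pair name below are constructed for the example.

```typescript
// Added example, not code from the issue or aws-cdk. Audits a synthesized
// CloudFormation template for the two concerns raised by the maintainer.
type CfnValue = string | number | boolean | null | CfnValue[] | { [key: string]: CfnValue };
type CfnResource = { Type: string; Properties?: { [key: string]: CfnValue } };
type CfnTemplate = { Resources: { [logicalId: string]: CfnResource } };

interface Finding {
  resource: string;
  rule: "SSH_OPEN_TO_WORLD" | "SHARED_KEY_PAIR" | "NO_SSM_POLICY";
  detail: string;
}

// Resolve {"Ref": "X"} (how CDK links resources in a template) to "X".
function refName(v: CfnValue | undefined): string | undefined {
  if (v && typeof v === "object" && !Array.isArray(v)) {
    const ref = v["Ref"];
    if (typeof ref === "string") return ref;
  }
  return typeof v === "string" ? v : undefined;
}

// True when an ingress entry lets any IPv4/IPv6 address reach tcp/22.
// Port.allTraffic() synthesizes IpProtocol "-1" with no port range.
function ingressCoversSsh(rule: { [key: string]: CfnValue }): boolean {
  const proto = String(rule["IpProtocol"] ?? "");
  if (proto !== "tcp" && proto !== "-1") return false;
  const from = proto === "-1" ? 0 : Number(rule["FromPort"]);
  const to = proto === "-1" ? 65535 : Number(rule["ToPort"]);
  const anywhere = rule["CidrIp"] === "0.0.0.0/0" || rule["CidrIpv6"] === "::/0";
  return anywhere && from <= 22 && 22 <= to;
}

function auditTemplate(t: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  const res = t.Resources;
  for (const [id, r] of Object.entries(res)) {
    const p = r.Properties ?? {};
    if (r.Type === "AWS::EC2::SecurityGroup") {
      const ingress = p["SecurityGroupIngress"];
      const rules = Array.isArray(ingress) ? ingress : [];
      for (const rule of rules) {
        if (rule && typeof rule === "object" && !Array.isArray(rule) && ingressCoversSsh(rule)) {
          findings.push({ resource: id, rule: "SSH_OPEN_TO_WORLD",
            detail: `tcp/22 reachable from ${rule["CidrIp"] ?? rule["CidrIpv6"]}` });
        }
      }
    }
    if (r.Type === "AWS::EC2::Instance") {
      if (p["KeyName"] !== undefined) {
        findings.push({ resource: id, rule: "SHARED_KEY_PAIR",
          detail: `KeyName=${JSON.stringify(p["KeyName"])} is one key for every operator` });
      }
      // Follow Instance -> InstanceProfile -> Role and look for the SSM managed policy.
      const profile = res[refName(p["IamInstanceProfile"]) ?? ""];
      const roleIds = (profile?.Properties?.["Roles"] as CfnValue[] | undefined) ?? [];
      const hasSsm = roleIds.some((rid) => {
        const role = res[refName(rid) ?? ""];
        return JSON.stringify(role?.Properties?.["ManagedPolicyArns"] ?? [])
          .includes("AmazonSSMManagedInstanceCore");
      });
      if (!hasSsm) findings.push({ resource: id, rule: "NO_SSM_POLICY",
        detail: "instance role lacks AmazonSSMManagedInstanceCore; Session Manager cannot reach it" });
    }
  }
  return findings;
}

// Constructed: the shape cdk synth produces for the reproduction steps above
// (BastionHostLinux with an extra security group that opens 22 to any IPv4).
const issueTemplate: CfnTemplate = {
  Resources: {
    cdkpublicsg: { Type: "AWS::EC2::SecurityGroup", Properties: {
      GroupDescription: "CdkVpcStack/cdk-public-sg",
      SecurityGroupIngress: [{ CidrIp: "0.0.0.0/0", IpProtocol: "tcp", FromPort: 22, ToPort: 22, Description: "SSH Bastion" }],
    } },
    cdkbastionRole: { Type: "AWS::IAM::Role", Properties: { ManagedPolicyArns: [
      { "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" }, ":iam::aws:policy/AmazonSSMManagedInstanceCore"]] },
    ] } },
    cdkbastionInstanceProfile: { Type: "AWS::IAM::InstanceProfile", Properties: { Roles: [{ Ref: "cdkbastionRole" }] } },
    cdkbastion: { Type: "AWS::EC2::Instance", Properties: {
      IamInstanceProfile: { Ref: "cdkbastionInstanceProfile" },
      SecurityGroupIds: [{ "Fn::GetAtt": ["cdkpublicsg", "GroupId"] }],
    } },
  },
};

// Constructed: what a plain ec2.Instance with keyName and no instance profile looks like.
const sharedKeyTemplate: CfnTemplate = {
  Resources: {
    jumpbox: { Type: "AWS::EC2::Instance", Properties: { KeyName: "team-shared-key", ImageId: "ami-EXAMPLE" } },
  },
};

// The construct's default: same resources but no ingress rule at all,
// since Session Manager needs no inbound port.
function defaultBastionTemplate(): CfnTemplate {
  const t: CfnTemplate = JSON.parse(JSON.stringify(issueTemplate));
  delete t.Resources["cdkpublicsg"].Properties!["SecurityGroupIngress"];
  return t;
}
```

To run it on a real stack, `JSON.parse` the file `cdk.out/<StackName>.template.json` and pass it to `auditTemplate`; the default BastionHostLinux output yields no findings, the reproduction's security group yields one, and an instance built with a shared key and no SSM role yields two.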

0 reactions
NGL321 commented, Jan 31, 2022

@hoegertn @njlynch,

If this was an intentional design consideration, should we suspend further conversation about adjusting the construct?

