AWS Launch Templates

Please note that you should only proceed with this if you have AWS EC2 configured as a cloud provider.

AWS uses launch templates to specify instance configuration information. Launch templates are the successor of launch configurations. This means that any new instance configuration feature from AWS will only be supported by launch templates.

Spinnaker still supports launch configurations for backwards compatibility, but recommends enabling launch templates to access any new features that AWS adds.

Setup Steps

This section summarizes the steps required to set up launch templates if you are new to using AWS in Spinnaker or if you have already been using AWS as one of your cloud providers.

New to AWS

If you are new to Spinnaker or even just new to AWS in Spinnaker, we recommend immediately enabling launch template support for all applications.

  1. Update your clouddriver configuration file, usually clouddriver.yml, to enable launch templates for all applications.
     aws.features.launch-templates.enabled: true
     aws.features.launch-templates.all-applications.enabled: true
    
  2. Read through the available launch template supported features to determine which make sense for your users.
  3. Update AWS settings in deck to include the features you identified. Ensure that enableLaunchTemplates is true.
     providers: {
       aws: {
         serverGroups: {
           enableLaunchTemplates: true,
           enableIPv6: true,
           enableIMDSv2: true,
         }
       }
     }
    

Current AWS User

If you already use AWS as a cloud provider in Spinnaker, we recommend migrating to launch templates. Since there may be pre-existing dependencies on launch configurations, we have created some rollout configurations you can utilize for testing and/or migration.

  1. Update your clouddriver configuration file, usually clouddriver.yml, to enable launch template support.
     aws.features.launch-templates.enabled: true
    
  2. Review the rollout configurations and determine which of these you can temporarily utilize for your rollout. If you do not need to roll out gradually, stop here and follow the New to AWS steps instead.
  3. Update clouddriver.yml. This step can be repeated as needed throughout your rollout. This is an example config where launch templates are rolled out to two applications in production and to all of the test account. It also excludes one application completely:
     aws.features.launch-templates.enabled: true
     aws.features.launch-templates.allowed-applications: "myapp:prod:us-east-1,anotherapp:prod:us-east-1"
     aws.features.launch-templates.allowed-accounts: "test"
     aws.features.launch-templates.excluded-applications: "dangerousapp"
     aws.features.launch-templates.all-applications.enabled: false
    
  4. Read through the available features to determine which make sense for your use cases.
  5. Update AWS settings in deck to include the features you identified. Ensure that enableLaunchTemplates is true.
     providers: {
       aws: {
         serverGroups: {
           enableLaunchTemplates: true,
           enableIPv6: true,
           enableIMDSv2: true,
         }
       }
     }
    
  6. When you are ready for a complete rollout, enable launch templates for all applications and clean up rollout config in clouddriver.yml.
     aws.features.launch-templates.enabled: true
     aws.features.launch-templates.all-applications.enabled: true
    

Rollout Configuration

If you already use AWS, then your applications may have some dependencies on launch configurations that prevent simply enabling the feature everywhere. The configuration options below were created to aid with testing or a rollout period. Feel free to use whatever combination is best for you. If you would prefer to skip a rollout, use the configuration in New to AWS.

All keys live under aws.features.launch-templates in clouddriver.yml.

  allowed-applications (String)
     A comma-separated list of one or more allowed applications scoped by account-region pairs ("app:account:region"). This helps with preliminary controlled testing on a handful of applications.
     Example: "testapp:prod:us-east-1"

  allowed-accounts-regions (String)
     A comma-separated list of allowed account-region pairs. This is good for incrementally rolling out to regions within accounts.
     Example: "test:us-east-1"

  allowed-accounts (String)
     A comma-separated list of allowed accounts. This is good for incrementally rolling out launch templates from test to production accounts.
     Example: "test"

  excluded-accounts (String)
     A comma-separated list of accounts to exclude from the rollout.
     Example: "prod"

  excluded-applications (String)
     A comma-separated list of applications to exclude from the rollout. This helps prevent any edge cases from delaying a wide rollout.
     Example: "myapp1,myapp2"

  all-applications.enabled (Boolean)
     Allows launch templates on any application, except for those that have been excluded. This overrides any of the allowed lists and widely rolls out launch templates.
     Example: true
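To make the interaction of these keys concrete, here is a small model of the rollout decision for one (application, account, region) target. This is an added example, not clouddriver's own code; the precedence it encodes (exclusions win, then all-applications.enabled, then any matching allow list) is an assumption drawn from the descriptions above, and the sample targets are constructed.

```python
from dataclasses import dataclass
from typing import Set


def _split(csv: str) -> Set[str]:
    """Parse a comma-separated config value into a set, ignoring blanks."""
    return {item.strip() for item in csv.split(",") if item.strip()}


@dataclass
class LaunchTemplateRollout:
    """Mirror of the aws.features.launch-templates keys (assumed model)."""
    enabled: bool = False
    all_applications_enabled: bool = False
    allowed_applications: str = ""      # "app:account:region,..."
    allowed_accounts_regions: str = ""  # "account:region,..."
    allowed_accounts: str = ""          # "account,..."
    excluded_accounts: str = ""
    excluded_applications: str = ""

    def uses_launch_template(self, app: str, account: str, region: str) -> bool:
        """Decide whether a server group in app/account/region gets a launch template."""
        if not self.enabled:
            return False
        # Assumption: exclusions are honoured regardless of any allow list.
        if app in _split(self.excluded_applications):
            return False
        if account in _split(self.excluded_accounts):
            return False
        # The wide switch overrides the allow lists (per the table above).
        if self.all_applications_enabled:
            return True
        # Otherwise any matching allow list opts the target in.
        return (
            f"{app}:{account}:{region}" in _split(self.allowed_applications)
            or f"{account}:{region}" in _split(self.allowed_accounts_regions)
            or account in _split(self.allowed_accounts)
        )


# The example rollout config from the "Current AWS User" steps above.
PAGE_EXAMPLE = LaunchTemplateRollout(
    enabled=True,
    allowed_applications="myapp:prod:us-east-1,anotherapp:prod:us-east-1",
    allowed_accounts="test",
    excluded_applications="dangerousapp",
    all_applications_enabled=False,
)

if __name__ == "__main__":
    for target in [("myapp", "prod", "us-east-1"), ("myapp", "prod", "eu-west-1"),
                   ("dangerousapp", "test", "us-east-1"), ("other", "test", "us-west-2")]:
        print(target, PAGE_EXAMPLE.uses_launch_template(*target))
```

Running it shows that myapp in prod is only opted in for us-east-1, that dangerousapp stays on launch configurations even inside the allowed test account, and that any other application in test is opted in.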

Feature Configuration

Once launch templates are enabled in clouddriver, a new set of features is unlocked. Review the list of features below to determine which you want to enable in the UI. Users will see enabled features as options when configuring a server group.

Each feature is switched on in deck via the named key under providers.aws.serverGroups.

  IPv6 (deck config: enableIPv6)
     ASGs can associate an IPv6 address to their instances.

  IMDSv2 (deck config: enableIMDSv2)
     Helps mitigate AWS credential theft from the exploitation of SSRF vulnerabilities in web applications. This is only supported by modern SDKs. Learn more from AWS.