ec2.ts
import * as fs from "fs"
import * as aws from "@pulumi/aws"
import * as pulumi from "@pulumi/pulumi"
import * as handlebars from "handlebars"
import * as cloudwatch from "./cloudwatch"
import * as config from "./config"
import * as ebs from "./ebs"
import * as efs from "./efs"
import * as iam from "./iam"
import * as rds from "./rds"
import * as s3 from "./s3"
import * as vpc from "./vpc"
/**
 * EC2 instance for the "services" role of the deployment.
 *
 * Security-relevant settings visible in this definition:
 *  - root and additional EBS block devices are created encrypted;
 *  - the instance metadata service only accepts token-based (IMDSv2) requests;
 *  - the instance is placed in the first private subnet of the VPC and is
 *    attached to a single security group (vpc.sgServices);
 *  - user data is rendered from a local shell template with identifiers only.
 */
export const servicesInstance = new aws.ec2.Instance("services", {
  // AMI is looked up per region from the stack configuration.
  ami: config.ami.services[config.aws.region],
  ebsOptimized: true,
  // Additional 100 GiB gp2 volume at /dev/sdf, encrypted at rest.
  // Later edits to this list are NOT applied automatically (see ignoreChanges below).
  ebsBlockDevices: [
    {
      deviceName: "/dev/sdf",
      encrypted: true,
      volumeSize: 100,
      volumeType: "gp2",
    },
  ],
  // The permissions granted to this instance are defined by the profile in ./iam (not shown here).
  iamInstanceProfile: iam.servicesInstanceProfile,
  instanceType: aws.ec2.InstanceTypes.M5_Large,
  // SSH key pair name comes from configuration.
  keyName: config.aws.keyPair,
  metadataOptions: {
    httpEndpoint: "enabled",
    // NOTE(review): a hop limit of 2 lets the IMDS token response cross one extra
    // network hop — presumably so containers on this host can reach IMDS. Confirm
    // that is intended, since those containers can then use the instance-profile
    // credentials as well.
    httpPutResponseHopLimit: 2,
    // "required" turns off IMDSv1: every metadata request must carry a session token.
    httpTokens: "required",
  },
  rootBlockDevice: {
    encrypted: true,
  },
  // Always the first private subnet; assumes the VPC exposes at least one.
  subnetId: pulumi.output(vpc.vpc.privateSubnetIds).apply(ids => ids[0]),
  tags: {
    Name: "codeocean-services",
    deployment: config.deploymentName,
    role: "services",
  },
  // User data can be read back from the metadata service by processes on the
  // instance, so only non-secret identifiers are rendered into the script here.
  // Keep it that way when extending the template context.
  userData: pulumi
    .all([
      s3.configBucket.bucket,
      // Optional resource: the template receives undefined when no capsule cache exists.
      efs.capsuleCache?.id,
      efs.datasets.id,
      config.stackname,
    ])
    .apply(([bucketName, capsuleCacheId, datasetsId, stackName]) => {
      // The template path is relative to the process working directory.
      const scriptSource = fs.readFileSync("ec2-init-services.sh", "utf8")
      // NOTE(review): Handlebars HTML-escapes `{{value}}` output by default. That is
      // harmless for bucket names / EFS ids, but would alter values containing
      // characters such as & or quotes — the template itself is not visible here.
      const render = handlebars.compile(scriptSource)
      return render({
        configBucketName: bucketName,
        capsuleCacheEfsId: capsuleCacheId,
        datasetsEfsId: datasetsId,
        pulumiStackName: stackName,
      })
    }),
  vpcSecurityGroupIds: [vpc.sgServices.id],
}, {
  // Create the instance only after networking, storage, database, config bucket
  // and log groups exist.
  dependsOn: pulumi
    .all([vpc.vpc.natGateways, vpc.vpc.internetGateway])
    .apply(([nats, igw]) => {
      return [
        ...nats,
        igw!,
        // NOTE(review): efs.capsuleCache is optional (see `?.` in userData), so this
        // entry may be undefined — confirm dependsOn tolerates that.
        efs.capsuleCache,
        efs.datasets,
        rds.analytics,
        s3.configBucket,
        cloudwatch.instancesLogGroup,
        cloudwatch.servicesLogGroup,
      ]
    }),
  // XXX Terraform and Pulumi cannot mix ebsBlockDevices with a separate
  // VolumeAttachment (which this file does) without wanting to recreate the
  // instance on every update. Ignoring changes to ebsBlockDevices works around
  // that until the limitation is fixed upstream.
  //
  // Consequence: an edit to ebsBlockDevices above (including size or the
  // `encrypted` flag) does not reach an existing instance unless a replacement
  // is forced. That may be necessary even without this setting, because both
  // tools also seem to miss changes in ebsBlockDevices.
  //
  // https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/ec2/#VolumeAttachment
  // https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/ec2/#block-devices
  ignoreChanges: ["ebsBlockDevices"],
})
/**
 * Attaches the persistent data volume (ebs.dataVolume) to the services
 * instance as /dev/sde.
 *
 * The volume itself — including whether it is encrypted — is defined in
 * ./ebs, which is not shown here; the `encrypted: true` flags on the
 * instance's own block devices do not cover it.
 */
export const servicesDataVolume = new aws.ec2.VolumeAttachment("services-data-volume", {
  deviceName: "/dev/sde",
  volumeId: ebs.dataVolume.id,
  instanceId: servicesInstance.id,
}, {
  // Remove the existing attachment before creating its replacement, presumably
  // because the same volume cannot be attached a second time while the old
  // attachment still exists — confirm.
  deleteBeforeReplace: true,
})