Skip to main content

EC2

This check connects to an AWS account with the specified credentials, launch an EC2 instance with an option for userData. This test can be used to check the availability of an ami, account service limits, run backup & restore operations, etc.

apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: ec2-check
spec:
  interval: 30
  ec2:
    - name: ec2-check
      ami: ami-04f7efe62f419d9f5
      description: test instance
      accessKeyID:
        valueFrom:
          secretKeyRef:
            name: aws-credentials
            key: AWS_ACCESS_KEY_ID
      secretKey:
        valueFrom:
          secretKeyRef:
            name: aws-credentials
            key: AWS_SECRET_ACCESS_KEY
      region: af-south-1
      userData: |
        #!/bin/bash
        yum install -y httpd
        systemctl start httpd
        systemctl enable httpd
        usermod -a -G apache ec2-user
        chown -R ec2-user:apache /var/www
        chmod 2775 /var/www
        find /var/www -type d -exec chmod 2775 {} \;
        find /var/www -type f -exec chmod 0664 {} \;
      securityGroup: WebAccess
FieldDescriptionSchemeRequired
amiMaster image to create EC2 instance fromstringYes
canaryRefReference Canary object[]v1.LocalObjectReference
keepAliveToggle keepalive with true or falsebool
securityGroupSecurity groups to attach to the EC2 instancestring
timeoutSet keep-alive timeoutint
userDataConfigure EC2 instance with user datastring
waitTimeSet wait-time for EC2 instance launchint
*All other commons fieldCommon
Connection
connectionPath of existing connection e.g. connection://aws/instance/. Mutually exclusive with accessKey and secretKeyConnection
accessKeyMutually exclusive with connectionEnvVar
secretKeyMutually exclusive with connectionEnvVar
endpointCustom AWS endpointstring
regionAWS regionstring
skipTLSVerifySkip TLS verify when connecting to awsbool

Connecting to AWS

There are 3 options when connecting to AWS:

  1. An AWS instance profile or pod identity (the default if no connection or accessKey is specified)

  2. connection, this is the recommended method, connections are reusable and secure

    aws-connection.yaml
    apiVersion: canaries.flanksource.com/v1
    kind: Canary
    metadata:
      name:  aws-config-rule
    spec:
      interval: 30
      awsConfigRule:
        - name: AWS Config Rule Checker
          connection: connection://aws/internal
          rules:
            - "s3-bucket-public-read-prohibited"

  3. accessKey and secretKey EnvVar with the credentials stored in a secret.

    aws.yaml
    apiVersion: canaries.flanksource.com/v1
    kind: Canary
    metadata:
      name: aws-config-rule
    spec:
      interval: 30
      awsConfigRule:
        - name: AWS Config Rule Checker
          accessKey:
            valueFrom:
              secretKeyRef:
                name: aws-credentials
                key: AWS_ACCESS_KEY_ID
          secretKey:
            valueFrom:
              secretKeyRef:
                name: aws-credentials
                key: AWS_SECRET_ACCESS_KEY
          region: us-east-1
          rules:
            - "s3-bucket-public-read-prohibited"