Optional accessEnable and configures access logs.
Optional applicationEnable and configures application logs.
The port your application runs on.
Optional blockAdd block devices (additional storage).
Optional certificateSpecify certificate for the load balancer.
Optional googleConfigure Google Auth.
Optional allowedGroups used for membership checks.
If specified, cannot be empty. Users must be a member of at least one group to gain access.
WARNING: groups must be specified with the guardian.co.uk domain, even
if that is the non-idiomatic choice for daily use.
[engineering@guardian.co.uk]
Optional cognitoWhen using Auth in the ALB, which stage of cognito-lambda to use.
For most applications this should always be PROD, even in the CODE environments.
PROD
Optional credentialsSecrets Manager path containing Google OAuth2 Client credentials.
NOTE: you do not need to set this value, but you DO need to generate and store the associated credentials in Secrets Manager.
Credentials should be stored in Secrets Manager as JSON:
{
"clientId": "my-client-id",
"clientSecret": "my-client-secret"
}
googleAuth.enabled for how to generate.
/:STAGE/:stack/:app/google-auth-credentials
The domain users will access your service.
Set this to the same as for certificateProps.
Enables Google Auth (via Cognito). Additional MANUAL steps required - see below.
Limits access to members of the allowed Google groups.
Note, this does not currently support simultaneous machine access, so only set to true if you only require staff access to your service, or are supporting machine access in some other way.
MANUAL STEPS: to get this to work, we need a Google Project and associated credentials. Full instructions can be found here:
https://docs.google.com/document/d/1_k1FSE52AZHXufWLTiKTI3xy5cGpziyHazSHTKrYfco/edit?usp=sharing
DevX hope to automate this process in the near future.
Optional sessionThe number of minutes before the session expires.
Set this value to a safe period of time that revoked users sessions will continue to function.
NOTE: This value cannot be larger than 60 minutes.
15
Optional healthcheckSpecify custom healthcheck
Optional imageConfigure AMIgo image recipe. This is only necessary if you are using GuCDK to generate your riff-raff.yaml file.
Optional instanceSet http put response hop limit for the launch template. It can be necessary to raise this value from the default of 1 for example when sharing the instance profile with a docker container running on the instance.
EC2 instance type. Note, ensure your code is built for the same architecture family (arm64 - 'Graviton' instances - or x64).
Enable and configure alarms.
Optional privateSpecify private subnets if using a non-default VPC or (generally discouraged) to limit to a subset of the available subnets.
Optional publicSpecify private subnets if using a non-default VPC or (generally discouraged) to limit to a subset of the available subnets.
Optional roleConfigure IAM roles for autoscaling group EC2 instances.
Autoscaling group min and max sizes.
User data for the autoscaling group.
Optional vpcSpecify the VPC to use.
Optional withoutDisable imdsv2. Most of the time you should not set this.
Network access restrictions for your load balancer.
Note, this merely provides defence in depth; you should, for example, limit access to the VPN and then treat that as sufficient. Instead, use Google Auth for human access, or a suitable machine auth mechanism.