Interface GuEc2AppProps

interface GuEc2AppProps {
    access: AppAccess;
    accessLogging?: AccessLoggingProps;
    app: string;
    applicationLogging?: ApplicationLoggingProps;
    applicationPort: number;
    blockDevices?: BlockDevice[];
    certificateProps?: GuDomainName;
    googleAuth?: {
        allowedGroups?: string[];
        cognitoAuthStage?: string;
        credentialsSecretsManagerPath?: string;
        domain: string;
        enabled: true;
        sessionTimeoutInMinutes?: number;
    healthcheck?: HealthCheck;
    imageRecipe?: string | AmigoProps;
    instanceMetadataHopLimit?: number;
    instanceType: InstanceType;
    monitoringConfiguration: NoMonitoring | Alarms;
    privateSubnets?: ISubnet[];
    publicSubnets?: ISubnet[];
    roleConfiguration?: GuInstanceRoleProps;
    scaling: GuAsgCapacity;
    userData: string | GuUserDataProps;
    vpc?: IVpc;
    withoutImdsv2?: boolean;

Hierarchy (view full)


access: AppAccess

Network access restrictions for your load balancer.

Note, this merely provides defence in depth; you should, for example, limit access to the VPN and then treat that as sufficient. Instead, use Google Auth for human access, or a suitable machine auth mechanism.

accessLogging?: AccessLoggingProps

Enable and configures access logs.

app: string
applicationLogging?: ApplicationLoggingProps

Enable and configures application logs.

applicationPort: number

The port your application runs on.

blockDevices?: BlockDevice[]

Add block devices (additional storage).

certificateProps?: GuDomainName

Specify certificate for the load balancer.

googleAuth?: {
    allowedGroups?: string[];
    cognitoAuthStage?: string;
    credentialsSecretsManagerPath?: string;
    domain: string;
    enabled: true;
    sessionTimeoutInMinutes?: number;

Configure Google Auth.

Type declaration

  • Optional allowedGroups?: string[]

    Groups used for membership checks.

    If specified, cannot be empty. Users must be a member of at least one group to gain access.

    WARNING: groups must be specified with the domain, even if that is the non-idiomatic choice for daily use.

    Default Value


  • Optional cognitoAuthStage?: string

    When using Auth in the ALB, which stage of cognito-lambda to use.

    For most applications this should always be PROD, even in the CODE environments.

    Default Value

  • Optional credentialsSecretsManagerPath?: string

    Secrets Manager path containing Google OAuth2 Client credentials.

    NOTE: you do not need to set this value, but you DO need to generate and store the associated credentials in Secrets Manager.

    Credentials should be stored in Secrets Manager as JSON:

    "clientId": "my-client-id",
    "clientSecret": "my-client-secret"


    googleAuth.enabled for how to generate.

    Default Value

  • domain: string

    The domain users will access your service.

    Set this to the same as for certificateProps.

  • enabled: true

    Enables Google Auth (via Cognito). Additional MANUAL steps required - see below.

    Limits access to members of the allowed Google groups.

    Note, this does not currently support simultaneous machine access, so only set to true if you only require staff access to your service, or are supporting machine access in some other way.

    MANUAL STEPS: to get this to work, we need a Google Project and associated credentials. Full instructions can be found here:

    DevX hope to automate this process in the near future.

  • Optional sessionTimeoutInMinutes?: number

    The number of minutes before the session expires.

    Set this value to a safe period of time that revoked users sessions will continue to function.

    NOTE: This value cannot be larger than 60 minutes.

    Default Value

healthcheck?: HealthCheck

Specify custom healthcheck

imageRecipe?: string | AmigoProps

Configure AMIgo image recipe. This is only necessary if you are using GuCDK to generate your riff-raff.yaml file.

instanceMetadataHopLimit?: number

Set http put response hop limit for the launch template. It can be necessary to raise this value from the default of 1 for example when sharing the instance profile with a docker container running on the instance.

instanceType: InstanceType

EC2 instance type. Note, ensure your code is built for the same architecture family (arm64 - 'Graviton' instances - or x64).

monitoringConfiguration: NoMonitoring | Alarms

Enable and configure alarms.

privateSubnets?: ISubnet[]

Specify private subnets if using a non-default VPC or (generally discouraged) to limit to a subset of the available subnets.

publicSubnets?: ISubnet[]

Specify private subnets if using a non-default VPC or (generally discouraged) to limit to a subset of the available subnets.

roleConfiguration?: GuInstanceRoleProps

Configure IAM roles for autoscaling group EC2 instances.

scaling: GuAsgCapacity

Autoscaling group min and max sizes.

userData: string | GuUserDataProps

User data for the autoscaling group.

vpc?: IVpc

Specify the VPC to use.

withoutImdsv2?: boolean

Disable imdsv2. Most of the time you should not set this.