@guardian/cdk

    Interface GuEc2AppProps

    interface GuEc2AppProps {
        access: AppAccess;
        accessLogging?: AccessLoggingProps;
        app: string;
        applicationLogging?: ApplicationLoggingProps;
        applicationPort: number;
        blockDevices?: BlockDevice[];
        certificateProps?: GuDomainName;
        defaultInstanceWarmup?: Duration;
        googleAuth?: {
            allowedGroups?: string[];
            cognitoAuthStage?: string;
            credentialsSecretsManagerPath?: string;
            domain: string;
            enabled: true;
            sessionTimeoutInMinutes?: number;
        };
        healthcheck?: HealthCheck;
        imageRecipe?: string | AmigoProps;
        instanceMetadataHopLimit?: number;
        instanceMetricGranularity: "1Minute" | "5Minute";
        instanceType: InstanceType;
        monitoringConfiguration: NoMonitoring | Alarms;
        privateSubnets?: ISubnet[];
        publicSubnets?: ISubnet[];
        roleConfiguration?: GuInstanceRoleProps;
        scaling: GuAsgCapacity;
        updatePolicy?: UpdatePolicy;
        userData: UserData | GuUserDataProps;
        vpc?: IVpc;
    }

    Properties

    access: AppAccess

    Network access restrictions for your load balancer.

    Note, this merely provides defence in depth; you should not, for example, limit access to the VPN and then treat that as sufficient. Instead, use Google Auth for human access, or a suitable machine auth mechanism.

    accessLogging?: AccessLoggingProps

    Enables and configures access logs.

    app: string

    applicationLogging?: ApplicationLoggingProps

    Enables and configures application logs.

    applicationPort: number

    The port your application runs on.

    blockDevices?: BlockDevice[]

    Add block devices (additional storage).

    certificateProps?: GuDomainName

    Specify certificate for the load balancer.

    defaultInstanceWarmup?: Duration

    You can specify how long after an instance reaches the InService state it waits before contributing usage data to the aggregated metrics. This specified time is called the default instance warmup. This keeps dynamic scaling from being affected by metrics for individual instances that aren't yet handling application traffic and that might be experiencing temporarily high usage of compute resources.

    googleAuth?: {
        allowedGroups?: string[];
        cognitoAuthStage?: string;
        credentialsSecretsManagerPath?: string;
        domain: string;
        enabled: true;
        sessionTimeoutInMinutes?: number;
    }

    Configure Google Auth.

    Type declaration

    • allowedGroups?: string[] (optional)

      Groups used for membership checks.

      If specified, cannot be empty. Users must be a member of at least one group to gain access.

      WARNING: groups must be specified with the guardian.co.uk domain, even if that is the non-idiomatic choice for daily use.

      Default: [engineering@guardian.co.uk]

    • cognitoAuthStage?: string (optional)

      When using Auth in the ALB, which stage of cognito-lambda to use.

      For most applications this should always be PROD, even in the CODE environments.

      Default: PROD
      
    • credentialsSecretsManagerPath?: string (optional)

      Secrets Manager path containing Google OAuth2 Client credentials.

      NOTE: you do not need to set this value (the default path below is used), but you DO need to generate and store the associated credentials in Secrets Manager at that path.

      Credentials should be stored in Secrets Manager as JSON:

      {
        "clientId": "my-client-id",
        "clientSecret": "my-client-secret"
      }

      See googleAuth.enabled for how to generate them.

      Default: /:STAGE/:stack/:app/google-auth-credentials
      
    • domain: string

      The domain at which users will access your service.

      Set this to the same as for certificateProps.

    • enabled: true

      Enables Google Auth (via Cognito). Additional MANUAL steps required - see below.

      Limits access to members of the allowed Google groups.

      Note, this does not currently support simultaneous machine access, so only set to true if you only require staff access to your service, or are supporting machine access in some other way.

      MANUAL STEPS: to get this to work, we need a Google Project and associated credentials. Full instructions can be found here:

      https://docs.google.com/document/d/1_k1FSE52AZHXufWLTiKTI3xy5cGpziyHazSHTKrYfco/edit?usp=sharing

      DevX hope to automate this process in the near future.

    • sessionTimeoutInMinutes?: number (optional)

      The number of minutes before the session expires.

      A user whose access has been revoked (for example by removal from the allowed groups) keeps an existing session until it expires, so set this to the longest window you are comfortable with.

      NOTE: This value cannot be larger than 60 minutes.

      Default: 15
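      The constraints documented for the googleAuth block above (non-empty groups on the guardian.co.uk domain, a session timeout of at most 60 minutes, a domain that matches certificateProps, PROD as the usual cognitoAuthStage, and the default credentials path) are easy to get wrong before a deploy. The following is an added example, not code from @guardian/cdk: a pre-synth check over a props object. GoogleAuthProps mirrors the type declared on this page; AppPropsSubset is an assumed subset of GuEc2AppProps, the `domainName` field on certificateProps is an assumption about the shape of GuDomainName, and the sample props are constructed.

```typescript
// Added example (not part of @guardian/cdk): a pre-synth sanity check for the
// googleAuth block of GuEc2AppProps. GoogleAuthProps mirrors the type declared
// on the documentation page; AppPropsSubset is an assumed subset of
// GuEc2AppProps, and `domainName` on certificateProps is an assumed field.

interface GoogleAuthProps {
  allowedGroups?: string[];
  cognitoAuthStage?: string;
  credentialsSecretsManagerPath?: string;
  domain: string;
  enabled: true;
  sessionTimeoutInMinutes?: number;
}

interface AppPropsSubset {
  app: string;
  certificateProps?: { domainName: string }; // assumed shape of GuDomainName
  googleAuth?: GoogleAuthProps;
}

interface ValidationResult {
  errors: string[];   // the documented rules say this will not work as intended
  warnings: string[]; // deploys, but deviates from the documented recommendation
}

const GROUP_DOMAIN = "guardian.co.uk"; // allowedGroups must use this domain
const MAX_SESSION_MINUTES = 60;        // documented cap for sessionTimeoutInMinutes

// The documented default location of the Google OAuth2 client credentials:
// /:STAGE/:stack/:app/google-auth-credentials
function defaultCredentialsPath(stage: string, stack: string, app: string): string {
  return `/${stage}/${stack}/${app}/google-auth-credentials`;
}

function validateGoogleAuth(props: AppPropsSubset): ValidationResult {
  const result: ValidationResult = { errors: [], warnings: [] };
  const ga = props.googleAuth;
  if (ga === undefined) return result; // Google Auth not requested: nothing to check

  if (ga.allowedGroups !== undefined) {
    if (ga.allowedGroups.length === 0) {
      result.errors.push("allowedGroups, if specified, cannot be empty");
    }
    for (const group of ga.allowedGroups) {
      // Groups must be written with the guardian.co.uk domain, not the day-to-day one.
      if (!group.endsWith(`@${GROUP_DOMAIN}`)) {
        result.errors.push(`allowedGroups entry "${group}" must use the ${GROUP_DOMAIN} domain`);
      }
    }
  }

  if (ga.sessionTimeoutInMinutes !== undefined) {
    const minutes = ga.sessionTimeoutInMinutes;
    if (minutes <= 0 || minutes > MAX_SESSION_MINUTES) {
      result.errors.push(`sessionTimeoutInMinutes must be between 1 and ${MAX_SESSION_MINUTES}, got ${minutes}`);
    }
  }

  // The page says googleAuth.domain should be the same as certificateProps.
  if (props.certificateProps !== undefined && props.certificateProps.domainName !== ga.domain) {
    result.errors.push(`googleAuth.domain "${ga.domain}" does not match certificateProps "${props.certificateProps.domainName}"`);
  }

  if (ga.cognitoAuthStage !== undefined && ga.cognitoAuthStage !== "PROD") {
    result.warnings.push(`cognitoAuthStage is "${ga.cognitoAuthStage}"; for most applications it should be PROD even in CODE`);
  }

  return result;
}

// Constructed sample props, not a real Guardian stack.
const goodProps: AppPropsSubset = {
  app: "example-app",
  certificateProps: { domainName: "example-app.example.com" },
  googleAuth: {
    enabled: true,
    domain: "example-app.example.com",
    allowedGroups: ["engineering@guardian.co.uk"],
    sessionTimeoutInMinutes: 15,
  },
};

const badProps: AppPropsSubset = {
  app: "example-app",
  certificateProps: { domainName: "example-app.example.com" },
  googleAuth: {
    enabled: true,
    domain: "example-app.example.org",              // does not match the certificate
    allowedGroups: ["engineering@theguardian.com"], // wrong group domain
    sessionTimeoutInMinutes: 120,                   // exceeds the 60 minute cap
    cognitoAuthStage: "CODE",                       // deviates from the PROD recommendation
  },
};

// Run stand-alone: report the findings for the bad props and the default secret path.
for (const line of validateGoogleAuth(badProps).errors) console.log("error:", line);
for (const line of validateGoogleAuth(badProps).warnings) console.log("warning:", line);
console.log("default secret path:", defaultCredentialsPath("PROD", "example-stack", "example-app"));
```

      The check is deliberately conservative: it only encodes what this page states, so a props object that passes still needs the manual Google project setup described under googleAuth.enabled, and the secret must actually exist at the default path (or at credentialsSecretsManagerPath if you override it) before the stack can authenticate anyone.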
      
    healthcheck?: HealthCheck

    Specify a custom healthcheck.

    imageRecipe?: string | AmigoProps

    Configure AMIgo image recipe. This is only necessary if you are using GuCDK to generate your riff-raff.yaml file.

    instanceMetadataHopLimit?: number

    Sets the HTTP PUT response hop limit (the IMDSv2 token hop limit) on the launch template. The default of 1 means the instance metadata service answers token requests only from the instance's own network namespace, so a Docker container on the instance cannot obtain the instance profile credentials. Raise it (for example to 2) only when a container on the instance genuinely needs to share the instance profile.

    instanceMetricGranularity: "1Minute" | "5Minute"

    How often to send EC2 metrics, such as CPU usage. By default, AWS will produce 5Minute granular metrics.

    It is recommended to produce 1Minute granular metrics in production, especially when using ASG metrics to trigger horizontal scaling as it allows for earlier scaling.

    instanceType: InstanceType

    EC2 instance type. Note, ensure your code is built for the same architecture family (arm64 - 'Graviton' instances - or x64).

    monitoringConfiguration: NoMonitoring | Alarms

    Enable and configure alarms.

    privateSubnets?: ISubnet[]

    Specify private subnets if using a non-default VPC or (generally discouraged) to limit to a subset of the available subnets.

    publicSubnets?: ISubnet[]

    Specify public subnets if using a non-default VPC or (generally discouraged) to limit to a subset of the available subnets.

    roleConfiguration?: GuInstanceRoleProps

    Configure IAM roles for autoscaling group EC2 instances.

    scaling: GuAsgCapacity

    Autoscaling group min and max sizes.

    updatePolicy?: UpdatePolicy

    Specify an update policy for the ASG created by this pattern.

    UpdatePolicy.none() - CloudFormation does not attempt to rotate instances in the ASG and must rely on Riff-Raff to do so.

    userData: UserData | GuUserDataProps

    User data for the autoscaling group.

    vpc?: IVpc

    Specify the VPC to use.