OptionalaccessEnable and configures access logs.
OptionalapplicationEnable and configures application logs.
The port your application runs on.
OptionalblockAdd block devices (additional storage).
OptionalcertificateSpecify certificate for the load balancer.
OptionaldefaultYou can specify how long after an instance reaches the InService state it waits before contributing usage data to the aggregated metrics. This specified time is called the default instance warmup. This keeps dynamic scaling from being affected by metrics for individual instances that aren't yet handling application traffic and that might be experiencing temporarily high usage of compute resources.
OptionalgoogleConfigure Google Auth.
OptionalallowedGroups?: string[]Groups used for membership checks.
If specified, cannot be empty. Users must be a member of at least one group to gain access.
WARNING: groups must be specified with the guardian.co.uk domain, even
if that is the non-idiomatic choice for daily use.
OptionalcognitoAuthStage?: stringWhen using Auth in the ALB, which stage of cognito-lambda to use.
For most applications this should always be PROD, even in the CODE environments.
OptionalcredentialsSecretsManagerPath?: stringSecrets Manager path containing Google OAuth2 Client credentials.
NOTE: you do not need to set this value, but you DO need to generate and store the associated credentials in Secrets Manager.
Credentials should be stored in Secrets Manager as JSON:
{
"clientId": "my-client-id",
"clientSecret": "my-client-secret"
}
The domain users will access your service.
Set this to the same as for certificateProps.
Enables Google Auth (via Cognito). Additional MANUAL steps required - see below.
Limits access to members of the allowed Google groups.
Note, this does not currently support simultaneous machine access, so only set to true if you only require staff access to your service, or are supporting machine access in some other way.
MANUAL STEPS: to get this to work, we need a Google Project and associated credentials. Full instructions can be found here:
https://docs.google.com/document/d/1_k1FSE52AZHXufWLTiKTI3xy5cGpziyHazSHTKrYfco/edit?usp=sharing
DevX hope to automate this process in the near future.
OptionalsessionTimeoutInMinutes?: numberThe number of minutes before the session expires.
Set this value to a safe period of time that revoked users sessions will continue to function.
NOTE: This value cannot be larger than 60 minutes.
OptionalhealthcheckSpecify custom healthcheck
OptionalimageConfigure AMIgo image recipe. This is only necessary if you are using GuCDK to generate your riff-raff.yaml file.
OptionalinstanceSet http put response hop limit for the launch template. It can be necessary to raise this value from the default of 1 for example when sharing the instance profile with a docker container running on the instance.
How often to send EC2 metrics, such as CPU usage.
By default, AWS will produce 5Minute granular metrics.
It is recommended to produce 1Minute granular metrics in production,
especially when using ASG metrics to trigger horizontal scaling as it allows for earlier scaling.
EC2 instance type. Note, ensure your code is built for the same architecture family (arm64 - 'Graviton' instances - or x64).
Enable and configure alarms.
OptionalprivateSpecify private subnets if using a non-default VPC or (generally discouraged) to limit to a subset of the available subnets.
OptionalpublicSpecify private subnets if using a non-default VPC or (generally discouraged) to limit to a subset of the available subnets.
OptionalroleConfigure IAM roles for autoscaling group EC2 instances.
Autoscaling group min and max sizes.
OptionalupdateSpecify an update policy for the ASG created by this pattern.
User data for the autoscaling group.
OptionalvpcSpecify the VPC to use.
Network access restrictions for your load balancer.
Note, this merely provides defence in depth; you should, for example, limit access to the VPN and then treat that as sufficient. Instead, use Google Auth for human access, or a suitable machine auth mechanism.