Once again I have some catching up to do, and as usual that means I’ll first focus on AWS announcements. Two very powerful new tools were released with CloudFormation Macros and the Session Manager. In addition Fargate now supports scheduled tasks.
The release of CloudFormation Macros finally gives us more power when building CloudFormation templates. I will likely write a full article with examples on this in the near future, but in short it allows you to use Lambda functions in your template to add functionalities that weren’t possible with CloudFormation before. It was of course possible to use other tools such as CFNDSL to generate templates that had everything you needed, but it’s nicer to have native tools to do so.
Under the hood it seems to be using the same transform functionality that was introduced with SAM templates, which should give you some idea about the power these macros can have. As always with something like this, you have to use it to really see how useful it can be. Luckily the announcement above links to several AWS provided examples of the functionality, and others have already released some ideas as well.
AWS Session Manager
The unfortunate complete name of this feature is the AWS Systems Manager Session Manager, but that just sounds silly when you say it1 so I’ll call it the Session Manager. So, what does it actually do? Well, it gives you a terminal session for your instance. In your browser, even for private instances.
If that sounds familiar, you might remember the Azure Serial Console which did a similar thing. There are differences though with the Azure version. First among them that you won’t log in with an existing user onto the instance. Instead, Session Manager will create a new user for you called ssm-user, and you don’t need any authentication to sign into it. This user is also added to the sudoers list, so you can immediately become root and do what you need to do.
The advantage of this is that you can really get away without keys that give you access to the machine, but on the other hand it almost seems less secure. Technically speaking it’s just as secure however, but you have to make sure that your IAM permissions are set correctly. If there are groups or assumed roles you don’t want to be able to log in, your best bet is probably to add an explicit deny to their IAM roles. Either for instances that are tagged a certain way, or just for all of them.
The second major difference is that it even works for Windows machines, where you’ll get a Powershell session. If you need to click around in Windows this won’t obviate the need for a bastion2 of some sort, but for many tasks it will likely be enough.
Because I really like Fargate, I do want to mention that it now has proper support for time and event-based scheduling. As I strongly believe that Fargate’s biggest strength lies in running short term tasks, this is obviously very useful. In addition, it serves as a nice intro in mentioning that I’ll be giving a Serverless Containers Deep Dive talk at the AWS User Group Conference, which is part of the AISA Cyberconference, on the 10th and 11th of October.
Related content you might like:
- Week 47, 2018 - CloudFormation Drift Detection; Multiple Instance Types in ASGs; Amazon Corretto
- Week 32, 2018 - Istio 1.0; AWS CDK
- Week 31, 2018 - Lambda SQS event source; ALB redirects; Application Auto Scaling; Fargate in Sydney
- Week 31 2017 - CloudFormation StackSets; Microsoft Container Instances; Flash EOL
- Building and Testing CloudFormation Macros