AWS EC2 Plugin

AWS integration is achieved via a simple but powerful tagging system on EC2 instances. Tags are paired with an AWS role/policy, allowing connector instances to discover the resources we want to expose via sockets.

For this example we will assume our AWS region is us-west-2 (Oregon).

The YAML configuration:

1. We expand the “connector” section to include the region:

connector:
   name: "my-awesome-connector"
   aws-region: "us-west-2"

2. Create a plugin-specific “aws_groups” section containing our discovery group name with its access definitions:

aws_groups:
    - group: infra_team
      policies: [my-connector-policy]

3. Add tags to EC2 instances in the following format:

3.1. Key: border0_someName

The key must start with “border0” and can be followed by any alphanumeric set of characters, e.g. border0_http, border0_server01, border01

3.2. Value: port=1234,type=http,group=infra_team

The tag value is a CSV-encoded list of parameters for a given socket:

  • group : the name of the AWS group defined in the YAML
  • port : the TCP port we wish to expose via the socket
  • type : one of the supported socket types: ssh, http, database, tls

3.3. A complete tag with its value will look like this:

Key: border0_webserver
Value: port=80,type=http,group=infra_team
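As an added example (not the plugin's own code), the following Go function validates a tag key and value against the format described above: the key prefix, the CSV name=value fields, the supported socket types, the TCP port range, and that the referenced group is actually declared in aws_groups. SocketSpec, ParseBorder0Tag and the sample inputs are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SocketSpec is the decoded form of one border0_* tag value (hypothetical type, not the plugin's own).
type SocketSpec struct{ Port int; Type, Group string }

var supportedTypes = map[string]bool{"ssh": true, "http": true, "database": true, "tls": true}

// ParseBorder0Tag validates the key prefix, decodes the CSV "name=value" tag value and checks
// that the referenced group is declared in aws_groups (passed in as knownGroups).
func ParseBorder0Tag(key, value string, knownGroups map[string]bool) (SocketSpec, error) {
	if !strings.HasPrefix(key, "border0") {
		return SocketSpec{}, fmt.Errorf("key %q does not start with border0", key)
	}
	fields := map[string]string{}
	for _, field := range strings.Split(value, ",") {
		name, val, ok := strings.Cut(field, "=")
		if !ok || name == "" || val == "" {
			return SocketSpec{}, fmt.Errorf("malformed field %q (want name=value)", field)
		}
		fields[name] = val
	}
	// Exactly the three documented fields must be present; anything else is rejected.
	if len(fields) != 3 || fields["port"] == "" || fields["type"] == "" || fields["group"] == "" {
		return SocketSpec{}, fmt.Errorf("tag %q must set port, type and group only", key)
	}
	port, err := strconv.Atoi(fields["port"])
	if err != nil || port < 1 || port > 65535 {
		return SocketSpec{}, fmt.Errorf("invalid port %q", fields["port"])
	}
	if !supportedTypes[fields["type"]] {
		return SocketSpec{}, fmt.Errorf("unsupported socket type %q", fields["type"])
	}
	if !knownGroups[fields["group"]] {
		return SocketSpec{}, fmt.Errorf("group %q is not defined in aws_groups", fields["group"])
	}
	return SocketSpec{Port: port, Type: fields["type"], Group: fields["group"]}, nil
}

func main() {
	groups := map[string]bool{"infra_team": true} // constructed: mirrors the aws_groups section above
	fmt.Println(ParseBorder0Tag("border0_webserver", "port=80,type=http,group=infra_team", groups))
}
```

Rejecting tags that name an undeclared group means a tag added to an instance cannot expose a socket under access rules the YAML never defined.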

Once created, the tag is visible on the instance in the AWS EC2 console.

3.4. We need to give the connector instance read access to the AWS API.

This can be achieved in multiple ways and depends on your deployment and the type of infrastructure you run. One method is an IAM role attached to the connector instance.

Sample IAM policy allowing the connector to call the EC2 Describe actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        }
    ]
}