DEV Community: Trevor Roberts Jr The latest articles on DEV Community by Trevor Roberts Jr (@trevorrobertsjr7). https://dev.to/trevorrobertsjr7 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F888242%2F32eba5e8-62de-4c95-adce-ec5ae5ca5c38.jpeg DEV Community: Trevor Roberts Jr https://dev.to/trevorrobertsjr7 en Automating EKS Auto Mode Pod Subnet Range Customization with EKS Node Classes, Karpenter Node Pools, and Terraform Trevor Roberts Jr Mon, 23 Jun 2025 14:00:00 +0000 https://dev.to/aws-builders/automating-eks-auto-mode-pod-subnet-range-customization-with-eks-node-classes-karpenter-node-4nkg https://dev.to/aws-builders/automating-eks-auto-mode-pod-subnet-range-customization-with-eks-node-classes-karpenter-node-4nkg <h2> Introduction </h2> <p>On June 13, 2025, the EKS Auto Mode Node Class feature was <a href="https://docs.aws.amazon.com/eks/latest/userguide/doc-history.html" rel="noopener noreferrer">updated</a> to include <code>podSubnetSelectorTerms</code> and <code>podSecurityGroupSelectorTerms</code> parameters to specify subnets for pod IP addressing. You can use an <a href="https://docs.aws.amazon.com/eks/latest/userguide/create-node-class.html#auto-node-class-spec" rel="noopener noreferrer">EKS Node Class</a> with a <a href="https://docs.aws.amazon.com/eks/latest/userguide/create-node-pool.html" rel="noopener noreferrer">Karpenter Node Pool</a> to specify additional configurations such as which types of instances to use for your workloads. You can then specify that Node Pool in any pod manifests that you deploy to your EKS Auto Mode cluster.</p> <p>EKS clusters have supported pod-specific subnets since around 2019/2020, and it is great to see this feature come to EKS Auto Mode clusters. Now, how do we simplify using this feature? Let's automate it! </p> <h2> EKS Node Class and Karpenter Node Pool Creation...powered by Terraform! </h2> <h3> Prerequisites: </h3> <ol> <li>Deploy an EKS Auto Mode cluster with an authentication mode that includes the API option.</li> <li>Create the subnets you want to use with your pods (I created a /21 in each of my availability zones).</li> <li>(Recommended) Create a security group specifically for your pods rather than reuse your node's security group for the podSecurityGroupSelectorTerms parameter in the Node Class spec.</li> <li>(Optional) Set a distinct tag in each of the pod subnets from step 2 to reference in the Node Class spec.</li> </ol> <blockquote> <p><strong>NOTE</strong></p> <p>The Node Class <code>podSubnetSelectorTerms</code> parameter requires you to either specify the subnet IDs you want to use with your pods or the tag you assigned to those subnets (see the <a href="https://docs.aws.amazon.com/eks/latest/userguide/create-node-pool.html" rel="noopener noreferrer">documented example</a>). I opted to use tags and assigned the tag of <code>kubernetes.io/role/cni</code> with a value of <code>1</code>. The tag key and value do not matter; what matters is that the tag you specify in your Node Class spec matches the actual subnet tag.</p> </blockquote> <p>For this blog, I will focus on the Terraform automation for the EKS Node Class and Karpenter Node Pool.</p> <h3> Feature Deployment Checklist </h3> <p>Before we write our Terraform, let's review the steps required to configure dedicated subnets for our pods.</p> <ol> <li>Create a new IAM role and Instance Profile for the nodes that will run the pods with the custom IP addresses.</li> <li>Create an EKS Access Entry for that IAM role that has the <code>AmazonEKSAutoNodePolicy</code> access policy.</li> <li>Create your EKS Node Class with your <code>podSubnetSelectorTerms</code> and <code>podSecurityGroupSelectorTerms</code> parameters.</li> <li>Create your Karpenter Node Pool to assign any other desired characteristics like instance types, spot vs on-demand, etc, and reference your Node Class in the Node Pool spec.</li> <li>Deploy a sample workload that uses the Karpenter Node Pool.</li> </ol> <p>Fortunately, the AWS and Kubernetes Terraform providers include all the necessary functionality to complete these tasks. All of my Terraform code for this blog can be found on <a href="https://github.com/trevorrobertsjr/eks-nodeclass-example" rel="noopener noreferrer">GitHub</a>, but I will focus on interesting code snippets here:</p> <p>First, the Kubernetes nodes need IAM permissions to manage AWS resources including assigning the pod subnets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"custom_nodeclass_worker_policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">custom_nodeclass_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"custom_nodeclass_cni_policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">custom_nodeclass_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"custom_nodeclass_registry_policy"</span> <span class="p">{</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">custom_nodeclass_role</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="c1"># VPC networking policy as well for the pod subnet functionality</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy"</span> <span class="s2">"custom_nodeclass_vpc_policy"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"eks-t4g-nodeclass-vpc-policy"</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">custom_nodeclass_role</span><span class="p">.</span><span class="nx">id</span> <span class="nx">policy</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Allow"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"ec2:DescribeSubnets"</span><span class="p">,</span> <span class="s2">"ec2:DescribeNetworkInterfaces"</span><span class="p">,</span> <span class="s2">"ec2:CreateNetworkInterface"</span><span class="p">,</span> <span class="s2">"ec2:AttachNetworkInterface"</span><span class="p">,</span> <span class="s2">"ec2:DeleteNetworkInterface"</span><span class="p">,</span> <span class="s2">"ec2:DetachNetworkInterface"</span><span class="p">,</span> <span class="s2">"ec2:ModifyNetworkInterfaceAttribute"</span><span class="p">,</span> <span class="s2">"ec2:AssignPrivateIpAddresses"</span><span class="p">,</span> <span class="s2">"ec2:UnassignPrivateIpAddresses"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>The Kubernetes nodes also need an EKS access entry with the <code>AmazonEKSAutoNodePolicy</code> access policy to join the EKS Auto Mode cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_eks_access_entry"</span> <span class="s2">"nodeclass_access_entry"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">principal_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">custom_nodeclass_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">kubernetes_groups</span> <span class="p">=</span> <span class="p">[]</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"EC2"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_eks_access_policy_association"</span> <span class="s2">"nodeclass_policy"</span> <span class="p">{</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">cluster_name</span> <span class="nx">principal_arn</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">custom_nodeclass_role</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:eks::aws:cluster-access-policy/AmazonEKSAutoNodePolicy"</span> <span class="nx">access_scope</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"cluster"</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_eks_access_entry</span><span class="p">.</span><span class="nx">nodeclass_access_entry</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Next comes the EKS Node Class and Karpenter Node Pool deployment. It is important to note that these are Kubernetes resources. As of this blog's publication date, it is not possible to use AWS APIs to create your Node Class nor your Node Pool. Hence we use the <code>kubernetes_manifest</code> resource type from the <a href="https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest" rel="noopener noreferrer">Terraform Kubernetes provider</a>.</p> <p>Notice the <code>podSubnetSelectorTerm</code> and the <code>podSecurityGroupSelectorTerms</code> parameters in the Node Class:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"kubernetes_manifest"</span> <span class="s2">"custom_nodeclass"</span> <span class="p">{</span> <span class="nx">manifest</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">apiVersion</span> <span class="p">=</span> <span class="s2">"eks.amazonaws.com/v1"</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"NodeClass"</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"t4g-nodeclass"</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">=</span> <span class="p">{</span> <span class="c1"># Use the role NAME (not ARN)</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">custom_nodeclass_role</span><span class="p">.</span><span class="nx">name</span> <span class="c1"># Subnets for EC2 instances (nodes) - using tags for flexibility</span> <span class="nx">subnetSelectorTerms</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/internal-elb"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="c1"># Security groups for nodes</span> <span class="nx">securityGroupSelectorTerms</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">node_security_group_id</span> <span class="p">}</span> <span class="p">]</span> <span class="c1"># Dedicated pod subnets - EKS Auto Mode will handle VPC CNI automatically</span> <span class="nx">podSubnetSelectorTerms</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"kubernetes.io/role/cni"</span> <span class="p">=</span> <span class="s2">"1"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="c1"># Pod security groups (dedicated security group for pods)</span> <span class="nx">podSecurityGroupSelectorTerms</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">pod_security_group_id</span> <span class="p">}</span> <span class="p">]</span> <span class="c1"># Let EKS Auto Mode manage networking automatically</span> <span class="nx">snatPolicy</span> <span class="p">=</span> <span class="s2">"Random"</span> <span class="nx">networkPolicy</span> <span class="p">=</span> <span class="s2">"DefaultAllow"</span> <span class="nx">networkPolicyEventLogs</span> <span class="p">=</span> <span class="s2">"Disabled"</span> <span class="c1"># Ephemeral storage configuration optimized for t4g instances</span> <span class="nx">ephemeralStorage</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">size</span> <span class="p">=</span> <span class="s2">"40Gi"</span> <span class="nx">iops</span> <span class="p">=</span> <span class="mi">3000</span> <span class="nx">throughput</span> <span class="p">=</span> <span class="mi">125</span> <span class="p">}</span> <span class="c1"># Tags for cost allocation and management</span> <span class="nx">tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="kd">local</span><span class="p">.</span><span class="nx">common_tags</span><span class="p">,</span> <span class="p">{</span> <span class="nx">NodeClass</span> <span class="p">=</span> <span class="s2">"t4g-nodeclass"</span> <span class="nx">InstanceType</span> <span class="p">=</span> <span class="s2">"t4g-arm64"</span> <span class="nx">Purpose</span> <span class="p">=</span> <span class="s2">"general-workload"</span> <span class="p">}</span> <span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="k">data</span><span class="p">.</span><span class="nx">terraform_remote_state</span><span class="p">.</span><span class="nx">eks_infrastructure</span><span class="p">,</span> <span class="nx">aws_eks_access_entry</span><span class="p">.</span><span class="nx">nodeclass_access_entry</span><span class="p">,</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">custom_nodeclass_role</span> <span class="p">]</span> <span class="p">}</span> <span class="c1"># NodePool using the custom NodeClass</span> <span class="k">resource</span> <span class="s2">"kubernetes_manifest"</span> <span class="s2">"t4g_nodepool"</span> <span class="p">{</span> <span class="nx">manifest</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">apiVersion</span> <span class="p">=</span> <span class="s2">"karpenter.sh/v1"</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"NodePool"</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"t4g-nodepool"</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">template</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">nodepool-type</span> <span class="p">=</span> <span class="s2">"t4g-arm64"</span> <span class="nx">billing-team</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">project_name</span> <span class="nx">environment</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">environment</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">=</span> <span class="p">{</span> <span class="c1"># Reference our custom NodeClass</span> <span class="nx">nodeClassRef</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">group</span> <span class="p">=</span> <span class="s2">"eks.amazonaws.com"</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"NodeClass"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"t4g-nodeclass"</span> <span class="p">}</span> <span class="c1"># Requirements for t4g.small and t4g.medium only</span> <span class="nx">requirements</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"node.kubernetes.io/instance-type"</span> <span class="nx">operator</span> <span class="p">=</span> <span class="s2">"In"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t4g.small"</span><span class="p">,</span> <span class="s2">"t4g.medium"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"kubernetes.io/arch"</span> <span class="nx">operator</span> <span class="p">=</span> <span class="s2">"In"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"arm64"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"kubernetes.io/os"</span> <span class="nx">operator</span> <span class="p">=</span> <span class="s2">"In"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"linux"</span><span class="p">]</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"karpenter.sh/capacity-type"</span> <span class="nx">operator</span> <span class="p">=</span> <span class="s2">"In"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"spot"</span><span class="p">,</span> <span class="s2">"on-demand"</span><span class="p">]</span> <span class="p">},</span> <span class="c1"># Distribute across all available zones</span> <span class="p">{</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"topology.kubernetes.io/zone"</span> <span class="nx">operator</span> <span class="p">=</span> <span class="s2">"In"</span> <span class="nx">values</span> <span class="p">=</span> <span class="kd">local</span><span class="p">.</span><span class="nx">availability_zones</span> <span class="p">}</span> <span class="p">]</span> <span class="c1"># Node termination settings</span> <span class="nx">terminationGracePeriod</span> <span class="p">=</span> <span class="s2">"30s"</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Resource limits for the NodePool</span> <span class="nx">limits</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="s2">"100"</span> <span class="c1"># 100 vCPUs total limit</span> <span class="nx">memory</span> <span class="p">=</span> <span class="s2">"400Gi"</span> <span class="c1"># 400 GiB memory total limit</span> <span class="p">}</span> <span class="c1"># Disruption settings for cost optimization</span> <span class="nx">disruption</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">consolidationPolicy</span> <span class="p">=</span> <span class="s2">"WhenEmptyOrUnderutilized"</span> <span class="nx">consolidateAfter</span> <span class="p">=</span> <span class="s2">"30s"</span> <span class="c1"># expireAfter = "72h" # Uncomment to auto-expire nodes after 72 hours</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">kubernetes_manifest</span><span class="p">.</span><span class="nx">custom_nodeclass</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Finally, I deploy a sample workload to verify that my pods get ip addresses from a different subnet than my nodes. Notice the nodeSelector parameter to specify our Node Pool:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"kubernetes_manifest"</span> <span class="s2">"test_deployment"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">create_test_deployment</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">manifest</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">apiVersion</span> <span class="p">=</span> <span class="s2">"apps/v1"</span> <span class="nx">kind</span> <span class="p">=</span> <span class="s2">"Deployment"</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"t4g-test-app"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"default"</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">replicas</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">selector</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">matchLabels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="s2">"t4g-test-app"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">template</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="s2">"t4g-test-app"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">=</span> <span class="p">{</span> <span class="c1"># Node selector to target our t4g NodePool</span> <span class="nx">nodeSelector</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"nodepool-type"</span> <span class="p">=</span> <span class="s2">"t4g-arm64"</span> <span class="p">}</span> <span class="nx">containers</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"nginx"</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"nginx:alpine"</span> <span class="nx">ports</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">containerPort</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> <span class="p">]</span> <span class="nx">resources</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">requests</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="s2">"100m"</span> <span class="nx">memory</span> <span class="p">=</span> <span class="s2">"128Mi"</span> <span class="p">}</span> <span class="nx">limits</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">cpu</span> <span class="p">=</span> <span class="s2">"200m"</span> <span class="nx">memory</span> <span class="p">=</span> <span class="s2">"256Mi"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span> <span class="nx">kubernetes_manifest</span><span class="p">.</span><span class="nx">t4g_nodepool</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> Verifying our work </h3> <p>If the configuration was successful, the terraform apply succeeds AND my pods and nodes are in different subnets. Let's use <code>kubectl</code> to verify.</p> <h4> Checking the Node </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ kubectl describe node i-04ddfb1f83f3288fe Name: i-04ddfb1f83f3288fe <span class="nb">.</span> <span class="nb">.</span> <span class="nb">.</span> Addresses: InternalIP: 10.0.33.121 InternalDNS: ip-10-0-33-121.ec2.internal Hostname: ip-10-0-33-121.ec2.internal </code></pre> </div> <h4> Checking the Pods </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>❯ kubectl get pods <span class="nt">-o</span> wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES t4g-test-app-5ccc4dcd59-6p5hp 1/1 Running 0 57s 10.0.41.144 i-04ddfb1f83f3288fe &lt;none&gt; &lt;none&gt; t4g-test-app-5ccc4dcd59-8tfvx 1/1 Running 0 57s 10.0.41.145 i-04ddfb1f83f3288fe &lt;none&gt; &lt;none&gt; </code></pre> </div> <p><strong>Success!</strong> My node's subnet CIDR is <code>10.0.33.0/24</code>, and my pods' subnet CIDR is <code>10.0.40.0/21</code>; my node IP (<code>10.0.33.121</code>) and pod IPs (<code>10.0.41.144</code> and <code>10.0.41.145</code>) fit into their respective subnet IP ranges.</p> <h2> Wrapping Things Up... </h2> <p>In this blog post, we discussed EKS Auto Mode's support for pod-specific subnets by leveraging EKS Node Class and Karpenter Node Pool resources. Further, we demonstrated how to automate this process with Terraform.</p> <p>If you found this article useful, let me know on <a href="https://bsky.app/profile/trevorrobertsjr.bsky.social" rel="noopener noreferrer">BlueSky</a> or on <a href="https://www.linkedin.com/in/trevorrobertsjr/" rel="noopener noreferrer">LinkedIn</a>!</p> terraform aws networking kubernetes Allowing GCP Compute Resources to Assume AWS IAM Roles with Pulumi Trevor Roberts Jr Wed, 27 Dec 2023 18:35:19 +0000 https://dev.to/aws-builders/allowing-gcp-compute-resources-to-assume-aws-iam-roles-with-pulumi-1111 https://dev.to/aws-builders/allowing-gcp-compute-resources-to-assume-aws-iam-roles-with-pulumi-1111 <p>Did you know that AWS IAM has built-in support for some well-known OIDC providers, including Google? Neither did I until I worked on a project that required GCP compute instances to securely access Amazon S3 buckets...</p> <h2> Introduction </h2> <p>Security is paramount in cloud native application design. This is especially true if you have resources running in multiple clouds that have interdependencies. I recently worked on such a project where GCP Compute Instances needed to access data in Amazon S3. For expediency, the GCP team requested static access keys, which I <strong><em>politely</em></strong> (I <em>think</em> 😅) refused. Instead, my team and I researched methods for GCP Compute Instances to use STS to dynamically-generate temporary credentials to assume an AWS IAM Role. We lucked out with this finding in the AWS documentation covering <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html">Creating Roles for OIDC Federated Identity Providers</a>.</p> <p>Out of the box, AWS IAM supports OIDC Federation with Amazon Cognito, Amazon.com, Facebook, and Google. It is possible to configure support for other Identity Providers (IdPs) besides these four (<strong>IF</strong> they offer federated OIDC), but that requires a little extra setup.</p> <p>After reading the documentation I put together the high-level list of items I needed to configure and where:</p> <ol> <li> <strong>GCP</strong> - create an IAM Service Account</li> <li> <strong>GCP</strong> - deploy an Compute Instance</li> <li> <strong>AWS</strong> - create an IAM Policy for Amazon S3 access</li> <li> <strong>AWS</strong> - create an IAM Role with Trust configured to allow a web identity to assume it.</li> </ol> <p>I enjoy pointing and clicking just about as much as you do. So, I used Pulumi to automate the creation of all four cloud resources along with an Amazon S3 bucket to validate that the policy worked properly.</p> <h2> Getting Started </h2> <p>First things first: ensure your AWS and GCP credentials are properly set in your development environment. Next, ensure Pulumi is installed and you can successfully run <a href="https://www.pulumi.com/docs/clouds/aws/get-started/">Pulumi's AWS Getting Started example</a>. <strong>NOTE:</strong> I've been using Python recently. So, my example code will be in Python.</p> <p>The Pulumi example only imports the AWS module for you. So, it will be necessary to import the GCP module as well. With Python, this can be accomplished by adding the GCP module to the requirements.txt file in the root of your Pulumi codebase:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pulumi&gt;=3.0.0,&lt;4.0.0 pulumi-aws&gt;=6.0.2,&lt;7.0.0 pulumi-gcp </code></pre> </div> <p>Then, from the root of your Pulumi codebase, run <strong>pip install</strong> for the virtual environment generated during the Pulumi getting started example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>venv/bin/pip install -r requirements.txt </code></pre> </div> <p>Finally, configure your GCP Project in your pulumi settings (<strong>NOTE:</strong> make sure you use the correct project id when you execute this command!)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pulumi config set gcp:project mahnamahna-muppets-196911 </code></pre> </div> <p>With these prerequisites out of the way, let's take a look at the code!</p> <h2> Imports </h2> <p>In an attempt to be minimalist, I only import the modules that I need.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">pulumi</span><span class="p">,</span> <span class="n">json</span> <span class="kn">from</span> <span class="n">pulumi_aws</span> <span class="kn">import</span> <span class="n">iam</span><span class="p">,</span> <span class="n">s3</span> <span class="kn">from</span> <span class="n">pulumi_gcp</span> <span class="kn">import</span> <span class="n">serviceaccount</span><span class="p">,</span> <span class="n">compute</span> </code></pre> </div> <h2> Create the GCP IAM Service Account </h2> <p>The first parameter is the name that Pulumi uses to identify the GCP resource it's creating. The account_id is what GCP will call the service account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">aws_service_access_sa</span> <span class="o">=</span> <span class="n">serviceaccount</span><span class="p">.</span><span class="nc">Account</span><span class="p">(</span><span class="sh">"</span><span class="s">awsAccessServiceAccount</span><span class="sh">"</span><span class="p">,</span> <span class="n">account_id</span><span class="o">=</span><span class="sh">"</span><span class="s">aws-service-access</span><span class="sh">"</span><span class="p">,</span> <span class="n">display_name</span><span class="o">=</span><span class="sh">"</span><span class="s">AWS Service Access Service Account</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> Create the GCP Compute Instance </h2> <p>With this Pulumi code, I create a simple GCP Compute Instance, and I make sure to assign the service account I created earlier.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">aws_service_instance</span> <span class="o">=</span> <span class="n">compute</span><span class="p">.</span><span class="nc">Instance</span><span class="p">(</span><span class="sh">"</span><span class="s">awsserviceaccess</span><span class="sh">"</span><span class="p">,</span> <span class="n">machine_type</span><span class="o">=</span><span class="sh">"</span><span class="s">e2-micro</span><span class="sh">"</span><span class="p">,</span> <span class="n">zone</span><span class="o">=</span><span class="sh">"</span><span class="s">us-east4-c</span><span class="sh">"</span><span class="p">,</span> <span class="n">boot_disk</span><span class="o">=</span><span class="n">compute</span><span class="p">.</span><span class="nc">InstanceBootDiskArgs</span><span class="p">(</span> <span class="n">initialize_params</span><span class="o">=</span><span class="n">compute</span><span class="p">.</span><span class="nc">InstanceBootDiskInitializeParamsArgs</span><span class="p">(</span> <span class="n">image</span><span class="o">=</span><span class="sh">"</span><span class="s">debian-cloud/debian-11</span><span class="sh">"</span><span class="p">,</span> <span class="p">),</span> <span class="p">),</span> <span class="n">network_interfaces</span><span class="o">=</span><span class="p">[</span><span class="n">compute</span><span class="p">.</span><span class="nc">InstanceNetworkInterfaceArgs</span><span class="p">(</span> <span class="n">network</span><span class="o">=</span><span class="sh">"</span><span class="s">default</span><span class="sh">"</span><span class="p">,</span> <span class="n">access_configs</span><span class="o">=</span><span class="p">[</span><span class="n">compute</span><span class="p">.</span><span class="nc">InstanceNetworkInterfaceAccessConfigArgs</span><span class="p">()],</span> <span class="p">)],</span> <span class="n">service_account</span><span class="o">=</span><span class="n">compute</span><span class="p">.</span><span class="nc">InstanceServiceAccountArgs</span><span class="p">(</span> <span class="n">email</span><span class="o">=</span><span class="n">aws_service_access_sa</span><span class="p">.</span><span class="n">email</span><span class="p">,</span> <span class="n">scopes</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">cloud-platform</span><span class="sh">"</span><span class="p">],</span> <span class="p">))</span> </code></pre> </div> <h2> Create the Amazon S3 bucket </h2> <p>Very simple Pulumi code to create an Amazon S3 bucket. <strong>PLEASE</strong> do not use the force_destroy parameter in production. This is my demo environment. So, I only used it for quick clean-ups.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># NOTE: Do not use the force_destroy option in PRODUCTION # I only used this setting because this is a demo environment. </span><span class="n">aws_bucket</span> <span class="o">=</span> <span class="n">s3</span><span class="p">.</span><span class="nc">Bucket</span><span class="p">(</span><span class="sh">'</span><span class="s">gcp-sa-access-bucket</span><span class="sh">'</span><span class="p">,</span> <span class="n">force_destroy</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> </code></pre> </div> <h2> Create the AWS IAM Policy </h2> <p>This Pulumi code creates the AWS IAM Policy to allow access to the Amazon S3 bucket. Note that in Pulumi, we need to use the <strong>apply</strong> method when accessing the string value of a resource's output. This is due to Pulumi resource outputs being similar to a promise. You can read more in their <a href="https://www.pulumi.com/docs/concepts/inputs-outputs/">documentation</a>. <strong>TL;DR</strong>: you need to use the <strong>apply</strong> method to run a function that will insert the Pulumi resource output as a string into your code at runtime.</p> <p>In this example, I am using the apply method with an anonymous function (aka Python Lambda) to insert the bucket's id instead of defining a separate function for this single purpose.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">aws_iam_policy_bucket_read</span> <span class="o">=</span> <span class="n">iam</span><span class="p">.</span><span class="nc">Policy</span><span class="p">(</span><span class="sh">"</span><span class="s">gcp-sa-access-bucket-read</span><span class="sh">"</span><span class="p">,</span> <span class="n">policy</span><span class="o">=</span><span class="n">aws_bucket</span><span class="p">.</span><span class="nb">id</span><span class="p">.</span><span class="nf">apply</span><span class="p">(</span><span class="k">lambda</span> <span class="n">name</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Version</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2012-10-17</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Statement</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Effect</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Allow</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Action</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span> <span class="sh">"</span><span class="s">s3:GetObject</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">s3:ListBucket</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">s3:HeadBucket</span><span class="sh">"</span> <span class="p">],</span> <span class="sh">"</span><span class="s">Resource</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span> <span class="sa">f</span><span class="sh">"</span><span class="s">arn:aws:s3:::</span><span class="si">{</span><span class="n">name</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">arn:aws:s3:::</span><span class="si">{</span><span class="n">name</span><span class="si">}</span><span class="s">/*</span><span class="sh">"</span> <span class="p">]</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}</span> <span class="p">))</span> </code></pre> </div> <h2> Create the AWS IAM Role </h2> <p>I use another Python Lambda here to insert the GCP Service Account's unique id into the trust relationship policy. Notice the Action here is <strong>sts:AssumeRoleWithWebIdentity</strong>, and the Principal is <strong>accounts.google.com</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">aws_s3_read_only_role</span> <span class="o">=</span> <span class="n">iam</span><span class="p">.</span><span class="nc">Role</span><span class="p">(</span><span class="sh">"</span><span class="s">awsS3ReadRole</span><span class="sh">"</span><span class="p">,</span> <span class="n">assume_role_policy</span><span class="o">=</span><span class="n">aws_service_access_sa</span><span class="p">.</span><span class="n">unique_id</span><span class="p">.</span><span class="nf">apply</span><span class="p">(</span><span class="k">lambda</span> <span class="nb">id</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Version</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2012-10-17</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Statement</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Effect</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Allow</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Principal</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Federated</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">accounts.google.com</span><span class="sh">"</span> <span class="p">},</span> <span class="sh">"</span><span class="s">Action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">sts:AssumeRoleWithWebIdentity</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Condition</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">StringEquals</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">accounts.google.com:aud</span><span class="sh">"</span><span class="p">:</span> <span class="nb">id</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">]</span> <span class="p">}),</span> <span class="n">managed_policy_arns</span><span class="o">=</span><span class="p">[</span> <span class="n">aws_iam_policy_bucket_read</span><span class="p">.</span><span class="n">arn</span><span class="p">,</span> <span class="p">]</span> <span class="p">)</span> </code></pre> </div> <p>Thanks for sticking with me this far. Now, the fun starts as we run the <strong>pulumi up</strong> command. All the resources are deployed in less than 30 seconds.</p> <p>To validate that everything worked correctly, I SSH'ed to my GCP Compute Instance, installed the <a href="https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html">AWS CLI</a>, and ran the following command to generate my temporary credentials:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aws sts assume-role-with-web-identity \ --role-arn arn:aws:iam::867530987654321:role/awsS3ReadRole-1969112 \ --role-session-name "AWSS3access" \ --web-identity-token $(gcloud auth print-identity-token) &gt; assume-role-output </code></pre> </div> <p>Finally, I exported my AWS access key, secret access key, and session token as environment variables and accessed my S3 content from my GCP Compute Instance!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>export AWS_ACCESS_KEY_ID=ASIA** export AWS_SECRET_ACCESS_KEY=82** export AWS_SESSION_TOKEN=Fwo** </code></pre> </div> <p>Even though my project used a GCP Compute Instance, this workflow is applicable to any GCP compute resource than can assume an IAM Service Account like your GKE Kubernetes Pods.</p> <h2> Wrapping Things Up... </h2> <p>In this blog post, we discussed how you can enable GCP compute resources to use the AWS IAM and STS services to securely access the AWS resources for which they have permissions. We used Pulumi to deploy the GCP IAM Service Account and Compute Instance and to deploy the Amazon S3 bucket and IAM Role and Policy. Finally, we demonstrated the GCP Compute Instance accessing the Amazon S3 bucket. If you would like take a look at the code, I hosted it on <a href="https://github.com/trevorrobertsjr/gcp-sa-aws-role-pulumi">GitHub</a>.</p> <p>If you found this article useful, let me know on <a href="https://www.linkedin.com/in/trevorrobertsjr/">LinkedIn</a>!</p> python aws pulumi iam Modifying Application Behavior with Go Lambda Functions and AWS AppConfig Feature Flags Trevor Roberts Jr Fri, 07 Apr 2023 13:08:45 +0000 https://dev.to/aws-builders/modifying-application-behavior-with-go-lambda-functions-and-aws-appconfig-feature-flags-3h3m https://dev.to/aws-builders/modifying-application-behavior-with-go-lambda-functions-and-aws-appconfig-feature-flags-3h3m <p>The Obi-Wan Kenobi series' depiction of the conflict between light and dark reminded me of a similar struggle faced by my favorite video game character: Cecil (Final Fantasy IV). I used AWS AppConfig Feature Flags to dynamically generate an information page about Cecil based on his decision...</p> <h2> Introduction </h2> <p>Developers can use AWS AppConfig for a simplified implementation of feature flags to alter an application’s behavior. My sample application displays information about a fictional character named Cecil. The displayed data varies according to Cecil's allegiance to the dark or to the light. If you don’t use feature flags today to modify your application behavior, read on to see how this feature may fit in with your upcoming projects!</p> <h3> What is AWS AppConfig? </h3> <p>AWS AppConfig is a capability built into <a href="https://aws.amazon.com/systems-manager/faq/" rel="noopener noreferrer">AWS Systems Manager</a> that allows developers to dynamically alter application functionality. In March 2022, the AWS AppConfig team made the <a href="https://aws.amazon.com/about-aws/whats-new/2022/03/aws-appconfig-feature-flags/" rel="noopener noreferrer">Feature Flags</a> capability generally available. This release added more functionality including setting constraints on the data types and acceptable values and rolling back feature flag updates based on CloudWatch alarms. </p> <h3> Why not use other services (ex: Amazon DynamoDB, Amazon S3, or Amazon ElastiCache)? </h3> <p>It is possible to use another service to manage your feature flag data. However, the advanced capabilties I mentioned earlier (i.e. feature flag validation and rollback) would need to be built into your application. When using AWS AppConfig, you can offload that complexity to AWS and focus on your core application code. To read more about AWS AppConfig's use cases, check out the <a href="https://docs.aws.amazon.com/appconfig/latest/userguide/what-is-appconfig.html" rel="noopener noreferrer">documentation</a>.</p> <h2> My Application </h2> <p>I created a simple web application that displays different character designs for Cecil depending on whether he remains a Dark Knight or becomes a Paladin.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3qcikd1fwvc490lddioq.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3qcikd1fwvc490lddioq.png" alt="Figure 01: Cecil Remains a Dark Knight"></a><br> Figure 01: Cecil Remains a Dark Knight</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F99fs2fkn49zpjws047fu.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F99fs2fkn49zpjws047fu.png" alt="Figure 02: Cecil Becomes a Paladin"></a><br> Figure 02: Cecil Becomes a Paladin</p> <p>My application's frontend consists of an HTML page with an empty div tag that will be populated with code returned by a JavaScript query (credit to the <a href="https://catalog.us-east-1.prod.workshops.aws/workshops/2ee2fc71-0618-479c-86dd-1d5fb168eb20/en-US" rel="noopener noreferrer">AppConfig Feature Flags Workshop</a> for the idea.)</p> <p>The empty div tag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"displayCecil"</span><span class="nt">&gt;</span> <span class="nt">&lt;/div&gt;</span> </code></pre> </div> <p>The JavaScript code to update the div content based on the Lambda function return data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://1234567890987654321abccba.lambda-url.us-east-1.on.aws/</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">response</span> <span class="o">=&gt;</span> <span class="nx">response</span><span class="p">.</span><span class="nf">text</span><span class="p">())</span> <span class="p">.</span><span class="nf">then</span><span class="p">((</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">displayCecil</span><span class="dl">"</span><span class="p">).</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">data</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>The JavaScript code is using my Lambda function's URL to obtain the information about Cecil to display in the browser. The Lambda function changes what data it returns based on the current setting of the AppConfig feature flag. I'll step through the lines of code relevant to AppConfig since I've done a walkthrough of how to write a Lambda function in Go in a previous <a href="//@/blog/cloudfront-cache-invalidation-go.md">blog post</a>:</p> <p>First, I initialize a client for the AppConfig service specific to retrieving data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="c">// Create a AppConfigData client from the AWS Session.</span> <span class="n">svc</span> <span class="o">:=</span> <span class="n">appconfigdata</span><span class="o">.</span><span class="n">New</span><span class="p">(</span><span class="n">mySession</span><span class="p">)</span> </code></pre> </div> <p>I obtain a token that is required to make a query of the AppConfig service. I must specify my AppConfig application, configuration profile, and environment identifiers that I created in advance in the AppConfig service. This ensures my application is reading the correct feature flag data.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="n">token</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">svc</span><span class="o">.</span><span class="n">StartConfigurationSession</span><span class="p">(</span><span class="o">&amp;</span><span class="n">appconfigdata</span><span class="o">.</span><span class="n">StartConfigurationSessionInput</span><span class="p">{</span> <span class="c">// The ApplicationIdentifier for the application that depends on the feature flag.</span> <span class="n">ApplicationIdentifier</span><span class="o">:</span> <span class="n">jsii</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">ApplicationIdentifier</span><span class="p">),</span> <span class="c">// The configuration profile ID or the configuration profile name.</span> <span class="n">ConfigurationProfileIdentifier</span><span class="o">:</span> <span class="n">jsii</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">ConfigurationProfileIdentifier</span><span class="p">),</span> <span class="c">// The AppConfig environment ID (ex: dev, beta, prod, etc.).</span> <span class="n">EnvironmentIdentifier</span><span class="o">:</span> <span class="n">jsii</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="n">EnvironmentIdentifier</span><span class="p">),</span> <span class="p">})</span> </code></pre> </div> <p>I then use the token to make a <strong>GetLatestConfiguration</strong> API call to the AppConfig service. This returns whatever is the latest value that the feature flag is set to.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="n">result</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">svc</span><span class="o">.</span><span class="n">GetLatestConfiguration</span><span class="p">(</span><span class="o">&amp;</span><span class="n">appconfigdata</span><span class="o">.</span><span class="n">GetLatestConfigurationInput</span><span class="p">{</span> <span class="n">ConfigurationToken</span><span class="o">:</span> <span class="n">jsii</span><span class="o">.</span><span class="n">String</span><span class="p">(</span><span class="o">*</span><span class="n">token</span><span class="o">.</span><span class="n">InitialConfigurationToken</span><span class="p">),</span> <span class="p">})</span> </code></pre> </div> <p>Finally, I create structs for the JSON data returned by the AppConfig service, and I use the feature flag data (<strong>featureFlagResults.Allegiance.Choice</strong>) to determine which HTML code should be returned by the Lambda function invocation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code> <span class="k">type</span> <span class="n">featureflagdata</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Choice</span> <span class="kt">string</span> <span class="n">Enabled</span> <span class="kt">bool</span> <span class="p">}</span> <span class="k">type</span> <span class="n">featureflag</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Allegiance</span> <span class="n">featureflagdata</span> <span class="p">}</span> <span class="k">var</span> <span class="n">featureFlagResults</span> <span class="n">featureflag</span> <span class="n">json</span><span class="o">.</span><span class="n">Unmarshal</span><span class="p">(</span><span class="n">result</span><span class="o">.</span><span class="n">Configuration</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">featureFlagResults</span><span class="p">)</span> <span class="n">CecilsChoice</span> <span class="o">:=</span> <span class="n">featureFlagResults</span><span class="o">.</span><span class="n">Allegiance</span><span class="o">.</span><span class="n">Choice</span> <span class="k">if</span> <span class="n">CecilsChoice</span> <span class="o">==</span> <span class="s">"paladin"</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="n">htmlPaladinOutput</span><span class="p">),</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Sprintf</span><span class="p">(</span><span class="n">htmlDarkKnightOutput</span><span class="p">),</span> <span class="no">nil</span> </code></pre> </div> <p>FYI, the complete Lambda source code can be found on <a href="https://github.com/trevorrobertsjr/appconfig-blog-go/blob/main/lambda/Lambda.go" rel="noopener noreferrer">GitHub</a>.</p> <p>My application's feature flag is initially set to <strong>darkknight</strong>. I then update my feature flag as follows in the AWS AppConfig console (you can make your update via API and CLI as well):</p> <p>I click on my AppConfig Application (blogAppConfigGo)</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxt8323cmexvbhpi9cec0.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxt8323cmexvbhpi9cec0.png" alt="Figure 03: AWS AppConfig Service Home Page"></a><br> Figure 03: AWS AppConfig Service Home Page</p> <p>I click on my feature flag (whichSide)</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx74pazsnolyi1z93modt.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx74pazsnolyi1z93modt.png" alt="Figure 04: AppConfig Application Details"></a><br> Figure 04: AppConfig Application Details</p> <p>I click on edit.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmtp5akcpcg08rsyd6k2j.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmtp5akcpcg08rsyd6k2j.png" alt="Figure 05: Feature Flag Details"></a><br> Figure 05: Feature Flag Details</p> <p>Notice the constraint textbox which lists the acceptable values for the feature flags. I update to <strong>paladin</strong> and click <strong>Confirm</strong></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F23ux97cajil3t1vwblow.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F23ux97cajil3t1vwblow.png" alt="Figure 06: Updating the Feature Flag"></a><br> Figure 06: Updating the Feature Flag</p> <p>I click on <strong>Save new version</strong> (Yes! your feature flags are versioned for simplified rollback)</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feppoyokj6hkszoyw24by.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feppoyokj6hkszoyw24by.png" alt="Figure 07: Save a New Feature Flag Version"></a><br> Figure 07: Save a New Feature Flag Version</p> <p>I click on <strong>Start Deployment</strong></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv6ea54dqiz8gfgmyw6qp.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv6ea54dqiz8gfgmyw6qp.png" alt="Figure 08: Start the Feature Flag Deployment"></a><br> Figure 08: Start the Feature Flag Deployment</p> <p>I select my environment (<strong>prod</strong>...why not?) and select a <strong>Deployment strategy</strong> that dictates how the feature flag should be rolled out to your environment. I click <strong>Start deployment</strong></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F684ls8wykad164d5elas.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F684ls8wykad164d5elas.png" alt="Figure 09: Confirm the Deployment Parameters"></a><br> Figure 09: Confirm the Deployment Parameters</p> <p>I observe the deployment progress</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffo43phh7cyg3t8djfjav.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffo43phh7cyg3t8djfjav.png" alt="Figure 10: Feature Flag Deployment Progress"></a><br> Figure 10: Feature Flag Deployment Progress</p> <p>My deployment is complete, and the application is adjusted as shown in <strong>Figure 02</strong> earlier in the blog</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft9nsykipvckk7ocs9z1e.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft9nsykipvckk7ocs9z1e.png" alt="Figure 11: Feature Flag Deployment Complete"></a><br> Figure 11: Feature Flag Deployment Complete</p> <h2> AWS AppConfig and Go Lambda Functions </h2> <p>The AppConfig service features a simple integration using Lambda Layers for <a href="https://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-integration-lambda-extensions.html#appconfig-integratio-lambda-extensions-runtimes" rel="noopener noreferrer">multiple runtimes</a>. The Go runtime isn’t on the supported list today. However, you can try out the Lambda Layer capability by running through the <a href="https://catalog.us-east-1.prod.workshops.aws/workshops/2ee2fc71-0618-479c-86dd-1d5fb168eb20/en-US" rel="noopener noreferrer">AWS AppConfig Feature Flags Workshop</a>. If you are a Go developer and like the Lambda Layers approach, please be sure to let your AWS account team know!</p> <h2> What's Next? </h2> <p>When using this service, make sure to lockdown IAM permissions for AppConfig configuration profile updates. It is advisable to use automation tooling to update your feature flag to reduce human error. One more feature to be aware of is that you can trigger feature flag update rollbacks in response to CloudWatch Alarms. In my next blog post, I'll share how I automated the creation of my application's AWS AppConfig feature flag with Pulumi.</p> <p>If you found this article useful, let me know on <a href="https://twitter.com/trevorrobertsjr" rel="noopener noreferrer">Twitter</a>!</p> go aws lambda