feat(ecs): bottlerocket support

packages/@aws-cdk/aws-ecs/README.md

@@ -146,6 +146,26 @@ cluster.addCapacity('AsgSpot', {
 });
 ```
 
+### Bottlerocket
+
+[Bottlerocket](https://aws.amazon.com/bottlerocket/) is a Linux-based open source operating system that is
+purpose-built by AWS for running containers. You can launch Amazon ECS container instances with the Bottlerocket AMI.
+
+> **NOTICE**: The Bottlerocket AMI is in developer preview release for Amazon ECS and is subject to change.
+
+The following example will create a capacity with self-managed Amazon EC2 capacity of 2 `c5.large` Linux instances running with `Bottlerocket` AMI.
+
+Note that you must specify either a `machineImage` or `machineImageType`, at least one, not both.
+
+
+```ts
+cluster.addCapacity('bottlerocket-asg', {
+  minCapacity: 2,
+  instanceType: new ec2.InstanceType('c5.large'),
+  machineImageType: ecs.MachineImageType.BOTTLEROCKET,
+});
+```
+
 ### SNS Topic Encryption
 
 When the `ecs.AddCapacityOptions` that you provide has a non-zero `taskDrainTime` (the default) then an SNS topic and Lambda are created to ensure that the

packages/@aws-cdk/aws-ecs/lib/cluster.ts

@@ -50,6 +50,20 @@ export interface ClusterProps {
   readonly containerInsights?: boolean;
 }
 
+/**
+ * The machine image type
+ */
+export enum MachineImageType {
+  /**
+   * Amazon ECS-optimized Amazon Linux 2 AMI
+   */
+  AMAZON_LINUX_2,
+  /**
+   * Bottlerocket AMI
+   */
+  BOTTLEROCKET
+}
+
 /**
  * A regional grouping of one or more container instances on which you can run tasks and services.
  */
@@ -171,15 +185,27 @@ export class Cluster extends Resource implements ICluster {
    * Returns the AutoScalingGroup so you can add autoscaling settings to it.
    */
   public addCapacity(id: string, options: AddCapacityOptions): autoscaling.AutoScalingGroup {
+    if (options.machineImage && options.machineImageType) {
+      throw new Error('You can only specify either a machineImage or machineImageType, not both.');
+    }
+
+    let machineImage: ec2.IMachineImage;
+
+    machineImage = options.machineImage ?? options.machineImageType === MachineImageType.BOTTLEROCKET ?
+      new BottleRocketImage() : new EcsOptimizedAmi();
+
     const autoScalingGroup = new autoscaling.AutoScalingGroup(this, id, {
       ...options,
       vpc: this.vpc,
-      machineImage: options.machineImage || new EcsOptimizedAmi(),
+      machineImage,
       updateType: options.updateType || autoscaling.UpdateType.REPLACING_UPDATE,
       instanceType: options.instanceType,
     });
 
-    this.addAutoScalingGroup(autoScalingGroup, options);
+    this.addAutoScalingGroup(autoScalingGroup, {
+      machineImageType: options.machineImageType,
+      ...options,
+    });
 
     return autoScalingGroup;
   }
@@ -196,19 +222,33 @@ export class Cluster extends Resource implements ICluster {
     this.connections.connections.addSecurityGroup(...autoScalingGroup.connections.securityGroups);
 
     // Tie instances to cluster
-    autoScalingGroup.addUserData(`echo ECS_CLUSTER=${this.clusterName} >> /etc/ecs/ecs.config`);
-
-    if (!options.canContainersAccessInstanceRole) {
-      // Deny containers access to instance metadata service
-      // Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
-      autoScalingGroup.addUserData('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP');
-      autoScalingGroup.addUserData('sudo service iptables save');
-      // The following is only for AwsVpc networking mode, but doesn't hurt for the other modes.
-      autoScalingGroup.addUserData('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config');
-    }
+    // Bottlerocket AMI
+    if (options.machineImageType===MachineImageType.BOTTLEROCKET) {
+      autoScalingGroup.addUserData(
+        '[settings.ecs]',
+        `cluster = "${this.clusterName}"`,
+      );
+      // Enabling SSM
+      // Source: https://github.com/bottlerocket-os/bottlerocket/blob/develop/QUICKSTART-ECS.md#enabling-ssm
+      autoScalingGroup.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'));
+      // required managed policy
+      autoScalingGroup.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonEC2ContainerServiceforEC2Role'));
+    } else {
+      // Amazon ECS-optimized AMI for Amazon Linux 2
+      autoScalingGroup.addUserData(`echo ECS_CLUSTER=${this.clusterName} >> /etc/ecs/ecs.config`);
+
+      if (!options.canContainersAccessInstanceRole) {
+        // Deny containers access to instance metadata service
+        // Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
+        autoScalingGroup.addUserData('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP');
+        autoScalingGroup.addUserData('sudo service iptables save');
+        // The following is only for AwsVpc networking mode, but doesn't hurt for the other modes.
+        autoScalingGroup.addUserData('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config');
+      }
 
-    if (autoScalingGroup.spotPrice && options.spotInstanceDraining) {
-      autoScalingGroup.addUserData('echo ECS_ENABLE_SPOT_INSTANCE_DRAINING=true >> /etc/ecs/ecs.config');
+      if (autoScalingGroup.spotPrice && options.spotInstanceDraining) {
+        autoScalingGroup.addUserData('echo ECS_ENABLE_SPOT_INSTANCE_DRAINING=true >> /etc/ecs/ecs.config');
+      }
     }
 
     // ECS instances must be able to do these things
@@ -487,6 +527,41 @@ export class EcsOptimizedImage implements ec2.IMachineImage {
   }
 }
 
+/**
+ * Construct an Bottlerocket image from the latest AMI published in SSM
+ */
+class BottleRocketImage implements ec2.IMachineImage {
+  private readonly amiParameterName: string;
+  /**
+   * Bottlerocket AMI variant
+   * @default - `aws-ecs-1`
+   */
+  private readonly variant?: string;
+
+  /**
+   * Constructs a new instance of the BottleRocketImage class.
+   */
+  public constructor() {
+    // only `aws-ecs-1` is currently available
+    this.variant = 'aws-ecs-1';
+
+    // set the SSM parameter name
+    this.amiParameterName = `/aws/service/bottlerocket/${this.variant}/x86_64/latest/image_id`;
+  }
+
+  /**
+   * Return the correct image
+   */
+  public getImage(scope: Construct): ec2.MachineImageConfig {
+    const ami = ssm.StringParameter.valueForStringParameter(scope, this.amiParameterName);
+    return {
+      imageId: ami,
+      osType: ec2.OperatingSystemType.LINUX,
+      userData: ec2.UserData.custom(''),
+    };
+  }
+}
+
 /**
  * A regional grouping of one or more container instances on which you can run tasks and services.
  */
@@ -678,6 +753,13 @@ export interface AddAutoScalingGroupCapacityOptions {
    * @default The SNS Topic will not be encrypted.
    */
   readonly topicEncryptionKey?: kms.IKey;
+
+  /**
+   * Specify the machine image type.
+   *
+   * @default MachineImageType.AMAZON_LINUX_2
+   */
+  readonly machineImageType?: MachineImageType;
 }
 
 /**
@@ -689,9 +771,17 @@ export interface AddCapacityOptions extends AddAutoScalingGroupCapacityOptions,
    */
   readonly instanceType: ec2.InstanceType;
 
+  /**
+     * Machine image type. Ignored if `machineImage` is defined.
+     *
+     * @default MachineImageType.AMAZON_LINUX_2
+     */
+  readonly machineImageType?: MachineImageType;
+
   /**
    * The ECS-optimized AMI variant to use. For more information, see
    * [Amazon ECS-optimized AMIs](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html).
+   * Ignored if `MachineImageType` is defined.
    *
    * @default - Amazon Linux 2
    */