EC2: LaunchTemplate does not create a UserData when machineImage is provided used with AsgCapacityProvider

[tochny]

Describe the bug

As documented, Launch Template should creates a UserData based on the type of provided machineImage, but no UserData generated when machineImage is provided.
When uses with AsgCapacityProvider will throw an error The provided launch template does not expose its user data

Expected Behavior

Should create UserData based on machineImage

Current Behavior

No UserData generated.

Reproduction Steps

If provided machineImage only:

const asgLaunchTemplate = new ec2.LaunchTemplate(this, 'ASG-LaunchTemplate', {
    instanceType: new ec2.InstanceType('t3.medium'),
    machineImage: ecs.EcsOptimizedImage.amazonLinux2(),
});

Which will produce

LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        ImageId:
          Ref: SsmParameterValueawsserviceecsoptimizedamiamazonlinux2recommendedimageidC96584B6F00A464EAD1953AFF4B05118Parameter
        InstanceType: t3.medium
        TagSpecifications:
          - ResourceType: instance
            Tags:
              - Key: Name
                Value: Test-Dev/LaunchTemplate
          - ResourceType: volume
            Tags:
              - Key: Name
                Value: Test-Dev/LaunchTemplate
    Metadata:
      aws:cdk:path: Test-Dev/LaunchTemplate/Resource

And if UserData provided:

const asgLaunchTemplate = new ec2.LaunchTemplate(this, 'ASG-LaunchTemplate', {
    instanceType: new ec2.InstanceType('t3.medium'),
    machineImage: ecs.EcsOptimizedImage.amazonLinux2(),
    userData: ec2.UserData.forLinux(),
});

const autoScalingGroup = new autoscaling.AutoScalingGroup(this, 'ASG', {
    vpc,
    mixedInstancesPolicy: {
    instancesDistribution: {
      onDemandPercentageAboveBaseCapacity: 50,
    },
    launchTemplate: asgLaunchTemplate,
  },
});

const capacityProvider = new ecs.AsgCapacityProvider(this, 'AsgCapacityProvider', {autoScalingGroup});
cluster.addAsgCapacityProvider(capacityProvider);

Which will add the UserData

ASGLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        IamInstanceProfile:
          Arn:
            Fn::GetAtt:
              - ASGLaunchTemplateProfile
              - Arn
        ImageId:
          Ref: SsmParameterValueawsserviceecsoptimizedamiamazonlinux2recommendedimageidC96584B6F00A464EAD1953AFF4B05118Parameter
        InstanceType: t3.medium
        TagSpecifications:
          - ResourceType: instance
            Tags:
              - Key: Name
                Value: Test-Dev/ASG-LaunchTemplate
          - ResourceType: volume
            Tags:
              - Key: Name
                Value: Test-Dev/ASG-LaunchTemplate
        UserData:
          Fn::Base64:
            Fn::Join:
              - ""
              - - |-
                  #!/bin/bash
                  echo ECS_CLUSTER=
                - Ref: Cluster
                - |-2
                   >> /etc/ecs/ecs.config
                  sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP
                  sudo service iptables save
                  echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config
    Metadata:
      aws:cdk:path: Test-Dev/ASG-LaunchTemplate/Resource

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.29.1

Framework Version

No response

Node.js Version

16

OS

Amazon Linux 2 aarch64

Language

Typescript

Language Version

No response

Other information

No response

[corymhall]

@tochny I think this is a bug in the documentation and a feature request to have the currently
documented behavior be the actual behavior.

This issue has been classified as p2. That means a workaround is available or it is deemed a nice-to-have feature. Given the amount of work there is to do and the relative priority of this issue, the CDK team is unlikely to address it. That does not mean the issue will never be fixed! If someone from the community submits a PR to fix this issue, and the PR is small and straightforward enough, and meets the quality bars to be reviewed and merged with little effort we will accept that PR. PRs that do not build or need complex or multiple rounds of reviews are unlikely to be merged and will be closed to keep our backlog manageable.

In the mean time, remember that you can always use the escape hatch (https://docs.aws.amazon.com/cdk/v2/guide/cfn_layer.html) mechanism to have fine control over the CloudFormation output you want. We will keep the issue open for discoverability, to collect upvotes, and to facilitate discussion around this topic.

We use +1s on this issue to help prioritize our work, and are happy to re-evaluate the prioritization of this issue based on community feedback. You can reach out to the cdk.dev community on Slack (https://cdk.dev/) to solicit support for reprioritization.

[neilkuan]

I think issue is this part.

aws-cdk/packages/@aws-cdk/aws-ecs/lib/cluster.ts

Lines 389 to 426 in 4e52091

	private configureAutoScalingGroup(autoScalingGroup: autoscaling.AutoScalingGroup, options: AddAutoScalingGroupCapacityOptions = {}) {
	if (autoScalingGroup.osType === ec2.OperatingSystemType.WINDOWS) {
	this.configureWindowsAutoScalingGroup(autoScalingGroup, options);
	} else {
	// Tie instances to cluster
	switch (options.machineImageType) {
	// Bottlerocket AMI
	case MachineImageType.BOTTLEROCKET: {
	autoScalingGroup.addUserData(
	// Connect to the cluster
	// Source: https://github.com/bottlerocket-os/bottlerocket/blob/develop/QUICKSTART-ECS.md#connecting-to-your-cluster
	'[settings.ecs]',
	`cluster = "${this.clusterName}"`,
	);
	// Enabling SSM
	// Source: https://github.com/bottlerocket-os/bottlerocket/blob/develop/QUICKSTART-ECS.md#enabling-ssm
	autoScalingGroup.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'));
	// required managed policy
	autoScalingGroup.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AmazonEC2ContainerServiceforEC2Role'));
	break;
	}
	default:
	// Amazon ECS-optimized AMI for Amazon Linux 2
	autoScalingGroup.addUserData(`echo ECS_CLUSTER=${this.clusterName} >> /etc/ecs/ecs.config`);
	if (!options.canContainersAccessInstanceRole) {
	// Deny containers access to instance metadata service
	// Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
	autoScalingGroup.addUserData('sudo iptables --insert FORWARD 1 --in-interface docker+ --destination 169.254.169.254/32 --jump DROP');
	autoScalingGroup.addUserData('sudo service iptables save');
	// The following is only for AwsVpc networking mode, but doesn't hurt for the other modes.
	autoScalingGroup.addUserData('echo ECS_AWSVPC_BLOCK_IMDS=true >> /etc/ecs/ecs.config');
	}
	if (autoScalingGroup.spotPrice && options.spotInstanceDraining) {
	autoScalingGroup.addUserData('echo ECS_ENABLE_SPOT_INSTANCE_DRAINING=true >> /etc/ecs/ecs.config');
	}
	}
	}

[pahud]

As documented, Launch Template should creates a UserData based on the type of provided machineImage, but no UserData generated when machineImage is provided.

Hi @tochny, can you share the document link? I think we should fix the document and provide a sample with LaunchTemplate and ECS capacity provider.

Hi @kimisme9386, per our previous talk off line, are you available to pick up this PR and add some sample in the aws-ecs README for this scenario?

[kimisme9386]

Hi @pahud, The PR #21047 is here. Please take a look. thanks.

[pahud]

Hi @corymhall and @peterwoodworth

please check out #21047 for a quick doc update for this issue.