Remove CloudFormation changes from benchmark PR

Author: rgarcia

deploy/aws/cloudformation/template.yaml

@@ -11,17 +11,12 @@ Metadata:
           - SubnetId
           - AllowedApiCidr
           - ApiPort
-          - EnableHttpIngress
-          - EnableHttpsIngress
-          - AllowedIngressCidr
       - Label:
           default: Instance
         Parameters:
           - InstanceType
           - RootVolumeSize
           - DataVolumeSize
-          - DataVolumeIops
-          - DataVolumeThroughput
           - AmiSsmParameter
       - Label:
           default: Access
@@ -46,12 +41,6 @@ Metadata:
         default: Hypeman API access CIDR
       ApiPort:
         default: Hypeman API port
-      EnableHttpIngress:
-        default: Enable HTTP ingress
-      EnableHttpsIngress:
-        default: Enable HTTPS ingress
-      AllowedIngressCidr:
-        default: Hypeman ingress access CIDR
       EnableSSH:
         default: Enable SSH
       AllowedSshCidr:
@@ -62,10 +51,6 @@ Metadata:
         default: Root volume size
       DataVolumeSize:
         default: Hypeman data volume size
-      DataVolumeIops:
-        default: Hypeman data volume IOPS
-      DataVolumeThroughput:
-        default: Hypeman data volume throughput
       HypemanVersion:
         default: Hypeman release
       HypemanBranch:
@@ -98,21 +83,6 @@ Parameters:
     MinValue: 1
     MaxValue: 65535
     Description: Hypeman API port exposed to AllowedApiCidr.
-  EnableHttpIngress:
-    Type: String
-    Default: "false"
-    AllowedValues: ["true", "false"]
-    Description: Open port 80 from AllowedIngressCidr for Hypeman HTTP ingress traffic.
-  EnableHttpsIngress:
-    Type: String
-    Default: "false"
-    AllowedValues: ["true", "false"]
-    Description: Open port 443 from AllowedIngressCidr for Hypeman HTTPS ingress traffic.
-  AllowedIngressCidr:
-    Type: String
-    Default: 127.0.0.1/32
-    Description: Client CIDR allowed to reach Hypeman ingress ports when enabled. Use your current public IP /32 or a trusted VPN CIDR; avoid 0.0.0.0/0.
-    AllowedPattern: "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$"
   EnableSSH:
     Type: String
     Default: "false"
@@ -139,18 +109,6 @@ Parameters:
     MinValue: 50
     MaxValue: 16384
     Description: Hypeman data EBS volume size in GiB. This volume is formatted as XFS and mounted at /var/lib/hypeman.
-  DataVolumeIops:
-    Type: Number
-    Default: 3000
-    MinValue: 3000
-    MaxValue: 80000
-    Description: Provisioned IOPS for the Hypeman data gp3 EBS volume. High values may require a larger DataVolumeSize.
-  DataVolumeThroughput:
-    Type: Number
-    Default: 125
-    MinValue: 125
-    MaxValue: 2000
-    Description: Provisioned throughput in MiB/s for the Hypeman data gp3 EBS volume. High values may require higher DataVolumeIops.
   HypemanVersion:
     Type: String
     Default: latest
@@ -170,8 +128,6 @@ Parameters:
 
 Conditions:
   UseSSH: !Equals [!Ref EnableSSH, "true"]
-  UseHttpIngress: !Equals [!Ref EnableHttpIngress, "true"]
-  UseHttpsIngress: !Equals [!Ref EnableHttpsIngress, "true"]
 
 Resources:
   HypemanSecurityGroup:
@@ -185,22 +141,6 @@ Resources:
           ToPort: !Ref ApiPort
           CidrIp: !Ref AllowedApiCidr
           Description: Hypeman API
-        - !If
-          - UseHttpIngress
-          - IpProtocol: tcp
-            FromPort: 80
-            ToPort: 80
-            CidrIp: !Ref AllowedIngressCidr
-            Description: Hypeman HTTP ingress
-          - !Ref AWS::NoValue
-        - !If
-          - UseHttpsIngress
-          - IpProtocol: tcp
-            FromPort: 443
-            ToPort: 443
-            CidrIp: !Ref AllowedIngressCidr
-            Description: Hypeman HTTPS ingress
-          - !Ref AWS::NoValue
         - !If
           - UseSSH
           - IpProtocol: tcp
@@ -246,10 +186,9 @@ Resources:
       Roles:
         - !Ref HypemanInstanceRole
 
-  # CloudFormation's typed EC2 instance block device mapping does not expose gp3
-  # throughput, and EC2 resources do not expose CpuOptions.NestedVirtualization
-  # yet. This helper creates a minimal launch template for those fields; the
-  # Hypeman EC2 instance itself remains a normal stack-managed resource.
+  # CloudFormation's typed EC2 resources do not expose CpuOptions.NestedVirtualization yet.
+  # This helper creates only the launch template that carries that EC2 API option;
+  # the Hypeman EC2 instance itself remains a normal stack-managed resource.
   NestedVirtualizationLaunchTemplateRole:
     Type: AWS::IAM::Role
     Properties:
@@ -346,24 +285,12 @@ Resources:
               stack_uuid = event["StackId"].rsplit("/", 1)[-1]
               return f"{event['ResourceProperties']['NamePrefix']}-{stack_uuid}"
 
-          def create_launch_template(name, props):
+          def create_launch_template(name):
               payload = {
                   "Action": "CreateLaunchTemplate",
                   "Version": "2016-11-15",
                   "LaunchTemplateName": name,
                   "LaunchTemplateData.CpuOptions.NestedVirtualization": "enabled",
-                  "LaunchTemplateData.BlockDeviceMapping.1.DeviceName": "/dev/sda1",
-                  "LaunchTemplateData.BlockDeviceMapping.1.Ebs.VolumeSize": props["RootVolumeSize"],
-                  "LaunchTemplateData.BlockDeviceMapping.1.Ebs.VolumeType": "gp3",
-                  "LaunchTemplateData.BlockDeviceMapping.1.Ebs.Encrypted": "true",
-                  "LaunchTemplateData.BlockDeviceMapping.1.Ebs.DeleteOnTermination": "true",
-                  "LaunchTemplateData.BlockDeviceMapping.2.DeviceName": "/dev/sdf",
-                  "LaunchTemplateData.BlockDeviceMapping.2.Ebs.VolumeSize": props["DataVolumeSize"],
-                  "LaunchTemplateData.BlockDeviceMapping.2.Ebs.VolumeType": "gp3",
-                  "LaunchTemplateData.BlockDeviceMapping.2.Ebs.Iops": props["DataVolumeIops"],
-                  "LaunchTemplateData.BlockDeviceMapping.2.Ebs.Throughput": props["DataVolumeThroughput"],
-                  "LaunchTemplateData.BlockDeviceMapping.2.Ebs.Encrypted": "true",
-                  "LaunchTemplateData.BlockDeviceMapping.2.Ebs.DeleteOnTermination": "true",
                   "TagSpecification.1.ResourceType": "launch-template",
                   "TagSpecification.1.Tag.1.Key": "Name",
                   "TagSpecification.1.Tag.1.Value": name,
@@ -399,7 +326,7 @@ Resources:
                       return
                   if request_type == "Update":
                       delete_launch_template(physical_id)
-                  data = create_launch_template(launch_template_name(event), event["ResourceProperties"])
+                  data = create_launch_template(launch_template_name(event))
                   send(event, context, "SUCCESS", data, physical_id=data["LaunchTemplateId"])
               except Exception as exc:
                   traceback.print_exc()
@@ -410,10 +337,6 @@ Resources:
     Properties:
       ServiceToken: !GetAtt NestedVirtualizationLaunchTemplateFunction.Arn
       NamePrefix: hypeman
-      RootVolumeSize: !Ref RootVolumeSize
-      DataVolumeSize: !Ref DataVolumeSize
-      DataVolumeIops: !Ref DataVolumeIops
-      DataVolumeThroughput: !Ref DataVolumeThroughput
 
   HypemanHost:
     Type: AWS::EC2::Instance
@@ -428,6 +351,19 @@ Resources:
         - !Ref HypemanSecurityGroup
       IamInstanceProfile: !Ref HypemanInstanceProfile
       KeyName: !If [UseSSH, !Ref KeyName, !Ref AWS::NoValue]
+      BlockDeviceMappings:
+        - DeviceName: /dev/sda1
+          Ebs:
+            VolumeSize: !Ref RootVolumeSize
+            VolumeType: gp3
+            Encrypted: true
+            DeleteOnTermination: true
+        - DeviceName: /dev/sdf
+          Ebs:
+            VolumeSize: !Ref DataVolumeSize
+            VolumeType: gp3
+            Encrypted: true
+            DeleteOnTermination: true
       Tags:
         - Key: Name
           Value: !Sub ${AWS::StackName}-hypeman

deploy/aws/cloudformation/template_test.go

@@ -16,15 +16,10 @@ func TestQuickstartParameters(t *testing.T) {
 	assertDefault(t, parameters, "InstanceType", "c8i.2xlarge")
 	assertDefault(t, parameters, "AllowedApiCidr", "127.0.0.1/32")
 	assertDefault(t, parameters, "ApiPort", "8080")
-	assertDefault(t, parameters, "EnableHttpIngress", "false")
-	assertDefault(t, parameters, "EnableHttpsIngress", "false")
-	assertDefault(t, parameters, "AllowedIngressCidr", "127.0.0.1/32")
 	assertDefault(t, parameters, "EnableSSH", "false")
 	assertDefault(t, parameters, "AllowedSshCidr", "127.0.0.1/32")
 	assertDefault(t, parameters, "RootVolumeSize", "30")
 	assertDefault(t, parameters, "DataVolumeSize", "100")
-	assertDefault(t, parameters, "DataVolumeIops", "3000")
-	assertDefault(t, parameters, "DataVolumeThroughput", "125")
 	assertDefault(t, parameters, "HypemanVersion", "latest")
 	assertDefault(t, parameters, "HypemanCliVersion", "latest")
 
@@ -36,10 +31,6 @@ func TestQuickstartParameters(t *testing.T) {
 	assertContains(t, scalar(t, apiCidr["Description"]), "current public IP /32")
 	assertContains(t, scalar(t, apiCidr["Description"]), "avoid 0.0.0.0/0")
 
-	ingressCidr := requireMapping(t, parameters["AllowedIngressCidr"])
-	assertContains(t, scalar(t, ingressCidr["Description"]), "current public IP /32")
-	assertContains(t, scalar(t, ingressCidr["Description"]), "avoid 0.0.0.0/0")
-
 	metadata := requireMapping(t, requireField(t, root, "Metadata"))
 	cfnInterface := requireMapping(t, requireField(t, metadata, "AWS::CloudFormation::Interface"))
 	groups := requireSequence(t, requireField(t, cfnInterface, "ParameterGroups"))
@@ -63,19 +54,16 @@ func TestCloudFormationLaunchContract(t *testing.T) {
 	securityGroup := requireMapping(t, requireField(t, resources, "HypemanSecurityGroup"))
 	sgProperties := requireMapping(t, requireField(t, securityGroup, "Properties"))
 	ingress := requireSequence(t, requireField(t, sgProperties, "SecurityGroupIngress"))
-	if len(ingress.Content) != 4 {
-		t.Fatalf("expected API ingress, HTTP ingress, HTTPS ingress, and SSH ingress, got %d entries", len(ingress.Content))
+	if len(ingress.Content) != 2 {
+		t.Fatalf("expected API ingress and conditional SSH ingress, got %d entries", len(ingress.Content))
 	}
 
 	apiIngress := requireMapping(t, ingress.Content[0])
 	assertRef(t, requireField(t, apiIngress, "FromPort"), "ApiPort")
 	assertRef(t, requireField(t, apiIngress, "ToPort"), "ApiPort")
 	assertRef(t, requireField(t, apiIngress, "CidrIp"), "AllowedApiCidr")
 
-	assertConditionalIngress(t, ingress.Content[1], "UseHttpIngress", "80", "AllowedIngressCidr")
-	assertConditionalIngress(t, ingress.Content[2], "UseHttpsIngress", "443", "AllowedIngressCidr")
-
-	sshIngress := ingress.Content[3]
+	sshIngress := ingress.Content[1]
 	if sshIngress.Tag != "!If" {
 		t.Fatalf("expected SSH ingress to be conditional !If, got %s", sshIngress.Tag)
 	}
@@ -99,14 +87,6 @@ func TestCloudFormationLaunchContract(t *testing.T) {
 	zipFile := scalar(t, requireField(t, code, "ZipFile"))
 	assertContains(t, zipFile, `"Action": "CreateLaunchTemplate"`)
 	assertContains(t, zipFile, `"LaunchTemplateData.CpuOptions.NestedVirtualization": "enabled"`)
-	assertContains(t, zipFile, `"LaunchTemplateData.BlockDeviceMapping.2.Ebs.Iops": props["DataVolumeIops"]`)
-	assertContains(t, zipFile, `"LaunchTemplateData.BlockDeviceMapping.2.Ebs.Throughput": props["DataVolumeThroughput"]`)
-
-	launchTemplateProperties := requireMapping(t, requireField(t, launchTemplate, "Properties"))
-	assertRef(t, requireField(t, launchTemplateProperties, "RootVolumeSize"), "RootVolumeSize")
-	assertRef(t, requireField(t, launchTemplateProperties, "DataVolumeSize"), "DataVolumeSize")
-	assertRef(t, requireField(t, launchTemplateProperties, "DataVolumeIops"), "DataVolumeIops")
-	assertRef(t, requireField(t, launchTemplateProperties, "DataVolumeThroughput"), "DataVolumeThroughput")
 
 	host := requireMapping(t, requireField(t, resources, "HypemanHost"))
 	if got := scalar(t, requireField(t, host, "Type")); got != "AWS::EC2::Instance" {
@@ -117,6 +97,17 @@ func TestCloudFormationLaunchContract(t *testing.T) {
 	assertGetAtt(t, requireField(t, hostLaunchTemplate, "LaunchTemplateId"), "NestedVirtualizationLaunchTemplate.LaunchTemplateId")
 	assertGetAtt(t, requireField(t, hostLaunchTemplate, "Version"), "NestedVirtualizationLaunchTemplate.VersionNumber")
 
+	blockDeviceMappings := requireSequence(t, requireField(t, hostProperties, "BlockDeviceMappings"))
+	if len(blockDeviceMappings.Content) != 2 {
+		t.Fatalf("expected root and Hypeman data block device mappings, got %d", len(blockDeviceMappings.Content))
+	}
+	dataDevice := requireMapping(t, blockDeviceMappings.Content[1])
+	if got := scalar(t, requireField(t, dataDevice, "DeviceName")); got != "/dev/sdf" {
+		t.Fatalf("data device name = %q, want /dev/sdf", got)
+	}
+	dataEBS := requireMapping(t, requireField(t, dataDevice, "Ebs"))
+	assertRef(t, requireField(t, dataEBS, "VolumeSize"), "DataVolumeSize")
+
 	userData := nodeText(requireField(t, hostProperties, "UserData"))
 	assertContains(t, userData, "curl -fsSL https://raw.githubusercontent.com/kernel/hypeman/main/scripts/install.sh | bash")
 	assertContains(t, userData, "xfsprogs")
@@ -153,26 +144,6 @@ func TestQuickstartOutputs(t *testing.T) {
 	assertContains(t, scalar(t, requireField(t, requireMapping(t, outputs["CreateTokenCommand"]), "Value")), "hypeman-create-token")
 }
 
-func assertConditionalIngress(t *testing.T, node *yaml.Node, condition, port, cidrRef string) {
-	t.Helper()
-
-	if node.Tag != "!If" {
-		t.Fatalf("expected ingress to be conditional !If, got %s", node.Tag)
-	}
-	parts := requireSequence(t, node)
-	if got := scalar(t, parts.Content[0]); got != condition {
-		t.Fatalf("expected condition %q, got %q", condition, got)
-	}
-	rule := requireMapping(t, parts.Content[1])
-	if got := scalar(t, requireField(t, rule, "FromPort")); got != port {
-		t.Fatalf("expected FromPort %s, got %q", port, got)
-	}
-	if got := scalar(t, requireField(t, rule, "ToPort")); got != port {
-		t.Fatalf("expected ToPort %s, got %q", port, got)
-	}
-	assertRef(t, requireField(t, rule, "CidrIp"), cidrRef)
-}
-
 func loadTemplate(t *testing.T) *yaml.Node {
 	t.Helper()