feat: Expose cachedInContext flag to prevent instance recycling (#27)

* feat: Expose cachedInContext flag to prevent instance recycling * Pass false by default * chore: self mutation Signed-off-by: github-actions <[email protected]> * Doc tweak * chore: self mutation Signed-off-by: github-actions <[email protected]> --------- Signed-off-by: github-actions <[email protected]> Co-authored-by: JT <[email protected]> Co-authored-by: github-actions <[email protected]>
Hawxy · Jan 15, 2025 · 4363d90 · 4363d90
1 parent 10b7459
commit 4363d90
Show file tree

Hide file tree

Showing 11 changed files with 1,259 additions and 996 deletions.
diff --git a/.eslintrc.json b/.eslintrc.json
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: Hawxy
diff --git a/.github/workflows/pull-request-lint.yml b/.github/workflows/pull-request-lint.yml
diff --git a/.mergify.yml b/.mergify.yml
diff --git a/.projen/deps.json b/.projen/deps.json
diff --git a/.projen/tasks.json b/.projen/tasks.json
diff --git a/.projenrc.ts b/.projenrc.ts
@@ -5,7 +5,7 @@ const project = new awscdk.AwsCdkConstructLibrary({
   authorAddress: '[email protected]',
   cdkVersion: '2.80.0',
   constructsVersion: '10.1.0',
-  jsiiVersion: '~5.5.0',
+  jsiiVersion: '~5.7.0',
   majorVersion: 2,
   defaultReleaseBranch: 'main',
   name: 'cdk-tailscale-bastion',

diff --git a/API.md b/API.md
diff --git a/package.json b/package.json
diff --git a/src/index.ts b/src/index.ts
@@ -38,6 +38,8 @@ export interface TailscaleCredentials {
    * Provides an auth key as a plaintext string.
    * This option will expose the auth key in your CDK template and should only be used with non-reusable keys.
    * Potentially useful for DevOps runbooks and temporary instances.
+   *
+   * The `cachedInContext` configuration option might be relevant to you if you use this parameter.
    */
   readonly unsafeString?: string;
 }
@@ -103,6 +105,14 @@ export interface TailscaleBastionProps {
    * Advertise a custom route instead of using the VPC CIDR, used for Tailscale 4via6 support.
    */
   readonly advertiseRoute?: string;
+  /**
+   * Setting this to true will result in the Amazon Linux AMI being cached in `cdk.context.json` and prevent the instance being replaced when the image is updated.
+   * Enable this if you'd like to use non-reusable Tailscale keys, or you'd prefer the instance to remain stable.
+   * Keep in mind that the AMI will grow old over time and is it your responsibility to evict it from the context.
+   *
+   * @default false
+   */
+  readonly cachedInContext?: boolean;
 }
 
 export class TailscaleBastion extends Construct {
@@ -122,6 +132,7 @@ export class TailscaleBastion extends Construct {
       incomingRoutes,
       advertiseRoute,
       cpuType,
+      cachedInContext,
     } = props;
 
     const authKeyCommand = this.computeTsKeyCli(tailscaleCredentials);
@@ -132,7 +143,7 @@ export class TailscaleBastion extends Construct {
       instanceName: instanceName ?? 'BastionHostTailscale',
       securityGroup,
       instanceType,
-      machineImage: MachineImage.latestAmazonLinux2023({ cpuType: cpuType ?? AmazonLinuxCpuType.X86_64 }),
+      machineImage: MachineImage.latestAmazonLinux2023({ cpuType: cpuType ?? AmazonLinuxCpuType.X86_64, cachedInContext: cachedInContext ?? false }),
       subnetSelection: subnetSelection ?? { subnetType: SubnetType.PUBLIC },
       init: CloudFormationInit.fromElements(
         // Configure IP forwarding