Azure Policy to check VM Size is set to the value of tag 'ProductionSize' on the VM resource - azure-virtual-machine

Does anyone know if it is possible to have an Azure Policy that checks that the VM size is set to the same value as the value of the tag 'ProductionSize', which is on the same VM resource?

Yes, you can check that the VM size equals the tag value. You should use the Modify effect for tags, which will allow you to add or replace. I would model it after one of the 'inherit' built-in policies.
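An added example (not the asker's or answerer's code) of what such a definition looks like, plus a local pre-check you can run over exported VM records before assigning it. The field aliases are the documented Azure Policy ones (`Microsoft.Compute/virtualMachines/sku.name` is the VM size); using `field()` as the value of a condition is an assumption to confirm on a test assignment. One caveat on the answer's suggestion: a Modify effect can only add or replace tags, so it can make the tag follow the size, not the other way round; to enforce "size must match the tag" you need Audit or Deny, as below.

```python
"""Audit/Deny policy for 'VM size must equal the ProductionSize tag'.

Added example for this thread, not code from the original posts. The
aliases are documented Azure Policy aliases; field() as a condition
value is an assumption to verify on a test assignment."""
import json

TAG = "ProductionSize"
VM_TYPE = "Microsoft.Compute/virtualMachines"
SIZE_ALIAS = "Microsoft.Compute/virtualMachines/sku.name"  # alias for hardwareProfile.vmSize


def policy_rule() -> dict:
    """Body for `az policy definition create --rules`."""
    return {
        "if": {
            "allOf": [
                {"field": "type", "equals": VM_TYPE},
                # Only VMs that carry the tag are in scope.
                {"field": f"tags['{TAG}']", "exists": "true"},
                # Assumption: field() is accepted as a condition value.
                {"field": SIZE_ALIAS, "notEquals": f"[field('tags[{TAG}]')]"},
            ]
        },
        "then": {"effect": "[parameters('effect')]"},
    }


def policy_parameters() -> dict:
    """Body for `--params`; Deny blocks the create/update, Audit only reports."""
    return {
        "effect": {
            "type": "String",
            "allowedValues": ["Audit", "Deny", "Disabled"],
            "defaultValue": "Audit",
        }
    }


def noncompliant_vms(vms: list) -> list:
    """Local mirror of the rule over `az vm list -o json` records.

    Azure Policy string comparisons are case-insensitive, so the same is
    done here. Untagged VMs are out of scope, exactly as in the rule."""
    bad = []
    for vm in vms:
        tags = vm.get("tags") or {}
        if TAG not in tags:
            continue
        size = (vm.get("hardwareProfile") or {}).get("vmSize", "")
        if size.lower() != tags[TAG].lower():
            bad.append(vm["name"])
    return bad


# Constructed records in the shape of `az vm list -o json` output (not real VMs).
SAMPLE_VMS = [
    {"name": "web01", "hardwareProfile": {"vmSize": "Standard_D4s_v3"},
     "tags": {"ProductionSize": "Standard_D4s_v3"}},
    {"name": "web02", "hardwareProfile": {"vmSize": "Standard_B2s"},
     "tags": {"ProductionSize": "Standard_D4s_v3"}},   # drifted: non-compliant
    {"name": "lab01", "hardwareProfile": {"vmSize": "Standard_B1s"},
     "tags": {}},                                       # untagged: out of scope
    {"name": "web03", "hardwareProfile": {"vmSize": "standard_d4s_v3"},
     "tags": {"ProductionSize": "Standard_D4s_v3"}},   # case differs only: compliant
]

if __name__ == "__main__":
    print(json.dumps(policy_rule(), indent=2))
    print("non-compliant:", noncompliant_vms(SAMPLE_VMS))
```

Assign with Audit first and look at the compliance results; switch the parameter to Deny only once existing VMs have been brought in line, otherwise resize operations on drifted VMs will fail.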

Related

Unable to use kubernetes.io/cluster tag in AutoScaling group

I'm trying to create an autoscaling group that manages EKS worker node provisioning. According to AWS' docs under the "Nodes fail to join cluster" section, in order for instances to join a cluster, the new instances must contain the tag kubernetes.io/cluster/my-cluster, where my-cluster is the name of the cluster, and the value of the tag must be 'owned'. However, when the auto scaling group tries to provision new instances, I see the following error in the activity section:
Launching a new EC2 instance. Status Reason: Could not launch Spot
Instances. InvalidParameterValue -
'kubernetes.io/cluster/my-cluster' is not a valid tag
key. Tag keys must match pattern ([0-9a-zA-Z\-_+=,.#:]{1,255}), and
must not be a reserved name ('.', '.', '_index'). Launching EC2
instance failed.
Does anyone know why this is happening and how I can address this?
I worked with AWS Support and discovered the issue is coming from a new feature called instance tags on the EC2 instance metadata service.
This feature provides an alternative solution to making API calls via AWS CLI by allowing developers to use the metadata service API to query instance tags. This is useful to reduce the number of API calls if you are having issues with exceeding the maximum number of requests to AWS.
However, this causes conflicts with the auto scaling group when the special IAM key, which includes non-supported characters, is required.
The solution to the problem is to set 'Metadata accessible' to 'Don't include in launch template' or 'Disabled' when creating your launch template.
You can find this option when creating or modifying a launch template under: Advanced details section > Metadata accessible
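An added example (not the asker's code) of catching this before the Auto Scaling group does: it checks tag keys against the pattern quoted in the error above and builds the `LaunchTemplateData` for `ec2.create_launch_template()` with instance metadata tags disabled whenever a key would be rejected. The tag set and AMI id are constructed placeholders; the second reserved name is assumed to be `..`, which the pasted error renders as `.`. `HttpTokens: required` (IMDSv2) is included because it is the other metadata option a hardened node template should set, but it is unrelated to the tag failure.

```python
"""Pre-flight check for the 'is not a valid tag key' launch failure.

Added example for this thread, not code from the original posts. Pattern
and reserved names come from the quoted error; '..' is an assumption.
Only the documented boto3 LaunchTemplateData fields are used, as a dict;
no API call is made here."""
import re

IMDS_TAG_KEY = re.compile(r"^[0-9a-zA-Z\-_+=,.#:]{1,255}$")
IMDS_RESERVED = {".", "..", "_index"}   # '..' assumed from the garbled message


def imds_incompatible_keys(tags: dict) -> list:
    """Tag keys the instance-metadata-tags feature rejects.

    '/' is not in the allowed set, so every kubernetes.io/cluster/<name>
    key fails, which is exactly what the ASG activity log reported."""
    return [k for k in tags if not IMDS_TAG_KEY.match(k) or k in IMDS_RESERVED]


def launch_template_data(ami_id: str, instance_type: str, tags: dict) -> dict:
    """LaunchTemplateData for ec2.create_launch_template(...).

    Instance metadata tags are enabled only when every key is compatible;
    otherwise the option is disabled so the ASG can still launch nodes.
    The same switch is what 'Metadata accessible: Disabled' sets in the
    console."""
    bad = imds_incompatible_keys(tags)
    return {
        "ImageId": ami_id,
        "InstanceType": instance_type,
        "MetadataOptions": {
            "HttpTokens": "required",   # IMDSv2 only; unrelated to the tag issue
            "InstanceMetadataTags": "disabled" if bad else "enabled",
        },
        "TagSpecifications": [
            {"ResourceType": "instance",
             "Tags": [{"Key": k, "Value": v} for k, v in tags.items()]}
        ],
    }


# Constructed node tags (placeholder cluster and nodegroup names).
NODE_TAGS = {
    "kubernetes.io/cluster/my-cluster": "owned",   # required by EKS, rejected by IMDS tags
    "Name": "eks-worker",
    "eks:nodegroup-name": "ng-1",                  # ':' is allowed
}

if __name__ == "__main__":
    print("incompatible:", imds_incompatible_keys(NODE_TAGS))
    print(launch_template_data("ami-0123456789abcdef0", "m5.large", NODE_TAGS)["MetadataOptions"])
```

If you do want tags readable from IMDS on the nodes, the only fix is a tag set without the EKS discovery key, which these nodes cannot do; so for EKS worker templates the option stays disabled.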

Specifying Custom Network on Regional Managed Instance Groups on GCP

I am exploring managed instance groups on GCP, and I am trying to create a multi-zone (regional) MIG. However, it always selects the default network, and I don't see any way to change it (I know it can change if the MIG is zonal). Is it possible to use a custom network with a regional MIG, or is that just a current limitation that it always needs to use the default?
First you will need to create the VPC Network and set its dynamic routing mode to Global.
Then, while creating an instance group, select Create New Instance Template under Instance Template and, while setting up the instance template, choose the created network under the Networking section.

Restricting IAM Users to a specific region and Instance type/Class in GCP

I am new to GCP but I have worked on AWS. Here, what I want to achieve is to restrict IAM users to a particular region and Compute Engine type.
Like we have in AWS, writing custom roles to restrict them to us-east, in the same way I want them locked into 'us-central1' and to lock the Compute Engine type to the most basic one.
Can I create such a custom role or condition to achieve the requirement?
An explicit-deny kind of permission is what I need here.
Update: Restricting Location at Organization level is something useful; please let me know if there is any other way.
You may rely on Cloud IAM Conditions in this case. They add an extra level of granularity to IAM policies. Access to the resource is granted only if the condition expression is true. You can check against various attributes using the available variables, operators and functions.
Resources that accept conditional role bindings:
Compute Engine
Global backend services
Regional backend services
Firewalls
Images
Instance templates
Instances
Regional persistent disks
Zonal persistent disks
Snapshots
In the existing resource name format, the names of VM instances contain the zone-id, which could be helpful for location-based restrictions:
Compute Engine instances projects/project-id/zones/zone-id/instances/instance-id
Next you can use Resource attributes to create conditions that evaluate the resource in the access request, for example:
resource.type == "compute.googleapis.com/Instance"
resource.name.startsWith("projects/project-id/zones/zone-id")
IAM policies that use instance type are not supported at this time. A relevant feature request was recently created on the Issue Tracker. You may keep an eye on this one:
https://issuetracker.google.com/158524244.
Google Cloud Platform supports resource location restrictions. The relevant section of the documentation explains them in detail. Refer to the Setting the organization policy section of the documentation for the exact procedure to be followed. But notice that in the specific case of Compute Engine there are limitations to the resource location constraints that you set up, related to different aspects of the product such as snapshots and images, managed instance groups, sole-tenant nodes, etc.
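An added example (not the answerer's code) of the conditional binding the answer describes, built from the resource name format it quotes, together with a local check of the prefix logic so you can test instance names from logs or `gcloud compute instances list --uri` before changing the policy. Project id, region, member and role are placeholders. Two caveats for the asker's "explicit deny" wish: a condition only narrows what this one binding grants, so any unconditional binding elsewhere (for example roles/editor on the project) still grants access; and the prefix ends in `-` so that `us-central1` cannot match another zone name that merely starts with the same characters.

```python
"""Conditional IAM binding scoping Compute instance admin rights to the
zones of one region, plus a local evaluation of the same clauses.

Added example for this thread, not code from the original posts. Uses the
resource name format quoted in the answer; project, region, member and
role are placeholders. Nothing is sent to the API here."""
import json

RESOURCE_TYPE = "compute.googleapis.com/Instance"


def zone_prefix(project: str, region: str) -> str:
    # Trailing '-' so the prefix only matches zones of this region.
    return f"projects/{project}/zones/{region}-"


def condition_expression(project: str, region: str) -> str:
    """CEL expression IAM evaluates on every access request."""
    return (f'resource.type == "{RESOURCE_TYPE}" && '
            f'resource.name.startsWith("{zone_prefix(project, region)}")')


def conditional_binding(member: str, role: str, project: str, region: str) -> dict:
    """One `bindings[]` entry for the project IAM policy (setIamPolicy).

    CLI equivalent: gcloud projects add-iam-policy-binding PROJECT
      --member=MEMBER --role=ROLE --condition='expression=EXPR,title=TITLE'
    """
    return {
        "role": role,
        "members": [member],
        "condition": {
            "title": f"instances-in-{region}",
            "description": f"Only Compute Engine instances in {region} zones",
            "expression": condition_expression(project, region),
        },
    }


def condition_holds(resource_type: str, resource_name: str,
                    project: str, region: str) -> bool:
    """Local evaluation of the two clauses above for a given resource.

    Mirrors what IAM does with the expression; useful for checking a
    list of instance names before rolling the binding out."""
    return (resource_type == RESOURCE_TYPE
            and resource_name.startswith(zone_prefix(project, region)))


if __name__ == "__main__":
    b = conditional_binding("user:alice@example.com",
                            "roles/compute.instanceAdmin.v1",
                            "my-project", "us-central1")
    print(json.dumps(b, indent=2))
    print(condition_holds(RESOURCE_TYPE,
                          "projects/my-project/zones/us-central1-a/instances/vm1",
                          "my-project", "us-central1"))
```

Because the condition tests `resource.type`, it says nothing about disks, images or templates; add further bindings (or a looser type check) if the same people need those, and keep the organization-level location constraint from the answer as the actual guard rail.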

Google Compute Engine autoscale based on 'used' memory

I'm looking to scale my Compute Engine instances based on memory, which is an agent metric in Stackdriver. The caveat is that out of the 5 states that the agent can monitor (buffered, cached, free, slab, used), see the link here, I only want to look at 'used' memory, and if that value is above a certain percentage threshold across the group (or per instance would also work for me), I want to autoscale.
I've already installed the Stackdriver Monitoring agent in all the nodes across the Managed Instance Group and I am successfully able to visualize 'used' memory in my monitoring dashboard as I'm well acquainted with it.
Unfortunately, I can't do it for autoscaling. This is what I see when I go to configure it in the autoscaling section of MIG.
In my belief, adding filter expressions should work as expected, since this expression works correctly in the Stackdriver console using the Monitoring dashboard. Also, it's mentioned here that the syntax is compatible with Cloud Monitoring filter syntax that is given here.
I've tried different combinations for the syntax in the filter expression field but none of them has worked. Please help.
I was attempting the exact same configuration in attempts to scale based on memory usage. After testing various unsuccessful entries I reached out to Google support. Based on your question I can't tell what kind of instance group you have. It matters because of the following.
TLDR
Based on input from Google support, only zonal instance groups allow the filter expression entry.
Zonal Instance Group
Only zonal instance groups will allow the metric setting. The setting you are attempting to enter is correct with metric.state=used for a zonal instance group. However, that field must be left blank for regional instance group.
Regional Instance Group
As noted above, applying the filter for a regional instance group is not supported. As noted in their documentation they mention that you leave that field blank.
In the Additional filter expression section: For a zonal MIG, optionally enter a filter to use individual values from metrics with multiple streams or labels. For more information, see Filtering per-instance metrics. For a regional MIG, leave this section blank.
If you add an entry you'll receive the message "Regional managed instance groups do not support autoscaling using per-group metrics." when attempting to save your changes.
On the other hand if you leave the field empty it will save. However, I found that leaving the field empty and setting almost any number in the Target Utilization field always caused my group to scale to the maximum number.
Summary
Google informed me that they do have a feature request for this. I communicated that it didn't make sense to even have the option to select percent_used if it's not supported. The response was that we should see the documentation updated in the future to clarify that point.

Use of Google Cloud Platform with multizone

I need to use a service of the Compute Engine API; however, I need to specify the region and zone. How should I set a multi-zone value for the 'zone' parameter of the service?
https://www.googleapis.com/compute/beta/projects/-project-/zones/-zone-/instanceGroupManagers/instanceGroupManager
My instance group is of the multi-zone type, running in europe-west1-b, europe-west1-d and europe-west1-c, but I can't use a value like europe-west1 for the zone parameter.
There are two kinds of Instance Group Managers (IGMs), which are almost identical.
Zonal, and
Regional.
There are two differences between them:
Service used to manage them (compute.instanceGroupManagers for zonal and compute.regionInstanceGroupManagers for regional),
Fields you can set (you must set zone for zonal but cannot set it for regional; the reverse applies to the region field).
You want to create a regional IGM. So you must send the call to the compute.regionInstanceGroupManagers.create method, not set any value for the zone field, but set a value for the region field.
If you are just starting, it's probably easiest to use the web UI. You can also use the command gcloud compute instance-groups managed create (with the --region flag) if you like the console. If you want to interact with the API more directly, APIs Explorer makes that easier.
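An added example (not the asker's or answerer's code) that turns the answer's rule into code: it picks the zonal or regional endpoint from the shape of the location name instead of guessing, and builds the body for a regional insert spanning the three europe-west1 zones from the question, refusing a zone that lies outside the region. The URL shape follows the beta URL quoted in the question; note that the regional *service* is `regionInstanceGroupManagers` but its *path* is `.../regions/{region}/instanceGroupManagers`. Project, template and group names are placeholders; nothing is sent.

```python
"""Select the zonal or regional IGM endpoint from the location name and
build a regional insert body with an explicit zone distribution.

Added example for this thread, not code from the original posts. URL
shape as quoted in the question; body fields (name, instanceTemplate,
targetSize, distributionPolicy.zones) are the documented ones. Names are
placeholders and no request is made."""
import re

BASE = "https://www.googleapis.com/compute/beta"
ZONE_RE = re.compile(r"^[a-z]+-[a-z]+\d+-[a-z]$")   # e.g. europe-west1-b
REGION_RE = re.compile(r"^[a-z]+-[a-z]+\d+$")        # e.g. europe-west1


def igm_url(project: str, location: str, name: str) -> str:
    """Zonal locations map to instanceGroupManagers, regional ones to
    regionInstanceGroupManagers (whose path is regions/.../instanceGroupManagers).
    Anything else is rejected rather than sent to the wrong service."""
    if ZONE_RE.match(location):
        return f"{BASE}/projects/{project}/zones/{location}/instanceGroupManagers/{name}"
    if REGION_RE.match(location):
        return f"{BASE}/projects/{project}/regions/{location}/instanceGroupManagers/{name}"
    raise ValueError(f"not a zone or region name: {location!r}")


def regional_igm_insert(project: str, region: str, name: str, template: str,
                        target_size: int, zones: list) -> tuple:
    """(collection URL, JSON body) for regionInstanceGroupManagers.insert.

    The region lives in the URL, not in the body, which is why there is no
    'zone' field to fill in. Every listed zone must belong to the region;
    gcloud equivalent: gcloud compute instance-groups managed create NAME
      --region=REGION --zones=Z1,Z2,Z3 --template=TEMPLATE --size=N"""
    for z in zones:
        if not (ZONE_RE.match(z) and z.rsplit("-", 1)[0] == region):
            raise ValueError(f"zone {z!r} is not in region {region!r}")
    body = {
        "name": name,
        "instanceTemplate": f"{BASE}/projects/{project}/global/instanceTemplates/{template}",
        "targetSize": target_size,
        # Explicit zones; omit distributionPolicy to let GCE choose zones itself.
        "distributionPolicy": {
            "zones": [{"zone": f"{BASE}/projects/{project}/zones/{z}"} for z in zones]
        },
    }
    return f"{BASE}/projects/{project}/regions/{region}/instanceGroupManagers", body


if __name__ == "__main__":
    print(igm_url("my-project", "europe-west1-b", "zonal-group"))
    url, body = regional_igm_insert("my-project", "europe-west1", "regional-group",
                                    "web-template", 3,
                                    ["europe-west1-b", "europe-west1-c", "europe-west1-d"])
    print(url)
    print(body["distributionPolicy"])
```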