DisableApiTermination true setting is creating a new bastion during Kernel update but unable to delete the old bastion

wayneW · December 2, 2023, 11:21pm

We have bastion hosts managed via the CDK. A pen test required they have DisableApiTermination=true set on them, and we do that via a cloud formation override as so:

var cfnBastion = (CfnInstance) bastion.getNode().getDefaultChild().getNode().getDefaultChild();
cfnBastion.addPropertyOverride("DisableApiTermination", true);```


However, now whenever Amazon update the kernel version cloudformation decides to add a new bastion and delete the old one - which fails because of the api termination protection!

Is there a hook to allow the CDK specifically to allow api termination?

wayneW · December 2, 2023, 11:42pm

Also asked <How can I enable termination protection for an EC2 Instance managed by the CDK, and still allow the CDK to terminate it in order to replace it? | AWS re:Post AWS re:Post:>

pOdom · December 3, 2023, 12:27am

Seems like you have a few options

pOdom · December 3, 2023, 1:09am

Disable termination protection and then terminate

Shut down the instance from within the os

Use an asg to manage instance termination/lifecycle

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html#termination-overview|https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html#termination-overview

pOdom · December 3, 2023, 1:52am

The DisableApiTermination attribute does not prevent Amazon EC2 Auto Scaling from terminating an instance.

pOdom · December 3, 2023, 2:29am

The DisableApiTermination attribute does not prevent you from terminating an instance by initiating shutdown from the instance (using an operating system command for system shutdown) when the InstanceInitiatedShutdownBehavior attribute is set

pOdom · December 3, 2023, 3:22am

I’m thinking that using an auto scaling group is the best option for a bastion, and then cdk just needs to deal with the autoscaling group configuration and the launch template

pOdom · December 3, 2023, 3:27am

And it never needs to touch the instances themselves

pOdom · December 3, 2023, 4:14am

But as a quick workaround you can just sequentially disable the termination protection and terminate it, but still spin up new instances with the termination protection enabled :man-shrugging:

wayneW · December 3, 2023, 4:38am

Cool, thanks for the ideas