2025.09 - requires access to GitHub for auto-scaling / self healing

[keiranmraine]

Is your feature request related to a problem? Please describe.

yq is installed from github requiring further relaxation of Firewall rules to allow autoscaling or self-healing to be possible (already need to expose controlled repos). This is compounded in our environment as LZA doesn't support TLS inspection configuration to allow a more restricted firewall rule other than the domain.

Describe the solution you'd like

Pre built AMIs including dependencies provided as part of the RES release. Other benefits:

1. Reduced warmup on ASGs
2. More predictable
   • Use of latest or main branch causing "works today" / "not tomorrow" have been encountered
   • e.g. 109
3. Lower risk to wider environment (egress protection)

Describe alternatives you've considered

• Manual add/remove permission from firewall rules during deploy
  • auto-scaling/healing not possible
• Admin configured blocking of domains on user instances (current, but easily overlooked when new items added during deploy)
  • Ubuntu: /etc/host loopback on restricted domains
  • Windows: similar method, not implemented locally
• Manually adding TLS config to deployed LZA
  • Fragile, not easy to use IaC, audit trail issues
• More complex networking to separate firewall rules for RES management hosts from VDIs
  • Likely needing RES engineering to implement

Additional context

Active AWS support contract

[Mohjeet]

We allow the ability for users to build their own infrastructure AMIs and to build their own VDI AMIs.

Is the feature request for RES to publish its own prebaked AMIs? If so, are you requesting infrastructure AMIs, VDI AMIs, or both?

[keiranmraine]

Hi,

Thank you for the link to the infrastructure AMI documentation, we are only concerned with infrastructure AMIs in this instance.

As a user it feels like providing these images centrally would be beneficial for all - certainly if we're considering a "green" angle not wanting to waste compute resource generating the same things many times across deployments.

Thanks,

[keiranmraine]

... or providing it as an optional CDK stack in the deployment flow (rather than a manual setup).

[keiranmraine]

We have found some issues using a pre-built AMI with Amazon Linux 2023 prepped with /root/bootstrap/res-installation-scripts/scripts/infrastructure-host/install.sh (https://research-engineering-studio-eu-west-2.s3.amazonaws.com/releases/2025.09/res-installation-scripts.tar.gz)

• AL2023 install path attempts to use amazon-linux-extras to install epel during pre-build.
  • There is no amazon-linux-extras for AL2023
  • Absence doesn't appear to impact the rest of this script in the initial build
• VDC Gateway customisation - missing dependency gcc for python-ldap

We added gcc gcc-c++ make python3-devel openldap-devel openssl-devel libffi-devel to get an image that could successfully initialise, however potentially some were unnecessary - the problems only became evident during start-up of the individual nodes, not during the documented pre-build as different requirements were triggered by specific instance use case (gateway, etc).

Would the patch script provided for VDI build be expected to be used?
https://research-engineering-studio-us-east-1.s3.amazonaws.com/releases/2025.09/patch_scripts/patches/install_missing_packages.sh