From adaf3ad5fd5ebb8992eccb8039a8a12cde96e364 Mon Sep 17 00:00:00 2001
From: mikesplain <mike.splain@gmail.com>
Date: Fri, 21 Jun 2019 09:21:30 -0400
Subject: [PATCH] First pass at instance protection

---
 pkg/apis/kops/instancegroup.go                 |  2 ++
 pkg/apis/kops/v1alpha1/instancegroup.go        |  2 ++
 .../kops/v1alpha1/zz_generated.conversion.go   |  2 ++
 .../kops/v1alpha1/zz_generated.deepcopy.go     |  5 +++++
 pkg/apis/kops/v1alpha2/instancegroup.go        |  2 ++
 .../kops/v1alpha2/zz_generated.conversion.go   |  2 ++
 .../kops/v1alpha2/zz_generated.deepcopy.go     |  5 +++++
 pkg/apis/kops/zz_generated.deepcopy.go         |  5 +++++
 pkg/model/awsmodel/autoscalinggroup.go         |  2 ++
 .../fi/cloudup/awstasks/autoscalinggroup.go    | 18 ++++++++++++++++++
 10 files changed, 45 insertions(+)

diff --git a/pkg/apis/kops/instancegroup.go b/pkg/apis/kops/instancegroup.go
index 2c13350943..3b1518d249 100644
--- a/pkg/apis/kops/instancegroup.go
+++ b/pkg/apis/kops/instancegroup.go
@@ -149,6 +149,8 @@ type InstanceGroupSpec struct {
 	IAM *IAMProfileSpec `json:"iam,omitempty"`
 	// SecurityGroupOverride overrides the default security group created by Kops for this IG (AWS only).
 	SecurityGroupOverride *string `json:"securityGroupOverride,omitempty"`
+	// InstanceProtection makes new instances in an autoscaling group protected from scale in
+	InstanceProtection *bool `json:"instanceProtection,omitempty"`
 }
 
 const (
diff --git a/pkg/apis/kops/v1alpha1/instancegroup.go b/pkg/apis/kops/v1alpha1/instancegroup.go
index ef900d9e54..32c5daa9c3 100644
--- a/pkg/apis/kops/v1alpha1/instancegroup.go
+++ b/pkg/apis/kops/v1alpha1/instancegroup.go
@@ -136,6 +136,8 @@ type InstanceGroupSpec struct {
 	IAM *IAMProfileSpec `json:"iam,omitempty"`
 	// SecurityGroupOverride overrides the default security group created by Kops for this IG (AWS only).
 	SecurityGroupOverride *string `json:"securityGroupOverride,omitempty"`
+	// InstanceProtection makes new instances in an autoscaling group protected from scale in
+	InstanceProtection *bool `json:"instanceProtection,omitempty"`
 }
 
 const (
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
index 401460e46f..79fc4ffb65 100644
--- a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
@@ -2751,6 +2751,7 @@ func autoConvert_v1alpha1_InstanceGroupSpec_To_kops_InstanceGroupSpec(in *Instan
 		out.IAM = nil
 	}
 	out.SecurityGroupOverride = in.SecurityGroupOverride
+	out.InstanceProtection = in.InstanceProtection
 	return nil
 }
 
@@ -2871,6 +2872,7 @@ func autoConvert_kops_InstanceGroupSpec_To_v1alpha1_InstanceGroupSpec(in *kops.I
 		out.IAM = nil
 	}
 	out.SecurityGroupOverride = in.SecurityGroupOverride
+	out.InstanceProtection = in.InstanceProtection
 	return nil
 }
 
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
index 0d5d944c16..a10c680261 100644
--- a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
@@ -1529,6 +1529,11 @@ func (in *InstanceGroupSpec) DeepCopyInto(out *InstanceGroupSpec) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceProtection != nil {
+		in, out := &in.InstanceProtection, &out.InstanceProtection
+		*out = new(bool)
+		**out = **in
+	}
 	return
 }
 
diff --git a/pkg/apis/kops/v1alpha2/instancegroup.go b/pkg/apis/kops/v1alpha2/instancegroup.go
index c6902a6620..93f7829cb1 100644
--- a/pkg/apis/kops/v1alpha2/instancegroup.go
+++ b/pkg/apis/kops/v1alpha2/instancegroup.go
@@ -143,6 +143,8 @@ type InstanceGroupSpec struct {
 	IAM *IAMProfileSpec `json:"iam,omitempty"`
 	// SecurityGroupOverride overrides the default security group created by Kops for this IG (AWS only).
 	SecurityGroupOverride *string `json:"securityGroupOverride,omitempty"`
+	// InstanceProtection makes new instances in an autoscaling group protected from scale in
+	InstanceProtection *bool `json:"instanceProtection,omitempty"`
 }
 
 const (
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index d263b2b3c9..7c5122bacb 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -2869,6 +2869,7 @@ func autoConvert_v1alpha2_InstanceGroupSpec_To_kops_InstanceGroupSpec(in *Instan
 		out.IAM = nil
 	}
 	out.SecurityGroupOverride = in.SecurityGroupOverride
+	out.InstanceProtection = in.InstanceProtection
 	return nil
 }
 
@@ -2994,6 +2995,7 @@ func autoConvert_kops_InstanceGroupSpec_To_v1alpha2_InstanceGroupSpec(in *kops.I
 		out.IAM = nil
 	}
 	out.SecurityGroupOverride = in.SecurityGroupOverride
+	out.InstanceProtection = in.InstanceProtection
 	return nil
 }
 
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
index 99834aa18d..9181f5ad7f 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
@@ -1491,6 +1491,11 @@ func (in *InstanceGroupSpec) DeepCopyInto(out *InstanceGroupSpec) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceProtection != nil {
+		in, out := &in.InstanceProtection, &out.InstanceProtection
+		*out = new(bool)
+		**out = **in
+	}
 	return
 }
 
diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go
index e0a25cb85a..bf1cdf2125 100644
--- a/pkg/apis/kops/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/zz_generated.deepcopy.go
@@ -1657,6 +1657,11 @@ func (in *InstanceGroupSpec) DeepCopyInto(out *InstanceGroupSpec) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceProtection != nil {
+		in, out := &in.InstanceProtection, &out.InstanceProtection
+		*out = new(bool)
+		**out = **in
+	}
 	return
 }
 
diff --git a/pkg/model/awsmodel/autoscalinggroup.go b/pkg/model/awsmodel/autoscalinggroup.go
index 74e0daefb0..0519fa8334 100644
--- a/pkg/model/awsmodel/autoscalinggroup.go
+++ b/pkg/model/awsmodel/autoscalinggroup.go
@@ -315,6 +315,8 @@ func (b *AutoscalingGroupModelBuilder) buildAutoScalingGroupTask(c *fi.ModelBuil
 	}
 	t.SuspendProcesses = &processes
 
+	t.InstanceProtection = ig.Spec.InstanceProtection
+
 	// @step: are we using a mixed instance policy
 	if ig.Spec.MixedInstancesPolicy != nil {
 		spec := ig.Spec.MixedInstancesPolicy
diff --git a/upup/pkg/fi/cloudup/awstasks/autoscalinggroup.go b/upup/pkg/fi/cloudup/awstasks/autoscalinggroup.go
index a23ebf9e5e..7c2aba8d89 100644
--- a/upup/pkg/fi/cloudup/awstasks/autoscalinggroup.go
+++ b/upup/pkg/fi/cloudup/awstasks/autoscalinggroup.go
@@ -45,6 +45,8 @@ type AutoscalingGroup struct {
 
 	// Granularity specifys the granularity of the metrics
 	Granularity *string
+	// InstanceProtection makes new instances in an autoscaling group protected from scale in
+	InstanceProtection *bool
 	// LaunchConfiguration is the launch configuration for the autoscaling group
 	LaunchConfiguration *LaunchConfiguration
 	// LaunchTemplate is the launch template for the asg
@@ -171,6 +173,10 @@ func (e *AutoscalingGroup) Find(c *fi.Context) (*AutoscalingGroup, error) {
 	// Avoid spurious changes
 	actual.Lifecycle = e.Lifecycle
 
+	if g.NewInstancesProtectedFromScaleIn != nil {
+		actual.InstanceProtection = g.NewInstancesProtectedFromScaleIn
+	}
+
 	return actual, nil
 }
 
@@ -315,6 +321,11 @@ func (v *AutoscalingGroup) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *Autos
 				return fmt.Errorf("error suspending processes: %v", err)
 			}
 		}
+
+		if e.InstanceProtection != nil {
+			request.NewInstancesProtectedFromScaleIn = e.InstanceProtection
+		}
+
 	} else {
 		// @logic: else we have found a autoscaling group and we need to evaluate the difference
 		request := &autoscaling.UpdateAutoScalingGroupInput{
@@ -451,6 +462,11 @@ func (v *AutoscalingGroup) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *Autos
 			changes.SuspendProcesses = nil
 		}
 
+		if changes.InstanceProtection != nil {
+			request.NewInstancesProtectedFromScaleIn = e.InstanceProtection
+			changes.InstanceProtection = nil
+		}
+
 		empty := &AutoscalingGroup{}
 		if !reflect.DeepEqual(empty, changes) {
 			klog.Warningf("cannot apply changes to AutoScalingGroup: %v", changes)
@@ -628,6 +644,7 @@ type terraformAutoscalingGroup struct {
 	MetricsGranularity      *string                          `json:"metrics_granularity,omitempty"`
 	EnabledMetrics          []*string                        `json:"enabled_metrics,omitempty"`
 	SuspendedProcesses      []*string                        `json:"suspended_processes,omitempty"`
+	InstanceProtection      *bool                            `json:"protect_from_scale_in,omitempty"`
 }
 
 // RenderTerraform is responsible for rendering the terraform codebase
@@ -638,6 +655,7 @@ func (_ *AutoscalingGroup) RenderTerraform(t *terraform.TerraformTarget, a, e, c
 		MaxSize:            e.MaxSize,
 		MetricsGranularity: e.Granularity,
 		EnabledMetrics:     aws.StringSlice(e.Metrics),
+		InstanceProtection: e.InstanceProtection,
 	}
 
 	for _, s := range e.Subnets {