Docker-machine amazonec2 driver tagging after instance creation causes issues with AWS Config rules
With `MachineOptions = "amazonec2-tags=key,value"`, docker-machine adds the tags to the EC2 instance after its creation.
The relevant code appears to be in https://gitlab.com/gitlab-org/ci-cd/docker-machine/-/blob/main/drivers/amazonec2/amazonec2.go, where the driver waits for the instance to come up and only then calls `configureTags`:

```go
	d.waitForInstance()

	log.Debugf("created instance ID %s, IP address %s, Private IP address %s",
		d.InstanceId,
		d.IPAddress,
		d.PrivateIPAddress,
	)

	log.Debug("Settings tags for instance")
	err := d.configureTags(d.Tags)
```
The issue is that this implementation does not play well with AWS Config. With AWS Config, we have a rule that checks for instances with no tags. Since tags are added after the docker-machine runner instance is created, there is a window between the `RunInstances` call and the later `CreateTags` call during which the instance is untagged and therefore noncompliant, which causes issues in our infrastructure.
I believe this would apply to any other AWS Config rule with `TriggerType = Configuration changes` that checks for specified tags. So the tags should be defined at the same time the instance is created.