aws-ia / cfn-ps-linux-bastion
License: Apache License 2.0
I am looking to upgrade our Bastion host to use the AL2023 OS. There isn't currently an allowed value for AL2023 ARM in the AWS CloudFormation Bastion template. Can you please assist me in adding this option into the CloudFormation stack?
Hi team, we use this cfn-ps-linux-bastion repository as a submodule in our project and deploy our bastion host accordingly. However, after a recent update of the Amazon Linux 2 AMI in IAD, our bastion host deployment started to fail in this region. After checking cfn-init.log, it looks like the root cause is that the latest AMI in IAD doesn't have auditd installed by default. But we are trying to restart the auditd service in auditing_configure.sh, which resulted in "Failed to restart auditd.service: Unit not found."
cfn-init.log:
04:20:26,514 [DEBUG] Command a-add_auditd_rules output: + case "${BASTION_OS}" in
+ add_the_rules
+ cat /tmp/auditd.rules
+ rm /tmp/auditd.rules
+ restart_services
+ case "${BASTION_OS}" in
+ /usr/sbin/service auditd restart
Redirecting to /bin/systemctl restart auditd.service
Failed to restart auditd.service: Unit not found.
2024-04-01 04:20:26,514 [ERROR] Error encountered during build of config: Command a-add_auditd_rules failed
Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 579, in run_config
CloudFormationCarpenter(config, self._auth_config, self.strict_mode).build(worklog)
File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 278, in build
self._config.commands)
File "/usr/lib/python3.7/site-packages/cfnbootstrap/command_tool.py", line 127, in apply
raise ToolError(u"Command %s failed" % name)
cfnbootstrap.construction_errors.ToolError: Command a-add_auditd_rules failed
2024-04-01 04:20:26,517 [ERROR] -----------------------BUILD FAILED!------------------------
2024-04-01 04:20:26,517 [ERROR] Unhandled exception during build: Command a-add_auditd_rules failed
Traceback (most recent call last):
File "/usr/bin/cfn-init", line 181, in <module>
worklog.build(metadata, configSets, strict_mode)
File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 137, in build
Contractor(metadata, strict_mode).build(configSets, self)
File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 567, in build
self.run_config(config, worklog)
File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 579, in run_config
CloudFormationCarpenter(config, self._auth_config, self.strict_mode).build(worklog)
File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 278, in build
self._config.commands)
File "/usr/lib/python3.7/site-packages/cfnbootstrap/command_tool.py", line 127, in apply
raise ToolError(u"Command %s failed" % name)
cfnbootstrap.construction_errors.ToolError: Command a-add_auditd_rules failed
2024-04-01 04:20:26,766 [DEBUG] CloudFormation client initialized with endpoint https://cloudformation.us-east-1.amazonaws.com
2024-04-01 04:20:26,766 [DEBUG] Signaling resource BastionAutoScalingGroup in stack clickhouse-cluster-debug-BastionStack-2OMZEZYS7CVN with unique ID i-0537dfd1055d445ba and status FAILURE
Looks like auditd is only missing in IAD, as I deployed the AL2 AMI in other regions and I was able to find auditd under the /usr/sbin path. Is this expected? If not, can we fix the logic in auditing_configure.sh and exclude the IAD region so that it won't block deployments in IAD?
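The failure above comes from restart_services calling `service auditd restart` on an image that has no auditd unit. The snippet below is an added example, not code from the aws-ia project: a restart_services replacement that installs the missing audit package instead of skipping the restart, and that only runs `systemctl enable` when the unit is not already enabled (an unconditional enable can fail with "File exists" on images where the agent is pre-enabled). It deliberately fails the bootstrap if auditd cannot be made available, since a bastion without an audit trail should not come up silently. SYSTEMCTL and PKG_INSTALL are assumed hook variables so the logic can be exercised against stubs on a host without systemd or yum.

```shell
#!/usr/bin/env bash
# Added example (not the aws-ia project's code): make the restart_services step of an
# auditing_configure.sh-style script tolerate an AMI that ships without auditd.
# SYSTEMCTL and PKG_INSTALL are assumed hooks; defaults are the real commands.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
PKG_INSTALL="${PKG_INSTALL:-yum install -y}"   # word-split on purpose

# unit_exists NAME: 0 if systemd has a unit file "NAME.service", 1 otherwise.
unit_exists() {
    "$SYSTEMCTL" list-unit-files --type=service --no-legend --no-pager 2>/dev/null \
        | awk '{ print $1 }' | grep -qxF -- "$1.service"
}

# ensure_service UNIT PACKAGE: install PACKAGE if UNIT is missing, enable UNIT
# only when it is not already enabled, then restart it. Returns non-zero rather
# than pretending success when the service cannot be provided.
ensure_service() {
    local unit="$1" pkg="$2"
    if ! unit_exists "$unit"; then
        echo "$unit.service not found; installing package $pkg" >&2
        $PKG_INSTALL "$pkg" || { echo "could not install $pkg" >&2; return 1; }
        unit_exists "$unit" || { echo "$unit.service still missing after installing $pkg" >&2; return 1; }
    fi
    if [ "$("$SYSTEMCTL" is-enabled "$unit" 2>/dev/null)" != "enabled" ]; then
        "$SYSTEMCTL" enable "$unit" || return 1
    fi
    "$SYSTEMCTL" restart "$unit"
}

# On Amazon Linux 2 the auditd daemon is provided by the "audit" package.
restart_services() {
    ensure_service auditd audit
}
```

Calling `restart_services` from the cfn-init command keeps the existing control flow: a zero status means auditd is installed, enabled and running; a non-zero status still fails the build, but with a message that names the missing package instead of "Unit not found".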
Hello team,
I have used the latest linux-bastion-entrypoint-existing-vpc.template.yaml template for a test in a new AWS account with default VPC and subnets in "me-central-1" region.
The following errors could be observed on running "cat /var/log/cloud-init-output.log" in the EC2 instance launched by ASG.
Error:
+ aws s3 cp --no-progress --region me-central-1 s3://aws-ia-me-central-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
+ echo Retrying...
Retrying...
+ aws s3 cp --no-progress --region me-central-1 s3://aws-ia-me-central-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
+ echo Retrying...
CloudFormation S3 bucket parameters (left as defaults):
QSS3BucketName aws-ia
QSS3BucketRegion us-east-1
QSS3KeyPrefix cfn-ps-linux-bastion/
Stack Error (after 1 hour timeout as set in CreationPolicy):
BastionAutoScalingGroup CREATE_FAILED Received 0 SUCCESS signal(s) out of 1. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement
I was able to fix the issue and create a stack by cloning the GitHub repo to a custom S3 bucket as shown below:
QSS3BucketName aws-quickstart-copy-temp-123-test (randomized S3 bucket name)
QSS3BucketRegion me-central-1
QSS3KeyPrefix cfn-ps-linux-bastion/
Also, the same template was successful in all other regions like me-south-1, us-east-1, eu-central-1.
+ aws s3 cp --no-progress --region me-south-1 s3://aws-ia-me-south-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh .
download: s3://aws-ia-me-south-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh to ./cfn-tools.sh
+ aws s3 cp --no-progress --region us-east-1 s3://aws-ia-us-east-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh .
download: s3://aws-ia-us-east-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh to ./cfn-tools.sh
+ aws s3 cp --no-progress --region eu-central-1 s3://aws-ia-eu-central-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh .
download: s3://aws-ia-eu-central-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh to ./cfn-tools.sh
Based on above, it seems that the S3 bucket "aws-ia-me-central-1" is missing the required files/assets.
Could you please confirm the root cause and fix for this issue?
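The log in this report shows the bootstrap retrying the same `aws s3 cp` after a 403 until the CreationPolicy timeout turns it into CREATE_FAILED an hour later. The function below is an added example, not code from the aws-ia project: a bounded fetch that treats 403/404-class responses as non-retryable (a missing asset or denied access will not change between attempts) and exits with a distinct status so the instance can signal FAILURE immediately. AWS_CLI and RETRY_SLEEP are assumed hook variables so the retry logic can be exercised against a stub without network access.

```shell
#!/usr/bin/env bash
# Added example (not the aws-ia project's code): download a bootstrap asset with a
# bounded retry that stops at once on a non-retryable S3 error.
# AWS_CLI and RETRY_SLEEP are assumed hooks; the defaults are the real values.
AWS_CLI="${AWS_CLI:-aws}"
RETRY_SLEEP="${RETRY_SLEEP:-2}"   # base back-off in seconds, scaled by attempt

# fetch_asset BUCKET KEY DEST [MAX_ATTEMPTS]
# exit status: 0 downloaded, 1 retries exhausted, 2 non-retryable error
fetch_asset() {
    local bucket="$1" key="$2" dest="$3" max="${4:-5}" attempt=1 out
    while :; do
        if out=$("$AWS_CLI" s3 cp --no-progress "s3://$bucket/$key" "$dest" 2>&1); then
            return 0
        fi
        # Permission and existence errors are deterministic: report and stop.
        case "$out" in
            *"(403)"*|*"(404)"*|*Forbidden*|*AccessDenied*|*NoSuchKey*|*NoSuchBucket*)
                echo "non-retryable error for s3://$bucket/$key: $out" >&2
                return 2 ;;
        esac
        if [ "$attempt" -ge "$max" ]; then
            echo "giving up on s3://$bucket/$key after $attempt attempts: $out" >&2
            return 1
        fi
        attempt=$((attempt + 1))
        sleep "$((RETRY_SLEEP * attempt))"
    done
}

# Typical use in a bootstrap script, with the values from the report above; a
# non-zero status should abort the bootstrap so cfn-signal reports FAILURE promptly.
# fetch_asset "aws-ia-${AWS_REGION}" cfn-ps-linux-bastion/scripts/cfn-tools.sh ./cfn-tools.sh
```

With the regional bucket from the report, the first attempt returns 2 after a single call, which is the behaviour that would have surfaced the missing aws-ia-me-central-1 assets in seconds rather than after the one-hour timeout.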
I'm trying to configure a bastion host with an autoscaling group from CloudFormation, and bootstrapping it with the script bastion_bootstrap.sh.
Since many Amazon Linux AMIs have the SSM agent installed, when the script tries to enable the service, the command is failing, raising the error:
'systemctl enable amazon-ssm-agent.service'. Failed to execute operation: File exists
The cause is this line:
I think it could be solved by checking the state of amazon-ssm-agent before enabling, and just restart it if it is already enabled, so it will enable the service just when needed.
My proposal is this:
if [[ $(systemctl is-enabled amazon-ssm-agent) != "enabled" ]]; then
    systemctl enable amazon-ssm-agent.service
fi
It is working for me.