
cfn-ps-linux-bastion's People

Contributors

davmayd, troy-ameigh, vsnyc


cfn-ps-linux-bastion's Issues

Bastion host deployment keeps failing in IAD.

Hi team, we use this cfn-ps-linux-bastion repository as a submodule in our project and deploy our bastion host accordingly. However, after a recent update of the Amazon Linux 2 AMI in IAD, our bastion host deployment started to fail in this region. After checking cfn-init.log, it looks like the root cause is that the latest AMI in IAD doesn't have auditd installed by default. But we are trying to restart the auditd service in auditing_configure.sh, which results in "Failed to restart auditd.service: Unit not found."

cfn-init.log:

04:20:26,514 [DEBUG] Command a-add_auditd_rules output: + case "${BASTION_OS}" in
+ add_the_rules
+ cat /tmp/auditd.rules
+ rm /tmp/auditd.rules
+ restart_services
+ case "${BASTION_OS}" in
+ /usr/sbin/service auditd restart
Redirecting to /bin/systemctl restart auditd.service
Failed to restart auditd.service: Unit not found.

2024-04-01 04:20:26,514 [ERROR] Error encountered during build of config: Command a-add_auditd_rules failed
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 579, in run_config
    CloudFormationCarpenter(config, self._auth_config, self.strict_mode).build(worklog)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 278, in build
    self._config.commands)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/command_tool.py", line 127, in apply
    raise ToolError(u"Command %s failed" % name)
cfnbootstrap.construction_errors.ToolError: Command a-add_auditd_rules failed
2024-04-01 04:20:26,517 [ERROR] -----------------------BUILD FAILED!------------------------
2024-04-01 04:20:26,517 [ERROR] Unhandled exception during build: Command a-add_auditd_rules failed
Traceback (most recent call last):
  File "/usr/bin/cfn-init", line 181, in <module>
    worklog.build(metadata, configSets, strict_mode)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 137, in build
    Contractor(metadata, strict_mode).build(configSets, self)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 567, in build
    self.run_config(config, worklog)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 579, in run_config
    CloudFormationCarpenter(config, self._auth_config, self.strict_mode).build(worklog)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/construction.py", line 278, in build
    self._config.commands)
  File "/usr/lib/python3.7/site-packages/cfnbootstrap/command_tool.py", line 127, in apply
    raise ToolError(u"Command %s failed" % name)
cfnbootstrap.construction_errors.ToolError: Command a-add_auditd_rules failed
2024-04-01 04:20:26,766 [DEBUG] CloudFormation client initialized with endpoint https://cloudformation.us-east-1.amazonaws.com
2024-04-01 04:20:26,766 [DEBUG] Signaling resource BastionAutoScalingGroup in stack clickhouse-cluster-debug-BastionStack-2OMZEZYS7CVN with unique ID i-0537dfd1055d445ba and status FAILURE

It looks like auditd is only missing in IAD, as I deployed the AL2 AMI in other regions and was able to find auditd under the /usr/sbin path. Is this expected? If not, can we fix the logic in auditing_configure.sh and exclude the IAD region so that it won't block deployments in IAD?
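One caveat a practitioner would raise on the request above: excluding a region would leave bastions there with no host auditing and no error to tell anyone. The script below is an added example, not the project's auditing_configure.sh, of the alternative: check that the auditd unit actually exists, try to install the audit package if it does not, and fail the cfn-init step loudly if auditing still cannot be enabled. It assumes an Amazon Linux 2 style host (systemd, yum, package name "audit"); the SYSTEMCTL and PKG_INSTALL overrides exist only so the decision logic can be exercised on a machine without systemd.

```shell
#!/usr/bin/env bash
# Added example, not the project's auditing_configure.sh: make the auditd step
# fail closed when the unit is missing instead of erroring mid-run or being skipped.
set -eu

# True when systemd knows a unit file for auditd.service. --no-legend prints
# nothing at all when no unit matches, so no grep is needed. SYSTEMCTL is an
# override hook for offline testing (assumption; default is the real binary).
auditd_unit_present() {
    [ -n "$("${SYSTEMCTL:-systemctl}" list-unit-files --no-legend auditd.service 2>/dev/null)" ]
}

# Install the audit package if the unit is missing; return 1 if it is still
# missing afterwards so cfn-init marks the build FAILED rather than producing a
# bastion with no host auditing. PKG_INSTALL is an override hook for testing;
# the default assumes Amazon Linux 2 (package "audit").
ensure_auditd() {
    if auditd_unit_present; then
        return 0
    fi
    echo "auditd.service not found; installing the audit package" >&2
    # Word splitting of PKG_INSTALL is intentional ("yum install -y").
    ${PKG_INSTALL:-yum install -y} audit || true
    if auditd_unit_present; then
        return 0
    fi
    echo "ERROR: auditd still unavailable; refusing to configure a bastion without auditing" >&2
    return 1
}

# Restart through the distro service wrapper, as the project's script does,
# but only once the unit is known to exist.
restart_auditd() {
    ensure_auditd
    /usr/sbin/service auditd restart
}
```

Wire `restart_auditd` in place of the bare `service auditd restart` in the cfn-init command; a non-zero return surfaces as the familiar "Command a-add_auditd_rules failed" with a message that names the real cause.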

CloudFormation deployment fails in me-central-1 region due to missing S3 assets.

Hello team,

I have used the latest linux-bastion-entrypoint-existing-vpc.template.yaml template for a test in a new AWS account with default VPC and subnets in "me-central-1" region.

The following errors could be observed on running "cat /var/log/cloud-init-output.log" in the EC2 instance launched by ASG.

Error:

+ aws s3 cp --no-progress --region me-central-1 s3://aws-ia-me-central-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
+ echo Retrying...
Retrying...
+ aws s3 cp --no-progress --region me-central-1 s3://aws-ia-me-central-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh .
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
+ echo Retrying...

CloudFormation S3 bucket parameters (left as defaults):

QSS3BucketName      aws-ia
QSS3BucketRegion    us-east-1
QSS3KeyPrefix       cfn-ps-linux-bastion/

Stack Error (after 1 hour timeout as set in CreationPolicy):

BastionAutoScalingGroup	CREATE_FAILED Received 0 SUCCESS signal(s) out of 1. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement

I was able to fix the issue and create a stack by cloning the GitHub repo to a custom S3 bucket as shown below:

QSS3BucketName      aws-quickstart-copy-temp-123-test   (randomized S3 bucket name)
QSS3BucketRegion    me-central-1
QSS3KeyPrefix       cfn-ps-linux-bastion/

Also, the same template was successful in other regions such as me-south-1, us-east-1 and eu-central-1.

+ aws s3 cp --no-progress --region me-south-1 s3://aws-ia-me-south-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh .
download: s3://aws-ia-me-south-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh to ./cfn-tools.sh

+ aws s3 cp --no-progress --region us-east-1 s3://aws-ia-us-east-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh .
download: s3://aws-ia-us-east-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh to ./cfn-tools.sh

+ aws s3 cp --no-progress --region eu-central-1 s3://aws-ia-eu-central-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh .
download: s3://aws-ia-eu-central-1/cfn-ps-linux-bastion/scripts/cfn-tools.sh to ./cfn-tools.sh

Based on above, it seems that the S3 bucket "aws-ia-me-central-1" is missing the required files/assets.

Could you please confirm the root cause and fix for this issue?
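The log lines in this report show the template deriving a per-region asset bucket as "<QSS3BucketName>-<region>" (aws-ia becomes aws-ia-me-central-1) and then discovering the missing objects only after the instance has booted and retried for an hour. The script below is an added example, not part of the project, of a pre-flight check that runs the same HeadObject call (`aws s3api head-object`) for each required key in each target region before the stack is created, so a region without assets is caught in seconds. The AWS_CLI override exists only for offline testing; the required key list is the reporter's own example. Since the bastion executes whatever it downloads from that bucket, the same check is worth running against the copy you control, as the reporter did.

```shell
#!/usr/bin/env bash
# Added example, not project code: pre-flight check that the regional Quick Start
# asset bucket actually serves the objects the bootstrap will fetch.
set -eu

# Quick Start templates derive the regional bucket as "<QSS3BucketName>-<region>",
# e.g. aws-ia + me-central-1 -> aws-ia-me-central-1 (matches the s3 cp lines above).
regional_asset_bucket() {
    printf '%s-%s\n' "$1" "$2"
}

# Returns 0 if every key exists in the regional bucket, 1 otherwise; missing
# objects are printed to stderr. AWS_CLI is an override hook for testing only.
region_assets_present() {
    local base=$1 prefix=$2 region=$3
    shift 3
    local bucket key missing=0
    bucket=$(regional_asset_bucket "$base" "$region")
    for key in "$@"; do
        # head-object is the call the bootstrap's s3 cp makes first; a 403/404
        # here is exactly the failure seen in cloud-init-output.log.
        if ! "${AWS_CLI:-aws}" s3api head-object --region "$region" \
                --bucket "$bucket" --key "${prefix}${key}" >/dev/null 2>&1; then
            echo "missing: s3://${bucket}/${prefix}${key}" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Checks a space-separated list of regions and prints, one per line, those that
# cannot serve all of the given keys.
regions_missing_assets() {
    local base=$1 prefix=$2 regions=$3
    shift 3
    local region
    for region in $regions; do
        region_assets_present "$base" "$prefix" "$region" "$@" || echo "$region"
    done
}
```

Run `regions_missing_assets aws-ia cfn-ps-linux-bastion/ "me-central-1 me-south-1" scripts/cfn-tools.sh` with real credentials; an empty result means every listed region can serve the bootstrap scripts, and any region printed is one where the stack would otherwise sit until the CreationPolicy timeout.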

bastion_bootstrap.sh fails on Amazon Linux AMIs

I'm trying to configure a bastion host with an autoscaling group from CloudFormation, and bootstrapping it with the script bastion_bootstrap.sh.

Since many Amazon Linux AMIs already have the SSM agent installed, when the script tries to enable the service the command fails, raising the error:

'systemctl enable amazon-ssm-agent.service'. Failed to execute operation: File exists

The cause is this line:

systemctl enable amazon-ssm-agent.service

I think it could be solved by checking the state of amazon-ssm-agent before enabling it, and just restarting it if it is already enabled, so that it only enables the service when needed.

My proposal is this:

if [[ $(systemctl is-enabled amazon-ssm-agent) != "enabled" ]]; then
    systemctl enable amazon-ssm-agent.service
fi

It is working for me.
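The check proposed above handles the "enabled" case. The function below is an added example, not the project's bootstrap script, that generalizes it to the other states `systemctl is-enabled` can report: it skips `enable` for units that are already wired into boot (enabled, static, indirect, alias), enables only a disabled unit, refuses to silently unmask a masked one, fails when the unit file is absent, and finishes by starting or restarting the agent so the host is actually reachable through Session Manager. The SYSTEMCTL override is an assumption added purely so the branching can be tested without systemd; the behaviour of `enable` on an already-enabled unit is taken from the report above, not re-verified here.

```shell
#!/usr/bin/env bash
# Added example, not project code: idempotently enable and start a systemd unit
# such as amazon-ssm-agent.service without tripping over an existing symlink.
set -eu

# Exit status: 0 = unit enabled and running; 1 = unit missing or masked, which
# this function will not paper over. SYSTEMCTL is an override hook for testing.
ensure_unit_running() {
    local unit=$1 state
    local sc=${SYSTEMCTL:-systemctl}
    # is-enabled prints the state on stdout but exits non-zero for disabled or
    # missing units, so capture the text instead of trusting the exit status.
    state=$("$sc" is-enabled "$unit" 2>/dev/null || true)
    case "$state" in
        enabled|static|indirect|alias)
            # Already part of boot; running `enable` again is what produced
            # "Failed to execute operation: File exists" in the report.
            : ;;
        disabled)
            "$sc" enable "$unit" ;;
        masked|masked-runtime)
            echo "ERROR: $unit is masked; refusing to unmask it implicitly" >&2
            return 1 ;;
        *)
            echo "ERROR: $unit has no unit file (is-enabled returned '${state:-nothing}')" >&2
            return 1 ;;
    esac
    # Make sure the agent is up as well, not merely enabled for the next boot.
    if "$sc" is-active --quiet "$unit"; then
        "$sc" restart "$unit"
    else
        "$sc" start "$unit"
    fi
}
```

In a bootstrap script call `ensure_unit_running amazon-ssm-agent.service`; a non-zero return stops the script under `set -e`, which is preferable to a bastion that boots with no management agent and no error.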
