Comments (5)
ckamps
commented on June 23, 2024
@awspankj thanks for the report. We're in the process of preparing a heavily refactored version of this automation for publishing here in aws-samples. The refactored version has many enhancements including more robust error handling.
In the meantime, did you get a chance to inspect the cfn-init.log data to potentially better understand the issue? As mentioned in Troubleshooting stack creation.
Selecting the following option during stack creation can help preserve some of the resources so that it's easier to troubleshoot:
Separately, I've also provided you with a pointer to the heavily refactored fork in case you'd like to try that version.
from aws-cloudhsm-cloudformation-template.
ckamps
commented on June 23, 2024
@awspankj it appears that the kmsuser was created, but at the point that the CloudHSM key store was being connected, the kmuser is in an inconsistent state. i.e. the user is not present on each of the two HSMs in the cluster. The connect operation fails due to the user not being present in all HSMs of the cluster.
I'm investigating why, under some circumstances, the user gets into that state. This failure appears to be a result of enhancing the code to use the cloudhsm-cli package vs the cloudhsm-client package.
While the CloudFormation stack is waiting for the key store to get into the connected state, a workaround is to access the EC2 client, delete, and create again the kmsuser using the the cloudhsm-cli.
from aws-cloudhsm-cloudformation-template.
awspankj
commented on June 23, 2024
Hi @christopher ***@***.***> Thanks for the update. This is interesting and something new I learned.
After the stack was failing in the end, I learned to do it manually with latest cloudhsm CLI commands + console – attached are the steps.
Hope to see the github version working again! Meanwhile I will test the fork version.
Warm Regards,
Pankaj Patil
Partner Solutions Architect WWPS
Mob- +919967936244
From: Christopher Kampmeier ***@***.***>
Reply to: aws-samples/aws-cloudhsm-cloudformation-template ***@***.***>
Date: Saturday, 13 May 2023 at 3:56 AM
To: aws-samples/aws-cloudhsm-cloudformation-template ***@***.***>
Cc: "Patil, Pankaj" ***@***.***>, Mention ***@***.***>
Subject: Re: [aws-samples/aws-cloudhsm-cloudformation-template] The stack fails at last stage due to custom key store failing to connect with HSM cluster (Issue #12)
@awspankj<https://github.com/awspankj> it appears that the kmsuser was created, but at the point that the CloudHSM key store was being connected, the kmuser is in an inconsistent state. i.e. the user is not present on each of the two HSMs in the cluster. The connect operation fails due to the user not being present in all HSMs of the cluster.
I'm investigating why, under some circumstances, the user gets into that state. This failure appears to be a result of enhancing the code to use the cloudhsm-cli package vs the cloudhsm-client package.
—
Reply to this email directly, view it on GitHub<#12 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AZQPQMO7RRGATCUO75GF4OTXF22H7ANCNFSM6AAAAAAX4WPLZM>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
from aws-cloudhsm-cloudformation-template.
ckamps
commented on June 23, 2024
@awspankj I reverted this repository to the commit prior to introducing use of the cloudhsm-cli package in place of the cloudhsm-client package so that the kmsuser creation is stable. I'll send a note to you once the newly refactored form of the overall automation is published to this repository. In the meantime, you can use the internal fork I referenced separately.
from aws-cloudhsm-cloudformation-template.
awspankj
commented on June 23, 2024
@christopher ***@***.***> I gave it a try just now:
1. The stack completed (with parameter ‘custom key store’)
2. Cluster is in active state. However, Custom key store is not created.
***@***.***
1. The Kmsuser is not created
***@***.***
1. Creation of kmsuser succeeds when done manually:
***@***.***
1. Now using the kmsuser and anchor certificate stored in secrets manager, custom key store is created from aws console.
***@***.***
Warm Regards,
Pankaj Patil
Partner Solutions Architect WWPS
Mob- +919967936244
From: Christopher Kampmeier ***@***.***>
Reply to: aws-samples/aws-cloudhsm-cloudformation-template ***@***.***>
Date: Sunday, 14 May 2023 at 9:43 PM
To: aws-samples/aws-cloudhsm-cloudformation-template ***@***.***>
Cc: "Patil, Pankaj" ***@***.***>, Mention ***@***.***>
Subject: Re: [aws-samples/aws-cloudhsm-cloudformation-template] The stack fails at last stage due to custom key store failing to connect with HSM cluster (Issue #12)
@awspankj<https://github.com/awspankj> I reverted this repository to the changes prior to introducing use of the cloudhsm-cli package in place of the cloudhsm-client package so that the kmsuser creation is stable. I'll send a note to you once the newly refactored form of the overall automation is published to this repository. In the meantime, you can use the internal fork I referenced separately.
—
Reply to this email directly, view it on GitHub<#12 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AZQPQMKAUTPRM43US6RW4P3XGEABTANCNFSM6AAAAAAX4WPLZM>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
from aws-cloudhsm-cloudformation-template.
Related Issues (20)
- Support external cluster cert signing processes HOT 1
- Move EC2 client-based automation to create cluster Step Functions state machine HOT 1
- BYO PKI: Help address situations in which first HSM gets replaced before initalization
- cloudhsm-cli: when selected for installation, run as ssm-user results in warning and log messages to terminal
- Detect and handle HSMs in `DEGRADED` state
- Delete: Optimization when no HSMs exist HOT 1
- Key store: Support stack updates
- Security: Add documentation and guidance for the EC2 client's egress 443 rule
- Security: Add parameter for CloudHSM cluster VPC CIDR to tighten up egress rule for EC2 client to connect to HSMs
- CloudHSM cluster: Explore using auto scaling group of 1 to help support resilience of EC2 client
- Consider adding attributes to the CloudHSM cluster resource
- Cost optimization: Support deletion of all HSMs in a cluster without deleting the cluster HOT 2
- Enhancement: support the stack to work with private VPCs
- Enhance create cluster from backup to highlight dependency on customer CA cert from original cluster
- Enhancement AL 2023 support
- Implement test automation
- Provide Template URL HOT 4
- Update to use CloudHSM client v5 HOT 1
- Provide option to install CloudHSM client SDK v3 HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aws-cloudhsm-cloudformation-template.