I am trying to launch a Drupal container using ECS and connect it to an RDS MySQL instance for the database, using CloudFormation templates in nested form. The nginx image is working fine, but I am not so sure about Drupal. The instances work perfectly until the install part, after which it produces this output.
Could really use some help.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
    Description: Name of an existing EC2 KeyPair to enable SSH access to the ECS instances.
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: Select a VPC that allows instances access to the Internet.
  SubnetId:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Select at least two subnets in your selected VPC.
  DesiredCapacity:
    Type: Number
    Default: '1'
    Description: Number of instances to launch in your ECS cluster.
  MaxSize:
    Type: Number
    Default: '1'
    Description: Maximum number of instances that can be launched in your ECS cluster.
  InstanceType:
    Description: EC2 instance type
    Type: String
    Default: t2.medium
    AllowedValues:
      - t2.micro
      - t2.small
      - t2.medium
      - t2.large
      - m3.medium
      - m3.large
      - m3.xlarge
      - m3.2xlarge
      - m4.large
      - m4.xlarge
      - m4.2xlarge
      - m4.4xlarge
      - m4.10xlarge
      - c4.large
      - c4.xlarge
      - c4.2xlarge
      - c4.4xlarge
      - c4.8xlarge
      - c3.large
      - c3.xlarge
      - c3.2xlarge
      - c3.4xlarge
      - c3.8xlarge
      - r3.large
      - r3.xlarge
      - r3.2xlarge
      - r3.4xlarge
      - r3.8xlarge
      - i2.xlarge
      - i2.2xlarge
      - i2.4xlarge
      - i2.8xlarge
    ConstraintDescription: Please choose a valid instance type.
  DBInstanceID:
    Default: mydbinstance
    Description: My database instance
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: >-
      Must begin with a letter and must not end with a hyphen or contain two
      consecutive hyphens.
  DBName:
    Default: mydb
    Description: My database
    Type: String
    MinLength: '1'
    MaxLength: '64'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric characters.
  DBInstanceClass:
    Default: db.m5.large
    Description: DB instance class
    Type: String
    ConstraintDescription: Must select a valid DB instance type.
  DBAllocatedStorage:
    Default: '50'
    Description: The size of the database (GiB)
    Type: Number
    MinValue: '5'
    MaxValue: '1024'
    ConstraintDescription: must be between 5 and 1024 GiB.
  DBUsername:
    NoEcho: 'true'
    Description: Username for MySQL database access
    Type: String
    MinLength: '1'
    MaxLength: '16'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: must begin with a letter and contain only alphanumeric characters.
  DBPassword:
    NoEcho: 'true'
    Description: Password for MySQL database access
    Type: String
    MinLength: '8'
    MaxLength: '41'
    AllowedPattern: '[a-zA-Z0-9]*'
    ConstraintDescription: must contain only alphanumeric characters.
Mappings:
  AWSRegionToAMI:
    us-east-1:
      AMIID: ami-09bee01cc997a78a6
    us-east-2:
      AMIID: ami-0a9e12068cb98a01d
    us-west-1:
      AMIID: ami-0fa6c8d131a220017
    us-west-2:
      AMIID: ami-078c97cf1cefd1b38
    eu-west-1:
      AMIID: ami-0c9ef930279337028
    eu-central-1:
      AMIID: ami-065c1e34da68f2b02
    ap-northeast-1:
      AMIID: ami-02265963d1614d04d
    ap-southeast-1:
      AMIID: ami-0b68661b29b9e058c
    ap-southeast-2:
      AMIID: ami-00e4b147599c13588
    ap-south-1:
      AMIID: ami-036eaa870decb368d
Resources:
  cloudfrontdistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        #DefaultRootObject:
        #CacheBehaviors:
        #  - ViewerProtocolPolicy: allow-all
        #    TargetOriginId: vn2699
        #    PathPattern: /*.php
        #    LambdaFunctionAssociations:
        #      - EventType: string-value
        #        LambdaFunctionARN: string-value
        Enabled: True
        DefaultCacheBehavior:
          TargetOriginId: vn2699
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
          ViewerProtocolPolicy: allow-all
          #LambdaFunctionAssociations:
          #  - EventType: string-value
          #    LambdaFunctionARN: string-value
        IPV6Enabled: False
        Origins:
          - DomainName: !GetAtt ECSALB.DNSName
            Id: vn2699
            CustomOriginConfig:
              HTTPPort: 80
              OriginKeepaliveTimeout: 5
              OriginProtocolPolicy: http-only
              OriginReadTimeout: 30
      Tags:
        - Key: Name
          Value: ECS-example
  ReactS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: reacts3vn2699
      WebsiteConfiguration:
        IndexDocument: index.html
  S3accessPoint:
    Type: AWS::S3::AccessPoint
    Properties:
      Bucket: !Ref 'ReactS3Bucket'
      Name: reactaccesspointvn2699
      VpcConfiguration:
        VpcId: !Ref 'VpcId'
  ECSCluster:
    Type: AWS::ECS::Cluster
    #DependsOn: ECSAutoScalingGroup
    #Properties:
    #  CapacityProviders:
    #    - Nse
  ECSCapacityProvider:
    Type: AWS::ECS::CapacityProvider
    Properties:
      AutoScalingGroupProvider:
        AutoScalingGroupArn: !Ref ECSAutoScalingGroup
      Name: Nse
  DBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: DB Security Group
      VpcId: !Ref 'VpcId'
      SecurityGroupIngress:
        - FromPort: 3306
          IpProtocol: tcp
          ToPort: 3306
          SourceSecurityGroupId: !GetAtt EcsSecurityGroup.GroupId
        - FromPort: 3306
          IpProtocol: tcp
          ToPort: 3306
          SourceSecurityGroupId: !GetAtt BastionSecurityGroup.GroupId
  BastionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: BastionHost security group
      VpcId: !Ref 'VpcId'
      SecurityGroupIngress:
        - FromPort: 22
          IpProtocol: tcp
          ToPort: 22
          CidrIp: 0.0.0.0/0
        - FromPort: 3306
          IpProtocol: tcp
          ToPort: 3306
          #SourceSecurityGroupId: !GetAtt DBSecurityGroup.GroupId
          CidrIp: 0.0.0.0/0
  EcsSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ECS Security Group
      VpcId: !Ref 'VpcId'
  EcsSecurityGroupHTTPinbound:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref 'EcsSecurityGroup'
      IpProtocol: tcp
      FromPort: '80'
      ToPort: '80'
      CidrIp: 0.0.0.0/0
  EcsSecurityGroupSQLInbound:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref 'EcsSecurityGroup'
      IpProtocol: tcp
      FromPort: '3306'
      ToPort: '3306'
      SourceSecurityGroupId: !GetAtt DBSecurityGroup.GroupId
  EcsSecurityGroupSSHinbound:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref 'EcsSecurityGroup'
      IpProtocol: tcp
      FromPort: '22'
      ToPort: '22'
      CidrIp: 0.0.0.0/0
  NestedStackDB:
    Type: AWS::CloudFormation::Stack
    DependsOn:
      - EcsSecurityGroup
      - DBSecurityGroup
      - BastionSecurityGroup
    Properties:
      TemplateURL: bucket-link
      Parameters:
        SecurityGroupBastion: !GetAtt BastionSecurityGroup.GroupId
        SecurityGroup: !GetAtt DBSecurityGroup.GroupId
        DBInstanceID: !Ref DBInstanceID
        DBName: !Ref DBName
        DBInstanceClass: !Ref DBInstanceClass
        DBUsername: !Ref DBUsername
        DBPassword: !Ref DBPassword
        DBAllocatedStorage: !Ref DBAllocatedStorage
        KeyName: !Ref KeyName
  EcsSecurityGroupALBports:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref 'EcsSecurityGroup'
      IpProtocol: tcp
      FromPort: '31000'
      ToPort: '61000'
      SourceSecurityGroupId: !Ref 'EcsSecurityGroup'
  EcsSecurityGroupDrupal:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref 'EcsSecurityGroup'
      IpProtocol: tcp
      FromPort: '9000'
      ToPort: '9000'
      SourceSecurityGroupId: !Ref 'EcsSecurityGroup'
  CloudwatchLogsGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Join ['-', [ECSLogGroup, !Ref 'AWS::StackName']]
      RetentionInDays: 14
  taskdefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: !Join ['', [!Ref 'AWS::StackName', -ecs-demo-app]]
      ExecutionRoleArn: arn:aws:iam::<accNo>:role/ecsTaskExecutionRole
      #TaskRoleArn: arn:aws:iam::aws:policy/AmazonS3FullAccess
      NetworkMode: bridge
      #RequiresCompatibilities:
      #  - "EC2"
      ContainerDefinitions:
        - Name: webserver
          Cpu: 256
          DependsOn:
            - Condition: "START"
              ContainerName: "drupal"
          #Essential: 'true'
          Image: nginx-drupal:latest
          Memory: 512
          Hostname: webserver
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref 'CloudwatchLogsGroup'
              awslogs-region: !Ref 'AWS::Region'
              awslogs-stream-prefix: ecs-demo-app
          VolumesFrom:
            - SourceContainer: drupal
          PortMappings:
            - ContainerPort: 80
              HostPort: 80
        - Name: drupal
          Cpu: 256
          Essential: false
          Image: drupal:9.1.5-php8.0-fpm-alpine3.12
          Memory: 512
          Hostname: drupal
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref 'CloudwatchLogsGroup'
              awslogs-region: !Ref 'AWS::Region'
              awslogs-stream-prefix: ecs-demo-app
          MountPoints:
            - ContainerPath: /var/www/html
              SourceVolume: drupal-data
          PortMappings:
            - ContainerPort: 9000
      Volumes:
        - Name: drupal-data
  ECSALB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    #DependsOn: service
    Properties:
      Name: ECSALB
      Scheme: internet-facing
      LoadBalancerAttributes:
        - Key: idle_timeout.timeout_seconds
          Value: '30'
      Subnets: !Ref 'SubnetId'
      SecurityGroups: [!Ref 'EcsSecurityGroup']
  ALBListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    DependsOn: ECSServiceRole
    Properties:
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref 'ECSTG'
          #RedirectConfig:
          #  Protocol: "HTTP"
          #  Host: "#{host}"
          #  Path: "/#{path}"
          #  Query: "#{query}"
          #  Port: 80
          #  StatusCode: "HTTP_302"
      LoadBalancerArn: !Ref 'ECSALB'
      Port: '80'
      Protocol: HTTP
  ECSALBListenerRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    DependsOn: ALBListener
    Properties:
      Actions:
        - Type: forward
          TargetGroupArn: !Ref 'ECSTG'
          #RedirectConfig:
          #  Protocol: "HTTP"
          #  Host: "#{host}"
          #  Path: "/#{path}"
          #  Query: "#{query}"
          #  Port: 80
          #  StatusCode: "HTTP_302"
      Conditions:
        - Field: path-pattern
          Values: [/]
      ListenerArn: !Ref 'ALBListener'
      Priority: 1
  ECSTG:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    DependsOn: ECSALB
    Properties:
      HealthCheckIntervalSeconds: 80
      HealthCheckPath: /
      HealthCheckProtocol: HTTP
      HealthCheckTimeoutSeconds: 60
      HealthyThresholdCount: 2
      Matcher:
        HttpCode: 302
      Name: ECSTG
      Port: 80
      Protocol: HTTP
      TargetType: instance
      UnhealthyThresholdCount: 2
      VpcId: !Ref 'VpcId'
  ECSAutoScalingGroup:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      #VPCZoneIdentifier: !Ref 'SubnetId'
      VPCZoneIdentifier:
        - subnet-0c228c2e5e42708aa
        - subnet-0bf3fcea01d2dd0a4
        - subnet-0c6a01197480771b3
      LaunchConfigurationName: !Ref 'ContainerInstances'
      #LoadBalancerNames:
      #  - ECSALB
      TargetGroupARNs: [!Ref 'ECSTG']
      MinSize: '1'
      MaxSize: !Ref 'MaxSize'
      DesiredCapacity: !Ref 'DesiredCapacity'
    CreationPolicy:
      ResourceSignal:
        Timeout: PT15M
    UpdatePolicy:
      AutoScalingReplacingUpdate:
        WillReplace: 'true'
  ContainerInstances:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      ImageId: !FindInMap [AWSRegionToAMI, !Ref 'AWS::Region', AMIID]
      SecurityGroups: [!Ref 'EcsSecurityGroup']
      InstanceType: !Ref 'InstanceType'
      IamInstanceProfile: !Ref 'EC2InstanceProfile'
      KeyName: !Ref 'KeyName'
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash -xe
          echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
          yum update -y
          yum install -y aws-cfn-bootstrap
          #/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}
          #sudo cat /var/log/cloud-init-output.log
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}
  service:
    Type: AWS::ECS::Service
    DependsOn:
      - ALBListener
      #- ECSAutoScalingGroup
    Properties:
      Cluster: !Ref 'ECSCluster'
      DesiredCount: '1'
      HealthCheckGracePeriodSeconds: 2147483647
      LoadBalancers:
        - ContainerName: webserver
          ContainerPort: '80'
          TargetGroupArn: !Ref 'ECSTG'
          #LoadBalancerName: !GetAtt ECSALB.LoadBalancerName
          #LoadBalancerName: ECSALB
      #NetworkConfiguration:
      #  AwsvpcConfiguration:
      #    AssignPublicIp: ENABLED
      #    SecurityGroups:
      #      - !Ref 'EcsSecurityGroup'
      #    Subnets: !Ref 'SubnetId'
      #ServiceName: Ecs
      Role: !Ref 'ECSServiceRole'
      TaskDefinition: !Ref 'taskdefinition'
  ECSServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ecs.amazonaws.com]
            Action: ['sts:AssumeRole']
      Path: /
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action: ['elasticloadbalancing:DeregisterInstancesFromLoadBalancer', 'elasticloadbalancing:DeregisterTargets',
                  'elasticloadbalancing:Describe*', 'elasticloadbalancing:RegisterInstancesWithLoadBalancer',
                  'elasticloadbalancing:RegisterTargets', 'ec2:Describe*', 'ec2:AuthorizeSecurityGroupIngress']
                Resource: '*'
  ServiceScalingTarget:
    Type: AWS::ApplicationAutoScaling::ScalableTarget
    #DependsOn: service
    Properties:
      MaxCapacity: 3
      MinCapacity: 1
      ResourceId: !Join ['', [service/, !Ref 'ECSCluster', /, !GetAtt [service, Name]]]
      RoleARN: !GetAtt [AutoscalingRole, Arn]
      ScalableDimension: ecs:service:DesiredCount
      ServiceNamespace: ecs
  ServiceScalingPolicy:
    Type: AWS::ApplicationAutoScaling::ScalingPolicy
    Properties:
      PolicyName: AStepPolicy
      PolicyType: StepScaling
      ScalingTargetId: !Ref 'ServiceScalingTarget'
      StepScalingPolicyConfiguration:
        AdjustmentType: PercentChangeInCapacity
        Cooldown: 60
        MetricAggregationType: Average
        StepAdjustments:
          - MetricIntervalLowerBound: 0
            ScalingAdjustment: 200
  ALB500sAlarmScaleUp:
    Type: AWS::CloudWatch::Alarm
    Properties:
      EvaluationPeriods: '1'
      Statistic: Average
      Threshold: '10'
      AlarmDescription: Alarm if our ALB generates too many HTTP 500s.
      Period: '60'
      AlarmActions: [!Ref 'ServiceScalingPolicy']
      Namespace: AWS/ApplicationELB
      Dimensions:
        - Name: LoadBalancer
          Value: !GetAtt
            - ECSALB
            - LoadBalancerFullName
      ComparisonOperator: GreaterThanThreshold
      MetricName: HTTPCode_ELB_5XX_Count
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      #ManagedPolicyArns:
      #  - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ec2.amazonaws.com]
            Action: ['sts:AssumeRole']
      Path: /
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action: ['ecs:CreateCluster', 'ecs:DeregisterContainerInstance', 'ecs:DiscoverPollEndpoint',
                  'ecs:Poll', 'ecs:RegisterContainerInstance', 'ecs:StartTelemetrySession',
                  'ecs:Submit*', 'logs:CreateLogStream', 'logs:PutLogEvents']
                Resource: '*'
  AutoscalingRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [application-autoscaling.amazonaws.com]
            Action: ['sts:AssumeRole']
      Path: /
      Policies:
        - PolicyName: service-autoscaling
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action: ['application-autoscaling:*', 'cloudwatch:DescribeAlarms', 'cloudwatch:PutMetricAlarm',
                  'ecs:DescribeServices', 'ecs:UpdateService']
                Resource: '*'
  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles: [!Ref 'EC2Role']
Outputs:
  ecsservice:
    Value: !Ref 'service'
  ecscluster:
    Value: !Ref 'ECSCluster'
  ECSALB:
    Description: Your ALB DNS URL
    Value: !Join ['', [!GetAtt [ECSALB, DNSName]]]
  taskdef:
    Value: !Ref 'taskdefinition'

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  KeyName:
    Type: AWS::EC2::KeyPair::KeyName
  SecurityGroupBastion:
    Type: AWS::EC2::SecurityGroup::Id
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup::Id
  DBInstanceID:
    Default: mydbinstance
    Description: My database instance
    Type: String
    MinLength: '1'
    MaxLength: '63'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: >-
      Must begin with a letter and must not end with a hyphen or contain two
      consecutive hyphens.
  DBName:
    Default: mydb
    Description: My database
    Type: String
    MinLength: '1'
    MaxLength: '64'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: Must begin with a letter and contain only alphanumeric characters.
  DBInstanceClass:
    Default: db.m5.large
    Description: DB instance class
    Type: String
    ConstraintDescription: Must select a valid DB instance type.
  DBAllocatedStorage:
    Default: '50'
    Description: The size of the database (GiB)
    Type: Number
    MinValue: '5'
    MaxValue: '1024'
    ConstraintDescription: must be between 5 and 1024 GiB.
  DBUsername:
    NoEcho: 'true'
    Description: Username for MySQL database access
    Type: String
    MinLength: '1'
    MaxLength: '16'
    AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*'
    ConstraintDescription: must begin with a letter and contain only alphanumeric characters.
  DBPassword:
    NoEcho: 'true'
    Description: Password for MySQL database access
    Type: String
    MinLength: '8'
    MaxLength: '41'
    AllowedPattern: '[a-zA-Z0-9]*'
    ConstraintDescription: must contain only alphanumeric characters.
Resources:
  DrupalDB:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      DBInstanceIdentifier: !Ref DBInstanceID
      DBName: !Ref DBName
      DBInstanceClass: !Ref DBInstanceClass
      AllocatedStorage: !Ref DBAllocatedStorage
      Engine: MySQL
      EngineVersion: 8.0.20
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      DBSubnetGroupName: !Ref DBSubnetGroupDrupal
      #MonitoringInterval: '60'
      #MonitoringRoleArn: ''
      AllowMajorVersionUpgrade: true
      #AssociatedRoles:
      BackupRetentionPeriod: 1
      #CopyTagsToSnapshot:
      #DBClusterIdentifier:
      #DBSecurityGroups:
      #KmsKeyId:
      MultiAZ: true
      Port: 3306
      #SourceDBInstanceIdentifier:
      #PubliclyAccessible:
      #SourceRegion:
      StorageType: standard
      VPCSecurityGroups: [!Ref SecurityGroup]
  DBSubnetGroupDrupal:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: 'For Drupal DB'
      DBSubnetGroupName: 'DrupalDB'
      SubnetIds:
        - subnet-01cc7a208ce068cd7
        - subnet-0ed0f1627396e1a96
        - subnet-0b38eb422f032ea76
  BastionHost:
    Type: AWS::EC2::Instance
    Properties:
      AvailabilityZone: ap-south-1a
      #BlockDeviceMappings:
      ImageId: ami-068d43a544160b7ef
      InstanceType: t2.micro
      KeyName: !Ref KeyName
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: 0
          GroupSet:
            - !Ref SecurityGroupBastion
          SubnetId: subnet-0c228c2e5e42708aa
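Before debugging the Drupal install, the security groups in the template above deserve a review pass of their own: the bastion accepts 22 and 3306 from 0.0.0.0/0, and because the ALB and the container instances share EcsSecurityGroup, the instances themselves accept 22 from anywhere too. The script below is an added example (not code from the question): it encodes that one reviewer check, "world-open ingress on anything other than the public web ports", over the template's ingress rules. SAMPLE_TEMPLATE is a constructed dict mirroring those resources exactly as yaml.safe_load would load them; PyYAML is deliberately not imported so the example runs with no dependencies, and nothing else in it comes from the post.

```python
"""Flag security-group ingress rules open to the whole internet in a CloudFormation template.

Added example, not part of the original question. Runs over a constructed dict
that mirrors the post's BastionSecurityGroup, EcsSecurityGroup*inbound and
DBSecurityGroup resources (the shape yaml.safe_load produces for the YAML above).
"""
from typing import Any, Dict, Iterator, List, Set, Tuple

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_WEB_PORTS = {80, 443}  # the only ports an internet-facing edge normally exposes to everyone

# Constructed sample mirroring the question's security groups.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "BastionSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "BastionHost security group",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "EcsSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "ECS Security Group"},
        },
        "EcsSecurityGroupHTTPinbound": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {"GroupId": {"Ref": "EcsSecurityGroup"}, "IpProtocol": "tcp",
                           "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"},
        },
        "EcsSecurityGroupSSHinbound": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {"GroupId": {"Ref": "EcsSecurityGroup"}, "IpProtocol": "tcp",
                           "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"},
        },
        "DBSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "DB Security Group",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                     "SourceSecurityGroupId": {"Fn::GetAtt": ["EcsSecurityGroup", "GroupId"]}},
                ],
            },
        },
    }
}


def ingress_rules(template: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (resource name, rule) for inline SecurityGroupIngress lists and standalone ingress resources."""
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield name, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield name, props


def world_open_ports(template: Dict[str, Any], allowed: Set[int] = PUBLIC_WEB_PORTS) -> List[Tuple[str, int, int]]:
    """Return [(resource, from_port, to_port)] for rules reachable from 0.0.0.0/0 or ::/0
    on anything other than a single allowed port.

    CloudFormation accepts ports as numbers or quoted strings, so both are normalised;
    IpProtocol -1 means every port and is always reported.
    """
    findings: List[Tuple[str, int, int]] = []
    for name, rule in ingress_rules(template):
        if rule.get("CidrIp") not in WORLD_CIDRS and rule.get("CidrIpv6") not in WORLD_CIDRS:
            continue  # source is a CIDR we do not treat as "the world" or another security group
        if str(rule.get("IpProtocol", "-1")) == "-1":
            findings.append((name, 0, 65535))
            continue
        lo = int(rule.get("FromPort", 0))
        hi = int(rule.get("ToPort", lo))
        if not (lo == hi and lo in allowed):
            findings.append((name, lo, hi))
    return findings


if __name__ == "__main__":
    for resource, lo, hi in world_open_ports(SAMPLE_TEMPLATE):
        print(f"{resource}: tcp {lo}-{hi} open to the world")
```

On the template above this reports the bastion's 22 and 3306 and the ECS instances' 22. The fixes are the usual ones: restrict 22 to an admin CIDR (or drop it in favour of SSM Session Manager), delete the bastion's inbound 3306 rule (the bastion only needs to reach RDS, which DBSecurityGroup already allows from it), and give the ALB a security group of its own so the instances accept 80 only from the load balancer. For real templates, cfn-lint and checkov run this class of check, including the `!GetAtt`/`!Ref` short forms that yaml.safe_load cannot parse.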
This is what I want to achieve, with Envoy as a proxy for HTTPS traffic:
I got the certificate (p12) from the Java developer to load it with Envoy, and then make the developer happy by hitting Envoy without a certificate (on port 8080). Check the diagram above as well.
To do that, this is my envoy.yaml:
static_resources:
  listeners:
    - address:
        socket_address:
          address: 0.0.0.0
          port_value: 8080
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                codec_type: AUTO
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: app
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: api-example-https
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: api-example-https
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: api-example-https
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: api.example.com
                      port_value: 443
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          common_tls_context:
            tls_certificates:
              - pkcs12:
                  filename: /etc/cert.p12
Unfortunately, I am getting this error:
[2022-11-01 22:17:48.788][1][critical][main] [source/server/server.cc:117] error initializing configuration '/etc/envoy.yaml': Failed to load pkcs12 from /etc/cert.p12
[2022-11-01 22:17:48.788][1][info][main] [source/server/server.cc:961] exiting
Failed to load pkcs12 from /etc/cert.p12
What am I missing? Three hours of troubleshooting and no luck :(
It turns out that the certificate has to be used alongside a password.
I verified that by using curl against the external service directly:
curl --cert-type P12 --cert 'cert.p12:MyPass' https://api.example.com
This means that envoy.yaml must include the password configuration.
Hence, the config file should look like:
static_resources:
  listeners:
    - address:
        socket_address:
          address: 0.0.0.0
          port_value: 8080
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                codec_type: AUTO
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: app
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: api-example-https
                http_filters:
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: api-example-https
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: api-example-https
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: api.example.com
                      port_value: 443
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          common_tls_context:
            tls_certificates:
              - pkcs12:
                  filename: /etc/cert.p12
                password:
                  inline_string: MyPass   # fixed by adding this
REF: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-field-extensions-transport-sockets-tls-v3-tlscertificate-pkcs12
Use password to specify the password to unprotect the PKCS12 data, if necessary.
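Two things about the fixed config are worth checking mechanically before shipping it: the PKCS#12 password is now committed in the YAML as an inline_string (a DataSource can just as well be a filename or an environment_variable, which keeps the secret out of the config file), and the UpstreamTlsContext has no validation_context, so Envoy never verifies api.example.com's server certificate. The script below is an added example, not code from the question or the answer: it walks an Envoy bootstrap and reports both conditions. The SAMPLE_* dicts are constructed to mirror the cluster's transport_socket as yaml.safe_load would load it (PyYAML is not imported so the example runs without dependencies); /etc/cert.p12 and MyPass come from the post, while the /etc/cert.p12.pass password file and the CA bundle path in the hardened sample are hypothetical.

```python
"""Pre-flight checks for TLS certificate settings in an Envoy bootstrap.

Added example, not code from the original post. Rules encoded:
  1. a `pkcs12` TlsCertificate needs a sibling `password` DataSource when the
     file is protected (otherwise Envoy exits with "Failed to load pkcs12 ..."),
     and that password should not be an inline_string/inline_bytes committed
     with the config;
  2. an UpstreamTlsContext whose common_tls_context has no validation context
     does not verify the upstream server certificate.
"""
from typing import Any, Dict, Iterator, List, Optional, Tuple

UPSTREAM_TLS = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext"
# Fields of envoy.config.core.v3.DataSource that say where the bytes come from.
DATA_SOURCE_FIELDS = {"filename", "inline_bytes", "inline_string", "environment_variable"}
# Members of CommonTlsContext's validation_context_type oneof.
VALIDATION_FIELDS = {"validation_context", "validation_context_sds_secret_config", "combined_validation_context"}

MSG_NO_PASSWORD = "pkcs12 without password: Envoy fails with 'Failed to load pkcs12' if the file is protected"
MSG_INLINE_PASSWORD = "pkcs12 password is inline in the config; load it from filename or environment_variable"
MSG_NO_VALIDATION = "UpstreamTlsContext has no validation context: the server certificate is not verified"


def _upstream_tls(password: Optional[Dict[str, Any]] = None, validate: bool = False) -> Dict[str, Any]:
    """Build the answer's transport_socket, varying only the parts under test (constructed sample)."""
    cert: Dict[str, Any] = {"pkcs12": {"filename": "/etc/cert.p12"}}
    if password is not None:
        cert["password"] = password
    common: Dict[str, Any] = {"tls_certificates": [cert]}
    if validate:
        # Hypothetical CA bundle path; any trusted_ca DataSource works here.
        common["validation_context"] = {"trusted_ca": {"filename": "/etc/ssl/certs/ca-certificates.crt"}}
    return {"name": "envoy.transport_sockets.tls",
            "typed_config": {"@type": UPSTREAM_TLS, "common_tls_context": common}}


def _bootstrap(transport_socket: Dict[str, Any]) -> Dict[str, Any]:
    return {"static_resources": {"clusters": [{"name": "api-example-https",
                                               "transport_socket": transport_socket}]}}


SAMPLE_ORIGINAL = _bootstrap(_upstream_tls())                                   # the failing config
SAMPLE_ANSWER = _bootstrap(_upstream_tls({"inline_string": "MyPass"}))          # the accepted answer
SAMPLE_HARDENED = _bootstrap(_upstream_tls({"filename": "/etc/cert.p12.pass"},  # hypothetical password file
                                           validate=True))


def _mappings(node: Any, path: Tuple[Any, ...] = ()) -> Iterator[Tuple[Tuple[Any, ...], Dict[str, Any]]]:
    """Pre-order walk yielding (path, mapping) for every mapping in a parsed YAML tree."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _mappings(value, path + (key,))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _mappings(value, path + (i,))


def check_tls(config: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (location, message) findings for the two rules above."""
    findings: List[Tuple[str, str]] = []
    for path, node in _mappings(config):
        where = "/".join(str(p) for p in path)
        if isinstance(node.get("pkcs12"), dict):           # a TlsCertificate using a PKCS#12 bundle
            password = node.get("password")
            if not isinstance(password, dict) or not (DATA_SOURCE_FIELDS & set(password)):
                findings.append((where, MSG_NO_PASSWORD))
            elif "inline_string" in password or "inline_bytes" in password:
                findings.append((where, MSG_INLINE_PASSWORD))
        if node.get("@type") == UPSTREAM_TLS:
            common = node.get("common_tls_context", {})
            if not (VALIDATION_FIELDS & set(common)):
                findings.append((where, MSG_NO_VALIDATION))
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_ORIGINAL), ("answer", SAMPLE_ANSWER), ("hardened", SAMPLE_HARDENED)):
        print(label, "->", "clean" if not check_tls(cfg) else "")
        for where, msg in check_tls(cfg):
            print("  ", where, ":", msg)
```

The hardened sample also shows what "clean" looks like: password read from a root-owned file with restrictive permissions (or from the environment) and a trusted_ca on the upstream context. The answer's config additionally sets no sni on the UpstreamTlsContext, so Envoy does not send a server name to api.example.com; add one if the upstream serves more than one certificate.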
Problem is that the stack won't build when the count is greater than 1.
The reason for this is that - port: { get_resource: test_port } is not unique for every instance created.
Error code received: CREATE_FAILED Conflict: resources.compute_nodes.resources[3]: Port XXX is still in use.
Question: How can I make - port: { get_resource: test_port } unique for each instance?
compute_nodes:
  type: OS::Heat::ResourceGroup
  properties:
    count: 3
    resource_def:
      type: OS::Nova::Server
      properties:
        name: test-%index%
        key_name: { get_param: key_name }
        image: "Ubuntu Server 18.04 LTS (Bionic Beaver) amd64"
        flavor: m1.small
        networks:
          - port: { get_resource: test_port }
test_port:
  type: OS::Neutron::Port
  properties:
    network_id: { get_resource: private_net }
    security_groups: { get_param: sec_group_lin }
    fixed_ips:
      - subnet_id: { get_resource: private_subnet }
test_floating_ip:
  type: OS::Neutron::FloatingIP
  properties:
    floating_network: { get_param: public_net }
    port_id: { get_resource: test_port }
Your stack tries to attach the same port to different Nova servers, so this fails.
The solution would be to create a nested stack that creates your 3 resources (Nova server, Neutron port and Neutron floating IP), and then have your main stack use a resource group to "scale" your servers:
Nested stack: nested_stack.yaml
heat_template_version: 2016-10-14
parameters:
  index:
    type: string
  sec_group_lin:
    type: string
  key_name:
    type: string
  public_net:
    type: string
  # the network and subnet are created in the main stack, so pass them in
  private_net:
    type: string
  private_subnet:
    type: string
resources:
  compute_nodes:
    type: OS::Nova::Server
    depends_on: [test_port, test_floating_ip]
    properties:
      name: { list_join: ['-', ['test', { get_param: index }]] }
      key_name: { get_param: key_name }
      image: "Ubuntu Server 18.04 LTS (Bionic Beaver) amd64"
      flavor: m1.small
      networks:
        - port: { get_resource: test_port }
  test_port:
    type: OS::Neutron::Port
    properties:
      network_id: { get_param: private_net }
      security_groups: { get_param: sec_group_lin }
      fixed_ips:
        - subnet_id: { get_param: private_subnet }
  test_floating_ip:
    type: OS::Neutron::FloatingIP
    depends_on: [test_port]
    properties:
      floating_network: { get_param: public_net }
      port_id: { get_resource: test_port }
Then your main stack would look like:
parameters:
  key_name:
    type: string
  public_net:
    type: string
  sec_group_lin:
    type: string
resources:
  compute_nodes:
    type: OS::Heat::ResourceGroup
    properties:
      count: 3
      resource_def:
        type: nested_stack.yaml
        properties:
          index: "%index%"
          key_name: { get_param: key_name }
          public_net: { get_param: public_net }
          sec_group_lin: { get_param: sec_group_lin }
          # private_net and private_subnet are the network/subnet resources of your existing template
          private_net: { get_resource: private_net }
          private_subnet: { get_resource: private_subnet }
This will create x servers (here x=3, as your count is set to 3), each with its own test port and test floating IP.
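The mechanism behind the answer above can be shown on the template itself. Heat creates `count` copies of resource_def and substitutes %index% in each copy, but a get_resource inside resource_def still names the single stack-level resource, so every member attaches the same Neutron port and the second server's create fails with "Port ... is still in use". The script below is an added example, not code from the question or the answer: expand_group() performs the %index% substitution the way Heat does, and shared_references() reports any stack-level resource that more than one member of a group would attach. SAMPLE_TEMPLATE is a constructed dict mirroring the question's compute_nodes, test_port and test_floating_ip as yaml.safe_load would load them (PyYAML is not imported so the example runs without dependencies).

```python
"""Show why an OS::Heat::ResourceGroup with count > 1 cannot share a Neutron port.

Added example, not code from the original question or answer. Operates on a
constructed dict that mirrors the question's template.
"""
import copy
from typing import Any, Dict, List, Set

# Constructed sample mirroring the question's resources.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "resources": {
        "compute_nodes": {
            "type": "OS::Heat::ResourceGroup",
            "properties": {
                "count": 3,
                "resource_def": {
                    "type": "OS::Nova::Server",
                    "properties": {
                        "name": "test-%index%",
                        "key_name": {"get_param": "key_name"},
                        "image": "Ubuntu Server 18.04 LTS (Bionic Beaver) amd64",
                        "flavor": "m1.small",
                        "networks": [{"port": {"get_resource": "test_port"}}],
                    },
                },
            },
        },
        "test_port": {
            "type": "OS::Neutron::Port",
            "properties": {"network_id": {"get_resource": "private_net"}},
        },
        "test_floating_ip": {
            "type": "OS::Neutron::FloatingIP",
            "properties": {"port_id": {"get_resource": "test_port"}},
        },
    }
}


def get_resource_refs(node: Any) -> Set[str]:
    """Every name referenced through {get_resource: name} anywhere under node."""
    refs: Set[str] = set()
    if isinstance(node, dict):
        if set(node) == {"get_resource"} and isinstance(node["get_resource"], str):
            refs.add(node["get_resource"])
        for value in node.values():
            refs |= get_resource_refs(value)
    elif isinstance(node, list):
        for value in node:
            refs |= get_resource_refs(value)
    return refs


def substitute_index(node: Any, index: int) -> Any:
    """Deep copy of node with every %index% replaced, as Heat does for each group member."""
    if isinstance(node, str):
        return node.replace("%index%", str(index))
    if isinstance(node, dict):
        return {key: substitute_index(value, index) for key, value in node.items()}
    if isinstance(node, list):
        return [substitute_index(value, index) for value in node]
    return copy.deepcopy(node)


def expand_group(group: Dict[str, Any]) -> List[Dict[str, Any]]:
    """The member definitions Heat would create for a ResourceGroup."""
    props = group["properties"]
    return [substitute_index(props["resource_def"], i) for i in range(int(props["count"]))]


def shared_references(template: Dict[str, Any]) -> Dict[str, List[str]]:
    """group name -> stack-level resources that every member of that group would attach.

    Only groups with count > 1 matter: with a single member nothing is shared.
    """
    resources = template["resources"]
    shared: Dict[str, List[str]] = {}
    for name, res in resources.items():
        if res.get("type") != "OS::Heat::ResourceGroup":
            continue
        props = res["properties"]
        if int(props.get("count", 1)) < 2:
            continue
        refs = sorted(r for r in get_resource_refs(props["resource_def"]) if r in resources)
        if refs:
            shared[name] = refs
    return shared


if __name__ == "__main__":
    for member in expand_group(SAMPLE_TEMPLATE["resources"]["compute_nodes"]):
        print(member["properties"]["name"], "->", member["properties"]["networks"])
    print("shared across members:", shared_references(SAMPLE_TEMPLATE))
```

Running it prints three members, test-0 to test-2, all pointing at the same {get_resource: test_port}, and reports {'compute_nodes': ['test_port']}. Moving the port (and the floating IP, which references the port) into the nested template as the answer does makes test_port a per-member resource, and the check comes back empty.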
Make use of "depends_on" to control the order of execution in the template:
compute_nodes:
  type: OS::Heat::ResourceGroup
  depends_on: [test_port, test_floating_ip]
  properties:
    count: 3
    resource_def:
      type: OS::Nova::Server
      properties:
        name: test-%index%
        key_name: { get_param: key_name }
        image: "Ubuntu Server 18.04 LTS (Bionic Beaver) amd64"
        flavor: m1.small
        networks:
          - port: { get_resource: test_port }
test_port:
  type: OS::Neutron::Port
  properties:
    network_id: { get_resource: private_net }
    security_groups: { get_param: sec_group_lin }
    fixed_ips:
      - subnet_id: { get_resource: private_subnet }
test_floating_ip:
  type: OS::Neutron::FloatingIP
  depends_on: [test_port]
  properties:
    floating_network: { get_param: public_net }
    port_id: { get_resource: test_port }
"Conditions (..) They can be associated with resources and resource properties in the resources section (..)" - as the official OpenStack docs say, I can do that. But the attached examples do not contain any with "resource properties".
Here is my example, where the user can set a parameter to NOT create port2 AND not attach port2 (because port2 does not exist):
parameters:
  global_port2_create:
    description: Do you want eth1 (port2)
    type: string
    default: "true"
conditions:
  create_port2: { equals: [{ get_param: global_port2_create }, "true"] }
resources:
  node5_port1:
    type: OS::Neutron::Port
    properties:
      network_id: { get_param: global_port1_net_id }
      fixed_ips:
        - subnet_id: { get_param: global_port1_net_id }
          ip_address: { get_param: node5_port1_ip }
      security_groups: { get_param: global_port1_security_groups_ids }
  node5_port2:
    type: OS::Neutron::Port
    condition: create_port2
    properties:
      network_id: { get_param: global_port2_net_id }
      fixed_ips:
        - subnet_id: { get_param: global_port2_net_id }
          ip_address: { get_param: node5_port2_ip }
      security_groups: { get_param: global_port2_security_groups_ids }
  node5_server:
    type: OS::Nova::Server
    depends_on: [ node5_port1, node5_port2 ]
    properties:
      name: some_name
      image: { get_param: global_image }
      availability_zone: some_az
      networks:
        - port: { get_resource: node5_port1 }
        - port: { get_resource: node5_port2 }  # How to use a condition here?
I know I can do a ResourceGroup with both ports and iterate over them, but I do not want that solution.
Maybe like this?
networks:
  - port: { get_resource: node5_port1 }
  - port:
      condition: create_port2
      get_resource: node5_port2
Anyone have any ideas how to accomplish this?
I had a similar use case and found a solution. However, say goodbye to readability if this was still a concern:
networks: {if: ["create_port2", [port: { get_resource: node5_port1 }, port: { get_resource: node5_port2 }], [port: { get_resource: node5_port1 }]]}
which you can also write:
networks:
  if:
    - "create_port2"
    - [port: { get_resource: node5_port1 }, port: { get_resource: node5_port2 }]
    - [port: { get_resource: node5_port1 }]
Or even:
networks:
  if:
    - "create_port2"
    - - port: { get_resource: node5_port1 }
      - port: { get_resource: node5_port2 }
    - - port: { get_resource: node5_port1 }
Choose your poison!
I created a Heat template with PowerShell commands, and my template is not getting executed after adding the deployment section. I added this section to get the output of the commands. Below is the template I am using:
heat_template_version: 2016-10-14
description: Template to install HyperV Feature in Server
resources:
  floating_ip:
    type: OS::Neutron::FloatingIP
    properties:
      floating_network: Net_External_16
  instance:
    type: OS::Nova::Server
    properties:
      name: machine2
      flavor: LARGE
      networks:
        - network: 71xxxx85-8a24-475b-9xxc-169xxxxxbb0
      security_groups:
        - default
        - all_open
      block_device_mapping_v2:
        - device_name: /dev/vpa
          volume_id: { get_resource: volume }
          delete_on_termination: "true"
  volume:
    type: OS::Cinder::Volume
    properties:
      size: 25
      image: 51xxxxxbe-44e6-4206-920c-xxxxxxxxxx
      name: { get_param: volumename }
  ps_script:
    type: OS::Heat::SoftwareConfig
    properties:
      group: ungrouped
      config:
        str_replace:
          template: |
            #ps1_sysnative
            $log = New-Item "C:\check_file.txt" -Type File
            start-sleep -s 20
            install-windowsfeature -Name DNS -IncludeManagementTools
            start-sleep -s 60
            $pass = "_parameter_1_"
            Add-content $log $pass
          params:
            _parameter_1_: { get_param: parameter1 }
  association:
    type: OS::Neutron::FloatingIPAssociation
    properties:
      floatingip_id: { get_resource: floating_ip }
      port_id: { get_attr: [instance, addresses, 71xxxxx85-8a24-4xxb-9xxc-16xxxx84bb0, 0, port] }
  deployment:
    type: OS::Heat::SoftwareDeployment
    properties:
      config: { get_resource: ps_script }
      server: { get_resource: instance }
outputs:
  instance_ip:
    description: Ipaddress
    value: { get_attr: [instance, addresses] }
  result:
    description: Checkoutput
    value: { get_attr: [deployent] }
Has anybody tried this same method, or is there any other solution to get the output of PowerShell commands executed from a template?
Add the line user_data_format: SOFTWARE_CONFIG under the OS::Nova::Server properties:
instance:
  type: OS::Nova::Server
  properties:
    name: machine2
    flavor: LARGE
    networks:
      - network: 71xxxx85-8a24-475b-9xxc-169xxxxxbb0
    security_groups:
      - default
      - all_open
    block_device_mapping_v2:
      - device_name: /dev/vpa
        volume_id: { get_resource: volume }
        delete_on_termination: "true"
    user_data_format: SOFTWARE_CONFIG
This line is required when there is a separate resource for software configuration.
There is also a typo in the outputs section: deployent -> deployment
outputs:
  instance_ip:
    description: Ipaddress
    value: { get_attr: [instance, addresses] }
  result:
    description: Checkoutput
    value: { get_attr: [deployment] }
Note: add the space after { and before }. For example:
{ get_resource: volume }
I have configured a 2-node OpenStack (Icehouse) setup, and Heat is also configured. When creating an instance using a HOT template, it is launched successfully. But when I try to create the flat network using my YAML file, it shows the error below:
"Unable to create the network. No tenant network is available for allocation"
heat_template_version: 2013-05-23
description: Simple template to deploy a single compute instance
resources:
  provider_01:
    type: OS::Neutron::ProviderNet
    properties:
      physical_network: physnet2
      shared: true
      network_type: flat
  network_01:
    type: OS::Neutron::Net
    properties:
      admin_state_up: true
      name: External2
      shared: true
      # admin tenant id
      tenant_id: 6ec23610836048ddb8f9294dbf89a41e
  subnet_01:
    type: OS::Neutron::Subnet
    properties:
      name: Subnet2
      network_id: { get_resource: network_01 }
      cidr: 192.168.56.0/24
      gateway_ip: 192.168.56.1
      allocation_pools: [{"start": 192.168.56.50, "end": 192.168.56.70}]
      enable_dhcp: true
  port_01:
    type: OS::Neutron::Port
    properties:
      admin_state_up: true
      network_id: { get_resource: network_01 }
      #security_groups: "default"
heat_template_version: 2014-10-16
description: Template to create a tenant network along with router config
parameters:
  ImageId:
    type: string
    label: cirros-0.3.2-x86_64
    description: cirros-0.3.2-x86_64
resources:
  demo-net:
    type: OS::Neutron::Net
    properties:
      name: demo-net
  demo-subnet:
    type: OS::Neutron::Subnet
    properties:
      name: demo-subnet
      network_id: { get_resource: demo-net }
      cidr: 10.10.0.0/24
      gateway_ip: 10.10.0.1
  my_instance:
    type: OS::Nova::Server
    properties:
      name: "demo_test_nw_01"
      image: { get_param: ImageId }
      flavor: "m1.tiny"
      networks:
        - network: { get_resource: demo-net }