amazon-web-services - Cloudformation 堆栈创建期间的 cfn-init 和 cfn-signal 超时

Question

我的 EC2Instance 资源的 UserData 部分具有以下内容:

#!/bin/bash
apt-get update -y
apt-get -y install python3-pip
mkdir -p /opt/aws/
pip3 install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz
ln -s /usr/local/init/ubuntu/cfn-hup /etc/init.d/cfn-hup
/usr/local/bin/cfn-init -v --stack ${AWS::StackId} --resource EC2Instance --configsets server_install --region ${AWS::Region}
/usr/local/bin/cfn-signal -e $? --stack ${AWS::StackId} --resource EC2Instance --region ${AWS::Region}

在运行堆栈创建过程时，我注意到 cfn-init 和 cfn-signal 命令无法运行，因为我的 EC2 没有任何我通过 AWS::Cloudformation:Init 安装的软件包。

我登录到服务器来检查情况(注意:只有在失败时不恢复堆栈或不发出失败信号时，才能在堆栈构建失败后登录到服务器)，我发现以下错误:

/var/log/cloud-init.log:

2023-04-12 21:17:17,121 - subp.py[DEBUG]: Running command 
['/var/lib/cloud/instance/scripts/part-001'] with allowed return codes [0] (shell=False, capture=False)
2023-04-12 21:28:34,625 - subp.py[DEBUG]: Unexpected error while running command.
Command: ['/var/lib/cloud/instance/scripts/part-001']
Exit code: 1
Reason: -
Stdout: -
Stderr: -
2023-04-12 21:28:34,629 - cc_scripts_user.py[WARNING]: Failed to run module scripts-user (scripts in /var/lib/cloud/instance/scripts)

/var/lib/cloud/instance/scripts/part-001:与 CF 模板相同的 UserData 部分

/var/log/cloud-init-output.log:

2023-04-12 21:18:06,101 [DEBUG] CloudFormation client initialized with endpoint https://cloudformation.us-east-1.amazonaws.com
2023-04-12 21:18:06,102 [DEBUG] Describing resource EC2Instance in stack arn:aws:cloudformation:us-east-1:<accountId>:stack/<app-name>/<uuid>
2023-04-12 21:19:06,102 [WARNING] Timeout of 60 seconds breached
2023-04-12 21:19:06,103 [ERROR] Client-side timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/cfnbootstrap/util.py", line 193, in _retry
    return f(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/cfnbootstrap/util.py", line 266, in _timeout
    raise TimeoutError(
cfnbootstrap.util.TimeoutError


2023-04-12 21:18:06,101 [DEBUG] CloudFormation client initialized with endpoint https://cloudformation.us-east-1.amazonaws.com
2023-04-12 21:18:06,102 [DEBUG] Signlaing resource EC2Instance in stack arn:aws:cloudformation:us-east-1:<accountId>:stack/<app-name>/<uuid>
2023-04-12 21:19:06,102 [WARNING] Timeout of 60 seconds breached
2023-04-12 21:19:06,103 [ERROR] Client-side timeout
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/cfnbootstrap/util.py", line 193, in _retry
    return f(*args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/cfnbootstrap/util.py", line 266, in _timeout
    raise TimeoutError(
cfnbootstrap.util.TimeoutError

Answer 1

我在 Stackoverflow 和其他地方看到了大量其他答案，指出 EC2 实例需要使用具有公共(public)子网的 VPC。它需要公开，因为 cfn-init脚本通过公共(public)互联网访问 Cloudformation API。

我通过以下 these steps 验证我的 VPC 子网实际上是公共(public)的。我还按照 these steps 验证我的实例已连接到互联网。 .

但是，我注意到当我尝试从 EC2 实例 curl cloudformation API 时，它超时了:

curl -v https://cloudformation.us-east-1.amazonaws.com

但是，我随后注意到，如果我 curl 不同的区域，效果会很好。所以这有效:

curl -v https://cloudformation.us-east-2.amazonaws.com

同一地区的不同服务冰壶也​​有效:

curl -v https://ec2.us-east-1.amazonaws.com

所有这些都令人困惑，它让我想到了 this question and answer .

之后，我意识到，当我 curl 来自不同区域的两个 Cloudformation API 时，us-east-1 上的 IP 地址是私有(private)的 (192.168.x.x:443)，而 IP 地址来自 us-east-2是公开的 (52.95.16.95:443)。

然后，我进一步深入研究了我的 VPC，发现除了公有子网之外，还创建了 VPC 接口(interface)终端节点，其中包括一个提供对 cloudformation.us-east-1.amazonaws.com 的访问的终端节点。 。该 VPC 接口(interface)端点附加了一个安全组，我意识到它的限制太多。一旦我更新了该 SG 上的入站规则，我从 EC2 实例到 Cloudformation API 的调用就开始工作。问题解决了。

尾注:我在 https://repost.aws 的故障排除步骤中注意到它说了以下内容:

If you're using an interface VPC endpoint, then the endpoint must be located in the same AWS Region as the instance. Also, the security group that's attached to the interface endpoint must allow incoming connections on port 443 from the private subnet of the Amazon VPC.

但不幸的是，直到后来我才意识到接口(interface)端点正在被使用......