
CloudFormation and private subnets

I am trying to build an ECS cluster via CloudFormation. The subnets that the cluster instances will reside in are to be private. Additionally, I have created an image from an EC2 I built, and have verified the SSM agent, ECS agent, and cloud-init are installed and running. I have also added an inbound rule in my security group to allow HTTPS traffic from the subnet/CIDR of the private subnet with the endpoints as well.

I have added the following endpoints to my private subnet:

  • com.amazonaws.us-west-2.ssm
  • com.amazonaws.us-west-2.ssmmessages
  • com.amazonaws.us-west-2.ecs
  • com.amazonaws.us-west-2.ecs-agent
  • com.amazonaws.us-west-2.ecs-telemetry
  • com.amazonaws.us-west-2.cloudformation

Here is my CF template:

Description: >-
  A stack for deploying containerized applications onto a cluster of EC2 hosts
  using Elastic Container Service. This stack runs containers on hosts that are
  in a public VPC subnet, and includes a public facing load balancer to register
  the services in.
Parameters:
  DesiredCapacity:
    Type: Number
    Default: '1'
    Description: Number of EC2 instances to launch in your ECS cluster.
  MaxSize:
    Type: Number
    Default: '2'
    Description: Maximum number of EC2 instances that can be launched in your ECS cluster.
  ECSAMI:
    Description: AMI ID
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: /aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id
  InstanceType:
    Description: EC2 instance type
    Type: String
    Default: t2.micro
  SecurityGroup:
    Description: Select the Security Group to use for the ECS cluster hosts
    Type: 'AWS::EC2::SecurityGroup::Id'
  Subnets:
    Description: Choose which subnets this ECS cluster should be deployed to
    Type: 'List<AWS::EC2::Subnet::Id>'
  VPC:
    Description: Choose which VPC this ECS cluster should be deployed to
    Type: 'AWS::EC2::VPC::Id'

Resources:
  ECSCluster:
    Type: 'AWS::ECS::Cluster'
    Properties:
      ClusterName: change-name
    
  ECSAutoScalingGroup:
    Type: 'AWS::AutoScaling::AutoScalingGroup'
    Properties:
      AvailabilityZones:
        - 'us-west-2a'
#      VPCZoneIdentifier:
#        - '
      LaunchConfigurationName: !Ref ContainerInstances
      MinSize: '1'
      MaxSize: !Ref MaxSize
      DesiredCapacity: !Ref DesiredCapacity
    CreationPolicy:
      ResourceSignal:
        Count: 1
        Timeout: PT5M
    UpdatePolicy:
      AutoScalingReplacingUpdate:
       WillReplace: 'true'
    
  ContainerInstances:
    Type: 'AWS::AutoScaling::LaunchConfiguration'
    Properties:
      ImageId: <custom ami>
      SecurityGroups:
        - !Ref SecurityGroup
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref EC2InstanceProfile
      UserData:
        "Fn::Base64":
         !Sub |
          #!/bin/bash -xe
          yum update -y 
          yum install -y aws-cfn-bootstrap
          yum install cloud-init
          echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}
          systemctl enable amazon-ssm-agent
          systemctl start amazon-ssm-agent
          
         
    
  AutoscalingRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - application-autoscaling.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: service-autoscaling
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'application-autoscaling:*'
                  - 'cloudwatch:DescribeAlarms'
                  - 'cloudwatch:PutMetricAlarm'
                  - 'ecs:DescribeServices'
                  - 'ecs:UpdateService'
                Resource: '*'
    
  EC2InstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - !Ref EC2Role
    
  EC2Role:
    Type: 'AWS::IAM::Role'
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
        - 'arn:aws:iam::aws:policy/AmazonECS_FullAccess'
        - 'arn:aws:iam::aws:policy/CloudWatchFullAccess'
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ecs:CreateCluster'
                  - 'ecs:DeregisterContainerInstance'
                  - 'ecs:DiscoverPollEndpoint'
                  - 'ecs:Poll'
                  - 'ecs:RegisterContainerInstance'
                  - 'ecs:StartTelemetrySession'
                  - 'ecs:Submit*'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                  - 'ecr:GetAuthorizationToken'
                  - 'ecr:BatchGetImage'
                  - 'ecr:GetDownloadUrlForLayer'
                Resource: '*'
    
  ECSRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ec2:AttachNetworkInterface'
                  - 'ec2:CreateNetworkInterface'
                  - 'ec2:CreateNetworkInterfacePermission'
                  - 'ec2:DeleteNetworkInterface'
                  - 'ec2:DeleteNetworkInterfacePermission'
                  - 'ec2:Describe*'
                  - 'ec2:DetachNetworkInterface'
                  - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'
                  - 'elasticloadbalancing:DeregisterTargets'
                  - 'elasticloadbalancing:Describe*'
                  - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer'
                  - 'elasticloadbalancing:RegisterTargets'
                Resource: '*'
    
Outputs:
  ClusterName:
    Description: The name of the ECS cluster
    Value: !Ref ECSCluster
    Export:
      Name: !Join 
        - ':'
        - - !Ref 'AWS::StackName'
          - ClusterName
  ECSRole:
    Description: The ARN of the ECS role
    Value: !GetAtt ECSRole.Arn
    Export:
      Name: !Join 
        - ':'
        - - !Ref 'AWS::StackName'
          - ECSRole

The issue is that at the final stage of creating the AutoScaling role, it hangs and errors out with a failure to receive a successful status code.

Error:

Received 0 SUCCESS signal(s) out of 1. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement

Any help would be greatly appreciated, thank you for your time.

A possible reason could be the following line:

yum install cloud-init

Since you are missing -y, yum probably is waiting for a manual confirmation. The line should be replaced with

yum install -y cloud-init

Also, I'm not sure what the meaning of this is:

      ImageId: <custom ami>

since you are using the SSM AMI parameter. Thus, the natural procedure would be to use it:

      ImageId: !Ref ECSAMI
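The "Received 0 SUCCESS signal(s)" error means cfn-signal never reached CloudFormation before the CreationPolicy timeout. Two script-level causes are visible in the question's UserData: a package install that blocks on a confirmation prompt (the missing -y the answer points out), and the fact that under `bash -xe` any failing step aborts the script before the signal line runs, while `-e $?` only ever reports the exit status of the single command immediately before it. The following pre-flight lint is an added example, not code from the original post or from AWS; the two UserData scripts it checks are constructed copies of the question's script before and after the fix, with `my-cluster`, `my-stack` and the region as placeholder values.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight lint for EC2 UserData
# scripts that catches the two things that most often leave cfn-signal unsent:
#   1. a package install that waits on a confirmation prompt (yum without -y),
#   2. cfn-signal issued before the last step that can fail, so a later failure
#      is never reported and an earlier one (under bash -e) never reaches it.
# All script contents below are constructed for the example.

# Constructed copy of the UserData from the question, before the fix.
BAD_USER_DATA='#!/bin/bash -xe
yum update -y
yum install -y aws-cfn-bootstrap
yum install cloud-init
echo ECS_CLUSTER=my-cluster >> /etc/ecs/ecs.config
/opt/aws/bin/cfn-signal -e $? --stack my-stack --resource ECSAutoScalingGroup --region us-west-2
systemctl enable amazon-ssm-agent
systemctl start amazon-ssm-agent'

# Constructed hardened version: every yum call is non-interactive, and the
# signal is sent last so its exit code covers the whole bootstrap.
GOOD_USER_DATA='#!/bin/bash -xe
yum update -y
yum install -y aws-cfn-bootstrap cloud-init
echo ECS_CLUSTER=my-cluster >> /etc/ecs/ecs.config
systemctl enable amazon-ssm-agent
systemctl start amazon-ssm-agent
/opt/aws/bin/cfn-signal -e $? --stack my-stack --resource ECSAutoScalingGroup --region us-west-2'

# interactive_yum_lines SCRIPT_TEXT
# Prints each yum/dnf install/update/upgrade/remove line that lacks -y or
# --assumeyes. Exit status 0 when such lines exist, 1 when none do (grep semantics).
interactive_yum_lines() {
    printf '%s\n' "$1" \
      | grep -E '^[[:space:]]*(yum|dnf)[[:space:]]+(install|update|upgrade|remove)' \
      | grep -Ev '(^|[[:space:]])(-y|--assumeyes)([[:space:]]|$)'
}

# signal_is_last SCRIPT_TEXT
# Exit status 0 if the cfn-signal call is the last non-comment, non-empty
# command, so "-e $?" reports the step just before it and nothing that can
# fail runs after the stack has already been told SUCCESS.
signal_is_last() {
    last=$(printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' | tail -n 1)
    case "$last" in
        *cfn-signal*) return 0 ;;
        *) return 1 ;;
    esac
}

# lint_user_data SCRIPT_TEXT
# Prints each finding and returns the number of findings (0 means clean).
lint_user_data() {
    findings=0
    hits=$(interactive_yum_lines "$1") && {
        printf 'interactive package install (add -y):\n%s\n' "$hits"
        findings=$((findings + 1))
    }
    signal_is_last "$1" || {
        echo 'cfn-signal is not the last command; a failure before or after it is never signalled'
        findings=$((findings + 1))
    }
    return "$findings"
}

# Run the lint over both constructed scripts when executed directly.
echo '--- before fix ---'; lint_user_data "$BAD_USER_DATA" || echo "findings: $?"
echo '--- after fix ---';  lint_user_data "$GOOD_USER_DATA" && echo 'clean'
```

The lint only covers what the script itself can get wrong. The remaining cause of the same error is network: cfn-signal is an HTTPS call to the CloudFormation API, so from a private subnet it needs the `com.amazonaws.us-west-2.cloudformation` interface endpoint the question already lists, a security group on that endpoint that accepts 443 from the instance subnet, and a `--region` argument that matches the endpoint's region; a wrong region resolves to a public hostname the instance cannot reach.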
