I am trying to build an ECS cluster via CloudFormation. The subnets that the cluster instances will reside in are to be private. Additionally, I have created an image from an EC2 I built, and have verified the SSM agent, ECS agent, and cloud-init are installed and running. I have also added an inbound rule in my security group to allow HTTPS traffic from the subnet/CIDR of the private subnet with the endpoints as well.
I have added the following endpoints to my private subnet:
Here is my CF template:
```yaml
Description: >-
  A stack for deploying containerized applications onto a cluster of EC2 hosts
  using Elastic Container Service. This stack runs containers on hosts that are
  in a public VPC subnet, and includes a public facing load balancer to register
  the services in.
Parameters:
  DesiredCapacity:
    Type: Number
    Default: '1'
    Description: Number of EC2 instances to launch in your ECS cluster.
  MaxSize:
    Type: Number
    Default: '2'
    Description: Maximum number of EC2 instances that can be launched in your ECS cluster.
  ECSAMI:
    Description: AMI ID
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: /aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id
  InstanceType:
    Description: EC2 instance type
    Type: String
    Default: t2.micro
  SecurityGroup:
    Description: Select the Security Group to use for the ECS cluster hosts
    Type: 'AWS::EC2::SecurityGroup::Id'
  Subnets:
    Description: Choose which subnets this ECS cluster should be deployed to
    Type: 'List<AWS::EC2::Subnet::Id>'
  VPC:
    Description: Choose which VPC this ECS cluster should be deployed to
    Type: 'AWS::EC2::VPC::Id'
Resources:
  ECSCluster:
    Type: 'AWS::ECS::Cluster'
    Properties:
      Clustername: change-name
  ECSAutoScalingGroup:
    Type: 'AWS::AutoScaling::AutoScalingGroup'
    Properties:
      AvailabilityZones:
        - 'us-west-2a'
      # VPCZoneIdentifier:
      # - '
      LaunchConfigurationName: !Ref ContainerInstances
      MinSize: '1'
      MaxSize: !Ref MaxSize
      DesiredCapacity: !Ref DesiredCapacity
    CreationPolicy:
      ResourceSignal:
        Count: 1
        Timeout: PT5M
    UpdatePolicy:
      AutoScalingReplacingUpdate:
        WillReplace: 'true'
  ContainerInstances:
    Type: 'AWS::AutoScaling::LaunchConfiguration'
    Properties:
      ImageId: <custom ami>
      SecurityGroups:
        - !Ref SecurityGroup
      InstanceType: !Ref InstanceType
      IamInstanceProfile: !Ref EC2InstanceProfile
      UserData:
        "Fn::Base64":
          !Sub |
            #!/bin/bash -xe
            yum update -y
            yum install -y aws-cfn-bootstrap
            yum install cloud-init
            echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
            /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}
            systemctl enable amazon-ssm-agent
            systemctl start amazon-ssm-agent
  AutoscalingRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - application-autoscaling.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: service-autoscaling
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'application-autoscaling:*'
                  - 'cloudwatch:DescribeAlarms'
                  - 'cloudwatch:PutMetricAlarm'
                  - 'ecs:DescribeServices'
                  - 'ecs:UpdateService'
                Resource: '*'
  EC2InstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - !Ref EC2Role
  EC2Role:
    Type: 'AWS::IAM::Role'
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore'
        - 'arn:aws:iam::aws:policy/AmazonECS_FullAccess'
        - 'arn:aws:iam::aws:policy/CloudWatchFullAccess'
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ecs:CreateCluster'
                  - 'ecs:DeregisterContainerInstance'
                  - 'ecs:DiscoverPollEndpoint'
                  - 'ecs:Poll'
                  - 'ecs:RegisterContainerInstance'
                  - 'ecs:StartTelemetrySession'
                  - 'ecs:Submit*'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                  - 'ecr:GetAuthorizationToken'
                  - 'ecr:BatchGetImage'
                  - 'ecr:GetDownloadUrlForLayer'
                Resource: '*'
  ECSRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ec2:AttachNetworkInterface'
                  - 'ec2:CreateNetworkInterface'
                  - 'ec2:CreateNetworkInterfacePermission'
                  - 'ec2:DeleteNetworkInterface'
                  - 'ec2:DeleteNetworkInterfacePermission'
                  - 'ec2:Describe*'
                  - 'ec2:DetachNetworkInterface'
                  - 'elasticloadbalancing:DeregisterInstancesFromLoadBalancer'
                  - 'elasticloadbalancing:DeregisterTargets'
                  - 'elasticloadbalancing:Describe*'
                  - 'elasticloadbalancing:RegisterInstancesWithLoadBalancer'
                  - 'elasticloadbalancing:RegisterTargets'
                Resource: '*'
Outputs:
  ClusterName:
    Description: The name of the ECS cluster
    Value: !Ref ECSCluster
    Export:
      Name: !Join
        - ':'
        - - !Ref 'AWS::StackName'
          - ClusterName
  ECSRole:
    Description: The ARN of the ECS role
    Value: !GetAtt ECSRole.Arn
    Export:
      Name: !Join
        - ':'
        - - !Ref 'AWS::StackName'
          - ECSRole
```
The issue is that at the final stage of creating the AutoScaling role, it hangs and errors out with a failure to receive a successful status code.
Error:
Received 0 SUCCESS signal(s) out of 1. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement
Any help would be greatly appreciated, thank you for your time.
A possible reason could be the following line:
yum install cloud-init
Since you are missing `-y`, `yum` probably is waiting for a manual confirmation. The line should be replaced with
yum install -y cloud-init
Also, I'm not sure what is the meaning of:
ImageId: <custom ami>
since you are using SSM AMI parameter. Thus, natural procedure would be to use it:
ImageId: !Ref ECSAMI
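
As an added example (not part of the question or the answer), a small heuristic lint for the UserData script above flags the unattended-install problem the answer points at, and also the way `#!/bin/bash -xe` interacts with an inline `cfn-signal` call. The helper name `lint_user_data` and the literal values substituted for the `!Sub` placeholders are assumptions made for the example.

```python
import re
import shlex

# Constructed sample: the question's UserData, with the !Sub placeholders
# replaced by literal values (stack name "demo", region "us-west-2").
USER_DATA = """#!/bin/bash -xe
yum update -y
yum install -y aws-cfn-bootstrap
yum install cloud-init
echo ECS_CLUSTER=demo >> /etc/ecs/ecs.config
/opt/aws/bin/cfn-signal -e $? --stack demo --resource ECSAutoScalingGroup --region us-west-2
systemctl enable amazon-ssm-agent
systemctl start amazon-ssm-agent
"""


def lint_user_data(script):
    """Heuristic lint (hypothetical helper): return (line_no, message) findings."""
    lines = script.splitlines()
    shebang = lines[0] if lines and lines[0].startswith("#!") else ""
    # errexit is active when the shebang carries -e (as in -xe) or `set -e` appears.
    errexit = bool(re.search(r"\s-[a-zA-Z]*e", shebang)) or any(
        re.match(r"\s*set\s+-[a-zA-Z]*e", line) for line in lines)
    has_trap = any(re.match(r"\s*trap\s", line) for line in lines)
    findings = []
    for line_no, line in enumerate(lines, 1):
        try:
            words = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes; out of scope for this heuristic
        if not words:
            continue
        if (words[0] in ("yum", "dnf") and "install" in words
                and not {"-y", "--assumeyes"} & set(words)):
            findings.append((line_no, "install without -y needs a confirmation "
                                      "that nobody can give during boot"))
        if words[0].endswith("cfn-signal") and errexit and not has_trap:
            findings.append((line_no, "errexit without a trap: a failure on any "
                                      "earlier line ends the script before this "
                                      "signal is sent, so the stack only times out"))
    return findings


if __name__ == "__main__":
    for line_no, message in lint_user_data(USER_DATA):
        print(f"line {line_no}: {message}")
```

Sending the signal from a `trap ... EXIT` handler lets CloudFormation receive the real exit status, so a failed bootstrap is reported instead of waiting out the `PT5M` timeout.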