amazon-web-services - CloudFormation cfn-init 在 Ubuntu 基础上的 AWS::EC2::LaunchTemplate 中中断

Question

我正在尝试使用 CloudFormation cfn-init 在基于 Ubuntu 18.04 构建的集群中引导创建按需计算节点。由于某种原因，cnf-init 进入死循环。这是我尝试使用的 CloudFormation:

Resources:
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: 
                  - ec2:DescribeTags
                  - cloudformation:DescribeStackResource
                Resource: '*'

  InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref InstanceRole

  LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Metadata:
      AWS::CloudFormation::Init:
        configSets:
          default:
            - "basic"
        basic:
          files:
            /home/ubuntu/.emacs:
              content: !Sub |
                ;; ========== Configuring basic Emacs behavior ==========
                ;; Try to auto split vertically all the time
                (setq split-height-threshold nil)
              
                ;; ========== Enable Line and Column Numbering ==========
              
                ;; Show line-number in the mode line
                (line-number-mode 1)
              
                ;; Show column-number in the mode line
                (column-number-mode 1)
              
                ;; Display size in human format in Dired mode
                (setq dired-listing-switches "-alh")
              mode: "000644"
              owner: "ubuntu"
              group: "ubuntu"
          
          packages:
            apt:
              build-essential: []
              emacs-nox: []
    Properties:
      LaunchTemplateData:
        ImageId: ami-07a29e5e945228fa1
        IamInstanceProfile:
          Arn: !GetAtt [ InstanceProfile, Arn ]    
        UserData:
          Fn::Base64:
            !Sub |
              #!/bin/bash -x

              # Install the aws CloudFormation Helper Scripts
              apt-get update -y && apt-get upgrade -y
              apt-get install -y python2.7 
              update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
              curl https://bootstrap.pypa.io/get-pip.py --output get-pip.py
              python get-pip.py
              rm get-pip.py

              pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz

              ## Running init stack
              cfn-init -v --stack ${AWS::StackName} --resource LaunchTemplate --region ${AWS::Region}
      LaunchTemplateName: MyLaunchTemplate

查看/var/log/cfn-init.log并没有多大帮助

2020-11-11 17:17:59,172 [DEBUG] CloudFormation client initialized with endpoint https://cloudformation.us-west-2.amazonaws.com
2020-11-11 17:17:59,172 [DEBUG] Describing resource LaunchTemplate in stack LaunchTemplate
2020-11-11 17:17:59,237 [ERROR] Throttling: Rate exceeded
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cfnbootstrap/util.py", line 162, in _retry
    return f(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/cfnbootstrap/util.py", line 234, in _timeout
    raise exc[0]
HTTPError: 400 Client Error: Bad Request
2020-11-11 17:17:59,237 [DEBUG] Sleeping for 0.143176 seconds before retrying
2020-11-11 17:17:59,381 [DEBUG] Describing resource LaunchTemplate in stack LaunchTemplate
2020-11-11 17:17:59,445 [ERROR] Throttling: Rate exceeded
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cfnbootstrap/util.py", line 162, in _retry
    return f(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/cfnbootstrap/util.py", line 234, in _timeout
    raise exc[0]
HTTPError: 400 Client Error: Bad Request
2020-11-11 17:17:59,445 [DEBUG] Sleeping for 1.874780 seconds before retrying
2020-11-11 17:18:01,323 [DEBUG] Describing resource LaunchTemplate in stack LaunchTemplate

调查/var/log/cloud-init.log，我可以看到它首先中断的位置:

(...)
2020-11-11 17:16:57,175 - util.py[DEBUG]: Running command ['/var/lib/cloud/instance/scripts/part-001'] with allowed return codes [0] (shell=False, capture=False)
2020-11-11 17:21:17,126 - util.py[WARNING]: Failed running /var/lib/cloud/instance/scripts/part-001 [1]
2020-11-11 17:21:17,129 - util.py[DEBUG]: Failed running /var/lib/cloud/instance/scripts/part-001 [1]
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/cloudinit/util.py", line 878, in runparts
  File "/usr/lib/python3/dist-packages/cloudinit/util.py", line 2164, in subp
    break
cloudinit.util.ProcessExecutionError: Unexpected error while running command.
Command: ['/var/lib/cloud/instance/scripts/part-001']
Exit code: 1
Reason: -
Stdout: -
Stderr: -
(...)

这是模板的UserData的内容:

$ cat /var/lib/cloud/instance/scripts/part-001
#!/bin/bash -x

# Install the aws CloudFormation Helper Scripts
apt-get update -y && apt-get upgrade -y
apt-get install -y python2.7 
update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
curl https://bootstrap.pypa.io/get-pip.py --output get-pip.py
python get-pip.py
rm get-pip.py

pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz

## Running init stack
cfn-init -v --stack LaunchTemplate --resource LaunchTemplate --region us-west-2

即使我在 InstanceRole 中设置了 cloudformation:DescribeStackResource，以 root 身份运行脚本也会返回以下错误:

(...)
Successfully built aws-cfn-bootstrap
+ cfn-init -v --stack LaunchTemplate --resource LaunchTemplate --region us-west-2
AccessDenied: Instance i-0bcf477579987a0e8 is not allowed to call DescribeStackResource for LaunchTemplate

这真的很奇怪，因为当我使用相同的 AMI 在 AWS::EC2::Instance 中执行相同操作时效果很好。知道这是怎么回事吗？我错过了什么？

谢谢

Answer 1

这可能是因为 --resource LaunchTemplate 不正确。它应该是使用启动模板的 ASG 或实例资源，而不是 LaunchTemplate 本身。