aws-eks: aws-auth creation failure takes 1 hour #30455

Closed
taku-hatano opened this issue Jun 5, 2024 · 4 comments
Labels
@aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service bug This issue is a bug. effort/small Small work item – less than a day of effort p3 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@taku-hatano

Describe the bug

While creating the cluster stack, the aws-auth creation step failed, and it took 1 hour for the parent stack to fail.
The error message is below:

CloudFormation did not receive a response from your Custom Resource. Please check your logs for requestId [ca31f6eb-af1b-412e-8a06-f312c8affcc7]. If you are using the Python cfn-response module, you may need to update your Lambda function code so that CloudFormation can attach the updated version.

(Parent stack fails after 1 hour regardless of whether Lambda processing fails or succeeds)

Expected Behavior

If aws-auth creation fails/succeeds, the parent stack will also fail/succeed immediately.

Current Behavior

If aws-auth creation fails/succeeds, the parent stack fails after 1 hour.

Reproduction Steps

Deploy with this code.

		const vpc = Vpc.fromLookup(this, "vpc", {
			vpcId: "your-vpc-id",
		});

		const eksRole = new Role(this, "eksRole", {
			assumedBy: new ServicePrincipal("eks.amazonaws.com"),
			managedPolicies: [
				ManagedPolicy.fromAwsManagedPolicyName("AmazonEKSClusterPolicy"),
				ManagedPolicy.fromAwsManagedPolicyName("AmazonEKSServicePolicy"),
			],
		});

		const clusterAdmin = new Role(this, "clusterAdmin", {
			assumedBy: new AccountRootPrincipal(),
		});

		const cluster = new Cluster(this, "cluster", {
			defaultCapacity: 0,
			vpc,
			role: eksRole,
			mastersRole: clusterAdmin,
			clusterName: "sample-eks-cluster",
			vpcSubnets: [
				{
					subnetType: SubnetType.PUBLIC,
				},
				{
					subnetType: SubnetType.PRIVATE_WITH_EGRESS,
				},
			],
		});

		const awsAuth = new AwsAuth(this, "awsAuth", {
			cluster,
		});
		awsAuth.addMastersRole(
			Role.fromRoleArn(this, "clusterAdminAtAwsAuth", clusterAdmin.roleArn),
			clusterAdmin.roleName,
		);

Possible Solution

I read the deployed Lambda handler code, but I cannot find the cfn response.
ref. here

Where is the cfn response for Python custom resource handlers?

Additional Information/Context

No response

CDK CLI Version

2.137.0 (build bb90b4c)

Framework Version

No response

Node.js Version

v20.14.0

OS

AmazonLinux 2023.3.20240312

Language

TypeScript

Language Version

5.4.3

Other information

No response
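
The error quoted in this report is what CloudFormation shows when no response object reaches the `ResponseURL` of a custom resource request. As an added example (not the CDK's handler code and not from this thread), a Python wrapper that always reports SUCCESS or FAILED, even when the work raises; the sample event, the `failing_work` function and its error text are constructed placeholders.

```python
import json
import urllib.request

def build_response(event, status, reason="", data=None):
    """Response object CloudFormation waits for from a custom resource."""
    return {
        "Status": status,  # "SUCCESS" or "FAILED"
        "Reason": reason or "See the function's CloudWatch logs",
        # Create events carry no PhysicalResourceId; Update/Delete must echo it.
        "PhysicalResourceId": event.get("PhysicalResourceId") or event["RequestId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }

def put_response(url, body):
    """HTTP PUT the JSON body to the presigned ResponseURL."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 method="PUT", headers={"Content-Type": ""})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

def handle(event, work, send=put_response):
    """Run work(event) and report the outcome whether it succeeds or raises."""
    try:
        body = build_response(event, "SUCCESS", data=work(event))
    except Exception as exc:
        # Without this branch an exception leaves the stack waiting for a reply.
        body = build_response(event, "FAILED", reason=f"{type(exc).__name__}: {exc}")
    send(event["ResponseURL"], body)
    return body

# Constructed sample Create event (all values are placeholders).
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://example.invalid/presigned-response-url",
    "StackId": "arn:aws:cloudformation:us-east-1:111122223333:stack/sample/constructed",
    "RequestId": "constructed-request-id",
    "LogicalResourceId": "awsAuthManifest",
}

def failing_work(event):
    raise RuntimeError("constructed failure while applying manifest")

def demo():
    """Capture what would be sent instead of making a network call."""
    sent = []
    handle(SAMPLE_EVENT, failing_work, send=lambda url, body: sent.append((url, body)))
    return sent
```
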

@taku-hatano taku-hatano added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 5, 2024
@github-actions github-actions bot added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label Jun 5, 2024
@pahud
Contributor

pahud commented Jun 5, 2024

Can you try removing this and creating a new VPC and see if the issue still exists?

		const vpc = Vpc.fromLookup(this, "vpc", {
			vpcId: "your-vpc-id",
		});

And

		awsAuth.addMastersRole(
			Role.fromRoleArn(this, "clusterAdminAtAwsAuth", clusterAdmin.roleArn),
			clusterAdmin.roleName,
		);

This should not be required, as when you specify

		mastersRole: clusterAdmin,

The clusterAdmin should already be added with addMastersRole

		if (props.mastersRole) {
			const mastersRole = props.mastersRole;
			// map the IAM role to the `system:masters` group.
			this.awsAuth.addMastersRole(mastersRole);

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jun 5, 2024
@taku-hatano
Author

> Can you try removing this and creating a new VPC and see if the issue still exists?

I tried it and the process completed successfully!
If I find out why the first code fails, I'll comment.

Thank you for your help.


github-actions bot commented Jun 5, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@aws-cdk-automation
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024