aws-eks: aws-auth creation failure takes 1 hour #30455

Closed
taku-hatano opened this issue Jun 5, 2024 · 4 comments
Labels
@aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service bug This issue is a bug. effort/small Small work item – less than a day of effort p3 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@taku-hatano

Describe the bug

When creating the cluster stack, the aws-auth creation step failed, and it took 1 hour for the parent stack to fail.
The error message is below:

CloudFormation did not receive a response from your Custom Resource. Please check your logs for requestId [ca31f6eb-af1b-412e-8a06-f312c8affcc7]. If you are using the Python cfn-response module, you may need to update your Lambda function code so that CloudFormation can attach the updated version.

(Parent stack fails after 1 hour regardless of whether Lambda processing fails or succeeds)

Expected Behavior

If aws-auth creation fails/succeeds, the parent stack will also fail/succeed immediately.

Current Behavior

If aws-auth creation fails/succeeds, the parent stack fails after 1 hour.

Reproduction Steps

Deploy with this code.

		const vpc = Vpc.fromLookup(this, "vpc", {
			vpcId: "your-vpc-id",
		});

		const eksRole = new Role(this, "eksRole", {
			assumedBy: new ServicePrincipal("eks.amazonaws.com"),
			managedPolicies: [
				ManagedPolicy.fromAwsManagedPolicyName("AmazonEKSClusterPolicy"),
				ManagedPolicy.fromAwsManagedPolicyName("AmazonEKSServicePolicy"),
			],
		});

		const clusterAdmin = new Role(this, "clusterAdmin", {
			assumedBy: new AccountRootPrincipal(),
		});

		const cluster = new Cluster(this, "cluster", {
			defaultCapacity: 0,
			vpc,
			role: eksRole,
			mastersRole: clusterAdmin,
			clusterName: "sample-eks-cluster",
			vpcSubnets: [
				{
					subnetType: SubnetType.PUBLIC,
				},
				{
					subnetType: SubnetType.PRIVATE_WITH_EGRESS,
				},
			],
		});

		const awsAuth = new AwsAuth(this, "awsAuth", {
			cluster,
		});
		awsAuth.addMastersRole(
			Role.fromRoleArn(this, "clusterAdminAtAwsAuth", clusterAdmin.roleArn),
			clusterAdmin.roleName,
		);

Possible Solution

I read the deployed Lambda handler code, but I cannot find the cfn response.
ref. here

Where is cfn response for Python custom resource handlers?

Additional Information/Context

No response

CDK CLI Version

2.137.0 (build bb90b4c)

Framework Version

No response

Node.js Version

v20.14.0

OS

AmazonLinux 2023.3.20240312

Language

TypeScript

Language Version

5.4.3

Other information

No response

@taku-hatano taku-hatano added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 5, 2024
@github-actions github-actions bot added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label Jun 5, 2024
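
The error quoted in the report is what CloudFormation shows when a custom resource handler never delivers its result document to the pre-signed `ResponseURL` carried in the request event. As an added illustration of that contract (not the CDK's handler code and not from this thread), the code below builds the response and sends it on both success and exception; all type and function names, and the injected `send` callback standing in for the HTTP PUT, are assumptions.

```typescript
// Added illustration; every name here is hypothetical, not CDK or project code.
type Ids = { StackId: string; RequestId: string; LogicalResourceId: string };
type CfnEvent = Ids & {
  RequestType: "Create" | "Update" | "Delete";
  ResponseURL: string; // pre-signed URL the handler must PUT its result to
  PhysicalResourceId?: string; // present on Update and Delete
};
type CfnResponse = Ids & {
  Status: "SUCCESS" | "FAILED";
  Reason?: string; // required when Status is FAILED
  PhysicalResourceId: string;
  Data?: Record<string, string>;
};
type Result = { physicalId: string; data?: Record<string, string> };
type Outcome = { ok: true; result: Result } | { ok: false; error: unknown };

// Pure mapping from a handler outcome to the response document.
function toCfnResponse(event: CfnEvent, outcome: Outcome): CfnResponse {
  const ids: Ids = { StackId: event.StackId, RequestId: event.RequestId, LogicalResourceId: event.LogicalResourceId };
  if (outcome.ok) {
    const { physicalId, data } = outcome.result;
    return { ...ids, Status: "SUCCESS", PhysicalResourceId: physicalId, Data: data };
  }
  const err = outcome.error;
  return {
    ...ids,
    Status: "FAILED",
    Reason: err instanceof Error ? err.message : String(err),
    // Reuse the existing id on Update/Delete; make one up if Create failed.
    PhysicalResourceId: event.PhysicalResourceId ?? `failed-${event.RequestId}`,
  };
}

// Runs `work` and always sends an outcome, even when `work` throws.
// `send` stands in for the HTTP PUT and is injected so the example runs offline.
async function respondAlways(
  event: CfnEvent,
  work: (e: CfnEvent) => Promise<Result>,
  send: (url: string, body: string) => Promise<void>,
): Promise<CfnResponse> {
  let outcome: Outcome;
  try {
    outcome = { ok: true, result: await work(event) };
  } catch (error) {
    outcome = { ok: false, error };
  }
  const response = toCfnResponse(event, outcome);
  await send(event.ResponseURL, JSON.stringify(response));
  return response;
}
```
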
@pahud
Contributor

pahud commented Jun 5, 2024

Can you try removing this and creating a new VPC to see if the issue still exists?

		const vpc = Vpc.fromLookup(this, "vpc", {
			vpcId: "your-vpc-id",
		});

And

		awsAuth.addMastersRole(
			Role.fromRoleArn(this, "clusterAdminAtAwsAuth", clusterAdmin.roleArn),
			clusterAdmin.roleName,
		);

This should not be required, as when you specify

			mastersRole: clusterAdmin,

The clusterAdmin should already be added with addMastersRole

		if (props.mastersRole) {
			const mastersRole = props.mastersRole;
			// map the IAM role to the `system:masters` group.
			this.awsAuth.addMastersRole(mastersRole);

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jun 5, 2024
@taku-hatano
Author

> Can you try removing this and creating a new VPC to see if the issue still exists?

I tried it and the process completed successfully!
If I find out why the first code fails, I'll comment.

Thank you for your help.


github-actions bot commented Jun 5, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@aws-cdk-automation
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024