terraform-aws-bastion
sync users not running
Here is a snippet of my .tf:

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = var.environment_name
  cidr = "10.2.0.0/16"

  azs             = ["us-east-2a", "us-east-2b", "us-east-2c"]
  private_subnets = ["10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24"]
  public_subnets  = ["10.2.101.0/24", "10.2.102.0/24", "10.2.103.0/24"]

  enable_nat_gateway = true
  enable_vpn_gateway = true

  tags = {
    terraform   = "true"
    environment = var.environment_name
  }
}

module "bastion" {
  source = "Guimove/bastion/aws"

  bucket_name                = "bowtie-${var.environment_name}"
  region                     = "eu-east-2"
  vpc_id                     = module.vpc.vpc_id
  is_lb_private              = "false"
  bastion_host_key_pair      = "bowtie-dev"
  create_dns_record          = "false"
  elb_subnets                = module.vpc.public_subnets
  auto_scaling_group_subnets = module.vpc.private_subnets

  tags = {
    terraform   = "true"
    environment = var.environment_name
    name        = "bastion-${var.environment_name}"
  }
}
This doesn't appear to be adding the sync_users command to the crontab. No users are ever created, either on startup if the bucket is there with data in it, or anytime thereafter. Everything seems to be created properly in AWS and I can log into the bastion server as the ec2_user with the proper key pair .pem file.
What am I doing wrong? Neat solution, if I can get it to work.
Hmm, I don't see any issue with your code; I think the issue is in the user data script execution.
Are all the scripts created on the server?
I mean, are these scripts present on the bastion:
- /usr/bin/bastion/sync_users
- /usr/bin/bastion/sync_s3
- /usr/bin/bastion/shell
Is the crontab of the root user empty?
The scripts are there, no crontab entry.
I am getting the same issue as well; however, I see crontab entries present on my bastion box, and the sync_users file is also present at /usr/bin/bastion/:

[root@ip-10-122-22-79 home]# crontab -l
*/5 * * * * /usr/bin/bastion/sync_users
0 0 * * * yum -y update --security
*/5 * * * * /usr/bin/bastion/sync_s3
@brunelloriserva did you get your problem sorted? @Guimove - can you please help us with this.
AWS: it looks like the aws cli version on this bastion is 1.2x.
NOTE: I am not sure, but it looks like it does not respond at the following script line: aws s3api list-objects --bucket
I got the same issue, and it has something to do with the s3 bucket name. I renamed the s3 bucket after the second apply. The s3 bucket was replaced just fine, but the scripts inside the ec2 instance were not updated and they still point to the old bucket.
@matloob-smartmimic @brunelloriserva I resolved my issue by making sure that the bastion EC2 instance is updated with the latest launch template version. You can compare the EC2 tag aws:ec2launchtemplate:version with the launch template tag.
TLDR: Triggering an instance refresh on EC2 > Auto Scaling Groups > ${bastion ASG} > Instance Refresh resolved my issue. You can also do this using awscli.
@Guimove I guess the fix would be utilizing https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#instance_refresh.
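The awscli route from the comment above, written out as an added example (not code from the module or from anyone in this thread): it compares each instance's recorded launch template version with the version the ASG currently points at and starts an instance refresh when they differ. It assumes aws CLI credentials for the right region and takes the bastion ASG name as its first argument; the ASG name itself is whatever the module created in your account.

```shell
#!/bin/sh
# Added example, not code from the module or from anyone in this thread:
# find bastion instances still on an older launch template version than their
# ASG and start an instance refresh with the aws CLI, so the user data that
# writes the cron entries and bucket name into /usr/bin/bastion is re-applied.
# Assumes aws CLI credentials for the region; the ASG name is passed as $1.
set -eu

# Map the ASG's symbolic version ("$Latest"/"$Default") to a number using the
# template's LatestVersionNumber/DefaultVersionNumber. Pure, so it is testable.
resolve_lt_version() {
  case "$1" in
    '$Latest')  printf '%s\n' "$2" ;;
    '$Default') printf '%s\n' "$3" ;;
    *)          printf '%s\n' "$1" ;;
  esac
}

# Read "<instance-id> <version>" lines on stdin and print the IDs whose
# version is not the wanted one. Pure as well.
stale_instances() {
  while read -r id version; do
    [ "$version" = "$1" ] || printf '%s\n' "$id"
  done
}

# Live part: query the ASG and its launch template, then refresh if anything is stale.
check_and_refresh() {
  asg=$1
  set -- $(aws autoscaling describe-auto-scaling-groups \
    --auto-scaling-group-names "$asg" --output text \
    --query 'AutoScalingGroups[0].LaunchTemplate.[LaunchTemplateId,Version]')
  lt_id=$1; asg_version=$2
  set -- $(aws ec2 describe-launch-templates --launch-template-ids "$lt_id" \
    --output text --query 'LaunchTemplates[0].[LatestVersionNumber,DefaultVersionNumber]')
  wanted=$(resolve_lt_version "$asg_version" "$1" "$2")
  stale=$(aws autoscaling describe-auto-scaling-groups \
    --auto-scaling-group-names "$asg" --output text \
    --query 'AutoScalingGroups[0].Instances[].[InstanceId,LaunchTemplate.Version]' \
    | stale_instances "$wanted")
  if [ -z "$stale" ]; then
    printf 'all instances of %s run launch template version %s\n' "$asg" "$wanted"
    return 0
  fi
  printf 'stale instances (old user data, cron entries, bucket name):\n%s\n' "$stale"
  aws autoscaling start-instance-refresh --auto-scaling-group-name "$asg"
}
# Run the live check only when an ASG name is given, so the file can also be sourced.
if [ "$#" -ge 1 ]; then check_and_refresh "$1"; fi
```

Progress of the refresh can be followed with `aws autoscaling describe-instance-refreshes --auto-scaling-group-name <asg>`; once the new instance is up, `crontab -l` as root should show the sync_users entry.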
I had this problem when I was setting auto_scaling_group_subnets to private subnets, just like @brunelloriserva. The fix was using public subnets for the ASG and triggering an Instance Refresh as indicated by @kcasas.
@josescuderoh I'm having the same problem. How do you trigger an Instance Refresh?