agc account activate fails to create VPC in China region

Open Marlin-Na opened this issue 2 years ago • 5 comments

Trying to run agc account activate without specifying a custom --vpc results in the following error:

2022-05-22T22:49:10-06:00 ✘  Agc-Core | 10:47:18 PM | CREATE_FAILED        | AWS::EC2::VPCEndpoint                 | Vpc/AgcEcrDkrEndpoint (VpcAgcEcrDkrEndpointXXXXXXXX) The Vpc Endpoint Service 'com.amazonaws.cn-northwest-1.ecr.dkr' does not exist (Service: AmazonEC2; Status Code: 400; Error Code: InvalidServiceName; Request ID: xxxxxxxx; Proxy: null)

I guess this is related to the version of CDK bundled with amazon-genomics-cli. See https://github.com/aws/aws-cdk/issues/9864

AGC Version: 1.4.0

Marlin-Na avatar May 23 '22 05:05 Marlin-Na

One other error which is related to agc context deploy (after creating and using a custom cromwell ECR mirror):

Partition "aws" is not valid for resource "arn:aws:ecr:cn-northwest-1:<account_id>:repository/aws/cromwell-mirror". 
(Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: xxx; Proxy: null)

Marlin-Na avatar May 23 '22 05:05 Marlin-Na

Hi @Marlin-Na,

Amazon Genomics CLI is not officially supported in AWS China regions. It is something we are evaluating for a future release based on customer feedback.

Per your individual errors:

When agc creates a VPC on its own (the default), it will also create a few VPC endpoints to help reduce costs by reducing traffic through the NAT Gateway - e.g. one for S3 and another for DynamoDB. As the issue you've identified is upstream in the CDK we'd need to wait for it to be resolved there before it can be fixed in agc.

Can you describe how you are creating a custom Cromwell mirror? It looks like the partition is incorrect for pulling a container from an ECR registry in cn-northwest-1.

wleepang avatar May 23 '22 17:05 wleepang

Thanks for your response. I understand it is not supported yet, but want to report the errors anyway to see if that can help you (in future) when you plan to support the China regions.

For the custom cromwell mirror, I am setting it up in the same account and China region where I deploy the AGC, according to #461. Then I use environment variables (ECR_CROMWELL_ACCOUNT_ID, ECR_CROMWELL_REGION and ECR_CROMWELL_TAG) to indicate the image location. I guess the error is probably because the partition aws is hardcoded somewhere in the code while the actual partition should be aws-cn, which is understandable since you haven't considered that use case.

Marlin-Na avatar May 23 '22 18:05 Marlin-Na
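The partition mismatch discussed above can be caught before deployment. The following is an added example, not code from this thread or from the amazon-genomics-cli code base: it derives the partition from the region when building an ECR ARN and lints an IAM policy document for Resource ARNs whose partition does not fit their region. The function names, the sample policy and the account ID 111122223333 are constructed for illustration, and the region-to-partition mapping is simplified to three partitions.

```python
# Simplified assumption: only the commercial, China and GovCloud partitions.
PARTITION_BY_REGION_PREFIX = (("cn-", "aws-cn"), ("us-gov-", "aws-us-gov"))

def partition_for_region(region):
    for prefix, partition in PARTITION_BY_REGION_PREFIX:
        if region.startswith(prefix):
            return partition
    return "aws"

def ecr_repository_arn(region, account_id, repository):
    """Build an ECR repository ARN with the partition derived from the region."""
    return f"arn:{partition_for_region(region)}:ecr:{region}:{account_id}:repository/{repository}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_partition_mismatches(policy, deploy_region):
    """Return (arn, reason) for each Resource ARN in the wrong partition."""
    expected = partition_for_region(deploy_region)
    findings = []
    for statement in _as_list(policy.get("Statement", [])):
        for arn in _as_list(statement.get("Resource", [])):
            if arn == "*":
                continue
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) != 6 or parts[0] != "arn":
                findings.append((arn, "not a well-formed ARN"))
                continue
            partition, region = parts[1], parts[3]
            if region not in ("", "*") and partition_for_region(region) != partition:
                findings.append((arn, f"partition {partition!r} does not match region {region!r}"))
            elif partition != expected:
                findings.append((arn, f"partition {partition!r} differs from deploy partition {expected!r}"))
    return findings

# Constructed sample policy; 111122223333 is a placeholder account ID.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:BatchGetImage",
         "Resource": "arn:aws:ecr:cn-northwest-1:111122223333:repository/aws/cromwell-mirror"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws-cn:s3:::example-bucket/*"},
    ],
}

if __name__ == "__main__":
    for arn, reason in find_partition_mismatches(SAMPLE_POLICY, "cn-northwest-1"):
        print(f"{arn}: {reason}")
```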

Hi @Marlin-Na, you may also need to ensure the repository name is aws/cromwell-mirror; however, if that is what you are using, then it could be that CDK is not looking up the container as expected.

markjschreiber avatar May 24 '22 16:05 markjschreiber

@markjschreiber Yes, I was using aws/cromwell-mirror as the repository name.

Marlin-Na avatar May 24 '22 16:05 Marlin-Na