cloudformation-coverage-roadmap
EKS Cluster Certificate Data too long for output
Name of the resource
AWS::EKS::Cluster
Resource Name
n/a
Issue Description
I have the following output section:
    Outputs:
      EksClusterCertificateData:
        Description: "Certificate Data for EksCluster"
        Value:
          Fn::GetAtt:
            - "EksCluster"
            - "CertificateAuthorityData"
        Export:
          Name:
            Fn::Join:
              - '-'
              - - Ref: AWS::StackName
                - "EksClusterCertificateData"
However, during the CloudFormation deployment, the following error is generated:
Cannot export output EksClusterCertificateData with length 1424. Max length of 1024 exceeded.. Rollback requested by user.
Can the max. output length perhaps not be increased to something more reasonable for certificates?
Expected Behavior
The certificate data should be present in the CloudFormation outputs
Observed Behavior
During the CloudFormation deployment, the following error is generated:
Cannot export output EksClusterCertificateData with length 1424. Max length of 1024 exceeded.. Rollback requested by user.
Test Cases
Create any EKS cluster and try to export the certificate data in the Outputs.
Other Details
No response
Same problem met here using CDK, in the following conditions:
- EKS Cluster created using CDK with NodeGroup (Automatic ASG and LaunchTemplate created), and no specific ASG --> no problem met
- EKS Cluster created using CDK without NodeGroup + add an ASG with CDK (connectAutoScalingGroupCapacity method, class AutoScalingGroup).
  In this case the template created for the EKS Cluster contains CertificateAuthorityData as an exported output, which is used as an imported value for the ASG, but the export cannot be done on cluster creation, so the cluster is rolled back.
  "Cannot export output ExportsOutputFnGetAttTTIntegrationCluster1A5876DACertificateAuthorityData4FB22293 with length 1468. Max length of 1024 exceeded.. Rollback requested by user.."
@nicc777 did you find any solution for this issue? I have encountered this recently 😿
@mateusz-szczesny At the moment I am using the AWS API to obtain the certificate data in order to inject it as a parameter into other CF templates that need it. Not sure if there is a better workaround.
The better way I found so far is to decouple it using SSM Parameter Store:

    # Assumes: from aws_cdk import aws_ssm as ssm
    # Store the cluster CA data under a well-known parameter name
    ssm.StringParameter(
        self,
        "ClusterCaData",
        parameter_name=f"/platform/{self.name}ClusterCaData",
        string_value=self.cluster.cluster_certificate_authority_data,
    )

And reference it in the other stack:

    # Look the value up by name instead of importing a stack export
    string_value = ssm.StringParameter.value_from_lookup(self, "/platform/ClusterDevClusterCaData")

Edit: Of course this is something in CDK, but you can try with AWS::SSM::Parameter in CloudFormation.
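The plain CloudFormation form of the SSM workaround suggested in the last comment, as an added example that is not part of the original thread or the project's own code. The parameter names `ClusterRoleArn` and `SubnetIds`, the resource names, and the launch-template consumer are assumptions made for illustration; the parameter path is the one used in the comment above.

```yaml
# Template 1 (cluster stack): publish the CA data to SSM instead of exporting it.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ClusterRoleArn:              # assumed: existing IAM role for the EKS control plane
    Type: String
  SubnetIds:                   # assumed: existing subnets for the cluster
    Type: List<AWS::EC2::Subnet::Id>
Resources:
  EksCluster:
    Type: AWS::EKS::Cluster
    Properties:
      RoleArn: !Ref ClusterRoleArn
      ResourcesVpcConfig:
        SubnetIds: !Ref SubnetIds
  ClusterCaDataParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /platform/ClusterDevClusterCaData
      Description: Base64 CA certificate of the EKS cluster
      # The CA certificate is public material, so a plain String parameter fits.
      # Standard-tier parameters hold up to 4 KB, enough for the 1424-character
      # value that the 1024-character export limit rejected.
      Type: String
      Value: !GetAtt EksCluster.CertificateAuthorityData
---
# Template 2 (consumer stack, kept in a separate file): read the value by name.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ClusterCaData:
    # CloudFormation resolves the SSM parameter on stack create/update.
    Type: AWS::SSM::Parameter::Value<String>
    Default: /platform/ClusterDevClusterCaData
Resources:
  NodeLaunchTemplate:          # assumed consumer; any resource can use !Ref ClusterCaData
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData:
        UserData:
          Fn::Base64: !Sub |
            #!/bin/bash
            # Decode the cluster CA so the node can verify the API server.
            echo "${ClusterCaData}" | base64 -d > /etc/kubernetes/pki/ca.crt
```

CloudFormation does not track a dependency between the two stacks in this layout, so the cluster stack has to be deployed first and the consumer stack updated whenever the parameter value changes.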