Description
This is a little hard to explain, but hopefully walking down through the stack gets to the point: the current order of the ASG bootstrap script means that the LB health checks fail.
Starting with this line in the following file, CloudGuard-NS-AWS-GWLB/tgw-gwlb.yaml, line 510 in d253ea1:

```yaml
TemplateURL: https://cgi-cfts.s3.amazonaws.com/gwlb/gwlb.yaml
```
This uses a nested stack to download https://cgi-cfts.s3.amazonaws.com/gwlb/gwlb.yaml to launch the first part of this stack.
Within this file, at line 373, it then uses another nested stack to download https://cgi-cfts.s3.amazonaws.com/gwlb/autoscale-gwlb.yaml, and one of the parameters, GatewayBootstrapScript, includes the following at lines 393-403:
```yaml
GatewayBootstrapScript: !Join
  - ';'
  - - 'echo -e "\nStarting Bootstrap script\n"'
    - 'echo "Updating cloud-version file"'
    - 'template="autoscale_gwlb"'
    - 'cv_path="/etc/cloud-version"'
    - 'if test -f ${cv_path}; then sed -i ''/template_name/c\template_name: ''"${template}"'''' /etc/cloud-version; fi'
    - 'cv_json_path="/etc/cloud-version.json"'
    - 'cv_json_path_tmp="/etc/cloud-version-tmp.json"'
    - 'if test -f ${cv_json_path}; then cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' > ${cv_json_path_tmp}; mv ${cv_json_path_tmp} ${cv_json_path}; fi'
    - 'echo -e "\nFinished Bootstrap script\n"'
```
This sets the cloud-version files to include the template name "autoscale_gwlb", which is expected. However, in the autoscale-gwlb.yaml stack, from line 407 onwards, the template includes the above script and then appends its own commands, which change the value:
```yaml
- !Join ['', ['bootstrap="$(echo ', 'Fn::Base64': !Ref GatewayBootstrapScript, ' | base64 -d)"']]
- 'echo "Updating cloud-version file"'
- 'template="autoscale"'
- 'cv_path="/etc/cloud-version"'
- 'echo "Updating cloud-version file"'
- 'if test -f ${cv_path}; then'
- '  echo template_name: ${template} >> ${cv_path}'
- '  echo template_version: 20211212 >> ${cv_path}'
- 'fi'
- 'cv_json_path="/etc/cloud-version.json"'
- 'cv_json_path_tmp="/etc/cloud-version-tmp.json"'
- 'if test -f ${cv_json_path}; then'
- '  cat ${cv_json_path} | jq ''.template_name = "''"${template}"''"'' | jq ''.template_version = "20211212"'' > ${cv_json_path_tmp}'
- '  mv ${cv_json_path_tmp} ${cv_json_path}'
- 'fi'
- 'if [[ -z ${pwd_hash} ]]; then'
- '  echo "Generating random password hash"'
- '  pwd_hash="$(dd if=/dev/urandom count=1 2>/dev/null | sha1sum | cut -c -28)"'
- 'fi'
```
This changes the value to `autoscale`, without the `_gwlb` at the end.
When the CME tool runs and provisions the configuration on the CloudGuard instance, the log shows the following:
```
2022-01-18 14:59:07,927 CME_SERVICE INFO Running post install configuration on AWSAccount--i-07f694a5604dxxxxx--eu-west-2
Post install config script: 10.xx.xx.xx: /opt/CPcme/service/../features/lb_health_check.py -> /etc/fw/tmp/lb_health_check.py
Transferred file /opt/CPcme/service/../features/lb_health_check.py to /etc/fw/tmp/lb_health_check.py
__success__
```
This shows that the LB script runs and reports success, but no settings are changed.

On lines 16-18 of the lb_health_check.py file it says:

```python
CLOUD_VERSION_FILE = '/etc/cloud-version'
CLOUD_VERSION_JSON_FILE = '/etc/cloud-version.json'
AWS_GWLB_SOLUTIONS = ['autoscale_gwlb']
```
Which is used in the main part of the script here:
```python
def main():
    # health port is the trigger for this feature - configure last
    args = parse_arguments()
    if args.cloud_provider == AWS:
        if get_cloud_version_data('template_name') in AWS_GWLB_SOLUTIONS:
            log('Configuring health check IP range and health probe port')
            configure_health_ips(args.cloud_balancer_ip1,
                                 args.cloud_balancer_ip2)
            configure_health_port(args.cloud_provider,
                                  args.cloud_balancer_port)
        else:
            configure_health_port(args.cloud_provider, args.cloud_balancer_port)
    log('__success__')
```
Because the version file has been overridden with the new value, the GWLB branch never runs and the script exits without setting the health check IPs, which is required for this to start on the AWS ASG instance.
Manually updating the bootstrap script to change `autoscale` to `autoscale_gwlb` fixes the issue, and the LB Health Checks work.
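As an added reproduction of the ordering problem (not code from the CloudGuard templates or from CME), the script below replays the two bootstrap stages on a constructed cloud-version state and then applies the same template_name test that lb_health_check.py main() uses. The function names are mine, as is the assumption that get_cloud_version_data reads the JSON file; diagnose() can also be pointed at the real file contents on an instance to spot the duplicate template_name lines before CME runs.

```python
import re

# Value list quoted from lb_health_check.py in the issue above.
AWS_GWLB_SOLUTIONS = ['autoscale_gwlb']

def inner_bootstrap(cv_text, cv_json):
    # gwlb.yaml's GatewayBootstrapScript: sed '/template_name/c\...' replaces every
    # matching line and jq overwrites .template_name; both write autoscale_gwlb.
    cv_text = re.sub(r'^.*template_name.*$', 'template_name: autoscale_gwlb',
                     cv_text, flags=re.M)
    return cv_text, dict(cv_json, template_name='autoscale_gwlb')

def wrapper_bootstrap(cv_text, cv_json, template='autoscale'):
    # autoscale-gwlb.yaml's own block runs after the inner script: it appends (>>)
    # a second template_name line and overwrites .template_name with jq.
    cv_text += 'template_name: %s\ntemplate_version: 20211212\n' % template
    return cv_text, dict(cv_json, template_name=template, template_version='20211212')

def template_names_in_text(cv_text):
    # Every template_name value in /etc/cloud-version, in file order.
    return re.findall(r'^template_name:\s*(\S+)', cv_text, flags=re.M)

def diagnose(cv_text, cv_json):
    # Mirror the condition in lb_health_check.py main() and flag inconsistencies.
    # Assumption (not confirmed by the issue): get_cloud_version_data reads the JSON file.
    names = template_names_in_text(cv_text)
    json_name = cv_json.get('template_name')
    warnings = []
    if len(names) > 1:
        warnings.append('duplicate template_name lines in /etc/cloud-version: %s' % names)
    if json_name not in AWS_GWLB_SOLUTIONS:
        warnings.append('template_name %r not in AWS_GWLB_SOLUTIONS; '
                        'configure_health_ips() would be skipped' % json_name)
    return {'text_template_names': names, 'json_template_name': json_name,
            'gwlb_branch_runs': json_name in AWS_GWLB_SOLUTIONS, 'warnings': warnings}

def simulate(wrapper_template='autoscale'):
    # Run both stages in order on a constructed initial state (not real file
    # contents) and return what lb_health_check.py would then decide.
    cv_text = 'template_name: placeholder\n'
    cv_json = {'template_name': 'placeholder'}
    cv_text, cv_json = inner_bootstrap(cv_text, cv_json)
    cv_text, cv_json = wrapper_bootstrap(cv_text, cv_json, wrapper_template)
    return diagnose(cv_text, cv_json)
```

simulate() shows the shipped ordering leaving template_name as autoscale so the GWLB branch is skipped, while simulate('autoscale_gwlb') shows the manual fix restoring it.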
Wondering if this is the best place to report the issue, or is there a place where these nested templates are stored on GitHub?
Thanks
Colin