aws cloudformation 在堆栈中使用 waitcondition 协调资源创建和相关操作
参考资料
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-waitcondition.html
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-waitcondition.html
本文介绍cloudformation的waitcondition条件,waitcondition会使cdn堆栈停止并等待信号,从而协调堆栈相关资源创建和其他操作。
理解 waitcondition
注意:对于asg和ec2来说,创建createpolicy显然更好,只需要在资源配置完成后使用cfn-signal发送信号即可
amazon_linux.template
waitcondition涉及到的cfn资源有
-
AWS::CloudFormation::WaitCondition
Fn::GetAtt Data,包含来自指定等待条件的等待条件信号的 UniqueId 和 Data 值
!GetAtt mywaitcondition.Data -
AWS::CloudFormation::WaitConditionHandle
WaitConditionHandle 类型没有属性。当使用 Ref 函数引用 WaitConditionHandle 资源时,cfn返回一个指定的 URL。可以将此 URL 传递给在 AmazonEC2实例上运行的应用程序或脚本,以向该 URL 发送信号
!Ref mywaitconditionhandle
waitcondition的使用场景如下
- 在应用程序配置过程中,埋点发送信号到cfn跟踪资源的创建进度
- 在资源的创建过程中触发其他资源部署,不需要等待创建完毕
- 等待资源内部创建逻辑完整运行后,才进行cfn的下一阶段部署
注意: cfn等待条件资源需要使用s3服务,向特定的presign url发送响应。否则cfn不会收到相关信息导致堆栈失败。因此如果无法访问公网,需要注意终端节点的配置是否正确
waitcondition的工作流程
-
waitcondition本身也是个资源,堆栈创建后处于CREATE_IN_PROGRESS状态,直到收到指定数量信号,或超时和接受失败信号 -
如果超时则进入
CREATE_FAILED状态,最大超时时间为43200秒 (12 hours ) -
将
DependsOn属性添加到waitcondition,则资源创建后堆栈立即停止 -
waitcondition的Count属性指定需要接受信号的数量,满足条件后进入CREATE_COMPLETE状态,如果没有设置count则默认为1 -
waitcondition需要相应的WaitConditionHandle创建的presign url完成信号发送(json字符),避免了认证{ "Status" : "SUCCESS", "Reason" : "Configuration Complete", "UniqueId" : "ID1234", "Data" : "Application has completed configuration." } -
发送信号的方式是HTTP请求,请求方法为
PUT,Content-Type标头为空$ cat > /tmp/a << EOF { "Status" : "SUCCESS", "Reason" : "Configuration Complete", "UniqueId" : "ID1234", "Data" : "Application has completed configuration." } EOF $ curl -T /tmp/a "https://cloudformation-waitcondition-cn-north-1.s3.cn-north-1.amazonaws.com.cn/arn%3Aaws-cn%3Acloudformation%3Acn-north-1%3A037047667284%3Astack/awstemp/52d456e0-9649-11ed-983f-025e4a0fdde2/mywaitconditionhandle?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20230117T092841Z&X-Amz-SignedHeaders=host&X-Amz-Expires=86399&X-Amz-Credential=AKIAOMTUJJXMXKXJZEPQ%2F20230117%2Fcn-north-1%2Fs3%2Faws4_request&X-Amz-Signature=0cb81d51fe65253e3dc7378b865b0dcae1370f512f275b4bf3f648f6cd05d298" $ curl -X PUT -H 'Content-Type:' --data-binary '{"Status" : "SUCCESS","Reason" : "Configuration Complete","UniqueId" : "ID1234","Data" : "Application has completed configuration."}' "https://cloudformation-waitcondition-test.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-2%3A034017226601%3Astack%2Fstack-gosar-20110427004224-test-stack-with-WaitCondition--VEYW%2Fe498ce60-70a1-11e0-81a7-5081d0136786%2FmyWaitConditionHandle?Expires=1303976584&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Signature=ik1twT6hpS4cgNAw7wyOoRejVoo%3D" -
waitcondition的Handle和TimeOut属性是必须的
配置工具和测试堆栈
安装cfn帮助脚本
yum install -y aws-cfn-bootstrap
查看cfn-signal命令说明,常用的几个参数如下
$ /opt/aws/bin/cfn-signal
Usage: cfn-signal [options] [WaitConditionHandle URL]
Options:
-h, --help show this help message and exit
-s SUCCESS, --success=SUCCESS If true, signal success to CloudFormation; if false, signal failure. Default: true
-i ID, --id=ID A unique ID to send with the signal
-e EXIT_CODE, --exit-code=EXIT_CODE Derive success or failure from specified exit code
AWS Credentials:
Options for specifying AWS Account Credentials.
-f CREDENTIAL_FILE, --credential-file=CREDENTIAL_FILE A credential file, with keys 'AWSAccessKeyId' and 'AWSSecretKey'
--role=IAM_ROLE An IAM Role
--access-key=ACCESS_KEY An AWS Access Key
--secret-key=SECRET_KEY An AWS Secret Key
WaitConditionHandle Signal Options:
-r REASON, --reason=REASON The reason for success/failure
-d DATA, --data=DATA Data to include with the WaitCondition signal
Resource Signal Options:
--stack=STACK_NAME A CloudFormation stack
--resource=LOGICAL_RESOURCE_ID A CloudFormation logical resource ID
--url=ENDPOINT The CloudFormation service URL.
--region=REGION The CloudFormation region. Default: us-east-1.
在ec2的userdata中常见的用法,WebServerInstance是ec2的资源逻辑id
yum install -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServerInstance --region ${AWS::Region}
/opt/aws/bin/cfn-signal --exit-code $? --stack ${AWS::StackName} --resource WebServerInstance --region ${AWS::Region}
创建简单的堆栈
AWSTemplateFormatVersion: "2010-09-09"
Description: AWS CloudFormation test waitcondition.
Resources:
S3Bucket:
Type: AWS::S3::Bucket
Properties:
VersioningConfiguration:
Status: Suspended
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
mywaitconditionhandle:
Type: AWS::CloudFormation::WaitConditionHandle
mywaitcondition:
Type: AWS::CloudFormation::WaitCondition
DependsOn: S3Bucket
Properties:
Handle: !Ref "mywaitconditionhandle"
Timeout: "60"
Count: 1
Outputs:
WaitConditionUrl:
Description: WaitConditionUrl
Value: !Ref mywaitconditionhandle
WaitConditionData:
Description: WaitConditionData
Value: !GetAtt mywaitcondition.Data
查看控制台的cfn事件如下
创建了特定的资源,handle的逻辑id很有趣,是一个s3预签名url
事件卡在了创建等待条件上,这里设定60秒超时查看超时状态的结果
手动发送信号
将超时时间修改为1800秒,尝试手动发送失败信号
通过cfn-signal发送
可见如果通过cfn-signal发送信号,那么实例id会自动作为UID,需要权限才能向cfn发送信号,这里直接指定aksk。
但是发了很多次,无论是success还是failure还是堆栈都没反应,有点奇怪
$ /opt/aws/bin/cfn-signal --exit-code 1 --stack awstemp --resource mywaitcondition --region cn-north-1
Could not open /var/log/cfn-init.log for logging. Using stderr instead.
2023-01-17 09:30:59,853 [DEBUG] CloudFormation client initialized with endpoint https://cloudformation.cn-north-1.amazonaws.com.cn
2023-01-17 09:30:59,854 [DEBUG] Signaling resource mywaitcondition in stack awstemp with unique ID i-017ff62b060a71f0a and status FAILURE
AccessDenied: Instance i-01xxxxxxxx0a is not allowed to call SignalResource for awstemp
$ /opt/aws/bin/cfn-signal --exit-code 1 --stack awstemp --resource mywaitcondition --region cn-north-1 --access-key=AKxxxxxxxxxxxxT4 --secret-key=lVw4xxxxxxxxxxxxxxxizLW
Could not open /var/log/cfn-init.log for logging. Using stderr instead.
2023-01-17 09:35:30,693 [DEBUG] CloudFormation client initialized with endpoint https://cloudformation.cn-north-1.amazonaws.com.cn
2023-01-17 09:35:30,694 [DEBUG] Signaling resource mywaitcondition in stack awstemp with unique ID i-017ff62b060a71f0a and status FAILURE
$ /opt/aws/bin/cfn-signal -i uid1234567 --exit-code 0 --stack awstemp1 --resource mywaitcondition --region cn-north-1 --access-key=AKxxxxxxxxxxxxT4 --secret-key=lVw4xxxxxxxxxxxxxxxizLW
Could not open /var/log/cfn-init.log for logging. Using stderr instead.
2023-01-17 10:12:06,024 [DEBUG] CloudFormation client initialized with endpoint https://cloudformation.cn-north-1.amazonaws.com.cn
2023-01-17 10:12:06,025 [DEBUG] Signaling resource mywaitcondition in stack awstemp1 with unique ID uid1234567 and status SUCCESS
使用aws cli发送信号
https://docs.aws.amazon.com/cli/latest/reference/cloudformation/signal-resource.html#examples
如果资源不存在则报错
$ aws cloudformation signal-resource --stack-name awstemp --logical-resource-id mywaitconditio --unique-id uuid123456 --status SUCCESS
An error occurred (ValidationError) when calling the SignalResource operation: Resource mywaitconditio does not exist for stack awstemp1
发送成功信号,发了很多次,无论是success还是failure还是堆栈也都没反应
$ aws cloudformation signal-resource \
--stack-name awstemp \
--logical-resource-id mywaitcondition \
--unique-id uuid123456 \
--status SUCCESS
使用http请求发送信号
这种方式更够触发堆栈信号
$ curl -T /tmp/a "https://cloudformation-waitcondition-cn-north-1.s3.cn-north-1.amazonaws.com.cn/arn%3Aaws-cn%3Acloudformation%3Acn-north-1%3A037047667284%3Astack/awstemp/6b872d70-964e-11ed-a57a-0e1ccbbaa2e8/mywaitconditionhandle?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20230117T100510Z&X-Amz-SignedHeaders=host&X-Amz-Expires=86399&X-Amz-Credential=AKIAOMTUJJXMXKXJZEPQ%2F20230117%2Fcn-north-1%2Fs3%2Faws4_request&X-Amz-Signature=31ec53a42ed56e3481fbdbd9eef3a7867c34c62d9a8e74c7bbfbeb63b6d9d861"
继续通过http请求发信号测试
如果发送失败信号,则堆栈失败
如果发送success和failure之外的状态信号,则报错
而且发信号之后到接收信号开始处理有一定的延迟,并非是立即执行的
此外,对于在cdk中使用waitcondition,找到一篇文章可以参考
https://9incloud.com/aws/cdk-aws-codedeploy-autoscaling-waitcondition-creationpolicy