OpenShift Bugs / OCPBUGS-20491

[RFE] - AWS Private IPI cluster Installation failed to create EC2 instances for masters


      Description of problem:

      The AWS private IPI cluster installation fails to create the EC2 instances for the masters due to an authorization issue. The customer has an SCP (service control policy) in their AWS organization that denies creation of EC2 instances unless the field `associate_public_ip_address` is explicitly set to `false`. Because Terraform leaves that field as `(known after apply)` for the masters when it creates the EC2 instances, the value is not explicitly `false`, the SCP denies the call, and the installation fails with an authorization failure.

      Version-Release number of selected component (if applicable):

      4.13.z

      How reproducible:

      Reproduce by applying an SCP at the AWS organization level that denies creation of EC2 instances with public IPs (so that `associate_public_ip_address` must be explicitly `false` for instance creation to succeed), then installing a private cluster on AWS.

      Steps to Reproduce:

      1. Apply an SCP like the following on the AWS side to deny public IP assignment.
      
      ~~~
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "DenyPubIPAssignt",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
              "BoolIfExists": {
                "ec2:AssociatePublicIpAddress": "true"
              }
            }
          }
        ]
      }
      ~~~
      
      2. Install a private cluster on AWS using a 4.13.z release.

      Actual results:

      Installation fails while creating EC2 instances for master nodes

      Expected results:

      The installer should set the variable `associate_public_ip_address` to `false` for the masters before the apply, so that Terraform passes an explicit `false`, the SCP condition is not matched, the EC2 instances get created and the cluster installs successfully.

      Additional info:

      When installing a private AWS cluster for testing purposes, the variable `associate_public_ip_address` is explicitly set to `false` for the bootstrap node, as the plan output below shows. No SCP was set up in the AWS environment during this test.

      ~~~
      # aws_instance.bootstrap will be created
      time="2023-10-10T18:34:45+05:30" level=debug msg="  + resource \"aws_instance\" \"bootstrap\" {"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + ami                                  = \"ami-03c7dfb29b8d70db7\""
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + arn                                  = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + associate_public_ip_address          = false" <-------------------------
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + availability_zone                    = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + cpu_core_count                       = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + cpu_threads_per_core                 = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + disable_api_stop                     = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + disable_api_termination              = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + ebs_optimized                        = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + get_password_data                    = false"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + host_id                              = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + host_resource_group_arn              = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + iam_instance_profile                 = \"adikulka-n5lhk-bootstrap-profile\""
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + id                                   = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + instance_initiated_shutdown_behavior = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + instance_state                       = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + instance_type                        = \"m6i.xlarge\""
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + ipv6_address_count                   = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + ipv6_addresses                       = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + key_name                             = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + monitoring                           = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + outpost_arn                          = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + password_data                        = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + placement_group                      = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + placement_partition_number           = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + primary_network_interface_id         = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + private_dns                          = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + private_ip                           = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + public_dns                           = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + public_ip                            = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + secondary_private_ips                = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + security_groups                      = (known after apply)"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + source_dest_check                    = true"
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + subnet_id                            = \"subnet-09ce94d1a60f164fa\""
      time="2023-10-10T18:34:45+05:30" level=debug msg="      + tags                                 = {"
      ~~~
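As an added pre-flight check (not part of the bug report or of the installer's own code), the following Python script scans installer debug output in the format shown above for planned `aws_instance` resources and models the report's SCP condition against each one. The sample log lines and the `master` resource block are constructed; the `...IfExists` behaviour follows AWS policy evaluation, where a request that lacks the condition key satisfies the condition.

```python
import re

# Constructed sample in the format of the installer debug log above (not a real run):
# bootstrap sets the flag explicitly, a hypothetical master block leaves it
# "(known after apply)", in which state the RunInstances request omits the key.
SAMPLE_LOG = r"""
time="2023-10-10T18:34:45+05:30" level=debug msg="  + resource \"aws_instance\" \"bootstrap\" {"
time="2023-10-10T18:34:45+05:30" level=debug msg="      + associate_public_ip_address          = false"
time="2023-10-10T18:34:45+05:30" level=debug msg="      + source_dest_check                    = true"
time="2023-10-10T18:34:46+05:30" level=debug msg="  + resource \"aws_instance\" \"master\" {"
time="2023-10-10T18:34:46+05:30" level=debug msg="      + associate_public_ip_address          = (known after apply)"
"""

RESOURCE_RE = re.compile(r'\+ resource \\"aws_instance\\" \\"([^\\"]+)\\"')
ATTR_RE = re.compile(r'\+ associate_public_ip_address\s+= ([^"]*)"')

def plan_public_ip_flags(log_text):
    """Map each planned aws_instance name to the raw planned value of
    associate_public_ip_address (None if the attribute never appears)."""
    flags, current = {}, None
    for line in log_text.splitlines():
        res = RESOURCE_RE.search(line)
        if res:
            current = res.group(1)
            flags[current] = None
            continue
        attr = ATTR_RE.search(line)
        if attr and current is not None:
            flags[current] = attr.group(1).strip()
    return flags

def scp_denies_run_instances(planned_value):
    """Model the report's SCP: Deny ec2:RunInstances when BoolIfExists
    ec2:AssociatePublicIpAddress == "true". With the *IfExists suffix AWS
    treats a request that lacks the key as matching, so an unknown or unset
    plan value is denied; an explicit false is the only value that passes."""
    if planned_value is None or planned_value == "(known after apply)":
        return True  # key absent from the request -> IfExists condition matches
    return planned_value.lower() == "true"

def blocked_instances(log_text):
    """Names of planned aws_instance resources the SCP would reject."""
    return sorted(name for name, value in plan_public_ip_flags(log_text).items()
                  if scp_denies_run_instances(value))

if __name__ == "__main__":
    for name in blocked_instances(SAMPLE_LOG):
        print(f"{name}: associate_public_ip_address is not explicitly false; "
              "the SCP would deny ec2:RunInstances")
```

Run it against a real `.openshift_install.log` captured with `--log-level=debug` to see which planned instances would hit the deny before the apply reaches AWS.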

              rdossant Rafael Fonseca dos Santos
              rhn-support-adikulka Aditya Kulkarni
              Yunfei Jiang Yunfei Jiang