User Data in EC2 for CloudFormation
- We can have user data at EC2 instance launch through the console
- We can also include it in CloudFormation
- The important thing to pass is the entire script through the function
Fn::Base64 - Good to know: user data script log is in
/var/log/cloud-init-output.log
Let’s see how to do this in CloudFormation. We have such an yml file:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
--- Parameters: SSHKey: Type: AWS::EC2::KeyPair::KeyName Description: Name of an existing EC2 KeyPair to enable SSH access to the instance Resources: MyInstance: Type: AWS::EC2::Instance Properties: AvailabilityZone: eu-central-1a ImageId: ami-00a205cb8e06c3c4e InstanceType: t2.micro KeyName: !Ref SSHKey SecurityGroups: - !Ref SSHSecurityGroup # we install our web server with user data UserData: Fn::Base64: | #!/bin/bash -xe yum update -y yum install -y httpd systemctl start httpd systemctl enable httpd echo "Hello World from user data" > /var/www/html/index.html # our EC2 security group SSHSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: SSH and HTTP SecurityGroupIngress: - CidrIp: 0.0.0.0/0 FromPort: 22 IpProtocol: tcp ToPort: 22 - CidrIp: 0.0.0.0/0 FromPort: 80 IpProtocol: tcp ToPort: 80 |
Next->
Next -> Create stack
After the EC2 instance has been created we can check the public DNS address of the EC2 and go to that adress in the browser:
We can connect to the EC2 through SSH and check the output of user data:
|
1 |
cat /var/log/cloud-init-output.log |
cfn init
AWS::CloudFormation::Initmust be in the Metadata of a resource- With the cfn-init script, it helps make complex EC2 configurations readable
- The EC2 instance will query the CloudFormation service to get init data
- Logs go to
/var/log/cfn-init.log
Consider such a tamplate:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 |
--- Parameters: SSHKey: Type: AWS::EC2::KeyPair::KeyName Description: Name of an existing EC2 KeyPair to enable SSH access to the instance Resources: MyInstance: Type: AWS::EC2::Instance Properties: AvailabilityZone: eu-central-1a ImageId: ami-00a205cb8e06c3c4e InstanceType: t2.micro KeyName: !Ref SSHKey SecurityGroups: - !Ref SSHSecurityGroup # we install our web server with user data UserData: Fn::Base64: !Sub | #!/bin/bash -xe # Get the latest CloudFormation package yum update -y aws-cfn-bootstrap # Start cfn-init /opt/aws/bin/cfn-init -s ${AWS::StackId} -r MyInstance --region ${AWS::Region} || error_exit 'Failed to run cfn-init' Metadata: Comment: Install a simple Apache HTTP page AWS::CloudFormation::Init: config: packages: yum: httpd: [] files: "/var/www/html/index.html": content: | <h1>Hello World from EC2 instance!</h1> <p>This was created using cfn-init</p> mode: '000644' commands: hello: command: "echo 'hello world'" services: sysvinit: httpd: enabled: 'true' ensureRunning: 'true' # our EC2 security group SSHSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: SSH and HTTP SecurityGroupIngress: - CidrIp: 0.0.0.0/0 FromPort: 22 IpProtocol: tcp ToPort: 22 - CidrIp: 0.0.0.0/0 FromPort: 80 IpProtocol: tcp ToPort: 80 |
Cfn init is more readable way to install packages and modify the files on the system than user data way.
Let’s create a CfnInitExample stack:
Next ->
Next -> Create stack
Now we can go to the url of the new EC2 instance:
Now let’s ssh to the EC2 instance:
|
1 |
sudo cat /var/log/cloud-init-output.log |
And
|
1 2 3 4 5 6 7 8 9 10 11 |
[ec2-user@ip-172-31-24-120 ~]$ sudo cat /var/log/cfn-init.log 2021-06-01 12:50:36,880 [INFO] -----------------------Starting build----------------------- 2021-06-01 12:50:36,881 [INFO] Running configSets: default 2021-06-01 12:50:36,883 [INFO] Running configSet default 2021-06-01 12:50:36,884 [INFO] Running config config 2021-06-01 12:50:48,881 [INFO] Yum installed ['httpd'] 2021-06-01 12:50:48,888 [INFO] Command hello succeeded 2021-06-01 12:50:49,012 [INFO] enabled service httpd 2021-06-01 12:50:49,188 [INFO] Started httpd successfully 2021-06-01 12:50:49,189 [INFO] ConfigSets completed 2021-06-01 12:50:49,189 [INFO] -----------------------Build complete----------------------- |
All the logs:
|
1 2 3 |
[ec2-user@ip-172-31-24-120 ~]$ ls /var/log amazon boot.log cfn-init-cmd.log cfn-wire.log cloud-init.log cron grubby_prune_debug journal maillog sa spooler wtmp audit btmp cfn-init.log chrony cloud-init-output.log dmesg httpd lastlog messages secure tallylog yum.log |
If we need troubleshot:
|
1 2 3 4 5 6 7 8 9 10 11 |
[ec2-user@ip-172-31-24-120 ~]$ sudo cat /var/log/cfn-init.log 2021-06-01 12:50:36,880 [INFO] -----------------------Starting build----------------------- 2021-06-01 12:50:36,881 [INFO] Running configSets: default 2021-06-01 12:50:36,883 [INFO] Running configSet default 2021-06-01 12:50:36,884 [INFO] Running config config 2021-06-01 12:50:48,881 [INFO] Yum installed ['httpd'] 2021-06-01 12:50:48,888 [INFO] Command hello succeeded 2021-06-01 12:50:49,012 [INFO] enabled service httpd 2021-06-01 12:50:49,188 [INFO] Started httpd successfully 2021-06-01 12:50:49,189 [INFO] ConfigSets completed 2021-06-01 12:50:49,189 [INFO] -----------------------Build complete----------------------- |
cfn signal & wait conditions
- We still don’t know how to tell CloudFormation that the EC2 instance got properly configured after a cfn-init
- For this, we can use the cfn-signal script!
- We run cfn-signal right after cfn-init
- Tell CloudFormation service to keep on going or fail
- We need to define WaitCondition:
- Block the template until it receives a signal from cfn-signal
- We attach a CreationPolicy (also works on EC2, ASG)
Consider such a tamplate:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 |
--- Parameters: SSHKey: Type: AWS::EC2::KeyPair::KeyName Description: Name of an existing EC2 KeyPair to enable SSH access to the instance Resources: MyInstance: Type: AWS::EC2::Instance Properties: AvailabilityZone: eu-central-1a ImageId: ami-00a205cb8e06c3c4e InstanceType: t2.micro KeyName: !Ref SSHKey SecurityGroups: - !Ref SSHSecurityGroup # we install our web server with user data UserData: Fn::Base64: !Sub | #!/bin/bash -xe # Get the latest CloudFormation package yum update -y aws-cfn-bootstrap # Start cfn-init /opt/aws/bin/cfn-init -s ${AWS::StackId} -r MyInstance --region ${AWS::Region} # Start cfn-signal to the wait condition /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackId} --resource SampleWaitCondition --region ${AWS::Region} Metadata: Comment: Install a simple Apache HTTP page AWS::CloudFormation::Init: config: packages: yum: httpd: [] files: "/var/www/html/index.html": content: | <h1>Hello World from EC2 instance!</h1> <p>This was created using cfn-init</p> mode: '000644' commands: hello: command: "echo 'hello world'" services: sysvinit: httpd: enabled: 'true' ensureRunning: 'true' SampleWaitCondition: CreationPolicy: ResourceSignal: Timeout: PT2M Count: 1 Type: AWS::CloudFormation::WaitCondition # our EC2 security group SSHSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: SSH and HTTP SecurityGroupIngress: - CidrIp: 0.0.0.0/0 FromPort: 22 IpProtocol: tcp ToPort: 22 - CidrIp: 0.0.0.0/0 FromPort: 80 IpProtocol: tcp ToPort: 80 |
Using this template let’s create a stack:
Next -> Create stack
cfn-signal failures troubleshooting
Wait Condition Didn’t Receive the Required Number of Signals from an Amazon EC2 Instance
- Ensure that the AMI you’re using has the AWS CloudFormation helper scripts installed. If the AMI doesn’t include the helper scripts, you can also cownload them to your instance.
- Verify that the
cfn-init&cfn-signalcommand was successfully run on the instance. You can view logs, such as/var/log/cloud-init.logor/var/log/cfn-init.log, to help you debug the instance launch. - You can retrieve the logs by logging in to your instance, but you must disable rollback on failure or else AWS-CloudFormation deletes the instance after your stack fails to create.
- Verify that the instance has a connection to the Internet. If the instance is in a VPC, the instance should be able to connect to the Internet through a NAT device if it’s is in a private subnet or through an Internet gateway if it’s in a public subnet
- For example, run:
curl -I https://aws.amazon.com
Consider a following yml tamplate:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 |
--- Parameters: SSHKey: Type: AWS::EC2::KeyPair::KeyName Description: Name of an existing EC2 KeyPair to enable SSH access to the instance Resources: MyInstance: Type: AWS::EC2::Instance Properties: AvailabilityZone: eu-central-1a ImageId: ami-00a205cb8e06c3c4e InstanceType: t2.micro KeyName: !Ref SSHKey SecurityGroups: - !Ref SSHSecurityGroup # we install our web server with user data UserData: Fn::Base64: !Sub | #!/bin/bash -xe # Get the latest CloudFormation package yum update -y aws-cfn-bootstrap # Start cfn-init /opt/aws/bin/cfn-init -s ${AWS::StackId} -r MyInstance --region ${AWS::Region} # Start cfn-signal to the wait condition /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackId} --resource SampleWaitCondition --region ${AWS::Region} Metadata: Comment: Install a simple Apache HTTP page AWS::CloudFormation::Init: config: packages: yum: httpd: [] files: "/var/www/html/index.html": content: | <h1>Hello World from EC2 instance!</h1> <p>This was created using cfn-init</p> mode: '000644' commands: hello: command: "echo 'boom' && exit 1" services: sysvinit: httpd: enabled: 'true' ensureRunning: 'true' SampleWaitCondition: CreationPolicy: ResourceSignal: Timeout: PT1M Count: 1 Type: AWS::CloudFormation::WaitCondition # our EC2 security group SSHSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: SSH and HTTP SecurityGroupIngress: - CidrIp: 0.0.0.0/0 FromPort: 22 IpProtocol: tcp ToPort: 22 - CidrIp: 0.0.0.0/0 FromPort: 80 IpProtocol: tcp ToPort: 80 |
Command
|
1 |
hello: command: "echo 'boom' && exit 1" |
will exit with error 1. 1 is bad exit code, good is 0. This will directly trigger cfn-init failure.
Let’s create a stack:
Next
Next -> Create stack
And we see “Failed to receive 1 resource signal(s) within the specified duration”
As the result all the stack has been roll backed.
cfn-hup & cfn-metadata
We have such a yaml template:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 |
AWSTemplateFormatVersion: '2010-09-09' Description: AWS CloudFormation Sample Template for CFN Init Parameters: KeyName: Description: Name of an existing EC2 KeyPair to enable SSH access to the instances Type: AWS::EC2::KeyPair::KeyName ConstraintDescription: must be the name of an existing EC2 KeyPair. LatestLinuxAmiId: Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>' Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2' WelcomeMessage: Type: String Default: "Hello World" Resources: WebServerSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Enable HTTP access via port 80 and SSH access via port 22 SecurityGroupIngress: - IpProtocol: tcp FromPort: '80' ToPort: '80' CidrIp: 0.0.0.0/0 - IpProtocol: tcp FromPort: '22' ToPort: '22' CidrIp: 0.0.0.0/0 WebServerHost: Type: AWS::EC2::Instance Metadata: Comment: Install a simple PHP application AWS::CloudFormation::Init: config: packages: yum: httpd: [] php: [] groups: apache: {} users: "apache": groups: - "apache" sources: "/home/ec2-user/aws-cli": "https://github.com/aws/aws-cli/tarball/master" files: "/var/www/html/index.html": content: !Sub | <h1>${WelcomeMessage} from ${AWS::StackName}</h1> mode: '000644' owner: apache group: apache # The cfn-hup.conf file stores the name of the stack and the AWS credentials that the cfn-hup daemon targets. "/etc/cfn/cfn-hup.conf": content: !Sub | [main] stack=${AWS::StackId} region=${AWS::Region} # The interval used to check for changes to the resource metadata in minutes. Default is 15 interval=2 mode: "000400" owner: "root" group: "root" # The user actions that the cfn-hup daemon calls periodically are defined in the hooks.conf configuration file. # To support composition of several applications deploying change notification hooks, cfn-hup supports a directory named hooks.d that is located in the hooks configuration directory. You can place one or more additional hooks configuration files in the hooks.d directory. The additional hooks files must use the same layout as the hooks.conf file. "/etc/cfn/hooks.d/cfn-auto-reloader.conf": content: !Sub | [cfn-auto-reloader-hook] triggers=post.update path=Resources.WebServerHost.Metadata.AWS::CloudFormation::Init action=/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServerHost --region ${AWS::Region} mode: "000400" owner: "root" group: "root" services: sysvinit: httpd: enabled: 'true' ensureRunning: 'true' CreationPolicy: ResourceSignal: Timeout: PT5M Properties: ImageId: !Ref LatestLinuxAmiId KeyName: Ref: KeyName InstanceType: t2.micro SecurityGroups: - Ref: WebServerSecurityGroup UserData: "Fn::Base64": !Sub | #!/bin/bash -xe # Get the latest CloudFormation package yum update -y aws-cfn-bootstrap # Start cfn-init /opt/aws/bin/cfn-init -s ${AWS::StackId} -r WebServerHost --region ${AWS::Region} || error_exit 'Failed to run cfn-init' # Start up the cfn-hup daemon to listen for changes to the EC2 instance metadata /opt/aws/bin/cfn-hup || error_exit 'Failed to start cfn-hup' # All done so signal success /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackId} --resource WebServerHost --region ${AWS::Region} Outputs: InstanceId: Description: The instance ID of the web server Value: Ref: WebServerHost WebsiteURL: Value: !Sub 'http://${WebServerHost.PublicDnsName}' Description: URL for newly created LAMP stack PublicIP: Description: Public IP address of the web server Value: !GetAtt WebServerHost.PublicIp # Get metadata (change the region accordingly) # /opt/aws/bin/cfn-get-metadata --stack CfnHupDemo --resource WebServerHost --region eu-west-1 |
Let’s create a stack:
Next ->
Next -> Create stack
The stack has successfully been created
The http server on EC2 instance is up:
To get metatdata from EC2 instance let’s connect to it and run command:
|
1 |
/opt/aws/bin/cfn-get-metadata --stack CfnHupDemo --resource WebServerHost --region eu-central-1 |
The output:
Now let’s update the parameter of stack:
Next -> Next -> Update stack
The meadata of EC2 instance has been changed:
But the content of index.html bas been changed after 2 minutues:
