Я создаю группу автомасштабирования, но конфигурация запуска продолжает давать сбой, потому что я использую зашифрованный AMI (необходимо для безопасности), но он вылетает после таймера и выдает следующую ошибку:
Error: "autoscaling group": Waiting up to 5m0s: Need at least 1 healthy instances in ASG, have 0. Most recent activity: {
ActivityId: "35c5cb87-fc76-a0bc-e547-xxxxxx",
AutoScalingGroupName: "autoscaling group",
Cause: "At 2020-06-23T16:24:50Z an instance was started in response to a difference between desired and actual capacity, increasing the capacity from 0 to 1.",
Description: "Launching a new EC2 instance: i-xxxxx. Status Reason: Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InternalError: Client error on launch",
Details: "{\"Subnet ID\":\"subnet-xxxxxxx\",\"Availability Zone\":\"us-east-2b\"}",
EndTime: 2020-06-23 16:25:23 +0000 UTC,
Progress: 100,
StartTime: 2020-06-23 16:24:52.392 +0000 UTC,
StatusCode: "Cancelled",
StatusMessage: "Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InternalError: Client error on launch"
}
Вот политика
resource "aws_iam_policy" "kms_policy" {
name = "KMS_grant"
path = "/"
description = "A policy to allow the autoscaling group to use KMS"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:CreateGrant",
"kms:ListGrants",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": "*"
"Condition": {
"StringEquals": {
"kms:ViaService": [
"ec2.us-west-2.amazonaws.com",
"rds.us-west-2.amazonaws.com"
]
}
}
}
]
}
EOF
}
{
"Images": [
{
"Architecture": "x86_64",
"CreationDate": "2020-06-15T19:01:08.000Z",
"ImageId": "ami-xxxxxxx",
"ImageLocation": "8xxxxxxx/amazon-linux-ami-2-x",
"ImageType": "machine",
"Public": false,
"OwnerId": "8xxxxxxx",
"PlatformDetails": "Linux/UNIX",
"UsageOperation": "RunInstances",
"State": "available",
"BlockDeviceMappings": [
{
"DeviceName": "/dev/xvda",
"Ebs": {
"DeleteOnTermination": true,
"SnapshotId": "snap-xxxxxx",
"VolumeSize": 8,
"VolumeType": "gp2",
"Encrypted": true
}
}
],
"EnaSupport": true,
"Hypervisor": "xen",
"Name": "amazon-linux-ami-2-x",
"RootDeviceName": "/dev/xvda",
"RootDe
module "asg" {
source = "terraform-aws-modules/autoscaling/aws"
version = "~> 3.0"
name = "service"
# Launch configuration
lc_name = "launch-config"
image_id = "ami-xxxx"
instance_type = "t2.micro"
associate_public_ip_address = true
recreate_asg_when_lc_changes = true
iam_instance_profile = "${aws_iam_instance_profile.kms_instance.name}"
security_groups = [module.network.autoscale_security_group]
ebs_block_device = [
{
device_name = "/dev/xvdz"
volume_type = "gp2"
volume_size = "50"
delete_on_termination = true
},
]
root_block_device = [
{
volume_size = "50"
volume_type = "gp2"
delete_on_termination = true
},
]
# Auto scaling group
asg_name = "asg_name"
vpc_zone_identifier = ["subnet-xxxxx", "subnet-xxxx"]
health_check_type = "EC2"
min_size = 1
max_size = 1
desired_capacity = 1
wait_for_capacity_timeout = "5m"
force_delete = true
tags = ommitted
}
извините, если не очень подробно, любая помощь будет оценена. Я также использую этот terraform-aws-modules / autoscaling / aws
aws ec2 describe-images --image-ids ami-xxxx
(заменивami-xxx
на AMI, который вы используете), пожалуйста? Вы можете подвергнуть его цензуре, но полезно увидеть конфигурацию шифрования на томах EBS. - person ydaetskcoR   schedule 23.06.2020An error occurred (UnauthorizedOperation) when calling the DescribeImages operation: You are not authorized to perform this operation.
я знаю, что она была создана в другой учетной записи, я не знаю о KMS на ней, но я знаю, что корневой том AMI зашифрован - person thecoderguy   schedule 23.06.2020KMS
ключ, который они использовали для шифрования AMI. Не уверен, почему ваша ИТ-команда ограничила васDescribeImages
звонками, поскольку это совершенно безвредно. - person Asdfg   schedule 23.06.2020