
I am creating an autoscaling group but the launch configuration keeps on failing because I am using an encrypted AMI (have to for security), but it crashes after the timer and gives this error:

Error: "autoscaling group": Waiting up to 5m0s: Need at least 1 healthy instances in ASG, have 0. Most recent activity: {
  ActivityId: "35c5cb87-fc76-a0bc-e547-xxxxxx",
  AutoScalingGroupName: "autoscaling group",
  Cause: "At 2020-06-23T16:24:50Z an instance was started in response to a difference between desired and actual capacity, increasing the capacity from 0 to 1.",
  Description: "Launching a new EC2 instance: i-xxxxx.  Status Reason: Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InternalError: Client error on launch",
  Details: "{\"Subnet ID\":\"subnet-xxxxxxx\",\"Availability Zone\":\"us-east-2b\"}",
  EndTime: 2020-06-23 16:25:23 +0000 UTC,
  Progress: 100,
  StartTime: 2020-06-23 16:24:52.392 +0000 UTC,
  StatusCode: "Cancelled",
  StatusMessage: "Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InternalError: Client error on launch"
}

Here's the policy

resource "aws_iam_policy" "kms_policy" {
  name        = "KMS_grant"
  path        = "/"
  description = "A policy to allow the autoscaling group to use KMS"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:DescribeKey"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": [
            "ec2.us-west-2.amazonaws.com",
            "rds.us-west-2.amazonaws.com"
          ]
        }
      }
    }
  ]
}
EOF
}
{
    "Images": [
        {
            "Architecture": "x86_64",
            "CreationDate": "2020-06-15T19:01:08.000Z",
            "ImageId": "ami-xxxxxxx",
            "ImageLocation": "8xxxxxxx/amazon-linux-ami-2-x",
            "ImageType": "machine",
            "Public": false,
            "OwnerId": "8xxxxxxx",
            "PlatformDetails": "Linux/UNIX",
            "UsageOperation": "RunInstances",
            "State": "available",
            "BlockDeviceMappings": [
                {
                    "DeviceName": "/dev/xvda",
                    "Ebs": {
                        "DeleteOnTermination": true,
                        "SnapshotId": "snap-xxxxxx",
                        "VolumeSize": 8,
                        "VolumeType": "gp2",
                        "Encrypted": true
                    }
                }
            ],
            "EnaSupport": true,
            "Hypervisor": "xen",
            "Name": "amazon-linux-ami-2-x",
            "RootDeviceName": "/dev/xvda",
            "RootDe

module "asg" {
  source  = "terraform-aws-modules/autoscaling/aws"
  version = "~> 3.0"

  name = "service"

  # Launch configuration
  lc_name = "launch-config"

  image_id                    = "ami-xxxx"
  instance_type               = "t2.micro"
  associate_public_ip_address = true
  recreate_asg_when_lc_changes = true
  iam_instance_profile        = "${aws_iam_instance_profile.kms_instance.name}"
  security_groups             = [module.network.autoscale_security_group]

  ebs_block_device = [
    {
      device_name           = "/dev/xvdz"
      volume_type           = "gp2"
      volume_size           = "50"
      delete_on_termination = true
    },
  ]

  root_block_device = [
    {
      volume_size = "50"
      volume_type = "gp2"
      delete_on_termination = true
    },
  ]

  # Auto scaling group
  asg_name                  = "asg_name"
  vpc_zone_identifier       = ["subnet-xxxxx", "subnet-xxxx"]
  health_check_type         = "EC2"
  min_size                  = 1
  max_size                  = 1
  desired_capacity          = 1
  wait_for_capacity_timeout = "5m"
  force_delete              = true

  tags = omitted
}

Sorry if this is not very detailed; any help would be appreciated. I am also using terraform-aws-modules/autoscaling/aws.

thecoderguy
  • Can you share how you've created the AMI and also share the Terraform code for creating the ASG? – ydaetskcoR Jun 23 '20 at 16:47
  • I did not create the AMI; I will add the module to the question – thecoderguy Jun 23 '20 at 16:52
  • If you didn't create the AMI then can you add the output of `aws ec2 describe-images --image-ids ami-xxxx` (replacing `ami-xxx` with the AMI you are using) please? You can censor it but it's useful to see the encryption configuration on the EBS volumes. – ydaetskcoR Jun 23 '20 at 17:04
  • Why do you think this is happening because of the encrypted AMI? – Asdfg Jun 23 '20 at 17:08
  • @ydaetskcoR I did not create it, my company did – thecoderguy Jun 23 '20 at 17:12
  • @Asdfg I know it is because I tried this code with an Amazon-provided AMI and it works – thecoderguy Jun 23 '20 at 17:12
  • Okay but we still need to see the encryption configuration on the AMI to be able to answer the question. Running the command above and editing the result into the question will help. If the KMS key is in another AWS account then you will also need to have them change the key policy to allow access from the account the ASG is in so you should make it clear whether the KMS key for the AMI volumes and the ASG are in the same or different accounts. – ydaetskcoR Jun 23 '20 at 17:15
  • Did they encrypt the AMI using the keys from the same region you are trying to create your EC2 instance in? If not, that could be the problem. – Asdfg Jun 23 '20 at 17:17
  • @ydaetskcoR the operation is not allowed by my account: `An error occurred (UnauthorizedOperation) when calling the DescribeImages operation: You are not authorized to perform this operation.` I do know that it was created in another account; I don't know about the KMS on it but I know the AMI root volume is encrypted – thecoderguy Jun 23 '20 at 17:30
  • @Asdfg yes they did – thecoderguy Jun 23 '20 at 17:46
  • Looks like the IAM role you are using does not have proper permissions on the `KMS` key they used to encrypt the AMI. Not sure why your IT team has you restricted on the `DescribeImages` call as it is totally harmless. – Asdfg Jun 23 '20 at 17:48
  • Here are the example key policies: https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html – Asdfg Jun 23 '20 at 17:54
  • @Asdfg I gave a policy to wildcard – thecoderguy Jun 23 '20 at 18:06
  • @ydaetskcoR here everything is updated – thecoderguy Jun 23 '20 at 18:50
  • You are most probably missing the policy on the key itself. – Asdfg Jun 24 '20 at 02:38

2 Answers


You have granted EC2 and RDS access. For a launch configuration, you also need to grant the AutoScaling service access to the KMS CMK used to encrypt the volume.

Example: CMK Key Policy Sections That Allow Access to the CMK

{
   "Sid": "Allow service-linked role use of the CMK",
   "Effect": "Allow",
   "Principal": {
       "AWS": [
           "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
       ]
   },
   "Action": [
       "kms:Encrypt",
       "kms:Decrypt",
       "kms:ReEncrypt*",
       "kms:GenerateDataKey*",
       "kms:DescribeKey"
   ],
   "Resource": "*"
}
{
   "Sid": "Allow attachment of persistent resources",
   "Effect": "Allow",
   "Principal": {
       "AWS": [
           "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
       ]
   },
   "Action": [
       "kms:CreateGrant"
   ],
   "Resource": "*",
   "Condition": {
       "Bool": {
           "kms:GrantIsForAWSResource": true
       }
    }
}
Alain O'Dea
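As an added example (not code from this answer, the question, or AWS), the following Python script checks a key policy document for the two statements above. It takes the policy JSON string (the `Policy` field returned by `aws kms get-key-policy --key-id <key-id> --policy-name default`) and the account id of the account that owns the ASG, and reports which of the required permissions are not granted to that account's AWSServiceRoleForAutoScaling role. The two sample policies are constructed for the example; 123456789012 is the placeholder account id used in the answer.

```python
"""Check a KMS key policy for the Auto Scaling service-linked role statements.

Added example for this answer; it is not code from the original post or
from AWS. Given a key policy document (the "Policy" string returned by
`aws kms get-key-policy --key-id <key-id> --policy-name default`) and the
account id of the Auto Scaling group, it reports which of the permissions
described above the key policy does not grant to that account's
AWSServiceRoleForAutoScaling role. The sample policies below are constructed;
123456789012 is the placeholder account id used in the answer.
"""
import fnmatch
import json

ASG_ROLE_PATH = ("role/aws-service-role/autoscaling.amazonaws.com/"
                 "AWSServiceRoleForAutoScaling")
# Statement 1 of the answer: actions needed to use the CMK for the volume.
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows_role(stmt, role_arn):
    """True if an Allow statement names the role (or '*') as an AWS principal."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    return any(p in (role_arn, "*") for p in aws)


def _grants_action(stmt, action):
    """Match a required action against the statement's action patterns
    (IAM action names are case-insensitive and may contain '*')."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(stmt.get("Action", [])))


def _create_grant_condition_ok(stmt):
    """Statement 2 of the answer: CreateGrant either unconditioned or limited
    to grants created on behalf of an AWS resource."""
    cond = stmt.get("Condition")
    if not cond:
        return True
    value = cond.get("Bool", {}).get("kms:GrantIsForAWSResource")
    return str(value).lower() == "true"


def missing_for_autoscaling(policy_json, asg_account_id):
    """Return the required permissions the key policy does NOT grant to the
    Auto Scaling service-linked role of `asg_account_id`. An empty list means
    the key policy satisfies both statements from the answer. Deny statements
    and other condition keys are ignored to keep the check short."""
    policy = json.loads(policy_json)
    role_arn = f"arn:aws:iam::{asg_account_id}:{ASG_ROLE_PATH}"
    stmts = [s for s in _as_list(policy.get("Statement", []))
             if _allows_role(s, role_arn)]
    missing = [a for a in USE_ACTIONS
               if not any(_grants_action(s, a) for s in stmts)]
    if not any(_grants_action(s, "kms:CreateGrant")
               and _create_grant_condition_ok(s) for s in stmts):
        missing.append("kms:CreateGrant (Bool kms:GrantIsForAWSResource=true)")
    return missing


ASG_ROLE_ARN = f"arn:aws:iam::123456789012:{ASG_ROLE_PATH}"

# Constructed: the default key policy AWS creates for a new CMK. It lets the
# key owner's IAM policies manage the key but says nothing about the Auto
# Scaling service-linked role, which is the situation in the question: an IAM
# policy on the instance profile alone is not enough.
DEFAULT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "kms:*", "Resource": "*"}]})

# Constructed: the default policy plus the two statements from the answer.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": json.loads(DEFAULT_POLICY)["Statement"] + [
        {"Sid": "Allow service-linked role use of the CMK", "Effect": "Allow",
         "Principal": {"AWS": [ASG_ROLE_ARN]},
         "Action": USE_ACTIONS, "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": [ASG_ROLE_ARN]},
         "Action": ["kms:CreateGrant"], "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]})

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "missing:", missing_for_autoscaling(policy, "123456789012"))
    # The key policy must name the role of the account that owns the ASG; a
    # key in another account needs that account's role ARN added to it.
    print("other account missing:",
          missing_for_autoscaling(FIXED_POLICY, "999999999999"))
```

Run against the default policy the script lists all six requirements as missing; against the fixed policy it lists none. Passing a different account id shows why a key owned by another account (the cross-account case raised in the comments) has to name the ASG account's service-linked role explicitly.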

Here is the solution provided by Amazon: https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#configuring-key-policies

thecoderguy