Open mikeoleary opened 3 months ago
Hi @mikeoleary, I created issue EC-526 for this, but cannot start work on it yet because our account also needs access to that region (it's been requested).
That said, for the first error you should have been able to get around it by providing an AMI for the bigIpCustomImageId parameter since looking up the AMI by name is the only thing GetLayerVersion is used for.
The second error is from runtime init. The validator for the secret ARN doesn't include any il regions and the one for simple secret name doesn't support uppercase. There are two options to work around this until we can fix:
@mikeshimkus, big thank you as always. I have asked customer to try this and also to subscribe to this issue.
bigIpCustomImageId: we used these AMIs--ami-084b3f263e7cff637 / ami-0e38f7892a301a8ca
> Leave the secret ID parameter empty so that the template creates a new secret with a random value

Yes, we tried this in the call with @mikeoleary.

> Then use that non-ARN value for the bigIpSecretArn input.

We need assistance here.
@shiv-dasari The options are either leave the secret ID empty or use non-ARN value for bigIpSecretArn (the latter assumes you have already created the secret).
We are going to release an update to F5 BIG-IP Runtime Init that should fix the issue with using the existing secret. I will post here when it's available.
Hi @shiv-dasari, for the secret ARN issue, please try updating the bigIpRuntimeInitPackageUrl parameter to https://cdn.f5.com/product/cloudsolutions/f5-bigip-runtime-init/v2.0.3/dist/f5-bigip-runtime-init-2.0.3-1.gz.run and then redeploy.
@mikeshimkus -- we are seeing this error: Resource handler returned message: "User: arn:aws:sts::068900102323:assumed-role/AWS_DCS_NetworkingAdmin/usa-shivshiva@deloitte.com is not authorized to perform: lambda:GetLayerVersion on resource: arn:aws:lambda:il-central-1:770693421928:layer:Klayers-p312-requests:3 because no resource-based policy allows the lambda:GetLayerVersion action (Service: Lambda, Status Code: 403, Request ID: db0fa450-3c54-43ca-9a82-98f196c0d2b3)" (RequestToken: 44adda57-3da7-95d2-1370-5239df6a8179, HandlerErrorCode: AccessDenied)
We do not have visibility/access to this account: arn:aws:lambda:il-central-1:770693421928:layer:Klayers-p312-requests:3
For the GetLayerVersion error, you will either need to use the AMI ID for bigIpCustomImageId, or grant the required permissions to arn:aws:lambda:il-central-1:770693421928:layer:Klayers-p312-requests:3 in your IAM policy (the latter is only required when using the AMI lookup function, which should be bypassed if you provide bigIpCustomImageId).
@mikeshimkus -- Thank you. I have full access on my account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```

AdministratorAccess | AWS managed - job function

I think it should be allowed on 770693421928 (this account).
@mikeshimkus and @mikeoleary -- We were using this Image ID in our last run, and even when I checked again I got the same error. bigIpCustomImageId | ami-0e38f7892a301a8ca
@shiv-dasari Looks like your IAM policy needs to allow lambda:GetLayerVersion
@mikeoleary -- I need your assistance; can we connect on Monday? Please let me know.
@shiv-dasari - ok will email you.
@mikeshimkus We were able to add the Function stack to our S3 and run it, but we are still encountering this issue with the last stack (the VM building phase).
| Timestamp | Logical ID | Status | Status reason |
| --- | --- | --- | --- |
| 2024-07-16 20:03:18 UTC+0530 | ill-f5-stack-BigIpInstance02-1KORPCAEL3P6Q | CREATE_FAILED | The following resource(s) failed to create: [Bigip3NicInstance]. |
| 2024-07-16 20:03:18 UTC+0530 | Bigip3NicInstance | CREATE_FAILED | Failed to receive 1 resource signal(s) within the specified duration |
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  This template creates BIG-IP PAYG or BYOL High Availability WAF solution.
  The template uses nested templates for provisioning network, access, and
  compute resources for hosting BIG-IP Failover solution.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
```

```yaml
      = to the number of subnets created. Mask for subnets. Valid values include 16-28.'
    MaxValue: 28
    MinValue: 16
    Type: Number
  uniqueString:
    ConstraintDescription: 'Must contain between 1 and 12 lowercase alphanumeric characters with first character as a letter.'
    AllowedPattern: ^[a-z][a-z0-9]{1,11}$
    Description: Unique String used when creating object names or Tags.
    Type: String
    Default: gcsawsiscf5
  vpcCidr:
    AllowedPattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$'
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.203.146.0/24
    Description: CIDR block for the VPC.
    Type: String
Conditions:
  2nic: !Or
    - !Condition '3nic'
    - !Equals
```
I am using this parent stack in the AWS Israel region.
I also added the Function stack template into our S3; after that we were able to run it without any issue, but it is still failing.
@shiv-dasari Do you have ssh access to the BIG-IP(s)? If yes can you share the content of /var/log/cloud/startup-script.log?
@mikeoleary -- I have sent the requested logs below over email:
- /var/log/cloud-init-output.log
- /var/log/cloud/bigipruntimeinit.log
- /var/log/cloud/startup-script.log
- /config/cloud/runtime-init.conf
@mikeshimkus, please find attached /var/log/cloud/startup-script.log (putty.log).
Describe the bug
It appears that we cannot deploy the CFT in region il-central-1. Can we get support for this?
Expected behavior
The CFT to deploy a new stack will work.
Current behavior
Customer cannot deploy into Tel Aviv region (il-central-1). He gets the following error when trying the template for a Failover pair into a NEW VPC:
Resource handler returned message: "User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/xxx/xxx@company.com is not authorized to perform: lambda:GetLayerVersion on resource: arn:aws:lambda:il-central-1:xxxxxxxxxxxx:layer:Klayers-p312-requests:3 because no resource-based policy allows the lambda:GetLayerVersion action (Service: Lambda, Status Code: 403, Request ID: xxx)" (RequestToken: xxx, HandlerErrorCode: AccessDenied)
Customer says he was able to get around this by creating a bucket specifically for himself and copying our templates into it. However, after that, he got a new error:
2024-07-01T12:08:56.958Z [9032]: error: AWS Cloud Client secret id arn:aws:secretsmanager:il-central-1:xxxxxxxxx:secret:xxxxxf5-bigIpSecret-xxxxxx is the wrong format
However, we double-checked this secret and it is in the correct format. (Secret itself is a string of letters and numbers without illegal special characters. IAM role allows permissions to secret).
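As an added illustration, not code from the f5-bigip-runtime-init project, here is a hypothetical reconstruction of the two validator checks described above (a secret ARN pattern whose region allowlist omits the il-* regions, and a plain secret-name pattern that rejects uppercase) beside corrected versions that accept il-central-1 and mixed-case names. The regular expressions, the region list and the sample ARN are all constructed assumptions, chosen only to reproduce the "wrong format" outcome.

```python
import re

# Hypothetical reconstruction of the runtime-init secret-id checks; NOT the
# project's actual source. All patterns below are assumptions.

# "Old" ARN check: region allowlist without the il-* regions.
OLD_REGION = r"(us|eu|ap|sa|ca|me|af)-[a-z]+-\d"
# Corrected check: il-* regions (e.g. il-central-1) are accepted too.
NEW_REGION = r"(us|eu|ap|sa|ca|me|af|il)-[a-z]+-\d"

# Secrets Manager names may contain letters, digits and /_+=.@-
NAME_CHARS = r"/_+=.@-"


def arn_pattern(region_re: str) -> re.Pattern:
    """Build a full Secrets Manager ARN pattern around a region sub-pattern."""
    return re.compile(
        r"^arn:aws:secretsmanager:" + region_re +
        r":\d{12}:secret:[A-Za-z0-9" + NAME_CHARS + r"]+$"
    )


OLD_ARN = arn_pattern(OLD_REGION)
NEW_ARN = arn_pattern(NEW_REGION)

# "Old" plain-name check rejects uppercase; corrected one allows it.
OLD_NAME = re.compile(r"^[a-z0-9" + NAME_CHARS + r"]{1,512}$")
NEW_NAME = re.compile(r"^[A-Za-z0-9" + NAME_CHARS + r"]{1,512}$")


def validate_secret_id(value: str, fixed: bool = False) -> bool:
    """Return True if value passes as a Secrets Manager ARN or a plain name.

    fixed=False reproduces the behaviour reported in this issue;
    fixed=True applies the corrected patterns.
    """
    arn_re, name_re = (NEW_ARN, NEW_NAME) if fixed else (OLD_ARN, OLD_NAME)
    if value.startswith("arn:"):
        return arn_re.match(value) is not None
    return name_re.match(value) is not None


# Constructed sample with the shape of the customer's ARN (placeholder account id).
SAMPLE_ARN = ("arn:aws:secretsmanager:il-central-1:123456789012"
              ":secret:f5-bigIpSecret-AbC123")
```

With the old patterns the constructed il-central-1 ARN and the mixed-case name both fail, which matches the "is the wrong format" error; the same inputs pass with the corrected patterns.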
Steps to reproduce
Deploy CFT into il-central-1
Note: I cannot test in this region (il-central-1) with my F5 account, so I am unable to replicate the customer's problem.