aws-samples / rancher-on-aws-workshop

Learn how to easily deploy and manage Kubernetes with Rancher on AWS Cloud
https://catalog.workshops.aws/rancher
MIT License

Unable to create EC2 cluster outside workshop #29

Closed evdevr closed 1 year ago

evdevr commented 1 year ago

A few (I think independent) errors:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "<removed>",
        "arn": "arn:aws:sts::<removed>:assumed-role/rancher-manager-stack-RancherInstanceRole-CIFYWUCSX4BB/i-0f710f998e9831e3d",
        "accountId": "<removed>",
        "accessKeyId": "<removed>",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "<removed>",
                "arn": "arn:aws:iam::<removed>:role/rancher-manager-stack-RancherInstanceRole-CIFYWUCSX4BB",
                "accountId": "<removed>",
                "userName": "rancher-manager-stack-RancherInstanceRole-CIFYWUCSX4BB"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-06-09T09:33:48Z",
                "mfaAuthenticated": "false"
            },
            "ec2RoleDelivery": "2.0"
        }
    },
    "eventTime": "2023-06-09T10:14:31Z",
    "eventSource": "ecs.amazonaws.com",
    "eventName": "RegisterContainerInstance",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "<removed>",
    "userAgent": "Amazon ECS Agent - v1.53.0 (225bc3a5) (linux) (+http://aws.amazon.com/ecs/)",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::<removed>:assumed-role/rancher-manager-stack-RancherInstanceRole-CIFYWUCSX4BB/i-0f710f998e9831e3d is not authorized to perform: ecs:RegisterContainerInstance on resource: arn:aws:ecs:us-east-1:0<removed>:cluster/default because no identity-based policy allows the ecs:RegisterContainerInstance action",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "0f35992b-d1f8-43c9-b727-0fd23121749a",
    "eventID": "b55dd53a-46dd-485b-af92-9157d89553c6",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<removed>",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "ecs.us-east-1.amazonaws.com"
    }
}
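
An added example, not part of the issue thread or the workshop's code: one way to check whether several CloudTrail denials are independent is to group them by session-issuer role and denied action. The sample events are constructed, reusing the role name and message format from the event above; account ID 111122223333, instance ID i-EXAMPLE and the EC2 event are placeholders.

```python
import re
from collections import defaultdict

DENIED_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}
# IAM's denial sentence as it appears in the errorMessage of the event above.
DENIAL = re.compile(
    r"not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)"
    r"(?: (?P<reason>because .+|with an explicit deny.*))?")

def summarize_denials(events):
    """Map (role, action) -> {"count", "resources", "reasons"} for denied calls."""
    out = defaultdict(lambda: {"count": 0, "resources": set(), "reasons": set()})
    for ev in events:
        if ev.get("errorCode") not in DENIED_CODES:
            continue  # successful call or an unrelated error
        ident = ev.get("userIdentity", {})
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        role = issuer.get("userName") or ident.get("arn", "unknown")
        m = DENIAL.search(ev.get("errorMessage") or "")
        if m:
            action, resource, reason = m["action"], m["resource"], m["reason"]
        else:
            # Some services omit the sentence. Fall back to source prefix + event name
            # (a heuristic: the IAM prefix does not always equal the eventSource host).
            action = ev["eventSource"].split(".")[0] + ":" + ev["eventName"]
            resource, reason = None, None
        row = out[(role, action)]
        row["count"] += 1
        if resource:
            row["resources"].add(resource)
        row["reasons"].add(reason or "not stated")
    return dict(out)

ROLE = "rancher-manager-stack-RancherInstanceRole-CIFYWUCSX4BB"  # role name from the issue
PRINCIPAL = f"arn:aws:sts::111122223333:assumed-role/{ROLE}/i-EXAMPLE"  # placeholder IDs

def _event(source, name, code=None, msg=None):
    # Constructed sample record holding only the fields the summary reads.
    ev = {"eventSource": source, "eventName": name,
          "userIdentity": {"arn": PRINCIPAL,
                           "sessionContext": {"sessionIssuer": {"userName": ROLE}}}}
    if code:
        ev.update(errorCode=code, errorMessage=msg)
    return ev

_MSG = (f"User: {PRINCIPAL} is not authorized to perform: ecs:RegisterContainerInstance "
        "on resource: arn:aws:ecs:us-east-1:111122223333:cluster/default because no "
        "identity-based policy allows the ecs:RegisterContainerInstance action")
SAMPLE = [_event("ecs.amazonaws.com", "RegisterContainerInstance", "AccessDenied", _MSG)] * 2 + [
    _event("ec2.amazonaws.com", "RunInstances", "Client.UnauthorizedOperation",
           "You are not authorized to perform this operation."),
    _event("ec2.amazonaws.com", "DescribeInstances")]  # succeeded, so it is skipped
```

Repeated denials from the same agent collapse into one row, so each remaining row is a distinct role and action pair to check against the role's policy.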

evdevr commented 1 year ago

I submitted a quota increase request in the account I'm testing in so I can come back and re-test. Default Isengard vCPU limit is 32, requested increase to 128.

zackbradys commented 1 year ago

My personal and work accounts didn't hit a limit, so most users should be all set. Do we want to call this out in the workshop introduction to be safe?

evdevr commented 1 year ago

Yes let's call it out as a dependency and close this one out 🙂

zackbradys commented 1 year ago

I'll do some math (ugh) and add it to the prerequisite list.

zackbradys commented 1 year ago

CPU: 2 (cloud9) + 48 (both rke2) + 6 (eks) = 56 vCPU

RAM: 4 (cloud9) + 192 (both rke2) + 24 (eks) = 220 GiB

SSD: 24 (cloud9) + 1536 (both rke2) + 192 (eks) = 1752 GB

zackbradys commented 1 year ago

Updated requirement section of the workshop and pending merge!