hashicorp / go-discover

Discover nodes in cloud environments
Mozilla Public License 2.0

Cloud Auto-Join: AWS Partitions and custom ec2 endpoints #104

Open davidhessler opened 5 years ago

davidhessler commented 5 years ago

When filing a bug, please include the following headings if possible. Any example text in this template can be deleted.

Overview of the Issue

Cloud Auto-Join does not support cases where the region is part of one of the alternative AWS Segments. For example, in the isob-east-1 region, Consul queries https://ec2.us-isob-east-1.amazonaws.com (this DNS record does not exist). I attempted to specify the region and received the same error.

With Packer, you can leverage custom ec2 endpoints, but you cannot with Consul.

Reproduction Steps

Steps to reproduce this issue, eg:

  1. Include "retry_join": ["provider=aws tag_key=... tag_value=..."] in server.json configuration file
  2. Run consul agent
  3. Get error.

Consul info for both Client and Server

Attempting to create 3 node server cluster. Included in config.json "retry_join": ["provider=aws tag_key=cault tag_value=server"]

Getting [ERR] agent: Join LAN: discover-aws: DescribeInstanceInput failed: RequestError: send request

Operating system and Environment details

Running CentOS 7.5 on AWS. The same exact config.json works in the us-gov-west-1 region.

Log Fragments

[ERR] agent: Join LAN: discover-aws: DescribeInstanceInput failed: RequestError: send request

marcuschaney commented 5 years ago

We are also able to specify an "endpoint" using Vault (which does work in the same region); however, Consul doesn't seem to have this functionality.

shantanugadgil commented 5 years ago

Could this be related to the Go SDK? (just a hunch) https://github.com/aws/aws-sdk-go/issues/2219

I just googled for the term "isob-east-1" as I had never seen such a region name :grinning:

pearkes commented 5 years ago

I moved this to the library where the change would be made for this to work.

davidhessler commented 4 years ago

Has anyone thought about this?

oberones commented 2 years ago

I know it's been a couple of years, but has there been any traction on this? A number of recent high-profile vulnerabilities have caused a growing number of organizations, including ours, to begin heavily restricting their egress traffic. This includes using VPC endpoints instead of public AWS endpoints. We need the ability to define a custom ec2 endpoint for cloud auto-join in order to operate Vault and Consul in networks with restricted egress.
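As an added illustration (not go-discover's or Consul's code), the sketch below shows how a retry_join string could carry a hypothetical `endpoint` key alongside the existing `provider`/`region`/`tag_key`/`tag_value` keys, and how endpoint resolution falls back to the `https://ec2.<region>.amazonaws.com` hostname from the report when no override is set. The VPC endpoint hostname in the test is a constructed placeholder, and requiring `https` for an override is an assumption, not documented go-discover behaviour.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// DiscoveryArgs: retry_join keys; "endpoint" is the hypothetical key this issue asks for.
type DiscoveryArgs struct {
	Provider, Region, TagKey, TagValue, Endpoint string
}

// ParseDiscovery splits "k=v k=v ..."; unknown keys are an error so that a typo
// cannot silently fall back to the public AWS endpoint.
func ParseDiscovery(s string) (DiscoveryArgs, error) {
	var a DiscoveryArgs
	fields := map[string]*string{"provider": &a.Provider, "region": &a.Region,
		"tag_key": &a.TagKey, "tag_value": &a.TagValue, "endpoint": &a.Endpoint}
	for _, tok := range strings.Fields(s) {
		kv := strings.SplitN(tok, "=", 2)
		dst, ok := fields[kv[0]]
		if !ok || len(kv) != 2 || kv[1] == "" {
			return a, fmt.Errorf("bad or unknown token %q", tok)
		}
		*dst = kv[1]
	}
	return a, nil
}

// ResolveEC2Endpoint returns the URL DescribeInstances would be sent to: an
// explicit endpoint (e.g. a VPC interface endpoint) wins and must be https,
// else the default https://ec2.<region>.amazonaws.com that fails for us-isob-east-1.
func ResolveEC2Endpoint(a DiscoveryArgs) (string, error) {
	if a.Endpoint != "" {
		u, err := url.Parse(a.Endpoint)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return "", fmt.Errorf("endpoint %q must be an absolute https URL", a.Endpoint)
		}
		return a.Endpoint, nil
	}
	if a.Region == "" {
		return "", fmt.Errorf("region is required when no endpoint is set")
	}
	return "https://ec2." + a.Region + ".amazonaws.com", nil
}

func main() {
	fmt.Println(ResolveEC2Endpoint(DiscoveryArgs{Region: "us-isob-east-1"}))
}
```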