Closed peterellisjones closed 6 years ago
We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.
The labels on this GitHub issue will be updated when the story is started.
Hi @peterellisjones, our pipelines suite does not support minor to minor upgrades (1.12 to 2.0). Could you clarify which pipeline you've used to do the upgrade, what version of the pipelines release, and whether any modifications were made to the pipeline? Thanks.
Hi @abbyachau if you look at the source code for the BOSH AWS CPI you can see that it requires the copy-image permission when creating a new encrypted stemcell:
We saw this issue when upgrading from a heavily modified 1.12 pipeline with encrypted stemcells (i.e. encrypted EBS volumes: https://docs.pivotal.io/pivotalcf/1-12/customizing/cloudform-om-ebs-config.html) to a heavily modified 2.0, but anyone who uses encrypted EBS volumes will likely hit this error sooner or later.
By adding the ec2:CopyImage permission to the PcfAdminPolicy you will allow people to use pcf-pipelines to deploy a foundation and then turn on EBS volume encryption without having to make any further modifications to pcf-pipelines.
cheers,
Pete
Forgot to mention: the version of pcf-pipelines we're using is 0.23.0 with some of our own commits cherry-picked on top (we regularly rebase when you make a new release).
@peterellisjones many thanks. Prioritising for engineering review.
When upgrading from PCF 1.12 to 2.0 we encountered an error when deploying the bosh director
Looking at the CloudTrail logs showed this was caused by the pcf-$FOUNDATION_pcf_iam_user user lacking the ec2:CopyImage IAM permission.
I have tested this change in a fork of PCF Pipelines and confirmed that it fixes the error.
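
The CloudTrail triage described in this pull request, as an added example that is not part of the original thread or of pcf-pipelines: it scans a CloudTrail log file for authorization failures and lists the denied actions per principal. The function name, the sample records, the user name and the account ID are constructed for illustration.

```python
import json
from collections import defaultdict

# errorCode values CloudTrail records for authorization failures:
# EC2 uses Client.UnauthorizedOperation, most other services AccessDenied.
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}

# Constructed sample records (not from the issue); the user name is a
# placeholder following the pcf-$FOUNDATION_pcf_iam_user pattern.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeImages",
     "userIdentity": {"type": "IAMUser", "userName": "pcf-example_pcf_iam_user"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CopyImage",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "pcf-example_pcf_iam_user"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CopyImage",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "pcf-example_pcf_iam_user"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/example/session"}},
]})


def denied_actions(cloudtrail_json):
    """Return {principal: sorted denied actions} from a CloudTrail log file."""
    denied = defaultdict(set)
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("errorCode") not in DENIED_CODES:
            continue  # successful call or a non-authorization error
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn") or "unknown"
        # ec2.amazonaws.com + CopyImage -> ec2:CopyImage. For some services
        # the IAM prefix differs from the event source, so confirm the action
        # name against the service's IAM reference before editing a policy.
        service = rec.get("eventSource", "").split(".")[0]
        denied[who].add(f"{service}:{rec.get('eventName')}")
    return {who: sorted(actions) for who, actions in denied.items()}


if __name__ == "__main__":
    for who, actions in denied_actions(SAMPLE_LOG).items():
        print(who, "denied:", ", ".join(actions))
```

Repeated denials collapse to one entry per principal, so the output reads as the list of permissions to review for each identity.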