wallix / awless

A Mighty CLI for AWS
http://awless.io/
Apache License 2.0

Fails custom template #174

Closed skloeckner-inc closed 6 years ago

skloeckner-inc commented 6 years ago

Hi there,

I'm having trouble running a template I've mish-mashed together and have gotten through issues of having to pass through variables properly. For some odd reason, however, it seems to be just skipping past the VPC creation alongside a subnet and security groups creation as well.

This is the output of the error:

$ awless run ./Templates/m2_infra.aws dbname=$dbname dbuser=$dbuser dbpassword=$dbpassword myip=$myip
Please specify (Ctrl+C to quit, Tab for completion):
Contains the master username for the DB instance:
dbusername? root
[error]   cannot resolve aliases: ["magento2-vpc"]. Maybe you need to update your local model with `awless sync` ?

Here's my template so far:

# Title: Magento 2 deployment templates for awless.io
# Tags: infra

# VPC and its Internet gateway
vpc = create vpc cidr=10.0.0.0/16 name=magento2-vpc
igw = create internetgateway
attach internetgateway id=$igw vpc=$vpc

# Subnet and its route table
subnet = create subnet cidr=10.0.0.0/24 vpc=$vpc name=magento2-subnet
update subnet id=$subnet public=true
routetable = create routetable vpc=$vpc
attach routetable subnet=$subnet id=$routetable
create route cidr=0.0.0.0/0 gateway=$igw table=$routetable

# Create 2 security groups and authorize access from the Internet for port 80 and 443
secgroup = create securitygroup vpc=$vpc description="authorize http/s from internet" name=magento-secgroup
update securitygroup id=$secgroup inbound=authorize protocol=tcp cidr=0.0.0.0/0 portrange=443
update securitygroup id=$secgroup inbound=authorize protocol=tcp cidr=0.0.0.0/0 portrange=80

sshsecgroup = create securitygroup vpc=$vpc description="authorize ssh from origin IP" name=ssh-whitelist
update securitygroup id=$sshsecgroup inbound=authorize protocol=tcp cidr={myip}/32 portrange=22

###############

# Create database security group (authorize access from private subnet to port 3306)
dbsec = create securitygroup name=magento2-database-secgroup vpc=@magento2-vpc description="authorize mysql port 3306 from private subnets"

update securitygroup id=$dbsec inbound=authorize cidr=10.0.0.0/24 portrange=3306

# Expose MariaDB database to subnet for magento instance

dbsub = create dbsubnetgroup name=magento2-dbsubnets description="subnet for magento2 database" subnets=10.0.10.0/24

create database engine=mariadb id=m2-database password={dbpassword} size=8 type=db.t2.micro username={dbusername} dbname={dbname} subnetgroup=$dbsub vpcsecuritygroups=$dbsec

Just as a sanity check, I took the first 7 lines and dumped them into a separate file, and here were the results:

$ awless run test1 
[info]    Dry running template ...
vpc = create vpc cidr=10.0.0.0/16 name=magento2-vpc
igw = create internetgateway
attach internetgateway id=$igw vpc=$vpc

Confirm? [y/N] y
[info]    OK create vpc (vpc-bb38fac2) 
[info]    OK create internetgateway (igw-71f03717) 
[info]    OK attach internetgateway

[info]    Revert this template with `awless revert 01C2WQCABADFK2GRT9DHG92JWZ`

Is there some sort of file limit to the templates? Am I missing something here?

I suppose I can try and separate each section into its own template but it's easier if I have it all in one in case I need to expand a variable somewhere.

I'm running awless version 0.1.7 and I'm also just running a script to call the awless run command with passed in variables.

fxaguessy commented 6 years ago

Hi,

We resolve aliases (i.e. `@resource-name`) when compiling the template, before running it. So, when you run your template, the alias `magento2-vpc` you use at line 27 is not yet defined: in `dbsec = create securitygroup ... vpc=@magento2-vpc`, `@magento2-vpc` cannot be resolved because it has not yet been created on the cloud when the template is compiled and aliases are resolved.

Running the first part in one template, then the one after '###############' in another will work, because when running the second template, the VPC is created, and the alias @magento2-vpc can be resolved.

Thus, the solution here is to replace `@magento2-vpc` with `$vpc` in `dbsec = create securitygroup ... vpc=@magento2-vpc`, as the reference `$vpc` will be replaced at template runtime by the id of the VPC.

However, we could perhaps improve the error message "cannot resolve aliases: ["magento2-vpc"]. Maybe you need to update your local model with `awless sync` ?", which is not very accurate in your context.
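
The compile-time alias versus runtime reference distinction described in the answer above can be checked before a template is run. The following is an added example, not part of the original thread or the awless project: a small Python pre-flight check that flags any `@alias` naming a resource the same template creates and suggests the `$variable` to use instead. The function name `lint_template`, the regexes and the sample excerpt are assumptions made for illustration, and it only understands the simple `var = create type key=value` lines seen in this thread.

```python
import re

# Constructed excerpt of the template posted in this thread (values as posted).
SAMPLE = """\
# VPC and its Internet gateway
vpc = create vpc cidr=10.0.0.0/16 name=magento2-vpc
igw = create internetgateway
attach internetgateway id=$igw vpc=$vpc
secgroup = create securitygroup vpc=$vpc description="authorize http/s from internet" name=magento-secgroup
dbsec = create securitygroup name=magento2-database-secgroup vpc=@magento2-vpc description="authorize mysql port 3306 from private subnets"
"""

CREATE_RE = re.compile(r"^\s*(?:(\w+)\s*=\s*)?create\s+\w+\b(.*)$")
NAME_RE = re.compile(r"\bname=(\S+)")
ALIAS_RE = re.compile(r"=@([\w.\-]+)")


def lint_template(text):
    """Flag @aliases naming a resource that this same template creates.

    Returns a list of (line_number, alias, suggestion) tuples.
    """
    lines = [(n, l) for n, l in enumerate(text.splitlines(), 1)
             if l.strip() and not l.lstrip().startswith("#")]
    created = {}  # resource name -> (line number, variable holding its id)
    for n, line in lines:
        m = CREATE_RE.match(line)
        name = NAME_RE.search(m.group(2)) if m else None
        if name:
            created[name.group(1).strip("\"'")] = (n, m.group(1))
    findings = []
    for n, line in lines:
        for alias in ALIAS_RE.findall(line):
            if alias not in created:
                continue  # not created here, so it may already exist in the cloud
            made_at, var = created[alias]
            if var and made_at < n:
                fix = f"use ${var} (set on line {made_at})"
            else:
                fix = f"created on line {made_at}; assign it to a variable and create it first"
            findings.append((n, alias, fix))
    return findings


if __name__ == "__main__":
    for n, alias, fix in lint_template(SAMPLE):
        print(f"line {n}: @{alias} is created by this template: {fix}")
```

An alias that does not match any `name=` created in the template is left alone, since it may refer to a resource that already exists and can be resolved at compile time.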

skloeckner-inc commented 6 years ago

Thank you for the detailed answer. I tried replacing the @magento2-vpc with $vpc and that did indeed solve it!

$ ./m2-deploy-docker-rds.sh 
Please specify (Ctrl+C to quit, Tab for completion):
Contains the master username for the DB instance:
dbusername? root
[info]    Dry running template ...
vpc = create vpc cidr=10.0.0.0/16 name=magento2-vpc
igw = create internetgateway
attach internetgateway id=$igw vpc=$vpc
subnet = create subnet cidr=10.0.0.0/24 name=magento2-subnet vpc=$vpc
update subnet id=$subnet public=true
routetable = create routetable vpc=$vpc
attach routetable id=$routetable subnet=$subnet
create route cidr=0.0.0.0/0 gateway=$igw table=$routetable
secgroup = create securitygroup description='authorize http/s from internet' name=magento-secgroup vpc=$vpc
update securitygroup cidr=0.0.0.0/0 id=$secgroup inbound=authorize portrange=443 protocol=tcp
update securitygroup cidr=0.0.0.0/0 id=$secgroup inbound=authorize portrange=80 protocol=tcp
sshsecgroup = create securitygroup description='authorize ssh from origin IP' name=ssh-whitelist vpc=$vpc
update securitygroup cidr=$MYIP/32 id=$sshsecgroup inbound=authorize portrange=22 protocol=tcp
dbsec = create securitygroup description='authorize mysql port 3306 from private subnets' name=magento2-database-secgroup vpc=$vpc
update securitygroup cidr=10.0.0.0/24 id=$dbsec inbound=authorize portrange=3306 protocol=tcp
dbsub = create dbsubnetgroup description='subnet for magento2 database' name=magento2-dbsubnet subnets=10.0.10.0/24
create database dbname=magento2 engine=mariadb id=m2-database password=secretpassword size=8 subnetgroup=$dbsub type=db.t2.micro username=root vpcsecuritygroups=$dbsec

Confirm? [y/N] 

I would suggest "cannot resolve aliases: ["magento2-vpc"]. Does your alias pre-exist?" or something along those lines. That might've pushed me in the right direction. I suppose it's kind of a chicken and egg situation.

Also, I seem to be getting this dbusername every time even though I specify a username. Is there a parameter for the master username of the database when creating RDS instances?

Edit: Never mind, made a typo on my dbuser variable. I'm all good.

skloeckner-inc commented 6 years ago

Thanks for the answer. I will leave this open unless you'd like to add anything. The only suggestion I would make for the error message is this:

cannot resolve aliases: ["magento2-vpc"]. Does your alias pre-exist?

fxaguessy commented 6 years ago

Thanks for the feedback