Aws-cdk: [autoscaling] Unable to use the same iam role for multiple AutoscalingGroups

Created on 19 Feb 2020 · 4 Comments · Source: aws/aws-cdk

I had an EKS cluster with an IAM role assigned to an autoscaling group used for the worker nodes. When creating a second ASG and assigning the same IAM role, I get the following error in CloudFormation:
"Property ManagedPolicyArns contains duplicate values."

Reproduction Steps

import * as autoscaling from '@aws-cdk/aws-autoscaling';
import * as ec2 from '@aws-cdk/aws-ec2';
import * as eks from '@aws-cdk/aws-eks';
import * as iam from '@aws-cdk/aws-iam';

// Inside the stack constructor (clusterName, clusterRole, eksSg, vpc, vpcSubnets,
// context, clusterVersion, publicSubnet1a and the naming variables come from the
// surrounding stack code and are not shown here):
this.eksCluster = new eks.Cluster(this, 'Cluster', {
    clusterName: clusterName,
    defaultCapacity: 0,
    role: clusterRole,
    securityGroup: eksSg,
    version: context['ClusterVersion'],
    vpc: vpc,
    vpcSubnets: [
        vpcSubnets
    ]
});

// One IAM role, intended to be shared by both worker-node ASGs.
const workerRole = new iam.Role(this, "WorkerRole", {
    assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
    roleName: `${applicationName}${environment}${uniqueIdentifier}EKSWorkerRole`,
    inlinePolicies: {
        "WorkerPolicies": new iam.PolicyDocument({
            statements: [
                new iam.PolicyStatement({
                    effect: iam.Effect.ALLOW,
                    actions: [
                        "autoscaling:DescribeAutoScalingGroups"
                    ],
                    resources: ["*"]
                })
            ]
        })
    }
});

const onDemandASG = new autoscaling.AutoScalingGroup(this, 'OnDemandASG', {
    vpc: vpc,
    role: workerRole,
    minCapacity: 2,
    maxCapacity: 10,
    instanceType: new ec2.InstanceType("t3.large"),
    machineImage: new eks.EksOptimizedImage({
        kubernetesVersion: clusterVersion,
        nodeType: eks.NodeType.STANDARD  // without this, an incorrect SSM parameter for the AMI is resolved
    }),
    updateType: autoscaling.UpdateType.ROLLING_UPDATE,
    vpcSubnets: vpcSubnets
});
this.eksCluster.addAutoScalingGroup(onDemandASG, {
    bootstrapEnabled: true,
    mapRole: true
});

// Second ASG reusing the same workerRole; adding it to the cluster is what
// produces the duplicate ManagedPolicyArns error on WorkerRole.
const elasticsearchASG = new autoscaling.AutoScalingGroup(this, 'ElasticsearchASG', {
    vpc: vpc,
    role: workerRole,
    minCapacity: 3,
    maxCapacity: 4,
    desiredCapacity: 3,
    instanceType: new ec2.InstanceType("t3.large"),
    machineImage: new eks.EksOptimizedImage({
        kubernetesVersion: clusterVersion,
        nodeType: eks.NodeType.STANDARD  // without this, an incorrect SSM parameter for the AMI is resolved
    }),
    updateType: autoscaling.UpdateType.ROLLING_UPDATE,
    vpcSubnets: {
        subnets: [ publicSubnet1a ]
    }
});

elasticsearchASG.connections.allowFrom(ec2.Peer.ipv4(context['OfficeIP']), ec2.Port.allTcp());
this.eksCluster.addAutoScalingGroup(elasticsearchASG, {
    bootstrapEnabled: true,
    mapRole: true
});

Error Log

In cloudformation I get the following error:

WorkerRole8DD27D41 | UPDATE_FAILED | Property ManagedPolicyArns contains duplicate values.

Environment

  • CLI Version: 1.23.0 (build 01f326e)
  • Language: TypeScript

This is a :bug: Bug Report

Labels: @aws-cdk/aws-autoscaling, bug, effort/small, p1

All 4 comments

Solved the problem by creating a second role and assigning it to the second ASG.

@moatazelmasry2 I'm glad you found a solution! Can I go ahead and close this issue?

Nope. I’d say this is still a bug. In CloudFormation I’m able to reuse an IAM role for multiple ASGs, so I’d expect the same from CDK.

On Wed 19. Feb 2020 at 20:07, Somaya notifications@github.com wrote:

@moatazelmasry2 https://github.com/moatazelmasry2 I'm glad you found a solution! Can I go ahead and close this issue?


I think we can automatically deduplicate managed policy ARNs
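As an added example (not code from the aws-cdk project), the check below runs over a synthesized CloudFormation template and reports any IAM role whose ManagedPolicyArns repeats an ARN, so the deploy-time UPDATE_FAILED above is caught before `cdk deploy`; it also shows the order-preserving deduplication the maintainer proposes. The template, logical IDs and policy names embedded in it are a constructed sample modelled on the failing WorkerRole.

```typescript
// Added example, not aws-cdk project code: a pre-deploy lint over a synthesized
// CloudFormation template that reports IAM roles whose ManagedPolicyArns repeat
// an ARN, plus the order-preserving deduplication the maintainer proposes.
interface CfnResource { Type: string; Properties?: { [key: string]: unknown }; }
interface CfnTemplate { Resources: { [logicalId: string]: CfnResource }; }
interface DuplicateFinding { logicalId: string; duplicates: string[]; }

// CDK emits ARNs as intrinsics ({"Fn::Join": ...}), so compare by canonical JSON.
const policyKey = (arn: unknown): string => (typeof arn === 'string' ? arn : JSON.stringify(arn));
function managedPolicyArns(res: CfnResource): unknown[] {
  const arns = res.Properties ? res.Properties['ManagedPolicyArns'] : undefined;
  return Array.isArray(arns) ? arns : [];
}

// Keeps the first occurrence of each ARN, so the role's effective permissions are unchanged.
function dedupeManagedPolicyArns(res: CfnResource): unknown[] {
  const seen: string[] = [];
  return managedPolicyArns(res).filter((arn) => {
    const key = policyKey(arn);
    return seen.indexOf(key) >= 0 ? false : (seen.push(key), true);
  });
}

// One finding per AWS::IAM::Role that CloudFormation would reject with
// "Property ManagedPolicyArns contains duplicate values".
function findDuplicateManagedPolicies(template: CfnTemplate): DuplicateFinding[] {
  const findings: DuplicateFinding[] = [];
  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (res.Type !== 'AWS::IAM::Role') continue;
    const all = managedPolicyArns(res).map(policyKey);
    const duplicates = dedupeManagedPolicyArns(res).map(policyKey)
      .filter((k) => all.indexOf(k) !== all.lastIndexOf(k));
    if (duplicates.length > 0) findings.push({ logicalId, duplicates });
  }
  return findings;
}

// Constructed sample: the shared WorkerRole after two addAutoScalingGroup()
// calls each attached the same worker-node managed policies.
const awsPolicy = (name: string) => ({ 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/' + name]] });
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    WorkerRole8DD27D41: { Type: 'AWS::IAM::Role', Properties: { ManagedPolicyArns: [
      awsPolicy('AmazonEKSWorkerNodePolicy'), awsPolicy('AmazonEKS_CNI_Policy'),
      awsPolicy('AmazonEKSWorkerNodePolicy'), awsPolicy('AmazonEKS_CNI_Policy'),
    ] } },
    ClusterRole: { Type: 'AWS::IAM::Role', Properties: { ManagedPolicyArns: [awsPolicy('AmazonEKSClusterPolicy')] } },
  },
};
```

Running `findDuplicateManagedPolicies` over the JSON in `cdk.out` as a CI step flags the offending role by logical ID before CloudFormation does.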
