user-data still freezing the instance

Author: Madisonw

lib/allora/README.md

@@ -90,7 +90,15 @@ We will use AWS Cloud9 to execute the subsequent commands. Follow the instructio
    > cdk bootstrap aws://ACCOUNT-NUMBER/REGION
    > ```
 
-3. Deploy Allora Worker Node
+3. Deploy Common Stack
+
+   ```bash
+   pwd
+   # Make sure you are in aws-blockchain-node-runners/lib/allora
+   npx cdk deploy allora-edge-common --json --outputs-file allora-edge-common-deploy.json
+   ```
+
+5. Deploy Allora Worker Node
 
    ```bash
    pwd

lib/allora/allora.ts

@@ -4,6 +4,7 @@ import 'source-map-support/register';
 import * as cdk from 'aws-cdk-lib';
 import * as ec2 from "aws-cdk-lib/aws-ec2";
 import * as constants from "../constructs/constants";
+import { EdgeCommonStack } from "./lib/common-stack";
 import { AlloraStack } from './lib/allora-stack';
 
 const parseDataVolumeType = (dataVolumeType: string) => {
@@ -22,6 +23,12 @@ const parseDataVolumeType = (dataVolumeType: string) => {
 };
 
 const app = new cdk.App();
+
+new EdgeCommonStack(app, "allora-edge-common", {
+  stackName: `allora-edge-nodes-common`,
+  env: { account: process.env.AWS_ACCOUNT_ID || "xxxxxxxxxxx", region: process.env.AWS_REGION || 'us-east-1' }
+});
+
 new AlloraStack(app, 'allora-single-node', {
   stackName: 'allora-single-node',
   env: { 

lib/allora/lib/allora-stack.ts

@@ -55,10 +55,10 @@ export class AlloraStack extends cdk.Stack {
 
     // Create VPC
     const vpc = new ec2.Vpc(this, `${resourceNamePrefix}Vpc`, {
-      maxAzs: props?.vpcMaxAzs || 1,
-      natGateways: typeof props?.vpcNatGateways !== 'undefined' ? props?.vpcNatGateways : 0,
+      maxAzs: props.vpcMaxAzs,
+      natGateways: props.vpcNatGateways,
       subnetConfiguration: [{
-        cidrMask: props?.vpcSubnetCidrMask || 24,
+        cidrMask: props.vpcSubnetCidrMask,
         name:`${resourceNamePrefix}PublicSubnet`,
         subnetType: ec2.SubnetType.PUBLIC,
       }]
@@ -84,26 +84,11 @@ export class AlloraStack extends cdk.Stack {
     const ec2UserData = ec2.UserData.forLinux();
     ec2UserData.addCommands(modifiedUserData);
 
-    // Getting the snapshot bucket name and IAM role ARN from the common stack
-    const instanceRole = new iam.Role(this, "node-role", {
-        assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
-        managedPolicies: [
-            iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonSSMManagedInstanceCore"),
-            iam.ManagedPolicy.fromAwsManagedPolicyName("CloudWatchAgentServerPolicy")
-
-        ]
-    });
-
-    instanceRole.addToPolicy(new iam.PolicyStatement({
-        resources: ["*"],
-        actions: ["cloudformation:SignalResource"]
-    }));
 
+    // Getting the snapshot bucket name and IAM role ARN from the common stack
+    const importedInstanceRoleArn = cdk.Fn.importValue("EdgeNodeInstanceRoleArn");
 
-    new cdk.CfnOutput(this, "Instance Role ARN", {
-        value: instanceRole.roleArn,
-        exportName: "EdgeNodeInstanceRoleArn"
-    });
+    const instanceRole = iam.Role.fromRoleArn(this, "iam-role", importedInstanceRoleArn);
 
     // Making sure our instance will be able to read the assets
     bucket.grantRead(instanceRole);
@@ -134,12 +119,16 @@ export class AlloraStack extends cdk.Stack {
       INSTANCE_ID: singleNode.instanceId,
       INSTANCE_NAME: `${resourceNamePrefix}Instance`,
       REGION: region,
-  })
+    });
 
-  new cw.CfnDashboard(this, 'single-cw-dashboard', {
+    new cw.CfnDashboard(this, 'single-cw-dashboard', {
       dashboardName: `AlloraStack-${singleNode.instanceId}`,
       dashboardBody: dashboardString,
-  });
+    });
+
+    new cdk.CfnOutput(this, "node-instance-id", {
+      value: singleNode.instanceId,
+    });
 
     // Elastic IP
     const eip = new ec2.CfnEIP(this, `${resourceNamePrefix}EIP`);

lib/allora/lib/assets/user-data/node.sh

@@ -1,4 +1,7 @@
 #!/bin/bash
+echo "----------------------------------------------"
+echo "[user-data] STARTING ALLORA USER DATA SCRIPT"
+echo "----------------------------------------------"
 
 echo "AWS_REGION=${_AWS_REGION_}" >> /etc/environment
 echo "ASSETS_S3_PATH=${_ASSETS_S3_PATH_}" >> /etc/environment
@@ -13,37 +16,41 @@ echo "ASSETS_S3_PATH=${_ASSETS_S3_PATH_}" >> /etc/environment
 #############################
 
 # Update Ubuntu, answer yes to all prompts non-interactively
-sudo apt update --yes
+echo "[user-data] Update Ubuntu package list"
+sudo apt-get update --yes
 
 # Install pip
-sudo apt install python3-pip --yes
+echo "[user-data] Install Pip"
+sudo apt-get install python3-pip --yes
 
 # Install Pipx
-sudo apt install pipx --yes
+echo "[user-data] Install Pipx"
+sudo apt-get install pipx --yes
 
 # Install Go
-sudo apt install golang-go --yes
-
-
-
+echo "[user-data] Install Go"
+sudo apt-get install golang-go --yes
 
 # Install Docker Compose
 # Install ca-certificates, a certificate authority package for verifying third-party identities, and curl, a data transfer tool:
-sudo apt install ca-certificates curl
+echo "[user-data] Install ca-certificates"
+sudo apt-get install ca-certificates --yes
+
+echo "[user-data] Install curl"
+sudo apt-get install curl --yes
 
 # Set ownership permissions for the /etc/apt/keyrings directory:
+echo "[user-data] Set ownership perms for /etc/apt/keyrings"
 sudo install -m 0755 -d /etc/apt/keyrings
 
 # Download the key with curl:
+echo "[user-data] Downloading key with curl"
 sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
 
 # Set read permissions for the key:
+echo "[user-data] set read permissions for key"
 sudo chmod a+r /etc/apt/keyrings/docker.asc
 
- 
-
-
-
 
 # Add the Docker repository to the list of APT sources:
 echo \
@@ -52,19 +59,27 @@ echo \
   sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
 
 # Install Docker Compose:
-sudo apt install docker-compose-plugin -y
+echo "[user-data] Install docker compose"
+sudo apt-get install docker-compose-plugin --yes
 
 # Install Docker.io
-sudo apt install docker.io
+echo "[user-data] Install docker.io"
+sudo apt-get install docker.io --yes
 
 # After the download completes, confirm that Docker Compose is installed by typing:
+echo "[user-data] run docker compose version"
 docker compose version
 
+echo "[user-data] docker group and usermod"
 # Create the docker group if it does not already exist:
 sudo groupadd -f docker
 # Add the current user to the docker group via the usermod command:
 sudo usermod -aG docker $USER
+
 # Start docker service
+echo "[user-data] Starting docker service"
 sudo service docker start
 
-echo "Allora user-data script successful"
+echo "----------------------------------------------"
+echo "[user-data] Allora user-data script successful"
+echo "----------------------------------------------"

lib/allora/lib/common-stack.ts

@@ -0,0 +1,54 @@
+import * as cdk from "aws-cdk-lib";
+import * as cdkConstructs from "constructs";
+import * as iam from "aws-cdk-lib/aws-iam";
+import * as secrets from "aws-cdk-lib/aws-secretsmanager";
+import * as nag from "cdk-nag";
+
+export interface EdgeCommonStackProps extends cdk.StackProps {
+
+}
+
+export class EdgeCommonStack extends cdk.Stack {
+    AWS_STACK_NAME = cdk.Stack.of(this).stackName;
+    AWS_ACCOUNT_ID = cdk.Stack.of(this).account;
+
+    constructor(scope: cdkConstructs.Construct, id: string, props: EdgeCommonStackProps) {
+        super(scope, id, props);
+
+        const instanceRole = new iam.Role(this, "node-role", {
+            assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
+            managedPolicies: [
+                iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonSSMManagedInstanceCore"),
+                iam.ManagedPolicy.fromAwsManagedPolicyName("CloudWatchAgentServerPolicy")
+
+            ]
+        });
+
+        instanceRole.addToPolicy(new iam.PolicyStatement({
+            resources: ["*"],
+            actions: ["cloudformation:SignalResource"]
+        }));
+
+
+        new cdk.CfnOutput(this, "Instance Role ARN", {
+            value: instanceRole.roleArn,
+            exportName: "EdgeNodeInstanceRoleArn"
+        });
+
+        // cdk-nag suppressions
+        nag.NagSuppressions.addResourceSuppressions(
+            this,
+            [
+                {
+                    id: "AwsSolutions-IAM4",
+                    reason: "AmazonSSMManagedInstanceCore and CloudWatchAgentServerPolicy are restrictive enough"
+                },
+                {
+                    id: "AwsSolutions-IAM5",
+                    reason: "Can't target specific stack: https://github.com/aws/aws-cdk/issues/22657"
+                }
+            ],
+            true
+        );
+    }
+}