@@ -402,7 +402,7 @@ Resources:
402402 Properties :
403403 Count : 1
404404 Handle : !Ref AdDomainAdminNodeWaitConditionHandle
405- Timeout : 900
405+ Timeout : 600
406406
407407 AdDomainAdminNode :
408408 Type : AWS::EC2::Instance
@@ -446,57 +446,68 @@ Resources:
446446 #!/bin/bash -e
447447 set -o pipefail
448448 exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1
449- yum update -y aws-cfn-bootstrap
450- /opt/aws/bin/cfn-init -v --stack "${AWS::StackName}" --resource AdDomainAdminNode --configsets setup --region "${AWS::Region}"
451- echo "Directory Id: ${DirectoryId}"
452- echo "Domain Name: ${DirectoryDomain}"
453- echo "Domain DNS IP 1: ${DnsIp1}"
454- echo "Domain DNS IP 2: ${DnsIp2}"
455- echo "Domain Certificate Secret: ${DomainCertificateSecretArn}"
456- echo "Domain Private Key Secret: ${DomainPrivateKeySecretArn}"
457-
458- echo "Describing directory..."
459- aws ds describe-directories --directory-id "${DirectoryId}" --region "${AWS::Region}"
460- echo "Describing domain controllers..."
461- aws ds describe-domain-controllers --directory-id "${DirectoryId}" --region "${AWS::Region}"
449+ function main() {
450+ yum update -y aws-cfn-bootstrap
451+ /opt/aws/bin/cfn-init -v --stack "${AWS::StackName}" --resource AdDomainAdminNode --configsets setup --region "${AWS::Region}"
452+ echo "Directory Id: ${DirectoryId}"
453+ echo "Domain Name: ${DirectoryDomain}"
454+ echo "Domain DNS IP 1: ${DnsIp1}"
455+ echo "Domain DNS IP 2: ${DnsIp2}"
456+ echo "Domain Certificate Secret: ${DomainCertificateSecretArn}"
457+ echo "Domain Private Key Secret: ${DomainPrivateKeySecretArn}"
458+
459+ echo "Describing directory..."
460+ aws ds describe-directories --directory-id "${DirectoryId}" --region "${AWS::Region}"
461+ echo "Describing domain controllers..."
462+ aws ds describe-domain-controllers --directory-id "${DirectoryId}" --region "${AWS::Region}"
463+
464+ exit 1
465+
466+ ADMIN_PW="${AdminPassword}"
467+
468+ USERNAMES="ReadOnlyUser,${UserNames}"
469+ echo "Registering Users: $USERNAMES ..."
470+ for username in $(echo $USERNAMES | sed "s/,/ /g")
471+ do
472+ attempt=0
473+ max_attempts=3
474+ until [ $attempt -ge $max_attempts ]; do
475+ attempt=$((attempt+1))
476+ echo "Registering user $username (attempt $attempt/$max_attempts) ..."
477+ echo "$ADMIN_PW" | adcli create-user -v -x -U "${Admin}" --domain-controller="${DnsIp1}" --display-name="$username" "$username" && echo "User registered: $username" && break
478+ echo "$ADMIN_PW" | adcli create-user -v -x -U "${Admin}" --domain-controller="${DnsIp2}" --display-name="$username" "$username" && echo "User registered: $username" && break
479+ echo "User creation failed, describing directory and controllers for troubleshooting..."
480+ aws ds describe-directories --directory-id "${DirectoryId}" --region "${AWS::Region}"
481+ aws ds describe-domain-controllers --directory-id "${DirectoryId}" --region "${AWS::Region}"
482+ sleep 10
483+ done
484+ done
485+
486+ echo "Creating domain certificate..."
487+ PRIVATE_KEY="${DirectoryDomain}.key"
488+ CERTIFICATE="${DirectoryDomain}.crt"
489+ printf '.\n.\n.\n.\n.\n%s\n.\n' "${DirectoryDomain}" | openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout "$PRIVATE_KEY" -days 365 -out "$CERTIFICATE"
490+
491+ echo "Storing domain private key to Secrets Manager..."
492+ aws secretsmanager put-secret-value --secret-id "${DomainPrivateKeySecretArn}" --secret-string "file://$PRIVATE_KEY" --region "${AWS::Region}"
493+
494+ echo "Storing domain certificate to Secrets Manager..."
495+ aws secretsmanager put-secret-value --secret-id "${DomainCertificateSecretArn}" --secret-string "file://$CERTIFICATE" --region "${AWS::Region}"
496+
497+ echo "Deleting private key and certificate from local file system..."
498+ rm -rf "$PRIVATE_KEY" "$CERTIFICATE"
499+ }
462500
463- exit 1
501+ function signal_success() {
502+ /opt/aws/bin/cfn-signal -e 0 --stack "${AWS::StackName}" --resource "${AdDomainAdminNodeWaitConditionHandle}" --region "${AWS::Region}"
503+ }
464504
465- ADMIN_PW="${AdminPassword}"
505+ function signal_failure() {
506+ /opt/aws/bin/cfn-signal -e 0 --stack "${AWS::StackName}" --resource "${AdDomainAdminNodeWaitConditionHandle}" --region "${AWS::Region}"
507+ exit 1
508+ }
466509
467- USERNAMES="ReadOnlyUser,${UserNames}"
468- echo "Registering Users: $USERNAMES ..."
469- for username in $(echo $USERNAMES | sed "s/,/ /g")
470- do
471- attempt=0
472- max_attempts=5
473- until [ $attempt -ge $max_attempts ]; do
474- attempt=$((attempt+1))
475- echo "Registering user $username (attempt $attempt/$max_attempts) ..."
476- echo "$ADMIN_PW" | adcli create-user -v -x -U "${Admin}" --domain-controller="${DnsIp1}" --display-name="$username" "$username" && echo "User registered: $username" && break
477- echo "$ADMIN_PW" | adcli create-user -v -x -U "${Admin}" --domain-controller="${DnsIp2}" --display-name="$username" "$username" && echo "User registered: $username" && break
478- echo "User creation failed, describing directory and controllers for troubleshooting..."
479- aws ds describe-directories --directory-id "${DirectoryId}" --region "${AWS::Region}"
480- aws ds describe-domain-controllers --directory-id "${DirectoryId}" --region "${AWS::Region}"
481- sleep 10
482- done
483- done
484-
485- echo "Creating domain certificate..."
486- PRIVATE_KEY="${DirectoryDomain}.key"
487- CERTIFICATE="${DirectoryDomain}.crt"
488- printf '.\n.\n.\n.\n.\n%s\n.\n' "${DirectoryDomain}" | openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout "$PRIVATE_KEY" -days 365 -out "$CERTIFICATE"
489-
490- echo "Storing domain private key to Secrets Manager..."
491- aws secretsmanager put-secret-value --secret-id "${DomainPrivateKeySecretArn}" --secret-string "file://$PRIVATE_KEY" --region "${AWS::Region}"
492-
493- echo "Storing domain certificate to Secrets Manager..."
494- aws secretsmanager put-secret-value --secret-id "${DomainCertificateSecretArn}" --secret-string "file://$CERTIFICATE" --region "${AWS::Region}"
495-
496- echo "Deleting private key and certificate from local file system..."
497- rm -rf "$PRIVATE_KEY" "$CERTIFICATE"
498-
499- /opt/aws/bin/cfn-signal -e "$?" --stack "${AWS::StackName}" --region "${AWS::Region}" "${AdDomainAdminNodeWaitConditionHandle}"
510+ main && signal_success || signal_failure
500511
501512 - { DirectoryId: !GetAtt Prep.DirectoryId,
502513 DirectoryDomain : !GetAtt Prep.DomainName,
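Review bot: `signal_failure` sends `cfn-signal -e 0`, so a failed setup is reported to the wait condition as success and the new `DependsOn` on `Post` will run against a node whose users or domain certificate were never created; it should be `/opt/aws/bin/cfn-signal -e 1 --stack "${AWS::StackName}" --resource "${AdDomainAdminNodeWaitConditionHandle}" --region "${AWS::Region}"`. The `exit 1` left after the describe-domain-controllers call makes everything below it in `main` unreachable and terminates the script before either signal function runs, so the stack only hears about the node at the (now 600 s) wait-condition timeout. Because `main` is invoked as `main && signal_success || signal_failure`, bash suppresses `set -e` inside its body, so a failing `adcli create-user` or `secretsmanager put-secret-value` does not make `main` return non-zero — its status is that of the final `rm -rf` — so the steps whose failure should block the stack need an explicit `|| return 1`. The previous call passed the handle as a positional argument while the new one uses `--resource`, which expects a logical resource ID; if the substituted value is the handle URL (the `!Sub` mapping continues outside the hunk) this should be confirmed.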
@@ -624,6 +635,8 @@ Resources:
624635
625636 Post :
626637 Type : Custom::PostLambda
638+ DependsOn :
639+ - AdDomainAdminNodeWaitCondition
627640 Properties :
628641 ServiceToken : !GetAtt PostLambda.Arn
629642 AdminNodeInstanceId : !Ref AdDomainAdminNode