Merge pull request #35 from Teradata/fix/aws-lb-issue

Fix Security Group and *LB issues on AWS
Teradata · Jul 23, 2024 · 09d50f7 · 09d50f7
2 parents 1610c37 + f517fa0
commit 09d50f7
Show file tree

Hide file tree

Showing 9 changed files with 990 additions and 295 deletions.
diff --git a/deployments/aws/templates/ai-unlimited/ai-unlimited-with-alb.yaml b/deployments/aws/templates/ai-unlimited/ai-unlimited-with-alb.yaml
@@ -35,9 +35,9 @@ Metadata:
           - AiUnlimitedHttpPort
           - AiUnlimitedGrpcPort
           - AiUnlimitedVersion
-
-          # - AiUnlimitedSchedulerVersion
-          # - AiUnlimitedSchedulerPort
+          - AiUnlimitedSchedulerVersion
+          - AiUnlimitedSchedulerHttpPort
+          - AiUnlimitedSchedulerGrpcPort
       - Label:
           default: Persistent volume
         Parameters:
@@ -125,13 +125,22 @@ Parameters:
     MinValue: 0
     MaxValue: 65535
 
-  # AiUnlimitedSchedulerPort:
-  #   Description: port to access the AI Unlimited Scheduler API.
-  #   Type: Number
-  #   Default: 50051
-  #   ConstraintDescription: must be a valid ununsed port between 0 and 65535.
-  #   MinValue: 0
-  #   MaxValue: 65535
+  AiUnlimitedSchedulerHttpPort:
+    Description: port to access the AI Unlimited Scheduler API.
+    Type: Number
+    Default: 50061
+    ConstraintDescription: must be a valid ununsed port between 0 and 65535.
+    MinValue: 0
+    MaxValue: 65535
+
+  AiUnlimitedSchedulerGrpcPort:
+    Description: port to access the AI Unlimited Scheduler API.
+    Type: Number
+    Default: 50051
+    ConstraintDescription: must be a valid ununsed port between 0 and 65535.
+    MinValue: 0
+    MaxValue: 65535
+
   AiUnlimitedGrpcPort:
     Description: port to access the AI Unlimited API.
     Type: Number
@@ -145,10 +154,11 @@ Parameters:
     Type: String
     Default: latest
 
-  # AiUnlimitedSchedulerVersion:
-  #   Description: Which version of AI Unlimited Scheduler to deploy, uses container version tags, defaults to "latest"
-  #   Type: String
-  #   Default: latest
+  AiUnlimitedSchedulerVersion:
+    Description: Which version of AI Unlimited Scheduler to deploy, uses container version tags, defaults to "latest"
+    Type: String
+    Default: latest
+
   RootVolumeSize:
     Description: size of the root disk to the AI Unlimited server.
     Type: Number
@@ -331,6 +341,10 @@ Conditions:
       - !Ref SecurityGroup
       - ""
 
+  HASCIDRORPREFIXLIST: !Or
+    - !Condition HASCIDR
+    - !Condition HASPREFIXLIST
+
   HASCIDRORPREFIXLISTORSECGROUP: !Or
     - !Condition HASCIDR
     - !Condition HASPREFIXLIST
@@ -522,8 +536,8 @@ Resources:
                 ExecStartPre=/usr/bin/docker pull teradata/ai-unlimited-scheduler:latest
                 ExecStart=/usr/bin/docker run \
                     --network ai_unlimited \
-                    -p 50051:50051 \
-                    -p 50061:50061 \
+                    -p ${ AiUnlimitedSchedulerGrpcPort }:50051 \
+                    -p ${ AiUnlimitedSchedulerHttpPort }:50061 \
                     -v /etc/td/ai-unlimited:/etc/td \
                     -e TD_WSSCHED_LOG_PATH=/etc/td/workspaces/scheduler_logs \
                     -e TD_WSSCHED_TASK_LOG_PATH=/etc/td/workspaces/scheduler_logs/projects \
@@ -553,6 +567,11 @@ Resources:
           SubnetId: !Ref Subnet
           GroupSet:
             - !GetAtt AiUnlimitedSecurityGroup.GroupId
+            - !GetAtt AiUnlimitedSchedulerSecurityGroup.GroupId
+            - !If
+              - HASKEYANDCIDRORPREFIXLISTORSECGROUP
+              - !GetAtt SecurityGroupIngress.GroupId
+              - !Ref AWS::NoValue
           AssociatePublicIpAddress: !If
             - HASPUBLICIP
             - true
@@ -593,7 +612,7 @@ Resources:
           /opt/aws/bin/cfn-init -v --stack ${AWS::StackId} --resource AiUnlimitedServer --configsets ai_unlimited_install --region ${AWS::Region}
           /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackId} --resource AiUnlimitedServer --region ${AWS::Region}
 
-  LoadBalancerSecurityGroup:
+  LoadBalancerAiUnlimitedSecurityGroup:
     Type: AWS::EC2::SecurityGroup
     Properties:
       VpcId: !Ref Vpc
@@ -629,9 +648,17 @@ Resources:
             - HASSECURITYGROUP
             - !Ref SecurityGroup
             - !Ref AWS::NoValue
-        - FromPort: 50061
+    Condition: HASCIDRORPREFIXLISTORSECGROUP
+
+  LoadBalancerSchedulerSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      VpcId: !Ref Vpc
+      GroupDescription: Enable access to AI Unlimited server from LoadBalancer over http, grpc, and ssh
+      SecurityGroupIngress:
+        - FromPort: !Ref AiUnlimitedSchedulerHttpPort
           IpProtocol: tcp
-          ToPort: 50061
+          ToPort: !Ref AiUnlimitedSchedulerHttpPort
           CidrIp: !If
             - HASCIDR
             - !Ref AccessCIDR
@@ -640,13 +667,9 @@ Resources:
             - HASPREFIXLIST
             - !Ref PrefixList
             - !Ref AWS::NoValue
-          SourceSecurityGroupId: !If
-            - HASSECURITYGROUP
-            - !Ref SecurityGroup
-            - !Ref AWS::NoValue
-        - FromPort: 50051
+        - FromPort: !Ref AiUnlimitedSchedulerGrpcPort
           IpProtocol: tcp
-          ToPort: 50051
+          ToPort: !Ref AiUnlimitedSchedulerGrpcPort
           CidrIp: !If
             - HASCIDR
             - !Ref AccessCIDR
@@ -669,7 +692,8 @@ Resources:
         - !Ref LoadBalancerSubnetOne
         - !Ref LoadBalancerSubnetTwo
       SecurityGroups:
-        - !GetAtt LoadBalancerSecurityGroup.GroupId
+        - !GetAtt LoadBalancerAiUnlimitedSecurityGroup.GroupId
+        - !GetAtt LoadBalancerSchedulerSecurityGroup.GroupId
       Type: application
 
   AiUnlimitedHTTPListener:
@@ -703,18 +727,23 @@ Resources:
         - Type: forward
           TargetGroupArn: !Ref AiUnlimitedSchedulerHTTPTargetGroup
       LoadBalancerArn: !Ref LoadBalancer
-      Port: 50061
-      Protocol: HTTP
+      Port: !Ref AiUnlimitedSchedulerHttpPort
+      Protocol: HTTPS
+      Certificates:
+        - CertificateArn: !Ref ACMCertificate
+
+  AiUnlimitedSchedulerGRPCListener:
+    Type: AWS::ElasticLoadBalancingV2::Listener
+    Properties:
+      DefaultActions:
+        - Type: forward
+          TargetGroupArn: !Ref AiUnlimitedSchedulerGRPCTargetGroup
+      LoadBalancerArn: !Ref LoadBalancer
+      Port: !Ref AiUnlimitedSchedulerGrpcPort
+      Protocol: HTTPS
+      Certificates:
+        - CertificateArn: !Ref ACMCertificate
 
-  # AiUnlimitedSchedulerGRPCListener:
-  #   Type: AWS::ElasticLoadBalancingV2::Listener
-  #   Properties:
-  #     DefaultActions:
-  #       - Type: forward
-  #         TargetGroupArn: !Ref AiUnlimitedSchedulerGRPCTargetGroup
-  #     LoadBalancerArn: !Ref LoadBalancer
-  #     Port: 50051
-  #     Protocol: HTTP
   AiUnlimitedHTTPTargetGroup:
     Type: AWS::ElasticLoadBalancingV2::TargetGroup
     Properties:
@@ -816,8 +845,8 @@ Resources:
           - aisch
           - ui
           - http
-      Port: 50061
-      Protocol: HTTP
+      Port: !Ref AiUnlimitedSchedulerHttpPort
+      Protocol: HTTPS
       TargetGroupAttributes:
         - Key: stickiness.enabled
           Value: true
@@ -829,47 +858,48 @@ Resources:
           Value: "20"
       Targets:
         - Id: !Ref AiUnlimitedServer
-          Port: 50061
+          Port: !Ref AiUnlimitedSchedulerHttpPort
+      VpcId: !Ref Vpc
+
+  AiUnlimitedSchedulerGRPCTargetGroup:
+    Type: AWS::ElasticLoadBalancingV2::TargetGroup
+    Properties:
+      HealthCheckIntervalSeconds: 30
+      HealthCheckProtocol: HTTPS
+      HealthCheckTimeoutSeconds: 15
+      Matcher:
+        GrpcCode: "0"
+      Name: !Join
+        - '-'
+        - - !Select
+            - 4
+            - !Split
+              - '-'
+              - !Select
+                - 2
+                - !Split
+                  - /
+                  - !Ref AWS::StackId
+          - aisch
+          - api
+          - grpc
+      Port: !Ref AiUnlimitedSchedulerGrpcPort
+      Protocol: HTTPS
+      ProtocolVersion: GRPC
+      TargetGroupAttributes:
+        - Key: stickiness.enabled
+          Value: true
+        - Key: stickiness.type
+          Value: app_cookie
+        - Key: stickiness.app_cookie.cookie_name
+          Value: TDWUNLIMITEDHTTPSSESSION
+        - Key: deregistration_delay.timeout_seconds
+          Value: "20"
+      Targets:
+        - Id: !Ref AiUnlimitedServer
+          Port: !Ref AiUnlimitedSchedulerGrpcPort
       VpcId: !Ref Vpc
 
-  # AiUnlimitedSchedulerGRPCTargetGroup:
-  #   Type: AWS::ElasticLoadBalancingV2::TargetGroup
-  #   Properties:
-  #     HealthCheckIntervalSeconds: 30
-  #     HealthCheckProtocol: HTTPS
-  #     HealthCheckTimeoutSeconds: 15
-  #     Matcher:
-  #       GrpcCode: "0"
-  #     Name: !Join
-  #       - "-"
-  #       - - !Select
-  #           - 4
-  #           - !Split
-  #             - "-"
-  #             - !Select
-  #               - 2
-  #               - !Split
-  #                 - /
-  #                 - !Ref AWS::StackId
-  #         - aisch
-  #         - api
-  #         - grpc
-  #     Port: 50051
-  #     Protocol: HTTPS
-  #     ProtocolVersion: GRPC
-  #     TargetGroupAttributes:
-  #       - Key: stickiness.enabled
-  #         Value: true
-  #       - Key: stickiness.type
-  #         Value: app_cookie
-  #       - Key: stickiness.app_cookie.cookie_name
-  #         Value: TDWUNLIMITEDHTTPSSESSION
-  #       - Key: deregistration_delay.timeout_seconds
-  #         Value: "20"
-  #     Targets:
-  #       - Id: !Ref AiUnlimitedServer
-  #         Port: 50051
-  #     VpcId: !Ref Vpc
   AiUnlimitedSecurityGroup:
     Type: AWS::EC2::SecurityGroup
     Properties:
@@ -879,19 +909,54 @@ Resources:
         - IpProtocol: tcp
           FromPort: !Ref AiUnlimitedHttpPort
           ToPort: !Ref AiUnlimitedHttpPort
-          SourceSecurityGroupId: !GetAtt LoadBalancerSecurityGroup.GroupId
+          SourceSecurityGroupId: !GetAtt LoadBalancerAiUnlimitedSecurityGroup.GroupId
         - IpProtocol: tcp
           FromPort: !Ref AiUnlimitedGrpcPort
           ToPort: !Ref AiUnlimitedGrpcPort
-          SourceSecurityGroupId: !GetAtt LoadBalancerSecurityGroup.GroupId
+          SourceSecurityGroupId: !GetAtt LoadBalancerAiUnlimitedSecurityGroup.GroupId
+        - !If
+          - HASSECURITYGROUP
+          - IpProtocol: tcp
+            FromPort: !Ref AiUnlimitedHttpPort
+            ToPort: !Ref AiUnlimitedHttpPort
+            SourceSecurityGroupId: !Ref SecurityGroup
+          - !Ref AWS::NoValue
+        - !If
+          - HASSECURITYGROUP
+          - IpProtocol: tcp
+            FromPort: !Ref AiUnlimitedGrpcPort
+            ToPort: !Ref AiUnlimitedGrpcPort
+            SourceSecurityGroupId: !Ref SecurityGroup
+          - !Ref AWS::NoValue
+
+  AiUnlimitedSchedulerSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      VpcId: !Ref Vpc
+      GroupDescription: Enable access to AI Unlimited server over http and grpc
+      SecurityGroupIngress:
         - IpProtocol: tcp
-          FromPort: 50061
-          ToPort: 50061
-          SourceSecurityGroupId: !GetAtt LoadBalancerSecurityGroup.GroupId
+          FromPort: !Ref AiUnlimitedSchedulerGrpcPort
+          ToPort: !Ref AiUnlimitedSchedulerGrpcPort
+          SourceSecurityGroupId: !GetAtt LoadBalancerSchedulerSecurityGroup.GroupId
         - IpProtocol: tcp
-          FromPort: 50051
-          ToPort: 50051
-          SourceSecurityGroupId: !GetAtt LoadBalancerSecurityGroup.GroupId
+          FromPort: !Ref AiUnlimitedSchedulerHttpPort
+          ToPort: !Ref AiUnlimitedSchedulerHttpPort
+          SourceSecurityGroupId: !GetAtt LoadBalancerSchedulerSecurityGroup.GroupId
+        - !If
+          - HASSECURITYGROUP
+          - IpProtocol: tcp
+            FromPort: !Ref AiUnlimitedSchedulerHttpPort
+            ToPort: !Ref AiUnlimitedSchedulerHttpPort
+            SourceSecurityGroupId: !Ref SecurityGroup
+          - !Ref AWS::NoValue
+        - !If
+          - HASSECURITYGROUP
+          - IpProtocol: tcp
+            FromPort: !Ref AiUnlimitedSchedulerGrpcPort
+            ToPort: !Ref AiUnlimitedSchedulerGrpcPort
+            SourceSecurityGroupId: !Ref SecurityGroup
+          - !Ref AWS::NoValue
 
   SecurityGroupIngress:
     Type: AWS::EC2::SecurityGroupIngress
@@ -1155,9 +1220,23 @@ Outputs:
     Description: Loadbalancer access endpoint for AI Unlimited API Access
     Value: !Sub ${ DnsName }:${ AiUnlimitedGrpcPort }
 
-  SecurityGroup:
+  InstanceSecurityGroups:
     Description: AI Unlimited Security Group
-    Value: !GetAtt AiUnlimitedSecurityGroup.GroupId
+    Value: !Join
+      - ', '
+      - - !GetAtt AiUnlimitedSecurityGroup.GroupId
+        - !GetAtt AiUnlimitedSchedulerSecurityGroup.GroupId
+        - !If
+          - HASKEYANDCIDRORPREFIXLISTORSECGROUP
+          - !GetAtt SecurityGroupIngress.GroupId
+          - !Ref AWS::NoValue
+
+  LoadBalancerSecurityGroups:
+    Description: AI Unlimited Load Balancer Security Group
+    Value: !Join
+      - ', '
+      - - !GetAtt LoadBalancerAiUnlimitedSecurityGroup.GroupId
+        - !GetAtt LoadBalancerSchedulerSecurityGroup.GroupId
 
   PublicSshConeection:
     Description: AI Unlimited ssh connnection string