Etcd cluster.

MartinRixham · MartinRixham · commit 6e763e397219 · 2025-08-18T15:54:31.000+01:00
diff --git a/Makefile b/Makefile
@@ -1,6 +1,9 @@
 create-stack:
 	aws cloudformation create-stack --stack-name asyncdb --template-body file://cloudformation.json --capabilities CAPABILITY_NAMED_IAM
 
+update-stack:
+	aws cloudformation update-stack --stack-name asyncdb --template-body file://cloudformation.json --capabilities CAPABILITY_NAMED_IAM
+
 delete-stack:
 	aws cloudformation delete-stack --stack-name asyncdb
 
diff --git a/cloudformation.json b/cloudformation.json
@@ -9,6 +9,10 @@
     "ECSAMI": {
       "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>",
       "Default": "/aws/service/ecs/optimized-ami/amazon-linux-2/recommended/image_id"
+    },
+    "EtcdAmiId": {
+      "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>",
+      "Default": "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
     }
   },
   "Resources": {
@@ -34,7 +38,7 @@
       "Type": "AWS::EC2::Subnet",
       "Properties": {
         "VpcId": { "Ref": "VPC" },
-        "CidrBlock": "10.0.1.0/24",
+        "CidrBlock": "10.0.0.0/24",
         "AvailabilityZone": { "Fn::Select": [ 0, { "Fn::GetAZs": "" } ] },
         "MapPublicIpOnLaunch": true
       }
@@ -43,7 +47,7 @@
       "Type": "AWS::EC2::Subnet",
       "Properties": {
         "VpcId": { "Ref": "VPC" },
-        "CidrBlock": "10.0.2.0/24",
+        "CidrBlock": "10.0.1.0/24",
         "AvailabilityZone": { "Fn::Select": [ 1, { "Fn::GetAZs": "" } ] },
         "MapPublicIpOnLaunch": true
       }
@@ -52,7 +56,7 @@
       "Type": "AWS::EC2::Subnet",
       "Properties": {
         "VpcId": { "Ref": "VPC" },
-        "CidrBlock": "10.0.3.0/24",
+        "CidrBlock": "10.0.2.0/24",
         "AvailabilityZone": { "Fn::Select": [ 2, { "Fn::GetAZs": "" } ] },
         "MapPublicIpOnLaunch": true
       }
@@ -118,7 +122,7 @@
       "Type": "AWS::EC2::SecurityGroup",
       "Properties": {
         "VpcId": { "Ref": "VPC" },
-        "GroupDescription": "Allow inbound traffic from  application load balancer",
+        "GroupDescription": "Allow inbound traffic from application load balancer",
         "SecurityGroupIngress": [
           {
             "IpProtocol": "tcp",
@@ -135,6 +139,36 @@
         ]
       }
     },
+    "EtcdLoadBalancerSecurityGroup": {
+      "Type": "AWS::EC2::SecurityGroup",
+      "Properties": {
+        "VpcId": { "Ref": "VPC" },
+        "GroupDescription": "Allow etcd traffic",
+        "SecurityGroupIngress": [
+          {
+            "IpProtocol": "tcp",
+            "FromPort": 2379,
+            "ToPort": 2380,
+            "CidrIp": "0.0.0.0/0"
+          }
+        ]
+      }
+    },
+    "EtcdSecurityGroup": {
+      "Type": "AWS::EC2::SecurityGroup",
+      "Properties": {
+        "VpcId": { "Ref": "VPC" },
+        "GroupDescription": "Allow etcd traffic",
+        "SecurityGroupIngress": [
+          {
+            "IpProtocol": "tcp",
+            "FromPort": 2379,
+            "ToPort": 2380,
+            "CidrIp": "0.0.0.0/0"
+          }
+        ]
+      }
+    },
     "InstanceRole": {
       "Type": "AWS::IAM::Role",
       "Properties": {
@@ -173,20 +207,20 @@
           "UserData": {
             "Fn::Base64": {
               "Fn::Join": [
-                "",
+                "\n",
                 [
-                  "#! /bin/bash\n",
-                  "sudo yum update\n",
-                  "sudo yum -y install unzip\n",
-                  "curl \"https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip\" -o \"awscliv2.zip\"\n",
-                  "unzip awscliv2.zip\n",
-                  "./aws/install\n",
-                  "REGISTRY_URL=332187735950.dkr.ecr.eu-west-2.amazonaws.com\n",
-                  "VERSION=0.0.2\n",
-                  "IMAGE=$REGISTRY_URL/asyncdb:$VERSION\n",
-                  "aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin $REGISTRY_URL\n",
-                  "docker pull $IMAGE\n",
-                  "docker run -d -p 80:80 $IMAGE\n"
+                  "#! /bin/bash",
+                  "sudo yum update",
+                  "sudo yum -y install unzip",
+                  "curl \"https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip\" -o \"awscliv2.zip\"",
+                  "unzip awscliv2.zip",
+                  "./aws/install",
+                  "REGISTRY_URL=332187735950.dkr.ecr.eu-west-2.amazonaws.com",
+                  "VERSION=0.0.2",
+                  "IMAGE=$REGISTRY_URL/asyncdb:$VERSION",
+                  "aws ecr get-login-password --region eu-west-2 | docker login --username AWS --password-stdin $REGISTRY_URL",
+                  "docker pull $IMAGE",
+                  "docker run -d -p 80:80 $IMAGE"
                 ]
               ]
             }
@@ -199,7 +233,11 @@
       "Properties": {
         "Name": "ClusterALB",
         "Scheme": "internet-facing",
-        "Subnets": [{ "Ref": "PublicSubnet1" }, { "Ref": "PublicSubnet2" }, { "Ref": "PublicSubnet3" }],
+        "Subnets": [
+          { "Ref": "PublicSubnet1" },
+          { "Ref": "PublicSubnet2" },
+          { "Ref": "PublicSubnet3" }
+        ],
         "SecurityGroups": [{ "Ref": "ALBSecurityGroup" }]
       }
     },
@@ -230,7 +268,11 @@
     "AutoScalingGroup": {
       "Type": "AWS::AutoScaling::AutoScalingGroup",
       "Properties": {
-        "VPCZoneIdentifier": [ { "Ref": "PublicSubnet1" }, { "Ref": "PublicSubnet2" }, { "Ref": "PublicSubnet3" } ],
+        "VPCZoneIdentifier": [
+          { "Ref": "PublicSubnet1" },
+          { "Ref": "PublicSubnet2" },
+          { "Ref": "PublicSubnet3" }
+        ],
         "LaunchTemplate": {
           "LaunchTemplateId": { "Ref": "LaunchTemplate" },
           "Version": { "Fn::GetAtt": [ "LaunchTemplate", "LatestVersionNumber" ] }
@@ -240,6 +282,170 @@
         "MaxSize": "4",
         "TargetGroupARNs":[{ "Ref":"ALBTargetGroup" } ]
       }
+    },
+    "DiscoveryTokenLambdaRole": {
+      "Type": "AWS::IAM::Role",
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Principal": {
+                "Service": "lambda.amazonaws.com"
+              },
+              "Action": "sts:AssumeRole"
+            }
+          ]
+        },
+        "ManagedPolicyArns": [
+          "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+        ]
+      }
+    },
+    "DiscoveryTokenLambda": {
+      "Type": "AWS::Lambda::Function",
+      "Properties": {
+        "Handler": "index.handler",
+        "Role": { "Fn::GetAtt": ["DiscoveryTokenLambdaRole", "Arn"] },
+        "Runtime": "python3.9",
+        "Timeout": 30,
+        "Code": {
+          "ZipFile": {
+            "Fn::Join": [
+              "\n",
+              [
+                "import urllib.request",
+                "import cfnresponse",
+                "def handler(event, context):",
+                "    try:",
+                "        if event['RequestType'] in ('Create','Update'):",
+                "            url = \"https://discovery.etcd.io/new?size=3\"",
+                "            token = urllib.request.urlopen(url).read().decode().strip()",
+                "            cfnresponse.send(event, context, cfnresponse.SUCCESS,",
+                "                             { 'DiscoveryURL': token })",
+                "        else:",
+                "            cfnresponse.send(event, context, cfnresponse.SUCCESS, {})",
+                "    except Exception as e:",
+                "        print(\"Error:\", e)",
+                "        cfnresponse.send(event, context, cfnresponse.FAILED, {})"
+              ]
+            ]
+          }
+        }
+      }
+    },
+    "DiscoveryTokenCustomResource": {
+      "Type": "Custom::EtcdDiscovery",
+      "Properties": {
+        "ServiceToken": { "Fn::GetAtt": ["DiscoveryTokenLambda", "Arn"] }
+      }
+    },
+    "EtcdLaunchTemplate": {
+      "Type": "AWS::EC2::LaunchTemplate",
+      "Properties": {
+        "LaunchTemplateData": {
+          "ImageId": { "Ref": "EtcdAmiId" },
+          "InstanceType": { "Ref": "InstanceType" },
+          "SecurityGroupIds": [{ "Ref": "EtcdSecurityGroup" }],
+          "UserData": {
+            "Fn::Base64": {
+              "Fn::Join": [
+                "\n",
+                [
+                  "#!/bin/bash",
+                  "yum install -y wget",
+                  "ETCD_VER=v3.5.10",
+                  "DOWNLOAD_URL=https://github.com/etcd-io/etcd/releases/download",
+                  "wget ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz",
+                  "tar xvf etcd-${ETCD_VER}-linux-amd64.tar.gz",
+                  "mv etcd-${ETCD_VER}-linux-amd64/etcd* /usr/local/bin/",
+                  "PRIVATE_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)",
+                  "DISCOVERY_URL='${DiscoveryTokenCustomResource.DiscoveryURL}'",
+                  "nohup etcd \\",
+                  "  --name ${PRIVATE_IP} \\",
+                  "  --initial-advertise-peer-urls http://${PRIVATE_IP}:2380 \\",
+                  "  --listen-peer-urls http://${PRIVATE_IP}:2380 \\",
+                  "  --listen-client-urls http://${PRIVATE_IP}:2379,http://127.0.0.1:2379 \\",
+                  "  --advertise-client-urls http://${PRIVATE_IP}:2379 \\",
+                  "  --discovery ${DISCOVERY_URL} &"
+                ]
+              ]
+            }
+          }
+        }
+      }
+    },
+    "EtcdAutoScalingGroup": {
+      "Type": "AWS::AutoScaling::AutoScalingGroup",
+      "Properties": {
+        "VPCZoneIdentifier": [
+          { "Ref": "PublicSubnet1" },
+          { "Ref": "PublicSubnet2" },
+          { "Ref": "PublicSubnet3" }
+        ],
+        "LaunchTemplate": {
+          "LaunchTemplateId": { "Ref": "EtcdLaunchTemplate" },
+          "Version": { "Fn::GetAtt": ["EtcdLaunchTemplate", "LatestVersionNumber"] }
+        },
+        "MinSize": "3",
+        "MaxSize": "3",
+        "DesiredCapacity": "3",
+        "HealthCheckType": "EC2",
+        "Tags": [
+          {
+            "Key": "Name",
+            "Value": "etcd-node",
+            "PropagateAtLaunch": true
+          }
+        ]
+      }
+    },
+    "EtcdTargetGroup": {
+      "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
+      "Properties": {
+        "VpcId": { "Ref": "VPC" },
+        "Port": 2379,
+        "Protocol": "TCP",
+        "TargetType": "instance",
+        "HealthCheckProtocol": "TCP"
+      }
+    },
+    "EtcdNLB": {
+      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
+      "Properties": {
+        "Subnets": [
+          { "Ref": "PublicSubnet1" },
+          { "Ref": "PublicSubnet2" },
+          { "Ref": "PublicSubnet3" }
+        ],
+        "SecurityGroups": [{ "Ref": "EtcdLoadBalancerSecurityGroup" }],
+        "Scheme": "internet-facing",
+        "Type": "network"
+      }
+    },
+    "EtcdListener": {
+      "Type": "AWS::ElasticLoadBalancingV2::Listener",
+      "Properties": {
+        "LoadBalancerArn": { "Ref": "EtcdNLB" },
+        "Port": 2379,
+        "Protocol": "TCP",
+        "DefaultActions": [
+          {
+            "Type": "forward",
+            "TargetGroupArn": { "Ref": "EtcdTargetGroup" }
+          }
+        ]
+      }
+    },
+    "EtcdASGAttachment": {
+      "Type": "AWS::AutoScaling::LifecycleHook",
+      "Properties": {
+        "AutoScalingGroupName": { "Ref": "EtcdAutoScalingGroup" },
+        "LifecycleTransition": "autoscaling:EC2_INSTANCE_LAUNCHING",
+        "DefaultResult": "CONTINUE",
+        "HeartbeatTimeout": 300
+      }
     }
   }
 }
diff --git a/test-etcd.py b/test-etcd.py
@@ -0,0 +1,24 @@
+import grpc
+import socket
+from etcd3.etcdrpc import KVStub, RangeRequest
+
+def test_etcd(elb_hostname: str):
+    # Resolve ELB hostname to IPv4 manually
+    ip = socket.gethostbyname(elb_hostname)
+    target = f"{ip}:2379"
+    print(f"Connecting to {target}")
+
+    # Connect directly to the IP
+    channel = grpc.insecure_channel(target)
+
+    kv = KVStub(channel)
+    request = RangeRequest(key=b"test")
+    response = kv.Range(request, timeout=5)
+
+    print("Cluster responded OK")
+    print("KVs returned:", len(response.kvs))
+
+if __name__ == "__main__":
+    elb = "asyncd-EtcdN-On7N9ya3YCJL-caba21a201f8acff.elb.eu-west-2.amazonaws.com"
+    test_etcd(elb)
+
diff --git a/test-etcd.sh b/test-etcd.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# test-etcd-cluster.sh
+# Usage: ./test-etcd-cluster.sh <LOAD_BALANCER_DNS_NAME>
+
+LB_DNS=$1
+
+if [ -z "$LB_DNS" ]; then
+  echo "Usage: $0 <LOAD_BALANCER_DNS_NAME>"
+  exit 1
+fi
+
+echo "Checking etcd cluster via Load Balancer: $LB_DNS"
+
+# 1. Check health
+echo "==> Checking cluster health..."
+curl -s http://$LB_DNS:2379/health | jq .
+
+# 2. Write a test key
+echo "==> Writing test key..."
+curl -s http://$LB_DNS:2379/v2/keys/testkey -XPUT -d value="hello-etcd" | jq .
+
+# 3. Read the test key
+echo "==> Reading test key..."
+curl -s http://$LB_DNS:2379/v2/keys/testkey | jq .
+
+# 4. Delete the test key
+echo "==> Deleting test key..."
+curl -s http://$LB_DNS:2379/v2/keys/testkey -XDELETE | jq .
+
+echo "Done."
+
