Problem statement: While registering a new IP in the ELB (Fargate) target group, the old IP went into the Unhealthy status. I want to deregister the old IP automatically with the help of a GitHub Actions workflow.
What have I tried so far?
These are the three steps which I added to the existing workflow file (I added descriptive comments in the steps below for clarification).
```yaml
- name: List Targets
  id: list-targets   # Assigns an ID to this step for reference in later steps.
  env:
    AWS_TARGET_GROUP_ARN: ${{ inputs.AWS_TARGET_GROUP_ARN }}
  run: |
    # Retrieve the target health descriptions for the specified target group and save the output to targets.json.
    aws elbv2 describe-target-health --target-group-arn "$AWS_TARGET_GROUP_ARN" > targets.json
    # Print the content of targets.json to the log for debugging purposes.
    cat targets.json

- name: Filter Unused IPs
  id: filter-unused-ips   # Assigns an ID to this step for reference in later steps.
  run: |
    # Filter targets whose health state is "unhealthy", extract their IP addresses and write them to unused-ips.txt.
    jq -r '.TargetHealthDescriptions[] | select(.TargetHealth.State == "unhealthy") | .Target.Id' targets.json > unused-ips.txt
    # Print the content of unused-ips.txt to the log for debugging purposes.
    cat unused-ips.txt
    # Check whether unused-ips.txt is non-empty and set the environment variable unused-ips to true or false accordingly via $GITHUB_ENV.
    if [[ -s unused-ips.txt ]]; then
      echo "unused-ips=true" >> "$GITHUB_ENV"
    else
      echo "unused-ips=false" >> "$GITHUB_ENV"
    fi

- name: Deregister Unused IPs
  if: env.unused-ips == 'true'   # This step only runs if the environment variable unused-ips is set to true.
  env:
    AWS_TARGET_GROUP_ARN: ${{ inputs.AWS_TARGET_GROUP_ARN }}
  run: |
    # Read each IP address from unused-ips.txt and deregister it from the target group using the AWS CLI.
    while IFS= read -r IP; do
      echo "Deregistering $IP"
      aws elbv2 deregister-targets --target-group-arn "$AWS_TARGET_GROUP_ARN" --targets Id="$IP" || echo "Failed to deregister $IP"
    done < unused-ips.txt
```
All these steps in the workflow are working fine without any issues, and I can also see the print statement `Deregistering <IP>` at the end, but somehow the IPs are not being deregistered from the target group.
Also, I tried to deregister it via the AWS CLI from my laptop; the command executed successfully, but the IP is still not deregistering/draining in the AWS console.

```bash
echo "Attempting to deregister <IP> from <AWS_TARGET_GROUP_ARN>"
result=$(aws elbv2 deregister-targets --target-group-arn <AWS_TARGET_GROUP_ARN> --targets Id=<IP> 2>&1)
echo "Command result: $result"
```
With the above commands, `$result` is printed as empty and no error is shown.
I also verified the IAM policy attached to the user to ensure that it has the required permissions to deregister the target. I have this policy attached to the user, and I don't think there is any permission issue.

```json
{
  "Version": "****-**-**",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```
Can someone help me understand why the unhealthy target group IPs are not being deregistered (as seen in the AWS console)?
2 Answers
I was able to fix this issue by adding a port at the end of the `deregister-targets` command.

Even though the wildcard policy permits all actions, try to specify the required permissions.
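Added example (not code from the question or either answer): an IP target in a target group is identified by the pair (address, port), and `describe-target-health` already returns `Target.Port` alongside `Target.Id`, so the filter step can carry the port through instead of dropping it with `.Target.Id` alone. The script below parses a constructed `describe-target-health` response, keeps only targets in the `unhealthy` state (skipping ones already `draining`), and builds the `aws elbv2 deregister-targets` argv with `Id=<ip>,Port=<port>` specs. The JSON, addresses, ports and target group ARN are made up; nothing here contacts AWS, it only prepares the command so it can be checked before running.

```python
import json
from typing import Dict, List

# Constructed sample in the shape that `aws elbv2 describe-target-health` returns for an
# IP-type target group. Addresses, ports and availability zones are invented for this example.
SAMPLE_TARGET_HEALTH = json.loads("""
{
  "TargetHealthDescriptions": [
    {"Target": {"Id": "10.0.1.10", "Port": 8080, "AvailabilityZone": "us-east-1a"},
     "HealthCheckPort": "8080",
     "TargetHealth": {"State": "healthy"}},
    {"Target": {"Id": "10.0.2.20", "Port": 8080, "AvailabilityZone": "us-east-1b"},
     "HealthCheckPort": "8080",
     "TargetHealth": {"State": "unhealthy", "Reason": "Target.FailedHealthChecks",
                      "Description": "Health checks failed"}},
    {"Target": {"Id": "10.0.3.30", "Port": 9090, "AvailabilityZone": "us-east-1c"},
     "HealthCheckPort": "9090",
     "TargetHealth": {"State": "unhealthy", "Reason": "Target.Timeout",
                      "Description": "Request timed out"}},
    {"Target": {"Id": "10.0.4.40", "Port": 8080, "AvailabilityZone": "us-east-1a"},
     "HealthCheckPort": "8080",
     "TargetHealth": {"State": "draining", "Reason": "Target.DeregistrationInProgress",
                      "Description": "Target deregistration is in progress"}}
  ]
}
""")

# Placeholder ARN; replace with the real target group ARN when adapting this.
TARGET_GROUP_ARN = (
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
    "targetgroup/example-tg/0123456789abcdef"
)


def unhealthy_targets(describe_output: dict) -> List[Dict[str, object]]:
    """Return the (Id, Port) pairs of targets whose health state is exactly 'unhealthy'.

    Targets that are already 'draining' are left alone: a deregistration is in
    progress for them and issuing another one adds nothing.
    """
    return [
        {"Id": desc["Target"]["Id"], "Port": desc["Target"]["Port"]}
        for desc in describe_output.get("TargetHealthDescriptions", [])
        if desc.get("TargetHealth", {}).get("State") == "unhealthy"
    ]


def target_specs(targets: List[Dict[str, object]]) -> List[str]:
    """Render targets in the shorthand syntax the CLI --targets option accepts."""
    return [f"Id={t['Id']},Port={t['Port']}" for t in targets]


def deregister_command(arn: str, targets: List[Dict[str, object]]) -> List[str]:
    """Build the argv for a single deregister-targets call covering every target.

    Returns an empty list when there is nothing to deregister, so a caller can
    skip the AWS call instead of invoking the CLI with an empty --targets list.
    """
    if not targets:
        return []
    return [
        "aws", "elbv2", "deregister-targets",
        "--target-group-arn", arn,
        "--targets", *target_specs(targets),
    ]


if __name__ == "__main__":
    # Dry run: show the command that the workflow's third step would execute.
    cmd = deregister_command(TARGET_GROUP_ARN, unhealthy_targets(SAMPLE_TARGET_HEALTH))
    print(" ".join(cmd) if cmd else "nothing to deregister")
```

To use the same idea in the existing workflow, change the `jq` filter to emit the port as well, for example `"Id=\(.Target.Id),Port=\(.Target.Port)"`, and pass each resulting line to `--targets` unchanged.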