Install Waypoint Server on AWS behind NLB

Hello all,

I was wondering if someone was able to install waypoint server on an EC2 behind a load balancer. I’ve been trying to do it using either the docker platform or a local installation but I can’t get the context created to point to the installation.
I tried to follow this topic: Run (not install) a centrilized Waypoint server and reach it from a remote workstation · Issue #1217 · hashicorp/waypoint · GitHub but no success so far.
Any advice would be appreciated.

@diogozedan I extracted a gist from my own experiments in getting this up using terraform. I haven’t included all the modules referenced but it should be enough for you to get the, umm, gist. :drum:

Thanks a lot. That’s really good.
However, my biggest issue is to integrate it with a load balancer so that Waypoint is secured using a TLS certificate and I don’t expose the EC2 directly. Have you tried it yet?

I just got that working today. I updated my gist accordingly. The key idea is a network load balancer to terminate SSL with a valid cert and forward to port 9702 on the instance, as well as forward 9701 for GRPC connections.

(I also added an IAM policy to support AWS SessionManager in hopes that I can set up ssh over awscli. So far I can use it to get a command line on the instance (aws ssm start-session), but not yet via SSH.)

Cool thanks a lot for the help!

@lukemelia as we are speaking, they released version 0.4 with a nice feature for an ECS Fargate install.
waypoint install --platform=ecs -accept-tos -ecs-cluster waypoint-server

Still your code works like a charm for me, appreciate the reply.

Looks like the 0.4.0 feature uses EFS to store the waypoint.db file. That’s a nice approach that would be good to incorporate in the terraform approach.

I’m doing something very similar with AWS and a NLB. The UI and everything starts up just fine but when I try to use the CLI locally on my workstation I receive context deadlines. Does anyone have any clue as to why?

go git:(main) ✗ waypoint init
2021-06-18T16:47:41.779-1000 [INFO]  waypoint: waypoint version: full_string="v0.4.0 (3b3dd831)" version=v0.4.0 prerelease= metadata= revision=3b3dd831
2021-06-18T16:47:41.780-1000 [DEBUG] waypoint: home configuration directory: path=/Users/mrspanishviking/Library/Preferences/waypoint
2021-06-18T16:47:41.782-1000 [INFO]  waypoint.server: attempting to source credentials and connect
✓ Configuration file appears valid
❌ Failed to initialize client for Waypoint server.

! The Waypoint client validation step validates that we can connect to the
  configured Waypoint server. If this is a local-only operation (no Waypoint
  server is configured), then we validate that we can initialize local writes.
  The error for this failure is shown below.

! context deadline exceeded
! Project had errors during initialization.
  Waypoint experienced some errors during project initialization. The output
  above should contain the failure messages. Please correct these errors and
  run 'waypoint init' again.

Hi there. From what I’ve seen in my experience it is likely that the problem is due to authentication. Try to copy the local context settings from the server installation.
A few things to check:

  • Can you connect to the UI and authenticate with a new token by issuing waypoint token new?
  • What happens if you run waypoint context verify?
    This is what my context file looks like:
server {
  address          = "nlb-load-balancer.region.amazonaws.com:9701"
  tls              = true
  tls_skip_verify  = true
  address_internal = ""
  require_auth     = true
  auth_token       = "<token>"
  platform         = "docker"
}

Let me know how it goes.

Oh, that’s interesting. I see my config is a bit different. I copied from the UI, using the CLI button. Let me try setting tls_skip_verify to true and the platform to docker. I am using docker so that makes sense.

server {
  address          = "example.crazykarlcodes.dev:9701"
  tls              = true
  tls_skip_verify  = false
  address_internal = ""
  require_auth     = true
  auth_token       = "<token>"
  platform         = ""
}

@diogozedan That was it, the key was changing tls_skip_verify to true.

It’s interesting because using the UI, the following snippet is provided:

waypoint context create \
    -server-addr=example.crazykarlcodes.dev:9701 \
    -server-auth-token=<token> \
    -server-require-auth=true \
    -set-default example.crazykarlcodes.dev-ui

I wonder if -server-tls-skip-verify should be added to the default snippet?
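As an added example (not from this thread and not Waypoint project code), the Go program below shows what tls_skip_verify = true actually turns off. It runs a loopback TLS server that presents a constructed self-signed certificate, standing in for whatever certificate answers on port 9701, and tries three client configurations against it: default verification (rejects the server), InsecureSkipVerify (accepts any certificate, so the NLB certificate no longer proves who answered), and trusting that one certificate explicitly with verification still on. It is plain TLS rather than gRPC, the host name "waypoint.internal" is hypothetical, and the thread itself does not say which certificate the CLI was shown on 9701; the point is only that skipping verification is what lets the CLI connect, and what that costs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Results records how three client configurations fare against a server that
// presents a self-signed certificate (constructed in memory below).
type Results struct {
	StrictFails  bool // default verification against trusted roots rejects it
	SkipVerifyOK bool // InsecureSkipVerify (tls_skip_verify=true analogue) accepts anything
	PinnedOK     bool // trusting that one certificate explicitly accepts it, verification on
}

// selfSignedCert builds a throwaway self-signed leaf for host. Constructed test
// data standing in for a server-generated certificate, not a real Waypoint artifact.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// handshake dials addr over TLS with cfg; a nil error means the handshake completed.
func handshake(addr string, cfg *tls.Config) error {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 2 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Run starts a loopback TLS server with the self-signed certificate and tries
// the three client configurations against it.
func Run() (Results, error) {
	const host = "waypoint.internal" // hypothetical name, used only for SAN matching
	cert, err := selfSignedCert(host)
	if err != nil {
		return Results{}, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return Results{}, err
	}
	defer ln.Close()
	go func() { // accept loop: finish each handshake, then drop the connection
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); _ = c.(*tls.Conn).Handshake() }(c)
		}
	}()
	addr := ln.Addr().String()

	var r Results
	// 1. Strict: system trust store only. A self-signed server certificate must fail.
	r.StrictFails = handshake(addr, &tls.Config{ServerName: host}) != nil
	// 2. Skip verify: the handshake succeeds, but nothing proves who answered.
	r.SkipVerifyOK = handshake(addr, &tls.Config{ServerName: host, InsecureSkipVerify: true}) == nil
	// 3. Pin: trust exactly this certificate as a root, keep hostname verification on.
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	r.PinnedOK = handshake(addr, &tls.Config{ServerName: host, RootCAs: pool}) == nil
	return r, nil
}

func main() {
	r, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("strict rejects: %v, skip-verify accepts: %v, pinned accepts: %v\n",
		r.StrictFails, r.SkipVerifyOK, r.PinnedOK)
}
```

The third case is the shape of the fix a practitioner would prefer over skipping verification: make the certificate the client sees on 9701 one it can verify, either by terminating TLS for that port on the NLB with the same valid certificate or by trusting the server's own certificate explicitly. Whether the Waypoint context supports the latter is not something this thread establishes, so check the CLI's own flags rather than assuming it.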