[ActiveDirectory] In AD 1-click template fail faster in case of issues.

In particular:
  1. Make the Ad admin node signal the failure, not only the success; in this way the wait condition handle can fail faster.
  2. reduced the number of retries made by adcli from 5 to 3 because in case of issues is not necessary to do that many retries; especially considering that adcli has a 2min retry delay.
  3. reduced the condition handle timeout from 900s to 600s as 10min are enough to include AD admin node bootstrap and 3 adcli retries.

Author: gmarciani

cloudformation/ad/ad-integration.yaml

@@ -402,7 +402,7 @@ Resources:
     Properties:
       Count: 1
       Handle: !Ref AdDomainAdminNodeWaitConditionHandle
-      Timeout: 900
+      Timeout: 600
 
   AdDomainAdminNode:
     Type: AWS::EC2::Instance
@@ -446,57 +446,68 @@ Resources:
               #!/bin/bash -e
               set -o pipefail
               exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1
-              yum update -y aws-cfn-bootstrap
-              /opt/aws/bin/cfn-init -v --stack "${AWS::StackName}" --resource AdDomainAdminNode --configsets setup --region "${AWS::Region}"
-              echo "Directory Id: ${DirectoryId}"
-              echo "Domain Name: ${DirectoryDomain}"
-              echo "Domain DNS IP 1: ${DnsIp1}"
-              echo "Domain DNS IP 2: ${DnsIp2}"
-              echo "Domain Certificate Secret: ${DomainCertificateSecretArn}"
-              echo "Domain Private Key Secret: ${DomainPrivateKeySecretArn}"
-              
-              echo "Describing directory..."
-              aws ds describe-directories --directory-id "${DirectoryId}" --region "${AWS::Region}"
-              echo "Describing domain controllers..."
-              aws ds describe-domain-controllers --directory-id "${DirectoryId}" --region "${AWS::Region}"
+              function main() {
+                yum update -y aws-cfn-bootstrap
+                /opt/aws/bin/cfn-init -v --stack "${AWS::StackName}" --resource AdDomainAdminNode --configsets setup --region "${AWS::Region}"
+                echo "Directory Id: ${DirectoryId}"
+                echo "Domain Name: ${DirectoryDomain}"
+                echo "Domain DNS IP 1: ${DnsIp1}"
+                echo "Domain DNS IP 2: ${DnsIp2}"
+                echo "Domain Certificate Secret: ${DomainCertificateSecretArn}"
+                echo "Domain Private Key Secret: ${DomainPrivateKeySecretArn}"
+                
+                echo "Describing directory..."
+                aws ds describe-directories --directory-id "${DirectoryId}" --region "${AWS::Region}"
+                echo "Describing domain controllers..."
+                aws ds describe-domain-controllers --directory-id "${DirectoryId}" --region "${AWS::Region}"
+                
+                exit 1
+                
+                ADMIN_PW="${AdminPassword}"
+                
+                USERNAMES="ReadOnlyUser,${UserNames}"
+                echo "Registering Users: $USERNAMES ..."
+                for username in $(echo $USERNAMES | sed "s/,/ /g")
+                do
+                  attempt=0
+                  max_attempts=3
+                  until [ $attempt -ge $max_attempts ]; do
+                    attempt=$((attempt+1))
+                    echo "Registering user $username (attempt $attempt/$max_attempts) ..."
+                    echo "$ADMIN_PW" | adcli create-user -v -x -U "${Admin}" --domain-controller="${DnsIp1}" --display-name="$username" "$username" && echo "User registered: $username" && break
+                    echo "$ADMIN_PW" | adcli create-user -v -x -U "${Admin}" --domain-controller="${DnsIp2}" --display-name="$username" "$username" && echo "User registered: $username" && break
+                    echo "User creation failed, describing directory and controllers for troubleshooting..."
+                    aws ds describe-directories --directory-id "${DirectoryId}" --region "${AWS::Region}"
+                    aws ds describe-domain-controllers --directory-id "${DirectoryId}" --region "${AWS::Region}"
+                    sleep 10
+                  done
+                done
+  
+                echo "Creating domain certificate..."
+                PRIVATE_KEY="${DirectoryDomain}.key"
+                CERTIFICATE="${DirectoryDomain}.crt"
+                printf '.\n.\n.\n.\n.\n%s\n.\n' "${DirectoryDomain}" | openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout "$PRIVATE_KEY" -days 365 -out "$CERTIFICATE"
+  
+                echo "Storing domain private key to Secrets Manager..."
+                aws secretsmanager put-secret-value --secret-id "${DomainPrivateKeySecretArn}" --secret-string "file://$PRIVATE_KEY" --region "${AWS::Region}"
+  
+                echo "Storing domain certificate to Secrets Manager..."
+                aws secretsmanager put-secret-value --secret-id "${DomainCertificateSecretArn}" --secret-string "file://$CERTIFICATE" --region "${AWS::Region}"
+  
+                echo "Deleting private key and certificate from local file system..."
+                rm -rf "$PRIVATE_KEY" "$CERTIFICATE"
+              }
 
-              exit 1
+              function signal_success() {
+                /opt/aws/bin/cfn-signal -e 0 --stack "${AWS::StackName}" --resource "${AdDomainAdminNodeWaitConditionHandle}" --region "${AWS::Region}"
+              }
 
-              ADMIN_PW="${AdminPassword}"
+              function signal_failure() {
+                /opt/aws/bin/cfn-signal -e 0 --stack "${AWS::StackName}" --resource "${AdDomainAdminNodeWaitConditionHandle}" --region "${AWS::Region}"
+                exit 1
+              }
 
-              USERNAMES="ReadOnlyUser,${UserNames}"
-              echo "Registering Users: $USERNAMES ..."
-              for username in $(echo $USERNAMES | sed "s/,/ /g")
-              do
-                attempt=0
-                max_attempts=5
-                until [ $attempt -ge $max_attempts ]; do
-                  attempt=$((attempt+1))
-                  echo "Registering user $username (attempt $attempt/$max_attempts) ..."
-                  echo "$ADMIN_PW" | adcli create-user -v -x -U "${Admin}" --domain-controller="${DnsIp1}" --display-name="$username" "$username" && echo "User registered: $username" && break
-                  echo "$ADMIN_PW" | adcli create-user -v -x -U "${Admin}" --domain-controller="${DnsIp2}" --display-name="$username" "$username" && echo "User registered: $username" && break
-                  echo "User creation failed, describing directory and controllers for troubleshooting..."
-                  aws ds describe-directories --directory-id "${DirectoryId}" --region "${AWS::Region}"
-                  aws ds describe-domain-controllers --directory-id "${DirectoryId}" --region "${AWS::Region}"
-                  sleep 10
-                done
-              done
-
-              echo "Creating domain certificate..."
-              PRIVATE_KEY="${DirectoryDomain}.key"
-              CERTIFICATE="${DirectoryDomain}.crt"
-              printf '.\n.\n.\n.\n.\n%s\n.\n' "${DirectoryDomain}" | openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout "$PRIVATE_KEY" -days 365 -out "$CERTIFICATE"
-
-              echo "Storing domain private key to Secrets Manager..."
-              aws secretsmanager put-secret-value --secret-id "${DomainPrivateKeySecretArn}" --secret-string "file://$PRIVATE_KEY" --region "${AWS::Region}"
-
-              echo "Storing domain certificate to Secrets Manager..."
-              aws secretsmanager put-secret-value --secret-id "${DomainCertificateSecretArn}" --secret-string "file://$CERTIFICATE" --region "${AWS::Region}"
-
-              echo "Deleting private key and certificate from local file system..."
-              rm -rf "$PRIVATE_KEY" "$CERTIFICATE"
-
-              /opt/aws/bin/cfn-signal -e "$?" --stack "${AWS::StackName}" --region "${AWS::Region}" "${AdDomainAdminNodeWaitConditionHandle}"
+              main && signal_success || signal_failure
 
             - { DirectoryId: !GetAtt Prep.DirectoryId,
                 DirectoryDomain: !GetAtt Prep.DomainName,