Deploying RenderQueue into isolated subnets and Secrets Management enabled fails

[jusiskin]

When using RFDK 0.38.0 and Deadline 10.1.19.x with Secrets Management enabled, the following deployment error is encountered if the RenderQueue is deployed into an isolated subnet (subnet without internet access) without sufficient VPC endpoints:

2:04:12 AM | CREATE_FAILED        | AWS::AutoScaling::AutoScalingGroup        | RenderQueueConfigu...ositoryASG23B635D7
Received 1 FAILURE signal(s) out of 1.  Unable to satisfy 100% MinSuccessfulInstancesPercent requirement

The CloudFormation stack then rolls back.

Reproduction Steps

1. Create a new RFDK 0.38.0 app:

   cd "$(mktemp -d)"
   mkdir bla && cd bla
   rfdk_ver=0.38.0
   cdk_ver=$(npm view aws-rfdk@0.38.0 'dependencies.@aws-cdk/core')
   npx cdk@${cdk_ver} init --language=typescript
   npm install --save-exact "aws-rfdk@${rfdk_ver}" "@aws-cdk/aws-ec2@${cdk_ver}"

2. Configure VPC subnets in lib/myapp-stack.ts:

   import * as ec2 from '@aws-cdk/aws-ec2';
   
   
   export class MyappStack extends cdk.Stack {
     constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
       super(scope, id, props);
   
       const vpc = new ec2.Vpc(this, 'Vpc', {
           subnetConfiguration: [
           {
               name: 'Public',
               subnetType: ec2.SubnetType.PUBLIC,
           },
           {
               name: 'Private',
               subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
           },
           {
               name: 'Isolated',
               subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
           },
       });
   
       const version = new deadline.VersionQuery(this, 'Version', {
         version: '10.1.19',
       });
   
       const repository = new deadline.Repository(this, 'Repository', {
         vpc,
         version,
         vpcSubnets: privateSubnets,
       });
   
       const images = new deadline.ThinkboxDockerImages(this, 'Images', {
         // change to USER_ACCEPTS_AWS_THINKBOX_EULA to accept the AWS Thinkbox EULA
         userAwsThinkboxEulaAcceptance: deadline.AwsThinkboxEulaAcceptance.USER_REJECTS_AWS_THINKBOX_EULA,
         version,
       });
   
       const renderQueue = new deadline.RenderQueue(this, 'RQ', {
         vpc,
         images,
         repository,
         version,
         // This is the condition that causes the deployment failure
         vpcSubnets: {
           subnetGroupName: 'Isolated',
         },
       });
     }
   }

3. Create a second stack with a WorkerInstanceFleet. This is needed to overcome the resolved circular dependency issue in fix(deadline): change dependency when configuring repository clients … #626:

   // A secrets management consumer (e.g. Workers) is required to materialize the DeploymentInstance
   new deadline.WorkerInstanceFleet(this, 'Workers', {
     renderQueue,
     vpc,
     workerMachineImage: ec2.MachineImage.genericLinux({
       'us-west-2': 'ami-04ae356533dc07fb5',
     }),
   });

4. Attempt to build and deploy the application

Error Log

2:04:12 AM | CREATE_FAILED        | AWS::AutoScaling::AutoScalingGroup        | RenderQueueConfigu...ositoryASG23B635D7
Received 1 FAILURE signal(s) out of 1.  Unable to satisfy 100% MinSuccessfulInstancesPercent requirement

Environment

• CDK CLI Version : 1.129.0
• CDK Framework Version: 1.129.0
• RFDK Version: 0.38.0
• Deadline Version: 10.1.19.4
• Node.js Version: 14.18.1
• OS : Linux
• Language (Version): all

---

This is 🐛 Bug Report