I've currently been trying to follow the AWS Workshops guide for the 'Amazon Labs for PostgreSQL'.
The first prerequisite is to create a Cloudformation template using the template provided (see here: https://catalog.us-east-1.prod.workshops.aws/workshops/098605dc-8eee-4e84-85e9-c5c6c9e43de2/en-US/1-prereq/i-need-to-deploy-lab-environment-manually/setup-with-aurora-pg)
However, the creation process consistently ends up failing. The two images above show the errors I'm receiving.
I know that template creation should work (and has previously), given that the role I'm using has PowerUser rights, so CF is possible for me. Are there any other reasons why this failure could be occurring?
In your template, the aupglabsGDBstack resource attribute Properties.OwnerArn is a string that says "Specify Cloud9 owner ARN" instead of an actual ARN of the Cloud9 owner. Make sure to add a valid ARN:

```yaml
aupglabsGDBstack:
  Properties:
    # Must be the IAM ARN (user or role) of the Cloud9 environment owner,
    # not the placeholder text shipped with the template.
    OwnerArn: <insert-valid-arn>
```
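As an added example (not part of the answer above or of the workshop template), here is a small Python pre-flight check that catches exactly this class of mistake before you submit a stack: it walks a CloudFormation template (loaded as its JSON-equivalent dict) and reports every property whose name ends in `Arn` but whose literal value does not parse as an ARN. Intrinsic functions (`Ref`, `Fn::GetAtt`, `Fn::Sub`) are skipped because their value is only known at deploy time. The sample template is constructed here; the `AWS::Cloud9::EnvironmentEC2` resource type and the Lambda resource are assumptions for illustration.

```python
import json
import re
from typing import Any, Dict, List, Tuple

# arn:partition:service:region:account-id:resource
# region and account-id may legitimately be empty (IAM, S3, Route 53).
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):[a-z0-9-]+:[a-z0-9-]*:(\d{12})?:.+$")

Finding = Tuple[str, str, str]  # (logical id, property path, offending value)


def find_placeholder_arns(template: Dict[str, Any]) -> List[Finding]:
    """Report literal *Arn properties that do not parse as ARNs.

    Intrinsic functions are dicts rather than strings, so they are not
    inspected: the heuristic only looks at hard-coded values.
    """
    findings: List[Finding] = []
    for logical_id, resource in template.get("Resources", {}).items():
        _walk(logical_id, "Properties", resource.get("Properties", {}), findings)
    return findings


def _walk(logical_id: str, path: str, node: Any, findings: List[Finding]) -> None:
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.endswith("Arn") and isinstance(value, str) and not ARN_RE.match(value):
                findings.append((logical_id, child, value))
            else:
                _walk(logical_id, child, value, findings)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(logical_id, f"{path}[{i}]", value, findings)


# Constructed sample: the Cloud9 resource still carries the placeholder text,
# while the (assumed) Lambda resource uses a well-formed KMS key ARN.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "aupglabsGDBstack": {
      "Type": "AWS::Cloud9::EnvironmentEC2",
      "Properties": {
        "InstanceType": "t3.small",
        "OwnerArn": "Specify Cloud9 owner ARN"
      }
    },
    "LabFunction": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Handler": "index.handler",
        "Runtime": "python3.12",
        "Role": {"Fn::GetAtt": ["LabFunctionRole", "Arn"]},
        "Code": {"ZipFile": "def handler(event, context): return 0"},
        "KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/0bfe1c5a-5d88-4a5f-8e6d-6f2f2c8b1a11"
      }
    }
  }
}
""")

if __name__ == "__main__":
    for logical_id, path, value in find_placeholder_arns(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {path} = {value!r} is not a valid ARN")
```

Run it against `aws cloudformation get-template --stack-name ... --query TemplateBody` output, or against the JSON form of the workshop template; any finding means the stack will fail validation (or, worse, deploy with a nonsense owner) before a single resource is created.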
I'm trying to use CloudFormation AddOn template in the following scenario:
Service 1
creates an SNS Topic and a Managed Policy that has all the necessary permissions to publish to it. The SNS Topic will collect "Activity" records and then fan them out to multiple subscribers.
A common code library abstracts away the usage of SNS - any applications that need to post activity messages do so without any knowledge that SNS is being used underneath the covers.
Service N needs to publish activity messages using the common code library and needs whatever permissions are necessary.
So service 1 writes the Managed Policy ARN out as an exported output to the AddOn stack like so:
```yaml
Outputs:
  activityPublishPolicy:
    Description: "Activity Publish Policy ARN"
    Value: !Ref activitySnsTopicPublishPolicy
    Export:
      Name: !Sub ${App}-${Env}-activity-publish-policy
```
Then in service N, I was hoping to import the ARN of the publishing policy and get it attached to the task role:
```yaml
Outputs:
  activityPublishAccessPolicy:
    Description: "The IAM::ManagedPolicy to attach to the task role."
    Value: !ImportValue
      'Fn::Sub': '${App}-${Env}-activity-publish-policy'
```
The ARN is imported just fine and written out to the CloudFormation stack of Service N; however, the Task Role does not get the Managed Policy attached to it.
I did a quick test to see if adding the policy directly to the AddOn stack would attach and that does indeed work.
```yaml
Outputs:
  activityPublishAccessPolicy:
    Description: "The IAM::ManagedPolicy to attach to the task role."
    Value: !Ref activityPolicy
```
This leads me to believe that Copilot only attaches ManagedPolicies to the Task Role that are created in its own AddOn Stack, but that's just a guess.
I'd prefer not to write a new policy in every service to do this, and I'd prefer not to open up the topic policy to our whole VPC if possible.
Is there a better way of doing this?
Thanks!
This is because Copilot scans the Addons template to determine the type of the resource you're outputting. There are several "magic" outputs for addons. They are:

- Security Groups
- Managed Policies
- Secrets

To detect these outputs, we scan the template looking for the logical ID of the referenced resource. This means that we don't currently have a way of deriving the resource type of the results of Fn::ImportValue calls, since they don't refer to a logical ID defined in that addons template!

I'm sorry this is causing you problems. It seems like you may need to add the managed policy to the addons stack of each service you want to grant this access to. This is something we might be able to do something about, though, and we would love it if you could cut us a GitHub issue so we can prioritize and gather feedback on a proposal.
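To make the answer's explanation concrete, here is an added Python illustration (not Copilot's own code) of the lookup it describes: an output is classified by following its `Ref` or `Fn::GetAtt` back to a logical ID in the same template and reading that resource's `Type`. An `Fn::ImportValue` value names nothing in the template, so it resolves to no type and triggers none of the magic behaviours. The addons template below is a constructed JSON-form equivalent of the YAML in the question; the mapping of resource types to output kinds follows the three kinds listed in the answer and is otherwise an assumption.

```python
from typing import Any, Dict, Optional

# The three output kinds the answer lists, keyed by the resource type that
# an output must resolve to for Copilot to act on it (assumed mapping).
MAGIC_OUTPUT_TYPES = {
    "AWS::EC2::SecurityGroup": "Security Group",
    "AWS::IAM::ManagedPolicy": "Managed Policy",
    "AWS::SecretsManager::Secret": "Secret",
}


def referenced_logical_id(value: Any) -> Optional[str]:
    """Return the logical ID an output value points at, if it points at one.

    Ref and Fn::GetAtt name a resource in *this* template. Fn::ImportValue,
    Fn::Sub and literal strings do not, so there is nothing to look up.
    """
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            target = value["Fn::GetAtt"]
            return target[0] if isinstance(target, list) else target.split(".")[0]
    return None


def classify_outputs(template: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Map each output name to the magic kind it triggers, or None if it triggers nothing."""
    resources = template.get("Resources", {})
    result: Dict[str, Optional[str]] = {}
    for name, output in template.get("Outputs", {}).items():
        logical_id = referenced_logical_id(output.get("Value"))
        resource = resources.get(logical_id) if logical_id else None
        resource_type = resource.get("Type") if resource else None
        result[name] = MAGIC_OUTPUT_TYPES.get(resource_type)
    return result


# Constructed addons template: one policy defined locally, one imported.
ADDONS_TEMPLATE = {
    "Resources": {
        "activityPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Action": "sns:Publish",
                        "Resource": {"Fn::ImportValue": {"Fn::Sub": "${App}-${Env}-activity-topic-arn"}},
                    }],
                }
            },
        }
    },
    "Outputs": {
        "localPolicy": {"Value": {"Ref": "activityPolicy"}},
        "importedPolicy": {
            "Value": {"Fn::ImportValue": {"Fn::Sub": "${App}-${Env}-activity-publish-policy"}}
        },
    },
}

if __name__ == "__main__":
    for name, kind in classify_outputs(ADDONS_TEMPLATE).items():
        print(f"{name}: {kind or 'no magic behaviour (not a logical ID in this template)'}")
```

Note the workaround this suggests, and that the answer recommends: keep the `AWS::IAM::ManagedPolicy` resource in each service's addons template, but let its `PolicyDocument` import the topic ARN from Service 1. The policy is then local (so it attaches), while the topic's own access policy never has to be widened to the VPC.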
I'm attempting to achieve the following through CloudFormation.
From a stack created in an EU region I want to create (and verify) a public certificate against Route53 in US-EAST-1, because it is used by CloudFront. I'm aiming to have zero actions performed in the console or AWS CLI.
The new CloudFormation support for ACM was a little sketchy last week but seems to be working now.
Certificate

```yaml
Resources:
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Sub "${Env}.domain.cloud"
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Sub "${Env}.domain.cloud"
          HostedZoneId: !Ref HostedZoneId
```
All I need to do is use Cloudformation to deploy this into the US-EAST-1 region from stack in a different region. Everything else is ready for this.
I thought that using CodePipeline's cross-region support would be great, so I started to look into [this documentation][1]. After setting things up in my template I met the following error message:

```text
An error occurred while validating the artifact bucket {...} The bucket named is not located in the `us-east-1` AWS region.
```

To me this makes no sense, as it seems that you already need at least a couple of resources to exist in the target region for it to work. Cart-before-the-horse kind of behavior. To test this I created an artifact bucket in the target region by hand and things worked fine, but that requires using the CLI or the console when I'm aiming for a CloudFormation-based solution.
Note: I'm running out of time to write this so I'll update it when I can in a few hours time. any help before I can do that would be great though
Sadly, that's required for cross-region CodePipeline. From the docs:

"When you create or edit a pipeline, you must have an artifact bucket in the pipeline Region and then you must have one artifact bucket per Region where you plan to execute an action."

If you want to fully automate this through CloudFormation, you either have to use a custom resource to create buckets in all the regions in advance, or look at StackSets to deploy one bucket template in multiple regions.
p.s.
Your link does not work, thus I'm not sure if you refer to the same documentation page.
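The answer leaves the "create the buckets in advance" step abstract, so here is an added Python (boto3) example of that step, not from the answer or the AWS docs; it does use the SDK rather than pure CloudFormation, so it is the scripted alternative to the custom-resource or StackSets routes the answer mentions. The two details a practitioner trips over are encoded in pure helper functions: `us-east-1` rejects a `CreateBucketConfiguration`/`LocationConstraint` while every other region requires one, and every artifact bucket should get default encryption and a public-access block before a pipeline starts writing build output to it. The bucket naming scheme and the `Pipeline-Artifacts` prefix are assumptions.

```python
from typing import Any, Dict, Iterable


def artifact_bucket_name(prefix: str, account_id: str, region: str) -> str:
    """One bucket per region, named so a pipeline template can derive it with Fn::Sub."""
    return f"{prefix}-{account_id}-{region}".lower()


def create_bucket_args(bucket: str, region: str) -> Dict[str, Any]:
    """Keyword arguments for s3:CreateBucket.

    us-east-1 is the edge case: passing a LocationConstraint for it fails with
    InvalidLocationConstraint, while every other region requires one.
    """
    args: Dict[str, Any] = {"Bucket": bucket}
    if region != "us-east-1":
        args["CreateBucketConfiguration"] = {"LocationConstraint": region}
    return args


def hardening_calls(bucket: str) -> Dict[str, Dict[str, Any]]:
    """S3 client method name -> kwargs, applied to every artifact bucket."""
    return {
        "put_bucket_encryption": {
            "Bucket": bucket,
            "ServerSideEncryptionConfiguration": {
                "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
            },
        },
        "put_public_access_block": {
            "Bucket": bucket,
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True,
                "IgnorePublicAcls": True,
                "BlockPublicPolicy": True,
                "RestrictPublicBuckets": True,
            },
        },
    }


def ensure_artifact_buckets(prefix: str, regions: Iterable[str]) -> Dict[str, str]:
    """Idempotently create one hardened artifact bucket per region. Needs AWS credentials."""
    import boto3  # imported here so the pure helpers above stay testable offline
    from botocore.exceptions import ClientError

    account_id = boto3.client("sts").get_caller_identity()["Account"]
    created: Dict[str, str] = {}
    for region in regions:
        s3 = boto3.client("s3", region_name=region)
        bucket = artifact_bucket_name(prefix, account_id, region)
        try:
            s3.create_bucket(**create_bucket_args(bucket, region))
        except ClientError as exc:
            # Re-running is fine; anything other than "already mine" is a real error.
            if exc.response["Error"]["Code"] != "BucketAlreadyOwnedByYou":
                raise
        for method, kwargs in hardening_calls(bucket).items():
            getattr(s3, method)(**kwargs)
        created[region] = bucket
    return created


if __name__ == "__main__":
    # Assumed prefix and regions: the pipeline's home region plus us-east-1 for the ACM action.
    print(ensure_artifact_buckets("Pipeline-Artifacts", ["eu-west-1", "us-east-1"]))
```

Each bucket then goes into the pipeline's `ArtifactStores` map under its region key; the ACM stack action that creates the certificate runs in `us-east-1` and uses the bucket created there.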
Hello, I am planning to run the CloudFormation stack that is preconfigured by AWS here.
It prompts me to fill out:

- NeptuneBulkloadIAMRoleArn
- NeptuneClusterEndpoint
- NeptuneLambdaIAMRoleArn

But I don't know what to fill in there. Can you help me out?
The parameters you described above are used for the following:

- NeptuneBulkloadIAMRoleArn: This is an IAM role set up to run the loader command. Instructions for setting this up can be found here.
- NeptuneClusterEndpoint: This is the endpoint of your Neptune database; it is available from either the console or the CLI.
- NeptuneLambdaIAMRoleArn: This allows you to pass in your own role for the Lambda to use; if not specified, the CloudFormation stack should make one for you.
If this is invalid CloudFormation templating then someone should tell the engineer that wrote this blog post: Managing Lambda@Edge and CloudFront deployments by using a CI/CD pipeline | Networking & Content Delivery
I'm using that template to deploy successfully.
But I want to use change sets to have safer deploys.
When I try to create a change set, CloudFormation tells me CodeUri is missing:

```text
Transform AWS::Serverless-2016-10-31 failed with: Invalid Serverless Application Specification document. Number of errors found: 1. Resource with id [LambdaEdgeFunctionSample] is invalid. Either 'InlineCode' or 'CodeUri' must be set
```
This template deploys without issue.
Also I don't think I can use the sam commands for this (A simpler deployment experience with AWS SAM CLI | AWS Compute Blog) because the lambda function is only a small part of this CloudFormation template.
When trying a different CodeUri I can see it demands an S3 URL:

```text
Transform AWS::Serverless-2016-10-31 failed with: Invalid Serverless Application Specification document. Number of errors found: 1. Resource with id [MyFunction] is invalid. 'CodeUri' is not a valid S3 Uri of the form "s3://bucket/key" with optional versionId query parameter.
```
For the template in the first article, if you remove the line 'CodeUri:' the template should deploy successfully. It seems to be complaining because the line is empty.
If you are looking for a simple template to kick off a SAM project, take a look at this one: https://github.com/healthbridgeltd/nodejs-sam-bootstrap
It has a Makefile with multiple targets that makes your life easier.
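The two transform errors in this thread come from the same check, so here is an added Python pre-flight (not from the blog post, the answer or the SAM project) that reproduces it locally for every `AWS::Serverless::Function` in a template: an empty `CodeUri:` parses as null and is reported as unset; a string is accepted only in the `s3://bucket/key[?versionId=...]` form; anything else is a local path that `aws cloudformation package` (or `sam package`) has to upload and rewrite before the template is fed to a change set. The sample template and its three functions are constructed for the example.

```python
import re
from typing import Any, Dict

# s3://bucket/key with an optional ?versionId=... query: the only string form the transform accepts.
S3_URI_RE = re.compile(
    r"^s3://(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])/(?P<key>[^?]+?)(\?versionId=(?P<version>[^&]+))?$"
)


def check_function_code(resource: Dict[str, Any]) -> str:
    """Classify a Serverless::Function's code reference the way the transform will."""
    props = resource.get("Properties", {})
    if props.get("InlineCode"):
        return "ok: InlineCode"
    uri = props.get("CodeUri")
    if uri is None or uri == "":
        # 'CodeUri:' with nothing after it is YAML null; the transform treats it as unset.
        return "error: either InlineCode or CodeUri must be set"
    if isinstance(uri, dict):
        if {"Bucket", "Key"} <= set(uri):
            return "ok: S3 object form"
        return "unresolved: CodeUri is an intrinsic function, check it after resolution"
    if S3_URI_RE.match(uri):
        return "ok: S3 URI"
    return "needs packaging: local path, run 'aws cloudformation package' before creating the change set"


def check_template(template: Dict[str, Any]) -> Dict[str, str]:
    """Return {logical id: status} for every Serverless::Function in the template."""
    return {
        name: check_function_code(res)
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::Serverless::Function"
    }


# Constructed sample: the blog's empty CodeUri, a local path, and a packaged artifact.
SAMPLE_TEMPLATE = {
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "LambdaEdgeFunctionSample": {
            "Type": "AWS::Serverless::Function",
            "Properties": {"Handler": "index.handler", "Runtime": "nodejs18.x", "CodeUri": None},
        },
        "LocalPathFunction": {
            "Type": "AWS::Serverless::Function",
            "Properties": {"Handler": "index.handler", "Runtime": "nodejs18.x", "CodeUri": "./src"},
        },
        "PackagedFunction": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "index.handler",
                "Runtime": "nodejs18.x",
                "CodeUri": "s3://my-artifacts-us-east-1/edge/v1.zip?versionId=3sL4kqtJlcpXroDTDmJ",
            },
        },
        "Distribution": {"Type": "AWS::CloudFront::Distribution", "Properties": {}},
    },
}

if __name__ == "__main__":
    for name, status in check_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: {status}")
```

For Lambda@Edge specifically, the packaged artifact bucket must be in us-east-1, because Lambda only loads function code from a bucket in the function's own region, and the function itself must be created there; pinning `versionId` in the URI also makes the change set diff show exactly which artifact is about to be deployed.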
I am simply trying to create a stack (Name: wordpress) on CloudFormation via the AWS console (region N. Virginia) by specifying an Amazon S3 template URL (https://s3.amazonaws.com/awsinaction/chapter2/template.json) and putting the KeyName as "mykey" in the parameter section. Also, I'm providing values for the Key (system) and Value (wordpress) fields in the tag section. Every time after I click the create button on the Review page, the status transitions from CREATE_IN_PROGRESS to ROLLBACK_COMPLETE. The status reason shown is "Parameter validation failed: parameter value for parameter name KeyName does not exist. Rollback requested by user".
I know I am missing something very prominent but can't figure out what. Any help on this would be great; I am trying to replicate an example from O'Reilly's Amazon Web Services in Action, chapter 2.
I can see that you do not have a key pair 'my.pem' in your account. You need to replace it with the name of a key pair you have in your account. You can check the key pairs in your account using the AWS EC2 Console and looking at the 'Key Pairs' tab.
Note: You don't need to supply .pem; in the above case the key name will be just my
I had the same issue when creating a stack; then check StackStatusReason:

```text
StackStatusReason": "The following resource(s) failed to create: ...
```

Some resources already exist; rename or delete them, then create the stack again.

```shell
# Keep the partially created resources around instead of rolling back,
# so the failing resource and its status reason stay visible for inspection.
aws cloudformation create-stack --stack-name <> --disable-rollback
```

Hope it's helpful!