aws-api-gateway-developer-portal deployment fails at StaticAssetUploader - amazon-web-services

I am trying to deploy the AWS API Gateway Developer Portal using the serverless repo.
CloudFormation fails and triggers a rollback of the deployment. The error that causes the failure is as follows:
Logical ID: StaticAssetUploader
Status: CREATE_FAILED
Reason: CloudFormation did not receive a response from your Custom Resource. Please check your logs for requestId [ea5b3458-f29c-4950-b068-d0a3f352ad5f]. If you are using the Python cfn-response module, you may need to update your Lambda function code so that CloudFormation can attach the updated version.
Help is appreciated.
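The error above is what CloudFormation reports when the custom resource's Lambda never PUTs a result to the pre-signed ResponseURL (an uncaught exception, a missing module or a function timeout all look the same from the stack's side). The following is an added example, not code from the Developer Portal project or from the question's author: a handler skeleton that reports back on every code path, with a recording sender so it runs offline. The event values, `upload_assets` and `upload_assets_broken` are constructed placeholders.

```python
import json
import urllib.request

SUCCESS = "SUCCESS"
FAILED = "FAILED"


def build_response(event, status, reason, data=None):
    """Body CloudFormation expects at the pre-signed ResponseURL (same fields cfn-response sends)."""
    return {
        "Status": status,
        "Reason": reason,
        # Keep a stable physical ID across Update/Delete so CloudFormation does not
        # treat every update as a replacement; fall back to the logical ID on Create.
        "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def put_response(url, body):
    """PUT the JSON body to the pre-signed S3 URL, as the cfn-response module does."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(url, data=payload, method="PUT")
    req.add_header("Content-Type", "")
    req.add_header("Content-Length", str(len(payload)))
    with urllib.request.urlopen(req) as resp:
        return resp.status


def handle(event, do_work, send=put_response):
    """Run do_work(event) and report to CloudFormation on every code path.

    If nothing is sent, the stack waits for the custom-resource timeout and then
    fails with "did not receive a response from your Custom Resource".
    """
    try:
        if event.get("RequestType") == "Delete":
            body = build_response(event, SUCCESS, "Nothing to clean up on delete")
        else:
            body = build_response(event, SUCCESS, "OK", do_work(event))
    except Exception as exc:  # any uncaught error must still produce a FAILED response
        body = build_response(event, FAILED, f"{type(exc).__name__}: {exc}")
    send(event["ResponseURL"], body)
    return body


# Constructed sample event (shape of a real Create request; values are placeholders).
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://cloudformation-custom-resource-response.example/PLACEHOLDER",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/example/PLACEHOLDER",
    "RequestId": "PLACEHOLDER-REQUEST-ID",
    "LogicalResourceId": "StaticAssetUploader",
    "ResourceProperties": {"BucketName": "example-bucket"},
}


def upload_assets(event):
    """Hypothetical work step; a real uploader would copy files to the bucket here."""
    return {"Bucket": event["ResourceProperties"]["BucketName"]}


def upload_assets_broken(event):
    """Hypothetical work step that raises, like a missing package or a permission error."""
    raise RuntimeError("boto3 upload failed")


def run_demo(do_work):
    """Run the handler with a recording sender so the demo works offline; returns (url, body)."""
    sent = []
    handle(SAMPLE_EVENT, do_work, send=lambda url, body: sent.append((url, body)))
    return sent[0]


if __name__ == "__main__":
    for work in (upload_assets, upload_assets_broken):
        url, body = run_demo(work)
        print(body["Status"], body["Reason"])
```

In a real deployment the Lambda entry point would be `lambda_handler(event, context): return handle(event, upload_assets)`. Note that a function timeout also produces no response, so the first thing to check in the Lambda's CloudWatch log for the requestId named in the error is whether the invocation ended with an exception or with a timeout.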

Related

AWS ECS Cluster Unable to assume service role, when creating with cloudformation

I'm trying to create an ECS Fargate deployment using a CloudFormation script, but the script fails during creation of the ECS cluster with an error saying that it is unable to assume the service role. I'm not able to figure out what I'm missing in the script; I have tried many ways and none of them seem to be working.
Here is the link to the CloudFormation script, as I'm not able to post it here due to the character limitation.
ECS Cloudformation script
The error where the resource creation fails:
Resource handler returned message: "Invalid request provided: CreateCluster Invalid Request: Unable to assume the service linked role. Please verify that the ECS service linked role exists. (Service: AmazonECS; Status Code: 400; Error Code: InvalidParameterException; Request ID: e08ab312-4bd8-4c21-852f-ae5d49cc5932; Proxy: null)" (RequestToken: a686f226-e1d3-7b4c-13f1-66fa0a516c51, HandlerErrorCode: InvalidRequest
I'm able to get it working if I create an ECS cluster from the AWS console, as it creates a service linked role. But I want to work without creating the cluster manually from the console, with everything built up from CloudFormation. I tried looking over the AWS docs and did dig around the Internet but couldn't get it working. Can anyone please help me out?

Cloudformation not creating my stack but AWS Config will

I'm trying to deploy a conformance pack stack via CloudFormation for AWS Config. I'm using https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-NIST-CSF.yaml for my template and I'm getting an error saying "The sourceIdentifier AWS_CONFIG_PROCESS_CHECK is invalid. Please refer to the documentation for a list of valid sourceIdentifiers that can be used when AWS is the Owner. (Service: AmazonConfig; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: cbaa077f-f932-4918-84a9-b38cecf8b1df; Proxy: null)", which is causing a rollback and deletion of resources. I deployed this same template through AWS Config and it worked just fine. I also used a NIST CSF sample pack template through AWS Config and it worked as well. My question is why it doesn't deploy via CloudFormation with the script. Thank you.

awscdk - awswaf - logging configuration fails to deploy

I'm using CDK version 1.139.0, and I had a WAF added earlier in my previous deployment.
Now I tried to add the logging configuration for that WAF, so I added the code below in CDK and generated the template.
import { CfnLoggingConfiguration } from '@aws-cdk/aws-wafv2';

new CfnLoggingConfiguration(scope, 'WafLoggingConfig', {
  resourceArn: webAcl.attrArn, // here I attached the web ACL using the web ACL code reference
  // the ARN must be a string, so the interpolation needs a template literal
  logDestinationConfigs: [`arn:aws:logs:${region}:${accountId}:log-group:aws-waf-logs-for-app`],
});
Note: I have already created the log group for WAF, named aws-waf-logs-for-app (which has the expected prefix needed for WAF).
After synthesizing/generating the template I ran cdk deploy to update the CloudFormation stack.
List of policies I have already attached to the CloudFormation role:
'wafv2:AssociateWebACL',
'wafv2:CreateWebACL',
'wafv2:DeleteWebACL',
'wafv2:DescribeManagedRuleGroup',
'wafv2:DisassociateWebACL',
'wafv2:Get*',
'wafv2:List*',
'wafv2:UpdateWebACL',
'wafv2:GetLoggingConfiguration',
'wafv2:ListLoggingConfiguration',
'wafv2:PutLoggingConfiguration',
'wafv2:DeleteLoggingConfiguration',
'cloudwatch:DeleteAlarms',
'cloudwatch:Describe*',
'cloudwatch:DisableAlarmActions',
'cloudwatch:EnableAlarmActions',
'cloudwatch:GetDashboard',
'cloudwatch:ListDashboards',
'cloudwatch:PutDashboard',
'cloudwatch:DeleteDashboards',
'cloudwatch:GetMetricData',
'cloudwatch:GetMetricStatistics',
'cloudwatch:ListMetrics',
'cloudwatch:PutMetricAlarm',
'cloudwatch:PutMetricData',
and other policies for other resources.
But my CloudFormation stack fails to deploy the logging configuration for WAF and displays the below error on the CloudFormation events page.
Resource handler returned message: "You don't have the permissions that are required to perform this operation. (Service: Wafv2, Status Code: 400, Request ID: {12474621823782738}, Extended Request ID: null)" (RequestToken: {9732489732849732878973}, HandlerErrorCode: GeneralServiceException)
Note: In the above error I have modified the values of the Request ID and RequestToken.
I believe I have given the needed policies to the CloudFormation role.
Is it a bug in CDK? Did CDK fail to create any role needed for this? Can someone help me with this?
You have the wafv2:PutLoggingConfiguration action allowed in your policy, but this by itself is not sufficient to allow the action. This is because wafv2:PutLoggingConfiguration has iam:CreateServiceLinkedRole as a dependent action.
References
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html (refer to the dependent actions column)
https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html
The Dependent actions column includes any additional permissions that you must have, in addition to the permission for the action itself, to successfully call the action. This can be required if the action accesses more than one resource.
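The mismatch in the answer above is easy to miss in a long action list, because the policy looks complete for everything that starts with wafv2:. As an added example (not from the answerer or from CDK), the following script checks an IAM policy document for granted actions whose dependent actions are absent, using the one dependency the page names. The sample policies are constructed; the fixed variant scopes iam:CreateServiceLinkedRole with the iam:AWSServiceName condition key so the deployment role can only create the WAFv2 service-linked role (the wafv2.amazonaws.com service principal is assumed from the IAM docs, not stated on the page).

```python
import fnmatch

# Dependent actions named in the answer above, taken from the AWS service
# authorization reference: PutLoggingConfiguration also needs CreateServiceLinkedRole.
DEPENDENT_ACTIONS = {
    "wafv2:PutLoggingConfiguration": ["iam:CreateServiceLinkedRole"],
}


def allowed_action_patterns(policy):
    """Every action pattern granted by an Allow statement (Deny statements are not modelled)."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def grants(policy, action):
    """True if some Allow pattern matches `action`; IAM actions are case-insensitive and use * and ?."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in allowed_action_patterns(policy))


def missing_dependent_actions(policy):
    """Map each granted action to the dependent actions the policy does not also grant."""
    missing = {}
    for action, deps in DEPENDENT_ACTIONS.items():
        if grants(policy, action):
            gaps = [d for d in deps if not grants(policy, d)]
            if gaps:
                missing[action] = gaps
    return missing


# Constructed sample: the WAF part of the policy described in the question.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["wafv2:AssociateWebACL", "wafv2:Get*", "wafv2:List*",
                   "wafv2:PutLoggingConfiguration", "wafv2:DeleteLoggingConfiguration"],
        "Resource": "*",
    }],
}

# Same policy plus the dependent action, limited with iam:AWSServiceName so the role
# can only create the WAFv2 service-linked role (service principal assumed from the
# IAM docs, not stated on the page).
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": QUESTION_POLICY["Statement"] + [{
        "Effect": "Allow",
        "Action": "iam:CreateServiceLinkedRole",
        "Resource": "*",
        "Condition": {"StringLike": {"iam:AWSServiceName": "wafv2.amazonaws.com"}},
    }],
}


if __name__ == "__main__":
    print("question policy:", missing_dependent_actions(QUESTION_POLICY))
    print("fixed policy:   ", missing_dependent_actions(FIXED_POLICY))
```

The checker only models Allow statements and action patterns; it does not evaluate Deny statements, resource ARNs or conditions, so a clean result means the action names are present, not that the policy will pass every evaluation. Extend DEPENDENT_ACTIONS from the "Dependent actions" column of the service authorization reference for the other actions your deployment role uses.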

How to launch AWS cloud formation stack with glue?

I'm trying to get this repo going: https://github.com/mydatastack/google-analytics-to-s3.
A link is provided to launch the AWS CloudFormation stack; it's meant to be one click to launch the stack, but it is no longer working because the S3 bucket containing the template is no longer active.
As a result I'm trying to launch the stack myself via sam deploy --guided --capabilities CAPABILITY_AUTO_EXPAND CAPABILITY_IAM, since all the resources for the stack are within the repo. I've added this lambda layer for the paramiko package referenced by collector-ga.yaml to fix this error.
Frustratingly, I'm not quite up and running yet: GlueConfigurationLambda, an AWS Lambda function (line 691), failed to create:
Waiting for changeset to be created..
CloudFormation stack changeset
---------------------------------------------------------------------------------------------------------------------
Operation   LogicalResourceId               ResourceType                  Replacement
---------------------------------------------------------------------------------------------------------------------
+ Add       GoogleAnalyticsCollectorStack   AWS::CloudFormation::Stack    N/A
---------------------------------------------------------------------------------------------------------------------
Changeset created successfully. arn:aws:cloudformation:eu-central-1:XXXXXX:changeSet/samcli-deploy1628597635/4ee26e-46b5-4131-bdba-1b9fc34f99d6
Previewing CloudFormation changeset before deployment
======================================================
Deploy this changeset? [y/N]: y
2021-08-10 13:14:04 - Waiting for stack create/update to complete
CloudFormation events from changeset
---------------------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus       ResourceType                  LogicalResourceId               ResourceStatusReason
---------------------------------------------------------------------------------------------------------------------------------------------------------
CREATE_IN_PROGRESS   AWS::CloudFormation::Stack    GoogleAnalyticsCollectorStack   -
CREATE_IN_PROGRESS   AWS::CloudFormation::Stack    GoogleAnalyticsCollectorStack   Resource creation Initiated
CREATE_FAILED        AWS::CloudFormation::Stack    GoogleAnalyticsCollectorStack   Embedded stack arn:aws:cloudformation:eu-central-1:XXXXXX:stack/GAN2S3-GoogleAnalyticsCollectorStack-JUATDT3EBD82/e19a4950-ff27-11ea-943e-06072e1f2808 was not successfully created: The following resource(s) failed to create: [GlueConfigurationLambda].
Full Trace - https://pastebin.pl/view/50b3e402
My first question is if there's anywhere to get a more in-depth log of the error?
My second question is if anyone knows how to fix this error.
Can you have a look at the AWS Console CloudFormation application? You should be able to opt to view the Deleted stacks, after which you should be able to select the substack that has failed. In the events list of that deleted stack, you should be able to view a more precise error of what went wrong.
If it's still unclear from that precise error, feel free to edit the question to add the specific error and add a comment to this answer to draw my attention to it.
(Edit)
I've looked through the template file again and noticed the Lambda that's failing is still configured to use Node.js 8, which has been deprecated for some time. You should change it to a newer version, e.g., Node.js 14.
Find the currently supported runtimes here: Lambda runtimes

AWS CodePipeline is failing with InternalFailure

I have migrated existing AWS resources from one CloudFormation (CFT) stack to another CFT stack using the link below.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import-new-stack.html
After migration, my new CFT stack's status was "IMPORT_COMPLETE". Then I created an AWS CodePipeline wherein my source is AWS CodeCommit and I am trying to deploy it to the CloudFormation stack using CodePipeline.
In my CodePipeline I am using my new CFT stack, where I have migrated my existing AWS resources, and in the same template I have updated my code by adding an SQS queue policy and uploaded the code to CodeCommit.
So, when my AWS CodePipeline is triggered it fails with an "InternalFailure" error and it does not give any specific error about why it is failing.
Also, I have checked the CloudTrail logs and there I can see my pipeline failing after the "UploadArchive" event, which belongs to CodeCommit, and it is not moving further. Also, I tried to give administrator permission to my pipeline service role as well as the CloudFormation role, but the error is still the same.
Later, one thing I observed is that when I update my new CloudFormation stack using the AWS CloudFormation console, my stack's status changes to "UPDATE_COMPLETE". After that, if I update the code in CodeCommit, my pipeline completes successfully.
So, I am not sure why my pipeline fails with "InternalFailure" when my stack's status is "IMPORT_COMPLETE". Could you please help me understand if I am missing any specific step due to which my pipeline fails with this error when my CFT stack's status is "IMPORT_COMPLETE"?
It's a bug in CodePipeline. I'd recommend submitting a ticket to them in hopes they make a fix. I only found this out via support myself.