Setting Lifecycle configuration for S3 Buckets in YAML file - amazon-web-services

I'm trying to set a lifecycle configuration for my S3 buckets to expire after 90 days. However, I'm getting an error saying "Property Status cannot be empty" when pushing my CFT stack.
I tried setting a lifecycle config and putting the expiration in days onto that, but it seems to be failing.
AWSTemplateFormatVersion: '2010-09-09'
Description: Creates S3 Bucket
Resources:
  TestBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::StackName}-test"
      AccessControl: Private
      LifecycleConfiguration:
        Rules:
          - Id: DeleteContentAfter90Days
            Prefix: ''
            Status: Enabled
            ExpirationInDays: '90'
I'm getting "Property status cannot be empty" and an update rollback when I check my status in the console.

Status: 'Enabled'
Status should be a string value, as stated in the documentation.
Here is a working example of LifecycleConfiguration:
LifecycleConfiguration:
  Rules:
    - Id: DeleteContentAfter1Day
      Status: 'Enabled'
      ExpirationInDays: 1

ExpirationInDays should be a number, not a string

CloudFormation can't take null values; remove this line: Prefix: ''

Related

Encountered unsupported property Indexdocument

I am deploying and configuring AWS CloudFront using a YAML file.
I receive a message that states "Encountered unsupported property Indexdocument".
This is the code from my YAML file and the console output. I am following the Cloud Resume Challenge instructional guide on how to complete the cloud resume challenge.
Resources:
  MyWebsite:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Public Read
      WebsiteConfiguration:
        Indexdocument: index.html
      BucketName: mcderkaderkas-first-website
  MyDistribution:
    Type: "AWS::CloudFront::Distribution"
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          ViewProtocolPolicy: allow-all
          TargetOriginId: http://mcderkaderkas-first-website.s3-website-us-east-1.amazonaws.com
          DefaultTTL: 0
          MinTTL: 0
          MaxTTL: 0
          ForwardedValues:
            QueryString: false
        Origins:
          - DomainName: http://mcderkaderkas-first-website.s3-website-us-east-1.amazonaws.com
            Id: http://mcderkaderkas-first-website.s3-website-us-east-1.amazonaws.com
            CustomOriginConfig:
              OriginProtocolPolicy: match-viewer
        Enabled: "true"
        DefaultRootObject: index.html
CloudFormation events from stack operations (refresh every 0.5 seconds)
ResourceStatus                                ResourceType                 LogicalResourceId        ResourceStatusReason
UPDATE_FAILED                                 AWS::S3::Bucket              MyWebsite                Encountered unsupported property Indexdocument
UPDATE_ROLLBACK_IN_PROGRESS                   AWS::CloudFormation::Stack   cloud-resume-challenge   The following resource(s) failed to update: [MyWebsite].
UPDATE_COMPLETE                               AWS::S3::Bucket              MyWebsite                -
UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS  AWS::CloudFormation::Stack   cloud-resume-challenge   -
UPDATE_ROLLBACK_COMPLETE                      AWS::CloudFormation::Stack   cloud-resume-challenge   -
Error: Failed to create/update the stack: cloud-resume-challenge, Waiter StackUpdateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "UPDATE_ROLLBACK_COMPLETE" at least once
CloudFormation generally provides pretty decent documentation on what to pass where, including for an S3 bucket's website configuration.
In this case I can see you specify a key Indexdocument while the documentation capitalizes Document, i.e. IndexDocument. YAML, CloudFormation, and nearly everything else involving computers is case-sensitive (notable exceptions include Windows/macOS filesystems with default settings, DNS, and email addresses). So make sure to get that case right in your YAML files!
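Both answers above come down to the same failure mode: the template was well-formed YAML, but CloudFormation rejected a value type (a quoted '90', an empty Prefix) or a property name (Indexdocument) only at deploy time, after which the whole stack rolled back. The script below is an added example, not code from either question or answer: a small pre-deploy lint over an already-parsed template that reports exactly those two classes of mistake. Loading the YAML (including the !Sub and !Ref tags) is assumed to have been done beforehand, e.g. with PyYAML plus a custom constructor; here the template dict is constructed inline, mirroring the two posted templates, so the script runs offline. The set of documented property names is a hand-kept subset for this example; a real linter would load the full CloudFormation resource specification.

```python
from typing import Any

# Documented property names for the resources in the two questions above.
# A hand-kept subset for this example; a real linter would load the
# CloudFormation resource specification instead.
DOCUMENTED_NAMES = {
    "AccessControl", "BucketName", "LifecycleConfiguration", "Rules", "Id",
    "Prefix", "Status", "ExpirationInDays", "WebsiteConfiguration",
    "IndexDocument", "ErrorDocument", "DistributionConfig",
    "DefaultCacheBehavior", "ViewerProtocolPolicy", "TargetOriginId",
    "Origins", "DomainName", "CustomOriginConfig", "OriginProtocolPolicy",
    "Enabled", "DefaultRootObject",
}
_BY_LOWER = {name.lower(): name for name in DOCUMENTED_NAMES}


def check_property_case(node: Any, path: str = "Properties") -> list:
    """Walk a Properties subtree and flag keys that equal a documented
    property name only when compared case-insensitively. YAML and
    CloudFormation are case-sensitive, so 'Indexdocument' is rejected as
    an unsupported property at deploy time."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            expected = _BY_LOWER.get(str(key).lower())
            if expected is not None and expected != key:
                findings.append(f"{here}: unsupported property; did you mean {expected}?")
            findings += check_property_case(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings += check_property_case(item, f"{path}[{i}]")
    return findings


def check_lifecycle_rules(properties: dict) -> list:
    """Type-check each lifecycle rule the way the first answer describes:
    Status is the string Enabled or Disabled, ExpirationInDays is an
    integer (a quoted '90' loads as a string), and Prefix is not left
    empty (remove the line, as that answer advises)."""
    findings = []
    rules = (properties.get("LifecycleConfiguration") or {}).get("Rules") or []
    for i, rule in enumerate(rules):
        here = f"Properties.LifecycleConfiguration.Rules[{i}]"
        status = rule.get("Status")
        if status not in ("Enabled", "Disabled"):
            findings.append(f"{here}.Status: must be the string Enabled or Disabled, got {status!r}")
        days = rule.get("ExpirationInDays")
        if days is not None and (isinstance(days, bool) or not isinstance(days, int)):
            findings.append(f"{here}.ExpirationInDays: must be an integer, got {days!r}")
        if "Prefix" in rule and rule["Prefix"] in ("", None):
            findings.append(f"{here}.Prefix: empty value; remove the line")
    return findings


def lint_template(template: dict) -> list:
    """Run both checks over every resource; returns one string per finding,
    prefixed with the logical resource id so it maps onto the stack events."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        findings += [f"{name}.{f}" for f in check_property_case(props)]
        if resource.get("Type") == "AWS::S3::Bucket":
            findings += [f"{name}.{f}" for f in check_lifecycle_rules(props)]
    return findings


# Constructed sample, already parsed: the two failing templates from the
# questions above, reduced to the properties that matter here.
SAMPLE_TEMPLATE = {
    "Resources": {
        "TestBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "Private",
                "LifecycleConfiguration": {
                    "Rules": [{"Id": "DeleteContentAfter90Days", "Prefix": "",
                               "Status": "Enabled", "ExpirationInDays": "90"}]
                },
            },
        },
        "MyWebsite": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "WebsiteConfiguration": {"Indexdocument": "index.html"},
                "BucketName": "example-website",
            },
        },
    }
}

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run it before `aws cloudformation deploy`; the three findings it prints for the sample are the ones the two stacks above only learned about from a rollback. Names that are unknown rather than mis-cased (for example ViewProtocolPolicy instead of ViewerProtocolPolicy) are not reported, because the name set here is partial.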

CloudFormation cannot create resource of type `AWS::MSK::Configuration`

I'm trying to create an AWS::MSK::Configuration resource, as described here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-msk-configuration.html.
This is my CF template:
Resources:
  MSKConfig:
    Type: AWS::MSK::Configuration
    Properties:
      Description: Basic configuration.
      Name: test-msk-configuration
      ServerProperties: |
        auto.create.topics.enable=false
        ........
It doesn't work, failing with the following error:
An error occurred (ValidationError) when calling the CreateChangeSet operation: Template format error: #Unrecognized resource types: [AWS::MSK::Configuration]
I'm not able to find any example with this resource type online. Has anyone ever used it?
Update on 26/03/2022:
I was able to get this deployed. I use the serverless framework for deployment.
MSK-Cluster.yml:
Resources:
  ServerlessMSK:
    Type: AWS::MSK::Cluster
    Properties:
      ClusterName: ${self:service}-${self:provider.stage}-msk
      KafkaVersion: 2.6.2
      BrokerNodeGroupInfo:
        InstanceType: kafka.t3.small
        ClientSubnets:
          - !Ref ServerlessPrivateSubnet1
          - !Ref ServerlessPrivateSubnet2
          - !Ref ServerlessPrivateSubnet3
        SecurityGroups:
          - !GetAtt ServerlessMSKSecurityGroup.GroupId
        StorageInfo:
          EBSStorageInfo:
            VolumeSize: 10
      NumberOfBrokerNodes: 3
      EncryptionInfo:
        EncryptionInTransit:
          ClientBroker: TLS
          InCluster: true
      EnhancedMonitoring: PER_TOPIC_PER_BROKER
      ConfigurationInfo:
        Arn: !GetAtt ServerlessMSKConfiguration.Arn
        Revision: 1
MSK-config.yml:
Resources:
  ServerlessMSKConfiguration:
    Type: AWS::MSK::Configuration
    Properties:
      Description: cluster for msk cluster-${sls:stage}
      Name: node-mongo-kafka-experiment-${sls:stage}-config
      ServerProperties: ${file('./assets/server.properties')}
server.properties:
auto.create.topics.enable=true
default.replication.factor=2
min.insync.replicas=2
num.io.threads=8
num.network.threads=5
num.partitions=10
num.replica.fetchers=2
replica.lag.time.max.ms=30000
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
socket.send.buffer.bytes=102400
unclean.leader.election.enable=true
zookeeper.session.timeout.ms=18000
Basically, no base64 was used. I just referenced the file in the deployment and managed to get it up. Hope this helps.
Original answer below:
I haven't been able to deploy this correctly either, but maybe I can point you in the right direction. I always get back a 400 error with my serverless deployment for this. The only thing I would like to add here is that ServerProperties must be a Base64-encoded string.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-msk-configuration.html
My Template (that results in error):
Resources:
  ServerlessMSKConfiguration:
    Type: AWS::MSK::Configuration
    Properties:
      ServerProperties: !Base64 |
        auto.create.topics.enable=true
NB: Answering due to the fact I don't have reputation to comment.
I managed to fix the 400 issue. It looks like the AWS::MSK::Configuration resource expects a Name, while the documentation says it is not required.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-msk-configuration.html#cfn-msk-configuration-name
My template:
KafkaConfiguration:
  Type: AWS::MSK::Configuration
  Properties:
    Name: Kafkaconfiguration
    ServerProperties: |
      auto.create.topics.enable=false

Getting Error "Number of distinct destination bucket ARNs cannot exceed 1" while setting up s3 cross account replication via cloudformation

I have a requirement to replicate objects present in bucket A to buckets B and C; bucket B is in the same account but in a different region, and bucket C is in a different AWS account.
I tried to set up the above requirement manually and was able to do it. While trying to do it via CloudFormation I got the error "Number of distinct destination bucket ARNs cannot exceed 1".
I coded the replication rules as shown below; the whole thing was written by referring to the AWS documentation.
ReplicationConfiguration:
  Role: !Ref S3RoleArn
  Rules:
    - Id: Rule1
      Destination:
        Bucket: "arn:aws:s3:::bucketB"
        StorageClass: STANDARD
      Status: Enabled
    - Id: Rule2
      Destination:
        Bucket: "arn:aws:s3:::bucketC"
        AccessControlTranslation:
          Owner: Destination
        Account: !Ref DestAccountId
        StorageClass: STANDARD
      Status: Enabled
First I put in the replication rule for bucketB, which is in the same account but in a different region, and it worked fine. Then I wrote another rule for replicating objects from bucket A to bucketC, which is in a different AWS account.
To overcome this issue, I had to use the Filter, Priority and DeleteMarkerReplication properties.
ReplicationConfiguration:
  Role: !Ref S3RoleArn
  Rules:
    - Id: Rule1
      Destination:
        Bucket: "arn:aws:s3:::bucketB"
        StorageClass: STANDARD
      Status: Enabled
      Priority: 1
      Filter:
        Prefix: ''
      DeleteMarkerReplication:
        Status: Enabled
    - Id: Rule2
      Destination:
        Bucket: "arn:aws:s3:::bucketC"
        AccessControlTranslation:
          Owner: Destination
        Account: !Ref DestAccountId
        StorageClass: STANDARD
      Status: Enabled
      Priority: 2
      Filter:
        Prefix: ''
      DeleteMarkerReplication:
        Status: Enabled
By using the above-mentioned properties, I was able to successfully create the stack with the required replication rules.

AWS SAM - AWS::WAFv2::WebACLAssociation - AWS WAF couldn't perform the operation because your resource doesn't exist

We are trying to create an AWS::WAFv2::IPSet in our SAM template.
WhitelistedIPAddressesIPSet:
  Type: AWS::WAFv2::IPSet
  Properties:
    Description: 'Merchant IPs'
    Scope: REGIONAL
    IPAddressVersion: IPV4
    Addresses: [0.0.0.0/32, 0.0.10.0/32]
The creation of the IP sets is done successfully.
Then, when creating the AWS::WAFv2::WebACLAssociation:
WAFApiAssociation:
  Type: AWS::WAFv2::WebACLAssociation
  DependsOn:
    - ApiGateway
    - WAFWebAcl
  Properties:
    ResourceArn: !Sub 'arn:aws:apigateway:${AWS::Region}::/restapis/${ApiGateway}/stages/${EnvType}'
    WebACLArn: !GetAtt WAFWebAcl.Arn
The CloudFormation fails and does a rollback. The error displayed is as follows:
Resource handler returned message: "AWS WAF couldn't perform the operation because your resource doesn't exist. (Service: Wafv2, Status Code: 400, Request ID: e337720a-e32c-4c29-acde-1896855405c9, Extended Request ID: null)" (RequestToken: f24d0488-3016-4030-3a3b-bbb24666f130, HandlerErrorCode: NotFound)
We tried different formatting of the IP set in the SAM template, to see if that caused the issue, without any success.
Could anyone share some helpful insights into this issue?
A) You don't need DependsOn if your resource already directly depends on those other resources. In this case it does, so you can remove this property.
B) You'll need to share your whole stack here, not just what is shared, because there is likely a problem with your APIGW configuration. Because that failed to be created, it's possible you get this subsequent problem showing up.
Creating the APIGW isn't enough; you need to make sure to actually attach the WAF after the APIGW stage was created, and not just the APIGW. In this case replace the ResourceArn with one that references the APIGW stage. (And further you might need to wait for the stage deployment to finish.)
This is the APIGW template, Warren Parad:
CDEAPI:
  Type: AWS::Serverless::Api
  Properties:
    # Domain:
    #   DomainName: !Ref CDEAPIDomainName
    #   SecurityPolicy: TLS_1_2
    #   CertificateArn: !Sub 'arn:aws:acm:us-east-1:${AWS::AccountId}:certificate/${CDEAPICertificateArn}'
    #   EndpointConfiguration: EDGE
    #   Route53:
    #     HostedZoneId: !Ref CDEAPIHostedZoneId
    AccessLogSetting:
      DestinationArn: !GetAtt CDEAPIAccessLogGroup.Arn
      Format: >-
        { "requestId":"$context.requestId",
        "ip":"$context.identity.sourceIp",
        "caller":"$context.identity.caller",
        "user":"$context.identity.user",
        "userAgent":"$context.identity.userAgent",
        "userArn":"$context.identity.userArn",
        "requestTime":"$context.requestTime",
        "requestTimeEpoch":"$context.requestTimeEpoch",
        "httpMethod":"$context.httpMethod",
        "resourcePath":"$context.resourcePath",
        "path":"$context.path",
        "status":"$context.status",
        "protocol":"$context.protocol",
        "responseLength":"$context.responseLength",
        "responseLatency":"$context.responseLatency",
        "authorizerLatency":"$context.authorizer.integrationLatency",
        "integrationLatency":"$context.integrationLatency",
        "integrationStatus":"$context.integrationStatus",
        "xrayTraceId":"$context.xrayTraceId",
        "errorMessage":"$context.error.message",
        "domainName":"$context.domainName",
        "domainPrefix":"$context.domainPrefix",
        "tokenScopes":"$context.authorizer.claims.scope",
        "tokenIat":"$context.authorizer.claims.iat",
        "tokenExp":"$context.authorizer.claims.exp",
        "cognitoIdentityId":"$context.identity.cognitoIdentityId",
        "awsEndpointRequestId":"$context.awsEndpointRequestId",
        "arn":"$context.identity.userArn",
        "account":"$context.identity.accountId",
        "claims-sub":"$context.authorizer.claims.sub",
        "waf-error":"$context.waf.error",
        "waf-status":"$context.waf.status",
        "waf-latency":"$context.waf.latency",
        "waf-response":"$context.waf.wafResponseCode",
        "authenticate-error":"$context.authenticate.error",
        "authenticate-status":"$context.authenticate.status",
        "authenticate-latency":"$context.authenticate.latency",
        "integration-error":"$context.integration.error",
        "integration-status":"$context.integration.status",
        "integration-latency":"$context.integration.latency",
        "integration-requestId":"$context.integration.requestId",
        "integration-integrationStatus":"$context.integration.integrationStatus",
        "response-latency":"$context.responseLatency" }
    StageName: !Ref EnvType
    Auth:
      DefaultAuthorizer: CognitoAuthorizer
      AddDefaultAuthorizerToCorsPreflight: false
      Authorizers:
        CognitoAuthorizer:
          AuthType: COGNITO_USER_POOLS
          UserPoolArn: !Sub 'arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/${CognitoUserPoolArn}'

Applying WebACL to API Gateway

I have a problem with finding a mistake. I'm trying to connect a WAF ACL to an API Gateway deployment and I'm using this command:
aws wafv2 associate-web-acl --web-acl-arn d3b11jj1-30c6-46ae-8e58-6a90ae69eeaf --resource-arn 'arn:aws:apigateway:us-east-1::/restapis/*api-id*/stages/dev'
An error occurred (WAFInvalidParameterException) when calling the AssociateWebACL operation: Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: d3b11jj1-30c6-46ae-8e58-6a90ae69eeaf
I tried also to use CloudFormation:
AWSTemplateFormatVersion: "2010-09-09"
Description: "DB Management Service"
Resources:
  WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: 'arn:aws:apigateway:us-east-1::/restapis/*api-id*/stages/dev'
      WebACLArn:
        Ref: WebACL
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      DefaultAction:
        Allow: {}
      Rules:
        - Name: WebACLRule
          Action:
            Block: {}
          Priority: 0
          Statement:
            RateBasedStatement:
              AggregateKeyType: IP
              Limit: 2048
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            MetricName: Requests
            SampledRequestsEnabled: false
      Scope: REGIONAL
      VisibilityConfig:
        CloudWatchMetricsEnabled: true
        MetricName: WafACL
        SampledRequestsEnabled: true
But here I also get:
Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN
I don't think the ARN is incorrect. I tried it in various combinations.
WAFv2 has a different scheme for the ARN.
WAF v1 used what looks like a UUID, whereas WAFv2 uses a fully qualified ARN.
aws wafv2 associate-web-acl \
    --web-acl-arn arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-cli/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --resource-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/waf-cli-alb/1ea17125f8b25a2a \
    --region us-west-2
So in your case it may look like
aws wafv2 associate-web-acl --web-acl-arn arn:aws:wafv2:<region>:<account>:regional/webacl/<webacl name>/d3b11jj1-30c6-46ae-8e58-6a90ae69eeaf --resource-arn 'arn:aws:apigateway:us-east-1::/restapis/*api-id*/stages/dev'
Also in CFN, WAFv2 has multiple return attributes, so you cannot do the good ol'
WebACLArn: !Ref <webacl>
But you will have to do something like
WebACLArn: !GetAtt <webacl>.Arn
Ref:
https://docs.aws.amazon.com/cli/latest/reference/wafv2/associate-web-acl.html
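The last two threads above fail on the same pair of ARNs that AssociateWebACL takes: the web ACL ARN (WAF classic identified a web ACL by its bare id; WAFv2 wants arn:aws:wafv2:<region>:<account>:<scope>/webacl/<name>/<id>, which is why a !Ref that returns the id fails where !GetAtt ...Arn works) and the resource ARN, which for a REST API must name a stage rather than the API, as the answer to the SAM question points out. The helpers below are an added example, not code from any of the posts, that check both shapes locally before the CLI call or the stack update goes out. They check form only, not whether the stage already exists; a REGIONAL web ACL is also required to sit in the same region as the resource it protects, and an API Gateway stage needs REGIONAL rather than CLOUDFRONT scope, so both of those are checked too. The account id, API id and stage name are made up; the web ACL id is the one quoted in the question.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# arn:partition:service:region:account:resource. Region and account may be
# empty, as the account is for API Gateway stage ARNs (hence their "::").
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):([a-z0-9-]+):([a-z0-9-]*):(\d{12}|):(.+)$")
# The resource part WAFv2 accepts for a REST API: a stage, not the API itself.
STAGE_RE = re.compile(r"^/restapis/([a-z0-9]+)/stages/([^/]+)$")


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(value: str) -> Arn | None:
    """Split an ARN into its colon-separated fields; None if it is not one."""
    m = ARN_RE.match(value)
    return Arn(*m.groups()) if m else None


def apigw_stage_arn(region: str, api_id: str, stage: str) -> str:
    """Build the resource ARN for a REST API stage, the form the answers
    above use for ResourceArn / --resource-arn."""
    return f"arn:aws:apigateway:{region}::/restapis/{api_id}/stages/{stage}"


def check_association(web_acl_arn: str, resource_arn: str) -> list:
    """Return the reasons AssociateWebACL would reject this pair; an empty
    list means both ARNs have the shape WAFv2 requires."""
    problems = []
    acl = parse_arn(web_acl_arn)
    if acl is None:
        # A bare id is the WAF classic form; the WAFv2 API rejects it.
        problems.append("web ACL: not an ARN (a bare id is the WAF classic form); "
                        "use arn:aws:wafv2:<region>:<account>:regional/webacl/<name>/<id>")
        return problems
    parts = acl.resource.split("/")
    if (acl.service != "wafv2" or len(parts) != 4 or parts[1] != "webacl"
            or parts[0] not in ("regional", "global")):
        problems.append("web ACL: service must be wafv2 and the resource "
                        "<scope>/webacl/<name>/<id>")
        return problems
    scope = parts[0]

    res = parse_arn(resource_arn)
    if res is None:
        problems.append("resource: not an ARN")
        return problems
    if res.service == "apigateway":
        if scope != "regional":
            problems.append("resource: an API Gateway stage needs a REGIONAL web ACL")
        if not STAGE_RE.match(res.resource):
            problems.append("resource: must be a stage, /restapis/<api-id>/stages/<stage>, "
                            "not the REST API itself")
    if scope == "regional" and res.region != acl.region:
        problems.append(f"resource: region {res.region!r} differs from the web ACL's "
                        f"{acl.region!r}; a REGIONAL web ACL only covers its own region")
    return problems


# Constructed sample values: account id, API id and stage are made up; the
# web ACL id is the one quoted in the question above.
WEB_ACL_ARN = ("arn:aws:wafv2:us-east-1:123456789012:regional/webacl/WebACL/"
               "d3b11jj1-30c6-46ae-8e58-6a90ae69eeaf")
STAGE_ARN = apigw_stage_arn("us-east-1", "a1b2c3d4e5", "dev")

if __name__ == "__main__":
    for web_acl, resource in [
        ("d3b11jj1-30c6-46ae-8e58-6a90ae69eeaf", STAGE_ARN),   # the question's call
        (WEB_ACL_ARN, "arn:aws:apigateway:us-east-1::/restapis/a1b2c3d4e5"),
        (WEB_ACL_ARN, STAGE_ARN),
    ]:
        print(web_acl, resource, check_association(web_acl, resource) or "ok", sep="\n  ")
```

Wire `check_association` in front of `aws wafv2 associate-web-acl` (or a boto3 `associate_web_acl` call) and the "ARN isn't valid" and "resource doesn't exist" round trips above turn into a local message that names the field to fix. In a template the equivalent is using `!GetAtt WebACL.Arn` for WebACLArn and building ResourceArn from the stage, as the two answers already show.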