
aws-cloudformation-templates's Introduction

AWS CloudFormation Sample Templates

Use sample AWS CloudFormation templates to learn how to declare specific AWS resources or solve a particular use case. We recommend that you use sample templates as a starting point for creating your own templates, not for launching production-level environments. Before launching a template, always review the resources that it will create and the permissions it requires.

About the Repository

The AWS CloudFormation team and approved contributors provide and maintain sample templates in the aws folder.

We also collect and make available templates developed by the community. These sample templates are located in the community folder and its subfolders. We encourage your contributions to these templates. Note, however, that we don't test, maintain, or support community templates.

Discord

Join us on Discord to discuss rain and all things CloudFormation! Connect and interact with CloudFormation developers and experts, find channels to discuss rain, the CloudFormation registry, StackSets, cfn-lint, Guard and more:

Join our Discord

Submitting Templates

Before you submit a template, we suggest that you follow these guidelines to help maintain consistency between templates.

  • Test your template. Can you successfully create a stack with it? When you create a stack, AWS CloudFormation uses the ValidateTemplate API to check your template. When you delete a stack, is the stack (and all of its resources) successfully deleted? Make sure users aren't left with stray resources or stacks that have deletion errors.
  • In the Description section, add a brief description of your template. The description should indicate what the template does and why it's useful. For example:
    a local MySQL database for storage. This template demonstrates using the AWS
    CloudFormation bootstrap scripts to install the packages and files necessary
    to deploy the Apache web server, PHP, and MySQL when the instance is
    launched."
    
  • Format your template to make it human readable:
    • Err on the side of human readability. If it makes your template easier to read, do it.
    • Use cfn-lint to lint your template and make sure it is valid.
    • Consider using two-space indents to reduce line wrapping.
  • Review IAM resources. If you include IAM resources, follow the standard security advice of granting least privilege (granting only the permissions required to do a task).
  • Remove secrets/credentials from your template. You might hardcode credentials or secrets in your template when you're testing. Don't forget to remove them before submitting your template. You can use this tool to help you scrub secrets: https://github.com/awslabs/git-secrets.
  • Add your template to the correct folder so that others can discover it. If your template demonstrates a particular service, add it to the Services folder. If it uses multiple services to address a particular use case, add it to the Solutions folder.

When your template is ready, submit a pull request. A member of the AWS organization will review your request and might suggest changes. We review templates to check for general security issues, but we won't test or maintain them. If we don't get back to you within a week of your submission, use your pull request to send us a message.
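Three of the guidelines above (a Description section, least-privilege IAM, no hardcoded credentials) can be checked offline before opening a pull request. The checker below is an added example, not code from this repository or the CloudFormation team; it works on the template's JSON form so that only the Python standard library is needed (a YAML template with `!Ref`-style tags would first need a loader that understands those tags), and its rule names and the two sample templates are constructed for illustration.

```python
import re

# Parameter names that usually denote credentials; a Default on one of these,
# or on any NoEcho parameter, is a hardcoded secret that must be scrubbed.
SECRET_NAME_RE = re.compile(r"password|passwd|secret|token|accesskey|api_?key", re.I)
# Shape of an AWS access key ID, to catch literals left over from testing.
ACCESS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
IAM_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy", "AWS::IAM::Role",
             "AWS::IAM::User", "AWS::IAM::Group"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _walk(node, path=""):
    """Yield every (path, value) pair under node, depth first."""
    yield path, node
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _walk(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _walk(child, f"{path}[{i}]")


def check_template(template):
    """Return findings as (rule, location, detail) tuples; [] means clean."""
    findings = []
    if not template.get("Description"):
        findings.append(("description", "Description", "missing Description section"))

    for name, param in template.get("Parameters", {}).items():
        if param.get("Default") is not None and (
                param.get("NoEcho") or SECRET_NAME_RE.search(name)):
            findings.append(("hardcoded-secret", f"Parameters.{name}",
                             "secret-like parameter carries a Default value"))

    for name, res in template.get("Resources", {}).items():
        if res.get("Type") not in IAM_TYPES:
            continue
        for path, stmt in _walk(res.get("Properties", {})):
            # Permission statements only: trust policies carry no Resource key.
            if not (isinstance(stmt, dict) and stmt.get("Effect") == "Allow"
                    and "Resource" in stmt):
                continue
            actions = _as_list(stmt.get("Action", []))
            where = f"Resources.{name}.Properties{path}"
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(("least-privilege", where, f"wildcard action in {actions}"))
            if "*" in _as_list(stmt["Resource"]):
                findings.append(("least-privilege", where, "Resource is '*'"))

    for path, value in _walk(template):
        if isinstance(value, str) and ACCESS_KEY_ID_RE.search(value):
            findings.append(("hardcoded-secret", path.lstrip("."), "access key ID literal"))
    return findings


# Constructed samples: a first draft with the problems the guidelines call out,
# beside the corrected version a contributor would actually submit.
LAMBDA_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Principal": {"Service": "lambda.amazonaws.com"}}]}

DRAFT_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Metadata": {"Note": "test creds AKIAIOSFODNN7EXAMPLE"},
    "Parameters": {
        "DBPassword": {"Type": "String", "NoEcho": True, "Default": "changeme123"}},
    "Resources": {"WorkerRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": LAMBDA_TRUST,
            "Policies": [{"PolicyName": "worker", "PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]}}},
}

FIXED_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Worker role that reads objects from one artifact bucket.",
    "Parameters": {"DBPassword": {"Type": "String", "NoEcho": True}},
    "Resources": {"WorkerRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": LAMBDA_TRUST,
            "Policies": [{"PolicyName": "worker", "PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject"],
                 "Resource": "arn:aws:s3:::example-artifacts/*"}]}}]}}},
}

if __name__ == "__main__":
    for rule, where, detail in check_template(DRAFT_TEMPLATE):
        print(f"{rule:17} {where}: {detail}")
    print("fixed template:", check_template(FIXED_TEMPLATE) or "clean")
```

Findings are review prompts, not verdicts: some statements legitimately need a broad Resource, but each one should be justified in the pull request.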

Additional Resources

In the AWS CloudFormation User Guide, you can view more information about the following topics:


aws-cloudformation-templates's Issues

No EKS service example

I'm looking to get started with EKS and CloudFormation.

It would be great if there were examples here to reference.

vpc_single_instance_into_subnet provisioning failed

Hi,
I am trying to create a VPC using the template but failed to create the VPC. The error message is very generic. I am not able to figure out where the failure comes from.

An error occurred (ValidationError) when calling the ValidateTemplate operation: Template format error: unsupported structure.

The template I am using:

VPC template

Utility Script to run

Environment info
macOS: Mojave
CLI version: aws-cli/1.16.70 Python/3.7.1 Darwin/18.2.0 botocore/1.12.60

I appreciate your advice.

C# port of customresourcehelper

Hi, the custom resource helper that helps with handling custom resources is written in Python and can be found at aws-cloudformation-templates/community/custom_resources/python_custom_resource_helper/

Any idea/release plan for a C# version of this?

Defect: aws/solutions/StackSetsResource/Templates/stackset-function-template.yaml: Function timeout set to 5 mins vs 15 mins

aws/solutions/StackSetsResource/Templates/stackset-function-template.yaml

I recently submitted a PR to this custom resource to take advantage of the recent enhancement to the Lambda service to support a 15 minute timeout vs the previous 5 minute timeout, but I neglected to update the stackset-function-template.yaml file to increase from 300 seconds to 900 seconds.

As a workaround, you can modify the following line of code:

https://github.com/awslabs/aws-cloudformation-templates/blob/master/aws/solutions/StackSetsResource/Templates/stackset-function-template.yaml#L91

to specify:

      Timeout: 900

StackSetsResource: TemplateURL to another account and region

Hi,

StackSetsResource template is really great and helps a lot, so thank you for creating it.

I would like to report a problem that I am having. I have an account "A" in a region - eu-central-1, which holds a template that is to be referenced by the StackSet Custom Resource (i.e. via the Lambda) in account 'B' in region us-west-1. I am getting this error:

Failed to update resource. Unexpected error: An error occurred (ValidationError) when calling the UpdateStackSet operation: Must reference a valid S3 object to which you have access. (See CloudWatch Log Stream:

The TemplateURL is pointing to: https://s3.eu-central-1.amazonaws.com/<bucket>/tempate.yaml

I have customised the Custom Resource Lambda to use TemplateBody and I use:

  TemplateBody:
    Fn::Transform:
      Name: AWS::Include
      Parameters:
        Location: !Sub 's3://${ArtifactBucket}/https-certificate.yaml'

and this works. However, there are some limitations due to using AWS::Include, such as one cannot use Ref in the Outputs section and also the size of the template

Setting an "M out of N" CloudWatch alarm in a CloudFormation template

So an "M out of N" alarm could be like: if 3/5 datapoints are above the threshold for X consecutive periods, the alarm is raised.

I get that M is for Datapoints to Alarm, and N is for EvaluationPeriods.

EvaluationPeriods: "4"
DatapointsToAlarm: "5"
Threshold: "15"

I have 5 data points set, but I only want it so that if at least 3 are above the threshold for 4 periods, an alarm is raised. How would I specify in a CFT YAML file that I want 3/5 datapoints?
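The setting the question is after, as an added example that is not part of the issue: in CloudWatch, EvaluationPeriods is N and DatapointsToAlarm is M, so "3 of 5" is EvaluationPeriods 5 with DatapointsToAlarm 3, and M may not exceed N. The simulator and sample metric values below are constructed to show how M-of-N differs from requiring consecutive breaches; it assumes every period reports a datapoint, so TreatMissingData is not modelled.

```python
from typing import Dict, List, Union

INSUFFICIENT = "INSUFFICIENT_DATA"


def valid_m_of_n(evaluation_periods: int, datapoints_to_alarm: int) -> bool:
    """CloudWatch requires 1 <= DatapointsToAlarm (M) <= EvaluationPeriods (N);
    the issue's EvaluationPeriods 4 / DatapointsToAlarm 5 fails this check."""
    return 1 <= datapoints_to_alarm <= evaluation_periods


def alarm_properties(evaluation_periods: int, datapoints_to_alarm: int,
                     threshold: float) -> Dict[str, Union[int, float, str]]:
    """Properties of an AWS::CloudWatch::Alarm expressing "M out of N": 3 of 5
    is EvaluationPeriods 5 and DatapointsToAlarm 3. Metric name, namespace,
    period and statistic are left to the caller."""
    if not valid_m_of_n(evaluation_periods, datapoints_to_alarm):
        raise ValueError("DatapointsToAlarm must be between 1 and EvaluationPeriods")
    return {
        "ComparisonOperator": "GreaterThanThreshold",
        "Threshold": threshold,
        "EvaluationPeriods": evaluation_periods,
        "DatapointsToAlarm": datapoints_to_alarm,
    }


def evaluate(datapoints: List[float], threshold: float,
             evaluation_periods: int, datapoints_to_alarm: int) -> List[str]:
    """Simplified simulation (constructed here, not the CloudWatch
    implementation) of the alarm state after each datapoint: ALARM when at
    least M of the most recent N datapoints exceed the threshold. Every period
    is assumed to report a datapoint; the state is INSUFFICIENT_DATA until N exist."""
    states = []
    for i in range(len(datapoints)):
        if i + 1 < evaluation_periods:
            states.append(INSUFFICIENT)
            continue
        window = datapoints[i + 1 - evaluation_periods: i + 1]
        breaching = sum(1 for value in window if value > threshold)
        states.append("ALARM" if breaching >= datapoints_to_alarm else "OK")
    return states


# Constructed metric values (threshold 15): breaches alternate with quiet
# periods, so 3 of 5 alarms on the fifth datapoint while a rule demanding
# 3 consecutive breaches (EvaluationPeriods 3, DatapointsToAlarm 3) never does.
SAMPLE_DATAPOINTS = [20, 10, 20, 10, 20, 10, 10]

if __name__ == "__main__":
    print(alarm_properties(5, 3, 15))
    print("3 of 5:", evaluate(SAMPLE_DATAPOINTS, 15, 5, 3))
    print("3 consecutive:", evaluate(SAMPLE_DATAPOINTS, 15, 3, 3))
```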

Condition flag could trigger resource deletion

https://github.com/awslabs/aws-cloudformation-templates/blob/6c300b10af998d2759a6bc40b1fde2040178b695/aws/services/Config/Config.yaml#L40

As far as I've seen during testing, if you re-run this template after initially creating the config recorder and delivery channel (DC), but set the DeliveryChannelExists flag to 'true' (having just created a DC in the first run), CloudFormation will use that condition to determine that the DC should be deleted. It attempts to delete the DC but fails because a ConfigRecorder is running.

This means that the Condition in this case 'leaves out' the resource entirely and CloudFormation thinks it should be deleted.

Is this the case?

stack-set-template not aware of updates to the TestResources templates (events.yaml)!

@cmmeyer Thank you for merging my PR but now I need some help please

I get the overall concept: we're using custom resources to help us create our changeset with CloudFormation, since CloudFormation doesn't have that ability out of the box, which is the intended use of custom resources, to fill in where CloudFormation comes up short.

Now, when I make an update to TestResources/events.yaml to add a TableName property to the DynamoDB table in events.yaml, I need to re-deploy the stack-set-template, right? When I redeploy, it fails to create a changeset because CloudFormation doesn't see the updates I made to TestResources/events.yaml.

One solution would be to delete the stacks, modify my TestResources/events.yaml and start again from scratch by redeploying, but if we're going to be provisioning resources in QA and dev over time, these resources will add up, and if we need to go back and update one of our resources in TestResources/events.yaml, let's say to include a new IAM role for some resource, then the current solution doesn't seem to be able to detect those changes.

So how do I make my StackSet aware of changes/updates made to the TestResources/events.yaml templates without deleting everything and redeploying?

The accompanying video showed how to do updates by adding another account and region, but what about updates to the actual resources that we're provisioning?

It throws this error since it can't detect any changes from the TemplateURL property under the StackSet custom resource:

Failed to create the changeset: Waiter ChangeSetCreateComplete failed: Waiter encountered a terminal failure state Status: FAILED. Reason: The submitted information didn't contain changes. Submit different information to create a change set.
Done

Possible typo in crhelper.py:log_config

I am pretty sure that line 34 in crhelper.py has a minor typo in it. The line reads:

loglevel = event['ResourceProperties']['botolevel']
when I think it should instead read:
botolevel = event['ResourceProperties']['botolevel']

This means that even if botolevel is defined as an input to the custom resource, the boto level of debug (botocore and boto3) will not be affected. Only a direct invocation of log_level with the parameter of botolevel='SETTING' will set it to the desired level. However, issue #157 seems to stop the actual boto debug from making it into the logs.

Incorrect link in ECS README

Hi,

The Publicly Exposed Service with Private Networking section of the ECS sample includes this:

### Run in AWS Fargate

1. Launch the [public + private](FargateLaunchType/clusters/private-vpc.yml) cluster template
2. Launch the [public facing service template](FargateLaunchType/services/public-service.yml).

I think the second link should point to the private-subnet-public-service.yml template instead. I followed the instructions literally and it took me a while to notice that my containers were running in the public subnet rather than the private one.

Thanks :-)

Can't connect to RDS

Connection to the bastion via SSH works.
Connection to RDS does not work because the connection is redirected to the bastion...

quote: "Using a security group ID as a source only works when the traffic is addressed to the private IP. By trying to hit the public IP the traffic is being routed outside the VPC and back in to the VPC, at which point the source security group information has been lost. "

Running the command inside the bastion at the public bastion IP:
mysql -h rds-cluster-endpoint -P 3306 -u startupadmin -p
Enter password:

generates the error:
ERROR 1045 (28000): Access denied for user 'startupadmin'@'bastion private ip' (using password: YES)

AWS CloudFormation EC2 template creation fails

Hi All,

I was trying to create an EC2 instance with the existing values in my AWS account. When I validate the template in CloudFormation it says valid; after trying to create a stack, it failed with the below error.

CREATE_FAILED AWS::EC2::Instance Ec2Instance The requested configuration is currently not supported. Please check the documentation for supported configurations.

Can anyone help me out with the error, where exactly I am missing the configuration in the below template, and what changes I need to make?

Thank you.

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  KeyName:
    Description: 'key pair of the ec2-user to establish a SSH connection to the EC2 instance'
    Type: String
  InstanceType:
    Description: 'The instance type for the EC2 instance.'
    Type: String
    Default: 't2.micro'
  Name:
    Description: 'Then name of the EC2 instance'
    Type: String
    Default: 'KS-Test'
  SubnetName:
    Description: ' The subnet id'
    Type: String
    Default: 'subnet-0axxxxxxxxxxx'
  SecurityGroup:
    Description: 'The security group'
    Type: List<AWS::EC2::SecurityGroup::Id>
Mappings:
  RegionMap:
    ap-south-1:
      AMI: ami-b46f48db
Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroupIds: !Ref SecurityGroup
      KeyName: !Ref KeyName
      ImageId: !FindInMap
        - RegionMap
        - !Ref 'AWS::Region'
        - AMI
      SubnetId: !Ref SubnetName

Specific CFS Template Search

Hi! I wonder if there is a template that connects to Kinesis Video Streams and takes in videos to do analysis? I have been searching for this but cannot find any...

Thank you for your time and effort!

All the best,
Han

Open-sourcing CodeStar templates

I wrote a question about CodeStar packages and how to deploy them onto different accounts. It would be helpful if we (as a customer) had a way to spin up a basic stack so that we can deploy CodeStar-developed packages.

For example, imagine John builds code in CodeStar and hands me the GitHub handle for his package. Now I want to deploy his code in my AWS account. I need some way to spin up the CodePipeline in my account along with the CodeCommit repo and so on, so I can push John's code into my CodeCommit repo and have the build process automatically kick off and create my stack.

These stacks are easy enough to get. In fact, I pulled one out for the CodeStar project I was demoing here,

AWSTemplateFormatVersion: 2010-09-09
Description: A Python web service deployed to AWS Lambda.
Parameters:
  ProjectId:
    Type: String
    Description: Project ID.
    AllowedPattern: '^[a-z]([a-z0-9-])+$'
    ConstraintDescription: >-
      Project IDs must be between 2 and 15 characters, begin with a letter, and
      only contain lowercase letters, numbers, and hyphens (-).
    MinLength: 2
    MaxLength: 15
  RepositoryName:
    Type: String
    Description: AWS CodeCommit repository name.
    MinLength: 1
    MaxLength: 100
  AppName:
    Type: String
    Description: Name of the application.
    MinLength: 1
    MaxLength: 100
Metadata:
  CodeBuildImage: 'aws/codebuild/eb-nodejs-6.10.0-amazonlinux-64:4.0.0'
  CodeBuildImageOverride: 'aws/codebuild/eb-nodejs-6.10.0-amazonlinux-64:4.0.0'
  IsWebsite: false
  ProjectTemplateId: webservice-pythonservice-lambda
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Parameters:
          - ProjectId
        Label:
          default: Application
  WebsiteS3Bucket: !Ref WebsiteS3Bucket
Outputs:
  LambdaTrustRole:
    Description: AWS CodeStar role for AWS Lambda used for passRole to Lambda functions.
    Value: !GetAtt 
      - LambdaTrustRole
      - Arn
    Export:
      Name: !Join 
        - '-'
        - - !Ref ProjectId
          - !Ref 'AWS::Region'
          - LambdaTrustRole
Resources:
  CodeBuildPolicy:
    Condition: CreateCodeBuildResources
    Type: 'AWS::IAM::Policy'
    Description: Setting IAM policy for service role for Amazon EC2 instances
    Properties:
      PolicyName: CodeStarWorkerCodeBuildPolicy
      PolicyDocument:
        Statement:
          - Action:
              - 'logs:CreateLogGroup'
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            Resource: '*'
            Effect: Allow
          - Action:
              - 's3:PutObject'
              - 's3:GetObject'
              - 's3:GetObjectVersion'
            Resource:
              - !Join 
                - ''
                - - 'arn:aws:s3:::'
                  - !Ref S3Bucket
              - !Join 
                - ''
                - - 'arn:aws:s3:::'
                  - !Ref S3Bucket
                  - /*
            Effect: Allow
          - !If 
            - CreateWebSiteS3Bucket
            - Action:
                - 's3:PutObject*'
                - 's3:GetObject'
                - 's3:GetObjectVersion'
              Resource:
                - !Join 
                  - ''
                  - - 'arn:aws:s3:::'
                    - !Ref WebsiteS3Bucket
                - !Join 
                  - ''
                  - - 'arn:aws:s3:::'
                    - !Ref WebsiteS3Bucket
                    - /*
              Effect: Allow
            - !Ref 'AWS::NoValue'
          - Action:
              - 'codecommit:GitPull'
            Resource:
              - !Join 
                - ':'
                - - arn
                  - aws
                  - codecommit
                  - !Ref 'AWS::Region'
                  - !Ref 'AWS::AccountId'
                  - !Ref RepositoryName
            Effect: Allow
          - Action:
              - 'kms:GenerateDataKey*'
              - 'kms:Encrypt'
              - 'kms:Decrypt'
            Resource:
              - !Join 
                - ':'
                - - 'arn:aws:kms'
                  - !Ref 'AWS::Region'
                  - !Ref 'AWS::AccountId'
                  - !Join 
                    - /
                    - - alias
                      - aws/s3
            Effect: Allow
      Roles:
        - !Ref CodeBuildRole
  CodeBuildRole:
    Condition: CreateCodeBuildResources
    Type: 'AWS::IAM::Role'
    Description: Creating service role in IAM for Amazon EC2 instances
    Properties:
      Path: /
      RoleName: !Join 
        - '-'
        - - CodeStarWorker
          - !Ref ProjectId
          - CodeBuild
      AssumeRolePolicyDocument:
        Statement:
          - Action: 'sts:AssumeRole'
            Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
  EnvironmentEC25d7bb5833f7211e8b0e8c56afceba475:
    Type: 'AWS::Cloud9::EnvironmentEC2'
    Properties:
      Repositories:
        - PathComponent: /uyfu
          RepositoryUrl: 'https://git-codecommit.us-west-2.amazonaws.com/v1/repos/uyfu'
      OwnerArn: 'arn:aws:iam::169564663130:user/macaidan'
      Description: Created from CodeStar.
      AutomaticStopTimeMinutes: '30'
      SubnetId: subnet-7c76ce05
      InstanceType: t2.micro
      Name: uyfu
  S3ArtifactBucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Description: Setting Amazon S3 bucket policy for AWS CodePipeline access
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Condition:
              Bool:
                'aws:SecureTransport': false
            Action:
              - 's3:GetObject'
              - 's3:GetObjectVersion'
              - 's3:GetBucketVersioning'
            Resource:
              - !Join 
                - ''
                - - 'arn:aws:s3:::'
                  - !Ref S3Bucket
              - !Join 
                - ''
                - - 'arn:aws:s3:::'
                  - !Ref S3Bucket
                  - /*
            Effect: Allow
            Principal:
              AWS:
                - !GetAtt 
                  - CodePipelineTrustRole
                  - Arn
                - !GetAtt 
                  - CodeBuildRole
                  - Arn
                - !GetAtt 
                  - CloudFormationTrustRole
                  - Arn
            Sid: WhitelistedGet
          - Action:
              - 's3:PutObject'
            Resource:
              - !Join 
                - ''
                - - 'arn:aws:s3:::'
                  - !Ref S3Bucket
              - !Join 
                - ''
                - - 'arn:aws:s3:::'
                  - !Ref S3Bucket
                  - /*
            Effect: Allow
            Principal:
              AWS:
                - !GetAtt 
                  - CodePipelineTrustRole
                  - Arn
                - !GetAtt 
                  - CodeBuildRole
                  - Arn
            Sid: WhitelistedPut
        Id: SSEAndSSLPolicy
  CodePipelineTrustRole:
    Type: 'AWS::IAM::Role'
    Description: Creating service role in IAM for AWS CodePipeline
    Properties:
      Path: /
      RoleName: !Join 
        - '-'
        - - CodeStarWorker
          - !Ref ProjectId
          - CodePipeline
      Policies:
        - PolicyName: CodeStarWorkerCodePipelineRolePolicy
          PolicyDocument:
            Statement:
              - Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:GetBucketVersioning'
                  - 's3:PutObject'
                Resource:
                  - !Join 
                    - ''
                    - - 'arn:aws:s3:::'
                      - !Ref S3Bucket
                  - !Join 
                    - ''
                    - - 'arn:aws:s3:::'
                      - !Ref S3Bucket
                      - /*
                Effect: Allow
              - Action:
                  - 'codecommit:CancelUploadArchive'
                  - 'codecommit:GetBranch'
                  - 'codecommit:GetCommit'
                  - 'codecommit:GetUploadArchiveStatus'
                  - 'codecommit:UploadArchive'
                Resource:
                  - !Join 
                    - ':'
                    - - arn
                      - aws
                      - codecommit
                      - !Ref 'AWS::Region'
                      - !Ref 'AWS::AccountId'
                      - !Ref RepositoryName
                Effect: Allow
              - Action:
                  - 'codebuild:StartBuild'
                  - 'codebuild:BatchGetBuilds'
                  - 'codebuild:StopBuild'
                Resource:
                  - !GetAtt 
                    - CodeBuildProject
                    - Arn
                Effect: Allow
              - Action:
                  - 'cloudformation:DescribeStacks'
                  - 'cloudformation:DescribeChangeSet'
                  - 'cloudformation:CreateChangeSet'
                  - 'cloudformation:DeleteChangeSet'
                  - 'cloudformation:ExecuteChangeSet'
                Resource:
                  - !Join 
                    - ':'
                    - - arn
                      - aws
                      - cloudformation
                      - !Ref 'AWS::Region'
                      - !Ref 'AWS::AccountId'
                      - !Join 
                        - /
                        - - stack
                          - !Join 
                            - '-'
                            - - awscodestar
                              - !Ref ProjectId
                              - lambda
                          - '*'
                Effect: Allow
              - Action:
                  - 'iam:PassRole'
                Resource:
                  - !GetAtt 
                    - CloudFormationTrustRole
                    - Arn
                Effect: Allow
      AssumeRolePolicyDocument:
        Statement:
          - Action: 'sts:AssumeRole'
            Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Sid: 1
  SyncInitialResources:
    DependsOn:
      - SeedRepo
    Type: 'AWS::CodeStar::SyncResources'
    Description: Adding the AWS CodeCommit repository to your AWS CodeStar project.
    Version: 1
    Properties:
      ProjectId: !Ref ProjectId
  CodeBuildProject:
    Condition: CreateCodeBuildResources
    DependsOn:
      - CodeBuildPolicy
    Type: 'AWS::CodeBuild::Project'
    Properties:
      Artifacts:
        Type: codepipeline
        Packaging: zip
      Description: !Join 
        - ''
        - - 'AWS CodeStar created CodeBuild Project for '
          - !Ref AppName
      ServiceRole: !Ref CodeBuildRole
      Environment:
        Type: container
        EnvironmentVariables:
          - Value: !Ref S3Bucket
            Name: S3_BUCKET
          - Value: !If 
              - CreateWebSiteS3Bucket
              - !Join 
                - ''
                - - 'https://s3-us-west-2.amazonaws.com/'
                  - !Ref WebsiteS3Bucket
              - NoVal
            Name: WEBSITE_S3_PREFIX
          - Value: !If 
              - CreateWebSiteS3Bucket
              - !Ref WebsiteS3Bucket
              - NoVal
            Name: WEBSITE_S3_BUCKET
        Image: 'aws/codebuild/eb-nodejs-6.10.0-amazonlinux-64:4.0.0'
        ComputeType: small
      Source:
        Type: codepipeline
      Name: !Ref ProjectId
  CodeCommitRepo:
    Type: 'AWS::CodeCommit::Repository'
    Description: Creating AWS CodeCommit repository for application source code
    Properties:
      RepositoryName: !Ref RepositoryName
      RepositoryDescription: !Join 
        - ''
        - - !Ref ProjectId
          - ' project repository'
  SourceEvent:
    Type: 'AWS::Events::Rule'
    Properties:
      EventPattern:
        detail-type:
          - CodeCommit Repository State Change
        resources:
          - !GetAtt 
            - CodeCommitRepo
            - Arn
        detail:
          referenceType:
            - branch
          event:
            - referenceCreated
            - referenceUpdated
          referenceName:
            - master
        source:
          - aws.codecommit
      Description: >-
        Rule for Amazon CloudWatch Events to detect changes to the source
        repository and trigger pipeline execution
      State: ENABLED
      Targets:
        - Id: ProjectPipelineTarget
          Arn: !Join 
            - ':'
            - - arn
              - aws
              - codepipeline
              - !Ref 'AWS::Region'
              - !Ref 'AWS::AccountId'
              - !Join 
                - '-'
                - - !Ref ProjectId
                  - Pipeline
          RoleArn: !GetAtt 
            - SourceEventRole
            - Arn
      Name: !Join 
        - '-'
        - - awscodestar
          - !Ref ProjectId
          - SourceEvent
  CloudFormationTrustRole:
    Type: 'AWS::IAM::Role'
    Description: Creating service role in IAM for AWS CloudFormation
    Properties:
      Path: /
      RoleName: !Join 
        - '-'
        - - CodeStarWorker
          - !Ref ProjectId
          - CloudFormation
      Policies:
        - PolicyName: CodeStarWorkerCloudFormationRolePolicy
          PolicyDocument:
            Statement:
              - Action:
                  - 's3:PutObject'
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                Resource:
                  - !Join 
                    - ''
                    - - 'arn:aws:s3:::'
                      - !Ref S3Bucket
                  - !Join 
                    - ''
                    - - 'arn:aws:s3:::'
                      - !Ref S3Bucket
                      - /*
                Effect: Allow
              - Action:
                  - 'codestar:SyncResources'
                  - 'lambda:CreateFunction'
                  - 'lambda:DeleteFunction'
                  - 'lambda:AddPermission'
                  - 'lambda:UpdateFunction'
                  - 'lambda:UpdateFunctionCode'
                  - 'lambda:GetFunction'
                  - 'lambda:GetFunctionConfiguration'
                  - 'lambda:UpdateFunctionConfiguration'
                  - 'lambda:RemovePermission'
                  - 'lambda:listTags'
                  - 'lambda:TagResource'
                  - 'lambda:UntagResource'
                  - 'apigateway:*'
                  - 'dynamodb:CreateTable'
                  - 'dynamodb:DeleteTable'
                  - 'dynamodb:DescribeTable'
                  - 'kinesis:CreateStream'
                  - 'kinesis:DeleteStream'
                  - 'kinesis:DescribeStream'
                  - 'sns:CreateTopic'
                  - 'sns:DeleteTopic'
                  - 'sns:ListTopics'
                  - 'sns:GetTopicAttributes'
                  - 'sns:SetTopicAttributes'
                  - 's3:CreateBucket'
                  - 's3:DeleteBucket'
                  - 'config:DescribeConfigRules'
                  - 'config:PutConfigRule'
                  - 'config:DeleteConfigRule'
                Resource: '*'
                Effect: Allow
              - Action:
                  - 'iam:PassRole'
                Resource:
                  - !GetAtt 
                    - LambdaTrustRole
                    - Arn
                Effect: Allow
              - Action:
                  - 'cloudformation:CreateChangeSet'
                Resource:
                  - >-
                    arn:aws:cloudformation:us-west-2:aws:transform/Serverless-2016-10-31
                  - 'arn:aws:cloudformation:us-west-2:aws:transform/CodeStar'
                Effect: Allow
      AssumeRolePolicyDocument:
        Statement:
          - Action: 'sts:AssumeRole'
            Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
  SourceEventRole:
    Type: 'AWS::IAM::Role'
    Description: >-
      IAM role to allow Amazon CloudWatch Events to trigger AWS CodePipeline
      execution
    Properties:
      RoleName: !Join 
        - '-'
        - - CodeStarWorker
          - !Ref ProjectId
          - CloudWatchEventRule
      Policies:
        - PolicyName: CodeStarWorkerCloudWatchEventPolicy
          PolicyDocument:
            Statement:
              - Action:
                  - 'codepipeline:StartPipelineExecution'
                Resource:
                  - !Join 
                    - ':'
                    - - arn
                      - aws
                      - codepipeline
                      - !Ref 'AWS::Region'
                      - !Ref 'AWS::AccountId'
                      - !Join 
                        - '-'
                        - - !Ref ProjectId
                          - Pipeline
                Effect: Allow
      AssumeRolePolicyDocument:
        Statement:
          - Action: 'sts:AssumeRole'
            Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
            Sid: 1
  S3Bucket:
    DeletionPolicy: Retain
    Type: 'AWS::S3::Bucket'
    Description: Creating Amazon S3 bucket for AWS CodePipeline artifacts
    Properties:
      BucketName: !Join 
        - '-'
        - - aws
          - codestar
          - !Ref 'AWS::Region'
          - !Ref 'AWS::AccountId'
          - !Ref ProjectId
          - pipe
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Value: !Join 
            - '-'
            - - !Ref ProjectId
              - S3Bucket
          Key: Name
  SyncResources:
    DependsOn:
      - SeedRepo
      - CodeBuildProject
      - ProjectPipeline
      - SyncInitialResources
    Type: 'AWS::CodeStar::SyncResources'
    Description: Adding all created resources to your AWS CodeStar project
    Version: 1
    Properties:
      ProjectId: !Ref ProjectId
  ProjectPipeline:
    DependsOn:
      - SeedRepo
      - LambdaTrustRole
      - CodePipelineTrustRole
      - S3Bucket
      - CodeBuildProject
      - CloudFormationTrustRole
    Type: 'AWS::CodePipeline::Pipeline'
    Description: Creating a deployment pipeline for your project in AWS CodePipeline
    Properties:
      ArtifactStore:
        Type: S3
        Location: !Ref S3Bucket
      Stages:
        - Actions:
            - ActionTypeId:
                Owner: AWS
                Category: Source
                Version: 1
                Provider: CodeCommit
              Configuration:
                PollForSourceChanges: false
                RepositoryName: !Ref RepositoryName
                BranchName: master
              InputArtifacts: []
              OutputArtifacts:
                - Name: !Join 
                    - '-'
                    - - !Ref ProjectId
                      - SourceArtifact
              RunOrder: 1
              Name: ApplicationSource
          Name: Source
        - Actions:
            - ActionTypeId:
                Owner: AWS
                Category: Build
                Version: 1
                Provider: CodeBuild
              Configuration:
                ProjectName: !Ref ProjectId
              InputArtifacts:
                - Name: !Join 
                    - '-'
                    - - !Ref ProjectId
                      - SourceArtifact
              OutputArtifacts:
                - Name: !Join 
                    - '-'
                    - - !Ref ProjectId
                      - BuildArtifact
              RunOrder: 1
              Name: PackageExport
          Name: Build
        - Actions:
            - ActionTypeId:
                Owner: AWS
                Category: Deploy
                Version: 1
                Provider: CloudFormation
              Configuration:
                TemplatePath: !Join 
                  - ''
                  - - !Ref ProjectId
                    - '-BuildArtifact'
                    - '::template-export.yml'
                ActionMode: CHANGE_SET_REPLACE
                Capabilities: CAPABILITY_IAM
                ParameterOverrides: !Join 
                  - ''
                  - - '{"ProjectId":"'
                    - !Ref ProjectId
                    - '"}'
                ChangeSetName: pipeline-changeset
                RoleArn: !GetAtt 
                  - CloudFormationTrustRole
                  - Arn
                StackName: !Join 
                  - '-'
                  - - awscodestar
                    - !Ref ProjectId
                    - lambda
              InputArtifacts:
                - Name: !Join 
                    - '-'
                    - - !Ref ProjectId
                      - BuildArtifact
              OutputArtifacts: []
              RunOrder: 1
              Name: GenerateChangeSet
            - ActionTypeId:
                Owner: AWS
                Category: Deploy
                Version: 1
                Provider: CloudFormation
              Configuration:
                ActionMode: CHANGE_SET_EXECUTE
                ChangeSetName: pipeline-changeset
                StackName: !Join 
                  - '-'
                  - - awscodestar
                    - !Ref ProjectId
                    - lambda
              InputArtifacts: []
              OutputArtifacts: []
              RunOrder: 2
              Name: ExecuteChangeSet
          Name: Deploy
      RoleArn: !GetAtt 
        - CodePipelineTrustRole
        - Arn
      Name: !Join 
        - '-'
        - - !Ref ProjectId
          - Pipeline
  LambdaTrustRole:
    Type: 'AWS::IAM::Role'
    Description: Creating service role in IAM for AWS Lambda
    Properties:
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
        - 'arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole'
      RoleName: !Join 
        - '-'
        - - CodeStarWorker
          - !Ref ProjectId
          - Lambda
      Policies:
        - PolicyName: CodeStarLambdaWorkerPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: '*'
                Effect: Allow
      AssumeRolePolicyDocument:
        Statement:
          - Action: 'sts:AssumeRole'
            Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
  SeedRepo:
    DeletionPolicy: Retain
    DependsOn:
      - CodeCommitRepo
    Type: 'AWS::CodeStar::SeedRepository'
    Description: >-
      Adding application source code to the AWS CodeCommit repository for the
      project
    Properties:
      DefaultBranchName: master
      RepositoryURL: !GetAtt 
        - CodeCommitRepo
        - CloneUrlHttp
      ProjectTemplateId: >-
        arn:aws:codestar:us-west-2::project-template/codecommit/webservice-pythonservice-lambda
      RepositoryProvider: CodeCommit
  CodeStarProject:
    Type: 'AWS::CodeStar::Project'
    Description: Starting project creation
    Version: 1
    Properties:
      ProjectName: !Ref AppName
      ProjectId: !Ref ProjectId
      ProjectDescription: AWS CodeStar created project
      ProjectTemplateId: >-
        arn:aws:codestar:us-west-2::project-template/codecommit/webservice-pythonservice-lambda
      StackId: !Ref 'AWS::StackId'
  WebsiteS3Bucket:
    Condition: CreateWebSiteS3Bucket
    DeletionPolicy: Retain
    Type: 'AWS::S3::Bucket'
    Description: Creating Amazon S3 bucket for Website static artifacts
    Properties:
      BucketName: !Join 
        - '-'
        - - aws
          - codestar
          - !Ref 'AWS::Region'
          - !Ref 'AWS::AccountId'
          - !Ref ProjectId
          - app
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Value: !Join 
            - '-'
            - - !Ref ProjectId
              - WebsiteS3Bucket
          Key: Name
Transform:
  - 'AWS::CodeStar'
Conditions:
  CreateWebSiteS3Bucket: !Equals 
    - false
    - true
  CreateCodeBuildResources: !Equals 
    - true
    - true

It would be nice if these templates were provided with a quick script that could launch these pipelines into your AWS account. Is this available somewhere?

S3 website endpoints inconsistent with docs

Hello,

A colleague reported problems using the S3 website suffix for us-east-2 that had been copied from a template in this repo. I looked into it and see that some of the endpoints in S3_Website_With_CloudFront_Distribution.yaml do not match those listed in the AWS documentation.

For example, the suffix for us-east-2:

.s3-website-us-east-2.amazonaws.com   // this repo
 s3-website.us-east-2.amazonaws.com   // general docs

These are subtle differences (- vs .) which vary between regions, not appearing to follow any consistent rule.

Can someone confirm which source should be taken as correct, and if this repo should be updated?

Possible dependency issue in ECS VPC template

Hi,

I've been using the aws/services/ECS/FargateLaunchType/clusters/private-vpc.yml template to create a VPC. On one instantiation I received this error message for the PublicLoadBalancer resource:

VPC vpc-01bc156233b79a0b6 has no internet gateway (Service: AmazonElasticLoadBalancingV2; Status Code: 400; Error Code: InvalidSubnet; Request ID: ef47ee8e-af60-11e8-a6e2-2da24784aabf)

According to https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-dependson.html#gatewayattachment, load balancers need a DependsOn entry for the internet gateway. Does that need to be added here?

Thanks :-)

Simon

Support for SNS Custom Resource Handling

I'd like to use this handler with an SNS-triggered custom resource, to handle a multi-account scenario rather than to lambda in the local account.

In theory the message content delivered to lambda could be handled in the same way but would have been through custom resource in CF > SNS Remote > Lambda? i.e. rather than dealing with the event directly, something like json.loads(event['Records'][0]['Sns']['Message'])? It would be great to be able to use this handler in that scenario.

Logging error when libraries use root logger in crhelper.py

I'm getting an error when libraries are attempting to log

response = self.requests.get(url, auth=self._get_auth())
File "/var/task/requests/api.py", line 75, in get
return request('get', url, params=params, **kwargs)
File "/var/task/requests/api.py", line 60, in request
return session.request(method=method, url=url, **kwargs)
File "/var/task/requests/sessions.py", line 524, in request
resp = self.send(prep, **send_kwargs)
File "/var/task/requests/sessions.py", line 637, in send
r = adapter.send(request, **kwargs)
File "/var/task/requests/adapters.py", line 449, in send
timeout=timeout
File "/var/task/urllib3/connectionpool.py", line 588, in urlopen
conn = self._get_conn(timeout=pool_timeout)
File "/var/task/urllib3/connectionpool.py", line 248, in _get_conn
return conn or self._new_conn()
File "/var/task/urllib3/connectionpool.py", line 205, in _new_conn
self.num_connections, self.host, self.port or "80")
File "/var/lang/lib/python3.6/logging/__init__.py", line 1294, in debug
self._log(DEBUG, msg, args, **kwargs)
File "/var/lang/lib/python3.6/logging/__init__.py", line 1442, in _log
self.handle(record)
File "/var/lang/lib/python3.6/logging/__init__.py", line 1452, in handle
self.callHandlers(record)
File "/var/lang/lib/python3.6/logging/__init__.py", line 1514, in callHandlers
hdlr.handle(record)
File "/var/lang/lib/python3.6/logging/__init__.py", line 863, in handle
self.emit(record)
File "/var/runtime/awslambda/bootstrap.py", line 446, in emit
msg = self.format(record)
File "/var/lang/lib/python3.6/logging/__init__.py", line 838, in format
return fmt.format(record)
File "/var/lang/lib/python3.6/logging/__init__.py", line 578, in format
s = self.formatMessage(record)
File "/var/lang/lib/python3.6/logging/__init__.py", line 547, in formatMessage
return self._style.format(record)
File "/var/lang/lib/python3.6/logging/__init__.py", line 391, in format
return self._fmt % record.__dict__
KeyError: 'requestid'

I believe this is caused because the logger is attempting to obtain the requestid field, but this is only provided as an adaptor

https://github.com/awslabs/aws-cloudformation-templates/blob/master/community/custom_resources/python_custom_resource_helper/crhelper.py#L49

When the library does logging.getLogger(__name__), it retrieves the root logger, not the 'adapted' logger. Is this correct? Is it supposed to work this way?

Many issues listed here are caused by a lack of proper software packaging

I found this project via Google search, again feeling very frustrated that I, and those who appear to be on similar quests, are again wasting HOURS if not DAYS of our time because AWS software teams do not properly package their software into RPMs, DEBs and MSIs.

There should be no need for these workarounds, period.

Imagine if every time you wanted to use tomcat, you had to write your own init.d script or systemd script, or were given only an init.d script on RHEL 7 which didn't work because it uses systemd. Then, compound that with NO examples, NO documentation on how to get things to work.

I have literally lost over TWO WHOLE MONTHS of my time in the last 3 years having to deal with problems related to a lack of proper software packaging which has been standard in the industry for RHEL/CentOS and Ubuntu distributions for well over 10, maybe 20 years. This lack of proper packaging is something I'd find a bit "non-professional" for a startup with 10 people. To see this coming out of AWS, the largest/best (other than in this area) cloud provider, with thousands of engineers, is just flat out shocking.

Today, my problem is attempting to get cfn-hup to work properly in Ubuntu. Yeah, I know - pretty obscure. THE way AWS advertises as the way to install software inside CloudFormation. THE way AWS creates all their QuickStarts to show how complex applications can be automated. An OS that no one uses any more. I guess everyone has switched to Terraform. ... W. T. F.?

The cfn-init services section doesn't support systemd. It still uses initv. Install the new amazon-cloudwatch-agent and try to set up a services section which restarts when a stack update changes the config file - good luck. The idiots who "packaged" the deb file never bothered to test that this worked in CloudFormation. It doesn't, throws errors. That's because Ubuntu has not used init scripts in what - 5 to 7 years - I've lost count.

Is it really too much to ask that AWS software delivers the few key packages we use to integrate with and automate AWS in the form of packages that EVERY. SINGLE. OTHER. MAJOR. SOFTWARE. VENDOR. uses to deliver their stuff?

I have opened over a dozen tickets, asking for this. Wasted weeks of time figuring out workarounds. You can see many, many google posts for people who have similarly lost time because this has not been done properly. What is it going to take for AWS management to stop, take a FUCKING WEEK OR TWO - seriously that's all the effort required to package this stuff right, I've done it myself many times, and stop this madness!

Forgive me for venting. I'm just fed up that this festering problem just does not get fixed.

Please do talk to whoever works for you that packaged SSM Agent. Promote that guy and ask him to help the other teams do this right. This is not rocket science. Thousands of open source projects do this every day. You would save me, as well as what I can tell are hundreds of other people, based on my research looking for solutions and seeing the pain out there, hundreds of hours of wasted time.

it is the correct way to do this. It is the right way to treat your customers. It is not hard to do this. Thousands of other open source projects do this. You can do this. Please do this!

What I want:

  • Create an RPM, DEB, MSI, for
  • awscli, amazon-ssm-agent (mostly there), amazon-cloudwatch-agent (PATHETIC!!!!!!!!!), cfn-init (PATHETIC!!!!!).
  • keep these CURRENT, Jesus! Publish a new rpm/deb/msi when you publish the tar.gz, like everyone else does.
  • Put the binaries, conf, data files in the correct, SAME locations on each Linux OS, following the LFHS convention. It is the standard!

Every other open source project does this. Why can't you? You're a $1T company.

That is all.

CloudFormation ShortHand Macro - future resource type ambiguity

@stilvoid

https://github.com/awslabs/aws-cloudformation-templates/blob/dafa8f270d5047e97722dd0b0d49995a8ea90396/aws/services/CloudFormation/MacrosExamples/ShortHand/README.md

I'm not sure it's a good idea to encourage customers to omit the AWS Service prefix.

When a new resource type is launched that introduces new ambiguity, all of those CloudFormation templates creating the previously unambiguous resource type this way could be broken overnight.

AWS CloudFormation new Stack status

We use AWS Cloudformation stack to provision resources. I have noticed that when we create a new stack using our cloudformation template the final status of our stack is Update_Complete instead of Create_Complete. This is causing our monitoring scripts to fail because the final status of stack is Update_Complete and not Create_Complete. Can anyone help to find out why the final status of a newly created stack be Update_Complete?

Our Cloudformation template provisions an EC2 instance and then executes some UserData commands. We make use of WaitCondition to wait for the EC2 instance to become available. Any idea what could be the issue here?

Use of requestid as 'extra' seems to break logging for botocore, boto3, and pretty much every other logger

OK - I have been looking at this a while and I am not a python ninja. However, I have come to an initial conclusion that the setting of log format in crhelper.py lines 46-48 breaks boto3, botocore, and other loggers:
# Set log message format
logfmt = '[%(requestid)s][%(asctime)s][%(levelname)s] %(message)s \n'
mainlogger.handlers[0].setFormatter(logging.Formatter(logfmt))

Boto3 and botocore seem to catch the exception (which is of the general form:'requestid': KeyError Traceback) and just don't write anything out even when explicitly set. Use of other modules which don't catch this exception seem to just die. This seems to be due to the fact that the format string expects 'requestid' which is not a reserved attribute (one that is always set, see https://docs.python.org/2/library/logging.html#logrecord-attributes for a list). The ability to set custom attributes seems to be here to let code define some data to present that is outside the always defined attributes, and can be done by passing a dict as an extra argument to the logging function (ex: logger.error('Something bad happened', extra={'requestid': 'SOMEIDNUM'}). However, this requires every call to the logger to define that requestid field (or whatever you want to use in your code). The documentation states that "While this might be annoying, this feature is intended for use in specialized circumstances, such as multi-threaded servers where the same code executes in many contexts, and interesting conditions which arise are dependent on this context".

However, there is another helper function which does seem to be used in crhelper.py on line 49:
return logging.LoggerAdapter(mainlogger, {'requestid': event['RequestId']})
The LoggerAdapter (discussed https://docs.python.org/2/library/logging.html#loggeradapter-objects) pretty much emulates a logger object, but passes the extra dictionary every time without being asked. It seems to make it easier to automatically include, but still hide the complexity of, the additional attribute. You can pass a LoggerAdapter back to anything expecting to see a logger and all calls to that logger will include the extra parameter. Here is where my python ninja definitely runs short: it seems the author is 'handling' this by passing back the LoggerAdapter and in the README.md in handler() it seems they are trying to make it 'stick' by declaring logger global. I am not sure this is having the intended effect. Since other modules will likely be calling logging.getLogger(name) directly, they will not be passed the global LoggerAdapter version. Even though many (all?) may indeed call it logger, since that logger is of more local scope in that module, the raw logger (not the LoggerAdapater) version will be used and thus it won't have the LoggerAdapter dictionary. Perhaps I am missing something subtle here, or there is a simple fix. However, the only one I can arrive at is removing requestid from the format string. You can simply log the request id at the entry into 'handler'. This is less functional as the visual sorting by eventid is nice, as each time update and delete are called they will have different ids and it is easy to see where the custom resource 'restarted' entry, but not crashing is generally more desirable. But, perhaps I am missing something simple.
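The mismatch described in this post (and in the "Logging error when libraries use root logger" report above), reproduced and then fixed at the handler level, as an added example that is not crhelper's own code. The logger name 'crhelper', the library logger name 'thirdparty.connectionpool' and the StrictHandler class are constructed for the demonstration; the fix shown, a handler-level logging.Filter that injects requestid into every record, is an alternative to dropping requestid from the format string.

```python
import io
import logging

# Format string as quoted from crhelper.py in the post above: every record
# must carry a 'requestid' attribute or formatting fails.
LOGFMT = '[%(requestid)s][%(levelname)s] %(message)s'


class RequestIdFilter(logging.Filter):
    """Attach the CloudFormation RequestId to every record the handler sees.

    A filter installed on the handler runs for records from *every* logger,
    including third-party ones obtained with logging.getLogger(__name__),
    whereas a LoggerAdapter only decorates calls made through the adapter.
    """

    def __init__(self, request_id):
        super().__init__()
        self.request_id = request_id

    def filter(self, record):
        # Leave an explicit value alone if the caller already passed extra={...}.
        if not hasattr(record, 'requestid'):
            record.requestid = self.request_id
        return True


class StrictHandler(logging.StreamHandler):
    """StreamHandler variant that lets formatting errors escape (constructed).

    The stdlib handler routes them to handleError() and carries on; the Lambda
    runtime handler in the traceback above does not, so the error aborts the
    invocation. Mirroring that makes the failure visible to the caller.
    """

    def emit(self, record):
        self.stream.write(self.format(record) + '\n')


def run_scenario(request_id, use_filter):
    """Log once through a LoggerAdapter (crhelper's logger) and once through a
    plain library-style logger (what boto3/urllib3 do).

    Returns the captured log text, or '<ExceptionType>: <message>' if the
    library record could not be formatted. Python 3.6 raises KeyError here;
    3.8+ wraps it in ValueError, so both are handled.
    """
    root = logging.getLogger()
    saved_handlers, saved_level = list(root.handlers), root.level
    buf = io.StringIO()
    handler = StrictHandler(buf)
    handler.setFormatter(logging.Formatter(LOGFMT))
    if use_filter:
        handler.addFilter(RequestIdFilter(request_id))
    root.handlers = [handler]
    root.setLevel(logging.DEBUG)
    try:
        adapted = logging.LoggerAdapter(logging.getLogger('crhelper'),
                                        {'requestid': request_id})
        adapted.info('Handling event')
        # Constructed stand-in for a library logger; it never sees the adapter.
        library = logging.getLogger('thirdparty.connectionpool')
        library.debug('Starting new HTTPS connection')
        return buf.getvalue()
    except (KeyError, ValueError) as exc:
        return '%s: %s' % (type(exc).__name__, exc)
    finally:
        root.handlers = saved_handlers
        root.setLevel(saved_level)


if __name__ == '__main__':
    print('without filter ->', run_scenario('req-1', use_filter=False))
    print('with filter    ->', run_scenario('req-1', use_filter=True), end='')
```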

CREATE_COMPLETE state and cannot be signaled

Hi Team
Please help me to resolve the below ValidationError

  • /opt/aws/bin/cfn-signal -e 0 --stack RedHat7Cfn --resource EC2Instance --region us-east-1
    ValidationError: Stack arn:aws:cloudformation:us-east-1:861450004289:stack/RedHat7Cfn/7d2e3dd0-f5f3-11e7-93f5-50a686e4bb4a is in CREATE_COMPLETE state and cannot be signaled

Thanks
Prem

crhelper.py 'timeout' logger is persisted between executions

The 'timeout' function of crhelper.py

https://github.com/awslabs/aws-cloudformation-templates/blob/master/community/custom_resources/python_custom_resource_helper/crhelper.py#L91

appears to persist across executions of the lambda. Output from my logs:

START RequestId: 3df43426-e759-11e8-aff6-b1e7e3385b5e Version: $LATEST
[34aadf4b-279d-4712-8371-41fcfd235262][2018-11-13 15:31:51,929][INFO] Handling event
[34aadf4b-279d-4712-8371-41fcfd235262][2018-11-13 15:31:51,929][INFO] Lambda RequestId: 3df43426-e759-11e8-aff6-b1e7e3385b5e CloudFormation RequestId: 34aadf4b-279d-4712-8371-41fcfd235262
... trimmed extra log lines
[34aadf4b-279d-4712-8371-41fcfd235262][2018-11-13 15:31:52,173][INFO] Update complete returning new physicial id 5beaee6831e2bc2eaf94adf1, old_id 5beae8d431e2bc2eaf94a80c
[34aadf4b-279d-4712-8371-41fcfd235262][2018-11-13 15:31:52,174][INFO] Completed successfully, sending response to cfn
[34aadf4b-279d-4712-8371-41fcfd235262][2018-11-13 15:31:52,438][INFO] CloudFormation returned status code: OK
END RequestId: 3df43426-e759-11e8-aff6-b1e7e3385b5e
REPORT RequestId: 3df43426-e759-11e8-aff6-b1e7e3385b5e	Duration: 509.22 ms	Billed Duration: 600 ms Memory Size: 128 MB	Max Memory Used: 31 MB
START RequestId: 415fe7fd-e759-11e8-9e47-abc0bdddf7ef Version: $LATEST
[0f0b6f2f-0b00-4284-8402-47a973dd5cd0][2018-11-13 15:31:57,054][INFO] Handling event
[0f0b6f2f-0b00-4284-8402-47a973dd5cd0][2018-11-13 15:31:57,055][INFO] Lambda RequestId: 415fe7fd-e759-11e8-9e47-abc0bdddf7ef CloudFormation RequestId: 0f0b6f2f-0b00-4284-8402-47a973dd5cd0
... trimmed extra log lines
[0f0b6f2f-0b00-4284-8402-47a973dd5cd0][2018-11-13 15:31:57,075][INFO] Completed successfully, sending response to cfn
[0f0b6f2f-0b00-4284-8402-47a973dd5cd0][2018-11-13 15:31:57,265][INFO] CloudFormation returned status code: OK
END RequestId: 415fe7fd-e759-11e8-9e47-abc0bdddf7ef
REPORT RequestId: 415fe7fd-e759-11e8-9e47-abc0bdddf7ef	Duration: 211.26 ms	Billed Duration: 300 ms Memory Size: 128 MB	Max Memory Used: 31 MB
START RequestId: 6a652871-e759-11e8-8441-65b8ac4aa8ef Version: $LATEST
[54fe2a17-c453-41a9-a46c-538e88ab7e0a][2018-11-13 15:33:05,877][INFO] Handling event
[54fe2a17-c453-41a9-a46c-538e88ab7e0a][2018-11-13 15:33:05,877][INFO] Lambda RequestId: 6a652871-e759-11e8-8441-65b8ac4aa8ef CloudFormation RequestId: 54fe2a17-c453-41a9-a46c-538e88ab7e0a
[34aadf4b-279d-4712-8371-41fcfd235262][2018-11-13 15:33:05,877][ERROR] Execution is about to time out, sending failure message
[0f0b6f2f-0b00-4284-8402-47a973dd5cd0][2018-11-13 15:33:05,880][ERROR] Execution is about to time out, sending failure message
[54fe2a17-c453-41a9-a46c-538e88ab7e0a][2018-11-13 15:33:05,881][INFO] Received a Update Request

As you can see, with my lambda timeout set to 10s, the third execution (the first two complete within 10 seconds) of the lambda contains log lines related to the first two requests. Does this mean that the background thread is suspended while the lambda is inactive and continues when the lambda next starts?

I believe that the code should remove the timer as a final step, after successful completion of the lambda. Would this be a good idea?
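The leak described in this post and the proposed fix (cancel the timer as the final step), as an added example that is not crhelper's code: handle_event, on_timeout and timed_out are constructed stand-ins for crhelper's timeout guard, and the Timer interval is assumed to be 0.5 s short of the supplied remaining time.

```python
import threading

# Module-level state survives between invocations on a warm Lambda container,
# which is why the leaked Timer threads in the log excerpt above can fire
# during a later request. Constructed stand-in, not the project's code.
timed_out = []  # CloudFormation request ids whose timeout callback ran


def on_timeout(request_id):
    """Stand-in for 'Execution is about to time out, sending failure message'."""
    timed_out.append(request_id)


def handle_event(request_id, remaining_seconds, cancel_on_finish):
    """Simulate one invocation guarded by a threading.Timer.

    The guard is armed to fire shortly before the function deadline. With
    cancel_on_finish=False it is left running when the handler returns, so it
    is still pending (and will report under the *old* request id) whenever the
    thread next gets scheduled. Returns (status, timer) so the caller can
    inspect whether the thread was leaked.
    """
    timer = threading.Timer(max(remaining_seconds - 0.5, 0.0), on_timeout,
                            args=[request_id])
    timer.daemon = True
    timer.start()
    try:
        # ... the real create/update/delete work would happen here ...
        status = 'SUCCESS'
    finally:
        if cancel_on_finish:
            # Cancel before sending the response, as proposed in the post.
            timer.cancel()
            timer.join()  # wait for the thread to exit so nothing is leaked
    return status, timer


if __name__ == '__main__':
    _, leaked = handle_event('req-a', remaining_seconds=10, cancel_on_finish=False)
    _, clean = handle_event('req-b', remaining_seconds=10, cancel_on_finish=True)
    print('leaked timer still alive:', leaked.is_alive())   # True
    print('cancelled timer alive:   ', clean.is_alive())    # False
```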

Upper function is not there

I believe the code is missing functions of upper, title and swapcase python functions. Please have a look and correct this.

Regards,
bogdan

Template for AWS Sagemaker

Hello,

I am trying to generate a template which can instantiate an AWS Sagemaker via CloudFormation, do you have any simple example (to start)?

Thank you,
Andre

Feature request to support ECS Service autoscaling

Request to support ECS Service autoscaling. Not many examples out there at this point. Most are about the same scenario. Nothing about more advanced use cases to answer whether a rolling upgrade is possible within ECS service autoscaling.

DynamoDB_Table template issue

Hi There,
using the template: aws-cloudformation-templates/aws/services/DynamoDB/DynamoDB_Table.yaml
I receive the following error:
"An error occurred (ValidationError) when calling the CreateStack operation: Parameters: [HashKeyElementName] must have values"

Cheers.

Stackset deployment fails due to missing AdministrationRoleARN and ExecutionRoleName ? `Lambda stack` deploys successfully but `stackset` creation fails

Has anyone been able to successfully deploy their stackset?

I'm relatively new and learning AWS right now. We have a requirement to provision resources across DEV and QA environments.

You have the following in stackset-function-template.yaml:

Parameters:
  ModuleName:
    Type: String
    Default: "lambda_function"

  RoleName:
    Type: String
    Default: ""

  RolePath:
    Type: String
    Default: ""

  1. It looks like step 1 is to deploy the function stack:
    When I deploy the function stack (stackset-function-template.yaml), it deploys it successfully
    1a. But where do I get the Rolename and rolepath?
    It seems that if I don't wanna override those 2 parameters, they'll automatically be assigned during stack deployment

  2. It then seems that step 2 is to issue a stack create command to create the stackset stack (stack-set-template.yaml)

But when I do that I get the following error below:

The following resource(s) failed to create: [StackSet]. . Rollback requested by user.
Where do I get the AdministrationRoleARN and ExecutionRoleName and how do I pass them to the template?

  | 17:02:39 UTC-0400 | CREATE_FAILED | Custom::StackSet | StackSet | Failed to create resource. Parameter validation failed: Invalid length for parameter AdministrationRoleARN, value: 0, valid range: 20-inf Invalid length for parameter ExecutionRoleName, value: 0, valid range: 1-inf (See CloudWatch Log Stream: 2018/10/26/[$LATEST]3de21a37c64c35sdfa08e2194ecc22b5b)
  | 17:02:39 UTC-0400 | CREATE_IN_PROGRESS | Custom::StackSet | StackSet | Resource creation Initiated

Where do I get the AdministrationRoleARN and ExecutionRoleName ?

crhelper.py can't PUT to response URL

I'm not sure if it's an issue with the way I'm using crhelper, a bug with crhelper, or a bug with botocore so I hope you guys can help. I'm getting an error when trying to upload to the S3 presigned bucket provided by CloudFormation.

When I enable debug logging, I see that it attempts to send the following success payload:

{
    "Status": "SUCCESS",
    "Reason": "See details in CloudWatch Log Stream: 2018/05/16/[$LATEST]4f22852ff28146e3a881d10a12487690",
    "PhysicalResourceId": "2018/05/16/[$LATEST]4f22852ff28146e3a881d10a12487690",
    "StackId": "arn:aws:cloudformation:us-east-1:1111111111111:stack/postgis-test/346b09b0-5607-11e8-bd3a-503aca261635",
    "RequestId": "e55bae87-799b-4410-8ee6-f0d5a97992f7",
    "LogicalResourceId": "PostGisProvisioner"
}

But it hangs and times out, eventually sending a FAILED message.

Going to the presigned URL passed in the request, I see the following output:

<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>
The request signature we calculated does not match the signature you provided. Check your key and signing method.
</Message>
<AWSAccessKeyId>AKIAIEJAAAAAAAAAAAAAA</AWSAccessKeyId>
<StringToSign>
GET 1526465289 /cloudformation-custom-resource-response-useast1/arn%3Aaws%3Acloudformation%3Aus-east-1%3A111111111111%3Astack/postgis-test/346b09b0-5607-11e8-bd3a-503aca261635%7CPostGisProvisioner%7Ce55bae87-799b-4410-8ee6-f0d5a97992f7
</StringToSign>
<SignatureProvided>*******************************</SignatureProvided>
<StringToSignBytes>
47 45 54 0a 0a 0a 31 35 32 36 34 36 35 32 38 39 0a 2f 63 6c 6f 75 64 66 6f 72 6d 61 74 69 6f 6e 2d 63 75 73 74 6f 6d 2d 72 65 73 6f 75 72 63 65 2d 72 65 73 70 6f 6e 73 65 2d 75 73 65 61 73 74 31 2f 61 72 6e 25 33 41 61 77 73 25 33 41 63 6c 6f 75 64 66 6f 72 6d 61 74 69 6f 6e 25 33 41 75 73 2d 65 61 73 74 2d 31 25 33 41 35 33 31 37 31 34 34 36 39 36 31 32 25 33 41 73 74 61 63 6b 2f 70 6f 73 74 67 69 73 2d 74 65 73 74 2f 33 34 36 62 30 39 62 30 2d 35 36 30 37 2d 31 31 65 38 2d 62 64 33 61 2d 35 30 33 61 63 61 32 36 31 36 33 35 25 37 43 50 6f 73 74 47 69 73 50 72 6f 76 69 73 69 6f 6e 65 72 25 37 43 65 35 35 62 61 65 38 37 2d 37 39 39 62 2d 34 34 31 30 2d 38 65 65 36 2d 66 30 64 35 61 39 37 39 39 32 66 37
</StringToSignBytes>
<RequestId>E346B08F29FC4712</RequestId>
<HostId>
UrBU5lKTctOGF4eXtnbexGNMmLx8k//bxp0r6eJfU0rvfL0s/Cj3BQUV8hCQ8ZhGFJsaXR1rd5g=
</HostId>
</Error>

Thinking it's a permission issue, I tried attaching the PowerUserAccess policy to my Lambda's role and it's still not working.

Is this an issue with botocore.vendored.requests.put? Or is there something I need to configure to make the signature right?

Deleting a custom resource using the crhelper.py causes cloud formation stack to time out

The code in awslabs/aws-cloudformation-templates/blob/master/community/custom_resources/python_custom_resource_helper/crhelper.py shows that there is no physical id being returned to CloudFormation when a custom resource is being deleted. There is just a return event with no arguments.

Therefore I have mirrored this in my code.

def delete(event, context):
    """
    Place your code to handle Delete events here
    
    To return a failure to CloudFormation simply raise an exception, the exception message will be sent to CloudFormation Events.
    """
    return

However, when I delete the CloudFormation stack it times out deleting the custom resource.

Looking at the guide here: (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/crpg-ref-requesttypes-delete.html) it shows that the PhysicalResourceId should be returned when performing a delete.

Can you please advise whether I am doing something wrong and need to handle the delete event differently for my custom resource.

An example of using the helper with real code would be very useful.

Thanks

Error to signal on RHEL 7.6

Got the following issue when I terminated an instance manually to validate the autoscaling creation process.
If I shut down one, I expected one more instance to be created.
This script creates one more, but I'm getting the following exception in the logs:

$sudo grep cloud-init /var/log/messages
Output:

  • /opt/aws/bin/cfn-signal -e 0 --stack jenkins --resource JenkinsSlaveAutoScalingGroup --region us-east-1
    Dec 5 10:08:51 ip-10-80-48-198 cloud-init: ValidationError: Stack arn:aws:cloudformation:us-east-1:****:stack/jenkins/75854780-f86e-11e8-a417-*******is in CREATE_COMPLETE state and cannot be signaled

Unable to write response for cloudformation custom resource

I am trying to initialize an RDS instance using a lambda function triggered from a cloudformation custom resource. I am using the python_custom_resource_helper from this repo (which has been great) to handle sending the response.

The lambda function is called successfully and the database initializes without issue. However, the lambda function seems unable to connect to s3 to write the response. I assume it is a permissions issue, but am not sure what I need to update.

cloudwatch logs:

[16b5f688-cc49-4163-bb05-d961ba437ce9][2018-10-24 03:04:11,113][INFO] Completed successfully, sending response to cfn
[16b5f688-cc49-4163-bb05-d961ba437ce9][2018-10-24 03:04:12,170][ERROR] send(..) failed executing requests.put(..): HTTPSConnectionPool(host='cloudformation-custom-resource-response-useast1.s3.amazonaws.com', port=443): Max retries exceeded with url: /arn%3Aaws%3Acloudformation%3Aus-east-1%3A164513338535%3Astack/ltak2/86ac7dd0-d735-11e8-9b9e-503aca4a5835%7CrdsInitCustom%7C16b5f688-cc49-4163-bb05-d9

The Lambda role has the following permissions:
AmazonS3FullAccess
AWSLambdaVPCAccessExecutionRole

My user that kicks off cloudformation has AdministratorAccess and AmazonS3FullAccess as well.

Is there something else I need to configure for the response to write correctly?

Where do I get the AdministrationRoleARN and ExecutionRoleName ? `Lambda stack` deploys successfully but `stackset` creation fails

I'm relatively new and learning AWS right now. We have a requirement to provision resources across DEV and QA environments.

You have the following in stackset-function-template.yaml:

Parameters:
  ModuleName:
    Type: String
    Default: "lambda_function"

  RoleName:
    Type: String
    Default: ""

  RolePath:
    Type: String
    Default: ""

  1. It looks like step 1 is to deploy the function stack:
    When I deploy the function stack (stackset-function-template.yaml), it deploys it successfully
    1a. But where do I get the RoleName and RolePath?
    It seems that if I don't want to override those 2 parameters, they'll automatically be assigned during stack deployment.

  2. It then seems that step 2 is to issue a stack create command to create the stackset stack (stack-set-template.yaml)

But when I do that I get the following error below:

The following resource(s) failed to create: [StackSet]. . Rollback requested by user.
Where do I get the AdministrationRoleARN and ExecutionRoleName and how do I pass them to the template?

  | 17:02:39 UTC-0400 | CREATE_FAILED | Custom::StackSet | StackSet | Failed to create resource. Parameter validation failed: Invalid length for parameter AdministrationRoleARN, value: 0, valid range: 20-inf Invalid length for parameter ExecutionRoleName, value: 0, valid range: 1-inf (See CloudWatch Log Stream: 2018/10/26/[$LATEST]3de21a37c64c35sdfa08e2194ecc22b5b)
  | 17:02:39 UTC-0400 | CREATE_IN_PROGRESS | Custom::StackSet | StackSet | Resource creation Initiated

Where do I get the AdministrationRoleARN and ExecutionRoleName ?

cfnresponse DeprecationWarning

DeprecationWarning when using cfnresponse in Python Lambda:

https://pypi.org/project/cfnresponse/ with source in 'aws-cloudformation-templates/aws/services/CloudFormation/MacrosExamples/StackMetrics/lambda/cfnresponse.py'

/var/task/botocore/vendored/requests/api.py:67: DeprecationWarning: You are using the put() function from 'botocore.vendored.requests'. This is not a public API in botocore and will be removed in the future. Additionally, this version of requests is out of date. We recommend you install the requests package, 'import requests' directly, and use the requests.put() function instead.
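The three issues above (the Delete request that must echo a PhysicalResourceId, the response PUT that never reaches S3, and the DeprecationWarning from botocore.vendored.requests) all touch the same piece of code: the responder that answers CloudFormation. Below is an added example of such a responder; it is not the repository's python_custom_resource_helper or cfnresponse module. It uses urllib.request from the standard library, echoes the incoming PhysicalResourceId on Update and Delete, and logs and re-raises a failed PUT so the invocation is visibly failed instead of leaving the stack waiting. The sample events, stack ARN and the LocalSink stand-in for urlopen are constructed so it runs offline. The pre-signed ResponseURL needs no IAM permission to write; the function only needs a network path to S3, which is the first thing to check when a VPC-attached function cannot deliver its response.

```python
"""Minimal CloudFormation custom-resource responder (added example)."""
import json
import logging
import urllib.request

logger = logging.getLogger(__name__)

SUCCESS = "SUCCESS"
FAILED = "FAILED"

# Constructed sample requests; the account id, stack id and URL are placeholders.
SAMPLE_CREATE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://example.invalid/presigned-response-url",
    "StackId": "arn:aws:cloudformation:us-east-1:111111111111:stack/example/"
               "00000000-0000-0000-0000-000000000000",
    "RequestId": "req-1",
    "LogicalResourceId": "rdsInitCustom",
    "ResourceType": "Custom::DbInit",
    "ResourceProperties": {},
}
SAMPLE_DELETE_EVENT = dict(SAMPLE_CREATE_EVENT, RequestType="Delete",
                           RequestId="req-2", PhysicalResourceId="db-init-v1")


def build_response(event, log_stream_name, status, physical_resource_id=None,
                   data=None, reason=None):
    """Build the body CloudFormation expects.

    On Update/Delete the PhysicalResourceId from the request is echoed back
    unless the caller supplies one; on Create it falls back to the log stream
    name so the id is always non-empty and stable.
    """
    physical_id = (physical_resource_id
                   or event.get("PhysicalResourceId")
                   or log_stream_name)
    return {
        "Status": status,
        "Reason": reason or f"See CloudWatch log stream: {log_stream_name}",
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }


def send_response(response_url, body, opener=urllib.request.urlopen, timeout=10):
    """PUT the JSON body to the pre-signed S3 URL with an empty Content-Type.

    No IAM permission is involved; only network egress to S3 matters.
    A failed PUT is logged with its traceback and re-raised.
    """
    payload = json.dumps(body).encode("utf-8")
    request = urllib.request.Request(
        response_url, data=payload, method="PUT",
        headers={"Content-Type": "", "Content-Length": str(len(payload))},
    )
    try:
        with opener(request, timeout=timeout) as resp:
            logger.info("CloudFormation accepted response, HTTP %s", resp.status)
            return resp.status
    except Exception:
        logger.exception("failed to PUT custom-resource response to %s", response_url)
        raise


def handler(event, context, opener=urllib.request.urlopen):
    """Lambda entry point: do the work, then always answer CloudFormation."""
    log_stream = getattr(context, "log_stream_name", "unknown")
    try:
        request_type = event["RequestType"]
        if request_type == "Delete":
            # Nothing to tear down in this example; the id is echoed unchanged.
            body = build_response(event, log_stream, SUCCESS)
        else:
            # Create/Update: the real resource work (e.g. schema init) goes here.
            body = build_response(event, log_stream, SUCCESS,
                                  data={"Message": f"{request_type} handled"})
    except Exception as exc:  # report the failure instead of timing out the stack
        body = build_response(event, log_stream, FAILED, reason=str(exc))
    send_response(event["ResponseURL"], body, opener=opener)
    return body


class LocalSink:
    """Stand-in for urlopen so the module can be exercised without network."""

    status = 200

    def __init__(self):
        self.sent = []

    def __call__(self, request, timeout=None):
        self.sent.append(json.loads(request.data))
        return self

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


if __name__ == "__main__":
    sink = LocalSink()
    print(json.dumps(handler(SAMPLE_DELETE_EVENT, None, opener=sink), indent=2))
```

Swapping `LocalSink` for the default `urllib.request.urlopen` is all that changes when the handler is deployed; if the PUT then fails with a connection or timeout error rather than an HTTP 403, the problem is reachability of S3 from the function's subnets, not the role's policies.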

HTTP routing to HTTPS

This is a question, not an issue per se. What changes would you make to this template to redirect HTTP to HTTPS?

StackSetsResource: Pass Role Error on update_stack_set

When using custom admin/execution roles there are errors updating stack sets with a PassRole permissions error. The solution to the issue is updating the update_stack_set method signature to include the admin role and execution role and follow the same strategy as create_stack_set. Attached is the code I updated to make it work in my account.
lambda_function.py.zip
