Hi,

Right now after creating using quickstart our Kafka services are only accessible through IP or a generate DNS name using the IP on it. We are thinking this is probably not good practice, since this service will eventually get updated and the IP will be changed.

We are thinking our services should respond by a proper DNS URL. I.E - "kafka-broker.dev.latam.exampledomain.com", "schema-registry.dev.latam.exampledomain.com". This prevents internal changes in applications that may be using those services.

If you are using the quick start CFT to start a cluster on AWS is it possible to give the Zookeeper, Schema Registry, Connectors, Rest endpoints and Broker ec2s a CNAME through the CFT? If the creation of the EC2 was done in the CFT then we could use its IP to create a CNAME but as I can’t see any instances being created in the quick start this may not be possible?

Much Appreciated
Michael

The excellent blog post here:

https://aws.amazon.com/blogs/infrastructure-and-automation/building-a-ci-cd-pipeline-for-hugo-websites/

..did not work for me this morning. When building the cloudformation stack today, the WebHostingBucket step fails with this Status Reason:

Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting (Service: Amazon S3; Status Code: 400; Error Code: InvalidBucketAclWithObjectOwnership; Request ID: QHZW5HM2KENR0Z6P; S3 Extended Request ID: Nk4f41M6G5zY2jLqOswB0UckFLIH2K39oo2YxURqblAClcrjjglbXvg7FQXKODATHklckqDAABcopNuQIWPFqQ==; Proxy: null)

I think it is failing now because of the April 2023 change which AWS described in this snippet I paste here:

We are reaching out to inform you that starting in April 2023 Amazon S3 will change the default security configuration for all new S3 buckets. For new buckets created after this date, S3 Block Public Access will be enabled, and S3 access control lists (ACLs) will be disabled.

I was fumbling around inside of the repo where a fix might happen:
https://github.com/aws-quickstart/quickstart-examples/tree/main/samples/hugo-pipeline

..but AWS perms are not my favorite kind of work ;-) But it would be nice if this super easy and clear blog worked again.

Would you please update to include an example Cloudformation for a Lambda container? Not SAM, but Cloudformation, please.

Python 2.7 is EOL in January 2020. We need to upgrade the CopyZips function prior to then.

When launching this template from AWS Service Catalog, the CfnStackAssumeRole lambda function (QuickStartStackMakerLambda) fails due to using reserved tags. The error message the Lambda returns is as follows

An error occurred (ValidationError) when calling the CreateStack operation: aws: prefixed tag key names are not allowed for external use.
Traceback (most recent call last):
File "/var/task/lambda_function.py", line 133, in cfn_handler
physical_resource_id, response_data = create_func(event, context)
File "/var/task/lambda_function.py", line 335, in create
}] + parent_properties['Tags']
File "/var/runtime/botocore/client.py", line 386, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/var/runtime/botocore/client.py", line 705, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ValidationError) when calling the CreateStack operation: aws: prefixed tag key names are not allowed for external use.

LambdaZip is a great source on how to support the initial deployment but it does not support an update as the copy will happen, however the lambda function will not get updated.

Hi,
I really liked the blog. I would like to know how to do this for a lambda function that is created outside of the yaml template.
From my understanding I cannot use cfnresponse because it is not an inline function. Could you please explain what the requirements are for a lambda function that's not an inline function in the yaml template?
Thanks in advance

Update year to 2021 in Partner Quick Start Template and Style Guide doc

PR to follow.

for k in ["Complete", "Poll", "permission", "rule"] is meaningless because k is not used inside the for.

if k in response_data.keys(): together with del response_data[k] should delete all the keys.

Overall, the code doesn't seem to be intentional.

HI Team,

I have tried to use this code by the lambda function is just timing out and no zip is created.

Regards,
SR

The link to AWS Quick Start examples repository is dated. 404.

Getting this error:

User: arn:aws:sts::30237836XXXX:assumed-role/delm5c-DeleteAfterTTLStac-DeleteCFNLambdaExecution-1JN3G0KJGWPOV/DeleteCFNLambda-delm5c is not authorized to perform: ssm:DeleteParameter on resource: arn:aws:ssm:us-east-1:30237836XXXX:parameter/CFN-DemoParameter-N8kk1WlMtNg3 (Service: AmazonSSM; Status Code: 400; Error Code: AccessDeniedException; Request ID: 4bbdd9b5-51a2-4a0c-bfb6-e458c570a847)

Stack-overflow reference:

https://stackoverflow.com/questions/59405215/remove-a-template-after-5-minutes

I Want only for S3 url paste and create lambda function without zip example.

I tried to CopyZipsFunction remove but error through.

So please update the for only S3 URL based

thanks

README for cloudformation-cross-account sample was last updated 2 years ago. README says:

For a walkthrough on it's usage see this article

But the link to article appears to have never been valid. Is there a legit article we can link?

Great stack, thanks for making it available!

One issue I found was that there were additional permissions required for the delete stack role.

         # The following were missing from the example
          -  
            Sid: IAMPermissions
            Effect: "Allow"
            Action:
              - iam:DeleteRolePolicy
              - iam:DeleteRole
            Resource: 
              - !Sub "arn:aws:iam::${AWS::AccountId}:role/${StackName}-DeleteCFNLambda"
              - !Sub "arn:aws:iam::${AWS::AccountId}:role/${StackName}-DeleteCFNLambdaExecutionRole"
              - !Sub "arn:aws:iam::${AWS::AccountId}:role/${StackName}-GenerateCronExpLambdaRole"
          - 
            Sid: LamdaPermissions
            Effect: "Allow"
            Action:
              - lambda:DeleteFunction
              - lambda:InvokeFunction
              - lambda:RemovePermission
            Resource: 
              - !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${StackName}-GenerateCronExpLambda"
              - !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${StackName}-DeleteCFNLambda"
          -  
            Sid: EventsPermissions
            Effect: "Allow"
            Action: 
              - events:RemoveTargets
              - events:DeleteRule
            Resource: 
             - !Sub  "arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/${StackName}-DeleteStackEventRule"

How can i work around this since it doesn't seem possible to inline the lambda code after the depreciation is in effect? We then end up with the same issue this copyzips was trying to solve.

Note: The AWS Quick Start team is in the process of updating our entire catalog to reflect SigV4 requests. A blog-post is in progress at this time. For the moment, this issue serves as a placeholder for additional details - including links to relevant blog posts / documentation, etc.. Watch this space!

Using ToUniversalTime() results in an incorrect timestamp as the UTC conversion is repeated when the event is marshalled:

https://github.com/aws/aws-sdk-net/blob/0fb3f01067713d215363ec098a92d3ee05898434/sdk/src/Core/Amazon.Runtime/Internal/Transform/CustomMarshallTransformations.cs#L12

This isn't too obvious from the docs, perhaps it could also be clarified there?