Apply Terraform configurations using CloudFormation through a proxy lambda
License: Apache License 2.0
Note
AWS Service Catalog recently introduced support for Terraform open source so we recommend users to use that instead. This sample will be deprecated in the future. More details on Service Catalog and Terraform open source can be found in the documentation.
Please see README_OLD for the legacy README details.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
I'm getting the following error when trying to create the stack, any ideas?
2019-07-06 18:09:01 UTC+0200 TerraformFulfillmentServer DELETE_IN_PROGRESS - AWS::CloudFormation::Stack
2019-07-06 18:08:58 UTC+0200 TerraformArchitecture-SingleAccount ROLLBACK_IN_PROGRESS The following resource(s) failed to create: [TerraformFulfillmentServer]. . Rollback requested by user. AWS::CloudFormation::Stack
2019-07-06 18:08:58 UTC+0200 TerraformFulfillmentServer CREATE_FAILED Embedded stack arn:aws:cloudformation:us-east-1:541585145005:stack/TerraformArchitecture-SingleAccount-TerraformFulfillmentServer-1ATOO1NYI6K3X/55e738b0-a008-11e9-95ab-12926a34023c was not successfully created: The following resource(s) failed to create: [TerraformNatEip, OutputStore, SsmCommandStore, TerraformLambdaSnsTopic, TerraformInternetGateway, TerraformConfigStore, TerraformVpc, StateStore]. AWS::CloudFormation::Stack
Hi,
There's a use case for one of our customers to use this solution but they want to build service catalog products' templates using terraform as well.
for example how to : If cloudformation is going to work as only proxy, how would i parameterize the terraform variable within service catalog ?
passing the parameters can be done via a service catalog api in terraform surely with parameters of the template .customer want to build product for client who can launched there product from their side, but most of our team are fond of using terraform for creating resources/product.
regards...
Issue Description:
Launching "Lamp-TF" named sample product fails to create both ways:
1- Either in a single Hub/Spoke Account
2- Or in a different Spoke than Hub Account
The respective CloudFormation stack to "Lamp-TF" product fails with below error:
Custom::TerraformStack MyTerraformStack "Failed to create resource. Encountered error during fulfillment script execution - `terraform apply` finished with exit code 1. Terraform wrapper script output at: http://terraformarchitecture-singleaccount-t-outputstore-1wgbbba0qqs53.s3-website.us-east-1.amazonaws.com/redirects/1gxS4E63Nv"
Moreover, no wrapper script output exists at the specified location.
I believe that issue is coming due to something wrong in TerraformCustomResourceHandler module as I was able to see the respective Lambda function being invoked in order to launch this product but failing due to something wrong in the code(maybe).
Requesting the ability to use the most recent version of terraform as all my other projects are up to date and I have a need to use functions and other features of the latest version of terraform
I have experienced the following error with the latest updated code path for new Terraform versions.( TF-12 ).
Tested with Single account and Sample S3 website product.
CF stack Error.
Logs
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/__main__.py", line 240, in main
run(cleanups, args, args.request, config, s3, response_poster)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/__main__.py", line 155, in run
user_tags = terraform_tag.retrieve_user_tags_from_cfn(stack_arn, assume_role_input)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/terraform_tag.py", line 68, in retrieve_user_tags_from_cfn
tags = _retrieve_tags_from_cfn(stack_arn, assume_role_input)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/terraform_tag.py", line 72, in _retrieve_tags_from_cfn
cfn_client = terraform_utils.get_assume_role_client(assume_role_input, 'cloudformation', stack_arn.region)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/terraform_utils.py", line 48, in get_assume_role_client
ExternalId=assume_role_input.external_id)
File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 314, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 599, in _make_api_call
operation_model, request_dict)
File "/usr/local/lib/python3.7/site-packages/botocore/endpoint.py", line 148, in make_request
return self._send_request(request_dict, operation_model)
File "/usr/local/lib/python3.7/site-packages/botocore/endpoint.py", line 173, in _send_request
request = self.create_request(request_dict, operation_model)
File "/usr/local/lib/python3.7/site-packages/botocore/endpoint.py", line 157, in create_request
operation_name=operation_model.name)
File "/usr/local/lib/python3.7/site-packages/botocore/hooks.py", line 227, in emit
return self._emit(event_name, kwargs)
File "/usr/local/lib/python3.7/site-packages/botocore/hooks.py", line 360, in _emit
aliased_event_name, kwargs, stop_on_response
File "/usr/local/lib/python3.7/site-packages/botocore/hooks.py", line 210, in _emit
response = handler(**kwargs)
File "/usr/local/lib/python3.7/site-packages/botocore/signers.py", line 90, in handler
return self.sign(operation_name, request)
File "/usr/local/lib/python3.7/site-packages/botocore/signers.py", line 156, in sign
auth.add_auth(request)
File "/usr/local/lib/python3.7/site-packages/botocore/auth.py", line 352, in add_auth
raise NoCredentialsError
botocore.exceptions.NoCredentialsError: Unable to locate credentials
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/bin/sc-terraform-wrapper", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/__main__.py", line 243, in main
response_poster.post_response_with_expiration_check('FAILED', reason=msg)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 39, in post_response_with_expiration_check
state_file_location=state_file_location, reason=reason)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 44, in _post_response
output_url = self.create_proxy_object()
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 71, in create_proxy_object
presigned_url = self.generate_presigned_url()
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 92, in generate_presigned_url
ExpiresIn=ONE_WEEK_IN_SECONDS)
File "/usr/local/lib/python3.7/site-packages/botocore/signers.py", line 593, in generate_presigned_url
operation_name=operation_name)
File "/usr/local/lib/python3.7/site-packages/botocore/signers.py", line 266, in generate_presigned_url
'presign-url', expires_in, signing_name)
File "/usr/local/lib/python3.7/site-packages/botocore/signers.py", line 156, in sign
auth.add_auth(request)
File "/usr/local/lib/python3.7/site-packages/botocore/auth.py", line 739, in add_auth
raise NoCredentialsError
botocore.exceptions.NoCredentialsError: Unable to locate credentials
Hi I have followed the steps to install the custom type into CloudFomation for Cloudsoft::Terraform::Infrastructure.
When I try to create a stack to create the Type: Cloudsoft::Terraform::Infrastructure, the stack gets stuck in Create in progress and then timeout after a few minutes.
I added in the LogBucketName in the cfn yaml file but no logs are getting generated.
Any advise?
Issue Description
The guide in README.md never explained where and how to launch this sample product. This causes confusion for customers as they end up facing product creation failures due to different reasons. Would be good to have a section describing a walkthrough on launching a sample service catalog product from "SC Sample TF Portfolio".
Referencing the line in question. Linter says [cfn-lint] E0000: mapping values are not allowed in this context
When I deploy in CF Console i get and error referencing the same line
Template format error: YAML not well-formed. (line 110, column 16)
I am getting below tfvars error for the variables in json file sc
"TerraformVariables": {
"aws_region": {
"Fn::Sub": "${AWS::Region}"
},
"bucket_name": {
"Ref": "BucketName"
Error
on variables-5c5533be-f385-4136-b0cb-a09205ea48ab.auto.tfvars line 1:
1: {"aws_region": "eu-west-1", "bucket_name": "ibs-test-sc-tf-bucket"}
An argument or block definition is required here.
=================================
I am getting the "Custom Resource failed to stabilize in expected time" error while launching S3 using the sample product.
Has anyone else faced the same issue?
Need help..!
The template aws-service-catalog-terraform-reference-architecture/TerraformScripts/cloudformation-templates/terraform-launch-lambda.yaml is substituting wrong value for "S3Bucket" under "Code" property of "TerraformLaunchLambda" named resource.
When no value is passed to stack for LambdaJarBucket and LambdaJarKey stack parameters, it should fetch TerraformCustomResourceHandler/bin/aws-servicecatalog-terraform-wrapper.jar file from scterraform-[S3-Content-Holding-AccountId] bucket instead it is trying to fetch this file from scterraform-[Current-Spoke-AccountId] bucket. This is causing stack creation failures as according to implementation guide, no such bucket is supposed to be existing in this Current Spoke Account.
Note:
a- "Current Spoke Account" is the account in which "Terraform Lambda launch function" is being created.
b- "S3-Content-Holding-Account" is the account in which all the required files reside.
Wrong Snippet:
TerraformLaunchLambda:
Type: AWS::Lambda::Function
Properties:
Code:
S3Bucket: !If
- UseDefaultJar
- !Sub "scterraform-${AWS::AccountId}"
- !Ref LambdaJarBucket
S3Key: !If
- UseDefaultJar
- !Sub "TerraformCustomResourceHandler/bin/aws-servicecatalog-terraform-wrapper.jar"
- !Ref LambdaJarKey
Environment:
Variables:
HUB_SNS_TOPIC_ARN: !Sub arn:aws:sns:${FulfillmentRegion}:${FulfillmentHubAccountId}:terraform-commands-topic
FunctionName: TerraformLaunchHandler
Handler: com.amazon.servicecatalog.terraform.customresource.TerraformLaunchRequestHandler
MemorySize: 512
ReservedConcurrentExecutions: 50
Role: !Sub arn:aws:iam::${AWS::AccountId}:role/TerraformLaunchLambdaRole
Runtime: java8
Timeout: 300
TerraformLaunchLambda:
Type: 'AWS::Lambda::Function'
Properties:
Code:
S3Bucket: !If
- UseDefaultJar
- !Join
- '-'
- - scterraform
- !Ref S3-Content-Holding-AccountId ##Supposedly another parameter to this stack in Spoke Account
- !Ref LambdaJarBucket
S3Key: !If
- UseDefaultJar
- !Sub >-
TerraformCustomResourceHandler/bin/aws-servicecatalog-terraform-wrapper.jar
- !Ref LambdaJarKey
Environment:
Variables:
HUB_SNS_TOPIC_ARN: !Sub >-
arn:aws:sns:${FulfillmentRegion}:${FulfillmentHubAccountId}:terraform-commands-topic
FunctionName: TerraformLaunchHandler
Handler: >-
com.amazon.servicecatalog.terraform.customresource.TerraformLaunchRequestHandler
MemorySize: 512
ReservedConcurrentExecutions: 50
Role: !Sub 'arn:aws:iam::${AWS::AccountId}:role/TerraformLaunchLambdaRole'
Runtime: java8
Timeout: 300
Followed documentation to setup AWS ServiceCatalog terraform reference architecture in my AWS account, where spoke account and hub account reside in the same region of the AWS account.
For end user setup i followed steps mentioned here
End user is able to see the products and provision the listed products. Even though product (for example s3) gets provisioned (can be seen through console by Admin user) but on service catalog console end user gets an error "Custom Resource failed to stabilize in expected time".
Error log collected from "terraformarchitecture-singleaccount-t-outputstore-<>" bucket is attached below
`
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/main.py", line 240, in main
run(cleanups, args, args.request, config, s3, response_poster)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/main.py", line 216, in run
state_file_location=state_file_location)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 39, in post_response_with_expiration_check
state_file_location=state_file_location, reason=reason)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 44, in _post_response
output_url = self.create_proxy_object()
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 80, in create_proxy_object
WebsiteRedirectLocation=presigned_url
File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 314, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 612, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/bin/sc-terraform-wrapper", line 11, in
sys.exit(main())
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/main.py", line 243, in main
response_poster.post_response_with_expiration_check('FAILED', reason=msg)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 39, in post_response_with_expiration_check
state_file_location=state_file_location, reason=reason)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 44, in _post_response
output_url = self.create_proxy_object()
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 80, in create_proxy_object
WebsiteRedirectLocation=presigned_url
File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 314, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 612, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
`
Note: After looking at the error I did try again by giving all permissions to all the user but no luck.
It would be great if someone could help in what is the expected permissions or if I have overlooked some crucial step because of which i am getting this error.
Issue Description:
sc-sample-lamp.json template doesn't handle respective AWS Account Ids well.Custom::TerraformStack resource from the account in which product is being launched irrespective of taking Hub/Spoke(S3-DataHolding) Accounts into consideration and causes problems for customers1- TerraformLaunchHandler
2- TerraformArtifactURL
3- LaunchRoleArn
IsSpokeAccount to check whether current account is Hub or Spoke and referencing values accordingly to above mentioned properties might be helpful. Below is the sample that I edited a bit.{
"Parameters": {
"ImageID": {
"Type": "String",
"Description":"Enter an AMI for your region"
},
"KeyName": {
"Type": "AWS::EC2::KeyPair::KeyName"
},
"SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup::Id"
},
"Subnet": {
"Type": "AWS::EC2::Subnet::Id"
},
"Size": {
"Type": "String",
"Default":"t2.micro",
"AllowedValues": ["t2.micro","t2.medium","t2.large","t2.xlarge"]
},
"HubAccountID": {
"Type": "String",
"AllowedPattern": "[0-9]{13,13}"
}
},
"Conditions": {
"IsSpokeAccount": {"Fn::Equals" : [{"Ref": "AWS::AccountId"},{"Ref":"HubAccountID"}]}
},
"Resources": {
"MyTerraformStack": {
"Type": "Custom::TerraformStack",
"Condition": "IsSpokeAccount",
"Properties": {
"ServiceToken": {
"Fn::If": ["IsSpokeAccount",{"Fn::Sub": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:TerraformLaunchHandler"},{"Fn::Sub": "arn:aws:lambda:${AWS::Region}:${HubAccountID}:function:TerraformLaunchHandler"}]
},
"TerraformArtifactUrl": {
"Fn::Sub": "https://s3.amazonaws.com/terraform-config-${HubAccountID}/sc-sample-lamp.tf"
},
"LaunchRoleArn": {
"Fn::If": ["IsSpokeAccount",{"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/TerraformResourceCreationRole"},{"Fn::Sub": "arn:aws:iam::${HubAccountID}:role/TerraformResourceCreationRole"}]
},
"TerraformVariables": {
"aws_region": {
"Fn::Sub": "${AWS::Region}"
},
"aws_ami": {
"Ref": "ImageID"
},
"key_name": {
"Ref": "KeyName"
},
"aws_sg": {
"Ref": "SecurityGroup"
},
"aws_subnet": {
"Ref": "Subnet"
},
"instance_type": {
"Ref": "Size"
}
}
}
}
},
"Outputs": {
"ScriptOutput": {
"Value": {
"Fn::GetAtt": [
"MyTerraformStack",
"TerraformScriptOutputLocation"
]
}
},
"MyOutputVariables": {
"Value": {
"Fn::GetAtt": [
"MyTerraformStack",
"Outputs"
]
}
}
}
}
Hi there,
I tried to deploy the arch in AWS china region(NingXia).
My CloudFormation IAM role had admin permission, but still failed.
Can you guys help with?
Terraform server creation failed with the following error, trying to create a new terraform server with the template provided "https://console.aws.amazon.com/cloudformation/home?#/stacks/new?stackName=cfrtrsetup&templateURL=https://kwdem0s.s3.amazonaws.com/cs/crt-tf-provider-setup.json"
We are trying to deploy utilizing our own VPC, Subnets etc..
In our network stack we do not allow native NAT-Gateway service, we utilize a corporate proxy.
Could you assist in where a http and https proxy would need to be set?
After deploying the infrastructure, and then provisioning a product (using end user) via service catalog, I can see the provisioned product using admin's console but the end user doesnt receive the success message since both service catalog and cloud formation show status as "CREATE_IN_PROGRESS" (which later changes to "ROLLBACK_IN_PROGRESS")
Following is the error stack trace received
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/__main__.py", line 240, in main
run(cleanups, args, args.request, config, s3, response_poster)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/__main__.py", line 216, in run
state_file_location=state_file_location)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 39, in post_response_with_expiration_check
state_file_location=state_file_location, reason=reason)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 44, in _post_response
output_url = self.create_proxy_object()
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 80, in create_proxy_object
WebsiteRedirectLocation=presigned_url
File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 314, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 612, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/bin/sc-terraform-wrapper", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/__main__.py", line 243, in main
response_poster.post_response_with_expiration_check('FAILED', reason=msg)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 39, in post_response_with_expiration_check
state_file_location=state_file_location, reason=reason)
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 44, in _post_response
output_url = self.create_proxy_object()
File "/usr/local/lib/python3.7/site-packages/sc_terraform_wrapper/response_poster.py", line 80, in create_proxy_object
WebsiteRedirectLocation=presigned_url
File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 314, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python3.7/site-packages/botocore/client.py", line 612, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
failed to run commands: exit status 1
Also going through stdout to find details i get following
Attempt to load configuration at: /usr/local/var/sc-config.json
Creating workspace
Downloading artifact file
Writing backend configuration to file
Creating AWS provider override file
Writing variables to file
Starting Terraform execution
Tagging resources with tags: {'Name': 'trial21', 'CfnStackId': 'arn:aws:cloudformation:us-west-2:<<MyAccountID>>:stack/SC-<<MyAccountID>>-pp-spkckdpjc3mmk/64352560-1b11-11ea-a978-02b749140c52', 'TfResourceGroupName': 'SC-<<MyAccountID>>-pp-spkckdpjc3mmk-MyTerraformStack-03192b6e60d98c9c066769b0214eb57392de066f88c9ac888ad133b1006206bc'}
Tagging try #1. Attempt to tag ARNs: ['arn:aws:sqs:us-west-2:<<MyAccountID>>:trial21.fifo']
Creating resource group if not exist
Created resource group: {'ResponseMetadata': {'RequestId': 'c4cc57dd-d7d6-44ab-a782-0a49f2b80aa5', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Tue, 10 Dec 2019 05:54:06 GMT', 'content-type': 'application/json', 'content-length': '994', 'connection': 'keep-alive', 'x-amzn-requestid': 'c4cc57dd-d7d6-44ab-a782-0a49f2b80aa5', 'x-amz-apigw-id': 'EeTnxFaGvHcFsuQ=', 'x-amzn-trace-id': 'Root=1-5def32fe-ee9600089e7e5bf06419bbbc;Sampled=0'}, 'RetryAttempts': 0}, 'Group': {'GroupArn': 'arn:aws:resource-groups:us-west-2:<<MyAccountID>>:group/SC-<<MyAccountID>>-pp-spkckdpjc3mmk-MyTerraformStack-03192b6e60d98c9c066769b0214eb57392de066f88c9ac888ad133b1006206bc', 'Name': 'SC-<<MyAccountID>>-pp-spkckdpjc3mmk-MyTerraformStack-03192b6e60d98c9c066769b0214eb57392de066f88c9ac888ad133b1006206bc', 'Description': 'Auto-created from Terraform wrapper script'}, 'ResourceQuery': {'Type': 'TAG_FILTERS_1_0', 'Query': '{"ResourceTypeFilters": ["AWS::AllSupported"], "TagFilters": [{"Key": "TfResourceGroupName", "Values": ["SC-<<MyAccountID>>-pp-spkckdpjc3mmk-MyTerraformStack-03192b6e60d98c9c066769b0214eb57392de066f88c9ac888ad133b1006206bc"]}]}'}, 'Tags': {'Name': 'trial21', 'CfnStackId': 'arn:aws:cloudformation:us-west-2:<<MyAccountID>>:stack/SC-<<MyAccountID>>-pp-spkckdpjc3mmk/64352560-1b11-11ea-a978-02b749140c52', 'TfResourceGroupName': 'SC-<<MyAccountID>>-pp-spkckdpjc3mmk-MyTerraformStack-03192b6e60d98c9c066769b0214eb57392de066f88c9ac888ad133b1006206bc'}}
Posting SUCCESS response to https://cloudformation-custom-resource-response-uswest2.s3-us-west-2.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-west-2%3A<<MyAccountID>>%3Astack/SC-<<MyAccountID>>-pp-spkckdpjc3mmk/64352560-1b11-11ea-a978-02b749140c52%7CMyTerraformStack%7Ce9f9f920-4d2b-4b66-b4ca-fce4ac306b60?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20191210T055333Z&X-Amz-SignedHeaders=host&X-Amz-Expires=7200&X-Amz-Credential=AKIA54RCMT6SAVTEM6XA%2F20191210%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Signature=31b97d9a634a137ec23206394437adc36c66f9bed668cfca869a66347b673865
Posting FAILED response to https://cloudformation-custom-resource-response-uswest2.s3-us-west-2.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-west-2%3A<<MyAccountID>>%3Astack/SC-<<MyAccountID>>-pp-spkckdpjc3mmk/64352560-1b11-11ea-a978-02b749140c52%7CMyTerraformStack%7Ce9f9f920-4d2b-4b66-b4ca-fce4ac306b60?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20191210T055333Z&X-Amz-SignedHeaders=host&X-Amz-Expires=7200&X-Amz-Credential=AKIA54RCMT6SAVTEM6XA%2F20191210%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Signature=31b97d9a634a137ec23206394437adc36c66f9bed668cfca869a66347b673865
Remove workspace
Curious about why it is trying to post on "cloudformation-custom-resource-response-uswest2.s3-us-west-2.amazonaws.com" bucket, since it is not in my account (or mentioned anywhere in code), and if at all this bucket is causing the error.
Moreover reason for two "SUCCESS" & "FAILED" response to that bucket
The TerraformResourceCreationRole created by the Terraform Spoke Principals stack is missing at least one permission to create the sample S3 Website stack.
Encountered error during fulfillment script execution - ClientError: An error occurred (AccessDeniedException) when calling the CreateGroup operation: User: arn:aws:sts::xxxx:assumed-role/TerraformResourceCreationRole/TerraformAssumeRoleSession-52905d76-bacb-430a-88e8-c5ab453cb834 is not authorized to perform: resource-groups:Tag on resource: arn:aws:resource-groups:us-east-2:xxxx:group/SC-275098837840-pp-lyk6a4tkd67no-MyTerraformStack-970a9f351a871af3fc62f31dd71dcd98875e5056416ef3ab78818ba78188b26c
I added the "resource-groups:Tag" permission manually, and was able to get it to get further along.
I was working off the master branch at commit fa01af1
Issue Description:
The first most section in the installation guide describing copying all the data from this repo to scterraform-[YOUR-ACCOUNT-ID] S3 bucket is missing a sub-section on setting up permissions for this bucket and its objects. Obviously, not a big deal to manage access on an S3 bucket, however, stack creation failures happening for customers on their first run experience is not the goal.
It would be good to add up a section mentioning "Manage Access of scterraform-[YOUR-ACCOUNT-ID] named S3 Bucket".
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.