CloudFormation deployment failure: The following resource(s) failed to create: [createNetworks].

[chrisammon3000]

Description

• Following the Quickstart guide: https://aws-quickstart.github.io/quickstart-databricks-unified-data-analytics-platform/#_launch_the_quick_start
• Attempting to deply this stack: https://aws-quickstart.s3.amazonaws.com/quickstart-databricks-unified-data-analytics-platform/templates/databricks-multi-workspace.template.yaml

CloudFormation stack creation fails with the message:

Received response status [FAILED] from custom resource. Message returned: Forbidden InputData: {'network_name': 'dev-databricks-9668-network', 'vpc_id': 'vpc-094b482c5c4bf52bd', 'subnet_ids': ['subnet-04c98b052d41a2249', 'subnet-0f6d6e9afdba32681', 'subnet-036c58df910957595'], 'security_group_ids': ['sg-02a6921bca796f478']} (RequestId: 5aa94534-8294-4621-ab55-6be142dec5d6)

CloudFormation Parameters	Key	Value
AccountId	**
BucketName	databricks-workspace-root-XXXXXXXX
DeploymentName	dev-databricks-XXXX
ExistingDataBucketName	-
HIPAAparm	No
IAMRole	DatabricksWorkspaceXXXXCrossAccountRole
KeyAlias	-
KeyArn	-
KeyReuseForClusterVolumes	-
KeyUseCases	-
Password	****
PrivateLinkMode	Disabled
PrivateLinkSubnetIds	-
QSS3BucketName	aws-quickstart
QSS3KeyPrefix	quickstart-databricks-unified-data-analytics-platform/
SecurityGroupIDs	-
SubnetIDs	-
TagValue	databricks-quickstart-cloud-formation
Username	*****@gmail.com
VPCID	-

What I've tried

• Confirmed Databricks AccountId is correct
• Confirmed email and password are correct

Background

Before deploying this stack in us-east-1 I was able to deploy it in us-west-2 and recently deleted it there. The stack fails at the same resource each time with the above message (Forbidden InputData):

# https://github.com/aws-quickstart/quickstart-databricks-unified-data-analytics-platform/blob/main/templates/databricks-multi-workspace.template.yaml
# Databricks API for network configuration
  createNetworks:
    Type: Custom::createNetworks
    DependsOn: WaitForVpc
    Properties:
      ServiceToken: !GetAtt databricksApiFunction.Arn
      action: CREATE_NETWORKS
      accountId: !Ref AccountId
      username: !Ref Username
      password: !Ref Password
      network_name: !If [IsDeploymentNameSet, !Sub '${DeploymentName}-network', !Sub '${AWS::StackName}-network']
      vpc_id: !If [CreateDBManagedVPC, !Ref DBSVpc, !Ref VPCID]
      subnet_ids: !If
        - CreateDBManagedVPC
        - !If
          - IsThirdAvailabilityZoneSupported
          - !Sub ${DBSClusterSubnet1}, ${DBSClusterSubnet2}, ${DBSClusterSubnet3}
          - !Sub ${DBSClusterSubnet1}, ${DBSClusterSubnet2}
        - !Ref SubnetIDs
      security_group_ids: !If [CreateDBManagedVPC, !Ref DBSWorkspaceSecurityGroup, !Ref SecurityGroupIDs]
      relay_access_endpoint_id: !If [IsPrivateLinkEnabled, !Ref BackendVpcEnpoint, !Ref AWS::NoValue]
      rest_access_endpoint_id: !If [IsPrivateLinkEnabled, !Ref WorkspaceVpcEnpoint, !Ref AWS::NoValue]
      user_agent: databricks-CloudFormation-provider