aws-quickstart / quickstart-microsoft-pki

AWS Quick Start Team
Apache License 2.0

CREATE FAILED: Access to KMS is not allowed #62

Open galigula2 opened 1 year ago

galigula2 commented 1 year ago

I'm trying to deploy a single-tier deployment to an existing VPC by embedding this template into a CloudFormation template that I'm using.

I have created the AdministratorSecret in Secrets Manager and I'm using a CMK to encrypt the key. I haven't seen it anywhere in https://aws-quickstart.github.io/quickstart-microsoft-pki/ that this wouldn't be allowed, so I assume that it should work even if not using the default encryption key.

But when I try to create the stack I get "Received FAILURE signal with UniqueId i-xxxxxxxx", and when checking in CloudWatch I find an error saying: "Getting (SecretArn) Failed to get (SecretArn) Secret Access to KMS is not allowed"

How should this work? The stack deployment stops at the failure but the instances are still running, so selecting "Retry" in the "Stack rollback paused" notification after adding the role to the key users might work, but it seems a very clunky way of handling this.

I say "might work" since it seems that the update cannot be re-started anymore because I get "Nested stack [CREATE_FAILED] has disable-rollback option and cannot be updated directly. Please perform update from root stack with disable-rollback parameter or perform rollback-stack operation from root stack."
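The error quoted in the issue is what an EC2 instance role sees when it calls Secrets Manager for a secret encrypted with a customer managed KMS key that the role is not allowed to use: Secrets Manager calls kms:Decrypt on the caller's behalf, and the key policy must permit that. The following is an added example and is not code from the Quick Start or from the issue author. It builds the key policy statement that grants the instance role decrypt access only when Secrets Manager is the calling service, and it includes a deliberately simplified local checker that shows why the default key policy (which only delegates to the account root) does not satisfy that call. The account ID, role name and region are constructed placeholders; the checker models only the `kms:ViaService` condition and treats any other condition as a non-match, which is conservative for Allow statements but not for Deny statements, and it ignores IAM identity policies and KMS grants entirely.

```python
"""
Key policy check for "Access to KMS is not allowed" when an instance role reads
a Secrets Manager secret encrypted with a customer managed KMS key.

Added example, not part of the Quick Start. ARNs and region are assumptions.
The evaluator is a simplification of IAM evaluation: it models principal,
action, Effect and the kms:ViaService condition only.
"""
import copy
from fnmatch import fnmatch

REGION = "eu-west-1"                                            # assumption
ROLE_ARN = "arn:aws:iam::111122223333:role/pki-instance-role"   # constructed
ACCOUNT_ROOT = "arn:aws:iam::111122223333:root"                 # constructed

# Shape of the default key policy AWS creates for a CMK: it delegates to IAM
# identity policies via the account root and names no specific role.
DEFAULT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": ACCOUNT_ROOT},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}


def secrets_manager_via_service(region: str) -> str:
    """Value Secrets Manager presents in the kms:ViaService condition key."""
    return f"secretsmanager.{region}.amazonaws.com"


def key_user_statement(role_arn: str, region: str) -> dict:
    """Statement letting one role decrypt with this key, but only through
    Secrets Manager in one region, so the role cannot use the key directly."""
    return {
        "Sid": "AllowSecretsManagerDecryptForInstanceRole",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {
            "StringEquals": {"kms:ViaService": secrets_manager_via_service(region)}
        },
    }


def add_key_user(key_policy: dict, role_arn: str, region: str) -> dict:
    """Return a copy of the policy with the key user statement added once."""
    new_policy = copy.deepcopy(key_policy)
    stmt = key_user_statement(role_arn, region)
    statements = new_policy.setdefault("Statement", [])
    if not any(s.get("Sid") == stmt["Sid"] for s in statements):
        statements.append(stmt)
    return new_policy


def _as_list(value):
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt: dict, principal_arn: str) -> bool:
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = _as_list(principal.get("AWS"))
        return "*" in aws or principal_arn in aws
    return False


def _action_matches(stmt: dict, action: str) -> bool:
    patterns = _as_list(stmt.get("Action"))
    return any(fnmatch(action.lower(), pat.lower()) for pat in patterns)


def _condition_matches(stmt: dict, via_service: str) -> bool:
    """Only StringEquals on kms:ViaService is modelled; any other condition
    makes the statement a non-match (see the caveat in the module docstring)."""
    for operator, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            if operator == "StringEquals" and key == "kms:ViaService":
                if via_service not in _as_list(values):
                    return False
            else:
                return False
    return True


def can_decrypt_via_secrets_manager(key_policy: dict, principal_arn: str, region: str) -> bool:
    """True if the key policy alone lets principal_arn call kms:Decrypt when
    Secrets Manager in `region` is the calling service. Explicit Deny wins."""
    via = secrets_manager_via_service(region)
    allowed = False
    for stmt in key_policy.get("Statement", []):
        if not (_principal_matches(stmt, principal_arn)
                and _action_matches(stmt, "kms:Decrypt")
                and _condition_matches(stmt, via)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    print("before:", can_decrypt_via_secrets_manager(DEFAULT_KEY_POLICY, ROLE_ARN, REGION))
    fixed = add_key_user(DEFAULT_KEY_POLICY, ROLE_ARN, REGION)
    print("after: ", can_decrypt_via_secrets_manager(fixed, ROLE_ARN, REGION))
```

The console's "key users" setting produces a similar Allow statement for the role without the `kms:ViaService` condition; adding the condition keeps the grant scoped to Secrets Manager calls. Because the account-root statement in the default policy only hands evaluation over to IAM identity policies, an alternative to editing the key policy is attaching `kms:Decrypt` on that key to the instance role's own IAM policy, which this checker does not model. Either way the permission has to exist before the instance's bootstrap script runs, which is why a "Retry" after the fact is the only recovery path once the signal has already failed.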