aws-samples / aws-admartech-samples

Samples and documentation for various advertising and marketing use cases on AWS.
MIT No Attribution

AddIamRoleToNeptuneStack Timeout #4

Closed cpnetdev closed 3 years ago

cpnetdev commented 3 years ago

I'm trying to deploy the CloudFormation script using the AWS CloudFormation dashboard found at the links in this repo. My AWS account is in US East 2, and I'm clicking the corresponding link (https://us-east-2.console.aws.amazon.com/cloudformation/home?region=us-east-2#/stacks/create/review?templateURL=https://s3.amazonaws.com/aws-admartech-samples-us-east-2/identity-resolution/templates/identity-resolution.yml&stackName=Identity-Graph-Sample).

I've tried several times, but it always fails and rolls back with a timeout error at the AddIamRoleToNeptuneStack step. When I dig into the logs, I see the following error:

[ERROR] DBClusterRoleAlreadyExistsFault: An error occurred (DBClusterRoleAlreadyExists) when calling the AddRoleToDBCluster operation: Role ARN arn:aws:iam::087756882422:role/Identity-Graph-Sample-Neptun-NeptuneLoadFromS3Role-Z2KDEBED48SM is already associated with DB Cluster: neptunedbcluster-a1epw1ieprh8. Verify your role ARN and try again.
Traceback (most recent call last):
  File "/var/task/index.py", line 18, in handler
    addIamRole(dbClusterId, iamRoleArn)
  File "/var/task/index.py", line 37, in addIamRole
    RoleArn=iamRoleArn
  File "/var/runtime/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 676, in _make_api_call
    raise error_class(parsed_response, operation_name)

I just started using Terraform, and don't have any experience with CloudFormation. I'm also pretty green when it comes to IAM, VPCs, etc. However, when I check our IAM roles, I see no role with Neptune or Graph in the name, so I assume this conflicting role only exists temporarily while CloudFormation is running, or it exists in someone else's account? I believe I have permissions to see all of the roles in our AWS account. Thanks for any help!

triggan commented 3 years ago

Thanks for this. It appears there was an update to the Neptune Base Stack. The ability to associate a role for bulk loading was added as a native parameter for the Neptune cluster resource in CloudFormation. With that, a change was pushed to associate the role with the native parameter. This then broke the custom CloudFormation resource that was part of this stack for doing that same function. I'm removing the custom CloudFormation resource from the root stack and will be pushing an update here soon.
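An added example, not code from this repository or from either commenter: a Lambda-backed custom resource handler that treats the `DBClusterRoleAlreadyExists` error code from the log above as success and always reports a result to CloudFormation, so an unhandled exception fails the resource with a reason instead of leaving the stack waiting until it times out. The property names `DBClusterId` and `IamRoleArn` and the injectable `neptune` and `respond` parameters are assumptions made for illustration.

```python
import json
import urllib.request

ALREADY_ASSOCIATED = "DBClusterRoleAlreadyExists"  # error code seen in the log above


def add_iam_role(neptune, db_cluster_id, iam_role_arn):
    """Associate the role; 'already associated' counts as success (idempotent)."""
    try:
        neptune.add_role_to_db_cluster(
            DBClusterIdentifier=db_cluster_id, RoleArn=iam_role_arn)
        return "ASSOCIATED"
    except Exception as err:
        # botocore's ClientError carries the service error code in err.response
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code == ALREADY_ASSOCIATED:
            return "ALREADY_ASSOCIATED"
        raise


def send_response(event, context, status, reason):
    """PUT the outcome to the pre-signed URL CloudFormation is waiting on."""
    body = json.dumps({
        "Status": status, "Reason": reason,
        "PhysicalResourceId": event.get("PhysicalResourceId",
                                        context.log_stream_name),
        "StackId": event["StackId"], "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
    }).encode()
    req = urllib.request.Request(event["ResponseURL"], data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req, timeout=10)


def handler(event, context, neptune=None, respond=send_response):
    status, reason = "SUCCESS", "ok"
    try:
        # Delete is acknowledged without changes to keep this example short.
        if event["RequestType"] in ("Create", "Update"):
            if neptune is None:
                import boto3  # available in the Lambda Python runtime
                neptune = boto3.client("neptune")
            props = event["ResourceProperties"]  # hypothetical property names
            reason = add_iam_role(neptune, props["DBClusterId"],
                                  props["IamRoleArn"])
    except Exception as err:
        status, reason = "FAILED", f"{type(err).__name__}: {err}"
    respond(event, context, status, reason)  # sent on every path, even on error
    return status
```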

cpnetdev commented 3 years ago

I just tried deploying the stack again, and it worked! I was also able to delete the stack. I'm hoping to find some time to redeploy this and play with it on the weekend. ... Thanks!