search

aws-samples / aws-cudos-framework-deployment

Command Line Interface tool for Cloud Intelligence Dashboards deployment
https://catalog.workshops.aws/awscid
MIT No Attribution
400 stars 157 forks source link

Error deploying CUR(cur-aggregation.yaml) in Master (Payer) account. ap-southeast-2 #854

Closed kp2401075 closed 3 months ago

kp2401075 commented 3 months ago

we're facing unusual error deploying cur-aggregation.yaml template in region ap-southeast-2

Error occurs while creating CUR report.

Deployment worked 2 weeks back just fine.

image

I checked cloudwatch logs from custom lambda that deploys CUR

I also checked custom lambda cloudwatch Logs from 2 weeks back it looks identical except for the Validation Error and failure.

Here is error from it

    2024-06-24T00:43:04.762Z
{
    "RequestType": "Create",
    "ServiceToken": "arn:aws:lambda:ap-southeast-2:<Account-ID>:function:cid-CID-CURCreator",
    "ResponseURL": "https://cloudformation-custom-resource-response-apsoutheast2.s3-ap-southeast-2.amazonaws.com/<LONGURL>",
    "StackId": "arn:aws:cloudformation:ap-southeast-2:<Account-ID>::stack/CID-CUR-Replication/947d97d0-31c2-11ef-8dfa-065e04df0855",
    "RequestId": "d7bc1ac5-2e17-4123-9935-04886a3049fa",
    "LogicalResourceId": "CURinUSEAST1",
    "ResourceType": "Custom::CURCreator",
    "ResourceProperties": {
        "ServiceToken": "arn:aws:lambda:ap-southeast-2:<Account-ID>::function:cid-CID-CURCreator",
        "BucketPolicyWait": "cid-<Account-ID>:-local",
        "ReportDefinition": {
            "AdditionalArtifacts": [
                "ATHENA"
            ],
            "Compression": "Parquet",
            "ReportName": "cid",
            "Format": "Parquet",
            "RefreshClosedReports": "true",
            "S3Bucket": "cid-<Account-ID>:-local",
            "ReportVersioning": "OVERWRITE_REPORT",
            "S3Region": "ap-southeast-2",
            "TimeUnit": "HOURLY",
            "S3Prefix": "cur/<Account-ID>:",
            "AdditionalSchemaElements": [
                "RESOURCES"
            ]
        }
    }
}
    2024-06-24T02:06:24.181Z
An error occurred (ValidationException) when calling the PutReportDefinition operation: 
An error occurred (ValidationException) when calling the PutReportDefinition operation:
    2024-06-24T02:06:24.181Z
FAILURE
FAILURE
    2024-06-24T02:06:24.181Z
https://cloudformation-custom-resource-response-apsoutheast2.s3-ap-southeast-2.amazonaws.com/<Long URL>
    2024-06-24T02:06:24.181Z
Response body:
Response body:
    2024-06-24T02:06:24.181Z
{
    "Status": "FAILED",
    "Reason": "See the details in CloudWatch Log Stream: 2024/06/24/[$LATEST]7a8559e3985f46e9be4a9ac3cc460436",
    "PhysicalResourceId": "cid",
    "StackId": "arn:aws:cloudformation:ap-southeast-2:<Account-ID>:stack/CID-CUR-Replication/38759a30-31ce-11ef-87fb-0aca3664afab",
    "RequestId": "c4e72774-42e1-4541-a482-32ee67edf264",
    "LogicalResourceId": "CURinUSEAST1",
    "NoEcho": false,
    "Data": {
        "Data": "An error occurred (ValidationException) when calling the PutReportDefinition operation: "
    }
}
kp2401075 commented 3 months ago

Update: Had a chat with aws support regarding this,

They got me to deploy the stack without condition in SourceS3BucketPolicy.

Like this

  SourceS3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Condition: IsSourceAccount
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      Bucket: !Ref SourceS3
      PolicyDocument:
        Id: CrossAccessPolicy
        Version: "2012-10-17"
        Statement:
          - Sid: AllowTLS12Only
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3}'
              - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3}/*'
            Condition:
              NumericLessThan:
                s3:TlsVersion: 1.2
          - Sid: AllowOnlyHTTPS
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3}'
              - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3}/*'
            Condition:
              Bool:
                aws:SecureTransport: false
          - Sid: AllowReadBilling
            Effect: Allow
            Principal:
              Service: billingreports.amazonaws.com
            Action:
              - s3:GetBucketAcl
              - s3:GetBucketPolicy
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3}'
              - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3}/*'
          - Sid: AllowWriteBilling
            Effect: Allow
            Principal:
              Service: billingreports.amazonaws.com
            Action:
              - s3:PutObject
            Resource:
              - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3}/*'

So may be the conditions introduced in this commit is causing the failure. Or it may be something else.

But I was able to deploy without the conditions.

iakov-aws commented 3 months ago

Thanks for reporting this. Fixing in this PR https://github.com/aws-samples/aws-cudos-framework-deployment/pull/857

iakov-aws commented 3 months ago

Fixed. Please retry