aws-samples / aws-saas-factory-ref-solution-serverless-saas

MIT No Attribution

CloudFormation stack serverless-saas-LambdaFunctions not successfully created: The following resource(s) failed to create: [AuthorizerExecutionRole] #20

Closed chalcrow closed 2 years ago

chalcrow commented 2 years ago

During initial deployment of the solution using /aws-saas-factory-ref-solution-serverless-saas/deployment.sh within Cloud9, the step that creates the initial serverless-saas CloudFormation stack (for shared tenancy resources used by the basic plan) is failing with the following error:

ResourceStatus CREATE_FAILED

ResourceType AWS::CloudFormation::Stack

LogicalResourceId LambdaFunctions

ResourceStatusReason Embedded stack arn:aws:cloudformation:ap-southeast-1:123456789012:stack/serverless-saas-LambdaFunctions-[...myId...] was not successfully created: The following resource(s) failed to create: [AuthorizerExecutionRole].

ujwalbukka commented 2 years ago

@chalcrow can you please provide the error message under the status reason under Events in CloudFormation? I did a quick dry run in ap-southeast-1 and it deployed successfully.

chalcrow commented 2 years ago

Hi @ujwalbukka, in CloudFormation it's the same as I already provided in the initial issue description above:

Logical ID LambdaFunctions

Status CREATE_FAILED

Status reason Embedded stack arn:aws:cloudformation:ap-southeast-1:123456789012:stack/serverless-saas-LambdaFunctions-[...myId...] was not successfully created: The following resource(s) failed to create: [AuthorizerExecutionRole].

chalcrow commented 2 years ago

@ujwalbukka I suspect that I may be getting this error as I have previously deployed the reference solution successfully to a first region (ap-southeast-2), and now I'm trying to deploy to a second region (ap-southeast-1) within the same account. An IAM resource already exists for AuthorizerExecutionRole in the account (for the first deployment), and it appears to exist as a global resource. Is there a way to deploy successfully to a 2nd region in the same account?

ujwalbukka commented 2 years ago

@chalcrow In this case you need to make the AuthorizerExecutionRole name unique per region. One way to resolve this is to append the region name to the role name. Remember you might need to do the same thing for all the resources which fall into this category.
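The check suggested in the comment above, as an added example that is not part of the original thread or the project's code: it scans a CloudFormation template for IAM resources whose explicit names do not include the region, which are the ones that collide on a second-region deployment in the same account. It assumes the template is in JSON form; the sample template, the role names and every logical ID except AuthorizerExecutionRole are constructed for illustration.

```python
import json

# Explicitly named IAM resources are account-wide, not per-region.
GLOBAL_NAME_PROPS = {
    "AWS::IAM::Role": "RoleName",
    "AWS::IAM::ManagedPolicy": "ManagedPolicyName",
    "AWS::IAM::InstanceProfile": "InstanceProfileName",
}

def mentions_region(value, in_sub=False):
    """True if a name expression resolves the AWS::Region pseudo parameter."""
    if isinstance(value, str):
        # "${AWS::Region}" is only substituted inside Fn::Sub
        return in_sub and "${AWS::Region}" in value
    if isinstance(value, dict):
        if value.get("Ref") == "AWS::Region":
            return True
        return any(mentions_region(v, in_sub or k == "Fn::Sub") for k, v in value.items())
    if isinstance(value, list):
        return any(mentions_region(v, in_sub) for v in value)
    return False

def find_region_collisions(template):
    """Return (logical id, property, name) for IAM names that ignore the region."""
    findings = []
    for logical_id, res in sorted(template.get("Resources", {}).items()):
        prop = GLOBAL_NAME_PROPS.get(res.get("Type"))
        name = res.get("Properties", {}).get(prop) if prop else None
        # No explicit name means CloudFormation generates a unique one: safe.
        if name is not None and not mentions_region(name):
            findings.append((logical_id, prop, name))
    return findings

# Constructed sample template; role names and all logical IDs except
# AuthorizerExecutionRole are hypothetical.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "AuthorizerExecutionRole": {"Type": "AWS::IAM::Role",
    "Properties": {"RoleName": "authorizer-execution-role"}},
  "TenantAdminRole": {"Type": "AWS::IAM::Role",
    "Properties": {"RoleName": {"Fn::Sub": "tenant-admin-role-${AWS::Region}"}}},
  "UnnamedRole": {"Type": "AWS::IAM::Role", "Properties": {}},
  "SharedPolicy": {"Type": "AWS::IAM::ManagedPolicy",
    "Properties": {"ManagedPolicyName": {"Fn::Join": ["-", ["shared", {"Ref": "Stage"}]]}}},
  "AuthorizerFunction": {"Type": "AWS::Lambda::Function",
    "Properties": {"FunctionName": "authorizer"}}
}}
""")

if __name__ == "__main__":
    for logical_id, prop, name in find_region_collisions(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {prop}={json.dumps(name)} is not region-qualified")
```

A name built from a template parameter is reported as well, since whether it is unique per region then depends on the value passed in at deploy time.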

ujwalbukka commented 2 years ago

Closing this issue. Please reopen if you still have any issues/questions.