Steps to reproduce the behavior:

1. Deploy the stack to a region that does not support standard log delivery by CloudFront
2. Observe the following CloudFormation error

```
❌ BedrockChatBotStack-c2719xmh failed: Error: The stack named BedrockChatBotStack-c2719xmh failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Access denied for operation 'AWS::CloudFront::Distribution: You don't have permission to access the S3 bucket for CloudFront logs: bedrockchatbotstack-c2719x-accesslogbucketda470295-35p4yqu2eafi.s3.eu-south-1.amazonaws.com If you're using IAM, you need s3:GetBucketAcl and s3:PutBucketAcl permissions to create a distribution or to update log settings for an existing distribution. In addition, the S3 ACL for the bucket must grant you FULL_CONTROL. (Service: CloudFront, Status Code: 403, Request ID: ***)'." (RequestToken: ***, HandlerErrorCode: AccessDenied)
    at FullCloudFormationDeployment.monitorDeployment (/usr/local/npm/lib/node_modules/aws-cdk/lib/index.js:427:10615)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Object.deployStack2 [as deployStack] (/usr/local/npm/lib/node_modules/aws-cdk/lib/index.js:430:198662)
    at async /usr/local/npm/lib/node_modules/aws-cdk/lib/index.js:430:180258
❌ Deployment failed: Error: The stack named BedrockChatBotStack-c2719xmh failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Access denied for operation 'AWS::CloudFront::Distribution: You don't have permission to access the S3 bucket for CloudFront logs: bedrockchatbotstack-c2719x-accesslogbucketda470295-35p4yqu2eafi.s3.eu-south-1.amazonaws.com If you're using IAM, you need s3:GetBucketAcl and s3:PutBucketAcl permissions to create a distribution or to update log settings for an existing distribution. In addition, the S3 ACL for the bucket must grant you FULL_CONTROL. (Service: CloudFront, Status Code: 403, Request ID: )'." (RequestToken: , HandlerErrorCode: AccessDenied)
    at FullCloudFormationDeployment.monitorDeployment (/usr/local/npm/lib/node_modules/aws-cdk/lib/index.js:427:10615)
    at runMicrotasks ()
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Object.deployStack2 [as deployStack] (/usr/local/npm/lib/node_modules/aws-cdk/lib/index.js:430:198662)
    at async /usr/local/npm/lib/node_modules/aws-cdk/lib/index.js:430:180258
The stack named BedrockChatBotStack-c2719xmh failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Access denied for operation 'AWS::CloudFront::Distribution: You don't have permission to access the S3 bucket for CloudFront logs: bedrockchatbotstack-c2719x-accesslogbucketda470295-35p4yqu2eafi.s3.eu-south-1.amazonaws.com If you're using IAM, you need s3:GetBucketAcl and s3:PutBucketAcl permissions to create a distribution or to update log settings for an existing distribution. In addition, the S3 ACL for the bucket must grant you FULL_CONTROL. (Service: CloudFront, Status Code: 403, Request ID: )'." (RequestToken: , HandlerErrorCode: AccessDenied)
::set-output name=ACTION_RUN_SUMMARY::[{text:CDK_DEPLOY_COMMAND_ERROR,level:Error,message:"The AWS CDK deploy action failed to perform one or more commands. Check the action logs for more information."}]
Error: The AWS CDK deploy action failed to perform one or more commands. Check the action logs for more information.
[Container] 2024/04/20 11:30:58.690445 Command failed with exit status 1
[Container] 2024/04/20 11:30:58.690490 Failed to run action due to exit status 1
```

3. Attempting to clean up the resource then returns

```
[Container] 2024/04/20 11:53:05.153277 Running command aws s3 cp ./updated-template-$stack_name.json s3://$cfn_template_upload_bucket/updated-template-$stack_name.json
upload failed: ./updated-template-BedrockChatBotStack-c2719xmh.json to s3://tmp-cleanup-workflow-sg2qbmbj8grwjuyjiy6vdnn3j79zxlmx/updated-template-BedrockChatBotStack-c2719xmh.json An error occurred (IllegalLocationConstraintException) when calling the PutObject operation: The eu-south-1 location constraint is incompatible for the region specific endpoint this request was sent to.
[Container] 2024/04/20 11:53:05.732005 Command failed with exit status 1
```
Describe the bug
CloudFront does not support standard log delivery in all regions: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3-bucket
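For triaging a deploy log like the one in this report, the following added example (not part of the issue or of the project's code) pulls the bucket and Region out of both error messages and separates the unsupported-Region case from an ordinary ACL or IAM denial. The names `triageDeployLog`, `uniqueMatches` and `NO_STANDARD_LOGS` are hypothetical, the Region list is an assumed snapshot of the linked AWS page, and the sample log is constructed with placeholder bucket names.

```typescript
// Assumption: snapshot of the Regions the linked AWS page lists as unsupported
// for CloudFront standard logging; refresh it from that page before relying on it.
const NO_STANDARD_LOGS: string[] = [
  "af-south-1", "ap-east-1", "ap-south-2", "ap-southeast-3", "ap-southeast-4",
  "ca-west-1", "eu-central-2", "eu-south-1", "eu-south-2", "il-central-1",
  "me-central-1", "me-south-1",
];

type Finding = { cause: string; region: string; bucket: string };

// CDK prints the same CloudFormation error several times per run, so keep
// only the first occurrence of each distinct match.
function uniqueMatches(re: RegExp, text: string): RegExpExecArray[] {
  const out: RegExpExecArray[] = [];
  const seen: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) {
    if (seen.indexOf(m[0]) === -1) { seen.push(m[0]); out.push(m); }
  }
  return out;
}

function triageDeployLog(log: string): Finding[] {
  const findings: Finding[] = [];
  // CloudFront names the log bucket by regional hostname: <bucket>.s3.<region>.amazonaws.com
  const cf = /S3 bucket for CloudFront logs: ([a-z0-9.-]+?)\.s3\.([a-z0-9-]+)\.amazonaws\.com/g;
  for (const m of uniqueMatches(cf, log)) {
    // Outside the listed Regions the same 403 points at bucket ACLs or IAM instead.
    const cause = NO_STANDARD_LOGS.indexOf(m[2]) !== -1
      ? "cloudfront-logging-unsupported-region" : "log-bucket-acl-or-iam";
    findings.push({ cause, region: m[2], bucket: m[1] });
  }
  // The S3 error names the Region whose constraint did not match the endpoint used.
  const s3 = /s3:\/\/([a-z0-9.-]+)\/\S+ An error occurred \(IllegalLocationConstraintException\)[^\n]*?The ([a-z0-9-]+) location constraint/g;
  for (const m of uniqueMatches(s3, log)) {
    findings.push({ cause: "s3-endpoint-region-mismatch", region: m[2], bucket: m[1] });
  }
  return findings;
}

// Constructed sample input (placeholder bucket and file names), shaped like the log above.
const DENIED = "Access denied for operation 'AWS::CloudFront::Distribution: You don't have permission to access the S3 bucket for CloudFront logs: example-access-logs.s3.eu-south-1.amazonaws.com If you're using IAM, you need s3:GetBucketAcl and s3:PutBucketAcl permissions";
const UPLOAD = "upload failed: ./t.json to s3://example-cleanup-bucket/t.json An error occurred (IllegalLocationConstraintException) when calling the PutObject operation: The eu-south-1 location constraint is incompatible for the region specific endpoint this request was sent to.";
const SAMPLE_LOG = [DENIED, DENIED, UPLOAD].join("\n");

console.log(triageDeployLog(SAMPLE_LOG));
```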