aws-solutions / cognito-user-profiles-export-reference-architecture

A reference architecture for exporting user profiles, group details, and group memberships from an Amazon Cognito User Pool to an Amazon DynamoDB global table using AWS Step Functions and AWS Lambda.
https://aws.amazon.com/solutions/implementations/cognito-user-profiles-export-reference-architecture/
Apache License 2.0
52 stars 19 forks

Issue with CF template? Status checker appears to look for SSM param fixed-solution-parameters before it exists #1

Closed davidyilee closed 3 years ago

davidyilee commented 3 years ago

When attempting to deploy the CF template hosted at: https://solutions-reference.s3.amazonaws.com/cognito-user-profiles-export-reference-architecture/latest/cognito-user-profiles-export-reference-architecture.template

Stack creation fails with:

ERROR   AccessDeniedException: No access to reserved parameter name: {stackname}/fixed-solution-parameters.
  at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:51:27)    
  at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)    
  at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)    
  at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)    
  at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)    
  at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)    
  at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10    
  at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)    
  at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)    
  at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)

The SSM parameter fixed-solution-parameters does not appear to exist in either CF resources or as an actual SSM param. I do see that the parameter should be created by: https://github.com/awslabs/cognito-user-profiles-export-reference-architecture/blob/a75b22afdaaab59ce47ec02b7aec06eeb53759f9/source/custom-resources/stack-checker.js#L38. Perhaps it isn't getting called in time?

ericquinones commented 3 years ago

Thanks for reporting this. To help troubleshoot, can you please let us know:

A fix could be to add DependsOn: StackCheckerCustomResource to the StackSetManagerCustomResource resource but we'd like to be able to reproduce before confirming.

davidyilee commented 3 years ago
ericquinones commented 3 years ago

Apologies but I wasn't able to reproduce this yet.

The error seems to indicate that the Lambda function backing StackCheckerCustomResource does not have the permission to create the SSM parameter with that name. Given that the parameter name includes the Stack Name & region, do you have the same result if you launch the template with a different stack name? If you're able to share the Stack Name you're using, I can try with that name on my side.

Another thing to check: if you are able to access the StackSetManagerCustomResourceLambdaRole before CloudFormation removes it in the rollback, can you please verify that the resource in its SSMParametersPolicy (link) matches the name of the parameter you see in the error message?
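
The check suggested in the last comment, comparing the resource in the role's SSM policy with the parameter name from the error message, can be done offline once the policy JSON has been saved. The following is an added example, not part of the thread or of the project's code; the account ID, stack names, and policy document are constructed, and the function names are hypothetical.

```javascript
// Added example; the account ID, stack names and policy are constructed.
// Scope: identity-policy Allow/Deny statements with Action and Resource only
// (NotAction, NotResource and Condition are not evaluated).

// ARN that IAM evaluates for a parameter. The leading "/" of a hierarchical
// name is not doubled: "/a/b" becomes "...:parameter/a/b".
function parameterArn(region, accountId, name, partition = 'aws') {
  const path = name.startsWith('/') ? name.slice(1) : name;
  return `arn:${partition}:ssm:${region}:${accountId}:parameter/${path}`;
}

// IAM wildcard match: "*" is any run of characters, "?" exactly one.
function iamMatch(pattern, value, ignoreCase = false) {
  const rx = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${rx}$`, ignoreCase ? 'i' : '').test(value);
}

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Reports whether the policy allows `action` on `arn`, plus the Allow
// resources that cover the action but not this ARN (the usual mismatch).
function checkPolicy(policyDoc, action, arn) {
  const matched = [];
  const nearMisses = [];
  let denied = false;
  for (const st of asArray(policyDoc.Statement)) {
    if (!asArray(st.Action).some((a) => iamMatch(a, action, true))) continue;
    for (const r of asArray(st.Resource)) {
      const hit = iamMatch(r, arn);
      if (st.Effect === 'Deny' && hit) denied = true;
      if (st.Effect === 'Allow') (hit ? matched : nearMisses).push(r);
    }
  }
  return { allowed: matched.length > 0 && !denied, matched, nearMisses };
}

const SAMPLE_POLICY = { // constructed, shaped like an inline role policy
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['ssm:GetParameter', 'ssm:PutParameter'],
    Resource: 'arn:aws:ssm:us-east-1:111122223333:parameter/example-stack-us-east-1/*',
  }],
};

for (const name of ['/example-stack-us-east-1/fixed-solution-parameters',
  '/other-stack-us-east-1/fixed-solution-parameters']) {
  const arn = parameterArn('us-east-1', '111122223333', name);
  console.log(name, checkPolicy(SAMPLE_POLICY, 'ssm:PutParameter', arn));
}
```

A non-empty `nearMisses` with `allowed: false` means the role was granted the action, but on a different parameter path than the one in the error.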