aws / codecatalyst-blueprints

Apache License 2.0

GenAI Chatbot doesn't work in some regions #541

Closed emanuelr93 closed 2 months ago

emanuelr93 commented 2 months ago

Describe the bug

The installation of the gen-ai-chatbot blueprint fails when you select a region that does not support log delivery for CloudFront, as reported here. There are also some issues during cleanup of the resources.

Steps to reproduce

  1. Install the CodeCatalyst blueprint, selecting one of the regions that doesn't support CloudFront bucket log delivery, as reported there:
  2. During the execution, you will get this error:
❌  BedrockChatBotStack-c2719xmh failed: Error: The stack named BedrockChatBotStack-c2719xmh failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Access denied for operation 'AWS::CloudFront::Distribution: You don't have permission to access the S3 bucket for CloudFront logs: bedrockchatbotstack-c2719x-accesslogbucketda470295-35p4yqu2eafi.s3.eu-south-1.amazonaws.com If you're using IAM, you need s3:GetBucketAcl and s3:PutBucketAcl permissions to create a distribution or to update log settings for an existing distribution. In addition, the S3 ACL for the bucket must grant you FULL_CONTROL. (Service: CloudFront, Status Code: 403, Request ID: 2ef8f1e1-9360-4136-9a71-ec54340ad1a6)'." (RequestToken: 52fbca04-83fb-cfba-5e07-3334a47a74d5, HandlerErrorCode: AccessDenied)
at FullCloudFormationDeployment.monitorDeployment (/usr/local/npm/lib/node_modules/aws-cdk/lib/index.js:427:10615)
at runMicrotasks (<anonymous>)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async Object.deployStack2 [as deployStack] (/usr/local/npm/lib/node_modules/aws-cdk/lib/index.js:430:198662)
at async /usr/local/npm/lib/node_modules/aws-cdk/lib/index.js:430:180258

❌ Deployment failed: Error: The stack named BedrockChatBotStack-c2719xmh failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Access denied for operation 'AWS::CloudFront::Distribution: You don't have permission to access the S3 bucket for CloudFront logs: bedrockchatbotstack-c2719x-accesslogbucketda470295-35p4yqu2eafi.s3.eu-south-1.amazonaws.com If you're using IAM, you need s3:GetBucketAcl and s3:PutBucketAcl permissions to create a distribution or to update log settings for an existing distribution. In addition, the S3 ACL for the bucket must grant you FULL_CONTROL. (Service: CloudFront, Status Code: 403, Request ID: 2ef8f1e1-9360-4136-9a71-ec54340ad1a6)'." (RequestToken: 52fbca04-83fb-cfba-5e07-3334a47a74d5, HandlerErrorCode: AccessDenied)
at FullCloudFormationDeployment.monitorDeployment (/usr/local/npm/lib/node_modules/aws-cdk/lib/index.js:427:10615)
at runMicrotasks (<anonymous>)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async Object.deployStack2 [as deployStack] (/usr/local/npm/lib/node_modules/aws-cdk/lib/index.js:430:198662)
at async /usr/local/npm/lib/node_modules/aws-cdk/lib/index.js:430:180258
The stack named BedrockChatBotStack-c2719xmh failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Access denied for operation 'AWS::CloudFront::Distribution: You don't have permission to access the S3 bucket for CloudFront logs: bedrockchatbotstack-c2719x-accesslogbucketda470295-35p4yqu2eafi.s3.eu-south-1.amazonaws.com If you're using IAM, you need s3:GetBucketAcl and s3:PutBucketAcl permissions to create a distribution or to update log settings for an existing distribution. In addition, the S3 ACL for the bucket must grant you FULL_CONTROL. (Service: CloudFront, Status Code: 403, Request ID: 2ef8f1e1-9360-4136-9a71-ec54340ad1a6)'." (RequestToken: 52fbca04-83fb-cfba-5e07-3334a47a74d5, HandlerErrorCode: AccessDenied)

::set-output name=ACTION_RUN_SUMMARY::[{text:CDK_DEPLOY_COMMAND_ERROR,level:Error,message:"The AWS CDK deploy action failed to perform one or more commands. Check the action logs for more information."}]
Error: The AWS CDK deploy action failed to perform one or more commands. Check the action logs for more information.

[Container] 2024/04/20 11:30:58.690445 Command failed with exit status 1
[Container] 2024/04/20 11:30:58.690490 Failed to run action due to exit status 1
  3. If you try to clean up the resources, a new error is raised:
[Container] 2024/04/20 11:53:05.153277 Running command aws s3 cp ./updated-template-$stack_name.json s3://$cfn_template_upload_bucket/updated-template-$stack_name.json
upload failed: ./updated-template-BedrockChatBotStack-c2719xmh.json to s3://tmp-cleanup-workflow-sg2qbmbj8grwjuyjiy6vdnn3j79zxlmx/updated-template-BedrockChatBotStack-c2719xmh.json An error occurred (IllegalLocationConstraintException) when calling the PutObject operation: The eu-south-1 location constraint is incompatible for the region specific endpoint this request was sent to.

[Container] 2024/04/20 11:53:05.732005 Command failed with exit status 1

Expected behavior

In this case, the installation should use another region for the log bucket for regions that are not supported.

Version information

N/A

Additional context

Maybe in this phase this region should be disabled in order to fix the issue

skeppeler commented 2 months ago

Fix has been published in version 0.3.107 of the blueprint - thanks for the report!

emanuelr93 commented 2 months ago

Thank you for fixing this. There was also an issue in the cleanup procedure, as reported in point 3. I just fixed this with MR https://github.com/aws/codecatalyst-blueprints/pull/544.

Can you please look at this?

Thank you