awslabs / cid-framework

Apache License 2.0

Cloud Intelligence Dashboards Framework - Access denied for S3 bucket in #166

Closed Waqiah closed 1 month ago

Waqiah commented 1 month ago

Hello team,

When trying to deploy the latest version of the data collection deployment of the cid-framework from https://github.com/awslabs/cid-framework/blob/main/data-collection/deploy/deploy-data-collection.yaml, following https://catalog.workshops.aws/awscid/en-US/data-collection/deploy#step-2.-in-data-collection-account-deployment-of-data-collection-stack, the following error occurs in CloudFormation for each nested module:

Resource handler returned message: "Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 9SJWPSZDVYSE9KR9; S3 Extended Request ID: yGA/CEtSFw4KsJJKHdtku5G5h5eOKbUxom2eoxtmjq6+hhr0s9CClyiQUnikln47QhQpCW1Tsbg=; Proxy: null)" (RequestToken: 34e98e50-bcba-596d-143c-44efc056b6a7, HandlerErrorCode: GeneralServiceException)

In CloudTrail it can be seen that the GetBucketAcl API call failed with "AccessDenied". Could this API call be the cause of the issue? I am unsure what is causing the permission issue for the S3 bucket.

iakov-aws commented 1 month ago

Checking

iakov-aws commented 1 month ago

I just did a test of a fresh deployment and it looked fine. Is there any additional info you can provide? What is the failing nested stack? What region?

Waqiah commented 1 month ago

Thank you for your response. The error occurs for the AWS::StepFunctions::StateMachine (ModuleStepFunction) resource in the nested stack named 'CidDataCollection-OrgDataModule-5SJTXXYQLBDW' in the eu-central-1 region.

iakov-aws commented 1 month ago

The S3 object of the nested stack is public:

❯ curl https://aws-managed-cost-intelligence-dashboards-eu-central-1.s3.amazonaws.com/cfn/data-collection/module-organization.yaml -I
HTTP/1.1 200 OK

Please check whether you have an SCP that could cause this. The full text of the CloudTrail error would probably help.

yoericm commented 1 month ago

Hi @iakov-aws

I'm the customer who opened a support ticket with Waqiah from AWS Support. It's not failing on module-organization.yaml, but on the following key, which is referenced by the ModuleStepFunction within the template:

cfn/data-collection/source/step-functions/main-state-machine-v2.json

Based on your command above, I've rerun it with the updated object key and bumped into the 403:

 curl https://aws-managed-cost-intelligence-dashboards-eu-central-1.s3.amazonaws.com/cfn/data-collection/source/step-functions/main-state-machine-v2.json -I
HTTP/1.1 403 Forbidden
x-amz-request-id: CG3DBDDAYZ1P9DFT
x-amz-id-2: BqBGsjpVa8j/dWmSiKFv15dlZ+v1QnIs5bcQYJojDPVxlu442CXt5hNi2dvvPhT7dKzaT49tjJI=
Content-Type: application/xml
Date: Mon, 22 Jul 2024 08:32:35 GMT
Server: AmazonS3
Connection: close

Waqiah opened an additional support ticket with the S3 team to check why we received the 403 Access Denied error, and they let us know that we received it because the object doesn't exist in that bucket and we don't have list permissions on that bucket.
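The point raised by the S3 team above is easy to trip over: an anonymous or unprivileged caller gets 403 both for a private object and for a key that simply does not exist, because S3 only reveals NoSuchKey (404) to callers allowed s3:ListBucket on the bucket. The pre-flight script below is an added example, not code from the cid-framework project or from anyone in this thread. It HEADs each object a deployment would fetch from the public regional bucket and prints what each status code actually means. The bucket and key names are the ones quoted in this issue; the function names and the constructed status codes used in the test are assumptions.

```python
"""Pre-flight check: HEAD every S3 object a CloudFormation deployment will
pull from a public bucket and explain the status codes before deploying.

Added example; not part of the cid-framework repository. The bucket and
key names are those quoted in the issue; helper names are assumptions.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Bucket and object keys quoted in the issue thread.
BUCKET = "aws-managed-cost-intelligence-dashboards-eu-central-1"
KEYS = [
    "cfn/data-collection/module-organization.yaml",
    "cfn/data-collection/source/step-functions/main-state-machine-v1.json",
    "cfn/data-collection/source/step-functions/main-state-machine-v2.json",
]


def object_url(bucket: str, key: str) -> str:
    """Virtual-hosted-style URL for a key in a public bucket."""
    return f"https://{bucket}.s3.amazonaws.com/{key}"


def head_status(url: str) -> int:
    """HEAD an object anonymously (like `curl -I`) and return the HTTP status."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def explain(status: int) -> str:
    """Translate an S3 status code into what it means for the deployer.

    S3 returns 404 (NoSuchKey) for a missing key only when the caller is
    allowed s3:ListBucket on the bucket. Without that permission a missing
    key and a private key both come back as 403 AccessDenied, which is why
    the thread saw AccessDenied rather than NoSuchKey.
    """
    if status == 200:
        return "present and publicly readable"
    if status == 403:
        return ("forbidden: object is private OR does not exist "
                "(no s3:ListBucket, so S3 hides NoSuchKey behind AccessDenied)")
    if status == 404:
        return "missing (caller has s3:ListBucket, so S3 reports NoSuchKey)"
    return f"unexpected status {status}"


def check_keys(bucket: str, keys: List[str],
               fetch: Callable[[str], int] = head_status) -> Dict[str, str]:
    """Map each key to an explanation of its anonymous HEAD result.

    `fetch` is injectable so the logic can be exercised without network access.
    """
    return {key: explain(fetch(object_url(bucket, key))) for key in keys}


def blocking_keys(report: Dict[str, str]) -> List[str]:
    """Keys whose status would make the CloudFormation nested stack fail."""
    return [key for key, meaning in report.items()
            if not meaning.startswith("present")]


if __name__ == "__main__":
    report = check_keys(BUCKET, KEYS)
    for key, meaning in report.items():
        print(f"{key}: {meaning}")
    if blocking_keys(report):
        raise SystemExit("deployment would fail: check the template version "
                         "against the objects published in this region")
```

Run it against the region you deploy to before launching the stack; a 403 on a key the template references means either a permissions problem or, as in this thread, a template that points at an object not yet published to that bucket, and the two cannot be told apart from the status code alone.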

Waqiah commented 1 month ago

I would also like to add that during my testing, where deploying and updating the solution succeeded, I noticed that the following S3 key is being passed for my ModuleStepFunction resource: "cfn/data-collection/source/step-functions/main-state-machine-v1.json" instead of "cfn/data-collection/source/step-functions/main-state-machine-v2.json".

@iakov-aws, in your fresh deployment, could you please confirm which key was being passed?

iakov-aws commented 1 month ago

OK, I see. This file is from the upstream version that is NOT YET RELEASED. Please use the template link from the readme file or from the workshop doc:

https://catalog.workshops.aws/awscid/en-US/data-collection/deploy