fortinet / aws-cloudformation-templates

Cloud Formation Templates for getting you started in AWS with Fortinet.
MIT License

RunImageFunction ERROR [FGCP/7.0/DualAZ] #16

Open laptom opened 2 years ago

laptom commented 2 years ago

Getting such error when running CF, 7.0:

RunImageFunction ERROR

{
  "Status": "FAILED",
  "Reason": "See the details in CloudWatch Log Stream: 2022/03/16/[$LATEST]786ee947e4d84923935a99224406f956",
  "PhysicalResourceId": "2022/03/16/[$LATEST]786ee947e4d84923935a99224406f956",
  "StackId": "arn:aws:cloudformation:eu-central-1:729267244622:stack/FGStack/73419f90-a550-11ec-87d7-0275f7a88d18",
  "RequestId": "d002c7c1-86f5-41c3-91e9-67d47c15f483",
  "LogicalResourceId": "RunImageFunction",
  "NoEcho": false,
  "Data": { "msg": "error" }
}

PLEASE CHECK QUICKLY, THX

SgtMike70 commented 2 years ago

appears to be related to the S3 bucket that is created

laptom commented 2 years ago

Nope. I manually created the S3 bucket & it seems CF has access to create txt files. Also in the bucket I noticed two files created, fgt1.txt and fgt2.txt, with the content below.

Need to check S3 bucket policies. It might be due to some missing rights.

Code: AccessDenied
Message: Access Denied
RequestId: 0VBWGW849PAKT187
HostId: V045eaeo0ywjPiQkhdYDhJIei2mOdeHsevq7CghnYtSjQevQs6TGvNFi82uKbePolS0BuQof/i0=

SgtMike70 commented 2 years ago

Ok, be sure to check the permissions on the bucket and see that it is not blocking public access.


laptom commented 2 years ago

Actually I tried those combinations and only one works fine; there is no issue with the S3 bucket policy:

FGCP/7.0/DualAZ - PAYG - fails on RunImageFunction, configs (fgt1.txt and fgt2.txt) uploaded to S3
FGCP/7.0/DualAZ - BYOL - fails on RunImageFunction, configs (fgt1.txt and fgt2.txt) uploaded to S3
FGCP/7.0/SingleAZ - PAYG - fails
FGCP/7.0/SingleAZ - BYOL - works OK

Seems that there is an issue with accessing the proper AMI; the weird thing is that the same code works for SingleAZ - BYOL.

[ERROR] 2022-03-19T09:12:24.291Z f3179b1c-d7a4-4506-bb0e-0de8ab5439aa !!--> Unable to find AMI in response! {'Images': [], 'ResponseMetadata': {'RequestId': '604c55e0-ae76-403a-97ec-ca0d7607b6bf', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': '604c55e0-ae76-403a-97ec-ca0d7607b6bf', 'cache-control': 'no-cache, no-store', 'strict-transport-security': 'max-age=31536000; includeSubDomains', 'content-type': 'text/xml;charset=UTF-8', 'content-length': '219', 'date': 'Sat, 19 Mar 2022 09:12:23 GMT', 'server': 'AmazonEC2'}, 'RetryAttempts': 0}}

SgtMike70 commented 2 years ago

Each file (fgt1.txt and fgt2.txt) should have a base configuration for the corresponding firewall. Are you using the exact name of the S3 bucket during the deployment setup or the ARN of the bucket?

On Fri, Mar 18, 2022 at 11:41 AM laptom @.***> wrote:

My S3 policy allows access and also I see those two empty files in my S3 bucket:

Any idea what might be wrong?

fgt1.txt fgt2.txt

S3 policy:

{
  "Id": "Policy1647621792464",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1647621791412",
      "Action": [ "s3:PutObject" ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::tls3/*",
      "Principal": "*"
    }
  ]
}

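As an added example (not code from this thread or from the Fortinet templates), the audit below flags the anonymous PutObject grant in the posted bucket policy and rewrites its Principal to a named IAM role, which lets the bucket keep Block Public Access enabled instead of opening it. The role ARN is a placeholder, and the policy dict is reconstructed from the post with the asterisks that markdown stripped from Resource and Principal restored.

```python
"""Audit an S3 bucket policy for anonymous write access and produce a
least-privilege rewrite bound to one IAM role. Added example for the
issue thread; POSTED_POLICY is reconstructed from the user's comment."""
import copy

POSTED_POLICY = {
    "Id": "Policy1647621792464", "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1647621791412", "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::tls3/*",  # "*" was lost to markdown in the post
        "Principal": "*",                   # anonymous: anyone may upload objects
    }],
}

# Action spellings (compared case-insensitively) that allow object writes.
WRITE_ACTIONS = {"s3:putobject", "s3:*", "*"}


def _as_list(value):
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element grants to every caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_write_statements(policy):
    """Return the Sids of Allow statements giving object writes to anyone."""
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & WRITE_ACTIONS:
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


def scope_to_role(policy, role_arn):
    """Copy of policy with every anonymous Principal replaced by role_arn."""
    fixed = copy.deepcopy(policy)
    for st in _as_list(fixed["Statement"]):
        if _is_anonymous(st.get("Principal")):
            st["Principal"] = {"AWS": role_arn}  # role_arn is a placeholder
    return fixed
```

The role ARN passed to scope_to_role should be whichever role actually writes the files (here, the Lambda execution role), so only that principal is granted PutObject.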