amazon-archives/aws-security-benchmark

Fails to complete

Nanomoog opened this issue · 9 comments

Every time that we try to run this, it fails with the following error:

The following resource(s) failed to create: [FunctionForVpcPeeringRouteTablesRule, FunctionForVpcFlowLogRule, FunctionForEvaluateCloudTrailBucketRule, SnsTopicForCloudWatchEvents, ConsoleLoginFailureCloudWatchMetric, FunctionForRoleForMfaOnUsersRule, FunctionForEvaluateConfigInAllRegionsRule, FunctionForEvaluateCloudTrailLogIntegrityRule, ConfigRuleForRequiredTags, UnauthorizedAttemptsCloudWatchFilter, ConfigRuleForIamPasswordPolicy, ConfigRuleForEncryptedVolumes, ConfigRuleForUnrestrictedPorts, IAMRootActivityCloudWatchMetric, BillingChangesCloudWatchFilter, FunctionForEvaluateRootAccountRule]. . Rollback requested by user.

We have tried running as root and as an admin.
Error persists.

We are running this from EU-WEST-1

Please advise.

Please confirm whether the following conditions are present for that region:

  1. AWS Config must be running in the region where this template will be run. This is needed for Config Rules.

  2. Amazon CloudTrail must be delivering logs to CloudWatch Logs. This is needed for CloudWatch metrics and alarms.

Also, when you encounter an error when launching a stack, scroll down the list of events to see the first error that was encountered.

  • Rob

Many thanks for getting back to us.

I can confirm that Config is running. We have other items working and reporting back correctly.
Also, CloudTrail logs are being sent to CloudWatch.

The first error that was encountered states:

```
17:29:28 UTC+0000  CREATE_FAILED  AWS::Config::ConfigRule  ConfigRuleForIamPasswordPolicy  The MaximumExecutionFrequency must be specified in either the ConfigRule or the SourceDetails for the provided SourceDetail's MessageTypes.
```

Then there are the following errors shortly afterward:

```
17:29:32 UTC+0000  CREATE_FAILED    AWS::CloudFormation::Stack  CIS-Benchmark  The following resource(s) failed to create: [SnsTopicForCloudWatchEvents, RoleForDisableUnusedCredentialsFunction, ConfigRuleForIamPasswordPolicy, FunctionForEvaluatePolicyPermissionsRule, IAMRootActivityCloudWatchMetric].
17:29:30 UTC+0000  CREATE_FAILED    AWS::IAM::Role  RoleForDisableUnusedCredentialsFunction  Resource creation cancelled
                   Physical ID: CIS-Benchmark-RoleForDisableUnusedCredentialsFunct-TXBCZOTS6RA3
17:29:29 UTC+0000  CREATE_FAILED    AWS::Lambda::Function  FunctionForEvaluatePolicyPermissionsRule  Resource creation cancelled
17:29:29 UTC+0000  CREATE_COMPLETE  AWS::Lambda::Function  FunctionForEvaluateCloudTrailBucketRule
17:29:29 UTC+0000  CREATE_FAILED    AWS::SNS::Topic  SnsTopicForCloudWatchEvents  Resource creation cancelled
                   Physical ID: arn:aws:sns:eu-west-1:293425831536:CloudWatchNotifications
17:29:29 UTC+0000  CREATE_FAILED    AWS::Logs::MetricFilter  IAMRootActivityCloudWatchMetric  Resource creation cancelled
```

Thank you for the response. The "MaximumExecutionFrequency" error you're seeing is being reported by the Config service. At this point, the error does not occur in us-east-1 but seems to be occurring elsewhere. I will follow up on this internally.

Many thanks

Hello everyone,

I had this issue as well. "MaximumExecutionFrequency" seems to be a missing parameter.

What is strange though, the template did work in an older account of ours, but is not working in another. I added the parameter and then it did work in both. It's not very stable at the moment :-/

```yaml
ConfigRuleForEvaluateKeyRotations:
  Type: AWS::Config::ConfigRule
  Condition: IsLevel2
  DependsOn:
    - FunctionForEvaluateKeyRotationRule
    - ConfigPermissionToCallEvaluateKeyRotationLambda
  Properties:
    ConfigRuleName: KmsCustomerKeysMustBeRotated
    Description: Evaluates whether customer-managed KMS keys are rotated.
    MaximumExecutionFrequency: Twelve_Hours
    Source:
      Owner: CUSTOM_LAMBDA
      SourceDetails:
        - EventSource: aws.config
          MessageType: ConfigurationSnapshotDeliveryCompleted
      SourceIdentifier: !GetAtt FunctionForEvaluateKeyRotationRule.Arn
```

Adding the MaximumExecutionFrequency to the SourceDetails didn't work. Seems to be an error in the documentation: http://docs.aws.amazon.com/config/latest/APIReference/API_SourceDetail.html

Your observation is accurate: the parameter is not supported. This seems to have been introduced recently. Meantime, you can remove that particular rule from the CloudFormation template until this issue has been addressed.
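A pre-deploy check for the failure discussed in this thread, added here as an example and not part of the benchmark template or of anyone's comment: it walks a CloudFormation template (JSON form) and flags AWS::Config::ConfigRule resources whose SourceDetails use a periodic MessageType but which carry no valid MaximumExecutionFrequency, so the problem is caught before the stack creates and rolls back. The embedded template, the SampleScheduledRule resource and the FunctionForSampleScheduledRule name are constructed for this example.

```python
"""Pre-deploy lint for AWS::Config::ConfigRule resources in a CloudFormation
template (JSON form), catching this thread's CREATE_FAILED cause before the
stack rolls back. The sample template is constructed, not the benchmark's."""
import json

# Allowed values of MaximumExecutionFrequency (AWS Config API).
VALID_FREQUENCIES = {"One_Hour", "Three_Hours", "Six_Hours",
                     "Twelve_Hours", "TwentyFour_Hours"}
# MessageTypes that trigger evaluations on a schedule rather than on a change.
PERIODIC_MESSAGE_TYPES = {"ScheduledNotification",
                          "ConfigurationSnapshotDeliveryCompleted"}

def lint_config_rules(template):
    """Return (logical_id, problem) for each rule the Config service would reject."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Config::ConfigRule":
            continue
        props = res.get("Properties", {})
        details = props.get("Source", {}).get("SourceDetails", [])
        periodic = [d for d in details
                    if d.get("MessageType") in PERIODIC_MESSAGE_TYPES]
        if not periodic:
            continue  # change-triggered only; no frequency required
        freq = props.get("MaximumExecutionFrequency")
        # A SourceDetail-level frequency counts only for ScheduledNotification (AWS
        # SourceDetail docs); for snapshot-triggered rules the rule-level one worked.
        covered = all(d.get("MaximumExecutionFrequency")
                      and d["MessageType"] == "ScheduledNotification"
                      for d in periodic)
        if freq is None and not covered:
            findings.append((logical_id, "missing MaximumExecutionFrequency for "
                             + ", ".join(sorted(d["MessageType"] for d in periodic))))
        elif freq is not None and freq not in VALID_FREQUENCIES:
            findings.append((logical_id, f"invalid MaximumExecutionFrequency {freq!r}"))
    return findings

# Constructed sample: the thread's rule fixed at rule level, plus a hypothetical
# scheduled rule (SampleScheduledRule) that still lacks the property.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
 "ConfigRuleForEvaluateKeyRotations": {"Type": "AWS::Config::ConfigRule",
  "Properties": {"ConfigRuleName": "KmsCustomerKeysMustBeRotated",
   "MaximumExecutionFrequency": "Twelve_Hours",
   "Source": {"Owner": "CUSTOM_LAMBDA",
    "SourceIdentifier": {"Fn::GetAtt": ["FunctionForEvaluateKeyRotationRule", "Arn"]},
    "SourceDetails": [{"EventSource": "aws.config",
     "MessageType": "ConfigurationSnapshotDeliveryCompleted"}]}}},
 "SampleScheduledRule": {"Type": "AWS::Config::ConfigRule", "Properties": {"Source": {
  "Owner": "CUSTOM_LAMBDA", "SourceIdentifier": {"Fn::GetAtt": ["FunctionForSampleScheduledRule", "Arn"]},
  "SourceDetails": [{"EventSource": "aws.config", "MessageType": "ScheduledNotification"}]}}}}}""")
```

Running `lint_config_rules(SAMPLE_TEMPLATE)` reports only SampleScheduledRule; the key-rotation rule passes once the property sits at rule level, as the reporter found.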

Thanks for the update. This does not work either.
However, no worries, I'll just not bother with the script.

Thanks

Have you added the maximum execution frequency to your config recorder? Seems to be something that is also causing such issues.

Yes, I tried that. But it still fails.
I have tried running it without the 2.8 rule, and it still fails.

My experience with AWS is one of complete frustration, as trying to work out what it is doing and why it's not happy is not easy. Logging is less than poor. But then I come from a security background, where logging is key and I have access to all components along the way. Obviously on someone else's infrastructure, that luxury is not going to be available to you, for obvious reasons.

Still, you pay your money and make your choice. Cheers