Error deploying CUR (cur-aggregation.yaml) in Master (Payer) account, ap-southeast-2
Closed this issue · 3 comments
kp2401075 commented
We're facing an unusual error deploying the cur-aggregation.yaml template in region ap-southeast-2.
The error occurs while creating the CUR report.
Deployment worked just fine 2 weeks back.
I checked the CloudWatch logs from the custom Lambda that deploys CUR.
I also checked the custom Lambda's CloudWatch logs from 2 weeks back; they look identical except for the Validation Error and failure.
Here is the error from it:
```
2024-06-24T00:43:04.762Z
{
    "RequestType": "Create",
    "ServiceToken": "arn:aws:lambda:ap-southeast-2:<Account-ID>:function:cid-CID-CURCreator",
    "ResponseURL": "https://cloudformation-custom-resource-response-apsoutheast2.s3-ap-southeast-2.amazonaws.com/<LONGURL>",
    "StackId": "arn:aws:cloudformation:ap-southeast-2:<Account-ID>::stack/CID-CUR-Replication/947d97d0-31c2-11ef-8dfa-065e04df0855",
    "RequestId": "d7bc1ac5-2e17-4123-9935-04886a3049fa",
    "LogicalResourceId": "CURinUSEAST1",
    "ResourceType": "Custom::CURCreator",
    "ResourceProperties": {
        "ServiceToken": "arn:aws:lambda:ap-southeast-2:<Account-ID>::function:cid-CID-CURCreator",
        "BucketPolicyWait": "cid-<Account-ID>:-local",
        "ReportDefinition": {
            "AdditionalArtifacts": [
                "ATHENA"
            ],
            "Compression": "Parquet",
            "ReportName": "cid",
            "Format": "Parquet",
            "RefreshClosedReports": "true",
            "S3Bucket": "cid-<Account-ID>:-local",
            "ReportVersioning": "OVERWRITE_REPORT",
            "S3Region": "ap-southeast-2",
            "TimeUnit": "HOURLY",
            "S3Prefix": "cur/<Account-ID>:",
            "AdditionalSchemaElements": [
                "RESOURCES"
            ]
        }
    }
}
2024-06-24T02:06:24.181Z
An error occurred (ValidationException) when calling the PutReportDefinition operation:
2024-06-24T02:06:24.181Z
FAILURE
2024-06-24T02:06:24.181Z
https://cloudformation-custom-resource-response-apsoutheast2.s3-ap-southeast-2.amazonaws.com/<Long URL>
2024-06-24T02:06:24.181Z
Response body:
2024-06-24T02:06:24.181Z
{
    "Status": "FAILED",
    "Reason": "See the details in CloudWatch Log Stream: 2024/06/24/[$LATEST]7a8559e3985f46e9be4a9ac3cc460436",
    "PhysicalResourceId": "cid",
    "StackId": "arn:aws:cloudformation:ap-southeast-2:<Account-ID>:stack/CID-CUR-Replication/38759a30-31ce-11ef-87fb-0aca3664afab",
    "RequestId": "c4e72774-42e1-4541-a482-32ee67edf264",
    "LogicalResourceId": "CURinUSEAST1",
    "NoEcho": false,
    "Data": {
        "Data": "An error occurred (ValidationException) when calling the PutReportDefinition operation: "
    }
}
```
kp2401075 commented
Update: Had a chat with AWS support regarding this.
They got me to deploy the stack without condition in SourceS3BucketPolicy, like this:
```yaml
SourceS3BucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  Condition: IsSourceAccount
  DeletionPolicy: Delete
  UpdateReplacePolicy: Delete
  Properties:
    Bucket: !Ref SourceS3
    PolicyDocument:
      Id: CrossAccessPolicy
      Version: "2012-10-17"
      Statement:
        - Sid: AllowTLS12Only
          Effect: Deny
          Principal: "*"
          Action: s3:*
          Resource:
            - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3}'
            - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3}/*'
          Condition:
            NumericLessThan:
              s3:TlsVersion: 1.2
        - Sid: AllowOnlyHTTPS
          Effect: Deny
          Principal: "*"
          Action: s3:*
          Resource:
            - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3}'
            - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3}/*'
          Condition:
            Bool:
              aws:SecureTransport: false
        - Sid: AllowReadBilling
          Effect: Allow
          Principal:
            Service: billingreports.amazonaws.com
          Action:
            - s3:GetBucketAcl
            - s3:GetBucketPolicy
          Resource:
            - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3}'
            - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3}/*'
        - Sid: AllowWriteBilling
          Effect: Allow
          Principal:
            Service: billingreports.amazonaws.com
          Action:
            - s3:PutObject
          Resource:
            - !Sub 'arn:${AWS::Partition}:s3:::${SourceS3}/*'
```
So maybe the conditions introduced in this commit are causing the failure. Or it may be something else.
But I was able to deploy without the conditions.
iakov-aws commented
Fixed. Please retry
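
One way to compare the bucket policy of a working deployment with a failing one is to classify how each billing action is granted to `billingreports.amazonaws.com`. This is an added example, not part of the thread or the project's code; the bucket name, the account id and the `aws:SourceAccount` condition are constructed, since the thread does not show which conditions the commit introduced.

```python
from fnmatch import fnmatchcase

BILLING = "billingreports.amazonaws.com"
# Actions the policy posted in this thread grants to the billing principal.
REQUIRED = ("s3:GetBucketAcl", "s3:GetBucketPolicy", "s3:PutObject")

def as_list(value):
    """IAM allows a single value or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def billing_grants(policy):
    """Classify each required action as unconditional, conditional or missing."""
    result = {action: "missing" for action in REQUIRED}
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or BILLING not in services:
            continue
        state = "conditional" if stmt.get("Condition") else "unconditional"
        for pattern in as_list(stmt.get("Action", [])):
            for action in REQUIRED:
                # Action names are case-insensitive and may contain wildcards.
                # An unconditional grant is never downgraded by a later statement.
                if fnmatchcase(action.lower(), pattern.lower()) and result[action] != "unconditional":
                    result[action] = state
    return result

def allow(sid, actions, condition=None):
    """Build a constructed Allow statement for the billing principal."""
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": {"Service": BILLING},
            "Action": actions, "Resource": "arn:aws:s3:::example-cur-bucket/*"}
    if condition:
        stmt["Condition"] = condition
    return stmt

# Constructed samples: the billing statements as posted above, and the same
# statements with a condition attached (placeholder account id, assumed key).
COND = {"StringEquals": {"aws:SourceAccount": "111122223333"}}
POSTED = {"Version": "2012-10-17", "Statement": [
    allow("AllowReadBilling", ["s3:GetBucketAcl", "s3:GetBucketPolicy"]),
    allow("AllowWriteBilling", ["s3:PutObject"])]}
CONDITIONED = {"Version": "2012-10-17", "Statement": [
    allow("AllowReadBilling", ["s3:GetBucketAcl", "s3:GetBucketPolicy"], COND),
    allow("AllowWriteBilling", "s3:PutObject", COND)]}

if __name__ == "__main__":
    for name, policy in (("posted", POSTED), ("conditioned", CONDITIONED)):
        print(name, billing_grants(policy))
```

Feeding it the policy JSON returned for the bucket in each deployment shows at a glance whether the difference is a missing action or an added condition.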