3

I'm getting the following error when I run the cognito quickstart stack:

Embedded stack arn:aws:cloudformation:eu-west-1:950742359761:stack/SaaS-identity-with-Cognito-IdentityStack-17TE8ATW0MEDM/35414bc0-2dab-11e9-801f-02f49d781af6 was not successfully created: The following resource(s) failed to create: [SecurityGroups, Role, DynamoDBTables, BucketRepository].

I have no idea why this happening.

Values entered for the template are the following:
S3 URL: https://aws-quickstart.s3.amazonaws.com/saas-identity-cognito/templates/saas-identity-cognito-master.template  This is supplied by Amazon
Available Zones: eu-central-1a and eu-central-1b
Key Pair Name: Dev-Cognito-KP (I created this and selected it from the drop down)
IAM role name: SaaS-Cognito-Stack (System and Network Administrator Policies)
Capabilities: Check both boxes.

Everything else is the defaults in the templates.

Here is the failure that is reported on the dashboard. Its says that the VPCStack failed when it tried to create the NAT and Route tables. Other parts of the VPCStack complete without any issues.

Here is the Template:

---
AWSTemplateFormatVersion: 2010-09-09
Description: This CloudFormation ... (Removed to shorten post)
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: Network Configuration
      Parameters:
      - AvailabilityZones
      - VPCCIDR
      - PrivateSubnet1CIDR
      - PrivateSubnet2CIDR
      - PublicSubnet1CIDR
      - PublicSubnet2CIDR
    - Label:
        default: AWS Quick Start Configuration
      Parameters:
      - QSS3BucketName
      - QSS3KeyPrefix
    - Label:
        default: SaaS Identity Quick Start Configuration
      Parameters:
      - KeyPairName
      - InstanceType
    - Label:
        default: SaaS Identity Sys Admin Configuration
      Parameters:
      - Email
      - Company
      - Firstname
      - Lastname
    - Label:
        default: SaaS Identity DynamoDB Table Configuration
      Parameters:
      - UserTable
      - TenantTable
      - ProductTable
      - OrderTable
    ParameterLabels:
      AvailabilityZones:
        default: Availability Zones
      KeyPairName:
        default: Key Pair Name
      InstanceType:
        default: Instance Type
      PrivateSubnet1CIDR:
        default: Private Subnet 1 CIDR
      PrivateSubnet2CIDR:
        default: Private Subnet 2 CIDR
      PublicSubnet1CIDR:
        default: Public Subnet 1 CIDR
      PublicSubnet2CIDR:
        default: Public Subnet 2 CIDR
      QSS3KeyPrefix:
        default: Quick Start S3 Key Prefix
      QSS3BucketName:
        default: Quick Start S3 Bucket Name
      VPCCIDR:
        default: VPC CIDR
      Email:
        default: Email Address
      Company:
        default: Company Name
      Firstname:
        default: First Name
      Lastname:
        default: Last Name
      UserTable:
        default: User
      TenantTable:
        default: Tenant
      ProductTable:
        default: Product
      OrderTable:
        default: Order
Parameters:
  AvailabilityZones:
    Description: 'List of Availability Zones to use for the subnets in the VPC. Note:
      The logical order is preserved and only 2 AZs are used for this deployment.'
    Type: List<AWS::EC2::AvailabilityZone::Name>
  KeyPairName:
    Description: Public/private ... (Removed to shorten post)
    Type: AWS::EC2::KeyPair::KeyName
  InstanceType:
    Type: String
    Default: t2.small
    AllowedValues:
      - t2.micro
      - t2.small
      - t2.large
    Description: Enter t2.micro, t2.small, or t2.large. Default is t2.small.
  PrivateSubnet1CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.0.0/19
    Description: CIDR block for private subnet 1 located in Availability Zone 1.
    Type: String
  PrivateSubnet2CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.32.0/19
    Description: CIDR block for private subnet 2 located in Availability Zone 2.
    Type: String
  PublicSubnet1CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.128.0/20
    Description: CIDR Block for the public DMZ subnet 1 located in Availability Zone
      1
    Type: String
  PublicSubnet2CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.144.0/20
    Description: CIDR Block ... (Shortened)
      2
    Type: String
  QSS3BucketName:
    AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
    ConstraintDescription: Quick Start bucket name can include numbers, lowercase
      letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen
      (-).
    Default: aws-quickstart
    Description: S3 bucket name for the Quick Start assets. Quick Start bucket name
      can include numbers, lowercase letters, uppercase letters, and hyphens (-).
      It cannot start or end with a hyphen (-).
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: ^[0-9a-zA-Z-/]*$
    ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters,
      uppercase letters, hyphens (-), and a forward slash (/) at the end of the prefix.
    Default: saas-identity-cognito/
    Description: S3 key prefix ... (Shortened)
    Type: String
  VPCCIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.0.0/16
    Description: CIDR Block for the VPC
    Type: String
  Email:
    Description: The Email Address of the Sys Admin.
    Default: email@example.com
    Type: String
  Company:
    Description: The Name of the Company that will manage the Reference Architecture.
    Default: MyCompanyName
    Type: String
  Firstname:
    Description: The First Name of the Sys Admin.
    Default: MyFirstName
    Type: String
  Lastname:
    Description: The Last Name of the Sys Admin.
    Default: MyLastName
    Type: String
  UserTable:
    Description: The DynamoDB Table for Users of the Multi-Tenant System
    Default: User
    Type: String
  TenantTable:
    Description: The DynamoDB Table for Tenants of the Multi-Tenant System
    Default: Tenant
    Type: String
  ProductTable:
    Description: The DynamoDB Table for Products of the Multi-Tenant System
    Default: Product
    Type: String
  OrderTable:
    Description: The DynamoDB Table for Orders of the Multi-Tenant System
    Default: Order
    Type: String
Resources:
  VPCStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-aws-vpc/templates/aws-vpc.template
      Parameters:
        AvailabilityZones:
          !Join
          - ','
          - !Ref AvailabilityZones
        KeyPairName: !Ref KeyPairName
        NumberOfAZs: '2'
        PrivateSubnet1ACIDR: !Ref PrivateSubnet1CIDR
        PrivateSubnet2ACIDR: !Ref PrivateSubnet2CIDR
        PublicSubnet1CIDR: !Ref PublicSubnet1CIDR
        PublicSubnet2CIDR: !Ref PublicSubnet2CIDR
        VPCCIDR: !Ref VPCCIDR
  IdentityStack:
    DependsOn: VPCStack
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub https://${QSS3BucketName}.s3.amazonaws.com/${QSS3KeyPrefix}templates/saas-identity-cognito.template
      Parameters:
        KeyPairName: !Ref KeyPairName
        InstanceType: !Ref InstanceType
        PublicSubnet1ID:
          !GetAtt
          - VPCStack
          - Outputs.PublicSubnet1ID
        PublicSubnet2ID:
          !GetAtt
          - VPCStack
          - Outputs.PublicSubnet2ID
        PrivateSubnet1ID:
          !GetAtt
          - VPCStack
          - Outputs.PrivateSubnet1AID
        PrivateSubnet2ID:
          !GetAtt
          - VPCStack
          - Outputs.PrivateSubnet2AID
        QSS3BucketName: !Ref QSS3BucketName
        QSS3KeyPrefix: !Ref QSS3KeyPrefix
        Email: !Ref Email
        Company: !Ref Company
        Firstname: !Ref Firstname
        Lastname: !Ref Lastname
        UserTable: !Ref UserTable
        TenantTable: !Ref TenantTable
        ProductTable: !Ref ProductTable
        OrderTable: !Ref OrderTable
        VPCID:
          !GetAtt
          - VPCStack
          - Outputs.VPCID
Outputs:
  Website:
    Description: The URL endpoint for the product service
    Value: !GetAtt IdentityStack.Outputs.Website
...
S. Yacko
  • 386
  • 4
  • 14
  • 1
    which is the 1st resource that failed to create? Check your template URLs in the template. – asr9 Feb 12 '19 at 22:51
  • I have added the stack that is having issue, VPCStack and the template. I'm new to CloudFormation and Cognito so if you need more information, I will need instructions on how to retrieve it. - Thank ASR for your help! – S. Yacko Feb 13 '19 at 17:49
  • It could possibly be role problem (the role you provided). This seems to work for me & I did not provide any role (so CFN assumed my admin role). – asr9 Feb 13 '19 at 19:08
  • Are you running as root on your account or a defined user? – S. Yacko Feb 13 '19 at 19:16
  • Update: I run the template with the root account and it got the same error. I agree that it appears to be a permissions issue and I don't know what permission is missing. – S. Yacko Feb 13 '19 at 19:40
  • I'm going to open a support case with AWS and see what they say. – S. Yacko Feb 13 '19 at 19:50
  • 1
    i was running with `AdministratorAccess` role. – asr9 Feb 13 '19 at 22:16
  • 1
    Working with AWS Support to increase default account limits for needed resources. It was not a permissions issue as thought. There are limits for every aws account that have to be increase with a support ticket. Example: Max 5 Elastic IP's, which is why this was failing. I had 4 and with this, it pushed my account to 6. – S. Yacko Feb 15 '19 at 19:11
  • The final solution after getting passed the account limitation was to create a role with the following Policies; System Administrator, Network Administrator and a Custom Policy with the following services listed above. – S. Yacko Feb 19 '19 at 23:46

1 Answers1

1

Permissions needed for the SaaS identity and isolation with Amazon Cognito:

API Gateway   Full access   All resources
Application Auto Scaling  Full access   All resources
Cloud Map   Full access  All resources
CloudFormation  Full access  All resources
CloudTrail  Full access  All resources
CloudWatch  Full access  All resources
CloudWatch Events  Full access  All resources
CloudWatch Logs  Full access  All resources
CodeBuild  Full access  All resources
CodeDeploy  Full access  All resources
Cognito User Pools  Full access  All resources
DynamoDB  Full access  All resources
EC2  Full access  All resources
EC2 Auto Scaling  Full access  All resources
Elastic Container Registry  Full access  All resources
Elastic Container Service  Full access  All resources
ELB  Full access  All resources
ELB v2  Full access  All resources
IAM  Full access All resources
Lambda  Full access  All resources
Route 53  Full access  All resources
S3  Full access  All resources
SNS  Full access  All resources
Systems Manager  Full access  All resources

along with System and Network Administrator

S. Yacko
  • 386
  • 4
  • 14