
I am creating a CloudFormation stack to deploy the AWS Instance Scheduler in AWS GovCloud via Terraform. The goal is to start/stop EC2 instances based on tags. There are many ways to achieve it, but I have to use Terraform and CloudFormation. Here is the repo --> https://github.com/Vinod1908/TestTerraform/blob/master/instanceScheduler.tf
Below is the part of the code where I think I am blocked:

        "InstanceSchedulerEncryptionKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "Description": "Key for SNS",
                "Enabled": true,
                "EnableKeyRotation": true,
                "KeyPolicy": {
                    "Statement": [
                        {
                            "Sid": "default",
                            "Effect": "Allow",
                            "Principal": {
                               "AWS": { 
                                    "Fn::Sub": "arn:$${AWS::Partition}:iam::$${AWS::AccountId}:root"    
                                }
                            },
                            "Action": "kms:*",
                            "Resource": "*"
                        },
                        {
                            "Sid": "Allows use of key",
                            "Effect": "Allow",
                            "Principal": {
                                "AWS": {
                                    "Fn::GetAtt": [
                                        "SchedulerRole",
                                        "Arn"
                                    ]
                                }
                            },
                            "Action": [
                                "kms:GenerateDataKey*",
                                "kms:Decrypt"
                            ],
                            "Resource": "*"
                        }
                    ]
                }
            }
        },

                "Code": {
                    "S3Bucket": {
                        "Fn::Join": [
                            "-",
                            [
                                "solutions",
                                {
                                    "Ref": "AWS::Region"
                                }
                            ]
                        ]
                    },
                    "S3Key": "aws-instance-scheduler/v1.3.1/instance-scheduler.zip"

The error :

Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [InstanceSchedulerEncryptionKey, SchedulerRule]. Rollback requested by user." "Resource creation cancelled" "Parameter arn:aws:lambda:us-gov-west-1:###########..:function:Schedule-InstanceSchedulerMain is not valid. Reason: Provided Arn is not in correct format. (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: ValidationException; Request ID: 37adac0c-6758-4b4f-ac86-0d0140742c80; Proxy: null)"]

Not sure if it's doable in GovCloud, but I am looking for potential solutions and found this: https://github.com/awslabs/aws-instance-scheduler/issues/11. I am testing it but no success yet. Please help!

Adding a new line:

Thank you all for the response. My issue was using the correct ARN (arn:aws-us-gov). I just applied the code and it's going through. Now I am getting the error below, and I am sure it's related to the policy/role on my S3. Please let me know what is wrong in my code below. Any thoughts?

The S3 code part:

      "SchedulerPolicy": {
            "Type": "AWS::IAM::Policy",
            "Metadata": {
                "cfn_nag": {
                    "rules_to_suppress": [
                        {
                            "id": "W12",
                            "reason": "All policies have been scoped to be as restrictive as possible. This solution needs to access ec2/rds resources across all regions."
                        }
                    ]
                }
            },
            "Properties": {
                "PolicyName": "SchedulerPolicy",
                "Roles": [
                    {
                        "Ref": "SchedulerRole"
                    }
                ],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Action": [
                                "logs:CreateLogGroup",
                                "logs:CreateLogStream",
                                "logs:PutLogEvents",
                                "logs:PutRetentionPolicy"
                            ],
                            "Resource": [
                                {
                                    "Fn::Join": [
                                        ":",
                                        [
                                            "arn:aws-us-gov:logs",
                                            {
                                                "Ref": "AWS::Region"
                                            },
                                            {
                                                "Ref": "AWS::AccountId"
                                            },
                                            "log-group",
                                            {
                                                "Ref": "SchedulerLogGroup"
                                            },
                                            "*"
                                        ]
                                    ]
                                },
                                {
                                    "Fn::Join": [
                                        ":",
                                        [
                                            "arn:aws-us-gov:logs",
                                            {
                                                "Ref": "AWS::Region"
                                            },
                                            {
                                                "Ref": "AWS::AccountId"
                                            },
                                            "log-group:/aws/lambda/*"
                                        ]
                                    ]
                                }
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "s3:GetObject",
                                "s3:PutObject"
                            ],
                            "Resource": [
                                "arn:aws-us-gov:s3:::instanceschedulertest",
                                "arn:aws-us-gov:s3:::instanceschedulertest/*"
                            ]
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "rds:DeleteDBSnapshot",
                                "rds:DescribeDBSnapshots",
                                "rds:StopDBInstance"
                            ],
                            "Resource": {
                                "Fn::Join": [
                                    ":",
                                    [
                                        "arn:aws-us-gov:rds:*",
                                        {
                                            "Ref": "AWS::AccountId"
                                        },
                                        "snapshot:*"
                                    ]
                                ]
                            }
                        },
                        {
                            "Effect": "Allow",
                            "Action": [
                                "rds:AddTagsToResource",
                                "rds:RemoveTagsFromResource",
                                "rds:DescribeDBSnapshots",
                                "rds:StartDBInstance",
                                "rds:StopDBInstance"

The error:

Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [Main]. Rollback requested by user." "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for solutions-us-gov-west-1/aws-instance-scheduler/v1.3.1/instance-scheduler.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 95db6874-d4ad-4499-95f7-f73777a6d4db; Proxy: null)"]

Thank you all for all the pointers I really appreciate your input.

kddiji
  • Could you please edit your question so that it forms a [mcve]? Right now it looks like you are missing some of the chunk of the Cloudformation stack that creates the Lambda function which is what it's erroring on so there's not enough information here to be sure what you've done wrong. – ydaetskcoR Feb 12 '21 at 19:01
  • The Lambda ARN seems wrong. As per the [documentation](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-arns.html#using-govcloud-arn-syntax-lambda) it should be something like this: `arn:aws-us-gov:lambda:account-id:function:function-name`, but in your error it is `arn:aws:lambda:us-gov-west-1:###########..:function:Schedule-InstanceSchedulerMain` – samtoddler Feb 12 '21 at 19:23
  • In your TF code which you linked here: [scheduler rule resource](https://github.com/Vinod1908/TestTerraform/blob/master/instanceScheduler.tf#L1420) and the policy [invoke policy](https://github.com/Vinod1908/TestTerraform/blob/master/instanceScheduler.tf#L1047). – samtoddler Feb 12 '21 at 19:25

1 Answer


The reason why it is failing is that you are forming the wrong ARN in your Terraform code.

In your repo, link

Replace the following lines with respect to Lambda: 1047, 1358, 1420, using "arn:aws-us-gov:lambda" instead of "arn:aws:lambda".

As per the AWS documentation, the ARN should be in this format: arn:aws-us-gov:lambda:account-id:function:function-name.

The answer to your question is to update the above-mentioned lines. But I am sure you will get errors with respect to other resources, as all the resources which you are creating are in the US region. So please update all the necessary Join function ARN lines which you are forming in your code. :)

bhavuk bhardwaj
  • You saved me :).. I also added a new comment to the question – kddiji Feb 15 '21 at 14:09
  • There are a couple of things to look at. First, check whether the zip file is there or not in S3. Even if it's not there, AWS returns Access Denied. Second, check your bucket policy permissions and its principal. Also check that these two lines are present: `"Resource": [ "arn:aws:s3:::BUCKET-NAME", "arn:aws:s3:::BUCKET-NAME/*" ]` – bhavuk bhardwaj Feb 15 '21 at 14:32
  • Refer to this :) https://stackoverflow.com/questions/35589641/aws-lambda-function-getting-access-denied-when-getobject-from-s3 – bhavuk bhardwaj Feb 15 '21 at 14:34
  • Thanks for your pointer. I just updated my code but still the same issue on the S3 side. I added the output of the code above. I will take any pointers, please – kddiji Feb 15 '21 at 18:27
  • Can you confirm that your hosted Lambda and S3 bucket are in the same region? If not, then please do it. – bhavuk bhardwaj Feb 15 '21 at 18:42
  • Yes, my region is `us-gov-west-1` and the only line where I had to make that update was line 551. Here is the repo I got the code from: https://github.com/Vinod1908/TestTerraform/blob/master/instanceScheduler.tf – kddiji Feb 15 '21 at 19:50
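As an added example (not code from the question, the answer, or the aws-instance-scheduler project), here is a small Python checker for the two template problems discussed in this thread: the hard-coded commercial partition in the Lambda ARNs that the answer tells you to replace line by line, and the `Fn::Join` of two S3 ARNs in the question's `SchedulerPolicy`. It walks a CloudFormation template held as JSON, reports every literal `arn:aws:` / `arn:aws-us-gov:` / `arn:aws-cn:` prefix, rewrites them to `Fn::Sub` with `${AWS::Partition}` so one template deploys unchanged in all three partitions, and flags any `Resource` built by joining whole ARNs into one string. `SAMPLE_TEMPLATE` and the resource names in it are constructed for the example and are assumptions.

```python
"""Partition-aware ARN check/fix for a CloudFormation template held as JSON.

Constructed example; SAMPLE_TEMPLATE and its resource names are assumptions
made for this illustration, not the aws-instance-scheduler template.
"""
import json
import re

# A literal partition at the head of an ARN (or of a Fn::Join head element).
LITERAL_PARTITION = re.compile(r"^arn:(aws|aws-us-gov|aws-cn):")


def find_literal_partitions(node, path="$"):
    """Return [(json_path, value)] for every string that hard-codes a partition.

    Strings already written as 'arn:${AWS::Partition}:...' do not match."""
    hits = []
    if isinstance(node, str):
        if LITERAL_PARTITION.match(node):
            hits.append((path, node))
    elif isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_literal_partitions(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_literal_partitions(value, f"{path}[{i}]"))
    return hits


def make_partition_aware(node, parent_key=None):
    """Return a copy of the tree with every literal partition replaced by
    {"Fn::Sub": "arn:${AWS::Partition}:..."}.  Fn::Join accepts Fn::Sub
    elements, and a string that is already the body of a Fn::Sub is rewritten
    in place rather than being wrapped a second time.  The input is not mutated."""
    if isinstance(node, str):
        fixed = LITERAL_PARTITION.sub("arn:${AWS::Partition}:", node)
        if fixed == node:
            return node
        return fixed if parent_key == "Fn::Sub" else {"Fn::Sub": fixed}
    if isinstance(node, dict):
        return {k: make_partition_aware(v, k) for k, v in node.items()}
    if isinstance(node, list):
        return [make_partition_aware(v, parent_key) for v in node]
    return node


def _as_text(part):
    """Plain string, or the body of a Fn::Sub; anything else is ignored."""
    if isinstance(part, dict) and isinstance(part.get("Fn::Sub"), str):
        return part["Fn::Sub"]
    return part if isinstance(part, str) else ""


def find_joined_resource_lists(node, path="$"):
    """Flag IAM 'Resource' values that Fn::Join several whole ARNs together.

    Fn::Join yields ONE string, so two ARNs joined with ':' become a single
    ARN that matches no bucket or object; 'Resource' must be a JSON list."""
    hits = []
    if isinstance(node, dict):
        res = node.get("Resource")
        join = res.get("Fn::Join") if isinstance(res, dict) else None
        if isinstance(join, list) and len(join) == 2 and isinstance(join[1], list):
            arns = [t for t in map(_as_text, join[1]) if t.startswith("arn:")]
            if len(arns) > 1:
                hits.append((f"{path}.Resource", arns))
        for key, value in node.items():
            hits.extend(find_joined_resource_lists(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_joined_resource_lists(value, f"{path}[{i}]"))
    return hits


SAMPLE_TEMPLATE = {  # constructed for this example
    "Resources": {
        "InvokePolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {  # literal commercial partition: breaks in GovCloud
                            "Effect": "Allow",
                            "Action": "lambda:InvokeFunction",
                            "Resource": {"Fn::Join": [":", [
                                "arn:aws:lambda", {"Ref": "AWS::Region"},
                                {"Ref": "AWS::AccountId"},
                                "function:Schedule-InstanceSchedulerMain"]]},
                        },
                        {  # two ARNs joined into one string (the S3 mistake)
                            "Effect": "Allow",
                            "Action": ["s3:GetObject"],
                            "Resource": {"Fn::Join": [":", [
                                "arn:aws-us-gov:s3:::instanceschedulertest",
                                "arn:aws-us-gov:s3:::instanceschedulertest/*"]]},
                        },
                        {  # already partition-aware: must be left untouched
                            "Effect": "Allow",
                            "Action": "kms:Decrypt",
                            "Resource": {"Fn::Sub":
                                "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*"},
                        },
                    ],
                }
            },
        }
    }
}

if __name__ == "__main__":
    for path, value in find_literal_partitions(SAMPLE_TEMPLATE):
        print(f"literal partition at {path}: {value}")
    for path, arns in find_joined_resource_lists(SAMPLE_TEMPLATE):
        print(f"Fn::Join of {len(arns)} ARNs at {path}; use a JSON list instead")
    print(json.dumps(make_partition_aware(SAMPLE_TEMPLATE), indent=2))
```

If the template is embedded in a Terraform heredoc or `templatefile`, the rewritten strings must be escaped as `$${AWS::Partition}`, exactly as the question's KMS key policy already does for `AWS::Partition` and `AWS::AccountId`. Note also that the second error in the question ("make sure your request credentials have permission to GetObject for solutions-us-gov-west-1/...") is raised while the Lambda service fetches the deployment package with the credentials deploying the stack; the `SchedulerPolicy` attached to `SchedulerRole` is the function's execution policy and does not govern that fetch, which is consistent with the final comment that only the `Code.S3Bucket` line needed changing.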