4

I am trying to create a CloudFormation stack using AWS Events to trigger an API call on a schedule. Most of the stack is working; however, the AWS::Events::ApiConnection is failing to create and I am not sure why.

This is the CF snippet that is failing (note: the API doesn't have any authentication yet; however, CloudFormation requires the AuthParameters property):

"CronServerApiConnection": {
      "Type": "AWS::Events::Connection",
      "Properties": {
        "Name": "api-connection",
        "AuthorizationType": "API_KEY",
        "AuthParameters": {
          "ApiKeyAuthParameters": {
            "ApiKeyName": "foo",
            "ApiKeyValue": "bar"
          }
        }
      }
    },

In the CloudFormation console this fails to create with the following error:

Resource handler returned message: "Error occurred during operation 'AWS::Events::Connection'." (RequestToken: xxxxxxxxxxxxxxxxx, HandlerErrorCode: GeneralServiceException)

I can't for the life of me figure this one out. From what I can see, my CF snippet matches exactly what AWS specify in their docs here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-connection.html

chinds

2 Answers

2

I ran into this issue myself a few weeks ago, and while looking for an answer I found this question unresolved, so I thought I would share the answer. The events API is not descriptive at all with any of the errors; in my case the issues were permissions related. While it is not clear in the documentation, the AWS::Events::Connection not only needs permissions for the events API but also for the secretsmanager API, since it will create some secrets for you under the hood. I solved this by adding full API permissions to the role creating the stack, but of course I scoped the permissions by the resource to avoid security issues, something like:

effects: "Allow"
actions: [
  "events:*",
  "secretsmanager:*"
]
resources: [
  "arn:aws:secretsmanager:<your region>:<your-account-id>:secret:events!connection/<yoursecretnameprefix>-*"
]

I will leave the addition of the event resource to you, but essentially it is the same, just scope by the ARN of your resource. The above is just an example; please replace the placeholders with the correct values.

r4cc00n
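
Added example (not part of the answer above): a small Python check showing that a statement pairing `events:*` with only a Secrets Manager ARN grants nothing for EventBridge until an events ARN is listed, and how it splits into one statement per service. The region, account ID, `api-` prefix and the connection ARN pattern are constructed placeholders and assumptions; `review` and `split_by_service` are hypothetical helper names.

```python
# Constructed sample: the answer's statement with its placeholders filled in.
ANSWER_STYLE = {
    "Effect": "Allow",
    "Action": ["events:*", "secretsmanager:*"],
    "Resource": ["arn:aws:secretsmanager:us-east-1:111122223333:secret:events!connection/api-*"],
}
# Assumed ARN pattern for the question's connection (name "api-connection").
CONNECTION_ARN = "arn:aws:events:us-east-1:111122223333:connection/api-connection/*"


def as_list(value):
    return value if isinstance(value, list) else [value]


def arn_service(arn):
    """Service field of an ARN; a bare '*' resource is returned as '*'."""
    if arn == "*":
        return "*"
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[2]


def review(stmt):
    """List actions that are unscoped or that no listed resource can match."""
    services = {arn_service(r) for r in as_list(stmt["Resource"])}
    findings = []
    for action in as_list(stmt["Action"]):
        svc = action.split(":", 1)[0]
        if "*" in services:
            findings.append(f"{action}: Resource '*' leaves it unscoped")
        elif svc not in services:
            findings.append(f"{action}: no {svc} ARN in Resource, so nothing is granted")
    return findings


def split_by_service(stmt, extra_resources=()):
    """One statement per action, each listing only its own service's ARNs."""
    resources = as_list(stmt["Resource"]) + list(extra_resources)
    out = []
    for action in as_list(stmt["Action"]):
        svc = action.split(":", 1)[0]
        own = [r for r in resources if arn_service(r) == svc]
        out.append({"Effect": stmt["Effect"], "Action": [action], "Resource": own})
    return out


if __name__ == "__main__":
    print(review(ANSWER_STYLE))
    for s in split_by_service(ANSWER_STYLE, [CONNECTION_ARN]):
        print(s, review(s))
```
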
0

In my case, I had a CF template which created a connection (AWS::Events::Connection) and a destination (AWS::Events::ApiDestination) and was receiving this error on the Destination resource.

What worked for me was including a DependsOn statement in the ApiDestination that referenced the connection, like so:

  ApiDestination:
    Type: AWS::Events::ApiDestination
    DependsOn: 
      - ApiConnection
    Properties:
      ConnectionArn: !GetAtt 
        - ApiConnection
        - Arn
      HttpMethod: POST
      InvocationEndpoint: !Ref DevUrl

Enrique Avina