0
votes

I am attempting to implement this template in a test environment on AWS: https://github.com/awslabs/hids-cloudwatchlogs-elasticsearch-template

I've performed the following steps:

  1. Create SSH Key Pair and select it
  2. Create S3 bucket
  3. Add zipped Lambda deployment package to S3 bucket
  4. Specify S3 bucket in configuration
  5. Select the test VPC
  6. Select the test Subnet
  7. Configure the Trusted Network CIDR
  8. Subnet is active with other test instances running
  9. Default VPC Security Group allows all outbound traffic
  10. Execute the template with defaults for one test and then another test using an AWS role that has the built-in AdministratorAccess policy assigned (I understand this is not the best practice; I just need the Stack created before scaling back permissions in this test environment)

I keep getting the following error:

17:02:50 UTC-0700 ROLLBACK_IN_PROGRESS AWS::CloudFormation::Stack HIDS The following resource(s) failed to create: [HIDSLinuxHost02, HIDSLinuxHost01]. . Rollback requested by user.
17:02:49 UTC-0700 CREATE_FAILED AWS::EC2::Instance HIDSLinuxHost02 Resource creation cancelled
17:02:48 UTC-0700 CREATE_FAILED AWS::EC2::Instance HIDSLinuxHost01 Failed to receive 1 resource signal(s) within the specified duration Physical ID:i-0ee21727a8f28d057 Client Request Token:Console-CreateStack-3bce5b46-9677-4c8e-99c6-687b7e03f51b

Any ideas on why this might occur?

1
Looks like CloudFormation is waiting for a notification from that EC2 instance, which would normally be sent by cfn-signal at the end of the userdata bootstrapping script. I'd check the networking configuration of the existing VPC that you're launching these HIDS instances into. At a guess they're failing to reach some resource over the network, resulting in timeout. - jarmod

Thank you, @jarmod. I will follow that path and report back. I appreciate the assistance. - Scott

I can see nothing wrong with the network configuration or Security Groups. We have other test machines on that subnet that work fine, can access the Internet (although they have their own Security Groups), etc. - Scott

If you re-run the template, is it 100% reproducible? - jarmod

Yes, it is 100% reproducible. - Scott

1 Answer

1
votes

@jarmod assisted me down the right path. NAT wasn't configured properly so the EC2 instances were not able to traverse the router. Thank you @jarmod.
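The root cause above (instances in a subnet with no working NAT route, so cfn-signal never reaches CloudFormation) can be checked before launching a stack by inspecting the subnet's effective route table. The following is an added example, not code from the question, the answer, or the awslabs template; it assumes route-table data in the shape returned by boto3's `ec2.describe_route_tables()`, and the VPC, subnet and gateway IDs in the sample are constructed.

```python
"""Check whether a subnet has a usable default route (NAT gateway, NAT instance or IGW).

Without such a route the instance cannot reach the CloudFormation endpoint, and the
stack fails with "Failed to receive N resource signal(s) within the specified duration".
"""


def effective_route_table(route_tables, subnet_id, vpc_id):
    """Return the route table that applies to subnet_id.

    An explicit subnet association wins; otherwise the VPC's main table applies.
    """
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(route_table):
    """Return (kind, target_id) for the active 0.0.0.0/0 route, or None.

    A 'blackhole' route (e.g. NAT gateway deleted) is treated as no route.
    An 'igw' result only helps instances that also have a public IP.
    """
    if route_table is None:
        return None
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" or r.get("State") != "active":
            continue
        if "NatGatewayId" in r:
            return ("nat", r["NatGatewayId"])
        if r.get("GatewayId", "").startswith("igw-"):
            return ("igw", r["GatewayId"])
        if "InstanceId" in r:
            return ("nat-instance", r["InstanceId"])
    return None


def has_outbound_path(route_tables, subnet_id, vpc_id):
    """True if the subnet's effective route table has a live default route."""
    return default_route_target(effective_route_table(route_tables, subnet_id, vpc_id)) is not None


# Constructed sample data (shape of describe_route_tables()["RouteTables"]).
# rtb-private's NAT route is a blackhole, mirroring a misconfigured NAT.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-test", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-test", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "blackhole"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-test", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
]
```

Against live data, pass `ec2.describe_route_tables()["RouteTables"]` with the subnet and VPC IDs chosen in the template parameters; a `None` result for the HIDS subnet explains the signal timeout before the stack is created.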