I am creating a cloudformation stack to generate aws instance scheduler in aws gov cloud via TF. The goal is to start/stop ec2 based on tags. Many ways to achieve it but I have to use terraform and cloudformation. Here is the repo --> https://github.com/Vinod1908/TestTerraform/blob/master/instanceScheduler.tf
Below is the part of the code where I think I am blocked:
"InstanceSchedulerEncryptionKey": {
  "Type": "AWS::KMS::Key",
  "Properties": {
    "Description": "Key for SNS",
    "Enabled": true,
    "EnableKeyRotation": true,
    "KeyPolicy": {
      "Statement": [
        {
          "Sid": "default",
          "Effect": "Allow",
          "Principal": {
            "AWS": {
              "Fn::Sub": "arn:$${AWS::Partition}:iam::$${AWS::AccountId}:root"
            }
          },
          "Action": "kms:*",
          "Resource": "*"
        },
        {
          "Sid": "Allows use of key",
          "Effect": "Allow",
          "Principal": {
            "AWS": {
              "Fn::GetAtt": [
                "SchedulerRole",
                "Arn"
              ]
            }
          },
          "Action": [
            "kms:GenerateDataKey*",
            "kms:Decrypt"
          ],
          "Resource": "*"
        }
      ]
    }
  }
},

"Code": {
  "S3Bucket": {
    "Fn::Join": [
      "-",
      [
        "solutions",
        {
          "Ref": "AWS::Region"
        }
      ]
    ]
  },
  "S3Key": "aws-instance-scheduler/v1.3.1/instance-scheduler.zip"
The error:
Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [InstanceSchedulerEncryptionKey, SchedulerRule]. Rollback requested by user." "Resource creation cancelled" "Parameter arn:aws:lambda:us-gov-west-1:###########..:function:Schedule-InstanceSchedulerMain is not valid. Reason: Provided Arn is not in correct format. (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: ValidationException; Request ID: 37adac0c-6758-4b4f-ac86-0d0140742c80; Proxy: null)"]
Not sure if it's doable in gov cloud but I am looking for potential solutions and found this https://github.com/awslabs/aws-instance-scheduler/issues/11. I am testing it but have had no success yet. Please help!
Adding a new line:
Thank you all for the response. My issue was using the correct ARN, arn:aws-us-gov.
I just applied the code and it's going through. Now I am getting the error below and I am sure it's related to the policy/role on my S3. Please let me know what is wrong in my code below. Any thoughts?
The S3 code part:
"SchedulerPolicy": {
  "Type": "AWS::IAM::Policy",
  "Metadata": {
    "cfn_nag": {
      "rules_to_suppress": [
        {
          "id": "W12",
          "reason": "All policies have been scoped to be as restrictive as possible. This solution needs to access ec2/rds resources across all regions."
        }
      ]
    }
  },
  "Properties": {
    "PolicyName": "SchedulerPolicy",
    "Roles": [
      {
        "Ref": "SchedulerRole"
      }
    ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:PutRetentionPolicy"
          ],
          "Resource": [
            {
              "Fn::Join": [
                ":",
                [
                  "arn:aws-us-gov:logs",
                  {
                    "Ref": "AWS::Region"
                  },
                  {
                    "Ref": "AWS::AccountId"
                  },
                  "log-group",
                  {
                    "Ref": "SchedulerLogGroup"
                  },
                  "*"
                ]
              ]
            },
            {
              "Fn::Join": [
                ":",
                [
                  "arn:aws-us-gov:logs",
                  {
                    "Ref": "AWS::Region"
                  },
                  {
                    "Ref": "AWS::AccountId"
                  },
                  "log-group:/aws/lambda/*"
                ]
              ]
            }
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:*"
          ],
          "Resource": [
            "arn:aws-us-gov:s3:::instanceschedulertest",
            "arn:aws-us-gov:s3:::instanceschedulertest/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "rds:DeleteDBSnapshot",
            "rds:DescribeDBSnapshots",
            "rds:StopDBInstance"
          ],
          "Resource": {
            "Fn::Join": [
              ":",
              [
                "arn:aws-us-gov:rds:*",
                {
                  "Ref": "AWS::AccountId"
                },
                "snapshot:*"
              ]
            ]
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "rds:AddTagsToResource",
            "rds:RemoveTagsFromResource",
            "rds:DescribeDBSnapshots",
            "rds:StartDBInstance",
            "rds:StopDBInstance"
The error:
Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [Main]. Rollback requested by user." "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for solutions-us-gov-west-1/aws-instance-scheduler/v1.3.1/instance-scheduler.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 95db6874-d4ad-4499-95f7-f73777a6d4db; Proxy: null)"]
Thank you all for all the pointers I really appreciate your input.
arn:aws-us-gov:lambda:account-id:function:function-name
but in your error it shows arn:aws:lambda:us-gov-west-1:###########..:function:Schedule-InstanceSchedulerMain
– samtoddler
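The partition mismatch pointed out above (a hard-coded arn:aws in a template deployed to us-gov-west-1) can be caught before terraform apply. The Python check below is an added example, not code from the question, the comment or the aws-instance-scheduler project: it walks the rendered CloudFormation template (after Terraform has turned `$${` into `${`), flattens Ref and Fn::Join into Fn::Sub-style strings, and reports every ARN whose partition disagrees with the region it names or with the deployment region. The SAMPLE template, its logical ids and the account id are constructed for illustration.

```python
import re

# ARN prefix arn:partition:service:region: (partition and region may still be pseudo-parameters)
ARN_RE = re.compile(r"arn:(?P<partition>\$\{AWS::Partition\}|aws[a-z-]*):[a-z0-9-]*"
                    r":(?P<region>\$\{AWS::Region\}|[a-z0-9*-]*):")

def render(node):
    # Collapse Ref / Fn::Join into one Fn::Sub-style string when every part is static
    if isinstance(node, dict) and len(node) == 1:
        fn, arg = next(iter(node.items()))
        if fn == "Ref" and isinstance(arg, str):
            return "${" + arg + "}"
        if fn == "Fn::Join" and isinstance(arg, list) and len(arg) == 2:
            parts = [p if isinstance(p, str) else render(p) for p in arg[1]]
            if all(isinstance(p, str) for p in parts):
                return arg[0].join(parts)
    return None

def iter_strings(node, path=""):
    # Yield (json-path, text) for every string leaf, rendering intrinsics first
    text = node if isinstance(node, str) else render(node)
    if text is not None:
        yield path, text
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{i}]")

def find_partition_mismatches(template, deploy_region):
    # Yield (json-path, arn_prefix, expected_partition) for every ARN whose partition is wrong
    for path, text in iter_strings(template):
        for m in ARN_RE.finditer(text):
            partition, region = m.group("partition"), m.group("region")
            region = deploy_region if region == "${AWS::Region}" else region
            if partition == "${AWS::Partition}" or region in ("", "*"):
                continue  # portable ARN, or global service / wildcard region: nothing to infer
            want = "aws-us-gov" if region.startswith("us-gov-") else "aws"
            if partition != want:
                yield path, m.group(0), want

# Constructed sample (not the asker's template), reduced to the three ARN shapes that matter
SAMPLE = {"Resources": {
    "RuleTarget": {"Arn": "arn:aws:lambda:us-gov-west-1:111122223333:function:Schedule-InstanceSchedulerMain"},
    "KeyPrincipal": {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"},
    "LogArn": {"Fn::Join": [":", ["arn:aws-us-gov:logs", {"Ref": "AWS::Region"}, {"Ref": "AWS::AccountId"},
                                  "log-group", {"Ref": "SchedulerLogGroup"}, "*"]]}}}
```

Run against a GovCloud deployment region the sample yields only the hard-coded Lambda ARN; run against us-east-1 it also flags the log-group ARN pinned to arn:aws-us-gov, which is why `${AWS::Partition}` is the portable choice.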