cloudformation-cli
AWS::IoT::TopicRuleDestination fails with "Internal Error"
To reproduce, use the following template:
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VPC:
    Type: AWS::EC2::VPC::Id
  Subnet:
    Type: AWS::EC2::Subnet::Id
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      Description: Role which IoT will assume to send data to MSK
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: iot.amazonaws.com
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: VPCDestinationPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "ec2:CreateNetworkInterface"
                  - "ec2:DescribeNetworkInterfaces"
                  - "ec2:CreateNetworkInterfacePermission"
                  - "ec2:DeleteNetworkInterface"
                  - "ec2:DescribeSecurityGroups"
                  - "ec2:DescribeSubnets"
                  - "ec2:DescribeVpcs"
                  - "ec2:DescribeVpcAttribute"
                Resource: "*"
  VPCDestination:
    Type: AWS::IoT::TopicRuleDestination
    Properties:
      VpcProperties:
        RoleArn: !GetAtt Role.Arn
        SubnetIds:
          - !Ref Subnet
        VpcId: !Ref VPC
        # SecurityGroups: []
```
Attempt to create the stack:
```sh
aws cloudformation create-stack \
  --stack-name bug \
  --template-body file://bug.yml \
  --capabilities CAPABILITY_IAM \
  --parameters ParameterKey=VPC,ParameterValue=<id of some existing vpc> ParameterKey=Subnet,ParameterValue=<id of some subnet in that vpc>
```
It fails when attempting to create the TopicRuleDestination with the message:
```
Internal error reported from downstream service during operation 'CreateTopicRuleDestination'.
```
Looking in CloudTrail event history, I can see a similarly vague error message from the CreateTopicRuleDestination call:
```json
{
  ...
  "errorCode": "InternalFailure",
  "errorMessage": "An unknown error occurred",
  "responseElements": null,
  ...
}
```
If you uncomment the last line of the above template, the stack creation succeeds. I would hazard a guess that this is some kind of schema validation error that is being hidden. The documentation states that the SecurityGroups property is not required.
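Because the failure only surfaces as an opaque "Internal Error" at stack creation, a pre-deploy check that flags the missing property is a cheap guard. The following is an added example, not code from this report or from cloudformation-cli: it scans a template in CloudFormation's JSON form (the constructed sample mirrors the `VPCDestination` resource above, with and without `SecurityGroups`) and reports any `AWS::IoT::TopicRuleDestination` whose `VpcProperties` omit `SecurityGroups`.

```python
"""Pre-deploy lint: report AWS::IoT::TopicRuleDestination resources whose
VpcProperties omit SecurityGroups, the condition this issue associates
with the opaque 'Internal error ... CreateTopicRuleDestination' failure.
Added example; not part of cloudformation-cli."""
import json

TARGET_TYPE = "AWS::IoT::TopicRuleDestination"


def find_missing_security_groups(template: dict) -> list:
    """Return logical IDs of TopicRuleDestinations that have VpcProperties
    but no SecurityGroups key (HTTP destinations have no VpcProperties and
    are skipped)."""
    flagged = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != TARGET_TYPE:
            continue
        props = resource.get("Properties") or {}
        vpc_props = props.get("VpcProperties")
        if vpc_props is not None and "SecurityGroups" not in vpc_props:
            flagged.append(logical_id)
    return flagged


def check_template_json(text: str) -> list:
    """Parse a JSON-form template and run the check."""
    return find_missing_security_groups(json.loads(text))


# Constructed sample: JSON form of the VPCDestination resource from this
# report (missing SecurityGroups) beside a copy carrying the workaround.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "VPCDestination": {"Type": TARGET_TYPE, "Properties": {"VpcProperties": {
            "RoleArn": {"Fn::GetAtt": ["Role", "Arn"]},
            "SubnetIds": [{"Ref": "Subnet"}],
            "VpcId": {"Ref": "VPC"}}}},
        "FixedDestination": {"Type": TARGET_TYPE, "Properties": {"VpcProperties": {
            "RoleArn": {"Fn::GetAtt": ["Role", "Arn"]},
            "SubnetIds": [{"Ref": "Subnet"}],
            "VpcId": {"Ref": "VPC"},
            "SecurityGroups": []}}},
    },
})

if __name__ == "__main__":
    for rid in check_template_json(SAMPLE_TEMPLATE):
        print(f"{rid}: VpcProperties lacks SecurityGroups; add 'SecurityGroups: []'")
```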