AWS log forwarder CloudFormation template intermittently fails to deploy because it can't get the role ARN #800

Open
JohnLudlow opened this issue Jun 4, 2024 · 0 comments


JohnLudlow commented Jun 4, 2024

Describe what happened:
On a new environment, deployment of our datadog-forwarder failed with the following error:

Unable to retrieve Arn attribute for AWS::IAM::Role, with error message The role with name datadog-forwarder-ForwarderRole-xxxxx cannot be found. (Service: Iam, Status Code: 404, Request ID: <guid>)

In the CloudFormation events we can see the ForwarderRole creation succeeded, and the Forwarder creation failed saying it couldn't find the role.

Describe what you expected:
I expected the deployment to complete successfully

Steps to reproduce the issue:

  1. Prepare an empty AWS account

  2. Prepare a deployment as described in the docs.

     // Pulumi C# example based on our deployment, which was based on the above docs
    
     var cloudFormationStack = new PulumiAwsCloudFormation.Stack(
         "datadog-forwarder",
         new()
         {
             Name = "datadog-forwarder",
             Capabilities = { "CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND" },
             TemplateUrl = "https://datadog-cloudformation-template.s3.amazonaws.com/aws/forwarder/latest.yaml",
    
             Parameters =
             {
                 ["DdApiKeySecretArn"]   = dataDogApiKeySecretArn,
                 ["DdSite"]              = "datadoghq.eu",
                 ["DdTags"]              = $"env:{Configuration.Company}-{Configuration.Environment},envkey:{Configuration.EnvKey},version:{Configuration.LambdaVersion},release:{Configuration.Release}",
                 ["DdFetchLambdaTags"]   = "true",
                 ["DdFetchLogGroupTags"] = "true",
                 ["FunctionName"]        = "datadog-forwarder",
             }
         }
     );
    
  3. Run the deployment

  4. Observe the failure

Workaround

  • Destroy the stack and redeploy. The issue is intermittent, so it might work the second time.

IMPORTANT

This is highly intermittent. You may need to try this a few times to reproduce it.

Notes from investigation

We noticed the template has this element:

image

We think this should depend on ForwarderRole

Resources:
  Forwarder:
    Type: AWS::Lambda::Function
    DependsOn: 
      - ForwarderZipReady
      - ForwarderRole