How to debug your CloudFormation stack for an ASK CLI (Version 2) error


    When we deployed our own Alexa Skill backend with AWS CloudFormation, we got a deployment error from the ASK CLI.

      ✖ Deploy Alexa skill infrastructure for region "default"
    [Error]: The CloudFormation deploy failed for Alexa region "default" for the reasons: 

    We can check the CloudFormation error in two ways.

    1: Use AWS CLI to validate your template

    The AWS CLI has a validate-template command, so we can check the template syntax easily.

    % aws cloudformation validate-template --template-body file://infrastructure/cfn-deployer/skill-stack.yaml
    
    An error occurred (ValidationError) when calling the ValidateTemplate operation: Template format error: Unrecognized resource types: [AWS::IAM::Role1]

    The example tells us that the template has an invalid resource type, AWS::IAM::Role1. So we have to fix the resource type to AWS::IAM::Role.

    After the fix, the validation command passes.

    % aws cloudformation validate-template --template-body file://infrastructure/cfn-deployer/skill-stack.yaml
    {
        "Parameters": [
            {
                "ParameterKey": "LambdaHandler",
                "NoEcho": false
            },
            {
                "ParameterKey": "CodeBucket",
                "NoEcho": false
            },
            {
                "ParameterKey": "CodeKey",
                "NoEcho": false
            },
            {
                "ParameterKey": "CodeVersion",
                "NoEcho": false
            },
            {
                "ParameterKey": "SkillId",
                "NoEcho": false
            },
            {
                "ParameterKey": "LambdaRuntime",
                "NoEcho": false
            }
        ],
        "Capabilities": [
            "CAPABILITY_IAM"
        ],
        "CapabilitiesReason": "The following resource(s) require capabilities: [AWS::IAM::Role]"
    }

    2: Get CloudFormation events with the AWS CLI and jq

    The AWS CLI can get the stack update events.

    The ASK CLI stores the stack ID in .ask/ask-states.json, so we can get the failure event with the following command.

    % aws cloudformation describe-stack-events \
        --stack-name "$(cat .ask/ask-states.json | jq -r '.profiles.default.skillInfrastructure["@ask-cli/cfn-deployer"].deployState.default.stackId')" | \
        jq '.StackEvents[] | select(.ResourceStatus == "UPDATE_FAILED")'
    {
      "StackId": "arn:aws:cloudformation:us-east-1:9999999:stack/example-skill-default-skillStack-1587380830650/1e4f54f0-82f7-11ea-86a4-0eb40de15aba",
      "EventId": "AlexaSkillIAMRole-UPDATE_FAILED-2020-04-20T11:41:55.871Z",
      "StackName": "example-skill-default-skillStack-1587380830650",
      "LogicalResourceId": "AlexaSkillIAMRole",
      "PhysicalResourceId": "example-skill-default-skillSta-AlexaSkillIAMRole-YFXEA2L5SOA4",
      "ResourceType": "AWS::IAM::Role",
      "Timestamp": "2020-04-20T11:41:55.871Z",
      "ResourceStatus": "UPDATE_FAILED",
      "ResourceStatusReason": "Resource arn:aws:s3:*:*:* can not contain region information. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: a7194a5d-6c32-47e3-ad53-f0ae70269a1e)",
      "ResourceProperties": "{\"Path\":\"/\",\"Policies\":[{\"PolicyName\":\"alexaExternalPolicy1\",\"PolicyDocument\":{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"s3:GetObject\"],\"Resource\":\"arn:aws:s3:*:*:*\",\"Effect\":\"Allow\"}]}},{\"PolicyName\":\"alexaSkillExecutionPolicy\",\"PolicyDocument\":{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"logs:*\"],\"Resource\":\"arn:aws:logs:*:*:*\",\"Effect\":\"Allow\"}]}}],\"AssumeRolePolicyDocument\":{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"sts:AssumeRole\"],\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"lambda.amazonaws.com\"]}}]}}"
    }

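    ResourceStatusReason gives the reason for the failure.

    In this case, the reason is "Resource arn:aws:s3:*:*:* can not contain region information". S3 bucket ARNs leave the region and account fields empty, as in arn:aws:s3:::*, so we have to fix the Resource definition in the policy.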
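The same triage can be scripted. The following is an added example, not code from the original post or from the ASK CLI: it reads describe-stack-events output, keeps the failed events (CREATE_FAILED and DELETE_FAILED as well as UPDATE_FAILED, which goes beyond the single case above), and decodes ResourceProperties to point at the inline policy whose S3 ARN carries a region. The sample data, the AlexaSkillFunction resource and all function names are constructed; S3 access point ARNs are skipped on the assumption that they legitimately contain a region.

```python
import json

FAILED = {"CREATE_FAILED", "UPDATE_FAILED", "DELETE_FAILED"}

def policy_entry(name, action, resource):
    """Build one inline policy in the shape CloudFormation reports it (helper for the sample)."""
    return {"PolicyName": name, "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Action": [action], "Resource": resource, "Effect": "Allow"}]}}

# Constructed sample in the shape of `describe-stack-events` output (not real data).
# ResourceProperties is itself JSON encoded as a string, as in the CLI output.
SAMPLE = {"StackEvents": [
    {"LogicalResourceId": "AlexaSkillIAMRole", "ResourceStatus": "UPDATE_FAILED",
     "ResourceStatusReason": "Resource arn:aws:s3:*:*:* can not contain region information.",
     "ResourceProperties": json.dumps({"Policies": [
         policy_entry("alexaExternalPolicy1", "s3:GetObject", "arn:aws:s3:*:*:*"),
         policy_entry("alexaSkillExecutionPolicy", "logs:*", "arn:aws:logs:*:*:*")]})},
    {"LogicalResourceId": "AlexaSkillFunction", "ResourceStatus": "UPDATE_COMPLETE"},
]}

def as_list(value):
    """IAM accepts either a single value or a list for Statement and Resource."""
    return value if isinstance(value, list) else [value]

def s3_region_arns(resource_properties):
    """Return (policy name, ARN) for S3 bucket/object ARNs with a non-empty region field."""
    found = []
    for policy in json.loads(resource_properties).get("Policies", []):
        for stmt in as_list(policy["PolicyDocument"]["Statement"]):
            for arn in as_list(stmt.get("Resource", [])):
                parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
                if (len(parts) == 6 and parts[2] == "s3" and parts[3]
                        and not parts[5].startswith("accesspoint")):  # assumption: skip access points
                    found.append((policy["PolicyName"], arn))
    return found

def diagnose(events):
    """For each failed event, return its logical ID, its reason, and any offending S3 ARNs."""
    return [(e["LogicalResourceId"], e.get("ResourceStatusReason", ""),
             s3_region_arns(e.get("ResourceProperties", "{}")))
            for e in events["StackEvents"] if e["ResourceStatus"] in FAILED]

if __name__ == "__main__":
    for logical_id, reason, arns in diagnose(SAMPLE):
        print(logical_id, "->", reason)
        for policy_name, arn in arns:
            print(f"  {policy_name}: {arn} (bucket ARNs look like arn:aws:s3:::bucket/key)")
```

Scoping the corrected Resource to the bucket the skill actually reads, rather than arn:aws:s3:::*, keeps the role closer to least privilege.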

    Optional: use ask deploy --debug

    ask deploy has a --debug option. With it, we can check the deployment progress in the CLI output.
