aws-cloudformation - AWS 云形成 : How to get details on status reason in Events tab?

Question

当 AWS CF 只提供很少的关于失败原因的信息时，调试我的 CF 模板是非常令人沮丧且不可能的。

例如:

23:27:52 UTC-0700 CREATE_FAILED AWS::IAM::Role PeerRole 资源创建已取消

是否没有其他方法可以准确找出资源被取消的原因？这就是我必须处理的全部内容，但还不足以确定发生这种情况的原因。

"PeerRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {
            "Statement": [ {
                "Effect": "Allow",
                "Principal": { "Service": [ "ec2.amazonaws.com" ] },
                "Action": [ "sts:AssumeRole" ]
            } ]
        },
        "Path": "/",
        "Policies": [ {
            "PolicyName" : "PeerPrivs",
            "PolicyDocument" : {
                "Statement" : [{
                    "Effect" : "Allow",
                    "Action": [ "cloudwatch:PutMetricData", "cloudwatch:PutMetricDataBatch" ],
                    "Resource" : "*"
                },{
                    "Effect" : "Allow",
                    "Action" : [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Scan", "dynamodb:Query" ],
                    "Resource" : { "Fn::Join" : [ "", [ "arn:aws:dynamodb:*:", { "Ref" : "AWS::AccountId" }, ":table/", { "Fn::FindInMap" : [ "stage", { "Ref" : "Stage" }, "ddbTable" ] } ] ]}
                }]
            }
        }]
    }
}

    "PeerInstanceProfile": {
        "Type": "AWS::IAM::InstanceProfile",
        "Properties": {
            "Path": "/",
            "Roles": [{ "Ref": "PeerRole" }]
        }
    },

Answer 1

错误资源创建已取消的意思是——资源的创建已被取消。发生这种情况的典型原因有两个:

1. 响应用户向 cancel the stack update 发起的请求.
2. 如果由于资源更新失败而自动取消堆栈更新。根据documentation ,

If a resource update fails, AWS CloudFormation rolls back any resources that it has updated during the upgrade to their configurations before the update.

因此，假设您自己没有手动取消堆栈更新，那么导致堆栈创建/更新失败的根本错误实际上是在不同的资源中。在管理控制台的Events 选项卡中查看堆栈事件历史记录或 using the CLI ，并查找在发布示例错误之前发生的 CREATE_FAILED 事件，您将找到导致堆栈创建失败的实际资源(这可能与AWS::IAM::Role 资源本身)。