Failure in CloudFormation template [CommandRunner] while running CLI command for CloudTrail

Hi Guys,

I am trying to run a CLI command to update a CloudTrail, but the stack is failing. The requirement is to apply advanced data event selectors to an existing CloudTrail.

Please find below details of CF template:

  1. CF template

AWSTemplateFormatVersion: 2010-09-09
Resources:
  UpdateTrail:
    Type: AWSUtility::CloudFormation::CommandRunner
    Properties:
      Role: ec2-role-name
      SubnetId: subnet-XXXXXXXXX
      LogGroup: log-group-name
      Command: aws cloudtrail put-event-selectors --trail-name XXXX --region XXXX --advanced-event-selectors....

  2. Error

Resource handler returned message: "Either the command failed to execute, the value written to /command-output.txt was invalid or the Subnet specified did not have internet access. The value written to /command-output.txt must be a non-empty single word value without quotation marks. Check cloud-init.log in the LogGroup specified for more information."

  3. CLI command

aws cloudtrail put-event-selectors --trail-name XXXX --region XXXX --advanced-event-selectors '[ { "Name": "S3EventSelector", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::S3::Object"] }, { "Field": "eventName", "Equals": ["PutObject","DeleteObject"] }, { "Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::XX","arn:aws:s3:::XX"] } ] } ]'

Note: The command runs successfully in the CLI. The prerequisites for CommandRunner are installed. Also, the subnet specified does have internet access.

I sense it might be an issue with the command format, or maybe something else. Any assistance would be appreciated.

Thanks

Pradnya
Asked a year ago, 540 views
1 answer
Hello, as indicated here, you must write the command's output to a reserved file called /command-output.txt. Now, per the code, the above error can occur if SSM PutParameter failed due to an invalid value in /command-output.txt.

I tested the template in my lab and noticed the PutParameter event in CloudTrail failed with the following error:

"1 validation error detected: Value at 'value' failed to satisfy constraint: Member must have length greater than or equal to 1."

Then, I observed the following error in a log named i-****/cloud-init-output.log in the CloudWatch log group that I configured using the LogGroup property of the AWSUtility::CloudFormation::CommandRunner resource type.

aws: error: argument --event-selectors is required
Contents of /command-output.txt =

As seen above, the contents of /command-output.txt are empty.

This --event-selectors argument error occurs if the session uses AWS CLI v1 and is not seen in AWS CLI v2. I observed that the Amazon Linux AMI used by CommandRunner does not have the latest version of the AWS CLI installed at present, therefore we need to update the AWS CLI on the instance to successfully execute the above put-event-selectors command. I used the following snippet to fix the issue:

....
Resources:
  CommandRunner:
    Type: 'AWSUtility::CloudFormation::CommandRunner'
    Properties:
      Command: >-
        curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip";
        unzip awscliv2.zip;
        sudo ./aws/install;
        aws --version;
        aws cloudtrail put-event-selectors --trail-name XXX --region XXXX --advanced-event-selectors '[ { "Name": "S3EventSelector", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::S3::Object"] }, { "Field": "eventName", "Equals": ["PutObject","DeleteObject"] }, { "Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::XX","arn:aws:s3:::XXX"] } ] } ]' --output text > /command-output.txt
      Role: yourrole
      LogGroup: log-group-name

Hope it helps!

AWS
Support Engineer
Answered a year ago
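As an added example (not code from the question or the answer above), the following wrapper shows one way to make the Command property robust against the failure mode discussed here: it parses the installed CLI major version, runs put-event-selectors, and always writes a fixed single-word status token to /command-output.txt instead of the command's own output, so a CLI failure surfaces as a readable token rather than an empty file. The function names, the `OUT_FILE` override, and treating CLI major version 2 as sufficient (as the answer found) are assumptions.

```shell
#!/bin/sh
# Added example: wrapper for the CommandRunner Command property.
# CommandRunner requires a non-empty, single-word, unquoted value in
# /command-output.txt; an empty file produces the generic stack failure
# quoted in the question.

OUT_FILE="${OUT_FILE:-/command-output.txt}"   # overridable for local testing

# Return 0 only if $1 is a value CommandRunner will accept.
is_valid_output() {
  case "$1" in
    "")            return 1 ;;   # empty
    *[[:space:]]*) return 1 ;;   # more than one word
    *\"*|*\'*)     return 1 ;;   # contains quotation marks
    *)             return 0 ;;
  esac
}

# Extract the major version from an "aws --version" line, e.g.
# "aws-cli/2.13.25 Python/3.11.6 ..." -> 2; prints nothing if unparseable.
parse_aws_major() {
  printf '%s\n' "$1" | sed -n 's/^aws-cli\/\([0-9][0-9]*\)\..*/\1/p'
}

# Major version of the aws CLI on PATH; 0 if missing or unparseable.
aws_major_version() {
  command -v aws >/dev/null 2>&1 || { echo 0; return; }
  v=$(parse_aws_major "$(aws --version 2>&1)")
  echo "${v:-0}"
}

# Run the given command, log its output, and write SUCCESS or FAILED_<rc>
# as the single-word result. Prints the token and returns the command's rc.
run_and_report() {
  "$@" >/tmp/cmd.log 2>&1
  rc=$?
  if [ "$rc" -eq 0 ]; then status=SUCCESS; else status="FAILED_$rc"; fi
  is_valid_output "$status" || status=INVALID
  printf '%s\n' "$status" > "$OUT_FILE"
  echo "$status"
  return "$rc"
}

# Assumption (per the answer above): v2 is needed for --advanced-event-selectors.
# Intended invocation from the Command property, with TRAIL_NAME, AWS_REGION and
# /tmp/selectors.json supplied by the template (hypothetical names):
#   [ "$(aws_major_version)" -ge 2 ] || { echo CLI_V2_REQUIRED > "$OUT_FILE"; exit 1; }
#   run_and_report aws cloudtrail put-event-selectors --trail-name "$TRAIL_NAME" \
#     --region "$AWS_REGION" --advanced-event-selectors "$(cat /tmp/selectors.json)"
```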
