Datazone CloudFormation Region Enablement Error In Env Blueprint Configuration


Hello All,

I am running into the following error thrown by DataZone when I am attempting to create a Data Zone Domain/Project/Environment Profile/Environment via CloudFormation. It states I need to explicitly enable regions but I have already done so in the code. I would appreciate any guidance or possible pointers!

Error: Resource handler returned message: "Environment DataZoneStackCF with id REDACTED and domain id REDACTED failed to stabilize due to internal failure, last deployment status Deployment(DeploymentId=REDACTED, DeploymentStatus=FAILED, DeploymentType=CREATE, FailureReason=EnvironmentError(Code=400, Message=Environment blueprint configuration needs to enable atleast one region), IsDeploymentComplete=true)" (RequestToken: REDACTED, HandlerErrorCode: NotStabilized)

CF Template in Question:

AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template for creating an Amazon Data Zone Domain, Project, Environment Blueprint, Environment Profile, and Environment with parameterized inputs

Parameters:
  DomainName:
    Type: String
    Description: The name of the Data Zone domain
  DomainDescription:
    Type: String
    Description: A description for the Data Zone domain
  ProjectName:
    Type: String
    Description: The name of the Data Zone project
  EnvProfileName:
    Type: String
    Description: The name of the environment profile (Data Lake Blueprint)
  EnvironmentName:
    Type: String
    Description: The name of the Data Zone environment
  DataZoneDomainExecutionRoleArn:
    Type: String
    Description: The ARN of the existing service role for Data Zone domain execution

Resources:
  DataZoneDomain:
    Type: AWS::DataZone::Domain
    Properties:
      Name: !Ref DomainName
      Description: !Ref DomainDescription
      DomainExecutionRole: !Ref DataZoneDomainExecutionRoleArn

  DataZoneProject:
    Type: AWS::DataZone::Project
    Properties:
      Name: !Ref ProjectName
      Description: !Ref DomainDescription
      DomainIdentifier: !GetAtt DataZoneDomain.Id
    DependsOn: DataZoneDomain

  DataZoneEnvBlueprint:
    Type: AWS::DataZone::EnvironmentBlueprintConfiguration
    Properties:
      EnabledRegions:
        - us-east-1
        - us-east-2
        - us-west-1
        - us-west-2
      DomainIdentifier: !GetAtt DataZoneDomain.Id
      EnvironmentBlueprintIdentifier: DefaultDataLake
    DependsOn: DataZoneDomain

  DataZoneEnvProfile:
    Type: AWS::DataZone::EnvironmentProfile
    Properties:
      Name: !Ref EnvProfileName
      ProjectIdentifier: !GetAtt DataZoneProject.Id
      AwsAccountId: !Ref AWS::AccountId
      AwsAccountRegion: us-east-1
      Description: !Ref DomainDescription
      DomainIdentifier: !GetAtt DataZoneDomain.Id
      EnvironmentBlueprintIdentifier: !GetAtt DataZoneEnvBlueprint.EnvironmentBlueprintId
    DependsOn: DataZoneEnvBlueprint

  DataZoneEnvironment:
    Type: AWS::DataZone::Environment
    Properties:
      Name: !Ref EnvironmentName
      DomainIdentifier: !GetAtt DataZoneDomain.Id
      EnvironmentProfileIdentifier: !GetAtt DataZoneEnvProfile.Id
      ProjectIdentifier: !GetAtt DataZoneProject.Id
    DependsOn: DataZoneEnvProfile

be_ezy
asked 3 months ago · 219 views
2 Answers

The error suggests that the environment blueprint configuration needs to enable at least one region, even though you have specified multiple regions in your CloudFormation template. I suggest checking the correctness of the region codes, the permissions of the IAM role, any potential resource limits, and the blueprint configuration.

EXPERT
answered 3 months ago

Resolution:

There are several key aspects missing from the above template, which led to the deployment failures.

To address this, here is an updated AWS CloudFormation template that should resolve the issue.

AWSTemplateFormatVersion: '2010-09-09'
Description: AWS CloudFormation template for creating an Amazon Data Zone
  Domain, Project, Environment Blueprint, Environment Profile, and Environment
Parameters:
  DataZoneDomainExecutionRoleArn:
    Type: String
    Description: The ARN of the existing service role for Data Zone domain execution
    Default:   # your AmazonDataZoneDomainExecution role ARN
Resources:
  DataZoneDomain:
    Type: AWS::DataZone::Domain
    Properties:
      Name: MyDomain
      DomainExecutionRole: !Ref DataZoneDomainExecutionRoleArn
  DataZoneProject:
    DependsOn: DataZoneDomain
    Type: AWS::DataZone::Project
    Properties:
      Name: MyProject
      DomainIdentifier: !GetAtt DataZoneDomain.Id
  DataZoneEnvBlueprint:
    DependsOn: DataZoneDomain
    Type: AWS::DataZone::EnvironmentBlueprintConfiguration
    Properties:
      EnabledRegions:
        - us-east-1
        - us-east-2
        - us-west-1
        - us-west-2
      DomainIdentifier: !GetAtt DataZoneDomain.Id
      EnvironmentBlueprintIdentifier: DefaultDataLake
      ManageAccessRoleArn: !Ref DataZoneDomainExecutionRoleArn
      ProvisioningRoleArn: !Ref DataZoneDomainExecutionRoleArn
      RegionalParameters:
        - Parameters:
            S3Location: s3://MY-S3-BUCKET-NAME
          Region: us-east-1
  DataZoneEnvProfile:
    DependsOn: DataZoneEnvBlueprint
    Type: AWS::DataZone::EnvironmentProfile
    Properties:
      Name: MyEnvProfile
      ProjectIdentifier: !GetAtt DataZoneProject.Id
      AwsAccountId: !Ref AWS::AccountId
      AwsAccountRegion: us-east-1
      DomainIdentifier: !GetAtt DataZoneDomain.Id
      EnvironmentBlueprintIdentifier: !GetAtt DataZoneEnvBlueprint.EnvironmentBlueprintId
  DataZoneEnvironment:
    DependsOn: DataZoneEnvProfile
    Type: AWS::DataZone::Environment
    Properties:
      Name: MyEnvironment
      DomainIdentifier: !GetAtt DataZoneDomain.Id
      EnvironmentProfileIdentifier: !GetAtt DataZoneEnvProfile.Id
      ProjectIdentifier: !GetAtt DataZoneProject.Id

Please note the following considerations:

  1. Ensure that the ManageAccessRoleArn and ProvisioningRoleArn properties are correctly specified.
  2. Provide an S3 bucket and region as noted under RegionalParameters.
  3. Ensure that the IAM role AmazonDataZoneDomainExecution has the necessary managed policies attached:
     • AmazonAthenaFullAccess
     • AmazonDataZoneDomainExecutionRolePolicy
     • AmazonDataZoneRedshiftGlueProvisioningPolicy
     • AmazonS3FullAccess

Once all of the above are satisfied, you should see the deployment of the stack succeed and another stack being deployed automatically to create the environment.

Thank you.

AWS
answered 3 months ago
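A pre-deployment check for the gaps this answer fills, added here as an example and not code from the question, the answer or AWS: it takes the template as a dict (what `json.load` of the JSON form yields; the `Ref` dicts stand in for `!Ref`), looks for a missing ManageAccessRoleArn or ProvisioningRoleArn, a profile region without RegionalParameters or with the answer's placeholder bucket left in, and, as a least-privilege point, one role reused for manage access, provisioning and domain execution. The `FAILING` dict and the `with_answer_fix` helper are constructed for the example, and the parameter name `DomainExecRoleArn` is assumed.

```python
import copy

BLUEPRINT = "AWS::DataZone::EnvironmentBlueprintConfiguration"
PROFILE, DOMAIN = "AWS::DataZone::EnvironmentProfile", "AWS::DataZone::Domain"

def check_blueprint_config(template: dict) -> list[str]:
    """Return findings for the blueprint configuration; an empty list means nothing was flagged."""
    def props(rtype):  # (logical name, Properties) of every resource of the given type
        return [(n, r.get("Properties", {})) for n, r in template.get("Resources", {}).items() if r.get("Type") == rtype]
    if not (blueprints := props(BLUEPRINT)):
        return ["no EnvironmentBlueprintConfiguration resource, so no region gets enabled"]
    # Every region an EnvironmentProfile deploys into must be enabled and carry regional parameters.
    wanted = sorted(p.get("AwsAccountRegion", "") for _, p in props(PROFILE))
    exec_roles = [p.get("DomainExecutionRole") for _, p in props(DOMAIN)]
    findings: list[str] = []
    for name, p in blueprints:
        enabled = p.get("EnabledRegions") or []
        if not enabled:
            findings.append(f"{name}: EnabledRegions is empty")
        for key in ("ManageAccessRoleArn", "ProvisioningRoleArn"):
            if not p.get(key):
                findings.append(f"{name}: {key} is missing")
        regional = {rp.get("Region"): rp.get("Parameters", {}) for rp in p.get("RegionalParameters", [])}
        for region in wanted:
            if region not in enabled:
                findings.append(f"{name}: profile region {region} is not in EnabledRegions")
            loc = regional.get(region, {}).get("S3Location", "")
            if not loc.startswith("s3://"):
                findings.append(f"{name}: no S3Location under RegionalParameters for {region}")
            elif "MY-S3-BUCKET-NAME" in loc:
                findings.append(f"{name}: S3Location for {region} still holds the placeholder bucket")
        # Least-privilege check: manage access, provisioning and domain execution should be distinct roles.
        roles = [p.get("ManageAccessRoleArn"), p.get("ProvisioningRoleArn"), *exec_roles]
        if all(roles) and len({str(r) for r in roles}) == 1:
            findings.append(f"{name}: one role serves manage access, provisioning and domain execution")
    return findings

# Constructed input mirroring the question's failing template (JSON form, trimmed to the relevant resources).
FAILING = {"Resources": {
    "DataZoneDomain": {"Type": DOMAIN, "Properties": {"DomainExecutionRole": {"Ref": "DomainExecRoleArn"}}},
    "DataZoneEnvBlueprint": {"Type": BLUEPRINT, "Properties": {"EnvironmentBlueprintIdentifier": "DefaultDataLake",
        "EnabledRegions": ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]}},
    "DataZoneEnvProfile": {"Type": PROFILE, "Properties": {"AwsAccountRegion": "us-east-1"}}}}

def with_answer_fix(template: dict, bucket: str, role: dict) -> dict:  # applies the answer's additions
    fixed = copy.deepcopy(template)
    p = fixed["Resources"]["DataZoneEnvBlueprint"]["Properties"]
    p["ManageAccessRoleArn"], p["ProvisioningRoleArn"] = role, role
    p["RegionalParameters"] = [{"Region": "us-east-1", "Parameters": {"S3Location": f"s3://{bucket}"}}]
    return fixed
```

Running `check_blueprint_config` on `FAILING` reproduces the three gaps behind the question's error, and on the answer's version with a real bucket and a separate provisioning role it returns an empty list.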
