Failure in CloudFormation template [CommandRunner] while running CLI command for CloudTrail


Hi Guys,

I am trying to run a CLI command to update a CloudTrail trail, but the stack is failing. The requirement is to apply advanced data event selectors to an existing CloudTrail trail.

Please find the details of the CF template below:

  1. CF template

    AWSTemplateFormatVersion: 2010-09-09
    Resources:
      UpdateTrail:
        Type: AWSUtility::CloudFormation::CommandRunner
        Properties:
          Role: ec2-role-name
          SubnetId: subnet-XXXXXXXXX
          LogGroup: log-group-name
          Command: aws cloudtrail put-event-selectors --trail-name XXXX --region XXXX --advanced-event-selectors....

  2. Error

Resource handler returned message: "Either the command failed to execute, the value written to /command-output.txt was invalid or the Subnet specified did not have internet access. The value written to /command-output.txt must be a non-empty single word value without quotation marks. Check cloud-init.log in the LogGroup specified for more information."

  3. CLI command

    aws cloudtrail put-event-selectors --trail-name XXXX --region XXXX --advanced-event-selectors '[
      {
        "Name": "S3EventSelector",
        "FieldSelectors": [
          { "Field": "eventCategory", "Equals": ["Data"] },
          { "Field": "resources.type", "Equals": ["AWS::S3::Object"] },
          { "Field": "eventName", "Equals": ["PutObject","DeleteObject"] },
          { "Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::XX","arn:aws:s3:::XX"] }
        ]
      }
    ]'

Note: the command runs successfully in the CLI. The prerequisites for CommandRunner are installed. Also, the subnet specified does have internet access.

I sense it might be an issue with the command format, or maybe something else. Any assistance would be appreciated.

Thanks

Pradnya
asked a year ago, 496 views
1 Answer

Hello, as indicated here, you must write the command's output to a reserved file called /command-output.txt. Now, per the code, the above error can occur if SSM PutParameter failed due to an invalid value in /command-output.txt.

I tested the template in my lab and noticed that the PutParameter event in CloudTrail failed with the following error:

"1 validation error detected: Value at 'value' failed to satisfy constraint: Member must have length greater than or equal to 1."

Then, I observed the following error in a log named i-****/cloud-init-output.log in the CloudWatch log group that I configured using the LogGroup property of the AWSUtility::CloudFormation::CommandRunner resource type.

    aws: error: argument --event-selectors is required
    Contents of /command-output.txt =

As seen above, the contents of /command-output.txt are empty.

This --event-selectors argument error occurs if the session uses AWS CLI v1 and is not seen in AWS CLI v2. I observed that the Amazon Linux AMI used by CommandRunner does not have the latest version of the AWS CLI installed at present, therefore we need to update the AWS CLI on the instance to successfully execute the above put-event-selectors command. I used the following snippet to fix the issue:

....
Resources:
  CommandRunner:
    Type: 'AWSUtility::CloudFormation::CommandRunner'
    Properties:
      # Folded scalar: the lines are joined into one command string,
      # so each step must end with a semicolon.
      Command: >-
        curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip";
        unzip awscliv2.zip;
        sudo ./aws/install;
        aws --version;
        aws cloudtrail put-event-selectors --trail-name XXX --region XXXX --advanced-event-selectors '[ { "Name": "S3EventSelector", "FieldSelectors": [ { "Field": "eventCategory", "Equals": ["Data"] }, { "Field": "resources.type", "Equals": ["AWS::S3::Object"] }, { "Field": "eventName", "Equals": ["PutObject","DeleteObject"] }, { "Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::XX","arn:aws:s3:::XXX"] } ] } ]' --output text > /command-output.txt
      Role: yourrole
      LogGroup: log-group-name

Hope it helps!

AWS
SUPPORT ENGINEER
answered a year ago
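As an added example (not part of the question, the answer, or AWS's own tooling), the POSIX shell wrapper below makes the CommandRunner contract from the error message explicit: it checks that the installed AWS CLI is v2 before calling put-event-selectors, renders the S3 advanced event selector from the question to a file passed with the CLI's file:// syntax, and writes a value to /command-output.txt only after validating that it is non-empty, a single word, and free of quotation marks. The function names, the fixed token `updated`, and the selectors file path are assumptions; the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: a wrapper that makes the
# CommandRunner contract explicit. Function and file names are assumptions.
# Contract (from the resource's error message): the Command must leave a
# non-empty, single-word value without quotation marks in /command-output.txt.

# Return 0 if VALUE satisfies the /command-output.txt constraints.
valid_command_output() {
  value="$1"
  [ -n "$value" ] || return 1            # must be non-empty
  case "$value" in
    *[[:space:]]*) return 1 ;;           # must be a single word
    *\"*|*\'*)     return 1 ;;           # no quotation marks
  esac
  return 0
}

# Extract the major version from `aws --version` output
# (constructed sample: "aws-cli/2.15.30 Python/3.11.8 ..." -> "2").
aws_cli_major_version() {
  printf '%s\n' "$1" | sed -n 's|^aws-cli/\([0-9]*\)\..*|\1|p'
}

# Write VALUE to OUT (default /command-output.txt) only if it is valid; fail
# loudly otherwise so the reason shows up in cloud-init-output.log instead of
# an empty file and a PutParameter validation error.
write_command_output() {
  value="$1"
  out="${2:-/command-output.txt}"
  if valid_command_output "$value"; then
    printf '%s\n' "$value" > "$out"
  else
    echo "refusing to write invalid CommandRunner output: '$value'" >&2
    return 1
  fi
}

# Render the advanced event selector from the question into OUT as JSON,
# restricting S3 data events to the given bucket ARN prefixes.
write_s3_selectors() {
  out="$1"; shift
  arns=""
  for arn in "$@"; do
    arns="${arns:+$arns,}\"$arn\""
  done
  cat > "$out" <<EOF
[
  {
    "Name": "S3EventSelector",
    "FieldSelectors": [
      { "Field": "eventCategory", "Equals": ["Data"] },
      { "Field": "resources.type", "Equals": ["AWS::S3::Object"] },
      { "Field": "eventName", "Equals": ["PutObject","DeleteObject"] },
      { "Field": "resources.ARN", "StartsWith": [$arns] }
    ]
  }
]
EOF
}

# Check the CLI version, apply the selectors, and report a single word back.
# Only call this on the CommandRunner instance: it invokes the real AWS CLI.
run_put_event_selectors() {
  trail="$1"; region="$2"; selectors_file="$3"
  # AWS CLI v1 prints its version to stderr, so capture both streams.
  major=$(aws_cli_major_version "$(aws --version 2>&1)")
  if [ "${major:-0}" -lt 2 ]; then
    echo "AWS CLI v2 required for --advanced-event-selectors (found v${major:-unknown})" >&2
    return 1
  fi
  if aws cloudtrail put-event-selectors --region "$region" --trail-name "$trail" \
       --advanced-event-selectors "file://$selectors_file" > /dev/null; then
    write_command_output updated
  else
    echo "put-event-selectors failed; leaving /command-output.txt empty" >&2
    return 1
  fi
}

# Example Command property (assumed paths and names):
#   write_s3_selectors /tmp/selectors.json arn:aws:s3:::my-bucket && \
#   run_put_event_selectors my-trail us-east-1 /tmp/selectors.json
```

The wrapper writes a fixed token rather than redirecting the API response into /command-output.txt, so the value always satisfies the single-word rule regardless of what put-event-selectors prints; the response itself can still be inspected in the CloudWatch log group configured via LogGroup. Failing early on an AWS CLI v1 install gives a readable cause in cloud-init-output.log instead of the generic resource handler message.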
