I have a minimal stack for creating a simple service with a listener. The listener gets created first and succeeds. The service gets initiated next but gets stuck on "CREATE_IN_PROGRESS". Now I have seen this issue on SO, but that has a clear reason for it failing. In my case the CloudTrail logs simply show the initiation and 10 minutes later (custom timeout) the delete, but nothing in between. The CloudFormation dashboard events also just show initiation and delete thereafter.

The service does not get created during this time either. I checked this visually by going over to the services and seeing other services there but not my own.

I have trimmed down the CloudFormation template to the bare minimum (i.e. only listener and service with reference to existing resources) but it still gets stuck.

Apart from the usual CloudTrail and CloudFormation logs, what could I do to identify the problem?

[EDIT] Here is the template I use. The parameters are based on my current setup.

AWSTemplateFormatVersion: "2010-09-09"
Description: "The Script to configure the RDS services."
Parameters:
  ClusterNameARN:
    Default: "arn:aws:ecs:eu-central-1:<NR_HERE>:cluster/AmsCluster"
    Type: String
  StaLBARN:
    Default: "arn:aws:elasticloadbalancing:eu-central-1:<NR_HERE>:loadbalancer/app/StaPostgrestLoadBalancer/<ID_HERE>"
    Type: String
  StaTargetGroupARN:
    Default: "arn:aws:elasticloadbalancing:eu-central-1:<NR_HERE>:targetgroup/LBTargetGroupSta/<ID_HERE>"
    Type: String
  LoadBalancerSG:
    Type: 'AWS::EC2::SecurityGroup::Id'
  LoadBalancerSubnet1:
    Description: Subnet instance.
    Type: 'AWS::EC2::Subnet::Id'
  LoadBalancerSubnet2:
    Description: Subnet region B instance.
    Type: 'AWS::EC2::Subnet::Id'
  LoadBalancerSubnet3:
    Description: Subnet region for public.
    Type: 'AWS::EC2::Subnet::Id'
  StaTaskDefinitionARN:
    Default: "arn:aws:ecs:eu-central-1:<NR_HERE>:task-definition/RDSPostgrestFamily:2"
    Type: String
  CertificateARN:
    Default: "arn:aws:acm:eu-central-1:<NR_HERE>:certificate/<ID_HERE>"
    Type: String
Resources:
  LBListenerSta:
    Type: 'AWS::ElasticLoadBalancingV2::Listener'
    Properties:
      Certificates:
        - CertificateArn: !Ref CertificateARN
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref StaTargetGroupARN
      LoadBalancerArn: !Ref StaLBARN
      Port: 443
      Protocol: HTTPS
  StaService:
    Type: 'AWS::ECS::Service'
    Properties:
      Cluster: !Ref ClusterNameARN
      DesiredCount: 2
      LaunchType: 'FARGATE'
      LoadBalancers:
        - ContainerName: 'Postgrest'
          ContainerPort: 3000
          TargetGroupArn: !Ref StaTargetGroupARN
      NetworkConfiguration:
        AwsvpcConfiguration:
          SecurityGroups:
            - !Ref LoadBalancerSG
          Subnets:
            - !Ref LoadBalancerSubnet1
            - !Ref LoadBalancerSubnet2
            - !Ref LoadBalancerSubnet3
      ServiceName: StaPostgrestService
      TaskDefinition: !Ref StaTaskDefinitionARN
    DependsOn:
     - LBListenerSta
Outputs:
  StaServices:
    Description: "The ARN of the service for the STA tasks."
    Value: !Ref StaService
JustLudo
  • Can you show the template and at what resource it gets stuck? – Marcin Feb 09 '21 at 11:46
  • Hi @Marcin: I updated the question and added the template. It gets stuck on creating "Staservice". The Listener is created fine. – JustLudo Feb 09 '21 at 12:22
  • Can you please go to ECS Console, Your cluster -> Service -> Events. It may have more info on why your ECS service fails. – Marcin Feb 09 '21 at 12:25
  • Ah yes. Now I finally see something. Thanks again @Marcin for the assistance. I have a new lead to investigate. Please make your last comment into an answer as it does answer the original question. (fyi: The tasks fail because a role cannot be assumed. I think I can figure that one out myself.) – JustLudo Feb 09 '21 at 13:24
  • Thank you. Answer added. – Marcin Feb 09 '21 at 22:35
  • +1 https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/139 for links in the CloudFormation console itself :) – Pat Myron Feb 09 '21 at 22:43

1 Answer

Based on the comments.

The issue is with the StaService ECS service. To get more information on the possible reasons why it fails, one can go to:

ECS Console -> Cluster -> Service -> Events

Based on this, the Events showed that the role used for ECS has incorrect permissions.

Marcin
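
The console path in the answer (ECS Console -> Cluster -> Service -> Events) has an API equivalent. This added example, which is not code from the question or the answer, reads the same events through boto3's `describe_services` and keeps only the ones that explain a stuck service. The marker list, the `OtherService` name and the sample response are constructed for illustration.

```python
from datetime import datetime, timezone

# Heuristic markers (an assumption of this example) for events that explain a stuck service.
PROBLEM_MARKERS = ("unable to", "failed", "error", "unhealthy", "cannot", "denied")


def diagnose(response):
    """Reduce a describe_services response to findings, events oldest first."""
    findings = []
    # A service or cluster that cannot be resolved is listed under "failures".
    for failure in response.get("failures", []):
        findings.append(("MISSING", failure.get("arn", "?"), failure.get("reason", "?")))
    for svc in response.get("services", []):
        name = svc["serviceName"]
        running, desired = svc.get("runningCount", 0), svc.get("desiredCount", 0)
        if running < desired:
            findings.append(("COUNT", name, "running %d of %d desired tasks" % (running, desired)))
        # ECS lists events newest first; reverse them to read a timeline.
        for event in reversed(svc.get("events", [])):
            if any(m in event["message"].lower() for m in PROBLEM_MARKERS):
                stamp = event["createdAt"].isoformat()
                findings.append(("EVENT", name, stamp + " " + event["message"]))
    return findings


def fetch(cluster, services, region="eu-central-1"):
    """Live lookup; needs boto3 and ecs:DescribeServices for the caller."""
    import boto3  # imported lazily so diagnose() also runs offline
    return boto3.client("ecs", region_name=region).describe_services(
        cluster=cluster, services=services)


# Constructed sample in the response shape, not output from the asker's account.
SAMPLE = {
    "failures": [],
    "services": [
        {"serviceName": "OtherService", "desiredCount": 1, "runningCount": 1, "events": [
            {"createdAt": datetime(2021, 2, 9, 11, 0, tzinfo=timezone.utc),
             "message": "(service OtherService) has reached a steady state."}]},
        {"serviceName": "StaPostgrestService", "desiredCount": 2, "runningCount": 0, "events": [
            {"createdAt": datetime(2021, 2, 9, 12, 6, tzinfo=timezone.utc),
             "message": "(service StaPostgrestService) failed to launch a task with (error "
                        "ECS was unable to assume the role that was provided for this task.)"}]},
    ],
}

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(*finding)
```

Against a live account, `diagnose(fetch("AmsCluster", ["StaPostgrestService"]))` can be run while the stack is still in CREATE_IN_PROGRESS, before the rollback deletes the service and its events.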