
CloudFormation template fails with error "Service: AmazonEC2; Status Code: 400; Error Code: Unsupported"


I have created a CloudFormation template with the below resources:

---
Resources: 
  InsuranceVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 11.0.0.0/16
      EnableDnsSupport: 'false'
      EnableDnsHostnames: 'false'
      InstanceTenancy: dedicated
      Tags:
       - Key: work
         Value: insurance
       - Key: name
         Value: InsuranceVPC

  InsuranceInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
      - Key: work
        Value: insurance
      - Key: name
        Value: InsuranceInternetGateway

  InsuranceSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId:
        Ref: InsuranceVPC
      CidrBlock: 11.0.2.0/24
      AvailabilityZone: "ap-south-1a"
      Tags:
      - Key: work
        Value: insurance
      - Key: name
        Value: InsuranceSubnet

  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId:
         Ref: InsuranceVPC
      InternetGatewayId:
         Ref: InsuranceInternetGateway

  Ec2Instance: 
    Type: AWS::EC2::Instance
    Properties: 
      ImageId: "ami-0732b62d310b80e97"
      InstanceType: "t2.medium"
      KeyName: "DevOpsAutomation"
      NetworkInterfaces: 
        - AssociatePublicIpAddress: "true"
          DeviceIndex: "0"
          GroupSet: 
            - Ref: "InsuranceSecurityGroup"
          SubnetId: 
            Ref: "InsuranceSubnet"

  InsuranceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow http and ssh to client host
        VpcId:
           Ref: InsuranceVPC
        SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
        SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0

All resource creations succeed except Ec2Instance, which fails with the below error:

The requested configuration is currently not supported. Please check the documentation for supported configurations. (Service: AmazonEC2; Status Code: 400; Error Code: Unsupported; Request ID: a59a2d39-3aa9-4f7b-9cbd-db05dca0d61e)

The following resource(s) failed to create: [Ec2Instance]. . Rollback requested by use

What I have checked:

  1. The ImageId and InstanceType exist in the same region (or AZ).
  2. All other objects and their dependencies are met.
  3. Though I understand I haven't yet created a route table or route entries, that shouldn't affect EC2 instance resource creation.
  4. I am a privileged user able to create resources.

Please help or guide me on what I am missing here.


Solution

  • I launched your template on my sandbox account.

    I've identified some issues.

    • missing DependsOn on the instance,
    • VPC has dedicated tenancy,
    • and incorrect GroupSet.

    I modified the template so it fully works now in us-east-1. You have to adjust it to your own region (the AMI also needs to be changed back to your original one if not using us-east-1).

    ---
    Resources: 
      InsuranceVPC:
        Type: AWS::EC2::VPC
        Properties:
          CidrBlock: 11.0.0.0/16
          EnableDnsSupport: 'false'
          EnableDnsHostnames: 'false'
          InstanceTenancy: default
          Tags:
           - Key: work
             Value: insurance
           - Key: name
             Value: InsuranceVPC
    
      InsuranceInternetGateway:
        Type: AWS::EC2::InternetGateway
        Properties:
          Tags:
          - Key: work
            Value: insurance
          - Key: name
            Value: InsuranceInternetGateway
    
      InsuranceSubnet:
        Type: AWS::EC2::Subnet
        Properties:
          VpcId:
            Ref: InsuranceVPC
          CidrBlock: 11.0.2.0/24
          AvailabilityZone: "us-east-1a"
          Tags:
          - Key: work
            Value: insurance
          - Key: name
            Value: InsuranceSubnet
    
      AttachGateway:
        Type: AWS::EC2::VPCGatewayAttachment
        Properties:
          VpcId:
             Ref: InsuranceVPC
          InternetGatewayId:
             Ref: InsuranceInternetGateway
    
      Ec2Instance: 
        Type: AWS::EC2::Instance
        DependsOn: AttachGateway
        Properties: 
          ImageId: "ami-08f3d892de259504d"
          InstanceType: "t2.medium"
          KeyName: "MyKeyPair"
          NetworkInterfaces: 
            - AssociatePublicIpAddress: "true"
              DeviceIndex: "0"
              GroupSet: 
                - !GetAtt InsuranceSecurityGroup.GroupId
              SubnetId: 
                Ref: "InsuranceSubnet"
    
      InsuranceSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: Allow http and ssh to client host
            VpcId:
               Ref: InsuranceVPC
            SecurityGroupIngress:
            - IpProtocol: tcp
              FromPort: 80
              ToPort: 80
              CidrIp: 0.0.0.0/0
            - IpProtocol: tcp
              FromPort: 22
              ToPort: 22
              CidrIp: 0.0.0.0/0
            SecurityGroupEgress:
            - IpProtocol: tcp
              FromPort: 80
              ToPort: 80
              CidrIp: 0.0.0.0/0
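Added example (not from the question or the answer, and not AWS tooling): a small pre-deploy lint, in Python, that loads the question's template as plain dicts and reports the three conditions the answer changes, plus one the answer leaves in place. The tenancy check encodes the fact behind the first fix: AWS does not offer the t2 family as Dedicated Instances, so a t2.medium launched into a VPC with `InstanceTenancy: dedicated` is a configuration EC2 rejects; the alternative to switching the VPC to default tenancy is an instance type that supports dedicated tenancy. The DependsOn check catches an instance that requests a public IP without waiting for the VPCGatewayAttachment. The GroupSet check only verifies that every entry resolves to an `AWS::EC2::SecurityGroup` in the template, whether via `Ref` (which for a VPC security group returns the group ID) or `Fn::GetAtt ... GroupId`. The final check, SSH on TCP/22 open to 0.0.0.0/0, is a security point the answer does not address and it still fires on the fixed template. The `NO_DEDICATED_TENANCY_FAMILIES` set, the `lint()` and `answer_resources()` names, and the dict encoding of the template (intrinsics written in their long JSON-style form) are assumptions of this example.

```python
"""Pre-deploy lint for the template above (added example, not the page's code)."""
import copy
from typing import Any, Dict, List, Optional

# Instance families AWS does not offer as Dedicated Instances. Only t2 is listed
# because it is the family in the template; extend from the AWS docs as needed.
NO_DEDICATED_TENANCY_FAMILIES = {"t2"}


def ref_target(value: Any) -> Optional[str]:
    """Logical ID behind a {"Ref": X} or {"Fn::GetAtt": [X, attr]} node, else None."""
    if isinstance(value, dict):
        if "Ref" in value:
            return value["Ref"]
        if "Fn::GetAtt" in value:
            target = value["Fn::GetAtt"]
            return target[0] if isinstance(target, list) else str(target).split(".")[0]
    return None


def lint(resources: Dict[str, dict]) -> List[str]:
    """Return one finding per problem; an empty list means the template passed."""
    findings: List[str] = []
    attachments = [lid for lid, r in resources.items()
                   if r.get("Type") == "AWS::EC2::VPCGatewayAttachment"]
    for lid, res in resources.items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        family = props.get("InstanceType", "").split(".")[0].lower()
        depends = res.get("DependsOn", [])
        depends = [depends] if isinstance(depends, str) else depends
        for nic in props.get("NetworkInterfaces", []):
            # Follow the NIC's SubnetId -> the subnet's VpcId to find the VPC tenancy.
            subnet = resources.get(ref_target(nic.get("SubnetId")) or "", {})
            vpc_lid = ref_target(subnet.get("Properties", {}).get("VpcId"))
            vpc_props = resources.get(vpc_lid or "", {}).get("Properties", {})
            tenancy = vpc_props.get("InstanceTenancy", "default")
            if tenancy == "dedicated" and family in NO_DEDICATED_TENANCY_FAMILIES:
                findings.append(f"{lid}: {props['InstanceType']} cannot launch in VPC "
                                f"{vpc_lid} with InstanceTenancy: dedicated")
            wants_public_ip = str(nic.get("AssociatePublicIpAddress", "false")).lower() == "true"
            if wants_public_ip and not any(a in depends for a in attachments):
                findings.append(f"{lid}: AssociatePublicIpAddress is true but no DependsOn "
                                "names the VPCGatewayAttachment")
            for member in nic.get("GroupSet", []):
                sg = ref_target(member)
                if resources.get(sg or "", {}).get("Type") != "AWS::EC2::SecurityGroup":
                    findings.append(f"{lid}: GroupSet entry {member!r} is not a security group")
    # Extra check the answer does not make: SSH reachable from anywhere.
    for lid, res in resources.items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            ports_22 = int(rule.get("FromPort", -1)) <= 22 <= int(rule.get("ToPort", -1))
            if rule.get("IpProtocol") == "tcp" and rule.get("CidrIp") == "0.0.0.0/0" and ports_22:
                findings.append(f"{lid}: SSH (TCP/22) ingress open to 0.0.0.0/0")
    return findings


# Constructed sample input: the question's Resources block as dicts (tags dropped,
# intrinsics in long form). This is the "before" template from the question.
QUESTION_RESOURCES: Dict[str, dict] = {
    "InsuranceVPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "11.0.0.0/16", "InstanceTenancy": "dedicated"}},
    "InsuranceInternetGateway": {"Type": "AWS::EC2::InternetGateway", "Properties": {}},
    "InsuranceSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {
        "VpcId": {"Ref": "InsuranceVPC"}, "CidrBlock": "11.0.2.0/24", "AvailabilityZone": "ap-south-1a"}},
    "AttachGateway": {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
        "VpcId": {"Ref": "InsuranceVPC"}, "InternetGatewayId": {"Ref": "InsuranceInternetGateway"}}},
    "Ec2Instance": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "ami-0732b62d310b80e97", "InstanceType": "t2.medium", "KeyName": "DevOpsAutomation",
        "NetworkInterfaces": [{
            "AssociatePublicIpAddress": "true", "DeviceIndex": "0",
            "GroupSet": [{"Ref": "InsuranceSecurityGroup"}],
            "SubnetId": {"Ref": "InsuranceSubnet"}}]}},
    "InsuranceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "Allow http and ssh to client host", "VpcId": {"Ref": "InsuranceVPC"},
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
}


def answer_resources() -> Dict[str, dict]:
    """The same template with the answer's three changes applied."""
    fixed = copy.deepcopy(QUESTION_RESOURCES)
    fixed["InsuranceVPC"]["Properties"]["InstanceTenancy"] = "default"
    fixed["Ec2Instance"]["DependsOn"] = "AttachGateway"
    fixed["Ec2Instance"]["Properties"]["NetworkInterfaces"][0]["GroupSet"] = [
        {"Fn::GetAtt": ["InsuranceSecurityGroup", "GroupId"]}]
    return fixed


if __name__ == "__main__":
    for name, res in (("question", QUESTION_RESOURCES), ("answer", answer_resources())):
        print(f"== {name} template ==")
        for finding in lint(res) or ["no findings"]:
            print("  ", finding)
```

Running it prints three findings for the question's template (tenancy, DependsOn, SSH) and only the SSH finding for the answer's template, which shows that the `Ref` form of the GroupSet already resolved to the security group and that the world-reachable SSH rule survives the fix. Restricting that rule to an admin CIDR, or dropping it in favour of SSM Session Manager, is the change a security review would ask for before deploying either version.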