Description
Describe the bug
AWS integration fails with obscure error
To Reproduce
Steps to reproduce the behavior:
Run a template that looks like this:
Resources:
  DatadogAWSDatadogIntegrationAWS:
    Type: Datadog::Integrations::AWS
    Properties:
      AccountID: '123123123123'
      RoleName: shared-datadog-aws-integration
    Metadata:
      aws:cdk:path: mystack/DatadogAWSDatadogIntegrationAWS
  DatadogRoleF31A7099:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId:
                  Fn::Join:
                    - ''
                    - - '{{resolve:secretsmanager:arn:'
                      - Ref: AWS::Partition
                      - :secretsmanager:eu-west-1:123123123123:secret:DatadogIntegrationExternalID:SecretString:::}}
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::464622532012:root
        Version: '2012-10-17'
      Description: Datadog integration for aws monitoring
      PermissionsBoundary:
        Fn::Join:
          - ''
          - - 'arn:aws:iam::'
            - Ref: AWS::AccountId
            - :policy/base-permissions-boundary
      RoleName: shared-datadog-aws-integration
      Tags:
        - Key: tag
          value: tag
    DependsOn:
      - DatadogAWSDatadogIntegrationAWS
    Metadata:
      aws:cdk:path: mystack/DatadogRole/Resource
  DatadogRolePolicy6CE03EE3:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - alldatadogstuffasperdocs
            Effect: Allow
            Resource: '*'
        Version: '2012-10-17'
      PolicyName: shared-datadog-integration-policy
      Roles:
        - Ref: DatadogRoleF31A7099
Logs
1:36:58 PM | CREATE_FAILED | Datadog::Integrations::AWS | DatadogAWSDatadogIntegrationAWS
Resource handler returned message: "" (RequestToken: 16b2f5a7-3d09-738e-76ae-33db3a6ad5b8, HandlerErrorCode: InternalFailure)
❌ mystack failed: Error: The stack named mystack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "" (RequestToken: 16b2f5a7-3d09-738e-76ae-33db3a6ad5b8, HandlerErrorCode: InternalFailure)
at FullCloudFormationDeployment.monitorDeployment (/Users/me/code/place/project/node_modules/aws-cdk/lib/api/deploy-stack.ts:505:13)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at deployStack2 (/Users/me/code/place/project/node_modules/aws-cdk/lib/cdk-toolkit.ts:265:24)
at /Users/me/code/place/project/node_modules/aws-cdk/lib/deploy.ts:39:11
at run (/Users/me/code/place/project/node_modules/p-queue/dist/index.js:163:29)
❌ Deployment failed: Error: Stack Deployments Failed: Error: The stack named mystack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "" (RequestToken: 16b2f5a7-3d09-738e-76ae-33db3a6ad5b8, HandlerErrorCode: InternalFailure)
at deployStacks (/Users/me/code/place/project/node_modules/aws-cdk/lib/deploy.ts:61:11)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at CdkToolkit.deploy (/Users/me/code/place/project/node_modules/aws-cdk/lib/cdk-toolkit.ts:339:7)
at initCommandLine (/Users/me/code/place/project/node_modules/aws-cdk/lib/cli.ts:374:12)
Stack Deployments Failed: Error: The stack named mystack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Resource handler returned message: "" (RequestToken: 16b2f5a7-3d09-738e-76ae-33db3a6ad5b8, HandlerErrorCode: InternalFailure)
Expected behavior
The CloudFormation should run to completion.
I expect the account integration to enable the account in Datadog (this does occur).
I expect the secret to be written to Secrets Manager (this does NOT occur).
I expect my role to be created which I pull the secret from Secrets Manager (this does NOT occur).
Environment and Versions (please complete the following information):
Datadog AWS Integration 2.2.1
I am generating CloudFormation via CDK v2; however, I doubt this is relevant, as I've included the generated CloudFormation template above (which is run and faults).
Additional context
It essentially looks like the CloudFormation handler is swallowing the error, which makes it very hard to troubleshoot this.
I've also logged a ticket with Datadog support.