CloudFormation Deployment Errors | Pure CBS on AWS

Availability / Capacity

Issue	Error	Resolution
Unable to allocate all 7 required i3.2xlarge VD instances	AWS::AutoScaling::AutoScalingGroup VDGroup0 Group did not stabilize. {current/minSize/maxSize} group size = {6/7/7}. Failed Scaling Activity: We currently do not have sufficient i3.2xlarge capacity in the Availability Zone you requested (us-west-2d). Our system will be working on provisioning additional capacity. You can currently get i3.2xlarge capacity by not specifying an Availability Zone in your request or choosing us-west-2a, us-west-2b, us-west-2c. Launching EC2 instance failed.	Deploy into a different AZ by selecting subnet or creating a new subnet that resides in different AZ
c5n.9xlarge unavailable in deployment AZ	CREATE_FAILED AWS::EC2::Instance PurityInstanceCT0 Your requested instance type (c5n.9xlarge) is not supported in your requested Availability Zone (us-west-2d). Please retry your request by not specifying an Availability Zone or choosing us-west-2a, us-west-2b, us-west-2c. (Service: AmazonEC2; Status Code: 400; Error Code: Unsupported; Request ID: 673a83d5-37ac-4992-a01c-ecdd6b0fc0cd)	Deploy into a different AZ by selecting subnet or creating a new subnet that resides in a different AZ.
Unable to Deploy CBS - Array Bucket Cannot Create	The following resource(s) failed to create: [ArrayBucket]. API: s3:SetBucketMetricsConfiguration Access Denied	With Purity 6.3.x new permissions were added to the IAM Role. Please verify you have the latest role policy. Link to IAM Role and Permissions.

System Subnet / ENI Subnet AZ Mismatch

Issue	Error	Resolution
System subnet in us-west-2c but iSCSI interface in us-west-2b.	Value (us-west-2c) for parameter availabilityZone is invalid. Network interface 'eni-077c3a51a42fd2e0a' is in the availability zone us-west-2b (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameterValue; Request ID: 45508662-1fa0-4f69-bee4-0990fb88ee13)	The system subnet and subnet specified for iSCSI, replication, mgmt ENIs must be in the same AZ.

Subnet / Security Group VPC Mismatch

Issue	Error	Resolution
Security group in different VPC than subnet for ENI (in this case replication)	You have specified two resources that belong to different networks. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidGroup.NotFound; Request ID: 369efd65-574f-4d72-b891-054fe5ca1833)	Make sure security groups and subnet specified for ENI are in the same VPC
The required ports for replication, security, management not allowed in security group specified as parameters during deployment.	Faild to create resource. See the details in CloudWatch Log Stream: 2019/08/08/[$LATEST]33788b0f070b4b1891f3c0487ce1493	Security group specified as parameter needs to allow: inbound tcp port 8117 for replication, inbound tcp port 3260 for iSCSI, inbound tcp port 22, 80, 443, 8084 for management.

Issue

Error

Resolution

Security group in different VPC than subnet for ENI (in this case replication)

You have specified two resources that belong to different networks. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidGroup.NotFound; Request ID: 369efd65-574f-4d72-b891-054fe5ca1833)

Make sure security groups and subnet specified for ENI are in the same VPC

The required ports for replication, security, management not allowed in security group specified as parameters during deployment.

Faild to create resource. See the details in CloudWatch Log Stream: 2019/08/08/[$LATEST]33788b0f070b4b1891f3c0487ce1493

Security group specified as parameter needs to allow:

inbound tcp port 8117 for replication,
inbound tcp port 3260 for iSCSI,
inbound tcp port 22, 80, 443, 8084 for management.

Failed Activation

Issue	Error	Resolution
License Key Invalid	WaitCondition received failed message: 'License Key Activation Failed' for uniqueId	A valid license is required for deployment. Please refer to Understanding CBS Licensing.
License Activation Wait	WaitCondation timed out. Received 0 conditions when expecting 1	Add your AWS account number to the Allowlist on Pure1 Subscription. Please refer to Retrieve CBS License from Pure1.

Issue

Error

Resolution

License Key Invalid

WaitCondition received failed message: 'License Key Activation Failed' for uniqueId

A valid license is required for deployment.

Please refer to Understanding CBS Licensing.

License Activation Wait

WaitCondation timed out. Received 0 conditions when expecting 1

Add your AWS account number to the Allowlist on Pure1 Subscription.

Please refer to Retrieve CBS License from Pure1.

Organization Level Restriction (SCP)

Issue	Error	Resolution
Fails to create Array S3 bucket policy	The bucket policy already exists on bucket pure-xxxxxxx-xxxxx-xxxx-xxx	The cause of this issue might be an SCP policy applied on the AWS Organization level. When the CBS CloudFormation creates the bucket, the Org level SCP applies a bucket restriction policy. Subsequently, when CloudFormation with account level permission attempts to apply the defined bucket policy on the template, it fails due to a bucket restriction policy has already been defined by SCP. Please contact your Account admin to give an exception for your account, or any S3 bucket with pure-* prefix to have its own restriction policy applied.

SubnetCheckupCall stuck on `create_in_progress`

If subnetcheckupCall hangs, this is an indication the array cannot reach Pure1. This lambda function performs a telnet over port 443 to Pure1.

    PhoneHomeAddresses:
      Value:
        - 'rest.cloud-support.purestorage.com'
        - 'ra.cloud-support.purestorage.com'
    PhonehomeCidrIp:
      Value: '52.40.255.224/27'

Check the Events for any details like the following in CloudWatch:

SubnetCheckupCall

2019/07/23/[$LATEST]baa52aafce9147a3a1ae837b9b4d221a

2020-10-12 at 2.37 PM.png

Confirm there is a valid route to the internet from deployment (system subnet).