Pure Technical Services

CloudFormation Deployment Errors | Pure CBS on AWS


This article details CloudFormation deployment errors that we discovered during testing.

Availability / Capacity

Issue: Unable to allocate all 7 required i3.2xlarge VD instances
Error: AWS::AutoScaling::AutoScalingGroup    VDGroup0    Group did not stabilize. {current/minSize/maxSize} group size = {6/7/7}. Failed Scaling Activity: We currently do not have sufficient i3.2xlarge capacity in the Availability Zone you requested (us-west-2d). Our system will be working on provisioning additional capacity. You can currently get i3.2xlarge capacity by not specifying an Availability Zone in your request or choosing us-west-2a, us-west-2b, us-west-2c. Launching EC2 instance failed.
Resolution: Deploy into a different AZ by selecting a subnet, or creating a new subnet, that resides in a different AZ.

Issue: c5n.9xlarge unavailable in deployment AZ
Error: CREATE_FAILED    AWS::EC2::Instance    PurityInstanceCT0    Your requested instance type (c5n.9xlarge) is not supported in your requested Availability Zone (us-west-2d). Please retry your request by not specifying an Availability Zone or choosing us-west-2a, us-west-2b, us-west-2c. (Service: AmazonEC2; Status Code: 400; Error Code: Unsupported; Request ID: 673a83d5-37ac-4992-a01c-ecdd6b0fc0cd)
Resolution: Deploy into a different AZ by selecting a subnet, or creating a new subnet, that resides in a different AZ.

Issue: Unable to Deploy CBS - Array Bucket Cannot Create
Error: The following resource(s) failed to create: [ArrayBucket]. API: s3:SetBucketMetricsConfiguration Access Denied
Resolution: With Purity 6.3.x, new permissions were added to the IAM Role. Please verify you have the latest role policy. See IAM Role and Permissions.

System Subnet / ENI Subnet AZ Mismatch

Issue: System subnet in us-west-2c but iSCSI interface in us-west-2b.
Error: Value (us-west-2c) for parameter availabilityZone is invalid. Network interface 'eni-077c3a51a42fd2e0a' is in the availability zone us-west-2b (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameterValue; Request ID: 45508662-1fa0-4f69-bee4-0990fb88ee13)
Resolution: The system subnet and subnet specified for iSCSI, replication, mgmt ENIs must be in the same AZ.

Subnet / Security Group VPC Mismatch

Issue: Security group in a different VPC than the subnet for the ENI (in this case replication)
Error: You have specified two resources that belong to different networks. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidGroup.NotFound; Request ID: 369efd65-574f-4d72-b891-054fe5ca1833)
Resolution: Make sure the security groups and subnet specified for the ENI are in the same VPC.

Issue: The ports required for replication, security, management are not allowed in the security group specified as a parameter during deployment.
Error: Faild to create resource. See the details in CloudWatch Log Stream: 2019/08/08/[$LATEST]33788b0f070b4b1891f3c0487ce1493
Resolution: The security group specified as a parameter needs to allow:

  • inbound tcp port 8117 for replication,
  • inbound tcp port 3260 for iSCSI,
  • inbound tcp port 22, 80, 443, 8084 for management.
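
The port requirements above can be checked before deployment. The following is an added example, not part of the original article or of Pure's tooling: it audits one security group, in the shape returned by `aws ec2 describe-security-groups`, for required ports that no inbound rule covers and for required ports that are open to any address. The group ID and rules in SAMPLE_SG are constructed.

```python
import json

# Ports from the resolution above. SAMPLE_SG is constructed data shaped like one
# SecurityGroups[] entry of `aws ec2 describe-security-groups`, not a real group.
REQUIRED = {"replication": [8117], "iSCSI": [3260], "management": [22, 80, 443, 8084]}

SAMPLE_SG = json.loads("""
{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 3260, "ToPort": 3260,
   "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
]}
""")

def covers(rule, port):
    """True if an inbound rule admits TCP traffic on `port`."""
    if rule["IpProtocol"] == "-1":          # "-1" means all protocols and ports
        return True
    return (rule["IpProtocol"] == "tcp"
            and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))

def is_world_open(rule):
    """True if the rule's source includes every IPv4 or IPv6 address."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return "0.0.0.0/0" in cidrs or "::/0" in cidrs

def audit(sg):
    """Return (missing, exposed): required ports with no matching rule, and
    required ports that a matching rule opens to any address."""
    rules = sg.get("IpPermissions", [])
    missing, exposed = {}, {}
    for role, ports in REQUIRED.items():
        for port in ports:
            hits = [r for r in rules if covers(r, port)]
            if not hits:
                missing.setdefault(role, []).append(port)
            elif any(is_world_open(r) for r in hits):
                exposed.setdefault(role, []).append(port)
    return missing, exposed

if __name__ == "__main__":
    print(audit(SAMPLE_SG))
```

A port in `missing` explains the deployment failure; a port in `exposed` deploys successfully but is reachable from any source, so narrow that rule to the hosts, replication peers and management networks that need it.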

Failed Activation 

Issue: License Key Invalid
Error: WaitCondition received failed message: 'License Key Activation Failed' for uniqueId
Resolution: A valid license is required for deployment. Please refer to Understanding CBS Licensing.

Issue: License Activation Wait
Error: WaitCondition timed out. Received 0 conditions when expecting 1
Resolution: Add your AWS account number to the Allowlist on Pure1 Subscription. Please refer to Retrieve CBS License from Pure1.

Organization Level Restriction (SCP)

Issue: Fails to create Array S3 bucket policy
Error: The bucket policy already exists on bucket pure-xxxxxxx-xxxxx-xxxx-xxx
Resolution: The cause of this issue might be an SCP applied at the AWS Organization level. When the CBS CloudFormation template creates the bucket, the Org-level SCP applies a bucket restriction policy. Subsequently, when CloudFormation, with account-level permissions, attempts to apply the bucket policy defined in the template, it fails because a bucket restriction policy has already been defined by the SCP.

Please contact your Account admin to give an exception for your account, or to allow any S3 bucket with the pure-* prefix to have its own restriction policy applied.

SubnetCheckupCall stuck on create_in_progress

  1. If SubnetCheckupCall hangs, this is an indication that the array cannot reach Pure1. This Lambda function performs a telnet to Pure1 over port 443.
    PhoneHomeAddresses:
      Value:
        - 'rest.cloud-support.purestorage.com'
        - 'ra.cloud-support.purestorage.com'
    PhonehomeCidrIp:
      Value: '52.40.255.224/27'
  2. Check the Events in CloudWatch for any details like the following:
    SubnetCheckupCall 2019/07/23/[$LATEST]baa52aafce9147a3a1ae837b9b4d221a
  3. Confirm there is a valid route to the internet from the deployment (system subnet).
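
One way to carry out the route check in the last step, as an added example that is not part of the original article: it takes the system subnet's route table, in the shape returned by `aws ec2 describe-route-tables`, and reports which route VPC routing would select for the PhonehomeCidrIp range shown above. It assumes the Pure1 endpoints resolve inside that range; the table IDs and routes in SAMPLE_TABLE are constructed.

```python
import ipaddress

# PhonehomeCidrIp value from the template snippet above.
PHONEHOME_CIDR = ipaddress.ip_network("52.40.255.224/27")

# Constructed sample shaped like one RouteTables[] entry of
# `aws ec2 describe-route-tables`; IDs are placeholders.
SAMPLE_TABLE = {"RouteTableId": "rtb-EXAMPLE", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"},
]}

TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
               "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId")

def effective_route(table, dest=PHONEHOME_CIDR):
    """Longest-prefix match: the IPv4 route that applies to `dest`, or None."""
    best = None
    for route in table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if not cidr:                 # IPv6 and prefix-list routes are skipped here
            continue
        net = ipaddress.ip_network(cidr)
        if dest.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1] if best else None

def diagnose(table, dest=PHONEHOME_CIDR):
    """Explain in one line whether the subnet has a usable route to Pure1."""
    route = effective_route(table, dest)
    if route is None:
        return "no route covers the Pure1 range"
    if route.get("State") != "active":   # State is 'active' or 'blackhole'
        return "matching route is blackholed"
    target = next((route[k] for k in TARGET_KEYS if k in route), "unknown")
    if target == "local":
        return "range is routed locally, not to the internet"
    return f"ok via {target}"

if __name__ == "__main__":
    print(diagnose(SAMPLE_TABLE))
```

An "ok" result only shows that a route exists. Outbound TCP 443 must also be allowed by the security group and network ACL, and a NAT gateway target needs its own route to an internet gateway.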