Cloud Block Store: CloudFormation Deployment Errors

Last updated
Save as PDF

Cloud Formation Deployment Configuration Errors

This article details Cloud Formation deployment errors that we discovered during testing.

Availability / Capacity

Issue	Error	Resolution
Unable to allocate all 7 required i3.2xlarge VD instances	AWS::AutoScaling::AutoScalingGroup VDGroup0 Group did not stabilize. {current/minSize/maxSize} group size = {6/7/7}. Failed Scaling Activity: We currently do not have sufficient i3.2xlarge capacity in the Availability Zone you requested (us-west-2d). Our system will be working on provisioning additional capacity. You can currently get i3.2xlarge capacity by not specifying an Availability Zone in your request or choosing us-west-2a, us-west-2b, us-west-2c. Launching EC2 instance failed.	Deploy into a different AZ by selecting subnet or creating a new subnet that resides in different AZ
c5n.9xlarge unavailable in deployment AZ	CREATE_FAILED AWS::EC2::Instance PurityInstanceCT0 Your requested instance type (c5n.9xlarge) is not supported in your requested Availability Zone (us-west-2d). Please retry your request by not specifying an Availability Zone or choosing us-west-2a, us-west-2b, us-west-2c. (Service: AmazonEC2; Status Code: 400; Error Code: Unsupported; Request ID: 673a83d5-37ac-4992-a01c-ecdd6b0fc0cd)	Deploy into a different AZ by selecting subnet or creating a new subnet that resides in a different AZ.
Unable to Deploy CBS - Array Bucket Cannot Create	The following resource(s) failed to create: [ArrayBucket]. API: s3:SetBucketMetricsConfiguration Access Denied	With Purity 6.3.x new permissions were added to the IAM Role. Please verify you have the latest role policy. https://support.purestorage.com/Pure_Cloud_Block_Store/Pure_Cloud_Block_Store_on_AWS_Implementation_Guide/Cloud_Block_Store_on_AWS_Prerequisites#IAM_Role_and_Permissions_(Mandatory)

Issue

Error

Resolution

Unable to allocate all 7 required i3.2xlarge VD instances

AWS::AutoScaling::AutoScalingGroup VDGroup0 Group did not stabilize. {current/minSize/maxSize} group size = {6/7/7}. Failed Scaling Activity: We currently do not have sufficient i3.2xlarge capacity in the Availability Zone you requested (us-west-2d). Our system will be working on provisioning additional capacity. You can currently get i3.2xlarge capacity by not specifying an Availability Zone in your request or choosing us-west-2a, us-west-2b, us-west-2c. Launching EC2 instance failed.

Deploy into a different AZ by selecting subnet or creating a new subnet that resides in different AZ

c5n.9xlarge unavailable in deployment AZ

CREATE_FAILED AWS::EC2::Instance PurityInstanceCT0 Your requested instance type (c5n.9xlarge) is not supported in your requested Availability Zone (us-west-2d). Please retry your request by not specifying an Availability Zone or choosing us-west-2a, us-west-2b, us-west-2c. (Service: AmazonEC2; Status Code: 400; Error Code: Unsupported; Request ID: 673a83d5-37ac-4992-a01c-ecdd6b0fc0cd)

Deploy into a different AZ by selecting subnet or creating a new subnet that resides in a different AZ.

Unable to Deploy CBS - Array Bucket Cannot Create

The following resource(s) failed to create: [ArrayBucket].

API: s3:SetBucketMetricsConfiguration Access Denied

With Purity 6.3.x new permissions were added to the IAM Role. Please verify you have the latest role policy.

https://support.purestorage.com/Pure_Cloud_Block_Store/Pure_Cloud_Block_Store_on_AWS_Implementation_Guide/Cloud_Block_Store_on_AWS_Prerequisites#IAM_Role_and_Permissions_(Mandatory)

System Subnet / ENI Subnet AZ Mismatch

Issue	Error	Resolution
System subnet in us-west-2c but iSCSI interface in us-west-2b.	Value (us-west-2c) for parameter availabilityZone is invalid. Network interface 'eni-077c3a51a42fd2e0a' is in the availability zone us-west-2b (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameterValue; Request ID: 45508662-1fa0-4f69-bee4-0990fb88ee13)	The system subnet and subnet specified for iSCSI, replication, mgmt ENIs must be in the same AZ.

Subnet / Security Group VPC Mismatch

Issue	Error	Resolution
Security group in different VPC than subnet for ENI (in this case replication)	You have specified two resources that belong to different networks. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidGroup.NotFound; Request ID: 369efd65-574f-4d72-b891-054fe5ca1833)	Make sure security groups and subnet specified for ENI are in the same VPC
The required ports for replication, security, management not allowed in security group specified as parameters during deployment.	Faild to create resource. See the details in CloudWatch Log Stream: 2019/08/08/[$LATEST]33788b0f070b4b1891f3c0487ce1493	Security group specified as parameter needs to allow: inbound tcp port 8117 for replication, inbound tcp port 3260 for iSCSI, inbound tcp port 22, 80, 443, 8084 for management.

Issue

Error

Resolution

Security group in different VPC than subnet for ENI (in this case replication)

You have specified two resources that belong to different networks. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidGroup.NotFound; Request ID: 369efd65-574f-4d72-b891-054fe5ca1833)

Make sure security groups and subnet specified for ENI are in the same VPC

The required ports for replication, security, management not allowed in security group specified as parameters during deployment.

Faild to create resource. See the details in CloudWatch Log Stream: 2019/08/08/[$LATEST]33788b0f070b4b1891f3c0487ce1493

Security group specified as parameter needs to allow:

inbound tcp port 8117 for replication,

inbound tcp port 3260 for iSCSI,

inbound tcp port 22, 80, 443, 8084 for management.

Failed Activation

Issue	Error	Resolution
License Key Invalid	WaitCondition received failed message: 'License Key Activation Failed' for uniqueId	A valid license is require for deployment.

CloudWatch logs

SubnetCheckupCall stuck on create_in_progress

If subnetcheckupCall hangs, this is an indication the array cannot reach Pure1. This lambda function performs a telnet over port 443 to Pure1.

    PhoneHomeAddresses:
      Value:
        - 'rest.cloud-support.purestorage.com'
        - 'ra.cloud-support.purestorage.com'
    PhonehomeCidrIp:
      Value: '52.40.255.224/27'

Check the Events for any details like the following in CloudWatch:

SubnetCheckupCall

2019/07/23/[$LATEST]baa52aafce9147a3a1ae837b9b4d221a

2020-10-12 at 2.37 PM.png

Confirm there is a valid route to the internet from deployment (system subnet).

AZ selection explanation

The system subnet parameter on CF stack deployment, determines the Availability Zone (AZ) where the CBS stack is created. CBS internal resources including virtual drives and controllers are deployed into the system subnet.

When the system subnet was created as a prerequisite to CBS stack creation, it was linked to a single AZ in the deployment region.

The VPCInfo lambda function shown below, which is part of the CBS CF template, provides the AZ and VPC ID when querying a lambda endpoint for response data with the system subnet ID. This AZ information is then used elsewhere in the template when allocating additional resources.