How do I resolve the "Internal Failure" error when I try to create or update a stack in AWS CloudFormation?
Last updated: 2021-02-18
I want to resolve the "Internal Failure" error in AWS CloudFormation.
If you're creating or updating your AWS CloudFormation stack, you can receive an "Internal Failure" error when an operation on a resource fails. You can also receive this error if your stack fails to deploy.
An operation on a resource can fail in the following scenarios:
- Your resources or properties are set to incorrect values. To resolve this issue, complete the steps in the Deploy a test stack to find the incorrect values for your resources or properties section.
- An internal workflow failed. To resolve this issue using AWS CloudTrail, complete the steps in the Find the failed API operations in your CloudTrail event logs section.
Finally, your stack can fail to deploy if you pass incorrect values to the Outputs section of your AWS CloudFormation template. To resolve this error, complete the steps in the Check the values in the Outputs section of your AWS CloudFormation template section.
Note: The following steps apply only to "Internal Failure" errors that you receive when you try to create or update a stack in AWS CloudFormation.
Deploy a test stack to find the incorrect values for your resources or properties
To find the incorrect values for your resource properties or attributes, deploy a test stack with an AWS CloudFormation template that includes only the failed resource.
If your test stack deploys successfully, follow the steps in the Find the failed API operations in your CloudTrail event logs section.
If your test stack deployment fails, continue to eliminate non-required properties and attributes from the test stack until you find the incorrect values.
In the following example scenario, you receive an "Internal Failure" error when AWS CloudFormation tries to create an AWS::Config::ConformancePack resource with AWS Config. An error is returned because the DeliveryS3Bucket property uses incorrect syntax. The DeliveryS3Bucket property accepts only a bucket name as a value (for example, bucketname). A file path that includes the bucket name isn't an acceptable value (for example, s3://bucketname).
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudFormationCanaryPack:
    Type: AWS::Config::ConformancePack
    Properties:
      ConformancePackName: ConformancePackName
      DeliveryS3Bucket: s3://bucketname # Incorrect value for DeliveryS3Bucket
      TemplateS3Uri: s3://bucketname/prefix
```
Find the failed API operations in your CloudTrail event logs
1. Open the CloudTrail console.
2. In the navigation pane, choose Event history.
3. For Time range, enter a time range to isolate the failed API call, and then choose Apply.
Tip: For the From time, enter the time when the resource entered the CREATE_IN_PROGRESS or UPDATE_IN_PROGRESS status in your AWS CloudFormation stack. For the To time, enter the time when the API call failed.
4. To identify the root cause of the failure, review the error message for the event that's returned.
Note: Some API operation failures require you to update your original AWS CloudFormation template, and then perform a test deployment to confirm that the error is resolved.
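The same triage can be scripted over exported event records. The following is an added example, not part of the original article or AWS tooling: it filters records in CloudTrail event-record format for failed calls inside the time window from step 3. It assumes that calls made on your behalf by AWS CloudFormation carry cloudformation.amazonaws.com in sourceIPAddress or userIdentity.invokedBy; the sample records and their error values are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample records in CloudTrail event-record format (not real account
# data; the errorCode and errorMessage values are illustrative).
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2021-02-18T09:30:00Z", "eventSource": "dms.amazonaws.com",
  "eventName": "CreateReplicationInstance", "sourceIPAddress": "cloudformation.amazonaws.com",
  "errorCode": "AccessDeniedException", "errorMessage": "constructed: outside the window"},
 {"eventTime": "2021-02-18T10:00:00Z", "eventSource": "cloudformation.amazonaws.com",
  "eventName": "CreateStack", "sourceIPAddress": "203.0.113.10"},
 {"eventTime": "2021-02-18T10:00:30Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetBucketPolicy", "sourceIPAddress": "203.0.113.10",
  "errorCode": "AccessDenied", "errorMessage": "constructed: unrelated user call"},
 {"eventTime": "2021-02-18T10:00:07Z", "eventSource": "config.amazonaws.com",
  "eventName": "PutConformancePack", "sourceIPAddress": "cloudformation.amazonaws.com",
  "userIdentity": {"invokedBy": "cloudformation.amazonaws.com"},
  "errorCode": "ValidationException", "errorMessage": "constructed: invalid DeliveryS3Bucket"}
]""")

CFN = "cloudformation.amazonaws.com"


def parse_time(value):
    # CloudTrail eventTime is ISO 8601 in UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failed_calls(events, start, end, via_cloudformation=True):
    """Return (time, source, name, errorCode, errorMessage) for failed calls, oldest first."""
    hits = []
    for ev in events:
        when = parse_time(ev["eventTime"])
        if not (start <= when <= end) or "errorCode" not in ev:
            continue  # outside the window, or the call succeeded
        invoked_by = ev.get("userIdentity", {}).get("invokedBy", "")
        if via_cloudformation and CFN not in (invoked_by, ev.get("sourceIPAddress", "")):
            continue  # failed call that CloudFormation did not make
        hits.append((when, ev["eventSource"], ev["eventName"],
                     ev["errorCode"], ev.get("errorMessage", "")))
    return sorted(hits)


if __name__ == "__main__":
    start, end = parse_time("2021-02-18T10:00:00Z"), parse_time("2021-02-18T10:05:00Z")
    for when, source, name, code, message in failed_calls(SAMPLE_EVENTS, start, end):
        print(when.isoformat(), source, name, code, message)
```

Set via_cloudformation=False to also see failures from other callers in the same window, which helps when the failing call was made by a role that the stack's resources assume rather than by CloudFormation itself.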
Check the values in the Outputs section of your AWS CloudFormation template
In your AWS CloudFormation template, confirm that the values in the Outputs section don't contain syntax errors. For example, remove any trailing spaces.
If you retrieve resource attributes with dynamic references, you must confirm that the attributes are available during stack deployment. To simulate this outside of AWS CloudFormation, do the following:
1. Make a Create* or Update* API call to create or modify a resource of the type that has the failed attribute.
2. Make a Describe* API call to retrieve current attributes of the resource during the stack creation or update process.
The following example scenario demonstrates an internal error returned by a stack when the ReplicationInstancePrivateIpAddresses attribute of the AWS::DMS::ReplicationInstance resource is passed to Outputs.
In the following example, the instance's private IP attribute is available only after the ReplicationInstance resource has switched its status to available. If the ReplicationInstance resource isn't in the available status by the time the stack executes Outputs, AWS CloudFormation can't retrieve the private IP attribute. Then, the deployment fails.
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  BasicReplicationInstance:
    Type: AWS::DMS::ReplicationInstance
    Properties:
      ReplicationInstanceClass: dms.t2.small
Outputs:
  DmsInstanceIP:
    Value: !GetAtt BasicReplicationInstance.ReplicationInstancePrivateIpAddresses
```