Cloud Formation for CWP for Storage AWS fails when attempting to deploy CFT

Article ID: 232603


Products

Cloud Workload Protection for Storage

Issue/Introduction

After downloading the CloudFormation template (CFT) from the Cloud Workload Protection (CWP) for Storage console, the admin deploys the stack from the template. The installation begins, but then rolls back.

The CFT appears unable to create the group policy for auto-scaling.

Cause

Multiple possible causes:

  1. 80% of rollbacks during initial deployment are due to failure to open the ports or URLs in the Virtual Private Cloud (VPC) settings that the firewall requirements of CWP for Storage call for.
  2. Failure to remove the previous Controller Unit from the CWP for Storage console before attempting to re-deploy the CFT.
  3. Inability of the Controller Unit (CU) EC2 instance to communicate with the Symantec cloud servers to enroll in our console.

 

Resolution

Before troubleshooting, confirm that the VPC settings have been set to allow for the firewall requirements, here:

 

  1. To check whether a Controller already exists in the AWS account and region, navigate to Assets > Controllers in the CWP for Storage console.
  2. Locate the controller ID for the region and account you want to deploy to.
  3. On the right side, click the vertical ellipsis ('...', but vertical), then click Delete Controller.
  4. Attempt to re-deploy.
    If the steps above prevent the rollback, the cause is: "Only one controller unit is supported per AWS account per region. Deleting the controller from the AWS side does not delete the controller in the CWP console, and when the new controller unit attempts to check in with our cloud servers, it finds the object already exists with different parameters and rolls back the install."
  5. If the rollback occurs again, gather more information about the failure from the logs in the S3 bucket configured for the deployment.

 

Additional Information

The following AWS output is an example from a deployment where the firewall rules were not configured as required:

UpdateProvisioningStatusS3Inprogress [REMOVED BY AUTHOR] Custom::UpdateProvisioningStatusS3Inprogress  
CREATE_FAILED CloudFormation did not receive a response from your Custom Resource. Please check your logs for requestId [REMOVED BY AUTHOR]. If you are using the Python cfn-response module, you may need to update your Lambda function code so that CloudFormation can attach the updated version.
 
 

 

[ERROR] MissingSchema: Invalid URL 'URL': No schema supplied. Perhaps you meant http://URL?
Traceback (most recent call last):
  File "/var/task/UpdateProvisioningStatusS3.py", line 86, in lambda_handler
    response = requests.post(url, headers=headers, data=json_data)
  File "/var/task/requests/api.py", line 116, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/var/task/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/var/task/requests/sessions.py", line 519, in request
    prep = self.prepare_request(req)
  File "/var/task/requests/sessions.py", line 452, in prepare_request
    p.prepare(
  File "/var/task/requests/models.py", line 313, in prepare
    self.prepare_url(url, params)
  File "/var/task/requests/models.py", line 387, in prepare_url
    raise MissingSchema(error)
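
When a stack rolls back, the event list also contains resources that were merely cancelled, so the resource that actually failed first (such as the custom resource in the AWS output above) has to be picked out. The following Python sketch is an added example, not part of the original article or of the CWP template: it filters JSON in the shape returned by `aws cloudformation describe-stack-events` and extracts the requestId to look up in the Lambda logs. The sample events, the `Example...` resource names, the stack name and the request ID are constructed.

```python
import json
import re

# Constructed sample in the shape returned by
# `aws cloudformation describe-stack-events --stack-name <stack>`.
SAMPLE = json.loads("""
{"StackEvents": [
 {"Timestamp": "2024-01-01T10:09:00Z", "LogicalResourceId": "example-cwp-stack",
  "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "ROLLBACK_IN_PROGRESS",
  "ResourceStatusReason": "The following resource(s) failed to create: [UpdateProvisioningStatusS3Inprogress]."},
 {"Timestamp": "2024-01-01T10:08:59Z", "LogicalResourceId": "ExampleScalingGroup",
  "ResourceType": "AWS::AutoScaling::AutoScalingGroup", "ResourceStatus": "CREATE_FAILED",
  "ResourceStatusReason": "Resource creation cancelled"},
 {"Timestamp": "2024-01-01T10:08:58Z", "LogicalResourceId": "UpdateProvisioningStatusS3Inprogress",
  "ResourceType": "Custom::UpdateProvisioningStatusS3Inprogress", "ResourceStatus": "CREATE_FAILED",
  "ResourceStatusReason": "CloudFormation did not receive a response from your Custom Resource. Please check your logs for requestId [00000000-aaaa-bbbb-cccc-000000000000]."},
 {"Timestamp": "2024-01-01T10:00:00Z", "LogicalResourceId": "ExampleRole",
  "ResourceType": "AWS::IAM::Role", "ResourceStatus": "CREATE_COMPLETE"}
]}
""")

FAILED = {"CREATE_FAILED", "UPDATE_FAILED", "DELETE_FAILED"}
REQUEST_ID = re.compile(r"requestId \[([^\]]+)\]")


def root_causes(events):
    """Return failed resources, oldest first, skipping resources that were
    only cancelled because another resource had already failed."""
    out = []
    for ev in sorted(events, key=lambda e: e["Timestamp"]):
        reason = ev.get("ResourceStatusReason", "")
        if ev["ResourceStatus"] not in FAILED or "cancelled" in reason.lower():
            continue
        match = REQUEST_ID.search(reason)
        out.append({
            "resource": ev["LogicalResourceId"],
            "type": ev["ResourceType"],
            # Custom resources are backed by a Lambda function in the template.
            "custom_resource": ev["ResourceType"].startswith("Custom::"),
            # Request ID to search for in that function's logs.
            "request_id": match.group(1) if match else None,
            "reason": reason,
        })
    return out


if __name__ == "__main__":
    for cause in root_causes(SAMPLE["StackEvents"]):
        print(cause["resource"], cause["type"], cause["request_id"])
```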