CloudFormation Stack Deployment Fails When Using a Shared VPC

Problem Description

When you try to deploy the InfraandProxyDeploymentStack using AWS CloudFormation, the process fails. You'll see errors indicating that the stack is unable to create several essential networking resources within the target Virtual Private Cloud (VPC).

Cause

  • The root cause of this failure is that the deployment is being attempted in a shared VPC.

  • In a shared VPC model, a central "owner" account shares subnets with "participant" accounts. Participant accounts, like the one you are deploying from, typically lack the necessary IAM permissions to create or modify VPC-level resources such as VPC endpoints.

  • The CloudFormation template is trying to create these resources, but the shared nature of the VPC prevents it.

Traceback

The deployment fails because it cannot create the following specific resources, which require VPC owner permissions:

  • SSM and SSMMessage endpoints: For AWS Systems Manager connectivity.

  • CFEndpoint: For AWS CloudFormation.

  • LogEndpoint: For Amazon CloudWatch Logs.

  • EREndpoint: For Amazon EventBridge.

  • S3Endpoint: Gateway endpoint for Amazon S3.

  • LambdaEndpoint: For AWS Lambda.

  • EC2 and EC2Message endpoints: For Amazon EC2.

  • SQSEndpoint: For Amazon Simple Queue Service.

  • CollateEPRGSLogsLambdaCallout: A specific Lambda function callout.

Resolution

  • To resolve this issue, you must deploy the CloudFormation stack in a VPC that is owned by your AWS account, not one that is shared with you.

  • You need to select a different VPC where your account has the full permissions required to create VPC endpoints and other associated resources.

Verification

You can verify whether a VPC is shared using either of the following methods.

1. Check in the AWS Management Console

  • Navigate to the VPC Dashboard in the AWS Console.

  • Select Your VPCs from the side menu.

  • Find the VPC in question and look at the Owner ID column.

    • If the Owner ID is different from your own AWS account ID, the VPC is shared with you.

2. Check in AWS Resource Access Manager (RAM)

  • Open the AWS Resource Access Manager (RAM) console.

  • In the navigation pane, under "Shared with me," select Resource shares.

  • If the VPC is listed here, it confirms that it has been shared with your account from another account.
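The same ownership check can be scripted as a deployment preflight so the stack is never launched into a shared VPC in the first place. This is an added example, not code from the article or the stack it describes: the pure helpers work on the JSON shapes returned by `ec2 describe-vpcs` and `ram list-resources`, the sample responses and account IDs are constructed placeholders, and `live_preflight` assumes boto3 is installed and credentials are configured.

```python
"""Preflight check: refuse to deploy the stack into a VPC owned by another account."""


def vpc_ownership(caller_account, describe_vpcs_response):
    """Map each VpcId to 'owned' or 'shared' by comparing OwnerId with our account."""
    result = {}
    for vpc in describe_vpcs_response.get("Vpcs", []):
        result[vpc["VpcId"]] = "owned" if vpc["OwnerId"] == caller_account else "shared"
    return result


def shared_subnet_arns(list_resources_response):
    """Subnet ARNs that RAM reports as shared with us by other accounts (section 2 check)."""
    return sorted(r["arn"] for r in list_resources_response.get("resources", [])
                  if r.get("type") == "ec2:Subnet")


def preflight(target_vpc, caller_account, describe_vpcs_response):
    """Return (ok, message); ok is False when the target VPC is shared or not visible."""
    ownership = vpc_ownership(caller_account, describe_vpcs_response)
    if target_vpc not in ownership:
        return False, f"{target_vpc}: not visible to account {caller_account}"
    if ownership[target_vpc] == "shared":
        return False, f"{target_vpc}: shared VPC, endpoint creation will fail; pick an owned VPC"
    return True, f"{target_vpc}: owned by {caller_account}, safe to deploy"


# Constructed sample responses with placeholder account IDs (not real data).
SAMPLE_ACCOUNT = "111111111111"
SAMPLE_DESCRIBE_VPCS = {"Vpcs": [
    {"VpcId": "vpc-0aaaaaaaaaaaaaaa1", "OwnerId": "111111111111"},   # ours
    {"VpcId": "vpc-0bbbbbbbbbbbbbbb2", "OwnerId": "222222222222"},   # shared with us
]}
SAMPLE_RAM = {"resources": [
    {"arn": "arn:aws:ec2:us-east-1:222222222222:subnet/subnet-0ccc", "type": "ec2:Subnet"},
]}


def live_preflight(target_vpc, region):
    """Run the same check against a real account (assumes boto3 and configured credentials)."""
    import boto3
    account = boto3.client("sts").get_caller_identity()["Account"]
    vpcs = boto3.client("ec2", region_name=region).describe_vpcs()
    ram = boto3.client("ram", region_name=region).list_resources(
        resourceOwner="OTHER-ACCOUNTS", resourceType="ec2:Subnet")
    return preflight(target_vpc, account, vpcs), shared_subnet_arns(ram)


if __name__ == "__main__":
    print(preflight("vpc-0bbbbbbbbbbbbbbb2", SAMPLE_ACCOUNT, SAMPLE_DESCRIBE_VPCS))
    print(shared_subnet_arns(SAMPLE_RAM))
```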
