Troubleshoot the AWS CloudFormation Template deployment
Use this information to troubleshoot issues relating to CloudFormation Template deployment.
[ERROR]: Error parsing parameter '--template-body': Unable to load param file
The CloudFormation template fails to deploy when running the AWS CLI CloudFormation command.
Cause
There is an error in the S3 bucket template and the parameters file cannot be loaded.
Solution
- Navigate to the Setup Data Ingestion page and click the Download template button to download a new copy of the S3 bucket template.
- Verify that you are running the AWS CLI CloudFormation command from the directory where the S3 bucket template file is located.
- If you are still seeing this error message, contact Splunk Support.
[ERROR]: Error parsing parameter '--template-body': JSON does not exist
The CloudFormation template fails to deploy when running the AWS CLI CloudFormation command.
Cause
The CloudFormation template cannot be found.
Solution
- Navigate to the Setup Data Ingestion page and click the Download template button to download a new copy of the CloudFormation template.
- Verify that you are running the AWS CLI CloudFormation command from the directory where the CloudFormation template file is located.
- If you are still seeing this error message, contact Splunk Support.
Multiple account input prerequisite validation on data account fails when using StackSet template to create the SplunkDMReadOnly role
Cause
When onboarding multiple AWS accounts in a data input, you receive the following IAM role validation error:
The prerequisite roles do not exist or have incorrect policies in the following highlighted accounts. Ask your AWS admin to prepare the policies and onboarding roles that you need for the next steps.
Solution
Perform the following steps to replace the StackSet template in your control account with the correct one.
- In the Data Manager app, navigate to the prerequisites page for onboarding multiple AWS accounts.
- Verify that the prerequisite steps were performed correctly.
- Navigate to the step where you download the StackSet template, and download the template.
- Navigate to the directory where you downloaded the StackSet template, and open it with a text editor.
- Inside the StackSet template, navigate to the policyDocument stanza.
- Replace the contents of the policyDocument stanza with the following contents:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:GetRole",
            "iam:GetRolePolicy",
            "iam:ListRolePolicies",
            "iam:ListAttachedRolePolicies",
            "iam:GetPolicy",
            "iam:GetPolicyVersion",
            "guardduty:GetMasterAccount",
            "securityhub:ListMembers",
            "securityhub:GetMasterAccount",
            "securityhub:GetEnabledStandards",
            "securityhub:ListInvitations",
            "cloudformation:DescribeStacks"
          ],
          "Resource": [
            { "Fn::Join": [ ":", [ "arn:aws:iam:", { "Ref": "AWS::AccountId" }, "role/AWSCloudFormationStackSetExecutionRole" ] ] },
            { "Fn::Join": [ ":", [ "arn:aws:iam:", { "Ref": "AWS::AccountId" }, "role/aws-service-role/member.org.stacksets.cloudformation.amazonaws.com/AWSServiceRoleForCloudFormationStackSetsOrgMember" ] ] },
            { "Fn::Join": [ ":", [ "arn:aws:iam:", { "Ref": "AWS::AccountId" }, "role/SplunkDM*" ] ] },
            { "Fn::Join": [ ":", [ "arn:aws:iam:", { "Ref": "AWS::AccountId" }, "policy/*" ] ] },
            { "Fn::Join": [ ":", [ "arn:aws:guardduty:*", { "Ref": "AWS::AccountId" }, "detector/*" ] ] },
            { "Fn::Join": [ ":", [ "arn:aws:securityhub:*", { "Ref": "AWS::AccountId" }, "hub/default" ] ] },
            { "Fn::Join": [ ":", [ "arn:aws:cloudformation:*", { "Ref": "AWS::AccountId" }, "stack/StackSet-SplunkDM*/*" ] ] }
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudwatch:ListMetrics",
            "cloudwatch:GetMetricStatistics",
            "cloudtrail:DescribeTrails",
            "access-analyzer:ListAnalyzers",
            "guardduty:ListDetectors",
            "guardduty:ListMembers",
            "guardduty:ListInvitations",
            "guardduty:GetFindingsStatistics",
            "ec2:DescribeFlowLogs"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "logs:DescribeLogGroups",
            "logs:DescribeSubscriptionFilters"
          ],
          "Resource": [
            { "Fn::Join": [ ":", [ "arn:aws:logs:*", { "Ref": "AWS::AccountId" }, "log-group:*" ] ] }
          ]
        },
        {
          "Effect": "Allow",
          "Action": ["firehose:DescribeDeliveryStream"],
          "Resource": [
            { "Fn::Join": [ ":", [ "arn:aws:firehose:*", { "Ref": "AWS::AccountId" }, "deliverystream/SplunkDM*" ] ] }
          ]
        },
        {
          "Effect": "Allow",
          "Action": ["events:DescribeRule"],
          "Resource": [
            { "Fn::Join": [ ":", [ "arn:aws:events:*", { "Ref": "AWS::AccountId" }, "rule/SplunkDM*" ] ] }
          ]
        },
        {
          "Effect": "Allow",
          "Action": ["s3:ListBucket"],
          "Resource": ["arn:aws:s3:::splunkdmfailed*"]
        },
        {
          "Effect": "Allow",
          "Action": ["lambda:GetFunction"],
          "Resource": [
            { "Fn::Join": [ ":", [ "arn:aws:lambda:*", { "Ref": "AWS::AccountId" }, "function:SplunkDM*" ] ] }
          ]
        }
      ]
    }
- Verify that there are no syntax errors in the CloudFormation template.
- Save your changes.
- Log in to the control account for your AWS deployment.
- Navigate to the StackSet that will create the SplunkDMReadOnly roles in each data account.
- In the StackSet, replace the existing CloudFormation template with the new, edited template.
- After updating the StackSet, navigate to Data Manager, and check to see if the error is gone.
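The edit-and-verify steps above can be scripted so that a JSON syntax error or a malformed statement is caught before the template is uploaded to the StackSet. The following is an added example, not Splunk's code: the sample template, the `ReadOnlyRole` logical ID and the function names are constructed for illustration, and it assumes the template is JSON with exactly one inline `PolicyDocument` (the role's `AssumeRolePolicyDocument` trust policy is deliberately left untouched).

```python
import json

# Constructed, minimal stand-in for the downloaded StackSet template (the real file is larger).
SAMPLE_TEMPLATE = """{"Resources": {"ReadOnlyRole": {"Type": "AWS::IAM::Role", "Properties": {
  "RoleName": "SplunkDMReadOnly",
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []},
  "Policies": [{"PolicyName": "old", "PolicyDocument": {"Version": "2012-10-17", "Statement": []}}]}}}}"""

# Constructed, shortened replacement; in practice paste the full policy from this page.
NEW_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::splunkdmfailed*"]}]}"""

def find_policy_documents(node, path="$"):
    """Yield (path, parent, key) for each inline policy document; trust policies are skipped."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() == "policydocument":
                yield f"{path}.{key}", node, key
            else:
                yield from find_policy_documents(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_policy_documents(item, f"{path}[{i}]")

def check_policy(doc):
    """Return structural problems in an IAM policy document (empty list means none found)."""
    if not isinstance(doc.get("Statement"), list) or not doc["Statement"]:
        return ["Statement must be a non-empty list"]
    problems = [] if doc.get("Version") == "2012-10-17" else ["unexpected Version"]
    for i, stmt in enumerate(doc["Statement"]):
        missing = {"Effect", "Action", "Resource"} - stmt.keys()
        if missing:
            problems.append(f"Statement[{i}] is missing {sorted(missing)}")
        if stmt.get("Effect", "Allow") not in ("Allow", "Deny"):
            problems.append(f"Statement[{i}] has an invalid Effect")
    return problems

def replace_policy(template_text, policy_text):
    """Swap the new policy into the template; json.JSONDecodeError signals a syntax error."""
    template, policy = json.loads(template_text), json.loads(policy_text)
    problems = check_policy(policy)
    hits = list(find_policy_documents(template))
    if len(hits) != 1:
        problems.append(f"expected one policy document, found {len(hits)}")
    if problems:
        return None, problems
    _path, parent, key = hits[0]
    parent[key] = policy
    return json.dumps(template, indent=2), []
```

`replace_policy` returns the updated template text and an empty problem list on success, or `None` and the list of problems when the policy should not be uploaded.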
This documentation applies to the following versions of Data Manager: 1.8.0