# AWS CloudFormation Stack Failed

Common Error Patterns

CloudFormation failures typically show:

bash
Stack creation failed. The following resource(s) failed to create: [MyBucket].
bash
Template format error: Unresolved resource dependencies [MyVPC] in the Resources block of the template
bash
Resource creation failed: Resource handler returned message: "Insufficient permissions"
bash
ROLLBACK_IN_PROGRESS - The following resource(s) failed to delete

Root Causes and Solutions

1. Template Syntax Errors

Invalid YAML/JSON syntax or structural errors.

Solution:

Validate template before deployment:

bash
aws cloudformation validate-template \
  --template-body file://template.yaml

Common syntax issues:

```yaml # WRONG - Missing indentation Resources: MyBucket: Type: AWS::S3::Bucket

# CORRECT - Proper indentation Resources: MyBucket: Type: AWS::S3::Bucket ```

Use a linter:

```bash # Install cfn-lint pip install cfn-lint

# Validate template cfn-lint template.yaml ```

2. Circular Dependencies

Resources reference each other in a circular manner.

Solution:

Restructure to break circular dependencies:

```yaml # WRONG - Circular dependency Resources: MySecurityGroup: Type: AWS::EC2::SecurityGroup Properties: SecurityGroupIngress: - SourceSecurityGroupId: !Ref OtherSecurityGroup

OtherSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: SecurityGroupIngress: - SourceSecurityGroupId: !Ref MySecurityGroup

# CORRECT - Use DependsOn or restructure Resources: MySecurityGroup: Type: AWS::EC2::SecurityGroup Properties: SecurityGroupIngress: - SourceSecurityGroupId: !Ref OtherSecurityGroup

OtherSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: "Other security group"

# Add ingress rule separately OtherSecurityGroupIngress: Type: AWS::EC2::SecurityGroupIngress Properties: GroupId: !Ref OtherSecurityGroup SourceSecurityGroupId: !Ref MySecurityGroup ```

3. Resource Already Exists

Resource name conflict with existing resources.

Solution:

Use unique names or generate them:

yaml
Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub 'my-bucket-${AWS::AccountId}-${AWS::Region}'

Or use DeletionPolicy to retain resources:

yaml
Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    Properties:
      BucketName: my-existing-bucket

4. Insufficient IAM Permissions

The deployment role lacks required permissions.

Solution:

Check stack events for permission errors:

bash
aws cloudformation describe-stack-events \
  --stack-name my-stack \
  --query 'StackEvents[?ResourceStatus==`CREATE_FAILED`]'

Create a deployment role with necessary permissions:

json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:*",
        "s3:*",
        "ec2:*",
        "iam:PassRole"
      ],
      "Resource": "*"
    }
  ]
}

Deploy with a service role:

bash
aws cloudformation create-stack \
  --stack-name my-stack \
  --template-body file://template.yaml \
  --role-arn arn:aws:iam::123456789012:role/CloudFormationServiceRole

5. Resource Limit Exceeded

AWS service quotas have been reached.

Solution:

Check current quotas and request increases:

bash
aws service-quotas get-service-quota \
  --service-code ec2 \
  --quota-code L-12345678

Request quota increase:

bash
aws service-quotas request-service-quota-increase \
  --service-code ec2 \
  --quota-code L-12345678 \
  --desired-value 50

6. Custom Resource Timeout

Custom resources taking too long to respond.

Solution:

Increase timeout or fix Lambda handler:

yaml
MyCustomResource:
  Type: Custom::MyCustomResource
  Properties:
    ServiceToken: !GetAtt MyCustomResourceFunction.Arn
    Timeout: 600  # Increase timeout

Ensure Lambda sends response:

```python import cfnresponse

def lambda_handler(event, context): try: # Process resource response_data = {'Result': 'Success'} cfnresponse.send(event, context, cfnresponse.SUCCESS, response_data) except Exception as e: cfnresponse.send(event, context, cfnresponse.FAILED, {'Error': str(e)}) ```

7. Stack Drift

Resources have been modified outside CloudFormation.

Solution:

Detect drift:

```bash aws cloudformation detect-stack-drift --stack-name my-stack

aws cloudformation describe-stack-drift-detection-status \ --stack-name my-stack ```

View drift details:

bash
aws cloudformation describe-stack-resource-drifts \
  --stack-name my-stack

Rollback Troubleshooting

Stuck in Rollback

If rollback fails:

```bash # Continue rollback aws cloudformation continue-update-rollback \ --stack-name my-stack

# Skip failed resource (use with caution) aws cloudformation continue-update-rollback \ --stack-name my-stack \ --resources-to-skip MyFailedResource ```

Delete Failed Stack

bash
# Force delete
aws cloudformation delete-stack \
  --stack-name my-stack \
  --deletion-mode FORCE_DELETE_STACK

Debugging Commands

```bash # Get stack details aws cloudformation describe-stacks --stack-name my-stack

# View recent events aws cloudformation describe-stack-events --stack-name my-stack

# Get template aws cloudformation get-template --stack-name my-stack

# List stack resources aws cloudformation list-stack-resources --stack-name my-stack

# Check stack policy aws cloudformation get-stack-policy --stack-name my-stack ```

Best Practices

  1. 1.Use cfn-lint in CI/CD pipeline
  2. 2.Enable termination protection for production stacks
  3. 3.Use nested stacks for large deployments
  4. 4.Implement stack policies to prevent accidental deletion
  5. 5.Test in sandbox account before production

Quick Reference

Error TypeSolution
Template errorValidate with cfn-lint
Permission deniedCheck IAM role permissions
Resource existsUse unique names
Circular dependencyRestructure resources
TimeoutIncrease timeout or optimize
Drift detectedReconcile or import
  • [AWS IAM Permission Denied](#)
  • [Terraform Plan Failed in CI](#)
  • [AWS VPC Peering Not Working](#)