"Kendra FAQ Failed to Stabilize" Error when attempting to create a Kendra FAQ in CFN

0

Hi all, I am getting a strange error when attempting to create a Kendra FAQ using a CFN template:

Resource of type 'AWS::Kendra::Faq' with identifier 'BLAH_GUID' did not stabilize.

In this template I define an Index, DataSrouce, IAM role and FAQ - only the FAQ fails to create (if I remove the FAQ definition, the stack creation succeeds). I have triple checked my FAQ definition against the AWS docs and cannot find anything wrong. Prior to creating this FAQ, I have ensured that the S3 resource has been created and seeded with the FAQ file at the indicated path.

I have inserted a version of my template here with sensitive info removed:

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: Kendra Configuration for the service
Parameters:
  paramEnvironment:
    Type: String
    Description: Which environment do you want to deploy to? (local, dev, test, or prod)
    AllowedValues:
      - local
      - dev
      - test
      - prod
    Default: local
  paramServiceName:
    Type: String
    Description: The name of the service
    Default: myService
  paramFaqFilename:
    Type: String
    Description: The name of the FAQ file
    Default: faq-v1.json

Conditions:
  conditionIsProd: !Equals [ !Ref paramEnvironment, prod ]

Resources:
  # Kendra IAM Role
  resIamRoleKendra:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${paramEnvironment}_${paramServiceName}_kendraRole"
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ kendra.amazonaws.com ]
            Action: sts:AssumeRole
      Policies:
        - PolicyName: KendraPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:DescribeLogStreams
                Resource:
                  - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${paramEnvironment}_${paramServiceName}_*:log-stream:*"
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                Resource:
                  - !ImportValue export-myService-data-source-bucket-arn
                  - !Sub
                      - "arn:aws:s3:::${BucketArn}/*"
                      - BucketArn: !ImportValue export-myService-data-source-bucket-arn

  # Kendra Index
  resKendraIndex:
    Type: AWS::Kendra::Index
    Properties:
      Name: !Sub "${paramEnvironment}-${paramServiceName}-kendraIndex"
      Description: "Index for questions around a redacted topic"
      Edition: !If [conditionIsProd, "ENTERPRISE_EDITION", "DEVELOPER_EDITION"]
      RoleArn: !GetAtt resIamRoleKendra.Arn

  # Kendra Data Source (S3)
  resKendraS3DataSource:
    Type: AWS::Kendra::DataSource
    Properties:
      Name: !Sub "${paramEnvironment}_${paramServiceName}_kendraS3DataSource"
      Description: "S3 Data source for Kendra"
      IndexId: !Ref resKendraIndex
      Type: S3
      DataSourceConfiguration:
        S3Configuration:
          BucketName: !ImportValue export-myService-data-source-bucket-name
      RoleArn: !GetAtt resIamRoleKendra.Arn

  # Kendra FAQ (stored in S3)
  resKendraFaq:
    Type: AWS::Kendra::Faq
    Properties:
      IndexId: !Ref resKendraIndex
      Name: !Sub "${paramEnvironment}_${paramServiceName}_kendraFaq"
      S3Path:
        Bucket: !ImportValue export-myService-data-source-bucket-name
        Key: !Sub "kendra/indexes/faq/${paramFaqFilename}"
      RoleArn: !GetAtt resIamRoleKendra.Arn

Outputs:
  KendraIndexId:
    Description: Kendra Index ID
    Value: !Ref resKendraIndex
    Export:
      Name: export-myService-kendra-index-id

asked 3 months ago133 views
1 Answer
1
Accepted Answer

Hello.

The problem is with the IAM policy that is tied to the IAM role.
Please modify the CFn template as below.
Originally, the part that referred to ARN was "arn:aws:s3:::${BucketArn}/*", but it was changed to "${BucketArn}/*".

  resIamRoleKendra:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${paramEnvironment}_${paramServiceName}_kendraRole"
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ kendra.amazonaws.com ]
            Action: sts:AssumeRole
      Policies:
        - PolicyName: KendraPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:DescribeLogStreams
                Resource:
                  - !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${paramEnvironment}_${paramServiceName}_*:log-stream:*"
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                Resource:
                  - !ImportValue export-myService-data-source-bucket-arn
                  - !Sub
                      - "${BucketArn}/*" # Edit
                      - BucketArn: !ImportValue export-myService-data-source-bucket-arn
profile picture
EXPERT
answered 3 months ago
  • That is a great catch! I had recently refactored these Kendra resources out of a larger template file and missed this mistake. I have since corrected the wrong ARN substitution and tried re-creating the stack.

    Unfortunately, it didn't fix the original issue. I still get the same 'FAQ did not stabilize' error message.

  • Be sure to use "DependsOn" to control the creation order of resources as shown below. Also, please set the file format to "JSON". https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kendra-faq.html#cfn-kendra-faq-fileformat

      resKendraS3DataSource:
        Type: AWS::Kendra::DataSource
        DependsOn: resKendraIndex
        Properties:
          Name: !Sub "${paramEnvironment}_${paramServiceName}_kendraS3DataSource"
          Description: "S3 Data source for Kendra"
          IndexId: !Ref resKendraIndex
          Type: S3
          DataSourceConfiguration:
            S3Configuration:
              BucketName: !ImportValue export-myService-data-source-bucket-name
          RoleArn: !GetAtt resIamRoleKendra.Arn
    
      # Kendra FAQ (stored in S3)
      resKendraFaq:
        DependsOn: resKendraS3DataSource
        Type: AWS::Kendra::Faq
        Properties:
          IndexId: !Ref resKendraIndex
          Name: !Sub "${paramEnvironment}_${paramServiceName}_kendraFaq"
          S3Path:
            Bucket: !ImportValue export-myService-data-source-bucket-name
            Key: !Sub "kendra/indexes/faq/${paramFaqFilename}"
          RoleArn: !GetAtt resIamRoleKendra.Arn
          FileFormat: JSON
    
  • Thank you! The 'DependsOn' statements ended up being the key to this puzzle.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions