Skip to content

feat(toolkit-lib): surface CloudTrail control-plane errors for failed resources#1676

Open
iankhou wants to merge 11 commits into
mainfrom
iankhou-cr-cloudtrail
Open

feat(toolkit-lib): surface CloudTrail control-plane errors for failed resources#1676
iankhou wants to merge 11 commits into
mainfrom
iankhou-cr-cloudtrail

Conversation

@iankhou

@iankhou iankhou commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Summary

Today, some cases of resource deployment failures do not present useful error messages to users in the CDK CLI:

  1. Custom resources - a handler may crash before responding to CloudFormation, a third-party/user-written handler may swallow the error, or the response may be generic (e.g. "internal error")
  2. Services acting on a resource's behalf - Lambda creating ENIs for a VPC-attached function, or CodeBuild binding to a VPC, where the service may fail to make a call, and the failure does not propagate back to CloudFormation

Solution

In all of these cases, CloudTrail records failed management (control-plane) events, with the error code and message. This PR looks for those events in deployment diagnosis and attributes them to the right stack resource.

Prerequisite fix for cdk diagnose

cdk diagnose currently reports "no issues found" on any rolled-back stack, because it sees the rollback operation as a success.

Output on a failed stack deployment that contained a custom resource, but rolled back successfully:

✅ Stack IamDeniedCustomResourceStack: no issues found.

The same command on this branch (after our changes) finds the failure and adds the CloudTrail attribution:

❌ Stack IamDeniedCustomResourceStack:
Resource updates failed:
IamDeniedCustomResourceStack/MyDeniedResource/Default  (AWS::CloudFormation::CustomResource MyDeniedResource)
  Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log
  Stream: 2026/07/07/[$LATEST]45cdfe6c... (RequestId: 3bf1818a-...)

   Logs from /aws/lambda/IamDeniedCustomResourceStack-CrHandler8F2F7DBF-AvCwUKZrq5co:
   INFO  request type: "Create"
   ERROR Setup failed: AccessDenied - User: ... is not authorized to perform: s3:CreateBucket ...
   INFO  request type: "Delete"
   Logs: https://us-east-1.console.aws.amazon.com/cloudwatch/...

   CrHandler8F2F7DBF (AWS::Lambda::Function): AccessDenied on s3.amazonaws.com:CreateBucket — User: ... is not
   authorized to perform: s3:CreateBucket on resource: "arn:aws:s3:::iam-denied-setup-..." because no
   identity-based policy allows the s3:CreateBucket action

The fix was in PollRange.mostRecentDeploymentAttempt(), which, after our changes, spans the rollback plus the operation that triggered it. It only spans two operations when the newest one actually is a rollback, i.e. a --no-rollback failure stops at the first operation boundary, so a previous attempt's stale failures are not re-reported.

Implementation details

  • cdk deploy and cdk diagnose paths run the same investigation, once per failed deployment. Right after a failed deploy, the events may not be delivered yet. The output says so and suggests running cdk diagnose.

  • The lookup is unfiltered server-side. LookupEvents accepts at most one attribute per call. So the sweep is scoped only by time, and attribution happens client-side: an event belongs to the stack when a known stack identity (physical IDs, IAM roles referenced by Role/RoleArn properties at any depth, ServiceToken functions) appears as a whole ARN segment in the event's calling-principal fields (userIdentity.arn, sessionIssuer.arn, inScopeOf.credentialsIssuedTo). Only the caller is matched so that we do not misattribute calls.

  • The time window we use is derived from the failed operation's stack events and closes shortly after the last failure event, so rollback-teardown noise isn't captured (e.g. failures in rollback).

  • Pagination is capped at 10 pages (~500 events); truncation is disclosed in the output.

  • Only events carrying an errorCode are considered. Duplicates collapse by (eventSource, eventName, errorCode) to the earliest occurrence (the call closest to the root cause); up to 5 are shown earliest-first, with a note for anything collapsed or cut.

  • Best-effort: failures of the lookup itself are not diagnosis results. A missing cloudtrail:LookupEvents permission presents as an IoHost warning with the grant hint; throttles and other errors degrade to debug logging. Nothing blocks or fails the deploy/diagnose.

Considerations

  • CloudTrail management events are available for 90 days by default, and incur no charges to the customer. Data-plane events are not recorded by default.

  • The sweep is page-capped (10 pages ≈ 500 events) and we disclose truncation.

  • Everything is best-effort via the lookup role; no new permissions are required beyond the default ReadOnlyAccess (cloudtrail:LookupEvents is included).

Validations

The correlation design was validated against failed stacks in a test account before implementation, and the final build was compared end-to-end against a main-built CLI across four scenarios (custom resource with swallowed error, silently-crashing handler, VPC/ENI denial, app-level failure as the negative case):

iankhou/cdk-app-with-problems @ iankhou-cr-main:

Results

  • No false attributions, including testing with two stacks failing concurrently in the same account (each run correctly excluded the other stack's errored events).

  • Custom-resource scenario: 110 events swept, 80 errored, 2 correlated — the root-cause S3 denial plus one benign CreateLogStream 404, both attributed to the handler.

  • VPC/ENI scenario: 68 events correlated, but 67 were identical post-rollback polling noise (ResourceNotFoundException on the already-deleted function) vs 1 root cause — which is why the window ends at the failure and duplicates collapse to the earliest occurrence, rather than showing "the last 5" chronologically.

  • The negative case (handler throws an app-level error; no control-plane call fails) correctly produces no CloudTrail output.

  • On the main branch, cdk diagnose returns a false "no issues found" for every rolled-back stack (shown above) and deploy output shows StatusReason only.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions Bot added the p2 label Jun 25, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team June 25, 2026 20:35
Comment thread packages/@aws-cdk/toolkit-lib/lib/api/diagnosing/stack-diagnoser.ts Outdated
@codecov-commenter

codecov-commenter commented Jun 26, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.59%. Comparing base (9bf08e5) to head (22fc606).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1676   +/-   ##
=======================================
  Coverage   89.59%   89.59%           
=======================================
  Files          77       77           
  Lines       11758    11758           
  Branches     1651     1651           
=======================================
  Hits        10534    10534           
  Misses       1195     1195           
  Partials       29       29           
Flag Coverage Δ
suite.unit 89.59% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances @aws-cdk/toolkit-lib’s post-failure diagnosis for custom resources by optionally consulting CloudTrail to surface underlying control-plane errors (e.g., AccessDenied) that typically don’t show up clearly in the custom resource Lambda logs. It also fixes a pre-existing diagnosis gap for rolled-back stacks by expanding the stack event poll range to cover both the failed operation and its rollback.

Changes:

  • Add a CloudTrail lookup (scoped to the custom resource’s backing Lambda “Username”) to surface errored API calls during cdk diagnose, while keeping cdk deploy on a hint-only path.
  • Fix rolled-back stack diagnosis by introducing PollRange.mostRecentDeploymentAttempt() and using it in fresh diagnosis.
  • Add/update tests and SDK mocking to cover CloudTrail behavior, pagination, and the rolled-back regression.

Reviewed changes

Copilot reviewed 12 out of 15 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
yarn.lock Adds the CloudTrail AWS SDK v3 client (and transitive updates) to the workspace lockfile.
packages/aws-cdk/THIRD_PARTY_LICENSES Updates bundled third-party attributions to include the newly bundled CloudTrail client and related deps.
packages/@aws-cdk/toolkit-lib/test/api/diagnosing/stack-diagnoser.test.ts Adds regression test ensuring diagnosis finds failures across rollback + failed create operations.
packages/@aws-cdk/toolkit-lib/test/api/diagnosing/resource-investigation.test.ts Adds tests for CloudTrail integration (gating, scoping, pagination, and “no errors” behavior).
packages/@aws-cdk/toolkit-lib/test/_helpers/mock-sdk.ts Adds CloudTrail client mocking support for unit tests.
packages/@aws-cdk/toolkit-lib/package.json Declares @aws-sdk/client-cloudtrail as a runtime dependency of toolkit-lib.
packages/@aws-cdk/toolkit-lib/lib/api/stack-events/stack-event-poller.ts Introduces PollRange.mostRecentDeploymentAttempt() to span rollback + triggering operation.
packages/@aws-cdk/toolkit-lib/lib/api/diagnosing/stack-diagnoser.ts Threads cloudTrailEnabled and uses the new poll range for diagnose-from-fresh.
packages/@aws-cdk/toolkit-lib/lib/api/diagnosing/resource-investigation.ts Extends the investigation dispatcher to pass options through to custom-resource investigation.
packages/@aws-cdk/toolkit-lib/lib/api/diagnosing/investigate-ecs-service.ts Clarifies shared vs resource-specific investigation options in comments.
packages/@aws-cdk/toolkit-lib/lib/api/diagnosing/investigate-custom-resource.ts Implements CloudTrail lookup + deploy-path hint for custom resource investigation.
packages/@aws-cdk/toolkit-lib/lib/api/aws-auth/sdk.ts Adds ICloudTrailClient and SDK.cloudTrail() wrapper.
packages/@aws-cdk/toolkit-lib/.projen/deps.json Records the new runtime dependency for projen-managed dependency tracking.
.projenrc.ts Adds the CloudTrail SDK dependency to the toolkit-lib project configuration.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/@aws-cdk/toolkit-lib/lib/api/diagnosing/investigate-custom-resource.ts Outdated
@rix0rrr

rix0rrr commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Why do this only for custom resources? Can we not do it in a way that works generically for all resources?

I haven't though too deeply about how we should get "useful information" from CloudTrail; I was hoping you would.

I was hoping we could do something like the following:

image

@rix0rrr

rix0rrr commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

CloudTrail LookupEvents records write/mutating API denials, not most read calls (e.g. ssm:GetParameter).

Mostly true, but not exactly: CloudTrail records control plane events, not data plane events. Usually that means: low-traffic configuration events are recorded, high-traffic events are not.

So 2 counterexamples to your statement above:

  • S3's PutObject is a mutating call, but wouldn't be recorded.
  • Lambda's GetFunctionConfiguration is a read call, but would be recorded.

The point still stands that not everything will be recorded, but you need to know what will and won't be, and for what reasons, to give accurate guidance to users.

Speaking of, can you make sure that you understand the Pull Request and write the PR body yourself, rather than extrude some text via AI? I would like some proof of understanding. Thank you.

@iankhou

iankhou commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

CloudTrail LookupEvents records write/mutating API denials, not most read calls (e.g. ssm:GetParameter).

Mostly true, but not exactly: CloudTrail records control plane events, not data plane events. Usually that means: low-traffic configuration events are recorded, high-traffic events are not.

So 2 counterexamples to your statement above:

  • S3's PutObject is a mutating call, but wouldn't be recorded.
  • Lambda's GetFunctionConfiguration is a read call, but would be recorded.

The point still stands that not everything will be recorded, but you need to know what will and won't be, and for what reasons, to give accurate guidance to users.

Speaking of, can you make sure that you understand the Pull Request and write the PR body yourself, rather than extrude some text via AI? I would like some proof of understanding. Thank you.

Will do, rewritten. Missed the errant caveats at the end, and thanks for the catch. Removed that section because it's evident from the main section of the PR body anyway. I'll outsource less for the PR descriptions.

@github-actions

Copy link
Copy Markdown
Contributor

Total lines changed 7257 is greater than 1000. Please consider breaking this PR down.

@iankhou

iankhou commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Total lines changed 7257 is greater than 1000. Please consider breaking this PR down.

It's from THIRD_PARTY_LICENSES, which should be ignored. See #1680 for fix.

@iankhou

iankhou commented Jun 29, 2026

Copy link
Copy Markdown
Contributor Author

Why do this only for custom resources? Can we not do it in a way that works generically for all resources?

I haven't though too deeply about how we should get "useful information" from CloudTrail; I was hoping you would.

I was hoping we could do something like the following:

image

Yep this is what we are doing for custom resources. I'll explore how to do this generically.

iankhou and others added 8 commits July 6, 2026 14:13
… custom resources

When a custom resource fails because its backing Lambda was denied an AWS API
call (a control-plane failure), the function's own logs often don't show it — but
CloudTrail records the AccessDenied. This adds a CloudTrail lookup to the
custom-resource investigation.

CloudTrail events are delivered with several minutes of latency, so they aren't
available when a `cdk deploy` fails. Since deploy and diagnose share the diagnosis
code, this is gated on a cloudTrailEnabled flag:
- diagnoseFromFresh (`cdk diagnose`, run after the fact) enables it and looks up
  CloudTrail, scoped to the function server-side via the Username attribute (the
  Lambda execution role's session name is the function name), paginated and bounded
  to a window around the failure. Errored events are surfaced (e.g. "AccessDenied
  on s3:CreateBucket").
- diagnoseFromErrorCollection (`cdk deploy`) leaves it off and adds a hint to re-run
  `cdk diagnose` in a few minutes.

Also fixes diagnoseFromFresh reporting "no issues found" on any rolled-back stack:
a rolled-back deployment spans two CloudFormation operations (the failed create and
the rollback); the poll range only covered the most recent (the rollback's
successful deletes), excluding the real CREATE_FAILED. Adds
PollRange.mostRecentDeploymentAttempt() spanning both.

- Add @aws-sdk/client-cloudtrail and an ICloudTrailClient.lookupEvents wrapper.
- Thread cloudTrailEnabled through DiagnoseOptions/InvestigateOptions.

Validated end-to-end against a denied s3:CreateBucket. Known limitation: CloudTrail
LookupEvents records write/mutating denials, not most read calls. Tests cover both
paths, Username scoping, pagination, and the rolled-back regression; new behaviors
are mutation-verified.
…enied

When the lookup role lacks cloudtrail:LookupEvents (common in locked-down
accounts), the custom-resource investigation previously swallowed the
AccessDenied to debug and returned nothing, leaving the user with the same
unhelpful message CloudTrail was meant to improve. Detect the authorization
failure specifically and emit a one-line hint pointing at the missing
permission; other lookup failures still degrade silently (best-effort).
…ources

Rework the custom-resource-only CloudTrail lookup into a stack-level
investigation, per review feedback on #1676:

- One unfiltered LookupEvents sweep per diagnosis, bounded to the failure
  window, correlated client-side against a stack identity set (physical IDs,
  IAM roles referenced by *Role* properties, custom-resource backing
  functions). This covers calls by customer code AND by services acting on a
  resource's behalf (e.g. Lambda creating ENIs with the function's role),
  which the previous Username-scoped lookup could never match.
- No ranking: correlated events are deduplicated by
  (eventSource, eventName, errorCode) and shown earliest-first, capped at 5
  with disclosure. The window ends shortly after the last failure event so
  rollback teardown noise never enters the sweep.
- The deploy/diagnose fork (cloudTrailEnabled) is removed: both paths run the
  same investigation. A recent failure with zero correlated events yields a
  single 'events may not be delivered yet' note.
- Lookup failures are IoHost warnings, not diagnosis results.

Correlation design validated against real failed stacks (custom-resource
AccessDenied and VPC-Lambda ENI denial): zero false attributions with two
stacks failing concurrently in the same account.
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…ation

- mostRecentDeploymentAttempt only spans into a second operation when the
  newest operation is a rollback; a --no-rollback failure stops at the first
  operation boundary instead of pulling in a previous deployment's events
- correlation matches identity keys as whole ARN segments (never bare
  substrings) and only against the calling principal's ARNs — resources[].ARN
  is excluded, so foreign principals' calls against stack resources can no
  longer be attributed to the stack
- findings attach to problems by (stackArn, logicalId), not bare logicalId,
  so nested stacks with repeated logical IDs attribute correctly; findings
  for resources that are not themselves problems are labeled with the
  resource they matched
- role discovery walks nested template properties (Firehose destination
  configs, EventBridge targets) and resolves Fn::Sub role ARNs with literal
  name segments
- the truncation note reports events checked, not errored events kept; the
  overflow disclosure moved from a fake error entry to the notes channel;
  dedup keeps the earlier event's own attribution; the delivery-latency hint
  is no longer suppressed by partial delivery
- drop the unused InvestigateResourceOptions alias and dead _options
  parameter
…sification

getStackTemplate was copied between the custom-resource and CloudTrail
investigations; it now lives once in diagnosing/stack-template.ts.
isAccessDeniedError moves to aws-auth/util.ts and replaces the three ad-hoc
AccessDenied/AccessDeniedException checks in cloudtrail-investigation,
environment-resources, and stack-activity-monitor.
@iankhou

iankhou commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

Logs from VpcEniDeniedStack

Here, we captured the CloudTrail event at the end of cdk deploy, but this is not always the case. CloudTrail events can take 5-15 minutes to deliver.

Before (CDK CLI on main branch)

cdk deploy

❌  VpcEniDeniedStack failed: DeploymentError: Resource updates failed:
VpcEniDeniedStack/VpcFn/Resource  (AWS::Lambda::Function VpcFn9FC86E3A)
  Resource handler returned message: "The provided execution role does not have permissions to call CreateNetworkInterface
  on EC2 (Service: Lambda, Status Code: 400, Request ID: caa3f179-ad3e-4d83-9741-88b2fba0ae35) (SDK Attempt Count: 1)"
  (RequestToken: 58b579ff-9c29-28a5-6e8b-111fc185fdd7, HandlerErrorCode: InvalidRequest)

cdk diagnose

✨  Synthesis time: 4.95s
✅ Stack VpcEniDeniedStack: no issues found.

After (CDK CLI on PR branch)

cdk deploy

❌  VpcEniDeniedStack failed: DeploymentError: Resource updates failed:
VpcEniDeniedStack/VpcFn/Resource  (AWS::Lambda::Function VpcFn9FC86E3A)
  Resource handler returned message: "The provided execution role does not have permissions to call CreateNetworkInterface
  on EC2 (Service: Lambda, Status Code: 400, Request ID: 939e8121-8315-483a-a946-5fd77bd37d83) (SDK Attempt Count: 1)"
  (RequestToken: 24d31fd5-c4fa-172a-58d0-13d9eded25fe, HandlerErrorCode: InvalidRequest)

   VpcFnRole816F5053 (AWS::IAM::Role): Client.UnauthorizedOperation on ec2.amazonaws.com:CreateNetworkInterface — You are not authorized to perform this operation. User: arn:aws:sts::053108159643:assumed-role/VpcEniDeniedStack-VpcFnRole816F5053-SKQoIWrY8tkG/awslambda_110_20260707205603235 is not authorized to perform: ec2:CreateNetworkInterface on resource: arn:aws:ec2:us-east-1:053108159643:subnet/subnet-055ecfa84f64e2949 because no identity-based policy allows the ec2:CreateNetworkInterface action. Encoded authorization failure message: NxQW1rUd6gb50hdjGeSrDUHhtH_KGo5SL5tx-PvDilMoV1mCWY1QCl5P56LOiWLBPBysk8rboU2MroD6AjGf1W2wzO3aYFRIVfvzZlr6wkjSdJYCKMCKZenLU2Q_HhZQ5GD9Uidd7IT2qjpTexuYbA4pf2liKT-Ecn-96zqoGnD8crIf8QqbschJKBYFVTwVM4HBLS8_8WdYata9J_tfQpiNvTNljic_IkJX-SR5YYtyFb9WPqXJ-5RCBIIJhTUiJU7XDesz1bRpEIqVdAbMOypqBywJbxPV2vJT40S7FBHEP1_52cp5HU0E76691l0QJ2z3Fpz5IJmbFKBDsmlqvEzAqRdwZ5kwi0u4CJmS5aAI34mgrm-K6cg3eC6aKxn7n3ijp83GEW5TyAvB4pc-SPFKPVS25IWVS1ILZ4lT0DENCQSqB2TaDbQk7yDkgxyLHZY53HVTBE9n0aH1xuYGZrIGXNNOyCf8Lj4XO58wUqk0_dGQTR-o8Ek2KxTFcfKNhoOhTbqTt4WJo3_EEqttCySeE4wb2IkJWeHczG25iitzqtlikfKNCpqUAUb_rncmEZz6qwmwP-Npoa...

   CloudTrail delivery can lag up to 15 minutes behind the failure; re-run `cdk diagnose` in a few minutes to check for additional control-plane errors (e.g. AccessDenied).

cdk diagnose

✨  Synthesis time: 4.65s
❌ Stack VpcEniDeniedStack:
Resource updates failed:
VpcEniDeniedStack/VpcFn/Resource  (AWS::Lambda::Function VpcFn9FC86E3A)
  Resource handler returned message: "The provided execution role does not have permissions to call CreateNetworkInterface
  on EC2 (Service: Lambda, Status Code: 400, Request ID: a8cb8131-03c8-4aba-96c8-ff0a51297f57) (SDK Attempt Count: 1)"
  (RequestToken: 1a5ad8ac-d327-1b2f-f3d6-d57a49f1c803, HandlerErrorCode: InvalidRequest)

   VpcFnRole816F5053 (AWS::IAM::Role): Client.UnauthorizedOperation on ec2.amazonaws.com:CreateNetworkInterface — You are not authorized to perform this operation. User: arn:aws:sts::053108159643:assumed-role/VpcEniDeniedStack-VpcFnRole816F5053-1Wa1zAaVs3wa/awslambda_955_20260708173034266 is not authorized to perform: ec2:CreateNetworkInterface on resource: arn:aws:ec2:us-east-1:053108159643:subnet/subnet-055ecfa84f64e2949 because no identity-based policy allows the ec2:CreateNetworkInterface action. Encoded authorization failure message: HRDQQqdty2J3QJsZ2hqJ_rv9Bq_SU9r16u9UgDatsHenAcIw3zGARVXNVrC4j7z5zLhcp5dAed5J40WdepGJIqD51NM046FUknzkyi80j5M51VotzlAFNDKvp82XIfX_ob3C4tgCQEn3iv3dMAA_O4lgD7O0d6ndmk3gM9n0KlwbtFtozZ1yCGA55FaAK0vz62ePYYolJZ3lp2VnmGsqc1HjY3_vefmib5v8A1-Tf03ExTf0REH-HZbNSw0I_zZwIOTYSArW39YkfIVqNd15ajneuO_1DipmKk3d96xuNp_QMnhvUkwFwpICl_Z63kIBktI7R-GE4uKW0m0314Rdm2HSdKgStuBAbRLY1hS50OjjuKAzF5EOnn_DwCgrnPyWicwbN4B-n9wlyy1uzAWY4Hob02iIuisrKtiQnQix62MCxVVzQImq0-5JPaj58sJHP-BtG1uJjJDFEE7VGSJfedxUANKy80cE4Cw6_ZgMsKNTKyyiLUtHrsN5mVj1nmv_-q7e8w612Aiq5aKarl_ZSGIZA6sCmQ05ru1hwzOPw31GSOfQEA9Z5pz7S34nnMaqUkU0Mh6p-ARMz2...

   (only the most recent 500 CloudTrail events in the window were checked)

@iankhou

iankhou commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

Logs from IamDeniedCustomResourceStack

In this case, the lambda handler returns a useful message, so much of the CloudTrail log is redundant. We also get useful CloudTrail logs from cdk deploy, and get the same ones from cdk diagnose.

Before (CDK CLI on main branch)

cdk deploy

❌  IamDeniedCustomResourceStack failed: DeploymentError: Resource updates failed:
IamDeniedCustomResourceStack/MyDeniedResource/Default  (AWS::CloudFormation::CustomResource MyDeniedResource)
  Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream:
  2026/07/07/[$LATEST]faf26d2bc27544d4ab14eaa84a92f076 (RequestId: 3c09a963-8895-4fb9-ac9e-da5a9f70cc10)

   Logs from /aws/lambda/IamDeniedCustomResourceStack-CrHandler8F2F7DBF-lDRtDMZV8ffb:
   INFO  request type: "Create"
   ERROR Setup failed: AccessDenied - User: arn:aws:sts::053108159643:assumed-role/IamDeniedCustomResourceSt-CrHandlerServiceRole2D0F6-lRH80BHMvvJa/IamDeniedCustomResourceStack-CrHandler8F2F7DBF-lDRtDMZV8ffb is not authorized to perform: s3:CreateBucket on resource: "arn:aws:s3:::iam-denied-setup-9bd7372e-aab2-4ba7-ac98-be2826d29621" because no identity-based policy allows the s3:CreateBucket action
   ERROR Full error: {"stack":"AccessDenied: User: arn:aws:sts::053108159643:assumed-role/IamDeniedCustomResourceSt-CrHandlerServiceRole2D0F6-lRH80BHMvvJa/IamDeniedCustomResourceStack-CrHandler8F2F7DBF-lDRtDMZV8ffb is not authorized to perform: s3:CreateBucket on resource: \"arn:aws:s3:::iam-denied-setup-9bd7372e-aab2-4ba7-ac98-be2826d29621\" because no identity-based policy allows the s3:CreateBucket action\n    at throwDefaultError (/var/runtime/node_modules/@aws-sdk/node_modules/@smithy/smithy-client/dist-cjs/index.js:422:20)\n    at /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/smithy-client/dist-cjs/index.js:431:5\n    at de_CommandError (/var/runtime/node_modules/@aws-sdk/client-s3/dist-cjs/index.js:5202:14)\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-serde/dist-cjs/index.js:36:20\n    at async /var/runtime/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:488:18\n    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-retry/dist-cjs/index.js:312:38\n    at async /var/runtime/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:110:22\n    at async /var/runtime/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:137:14\n    at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:33:22","name":"AccessDenied","$fault":"client","$metadata":{},"Code":"AccessDenied","RequestId":"E9EY9VSAD0WQHJEZ","HostId":"ZqZVHI2UKio9Lf4MBwq03JTFV4Z5Gbcmv4gNI1MtdAiF77f/sxNhZa+Jlb4GlDWkFCQPEPkAlQrdNi4VVFs/w0wicoLJwMYq","message":"User: arn:aws:sts::053108159643:assumed-role/IamDeniedCustomResourceSt-CrHandlerServiceRole2D0F6-lRH80BHMvvJa/IamDeniedCustomResourceStack-CrHandler8F2F7DBF-lDRtDMZV8ffb is not authorized to perform: s3:CreateBucket on resource: \"arn:aws:s3:::iam-denied-setup-9bd7372e-aab2-4ba7-ac98-be2826d29621\" because no identity-based policy allows the s3:CreateBucket action","$response":{}}
   INFO  request type: "Delete"
   Logs: https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:log-groups/log-group/$252Faws$252Flambda$252FIamDeniedCustomResourceStack-CrHandler8F2F7DBF-lDRtDMZV8ffb

cdk diagnose

✨  Synthesis time: 5.78s
✅ Stack IamDeniedCustomResourceStack: no issues found.

After (CDK CLI on PR branch)

cdk deploy

❌  IamDeniedCustomResourceStack failed: DeploymentError: Resource updates failed:
IamDeniedCustomResourceStack/MyDeniedResource/Default  (AWS::CloudFormation::CustomResource MyDeniedResource)
  Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream:
  2026/07/08/[$LATEST]f3d033c8fe2a4720bd61e35c8d415be1 (RequestId: 75f768f5-3a31-4ad0-a49e-f83e67096fd1)

   Logs from /aws/lambda/IamDeniedCustomResourceStack-CrHandler8F2F7DBF-llNoqKZOJ9iS:
   INFO  request type: "Create"
   ERROR Setup failed: AccessDenied - User: arn:aws:sts::053108159643:assumed-role/IamDeniedCustomResourceSt-CrHandlerServiceRole2D0F6-UlztxgkpoGK1/IamDeniedCustomResourceStack-CrHandler8F2F7DBF-llNoqKZOJ9iS is not authorized to perform: s3:CreateBucket on resource: "arn:aws:s3:::iam-denied-setup-27a9ec06-7d94-4a45-9318-e6f08c9aea4d" because no identity-based policy allows the s3:CreateBucket action
   ERROR Full error: {"stack":"AccessDenied: User: arn:aws:sts::053108159643:assumed-role/IamDeniedCustomResourceSt-CrHandlerServiceRole2D0F6-UlztxgkpoGK1/IamDeniedCustomResourceStack-CrHandler8F2F7DBF-llNoqKZOJ9iS is not authorized to perform: s3:CreateBucket on resource: \"arn:aws:s3:::iam-denied-setup-27a9ec06-7d94-4a45-9318-e6f08c9aea4d\" because no identity-based policy allows the s3:CreateBucket action\n    at throwDefaultError (/var/runtime/node_modules/@aws-sdk/node_modules/@smithy/smithy-client/dist-cjs/index.js:422:20)\n    at /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/smithy-client/dist-cjs/index.js:431:5\n    at de_CommandError (/var/runtime/node_modules/@aws-sdk/client-s3/dist-cjs/index.js:5202:14)\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-serde/dist-cjs/index.js:36:20\n    at async /var/runtime/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:488:18\n    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-retry/dist-cjs/index.js:312:38\n    at async /var/runtime/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:110:22\n    at async /var/runtime/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:137:14\n    at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:33:22","name":"AccessDenied","$fault":"client","$metadata":{},"Code":"AccessDenied","RequestId":"0G2HDQXGHQPPTVQD","HostId":"I6r8BHAIyMJLYgRSQaQcKW2dECK9u0SuZBbBUiolMvOoaXQSg7Dx2I0S72Lig634V8z+UyUmWrw=","message":"User: arn:aws:sts::053108159643:assumed-role/IamDeniedCustomResourceSt-CrHandlerServiceRole2D0F6-UlztxgkpoGK1/IamDeniedCustomResourceStack-CrHandler8F2F7DBF-llNoqKZOJ9iS is not authorized to perform: s3:CreateBucket on resource: \"arn:aws:s3:::iam-denied-setup-27a9ec06-7d94-4a45-9318-e6f08c9aea4d\" because no identity-based policy allows the s3:CreateBucket action","$response":{}}
   INFO  request type: "Delete"
   Logs: https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:log-groups/log-group/$252Faws$252Flambda$252FIamDeniedCustomResourceStack-CrHandler8F2F7DBF-llNoqKZOJ9iS

   CloudTrail delivery can lag up to 15 minutes behind the failure; re-run `cdk diagnose` in a few minutes to check for additional control-plane errors (e.g. AccessDenied).

cdk diagnose

✨  Synthesis time: 5.18s
❌ Stack IamDeniedCustomResourceStack:
Resource updates failed:
IamDeniedCustomResourceStack/MyDeniedResource/Default  (AWS::CloudFormation::CustomResource MyDeniedResource)
  Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream:
  2026/07/08/[$LATEST]f3d033c8fe2a4720bd61e35c8d415be1 (RequestId: 75f768f5-3a31-4ad0-a49e-f83e67096fd1)

   Logs from /aws/lambda/IamDeniedCustomResourceStack-CrHandler8F2F7DBF-llNoqKZOJ9iS:
   INFO  request type: "Create"
   ERROR Setup failed: AccessDenied - User: arn:aws:sts::053108159643:assumed-role/IamDeniedCustomResourceSt-CrHandlerServiceRole2D0F6-UlztxgkpoGK1/IamDeniedCustomResourceStack-CrHandler8F2F7DBF-llNoqKZOJ9iS is not authorized to perform: s3:CreateBucket on resource: "arn:aws:s3:::iam-denied-setup-27a9ec06-7d94-4a45-9318-e6f08c9aea4d" because no identity-based policy allows the s3:CreateBucket action
   ERROR Full error: {"stack":"AccessDenied: User: arn:aws:sts::053108159643:assumed-role/IamDeniedCustomResourceSt-CrHandlerServiceRole2D0F6-UlztxgkpoGK1/IamDeniedCustomResourceStack-CrHandler8F2F7DBF-llNoqKZOJ9iS is not authorized to perform: s3:CreateBucket on resource: \"arn:aws:s3:::iam-denied-setup-27a9ec06-7d94-4a45-9318-e6f08c9aea4d\" because no identity-based policy allows the s3:CreateBucket action\n    at throwDefaultError (/var/runtime/node_modules/@aws-sdk/node_modules/@smithy/smithy-client/dist-cjs/index.js:422:20)\n    at /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/smithy-client/dist-cjs/index.js:431:5\n    at de_CommandError (/var/runtime/node_modules/@aws-sdk/client-s3/dist-cjs/index.js:5202:14)\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-serde/dist-cjs/index.js:36:20\n    at async /var/runtime/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:488:18\n    at async /var/runtime/node_modules/@aws-sdk/node_modules/@smithy/middleware-retry/dist-cjs/index.js:312:38\n    at async /var/runtime/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:110:22\n    at async /var/runtime/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:137:14\n    at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:33:22","name":"AccessDenied","$fault":"client","$metadata":{},"Code":"AccessDenied","RequestId":"0G2HDQXGHQPPTVQD","HostId":"I6r8BHAIyMJLYgRSQaQcKW2dECK9u0SuZBbBUiolMvOoaXQSg7Dx2I0S72Lig634V8z+UyUmWrw=","message":"User: arn:aws:sts::053108159643:assumed-role/IamDeniedCustomResourceSt-CrHandlerServiceRole2D0F6-UlztxgkpoGK1/IamDeniedCustomResourceStack-CrHandler8F2F7DBF-llNoqKZOJ9iS is not authorized to perform: s3:CreateBucket on resource: \"arn:aws:s3:::iam-denied-setup-27a9ec06-7d94-4a45-9318-e6f08c9aea4d\" because no identity-based policy allows the s3:CreateBucket action","$response":{}}
   INFO  request type: "Delete"
   Logs: https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:log-groups/log-group/$252Faws$252Flambda$252FIamDeniedCustomResourceStack-CrHandler8F2F7DBF-llNoqKZOJ9iS

   CrHandler8F2F7DBF (AWS::Lambda::Function): AccessDenied on s3.amazonaws.com:CreateBucket — User: arn:aws:sts::053108159643:assumed-role/IamDeniedCustomResourceSt-CrHandlerServiceRole2D0F6-UlztxgkpoGK1/IamDeniedCustomResourceStack-CrHandler8F2F7DBF-llNoqKZOJ9iS is not authorized to perform: s3:CreateBucket on resource: "arn:aws:s3:::iam-denied-setup-27a9ec06-7d94-4a45-9318-e6f08c9aea4d" because no identity-based policy allows the s3:CreateBucket action

   (only the most recent 500 CloudTrail events in the window were checked)
   CloudTrail delivery can lag up to 15 minutes behind the failure; re-run `cdk diagnose` in a few minutes to check for additional control-plane errors (e.g. AccessDenied).

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 17 out of 20 changed files in this pull request and generated 1 comment.

…match a CloudTrail event

An assumed-role session ARN contains both the role name and (for Lambda-made
calls) the function name, so a single event can match two stack identities;
first-match made the attribution depend on DescribeStackResources response
order. The most specific match now wins: a key equal to the session-name
segment (the actual caller) beats any other match, and key length breaks
ties.
@iankhou

iankhou commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

Logs from CrashingCustomResourceStack

Before (CDK CLI on main branch)

cdk deploy

❌  CrashingCustomResourceStack failed: DeploymentError: Resource updates failed:
CrashingCustomResourceStack/MyCrashingResource/Default  (AWS::CloudFormation::CustomResource MyCrashingResource)
  CloudFormation did not receive a response from your Custom Resource. Please check your logs for requestId
  [a3cb38b0-42ff-48d6-8acd-31fd244015ea]. If you are using the Python cfn-response module, you may need to update your
  Lambda function code so that CloudFormation can attach the updated version.
  CloudFormation did not receive a response from your Custom Resource. Please check your logs for requestId
  [0db7ce3f-4583-4a52-8466-ee81ef340617]. If you are using the Python cfn-response module, you may need to update your
  Lambda function code so that CloudFormation can attach the updated version.

   Logs from /aws/lambda/CrashingCustomResourceStack-CrHandler8F2F7DBF-h6vVHBoEoew9:
   INFO  request type: "Create"
   INFO  request type: "Delete"
   Logs: https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:log-groups/log-group/$252Faws$252Flambda$252FCrashingCustomResourceStack-CrHandler8F2F7DBF-h6vVHBoEoew9

cdk diagnose

✨  Synthesis time: 5.98s
❌ Stack CrashingCustomResourceStack:
Resource updates failed:
CrashingCustomResourceStack/MyCrashingResource/Default  (AWS::CloudFormation::CustomResource MyCrashingResource)
  CloudFormation did not receive a response from your Custom Resource. Please check your logs for requestId
  [0db7ce3f-4583-4a52-8466-ee81ef340617]. If you are using the Python cfn-response module, you may need to update your
  Lambda function code so that CloudFormation can attach the updated version.

   Logs from /aws/lambda/CrashingCustomResourceStack-CrHandler8F2F7DBF-h6vVHBoEoew9:
   INFO  request type: "Delete"
   Logs: https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:log-groups/log-group/$252Faws$252Flambda$252FCrashingCustomResourceStack-CrHandler8F2F7DBF-h6vVHBoEoew9

After (CDK CLI on PR branch)

cdk deploy

❌  CrashingCustomResourceStack failed: DeploymentError: Resource updates failed:
CrashingCustomResourceStack/MyCrashingResource/Default  (AWS::CloudFormation::CustomResource MyCrashingResource)
  CloudFormation did not receive a response from your Custom Resource. Please check your logs for requestId
  [139c188b-8575-46af-bd8d-7cec27391a4b]. If you are using the Python cfn-response module, you may need to update your
  Lambda function code so that CloudFormation can attach the updated version.
  CloudFormation did not receive a response from your Custom Resource. Please check your logs for requestId
  [393dcb1f-b967-447d-92f5-f2e730fce882]. If you are using the Python cfn-response module, you may need to update your
  Lambda function code so that CloudFormation can attach the updated version.

   Logs from /aws/lambda/CrashingCustomResourceStack-CrHandler8F2F7DBF-2ziHrXop2KHT:
   INFO  request type: "Create"
   INFO  request type: "Delete"
   Logs: https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:log-groups/log-group/$252Faws$252Flambda$252FCrashingCustomResourceStack-CrHandler8F2F7DBF-2ziHrXop2KHT

   CrHandler8F2F7DBF (AWS::Lambda::Function): AccessDenied on s3.amazonaws.com:CreateBucket — User: arn:aws:sts::053108159643:assumed-role/CrashingCustomResourceSta-CrHandlerServiceRole2D0F6-JSHpJJOkpmuR/CrashingCustomResourceStack-CrHandler8F2F7DBF-2ziHrXop2KHT is not authorized to perform: s3:CreateBucket on resource: "arn:aws:s3:::crash-setup-3dc65f07-e398-44d2-a05d-33412a39a03c" because no identity-based policy allows the s3:CreateBucket action

   (only the most recent 500 CloudTrail events in the window were checked)
   CloudTrail delivery can lag up to 15 minutes behind the failure; re-run `cdk diagnose` in a few minutes to check for additional control-plane errors (e.g. AccessDenied).

cdk diagnose

✨  Synthesis time: 4.56s
❌ Stack CrashingCustomResourceStack:
Resource updates failed:
CrashingCustomResourceStack/MyCrashingResource/Default  (AWS::CloudFormation::CustomResource MyCrashingResource)
  CloudFormation did not receive a response from your Custom Resource. Please check your logs for requestId
  [139c188b-8575-46af-bd8d-7cec27391a4b]. If you are using the Python cfn-response module, you may need to update your
  Lambda function code so that CloudFormation can attach the updated version.
  CloudFormation did not receive a response from your Custom Resource. Please check your logs for requestId
  [393dcb1f-b967-447d-92f5-f2e730fce882]. If you are using the Python cfn-response module, you may need to update your
  Lambda function code so that CloudFormation can attach the updated version.

   Logs from /aws/lambda/CrashingCustomResourceStack-CrHandler8F2F7DBF-2ziHrXop2KHT:
   INFO  request type: "Create"
   INFO  request type: "Delete"
   Logs: https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:log-groups/log-group/$252Faws$252Flambda$252FCrashingCustomResourceStack-CrHandler8F2F7DBF-2ziHrXop2KHT

   CrHandler8F2F7DBF (AWS::Lambda::Function): AccessDenied on s3.amazonaws.com:CreateBucket — User: arn:aws:sts::053108159643:assumed-role/CrashingCustomResourceSta-CrHandlerServiceRole2D0F6-JSHpJJOkpmuR/CrashingCustomResourceStack-CrHandler8F2F7DBF-2ziHrXop2KHT is not authorized to perform: s3:CreateBucket on resource: "arn:aws:s3:::crash-setup-3dc65f07-e398-44d2-a05d-33412a39a03c" because no identity-based policy allows the s3:CreateBucket action

   (only the most recent 500 CloudTrail events in the window were checked)

@iankhou

iankhou commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

Logs from FailingCustomResourceStack

This is the negative case, where CloudTrail events don't add additional utility.

Before (CDK CLI on main branch)

cdk deploy

❌  FailingCustomResourceStack failed: DeploymentError: Resource updates failed:
FailingCustomResourceStack/MyFailingResource/Default  (AWS::CloudFormation::CustomResource MyFailingResource)
  Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream:
  2026/07/07/[$LATEST]532a29f2c46044f9bdecfa68bf63c8e0 (RequestId: 69e68e35-5b4f-4203-afa5-a5e1184e2d55)
  Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream:
  2026/07/07/[$LATEST]532a29f2c46044f9bdecfa68bf63c8e0 (RequestId: be09270b-b7bd-4be6-b0d3-4979e1c45f1d)

   Logs from /aws/lambda/FailingCustomResourceStack-CrHandler8F2F7DBF-zQwGwYzWWLOG:
   INFO  request type: "Create"
   ERROR Boom: simulated custom resource failure on Create
   INFO  Response body:
 {"Status":"FAILED","Reason":"See the details in CloudWatch Log Stream: 2026/07/07/[$LATEST]532a29f2c46044f9bdecfa68bf63c8e0","PhysicalResourceId":"2026/07/07/[$LATEST]532a29f2c46044f9bdecfa68bf63c8e0","StackId":"arn:aws:cloudformation:us-east-1:053108159643:stack/FailingCustomResourceStack/68146920-7a4b-11f1-9b9a-12a872f2799d","RequestId":"69e68e35-5b4f-4203-afa5-a5e1184e2d55","LogicalResourceId":"MyFailingResource","NoEcho":false,"Data":{"error":"simulated"}}
   INFO  Status code: 200
   INFO  Status message: OK
   INFO  request type: "Delete"
   ERROR Boom: simulated custom resource failure on Create
   INFO  Response body:
 {"Status":"FAILED","Reason":"See the details in CloudWatch Log Stream: 2026/07/07/[$LATEST]532a29f2c46044f9bdecfa68bf63c8e0","PhysicalResourceId":"2026/07/07/[$LATEST]532a29f2c46044f9bdecfa68bf63c8e0","StackId":"arn:aws:cloudformation:us-east-1:053108159643:stack/FailingCustomResourceStack/68146920-7a4b-11f1-9b9a-12a872f2799d","RequestId":"be09270b-b7bd-4be6-b0d3-4979e1c45f1d","LogicalResourceId":"MyFailingResource","NoEcho":false,"Data":{"error":"simulated"}}
   INFO  Status code: 200
   INFO  Status message: OK
   Logs: https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:log-groups/log-group/$252Faws$252Flambda$252FFailingCustomResourceStack-CrHandler8F2F7DBF-zQwGwYzWWLOG

After (CDK CLI on PR branch)

cdk deploy

❌  FailingCustomResourceStack failed: DeploymentError: Resource updates failed:
FailingCustomResourceStack/MyFailingResource/Default  (AWS::CloudFormation::CustomResource MyFailingResource)
  Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream:
  2026/07/08/[$LATEST]08dedaf1c41d42aabce24fe1c7b7f290 (RequestId: 4646b7c9-6561-4974-9494-716779cc43e5)
  Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream:
  2026/07/08/[$LATEST]08dedaf1c41d42aabce24fe1c7b7f290 (RequestId: d0bb8c57-6a8e-42f2-a2fd-fb34793aa1da)

   Logs from /aws/lambda/FailingCustomResourceStack-CrHandler8F2F7DBF-m4EDYE34RpWR:
   INFO  request type: "Create"
   ERROR Boom: simulated custom resource failure on Create
   INFO  Response body:
 {"Status":"FAILED","Reason":"See the details in CloudWatch Log Stream: 2026/07/08/[$LATEST]08dedaf1c41d42aabce24fe1c7b7f290","PhysicalResourceId":"2026/07/08/[$LATEST]08dedaf1c41d42aabce24fe1c7b7f290","StackId":"arn:aws:cloudformation:us-east-1:053108159643:stack/FailingCustomResourceStack/ac9de7e0-7af2-11f1-bf59-12f1b2ea4589","RequestId":"4646b7c9-6561-4974-9494-716779cc43e5","LogicalResourceId":"MyFailingResource","NoEcho":false,"Data":{"error":"simulated"}}
   INFO  Status code: 200
   INFO  Status message: OK
   Logs: https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:log-groups/log-group/$252Faws$252Flambda$252FFailingCustomResourceStack-CrHandler8F2F7DBF-m4EDYE34RpWR

cdk diagnose

✨  Synthesis time: 4.49s
❌ Stack FailingCustomResourceStack:
Resource updates failed:
FailingCustomResourceStack/MyFailingResource/Default  (AWS::CloudFormation::CustomResource MyFailingResource)
  Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream:
  2026/07/08/[$LATEST]08dedaf1c41d42aabce24fe1c7b7f290 (RequestId: 4646b7c9-6561-4974-9494-716779cc43e5)
  Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream:
  2026/07/08/[$LATEST]08dedaf1c41d42aabce24fe1c7b7f290 (RequestId: d0bb8c57-6a8e-42f2-a2fd-fb34793aa1da)

   Logs from /aws/lambda/FailingCustomResourceStack-CrHandler8F2F7DBF-m4EDYE34RpWR:
   INFO  request type: "Create"
   ERROR Boom: simulated custom resource failure on Create
   INFO  Response body:
 {"Status":"FAILED","Reason":"See the details in CloudWatch Log Stream: 2026/07/08/[$LATEST]08dedaf1c41d42aabce24fe1c7b7f290","PhysicalResourceId":"2026/07/08/[$LATEST]08dedaf1c41d42aabce24fe1c7b7f290","StackId":"arn:aws:cloudformation:us-east-1:053108159643:stack/FailingCustomResourceStack/ac9de7e0-7af2-11f1-bf59-12f1b2ea4589","RequestId":"4646b7c9-6561-4974-9494-716779cc43e5","LogicalResourceId":"MyFailingResource","NoEcho":false,"Data":{"error":"simulated"}}
   INFO  Status code: 200
   INFO  Status message: OK
   INFO  request type: "Delete"
   ERROR Boom: simulated custom resource failure on Create
   INFO  Response body:
 {"Status":"FAILED","Reason":"See the details in CloudWatch Log Stream: 2026/07/08/[$LATEST]08dedaf1c41d42aabce24fe1c7b7f290","PhysicalResourceId":"2026/07/08/[$LATEST]08dedaf1c41d42aabce24fe1c7b7f290","StackId":"arn:aws:cloudformation:us-east-1:053108159643:stack/FailingCustomResourceStack/ac9de7e0-7af2-11f1-bf59-12f1b2ea4589","RequestId":"d0bb8c57-6a8e-42f2-a2fd-fb34793aa1da","LogicalResourceId":"MyFailingResource","NoEcho":false,"Data":{"error":"simulated"}}
   INFO  Status code: 200
   INFO  Status message: OK
   Logs: https://us-east-1.console.aws.amazon.com/cloudwatch/home?region=us-east-1#logsV2:log-groups/log-group/$252Faws$252Flambda$252FFailingCustomResourceStack-CrHandler8F2F7DBF-m4EDYE34RpWR

…identifiers

identityMatches, nameSegment, and assumedRoleSessionName are pure identifier
parsers, so they belong in resource-identifiers.ts with the other ones — and
as exports they get direct unit tests for the segment-anchoring boundary
cases instead of being reachable only through the full investigation with
four mocked clients. The attribution policy (mostSpecificMatch) stays with
correlateEvents in cloudtrail-investigation.ts.
@iankhou

iankhou commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

cli-integ tests are failing due to today's release of typescript@7, which is automatically included into our testing workflow. Not related to this PR. See #1719.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants