Hi I m trying to set up a MWAA environment and I m stuck dis

Question

Hi I m trying to set up a MWAA environment and I m stuck disappointed Initially I was getting this error ``` aws mwaa Environment dev aqua airflow error 1 error occurred error creating MWAA Environment ValidationException Failed to assume role arn aws iam lt account id gt role dev airflow execution role This could be due to the role s trust policy Please ensure your role is assumable by Service Principal and try again ``` And this is what my execution role looks like ```mwaa execution role = aws iam Role f stack airflow execution role name=f stack airflow execution role assume role policy=json dumps Version 2012 10 17 Statement Action sts AssumeRole Principal Service Effect Allow ``` I then decided to create the S3 bucket role and policies before creating the MWAA Environment and this is the error I m getting now ``` aws mwaa Environment dev aqua airflow error 1 error occurred creating urn pulumi dev data ml airflow aws mwaa environment Environment dev aqua airflow 1 error occurred error waiting for MWAA Environment dev aqua airflow dd6bc3e creation unexpected state CREATE FAILED wanted target AVAILABLE last error s lt nil gt ``` When I go to the AWS Console this is the error I see ```Error code INCORRECT CONFIGURATION Message You may need to check the execution role permissions policy for your environment and that each of the VPC networking components required by the environment are configured to allow traffic Troubleshooting ``` And this is my Pulumi MWAA code ```airflow env = aws mwaa Environment f stack aqua airflow dag s3 path= dags execution role arn=mwaa execution role arn airflow version= 2 2 2 kms key=mwaa kms key arn logging configuration=aws mwaa EnvironmentLoggingConfigurationArgs dag processing logs=aws mwaa EnvironmentLoggingConfigurationDagProcessingLogsArgs enabled=True log level= DEBUG scheduler logs=aws mwaa EnvironmentLoggingConfigurationSchedulerLogsArgs enabled=True log level= INFO task logs=aws mwaa EnvironmentLoggingConfigurationTaskLogsArgs enabled=True log level= WARNING webserver logs=aws mwaa EnvironmentLoggingConfigurationWebserverLogsArgs enabled=True log level= ERROR worker logs=aws mwaa EnvironmentLoggingConfigurationWorkerLogsArgs enabled=True log level= CRITICAL network configuration=aws mwaa EnvironmentNetworkConfigurationArgs security group ids= vpc vpcDefaultSecurityGroupID subnet ids= vpc privateSubnetsIDs 0 vpc privateSubnetsIDs 1 source bucket arn=airflow dags bucket arn tags= Environment f stack opts=ResourceOptions depends on= mwaa execution role mwaa kms key airflow dags bucket ``` Any idea what I m doing incorrectly I m trying to look into this ```That your Amazon VPC is configured to allow network traffic between the different AWS resources used by your Amazon MWAA environment as defined in About networking on Amazon MWAA For example your VPC security group must either allow all traffic in a self referencing rule or optionally specify the port range for HTTPS port range 443 and a TCP port range 5432 ```

salmon-motherboard-78006 · Answer

looked into my sg outbound rules and looks like all ports are enabled

salmon-motherboard-78006 · Answer

looks like creating log groups was failing

salmon-motherboard-78006 · Answer

was missing this in the kms key ``` Effect Allow Principal Service <http logs us west 2 amazonaws com|logs us west 2 amazonaws com> Action kms Encrypt kms Decrypt kms ReEncrypt kms GenerateDataKey kms Describe Resource Condition ArnLike kms EncryptionContext aws logs arn arn aws logs us west 2 ```