Which action should the engineer take to resolve this issue?
Ensure the Lambda function code has exited successfully.
Ensure the Lambda function code returns a response to the pre-signed URL.
Ensure the Lambda function IAM role has cloudformation:UpdateStack permissions for the stack ARN.
Ensure the Lambda function IAM role has ds:ConnectDirectory permissions for the AWS account.
Explanations:
The Lambda function must return a response to CloudFormation indicating success or failure, but merely exiting successfully does not ensure this response is sent.
CloudFormation waits for a response from the Lambda function via a pre-signed URL. If the response is not returned, the stack cannot transition to CREATE_COMPLETE.
The Lambda function does not need the cloudformation:UpdateStack permission. It needs permissions to interact with the service responsible for the custom resource.
The Lambda function does not need ds:ConnectDirectory permissions to create or manage an AD Connector. This is not related to CloudFormation’s status update.
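The response behavior described in the explanations, sketched as an added example (not code from the original page): a custom resource handler that always PUTs a SUCCESS or FAILED body to the pre-signed ResponseURL, even when the work raises. The `provision` function, the `Fail` property and the sample event values are hypothetical and constructed for illustration.

```python
import json
import urllib.request

def build_response(event, status, reason="", data=None):
    """Build the JSON body CloudFormation expects at the pre-signed ResponseURL."""
    return {
        "Status": status,  # must be "SUCCESS" or "FAILED"
        "Reason": reason or "See CloudWatch Logs for details",
        "PhysicalResourceId": event.get("PhysicalResourceId") or event["LogicalResourceId"],
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},
    }

def put_response(url, body):
    """HTTP PUT the body to the pre-signed URL supplied in the event."""
    payload = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=payload, method="PUT",
                                 headers={"Content-Type": ""})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

def provision(event):
    """Hypothetical stand-in for the real work done by the custom resource."""
    if event["ResourceProperties"].get("Fail"):
        raise RuntimeError("provisioning failed")
    return {"ConnectorId": "constructed-id-123"}

def handler(event, context, send=put_response):
    """Report the outcome on every path; a clean exit alone leaves the stack waiting."""
    try:
        data = provision(event) if event["RequestType"] != "Delete" else {}
        body = build_response(event, "SUCCESS", data=data)
    except Exception as exc:  # any failure must still reach CloudFormation
        body = build_response(event, "FAILED", reason=str(exc))
    send(event["ResponseURL"], body)
    return body

# Constructed sample event; all values are placeholders, not real identifiers.
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://example.invalid/presigned-placeholder",
    "StackId": "arn:aws:cloudformation:us-east-1:111111111111:stack/demo/placeholder",
    "RequestId": "constructed-request-id",
    "LogicalResourceId": "DemoCustomResource",
    "ResourceProperties": {},
}
```

The `send` parameter exists only so the handler can be exercised offline; in Lambda the default `put_response` performs the real PUT.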