aws-samples / aws-security-reference-architecture-examples

Example solutions demonstrating how to implement patterns within the AWS Security Reference Architecture guide using CloudFormation (including Customizations for AWS Control Tower) and Terraform.

[BUG] SRA Solution: account_alternate_contacts #163

Closed sbrown-tecracer closed 1 year ago

sbrown-tecracer commented 1 year ago

Describe the bug

When running the account_alternate_contacts using CfCT, the stack_set is failing to create the rAccountAlternateContactsLambdaCustomResource with the attached error from CloudWatch.

To Reproduce

Steps to reproduce the behavior:

CfCT 2.6.0/SRA1.3/Solutionv1.1

  1. Go to CodeCommit & commit required solution: manifest.yaml

     ```yaml
     - name: sra-account-alternate-contacts-main-ssm
       resource_file: templates/sra-account-alternate-contacts-main-ssm.yaml
       parameters:
         - parameter_key: pBillingContactAction
           parameter_value: 'add'
         - parameter_key: pBillingEmail
           parameter_value: '****>'
         - parameter_key: pBillingName
           parameter_value: '****'
         - parameter_key: pBillingPhone
           parameter_value: '****'
         - parameter_key: pBillingTitle
           parameter_value: '-'
         - parameter_key: pComplianceFrequency
           parameter_value: '7'
         - parameter_key: pExcludeAlternateContactAccountTags
           parameter_value: '{"Key": "_Offboarded", "Value": "true"}'
         - parameter_key: pOperationsContactAction
           parameter_value: 'add'
         - parameter_key: pOperationsEmail
           parameter_value: '****'
         - parameter_key: pOperationsName
           parameter_value: '****'
         - parameter_key: pOperationsPhone
           parameter_value: '****'
         - parameter_key: pOperationsTitle
           parameter_value: '-'
         - parameter_key: pSecurityContactAction
           parameter_value: 'add'
         - parameter_key: pSecurityEmail
           parameter_value: '****'
         - parameter_key: pSecurityName
           parameter_value: '****'
         - parameter_key: pSecurityPhone
           parameter_value: '****'
         - parameter_key: pSecurityTitle
           parameter_value: '-'
       deploy_method: stack_set
       deployment_targets:
         accounts:
           - xxxx
     ```

     templates/sra-account-alternate-contacts-main-ssm.yaml included in commit
  2. See error:

     ```json
     {
       "timestamp": "2023-08-18 09:10:10,692",
       "level": "ERROR",
       "location": "crhelper.resource_helper._wrap_function:206",
       "RequestType": "Create",
       "StackId": "arn:aws:cloudformation:eu-central-1:xxxxxxxxxxxx:stack/StackSet-CustomControlTower-sra-account-alternate-con-rAccountAlternateContactsStack-1KQY56N9A0SL4/c5c1c521-3da6-11ee-a0ef-027341257266",
       "RequestId": "16304ad7-ad00-4a12-ac73-c9e60fceadd2",
       "LogicalResourceId": "rAccountAlternateContactsLambdaCustomResource",
       "aws_request_id": "75617787-be71-4fa8-bf2f-a5cea73e3d04",
       "message": "'str' object has no attribute 'get'",
       "exception": "Traceback (most recent call last):\n File \"/var/task/crhelper/resource_helper.py\", line 204, in _wrap_function\n self.PhysicalResourceId = func(self._event, self._context) if func else ''\n File \"/var/task/app.py\", line 462, in process_event_cloudformation\n params = get_validated_parameters({\"RequestType\": event[\"RequestType\"]})\n File \"/var/task/app.py\", line 569, in get_validated_parameters\n params.update(parameter_pattern_validator(\"EXCLUDE_ACCOUNT_TAGS\", os.environ.get(\"EXCLUDE_ACCOUNT_TAGS\"), pattern=\"tags_json\", is_optional=True))\n File \"/var/task/app.py\", line 532, in parameter_pattern_validator\n return parameter_tags_validator(parameter_name, parameter_value)\n File \"/var/task/app.py\", line 496, in parameter_tags_validator\n if not tag.get(\"Key\") or \"Value\" not in tag:\nAttributeError: 'str' object has no attribute 'get'"
     }
     ```

I can see that it's related to the tag exclusion:

```yaml
- parameter_key: pExcludeAlternateContactAccountTags
  parameter_value: '{"Key": "_Offboarded", "Value": "true"}'
```

What format should this be set to?

sbrown-tecracer commented 1 year ago

Ok, format must be:

```yaml
- parameter_key: pExcludeAlternateContactAccountTags
  parameter_value: '[{"Key": "_Offboarded", "Value": "true"}]'
```

Closing, my mistake
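
Added example, not part of the thread and not the SRA project's code: it reproduces the `AttributeError` from the traceback (iterating a JSON object yields its string keys) and shows a shape check that rejects the single-object value with a clear message before a manifest is committed. The helper names `naive_check` and `validate_exclude_tags`, and the treatment of an empty value as "no exclusions", are assumptions.

```python
import json


def naive_check(raw):
    """Per-tag test as seen in the traceback, with no shape check first."""
    for tag in json.loads(raw):  # iterating a dict yields its string keys
        if not tag.get("Key") or "Value" not in tag:
            raise ValueError("invalid tag")


def validate_exclude_tags(raw):
    """Hypothetical pre-commit check for a pExcludeAlternateContactAccountTags value.

    Returns the parsed list of tag dicts, or raises ValueError naming the
    shape problem instead of failing later inside the Lambda.
    """
    if raw is None or raw.strip() == "":
        return []  # assumption: empty means "exclude nothing"
    try:
        tags = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    if isinstance(tags, dict):
        # The shape from the issue: one object instead of a list of objects.
        raise ValueError("expected a JSON list of tags; wrap the object in [ ]")
    if not isinstance(tags, list):
        raise ValueError(f"expected a JSON list, got {type(tags).__name__}")
    for i, tag in enumerate(tags):
        if not isinstance(tag, dict):
            raise ValueError(f"tag {i} is not an object")
        if not tag.get("Key") or "Value" not in tag:
            raise ValueError(f"tag {i} needs a non-empty Key and a Value")
    return tags


BAD = '{"Key": "_Offboarded", "Value": "true"}'     # value from the issue
GOOD = '[{"Key": "_Offboarded", "Value": "true"}]'  # corrected value

if __name__ == "__main__":
    try:
        naive_check(BAD)
    except AttributeError as exc:
        print("naive:", exc)  # same message as in the CloudWatch log
    try:
        validate_exclude_tags(BAD)
    except ValueError as exc:
        print("strict:", exc)
    print("ok:", validate_exclude_tags(GOOD))
```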