aws-samples / aws-security-reference-architecture-examples

Example solutions demonstrating how to implement patterns within the AWS Security Reference Architecture guide using CloudFormation (including Customizations for AWS Control Tower) and Terraform.

[BUG] SRA prerequisites does not automatically handle new regions (e.g. ap-southeast-4) #211

Closed julian-price closed 2 months ago

julian-price commented 5 months ago

Describe the bug

This bug is apparent only when a new region is enabled for Control Tower (e.g. ap-southeast-4 in Nov 2023) and that region is to be brought under Control Tower governance. The issue arises because the get_enabled_regions method in the sra-common-prerequisites lambda contains a hardcoded region list, default_available_regions, which is written to the /sra/regions/enabled-regions SSM parameter and also used to write SRA SSM parameters to each region in the list. If a region is not in the hardcoded list in the lambda, then the SSM parameters are not written to that region in the master account, even though the new region does get written to the /sra/regions/customer-control-tower-regions SSM parameter.

To Reproduce

Steps to reproduce the behavior:

  1. Enable Control Tower in a new region that is not in the default_available_regions list in the sra-common-prerequisites Python lambda code (e.g. ap-southeast-4).
  2. Deploy the /aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-management-account-parameters.yaml CloudFormation template to set up the SSM parameters in the master account.
  3. Validate that the /sra/regions/customer-control-tower-regions SSM parameter contains the region when viewed from the home region in the master account. Notice that the region does not exist in the /sra/regions/enabled-regions SSM parameter.
  4. Navigate to the new region in the master account. No sra parameters will have been written.

Expected behavior

The SRA solution should dynamically determine what regions are available for Control Tower, or, at a minimum, include every region contained in the /sra/regions/customer-control-tower-regions SSM parameter in the /sra/regions/enabled-regions parameter.

Additional context

While the need to enable a new region in Control Tower may not be a frequent activity, AWS does bring new regions online quite often and this bug might be a barrier to organisations in those regions looking to adopt the SRA.
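The following is an added example, not code from the aws-security-reference-architecture-examples repository and not part of the issue text above. It models the failure mode described in the report (a static region list used as the source of /sra/regions/enabled-regions, so a newly governed region such as ap-southeast-4 never receives SRA parameters) next to the expected behaviour: deriving the enabled-region list from what the account reports and unioning it with every Control Tower governed region. All region lists are constructed sample data; the names HARDCODED_DEFAULT_REGIONS, enabled_regions_hardcoded, enabled_regions_dynamic and missing_control_tower_regions are this example's own, and the assumption that the SRA region parameters are stored as comma-separated strings is labelled in the code.

```python
"""Added example, not code from the SRA repository.

Shows why a hardcoded region list silently drops a newly launched region
(ap-southeast-4 in the issue) and how to derive the enabled-region list so
that every region in the customer Control Tower list is always included.
All region lists below are constructed sample data."""
from __future__ import annotations

from typing import Callable, Iterable


def parse_region_param(value: str | Iterable[str]) -> list[str]:
    """Accept either a list or a comma-separated SSM StringList value.
    Assumption: the SRA region parameters are stored as comma-separated strings."""
    if isinstance(value, str):
        return [r.strip() for r in value.split(",") if r.strip()]
    return list(value)


# Constructed stand-in for a hardcoded default_available_regions list written
# before the launch of ap-southeast-4. Not copied from the lambda.
HARDCODED_DEFAULT_REGIONS = [
    "us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1", "ap-southeast-2",
]

# Constructed sample of the /sra/regions/customer-control-tower-regions value
# after the new region is brought under Control Tower governance.
CUSTOMER_CONTROL_TOWER_REGIONS = "us-east-1,ap-southeast-2,ap-southeast-4"


def enabled_regions_hardcoded(hardcoded: Iterable[str] = HARDCODED_DEFAULT_REGIONS) -> list[str]:
    """Behaviour described in the issue: the list is static, so bringing a
    region the lambda author never saw under governance changes nothing."""
    return sorted(hardcoded)


def enabled_regions_dynamic(
    control_tower_regions: str | Iterable[str],
    discover_regions: Callable[[], Iterable[str]] = lambda: (),
) -> list[str]:
    """Expected behaviour: union of whatever the account reports as enabled
    (discover_regions) and every Control Tower governed region, so a governed
    region can never be missing regardless of what discovery returns."""
    ct = set(parse_region_param(control_tower_regions))
    return sorted(set(discover_regions()) | ct)


def missing_control_tower_regions(
    control_tower_regions: str | Iterable[str], enabled_regions: str | Iterable[str]
) -> list[str]:
    """Check to run against the two SSM parameters: governed regions that never
    made it into enabled-regions, i.e. regions where no SRA parameters exist."""
    ct = set(parse_region_param(control_tower_regions))
    return sorted(ct - set(parse_region_param(enabled_regions)))


def discover_opted_in_regions(session=None) -> list[str]:
    """Live discovery for real use (not exercised offline): regions the account
    has enabled, via EC2 DescribeRegions with AllRegions=False."""
    import boto3  # imported lazily so the rest of the module runs without AWS access

    ec2 = (session or boto3).client("ec2")
    return [r["RegionName"] for r in ec2.describe_regions(AllRegions=False)["Regions"]]


if __name__ == "__main__":
    buggy = enabled_regions_hardcoded()
    print("hardcoded enabled-regions:", buggy)
    print("governed but missing     :", missing_control_tower_regions(CUSTOMER_CONTROL_TOWER_REGIONS, buggy))
    # Offline stand-in for discover_opted_in_regions: reuse the old list as the "account" view.
    fixed = enabled_regions_dynamic(CUSTOMER_CONTROL_TOWER_REGIONS, lambda: HARDCODED_DEFAULT_REGIONS)
    print("dynamic enabled-regions  :", fixed)
    print("governed but missing     :", missing_control_tower_regions(CUSTOMER_CONTROL_TOWER_REGIONS, fixed))
```

Running missing_control_tower_regions against the real values of the two SSM parameters in the home region is the quickest way to confirm whether a deployment is affected: any region it returns is one where step 4 of the reproduction above will find no SRA parameters. In a live lambda the offline stand-in passed as discover_regions would be replaced by discover_opted_in_regions, which needs ec2:DescribeRegions permission.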

liamschn commented 3 months ago

I have code to fix this @julian-price; I also know you are not the only one with this bug :) I will get this resolved ASAP for you (and others). Thank you for submitting and sorry for the late reply (been super busy 'round here).