Example solutions demonstrating how to implement patterns within the AWS Security Reference Architecture guide using CloudFormation (including Customizations for AWS Control Tower) and Terraform.
[BUG] Updating existing SRA GuardDuty solution to include feature (#213) fails to deploy rGuardDutyOrgLambdaCustomResource #267
We have an existing SRA solution deployed into a Control Tower environment using the CfCT. This was using pre v3 (#205) release code. To make use of the newly enabled features, we decided to upgrade to the latest SRA GuardDuty solution, but this failed to deploy the rGuardDutyOrgLambdaCustomResource in the StackSet-CustomControlTower-sra-guardduty-org-main-ssm-64-rGuardDutyConfigurationStack nested stack.
To Reproduce
Steps to reproduce the behavior:
1. An existing (pre V3) version of the SRA GuardDuty solution must already be deployed
2. Verify that the latest code has been successfully uploaded to the S3 bucket
3. Within your CfCT repo, update the parameters/sra-guardduty-org-main-ssm.json and templates/sra-guardduty-org-main-ssm.yaml files to the latest copies from the SRA GuardDuty solution.
4. Commit the files to kick off the CfCT update.
5. The stacks will fail to update with the following error:
Received response status [FAILED] from custom resource. Message returned: 'ENABLE_EKS_RUNTIME_MONITORING' parameter with value of '' does not follow the allowed pattern: (?i)^true|false$. (RequestId: ebace497-cb43-4000-9f02-9f022e519f86)
Expected behavior
The solution should update all stacks, including the rGuardDutyOrgLambdaCustomResource to the latest version, ensuring that the order of updates does not cause stack failures. In particular, the sra-guardduty-org lambda should get updated with the latest code prior to it being executed by the stack.
Deployment Environment (please complete the following information)
Deployment Framework CfCT v2.7.1
Additional context
I worked around this issue by navigating to the sra-guardduty-org lambda directly and selecting to upload the latest source code from the staging S3 bucket. Once this was done, the CfCT update of the GuardDuty SRA solution completed successfully and all new features were enabled.
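The failure above is the custom resource rejecting an empty string for a boolean feature flag. The following is an added example, not code from the aws-security-reference-architecture-examples project or from the reporter: it models the flag validation that the error message reveals and turns it into a pre-flight check on the CfCT parameter file, so a missing or malformed flag is caught before the commit triggers the StackSet update. It assumes the CfCT parameter file uses the CloudFormation parameter-file format (a JSON list of `ParameterKey`/`ParameterValue` objects) and that the file uses the same key the custom resource reports (`ENABLE_EKS_RUNTIME_MONITORING`); the `REQUIRED_FLAGS` list, the sample parameter files and the `PLACEHOLDER_EXISTING_PARAMETER` key are constructed for the example. The pattern is anchored as a group, which is a choice made here, not the project's literal pattern.

```python
"""Pre-flight checks for a CfCT parameter file before committing a GuardDuty
SRA upgrade.  Added example, not project code: it models the boolean-flag
validation revealed by the custom resource error on this page."""
import json
import re

# The page's error message reports the pattern (?i)^true|false$.  This example
# anchors the whole alternation as a group so that only the bare words
# "true" / "false" (any case) pass; the empty string still fails.
BOOL_PATTERN = re.compile(r"(?i)^(true|false)$")

# Flags the upgraded custom resource is assumed to require.  Only
# ENABLE_EKS_RUNTIME_MONITORING is named on the page; extend as needed.
REQUIRED_FLAGS = ("ENABLE_EKS_RUNTIME_MONITORING",)


def validate_flags(resource_properties, required_flags=REQUIRED_FLAGS):
    """Return error strings, in the same shape as the custom resource's
    message, for every required flag that is missing or not a valid boolean.
    ``resource_properties`` is the dict a custom resource receives: every
    value arrives as a string, and an unset parameter arrives as ''."""
    errors = []
    for flag in required_flags:
        value = str(resource_properties.get(flag, ""))
        if not BOOL_PATTERN.match(value):
            errors.append(
                f"'{flag}' parameter with value of '{value}' does not follow "
                f"the allowed pattern: {BOOL_PATTERN.pattern}"
            )
    return errors


def load_cfct_parameters(parameter_file_text):
    """Parse a CfCT parameter file (assumed format: a JSON list of
    {"ParameterKey": ..., "ParameterValue": ...}) into a plain dict."""
    entries = json.loads(parameter_file_text)
    return {e["ParameterKey"]: e["ParameterValue"] for e in entries}


def missing_or_invalid(parameter_file_text, required_flags=REQUIRED_FLAGS):
    """Names of required flags the parameter file does not set to a valid
    boolean.  Run this before committing so CfCT never invokes the custom
    resource with a value the Lambda will reject."""
    params = load_cfct_parameters(parameter_file_text)
    return sorted(
        flag for flag in required_flags
        if not BOOL_PATTERN.match(str(params.get(flag, "")))
    )


# Constructed samples: a pre-v3 parameter file that predates the EKS runtime
# monitoring flag, and an upgraded one that sets it.  The existing parameter
# key is a placeholder, not a real template parameter name.
PRE_V3_PARAMETERS = json.dumps([
    {"ParameterKey": "PLACEHOLDER_EXISTING_PARAMETER", "ParameterValue": "true"},
])
UPGRADED_PARAMETERS = json.dumps([
    {"ParameterKey": "PLACEHOLDER_EXISTING_PARAMETER", "ParameterValue": "true"},
    {"ParameterKey": "ENABLE_EKS_RUNTIME_MONITORING", "ParameterValue": "True"},
])

if __name__ == "__main__":
    for label, text in (("pre-v3", PRE_V3_PARAMETERS), ("upgraded", UPGRADED_PARAMETERS)):
        problems = missing_or_invalid(text)
        status = "OK" if not problems else "fix before commit: " + ", ".join(problems)
        print(f"{label}: {status}")
```

Running the script reports the pre-v3 file as needing `ENABLE_EKS_RUNTIME_MONITORING` and the upgraded file as OK. The check only covers the parameter side of the failure; the ordering problem the report describes (the custom resource running before the Lambda code is refreshed) still has to be handled by updating the function code first, as in the workaround above.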