CREATE_FAILED has been observed with events like those shown below:
2020-07-02 13:56:12 UTC+0900 SecurityHubToAWSChatBot ROLLBACK_IN_PROGRESS The following resource(s) failed to create: [EventRuleCustomAction, SlackChannelConfig, LambdaIAMPolicy]. . Rollback requested by user.
2020-07-02 13:56:11 UTC+0900 LambdaIAMPolicy CREATE_FAILED Resource creation cancelled
2020-07-02 13:56:11 UTC+0900 EventRuleCustomAction CREATE_FAILED Resource creation cancelled
2020-07-02 13:56:11 UTC+0900 SlackChannelConfig CREATE_FAILED Invalid request provided: The chat configuration with the name securityhubnotification already exists. Retry with a unique configuration name. (Service: AWSChatbot; Status Code: 400; Error Code: InvalidParameterException; Request ID: f6aXXXXX-XXXX-XXXX-XXXXXXXXXXXXXXXXX; Proxy: null)
It does not happen when a region is the first one (assuming us-east-1 here) on an AWS account.
Thereafter failure happens on further creations in other regions such as us-east-2 or whatever else.
In my understanding, since AWS Chatbot is a global service, 'SlackChannelConfig' would also not be dedicated to a particular region, nor can it be defined idempotently on CloudFormation. It simply disallows duplication. Therefore, in order to deploy among multiple regions, an option should be present NOT to attempt to duplicate 'SlackChannelConfig' needlessly.
With this PR, the user would unfortunately have to do additional steps as follows (if he wanted create-stack after the 2nd region):
Provide an explicit false as a parameter of the CloudFormation stack, to suppress 'SlackChannelConfig'.
After CREATE_COMPLETE, go to AWS Chatbot console > Configured clients > Slack workspace: YOURWORKSPACE > securityhubnotification.
On securityhubnotification, press the Edit button on the top right.
Navigate to the bottom of the page, press 'Add another Region', and choose the appropriate Region and SNS Topic, which is supposed to appear.
Then finally the user would be able to obtain cross-region findings automatically in his Slack channel.
I know this is not very smart but this is the best I could come up with for now.
If there were a more reasonable way, I would like it.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
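As an added illustration of the approach described in this PR (not the PR's own diff), the CloudFormation fragment below gates the global Chatbot resource on a stack parameter while the SNS topic stays regional; the parameter name, logical resource names and the minimal role are assumptions, and the constant `securityhubnotification` is the configuration name from the error above.

```yaml
Parameters:
  CreateSlackChannelConfig:
    Type: String
    Default: 'true'
    AllowedValues: ['true', 'false']
    Description: >-
      Pass 'false' in every region after the first. AWS Chatbot is global, so a
      second SlackChannelConfiguration with the same name fails with
      InvalidParameterException and rolls the whole stack back.
  SlackWorkspaceId:
    Type: String
  SlackChannelId:
    Type: String

Conditions:
  # True only for the first region; all other resources are created unconditionally.
  ShouldCreateSlackChannelConfig: !Equals [!Ref CreateSlackChannelConfig, 'true']

Resources:
  # Regional: one topic per region, the target the Chatbot configuration subscribes to.
  FindingsTopic:
    Type: AWS::SNS::Topic

  # Role assumed by AWS Chatbot; only needed where the configuration is created.
  # No fixed RoleName, so it cannot collide across regional stacks either.
  ChatbotRole:
    Type: AWS::IAM::Role
    Condition: ShouldCreateSlackChannelConfig
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: chatbot.amazonaws.com }
            Action: sts:AssumeRole

  # Global: created once, in the first region only.
  SlackChannelConfig:
    Type: AWS::Chatbot::SlackChannelConfiguration
    Condition: ShouldCreateSlackChannelConfig
    Properties:
      ConfigurationName: securityhubnotification
      IamRoleArn: !GetAtt ChatbotRole.Arn
      SlackWorkspaceId: !Ref SlackWorkspaceId
      SlackChannelId: !Ref SlackChannelId
      SnsTopicArns:
        - !Ref FindingsTopic
```

For every region after the first, the stack still creates `FindingsTopic`, and its ARN is the "SNS Topic" added to the existing configuration via the console steps listed above.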