Open jmundia-rackspace opened 1 year ago
Hi @jmundia-rackspace,
Thanks for reaching out. CFCT expects any S3 HTTPS URLs to be provided in regional format, e.g. http://<bucket-name>.s3.<region>.amazonaws.com/<path>/<object-key>.
For the template you linked, this would be: http://aws-configservice-us-east-1.s3.us-east-1.amazonaws.com/cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template.
I was able to deploy this Config Rule in my CFCT test environment using the regional format - please try using the above resource link and kindly let us know if that works.
The documentation does indicate that this format is required, however, I think it could be more clear that this format is required rather than just an example. I've created a backlog item for our team to improve the documentation in this area.
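The regional format the maintainer describes, as an added example that is not CfCT's own code: a small normaliser for manifest resource_file URLs that rewrites the legacy path-style URL from the report into the regional form and rejects a host it cannot parse. The default_region argument is an assumption, because the legacy form does not name the bucket's region.

```python
import re
from urllib.parse import urlparse

# Hypothetical helper, not part of CfCT: normalise a manifest resource_file
# URL into the regional virtual-hosted-style form CfCT expects.
_REGION = r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"
_VHOST_RE = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3\." + _REGION + r"\.amazonaws\.com$")
_REGIONAL_PATH_RE = re.compile(r"^s3\." + _REGION + r"\.amazonaws\.com$")
LEGACY_PATH_HOST = "s3.amazonaws.com"

# Sample values taken from the issue above (the reported manifest URL, the
# regional form the maintainer gave, and the host seen in the error log).
REPORTED_URL = "http://s3.amazonaws.com/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template"
EXPECTED_URL = "https://aws-configservice-us-east-1.s3.us-east-1.amazonaws.com/cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template"
BROKEN_URL = "https://s3.com.amazonaws.com/s3/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template"


def to_regional_s3_url(url: str, default_region: str) -> str:
    """Return https://<bucket>.s3.<region>.amazonaws.com/<key> for a resource_file URL.

    Accepts the legacy global path-style form from the bug report
    (http://s3.amazonaws.com/<bucket>/<key>), the regional path-style form
    (https://s3.<region>.amazonaws.com/<bucket>/<key>) and an already regional
    virtual-hosted URL. The legacy form carries no region, so default_region
    (supplied by the caller, an assumption) is used. Any other host is rejected,
    which catches a malformed host such as s3.com.amazonaws.com before a deploy.
    """
    parts = urlparse(url)
    host = parts.netloc.lower()
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError(f"not an http(s) URL: {url!r}")
    path = parts.path.lstrip("/")
    if m := _VHOST_RE.match(host):
        bucket, region, key = m["bucket"], m["region"], path
    elif m := _REGIONAL_PATH_RE.match(host):
        bucket, _, key = path.partition("/")
        region = m["region"]
    elif host == LEGACY_PATH_HOST:
        bucket, _, key = path.partition("/")
        region = default_region
    else:
        raise ValueError(f"unrecognised S3 host {host!r} in {url!r}")
    if not bucket or not key:
        raise ValueError(f"missing bucket or object key in {url!r}")
    return f"https://{bucket}.s3.{region}.amazonaws.com/{key}"


def check_resource_files(urls, default_region):
    """Map each resource_file URL to (regional_url, error) so a CI step can
    flag manifest entries that CfCT will not be able to fetch."""
    results = {}
    for url in urls:
        try:
            results[url] = (to_regional_s3_url(url, default_region), None)
        except ValueError as exc:
            results[url] = (None, str(exc))
    return results
```

Running check_resource_files over every resource_file value in the manifest before committing it surfaces the non-regional URL at review time rather than in the CloudformationResource stage.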
Describe the bug
When deploying an AWS Managed Config Rule (EFS_ENCRYPTED_CHECK), with the resource_file set as the standard location for the CFn template (http://s3.amazonaws.com/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template), there is an error in the CloudformationResource stage of the pipeline related to the deployment of the rule: Could not connect to the endpoint URL: "https://s3.com.amazonaws.com/s3/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template"
The URL we are using in the manifest file is accurate, however in the log, the URL provided is HTTPS and the S3 URL syntax is incorrect in the above error message (s3.com.amazonaws.com).
Another instance of the error message in the CodeBuild logs, for reference:
{"time_stamp": "2022-10-19 23:36:05,892","log_level": "ERROR","log_message": Unhandled Exception: Could not connect to the endpoint URL: "https://s3.com.amazonaws.com/s3/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template"
This occurred when a new account was added to the OU that the manifest file targets as a destination for Config Rules.
To Reproduce
Create CfCT pipeline via AWS CFn template. Deploy resources to the OU via the manifest file. Add a new account to the OU target named in the manifest file. After the initial phases of the pipeline, manually approve the deployment steps. Observe the pipeline for errors in the CloudformationResource stage.
Expected behavior
The expected behavior is that the new account would receive the CFn resources named in the manifest file, in this case the EFS_ENCRYPTED_CHECK Config Rule.
Please complete the following information about the solution:
Version: v2.4.0
Region: [e.g. us-east-2]
Was the solution modified from the version published on this repository? No
If the answer to the previous question was yes, are the changes available on GitHub? N/A
Have you checked your service quotas for the services this solution uses? N/A
Were there any errors in the CloudWatch Logs? Yes, attached
Screenshots
Manifest file entry for the Rule:
The "create" request for the Config rule from CodeBuild logs, note that it is using the proper URL here:
Additional context
This rule deployed without issue to the other account in the OU, and the manifest file has stayed consistent since that deployment.
CW Logs: efs-encrypted-check-errors.csv