aws-solutions / aws-control-tower-customizations

The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html
Apache License 2.0

Error Deploying Managed AWS Config Rule EFS_ENCRYPTED_CHECK to New Account in OU #134

Open jmundia-rackspace opened 1 year ago

jmundia-rackspace commented 1 year ago

Describe the bug

When deploying an AWS Managed Config Rule (EFS_ENCRYPTED_CHECK), with the resource_file set to the standard location of the CFn template (http://s3.amazonaws.com/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template), there is an error in the CloudformationResource stage of the pipeline related to the deployment of the rule:

Could not connect to the endpoint URL: "https://s3.com.amazonaws.com/s3/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template".

The URL we are using in the manifest file is accurate; however, in the log the URL provided is HTTPS and the S3 URL syntax in the above error message is incorrect (s3.com.amazonaws.com).

Another instance of the error message in the CodeBuild logs, for reference:

{"time_stamp": "2022-10-19 23:36:05,892","log_level": "ERROR","log_message": Unhandled Exception: Could not connect to the endpoint URL: "https://s3.com.amazonaws.com/s3/aws-configservice-us-east-1/cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template"

This occurred when a new account was added to the OU that the manifest file targets as a destination for Config Rules.

To Reproduce

Create the CfCT pipeline via the AWS CFn template. Deploy resources to the OU via the manifest file. Add a new account to the OU target named in the manifest file. After the initial phases of the pipeline, manually approve the deployment steps. Observe the pipeline for errors in the CloudformationResource stage.

Expected behavior

The expected behavior is that the new account would receive the CFn resources named in the manifest file, in this case the EFS_ENCRYPTED_CHECK Config Rule.

Please complete the following information about the solution:

Screenshots

Manifest file entry for the Rule:

[screenshot]

The "create" request for the Config rule from the CodeBuild logs; note that it is using the proper URL here:

[screenshot]

Additional context

This rule deployed without issue to the other account in the OU, and the manifest file has stayed consistent since that deployment.

CW Logs: efs-encrypted-check-errors.csv

stumins commented 1 year ago

Hi @jmundia-rackspace,

Thanks for reaching out. CFCT expects any S3 HTTPS URLs to be provided in regional format, e.g. http://<bucket-name>.s3.<region>.amazonaws.com/<path>/<object-key>.

For the template you linked, this would be: http://aws-configservice-us-east-1.s3.us-east-1.amazonaws.com/cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template.

I was able to deploy this Config Rule in my CFCT test environment using the regional format - please try using the above resource link and kindly let us know if that works.

The documentation does indicate that this format is required; however, I think it could be clearer that this format is required rather than just an example. I've created a backlog item for our team to improve the documentation in this area.
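The mangled host in the CodeBuild log (s3.com.amazonaws.com) is what you get when a path-style URL like the reporter's is split on the assumption that it is in the regional virtual-hosted form the maintainer describes. A pre-flight check over the manifest catches this before the pipeline runs. The following is an added example, not code from the aws-control-tower-customizations project: it parses an S3 HTTP(S) URL into bucket, region and key, accepting the legacy path-style form and the virtual-hosted forms, rewrites anything that is not already regional virtual-hosted into the `<bucket>.s3.<region>.amazonaws.com` form, and refuses hosts that are not S3 endpoints at all. Two assumptions are built in: the manifest shape (a `resources` list of dicts with `name` and `resource_file`, after the CfCT v2 manifest) and the mapping of the region-less global endpoint `s3.amazonaws.com` to `us-east-1` by default, which is also what the maintainer inferred for this bucket. The sample manifest is constructed.

```python
"""Lint CfCT manifest resource_file URLs for the S3 URL form the pipeline expects.

Added example, not part of the aws-control-tower-customizations project. The
manifest shape (a ``resources`` list of dicts with ``name`` and ``resource_file``)
is assumed from the CfCT v2 manifest; SAMPLE_MANIFEST below is constructed.
"""
import re
from urllib.parse import urlparse

# Region label such as us-east-1, eu-west-2, us-gov-west-1, cn-north-1.
_REGION = r"[a-z]{2}(?:-gov)?-[a-z]+-\d"

# Path-style hosts, as in the URL from the issue:
#   s3.amazonaws.com              (legacy global endpoint, region not encoded)
#   s3.<region>.amazonaws.com / s3-<region>.amazonaws.com
PATH_STYLE = re.compile(rf"^s3(?:[.-](?P<region>{_REGION}))?\.amazonaws\.com$")

# Virtual-hosted hosts; the regional dot form is what the maintainer says CfCT accepts:
#   <bucket>.s3.<region>.amazonaws.com
#   <bucket>.s3.amazonaws.com     (global form, region not encoded)
VIRTUAL_HOSTED = re.compile(
    rf"^(?P<bucket>[a-z0-9][a-z0-9.-]{{1,61}}[a-z0-9])\.s3(?:\.(?P<region>{_REGION}))?\.amazonaws\.com$"
)


def parse_s3_url(url, default_region="us-east-1"):
    """Split an S3 HTTP(S) URL into scheme, bucket, region, key and style.

    default_region is used when the host does not encode a region (assumption:
    the legacy global endpoint is treated as us-east-1). Raises ValueError for
    anything that is not an S3 endpoint, so a manifest cannot silently point
    the pipeline at a non-S3 host.
    """
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in {url!r}")
    host = p.hostname or ""          # urlparse lower-cases the hostname
    path = p.path.lstrip("/")

    m = PATH_STYLE.match(host)
    if m:
        bucket, _, key = path.partition("/")   # first path segment is the bucket
        if not bucket or not key:
            raise ValueError(f"path-style URL needs /<bucket>/<key>: {url!r}")
        return {"scheme": p.scheme, "bucket": bucket, "region": m["region"] or default_region,
                "key": key, "style": "path"}

    m = VIRTUAL_HOSTED.match(host)
    if m:
        if not path:
            raise ValueError(f"virtual-hosted URL has no object key: {url!r}")
        style = "virtual-hosted-regional" if m["region"] else "virtual-hosted-global"
        return {"scheme": p.scheme, "bucket": m["bucket"], "region": m["region"] or default_region,
                "key": path, "style": style}

    raise ValueError(f"not an S3 endpoint hostname: {host!r}")


def to_regional_url(url, default_region="us-east-1"):
    """Rewrite any accepted S3 URL into the <bucket>.s3.<region>.amazonaws.com form."""
    s = parse_s3_url(url, default_region)
    return f"{s['scheme']}://{s['bucket']}.s3.{s['region']}.amazonaws.com/{s['key']}"


def lint_manifest(manifest, default_region="us-east-1"):
    """Return (resource name, problem, suggested URL or None) for every HTTP(S)
    resource_file that is not already in the regional virtual-hosted form."""
    findings = []
    for res in manifest.get("resources", []):
        name, rf = res.get("name"), res.get("resource_file", "")
        if not rf.startswith(("http://", "https://")):
            continue  # a path inside the CfCT source package; nothing to check here
        try:
            parsed = parse_s3_url(rf, default_region)
        except ValueError as exc:
            findings.append((name, str(exc), None))
            continue
        if parsed["style"] != "virtual-hosted-regional":
            findings.append((name,
                             f"{parsed['style']} S3 URL; CfCT expects <bucket>.s3.<region>.amazonaws.com",
                             to_regional_url(rf, default_region)))
    return findings


# Constructed sample manifest fragment (not the reporter's actual file).
SAMPLE_MANIFEST = {
    "resources": [
        {"name": "efs-encrypted-check",
         "resource_file": "http://s3.amazonaws.com/aws-configservice-us-east-1/"
                          "cloudformation-templates-for-managed-rules/EFS_ENCRYPTED_CHECK.template"},
        {"name": "already-regional",
         "resource_file": "https://my-templates.s3.eu-west-1.amazonaws.com/scp/baseline.template"},
        {"name": "local-template", "resource_file": "templates/local.template"},
    ]
}

if __name__ == "__main__":
    for name, problem, suggestion in lint_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {problem}")
        if suggestion:
            print(f"  use: {suggestion}")
```

Run against the reporter's manifest entry, the linter flags the path-style URL and prints exactly the regional URL the maintainer supplied. Because the parser only accepts amazonaws.com S3 hostnames, the same check also stops a manifest from pulling a template from an arbitrary host, which is worth having in a pipeline that deploys into every account of an OU.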