aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0
858 stars 364 forks source link

Failing to create security-automations-for-aws-waf in il-central-1 #253

Closed arshikam closed 1 year ago

arshikam commented 1 year ago

Describe the bug Solution is not deploying in il-central-1 region.

To Reproduce Try to deploy the stack in il-central-1 region:

https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/step-1.-launch-the-stack.html

Expected behavior It should deploy in the il-central-1 region.

Please complete the following information about the solution:

To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "Security Automations for AWS WAF v3.1: This AWS CloudFormation template helps you provision the Security Automations for AWS WAF stack without worrying about creating and configuring the underlying AWS infrastructure". If the description does not contain the version information, you can look at the mappings section of the template:

Mappings:
  SourceCode:
    General:
      TemplateBucket: 'solutions-reference'
      SourceBucket: 'solutions'
      KeyPrefix: 'waf-security-automation/v3.1'

Screenshots If applicable, add screenshots to help explain your problem (please DO NOT include sensitive information).

Additional context

When trying to deploy the below solution in il-central-1 region: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/step-1.-launch-the-stack.html

Getting below error:

Error 1:

There was an error creating this change set Template format error: Unrecognized resource types: [AWS::ServiceCatalogAppRegistry::AttributeGroup, AWS::ServiceCatalogAppRegistry::Application, AWS::ServiceCatalogAppRegistry::AttributeGroupAssociation, AWS::ServiceCatalogAppRegistry::ResourceAssociation]

Now I found a document where it says that 'ServiceCatalogAppRegistry' is not supported for il-central-1 region but it is not a official document.

https://www.aws-services.info/servicecatalog-appregistry.html

The same stack is getting deployed successfully in us-east-1 region.

Tried to remove the dependancy for 'ServiceCatalogAppRegistry' resource from the template and deployed the stack. This time it failed with below error:

Resource handler returned message: "Error occurred while GetObject. S3 Error Code: IllegalLocationConstraintException. S3 Error Message: The unspecified location constraint is incompatible for the region specific endpoint this request was sent to. (Service: Lambda, Status Code: 400, Request ID: )" (RequestToken: , HandlerErrorCode: InvalidRequest)

Please guide on this as to how we can proceed and deploy the solution in il-central-1 region

taniwallach commented 1 year ago

I think https://github.com/aws-solutions/aws-waf-security-automations/pull/254 provides a solution to be able to deploy to a region without AppRegistry.

Obviously AppRegistry cannot be used for monitoring in such a case.

aijunpeng commented 1 year ago

The out-of-box solution is not supported in il-central-1 region. You can try to customize the source code, build and upload assets to s3, following https://github.com/aws-solutions/aws-waf-security-automations/blob/main/README.md.

This is a duplicate of an internal ticket. Close this ticket.

morjoan commented 1 year ago

Looks like this is a duplicate of issue #256. Closing.