aws-solutions / network-orchestration-for-aws-transit-gateway

The Network Orchestration for AWS Transit Gateway solution automates the process of setting up and managing transit networks in distributed AWS environments. It creates a web interface to help control, audit, and approve (transit) network changes.
https://aws.amazon.com/solutions/implementations/serverless-transit-network-orchestrator/
Apache License 2.0

Empty PREFIX_LISTS environment variable causes Step Function to fail in case of "Custom-Destinations" value for DEFAULT_ROUTE environment variable #78

Closed ayubhari closed 1 year ago

ayubhari commented 1 year ago

Describe the bug

The PREFIX_LISTS environment variable in the STNO-State-Machine Lambda function should be/is optional where "Custom-Destinations" is specified for the DEFAULT_ROUTE variable if CIDR_BLOCKS is provided (as per the CustomerManagedPrefixListIds parameter in the network-orchestration-hub.yaml CloudFormation template).

However, keeping PREFIX_LISTS empty while specifying CIDR_BLOCKS and setting "Custom-Destinations" as the value for DEFAULT_ROUTE causes the Step Function to fail, and the respective TGW VPC attachment doesn't get associated/propagated to the specified TGW route table.

To Reproduce

Specify ListOfCustomCidrBlocks in the network-orchestration-hub.yaml CloudFormation template while setting "Custom-Destinations" as the value for DEFAULT_ROUTE, and keep CustomerManagedPrefixListIds empty.

Once the STNO Hub and Spoke stacks are deployed, create a VPC with populated "Associate-with" and/or "Propagate-to" tags, and then create subnets with the "Attach-to-tgw" tag added.

This will cause the step function to fail, as in the underlying Lambda code the following two functions are called for Custom-Destinations in DEFAULT_ROUTE:

Expected behavior

An empty PREFIX_LISTS should be handled effectively in the Lambda code so that the Step Function can succeed in the case of "Custom-Destinations" for DEFAULT_ROUTE while requiring only the CIDR_BLOCKS environment variable.

For this, in the code block the first check should make sure PREFIX_LISTS is a non-empty string, like the following: `if environ.get("PREFIX_LISTS") != "":` or simply `if environ.get("PREFIX_LISTS"):`. Then PREFIX_LISTS should be split, to avoid the above issue.

A similar thing can be done in the case where just PREFIX_LISTS is required but not CIDR_BLOCKS, in the code block of `_update_route_table_with_cidr_blocks(...)`.

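As an added example (not the solution's own code), the two parsing strategies side by side: the naive split that turns an empty PREFIX_LISTS into a bogus empty id, and a tolerant parser that treats an unset or blank CIDR_BLOCKS / PREFIX_LISTS as "no targets" and only errors when neither is given for Custom-Destinations. It generalizes slightly by allowing both lists at once; the function names, the `(kind, value)` return shape and the environment values are assumptions constructed for this example.

```python
from typing import Dict, List, Tuple

# Constructed example; not code from network-orchestration-for-aws-transit-gateway.


def naive_split(environ: Dict[str, str], name: str) -> List[str]:
    """The pattern that breaks: an empty value becomes [''] instead of [],
    so an empty string is later treated as a prefix-list id or CIDR."""
    return environ.get(name, "").split(",")


def parse_env_list(environ: Dict[str, str], name: str) -> List[str]:
    """Return the comma-separated items of environ[name], or [] if unset/blank.

    Whitespace around items is stripped and empty items (e.g. a trailing
    comma) are dropped, so a blank variable never yields a bogus entry.
    """
    raw = environ.get(name)
    if not raw or not raw.strip():
        return []
    return [item.strip() for item in raw.split(",") if item.strip()]


def plan_custom_destination_routes(environ: Dict[str, str]) -> List[Tuple[str, str]]:
    """Decide which route targets the state machine should act on.

    Returns (kind, value) pairs with kind "cidr" or "prefix_list". Only the
    Custom-Destinations case is modelled here (hypothetical helper); other
    DEFAULT_ROUTE values yield no custom targets. Raises only when
    Custom-Destinations is requested and *both* lists are empty, because
    then there is nothing to route and the configuration is invalid.
    """
    if environ.get("DEFAULT_ROUTE", "") != "Custom-Destinations":
        return []
    targets = [("cidr", c) for c in parse_env_list(environ, "CIDR_BLOCKS")]
    targets += [("prefix_list", p) for p in parse_env_list(environ, "PREFIX_LISTS")]
    if not targets:
        raise ValueError("Custom-Destinations requires CIDR_BLOCKS or PREFIX_LISTS")
    return targets


if __name__ == "__main__":
    # Constructed environment mirroring the report: CIDRs set, PREFIX_LISTS blank.
    env = {"DEFAULT_ROUTE": "Custom-Destinations",
           "CIDR_BLOCKS": "10.0.0.0/8, 192.168.0.0/16",
           "PREFIX_LISTS": ""}
    print("naive:", naive_split(env, "PREFIX_LISTS"))      # ['']  -> bogus id
    print("tolerant:", plan_custom_destination_routes(env))  # CIDR targets only
```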

groverlalit commented 1 year ago

Thanks for raising this issue. This bug will be resolved in the next release.