awslabs / compliant-framework-for-federal-and-dod-workloads-in-aws-govcloud-us

This solution enables you to quickly deploy a secure, scalable, multi-account environment in AWS GovCloud (US) based on AWS best practices. This solution is architected to follow the Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (SRG) for hosting Impact Level (IL) 4 and 5 workloads in the cloud. Using the Compliant Framework solution, you are able to quickly deploy an architecture baseline that accommodates U.S. federal and Department of Defense (DoD) requirements to rapidly achieve Authority to Operate (ATO). In addition, the Compliant Framework solution is also architected to support Cybersecurity Maturity Model Certification (CMMC) readiness.
https://aws.amazon.com/solutions/implementations/compliant-framework-for-federal-and-dod-workloads-in-aws-govcloud-us/
Apache License 2.0

Build fails on AmazonLinux2/Standard/3.0 Image #14

Open smparekh opened 2 years ago

smparekh commented 2 years ago

Describe the bug
Buildspec generated by the solution fails on the AmazonLinux2/Standard/3.0 image on:

[Container] 2022/08/14 00:56:15 Running command cdk bootstrap aws://$GOVCLOUD_CENTRAL_ACCOUNT_ID/us-gov-west-1
Unexpected token '?'
Subprocess exited with error 1

To Reproduce
Deploy solution as described here: https://docs.aws.amazon.com/solutions/latest/compliant-framework-for-federal-and-dod-workloads-in-aws-govcloud-us/deployment.html

Expected behavior
cdk bootstrap should succeed

Additional context
Build needs nodejs 14 to run the bootstrap command successfully.

I was able to run the buildspec using the ubuntu/standard/5.0 image.

bigg47 commented 2 years ago

I can verify I received the same error and failure today. I used all default values with the exception of the required email addresses.

COMMAND_EXECUTION_ERROR: Error while executing command: cdk bootstrap aws://$GOVCLOUD_CENTRAL_ACCOUNT_ID/us-gov-west-1. Reason: exit status 1

Build details, Environment, Image: aws/codebuild/standard:3.0

[Container] 2022/08/31 17:36:11 Running command npm install
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated sane@4.1.0: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN notsup Unsupported engine for constructs@3.4.85: wanted: {"node":">= 14.17.0"} (current: {"node":"12.16.1","npm":"6.13.4"})
npm WARN notsup Not compatible with your version of node/npm: constructs@3.4.85
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^2.1.2 (node_modules/jest-haste-map/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN @aws-cdk/assert@1.71.0 requires a peer of jest@^26.6.1 but none is installed. You must install peer dependencies yourself.
npm WARN compliant-framework@1.0.0 No description
npm WARN compliant-framework@1.0.0 No repository field.
npm WARN compliant-framework@1.0.0 No license field.

added 863 packages from 485 contributors and audited 868 packages in 21.123s

66 packages are looking for funding
  run `npm fund` for details

found 25 vulnerabilities (10 moderate, 14 high, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

[Container] 2022/08/31 17:36:33 Running command npm run build

> compliant-framework@1.0.0 build /codebuild/output/src285289670/src/compliant-framework-central-pipeline
> tsc

[Container] 2022/08/31 17:36:43 Running command cdk bootstrap aws://$GOVCLOUD_CENTRAL_ACCOUNT_ID/us-gov-west-1
Unexpected token '?'
Subprocess exited with error 1

[Container] 2022/08/31 17:36:46 Command did not exit successfully cdk bootstrap aws://$GOVCLOUD_CENTRAL_ACCOUNT_ID/us-gov-west-1 exit status 1
[Container] 2022/08/31 17:36:46 Phase complete: BUILD State: FAILED
[Container] 2022/08/31 17:36:46 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: cdk bootstrap aws://$GOVCLOUD_CENTRAL_ACCOUNT_ID/us-gov-west-1. Reason: exit status 1
[Container] 2022/08/31 17:36:46 Entering phase POST_BUILD
[Container] 2022/08/31 17:36:46 Running command echo "Post build completed on `date`"
Post build completed on Wed Aug 31 17:36:46 UTC 2022

[Container] 2022/08/31 17:36:46 Phase complete: POST_BUILD State: SUCCEEDED
[Container] 2022/08/31 17:36:46 Phase context status code:  Message: 

bigg47 commented 2 years ago

If anyone comes across this issue like I did today, I was able to work around it by changing the template you download from https://s3.amazonaws.com/solutions-reference/compliant-framework-for-federal-and-dod-workloads-in-aws-govcloud-us/latest/compliant-framework-for-federal-and-dod-workloads-in-aws-govcloud-us.template. Look for line 1944 and change "Image": "aws/codebuild/standard:3.0", to "Image": "aws/codebuild/standard:5.0", before running the deployment. I was able to delete the CloudFormation Stack and create a new stack without having to run the nuke option.
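
A scripted form of the workaround in the comment above, added here as an example; it is not part of the thread or of the awslabs repository. Instead of relying on line 1944, it finds every AWS::CodeBuild::Project resource in the JSON template and swaps the image string. The sample template and its logical IDs are constructed for illustration.

```python
import json

OLD_IMAGE = "aws/codebuild/standard:3.0"  # image from the thread (log shows node 12.16.1)
NEW_IMAGE = "aws/codebuild/standard:5.0"  # image the thread reports as working


def retarget_codebuild_images(template, old=OLD_IMAGE, new=NEW_IMAGE):
    """Rewrite Environment.Image on every AWS::CodeBuild::Project resource.

    Returns the logical IDs that were changed. Images that are not the
    plain string `old` (other versions, Ref/Fn::Sub objects) are left alone.
    """
    changed = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::CodeBuild::Project":
            continue
        env = resource.get("Properties", {}).get("Environment", {})
        if isinstance(env, dict) and env.get("Image") == old:
            env["Image"] = new
            changed.append(logical_id)
    return changed


def patch_template_text(text):
    """Parse template JSON, patch it, and return (new_text, changed_ids)."""
    template = json.loads(text)
    changed = retarget_codebuild_images(template)
    return json.dumps(template, indent=2), changed


# Constructed sample; logical IDs and resources are hypothetical.
SAMPLE = json.dumps({
    "Resources": {
        "CentralPipelineBuild": {
            "Type": "AWS::CodeBuild::Project",
            "Properties": {"Environment": {
                "Image": "aws/codebuild/standard:3.0",
                "Type": "LINUX_CONTAINER"}},
        },
        "ParameterisedBuild": {
            "Type": "AWS::CodeBuild::Project",
            "Properties": {"Environment": {"Image": {"Ref": "BuildImage"}}},
        },
        "ArtifactBucket": {"Type": "AWS::S3::Bucket"},
    }
})

if __name__ == "__main__":
    patched, changed = patch_template_text(SAMPLE)
    print("retargeted:", changed)
```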

bigg47 commented 2 years ago

Quick note to anyone looking to use this solution. Chances are they will not update this repo, but they did post on the Compliant Framework page. As of Oct 7, 2022, this solution will no longer be supported. It's being replaced with Landing Zone Accelerator.

https://docs.aws.amazon.com/solutions/latest/compliant-framework-for-federal-and-dod-workloads-in-aws-govcloud-us/welcome.html

https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/