
[BUG] Updating existing SRA GuardDuty solution to include feature (#213) fails to deploy rGuardDutyOrgLambdaCustomResource #267

Open
julian-price opened this issue Sep 19, 2024 · 0 comments
Labels
bug Something isn't working

Describe the bug

We have an existing SRA solution deployed into a Control Tower environment using the CfCT. This was using pre v3 (#205) release code. To make use of the newly enabled features, we decided to upgrade to the latest SRA GuardDuty solution, but this failed to deploy the rGuardDutyOrgLambdaCustomResource in the StackSet-CustomControlTower-sra-guardduty-org-main-ssm-64-rGuardDutyConfigurationStack nested stack.

To Reproduce

Steps to reproduce the behavior:

  1. An existing (pre V3) version of the SRA GuardDuty solution must already be deployed
  2. Clone or update to the latest aws-security-reference-architecture-examples repo
  3. In a command window, package up the latest GuardDuty solution and upload to the staging S3 bucket

     ```
     ./aws_sra_examples/utils/packaging_scripts/stage_solution.sh  --profile <profile name> --solution_directory $PWD/aws_sra_examples/solutions/guardduty/guardduty_org/
     ```

  4. Verify that the latest code has been successfully uploaded to the S3 bucket
  5. Within your CfCT repo, update the parameters/sra-guardduty-org-main-ssm.json and templates/sra-guardduty-org-main-ssm.yaml files to the latest copies from the SRA GuardDuty solution.
  6. Commit the files to kick off the CfCT update.
  7. The stacks will fail to update with the following error:

     ```
     Received response status [FAILED] from custom resource. Message returned: 'ENABLE_EKS_RUNTIME_MONITORING' parameter with value of '' does not follow the allowed pattern: (?i)^true|false$. (RequestId: ebace497-cb43-4000-9f02-9f022e519f86)
     ```

Expected behavior

The solution should update all stacks, including the rGuardDutyOrgLambdaCustomResource to the latest version, ensuring that the order of updates does not cause stack failures. In particular, the sra-guardduty-org lambda should get updated with the latest code prior to it being executed by the stack.

Deployment Environment (please complete the following information)

  • Deployment Framework CfCT v2.7.1

Additional context

I worked around this issue by navigating to the sra-guardduty-org lambda directly and selecting to upload the latest source code from the staging S3 bucket. Once this was done, the CfCT update of the GuardDuty SRA solution completed successfully and all new features were enabled.

@julian-price julian-price added the bug Something isn't working label Sep 19, 2024