aws-security-reference-architecture-examples
[BUG] Updating existing SRA GuardDuty solution to include feature (#213) fails to deploy rGuardDutyOrgLambdaCustomResource
Describe the bug
We have an existing SRA solution deployed into a Control Tower environment using the CfCT. This was using pre v3 (#205) release code. To make use of the newly enabled features, we decided to upgrade to the latest SRA GuardDuty solution, but this failed to deploy the rGuardDutyOrgLambdaCustomResource in the StackSet-CustomControlTower-sra-guardduty-org-main-ssm-64-rGuardDutyConfigurationStack nested stack.
To Reproduce
Steps to reproduce the behavior:
- An existing (pre V3) version of the SRA GuardDuty solution must already be deployed
- Clone or update to the latest aws-security-reference-architecture-examples repo
- In a command window, package up the latest GuardDuty solution and upload to the staging S3 bucket
./aws_sra_examples/utils/packaging_scripts/stage_solution.sh --profile <profile name> --solution_directory $PWD/aws_sra_examples/solutions/guardduty/guardduty_org/
- Verify that the latest code has been successfully uploaded to the S3 bucket
- Within your CfCT repo, update the parameters/sra-guardduty-org-main-ssm.json and templates/sra-guardduty-org-main-ssm.yaml files to the latest copies from the SRA GuardDuty solution.
- Commit the files to kick off the CfCT update.
- The stacks will fail to update with the following error:
Received response status [FAILED] from custom resource. Message returned: 'ENABLE_EKS_RUNTIME_MONITORING' parameter with value of '' does not follow the allowed pattern: (?i)^true|false$. (RequestId: ebace497-cb43-4000-9f02-9f022e519f86)
Expected behavior
The solution should update all stacks, including the rGuardDutyOrgLambdaCustomResource, to the latest version, ensuring that the order of updates does not cause stack failures. In particular, the sra-guardduty-org lambda should get updated with the latest code prior to it being executed by the stack.
Deployment Environment (please complete the following information)
- Deployment Framework CfCT v2.7.1
Additional context
I worked around this issue by navigating to the sra-guardduty-org lambda directly and selecting to upload the latest source code from the staging S3 bucket. Once this was done, the CfCT update of the GuardDuty SRA solution completed successfully and all new features were enabled.
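As an added illustration (not code from the SRA project), the snippet below reproduces the validation failure quoted in the error message using the exact pattern it reports, and shows a hardened reader that tolerates an empty value for a newly added boolean parameter instead of failing the whole stack update. The function names and the fall-back default are assumptions, not SRA behaviour.

```python
import re

# Pattern exactly as quoted in the custom-resource error message. It is
# mis-anchored: "^true|false$" means "starts with true" OR "ends with false",
# so values such as "trueish" or "notfalse" also pass it.
PATTERN_AS_REPORTED = r"(?i)^true|false$"

# Fully anchored pattern that accepts only the two literal words.
PATTERN_ANCHORED = r"(?i)^(true|false)$"


def check_parameter(name: str, value: str, pattern: str):
    """Mimic the custom-resource check. Returns None when the value matches,
    otherwise an error string in the same shape as the bug report."""
    if re.search(pattern, value) is None:
        return (f"'{name}' parameter with value of '{value}' does not follow "
                f"the allowed pattern: {pattern}")
    return None


def matches_anchored(value: str) -> bool:
    """True only for 'true'/'false' (any case), nothing else."""
    return re.fullmatch(PATTERN_ANCHORED, value) is not None


def parse_bool_parameter(params: dict, name: str, default: bool = False) -> bool:
    """Hardened reader (assumption): a parameter that is missing or empty,
    which is how a parameter added by a template upgrade can arrive before
    the caller has been updated, falls back to `default` rather than failing."""
    raw = (params.get(name) or "").strip()
    if raw == "":
        return default
    if not matches_anchored(raw):
        raise ValueError(f"'{name}' must be 'true' or 'false', got '{raw}'")
    return raw.lower() == "true"


if __name__ == "__main__":
    # Constructed input: the empty value seen in the bug report.
    print(check_parameter("ENABLE_EKS_RUNTIME_MONITORING", "", PATTERN_AS_REPORTED))
    print(parse_bool_parameter({"ENABLE_EKS_RUNTIME_MONITORING": ""},
                               "ENABLE_EKS_RUNTIME_MONITORING"))
```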